Disable command execution with Cisco IOS web server

If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):
  1. List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
  2. Create a subset of applications you want to activate with the ip http session-module-list list-name module-list. global configuration command, for example.
  3. ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
  4. Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled HTTPS server).
  5. Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active, all others should be inactive.
Add comment