Cyber Essentials
DashboardSign Out

Lesson 4.2 — Default passwords, firewall admin accounts and remote administration access

This lesson helps the learner check whether firewall and router administration is secure.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • confirm whether default firewall and router passwords have been changed
  • identify who has administrator access
  • check whether administrative access is exposed to the internet
  • record any business justification
  • MFA or IP allow-listing controls needed for remote administration.

Why This Matters

It explains why default passwords must be changed, why firewall administrator access must be controlled, how to treat remote administration, and what evidence should be collected before answering the detailed firewall questions.

The most common problems are:

  • assuming default passwords were changed without checking;
  • changing the default password to a weak or reused password;
  • using the same admin password across many routers or customer sites;
  • leaving remote administration enabled because it is convenient;

The Core Rule

Firewalls and routers are powerful systems. If their administration access is weak, the whole network boundary can be weakened.

Default passwords must be changed. Replacement passwords should be strong, unique and controlled. Administrator access should be limited to people who genuinely need it. Remote administration from the internet should be disabled unless there is a clear business reason.

What the CE Assessor Looks For

A strong position shows:

  • every in-scope firewall/router has a known owner;
  • default administrator passwords have been changed;
  • passwords are strong and unique;
  • admin access is limited to authorised people;
  • named admin accounts are used where possible;
  • shared accounts are tightly controlled if unavoidable;

Common Mistakes

  • assuming default passwords were changed without checking;
  • changing the default password to a weak or reused password;
  • using the same admin password across many routers or customer sites;
  • leaving remote administration enabled because it is convenient;
  • exposing firewall admin interfaces directly to the internet without justification;
  • failing to use MFA where the management portal supports it;

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can say yes to these:

  • [ ] Why are default firewall and router passwords dangerous?
  • [ ] Is changing the default password enough if the replacement password is weak?
  • [ ] Why are firewall administrator accounts powerful?
  • [ ] What is remote administration?
  • [ ] What is the safest default position for external firewall administration?

Your Action

Do this now — it takes 10–20 minutes.

Check the admin password on every firewall and router. If any are still on a default or shared password, change it today. Record the outcome in Section F.

Key Takeaway

Collect evidence that shows the control exists without exposing secrets.

Your Workbook Activity

Complete: Firewall administration control record

Next Lesson

In the next lesson: Inbound connections, port forwarding and firewall rule justification

Up next

Inbound connections, port forwarding and firewall rule justification

Control inbound connections and port forwarding with clear technical justification and risk awareness.