Secure IOS

In general, insecure platforms are largely the result of configuration mistakes.  Leaving default settings in place also counts as a mistake if those defaults leave the platform exposed.  Cisco routers do a reasonably good job with their defaults: for example, IOS refuses telnet logins until a vty password is set, and refuses to enter enable mode from a telnet session when no enable password is configured.  Configuring these basic items, however, is nowhere near where you should stop.

Cisco also provides a utility in most newer versions of IOS to help secure the platform.  This feature is called AutoSecure (run with the auto secure command) and was introduced in IOS 12.3(1).  It goes a long way toward helping an administrator produce a hardened configuration.  This article covers many of the things AutoSecure implements, plus a few more, and explains what each command accomplishes.

The configuration items are grouped into categories, to better separate the purpose of each.

Securing Access to the Router

!
! Do not leave any plaintext passwords in the configuration.  Note that
! this only obfuscates them (type 7), which is trivially reversible; it is
! not a substitute for the secret commands below.
!
service password-encryption
!
! Configure an enable secret, which takes precedence over the enable
! password, then remove the enable password entirely once the secret is set
!
enable secret ^Pr3tty53cr3tpa55w0rd!
no enable password
!
! If no external authentication server is in use, configure local
! username/password pairs.  Do not rely on just the vty password or the
! enable secret for telnet/ssh access.  This example creates a user called
! admin with privilege level 15 and a secret that is stored in the
! configuration as a type 5 salted MD5 hash.  A type 5 hash cannot be
! reversed, although it can be brute-forced offline, whereas a type 7
! password can be decoded directly.  On IOS releases that support it,
! prefer the scrypt-based type 9 (algorithm-type scrypt).
!
username admin privilege 15 secret ^n0th3r53cr3tpa55w0rd!
!
! Enable AAA on the device, which makes the aaa commands available
!
aaa new-model
!
! Create an authentication list named Admins that authenticates against
! the locally configured users
!
aaa authentication login Admins local
!
! Have the router apply the privilege level configured for each
! locally defined user when it starts the exec session
!
aaa authorization exec default local
!
! For console logins, use the authentication list called Admins
!
line con 0
 login authentication Admins
!
! For telnet/ssh logins, use the authentication list called Admins.
! (Enabling SSH and restricting the vty lines to it with transport input ssh
! is a separate step not shown here.)
!
line vty 0 4
 login authentication Admins
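To see why service password-encryption is not real protection, here is a short Python script that decodes type 7 passwords and pulls them out of a running-config.  It is added to this article as an example and is not part of the original post or of any Cisco tool.  The translation key and decoding scheme are the ones IOS uses for type 7; the sample config it scans is constructed for the example, and the type 5 values in it are placeholders, not real hashes.

```python
"""Decode Cisco IOS type 7 passwords found in a running-config.

Added example for this article, not part of the original post.
Type 7 is the reversible obfuscation applied by `service
password-encryption`: a two-digit seed, then each character of the
password XORed with a fixed key, written out as uppercase hex.
"""
import re

# Fixed 40-character key IOS uses for type 7 obfuscation.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches "enable password 7 ...", "username bob password 7 ..." and the
# bare " password 7 ..." found under line con/vty stanzas.
TYPE7_LINE = re.compile(r"^(?:.*\s)?password 7 (?P<blob>[0-9A-Fa-f]+)$")


def decode_type7(encoded: str) -> str:
    """Return the plaintext for a type 7 string such as '060506324F41'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    chars = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(chars)


def encode_type7(plain: str, seed: int = 6) -> str:
    """Inverse of decode_type7; IOS picks the seed from 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain):
        out.append(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def find_reversible_secrets(config: str) -> list[tuple[str, str]]:
    """Return (config line, decoded password) for every type 7 password."""
    found = []
    for raw in config.splitlines():
        line = raw.strip()
        m = TYPE7_LINE.match(line)
        if m:
            found.append((line, decode_type7(m.group("blob"))))
    return found


# Constructed sample config (not from a real device). The type 5 values
# are placeholders rather than real hashes; the type 7 values decode to
# "cisco" and "admin".
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$not.a.real.hash
enable password 7 060506324F41
username admin privilege 15 secret 5 $1$placeholder$not.a.real.hash
username backup password 7 1218011A1B05
line vty 0 4
 password 7 060506324F41
 login
"""

if __name__ == "__main__":
    for line, plain in find_reversible_secrets(SAMPLE_CONFIG):
        print(f"{line:45s} -> {plain}")
```

Run it against the text of show running-config from a device you are allowed to audit; anything it prints is a credential that any reader of the config already has.  The type 5 lines are left alone on purpose, since they can only be attacked by offline guessing, not decoded.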

Disable unnecessary services on the device

!
! Disable the BOOTP server
!
no ip bootp server
!
! Disable the HTTP server (the HTTPS server, ip http secure-server,
! is a separate service and should be disabled the same way unless needed)
!
no ip http server
!
! Disable the finger service; older releases use the service finger
! form and newer releases use ip finger
!
no ip finger
no service finger
!
! Disable the X.25 Packet Assembler/Disassembler service
!
no service pad
!
! Disable the echo, discard, daytime and chargen small servers
! (off by default on current IOS, but make it explicit)
!
no service udp-small-servers
no service tcp-small-servers

Other

!
! Use the real date and time on all logging and debugging output,
! as opposed to the device's uptime
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
! Send log messages to the internal buffer and make it large enough
! that entries are not lost to wrapping; the default buffer is small
!
logging buffered 16384
!
! Set the local timezone and, if observed, daylight saving time
!
clock timezone CST -6
clock summer-time CDT recurring
!
! Just about every company legal department wants a banner like this.
! A login banner is displayed when the device is accessed, before
! authentication; keep system details such as model or software out of it
!
banner login ^C
Authorized Access only
  This system is the property of Xpresslearn.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.^C
!
! Do not try to download a configuration via TFTP at boot
!
no service config
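Once a device is configured this way, the next question is whether it stays that way.  The Python script below is an added example for this article (not Cisco's AutoSecure and not part of the original post) that audits the text of show running-config for the items in all three sections above and reports what is missing or still present.  It relies on one property of how IOS prints its configuration: services that are on by default (pad, bootp, http) only show up as an explicit no ... line once disabled, so those are checked for that line, while the small servers are off by default on current IOS and simply must not appear.  Both sample configs are constructed for the example; the hardened one mirrors the commands in this article.

```python
"""Audit a Cisco IOS running-config for the hardening items in this article.

Added example, not from the original post and not Cisco's AutoSecure.
Services IOS enables by default (pad, bootp, http) only appear in the
configuration as an explicit `no ...` line once disabled, so those are
checked for that line; the small servers are off by default and must
simply not appear.
"""
import re
from typing import Callable


def config_lines(config: str) -> list[str]:
    """Strip indentation and drop IOS comment lines (those starting with '!')."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def has(lines: list[str], pattern: str) -> bool:
    """True if any config line matches the regex."""
    rx = re.compile(pattern)
    return any(rx.search(ln) for ln in lines)


def buffer_large_enough(lines: list[str], minimum: int = 16384) -> bool:
    """True if `logging buffered N` is present with N >= minimum."""
    for ln in lines:
        m = re.match(r"logging buffered (\d+)", ln)
        if m:
            return int(m.group(1)) >= minimum
    return False


# Each entry: (failure message, predicate returning True when the config passes)
CHECKS: list[tuple[str, Callable[[list[str]], bool]]] = [
    ("service password-encryption not set", lambda c: has(c, r"^service password-encryption$")),
    ("enable secret not configured", lambda c: has(c, r"^enable secret ")),
    ("legacy enable password still configured", lambda c: not has(c, r"^enable password ")),
    ("reversible type 7 password present", lambda c: not has(c, r"\bpassword 7 ")),
    ("aaa new-model not enabled", lambda c: has(c, r"^aaa new-model$")),
    ("no local login authentication list", lambda c: has(c, r"^aaa authentication login \S+ local$")),
    ("exec authorization not using local privilege", lambda c: has(c, r"^aaa authorization exec default local$")),
    ("bootp server not disabled", lambda c: has(c, r"^no ip bootp server$")),
    ("http server not disabled", lambda c: has(c, r"^no ip http server$")),
    ("finger not disabled", lambda c: has(c, r"^no (ip finger|service finger)$")),
    ("pad service not disabled", lambda c: has(c, r"^no service pad$")),
    ("tcp/udp small servers enabled", lambda c: not has(c, r"^service (tcp|udp)-small-servers$")),
    ("log timestamps not using date and time", lambda c: has(c, r"^service timestamps log datetime")),
    ("logging buffer missing or smaller than 16384", buffer_large_enough),
    ("no login banner", lambda c: has(c, r"^banner login ")),
    ("boot-time config download (service config) not disabled", lambda c: has(c, r"^no service config$")),
]


def audit(config: str) -> list[str]:
    """Return a failure message for every check the config does not pass."""
    lines = config_lines(config)
    return [msg for msg, passes in CHECKS if not passes(lines)]


# Constructed sample configs, not taken from real devices.
WEAK_CONFIG = """\
enable password cisco123
username admin password 7 060506324F41
ip http server
service tcp-small-servers
service udp-small-servers
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret ^Pr3tty53cr3tpa55w0rd!
no enable password
username admin privilege 15 secret ^n0th3r53cr3tpa55w0rd!
aaa new-model
aaa authentication login Admins local
aaa authorization exec default local
line vty 0 4
 login authentication Admins
no ip bootp server
no ip http server
no ip finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service timestamps log datetime msec localtime show-timezone
logging buffered 16384
banner login ^C
Authorized Access only
^C
no service config
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Adding a check is a one-line entry in CHECKS, so items this article does not cover (restricting the vty lines to SSH, for instance) follow the same pattern.  Because the script only reads configuration text, it can run from a central host against archived show running-config output without touching the devices.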

Author Info:

Scott is a Senior Network Engineer at a healthcare-related company in Nashville, TN. When he is not trying to secure a network or come up with a design for a new project, he enjoys spending time with his family. You can find out more at: http://www.scottp.net

One Response to “Secure IOS”

  1. Vincent Isom Says:

    Great post. I’m currently working on securing routers and switches and I have found a number of your articles helpful.

    Thanks.
