Let’s say you have two accounts on your Windows XP computer: An everyday account, set up as a Limited User, and an account in the Administrators group that you use for system maintenance tasks. Your computer is in a secure location, and you’re the only person with physical access to it. Which of the following options is more secure?
- You assign a blank password to the administrative account
- You create a strong password of 15 characters, using a randomly generated string of letters, numbers, and symbols, for the administrative account
Believe it or not, the blank password offers considerably more protection against an attack over the network. Windows XP ships with the security policy Accounts: Limit local account use of blank passwords to console logon only set to Enabled. With it on, a local account that has no password can be used only to log on interactively at the computer itself, from the Welcome screen or the Log On To Windows dialog box. You can't log on to that account over the network (file sharing, for instance), you can't reach it through a Remote Desktop connection, and you can't use the Run As feature to run a program in its context. An attacker on the network therefore has no way to use the blank-password administrative account, no matter how good their password-guessing tools are. Two caveats: the policy governs Windows' own logon paths, so a program that does its own authentication (a remote-control application, or a Trojan that someone has managed to install) is not bound by it; and it does nothing against a person who can sit down at the keyboard.
This approach isn't for everyone. Don't use it on a portable computer (anyone who picks it up can log on), on a computer that is joined to a Windows domain (the policy covers local accounts only), or on one where you actually need access via Remote Desktop (which refuses blank-password accounts).
But this strategy is a decent alternative for home computer users who don't want to be bothered with passwords. You can return to the Welcome screen at any time with the Windows key+L shortcut; from there, log on to the administrative account for system maintenance tasks, and log off again when you're done.
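Before relying on the set-up above, it is worth checking that the two settings it depends on are actually in the state described. The following script is an added example, not code from the original post: it reads the registry values that back the blank-password policy and the Remote Desktop switch, lists the members of the local Administrators group, and prints a verdict. It assumes an elevated PowerShell session on the machine being checked and that the two registry paths used are the documented backing store for those settings (they are on XP through current Windows).

```powershell
# Added example (not from the original post). Assumptions: run elevated on the machine
# being audited; HKLM\...\Lsa\LimitBlankPasswordUse backs the policy
# "Accounts: Limit local account use of blank passwords to console logon only" and
# HKLM\...\Terminal Server\fDenyTSConnections backs the Remote Desktop check box.

function Get-BlankPasswordPolicy {
    # 1 = Enabled (the XP default): blank-password local accounts are console-only.
    # 0 = Disabled: they can also be used for network, Remote Desktop and Run As logons.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($null -eq $lsa.LimitBlankPasswordUse) { return 1 }   # absent value behaves as the default
    return [int]$lsa.LimitBlankPasswordUse
}

function Get-RemoteDesktopEnabled {
    # fDenyTSConnections: 1 = Remote Desktop off (default), 0 = accepting connections.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    return ([int]$ts.fDenyTSConnections -eq 0)
}

function Get-LocalAdministrators {
    # Members of the local Administrators group via the WinNT ADSI provider (works on XP).
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-ExposureVerdict {
    # Pure function so the decision logic can be read (and tested) on its own.
    param([int]$LimitBlankPasswordUse, [bool]$RemoteDesktopEnabled)
    if ($LimitBlankPasswordUse -eq 1) {
        return 'OK: blank-password local accounts are console-only; network, RDP and Run As logons with them are refused.'
    }
    if ($RemoteDesktopEnabled) {
        return 'WEAK: policy Disabled and Remote Desktop on; a blank-password admin account is reachable over the network.'
    }
    return 'WEAK: policy Disabled; blank-password accounts accept network (file-sharing) logons. Re-enable the policy or set strong passwords.'
}

$policy = Get-BlankPasswordPolicy
$rdp    = Get-RemoteDesktopEnabled
Write-Host ("LimitBlankPasswordUse = {0}  RemoteDesktopEnabled = {1}" -f $policy, $rdp)
Write-Host ("Local Administrators: " + ((Get-LocalAdministrators) -join ', '))
Write-Host (Get-ExposureVerdict -LimitBlankPasswordUse $policy -RemoteDesktopEnabled $rdp)
```

If the verdict is anything other than OK, the fastest repair is `secpol.msc` > Local Policies > Security Options > Accounts: Limit local account use of blank passwords to console logon only > Enabled, which is the same thing as writing 1 back to `LimitBlankPasswordUse`.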
If only there were a way to configure an admin user with a password and restrict it to console access only.
Were these security enhancements introduced in one of the Service Packs, or do they exist in all versions of Windows XP?
This change is part of the basic architecture of Windows XP, if I recall correctly.
Umm, this isn’t true.
You CAN log into a fully patched Windows XP machine using Remote Desktop from your local subnet. If your subnet happens to be your ISP’s subnet, hello world!
I know this because I have two Windows Media Center 2005 desktops that I log into at home using those machines’ admin accounts, which have blank passwords. No special configuration was necessary to pull this off. Maybe something’s changed in the past year…
Hmmm. I was talking originally about XP Professional and haven’t tested with Media Center. In any case, RDP is a server program, which is (1) disabled by default and (2) not available in XP Home. Now, I don’t have a machine to test this on, but even RDP is not supposed to work with a blank password (I just checked, and Media Center’s Remote Access dialog box says users must have a password to connect remotely). But I’m talking specifically about interactive logon from the network with a blank password, which is denied by default in XP. If you choose to enable Remote Desktop, which is a powerful server program, then you absolutely should have a strong password.
Yes, it’s true that Remote Desktop Connection is disabled, but MCE 2005 has a sequence of setup dialogs that prominently invite you to turn Remote Desktop on. I believe this is to make it easier to manage such a machine without a keyboard when it is inside an entertainment center (which is what I do).
I haven’t been too concerned about security on those boxes, since they’re both inside my home firewall and never used for surfing. In addition, they won’t accept RDP connections from outside my home subnet, which is the default (but I DO use a PC inside my home network with a popular remote control software package to control those machines from outside my home). Should I be concerned about the password under these circumstances?
I did a clean installation of Windows XP Media Center Edition 2005 a few weeks ago. I was not prompted to enable Remote Desktop, nor is it enabled on this box.
My install is a System Builder OEM. Do you have a name-brand box?
The Windows Firewall should block any connections from outside your subnet. And your router adds another layer of protection. I wouldn’t worry. Maybe put a PIN-type password on.
Hi Ed,
I enjoyed this article, however, I was confused by the statement that you wouldn’t recommend this solution for a portable computer. Could you please briefly explain?
Much regards,
Lou
Lou, the problem with a portable PC is that, by definition, you don’t always have physical security over it. So if you leave your PC somewhere and someone can walk up to it and log on, they can access anything on it. It really only makes sense for a computer located in a secure physical location.
This is most confusing…Ed first writes,
” You can’t log on to a non-password-protected account over the network using a Remote Desktop connection.”
then in response to Brent,
“If you choose to enable Remote Desktop, which is a powerful server program, then you absolutely should have a strong password.”
So perhaps someone might explain how to log on from the network interactively without enabling Remote Desktop, and also under which circumstances a PC may be accessed over the Internet with a blank password and [Security Option: Accounts: Limit local account use of blank passwords to console logon only – Enabled].
Also, just what does Brent mean by “If your subnet happens to be your ISP’s subnet, hello world!”
Sorry for the confusion, Henri. The key in my second statement is the word “strong.” If you choose to enable Remote Desktop, my understanding is that you must have a password-protected account. And that password should not be something easy but should be a strong password that is not susceptible to a dictionary-based attack.
Brent’s other comment was in reference to ISPs that dole out IP addresses to customers in such a way that other customers of the same ISP could be seen as being on your local subnet. If you’re behind a router, this is a non-issue, but if you’re exposing an assigned public IP address to the world, then your neighbors with IP addresses in the same range would appear to be on your subnet and might be able to make a connection.
And to follow up on the issue that Brent raised: I just enabled Remote Desktop access to a machine running Windows XP Media Center Edition 2005. The only account on this machine is an administrator account with a blank password. I tried to connect to this machine via RDP using both the only defined user account and the built-in Administrator account. I was denied access in both cases. So I really don’t know what the issue is or what Brent is referring to when he says MCE “has a sequence of setup dialogs that prominently invite you to turn Remote Desktop on.” I’ve set up several MCE machines recently and never saw any such invitation.
Microsoft says:
“It is possible for applications that use remote interactive logons to bypass this setting.”
http://technet2.microsoft.com/WindowsServer/en/library/45acdbfd-7d8e-4b70-b332-97f9e2d975e11033.mspx?mfr=true
I have not tried a blank password with Remote Desktop myself.
Jim,
Yes, if you install an application that allows remote logins, it gets to set the rules. This would be true of a legitimate remote control application like VNC or of a covertly installed Trojan app. The problem in that case is not the blank password, it’s the fact that you’re running a remote server.
Exactly so. It appears that the blank password is only good protection from other users on the same LAN who might try to gain access to your PC via file sharing. But on the Internet, a hacker would normally have to install a trojan to get past the firewall anyway, so you are cooked.
Maybe there are other significant cases where it does you some good, but I don’t see them at the moment.
The right way to do this – make an account have a “blank” password so it can start up and auto login (perfect for a DVR) – and also allow remote administration is:
1 – static IP on the box and allow inbound RDP connections on 3389 from only a trusted IP
2 – Under Administrative Tools>Local Security Settings>Local Policies>Security Options select – Accounts:Limit local account use of blank passwords to console logon only – set it to Disabled
This gives you the ability to RDP in as the DVR user without a password – allowing the DVR to do what it needs to do anyhow. Don’t forget step 1, however… for security’s sake.
AND – you should also invoke mstsc with the /console command-line switch, so you don’t freak out the software.
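The two steps in the comment above, as an added example that is neither the commenter's nor the original post's code. It assumes Windows XP SP2 or later with the built-in Windows Firewall (the old `netsh firewall` context, since replaced by `netsh advfirewall`), that `192.0.2.10` is a placeholder for the single trusted administrative address, and an elevated prompt. Step 2 weakens the XP default, so the script only touches the Lsa policy when you pass an explicit switch; without it, the policy is left Enabled and the comment in the script names the alternative that keeps the DVR auto-logon working.

```powershell
# Added example (not the commenter's code). Assumptions: XP SP2/SP3 Windows Firewall
# ("netsh firewall" context), a fixed LAN address on this box (the comment's step 1),
# and 192.0.2.10 as a placeholder for the one host allowed to connect.
param(
    [string]$TrustedAddress = '192.0.2.10',
    [switch]$AllowBlankPasswordOverNetwork
)

# Step 1: open TCP 3389 to exactly one remote address rather than the whole subnet.
# scope=CUSTOM with an address list is what turns this from "anyone who can reach port
# 3389" into "one machine I control".
netsh firewall add portopening protocol=TCP port=3389 name=RemoteDesktopTrustedHost mode=ENABLE scope=CUSTOM "addresses=$TrustedAddress"

# Turn Remote Desktop on; this is the value the System Properties check box sets.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0 -Type DWord

# Step 2 (weak): 0 = Disabled lets blank-password local accounts log on over the
# network and through RDP, which is exactly what the XP default exists to prevent.
# The safer route is to keep the value at 1, give the DVR account a long password,
# and let Winlogon's auto-logon (control userpasswords2, uncheck "Users must enter a
# user name and password") type it at boot; the DVR still starts up unattended.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($AllowBlankPasswordOverNetwork) {
    Write-Warning 'Disabling the blank-password console-only restriction. Step 1 is now the only thing standing between this account and the network.'
    Set-ItemProperty -Path $lsaPath -Name LimitBlankPasswordUse -Value 0 -Type DWord
} else {
    Set-ItemProperty -Path $lsaPath -Name LimitBlankPasswordUse -Value 1 -Type DWord
}

# Show what was applied so the result can be eyeballed before the first remote logon.
netsh firewall show portopening
Get-ItemProperty -Path $lsaPath -Name LimitBlankPasswordUse
```

Run it as `.\dvr-rdp.ps1` for the hardened form, or `.\dvr-rdp.ps1 -AllowBlankPasswordOverNetwork` to reproduce the comment's step 2 exactly. On a later Windows version the `netsh firewall` line must be rewritten with `netsh advfirewall firewall add rule` (with a `remoteip=` restriction) because the old context was removed.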
Please tell me how to access a remote desktop when the user hasn’t set any password. Please mail me:
pinakie_2005@yahoo.com