In (e-mail address removed) David
Ngo said:
My computer's been set this way for the past 3 years and
haven't seen any problems. But then again people could be
accessing my computer through telnet, ftp without me
knowing. Anyway if I wanted to close this security hole
would I just set the following registry value to 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
limitblankpassworduse set to 0
I used the script at
http://www.kellys-korner-xp.com/xp_tweaks.htm to allow no
passwords.
Thanks,
Dave
Yes, setting that value back to 1 returns your computer to the
default setting.
Keep in mind that if you make that change you're going to have
to add a password to your user account in order to run
scheduled tasks. Any existing tasks would have to be edited to
include this new password. Also, if your computer is set up to
automatically log on your user account, you'd have to go back
and run control userpasswords2 and change the settings to
include your account's new password.
I'll never claim to be a security expert but here's an extreme
example of why I don't recommend removing the blank password
restriction:
1. A computer in someone's office is running XP Professional.
2. It's connected directly to a cable or dsl modem.
3. Remote Desktop has been enabled so that the person who owns
this computer can access it from home.
4. Remote Desktop has been added on the Exceptions page of
Windows Firewall.
5. None of the user accounts on this system have passwords.
This includes the built-in Administrator account.
6. For convenience purposes, such as creating scheduled tasks,
the restriction on blank passwords has been disabled.
What that means is that the person who owns this computer can
sit at home and log on to the remote computer using an account
that has a blank password. But, unfortunately, so can a hacker.
If you want to log on to a remote computer, you need three
pieces of information; an IP address, the name of an account
that can logon from the network and that account's password.
Well, in this example, two of these items have been given away
for free. Every Windows XP computer comes with an account named
Administrator. By default, administrators are included in the
Remote Desktop Users group. There's one piece of the puzzle.
Blank passwords are allowed. There's piece number 2. Getting
the last part, the IP address, wouldn't take long.
Odds are, no one's been hacking into your system just because
you've relaxed the restrictions that are placed on accounts
with blank passwords. If you're behind a router and have a
firewall program up and running, you're probably safe from most
hacker attacks. I just can't recommend ever allowing any
account to have a blank password. Why take chances?
Nepatsfan
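The six-step scenario Nepatsfan lays out can be turned into an audit you run on the machine itself. The script below is an added example and is not part of the thread or anything Nepatsfan posted. It assumes a current Windows 10/11 box with Windows PowerShell 5.1 (Get-LocalUser, Get-LocalGroupMember and Get-NetFirewallRule do not exist on XP, although the two registry values are the same) and an elevated prompt. Rather than trusting the "password required" flag, it asks LogonUser directly whether each enabled local account accepts an empty password, once as an interactive (console) logon and once as a network logon. With LimitBlankPasswordUse at its default of 1 a blank-password account succeeds at the console but the network attempt fails with ERROR_ACCOUNT_RESTRICTION (1327); with the value set to 0, as the tweak script does, both succeed, which is the exposure described above.

```powershell
# Added audit example, not code from the thread. Run elevated on Windows 10/11, PowerShell 5.1.
# The Win32.Logon wrapper, Test-BlankPasswordLogon and Get-BlankPasswordExposure are names
# chosen here, not existing cmdlets.

Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_INTERACTIVE = 2   # what the console logon screen does
$LOGON32_LOGON_NETWORK     = 3   # what SMB/RDP-style remote access does
$LOGON32_PROVIDER_DEFAULT  = 0
$ERROR_LOGON_FAILURE       = 1326  # wrong password: the account has a real password
$ERROR_ACCOUNT_RESTRICTION = 1327  # blank password refused because LimitBlankPasswordUse=1

function Test-BlankPasswordLogon {
    # Try to log the named local account on with an empty password and report
    # whether it worked and, if not, the Win32 error code.
    param([string]$User, [int]$LogonType)
    $token = [IntPtr]::Zero
    $ok  = [Win32.Logon]::LogonUser($User, '.', '', $LogonType, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void][Win32.Logon]::CloseHandle($token) }
    [pscustomobject]@{ Success = $ok; Error = $err }
}

function Get-BlankPasswordExposure {
    # Step 6: the Lsa value. A missing value means the default (1).
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $limit = if ($null -eq $lsa.LimitBlankPasswordUse) { 1 } else { [int]$lsa.LimitBlankPasswordUse }

    # Steps 3 and 4: Remote Desktop switched on (fDenyTSConnections=0) and allowed inbound.
    $ts          = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled  = ([int]$ts.fDenyTSConnections -eq 0)
    $rdpFirewall = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
                        -Enabled True -ErrorAction SilentlyContinue).Count -gt 0

    # Who may connect over RDP: Administrators implicitly, plus Remote Desktop Users.
    $rdpPrincipals = @('Administrators', 'Remote Desktop Users') |
        ForEach-Object { Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.Name.Split('\')[-1] } | Sort-Object -Unique

    # Step 5: probe every enabled local account with an empty password, both logon types.
    foreach ($acct in Get-LocalUser | Where-Object Enabled) {
        $console = Test-BlankPasswordLogon -User $acct.Name -LogonType $LOGON32_LOGON_INTERACTIVE
        $network = Test-BlankPasswordLogon -User $acct.Name -LogonType $LOGON32_LOGON_NETWORK
        $state = if ($console.Success -and $network.Success) {
            'BLANK, usable over the network'
        } elseif ($console.Success -and $network.Error -eq $ERROR_ACCOUNT_RESTRICTION) {
            'BLANK, console only (restriction in effect)'
        } elseif ($console.Error -eq $ERROR_LOGON_FAILURE) {
            'has a password'
        } else {
            "undetermined (console error $($console.Error), network error $($network.Error))"
        }
        [pscustomobject]@{
            Account               = $acct.Name
            Password              = $state
            CanUseRDP             = ($rdpPrincipals -contains $acct.Name)
            RdpEnabled            = $rdpEnabled
            RdpAllowedByFirewall  = $rdpFirewall
            LimitBlankPasswordUse = $limit
        }
    }
}

Get-BlankPasswordExposure | Format-Table -AutoSize
```

A row that reads "BLANK, usable over the network" with CanUseRDP, RdpEnabled and RdpAllowedByFirewall all true is the office-computer scenario in full; only the IP address is missing. Two caveats: every LogonUser call is a real logon attempt, so accounts that do have passwords each get one failed-logon event (4625) and one strike against any lockout threshold, and the firewall check only reports that an inbound "Remote Desktop" rule is enabled, not whether the active profile is the one it applies to.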