Security Basics mailing list archives

Re: using Administrator-Account with empty password
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 2 Jun 2008 17:40:47 +0200

On 2008-06-01 Scan_it wrote:
> I have two computers, both Win XP Pro SP2
> (no passwords for Administrator's account set).
>
> I assume that no one has local access to the computer,
> so the only way to get to the data (shares, ipc$) is by remote (home
> network, internet).
>
> When I try to establish a connection via ipc$ or a connection to a
> network share, using the Administrator account
> (e.g. with Sysinternals tools), Windows declines the connection.
>
> If I set the same password on both computers, I can establish a
> connection, use administrative privileges, network
> shares etc.
>
> http://technet.microsoft.com/en-us/library/bb457114.aspx#EDAA (Section
> "Blank Password Restrictions")
>
> So my question is why should I even bother to set up a strong password
> for my Admin account (which can be broken by brute force or wordlist),
> when Windows denies any connection with an empty password.
> Wouldn't it be a lot more secure to configure a system without a
> password?

For Windows XP, if you can guarantee that no unauthorized user will be
able to get physical access: yes. Earlier versions don't have this
restriction, so you have to have a strong password there.

> Or is there any way to trick Windows into accepting a connection with
> an empty password or to run a program from the command line without a
> password?

None that I'm aware of. Which of course doesn't mean that there aren't
any.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
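
Added example, not part of the original message: a Windows PowerShell check of the setting that the linked "Blank Password Restrictions" section describes, so the restriction the answer relies on can be verified on each machine. The registry value `LimitBlankPasswordUse` and the WMI class `Win32_UserAccount` are not named in the thread, and the function name `Test-BlankPasswordRestriction` is hypothetical.

```powershell
# Added example (not from the thread). Run in Windows PowerShell on the machine to audit.
function Test-BlankPasswordRestriction {   # hypothetical helper name
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue

    # 1 = accounts with a blank password can log on at the console only
    # 0 = such accounts can also be used for network logons
    # A missing value is reported for manual review (this script's choice).
    if ($null -eq $prop) { $state = 'ValueMissing-ReviewManually' }
    elseif ($prop.LimitBlankPasswordUse -eq 1) { $state = 'Enabled' }
    else { $state = 'Disabled' }

    # Enabled local accounts flagged "password not required".
    # The flag means a blank password is permitted, not that one is set.
    $noPwdRequired = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } |
        ForEach-Object { $_.Name })

    $result = New-Object PSObject
    $result | Add-Member NoteProperty Restriction $state
    $result | Add-Member NoteProperty PasswordNotRequired ($noPwdRequired -join ', ')
    $result | Add-Member NoteProperty NeedsAttention ($state -ne 'Enabled')
    $result
}

Test-BlankPasswordRestriction | Format-List
```

`NeedsAttention` is true whenever the restriction is not confirmed as enabled, since in that state a blank Administrator password is no longer limited to console logon.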