Saturday, May 16, 2009

Make Windows more secure, use a blank password

Today I was attacking and pillaging a test Windows machine from a Linux box. Many Windows machines are set up with a blank administrator password since people just hit the enter key when they are prompted for a password. I was testing to see what happens on these machines with this configuration. I also created another account with a blank password.

Using either of these accounts I was able to connect to manually created shares, but not to the admin shares (c$, d$, admin$). Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows assigns their session a Guest access token rather than an Administrator access token, thereby preventing access to the entire C drive (a good thing).
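As an added example (not part of the original post), the following PowerShell script checks from the defender's side whether the protections described above are in effect on a machine: it reads the LSA registry values that back the "ForceGuest" setting and the "Limit local account use of blank passwords to console logon only" policy (`LimitBlankPasswordUse`), and lists local accounts that are permitted to have no password at all. It assumes a modern Windows host with the `Microsoft.PowerShell.LocalAccounts` module available.

```powershell
# Added example: audit blank-password exposure over the network.
# Both registry values below are real LSA settings; ForceGuest only exists on
# older client editions (XP-era "Simple File Sharing"), so its absence is reported,
# not treated as an error.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa     = Get-ItemProperty -Path $lsaPath

function Get-LsaFlag {
    param([string]$Name)
    $value = $lsa.PSObject.Properties[$Name]
    if ($null -eq $value) { return 'not present' }
    return $value.Value
}

# 1 = remote logons with a blank local password are refused (console only).
$limitBlank = Get-LsaFlag -Name 'LimitBlankPasswordUse'
# 1 = every network logon to this box is mapped to the Guest token.
$forceGuest = Get-LsaFlag -Name 'ForceGuest'

Write-Host "LimitBlankPasswordUse : $limitBlank"
Write-Host "ForceGuest            : $forceGuest"

if ($limitBlank -ne 1) {
    Write-Warning 'Blank local passwords are usable over the network; set the policy to Enabled.'
}

# Accounts with the "password not required" flag are allowed to have an empty
# password. This does not prove the password is blank, only that it may be.
$noPasswordNeeded = Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    Select-Object Name, Enabled, LastLogon

if ($noPasswordNeeded) {
    Write-Host 'Enabled local accounts that do not require a password:'
    $noPasswordNeeded | Format-Table -AutoSize
} else {
    Write-Host 'No enabled local account is exempt from the password requirement.'
}
```

Run it in an elevated prompt on the host being reviewed; a `LimitBlankPasswordUse` of 1 means the Guest-token behaviour the post describes is the least of what happens, because the blank-password network logon is rejected outright.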

These home users who have "picked" the blank password, if forced to pick a real password, would probably pick one that is very easy to guess, such as "password", <username>, or some word in a monosyllabic dictionary. It is arguably more secure for these users to have no password than to pick one. No, neither of these options is good (both are dumb), but at least Microsoft prevents users from reducing their security quite so drastically.

Yes, I understand the stupidity of the argument either way; this is meant to be a little tongue-in-cheek.

If you are interested in the tools I was using here they are:
rpcclient