Comments on: Tip of the day: It’s OK to use a blank password

By: nitj

nitj — Mon, 26 Feb 2007 19:59:31 +0000

plz tell me how can be access a remote desktop when user don’t have put any password..plz mail me
pinakie_2005@yahoo.com

By: fishpick

fishpick — Sun, 26 Nov 2006 17:59:02 +0000

The right way to do this – make an account have a “blank” password so it can start up and auto login (perfect for a DVR) – and also allow remote administration is:
1 – static IP on the box and allow inbound RDP connections on 3389 from only a trusted IP
2 – Under Administrative Tools>Local Security Settings>Local Policies>Security Options select – Accounts:Limit local account use of blank passwords to console logon only – set it to Disabled

This gives you the ability to RDP in as the DVR user without a password – allowing the DVR to do what it needs to do anyhow. Don’t forget step 1 however… for security sake.
AND – you should also invoke the mstsc with the /console command line – so you don’t freak out the software.

By: Jim Fox

Jim Fox — Mon, 11 Sep 2006 20:47:10 +0000

Exactly so. It appears that the blank password is only good protection from other users on the same LAN who might try to gain access to your PC via file sharing. But on the Internet, a hacker would normally have to install a trojan to get past the firewall anyway, so you are cooked.

Maybe there are other significant cases where it does you some good, but I don’t see them at the moment.

By: Ed Bott

Ed Bott — Mon, 11 Sep 2006 12:01:55 +0000

Jim,

Yes, if you install an application that allows remote logins, it gets to set the rules. This would be true of a legitimate remote control application like VNC or of a covertly installed Trojan app. The problem in that case is not the blank password, it’s the fact that you’re running a remote server.

By: Jim Fox

Jim Fox — Sun, 10 Sep 2006 13:57:37 +0000

Microsoft says:
“It is possible for applications that use remote interactive logons to bypass this setting.”
http://technet2.microsoft.com/WindowsServer/en/library/45acdbfd-7d8e-4b70-b332-97f9e2d975e11033.mspx?mfr=true

I have not tried a blank password with Remote Desktop myself.

By: Ed Bott

Ed Bott — Tue, 05 Sep 2006 18:02:09 +0000

Sorry for the confusion, Henri. The key in my second statement is the word “strong.” If you choose to enable Remote Desktop, my understanding is that you must have a password-protected account. And that password should not be something easy but should be a strong password that is not susceptible to a dictionary-based attack.

Brent’s other comment was in reference to ISPs that dole out IP addresses to customers in such a way that other customers of the same ISP could be seen as being on your local subnet. If you’re behind a router, this is a non-issue, but if you’re exposing an assigned public IP address to the world, then your neighbors with IP addresses in the same range would appear to be on your subnet and might be able to make a connection.

And to follow up on the issue that Brent raised: I just enabled Remote Desktop access to a machine running Windows XP Media Center Edition 2005. The only account on this machine is an administrator account with a blank password. I tried to connect to this machine via RDP using both the only defined user account and the built-in Administrator account. I was denied access in both cases. So I really don’t know what the issue is or what Brent is referring to when he says MCE “has a sequence of setup dialogs that prominently invite you to turn Remote Desktop on.” I’ve set up sevberal MCE machines recently and never saw any such invitation.

By: Henri Worthington

Henri Worthington — Tue, 05 Sep 2006 17:16:17 +0000

This is most confusing…Ed first writes,
” You can’t log on to a non-password-protected account over the network using a Remote Desktop connection.”
then in response to Brent,
“If you choose to enable Remote Desktop, which is a powerful server program, then you absolutely should have a strong password.”
So perhaps someone might explain how to logon from the network interactively without enabling Remote Desktop, and also under which circumstaces a pc may be accessed over the internet with blank password and [Security Option:Accounts: Limit local account use of blank passwords to console logon only Enabled]
Also, just what does Brent mean by “If your subnet happens to be your ISP’s subnet, hello world!”

By: Ed Bott

Ed Bott — Wed, 30 Aug 2006 12:50:04 +0000

Lou, the problem with a portable PC is that, by definition, you don’t always have physical security over it. So if you leave your PC somewhere and someone can walk up to it and log on, they can access anything on it. It really only makes sense for a computer located in a secure physical location.

By: Lou Guske, Jr.

Lou Guske, Jr. — Wed, 30 Aug 2006 11:11:29 +0000

Hi Ed,

I enjoyed this article, however, I was confused by the statement that you wouldn’t recommend this solution for a portable computer. Could you please briefly explain?

Much regards,

Lou

By: Ed Bott

Ed Bott — Tue, 29 Aug 2006 18:20:39 +0000

I did a clean installation of Windows XP Media Center Edition 2005 a few weeks ago. I was not prompted to enable Remote Desktop, nor is it enabled on this box.

My install is a System Builder OEM. Do you have a name-brand box?

The Windows Firewall should block any connections from outside your subnet. And your router adds another layer of protection. I wouldn’t worry. Maybe put a PIN-type password on.

By: Brent

Brent — Tue, 29 Aug 2006 18:09:35 +0000

Yes, it’s true that Remote Desktop Connection is disabled, but MCE 2005 has a sequence of setup dialogs that prominently invite you to turn Remote Desktop on. I believe this is to make it easier to manage such a machine without a keyboard when it is inside an entertainment center (which is what I do).
I haven’t been too concerned about security on those boxes, since they’re both inside my home firewall and never used for surfing. In addition, they won’t accept RDP connections from outside my home subnet, which is the default (but I DO use a PC inside my home network with a popular remote control software package to control those machines from outside my home). Should I be concerned about the password under these circumstances?

By: Ed Bott

Ed Bott — Tue, 29 Aug 2006 12:20:34 +0000

Hmmm. I was talking originally about XP Professional and haven’t tested with Media Center. In any case, RDP is a server program, which is (1) disabled by default and (2) not available in XP Home. Now, I don’t have a machine to test this on, but even RDP is not supposed to work with a blank password (I just checked, and Media Center’s Remote Access dialog box says users must have a password to connect remotely). But I’m talking specifically about interactive logon from the network with a blank password, which is denied by defaultin XP. If you choose to enable Remote Desktop, which is a powerful server program, then you absolutely should have a strong password.

By: Brent

Brent — Mon, 28 Aug 2006 20:17:22 +0000

Umm, this isn’t true.
You CAN log into a fully patched Windows XP machine using Remote Desktop from your local subnet. If your subnet happens to be your ISP’s subnet, hello world!
I know this because I have two Windows Media Center 2005 desktops that I log into at home using those machine’s admin accounts which have blank passwords. No special configuration was necessary to pull this off. Maybe something’s changed in the past year…

By: Bill Godfrey

Bill Godfrey — Wed, 31 Dec 1969 17:00:00 +0000

If only there were a way to configure an admin user with a password *and* restrict it to console access only.

By: Martey

Martey — Wed, 31 Dec 1969 17:00:00 +0000

Were these security enhancements introduced in one of the Service Packs, or do they exist in all versions of Windows XP?