Re: Insufficient Authentication vulnerability in Asus notebook

[Daniel Hazelton <dhazelton () enter net>]

On Thursday 14 May 2009 15:39:29 Susan Bradley wrote:
> We're talking XP Home here, right?  A admin account without a password
> cannot be access remotely over the internet, so if you have physical
> access at all times of that Asus netbook it's arguably more secure in
> some circumstances.

Not just XP Home. I can confirm that this "vulnerability" is a standard feature 
of several OEM and MS released versions of both XP Home and XP Professional. 
In both cases I've had to manually re-set the password to something.

This seems to be a "feature" - since if you have to use the recovery console 
it'll ask you for the password for "Administrator"... by default it's blank 
and you can just hit enter.

DRH

> nameless wrote:
> > Susan Bradley wrote:
> > > 3.  For XPs it's kinda handy to have a blank admin password when you
> > > sometimes come in on a network and need to get to that particular
> > > machine and you didn't set it up, otherwise you have to use the Admin
> > > password boot disk trick and reset the password to blank.
> >
> > You should only do the above recommendation, if you like to have your
> > boxes owned.
> >
> > You should not have any administrative accounts named "Administrator"
> > and _all_ administrative accounts should have a _STRONG_ password
> > associated with them.
> >
> > No exceptions.
> >
> > Password safes are available at no charge.  If you somehow forget your
> > password, you can always reset it via AD or resetting the SAM.