Re: Insufficient Authentication vulnerability in Asus notebook
On Thursday 14 May 2009 15:39:29 Susan Bradley wrote:
> We're talking XP Home here, right? A admin account without a password
> cannot be access remotely over the internet, so if you have physical
> access at all times of that Asus netbook it's arguably more secure in
> some circumstances.
Not just XP Home. I can confirm that this "vulnerability" is a standard feature
of several OEM and MS released versions of both XP Home and XP Professional.
In both cases I've had to manually re-set the password to something.
This seems to be a "feature" - since if you have to use the recovery console
it'll ask you for the password for "Administrator"... by default it's blank
and you can just hit enter.
DRH
> nameless wrote:
> > Susan Bradley wrote:
> >> 3. For XPs it's kinda handy to have a blank admin password when you
> >> sometimes come in on a network and need to get to that particular
> >> machine and you didn't set it up, otherwise you have to use the Admin
> >> password boot disk trick and reset the password to blank.
> >
> > You should only do the above recommendation, if you like to have your
> > boxes owned.
> >
> > You should not have any administrative accounts named "Administrator"
> > and _all_ administrative accounts should have a _STRONG_ password
> > associated with them.
> >
> > No exceptions.
> >
> > Password safes are available at no charge. If you somehow forget your
> > password, you can always reset it via AD or resetting the SAM.