Administrator account has blank password

Risk Level: High risk vulnerability  High

Check or Attack Name: adminblankpw
Platforms: Windows NT
Description:

An administrator account with no password was detected. Some vendors ship Windows NT pre-installed with no password on the Administrator or other user accounts. This misconfiguration is an extremely high risk vulnerability, and should be corrected immediately.

This vulnerability is typically detected on a machine where there is also no minimum password length required. If the file and registry permissions are not very tightly restricted, this situation can give any attacker the ability to access sensitive information and systems.
Remedy:

Set the user password to a minimum length of seven characters and change the password. Require a minimum length for all passwords, or set up a password filter to reject weak password choices. Disable the account if is not required.

To set the minimum password length, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Select the user account.
  3. From the Policies menu, select Account to display the Account Policy dialog box.
  4. For the Minimum Password Length, require a minimum length of at least seven characters. Click OK.
  5. From the User menu, select Properties to display the User Properties dialog box.
  6. Type and confirm a non-trivial password.
  7. Click OK.

—AND—

For maximum password security, apply the passfilt.dll password filter to reduce guessable passwords. See Microsoft Knowledge Base Article Q161990 "How to Enable Strong Password Functionality in Windows NT" at http://support.microsoft.com/support/kb/articles/q161/9/90.asp.

—OR—

Disable the user account if it is not needed.

To disable a user account, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Select the user from the list.
  3. From the User menu, select Properties to display the User Properties dialog box.
  4. Select the Account Disabled check box.
  5. Click OK.
References:

Microsoft Knowledge-Pak Desktop Suite, How to: Set minimum password length policy, http://support.microsoft.com/support/ntserver/serviceware/nts40/e9mse5z47.asp
X-Force Logo
Know Your Risks