Local Account Passwords
Check Description
This check identifies any blank or simple passwords for each local user account on the computer. This check is not performed on domain controllers.
Microsoft® Windows® Server 2003, Windows XP, Windows 2000, and Windows NT® operating systems all require user authentication through passwords. In general, users are permitted to choose their own passwords. The security of their account depends on the choice of the password. This check enumerates all user accounts and checks for the following password conditions:
- Password is blank.
- Password is the same as the user account name.
- Password is the same as the machine name.
- Password uses the word "password."
- Password uses the word "admin" or "administrator."
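As an added example (not MBSA code and not part of this page), the following Python applies the five conditions above to a candidate password, the way a provisioning or help-desk script might validate a new local account password before setting it, so that the account is not flagged later. It does not probe live accounts the way MBSA does; the account records and the machine name are constructed sample data. The page does not say how MBSA matches, so case-insensitive comparison and treating "uses the word" as a substring match are assumptions of this example.

```python
"""Weak-password conditions from the MBSA "Local Account Passwords" check,
applied as a pre-set validator for candidate local account passwords."""

# The five conditions listed on the page, in the page's order.
BLANK = "blank"
SAME_AS_ACCOUNT = "same as user account name"
SAME_AS_MACHINE = "same as machine name"
USES_PASSWORD = 'uses the word "password"'
USES_ADMIN = 'uses the word "admin" or "administrator"'


def weak_password_findings(candidate, account_name, machine_name):
    """Return the conditions from the list that the candidate password matches.

    Assumptions (not stated on the page): comparisons are case-insensitive,
    and "uses the word" means the word occurs anywhere in the password.
    """
    if candidate == "":
        return [BLANK]  # nothing else is meaningful for an empty password
    findings = []
    c = candidate.casefold()
    if c == account_name.casefold():
        findings.append(SAME_AS_ACCOUNT)
    if c == machine_name.casefold():
        findings.append(SAME_AS_MACHINE)
    if "password" in c:
        findings.append(USES_PASSWORD)
    # "administrator" contains "admin", so one substring test covers both words
    if "admin" in c:
        findings.append(USES_ADMIN)
    return findings


def is_acceptable(candidate, account_name, machine_name):
    """True when the candidate would not be flagged by any of the conditions."""
    return not weak_password_findings(candidate, account_name, machine_name)


def audit(accounts, machine_name):
    """Produce a report in the shape of the check's output over constructed
    account records: (account_name, candidate_password, disabled, locked_out).
    Returns a dict keyed by account name listing weak-password findings plus
    the disabled / locked-out notices the check also raises."""
    report = {}
    for name, candidate, disabled, locked_out in accounts:
        notices = weak_password_findings(candidate, name, machine_name)
        if disabled:
            notices.append("account is disabled")
        if locked_out:
            notices.append("account is currently locked out")
        report[name] = notices
    return report


# Constructed sample data for the demonstration (hypothetical accounts and host).
SAMPLE_MACHINE = "WORKSTATION7"
SAMPLE_ACCOUNTS = [
    ("alice", "", False, False),                          # blank
    ("bob", "Bob", False, False),                         # same as account name
    ("svc_backup", "workstation7", False, True),          # same as machine name, locked out
    ("admin2", "Administrator1", True, False),            # uses "admin", disabled
    ("carol", "correct horse battery staple", False, False),  # no findings
]

if __name__ == "__main__":
    for account, notices in audit(SAMPLE_ACCOUNTS, SAMPLE_MACHINE).items():
        print(f"{account}: {', '.join(notices) or 'no findings'}")
```

Because the check is about what a scanner would flag rather than general password strength, a password that passes `is_acceptable` can still be weak by other measures; combine it with the platform's password policy rather than using it alone.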
This check also notifies you of any accounts that have been disabled or are currently locked out.
For Windows XP machines that use simple file sharing (this includes Windows XP Home Edition and Windows XP Professional machines not joined to a domain), MBSA will not flag local accounts with blank passwords. To help protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen.
Notes
- Microsoft Baseline Security Analyzer does not attempt to crack passwords during this check; instead, it attempts a password change request using each condition in the preceding list. If an account lockout policy is in effect on the scanned machine, the lockout counters will be reset.
Additional Resources
What's New in Security for Windows XP Professional and Windows XP Home Edition
Creating Strong Passwords
How to Enable Strong Password Functionality in Windows NT
©2002-2004 Microsoft Corporation. All rights reserved.