11.2.05

Limited Admin Rights on Windows XP with Blank Password

Here is something I learned from Aaron Margosis today that I think would be of interest to a lot of you. If you run with least privilege you probably have set up an "Admin" account with Administrator rights and your normal account with Limited User rights.

Now here is something I learned today that floored me. Since the introduction of Windows XP, a blank password is actually MORE SECURE for certain scenarios than a weak password. By default, any account that has a blank password can only be used for log on at the console. You cannot get network access, and it cannot be used with "Run As". Isn't that interesting? A middle ground for the mom and pop home machines that don't use passwords anyway... and want to limit their normal user access rights.

There are two problems with this approach that I see though. You have to trust everyone who has physical access to the computer... which is something I cannot do for my TabletPC (especially when on the road) or office machines. Secondly... as a normal user I hate having to CTRL-L to user switch and log on if I want to do anything 'adminy' (is that even a word???). I like runas, and you just can't take that away from me.
But if you are ok with those constraints... party on with an Admin account with a blank password that only allows console login.
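
The console-only behaviour is a default, so it is worth confirming it is still in force before relying on it. The following is an added example, not part of the original post: a PowerShell audit for current Windows versions (5.1 or later, LocalAccounts module). It assumes the restriction is stored in the `LimitBlankPasswordUse` registry value, which the post does not name, and the function name is hypothetical.

```powershell
# Added example (not from the original post).
# Assumption: the restriction is backed by the LimitBlankPasswordUse value under
# the Lsa key (security option "Accounts: Limit local account use of blank
# passwords to console logon only"). 1 = restriction on, 0 = restriction off.
function Get-BlankPasswordExposure {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue

    $policy = if ($null -eq $prop) { 'NotSet' }            # value missing: verify by hand
              elseif ($prop.LimitBlankPasswordUse -eq 1) { 'ConsoleOnly' }
              else { 'Unrestricted' }                       # blank passwords usable remotely

    # SIDs of the members of the built-in Administrators group (S-1-5-32-544).
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.SID.Value })

    # Enabled accounts that are allowed to have no password at all.
    # PasswordRequired = $false means a blank password is permitted, not that one is set.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        ForEach-Object {
            $isAdmin = $adminSids -contains $_.SID.Value
            [pscustomobject]@{
                Account     = $_.Name
                IsAdmin     = $isAdmin
                Policy      = $policy
                # With the restriction on, the remaining exposure is physical access.
                # Without it, a blank password is reachable over the network and via Run As.
                Finding     = switch ($policy) {
                    'ConsoleOnly'  { 'Console logon only; protect physical access' }
                    'Unrestricted' { if ($isAdmin) { 'HIGH: blank-capable admin usable remotely' }
                                     else { 'Blank-capable account usable remotely' } }
                    default        { 'Policy value missing; check Local Security Policy' }
                }
            }
        }
}

Get-BlankPasswordExposure | Format-Table -AutoSize
```

Run it from an elevated prompt. An account listed with `Policy = Unrestricted` no longer has the protection described above and needs either a real password or the policy turned back on.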