
Limit Local Account Use of Blank Passwords to Console Logon Only

One of the coolest features with Windows XP is how it handles blank passwords. By default, if an account has a blank password it can only be used at the console, not over the network. This is designed as a home-user feature, giving home users the same experience they would have with Windows 9x, where passwords provide no real value. The Group Policy setting is there only to enforce this functionality. It is important to ensure that it stays on.

For the record, you can use this functionality with Windows Server 2003 as well. We have recommended its use in cases where we have servers locked in physically secure racks. Setting a blank Administrator account password allows physically trusted personnel to access the systems in case of severe failure, but those Administrator accounts cannot be used across the network by an attacker.

Anonymous Restrictions

Clients should look like black holes on the network to all systems other than management points. The authenticated IPsec bypass in the Windows XP Service Pack 2 firewall is a great way to make that happen, but the same lockdown should also be done with respect to anonymous restrictions. Pure clients have no business volunteering anything to anonymous users, and we recommend configuring all the anonymous settings discussed above.

We have even gone so far on some particularly threatened clients as turning off the Server service. This will, however, render the machine unmanageable since the Server service is used by virtually all remote management tools. On a system that is particularly threatened where remote management is not a requirement, however, this may be a reasonable course of action.
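As an added example (not code from the book), the following PowerShell check reports whether a client enforces the settings discussed above: the blank-password restriction, the LSA anonymous restrictions, and the state of the Server service. The registry value names (LimitBlankPasswordUse, RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the service name LanmanServer are the standard Windows ones rather than names taken from this page; the expected values are this example's assumptions.

```powershell
# Added example, not from the book: read-only audit of the LSA hardening
# settings this section recommends. Run in an elevated PowerShell session.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Expected DWORD values (assumed baseline). LimitBlankPasswordUse backs the
# policy "Limit local account use of blank passwords to console logon only";
# the other three are the "Network access" anonymous restrictions.
$Expected = [ordered]@{
    'LimitBlankPasswordUse'     = 1   # blank-password accounts: console only
    'RestrictAnonymous'         = 1   # no anonymous enumeration of shares
    'RestrictAnonymousSAM'      = 1   # no anonymous enumeration of SAM accounts
    'EveryoneIncludesAnonymous' = 0   # Everyone must not include Anonymous
}

function Get-LsaFinding {
    param([string]$Name, [int]$Want)
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows falls back to its built-in default. Flag it so
        # the policy gets set explicitly instead of relying on that default.
        $actual = 'not set'
        $ok = $false
    } else {
        $actual = [int]$item.$Name
        $ok = ($actual -eq $Want)
    }
    [pscustomobject]@{ Setting = $Name; Expected = $Want; Actual = $actual; Compliant = $ok }
}

function Test-ClientLockdown {
    $findings = @(foreach ($name in $Expected.Keys) {
        Get-LsaFinding -Name $name -Want $Expected[$name]
    })
    # Server service: the text notes that stopping it makes the box
    # unmanageable, so report its state and leave the judgement to site policy.
    $srv = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue
    $state = if ($srv) { "$($srv.Status) / $($srv.StartType)" } else { 'not installed' }
    $findings += [pscustomobject]@{
        Setting = 'LanmanServer (Server service)'; Expected = 'site policy'
        Actual  = $state; Compliant = $null
    }
    $findings
}

Test-ClientLockdown | Format-Table -AutoSize
```

The StartType property on service objects requires PowerShell 5 or later; on older versions drop it and report only Status.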

Enable Auditing

How much auditing you really want to do on clients depends on many factors: the threats you face, the management processes in place for audit logs, the number of clients, and so on. Generally speaking, you probably do not want to collect gigantic logs from clients. A few events, however, can prove very useful in forensics.
