Solved

Windows XP - Can I have a user without a password and have that system secure in public network?

Posted on 2014-09-25
Last Modified: 2015-03-19
I have an old Windows XP OS desktop I use for POP3 and SMTP email only.
Is there a way I can keep a user with no password and yet keep the system secure?
What I mean is: is it absolutely necessary that every Windows user must have a Windows password? The default is no password. I am hoping that so long as I am not using Remote Terminal or network shares on my Windows XP SP3 desktop, it will remain secure.
I use this for my email almost solely and do not intend to be installing any network software other than THE BAT by RITLABS.COM, so please let me know if this is a problem from a security standpoint. I am not talking about the Administrator, just a single user, and perhaps there is a way to simply strip any remote access by a specific user and handle the issue that way?
Question by:Robert Silver
16 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 40345228
Can you explain why you would not want a password for local users?  Can you lock up the system in a secure area?  Are you concerned that someone from the internet might access the system from outside if there is a local user with no password?

What is at stake if an untrusted person gains access to the system?  If only some bits and bobs, then no matter.  If the password to the vault that holds the recipe for digestive biscuits, then maybe.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40345240
I don't understand what having a password does that's objectionable.
A user can have a password and NEVER need to use it overtly.

The real issue with Windows XP is that it is becoming increasingly vulnerable.  I don't think that passwords have much to do with that really.  It remains to be seen what kinds of vulnerabilities emerge.
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
ID: 40345260
Is there a way I can keep a user with no password and  yet keep the system secure?

NO. Dead simple to hack into.

Can I keep XP secure?  

Not any more. Operating system holes will never again be patched.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40345270
I'd be interested, and I'm sure you'd be interested in view of your question:

Under what conditions can a computer be hacked with or without a password?
I'm thinking that the computer is on a LAN  / a private network and NOT on a public network.
I'm thinking that telnet is disabled (a common situation as it has to be overtly ENabled).
How to access then?

Clearly, no password is the ultimate of simple passwords.  Yet, it is a password called [blank].
The question then really, is what is the hacking mechanism that simple passwords are vulnerable to on a private network without telnet?
I just don't know the answer so I ask.
 
LVL 2

Author Comment

by:Robert Silver
ID: 40345271
Interesting response. I have a screen saver on the system and constantly need to access it physically, so I know the importance of a password. What I am trying to do here is not have one and feel safe from remote access.
If Windows was set up properly this would never be an issue, mainly no remote access via the network, period; then I could feel free not to have a password on one specific user I tend to use on the unit.

Microsoft does so little to protect us from malware and viruses it makes me sick, but that being said,
I would not mind making this machine only connectable via ports 110 and 25 and derivatives of port 25 for my email servers.

My question would still be: suppose I just want to not have to use a password on that one computer, what does it take to make it safe without a password?  This should not be impossible. I have seen CEOs with no password in their office, so someone must have a way to make it work. Of course I would never do this in a publicly available kiosk or office, but a locked or private machine???
At the end of the day I am looking for a way to provide no password, possibly because the user just does not want the hassle.
How many of you password protect your internet phones? Few people have the patience to log in when a call comes through, in my experience.

I get it, normally passwords are vital, essential even, but this desktop will not be vulnerable that way. If I can switch off all the remote login capabilities I think my machine should be reasonably safe, and if it does get a virus or malware that password would have no bearing on damages by any virus, as use of the device is guaranteed anyway.

Can anyone at least explain why Microsoft defaults to no password in the logins on home edition XP???

Frankly, for the lazy user involved's sanity I would like better responses here. Stop the I must have a password speech please. This should very easily be doable and secure enough so long as no one can connect through a NAT class C connection and log in remotely in any form via BIOS or otherwise.
I should mention Administrator does have a password, but why wouldn't I want the ability to not have to log in if my desktop is secured by a key.

I know biometric devices are a more costly way to provide a no password solution (actually there could be a password but the user need never use it). Just scan their finger.

Can anyone show me an easy way to just shut off remote access of all kinds: BIOS, TCP/IP etc.?
 
LVL 90

Expert Comment

by:John Hurst
ID: 40345279
Microsoft does so little to protect us from malware and viruses  <-- That is actually not true. With Windows 8.1, EMET (Microsoft) and top notch commercial, paid anti virus, there is not much way to hack it.

Can anyone at least explain why Microsoft defaults to no password in the logins on home edition XP???

That was just a dumb idea on their part which has long been corrected.

Without a password, it is easy to install Cain's Agent and get into the system. Cain is from oxid.it and is a legitimate tool but can be used to get into insecure systems.

Stop the I must have a password speech please

XP is dead. It is insecure, and it is very easily hacked. Passwords (especially passwords with special characters) are a way to protect. This is true even if you don't wish to listen.
 
LVL 2

Author Comment

by:Robert Silver
ID: 40345280
John Hurst - You were completely definitive about the simple hack and I am not arguing, although how will I add security holes if I plan not to install any new software on this old XP box? I do not have Microsoft Office installed or anything else that should affect me. I use "The Bat" by Ritlabs.com.
Can you explain why no password is the default for Microsoft?  How often is the Windows user transmitted out or accessible? I mean, if my user name was R18378947KUBLIKAHN, how would a hacker get that user name, let alone start trying to access my computer, and how would it happen through a NAT home LAN connection in any event?
Can you give me any scenarios? That would really help my understanding here.
If I used WireShark would that help me better understand how the hack is so simple?
Even connecting to the unit should be impossible. I have Norton Internet Security running so a formidable firewall is in place.
HOW IS THIS A SIMPLE HACK?
 
LVL 90

Expert Comment

by:John Hurst
ID: 40345281
How many of you password protect your internet phone's

Do you understand this at all?  You can password protect a smart phone and still receive a call. As soon as the call is over, you have to log in to use the phone. But you can receive a call. I lock and password my phone and it does not impede its use.

Think ahead. Systems have been ever more secured and passwords are now necessary on the strongest systems.

 
LVL 90

Expert Comment

by:John Hurst
ID: 40345283
Can you explain why no password is the default for Microsoft?  <-- I did. It was a lapse of judgment on their part that they have corrected.

The case you are making is from a decade ago. What you are trying to do won't work on a modern system.

Please do not misinterpret me. You can do as you wish and it does not matter to me.

I am only pointing out what can happen to an insecure system.
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 40345294
@rsdds,

What exactly are you arguing for or against?  Either you think passwords are a good idea or you don't.  In either case you don't seem open to any logic that says yea or nay.

So, make up your own mind and go with that policy.  Install a secure user and password, including the screen saver on that now outdated system or not.  But be aware that the consequences of your decision are yours alone and no one else's.
 
LVL 2

Author Comment

by:Robert Silver
ID: 40345296
That was the point of the question. It just seems to me that the whole need to reboot should have been thrown out as well.
But on another note, how would a hacker get my Windows user name? Unless Microsoft sends it out idiotically, I do not see how that information would ever be transmitted. Hostname maybe, but my Windows user names should never be transmitted.
I recently had a VOIP spoofer pretend to be from Microsoft and asked them my host name, since they were calling to tell me they noticed my system was infected. The losers could not even tell me the HOSTNAME, let alone my user name or Windows login, so I knew they were would-be hackers.

I would hope that Microsoft never transmits user Windows login names. I know NetBIOS probably transmits HOSTNAMEs because in Windows Explorer you can see all the hostnames you are connected with on your LAN anyway, but
I sure do hope Microsoft never sends Windows LOGIN information anywhere unless a remote connection by that Windows LOGIN USER is ever attempted knowingly.
 
LVL 53

Expert Comment

by:McKnife
ID: 40345535
The thread is growing nothing but chaotic. Please keep it to some simple questions, all of those will have definite answers like these:

"Is there a way I can keep a user with no password..." - yes!
"...and yet keep the system secure?" - it depends how you define what should be secured. Without a password, an account cannot be used for runas (runas is an attack vector), nor is it possible to use this account for network logon (that is: share access, remote process execution and so on).
"Is it absolutely necessary that every Windows User must have a windows password?" - of course not. It depends on what possible attacks you see.
"The default is no password" - incorrect. You may set no password, that's how it is. But you are asked to set one.
"perhaps there is a way to simply strip any remote access by a specific user and handle the issue that way?" - see above what I wrote about network access.

But frankly: if you are not familiar with network security, then you should not use XP and at the same time expect to be able to secure it... even with the help of EE, this is not possible.

You could get all shields up: use the firewall and no remote access is possible. As for other vulnerabilities that come in through malware and unsafe browsing habits AND of course the OS vulnerabilities that are no longer patched, it all depends on you if those get exploited.
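A read-only audit of the settings named in the comment above (blank-password network logon, the firewall) together with the Telnet and Remote Desktop switches raised earlier in the thread, as an added example that is not part of any poster's reply. It assumes Windows XP SP2 or later (for `netsh firewall`) and the standard Telnet service name `TlntSvr`; it changes nothing on the machine.

```batch
@echo off
rem Added example: read-only check of the remote-access settings discussed
rem in this thread. Run from a Command Prompt on the XP machine.
setlocal

echo [1] Blank-password accounts limited to console logon?
rem LimitBlankPasswordUse = 0x1 means an account with an empty password
rem cannot be used for network logon or runas, only at the console.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse 2>nul | find "0x1" >nul
if errorlevel 1 (echo     WARN: not enforced or value missing) else (echo     OK: enforced)

echo [2] Remote Desktop connections denied?
rem fDenyTSConnections = 0x1 means incoming Remote Desktop is refused.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections 2>nul | find "0x1" >nul
if errorlevel 1 (echo     WARN: Remote Desktop allowed or value missing) else (echo     OK: denied)

echo [3] Telnet service running?
rem A missing service also counts as "not running" (for example on XP Home).
sc query TlntSvr 2>nul | find "RUNNING" >nul
if errorlevel 1 (echo     OK: not running) else (echo     WARN: Telnet service is running)

echo [4] Windows Firewall operational mode:
netsh firewall show opmode

echo [5] TCP ports this machine is listening on:
rem A mail-only client needs outbound 110 and 25; it needs no listeners at all.
netstat -an | find "LISTENING"

endlocal
```

Any WARN line, or a listener in step 5 that is not bound to 127.0.0.1, is a remote-access path that exists regardless of whether the account has a password.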
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40346462
I'm having a bit of trouble following the issue here.
I asked about the particular environment but so far have seen only tangential anecdotal comments.
As McKnife also mentions, it depends on your situation or assumptions.
Different situations present different vulnerabilities.

I didn't understand the comment about screen savers.  Clearly it's related but, as I said earlier, you can have a password and not have to use it.  Screen saver has that option.

Also, I'm surprised that nobody mentioned using "control userpasswords2".
This allows the computer to automatically log in using a "hidden" username and password without anyone entering the password.
However this only affects the initial startup login.
Other things will still require the password.

Having said these things, I think we're back to the fundamental question:

- what environment situation are you interested in receiving an answer to your question?
I suggested that telnet is not enabled as one assumption.
I suggested that being on a private LAN as another suggestion.
... what else?  and what different?
- are you interested in internal or external threats?
Given this information then folks can tell you what vulnerabilities may lurk.

Have you considered setting it up the way you want and then running something like Microsoft Baseline Security?
 
LVL 27

Expert Comment

by:tliotta
ID: 40391022
In addition to everything already said, no one knows all of the possible ways to attack a WinXP system remotely, including via port 110 or 25. New ways will likely be discovered for the next five or more years, and we can't know what will come.

The built-in firewall is probably as good as you're going to get if those are the only ports you really want to keep open. With all others blocked, and if the system is patched to its fullest degree, it probably doesn't matter what else you do.

Just don't expect certainty. No one can provide it. (Nor is anyone likely to post "how" it might be done in an open, ethical forum.)

Tom
 
LVL 2

Expert Comment

by:SteveInNV
ID: 40676705
If you're looking for an answer and not an argument, here's the most basic answer: if you don't want to use a password *AND* you choose to use an old, unsupported OS with no security updates, then a) unplug the computer from any and all communications systems (serial, USB, network, etc) and b) create a new account with no password.  Problem solved.

Arguing about the validity of hardening systems is futile and just plain silly.

Thanks, and good luck.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40677117
The last author comment was last September.....
Why hasn't this been closed long ago?