CastleCops, Internet Crime Fighters

[DONE]Should XP user accounts have a logon password or not?

 
Joe_Walden

Trooper
Joined: Oct 18, 2007
Posts: 11
Location: USA

Posted: Wed Dec 26, 2007 12:01 am    Post subject: Should XP user accounts have a logon password or not?

I'm working my way through the Windows Security Checklist and am confused about user logon passwords.

"Part 28 Limited-User Security on Windows XP" says:

Quote:
A. Set up an "Administrator" account called "Admin," without a password.
B. Set up a "Limited User" account for each person who will be using the computer, without passwords.

By default, an account with a blank password can be used only for logging on at the console. It cannot be used for network access, nor with "Run As." Just clicking on your name to log on is so easy. If you can trust everyone who has physical access to the computer not to log on as someone else or abuse the Admin account, this is a good way to go. If not, you can always enable passwords.

But "Part 29: Securely Configuring Windows XP" says:
Quote:
4. Use Passwords on All Accounts

Both the Professional and Home editions of XP allow user accounts to utilize blank passwords to logon. In XP Pro, accounts with blank passwords can no longer be used to logon to the computer remotely over the network. Blank passwords are not good if you care about security. Be sure to assign passwords to all accounts. Note: In XP Home Edition, all user accounts have administrative privileges and no password by default. Make sure you change this as soon as possible.

Can someone please tell me which approach is better and why?

Thanks,
Joe Walden
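
The Part 28 quote above relies on the default restriction that keeps blank-password accounts to console logon. As an added example (not part of the original thread or of the checklist), this Windows PowerShell script reports whether that restriction is in force and which enabled local accounts are allowed to have no password. The function names are hypothetical, and the script assumes Windows PowerShell with WMI available.

```powershell
# Added example: report how this machine treats blank-password accounts.
# Assumes Windows PowerShell (Get-WmiObject is not available in PowerShell 6+).
# Function names below are hypothetical, chosen for this example.

function Get-BlankPasswordPolicy {
    # Registry value behind the policy "Accounts: Limit local account use
    # of blank passwords to console logon only".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $key -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return 'NotSet' }
    if ($lsa.LimitBlankPasswordUse -eq 0) {
        return 'Disabled: blank-password accounts can also log on over the network'
    }
    return 'Enabled: blank-password accounts can log on at the console only'
}

function Get-PasswordOptionalAccount {
    # PasswordRequired = False means the account is allowed to have a blank
    # password; it does not prove the password is blank right now.
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name         = $_.Name
                # RID 500 is the built-in Administrator account.
                BuiltInAdmin = ($_.SID -like 'S-1-5-21-*-500')
            }
        }
}

"Blank-password policy: $(Get-BlankPasswordPolicy)"
$optional = @(Get-PasswordOptionalAccount)
if ($optional.Count -eq 0) {
    'Every enabled local account is required to have a password.'
} else {
    'Enabled local accounts that may have a blank password:'
    $optional | Format-Table Name, BuiltInAdmin -AutoSize
}
```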

johnlgalt

Special Response Team
Premium Member

Joined: Feb 27, 2007
Posts: 1419

Premium SRT

Posted: Wed Dec 26, 2007 8:03 am

Here is the deal:

1) Blank passwords are good for home use when you set up limited user accounts, as long as, just like it says, you can trust the individual users to not mess with other users' settings. I disagree with the blank password for the admin account - for example, there was a thread recently here (or at another forum) where a user could not use Recovery Console because the password was blank. Recovery Console is used to repair Windows if it develops a problem preventing boot / use.

2) I tend to disagree with not using a password at all - I'd rather there be *some* sort of password for all accounts just to keep everything safe, and to prevent accidental logons by the wrong person - it can create minor inconveniences, small annoyances, or lead to further problems down the road.

My *personal* suggestion is to create passwords for everyone - that is just how I like doing things, though.


Joe_Walden

Trooper
Joined: Oct 18, 2007
Posts: 11
Location: USA

Posted: Fri Dec 28, 2007 7:46 am

Thanks John.

I hadn't heard about the potential password problem when using Recovery Console. I Googled it and came up with some interesting hits but they seem to all be about Recovery Console sometimes not accepting your administrator account password if WinXP was pre-installed by the computer maker. For example: http://support.microsoft.com/kb/308402 Don't know if that's what you were referring to or not, but now that I'm aware of the issue(s) I'll put it on my list of subjects I need to learn more about.

I've always felt pretty safe as far as anyone gaining unauthorized access to my computer from the keyboard because I have a password in BIOS that locks the whole machine. That has the advantage of not having to enter a separate password to move from one account to another, but I tend to agree with you that having a separate password on the Admin account is probably a good idea.

In fact, after thinking about this issue I've decided it would be a good idea to set up three accounts, even on my private computer:

  1. Admin with a logon password
  2. LUA with access to my personal/private files and a logon password
  3. LUA for video games and normal Internet access (No access to private/personal files).

That was also a good suggestion about having even a simple password on each user account preventing anyone accidentally logging onto someone else's account by clicking the wrong icon/name on the Welcome/Login screen of a shared computer.

johnlgalt

Special Response Team
Premium Member

Joined: Feb 27, 2007
Posts: 1419

Premium SRT

Posted: Sat Dec 29, 2007 2:52 am

You've thought this out, I can tell. I normally have never used a LUA myself, (except on *nix boxes) simply because it was too much of a hassle to set up in XP, and part of that reason was that I tend to install something new / updated almost every single day (I like testing software, what can I say?) so even after reading the extensive blogs by Aaron Margosis on running as LUA and getting the different hacks and scripts to set up a ltd user account,...I found Vista and decided on skipping that chapter of my life.

Your structure certainly makes sense, and more so - if your games profile gets hosed, you still have the other profiles to work in and install from, so overall, it looks great. In fact, in the coming months, *I* might 'borrow' your idea there for my own scheme.

Cheers!


All times are GMT