Jun 27 2005
Backdoor == Bad
A back door is a bad idea to begin with. A back door with a blank password is foolish in the extreme. Dell may have some explaining to do to their customers. The only saving grace is that you need to have physical access to the computer to take advantage of the misconfiguration.
2 Responses to “Backdoor == Bad”
This is a pretty weak vulnerability and really has nothing to do with Dell. It’s loooong been known that Windows will install with no administrator password. XP is just more user-friendly so the users don’t know the administrator account exists.
From a logical point of view, Windows XP prevents the administrator account from being used over the network if it has no password. Therefore, to use this account you need physical access to the PC. Given physical access to the PC, you own the PC (pull the drive and mount it elsewhere, boot with alternate media, etc.). This is not a real vulnerability…
Steve,
You’re spot on. This is more of a poorly thought-out installation practice, one which Microsoft shouldn’t allow. But I guess they need to have a default password on mass-produced systems. Without some sort of default password, Dell’s tech support calls will end with a lot more ‘format your hard drive and re-install’ answers. This would lower customer satisfaction, in turn costing Dell money.
A possible solution: Dell already has a database of every computer they’ve sold. They could create a password tied to the computer serial number for the local administrator account. This serial number could be included in the initial documentation for the end user, and be kept in the database for tech support calls. Not a perfect solution, but better than no password or a default password.