The other day the conversation came up about blank passwords on accounts in Win2k3 and XP, and I made the point that on a default-installed system, an account with a blank password cannot be accessed remotely from the Internet. The argument can be made that if you can physically secure a device, such an account is actually more secure, since it cannot be remotely accessed at all.
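The default behind that point is the local security policy "Accounts: Limit local account use of blank passwords to console logon only". The following audit script is an added example, not something from the original post; it assumes a Windows machine with the Win32_UserAccount WMI class available and an elevated prompt so every local account is readable.

```powershell
# Added audit check (not from the original post): confirms the default that
# keeps blank-password local accounts console-only, then lists local accounts
# that Windows flags as "password not required" (the blank-password candidates).
# Assumes Windows XP/2003 or later and an elevated prompt.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$limit  = (Get-ItemProperty -Path $lsaKey -Name 'LimitBlankPasswordUse' `
            -ErrorAction SilentlyContinue).LimitBlankPasswordUse

# LimitBlankPasswordUse backs the policy named in the lead-in.
# 1 (set on a default install) = blank-password accounts can log on only at the console.
# 0 = they can also be used for network logons, which is the setting to worry about.
if ($null -eq $limit -or $limit -eq 1) {
    Write-Output 'LimitBlankPasswordUse: enabled (default) - blank passwords are console-only'
} else {
    Write-Output 'LimitBlankPasswordUse: DISABLED - blank-password accounts are usable over the network'
}

# PasswordRequired = $false means the account is allowed to have no password;
# it does not prove the password is blank, only that Windows will accept that.
$noPassword = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.PasswordRequired -eq $false }

if ($noPassword) {
    Write-Output 'Local accounts that do not require a password:'
    $noPassword | Select-Object Name, Disabled, Lockout | Format-Table -AutoSize
} else {
    Write-Output 'No local accounts are flagged as password-not-required.'
}
```

If the first line reports DISABLED, the console-only protection the post relies on is gone and any blank-password account on that machine is reachable over the network.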
I went on to say that my Tablet PC had an administrative account that had a blank password.
Now to many that seems like an insane thing to do for a person who has volunteered on various security groups and has a GSEC certification to boot.
But I do it for a reason: to remind me that key data should never be on that device in the first place. Part of it is to prove the point that when you work in an industry like mine, client information and client data should never be on a mobile device. The laptop is used for Remote Web Workplace, blogging, Internet access and personal (but not business) email. There is truly more client data on my cell phone than there is on that laptop. Because the laptop is designed (on purpose) to be an expendable device, it’s a reminder to never put any information on that laptop that I care about. Because truly, if I lose the laptop, regardless of whether I have a password on an account or not, law number 3 of computers states that should I lose physical security of a device, it’s no longer mine.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Oh, the things a bad guy can do if he can lay his hands on your computer! Here’s a sampling, going from Stone Age to Space Age:
He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
He could unplug the computer, haul it out of your building, and hold it for ransom.
He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I’ve configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).
He could remove the hard drive from your computer, install it into his computer, and read it.
He could make a duplicate of your hard drive and take it back to his lair. Once there, he’d have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it’s almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.
He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.
Always make sure that a computer is physically protected in a way that’s consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures.
If you travel with a laptop, it’s absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows® 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn’t been tampered with is to keep the laptop on your person at all times while traveling.
So if you design your system from the beginning with the thought that the device you use is expendable, then you don’t use it as anything other than a conduit. Thus no Outlook over HTTP is allowed. And as far as the risk of the device having connection information left on it? What’s the risk of a Remote Web Workplace web address if you have a strong password and Scorpion Software’s RWW Guard? If Internet temp files are dumped on exit? If the risk of the device having data left behind on it is so great, then it should be encrypted. If the risk is the device having access or connection information on it, then don’t access from it. See where I’m going here?
Remember that if you have physical access to a system, it is trivial to reset the password. And if you reset the password, it’s owned. Thus the lack of a password on one of the accounts is a mental reminder to me to consider that laptop expendable: to keep it physically secure, to never store data on it, and to accept that if it’s not physically secure, it’s worthless to me as a secured, and therefore securable, device.
Truly there is more risk to me in the loss of my cell phone, with a domain password and Outlook synced to the office server, than there is in a Vista Tablet PC that is not domain joined, dumps IE temp files, is small enough that it travels everywhere I do, and doesn’t have client data on it because I use Remote Web Workplace back to the office.
Steal my laptop? Go ahead. Steal my cell phone? Then I’m using the remote wipe features of Exchange 2003 SP2’s mobile pack. In fact, if you truly do care about the information on that laptop such that you’d never let it leave your site without a password, then you install a remote “nuke and pave” program so that should it leave your physical custody, you still have a bit of control over that Law #3 above. Now I’d argue that if you lost a laptop, you’d probably, for a little more comfort and peace of mind, change the passwords on your accounts even with my remote access policy.
But see where I’m trying to get you to see here? The risk is directly related to the data on the device. And the risk is physical security. And once you lose that, it really doesn’t matter anymore whether the password is one that’s long and complex, or even blank.
Game is over. Bad guys have won.
So unless that key data is encrypted on that device, or stored elsewhere, or, better yet, not on the device in the first place, with the device used as nothing more than a dumb terminal of sorts, then whether you use a blank password or not, if you lose physical access, you’ve already lost.
Protect the data. The device is expendable.
P.S. On Vista this is more of an exercise in just being unusual, since the built-in Administrator account is disabled anyway.