Standard installations of Windows XP all have two default accounts. The "Administrator Account", which is usually only seen on the "Welcome/logon screen" when XP has been started in "Safe Mode". The other is the "Guest Account". This is well known by all would be intruders, which means they are half the way to controlling your computer. They have an account name now all they need is the password. If these two accounts DO NOT have password protection then the bad guys are all the way there should they breech other security measures that you have in place. The intruder could have as much control of the computer as you have. To enforce my point here is a quotation from Wikipedia, the online encyclopedia.
Security issues are compounded by the fact that users of the Home edition, by default, receive an administrator account that provides unrestricted access to the underpinnings of the system. If the administrator's account is broken into, there is no limit to the control that can be asserted over the compromised PC. Link to Quote
Windows XP Professional has Administrative tools that aren't available in the Windows XP Home Edition. With these tools available from the control panel XP Pro users can secure these two accounts with ease. In fact, all local user accounts on their machine can be secured with these tools. The only prerequisite is that the account being used must have administrator privileges. Therefore, this article is aimed primarily at XP Home users. The techniques to be described can also be applied to the XP Pro version.
Getting back to the subject, a password on these accounts is all that is needed to slow down the bad guys. A good strong password could stop them cold. Good strong passwords are a mixture of upper and lower case letters, numbers, symbols and spaces. A length of eight characters has been recommended for quite some time, however, longer IS better. Although that makes them hard to remember, the bad guys won't be able to just run through a dictionary until they get the right password. The art of creating strong passwords is not the subject of this article, however, since it is such an important part of your personal security here are a few links that give you some pointers.
- How To Create and Use Strong Passwords
- Security Now Episode 4
- Security Now Episode 5
- Creating Passwords
Once you have chosen your passwords, you will be ready to associate them with an account. This is done on the User Accounts screen. My eight year old daughter showed me this short cut. Click on the "Start" button.
At the top of the "Start Menu" click on your user picture. This opens the "User Accounts" dialog at the user icon screen.
What we want on this screen is located at the top just under the title bar. The title bar is the part of the screen that has minimize, maximize and close buttons on one end and the title on the other. Directly under the title are three buttons one labeled "back" the other arrow button is dimmed and and the other is labeled "Home".
Click on the "Home" button.
This opens the "pick a task or pick an account to change" dialog window.
Under "or pick account to change" are icons for each user account plus one for the Guest account.
If your account does not have a password yet click your user icon.
Now click "Create a password"
This takes us to the "Create a password" dialog. Here you type in your chosen
password in the top line then again in the middle box. In the bottom box you type
in a word or phrase that will remind you what your password is should it ever slip
your mind. This does happen and for those of us that were always told to never write
their password down a good hint can be a life saver. Lately, this policy has been
changed. These days writing passwords down is encouraged with emphasis on keeping
your list in a safe place because an easy to remember password is likely to be an easy
to guess password. Now just click the "Create Password" button and repeat this step
for the other user accounts or have the other users do it.
That brings us to the Guest account. If you remember, for the other accounts there was either the choice to assign or to change the password. This is not true with the Guest account. Notice rather than reporting user privileges or indicating that the account is password protected the Guest account simply says "Guest account is on" Click the Guest account icon to open the "Change account" dialog.
The first thing you'll notice is that there are no options here at all for passwords.
We can however turn this account off by clicking "Turn off the Guest account" after which
we are returned to the "pick an account..." screen. Here we can see that the Guest account is now off. However, it still isn't protected by a password. If you have XP Professional Edition, you can, as mentioned, assign passwords via Administrator tools available in the control panel or by typing "lusrmgr.msc" in the run box. With the Home Edition of XP, however, it is necessary to use the "command line interpreter" to give the Guest account a password. Unfortunately, I only have access to Home Edition so can't do a step by step on the lusrmgr.msc procedure. The "command prompt" method will work for Win XP Pro as well as the Home Edition.
The long way to get to the command prompt is to click on "Start", then "All Programs", then "Accessories" and finally select "Command Prompt". Another way is to click "Start", then "Run"
In the "Run" box type "cmd", without the quotes, then click the "OK" button. This, by the way is where Win XP Pro users would type "lusrmgr.msc". Whether you choose to use the Start Menu, Accesories route or the Run command you'll end up with the "command prompt" which looks remarkably like the old DOS screens.
The "command prompt" shown here has been resized to make a smaller file for faster downloading. Also the stars seen here after "Documents and Settings\" will, on your command prompt screen, be your user name. You'll find it easier to work with a larger "command prompt" screen. Either resize the window or click the maximize button at the top.
With the black command prompt window resized to suit your tastes, you can finish protecting your Guest account by typing the following into the command prompt :
net user guest your_chosen_password_here
In place of "your_chosen_password_here" you would type the password you have chosen for this account. Make sure to place a space after "net","user" and "guest" otherwise you'll receive a syntax error. Hit the "Enter" key on your keyboard and you're done.
If at this point, you got a "Command completed successfully" return at your command prompt you can proceed to secure your "Administrator" account by clicking this button Next Page. What follows is a more detailed description of this procedure which could also be viewed as a crash course in "command prompt" usage.
You might wonder what use you would ever have for the command shell aside from setting the password for the Guest account. Do you collect music or movies? Have you ever wanted to print out a list of the files in your collection? A savvy Windows user might open "Windows Explorer" navigate to the folder containing the files. Then hit the "Print Screen" button on the keyboard. Then open Paint or any other graphics program and click paste and after a bit of editing print out a picture of a list, repeating this process until the whole list has been printed. A seasoned veteran, however, would open the command window navigate to the folder in which the files are located then type at the prompt "dir /d > filename.txt" after which he would open the text file in "Notepad" and print out a 3 column alphabetized list and be finished long before the other user because pictures take more time to print and might, depending on the number of files in the collection, take several pictures to get the entire list. If that isn't enough reason to become familiar with the command screen then perhaps finding out that there are several Windows Support Tools available that only run in the command prompt will be sufficient reason. The net command is only one of many available for your use. The Microsoft Malicious Software Removal Tool and The Netstat Command are other tools documented on this site.
With that said, lets type "net" into our command window and hit the "Enter" key.
You should have something similar to this on your screen. The colored arrow toward
the top marks where "net" was entered. The lower arrow is the command prompt waiting
for a new command. In between is the result of entering the "net" command a list
of "methods" to be used with this command.
This time type "net user" and hit enter. Again, the stars you see here will be replaced
with names specific to your computer on your screen.
As you can see, entering "net user" results in a list of accounts on your computer. The
ASPNET account is part of Microsoft's .NET framework. The HelpAssistant account is
for Remote Desktop Assistance. The Support_388945a0 account is part of Help and Support
Services. Most of this information can be confirmed by typing the account name after
the "net user" command. Don't forget to make a space after "user". A hint from DOS days :
to use a command again hit the F3 key on the top row of keys on your keyboard. This works
because there is space reserved in system memory for the keyboard and referred to as the
keyboard buffer. This buffer isn't cleared when you hit the enter key and a number of
characters are held in the buffer for reuse until you start typing again.
Check out the report from entering "net user guest".
Notice the arrows pointing out the Guest account's "active status" as "yes" even after we just turned this account off. A very good reason to password protect this account and there is no time like the present so type "net user guest yourpassword" and hit enter. The "guest" and "yourpassword" parts of this command line are referred to as a "parameters".
If you turn your Guest account back on to check the results, you will find that the Guest
account now
looks more like a regular account. Unless you have regular guest users, you might want
to turn this account back off. The view here shows that the Guest account is now
password protected but since we have come this far we might as well do a complete job
of securing this account.
When we now type "net user guest" in our command prompt window we can see that the password has recently been changed. A closer look, however, reveals that the password isn't required. One more step in this procedure should lock this account down.
A bit more knowledge of the command prompt window will explain our last step. As mentioned, command lines consist of commands, methods and parameters. Another command line part to be aware of is what is known as switches or options. These are usually preceded by a slash "/". Furthermore there is one switch that is available to all commands and that is the "/help" switch. If you type "net user /help" at the command prompt and hit enter a help screen, which provides the user with the proper usage of the command in question, is produced. There is also a listing of available switches and options. Notice that the switches and options for the net user command match the lines in the "net user guest" report.
Since we want to change the "password required" line, we'll use the "/passwordreq" switch. If you haven't done anything with the command prompt since the last "net user guest" command line, you can hit your "F3" key hit the space bar then type "/passwordreq:yes". If you have been entering other commands you will probably need to type in the entire line "net user guest /passwordreq:yes" then hit enter.
Now hit "F3" and backspace through the "/passwordreq:yes" switch, leaving the "net user guest" command line. If you hit the enter key you should receive a report on the guest account showing that passwords are now a requirement for this account.
That wraps up the Guest account. Next we secure the "Administrator" account. This account can be password protected using the steps we've covered here with the command prompt. There are other methods that accomplish this and an extra security measure we can put into place on this account. Just click on the "Next" button to go to page two.
Microsoft,Microsoft Office, Windows, Windows XP and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names have been included in the above text that are trademarks of the respective companies.
