Windows security out of the box

millar at millar at
Wed Jul 23 19:14:06 GMT 2003

I've asked Dell and IBM  if they could configure new XP boxes so that end 
users are strongly encouraged to choose strong Administrator 
passwords.  The proposed solution seems like it will be unnecessarily 
confusing to some of our users and I'm wondering if anyone else has made 
any better arrangements with Dell and/or IBM.  Here's what Dell has proposed:

The first thing the new Windows box owner sees when they boot 
out-of-the-box is Windows Mini-Setup (the screen dialogue that every new 
user goes through when they start up a brand new Windows machine).  During 
Windows Mini-Setup the user is presented with a screen to choose a password 
for the Administrator account, but whatever the user types will ultimately 
be ignored (see below).  At this point the user can type anything for an 
Administrator password or nothing -- it's a moot point since whatever they 
type will not be set as the password on the Administrator account.   In 
fact our draft instructions currently tell people to simply type *nothing* 
for password at this stage of Mini-Setup.

When the user completes Windows Mini-Setup, the machine reboots.  At the 
Windows welcome screen, a dialog box appears, saying: "Your password 
expires today. Do you want to change it now?"   Assuming they take the 
default, "yes" they are first asked to type their old password (which, 
you'll recall from above,  is null no matter what they typed back in 
Mini-setup).  They're also asked to choose a new password and re-enter it 
for verification.

OK - so I'm willing to accept the part that you can lead a horse to water, 
but you can't make him drink (i.e. you can make it the default to choose a 
strong Administrator password, but users determined to leave their box wide 
open can always change policy settings or choose to ignore the password 
expiration warning at boot time.)

But the part that is unsatisfying is the bogus Administrator password 
screen prompt that Windows Mini-Setup presents the user with, and which is 
subsequently ignored.  Many users will type something as a password, 
despite our written instructions otherwise.  And human nature is to assume 
that the password "took."   So when the box reboots and the user is asked 
to enter their old password before they can choose a new, strong password, 
human nature is to enter whatever they entered as the Admin password back 
in Windows Mini-Setup.  They will then get an error message and won't be 
able to proceed unless they leave the "old password" field blank.

Has anyone gotten Dell, IBM or Microsoft to provide a more satisfying, and 
less potentially confusing out-of-the-box end user interface that results 
in the user being strongly encouraged to choose a strong password for the 
Administrator account?

Thanks in advance,
Dave Millar
University Information Security Officer
University of Pennsylvania

More information about the unisog mailing list