While testing Windows 7 for eWEEK, Andrew Garcia found something nasty: in certain circumstances, Windows 7 provides anyone with an administrator account that has no password
One thing new with Windows 7 RTM – since the Release Candidate – is that the default administrator account is now disabled by default (the account was also disabled in Vista SP1 and SP2).
When Windows 7 (Ultimate x64 in my case) is installed, the user creates a personal log-in and password, and this account is automatically made part of the local Administrators group. At the same time, a second Administrator user account gets created in the background with no password, but the account is disabled by default.
In the Release Candidate, this account was enabled, but no more.
I discovered this little tidbit, while producing a review of Windows 7, as I configured my system for least privilege user mode.
After I slid the UAC (User Account Control) slider bar to maximum protection, I logged into the Local Users and Groups dialog to change the name of the Administrator account and add a password. Unfortunately, I failed to notice the account was disabled by default.
As a result, once I deleted the Administrators group membership from my personal account, I found I had therefore locked myself out of the ability to access any UAC-protected tools – such as Computer Management or Add/Remove Programs. As there was no active Administrator account in my case, both UAC and RunAs were useless and there was no active Admin account with which I could actively log on.
Then I learned Microsoft only went halfway with this significant change, and, man, the other half is really badly done.
As a last recourse, I rebooted and hit F8 during the OS load to get to the Advanced Boot Options. I selected Windows 7’s new “Repair Your Computer” option, which loads a slimmed-down user interface for the recovery tool. I selected my account with my limited rights credentials from a drop-down menu and was presented with a single option: Startup Repair.
The tool ran a series of diagnostics – it didn’t say what at that time, but I later learned it was running file-system, disk and registry validation checks – then presented me with the option to restore the computer using System Restore. I was not allowed to select which System Restore settings to use, although the system appeared to use the most recently saved settings.
The restore was completed, and voila, permissions were returned to a workable state. Upon further investigation, however, I found that in the preboot environment I could also log in and effect changes using the otherwise disabled local Administrator account, but only under certain circumstances.
No password by default… after all these years?
Specifically, when no other local administrator accounts are present, the disabled Administrator account appears in the log-in drop-down box and can suddenly be accessed.
And as I mentioned above, even after all these years of Microsoft receiving criticism for this lack of attention to security, the Administrator account has no password by default.
An admin logging into the recovery tool has a lot more options at his or her disposal, too. As an admin, I could perform the same auto-fix tests, perform System Restores with the ability to select the settings to use, run a System Image Recovery event to restore from a disk backup, run memory diagnostic tests or access the command line for more possible actions.
And from the command line I could change drives over to the main drive (from the pre-executable one) and read anything I wanted, even copy it to a USB stick and take it with me.
Certainly, we know that a data thief with physical access to the machine typically means game over. Boot to a LiveCD or a USB stick that can see into NTFS (NT File System), and thieves can take whatever they want. The usual countermeasures are then to block boot from CD or USB at the BIOS, and put a BIOS password on the system. But, heck, now Microsoft puts in the hacking tools for you – no need for third-party boot media.
Users could protect themselves by fully encrypting the drive with BitLocker so the intruder only sees garbage. Oh, wait, that’s only for Ultimate and Enterprise customers, not the vast majority of people who will use Home Premium. Never mind.
Honestly, it’s hard to take Microsoft seriously about the security of its products when you can drive a bus through some of their holes. I know the circumstances of this case were a little unique (who among you plan to remove your admin rights?), but in my book, disabled should mean disabled. Microsoft should NOT be creating as default an admin account with no password, then opening up the account for use in certain situations.
Word to the wise: Even though that admin account is disabled, do yourself a favour and put a password on it. You probably won’t regret it.