Often, people have computers running Windows 2000 and XP at home or in small offices that aren't part of a Windows domain. These users rely on local accounts, where the username and password are stored only on that computer, instead of domain accounts. If this scenario sounds familiar, you may have something to worry about. It can arise if, for example, you're not running a VPN for connections from remote workers to the home office, and users are getting their e-mail through a Web interface.
In instances like these, users who are marginally concerned about security might not set passwords on their accounts because their computer is physically secured -- locked in a home or office. But these computers are still almost always connected to a network such as the Internet.
An interesting feature in Windows XP that enhances the security in these situations is the new way it handles accounts without passwords. In XP, unlike prior versions, you cannot log into a local computer across the network using an account with no password. However, you can still log in at the console.
This is an interesting compromise. While most security professionals would insist that passwords are always worth the effort, in XP you are at least somewhat less exposed if you choose to allow accounts with no passwords.
Remember, this does not apply to domain accounts, only local accounts. Also, the Guest account (if you haven't disabled it) is still able to log in across a network without using a password.
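To check a standalone machine for the exposure described above, the following Windows PowerShell sketch reports whether blank-password local accounts are limited to console logon and lists the local accounts worth reviewing. It is an added example, not part of the original tip; it assumes the behavior maps to the `LimitBlankPasswordUse` value under the LSA registry key (the "Accounts: Limit local account use of blank passwords to console logon only" policy), neither of which the article names, and the function names are hypothetical.

```powershell
# Added example: audit the blank-password exposure on a non-domain Windows machine.
# Assumption: the console-only restriction is controlled by LimitBlankPasswordUse.

function Get-BlankPasswordPolicy {
    # 1 = blank-password local accounts can log on at the console only
    # 0 = blank-password local accounts can also log on across the network
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    if ($null -eq $lsa -or $null -eq $lsa.LimitBlankPasswordUse) { return 'NotSet' }
    if ($lsa.LimitBlankPasswordUse -eq 1) { return 'ConsoleOnly' }
    return 'NetworkAllowed'
}

function Get-LocalAccountExposure {
    # Local accounts only; the article's behavior does not apply to domain accounts.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name             = $_.Name
                Enabled          = -not $_.Disabled
                # False means a blank password is permitted, not that one is set.
                PasswordRequired = $_.PasswordRequired
                # The built-in Guest account always has a SID ending in -501.
                IsGuest          = ($_.SID -like 'S-1-5-21-*-501')
            }
        }
}

$policy   = Get-BlankPasswordPolicy
$accounts = @(Get-LocalAccountExposure)

Write-Output "Blank-password logon policy: $policy"

# Enabled accounts that are allowed to have no password.
$accounts | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object { Write-Output "Review: '$($_.Name)' may have a blank password" }

# Guest is the exception the article calls out: still usable across the network.
$accounts | Where-Object { $_.IsGuest -and $_.Enabled } |
    ForEach-Object { Write-Output "Review: Guest account '$($_.Name)' is enabled" }
```

A `NotSet` result means the value was not found, so confirm the setting in Local Security Policy rather than assuming the default.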
Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.