Service install - Backup to a network share (i.e. FreeNAS)

Hi,

I followed the instructions from this post Remote access settings to install it as a service on Windows 10 Home with no password set for the local administrator account.
After that I wanted to store backups on a local FreeNAS share which does not have a username or password.
If I selected the “Log On” option under the Duplicati service and entered my administrator account and no password for it, Windows would complain about a failure to log in.

I found this post by William Hilsum windows 7 - Remote desktop without a password - Super User that basically creates a huge security hole if remote desktop were enabled, but I do not use it, and if I need remote access I use TeamViewer.
Other than on the Home version of Win 7, it is possible to set this as suggested in the above post using gpedit.msc.

Win 10 Home cannot run gpedit.msc, so the workaround is to edit the registry and set LimitBlankPasswordUse to 0.

My question is: aside from remote desktop inside the home network, what other possible issues am I missing with this registry hack?

You are taking serious risks:

  • You didn’t disable the Administrator account
  • The Administrator account isn’t even secured with a password
  • Microsoft tries to reduce the security risks by disabling RDP and file/printer sharing for accounts that do not have a password set. The registry hack breaks this security that was activated by design.

This will expose your computer to every attack I can think of:

  • Ransomware can encrypt every single file on your local storage (and storage in your LAN) when logged on with an account that has administrative rights.
  • Targeted attacks have way more chance to succeed with an enabled Administrator account, especially when no password is set.
  • Hacking your network infrastructure (KRACK) will expose your computer completely to the hacker (\\computername\c$) or to anyone with a connection to your local LAN.

Disabling security features that are enabled by design will put you at risks that are not needed. The fact that you cannot start a Windows service using an account without a password is by design. So I strongly recommend that you set passwords on accounts you use for starting services, on accounts you want to enable file/printer sharing for, and/or on accounts with administrative privileges.
Disable the Administrator account and create a new account with a password to use for yourself and/or to start the service with.

Taking these actions has a positive side effect: you will be able to configure Duplicati and other software solutions without the hassle of registry hacks and disabling security settings.

PS Also check if Windows Firewall (or other software firewall) is enabled and add exceptions for network traffic you want to allow.

3 Likes

I haven’t had any caffeine yet today so I may just be a bit slow, but was the reason for all this because you want to run Duplicati as a service and store to a NAS destination but the system account has no network access and your user accounts have no password (so by default can’t be used to run services)?

Thank you! It is not worth the risk, so I will set passwords. The FreeNAS storage is also used by IP cameras that do not have an option to set a user/password, so that is the main reason for not having set one in the first place.

Yes, even without caffeine you nailed it :smile:

Glad to hear it!

I’ve worked on a few machines where we wanted local users w/out passwords but had services (and remote desktop) like this where we did want passwords so we simply created a password protected “Svcs” account. This also opened the opportunity to log in as that account and create mapped drives and set other environment variables that could be used in Scheduled Task environments.

Great!

If I understand you correctly, you created an account w/ password just to be used with services? That would leave “main” still able to log in to Windows without a password?

Correct. This also frees you up to lock down the “Duplicati account” access to only what’s needed for the backups.

That’s a great idea! Thanks!

You’re welcome!

Just remember, if the “Duplicati account” password expires then your service can’t run, and if the password is changed you’ll likely have to change it on the service “log on” tab.

1 Like
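
The setup the thread settles on (the blank-password restriction back at its default, plus a dedicated password-protected account for the service), as an added example that is not part of any post above. The service name `Duplicati` and the account name `svc-duplicati` are assumptions; the registry value lives under the `Lsa` key shown in the script.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed names: service 'Duplicati', account 'svc-duplicati'.
$svcName = 'Duplicati'
$svcUser = 'svc-duplicati'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Put back the default that the registry hack removed: with the value at 1,
#    accounts with a blank password can only log on at the console.
$limit = (Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse `
          -ErrorAction SilentlyContinue).LimitBlankPasswordUse
if ($limit -ne 1) {
    Set-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -Value 1 -Type DWord
    Write-Host "LimitBlankPasswordUse was '$limit'; reset to 1."
}

# 2. Report enabled local accounts that are allowed to have no password,
#    and whether the built-in Administrator (RID 500) is still enabled.
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $builtin = $_.SID.Value -like 'S-1-5-21-*-500'
    if ($builtin)                 { Write-Warning "$($_.Name): built-in Administrator is enabled." }
    if (-not $_.PasswordRequired) { Write-Warning "$($_.Name): a blank password is permitted." }
}

# 3. Create the password-protected account used only for the service.
#    It is added to no group, so it starts without administrative rights.
if (-not (Get-LocalUser -Name $svcUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $svcUser"
    New-LocalUser -Name $svcUser -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Runs the Duplicati service' | Out-Null
}

# 4. Show which account the service currently runs as.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" |
    Select-Object Name, StartName, State
```

Afterwards enter `.\svc-duplicati` and its password on the service's Log On tab; setting the account there also grants it the "Log on as a service" right.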