Security policy: servers without root/administrator password

Jakob asked:

I am considering running public web and application servers with blank root/Administrator passwords, and I’m wondering whether this might be a bad policy.

I see several advantages of having no password. “No password” can’t be brute-forced, lost, forgotten or end up in the wrong hands. Administrators will need to log in with their personal accounts, making it easier to see who has access and is doing what, instead of keeping track of who knows the root password. If you manage to lock yourself out, it’s easy to reactivate any account with physical access to the machine.

I run mostly Ubuntu 14 and Windows Server 2008 servers, both of which refuse remote logins for accounts without passwords by default. The Linux machines are accessed via SSH; the Windows machines are accessed via RDP, as well as SSH through Copssh. The server is physically protected enough for practical purposes; anybody who manages to gain access would be able to do damage anyway, regardless of passwords.

The question is, would this be a good security policy, or are there practical considerations here I haven’t thought of? Specifically, are there any particular services in Windows or Linux that may allow remote access to a machine through accounts with blank passwords?

My answer:

Don’t even think about giving the root user a blank password. If you do this, it’s trivial to leverage a non-root compromise into a root compromise.

Consider one of many possible scenarios:

An attacker uses an unpatched vulnerability to compromise the web server or the application the web server is serving. He gets a shell running as the web server’s user. With a blank root password, he merely needs to execute su and he now has root.

View the full question and any other answers on Server Fault.
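One way to audit for the condition the answer warns about, as an added example that is not part of the original Server Fault post: a small Python script that parses `/etc/shadow`-format entries and lists accounts whose password field is empty, i.e. accounts that `su` will switch to without prompting. The sample entries are constructed, and the optional path argument is an assumption of this example.

```python
"""Audit shadow-format entries for accounts with an empty password field.

Added example, not code from the original post. Run with no arguments to
check the constructed sample below, or pass a path (e.g. /etc/shadow, which
needs root to read) to audit a real file.
"""
import sys
from typing import Dict, List

# Constructed sample: a blank root entry, a hashed user, a service account
# with '*', and an account whose hash has been disabled with a leading '!'.
SAMPLE_SHADOW = """\
root::17000:0:99999:7:::
jakob:$6$saltsalt$FAKEHASHFORILLUSTRATIONONLY:17000:0:99999:7:::
www-data:*:17000:0:99999:7:::
deploy:!$6$saltsalt$ANOTHERFAKEHASHFORILLUSTRATION:17000:0:99999:7:::
"""


def classify_password_field(field: str) -> str:
    """Map a shadow password field to one of: empty, locked, hashed."""
    if field == "":
        return "empty"      # no password at all: su switches to it with no prompt
    if field[0] in "!*":
        return "locked"     # '!'/'!!' locks the account, '*' never matches
    return "hashed"         # a real hash; password authentication applies


def parse_shadow(text: str) -> Dict[str, str]:
    """Return {account: classification} for each well-formed shadow line."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue        # malformed line: skip rather than guess
        result[fields[0]] = classify_password_field(fields[1])
    return result


def empty_password_accounts(text: str) -> List[str]:
    """Accounts that can be reached with su without entering any password."""
    return sorted(n for n, kind in parse_shadow(text).items() if kind == "empty")


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for account in empty_password_accounts(data):
        print(f"WARNING: account '{account}' has an empty password field")
```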

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.