Kind of by accident I came across an interesting behavior in Windows Server 2003 Remote Desktop. By default, on a Windows Server 2003 workgroup (non-domain) server, Remote Desktop refuses to log on a local user whose password is blank, regardless of the account's rights or security group membership. The reason is the security policy setting "Accounts: Limit local account use of blank passwords to console logon only", which is enabled by default and restricts blank-password local accounts to logons at the physical console. However, through an odd series of steps, you can still log on over Terminal Services with a local account that has a blank password.
In order to make this work, you need two accounts on the target machine: 1) a local administrator account with a blank password, and 2) a local account with a password that satisfies the password policy and the right to log on through Terminal Services (for example, membership in the Remote Desktop Users group) but without administrative rights on that machine.
Steps to reproduce the issue:
1. At the Run prompt on a remote machine, launch mstsc /console (or mstsc /admin, depending on the version of the RDP client) against the machine where you created the two local accounts.
2. Attempt to log on with the admin account and its blank password.
NOTE: This should fail, because the policy prevents any non-console logon with a blank-password account.
3. Now attempt to log on with the non-admin account that has Terminal Services rights.
NOTE: This should fail, because connecting to session 0 (the console session) requires administrative rights.
4. Without exiting the Terminal Services logon screen, attempt to log on with the admin account and its blank password.
RESULT: You are logged on with a blank-password account, even though the policy states that you should not be able to.
Weird, huh?
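The check a practitioner wants after reading this is whether a host is actually exposed: is the policy enabled, and does any member of the local Administrators group really have a blank password? The PowerShell script below is an added example written for this page; it is not code from the original post or from the Microsoft thread. It assumes PowerShell 2.0 or later (for Add-Type) running locally on the host being audited, reads the policy's registry backing (the LimitBlankPasswordUse value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), and probes each local administrator account with LogonUser and an empty password. Treating Win32 error 1327 (ERROR_ACCOUNT_RESTRICTION) as "blank password, blocked by policy" is an assumption of this example based on that error's documented meaning; the same code can also indicate logon-hour or similar restrictions.

```powershell
# Added example (not from the original post): audit a workgroup host for the two
# conditions the write-up relies on, an enabled blank-password policy and a
# local administrator whose password is actually blank.

# 1 = enabled (the default), 0 = disabled. A missing value is treated as enabled.
function Get-BlankPasswordPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsa -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'not set (treated as enabled)' }
    if ($item.LimitBlankPasswordUse -eq 1) { return 'enabled' } else { return 'disabled' }
}

# P/Invoke LogonUser so we can try an empty password as a network logon.
Add-Type -Namespace Audit -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out System.IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(System.IntPtr handle);
'@

# Returns a short verdict for one local account. Interpretation of the error
# codes is this example's assumption: 1326 = wrong (i.e. non-blank) password,
# 1327 = account restriction, which with this policy enabled is what a blank
# password produces for any non-console logon.
function Test-BlankPassword {
    param([string]$User)
    $LOGON32_LOGON_NETWORK    = 3
    $LOGON32_PROVIDER_DEFAULT = 0
    $token = [IntPtr]::Zero
    $ok  = [Audit.Native]::LogonUser($User, '.', '', $LOGON32_LOGON_NETWORK,
                                     $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        [Audit.Native]::CloseHandle($token) | Out-Null
        return 'BLANK (network logon succeeded; policy is not blocking it)'
    }
    switch ($err) {
        1327    { 'BLANK (blocked by policy, error 1327)' }
        1326    { 'password set' }
        1331    { 'account disabled' }
        default { "undetermined (error $err)" }
    }
}

# Enumerate members of the local Administrators group via the WinNT ADSI
# provider, keeping only local user accounts (groups and domain principals
# are skipped; on a workgroup host there are no domain principals anyway).
function Get-LocalAdminUsers {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        if ($class -eq 'User' -and $path -like "WinNT://$env:COMPUTERNAME/*") { $name }
    }
}

function Invoke-BlankPasswordAudit {
    "Policy 'Limit local account use of blank passwords to console logon only': $(Get-BlankPasswordPolicy)"
    foreach ($name in Get-LocalAdminUsers) {
        $u = [ADSI]"WinNT://./$name,user"
        # 0x20 = ADS_UF_PASSWD_NOTREQD: the account is *allowed* a blank password.
        $noPwdRequired = (([int]$u.UserFlags.Value) -band 0x20) -ne 0
        '{0,-20} password-not-required flag: {1,-5} logon probe: {2}' -f `
            $name, $noPwdRequired, (Test-BlankPassword $name)
    }
}

Invoke-BlankPasswordAudit
```

Each probe is a real logon attempt, so expect failed-logon audit events for every administrator account the script touches; run it from an account that is allowed to generate them. Given the bypass described above, a line reading "BLANK (blocked by policy ...)" is the finding that matters: the policy is not a substitute for setting a password on that account.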
Now, as a good IT citizen, I reported this to Microsoft first in case they should be concerned. They mentioned that they were aware of the issue and felt it was covered by Immutable Law of Security number 5. The laws can be found here. I have attached the email exchange between Microsoft and me below.