General Vista Help and Support: The general Windows Vista discussion forum, for topics not covered elsewhere. (microsoft.public.windows.vista.general)
"Gary S. Terhune" none wrote in message ...

I'm not going that far. I don't know anything more than that Gordon is not providing any real evidence to back up his statements. So far, it's been more the opposite. But that doesn't mean there isn't something I *don't* know about with regard to the Guest account. I just don't see anything that says other than what I already practice and should already be applied to ALL accounts. Use strong passwords and turn off Simple File Sharing. If you intend to use the Guest account, I'd advise you to start a new thread with the subject line: "Is the Guest account insecure?"

So WHY then, Mr high-and-mighty, does the MICROSOFT (Not a third-party app you note) Baseline Security Advisor, say that the Guest Account is a SECURITY risk? Why not ask MS, you being an MVP and all? Who is the non-MS person supposed to believe?
Because any known quantity in Windows, particularly usernames and passwords, constitutes a vulnerability in the system. Which is why "Administrator" should always be disabled when not specifically needed. You can, additionally, change the SID (familiar name) of the account to something else in order to make it more difficult to guess, and give it a super-strong password. (Enabling/disabling and renaming are done in Control Panel = Administrative Tools = Local Security Policy = Local Policies = Security Options.)

You can do the same for the Guest account, in that same Policy Editor, and if you also edit the "ForceGuest" value to "1" in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa you force a prompt to anyone trying to access the machine to log on as "Guest" (can't change that, it's grayed out) and provide a password. Since "Guest" has been renamed, there's no way to get past the prompt. It's not as perfect as simply disabling the Guest account, but it works. You just don't want to do that if you intend to allow network connections from any other machine, by anyone. Which is to say it's good for stand-alone machines that have no intention of letting anyone, from anywhere, log onto the machine.

There's also a setting that I changed somewhere that set another tweak, adding the alias I gave to the built-in Guest account to a list of users denied access from the network. It's in the same Management Console I described above, ...= Local Security Policy = User Rights Assignment.

This is what I meant. The simple solution is to disable the Guest account entirely and to create a new user account and add it to the Guests group for further restriction of use. (Still, don't leave the password blank, use a strong one, even though you have to tape it to the monitor for everyone to see.) But it IS possible to tweak the Guest account to make it almost as difficult as any other account to use to get into the machine.

Now, I've done a lot of investigation to come up with this, and I've yet to find anything more specific than the above info that it's simply an issue of built-in accounts, and especially the Guest account (which is used by some legit apps to gain entry). If you have anything more specific that counters what I've claimed, please provide documentation.

--
Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com

"Gordon" wrote in message ...

"Gary S. Terhune" none wrote in message ...

I'm not going that far. I don't know anything more than that Gordon is not providing any real evidence to back up his statements. So far, it's been more the opposite. But that doesn't mean there isn't something I *don't* know about with regard to the Guest account. I just don't see anything that says other than what I already practice and should already be applied to ALL accounts. Use strong passwords and turn off Simple File Sharing. If you intend to use the Guest account, I'd advise you to start a new thread with the subject line: "Is the Guest account insecure?"

So WHY then, Mr high-and-mighty, does the MICROSOFT (Not a third-party app you note) Baseline Security Advisor, say that the Guest Account is a SECURITY risk? Why not ask MS, you being an MVP and all? Who is the non-MS person supposed to believe?
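The settings discussed in the post above (whether the built-in Administrator and Guest accounts are enabled or renamed, the ForceGuest value under Lsa, and the deny-network-access user right) can be checked read-only with PowerShell. This is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 or later (for Get-LocalUser, which Vista-era PowerShell lacks), an elevated prompt, and English default account names.

```powershell
# Added example (not from the thread): read-only audit of built-in account hardening.
# Assumptions: Windows PowerShell 5.1+, elevated prompt, English default account names.

function Get-BuiltinAccount([int]$Rid) {
    # Built-in accounts keep a fixed RID after renaming: 500 = Administrator, 501 = Guest.
    Get-LocalUser | Where-Object { $_.SID.Value.EndsWith("-$Rid") }
}

function Get-DeniedNetworkLogon {
    # Export the user-rights section of local security policy and read the
    # "Deny access to this computer from the network" right (SeDenyNetworkLogonRight).
    $tmp = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content $tmp | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
        if ($line) { (($line -split '=', 2)[1] -split ',').Trim() } else { @() }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# forceguest: 0 = Classic (local users authenticate as themselves), 1 = Guest only.
$lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$denied = @(Get-DeniedNetworkLogon)

$report = foreach ($rid in 500, 501) {
    $acct = Get-BuiltinAccount $rid
    [pscustomobject]@{
        Rid               = $rid
        Name              = $acct.Name
        Enabled           = $acct.Enabled
        Renamed           = $acct.Name -notin 'Administrator', 'Guest'
        # secedit lists entries either by account name or as *SID.
        DeniedFromNetwork = ($denied -contains $acct.Name) -or
                            ($denied -contains "*$($acct.SID.Value)")
    }
}

$report | Format-Table -AutoSize
"forceguest = $($lsa.forceguest)"
```

The script changes nothing; it only reports the current state of each setting so it can be compared against the configuration the post describes.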