Windows Tip Sheet
Come Right In, The Door’s Open
Uninvited guests can wreak havoc on your computers if you don't secure your Guest accounts.
I recently had a client who suffered a major security incident, where several
confidential documents were taken from a WinXP computer. The culprit? The computer’s
built-in Guest account. True, Microsoft disables that account by default, but
it had somehow become enabled, and, as you probably know, it doesn’t have
a password by default. This is similar to the problem many SQL Server computers
have, where the ultra-powerful sa account is left with a blank password because
the server is set not to use SQL logins; by switching the server’s security
mode, the account -- sans password -- becomes available to use.
The moral of the story is that all accounts, whether they are disabled, in use, or not needed at all, should
have complex passwords. The WinXP Guest account is easy enough to fix: Just
run net user guest password from a command-line
prompt (inserting an appropriate password, of course). You’ll need to
be logged on as an administrator to make this change, and there’s no harm,
of course, in leaving the Guest account disabled. Now, however, if the account
becomes enabled for some reason, it won’t be a sitting duck. You can also
set a password using WinXP’s GUI, but the command-line technique is more
easily scriptable -- something you could perhaps add into your “new desktop”
scripts that you run when setting up new computers.
More Resources
- This is a good tip even for WinXP Home Edition, although there’s no GUI to work with.
- Read more about how the Guest account is used by WinXP here.
Micro-Tips
In addition to setting passwords for all accounts, think about renaming built-in
accounts. Not knowing the account name will make it a bit tougher for attackers
trying to log in as a local Administrator, for example. Or, even better, create
a totally new account and give it all the rights and permissions the local Administrator
(or other) account would have; then disable the Administrator account. Since
the new account won’t be using the well-known Administrator Security ID
(SID), it’ll be, once again, just a bit tougher for an attacker to pick
the right account to hack.
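Putting the Guest-password tip and the Micro-Tips together, here is an added example batch script (my own illustration, not code from the original column) of the kind you could drop into a “new desktop” setup script: it gives Guest a password and keeps the account disabled, then creates a replacement administrator account and, only when run with the disable-admin argument, disables the built-in Administrator. The account name deskadmin and both passwords are placeholders to replace before use.

```batch
@echo off
REM Added example, not from the original column: a "new desktop" setup fragment.
REM 1) Give the built-in Guest account a password and keep it disabled.
REM 2) Create a replacement admin account (Micro-Tips) and, only when run as
REM    "harden.cmd disable-admin", disable the built-in Administrator.
REM ADMIN_NAME and both passwords are placeholders; replace them before use.
setlocal
set "GUEST_PW=ReplaceMe-Guest!2004"
set "ADMIN_NAME=deskadmin"
set "ADMIN_PW=ReplaceMe-Admin!2004"

REM "net session" only succeeds from an administrative prompt.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an administrator command prompt.
    exit /b 1
)

REM --- Guest: set a password, then make sure the account stays disabled ---
net user guest "%GUEST_PW%" >nul || goto :fail
net user guest /active:no >nul || goto :fail
REM "net user guest" prints "Account active   No" once the account is disabled.
net user guest | findstr /i /c:"Account active" | findstr /i /c:"No" >nul || goto :fail

REM --- Replacement administrator that does not carry the well-known name/SID ---
REM Create the account only if it does not already exist (script may be re-run).
net user "%ADMIN_NAME%" >nul 2>&1 || (
    net user "%ADMIN_NAME%" "%ADMIN_PW%" /add >nul || goto :fail
)
net localgroup Administrators "%ADMIN_NAME%" /add >nul 2>&1

REM Disable the built-in Administrator only on request, after you have
REM confirmed that %ADMIN_NAME% can log on; otherwise you can lock yourself out.
if /i "%~1"=="disable-admin" (
    net user Administrator /active:no >nul || goto :fail
    echo Built-in Administrator account disabled.
)

echo Guest has a password and is disabled; %ADMIN_NAME% is a local administrator.
endlocal
exit /b 0

:fail
echo A command failed; review the output above and rerun.
endlocal
exit /b 1
```

The Guest check relies on the English “Account active” label in the output of net user; adjust it on localized installations.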
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.