Windows Tip Sheet

Come Right In, The Door’s Open

Uninvited guests can wreck havoc on your computers if you don't secure your Guest accounts.

I recently had a client who suffered a major security incident, where several confidential documents were taken from a WinXP computer. The culprit? The computer’s built-in Guest account. True, Microsoft disables that account by default, but it had somehow become enabled, and, as you probably know, it doesn’t have a password by default. This is similar to the problem many SQL Server computers have, where the ultra-powerful sa account is left with a blank password because the server is set not to use SQL logins; by switching the server’s security mode, the account -- sans password -- becomes available to use.

The moral of the story is that all accounts, disabled or useful or not, should have complex passwords. The WinXP Guest account is easy enough to fix: Just run net user guest password from a command-line prompt (inserting an appropriate password, of course). You’ll need to be logged on as an administrator to make this change, and there’s no harm, of course, in leaving the Guest account disabled. Now, however, if the account becomes enabled for some reason, it won’t be a sitting duck. You can also set a password using WinXP’s GUI, but the command-line technique is more easily scriptable -- something you could perhaps add into your “new desktop” scripts that you run when setting up new computers.

More Resources

  • This is a good tip even for WinXP Home Edition, although there’s no GUI to work with.
  • Read more about how the Guest account is used by WinXP here.

Micro-Tips
In addition to setting passwords for all accounts, think about renaming built-in accounts. Not knowing the account name will make it a bit tougher for attackers trying to log in as a local Administrator, for example. Or, even better, create a totally new account and give it all the rights and permissions the local Administrator (or other) account would have; then disable the Administrator account. Since the new account won’t be using the well-known Administrator Security ID (SID), it’ll be, once again, just a bit tougher for an attacker to pick the right account to hack.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus
Most   Popular

SharePoint Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.