Why is allowing the guest account network access considered insecure?

windows security guest
9,122

The purpose of the Guest account is to control anonymous access to some OS facilities. If I wanted to allow anonymous access to, say, an SMB share, I'd enable the Guest account,

Enabling the account in changes the behavior of the OS. Guest is a user account, but its enabled/disabled status acts as a flag that says "Hey-- when this account is enabled allow anybody with any credentials to authenticate as this context."

The "FUD" comes from Microsoft's historically bad handling of security and allowing anonymous users unnecessarily broad access, by default, in older versions of the OS. Even though Windows Server 2003 and newer versions of Windows do a much better job with this the community is still a little gun-shy.

To my mind there's nothing wrong with using the OS built-in Guest account for its intended purpose.

Personally I'd tend to be against using anonymous SMB file sharing. I'd export the files you want to share with HTTP or, if they needed to be read/write, WebDAV. I tend to think that writeable folders with anonymous access enabled are irresponsible to host.

Edit:

If you want "Guest" to access a shared folder via SMB in a Windows Server OS's (W2K3 and W2K8 flavors) then you'd want to:

  • "Enable" the "Guest" account from "Local User and Groups"
  • Add either the "Guest" user or the "Guests" group with the desired permissions (hopefully read-only) to the ACL on the shared folder

The "Users" and "Authenticated Users" built-in groups don't contain "Guest" (though "Everyone" does) so most default folder ACLs won't allow Guest access. I'd add "Guests" explicitly, rather than "Everyone", so that it's visually very clear that I've allowed "Guests" access to this folder. (You don't have to use the group "Guests" but, generally it's better to use groups in permissions rather than individual users. When you're joined to be a domain be aware that "DOMAIN\Domain Guests" is nested into your computer's local "Guests" group, though.)

Share:
9,122

Related videos on Youtube

Admin
Author by

Admin

Updated on September 17, 2022

Comments

  • Admin
    Admin almost 2 years

    I was recently interested in allowing the guest account network access as related to a research project I was doing.

    This was on a Windows Server OS.

    The outcry was amazing....people freaking out and saying how insecure it is and how there just had to be a better way regardless of my needs or wants.

    Apparently it's such a bad idea that under no circumstances should the question even be asked.

    This seems like FUD

    Looking around on the net the solution given when other people have asked around was to make a limited user account instead. Now, this seems like a worse solution.

    If for whatever reason (and there are many, trying to answer for a specific reason does not help anyone, nor the community) someone is determined to have a guest account for anonymous access on a Server OS, is it not better that they use the built in guest account?

    A limited account created for the exact same purpose will be used the exact same way, except that the built in guest account is already locked down to a far greater degree. Indeed, using the built in guest account with network access would seem to be more secure than creating a limited account for the same purpose.

    So, why is trying to enable network access for the built in guest account considered so insecure, and why does it evoke such panic and FUD?

    edit: To be clear I am referring to having the guest account initiate network connection from the machine while logged in, not using the guest account to access anything remotely

    • mattFllr
      mattFllr over 13 years
      What exactly do you mean? A guest accessible a shared folder?
    • EEAA
      EEAA over 13 years
      To be fair - your previous two deleted questions were about giving the Guest account the ability to join arbitrary wireless networks. That's a vastly different ballgame than just allowing Guest network access as you state above. Once again, I understand your frustration, but please try and be open and honest when making complaints about the community.
    • EEAA
      EEAA over 13 years
      Okay, well then I must be remembering incorrectly. I view the fact that it was closed as "off-topic" as an unfortunate consequence of a limited number of of options to pick from when voting to close. Off-topic gets used as a de-facto catch-all at times when none of the other options are appropriate. I do think that your question is on-topic, but unfortunately, as Robert suggested below, I usually choose to not enable what I see as non-optimal infrastructure choices, whether in production or not.
  • John Gardeniers
    John Gardeniers over 13 years
    For the benefit of those who are unaware, that poor security record mainly stems from Windows having evolved out of a single user, single tasking operating system. In that situation OS security just doesn't matter and was therefore always an afterthought. In most earlier versions of Windows security was handled with more after than thought.
  • Admin
    Admin over 13 years
    So then, in your opinion, asking how to enable network access on the built in guest account would not be a security risk? I tried that and got told strongly by various people it was a security risk -- of course they couldn't say how and simply closed the question, bizarrely, as off-topic.
  • Zoredache
    Zoredache over 13 years
    @Jacob, was this a question you asked here? Can you provide us a link? I suspect there must be more to the closed question, then just asking about a guest account.
  • Admin
    Admin over 13 years
    Zoredache, I deleted the question after it was closed. I was very very frustrated. It was voted down almost immediately and then closed as off topic. All I asked was how to enabled the built in guest account the ability to join a network. Nothing else. People then started asking why I wanted that (which is irrelevant, and self-righteous to insist) and insisted there was a better way. I said I wanted to know how to do that, and then it got closed as off topic. I could open the question again and show you the same responses, but that probably isn't wise.
  • Spence
    Spence over 13 years
    @John Gardeniers: I'll take a little umbrage to the "single user, single tasking" statement. I think that Microsoft (and, in general the PC culture of the time) wasn't geared toward secure design and implementation practices. "NT", as designed by David Cutler and his team, certainly did come from a background of secure, solid design (DEC VMS). Bolting "Windows" onto "NT", though, brought a lot of baggage from the rest of Microsoft's culture. Give "Showstopper" (goo.gl/AW7sk) a read sometime. It's got some great insight into the beginnings of "NT".
  • Admin
    Admin over 13 years
    @Evan - Would you know of any way to enable network access for the built in guest account, or why it has been made very hard to enable?
  • John Gardeniers
    John Gardeniers over 13 years
    @Evan, you know very well that NT was far from the first version of Windows. While by that stage security was being given some consideration the heritage still had its effect and versions of NT prior to 2000 were notoriously insecure "out of the box".
  • Admin
    Admin over 13 years
    @John, what Evan was getting at was that NT was a completely different OS from the shell that ran on top of DOS. Yes, it had a similar interface and a port of the API, but it's security problems were not because it's sister OS was single user and single tasking.
  • Spence
    Spence over 13 years
    @John Gardeniers: "NT" was the first version of "NT". NT's design is solid and has stood up well over time. Security wasn't added on as an afterthought. "Windows" existed before NT and, as I said, was bolted onto NT bringing w/ it lots of questionable MS culture. IMO that culture drove the "nortoriously insecure" defaults you mention. You can configure NT 4.0 to be heavily locked-down but it didn't ship tht way. The OS's design allows for it to be secure, but the culture at Microsoft shipped it very open. That's not because of any "single-user, single-tasking" heritage. That's just culture.
  • Spence
    Spence over 13 years
    @Jacob: re: your question in your comment-- I'll drop on an edit clarifying.
  • Rob Moir
    Rob Moir over 13 years
    @Jacob People then started asking why I wanted that (which is irrelevant, and self-righteous to insist) - yes and no. I can see why it might feel inappropriate to you, but people here don't have to answer questions, and many people here have a code of ethics that won't allow them to provide what they think of as fundamentally bad advice. Think of it as a doctor, who when asked "how do I wrap even more bandages around my bleeding arm", replies "perhaps instead of doing that, I should be helping you stop the wound from bleeding in the first place"
  • Spence
    Spence over 13 years
    @Robert Moir: "The bloody bandages are a fashion statement." >smile<
  • Admin
    Admin over 13 years
    @Evan, I think you may have misunderstood. When I refer to enabling network access for the Guest account, I refer to logging in as the built in guest user and being able to join a network. At present that option is greyed out and access is denied, and I don't understand this.
  • Admin
    Admin over 13 years
    @Robert, I get all that, I do. The self-righteousness comes in the fact the people assume they know better, and won't justify their belief that my question is wrong. If I have a very specific question why not provide a technical answer with whatever side explanation you think is necessary. Your Doctor analogy is slightly inaccurate...the situation sometimes on this site is more akin to a Doctor refusing to provide crutches because someone with a broken leg should not be out and about anyway.
  • Admin
    Admin over 13 years
    The thing that really annoyed me was that no one was able to give a reason why what I was asking was insecure. There is nothing insecure about wanting to enable network access for the guest account, and instead people were self-assured that it was not a good idea, instead recommending I set up a limited user account instead, which is a more insecure option. What's worse, was the question was voted as offtopic, without any actual answer to my question being given. I expect more from the people on this site.
  • Admin
    Admin over 13 years
    @Evan, just to point out again I was referring to letting the built in Guest account join a network connection, eg join a wireless network or disable/enable a cable connection, not anything to do with SMB.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to list all openssl ciphers available in statically linked python releases?
CryptographicException: Access denied - How to give access on User store?
Determine password expiry date
How to set Windows Services permissions from Powershell?
Hide the taskbar using C#
Error C0000142 when Starting a Process
Confused over LocalSystem and LocalService Accounts
Detect when users take screenshots of my program
Add group "Everyone" to directory and all of it's sub-directories
can windows virus affect Linux machine through wine?