Sunday, December 2, 2007

Setting Up a Secure Guest Account

By default, the Guest account has access to your computer's programs, to files in the Shared Documents folder, and to files in the Guest profile. But no password is required to use the account, so you'll want to be sure that the Guest account doesn't expose items that a casual user shouldn't see or modify. In fact, the default settings place pretty tight restrictions on the Guest account, but you should ensure that these rather obscure settings are still in place:

Prevent network logon by the Guest account.
This prevents a user at another computer from using the Guest account to log on over the network. In Local Security Settings (Secpol.msc), open Local Policies, User Rights Assignment. Be sure that Guest is listed in the Deny Access To This Computer From The Network policy.

Do not include Guest in this policy if you use Simple File Sharing and you are sharing your computer's folders or printers. Simple File Sharing requires the use of the Guest account for network access.

Prevent a Guest user from shutting down the computer.
In Local Security Settings, open Local Policies, User Rights Assignment. Be sure that Guest is not listed in the Shut Down The System policy. (Even with this policy in place, anyone, including guests, can shut down the computer from the Welcome screen. You can set a policy that allows only a logged-on user to shut down the computer. To do that, open Local Policies, Security Options and disable the Shutdown: Allow System To Be Shut Down Without Having To Log On policy.)

Prevent a Guest user from viewing event logs.
In Registry Editor, open HKLM\System\CurrentControlSet\Services\Eventlog. Visit each of the three subkeys (Application, Security, and System) and be sure that each contains a DWORD value named RestrictGuestAccess set to 1.
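
A read-only audit of the settings listed above, as an added example that is not part of the original post. It assumes an elevated PowerShell 2.0 or later prompt and that the account is still named Guest; the helper names Get-RightHolders, Test-HasGuest and Report are hypothetical, and ShutdownWithoutLogon is the registry value behind the Shutdown: Allow System To Be Shut Down Without Having To Log On policy.

```powershell
# Added example: reports on the Guest settings above without changing anything.
# Assumes an elevated prompt and a built-in account still named "Guest".
$cfg = Join-Path $env:TEMP 'guest-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Return the accounts assigned to one user right in the secedit export.
function Get-RightHolders([string]$Right) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() })
}

# Guest shows up in the export either by name or as a SID ending in RID 501.
function Test-HasGuest($Holders) {
    return [bool]($Holders | Where-Object { $_ -eq 'Guest' -or $_ -match '^\*S-1-5-21-.*-501$' })
}

# Print one result line per check.
function Report([string]$Check, [bool]$Ok) {
    $status = if ($Ok) { 'OK' } else { 'REVIEW' }
    '{0,-7} {1}' -f $status, $Check
}

# Expected to show REVIEW if you rely on Simple File Sharing, which needs
# Guest to be allowed network access.
Report 'Guest is in Deny Access To This Computer From The Network' `
    (Test-HasGuest (Get-RightHolders 'SeDenyNetworkLogonRight'))

Report 'Guest is not in Shut Down The System' `
    (-not (Test-HasGuest (Get-RightHolders 'SeShutdownPrivilege')))

# Optional hardening from the post: no shutdown from the Welcome screen.
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ErrorAction SilentlyContinue
Report 'Shutdown without logon is disabled (optional)' ($sys.ShutdownWithoutLogon -eq 0)

# Each event log subkey must carry RestrictGuestAccess = 1.
foreach ($log in 'Application', 'Security', 'System') {
    $key = "HKLM:\System\CurrentControlSet\Services\Eventlog\$log"
    $value = (Get-ItemProperty $key -ErrorAction SilentlyContinue).RestrictGuestAccess
    Report "RestrictGuestAccess is 1 on the $log log" ($value -eq 1)
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```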
