Export (0) Print
Expand All

Guest Account check

Published: December 16, 2009

Applies To: Forefront Client Security

The Guest Account SSA check determines whether the built-in Guest account is enabled on the scanned computer. The Guest account is intended for users who require temporary access to the system. However, if this account is enabled, a security risk may exist because an unauthorized user could gain anonymous access to the system through this account.

Computers running Windows XP map incoming user connections from across a network to the local Guest account (ForceGuest) when simple file sharing is enabled. This feature is configured under the ForceGuest registry setting. If the Guest account is enabled on computers running Microsoft Windows Server 2003, Windows XP, Windows 2000 Server, or Windows NT® (not using simple file sharing; ForceGuest registry setting disabled), Client Security includes it in SSA-related reports as a potential vulnerability. If the Guest account is enabled on computers running Windows XP that use simple file sharing (ForceGuest registry setting enabled), Client Security does not include it in reports as a potential vulnerability.

The Guest account is disabled by default in Windows XP Home Edition. However, only the guest's ability to log on locally is affected. The account itself is not disabled for incoming user connections from across the network and can still be used with simple file sharing.

Resolutions for potentially unacceptable scores

It is recommended that the Guest account be disabled. The Guest account is disabled by default in Microsoft Windows Server 2003, Windows XP, and Windows 2000 Server.

Scoring and results

The following table shows how Client Security determines the score resulting from performing this check on a client computer and what message appears in related reports.

 

Score Guest account enabled ForceGuest enabled Guest account set by Group Policy No Guest account Computer is a domain controller (or backup domain controller) Results message

High

Yes

No

No

Not applicable

No

The Guest account is not disabled on this computer. Guest account name: domain\username.

Informational

Yes

Yes

No

Not applicable

No

The Guest account is active, but ForceGuest is also set to true. Guest account name: domain\username.

 

Not applicable

Not applicable

Yes

Not applicable

No

The Guest account is controlled by Group Policy.

 

Not applicable

Not applicable

Not applicable

Not applicable

Yes

This check is not supported on domain controllers.

Low

No

Not applicable

No

Not applicable

No

The Guest account is disabled on this computer. Guest account name: domain\username.

 

Not applicable

Not applicable

No

Yes

No

The Guest account has been deleted on this computer.

Related Topics

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft