Guest Account check

Applies To: Forefront Client Security

The Guest Account SSA check determines whether the built-in Guest account is enabled on the scanned computer. The Guest account is intended for users who require temporary access to the system. However, if this account is enabled, a security risk may exist because an unauthorized user could gain anonymous access to the system through this account.

Computers running Windows XP map incoming user connections from across a network to the local Guest account (ForceGuest) when simple file sharing is enabled. This feature is configured under the ForceGuest registry setting. If the Guest account is enabled on computers running Microsoft Windows Server 2003, Windows XP, Windows 2000 Server, or Windows NT® (not using simple file sharing; ForceGuest registry setting disabled), Client Security includes it in SSA-related reports as a potential vulnerability. If the Guest account is enabled on computers running Windows XP that use simple file sharing (ForceGuest registry setting enabled), Client Security does not include it in reports as a potential vulnerability.

The Guest account is disabled by default in Windows XP Home Edition. However, only the guest's ability to log on locally is affected. The account itself is not disabled for incoming user connections from across the network and can still be used with simple file sharing.

Resolutions for potentially unacceptable scores

It is recommended that the Guest account be disabled. The Guest account is disabled by default in Microsoft Windows Server 2003, Windows XP, and Windows 2000 Server.

Scoring and results

The following table shows how Client Security determines the score resulting from performing this check on a client computer and what message appears in related reports.

| Score | Guest account enabled | ForceGuest enabled | Guest account set by Group Policy | No Guest account | Computer is a domain controller (or backup domain controller) | Results message |
| --- | --- | --- | --- | --- | --- | --- |
| High | Yes | No | No | Not applicable | No | The Guest account is not disabled on this computer. Guest account name: domain\username. |
| Informational | Yes | Yes | No | Not applicable | No | The Guest account is active, but ForceGuest is also set to true. Guest account name: domain\username. |
|  | Not applicable | Not applicable | Yes | Not applicable | No | The Guest account is controlled by Group Policy. |
|  | Not applicable | Not applicable | Not applicable | Not applicable | Yes | This check is not supported on domain controllers. |
| Low | No | Not applicable | No | Not applicable | No | The Guest account is disabled on this computer. Guest account name: domain\username. |
|  | Not applicable | Not applicable | No | Yes | No | The Guest account has been deleted on this computer. |
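
The scoring table above can be reproduced locally when auditing a single computer. The following PowerShell script is an added example, not code from Forefront Client Security. It assumes that the ForceGuest setting is the `forceguest` value under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`, that the built-in Guest account is found by its well-known RID 501, and that the caller states through the hypothetical `-SetByGroupPolicy` switch whether Group Policy controls the account, because the page does not say how Client Security detects that.

```powershell
# Added example, not Forefront Client Security code.
# Assumptions: ForceGuest path under Lsa, RID 501 lookup, caller-supplied -SetByGroupPolicy.
param([switch]$SetByGroupPolicy)

function Get-GuestCheckResult {
    param([bool]$IsDomainController, [bool]$SetByGroupPolicy, [bool]$GuestExists,
          [bool]$GuestEnabled, [bool]$ForceGuest, [string]$GuestName)

    # Rows whose other columns are "Not applicable" are tested first, so those columns
    # never influence the result. Score stays blank where the table leaves it blank.
    if ($IsDomainController)    { $score = ''; $msg = 'This check is not supported on domain controllers.' }
    elseif ($SetByGroupPolicy)  { $score = ''; $msg = 'The Guest account is controlled by Group Policy.' }
    elseif (-not $GuestExists)  { $score = ''; $msg = 'The Guest account has been deleted on this computer.' }
    elseif (-not $GuestEnabled) { $score = 'Low'
        $msg = "The Guest account is disabled on this computer. Guest account name: $GuestName." }
    elseif ($ForceGuest)        { $score = 'Informational'
        $msg = "The Guest account is active, but ForceGuest is also set to true. Guest account name: $GuestName." }
    else                        { $score = 'High'
        $msg = "The Guest account is not disabled on this computer. Guest account name: $GuestName." }
    [pscustomobject]@{ Score = $score; Message = $msg }
}

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# Find the built-in Guest by its well-known RID (501) so a renamed account is still found.
$guest = $null
if (-not $isDc) {
    $guest = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -match '^S-1-5-21-.+-501$' } | Select-Object -First 1
}

# ForceGuest: 1 maps network logons to Guest (simple file sharing); absent or 0 means disabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name forceguest -ErrorAction SilentlyContinue
$forceGuest = ($null -ne $lsa) -and ($lsa.forceguest -eq 1)

$guestName = if ($guest) { "$($guest.Domain)\$($guest.Name)" } else { '' }
Get-GuestCheckResult -IsDomainController $isDc -SetByGroupPolicy $SetByGroupPolicy.IsPresent `
    -GuestExists ([bool]$guest) -GuestEnabled ([bool]$guest -and -not $guest.Disabled) `
    -ForceGuest $forceGuest -GuestName $guestName
```

The script needs `Get-CimInstance`, so it runs on current Windows versions rather than on the legacy systems the check originally targeted.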

Other Resources

How to Set Security in Windows XP Professional That Is Installed in a Workgroup
Description of the Guest account in Windows XP