Microsoft Security Advisory (906574)

Purpose of Advisory: To clarify the purpose of the Simple File Sharing feature of Windows XP and its use of the Guest account.

Advisory Status: Advisory published.

Recommendation: Review the advisory and apply the appropriate configuration changes for increased security.

This advisory discusses the following software.

What is the scope of the advisory?
This advisory clarifies the Simple File Sharing feature of Windows XP and its use of the Guest account. This process, which is called ForceGuest, does not introduce a security vulnerability. However, ForceGuest automatically enables the Guest account and it is given permission to access the system through the network. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. The Simple File Sharing feature is an optional configuration that some customers may choose to enable. This feature is not available on systems that are joined to a domain. For more information about this feature and how to appropriately configure it, visit the following Web site. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

How does the Guest account become enabled and allowed to access the system through the network?
Windows XP Professional systems that are members of a workgroup and Windows XP Home systems use Simple File Sharing. With Simple File Sharing, a user must manually use the Network Setup Wizard, documented at the following Web site, or bypass the Network Setup Wizard by selecting the If you understand the security risks but want to share files without running the wizard, click here option to complete the configuration of Simple File Sharing. These procedures enable the Guest account and give it permission to access the system from the network by removing the Guest account from the Deny access to this computer from the network local security policy. If you manually enable the Guest account it would not have permission to access the system through the network.

It is not enough to just have the File and Print Sharing enabled to enable the Guest account to have access to they system through the network. You must manually perform the steps that are documented in this FAQ section to enable the Guest account and allow it to access the system through the network. Once these steps have been performed, any file or print sharing connection request will successfully authenticate as the Guest account. For more information about Simple File Sharing and its use of the Guest account, visit the following Web site. This issue does not affect Windows XP Professional systems that are members of a domain. Domain-joined systems do not use Simple File Sharing. Sharing files or printers on domain-joined systems does not enable the Guest account or give it permission to access the system through the network. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

Can non-domain-joined systems have their Guest account enabled through Simple File Sharing?
Domain-joined Windows XP Professional systems do not implement the Simple File Sharing feature. However, if a Windows XP Professional system had the Guest account enabled by Simple File Sharing, before being joined to a domain, then the Guest account remains enabled when that system is later joined to the domain. To disable the Guest account on these systems, perform the steps documented at the following Web site. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

How do I know if I am using a system where these steps have been performed?
If you are using a Windows XP Professional system that is a member of a workgroup, or if you are using a Windows XP Home system, you can quickly check to see if you might be vulnerable to this issue by using the following command. At a command prompt type Net User Guest. In the list of results, if the Guest account is listed as Account Active – Yes, you could be vulnerable to this issue if the Guest account has also been granted permission to access the system through the network. Also, if you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

Does the Microsoft Baseline Security Analyzer (MBSA) detect if the Guest account has been enabled on a system within my domain?
Yes. While the having the Guest account enabled is not enough to allow it to access the system throught the network, disabling the Guest account is a good best-practice and would block unintended network access. MBSA will check that a Guest account has been disabled on a system, and will report success or failure depending on the system configuration.

Does the Windows Firewall help block access when the Guest account has been enabled through Simple File Sharing?
While Simple File Sharing automatically enables an exception in the Windows Firewall, access is limited to the local subnet. However, Windows XP Service Pack 2 systems are not vulnerable remotely to the issue discussed in MS05-039 with or without the firewall enabled.

How do I disable the Guest account on a Windows XP Home system?
At a command prompt, type Net User Guest /Active:No to disable the guest account on workgroup joined systems. Disabling the guest account will block Simple File Sharing, so the recommended action for systems that are not joined to a domain, but would like enhanced protection while using Simple File Sharing, is to set a password for the Guest account. See the Suggested Actions section below for more information on setting this password. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

How can I enforce that the Guest account be disabled within my domain using Group Policy?
While the having the Guest account enabled is not enough to allow it to access the system through the network, disabling the Guest account is a good best-practice and would block unintended network access. The Guest account can be disabled through Group Policy by ensuring that the Accounts: Guest account statusis set to Disabled in your domain.

• Review the following Microsoft Web site.

  For more information about the Simple File Sharing feature of Windows XP and the ForceGuest process, visit the following Web site.

• Windows XP Professional customers that cannot disable the Guest account should change the default password on the Guest account.

  If you cannot disable the Guest account we recommend that you configure a password for the Guest account. This will require all systems on your network to provide this password to connect to each other. Windows XP Professional customers can configure this password by following the instructions listed at the following http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/lsm_change_password.mspx. Configuring a password on the Guest account will help prevent these systems from becoming remotely vulnerable to issues that attempt to authenticate using the Guest account credentials.

• Block TCP ports 139 and 445 at the firewall:

  These ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.

• Follow the Protect Your PC guidance.

  We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

• For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
• Keep Windows updated.

  All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure that you install them.