Security Advisory
Microsoft Security Advisory 906574
Clarification of Simple File Sharing and ForceGuest
Published: August 23, 2005
Microsoft has issued this Security Advisory to clarify information of the issue addressed in Security Bulletin MS05-039 for non-default configurations of Windows XP Service Pack 1. This feature is known as “Simple File Sharing and ForceGuest.” If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability. Also, customers that have applied the security update included with MS05-039 are not impacted by this issue. We recommend that customers continue to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.
If Simple File Sharing is enabled on a Microsoft Windows XP system that is not joined to a domain, then all users who access this system through the network are forced to use the Guest account. This is the “Network access: Sharing and security model for local accounts*”* security policy setting, and is also known as ForceGuest*.*
Windows XP mitigates several security vulnerabilities by preventing users who do not have a valid logon credential from accessing the system remotely. An example of this is the vulnerability that is addressed in Microsoft Security Bulletin MS05-039. However, when you enable Simple File Sharing, the Guest account is also enabled and given permission to access the system through the network. Because the Guest account is a valid account when it is enabled, and is given permission to access the system through the network, an attacker could use the Guest account as if they had a valid user account.
There is no known attack that is seeking to exploit this scenario. The Advisory is being issued as a special precaution. There is no change to the update in Security Bulletin MS05-039. Customers who have applied this update are protected in this scenario.
Mitigating Factors:
- Windows XP Service Pack 2 is not vulnerable remotely to the issue addressed by MS05-039 even when Simple File Sharing enables the Guest account. On Windows XP Service Pack 2, the impact of this vulnerability is only Local Privilege Elevation, and only exploitable if a user has the ability to logon locally to the system.
- Simple File Sharing is not available on Windows XP systems that are joined to a domain. Domain-joined systems use standard file sharing which does not enable the Guest account or give it permissions to access the system through the network. Windows XP Service Pack 2 is not vulnerable remotely in domain-joined systems or in workgroup-joined systems.
- Enabling Simple File Sharing does not expose customers who have applied the security updates provided by Microsoft Security Bulletin MS05-039 to the vulnerability that is addressed by that security bulletin.
General Information
Overview
Purpose of Advisory: To clarify the purpose of the Simple File Sharing feature of Windows XP and its use of the Guest account.
Advisory Status: Advisory published.
Recommendation: Review the advisory and apply the appropriate configuration changes for increased security.
| References | Identification |
|---|---|
| Microsoft Web site | Simple Sharing and ForceGuest |
| Microsoft Web site | Securing Windows XP in a Peer-to-Peer Networking Environment |
| The Symantec DeepSight Threat Analysis Team, and Symantec BID | 14513 |
| Security Bulletin | MS05-039 |
This advisory discusses the following software.
| Related Software |
| Microsoft Windows XP Service Pack 1 |
| Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) |
| Microsoft Windows XP Service Pack 2 |
| Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) |
| Microsoft Windows XP Professional x64 Edition |
Frequently Asked Questions
What is the scope of the advisory?
This advisory clarifies the Simple File Sharing feature of Windows XP and its use of the Guest account. This process, which is called ForceGuest, does not introduce a security vulnerability. However, ForceGuest automatically enables the Guest account and it is given permission to access the system through the network. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.
Is this a security vulnerability that requires Microsoft to issue a security update?
No. The Simple File Sharing feature is an optional configuration that some customers may choose to enable. This feature is not available on systems that are joined to a domain. For more information about this feature and how to appropriately configure it, visit the following Web site. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.
How does the Guest account become enabled and allowed to access the system through the network?
Windows XP Professional systems that are members of a workgroup and Windows XP Home systems use Simple File Sharing. With Simple File Sharing, a user must manually use the Network Setup Wizard, documented at the following Web site, or bypass the Network Setup Wizard by selecting the If you understand the security risks but want to share files without running the wizard, click here option to complete the configuration of Simple File Sharing. These procedures enable the Guest account and give it permission to access the system from the network by removing the Guest account from the Deny access to this computer from the network local security policy. If you manually enable the Guest account it would not have permission to access the system through the network.
It is not enough to just have the File and Print Sharing enabled to enable the Guest account to have access to they system through the network. You must manually perform the steps that are documented in this FAQ section to enable the Guest account and allow it to access the system through the network. Once these steps have been performed, any file or print sharing connection request will successfully authenticate as the Guest account. For more information about Simple File Sharing and its use of the Guest account, visit the following Web site. This issue does not affect Windows XP Professional systems that are members of a domain. Domain-joined systems do not use Simple File Sharing. Sharing files or printers on domain-joined systems does not enable the Guest account or give it permission to access the system through the network. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.
Can non-domain-joined systems have their Guest account enabled through Simple File Sharing?
Domain-joined Windows XP Professional systems do not implement the Simple File Sharing feature. However, if a Windows XP Professional system had the Guest account enabled by Simple File Sharing, before being joined to a domain, then the Guest account remains enabled when that system is later joined to the domain. To disable the Guest account on these systems, perform the steps documented at the following Web site. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.
How do I know if I am using a system where these steps have been performed?
If you are using a Windows XP Professional system that is a member of a workgroup, or if you are using a Windows XP Home system, you can quickly check to see if you might be vulnerable to this issue by using the following command. At a command prompt type Net User Guest. In the list of results, if the Guest account is listed as Account Active - Yes, you could be vulnerable to this issue if the Guest account has also been granted permission to access the system through the network. Also, if you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.
Does the Microsoft Baseline Security Analyzer (MBSA) detect if the Guest account has been enabled on a system within my domain?
Yes. While the having the Guest account enabled is not enough to allow it to access the system throught the network, disabling the Guest account is a good best-practice and would block unintended network access. MBSA will check that a Guest account has been disabled on a system, and will report success or failure depending on the system configuration.
Does the Windows Firewall help block access when the Guest account has been enabled through Simple File Sharing?
While Simple File Sharing automatically enables an exception in the Windows Firewall, access is limited to the local subnet. However, Windows XP Service Pack 2 systems are not vulnerable remotely to the issue discussed in MS05-039 with or without the firewall enabled.
How do I disable the Guest account on a Windows XP Home system?
At a command prompt, type Net User Guest /Active:No to disable the guest account on workgroup joined systems. Disabling the guest account will block Simple File Sharing, so the recommended action for systems that are not joined to a domain, but would like enhanced protection while using Simple File Sharing, is to set a password for the Guest account. See the Suggested Actions section below for more information on setting this password. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.
How can I enforce that the Guest account be disabled within my domain using Group Policy?
While the having the Guest account enabled is not enough to allow it to access the system through the network, disabling the Guest account is a good best-practice and would block unintended network access. The Guest account can be disabled through Group Policy by ensuring that the Accounts: Guest account statusis set to Disabled in your domain.
Suggested Actions
Review the following Microsoft Web site.
For more information about the Simple File Sharing feature of Windows XP and the ForceGuest process, visit the following Web site.
Windows XP Professional customers that cannot disable the Guest account should change the default password on the Guest account.
If you cannot disable the Guest account we recommend that you configure a password for the Guest account. This will require all systems on your network to provide this password to connect to each other. Windows XP Professional customers can configure this password by following the instructions listed at the following https:. Configuring a password on the Guest account will help prevent these systems from becoming remotely vulnerable to issues that attempt to authenticate using the Guest account credentials.
Block TCP ports 139 and 445 at the firewall:
These ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.
Follow the Protect Your PC guidance.
We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.
For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
Keep Windows updated.
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure that you install them.
Other Information
Resources:
- You can provide feedback by completing the form by visiting the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- August 23, 2005: Advisory published
Built at 2014-04-18T13:49:36Z-07:00 </https:>