Guest Account check
Applies To: Forefront Client Security
The Guest Account SSA check determines whether the built-in Guest account is enabled on the scanned computer. The Guest account is intended for users who require temporary access to the system. However, if this account is enabled, a security risk may exist because an unauthorized user could gain anonymous access to the system through this account.
Computers running Windows XP map incoming user connections from across a network to the local Guest account (ForceGuest) when simple file sharing is enabled. This feature is configured under the ForceGuest registry setting. If the Guest account is enabled on computers running Microsoft Windows Server 2003, Windows XP, Windows 2000 Server, or Windows NT® (not using simple file sharing; ForceGuest registry setting disabled), Client Security includes it in SSA-related reports as a potential vulnerability. If the Guest account is enabled on computers running Windows XP that use simple file sharing (ForceGuest registry setting enabled), Client Security does not include it in reports as a potential vulnerability.
The Guest account is disabled by default in Windows XP Home Edition. However, only the guest's ability to log on locally is affected. The account itself is not disabled for incoming user connections from across the network and can still be used with simple file sharing.
It is recommended that the Guest account be disabled. The Guest account is disabled by default in Microsoft Windows Server 2003, Windows XP, and Windows 2000 Server.
The following table shows how Client Security determines the score resulting from performing this check on a client computer and what message appears in related reports.
| Score | Guest account enabled | ForceGuest enabled | Guest account set by Group Policy | No Guest account | Computer is a domain controller (or backup domain controller) | Results message |
|---|---|---|---|---|---|---|
| High | Yes | No | No | Not applicable | No | The Guest account is not disabled on this computer. Guest account name: domain\username. |
| Informational | Yes | Yes | No | Not applicable | No | The Guest account is active, but ForceGuest is also set to true. Guest account name: domain\username. |
| | Not applicable | Not applicable | Yes | Not applicable | No | The Guest account is controlled by Group Policy. |
| | Not applicable | Not applicable | Not applicable | Not applicable | Yes | This check is not supported on domain controllers. |
| Low | No | Not applicable | No | Not applicable | No | The Guest account is disabled on this computer. Guest account name: domain\username. |
| | Not applicable | Not applicable | No | Yes | No | The Guest account has been deleted on this computer. |
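The decision table above can be reproduced by hand when auditing a single computer. The following script is an added example, not Client Security code: it reads the Guest account state, the `forceguest` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and the computer's domain role, then returns the matching row. The `$SetByGroupPolicy` parameter and the `New-Row` helper are hypothetical names introduced here; the script does not detect policy origin itself.

```powershell
# Added example, not Client Security code.
param([bool]$SetByGroupPolicy = $false)  # hypothetical input: policy origin is not detected here

function New-Row($Score, $Message) {
    [pscustomobject]@{ Score = $Score; Message = $Message }
}

# The built-in Guest is the local account with RID 501, whatever it has been renamed to.
$guest = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }

# ForceGuest is the forceguest value under the Lsa key; 1 means enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name forceguest -ErrorAction SilentlyContinue
$forceGuest = ($null -ne $lsa) -and ($lsa.forceguest -eq 1)

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

$name = if ($guest) { "$($guest.Domain)\$($guest.Name)" }

# Rows are tested in the order implied by the table's "Not applicable" cells.
# Score is $null where the table leaves the Score cell blank.
if ($isDc) {
    New-Row $null 'This check is not supported on domain controllers.'
}
elseif ($SetByGroupPolicy) {
    New-Row $null 'The Guest account is controlled by Group Policy.'
}
elseif (-not $guest) {
    New-Row $null 'The Guest account has been deleted on this computer.'
}
elseif ($guest.Disabled) {
    New-Row 'Low' "The Guest account is disabled on this computer. Guest account name: $name."
}
elseif ($forceGuest) {
    New-Row 'Informational' "The Guest account is active, but ForceGuest is also set to true. Guest account name: $name."
}
else {
    New-Row 'High' "The Guest account is not disabled on this computer. Guest account name: $name."
}
```

`Get-CimInstance` requires Windows PowerShell 3.0 or later; on older systems `Get-WmiObject` accepts the same class names and filter.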
How to Set Security in Windows XP Professional That Is Installed in a Workgroup
Description of the Guest account in Windows XP