Tip: Best Practices for Creating a Secure Guest Account

Follow Our Daily Tips

Twitter | Blog | RSS | Facebook

In some environments, you might need to set up a Guest account that can be used by visitors. Most of the time, you’ll want to configure the Guest account on a specific computer or computers and carefully control how the account can be used. Here are some best practices to follow when creating a secure Guest account:

Enable the Guest account for use
By default, the Guest account is disabled, so you must enable it to make it available. To do this, access Local Users And Groups in Computer Management, select the Users folder, double-click Guest, and then clear the Account Is Disabled check box. Click OK.

Set a secure password for the Guest account
By default, the Guest account has a blank password. To improve security on the computer, you should set a password for the account. In Local Users And Groups, right-click Guest, and then select Set Password. Click Proceed at the warning prompt. Type the new password and then confirm it. Click OK twice.

Ensure that the Guest account cannot be used over the network
The Guest account shouldn’t be accessible from other computers. If it is, users at another computer could log on over the network as a guest. To prevent this, start the Local Security Policy tool from the Administrative Tools menu, or type secpol.msc at the command prompt. Then, under Local Policies\User Rights Assignment, check that the Deny Access To This Computer From The Network policy lists Guest as a restricted account.

Prevent the Guest account from shutting down the computer
When a computer is shutting down or starting up, it is possible that a guest user (or anyone with local access) could gain unauthorized access to the computer. To help deter this, you should be sure that the Guest account doesn’t have the Shut Down The System user right. In the Local Security Policy tool, expand Local Policies\User Rights Assignment and ensure that the Shut Down The System policy doesn’t list the Guest account.

Prevent the Guest account from viewing event logs
To help maintain the security of the system, the Guest account shouldn’t be allowed to view the event logs. To be sure this is the case, start Registry Editor by typing regedit at a command prompt, and then access the HKLM\SYSTEM\Cur-rentControlSet\services\Eventlog key. Here, among others, you’ll find three important subkeys: Application, Security, and System. Make sure each of these subkeys has a DWORD value named RestrictGuestAccess with a value of 1.

From the Microsoft Press book Windows 7 Administrator’s Pocket Consultant by William R. Stanek.

Looking for More Tips?

For more tips on Windows 7 and other Microsoft technologies, visit the TechNet Magazine Tips library.