Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


November 21, 2005

Use Guest Accounts to Fight Malware

Limit permissions on apps most vulnerable to attack
A Web Exclusive from Windows IT Pro
Mark Burnett
Feature
InstantDoc #48300
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
View this exclusive article with VIP access -- click here to join |
See More Security Articles Here | Reprints | Or sign up for our VIP Monthly Pass!

In the fight against malicious code, security experts have long recommended that administrators have two accounts—one for everyday use and one for administrative tasks. Running as an administrator leaves you vulnerable to a malicious software (malware) attack. Moreover, administrator privileges grant a user sweeping powers such as setting passwords, file permissions, users and groups, and many others. Security administrators face the dilemma of limiting the use of administrator privileges while giving users adequate permissions to perform their routine tasks. One solution that accommodates both needs is to let some users run as administrators and configure those applications that are most vulnerable to a malware attack—email, IM, and Web browsing—to run as low-privilege Guest accounts. Let's look at when you might want to use a Guest account and how to set one up.

Why Use a Guest Account?
Because some users require privileged access for many of their daily functions, either forcing a restrictive permissions policy on users or granting all users full administrator rights could prove counterproductive. Take, for example, one company I visited several years ago that had a security-aware network administrator. He forced everyone in the company, even the developers, to run as nonadministrators on their own workstations for day-to-day tasks. Everyone felt this policy was overbearing and either complained about it or, if they had the know-how, broke in to their own systems to gain administrator access. . . .

Reader Comments
This is a really dumb article. For one thing, enabling the Guest account with a weak password invites a breakin, and its needless. A better plan would be to create a new user, add it to the Guests group, and remove it from the Users group. An identical security context is thus created without exposing a well-known built-in account.

More importantly, much of the premise of this article is based on fiction. When a guest account logs out, everything in it's profile goes away, including all of HKEY_CURRENT_USER, and everything in the profile directory. You can login as a guest as many times as you want, and change every setting under the sun, but as soon as you log out, it's all gone.

Since the whole profile is vaporized on logout, suggesting that a guest account would be suitable for email or IM is just plain stupid. Guest accounts retain no settings, they are allowed zero storage that persists beyond the session. It has been that way since at least Windows 2000.

And another thing, on my system the user Deny Logon Locally is set for Guest (but not Guests,) so to make your suggestion even minimally work, I'd have to edit local policy.

I wish the "rate this article" less useful scale went into negative numbers, this little farce doesn't deserve a 1, but that was the lowest available choice.

Question: don't your writers check these things out before writing a bunch of hooey, and subsequently looking stupid? Might want to give it some thought. There's already a large volume of misinformation out there; why you choose to carelessly add to that I can't even imagine.

-Mark McGinty

mmcginty November 23, 2005 (Article Rating: )

I concur with Mr. McGinty's comments. I lot of misinformation and holes in this document. I would pull the article if I were the editor. It's unfortunate that an otherwise excellent author, Mark Burnett would let something like this slip out, unsubstantiated. Must have been the tryptophan in the turkey. - Eric Stockwell

stockwee November 29, 2005 (Article Rating: )

Let’s not forget that Microsoft's best practices advise disabling the account. Many trusted security policy sites also recommend denying privileges to the Guests group and Guest account.

While I think the intent with the article was good, the approach is completely wrong and against accepted security practices.

MorfiusX November 30, 2005 (Article Rating: )

I expect people to disagree with my sometimes unorthodox advice, but I am surprised with these particular comments. I am not suggesting everyone implement this, normally I do suggest disabling guest accounts. This advice won't work for every situation, and it's not the best for everyone; I simply present it as a new idea. It certainly will break a lot of things because many programs simply were never tested running as a guest. And yes, it might force you to change a few policies to get it to work correctly in your environment.
Nevertheless, this article is not a suggestion I made carelessly or without any research. It is not full of holes and misinformation. It is a technique I have used successfully myself. It goes against Microsoft's security advice and goes against what many others might say, but that certainly does not mean it is wrong! Is that now somehow a gauge of accuracy? Besides, this is not the first time I have gone against someone else's security advice. This article is not a slip and is by no means unsubstantiated. And I still stand behind the advice.

You must realize that using a guest account in itself is not bad. It is enabling it and forgetting it is there and letting hackers use it that is bad. And remember that much of the security advice we have for Windows nowadays was developed for Windows NT, not Windows 2003. Guest accounts in Windows NT had access to many things, this is not true in Windows 2003. In Windows NT the guest account was included in the Everyone group. Not anymore. Enabling a guest account--and I never said to use a weak password--by no means invites a break in.

As for losing profiles, I find this quite useful for some purposes. But you are actually incorrect that all guests lose their profiles upon logout. That only applies to the built-in Guest account. I still have--and use--the profile for the guest account for IE I set up when writing this article. I originally made a better distinction between the two but in the wr

mburnett December 02, 2005 (Article Rating: )

I originally made a better distinction between the two but in the writing, rewriting, and editing process that did get a blurred. Unfortunately that does happen. I actually have several guest accounts, I use for different purposes, including the built-in guest account.

I do appreciate feedback, even negative feedback, and I encourage you to poke holes in my ideas. Nevertheless, you shouldn't be so hasty to call it a dumb article or assume that these techniques are invalid. I have tested them and they work quite well for me. In doing so, I am not vulnerable to most IE bugs because code running as a guest simply cannot do much. Even better, I feel much safer when I am forced to use a web browser on a sensitive server or when I must go to a web site I don’t quite trust. Do you feel safe?

Mark Burnett

mburnett December 02, 2005 (Article Rating: )

Perhaps the mistake we've all made is to refer to the 'guest account' as if it's a uniformly implemented construct -- apparently it's anything but... To treat it as such is disingenuous at best.

Much of what I do involves businesses and [NT] domains, so I tend to view things in that light. I just tested the Guest account across a range of scenarios on a set of virtuals. As it turns out, guest account profiles are removed upon logoff *only* if the machine is a member of a domain (but regardless of whether logged in to the domain or the local system.)

XP Home in all cases does indeed retain its guest user profile across sessions (can't join XP Home to a domain) and XP Pro behaves likewies if not joined to a domain.

One thing kind of ugly is that it will even delete a previously created profile, right after the first login session. It does not suffix the profile of a guest account with the domain name, so if you had been using a guest account, and then joined a domain, you would loose that profile at the end of the first session.

Amusingly, while testing XP Home I turned off the "welcome screen login" feature, and in so doing, I locked myself out of that virtual. it implicitly activated a minimum password length policy; the admin acct had a short password. :-) If it had a real machine, it would've been highly irritating -- I really don't see the value of enforcing password rules when tendering credentials, especially with no provision to check/handle existing accounts that don't comply when a rule is activated... but I digress.

Also amusing [to me anyway] is a statement made by the MSDN aritcle (link below) to the effect that the guest account password cannot be changed. It's true that XP Home offers no UI to change it, but it is surely possible, using NET.EXE. (In XP Pro, it's flagged pwd never expires and user cannot change, but the settings can be changed just like any other account.)

[more]

mmcginty December 03, 2005 (Article Rating: )

The link mentioned above is: http://support.microsoft.com/default.aspx?scid=kb;en-us;300489

So in any case, as you can see I upgraded my usefulness rating for this article, partly because my statement [about guest profiles] was equally incorrect (neither yours nor mine were completely qualified), and partly because I did create a shortcut to open IE via runas.exe, much as you suggested. I have a DC/Server running here, so the throw-away profile thing limited its usefulness, but I dumped my usual settings to a .reg file, made them available via http. Loading that into the guest context via the browser improves its usability quite a bit.

As for your question, do I feel safe? Well... I run two desktops, one priveleged and one not, thanks to a very cool program called NetExec (http://netexec.de/), Symantec Corp AV and MS Anti-spyware are protecting all machines. I also run a home-grown solution that blocks a configurable set of domains, via BIND, that lets us avoid a bunch of the disreputable and semi-reputable operators... I've got splashes of IPSEC here and there; access to our intranet is authenticated using certs. And a Cisco PIX firewall at the head-end of it all...

With all the crud on the Internet these days, does anyone [that knows anything about it] feel truly safe? I like to think I'm quite a bit more safe than most home offices. I'm also fairly cautious, and very aware of my systems' behaviors... I think I go to sufficient lengths to protect my tiny slice of the Net -- I feel safe enough... but the security job is never done.

Haven't had a virus since I brought NIMDA back from a co-location facility, so I think my track record speaks pretty well for my efforts.

Apologies, Mark, if I offended you... hopefully we all learned something from this exchange. :-)

-MM

mmcginty December 04, 2005 (Article Rating: )

It says "See More Comments 1" but no way to get to it??

mmcginty December 13, 2005 (Article Rating: )

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

PsExec

This freeware utility lets you execute processes on a remote system and redirect output to the local system. ...

Escape From Yesterworld

Kevin points you to the funniest SQL Server website ever! ...
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events How IE7 & The New Extended Validation SSL Certificates Impact Your Site

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.

Implement a Successful Archiving Solution
View this web seminar to learn the best practices for creating an email archive that is secure, compliant, and searchable.
Protect Your Company’s Digital Assets
Do you know the risks of sending important files over email or FTP? Read this white paper to learn what you can do to safeguard your company’s data.

Prepare Yourself for Exchange Catastrophe
Read this white paper to learn how you can keep Exchange server healthy, as well as predict and respond to server failure.

Boost Customer Confidence and Satisfaction
Read this eBook to learn how faxing can ease communication with less computer-savvy customers while reducing your security, compliance and support woes.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing