2

I was recently interested in allowing the guest account network access as related to a research project I was doing.

This was on a Windows Server OS.

The outcry was amazing....people freaking out and saying how insecure it is and how there just had to be a better way regardless of my needs or wants.

Apparently it's such a bad idea that under no circumstances should the question even be asked.

This seems like FUD

Looking around on the net the solution given when other people have asked around was to make a limited user account instead. Now, this seems like a worse solution.

If for whatever reason (and there are many, trying to answer for a specific reason does not help anyone, nor the community) someone is determined to have a guest account for anonymous access on a Server OS, is it not better that they use the built in guest account?

A limited account created for the exact same purpose will be used the exact same way, except that the built in guest account is already locked down to a far greater degree. Indeed, using the built in guest account with network access would seem to be more secure than creating a limited account for the same purpose.

So, why is trying to enable network access for the built in guest account considered so insecure, and why does it evoke such panic and FUD?

edit: To be clear I am referring to having the guest account initiate network connection from the machine while logged in, not using the guest account to access anything remotely

  • What exactly do you mean? A guest accessible a shared folder? – The Digital Ninja Nov 12 '10 at 02:44
  • To be fair - your previous two deleted questions were about giving the Guest account the ability to join arbitrary wireless networks. That's a vastly different ballgame than just allowing Guest network access as you state above. Once again, I understand your frustration, but please try and be open and honest when making complaints about the community. – EEAA Nov 13 '10 at 01:49
  • 1
    ErikA, no, I never mentioned arbitrary wireless networks anywhere in my question. I simply asked how to allow the guest account to join a network, any network wireless or cabled. If the comments read join a network as 'arbitrary wireless network' that would explain the behavior I described. Even so, there is no excuse for marking a clearly on-topic question as off-topic because you disagree with it. People could have provided an answer and the community could have benefited from the discussion. Closing it accomplishes nothing. –  Nov 13 '10 at 07:37
  • Okay, well then I must be remembering incorrectly. I view the fact that it was closed as "off-topic" as an unfortunate consequence of a limited number of of options to pick from when voting to close. Off-topic gets used as a de-facto catch-all at times when none of the other options are appropriate. I do think that your question is on-topic, but unfortunately, as Robert suggested below, I usually choose to not enable what I see as non-optimal infrastructure choices, whether in production or not. – EEAA Nov 13 '10 at 16:46

1 Answers1

1

The purpose of the Guest account is to control anonymous access to some OS facilities. If I wanted to allow anonymous access to, say, an SMB share, I'd enable the Guest account,

Enabling the account in changes the behavior of the OS. Guest is a user account, but its enabled/disabled status acts as a flag that says "Hey-- when this account is enabled allow anybody with any credentials to authenticate as this context."

The "FUD" comes from Microsoft's historically bad handling of security and allowing anonymous users unnecessarily broad access, by default, in older versions of the OS. Even though Windows Server 2003 and newer versions of Windows do a much better job with this the community is still a little gun-shy.

To my mind there's nothing wrong with using the OS built-in Guest account for its intended purpose.

Personally I'd tend to be against using anonymous SMB file sharing. I'd export the files you want to share with HTTP or, if they needed to be read/write, WebDAV. I tend to think that writeable folders with anonymous access enabled are irresponsible to host.

Edit:

If you want "Guest" to access a shared folder via SMB in a Windows Server OS's (W2K3 and W2K8 flavors) then you'd want to:

  • "Enable" the "Guest" account from "Local User and Groups"
  • Add either the "Guest" user or the "Guests" group with the desired permissions (hopefully read-only) to the ACL on the shared folder

The "Users" and "Authenticated Users" built-in groups don't contain "Guest" (though "Everyone" does) so most default folder ACLs won't allow Guest access. I'd add "Guests" explicitly, rather than "Everyone", so that it's visually very clear that I've allowed "Guests" access to this folder. (You don't have to use the group "Guests" but, generally it's better to use groups in permissions rather than individual users. When you're joined to be a domain be aware that "DOMAIN\Domain Guests" is nested into your computer's local "Guests" group, though.)

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • 2
    For the benefit of those who are unaware, that poor security record mainly stems from Windows having evolved out of a single user, single tasking operating system. In that situation OS security just doesn't matter and was therefore always an afterthought. In most earlier versions of Windows security was handled with more after than thought. – John Gardeniers Nov 12 '10 at 03:05
  • 1
    So then, in your opinion, asking how to enable network access on the built in guest account would not be a security risk? I tried that and got told strongly by various people it was a security risk -- of course they couldn't say how and simply closed the question, bizarrely, as off-topic. –  Nov 12 '10 at 03:07
  • @Jacob, was this a question you asked here? Can you provide us a link? I suspect there must be more to the closed question, then just asking about a guest account. – Zoredache Nov 12 '10 at 03:14
  • 1
    Zoredache, I deleted the question after it was closed. I was very very frustrated. It was voted down almost immediately and then closed as off topic. All I asked was how to enabled the built in guest account the ability to join a network. Nothing else. People then started asking why I wanted that (which is irrelevant, and self-righteous to insist) and insisted there was a better way. I said I wanted to know how to do that, and then it got closed as off topic. I could open the question again and show you the same responses, but that probably isn't wise. –  Nov 12 '10 at 03:49
  • 2
    @John Gardeniers: I'll take a little umbrage to the "single user, single tasking" statement. I think that Microsoft (and, in general the PC culture of the time) wasn't geared toward secure design and implementation practices. "NT", as designed by David Cutler and his team, certainly did come from a background of secure, solid design (DEC VMS). Bolting "Windows" onto "NT", though, brought a lot of baggage from the rest of Microsoft's culture. Give "Showstopper" (http://goo.gl/AW7sk) a read sometime. It's got some great insight into the beginnings of "NT". – Evan Anderson Nov 12 '10 at 04:12
  • @Evan - Would you know of any way to enable network access for the built in guest account, or why it has been made very hard to enable? –  Nov 12 '10 at 06:23
  • @Evan, you know very well that NT was far from the first version of Windows. While by that stage security was being given some consideration the heritage still had its effect and versions of NT prior to 2000 were notoriously insecure "out of the box". – John Gardeniers Nov 12 '10 at 10:50
  • 1
    @John, what Evan was getting at was that NT was a completely different OS from the shell that ran on top of DOS. Yes, it had a similar interface and a port of the API, but it's security problems were not because it's sister OS was single user and single tasking. –  Nov 12 '10 at 11:17
  • 1
    @John Gardeniers: "NT" was the first version of "NT". NT's design is solid and has stood up well over time. Security wasn't added on as an afterthought. "Windows" existed before NT and, as I said, was bolted onto NT bringing w/ it lots of questionable MS culture. IMO that culture drove the "nortoriously insecure" defaults you mention. You *can* configure NT 4.0 to be heavily locked-down but it didn't ship tht way. The OS's design allows for it to be secure, but the culture at Microsoft shipped it very open. That's not because of any "single-user, single-tasking" heritage. That's just culture. – Evan Anderson Nov 12 '10 at 14:37
  • @Jacob: re: your question in your comment-- I'll drop on an edit clarifying. – Evan Anderson Nov 12 '10 at 14:42
  • 4
    @Jacob **People then started asking why I wanted that (which is irrelevant, and self-righteous to insist)** - yes and no. I can see why it might feel inappropriate to you, but people here don't *have* to answer questions, and many people here have a code of ethics that won't allow them to provide what they think of as fundamentally bad advice. Think of it as a doctor, who when asked "how do I wrap even more bandages around my bleeding arm", replies "perhaps instead of doing that, I should be helping you stop the wound from bleeding in the first place" – Rob Moir Nov 12 '10 at 15:51
  • 1
    @Robert Moir: "The bloody bandages are a fashion statement." >smile – Evan Anderson Nov 12 '10 at 16:27
  • @Evan, I think you may have misunderstood. When I refer to enabling network access for the Guest account, I refer to logging in as the built in guest user and being able to join a network. At present that option is greyed out and access is denied, and I don't understand this. –  Nov 13 '10 at 02:44
  • 1
    @Robert, I get all that, I do. The self-righteousness comes in the fact the people *assume* they know better, and won't justify their *belief* that my question is wrong. If I have a very specific question why not provide a technical answer with whatever side explanation you think is necessary. Your Doctor analogy is slightly inaccurate...the situation sometimes on this site is more akin to a Doctor refusing to provide crutches because someone with a broken leg should not be out and about anyway. –  Nov 13 '10 at 02:53
  • 1
    The thing that really annoyed me was that no one was able to give a reason why what I was asking was insecure. There is nothing insecure about wanting to enable network access for the guest account, and instead people were self-assured that it was not a good idea, instead recommending I set up a limited user account instead, which is a more *insecure* option. What's worse, was the question was voted as offtopic, without any actual answer to my question being given. I expect more from the people on this site. –  Nov 13 '10 at 02:57
  • @Evan, just to point out again I was referring to letting the built in Guest account join a network connection, eg join a wireless network or disable/enable a cable connection, not anything to do with SMB. –  Nov 14 '10 at 09:39