Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


November 21, 2005

Use Guest Accounts to Fight Malware

Limit permissions on apps most vulnerable to attack

Running as Guest
You can launch your applications under the Guest account in several ways. The quickest is to use the Runas command, either from an application's shortcut menu or by invoking runas.exe in a batch file. To use the shortcut menu, right-click the application's icon and select Run as. (In Windows 2000, you need to hold down the Shift key and right-click.) In the dialog box that's displayed, select the "The following user" option and enter the username (Guest) and password you want to use, as Figure 1 shows.

You can also execute Runas at a command line and specify the /savecred parameter to save the password so that you don't have to enter it every time. As a rule, using this feature isn't prudent, but because in this case you're using Runas to impersonate the Guest account from an Administrator account, saving the password poses little risk. If someone already has access to your privileged account, they'd have little to gain from running programs as a local Guest. . . .
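
The batch-file approach described above, as an added example that is not from the original article: it checks that the local Guest account is active, then launches Internet Explorer under it with runas and /savecred. The program path, the English-language `net user` output it matches, and a Guest account that already has a password set are assumptions.

```bat
@echo off
rem Added example: start a browser under the local Guest account with runas.
rem ACCOUNT and APP are assumptions for illustration; adjust them to your system.
setlocal
set "ACCOUNT=%COMPUTERNAME%\Guest"
set "APP=%ProgramFiles%\Internet Explorer\iexplore.exe"

rem Stop early if the target program is not where we expect it.
if not exist "%APP%" (
    echo Cannot find "%APP%".
    exit /b 1
)

rem The built-in Guest account is disabled by default, and runas cannot log on
rem a disabled account. This match assumes English "net user" output.
net user Guest | findstr /r /i /c:"Account active  *Yes" >nul
if errorlevel 1 (
    echo The Guest account is not active. Enable it with: net user Guest /active:yes
    exit /b 1
)

rem runas performs an interactive logon, so it also fails if local policy lists
rem Guest under "Deny log on locally" or if the account has a blank password
rem while blank-password use is limited to console logon.
rem /savecred prompts for the password once and reuses the stored credential
rem on later runs. The inner \" quotes keep the path with spaces as one program.
runas /user:%ACCOUNT% /savecred "\"%APP%\""
exit /b %errorlevel%
```

Windows XP Home Edition ignores /savecred, so runas prompts for the password on every run there.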


Reader Comments
This is a really dumb article. For one thing, enabling the Guest account with a weak password invites a break-in, and it's needless. A better plan would be to create a new user, add it to the Guests group, and remove it from the Users group. An identical security context is thus created without exposing a well-known built-in account.

More importantly, much of the premise of this article is based on fiction. When a guest account logs out, everything in its profile goes away, including all of HKEY_CURRENT_USER, and everything in the profile directory. You can log in as a guest as many times as you want, and change every setting under the sun, but as soon as you log out, it's all gone.

Since the whole profile is vaporized on logout, suggesting that a guest account would be suitable for email or IM is just plain stupid. Guest accounts retain no settings, they are allowed zero storage that persists beyond the session. It has been that way since at least Windows 2000.

And another thing, on my system the user right Deny Logon Locally is set for Guest (but not Guests), so to make your suggestion even minimally work, I'd have to edit local policy.

I wish the "rate this article" less useful scale went into negative numbers, this little farce doesn't deserve a 1, but that was the lowest available choice.

Question: don't your writers check these things out before writing a bunch of hooey, and subsequently looking stupid? Might want to give it some thought. There's already a large volume of misinformation out there; why you choose to carelessly add to that I can't even imagine.

-Mark McGinty

mmcginty November 23, 2005 (Article Rating: )


I concur with Mr. McGinty's comments. A lot of misinformation and holes in this document. I would pull the article if I were the editor. It's unfortunate that an otherwise excellent author, Mark Burnett, would let something like this slip out, unsubstantiated. Must have been the tryptophan in the turkey. - Eric Stockwell

stockwee November 29, 2005 (Article Rating: )


Let’s not forget that Microsoft's best practices advise disabling the account. Many trusted security policy sites also recommend denying privileges to the Guests group and Guest account.

While I think the intent with the article was good, the approach is completely wrong and against accepted security practices.

MorfiusX November 30, 2005 (Article Rating: )


I expect people to disagree with my sometimes unorthodox advice, but I am surprised with these particular comments. I am not suggesting everyone implement this, normally I do suggest disabling guest accounts. This advice won't work for every situation, and it's not the best for everyone; I simply present it as a new idea. It certainly will break a lot of things because many programs simply were never tested running as a guest. And yes, it might force you to change a few policies to get it to work correctly in your environment.
Nevertheless, this article is not a suggestion I made carelessly or without any research. It is not full of holes and misinformation. It is a technique I have used successfully myself. It goes against Microsoft's security advice and goes against what many others might say, but that certainly does not mean it is wrong! Is that now somehow a gauge of accuracy? Besides, this is not the first time I have gone against someone else's security advice. This article is not a slip and is by no means unsubstantiated. And I still stand behind the advice.

You must realize that using a guest account in itself is not bad. It is enabling it and forgetting it is there and letting hackers use it that is bad. And remember that much of the security advice we have for Windows nowadays was developed for Windows NT, not Windows 2003. Guest accounts in Windows NT had access to many things, this is not true in Windows 2003. In Windows NT the guest account was included in the Everyone group. Not anymore. Enabling a guest account--and I never said to use a weak password--by no means invites a break in.

As for losing profiles, I find this quite useful for some purposes. But you are actually incorrect that all guests lose their profiles upon logout. That only applies to the built-in Guest account. I still have--and use--the profile for the guest account for IE I set up when writing this article. I originally made a better distinction between the two but in the wr

mburnett December 02, 2005 (Article Rating: )


I originally made a better distinction between the two but in the writing, rewriting, and editing process that did get blurred. Unfortunately that does happen. I actually have several guest accounts I use for different purposes, including the built-in guest account.

I do appreciate feedback, even negative feedback, and I encourage you to poke holes in my ideas. Nevertheless, you shouldn't be so hasty to call it a dumb article or assume that these techniques are invalid. I have tested them and they work quite well for me. In doing so, I am not vulnerable to most IE bugs because code running as a guest simply cannot do much. Even better, I feel much safer when I am forced to use a web browser on a sensitive server or when I must go to a web site I don’t quite trust. Do you feel safe?

Mark Burnett

mburnett December 02, 2005 (Article Rating: )


Perhaps the mistake we've all made is to refer to the 'guest account' as if it's a uniformly implemented construct -- apparently it's anything but... To treat it as such is disingenuous at best.

Much of what I do involves businesses and [NT] domains, so I tend to view things in that light. I just tested the Guest account across a range of scenarios on a set of virtuals. As it turns out, guest account profiles are removed upon logoff *only* if the machine is a member of a domain (but regardless of whether logged in to the domain or the local system.)

XP Home in all cases does indeed retain its guest user profile across sessions (can't join XP Home to a domain) and XP Pro behaves likewise if not joined to a domain.

One thing kind of ugly is that it will even delete a previously created profile, right after the first login session. It does not suffix the profile of a guest account with the domain name, so if you had been using a guest account, and then joined a domain, you would lose that profile at the end of the first session.

Amusingly, while testing XP Home I turned off the "welcome screen login" feature, and in so doing, I locked myself out of that virtual. It implicitly activated a minimum password length policy; the admin acct had a short password. :-) If it had been a real machine, it would've been highly irritating -- I really don't see the value of enforcing password rules when tendering credentials, especially with no provision to check/handle existing accounts that don't comply when a rule is activated... but I digress.

Also amusing [to me anyway] is a statement made by the MSDN article (link below) to the effect that the guest account password cannot be changed. It's true that XP Home offers no UI to change it, but it is surely possible, using NET.EXE. (In XP Pro, it's flagged pwd never expires and user cannot change, but the settings can be changed just like any other account.)

[more]

mmcginty December 03, 2005 (Article Rating: )


The link mentioned above is: http://support.microsoft.com/default.aspx?scid=kb;en-us;300489

So in any case, as you can see I upgraded my usefulness rating for this article, partly because my statement [about guest profiles] was equally incorrect (neither yours nor mine were completely qualified), and partly because I did create a shortcut to open IE via runas.exe, much as you suggested. I have a DC/Server running here, so the throw-away profile thing limited its usefulness, but I dumped my usual settings to a .reg file, made them available via http. Loading that into the guest context via the browser improves its usability quite a bit.

As for your question, do I feel safe? Well... I run two desktops, one privileged and one not, thanks to a very cool program called NetExec (http://netexec.de/), Symantec Corp AV and MS Anti-spyware are protecting all machines. I also run a home-grown solution that blocks a configurable set of domains, via BIND, that lets us avoid a bunch of the disreputable and semi-reputable operators... I've got splashes of IPSEC here and there; access to our intranet is authenticated using certs. And a Cisco PIX firewall at the head-end of it all...

With all the crud on the Internet these days, does anyone [that knows anything about it] feel truly safe? I like to think I'm quite a bit more safe than most home offices. I'm also fairly cautious, and very aware of my systems' behaviors... I think I go to sufficient lengths to protect my tiny slice of the Net -- I feel safe enough... but the security job is never done.

Haven't had a virus since I brought NIMDA back from a co-location facility, so I think my track record speaks pretty well for my efforts.

Apologies, Mark, if I offended you... hopefully we all learned something from this exchange. :-)

-MM

mmcginty December 04, 2005 (Article Rating: )


It says "See More Comments 1" but no way to get to it??

mmcginty December 13, 2005 (Article Rating: )


 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement