• This article is only available to VIP subscribers. Sign up now and get instant access!
  • [November 21, 2005]
  • Use Guest Accounts to Fight Malware
  • Limit permissions on apps most vulnerable to attack
  • By:  Mark Burnett
  • Feature
  • InstantDoc #48300
  • Web Exclusive from Windows IT Pro

In the fight against malicious code, security experts have long recommended that administrators have two accounts—one for everyday use and one for administrative tasks. Running as an administrator leaves you vulnerable to a malicious software (malware) attack. Moreover, administrator privileges grant a user sweeping powers such as setting passwords, file permissions, users and groups, and many others. Security administrators face the dilemma of limiting the use of administrator privileges while giving users adequate permissions to perform their routine tasks. One solution that accommodates both needs is to let some users run as administrators and configure those applications that are most vulnerable to a malware attack—email, IM, and Web browsing—to run as low-privilege Guest accounts. Let's look at when you might want to use a Guest account and how to set one up.

Why Use a Guest Account?
Because some users require privileged access for many of their daily functions, either forcing a restrictive permissions policy on users or granting all users full administrator rights could prove counterproductive. Take, for example, one company I visited several years ago that had a security-aware network administrator. He forced everyone in the company, even the developers, to run as nonadministrators on their own workstations for day-to-day tasks. Everyone felt this policy was overbearing and either complained about it or, if they had the know-how, broke in to their own systems to gain administrator access.

When that network administrator left the company and a new administrator replaced him, the new admin faced so much user and management resistance to this policy that he decided to abandon it completely. Unfortunately, after that everyone ran as an administrator on their local systems, which posed a much greater risk than letting a few power users run as local administrators. A better solution would have been to work with users to find the best balance of security and productivity, so that users more willingly participated in the security process. Guest accounts let you accommodate power users who need privileged access and yet still provide them the protection they need for certain tasks.

Least Privilege
Guest accounts are an example of using least privilege: granting each user only those privileges required to fulfill his or her role and responsibilities. For an introduction to least privilege and how to implement it, see "Get the Most from Least Privilege," September 2005, InstantDoc ID 47174. For additional tips about putting least privilege into practice, see "Learn to Be Least," October 2005, InstantDoc ID 47622.

As I mentioned, some attacks exploit security flaws in certain software applications. Typically these attacks occur as email-based viruses or browser vulnerabilities that are the medium through which spyware or Trojan horses are installed on a system. If you aren't logged on as an administrator, malicious code is less likely to damage your system.

Unfortunately, in practice least privilege sometimes inconveniences users so much that they start seeking ways to circumvent it. Such circumventions might cause a greater security exposure than if you hadn't used least privilege at all. In fact, many administrators and security experts who support least privilege still find it difficult to run as nonadministrators and don't follow the least-privilege policy themselves. Guest accounts provide a way to implement a degree of least privilege that prevents users from completely circumventing security.

Account Choices
Typically, you should run as a nonadministrator and use tools such as the Runas utility (runas.exe) to perform specific tasks as an administrator. For this strategy, certain users may log in as administrators for most of their tasks yet perform particular highexposure tasks as guests. The drawback of using Runas is that it requires users to maintain two accounts—a user account and an Administrator account—each with its own password to remember, set of permissions to manage, and profile to administer. Furthermore, regular user accounts still have enough power to do significant damage and usually have access to network and other sensitive resources.

For many Internet activities, though, you don't need the level of privilege of even a regular user account. The Windows built-in Guest account is perfect for this situation. It already has limited access configured and, because it's a local account, it doesn't have access to the domain. Also, because it's a limited account, you can relax a bit in your efforts to keep it secure. For example, you might let users go as long as 6 months without requiring a password change for that account.

Preparing the Guest Account
The Guest account needs some preparation before you use it. By default, the account is disabled and has no password. You also might have Group Policy restrictions that disable or rename the account.

First, adjust or disable any security policies you've set that might affect the Guest account. Next, configure basic account options by running this command at a command prompt: 

net user "Guest" * /active:yes 
  /passwordchg:yes 
	/passwordreq:yes 
	/workstations:%COMPUTERNAME%

(The command wraps to several lines here because of space limitations; you should actually type it on one line.) After you press Enter, you're prompted to enter a new password for the account. Type an appropriate password, and retype the password to confirm it.

Finally, you need to log off and log back on by using the Guest account. Doing so lets you configure your browser's preferences and security settings. You might also find it helpful to make some changes to your Windows and browser UI settings so that you can easily distinguish which account you're using. For example, you could use a different toolbar or skin setting depending on which browser you use. You can also configure a different background bitmap for Microsoft Internet Explorer (IE). To do so, see the instructions at http://www .winguides.com/registry/display.php/ 66. After you finish configuring your applications, log off and log on again by using your regular Administrator account.

Because you'll probably want to download files from the Internet, you might want to create a shared folder that the Administrator and Guest accounts share. Make sure that you limit the permissions on this folder to allow only the minimal access needed to save downloaded files. You might, for example, not allow the Guest account to execute any files in that directory.

   Prev. page   [1] 2     next page



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

This is a really dumb article. For one thing, enabling the Guest account with a weak password invites a breakin, and its needless. A better plan would be to create a new user, add it to the Guests group, and remove it from the Users group. An identical security context is thus created without exposing a well-known built-in account.

More importantly, much of the premise of this article is based on fiction. When a guest account logs out, everything in it's profile goes away, including all of HKEY_CURRENT_USER, and everything in the profile directory. You can login as a guest as many times as you want, and change every setting under the sun, but as soon as you log out, it's all gone.

Since the whole profile is vaporized on logout, suggesting that a guest account would be suitable for email or IM is just plain stupid. Guest accounts retain no settings, they are allowed zero storage that persists beyond the session. It has been that way since at least Windows 2000.

And another thing, on my system the user Deny Logon Locally is set for Guest (but not Guests,) so to make your suggestion even minimally work, I'd have to edit local policy.

I wish the "rate this article" less useful scale went into negative numbers, this little farce doesn't deserve a 1, but that was the lowest available choice.

Question: don't your writers check these things out before writing a bunch of hooey, and subsequently looking stupid? Might want to give it some thought. There's already a large volume of misinformation out there; why you choose to carelessly add to that I can't even imagine.

-Mark McGinty

mmcginty- November 23, 2005

Article Rating 1 out of 5

I concur with Mr. McGinty's comments. I lot of misinformation and holes in this document. I would pull the article if I were the editor. It's unfortunate that an otherwise excellent author, Mark Burnett would let something like this slip out, unsubstantiated. Must have been the tryptophan in the turkey. - Eric Stockwell

stockwee- November 29, 2005

Article Rating 1 out of 5

Let’s not forget that Microsoft's best practices advise disabling the account. Many trusted security policy sites also recommend denying privileges to the Guests group and Guest account.

While I think the intent with the article was good, the approach is completely wrong and against accepted security practices.

MorfiusX- November 30, 2005

Article Rating 1 out of 5

I expect people to disagree with my sometimes unorthodox advice, but I am surprised with these particular comments. I am not suggesting everyone implement this, normally I do suggest disabling guest accounts. This advice won't work for every situation, and it's not the best for everyone; I simply present it as a new idea. It certainly will break a lot of things because many programs simply were never tested running as a guest. And yes, it might force you to change a few policies to get it to work correctly in your environment. Nevertheless, this article is not a suggestion I made carelessly or without any research. It is not full of holes and misinformation. It is a technique I have used successfully myself. It goes against Microsoft's security advice and goes against what many others might say, but that certainly does not mean it is wrong! Is that now somehow a gauge of accuracy? Besides, this is not the first time I have gone against someone else's security advice. This article is not a slip and is by no means unsubstantiated. And I still stand behind the advice.

You must realize that using a guest account in itself is not bad. It is enabling it and forgetting it is there and letting hackers use it that is bad. And remember that much of the security advice we have for Windows nowadays was developed for Windows NT, not Windows 2003. Guest accounts in Windows NT had access to many things, this is not true in Windows 2003. In Windows NT the guest account was included in the Everyone group. Not anymore. Enabling a guest account--and I never said to use a weak password--by no means invites a break in.

As for losing profiles, I find this quite useful for some purposes. But you are actually incorrect that all guests lose their profiles upon logout. That only applies to the built-in Guest account. I still have--and use--the profile for the guest account for IE I set up when writing this article. I originally made a better distinction between the two but in the wr

mburnett- December 02, 2005

Article Rating 5 out of 5

I originally made a better distinction between the two but in the writing, rewriting, and editing process that did get a blurred. Unfortunately that does happen. I actually have several guest accounts, I use for different purposes, including the built-in guest account.

I do appreciate feedback, even negative feedback, and I encourage you to poke holes in my ideas. Nevertheless, you shouldn't be so hasty to call it a dumb article or assume that these techniques are invalid. I have tested them and they work quite well for me. In doing so, I am not vulnerable to most IE bugs because code running as a guest simply cannot do much. Even better, I feel much safer when I am forced to use a web browser on a sensitive server or when I must go to a web site I don’t quite trust. Do you feel safe?

Mark Burnett

mburnett- December 02, 2005

Article Rating 5 out of 5

Perhaps the mistake we've all made is to refer to the 'guest account' as if it's a uniformly implemented construct -- apparently it's anything but... To treat it as such is disingenuous at best.

Much of what I do involves businesses and [NT] domains, so I tend to view things in that light. I just tested the Guest account across a range of scenarios on a set of virtuals. As it turns out, guest account profiles are removed upon logoff *only* if the machine is a member of a domain (but regardless of whether logged in to the domain or the local system.)

XP Home in all cases does indeed retain its guest user profile across sessions (can't join XP Home to a domain) and XP Pro behaves likewies if not joined to a domain.

One thing kind of ugly is that it will even delete a previously created profile, right after the first login session. It does not suffix the profile of a guest account with the domain name, so if you had been using a guest account, and then joined a domain, you would loose that profile at the end of the first session.

Amusingly, while testing XP Home I turned off the "welcome screen login" feature, and in so doing, I locked myself out of that virtual. it implicitly activated a minimum password length policy; the admin acct had a short password. :-) If it had a real machine, it would've been highly irritating -- I really don't see the value of enforcing password rules when tendering credentials, especially with no provision to check/handle existing accounts that don't comply when a rule is activated... but I digress.

Also amusing [to me anyway] is a statement made by the MSDN aritcle (link below) to the effect that the guest account password cannot be changed. It's true that XP Home offers no UI to change it, but it is surely possible, using NET.EXE. (In XP Pro, it's flagged pwd never expires and user cannot change, but the settings can be changed just like any other account.)

[more]

mmcginty- December 03, 2005

Article Rating 3 out of 5

The link mentioned above is: http://support.microsoft.com/default.aspx?scid=kb;en-us;300489

So in any case, as you can see I upgraded my usefulness rating for this article, partly because my statement [about guest profiles] was equally incorrect (neither yours nor mine were completely qualified), and partly because I did create a shortcut to open IE via runas.exe, much as you suggested. I have a DC/Server running here, so the throw-away profile thing limited its usefulness, but I dumped my usual settings to a .reg file, made them available via http. Loading that into the guest context via the browser improves its usability quite a bit.

As for your question, do I feel safe? Well... I run two desktops, one priveleged and one not, thanks to a very cool program called NetExec (http://netexec.de/), Symantec Corp AV and MS Anti-spyware are protecting all machines. I also run a home-grown solution that blocks a configurable set of domains, via BIND, that lets us avoid a bunch of the disreputable and semi-reputable operators... I've got splashes of IPSEC here and there; access to our intranet is authenticated using certs. And a Cisco PIX firewall at the head-end of it all...

With all the crud on the Internet these days, does anyone [that knows anything about it] feel truly safe? I like to think I'm quite a bit more safe than most home offices. I'm also fairly cautious, and very aware of my systems' behaviors... I think I go to sufficient lengths to protect my tiny slice of the Net -- I feel safe enough... but the security job is never done.

Haven't had a virus since I brought NIMDA back from a co-location facility, so I think my track record speaks pretty well for my efforts.

Apologies, Mark, if I offended you... hopefully we all learned something from this exchange. :-)

-MM

mmcginty- December 04, 2005

Article Rating 3 out of 5

It says "See More Comments 1" but no way to get to it??

mmcginty- December 13, 2005

Article Rating 3 out of 5