• This article is only available to VIP subscribers. Sign up now and get instant access!
  • [November 21, 2005]
  • Use Guest Accounts to Fight Malware
  • Limit permissions on apps most vulnerable to attack
  • By:  Mark Burnett
  • Feature
  • InstantDoc #48300
  • Web Exclusive from Windows IT Pro

Running as Guest
You can launch your applications to run under the Guest account in several ways. The quickest way is to simply run the Runas command or invoke runas.exe in a batch file. To run the Runas command, right-click the application's icon and select Run as from the menu. (In Windows 2000, you need to hold down the Shift key and right-click.) In the dialog box that's displayed, click The following user radio button and enter the username (Guest) and password you want to use, as Figure 1 shows.

You can also execute Runas at a command line and specify the /save cred parameter to let you save the password so that you don't have to enter it every time. As a rule, using this feature isn't prudent, but because in this case you're using Runas to impersonate the Guest account from an Administrator account, saving the password poses little risk. If someone already has access to your privileged account, they'd have little to gain from running programs as a local Guest.

If you want more features than the built-in Runas command provides, many third-party tools provide them. For example, Wingnut Software (http://www.wingnutsoftware.com) provides a tool called Encrypted RunAs that lets you save account credentials in an encrypted format. Another tool, a freeware utility called SUperior SU (http://www. stefankuhr.de/supsu/main.php3), lets you not only launch a process as another user, but it also switches to a unique desktop for that user, providing even further protection.

The best way to remind users to use the Guest account for security-sensitive activities, such as browsing the Internet, is to replace all the regular desktop and Start menu icons with new icons that launch the applications under the Guest account. That way, users don't have the opportunity to forget to log on as a Guest. On a shortcut's properties, if you click Advanced, you can select the Run with different credentials check box, so that when the user double-clicks a shortcut to start an application, it always prompts for different credentials, as Figure 2 shows. This method requires the user to enter a password each time he or she runs the application, so you might find one of the previously mentioned utilities more convenient to use. These other utilities let you save the user credentials and provide more options for launching the application.

A Partial Solution
Bear in mind that using a Guest account should be only one part of your security strategy. It doesn't completely eliminate security threats; it only minimizes the effects of those threats. Using a Guest account is one implementation of a least-privilege strategy that, as part of a larger security policy, can greatly reduce a user's exposure to attack. For greater security, you should connect user workstations only to trusted networks and use mechanisms such as personal firewalls and antivirus software, antispam software, and antispyware tools to limit network traffic, filter incoming email messages, and block the downloading and installation of malware. Most important, you should actively work to educate users about the risks and techniques for protecting themselves. For more information about the importance of educating users about security, see the Windows IT Pro article "Security Is My Business—and Yours," October 2005, InstantDoc ID 47880.

End of Article

Prev. page     1 [2]     next page -->



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

This is a really dumb article. For one thing, enabling the Guest account with a weak password invites a breakin, and its needless. A better plan would be to create a new user, add it to the Guests group, and remove it from the Users group. An identical security context is thus created without exposing a well-known built-in account.

More importantly, much of the premise of this article is based on fiction. When a guest account logs out, everything in it's profile goes away, including all of HKEY_CURRENT_USER, and everything in the profile directory. You can login as a guest as many times as you want, and change every setting under the sun, but as soon as you log out, it's all gone.

Since the whole profile is vaporized on logout, suggesting that a guest account would be suitable for email or IM is just plain stupid. Guest accounts retain no settings, they are allowed zero storage that persists beyond the session. It has been that way since at least Windows 2000.

And another thing, on my system the user Deny Logon Locally is set for Guest (but not Guests,) so to make your suggestion even minimally work, I'd have to edit local policy.

I wish the "rate this article" less useful scale went into negative numbers, this little farce doesn't deserve a 1, but that was the lowest available choice.

Question: don't your writers check these things out before writing a bunch of hooey, and subsequently looking stupid? Might want to give it some thought. There's already a large volume of misinformation out there; why you choose to carelessly add to that I can't even imagine.

-Mark McGinty

mmcginty- November 23, 2005

Article Rating 1 out of 5

I concur with Mr. McGinty's comments. I lot of misinformation and holes in this document. I would pull the article if I were the editor. It's unfortunate that an otherwise excellent author, Mark Burnett would let something like this slip out, unsubstantiated. Must have been the tryptophan in the turkey. - Eric Stockwell

stockwee- November 29, 2005

Article Rating 1 out of 5

Let’s not forget that Microsoft's best practices advise disabling the account. Many trusted security policy sites also recommend denying privileges to the Guests group and Guest account.

While I think the intent with the article was good, the approach is completely wrong and against accepted security practices.

MorfiusX- November 30, 2005

Article Rating 1 out of 5

I expect people to disagree with my sometimes unorthodox advice, but I am surprised with these particular comments. I am not suggesting everyone implement this, normally I do suggest disabling guest accounts. This advice won't work for every situation, and it's not the best for everyone; I simply present it as a new idea. It certainly will break a lot of things because many programs simply were never tested running as a guest. And yes, it might force you to change a few policies to get it to work correctly in your environment. Nevertheless, this article is not a suggestion I made carelessly or without any research. It is not full of holes and misinformation. It is a technique I have used successfully myself. It goes against Microsoft's security advice and goes against what many others might say, but that certainly does not mean it is wrong! Is that now somehow a gauge of accuracy? Besides, this is not the first time I have gone against someone else's security advice. This article is not a slip and is by no means unsubstantiated. And I still stand behind the advice.

You must realize that using a guest account in itself is not bad. It is enabling it and forgetting it is there and letting hackers use it that is bad. And remember that much of the security advice we have for Windows nowadays was developed for Windows NT, not Windows 2003. Guest accounts in Windows NT had access to many things, this is not true in Windows 2003. In Windows NT the guest account was included in the Everyone group. Not anymore. Enabling a guest account--and I never said to use a weak password--by no means invites a break in.

As for losing profiles, I find this quite useful for some purposes. But you are actually incorrect that all guests lose their profiles upon logout. That only applies to the built-in Guest account. I still have--and use--the profile for the guest account for IE I set up when writing this article. I originally made a better distinction between the two but in the wr

mburnett- December 02, 2005

Article Rating 5 out of 5

I originally made a better distinction between the two but in the writing, rewriting, and editing process that did get a blurred. Unfortunately that does happen. I actually have several guest accounts, I use for different purposes, including the built-in guest account.

I do appreciate feedback, even negative feedback, and I encourage you to poke holes in my ideas. Nevertheless, you shouldn't be so hasty to call it a dumb article or assume that these techniques are invalid. I have tested them and they work quite well for me. In doing so, I am not vulnerable to most IE bugs because code running as a guest simply cannot do much. Even better, I feel much safer when I am forced to use a web browser on a sensitive server or when I must go to a web site I don’t quite trust. Do you feel safe?

Mark Burnett

mburnett- December 02, 2005

Article Rating 5 out of 5

Perhaps the mistake we've all made is to refer to the 'guest account' as if it's a uniformly implemented construct -- apparently it's anything but... To treat it as such is disingenuous at best.

Much of what I do involves businesses and [NT] domains, so I tend to view things in that light. I just tested the Guest account across a range of scenarios on a set of virtuals. As it turns out, guest account profiles are removed upon logoff *only* if the machine is a member of a domain (but regardless of whether logged in to the domain or the local system.)

XP Home in all cases does indeed retain its guest user profile across sessions (can't join XP Home to a domain) and XP Pro behaves likewies if not joined to a domain.

One thing kind of ugly is that it will even delete a previously created profile, right after the first login session. It does not suffix the profile of a guest account with the domain name, so if you had been using a guest account, and then joined a domain, you would loose that profile at the end of the first session.

Amusingly, while testing XP Home I turned off the "welcome screen login" feature, and in so doing, I locked myself out of that virtual. it implicitly activated a minimum password length policy; the admin acct had a short password. :-) If it had a real machine, it would've been highly irritating -- I really don't see the value of enforcing password rules when tendering credentials, especially with no provision to check/handle existing accounts that don't comply when a rule is activated... but I digress.

Also amusing [to me anyway] is a statement made by the MSDN aritcle (link below) to the effect that the guest account password cannot be changed. It's true that XP Home offers no UI to change it, but it is surely possible, using NET.EXE. (In XP Pro, it's flagged pwd never expires and user cannot change, but the settings can be changed just like any other account.)

[more]

mmcginty- December 03, 2005

Article Rating 3 out of 5

The link mentioned above is: http://support.microsoft.com/default.aspx?scid=kb;en-us;300489

So in any case, as you can see I upgraded my usefulness rating for this article, partly because my statement [about guest profiles] was equally incorrect (neither yours nor mine were completely qualified), and partly because I did create a shortcut to open IE via runas.exe, much as you suggested. I have a DC/Server running here, so the throw-away profile thing limited its usefulness, but I dumped my usual settings to a .reg file, made them available via http. Loading that into the guest context via the browser improves its usability quite a bit.

As for your question, do I feel safe? Well... I run two desktops, one priveleged and one not, thanks to a very cool program called NetExec (http://netexec.de/), Symantec Corp AV and MS Anti-spyware are protecting all machines. I also run a home-grown solution that blocks a configurable set of domains, via BIND, that lets us avoid a bunch of the disreputable and semi-reputable operators... I've got splashes of IPSEC here and there; access to our intranet is authenticated using certs. And a Cisco PIX firewall at the head-end of it all...

With all the crud on the Internet these days, does anyone [that knows anything about it] feel truly safe? I like to think I'm quite a bit more safe than most home offices. I'm also fairly cautious, and very aware of my systems' behaviors... I think I go to sufficient lengths to protect my tiny slice of the Net -- I feel safe enough... but the security job is never done.

Haven't had a virus since I brought NIMDA back from a co-location facility, so I think my track record speaks pretty well for my efforts.

Apologies, Mark, if I offended you... hopefully we all learned something from this exchange. :-)

-MM

mmcginty- December 04, 2005

Article Rating 3 out of 5

It says "See More Comments 1" but no way to get to it??

mmcginty- December 13, 2005

Article Rating 3 out of 5

 
 

ADS BY GOOGLE