In certain environments and situations, you may want to grant guest-user access to a workstation running Microsoft Windows 7. Best practices dictate that such access be as secure as possible. Here are several steps you can, and should, take before giving access to a guest user in Windows 7.
Secure Guest AccountThe first step is to enable guest accounts, which is disabled by default. Type computer into the Start Menu search box, as shown in Figure A, and then click on the Computer Management item in the results.
Find the guest account setting.Navigate the left tree hierarchy to the Users Folder under Local Users and Groups (Figure B). Double-click the Guest entry.
Enable guest accounts.On the next configuration screen (Figure C), uncheck the Account Is Disabled box to enable guest accounts.
Uncheck to enable.
Set passwordBy default, the guest account password is blank, but that is an unnecessary security risk, so you should establish a password. Right-click the Guest entry in the Computer Management console and click the Set Password entry (Figure D). The ensuing warnings are not a concern if you just enabled the guest account.
Set the guest account password.
No network accessAnother potential security problem occurs if the guest account is accessible by other users across the network. To prevent this, type local security into the Start Menu search box and then click the Local Security Policy entry, as shown in Figure E.
Modify the Local Security Policy.Navigate to the Local Policies | User Rights Assignments entry. Scroll down the list of policies until you find Deny Access to This Computer from the Network. Guest should be one of the denied accounts listed. If it isn't, add it (Figure F).
Prevent shutdownAnother potential security vulnerability occurs during the PC shutdown process. You should deny the guest account the ability to shut down a PC. Go back to the Local Security Policy consoled as you did before, navigate to Local Policies | User Rights Assignments, and look for the entry Shut Down the System (Figure G). Double-click the entry to make sure the Guest account is not in the list (Figure H).
Verify the Shut Down the System entry.
Guest is not on the list.
One last security concern is the Event logs. You don't want a guest account to have access to that information. The most efficient way to manage these settings is with a Registry edit.Warning: Editing the Windows Registry should be done with caution; we recommend that you have a verified backup of the file ready in case of a catastrophic failure.
Type regedit into the Start Menu Search box and then click the regedit.exe entry. Navigate down the keys until you reach this entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EventlogUnder this key are three important sub-keys: Application, Security, and System (Figure I). There should be a key under each section: Restrict Guest Access. And each of those keys should have a corresponding DWORD of "1" that enables this restriction.
DWORD should be 1.
Guest accounts are sometimes necessary, but they should never be implemented without some configuration for additional security. Have you checked the security settings for all your guest accounts lately?
Thanks to TechNet for the topic idea.Stay on top of the latest Microsoft Windows tips and tricks with TechRepublic's Windows Desktop newsletter, delivered every Monday and Thursday. Automatically sign up today!
Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.