
How do I create a secure Guest Account in Windows 7?

In certain situations, you may want to allow guest users access to a PC. Take the proper steps to ensure that the guest access you grant is secure.

In certain environments and situations, you may want to grant guest-user access to a workstation running Microsoft Windows 7. Best practices dictate that such access be as secure as possible. Here are several steps you can, and should, take before giving access to a guest user in Windows 7.

This blog post is also available as a TechRepublic download and a TechRepublic Photo Gallery.

Note: This tip applies to Windows 7 Professional and Ultimate only. It does not apply to Windows 7 Home Premium.

Secure Guest Account

The first step is to enable the guest account, which is disabled by default. Type computer into the Start Menu search box, as shown in Figure A, and then click the Computer Management item in the results.

Figure A

Find the guest account setting.

Navigate the left tree hierarchy to the Users folder under Local Users and Groups (Figure B). Double-click the Guest entry.

Figure B

Enable guest accounts.

On the next configuration screen (Figure C), uncheck the Account Is Disabled box to enable guest accounts.

Figure C

Uncheck to enable.

Set password

By default, the guest account password is blank, but that is an unnecessary security risk, so you should establish a password. Right-click the Guest entry in the Computer Management console and click the Set Password entry (Figure D). The ensuing warnings are not a concern if you just enabled the guest account.

Figure D

Set the guest account password.

No network access

Another potential security problem occurs if the guest account is accessible by other users across the network. To prevent this, type local security into the Start Menu search box and then click the Local Security Policy entry, as shown in Figure E.

Figure E

Modify the Local Security Policy.

Navigate to the Local Policies | User Rights Assignments entry. Scroll down the list of policies until you find Deny Access to This Computer from the Network. Guest should be one of the denied accounts listed. If it isn't, add it (Figure F).

Figure F

Deny access.

Prevent shutdown

Another potential security vulnerability occurs during the PC shutdown process. You should deny the guest account the ability to shut down a PC. Go back to the Local Security Policy console as you did before, navigate to Local Policies | User Rights Assignments, and look for the entry Shut Down the System (Figure G). Double-click the entry to make sure the Guest account is not in the list (Figure H).

Figure G

Verify the Shut Down the System entry.

Figure H

Guest is not on the list.

Event logs

One last security concern is the Event logs. You don't want a guest account to have access to that information. The most efficient way to manage these settings is with a Registry edit.

Warning: Editing the Windows Registry should be done with caution; we recommend that you have a verified backup of the file ready in case of a catastrophic failure.

Type regedit into the Start Menu Search box and then click the regedit.exe entry. Navigate down the keys until you reach this entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Eventlog

Under this key are three important sub-keys: Application, Security, and System (Figure I). Each of these sub-keys should contain an entry named RestrictGuestAccess, and each of those entries should be a DWORD set to 1, which enables the restriction.

Figure I

DWORD should be 1.
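
The settings walked through above can be read back in one pass from an elevated PowerShell prompt. The script below is an added example, not part of the original article; it assumes the built-in account still has its default name Guest, uses the policy constants SeDenyNetworkLogonRight and SeShutdownPrivilege for the two user rights, and reads the registry value under its name RestrictGuestAccess. The guest password itself cannot be read back, so that step is not covered.

```powershell
# Added audit sketch, not from the original article. Run from an elevated prompt;
# sticks to features available in the PowerShell 2.0 that ships with Windows 7.
# Assumes the built-in account still has its default name, "Guest".
$report = @()

# 1. Is the Guest account enabled? (ADSI WinNT provider, no modules required)
$guest    = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
$disabled = [bool]($guest.UserFlags.Value -band 0x2)   # 0x2 = ADS_UF_ACCOUNTDISABLE
$report  += "Guest account enabled: $(-not $disabled)"

# 2. Export the user rights policies and parse them into a name -> principals table.
$cfg = Join-Path $env:TEMP 'guest-audit-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split '\s*,\s*')
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# secedit lists principals by name or as *SID, so accept either form.
$acct = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, 'Guest')
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
function Test-GuestListed($entries) {
    [bool](@($entries) | Where-Object { $_ -eq 'Guest' -or $_ -eq "*$sid" })
}
# Only direct entries are checked; rights granted through a group are not resolved.
$report += "Denied network logon (want True): $(Test-GuestListed $rights['SeDenyNetworkLogonRight'])"
$report += "Listed under Shut Down the System (want False): $(Test-GuestListed $rights['SeShutdownPrivilege'])"

# 3. Event log restriction under each of the three sub-keys named in the article.
foreach ($log in 'Application', 'Security', 'System') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\services\Eventlog\$log"
    $val = (Get-ItemProperty -Path $key -Name RestrictGuestAccess `
                -ErrorAction SilentlyContinue).RestrictGuestAccess
    if ($val -eq $null) { $val = '<not set>' }
    $report += "Eventlog\$log RestrictGuestAccess = $val (want 1)"
}

$report
```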

Bottom line

Guest accounts are sometimes necessary, but they should never be implemented without some configuration for additional security. Have you checked the security settings for all your guest accounts lately?

Thanks to TechNet for the topic idea.


About

Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.

9 comments
v_stackmomo6

None of these tell me how to get past the sign in page. I have a computer running Windows Home Premium that was used by a previous employee that has an unknown password. No matter what search words I use to get seem to get that across to anyone. Please advise.

chrisderoover

Hello, I checked and the guest account is not in the local policy 'Shut down the system'. However, the guest account is able to shut down the PC without any problem. Anyone an idea? tia chris

voxpopus

On my new Win 7 "Local Users and Groups" does not appear in the Computer Management box. Is a puzzlement... any suggestions? voxpopus@yahoo.com

auroraflame

Thanks!! Just what I was looking for..

Mark W. Kaelin

Have you checked the security settings for all of your guest accounts lately? How many guest accounts do you have in your organization?

TobiF

like "users", which, in turn, has been granted access to shut down?

jollyollyman_87

I believe the home versions of Win7 don't have the "Local Users and Groups".

PurpleSkys

in with administrative privileges or as admin?

chrisderoover

No, the guest account is only part of the Guests group, which has not been granted access to shut down.