\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected] and you might see the answer in this column!\]
During a recent Windows NT security group meeting, we discussed the degree of risk that the NT built-in Guest account poses. We agreed to keep the Guest account disabled on all NT workstation and server platforms, but can we delete the account?
In NT, the Guest account lets people log on to an NT computer when they don't have a personal account defined on the computer, in the computer's domain, or in any of the domains that the computer's domain trusts. Like the Administrator account, the Guest account is a built-in account with a fixed SID; although you can rename the account, it can't—by default—be deleted. Unlike the Administrator account, the Guest account doesn't require a password for logon, which is why it's disabled by default. A Guest account reenabled by mistake would pose a significant security hole.
Arne Vidstrom developed a freeware tool called DelGuest, which can delete the Guest account from an NT 4.0 system. You can download DelGuest from his Web site at http://www.ntsecurity.nu. If you use this tool, remember that Microsoft doesn't support it, and the tool might corrupt your SAM.
You must run DelGuest from the command prompt, and the tool requires a server reboot to delete the Guest account. DelGuest uses the SID of the built-in Guest account to identify the account to delete. Vidstrom recommends minimizing access to the SAM database while you run DelGuest. The best time to run DelGuest is right after the installation of the NT OS, before you install anything else on the system.
If you find implementing DelGuest too risky, make sure that you use the built-in NT auditing features to log Guest account property changes and logons. You might also consider using an event-log reporting and alerting tool to notify you when and where the Guest account is used to log on to your systems. Examples of such tools include TNT Software's Event Log Monitor and Aelita Software's EventAdmin. Also, most host-based Intrusion Detection Systems (IDSs) such as Internet Security Systems' (ISS's) RealSecure can provide the same functionality.
