Thursday, October 21, 2010

Best Practices for Creating a Secure Guest Account

 

In some environments, you might need to set up a Guest account that can be used by visitors. Most of the time, you’ll want to configure the Guest account on a specific computer or computers and carefully control how the account can be used. Here are some best practices to follow when creating a secure Guest account:

Enable the Guest account for use


By default, the Guest account is disabled, so you must enable it to make it available.

Go to Start, right-click Computer, and click Manage.

Expand Local Users and Groups and select Users.

In the right pane you’ll find Guest. Double-click Guest.

Clear the Account Is Disabled check box. Click OK.

Set a secure password for the Guest account

By default, the Guest account has a blank password. To improve security on the computer, you should set a password for the account.

Right-click Guest, and then select Set Password.

Click Proceed at the warning prompt.

Type the new password and then confirm it. Click OK twice.

Ensure that the Guest account cannot be used over the network


The Guest account shouldn’t be accessible from other computers. If it is, users at another computer could log on over the network as a guest.

Go to Start and, in the search box, type secpol.msc.

Expand the Local Policies branch and select User Rights Assignment.

Double-click Deny Access To This Computer From The Network.

Click Add User or Group, type Guest, and click OK twice.

Prevent the Guest account from shutting down the computer


When a computer is shutting down or starting up, it is possible that a guest user (or anyone with local access) could gain unauthorized access to the computer. To help deter this, you should be sure that the Guest account doesn’t have the Shut Down The System user right.

Go to Start and, in the search box, type secpol.msc.

Expand Local Policies, then expand User Rights Assignment.

Make sure the Shut Down The System policy doesn’t list the Guest account.

Prevent the Guest account from viewing event logs

To help maintain the security of the system, the Guest account shouldn’t be allowed to view the event logs.

Go to Start and, in the search box, type regedit. Then go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

Look for these three important registry subkeys:

  • Application
  • Security
  • System

Make sure each of these subkeys has a DWORD value named RestrictGuestAccess with a value of 1. To check, double-click RestrictGuestAccess.
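
The settings from the sections above can be audited in one pass. The following PowerShell script is an added example, not part of the original article or its TechNet source; it assumes Windows PowerShell 3.0 or later and an elevated prompt, and the function name Test-GuestHasRight and the temporary file name are hypothetical. It does not test whether the Guest password is blank.

```powershell
# Added example: read-only audit of the Guest settings described in this article.
# Run elevated; secedit /export and the eventlog\Security key need administrator rights.

# Locate the built-in Guest account by its well-known RID (501) so a rename does not hide it.
$guest = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }

# Export only the User Rights Assignment area of the local security policy.
$cfg = Join-Path $env:TEMP 'guest-audit-rights.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Holders are comma-separated account names or *SID strings.
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# True when the Guest account itself (by name or SID) is listed for a right.
# Groups that contain Guest are not expanded here.
function Test-GuestHasRight([string]$Right) {
    $holders = @($rights[$Right])
    ($holders -contains $guest.Name) -or ($holders -contains $guest.SID)
}

$results = @()
$results += [pscustomobject]@{ Check = 'Guest account enabled'; Pass = (-not $guest.Disabled) }
$results += [pscustomobject]@{ Check = 'Guest denied access from the network'
                               Pass  = (Test-GuestHasRight 'SeDenyNetworkLogonRight') }
$results += [pscustomobject]@{ Check = 'Guest lacks Shut Down The System'
                               Pass  = (-not (Test-GuestHasRight 'SeShutdownPrivilege')) }

# RestrictGuestAccess must be 1 under each of the three event log subkeys.
$base = 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog'
foreach ($log in 'Application', 'Security', 'System') {
    $value = (Get-ItemProperty -Path "$base\$log" -ErrorAction SilentlyContinue).RestrictGuestAccess
    $results += [pscustomobject]@{ Check = "RestrictGuestAccess on $log log"; Pass = ($value -eq 1) }
}

$results | Format-Table -AutoSize
```

A row with Pass set to False points to the section of this article whose steps still need to be applied on that computer.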

Source: http://technet.microsoft.com/en-us/magazine/ff687018.aspx
