guest account and its mitigation

[Doug Fox]

What can I do to migitate the risk having a guest account enabled on a
member server? Any pointers are appreciated.

Thanks,

 

[Steven L Umbach]

Do you mean intentionally enabled for the use of it or in case it does become enabled
when it is not supposed to? --- Steve

 

[Doug Fox]

Some OS/2-based and DOS-based applications require the guest account on a
member server, not on the domain.

 

[Steven L Umbach]

Hi Doug.

I am not sure how those accounts require access, but a couple of things you could do.
You could add the guest account to deny local logon and/or deny access this computer
from the network in Local Security Policy depending on which one does not interfere
with the applications. The other thing is to remove everyone/user from folders where
you do not want guest account to access and replace it with authenticated users which
does not include the guest account or giving the guest account specific deny
permissions. I do not recommend changing any permissions on the \winnt folder or
subfolders themselves, but it is OK to lock down specific executables like the IIS
Lockdown tool does. Be sure to back up before making changes just in case. --- Steve