Cleverly manage Guest accounts to ensure secure system operation


Should the Guest account be used or not? Many Windows systems disable the Guest account by default, and many users will not hesitate to "kill" the Guest account and prevent it from running. In the view of these users, once the Guest account is enabled, attacks on Windows will inevitably follow. In fact, as long as we manage the Guest account smartly, we can enjoy the convenience it brings while still keeping the system secure. This article is based on Windows Server 2008. I hope the following content helps.

Potential threats to Guest accounts

To keep the system running securely and stably, Windows Server 2008 provides users who are not system administrators with an account for working on the system. Such ordinary users can access only a small amount of system resources and cannot modify system settings at will. On the surface, enabling the Guest account does not pose much of a threat. However, attackers on the Internet often use the Guest account to obtain system administrator privileges indirectly. Enabling the Guest account is therefore equivalent to opening an additional backdoor into the system, which facilitates attacks by intruders or Trojans.

To avoid such attacks as far as possible, Windows Server 2008 disables the Guest account by default. If you find that the Guest account is enabled, you can temporarily disable it as follows:

Log on to Windows Server 2008 as a system administrator, open the "Start" menu, and click "Programs" / "Administrative Tools" in sequence. In the list of administrative tools, double-click the "Computer Management" icon to open the Computer Management window. In the left pane of that window, expand "System Tools", "Local Users and Groups", and "Users". In the right pane for the "Users" branch, check whether the Guest account is enabled. If it is, double-click the account icon to open the properties window shown in Figure 1.

Figure 1

In the properties window, select the "Account is disabled" option and click "OK". The Guest account in Windows Server 2008 is now disabled.

Of course, if we do not want other users to enable the Guest account at will, we can also use an extreme method and delete the Guest account name from the system. To do so, follow these steps:

Click "Start" / "Run" in Windows Server 2008. In the Run dialog box, enter regedit and press Enter to open the Registry Editor. In the left pane of the Registry Editor, expand the HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names branch and select the Guest subkey under it. Then click "Edit" / "Delete" in the menu bar to delete the Guest subkey from the registry, and press F5 to refresh the registry so that the change takes effect.

Guest account "tune-up"

Although enabling the Guest account poses a significant security threat to Windows Server 2008, we only need to "tune up" the Guest account properly to keep enjoying the convenience it provides without compromising the security of the system.

1. Rename the Guest account

In a trusted LAN work environment, users often need to share files and communicate with each other. If you simply disable the Guest account, other users on the LAN often cannot access the shared resources on Windows Server 2008. To keep shared access convenient, we can rename the Guest account in Windows Server 2008 so that ordinary LAN users can still reach shared resources quickly. The specific settings are as follows:

First, open the "Start" menu of Windows Server 2008, click "Run", and enter gpedit.msc in the Run dialog box. Click "OK" to open the Group Policy console. In the left pane of the console, go to the "Computer Configuration" branch and click "Windows Settings", "Local Policies", and "Security Options" in sequence. Under "Security Options", find the "Accounts: Rename guest account" policy, right-click it, and choose "Properties" from the shortcut menu to open the policy settings window, as shown in Figure 2.

Figure 2

In the settings window, change the default name of the Guest account to the name you want. For example, assume that you change it to "normal". Click "OK" to save the setting. The Guest account is now named "normal".

2. Authorize the Guest account

We know that once the Guest account is enabled, an attacker may use it to remotely enumerate SAM accounts and shares, and in this way may gain effective control over the Windows Server 2008 system. However, if we simply disable the account, we lose the convenience and speed of shared access. In fact, we can grant the Guest account appropriate shared access permissions so that users of this account can only read the content of the target shared resource and cannot make changes or perform other dangerous operations at will. In this way, Windows Server 2008 remains safe even when the Guest account is enabled. The specific configuration steps are as follows:

First, open Windows Explorer on Windows Server 2008, find the target shared folder, right-click its icon, and choose "Properties" from the shortcut menu to open the properties dialog box for the folder. Click the "Security" tab, then click the permissions button on that tab page. In the permission settings window that appears, we can see all users that have access to the target folder. Delete all user accounts other than the Administrator and Guest accounts.

Next, select the Guest account and grant it the appropriate shared access permissions, such as the "Read" permission or the "List folder contents" permission, then click "OK" to save the settings.

3. Force the Guest account to use a password

When the Guest account is enabled, Windows Server 2008 by default allows it to access shared resources directly without a password. Obviously, this leaves Windows Server 2008 prone to unauthorized access and other security threats. To make Windows Server 2008 run more securely, we can set a "strong" password for the Guest account and, in addition, make the system require the Guest account to enter that password before a shared access operation completes. The specific setup steps are as follows:

Log on to Windows Server 2008 as a system administrator, open the "Start" menu, and click "Programs" / "Administrative Tools" in sequence. In the list of administrative tools, double-click the "Computer Management" icon to open the Computer Management window.

In the left pane of the Computer Management window, expand "System Tools", "Local Users and Groups", and "Users". In the right pane for the "Users" branch, right-click the Guest account and choose "Properties" from the shortcut menu to open the Guest account properties window. In that window, select the "User must change password at next logon" option and restart Windows Server 2008. We can then set a strong password for this account.

Click "Start" / "Run" in Windows Server 2008. In the Run dialog box, enter gpedit.msc and press Enter to open the Group Policy console.

In the left pane of the Group Policy console, go to the "Computer Configuration" branch and click "Windows Settings", "Local Policies", and "Security Options" in sequence. Under "Security Options", find the "Network access: Sharing and security model for local accounts" policy, right-click it, and choose "Properties" from the shortcut menu to open the policy settings window, as shown in Figure 3. Select the "Classic - local users authenticate as themselves" option and click "OK" to save the setting. From then on, when we access shared resources on Windows Server 2008 with the Guest account, the system asks for the shared access password, and users who do not know the Guest account password cannot access the shared resources at will. In this way, the security of Windows Server 2008 can be effectively guaranteed to a certain extent.
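
The settings from the three steps above can be checked from an elevated PowerShell prompt instead of clicking through each console. The following script is an added example, not part of the original article; it only reads state, and it assumes PowerShell 2.0 or later. The $SharePath parameter and the folder C:\Shares\Public are hypothetical and should be replaced with your own shared folder.

```powershell
# Added example: read-only audit of the built-in Guest account.
# $SharePath is a hypothetical shared folder; pass your own path.
param([string]$SharePath = 'C:\Shares\Public')

# Find Guest by its well-known RID (501) so a renamed account is still found.
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -match '-501$' }
if (-not $guest) { Write-Warning 'No local account with RID 501 found.'; return }

# The ForceGuest value backs the policy "Network access: Sharing and security
# model for local accounts": 0 = Classic, 1 = Guest only.
$fg = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').forceguest
if     ($fg -eq 0) { $model = 'Classic' }
elseif ($fg -eq 1) { $model = 'Guest only' }
else               { $model = 'Not set' }

# Rights that let a principal change or delete content, plus the raw
# GENERIC_WRITE / GENERIC_ALL bits (0x50000000) that some ACEs carry.
$mask = [int][Security.AccessControl.FileSystemRights]`
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = $mask -bor 0x50000000
$guestSids = @($guest.SID, 'S-1-5-32-546')   # Guest account and BUILTIN\Guests

# Collect Allow rules on the folder that give Guest more than read access.
$writable = @()
if (Test-Path $SharePath) {
    $rules = (Get-Acl $SharePath).GetAccessRules($true, $true,
                 [Security.Principal.SecurityIdentifier])
    $writable = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $guestSids -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $mask) -ne 0)
    })
}

# One summary object: each property maps to a step in the article.
New-Object PSObject -Property @{
    AccountName      = $guest.Name
    Renamed          = ($guest.Name -ne 'Guest')
    Enabled          = (-not $guest.Disabled)
    PasswordRequired = $guest.PasswordRequired
    SharingModel     = $model
    GuestWriteRules  = $writable.Count
}
```

A non-zero GuestWriteRules or a SharingModel other than "Classic" means the folder permissions or the policy do not match the configuration described in steps 2 and 3.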
