Re: A "secure" Guest account for ISA server

From: Robert Moir (bofh_at_mvps.org)
Date: 12/14/03


Date: Sun, 14 Dec 2003 22:16:18 -0000

BOT House wrote:
> Humor me on this, please. I know it's a stupid question.
>
> Given:
>
> a)the Guest account has been renamed
>
> b)the Guest account's password is blank
>
> c)the only right the Guest account needs is "access this computer
> from the network", but it doesn't need file or print access
>
> d)this is a Windows 2000 member server in an NT4 domain (AD to be
> implemented next year)
>
> How would you go about "securing" the server?
>
> I'm thinking explicit denies on various registry keys and system
> files.

The guest account has surprisingly little access anyway. If all you are
using it for is for "authenticating" anonymous proxy users, you could
add it as an explicit deny to anything you were concerned about in the file
system or registry, without problems I should think.

> The problem is this: management wants to deploy an interior anonymous
> proxy server, but they want to know who uses it to go where. Probably
> 75% of the users will be from trusted domains. It is up to the
> untrusted domains as to how they will prevent "their" users from
> using "our" proxy (yes, it's a political nightmare).

I've got to ask, and I realise you probably already know this and I'm
totally not having a go at you, isn't deploying an anonymous proxy server
but wanting to know *who* uses it to go *where* a contradiction in terms?
Surely it's either anonymous, or you want to know who uses it to go where?

I'm guessing you've been given a list of stuff to do by a manager who
doesn't understand the issues here, but it seems to me that with that set of
goals, someone somewhere is going to be disappointed with the outcomes?

-- 
Rob Moir
Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

