February 24th, 2004, 05:08 PM
Guest Account Question
In the last 2 days, I have been connecting through the Computer Management console to every single NT/2000/XP computer in my domain. I renamed the local administrator account and changed its password. I also renamed the guest account and I added a very strong password. It was also suggested that I create an account with guest as username with a very strong password and disable it after.
So basically, I had an NT guest account disabled and now I have a guest account renamed with a very strong password and a new account with the username "Guest" with a very strong password.
Why does having a new account with the username "Guest" with a very strong password help when you have already renamed it? Auditing who tries to log in with that account?
February 24th, 2004, 05:43 PM
Changing the name of the account just makes it so that somebody cannot have the account name to bruteforce. You do know that you can change both the administrative and guest account names through GPO? This way you don't have to log into each machine. I would also suggest just disabling the guest account and not worrying about a strong password.
I would never recommend that you have an account called guest or administrator on the machine if you are concerned about security.
February 24th, 2004, 05:52 PM
The idea, as I understand it, is that you will see attempts to connect to this "default" guest account without incurring the security risk normally associated with leaving the Microsoft default in place. The "guest" account that you renamed can still be used for that purpose?
February 24th, 2004, 06:08 PM
You will see failed login attempts for an account that doesn't exist anyways.
I would expect to see an event ID 529 or 681 with the following error code:
3221225572 C0000064 User logon with misspelled or bad user account
So if there is no guest account on the system, and somebody is trying to log in as guest, that will generate an error that you can correlate to somebody trying to bruteforce, if you see enough of the events.
Description of security log event IDs----
681 error codes-
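Added example, not part of the thread: a small filter that applies the correlation described in the post above, counting failed logons (event ID 529 or 681) whose status is C0000064, whether the code is written in decimal or hex. The pipe-delimited record layout, the sample lines, the function names and the threshold of 3 are assumptions made for illustration.

```python
from collections import defaultdict

NO_SUCH_USER = 0xC0000064       # 3221225572 in decimal, the code quoted in the post
FAILED_LOGON_IDS = {529, 681}   # event IDs named in the post

# Constructed sample records (not real log data) in an assumed
# "time|event_id|account|source|code" layout.
SAMPLE = """\
2004-02-24 17:01:10|681|guest|WKS-07|3221225572
2004-02-24 17:01:12|681|Guest|WKS-07|3221225572
2004-02-24 17:01:15|529|GUEST|WKS-07|C0000064
2004-02-24 17:02:40|681|jsmith|WKS-03|3221225578
2004-02-24 17:03:02|529|administrator|WKS-11|0xC0000064
2004-02-24 17:03:09|528|jsmith|WKS-03|
2004-02-24 17:04:00|681|guest|WKS-09|not-a-number
"""

def parse_code(text):
    """Return the status as an int; accepts decimal, C0000064 or 0xC0000064."""
    text = text.strip().lower()
    if not text:
        return None
    try:
        # Assumption: a value with a 0x prefix or a hex letter is hexadecimal.
        if text.startswith("0x") or any(c in "abcdef" for c in text):
            return int(text, 16)
        return int(text)
    except ValueError:
        return None  # malformed field: ignore the record rather than guess

def nonexistent_account_attempts(log_text, threshold=3):
    """Map account name -> (count, sources) for names tried at least `threshold` times."""
    hits = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) != 5 or not fields[1].isdigit():
            continue
        _, event_id, account, source, code = fields
        if int(event_id) in FAILED_LOGON_IDS and parse_code(code) == NO_SUCH_USER:
            entry = hits[account.lower()]   # account names compared case-insensitively
            entry["count"] += 1
            entry["sources"].add(source)
    return {name: (e["count"], sorted(e["sources"]))
            for name, e in hits.items() if e["count"] >= threshold}

if __name__ == "__main__":
    for name, (count, sources) in nonexistent_account_attempts(SAMPLE).items():
        print(f"{name}: {count} attempts from {', '.join(sources)}")
```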
February 26th, 2004, 09:19 PM
My domain is still on NT 4.0 for now. That's why I had to use the Computer Management console to connect to each computer. But good info, thanks.