Windows – Why is allowing the guest account network access considered insecure


I was recently interested in allowing the guest account network access as related to a research project I was doing.

This was on a Windows Server OS.

The outcry was amazing... people freaking out and saying how insecure it is and how there just had to be a better way regardless of my needs or wants.

Apparently it's such a bad idea that under no circumstances should the question even be asked.

This seems like FUD.

Looking around on the net the solution given when other people have asked around was to make a limited user account instead. Now, this seems like a worse solution.

If for whatever reason (and there are many, trying to answer for a specific reason does not help anyone, nor the community) someone is determined to have a guest account for anonymous access on a Server OS, is it not better that they use the built in guest account?

A limited account created for the exact same purpose will be used the exact same way, except that the built in guest account is already locked down to a far greater degree. Indeed, using the built in guest account with network access would seem to be more secure than creating a limited account for the same purpose.

So, why is trying to enable network access for the built in guest account considered so insecure, and why does it evoke such panic and FUD?

edit: To be clear I am referring to having the guest account initiate network connection from the machine while logged in, not using the guest account to access anything remotely

Best Answer

The purpose of the Guest account is to control anonymous access to some OS facilities. If I wanted to allow anonymous access to, say, an SMB share, I'd enable the Guest account.

Enabling the account changes the behavior of the OS. Guest is a user account, but its enabled/disabled status acts as a flag that says "Hey-- when this account is enabled allow anybody with any credentials to authenticate as this context."

The "FUD" comes from Microsoft's historically bad handling of security and allowing anonymous users unnecessarily broad access, by default, in older versions of the OS. Even though Windows Server 2003 and newer versions of Windows do a much better job with this the community is still a little gun-shy.

To my mind there's nothing wrong with using the OS built-in Guest account for its intended purpose.

Personally I'd tend to be against using anonymous SMB file sharing. I'd export the files you want to share with HTTP or, if they needed to be read/write, WebDAV. I tend to think that writeable folders with anonymous access enabled are irresponsible to host.

Edit:

If you want "Guest" to access a shared folder via SMB on a Windows Server OS (W2K3 and W2K8 flavors) then you'd want to:

  • "Enable" the "Guest" account from "Local Users and Groups"
  • Add either the "Guest" user or the "Guests" group with the desired permissions (hopefully read-only) to the ACL on the shared folder

The "Users" and "Authenticated Users" built-in groups don't contain "Guest" (though "Everyone" does) so most default folder ACLs won't allow Guest access. I'd add "Guests" explicitly, rather than "Everyone", so that it's visually very clear that I've allowed "Guests" access to this folder. (You don't have to use the group "Guests" but, generally, it's better to use groups in permissions rather than individual users. When you're joined to a domain, be aware that "DOMAIN\Domain Guests" is nested into your computer's local "Guests" group, though.)
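
A read-only audit of the points made in the answer above, added here as an example (it is not part of the original answer): it reports whether the built-in Guest account is enabled, who is nested in the local "Guests" group, and which allow entries on a folder's ACL the Guest context can use. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (newer than the W2K3/W2K8 systems mentioned), and the folder path is a placeholder.

```powershell
# Added example: audit what the Guest context can reach on one folder.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module); the path is a placeholder.
param([string]$Path = 'C:\Shares\Public')   # hypothetical shared folder

# Well-known SIDs, so the checks do not depend on the display language.
$guestsSid   = 'S-1-5-32-546'   # BUILTIN\Guests
$everyoneSid = 'S-1-1-0'        # Everyone (contains Guest)

# The built-in Guest account always has RID 501, even if it was renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-501$' }
"Guest account '$($guest.Name)' enabled: $($guest.Enabled)"

# Members of the local Guests group. On a domain member this is where
# DOMAIN\Domain Guests shows up as a nested group.
Get-LocalGroupMember -SID $guestsSid |
    Select-Object Name, ObjectClass, PrincipalSource

# Rights that let a caller change or remove content or permissions.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
             $fsr::ChangePermissions -bor $fsr::TakeOwnership

# Identities through which Guest gains access: the account itself, Guests, Everyone.
# "Users" and "Authenticated Users" are left out because they do not contain Guest.
$guestReach = @($guest.SID.Value, $guestsSid, $everyoneSid)
$sidType    = [System.Security.Principal.SecurityIdentifier]

# Explicit and inherited allow entries on the folder, resolved to SIDs.
(Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $guestReach -contains $_.IdentityReference.Value } |
    ForEach-Object {
        [pscustomobject]@{
            Sid       = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
            Writable  = [int]($_.FileSystemRights -band $writeMask) -ne 0
        }
    }
```

Any row with `Writable` set to true is an anonymously writable location once Guest is enabled; share-level permissions are a separate layer that this script does not inspect.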