Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Baseline Analyzer shows Guest Account enabled when it's NOT! Win XP Pro
SP2 fully patched. What's going on? Is it a bug?
--
Interim Systems and Management Accounting
Gordon Burgess-Parker
Director
www.gbpcomputing.co.uk

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

That sounds like a bug to me.

"Gordon" wrote:

> Baseline Analyzer shows Guest Account enabled when it's NOT! Win XP Pro
> SP2 fully patched. What's going on? Is it a bug?
> --
> Interim Systems and Management Accounting
> Gordon Burgess-Parker
> Director
> www.gbpcomputing.co.uk
>

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

It's not a bug. Rerun the Baseline Analyzer. This time, in the
Guest account section, click on the "What was scanned" link. An
explanation will appear which may clarify this situation for you.

When Simple File Sharing is enabled it uses the Guest account to
provide network access to shared resources on your computer. The
Guest account being disabled (in User Accounts or the Users
folder in Computer Management) means that no one can sit down in
front of your PC and logon using the Guest account. Simply put
the Guest account has remote access enabled but local access
disabled.

--
Nepatsfan
"Gordon" <gordonbp1@yahoo.co.uk.invalid> wrote in message
news:eps6SsHFFHA.1396@tk2msftngp13.phx.gbl...
> Baseline Analyzer shows Guest Account enabled when it's NOT!
> Win XP Pro SP2 fully patched. What's going on? Is it a bug?
> --
> Interim Systems and Management Accounting
> Gordon Burgess-Parker
> Director
> www.gbpcomputing.co.uk

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Nepatsfan wrote:
> It's not a bug. Rerun the Baseline Analyzer. This time, in the
> Guest account section, click on the "What was scanned" link. An
> explanation will appear which may clarify this situation for you.
>
> When Simple File Sharing is enabled it uses the Guest account to
> provide network access to shared resources on your computer. The
> Guest account being disabled (in User Accounts or the Users
> folder in Computer Management) means that no one can sit down in
> front of your PC and logon using the Guest account. Simply put
> the Guest account has remote access enabled but local access
> disabled.
>
Simple file sharing is not enabled. I turn that off immediately to use
the "security" settings for files and folders.

--
Interim Systems and Management Accounting
Gordon Burgess-Parker
Director
www.gbpcomputing.co.uk

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Here are the results I get on my XPPro box running MBSA 1.2.1

Scenario 1
Simple File Sharing enabled.
Control Panel/User accounts -> Guest account is off.
Computer Management/Users -> Guest account is not disabled.
Results: Green check mark - Guest account is not disabled on this
computer.

Scenario 2
Simple File Sharing disabled.
Control Panel/User accounts -> Guest account is off.
Computer Management/Users -> Guest account is not disabled.
Results: Red X - Guest account is not disabled on this computer.

Scenario 3
Simple File Sharing disabled.
Control Panel/User accounts -> Guest account is off.
Computer Management/Users -> Guest account is disabled.
Results: Green check mark - Guest account is disabled on this
computer.

All three scenarios yield the expected results.

You could try uninstalling/reinstalling MBSA. Make sure you're
using the latest version. Also, have you made any changes in the
Local Security Policy with respect to the Guest account? If so,
that may have an impact on your results.

If you want to make a case that MBSA is not an accurate gauge of
the security of a PC, you won't get an argument from me. I've run
it on a number of machines and found it to yield inaccurate
results in other areas. I wouldn't rely on it to guarantee the
security of your machine.

--
Nepatsfan
"Gordon" <gordonbp1@yahoo.co.uk.invalid> wrote in message
news$ywBeMFFHA.3840@tk2msftngp13.phx.gbl...
> Nepatsfan wrote:
>> It's not a bug. Rerun the Baseline Analyzer. This time, in the
>> Guest account section, click on the "What was scanned" link.
>> An explanation will appear which may clarify this situation
>> for you.
>>
>> When Simple File Sharing is enabled it uses the Guest account
>> to provide network access to shared resources on your
>> computer. The Guest account being disabled (in User Accounts
>> or the Users folder in Computer Management) means that no one
>> can sit down in front of your PC and logon using the Guest
>> account. Simply put the Guest account has remote access
>> enabled but local access disabled.
>>
> Simple file sharing is not enabled. I turn that off immediately
> to use the "security" settings for files and folders.
>
> --
> Interim Systems and Management Accounting
> Gordon Burgess-Parker
> Director
> www.gbpcomputing.co.uk

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Nepatsfan wrote:

> Control Panel/User accounts -> Guest account is off.
> Computer Management/Users -> Guest account is not disabled.

If the guest account is OFF (ie in my book disabled) in Control panel,
why the hell is it "Not disabled" in Computer management/Users?

Totally and completely illogical, isn't it?

--
Interim Systems and Management Accounting
Gordon Burgess-Parker
Director
www.gbpcomputing.co.uk

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You're right. But that's the default setup in order to provide
network access when Simple File sharing is enabled. No Guest
account, no network access. Go figure!

I seem to recall reading that when MS was developing XP, they
wanted to give there customers a method of sharing files in a
workgroup that was easier to configure than it was in W2K, where
matching user accounts needed to exist on both computers. That
led them to validate any user trying to access shared resources
by using the built-in Guest account. The result was Simple File
Sharing. It works fine
for many but is turned off by users, such as yourself, who want
to operate in a more secure environment.

Getting back to MBSA, it seems that version 2.0 will be available
soon as a Beta. Maybe they'll get your bug fixed. I'll be happy
when it stops telling me to apply updates that I know have
already been installed.

--
Nepatsfan
"Gordon" <gordonbp1@yahoo.co.uk.invalid> wrote in message
news:eOG4nzRFFHA.4052@TK2MSFTNGP14.phx.gbl...
> Nepatsfan wrote:
>
>> Control Panel/User accounts -> Guest account is off.
>> Computer Management/Users -> Guest account is not disabled.
>
> If the guest account is OFF (ie in my book disabled) in Control
> panel, why the hell is it "Not disabled" in Computer
> management/Users?
>
> Totally and completely illogical, isn't it?
>
> --
> Interim Systems and Management Accounting
> Gordon Burgess-Parker
> Director
> www.gbpcomputing.co.uk

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Nepatsfan wrote:
> You're right. But that's the default setup in order to provide
> network access when Simple File sharing is enabled. No Guest
> account, no network access. Go figure!

But simple file sharing is OFF! (Or is there another setting somewhere
that shows it ON? )
>
> I seem to recall reading that when MS was developing XP, they
> wanted to give there customers a method of sharing files in a
> workgroup that was easier to configure than it was in W2K,

I'd heard that that was the idea in XP Home, but I've got Pro!


> Getting back to MBSA, it seems that version 2.0 will be available
> soon as a Beta. Maybe they'll get your bug fixed. I'll be happy
> when it stops telling me to apply updates that I know have
> already been installed.

LOL!

--
Interim Systems and Management Accounting
Gordon Burgess-Parker
Director
www.gbpcomputing.co.uk

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Gordon" <gordonbp1@yahoo.co.uk.invalid> wrote in message
news:u%23PlZGZFFHA.3664@TK2MSFTNGP15.phx.gbl...
> Nepatsfan wrote:
>> You're right. But that's the default setup in order to provide
>> network access when Simple File sharing is enabled. No Guest
>> account, no network access. Go figure!
>
> But simple file sharing is OFF! (Or is there another setting
> somewhere that shows it ON? )

Folder Options is the only location I'm aware of to turn it off.
The steps you've taken (SFS off, Guest disabled) should result in
MBSA showing a green check mark with "The Guest account is
disabled on this computer". That's what I get on my XPPro
machine. I don't know why your results differ. I've tried
changing a number of different settings on my machine (registry,
local group policy, created a user that was a member of only the
Guests group) and can't recreate your results. You may be right,
it could be a bug.

>> I seem to recall reading that when MS was developing XP, they
>> wanted to give there customers a method of sharing files in a
>> workgroup that was easier to configure than it was in W2K,
>
> I'd heard that that was the idea in XP Home, but I've got Pro!

I know you're using Pro. I only mentioned that to point out the
fact that I think Microsoft sacrificed security for ease of use.

>> Getting back to MBSA, it seems that version 2.0 will be
>> available
>> soon as a Beta. Maybe they'll get your bug fixed. I'll be
>> happy
>> when it stops telling me to apply updates that I know have
>> already been installed.
>
> LOL!

Hey! They could be hard at work right now fixing your bug.

FYI, From the latest issue of the Microsoft Technet newsletter:

Announcing MBSA 2.0 Beta

http://go.microsoft.com/?linkid=2167605

Please help us improve the quality of the next version of the
Microsoft Baseline Security Analyzer. We are currently accepting
nominations into the MBSA 2.0 beta program. Customers can
nominate themselves for the beta. They will need to log on to the
system using their Microsoft .NET Passport and a guest ID of
"MBSA20" and then complete the survey. Microsoft will contact
customers who are selected for the private beta directly; those
not selected will automatically be notified of the public beta at
the end of March.

Sorry I couldn't shed more light on your problem. Good luck.

Nepatsfan