 |
Show Changes |
|
Edit |
|
|
|
Recent Changes |
|
Subscriptions |
|
Lost and Found |
|
Find References |
|
Rename |
| Search |
History
| 7/30/2004 5:54:05 PM |
|
List all versions |
|
Show Changes |
|
Edit |
|
|
|
Recent Changes |
|
Subscriptions |
|
Lost and Found |
|
Find References |
|
Rename |
| Search |
History
| 7/30/2004 5:54:05 PM |
|
List all versions |
Besides the null session (WhatIsANullSession), the guest logon is another way to represent an anonymous user. However, a guest logon works a bit differently from a null session. First of all, to enable any guest logons on a machine you must first enable the local Guest account. Then you must assign it either a real password or an empty password. If you assign a real password, clients attempting to connect must prove knowledge of that password before being allowed a guest logon. If you assign an empty password, this proof isn't required and any client password will do.
An example will best demonstrate how a guest logon occurs. Take a couple of machines that don't have any domain affiliation, and say one of them has a local account for a user named Alice. If Alice is logged into the first machine and she tries to authenticate with the second machine (which doesn’t have any such account), and if the guest account is enabled on the second machine, a challenge-response handshake will verify that Alice's password matches the Guest password. If this is true, Alice will be granted a logon on the second machine. If the Guest account on the second machine has an empty password, the handshake still occurs; however, Alice isn't required to have any particular password, so it's not much of a challenge! She’ll always be allowed a guest logon in this case. But note that if the second machine did have an account named Alice, a guest logon wouldn't even be considered — you'd simply see a normal challenge-response handshake to validate Alice's password. Thus guest logons work only for account names that are unknown to the server (and any domains it trusts). It's a rather sketchy mechanism that should normally be disabled (by disabling the Guest account). The Guest account is disabled by default on all versions of Windows I've seen.
If you do allow guests on a system, here's what SIDs (WhatIsASID) the resulting token will have:
Guest (this is the user SID)EveryoneGuestsNETWORKAs was the case with the null session (WhatIsANullSession), Authenticated Users doesn't show up here, so this can be used to gate access to both null sessions and guest logons. By granting access to Authenticated Users instead of Everyone, you're implicitly denying null sessions and guests.1
1 Last time I checked, which was around service pack 4, Windows NT 4 had this wrong: Guest logins there did have the Authenticated Users SID, but SYSTEM didn’t! Windows 2000 fixed these flaws, but please tell me you're not still using Windows NT 4!
Keith's first book-in-a-wiki. If you would like to read the book online or order a physical copy to throw at annoying coworkers, surf to the HomePage. Please note that due to overwhelming wikispam, this particular wiki is no longer editable.
About FlexWiki.
Recent Topics