Restricted/Guest vs. Limited/Standard Account

[TechOutsider]

What, in your opinion, is the more secure account on Windows XP?

I know the Guest account is not password protected, thus allowing anyone access to the computer.

However, the Limited account has more privileges, enough to install/uninstall most programs and do just about anything, except for system-wide changes, or ones that will affect all users.

[SweX]

My opinion is that Limited account it the best, most secure and easiest to use
for most users.

Limited with hardware DEP.

[Sully]

Quote:

Originally Posted by TechOutsider

However, the Limited account has more privileges, enough to install/uninstall most programs and do just about anything, except for system-wide changes, or ones that will affect all users.

If you are referring to an account that is only a member of users, I don't believe this is correct. By default an account that is a user, can read/execute/modify in the profile directory and custom directories. However only read/execute is allowed for other profiles, c:, windir and program files. So this account should not be able to install or uninstall anything in program files, nor should it be able to mess with any system settings.

Sul.

[TechOutsider]

I'm referring to a Guest account. It is not a member of "users". I am looking at the file permissions and there is a separate entry for configuring permissions for a "guest" user.

Limited account users can't even write anything to C let alone install, the only install they can do is local to the documents and setting app folder so in rare case if something does get installed, it will be limited to the account and not system wide.

[TechOutsider]

I figured out how to assign a password to a Restricted/Guest account . Guess that's the winner.

[zopzop]

Sully I can confirm TechOutsider's problem. On every system I've come across, the LUA was able to write to any folder except Programs and Windows directories. And even install and uninstall some software exactly like TechOutsider is saying.

I have 4 pcs at home : 2 Windows XP Home , 2 Windows XP Media Center Edition. My friend has 5 PCs : 1 Windows XP Home, 4 Vista Home Premium. All of them allowed the LUA to make any changes they wanted to as long as weren't in Program and Windows directories.

We had to manually remove the permissions using the security tab.

It seems Guest > LUA in terms of default security.

PS TechOutsider how do you set a password for the guest account?

[Meriadoc]

Guest account has an even lesser set of privileges but even though it is limited it should be secured.

btw net user guest password at command prompt, Enter.

[buggy]

I can't connect to the internet with my guest a/c, so I locked it off with an "unbreakable" password and forgot about it.

No such problem with the LUA, but it can't tamper with Programs, can't install aps.

[TechOutsider]

You can disable your Guest account, buggy. Yes, that's the command I used Meriadoc. I like how Vista gives Administrators a set of Limited Priv.; even so, Admins. have a great amount of jusrisdiction over the system.

[buggy]

Quote:

Originally Posted by TechOutsider

You can disable your Guest account ...

I put the passwd on first for extra security

Then I disabled using

NET USER Guest /ACTIVE:no

and the system works ok - but I'm not sure if I really have disabled it, eg

"Even if you select "Turn Off The Guest Account" it will only be turned off in terms of its ability to log on directly to Windows. In the background, the account will still be functional because Windows XP Home uses the Guest account to authenticate users connecting remotely to shared resources on that machine. It is virtually impossible to truly disable the Guest account and doing so would cause a number of problems on a Windows XP Home computer."
(http://netsecurity.about.com/cs/wind...a/aa042204.htm)

- or if I should

http://www.petri.co.il/disable_the_g...windows_xp.htm

[TechOutsider]

Oh, I didn't know that buggy. Thanks for sharing. Does the same apply to Professional?