Restricted/Guest vs. Limited/Standard Account

Discussion in 'other security issues & news' started by TechOutsider, Apr 7, 2009.

Thread Status:
Not open for further replies.
  1. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    What, in your opinion, is the more secure account on Windows XP?

    I know the Guest account is not password protected, thus allowing anyone access to the computer.

    However, the Limited account has more privileges, enough to install/uninstall most programs and do just about anything, except for system-wide changes, or ones that will affect all users.
     
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    My opinion is that Limited account it the best, most secure and easiest to use
    for most users.
     
  3. Arup

    Arup Guest

    Limited with hardware DEP.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you are referring to an account that is only a member of users, I don't believe this is correct. By default an account that is a user, can read/execute/modify in the profile directory and custom directories. However only read/execute is allowed for other profiles, c:, windir and program files. So this account should not be able to install or uninstall anything in program files, nor should it be able to mess with any system settings.

    Sul.
     
  5. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    I'm referring to a Guest account. It is not a member of "users". I am looking at the file permissions and there is a separate entry for configuring permissions for a "guest" user.
     
  6. Arup

    Arup Guest

    Limited account users can't even write anything to C let alone install, the only install they can do is local to the documents and setting app folder so in rare case if something does get installed, it will be limited to the account and not system wide.
     
  7. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    I figured out how to assign a password to a Restricted/Guest account :). Guess that's the winner.
     
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Sully I can confirm TechOutsider's problem. On every system I've come across, the LUA was able to write to any folder except Programs and Windows directories. And even install and uninstall some software exactly like TechOutsider is saying.

    I have 4 pcs at home : 2 Windows XP Home , 2 Windows XP Media Center Edition. My friend has 5 PCs : 1 Windows XP Home, 4 Vista Home Premium. All of them allowed the LUA to make any changes they wanted to as long as weren't in Program and Windows directories.

    We had to manually remove the permissions using the security tab.

    It seems Guest > LUA in terms of default security.

    PS TechOutsider how do you set a password for the guest account?
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Guest account has an even lesser set of privileges but even though it is limited it should be secured.

    btw net user guest password at command prompt, Enter.
     
  10. buggy

    buggy Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    26
    Location:
    Derbyshire, UK
    I can't connect to the internet with my guest a/c, so I locked it off with an "unbreakable" password and forgot about it.

    No such problem with the LUA, but it can't tamper with Programs, can't install aps.
     
  11. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    You can disable your Guest account, buggy. Yes, that's the command I used Meriadoc. I like how Vista gives Administrators a set of Limited Priv.; even so, Admins. have a great amount of jusrisdiction over the system.
     
  12. buggy

    buggy Registered Member

    Joined:
    Apr 12, 2009
    Posts:
    26
    Location:
    Derbyshire, UK
    I put the passwd on first for extra security

    Then I disabled using

    NET USER Guest /ACTIVE:no

    and the system works ok - but I'm not sure if I really have disabled it, eg

    "Even if you select "Turn Off The Guest Account" it will only be turned off in terms of its ability to log on directly to Windows. In the background, the account will still be functional because Windows XP Home uses the Guest account to authenticate users connecting remotely to shared resources on that machine. It is virtually impossible to truly disable the Guest account and doing so would cause a number of problems on a Windows XP Home computer."
    (http://netsecurity.about.com/cs/windowsxp/a/aa042204.htm)

    - or if I should

    http://www.petri.co.il/disable_the_guest_account_in_windows_xp.htm
     
    Last edited: Apr 14, 2009
  13. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Oh, I didn't know that buggy. Thanks for sharing. Does the same apply to Professional?
     
Loading...
Thread Status:
Not open for further replies.