February 25, 2010

Guest account

I've been so terribly busy lately, which could be obvious from the number of posts I've made recently. The first reason I was so busy was that I was facing IT auditors. The second reason was I was working on optimizing our ERP software, which I'll post about later this week.

About the auditors, one security problem the auditors found while auditing my network was that I had the guest account enabled on the Windows domain. Normally I agree with the auditors on all the security issues they find, but in this case, I had to disagree with them, and I wrote a huge email as my reply to their management letter, some of which I post below.

Names have been edited out, and some of the text has been re-edited for readability and context. Some of the wording might be slightly confusing since this consists of my original email and a follow-up when I was asked to clarify some points I made in the first email. Read on...

Guest account will be disabled from February 2010 onwards according to EY's recommendation. However, the IT team finds that EY does not have any understanding of the concepts or workings of a secure and correctly configured Microsoft Windows network; our IT and business processes or requirements; and how computers and networks are used in the real world.

Unlike default administrative or privileged accounts, the guest account is not even an interactive logon account. It's not like "sa" of SQL Server 2000 that has an initially blank password or "admin" of most devices that have the initial password of "admin". I agree those accounts must have a secure and complex password set as soon as the program is installed or the device is powered up for the first time. However, the Windows domain guest account has no need for a password, and password changing is disabled. The guest account also cannot be used to log in to workstations (no interactive logon capability). Let's pretend for a second that a user can log in to a workstation using the guest account, but then there's nothing they can do since the guest account can't access network file shares (which means the login process can't complete), and they can't change any workstation settings. A created user account, on the other hand, can access network file shares (which means they could put a virus or trojan in the network, or infect the network with a worm) and change workstation settings. With the guest account, visitors can easily access network resources such as printers and scanners after having received authorization from the IT Dept. There is no possible way for visitors to enter the network without prior authorization from the IT Dept.

The operating system itself may also need the guest account to access network resources or perform system maintenance tasks. Like I've mentioned before, the guest account is not a user account named "guest", but is a special account used for accessing company provided network resources. I also quote from the Microsoft website: "We do not recommend that you disable the Guest account. If you disable the Guest account, you may not be able to access network resources. Additionally, you cannot access resources on a local computer from another computer on the network."

Firstly, we do not and will not have any kind of outside accessible network services such as e-mail server, web server, e-commerce server, remote desktop server, file transfer server, conferencing server, VPN server, SharePoint server, BlackBerry server, or any kind of Internet accessible services whatsoever. There is no possibility of any outsider access that even necessitates disabling the guest account. Our business processes and requirements do not ever require such services to be installed. And in the unlikely event that any Internet accessible services are ever to be installed, IT will do security and penetration testing accordingly before such services will be installed. Plus, even though there are no outside accessible network services and no ports open to the Internet, the internal network is protected by a firewall at the network level.

Internally on the local network, everyone can use the guest account to access network resources if they want, just like everyone is allowed to use the telephones or fax machines. But internally no one would want or need to use the guest account, since users are already logged into the network, they have far more access rights than the guest account.

In the Microsoft Windows network environment, the guest account in a domain is a special pre-configured account with lowest access rights and security levels, and as the name itself suggests, suitable and should always be used for guest access. Creating a user account for outsiders will not only go against our security policy of assigning user accounts, but will actually give the persons too much access to the internal and private network, such as giving access to file sharing access on the internal network, which is not accessible to guest users. Finally, the guest account allows simple network devices such as network shared printers or switching hubs to be purchased and used inside the network instead of always having to purchase "enterprise-grade" hardware with advanced security features. A simple calculation at the current market prices suggests that disabling guest access will require the IT Dept. to always purchase such advanced hardware that will inflate the yearly IT budget for networking hardware by 20 times or more. In addition, additional budget needs to be provided to retire and redesign the existing infrastructure and to purchase hardware to support such enterprise-grade hardware to be used on the local network.

Creating a user account for visitors means that I will probably need to join their computer into the domain, which is an extreme security risk from the fact that the visitors' computers may contain malware. I would also need to type the domain administrator password on the visitors' computer which could be recorded by key loggers, and the visitors will need administrative access to their computers.

Thus, disabling the guest account will only hinder our own employees, most notably members of the upper management, from correctly accessing the internal network and network devices. The IT team will also need time and budget to rework the entire network design to upgrade the existing infrastructure. Additionally, the guest account is used by EY's own auditing teams to access the Internet and printing on the network shared printers while at the company's premises.

Most members of the upper management use notebook computers and travel frequently. Joining their computers into the domain is problematic when they're out of the network for extended periods and have no access to the domain controller. With guest account disabled, when they're back in the office, they also have to remember to log in to the domain instead of logging in to the local computer in order to access network resources. Having to log into the domain and local computer separately also means there needs to be two separate accounts kept in the computer and two completely different locations for saving documents, leading to confusion for the users. These problems can be resolved by simply enabling the guest account.

However, the IT Dept. has already disabled the guest account according to EY's recommendation, and will hereafter refer all network access problems and issues arising from this change back to EY.

Recently we have faced many issues where the external auditors make recommendations that are against our standard workflow or recommendations that we are simply unable to comply with since it's not how our business functions, and often we end up having to make up documents or make changes in workflow just to show the auditors that we're following their recommendation, when in fact those changes have no use to us whatsoever in our particular business (or IT) environment.

When presenting the changes to upper management, we're always faced by angry managers asking us why we don't make our cases clear with the auditors so we don't end up doing extra work for no reason at all? I'm simply presenting this as evidence.

Whew!! Of course, I realize that I made up a lot of this. But I was simply pissed that the auditors have to have things their way and no argument would make them see how things work in the Real World.
