N/A - KB906574

Microsoft has issued this Security Advisory to clarify information of the issue addressed in Security Bulletin MS05-039 for non-default configurations of Windows XP Service Pack 1.This feature is known as “Simple File Sharing and ForceGuest.”If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability. Also, customers that have applied the security update included with MS05-039 are not impacted by this issue.We recommend that customers continue to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

If Simple File Sharing is enabled on a Microsoft Windows XP system that is not joined to a domain, then all users who access this system through the network are forced to use the Guest account. This is the “Network access: Sharing and security model for local accounts” security policy setting, and is also known as ForceGuest.

Windows XP mitigates several security vulnerabilities by preventing users who do not have a valid logon credential from accessing the system remotely. An example of this is the vulnerability that is addressed in Microsoft Security Bulletin MS05-039. However, when you enable Simple File Sharing, the Guest account is also enabled and given permission to access the system through the network. Because the Guest account is a valid account when it is enabled, and is given permission to access the system through the network, an attacker could use the Guest account as if they had a valid user account.

There is no known attack that is seeking to exploit this scenario.The Advisory is being issued as a special precaution.There is no change to the update in Security Bulletin MS05-039.Customers who have applied this update are protected in this scenario.

Mitigating Factors:

Windows XP Service Pack 2 is not vulnerable remotely to the issue addressed by MS05-039 even when Simple File Sharing enables the Guest account. On Windows XP Service Pack 2, the impact of this vulnerability is only Local Privilege Elevation, and only exploitable if a user has the ability to logon locally to the system.

Simple File Sharing is not available on Windows XP systems that are joined to a domain. Domain-joined systems use standard file sharing which does not enable the Guest account or give it permissions to access the system through the network. Windows XP Service Pack 2 is not vulnerable remotely in domain-joined systems or in workgroup-joined systems.

Enabling Simple File Sharing does not expose customers who have applied the security updates provided by Microsoft Security Bulletin MS05-039 to the vulnerability that is addressed by that security bulletin.

What is the scope of the advisory?
This advisory clarifies the Simple File Sharing feature of Windows XP and its use of the Guest account. This process, which is called ForceGuest, does not introduce a security vulnerability. However, ForceGuest automatically enables the Guest account and it is given permission to access the system through the network.If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. The Simple File Sharing feature is an optional configuration that some customers may choose to enable. This feature is not available on systems that are joined to a domain. For more information about this feature and how to appropriately configure it, visit the following Web site. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

How does the Guest account become enabled and allowed to access the system through the network?
Windows XP Professional systems that are members of a workgroup and Windows XP Home systems use Simple File Sharing. With Simple File Sharing, a user must manually use the Network Setup Wizard, documented at the following Web site, or bypass the Network Setup Wizard by selecting the If you understand the security risks but want to share files without running the wizard, click here option to complete the configuration of Simple File Sharing. These procedures enable the Guest account and give it permission to access the system from the network by removing the Guest account from the Deny access to this computer from the network local security policy. If you manually enable the Guest account it would not have permission to access the system through the network.

It is not enough to just have the File and Print Sharing enabled to enable the Guest account to have access to they system through the network. You must manually perform the steps that are documented in this FAQ section to enable the Guest account and allow it to access the system through the network. Once these steps have been performed, any file or print sharing connection request will successfully authenticate as the Guest account. For more information about Simple File Sharing and its use of the Guest account, visit the following Web site. This issue does not affect Windows XP Professional systems that are members of a domain. Domain-joined systems do not use Simple File Sharing. Sharing files or printers on domain-joined systems does not enable the Guest account or give it permission to access the system through the network. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

Can non-domain-joined systems have their Guest account enabled through Simple File Sharing?
Domain-joined Windows XP Professional systems do not implement the Simple File Sharing feature. However, if a Windows XP Professional system had the Guest account enabled by Simple File Sharing, before being joined to a domain, then the Guest account remains enabled when that system is later joined to the domain. To disable the Guest account on these systems, perform the steps documented at the following Web site. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

How do I know if I am using a system where these steps have been performed?
If you are using a Windows XP Professional system that is a member of a workgroup, or if you are using a Windows XP Home system, you can quickly check to see if you might be vulnerable to this issue by using the following command. At a command prompt type Net User Guest. In the list of results, if the Guest account is listed as Account Active – Yes, you could be vulnerable to this issue if the Guest account has also been granted permission to access the system through the network. Also, if you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

Does the Microsoft Baseline Security Analyzer (MBSA) detect if the Guest account has been enabled on a system within my domain?
Yes.While the having the Guest account enabled is not enough to allow it to access the system throught the network, disabling the Guest account is a good best-practice and would block unintended network access. MBSA will check that a Guest account has been disabled on a system, and will report success or failure depending on the system configuration.

Does the Windows Firewall help block access when the Guest account has been enabled through Simple File Sharing?
While Simple File Sharing automatically enables an exception in the Windows Firewall, access is limited to the local subnet.However, Windows XP Service Pack 2 systems are not vulnerable remotely to the issue discussed in MS05-039 with or without the firewall enabled.

How do I disable the Guest account on a Windows XP Home system?
At a command prompt, type Net User Guest /Active:No to disable the guest account on workgroup joined systems.Disabling the guest account will block Simple File Sharing, so the recommended action for systems that are not joined to a domain, but would like enhanced protection while using Simple File Sharing, is to set a password for the Guest account.See the Suggested Actions section below for more information on setting this password. If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability.

How can I enforce that the Guest account be disabled within my domain using Group Policy?
While the having the Guest account enabled is not enough to allow it to access the system through the network, disabling the Guest account is a good best-practice and would block unintended network access.The Guest account can be disabled through Group Policy by ensuring that the Accounts: Guest account statusis set to Disabled in your domain.