Check or Attack Name: Network Guest Logon

The Guest account is allowed to log on from the network. This configuration may allow an attacker unauthorized remote access to a machine. Access can be improperly elevated if guest accounts are assigned to the wrong group, or if guests are granted stronger than normal user rights.

Since Windows NT 4.0 comes with the Guest account disabled by default, many administrators may find it sufficient to leave the account disabled.

To explicitly grant network logon rights, follow these steps:

1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
2. From the Policy menu, select User Rights to display the User Rights Policy dialog box.
3. From the Right list, select Access this computer from network.
4. If present, remove Everyone and Guest from the Grant To list
.
5. Add any users or groups who should be allowed to log in from the network.
6. Click OK.