Guest Account Enabled
Windows
Option 1: Disable the Guest Account
If the Guest account is not in use, disable it completely by opening an administrative command prompt on the host and issuing the following command:
net user guest /active:no
Option 2: Restrict the Guest Account Access
If the Guest account is in use, restrict its access to the available shares: right-click the share folder on the host, select the “Security” tab, select the “Guest” user, and remove any privileges.

Linux
Option 1: Disable Guest access to the samba service
You can verify that a guest has access to list samba shares using crackmapexec.
To prevent guest access to the Samba service, update the global section of smb.conf. Add the following lines to prevent the Samba service from allowing a guest to authenticate, then restart the Samba service: sudo systemctl restart smbd.
Now the guest can no longer authenticate and list the shares.
Option 2: Restrict the Guest Account Access
If option 1 isn't viable because the guest needs access to some shares and not others, then use this option. This allows the guest to still authenticate to the samba service and list the shares but denies the guest access to a specific shared folder. Starting with a shared folder called Shared that a guest has access to, the config in smb.conf will look something like this:
That allows the guest to list the shared folders and access the specific Shared folder.
To remove the guest's access to Shared, update the smb.conf config for Shared: set guest ok = no, then restart the Samba service: sudo systemctl restart smbd.
Now the guest can still list the shares but is unable to connect to the Shared folder.
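An added example, not from the original page (whose own configuration snippets are not shown above): a small Python check that reads smb.conf text and reports the settings that let a guest authenticate or open a share. The sample config, the Finance share and the paths are constructed; map to guest, guest ok and public are standard Samba parameters, and their presence in a given smb.conf is an assumption.

```python
SAMPLE_SMB_CONF = """\
[global]
   map to guest = Bad User

[Shared]
   path = /srv/samba/shared
   guest ok = yes

[Finance]
   path = /srv/samba/finance
   public = no
"""  # constructed sample; Finance and all paths are assumptions

TRUE_VALUES = {"yes", "true", "on", "1"}   # boolean spellings Samba accepts
SYNONYMS = {"public": "guestok"}           # 'public' is a synonym for 'guest ok'

def parse_smb_conf(text):
    """Return {section: {param: value}}; names are compared without case or spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def guest_findings(text):
    """List (section, setting) pairs that let a guest authenticate or open a share."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    mapping = glob.get("maptoguest", "Never")   # Samba's default is Never
    if mapping.lower() != "never":
        findings.append(("global", f"map to guest = {mapping}"))
    for name, params in conf.items():
        if name == "global":
            continue
        # A share without its own setting inherits [global]; the default is no.
        value = params.get("guestok", glob.get("guestok", "no"))
        if value.lower() in TRUE_VALUES:
            findings.append((name, f"guest ok = {value}"))
    return findings
```

Calling guest_findings() on the contents of /etc/samba/smb.conf before and after the change shows whether the global guest mapping (Option 1) or only a per-share setting (Option 2) is still in effect.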






