Mike Alexander

Scotland

IT Specialist

This has been discussed recently on some SecurityFocus lists...

While MS often deserve the flak they take regarding security flaws, in this case I feel it is necessary to balance the books and offer something in their defence.

Every Windows server admin (NT,2K) knows that the "guest" account should be disabled or otherwise removed - regardless of whatever else the server might be used for.

This so-called "vulnerability" requires the guest account to be enabled, so if a server has been properly secured (and MS publish plenty of material on how this can be achieved) the "vulnerability" shouldn't exist.

Mr Greenspan states "Even if you think you've done everything (to secure the
server), you are still open to spammers". Everything, it seems, except implement one of the fundamental (and most commonly-known) security measures.

Which leads me to the best little gem in this whole affair. Mr Greenspan is quoted as saying "It is really inexcusable for a company that claims
security is its top priority". Sorry Mr Greenspan - you're wrong. What is inexcusable is that you and your company charge clients for the priviledge of having you misonfigure their servers, leave the guest account enabled and then try to shift the blame onto someone else when things go pear-shaped. As these issues only appear to have been picked up by your own clients, I think you need to look closer to home to find where the problem lies.