Microsoft Windows 11

The built-in guest account must be disabled

STIG ID: WN11-SO-000010 | SRG: SRG-OS-000121-GPOS-00062 | Severity: Medium | CCI: CCI-000804 | Vulnerability ID: V-253433

Description

A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.

Check

C-56886r829381_chk

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.

If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.

Fix

F-56836r829382_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled".
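The Check and Fix above are manual gpedit.msc steps. The following PowerShell is an added example, not part of the STIG text or any DISA tooling, that audits the same setting and applies the same remediation from an elevated session. The function names are my own; it relies on the built-in Guest account's well-known relative ID (501) so a renamed Guest is still found, and on the fact that secedit stores "Accounts: Guest account status" as EnableGuestAccount under [System Access] in an exported policy (0 = Disabled, 1 = Enabled).

```powershell
# Added example (not from the STIG): audit and remediate WN11-SO-000010.
# Assumes an elevated Windows PowerShell 5.1+ session on Windows 10/11 with the
# Microsoft.PowerShell.LocalAccounts module available. Function names are my own.

function Get-GuestAccount {
    # Locate the built-in Guest by its well-known RID (501) rather than by name,
    # so the check still works when the account has been renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-501$' }
}

function Get-EffectiveGuestPolicy {
    # Export the effective local security policy and read EnableGuestAccount,
    # which is how secedit represents "Accounts: Guest account status".
    # Returns 0 (Disabled), 1 (Enabled), or $null if the key is not present.
    $inf = Join-Path $env:TEMP 'wn11-so-000010.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    try {
        $line = Get-Content $inf |
            Where-Object { $_ -match '^\s*EnableGuestAccount\s*=\s*(\d+)' }
        if ($line -and ($line -match '=\s*(\d+)')) { return [int]$Matches[1] }
        return $null
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-WN11SO000010 {
    # Mirrors the STIG Check: the finding is "Open" if the Guest account is
    # enabled or the effective policy explicitly sets it to Enabled (1).
    $guest  = Get-GuestAccount
    $policy = Get-EffectiveGuestPolicy
    $compliant = ($null -ne $guest) -and (-not $guest.Enabled) -and ($policy -ne 1)
    [pscustomobject]@{
        StigId             = 'WN11-SO-000010'
        GuestAccountName   = $guest.Name
        GuestEnabled       = [bool]$guest.Enabled
        EnableGuestAccount = $policy
        Status             = if ($compliant) { 'NotAFinding' } else { 'Open' }
    }
}

function Invoke-WN11SO000010Fix {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Mirrors the STIG Fix: disabling the built-in Guest account is what
    # "Accounts: Guest account status = Disabled" enforces. On domain-joined
    # hosts prefer setting it via Group Policy so it is re-applied on refresh.
    $guest = Get-GuestAccount
    if ($guest.Enabled -and
        $PSCmdlet.ShouldProcess($guest.Name, 'Disable built-in Guest account')) {
        Disable-LocalUser -SID $guest.SID
    }
}

# Usage (elevated):
#   Test-WN11SO000010                # report Status = NotAFinding / Open
#   Invoke-WN11SO000010Fix -WhatIf   # preview the change
#   Invoke-WN11SO000010Fix           # apply it, then re-run the test
```

Checking the account state and the exported policy together matters because the two can disagree briefly (for example, right after a local change but before a policy refresh); reporting both values makes the reason for an Open finding obvious to the reviewer.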