Shavlik Empower Domain Guest Account Lockout

Version 5

    Purpose

     

    This document describes Guest account lockouts that occur after scanning with Empower, explains the cause, and lists the available resolutions.

     

    Symptoms

     

    After deploying the Shavlik Empower Sentinel and beginning scans, you notice the built-in "Guest" account on scanned machines locking out, or your third-party security monitoring tools begin alerting on Guest account logon attempts.

     

    Cause

     

    Your organization's security policy, specifically the Security Option "Network access: Sharing and security model for local accounts", is set to "Guest only".

    Per Microsoft's documentation (Network access: Sharing and security model for local accounts)(1), this policy setting determines how network logons that use local accounts are authenticated. It does not affect network logons that use domain accounts, nor interactive logons such as Remote Desktop sessions.

       

        "Classic - local users authenticate as themselves": network logons that present local account credentials are authenticated with those credentials and receive that account's permissions.

     

        "Guest only - local users authenticate as Guest": network logons that present local account credentials are automatically mapped to the Guest account. Because Guest-only mode treats all network logon users equally, they all receive the same predetermined, limited set of permissions. In many environments the domain administrator has either disabled the Guest account or given it read-only access.

     

    What this means: when the Security Option is set to "Guest only - local users authenticate as Guest" and a network logon with a local account (for example the local Administrator) is attempted, it is mapped to the Guest account. Since many domain administrators disable the Guest account by default or grant it little or no permission, the Shavlik Sentinel fails to authenticate to that machine. Repeated failures lock out the Guest account and generate an alert in third-party security monitoring software for each failure.

    [Screenshot SecPol_setting.JPG: the "Network access: Sharing and security model for local accounts" Security Option in Local Security Policy]
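    The following PowerShell is an added example for auditing the setting described above; it is not part of the Shavlik article or the Empower product. It assumes WinRM is enabled on the targets and that you run it with local administrator rights there. The Security Option is backed by the REG_DWORD value ForceGuest under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 = Classic, 1 = Guest only); the computer names are constructed placeholders.

```powershell
# Added example (not Shavlik code): report, for each target, which sharing and
# security model it uses for local accounts and whether its Guest account is
# disabled or locked out. Computer names are constructed placeholders.

function Get-LocalAccountSharingModel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # "Network access: Sharing and security model for local accounts"
        # is stored as ForceGuest: 0 = Classic, 1 = Guest only.
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name ForceGuest -ErrorAction SilentlyContinue
        $forceGuest = if ($null -ne $lsa) { [int]$lsa.ForceGuest } else { 0 }  # missing value behaves as Classic
        $model = if ($forceGuest -eq 1) { 'Guest only' } else { 'Classic' }

        # The WinNT ADSI provider exposes the lockout flag, which Get-LocalUser does not.
        $guest    = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
        $flags    = [int]$guest.InvokeGet('UserFlags')
        $disabled = ($flags -band 0x2) -ne 0                 # ADS_UF_ACCOUNTDISABLE
        $locked   = [bool]$guest.InvokeGet('IsAccountLocked')

        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            SharingModel = $model
            GuestEnabled = -not $disabled
            GuestLocked  = $locked
            # Scans that authenticate with a local account will be mapped to Guest
            # and fail when the model is Guest only and Guest is disabled or locked.
            ScanAtRisk   = ($forceGuest -eq 1) -and ($disabled -or $locked)
        }
    } | Select-Object Computer, SharingModel, GuestEnabled, GuestLocked, ScanAtRisk
}

# Usage with constructed computer names:
Get-LocalAccountSharingModel -ComputerName 'WS-001', 'WS-002', 'SRV-FILE01' | Format-Table -AutoSize
```

    Any row with ScanAtRisk set to True is a machine where a Sentinel scan using local account credentials will be mapped to Guest and fail, matching the symptom described above.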

    Resolution

     

    This issue can be addressed in several ways once you have identified which device(s) are locking out the Guest account. Pinpointing the problem device(s) can be challenging, but several scripts exist to make this task easier(2). Note that Guest is a local account, so the lockout is recorded on the scanned machine itself rather than on a domain controller.

     

    To prevent the Guest account from being used, you must change how network logons that use local accounts are authenticated. The simplest approach is to change the Security Option to "Classic"; however, doing so reintroduces the risks explained in the Microsoft Sharing and Security document listed below(1). Alternatively, use Group Policy to provision a dedicated "patching" account with local Administrator rights on every target machine and use that account within Empower. Because the setting applies only to network logons that use local accounts, this sidesteps it only if the patching account is a domain account (for example, a domain account added to the local Administrators group through Restricted Groups); a GPO-created local account would still be mapped to Guest under the "Guest only" model.
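    The following PowerShell is an added example of the two resolution steps above: locating the device that is hitting the Guest account, and switching a machine to the Classic model. It is not part of the Shavlik article or the Empower product. It assumes the "User Account Management" and "Logon" audit subcategories are enabled on the target, that you can read its Security log remotely, and that WinRM is enabled for the remediation step; the computer names are constructed placeholders.

```powershell
# Added example (not Shavlik code): find the source of Guest lockouts on a
# scanned machine from its own Security log, then optionally set the sharing
# model to Classic. Computer names are constructed placeholders.

function Get-GuestLockoutSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Days = 7
    )

    # 4740 = account locked out, 4625 = logon failure. Both are logged on the
    # machine that owns the local Guest account, not on a domain controller.
    $filter = @{ LogName = 'Security'; Id = 4740, 4625; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetUserName'] -ne 'Guest') { return }   # skip other accounts

            if ($_.Id -eq 4740) {
                # In 4740 the "Caller Computer Name" field is carried in TargetDomainName.
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = 4740
                    Source  = $data['TargetDomainName']
                    Detail  = 'Guest account locked out'
                }
            }
            else {
                # NTSTATUS codes seen when a local-account scan is mapped to Guest.
                $reason = switch ($data['Status']) {
                    '0xc0000072' { 'account disabled' }
                    '0xc0000234' { 'account locked out' }
                    '0xc000006d' { 'bad user name or password' }
                    default      { $data['Status'] }
                }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = 4625
                    Source  = "$($data['WorkstationName']) ($($data['IpAddress']))"
                    Detail  = "logon type $($data['LogonType']): $reason"
                }
            }
        }
}

function Set-ClassicSharingModel {
    # Sets "Network access: Sharing and security model for local accounts" to
    # Classic (ForceGuest = 0). If a GPO defines the option, the value will be
    # reverted at the next policy refresh, so change it in the GPO instead.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($c, 'Set ForceGuest = 0 (Classic)')) {
            Invoke-Command -ComputerName $c -ScriptBlock {
                Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                 -Name ForceGuest -Value 0 -Type DWord
            }
        }
    }
}

# Usage with constructed computer names:
Get-GuestLockoutSource -ComputerName 'SRV-FILE01' | Sort-Object Time | Format-Table -AutoSize
Set-ClassicSharingModel -ComputerName 'SRV-FILE01' -WhatIf   # remove -WhatIf to apply
```

    A Source column that consistently names the Sentinel host, with logon type 3 (network) and "account disabled" or "account locked out" as the reason, confirms the cause described earlier. Apply Set-ClassicSharingModel only where the trade-offs in the Microsoft reference are acceptable; otherwise use the domain patching account approach.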

     

    References

     

    (1) Network access: Sharing and security model for local accounts

    (2) Script Determine What Device is Locking Out an Active Directory User Account