This is the second in an ongoing series of posts on how libraries with limited resources can provide a reliable and safe public computing environment consistent with the tenets of Intellectual Freedom. If you missed the previous post on browser privacy, you may want to check that out first.
In this post, you’ll learn how to enable the guest account in Windows 7. Guest accounts are shared user accounts with significant restrictions on what they’re allowed to do. Most changes that you would want to retain control over require an administrative password (handled on a case-by-case basis). They’re not infallible, but we’ll work on securing them further in future posts.
By default, guest accounts are disabled in Win7. They’re also really easy to set up, so there’s truly no reason not to have one for your patrons. To enable a guest account, click on the Windows orb in the lower left corner.
Type guest account into the search box. Most of you should see the option “Turn guest account on or off” at the top of the menu. Click on this. You should now see the currently enabled user accounts for your machine as well as the Guest account, pictured as a world-weary suitcase.
Click on that little bugger and you’ll be presented with the option of turning the guest account on. Simply click the Turn On button. Voila! While we’re here, make sure that your Administrator account has a strong password. If it doesn’t, click on it to change it or all your work here will be for naught…
If you didn’t see “Turn guest account on or off” after the earlier search, do not despair! There’s another way forwards for your professional machine. Here’s what you’ll need to do: Click on the Windows orb. Enter local security policy into the search box. Click on it when it comes up (should be at the top of your list under Programs).
Now in the Local Security Policy window, you’ll need to select Local Policies > Security Options from the left pane.
In the right pane, look for the “Accounts: Guest account status” policy. Double click it and select Enabled. Now click OK.
Next go to Local Policies > User Rights Assignment in the left pane. Scroll down until you see “Deny log on locally.” If Guest is listed under Security Setting, double click on it.
Now select Guest and click Remove.
There’s one more setting you’ll want to check, and that’s also under Local Policies > User Rights Assignment. This time look for “Deny access to this computer from the network.”
If Guest is listed there, the Guest account won’t have internet access, which would probably make your patrons very unhappy, indeed. Double click on it and then remove Guest, just like you did above. Huzzah!
You can X out of the Local Security Policy window now.
Next, we’re going back to the Windows Orb. This time, search for edit local users. Select “Edit local users and groups” from the menu.
In this new window, select Users in the left pane and then double click on Guest in the right pane. Give Guest a Full Name (I recommend Guest, as it’s easy to remember).
Okay, so you’ve got a guest account enabled. That wasn’t too hard, was it? Now you should test to make sure it’s behaving properly. Switch Users so that you’re logged into the guest account and see what you can break. Check if you can change settings in the control panel or install a new program. Hopefully you’ll be prompted by UAC for an administrative password whenever you attempt anything potentially pernicious like this.
Note: you will still have to do some configuration and setup to get this account looking and behaving the way you want it to (shortcuts to a word processor, and whatnot). Don’t forget to configure the web browser(s) of your choice to protect your patrons’ privacy and comply with confidentiality laws like I showed you in the last article in this series!
While you’re messing around with the Guest, you’ll probably notice some soft spots where you’re able to do things you wouldn’t want patrons to do and you’ll also notice there’s some evidence left behind of past users’ activities. We’ll work to address these shortcomings in future installments.
Please leave any questions you might have in the comments!
UPDATE: It occurred to me that there’s one other important issue that should be addressed under Local Security Policy. Under Local Policies > User Rights Assignment, find the policy called “Deny log on through Remote Desktop Services.”
If the Security Setting doesn’t have Guest listed, you’ll want to set that. Do so by double clicking the policy name (Deny log on through Remote Desktop Services). This will open a new window for that policy. Click on Add User or Group. You’ll now see the following:
In the text box labeled “Enter the object names to select (examples):” type in Guest and then click Check Names. Your entry for Guest will be altered slightly (the short path name will be prepended). Finally, click OK (twice). You can now close out of the Local Security Policy window.
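To confirm that a machine ended up in the state these steps describe, the following read-only check exports the local policy with `secedit` and reports each setting touched above. It is an added example, not part of the original post; the scratch file name and the `Test-GuestListed` helper are hypothetical, and it assumes an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example: read-only audit of the settings changed in this post.
# Run from an elevated PowerShell prompt; secedit /export needs admin rights.
$cfg = Join-Path $env:TEMP 'guest-audit.inf'    # scratch file, name is arbitrary
secedit /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; is this prompt elevated?' }

# Flatten the exported INF into a key -> value table, then delete the export.
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') { $policy[$matches[1]] = $matches[2].Trim() }
}
Remove-Item $cfg

# Find the built-in Guest account by its RID (501) so a renamed account still matches.
$guest = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if (-not $guest) { throw 'could not find the built-in Guest account' }

# True when Guest appears in a comma-separated rights value, by name or as *SID.
function Test-GuestListed($value) {
    if (-not $value) { return $false }
    foreach ($entry in ($value -split ',')) {
        $e = ($entry.Trim() -split '\\')[-1]    # drop any MACHINE\ prefix
        if ($e -eq $guest.Name -or $e -eq ('*' + $guest.SID)) { return $true }
    }
    return $false
}

# Policy name as shown in Local Security Policy, its INF key, and whether the
# steps in this post leave Guest listed under it.
$checks = @(
    @{ Policy = 'Deny log on locally'; Key = 'SeDenyInteractiveLogonRight'; Want = $false },
    @{ Policy = 'Deny access to this computer from the network'; Key = 'SeDenyNetworkLogonRight'; Want = $false },
    @{ Policy = 'Deny log on through Remote Desktop Services'; Key = 'SeDenyRemoteInteractiveLogonRight'; Want = $true }
)

$enabled = ($policy['EnableGuestAccount'] -eq '1')
$rows = @(New-Object PSObject -Property @{ Policy = 'Accounts: Guest account status'
    Current = $(if ($enabled) { 'Enabled' } else { 'Disabled' }); MatchesPost = $enabled })
foreach ($c in $checks) {
    $listed = Test-GuestListed $policy[$c.Key]
    $rows += New-Object PSObject -Property @{ Policy = $c.Policy
        Current = $(if ($listed) { 'Guest listed' } else { 'Guest not listed' })
        MatchesPost = ($listed -eq $c.Want) }
}
$rows | Format-Table Policy, Current, MatchesPost -AutoSize
```

Any row showing `False` under MatchesPost points to the step above that still needs doing on that machine.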