
How to remediate – Windows NT FTP ‘guest’ Account Present

1. Introduction

The Windows NT FTP ‘guest’ account vulnerability allows unauthenticated access to a remote FTP server. This could allow attackers to upload, download, and modify files on affected systems. Systems running Windows NT with the default FTP service enabled are typically at risk. A successful exploit can compromise confidentiality, integrity, and availability of data stored on the server.

2. Technical Explanation

The vulnerability arises from a pre-configured ‘guest’ account that is often left active on Windows NT FTP servers. This account has minimal security restrictions and allows anonymous access. An attacker can connect to the FTP server without credentials and potentially gain control over files. CVE-1999-0546 details this issue.

  • Root cause: The default installation of Windows NT includes a ‘guest’ FTP account with insufficient access controls.
  • Exploit mechanism: An attacker connects to the FTP server anonymously and uses standard FTP commands to list, download, or upload files. For example, they could use an FTP client to connect as ‘anonymous’ with any password.
  • Scope: Windows NT operating systems running the default FTP service are affected.

3. Detection and Assessment

You can confirm a vulnerable system by checking for the presence of the ‘guest’ account. A thorough assessment involves attempting an anonymous login.

  • Quick checks: Run net user guest to check whether the account exists. If it exists, the command prints the account's properties, including an "Account active" line showing whether it is enabled; if it has been removed, the command reports that the account could not be found.
  • Scanning: Nessus plugin ID 20835 can detect this vulnerability. Other scanners may have similar checks.
  • Logs and evidence: Check FTP server logs for successful anonymous logins. Event IDs related to FTP authentication failures or successes should be reviewed.

net user guest

4. Solution / Remediation Steps

Disable the ‘guest’ FTP account to prevent unauthenticated access. Follow these steps carefully.

4.1 Preparation

  • Ensure you have administrative credentials for the server. Roll back by re-enabling the account if needed.
  • A change window may be required depending on your organisation’s policies and impact assessment.

4.2 Implementation

  1. Open Command Prompt as an administrator.
  2. Run the command net user guest /delete to remove the account.
  3. Restart the FTP service to apply the changes.

4.3 Config or Code Example

Before

net user guest

After

net user guest /delete

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue.

  • Practice 1: Least privilege reduces the impact of an exploited account. Limit access rights for all accounts, including default ones.
  • Practice 2: Safe defaults ensure services are configured securely out-of-the-box. Disable unnecessary features and accounts.

4.5 Automation (Optional)

A PowerShell script can automate the account deletion.

# Requires elevated privileges. "FTP" must match the service name of the FTP service on this host
# (confirm with Get-Service before running).
Stop-Service -Name "FTP" -Force
net user guest /delete
# net.exe reports failure only through its exit code (Windows refuses to delete built-in accounts, for example),
# so check it before bringing the service back up.
if ($LASTEXITCODE -ne 0) { Write-Error "net user guest /delete failed with exit code $LASTEXITCODE" }
Start-Service -Name "FTP"

5. Verification / Validation

Confirm the fix by checking that the ‘guest’ account no longer exists and attempting an anonymous login.

  • Post-fix check: Run net user guest again. The command should report “The system was unable to find the specified object.”
  • Re-test: Attempt to connect to the FTP server anonymously using an FTP client. The connection should be refused.
  • Smoke test: Verify that legitimate users can still access the FTP service with their credentials.
  • Monitoring: Monitor FTP logs for failed login attempts from anonymous sources.

net user guest
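The log checks in sections 3 and 5 above, as an added example that is not part of this article: a small Python parser for a W3C extended FTP log using IIS-style fields, run over constructed sample lines, that reports anonymous or guest logins that succeeded (status 230), those that were refused (530, the expected state after the fix), and what each successful anonymous session went on to do. The field order and the sample lines are assumptions, not output from a real server.

```python
import re
from collections import defaultdict
# Constructed sample in IIS-style W3C extended layout (assumed field order, not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2025-10-20 08:01:10 203.0.113.7 - 192.0.2.10 21 [1]USER anonymous 331
2025-10-20 08:01:11 203.0.113.7 anonymous 192.0.2.10 21 [1]PASS - 230
2025-10-20 08:01:15 203.0.113.7 anonymous 192.0.2.10 21 [1]sent /data/export.zip 226
2025-10-20 08:05:02 203.0.113.9 - 192.0.2.10 21 [2]USER guest 331
2025-10-20 08:05:03 203.0.113.9 guest 192.0.2.10 21 [2]PASS - 530
2025-10-20 08:10:40 198.51.100.4 - 192.0.2.10 21 [3]USER alice 331
2025-10-20 08:10:41 198.51.100.4 alice 192.0.2.10 21 [3]PASS - 230
"""

ANON_NAMES = {"anonymous", "guest", "ftp"}   # names that should never log in after the fix
_SESSION_RE = re.compile(r"^\[(\d+)\](.*)$")  # IIS prefixes each FTP command with a session id


def parse_w3c(text):
    """Yield one dict per record, naming columns from the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            yield dict(zip(fields, line.split()))


def anonymous_logins(text):
    """Classify PASS records by anonymous-style users and collect what successful sessions did."""
    successful, failed = [], []
    open_sessions = {}           # session id -> (client ip, user) once an anonymous login succeeded
    actions = defaultdict(list)  # session id -> (command, argument) pairs issued after that login
    for rec in parse_w3c(text):
        m = _SESSION_RE.match(rec.get("cs-method", ""))
        session, command = (m.group(1), m.group(2)) if m else (None, rec.get("cs-method", ""))
        user = rec.get("cs-username", "-").lower()
        if command.upper() == "PASS" and user in ANON_NAMES:
            entry = (rec["c-ip"], user)
            if rec.get("sc-status") == "230":   # 230 = FTP "User logged in"
                successful.append(entry)
                open_sessions[session] = entry
            else:                                # 530 = login refused, the expected state post-fix
                failed.append(entry)
        elif session in open_sessions:
            actions[session].append((command, rec.get("cs-uri-stem", "-")))
    return {"successful": successful, "failed": failed,
            "actions": {open_sessions[s]: cmds for s, cmds in actions.items()}}
```

Any entry under "successful" after remediation means the account is still usable and the fix has not taken effect; entries under "failed" are the refused attempts section 5 asks you to monitor.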

6. Preventive Measures and Monitoring

Update security baselines and implement regular patch cycles to prevent similar issues.

  • Baselines: Update your Windows NT security baseline to include disabling the ‘guest’ account. Consider using CIS controls as a reference.
  • Pipelines: Implement configuration management tools to enforce secure settings across all servers.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Applications relying on anonymous FTP will be disrupted. Mitigate by identifying and reconfiguring these applications.
  • Roll back: Open Command Prompt as an administrator, run net user guest /add to recreate the account, then restart the FTP service.

8. References and Resources

Refer to official advisories for detailed information.

Updated on October 26, 2025
