As stated by Microsoft, the guest account is a default account with limited access to the computers of the domain (or to the local computer) and is disabled by default. Its password is left blank by default, so the account can be used without entering a password. Enabling the guest account exposes the network to unauthorized access to its resources, which facilitates reconnaissance, often the initial phase of an attack. Disabling the guest account also improves traceability: when individuals use a shared account, their actions are obscured, which complicates tracking and understanding user activity.
Tenable recommends keeping the guest account disabled to prevent anonymous access to the domain, which reduces the attack surface. You can disable the guest account in the following ways:
Using a graphical user interface (GUI):
1. Navigate to CN=Users, DC=<domain>, DC=. If you moved the account, navigate to the new location.
2. Right-click the Guest account. If you renamed it, right-click on the new name.

Using PowerShell, run the following command:
Disable-ADAccount -Identity "$((Get-ADDomain).DomainSID.Value)-501"
Note: If the guest account re-enables itself automatically, check for a Group Policy Object (GPO) with the security policy setting Accounts: Guest account status. If this GPO exists, set it to Disable. This Indicator of Exposure checks only for the account status and not the GPO parameter.
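The following PowerShell script is an added example (not Tenable's code) that audits the state this indicator describes and covers the GPO caveat the indicator itself does not check. It locates the guest account by its well-known RID 501 so a renamed or moved account is still found, reports whether it is enabled, disables it with -WhatIf for review, and then scans every GPO for the "Accounts: Guest account status" setting. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined administrative host, and it assumes the GPO XML report names the setting by its security-template key EnableGuestAccount; the regular expression that reads the setting's value is also an assumption about the report layout.

```powershell
# Added audit script (not part of the Tenable page). Assumes the RSAT
# ActiveDirectory and GroupPolicy modules and a domain-joined admin host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
# The guest account always carries RID 501, so look it up by SID rather than
# by name: renaming or moving the account does not change its SID.
$guestSid = "$($domain.DomainSID.Value)-501"
$guest = Get-ADUser -Identity $guestSid -Properties Enabled, LastLogonDate, whenChanged

[PSCustomObject]@{
    SamAccountName    = $guest.SamAccountName
    Renamed           = ($guest.SamAccountName -ne 'Guest')
    DistinguishedName = $guest.DistinguishedName
    Enabled           = $guest.Enabled
    LastLogonDate     = $guest.LastLogonDate
    WhenChanged       = $guest.whenChanged
} | Format-List

if ($guest.Enabled) {
    Write-Warning "Guest account '$($guest.SamAccountName)' is enabled; disabling it."
    # Remove -WhatIf once the output above has been reviewed.
    Disable-ADAccount -Identity $guestSid -WhatIf
}

# The indicator checks only the account status. A GPO that sets
# "Accounts: Guest account status" to Enabled re-enables the account at the
# next policy refresh, so list every GPO that carries the setting.
# Assumption: the XML report stores the setting under its security-template
# key EnableGuestAccount followed by a SettingBoolean element.
$pattern = 'EnableGuestAccount[\s\S]{0,300}?SettingBoolean>(true|false)'
$findings = foreach ($gpo in Get-GPO -All) {
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($report -match $pattern) {
        [PSCustomObject]@{
            GpoName     = $gpo.DisplayName
            GpoId       = $gpo.Id
            GuestStatus = if ($Matches[1] -eq 'true') { 'Enabled' } else { 'Disabled' }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Where-Object GuestStatus -eq 'Enabled' | ForEach-Object {
        Write-Warning "GPO '$($_.GpoName)' sets the guest account status to Enabled; set it to Disable."
    }
} else {
    Write-Output 'No GPO defines "Accounts: Guest account status".'
}
```

Run the script from an elevated PowerShell session with rights to read the domain and all GPOs. Keep the Disable-ADAccount call under -WhatIf until the reported account and any GPO findings have been reviewed, since a GPO that still sets the status to Enabled will undo a manual disable at the next refresh.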
Name: Enabled Guest Account
Codename: GUEST-ACCOUNT-ENABLED
Severity: Low