Improve your Mac's security by running a Standard account

While by default the first account in OS X is an administrator account, running day-to-day operations with this account has an increased security risk.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
3 min read

When you install and set up OS X for the first time, the account created will be an administrator account. This is an easy way to allow people to access every aspect of their systems, and perform functions like changing system settings and installing applications if needed. While administrative functions still require a password even when you're logged in as administrator, running in an administrator account does pose more of a security risk than running in an standard account.

As basic directory entries, accounts in OS X are all the same regardless of whether they are admins, guests, managed users, system users, or standard users. The difference in these accounts lies not in attributes of the accounts, but rather in the groups they belong to. It is the different groups in OS X that are given access to various system resources, and account restrictions are based on group memberships. This setup is where much of the security in OS X lies.

If an administrator account's password is compromised and a hacker is able to use these credentials to either directly access the system or run programs remotely, then that hacker can access all files on the system, including core system files and files in other users' accounts. On the other hand, if a standard user account is compromised then malicious activity will be limited to the resources that account can access, so system settings and other user accounts will not be harmed.

Keep in mind that OS X is a fairly secure OS overall and it is highly unlikely that your account will be compromised without direct user interaction, but you can always make mistakes and authorize malware or make your passwords known to people with bad intentions. Doing what you can to increase the security of your system will help, and one way is to run your day-to-day activities in a standard user account.

On a new system you can easily create a new standard account in the Accounts system preferences pane. However, if you migrate from a previous system or have been running your current system for a while, then you may have already established your work flow in an administrator account. Despite this, it is relatively easy to switch your account to being a standard account and create a new administrator account to use for installing applications, changing system preferences, and otherwise administering the system.

  1. Go to the Accounts system preferences.

  2. Create a new Admin account (you may need to click the lock first to unlock the panel).

  3. Log out of your current account and log into the new Admin account.

  4. Go to the Accounts system preferences in the new account.

  5. Select your old account in the Accounts list (you may need to authenticate again).

  6. Uncheck the option "Allow user to administer this computer."

At this point the old account will no longer be a member of the administrator group, and therefore will not be able to make changes to the system. Nevertheless, you will not have to log out and log in to the new admin account in order to make changes to the system. Instead, go ahead and administer the system from your new Standard user account as you normally would, but instead of providing your current account's password when making changes, just provide the username and password for the new user account.

As a final note, OS X's security is not perfect, and Apple and independent security testers are continually uncovering and patching vulnerabilities in OS X. These vulnerabilities are usually kept relatively secret until a software patch is made available to fix them; however, once such a patch is available then more people will know about the flaws. Therefore, be sure to update your system with the latest OS version and security updates if possible to fix security problems as they arise.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.