Best security practices advise that user accounts run according to the least privilege required, which would virtually erase the ability for standard users to manage systems on their own. While this increases the workload exponentially for IT, standardization can be implemented, and that is increasingly important.
One common practice is the implementation of a local user account with admin rights used to continue management of a device in the event that the trust relationship is severed or directory authentication is otherwise unavailable. The provisional account is typically used only to manage the device in times of absolute necessity in lieu of formatting the machine.
While it is common practice on a Windows domain to rename and disable a local admin account, Macs will (by default) require at least one local admin account to be created and present in order for the system to function properly.
With the recent release of OS X El Capitan, Apple has added functionality to further secure OS X, especially during the deployment phase by fully pre-configuring the administrator account and keeping it hidden from all other users that log on to a system. This is a nice security benefit, as the account is kept from users' prying eyes, while still allowing IT the flexibility of having a local account to manage devices, if needed.
But what if you're not running El Capitan? The feature is available as a terminal command within OS X Yosemite and later. It can be executed by following the steps below.
1. Create a new user account and assign it admin rights.
2. Launch Terminal.app and enter the following command:
sudo dscl . /Users/HIDDEN_USERNAME IsHidden 1
In essence, the command will hide the local admin account from the logon screen and from the User preferences. While the admin account is "hidden" from common view, the home folder and public folder share point will still be visible to all users who navigate to the /Users folder.
To remedy these issues and redirect the home folder to another hidden directory, enter the following command:
sudo mv /Users/HIDDEN_USERNAME /var/HIDDEN_USERNAME
To update the home folder user record with the new home path, enter the following command:
sudo dscl . -create /Users/HIDDEN_USERNAME NFSHomeDirectory /var/HIDDEN_USERNAME
To delete the public folder share point for the hidden admin account, enter the following command:
sudo dscl . -delete "/SharePoints/HIDDEN_USERNAME Public Folder"
A new, hidden administrator account will be created in OS X with a home folder that's redirected to a hidden directory. The public folder share point for that account will be deleted.
This isn't a clear-cut solution to protecting a local admin account from becoming compromised, though it does serve as a layer of protection, which when combined with other established best security practices, will strengthen the security of the admin account used to manage Macs on your network.
- How to fix five known issues affecting OS X El Capitan
- Apple OS X zero-day flaw hands over root access without system passwords (ZDNet)
- Researcher unveils new privilege vulnerability in Apple's Mac OS X (ZDNet)
- How to quickly restore a missing admin account in OS X (CNET)
- How to switch to a standard user account in OS X (CNET)
Note: TechRepublic, ZDNet, and CNET are CBS Interactive properties.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.