How To

Mac Security Tip: Use a Standard User Account

Posted on June 14th, 2011 by

When you first start up a new Mac, the Mac OS X setup assistant asks you for your name, a user name and a password, and uses this information to set up your first user account. Since there has to be at least one user with administrative rights on your Mac, that first account is an administrator account. While this is useful - you can install software, and perform other actions, after entering your password - it can also be risky.

First, let's look at the two main types of user accounts. Administrators can, as we mentioned above, install any software, even if it requires an administrator's password. They can access secure System Preferences; the ones with padlock icons. They can change permissions to files and folders (select an item, press Command-I, click the padlock at the bottom of the window, enter a password, then make changes to the Sharing & Permissions section). They can also perform other tasks, such as install fonts for all users, access external disks on Macs where they have accounts, create folders in locations other than in their home folder, run certain utilities that are off-limits to standard users, and use the sudo command in the Terminal application to access or make changes to any files, or to run certain commands limited to administrators.

However, there are risks to using an administrator account. An administrator may make mistakes; since they can change or delete any file, they may do so, accidentally. They can also install any software, which may be a risk, if the software is malicious.

Standard users, on the other hand, have limited access rights on a Mac. They can use, change and create files in their home folder, access folders on shared volumes if the permissions allow it, change settings to non-secure preferences in System Preferences, and install some software (if it doesn't need to install items in the System or Library folders).

So while standard accounts are more limited, it can be useful to use a standard account, just to be safe, in daily work.

Assuming you set up a first administrator's account with the name Alice, you can set up a second, standard account, with the name Alice2, or any other name. Log into that second account, and use it for your everyday activities, and to store your personal files. Whenever an administrator's password is required, type Alice as the user name, and the appropriate password. While this will lead to some more password requests than if you were working under an administrator's account, each of these requests should raise a red flag and make you think whether you should be entering your password. For if malware gets onto your Mac, it may need such a password to install itself (as we have seen with the different variants of the MacDefender fake antivirus).

While using a standard account is not thorough protection from malware - only a fully-featured malware and network protection program, such as Intego VirusBarrier X6 will provide the protection you need - it is protection from some types of malware, and can provide a warning that something is going on. It can also prevent you from blundering by deleting files that you didn't mean to erase. So using two accounts is a tiny bit of hassle that is worth trying out to save you from potential problems.

  • Jeanne Shaw

    I found this to be a very useful advice but unfortunately I read it after my admin account was compromised. Now I daily use my standard account. Would like to not have my Apple ID on both accounts though and keep the admin account totally separate…any ideas on that?

    • Mike

      Log in to the admin account and then log out of iCloud and iTunes

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}