Dedicated user account for extra-security

[Georgh]

Hi, this is my first post in this forum and it is related to security on MacOS.

In MacOS, how well user account are separated ? Is it commun for MacOS malware to be able to read data or install malicious software on an other user account on the same computer ?

I am wondering if creating a dedicated user account for sensitive stuff, like online banking or offline-password management, would provide any real advantage. Softwares and browsers extensions installed in this user account would be limited to the minimum.

My question arose after the new Big Sur feature allowing fast user switching.

Thank you very much for your highlights.

 

[avkills]

Not sure about the Malware, but the user account system is pretty much like unix systems. I used to do this; mostly because I wanted to be able to store my user info separate from the OS. I stopped doing it a while back because of all the Nanny stuff needed to get software to work right; you pretty much need to be an admin.

 

[Fishrrman]

My opinion?
Not worth the trouble.
Probably few (or no) benefits at all.

 

[chown33]

Fast user switching isn't a new feature. It's been there since 10.2 Panther in 2003:

Mac OS X Panther - Wikipedia

en.wikipedia.org

Some aspects have been revised over the years, but the feature has been there for almost 2 decades.

 

[Red Menace]

Admin for administrative and Standard for individual use is the way it is supposed to work (even for single user systems). This provides separation for stuff like mail, documents, application preferences, etc, that don’t have anything to do with system administration.

Other standard users don’t have access to your account, and any malware (or bugs) will only have the same access as the user running it. Administrative stuff can still be done from a standard account, you just need the admin name and password when prompted. Anything that requires admin access to run better have a good reason.

 

[avkills]

Admin for administrative and Standard for individual use is the way it is supposed to work (even for single user systems). This provides separation for stuff like mail, documents, application preferences, etc, that don’t have anything to do with system administration.

Other standard users don’t have access to your account, and any malware (or bugs) will only have the same access as the user running it. Administrative stuff can still be done from a standard account, you just need the admin name and password when prompted. Anything that requires admin access to run better have a good reason.

Several OS versions ago I might agree with you; but in the current state of OS X I do not. I should not need to give applications I installed permission to access my hard drive and other hardware associated with my computer. Perhaps a better way would have been given a choice during installation on whether you wanted this level of paranoid control or security or whatever you want to call it.

 

[svenmany]

It would be awkward for me to have two accounts, one for administrative work and one for daily work. The reason is that I have so much content in the cloud - iCloud, Dropbox, and OneDrive. If I wanted access to some overlapping content then I'd have tons of duplication of files on my disk.

I'm not sure that logging in as an admin user automatically gives a dangerous level of permissions since I'm still often prompted for credentials to gain elevated security access. But, certainly there are more limitations when logging in as a non-admin user. For example, my wife's computer can never successfully apply automatic software updates. That's actually quite a nuisance.

 

[KaliYoni]

I am wondering if creating a dedicated user account for sensitive stuff, like online banking or offline-password management, would provide any real advantage.

Compartmentalization is a good security practice in most cases. None of us here so far, obviously, know how confidential or mission-critical the "sensitive stuff" on your computer is. But a way to think about what you should do is to compare the pain you would feel using a separate workflow for certain tasks to the pain that would come from discovering and having to neutralize a successful attack on your information. If potentially losing control of your data is less of a concern than losing some time whenever you initiate a certain activity, it could make sense to not make any changes to your configuration.

Personally, I use a slightly different setup than the one you're thinking about. First, my main user account is non-Admin. I only login to the Admin account to do installations, troubleshooting, and maintenance. Second, I have a multiple browser setup. I use Firefox with a full set of security and privacy add-ons for most browsing. I use an essentially stock version of Safari with a very small set of trusted, frequently used websites.

 

[Fishrrman]

I've always used "administrative" accounts for OS X, since I first started using it back around 2004 or so.

This is with multiple Macs.
Never had a problem, ever.

 

[Georgh]

Thank you all very much for the quality of your replies. The setup with different web browsers are extremely interesting. I might go with just this and using a non-admin user account for the day-to-day basis.
Let me know if you have any more thought about this.
Love this forum!

 

[killawat]

Make sure to use little snitch. It is the first application I install on a fresh OS.

 

[Georgh]

Make sure to use little snitch. It is the first application I install on a fresh OS.

Very expensive.. I use LuLu from https://objective-see.com/products/lulu.html

 

[Sausage.Biscuit]

Compartmentalization is a good security practice in most cases. None of us here so far, obviously, know how confidential or mission-critical the "sensitive stuff" on your computer is. But a way to think about what you should do is to compare the pain you would feel using a separate workflow for certain tasks to the pain that would come from discovering and having to neutralize a successful attack on your information. If potentially losing control of your data is less of a concern than losing some time whenever you initiate a certain activity, it could make sense to not make any changes to your configuration.

Personally, I use a slightly different setup than the one you're thinking about. First, my main user account is non-Admin. I only login to the Admin account to do installations, troubleshooting, and maintenance. Second, I have a multiple browser setup. I use Firefox with a full set of security and privacy add-ons for most browsing. I use an essentially stock version of Safari with a very small set of trusted, frequently used websites.

Same for me. I've used OS X since '04, I have always used a Standard account. Sure there are times when I need to input an admin password to change a setting, but it's not a big deal. I don't need admin powers 99% of the time. I also use multiple browsers.

 

[svenmany]

I really don't understand this topic. When I'm logged in as an admin user, I'm often prompted to type in my credentials to get things done. It's almost as if:

1 - I'm not running at an elevated permission level even though I'm logged in as an admin user.

2 - Setting a user to be an admin user just means that those credentials may be used when prompted for admin credentials.

But, I know this is not true. Certainly there are certain things that are just allowed when running as an admin user that aren't allowed when running as a standard user. For example, dragging a file into the Applications folder is allowed without extra authentication when running as an admin user.

But, dragging a file is a very intentional thing. Certainly, if I wanted to do that and entered credentials to get it done, then that is just as dangerous as already being an admin user and doing it. One might argue that forcing you to enter credentials to do something intentional forces you to think carefully before doing it. I'm not convinced that's much of a benefit; very few people are equipped to seriously understand the risks of most things.

So, not being an admin user, at best, offers protection against things happening which we aren't aware of. What are those things? Are we sure that those same things wouldn't require an admin user to retype their credentials?