Mac Security - Standard User Accounts vs Administrator

By Chad Calease | March 11, 2021
Chad is the cyber resilience lead at Ntiva, focused on eliminating preventable risk and loss to businesses from cybercrime.

Cybersecurity is top of mind for every organization, including those who are Mac-based. Learn how you can reduce security risks on Macs by managing the two different types of user accounts, Standard User and Administrator!

Why You Should Not Run Your Mac As An Administrator 

Let's start with a good analogy - money.

There's a reason we don't carry all the money we have around with us all the time. We carry a few bucks, maybe, just what we need.

Carrying it all would put us at more risk than we're comfortable with.

We still have access to the rest of it when we need it but because there's too much at stake, we simply do not carry it all at once. Besides, there's really no need.

This is true about how we use MacOS Big Sur, too.

There really is no need for any of us to use all the administrative powers that a Mac offers all the time.

Sure, we Mac users might need to use the administrator role sometimes to install software and make sure apps can access what they need, or make a significant change to a system file every now and then.

But being an administrator on our Apple devices all the time is like carrying all of our money around with us.

In this post, I'm going to illustrate why I use my Mac as a Standard User and why it's a great layer of protection we can put to use right away against malware, ransomware, and other exploits that count on us being Administrator users.

I'm going to demonstrate why minimizing the times we use this power can exponentially reduce our risks to some very nasty stuff, as well as plain old human errors (yes, I still make those, too!).


The Principle of Least Privilege

In technical cultures, there's a wise practice known as the Principle of Least Privilege.

What this means is that programmers and other technical folks don't ever grant themselves more permissions than absolutely needed to get their work done.

People who work with critical systems know very well that we're all human and we all make mistakes eventually.

Making mistakes as a root or administrative user (the highest privilege of all) is unwise because often enough those mistakes cannot be undone.

Limiting their power to damage those systems, even on accident, is a very good thing.

We might propose that the Macs we work on day-to-day are critical systems, too. Without them we wouldn't be able to do our jobs or even earn a living.

If that's true, then we might ask: why are so many of us still using Administrator accounts when we know that the vast majority of data breaches start with privilege abuse?

The answer? It's just a habit, but it's a habit that we can change for the better!


Mac Security Ransomware

Malware Likes Mac Administrator Accounts 

We know that more than 90% of malware is delivered via email.

Once we've clicked on something we shouldn't, the malware is inside our Macs, which means attackers have the same privileges of the account we used to click on the malicious link.

If I'm using an Administrator account when I click on something nasty, the criminal can use my Administrator account to steal information, infect other Macs, and anything else they choose because they have full, unlimited power to do so.

If I was logged into my Mac using a Standard User account, the damage a successful attacker can do is exponentially limited in contrast.

Because so many organizations still permit people to have administrator accounts on their Macs, you can imagine why criminals love this.

We should ask our organizations to protect us (and them) by putting a better strategy in place.


How To Protect Privileged Access on a Mac

Here at Ntiva, we've developed a solution, one I use myself every day.

I'm a Standard User, which means I have no Administrator privileges on my Mac.

When I need to, which isn't very often, I can invoke a "Grant me Admin Access" script that elevates my privileges only temporarily so I can install a critical security update, for example, or make a change that requires it.

Once I've completed my task, I return to my much-more-comfortable Standard User account.

Conversely, we've also developed a "Standardize My Account" script that does the opposite.

This one demotes me from an Administrator to a Standard User, limiting my power and thereby the risk of a bad actor using my elevated privileges to do their bidding without my knowledge.

I may be the Cyber Resilience Lead but I'm still human, which means I still make mistakes just like anyone else who may or may not have a ton of fluency in technology.

Limiting the potential damage I can do, even unintentionally, reduces my stress level significantly and gives me some welcome peace-of-mind.

I don't know about you but these days I'll take as much of that as I can get.


Ready to learn more about protecting your Mac and managing and securing your Apple environment? See how Ntiva is one of the few MSPs who fully support both pure Apple and hybrid Apple/Windows environments. 


Apple MSP


Tags: Apple