Setting up user accounts standard vs admin security-wise

[GenlyAi]

Hi,
I recently purchase a Mac Air and is trying to learn the system. To give you bit of background. Comings from the Unix and Windows world, it's generally a good idea to create an admin account to handle software installation, but do not grant admin rights to any of the user accounts. This may seemed a bit troublesome because you would need to login to the admin account to install, but for security, this prevents say malware that took over your account from taking over your machine. Is it best practice to have separate admin and user accounts?

 

[GenlyAi]

OK,
It appears that one of the hardening technique would be to create a separate account for admin related task while leaving user account standard accounts, so it appears that this would actually be a good idea. If malware were to infect the mac, they would (unless they have some sort of permission elevating hack) limited to the the user account.

 

[maw_walker]

I read your post and actually just did this. I created a separate admin user and demoted my normal user to “standard”. No ill effects so far. Agree this is a more secure set up than having a standard user as an admin but I am not a Mac security expert. I liken this to sudo on Linux but I don’t know what happens when elevated privileges are requested when a “standard” user is logged in.

 

[GenlyAi]

I done more research. Apple does recommend in its security guide to do the standard account thing. The question is how does Apple security works?

On Windows, an admin account actually have more rights than a standard account. The admin accounts actually starts with elevated rights, and the UAC prompt you get act as a sort of gatekeeper to verify that this is what you want to do. If you use a standard account on windows, it can't be elevated. Instead the UAC prompt requires you to login as an account with admin rights.

On linux, accounts do not have elevated rights (or should not be setup with elevated rights) by default. If your account is in the sudo group, it can be elevated if you grant the elevation through sudo. One way to look at the difference is that window is preventing access from a elevated account while linux is elevating access from a non-elevated account.

I am thinking that Mac OS probably follow the windows model more. Their admin accounts probably have elevated rights.

One example of this attack is some years ago I acquire a trojan in Windows. My account was running as standard. After detection (the trojan attempted elevation), I log out and login as admin. The trojan did not make it to the rest of the system because it can only affect my standard account. I was able to then run Malwarebyte using my admin account and wiped out the trojan.