5.17 Disable Fast User Switching

Information

Fast user switching allows a person to quickly log in to the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit login access many valid users can login to other user's assigned computers.

Rationale:

Fast user switching allows multiple users to run applications simultaneously at console. There can be information disclosed about processes running under a different user. Without a specific configuration to save data and log out users can have unsaved data running in a background session that is not obvious.

Impact:

Where support staff visit users computers consoles they will not be able to log in to their own session if there is an active and locked session.

Solution

In System Preferences: Accounts, Login Options, make sure the 'Enable fast user switching' checkbox is off.

Additional Information:

macOS is a multi-user operating system, and there are other similar methods that might provide the same kind of risk. The Remote Login service that can be turned on in the Sharing System Preferences pane is another.

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-10

Plugin: Unix

Control ID: 8e19cf9f02b0fb1c5b9ff7ba12bbde4e667d20ec94d45c07c892b175d2718c92