6.1.3 Disable guest account login

Information

The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out.

Rationale:

Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.

Solution

Perform the following to implement the prescribed state:

1. Open System Preferences
2. Select Users & Groups
3. Select Guest User
4. Uncheck Allow guests to log in to this computer

Alternatively:

1. Run the following command in Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO

See Also

https://workbench.cisecurity.org/files/2105

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: Unix

Control ID: 99316c5ed316eecff7e0c84c53f15b54bc07a6de0784c1e9bf134c4f84d901bb