5.10 Ensure Fast User Switching Is Disabled

Information

Fast user switching allows a person to quickly log into the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit login access, many valid users can login to other user's assigned computers.

Rationale:

Fast user switching allows multiple users to run applications simultaneously at console. There can be information disclosed about processes running under a different user. Without a specific configuration to save data and log out, users can have unsaved data running in a background session that is not obvious.

Impact:

When support staff visits a user's computer console, they will not be able to log into their own session if there is an active and locked session.

Solution

Perform the following to disable fast user switching:
Graphical Method:

Open System Preferences

Select Users & Groups

Select Login Options

Uncheck 'Show fast user switching menu as...'

Terminal Method:
Run the following command to turn fast user switching off:

$ sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool false

Profile Method:

Create or edit a configuration profile with the PayloadType of .GlobalPreferences

Add the key MultipleSessionEnabled

Set the key to </false>

See Also

https://workbench.cisecurity.org/files/4000