5.7 Ensure an Administrator Account Cannot Log In to Another User's Active and Locked Session

Information

macOS has a privilege that can be granted to any user that will allow that user to unlock an active user's sessions.

Rationale:

Disabling the administrator's and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information.

Impact:

While Fast user switching is a workaround for some lab environments, especially where there is even less of an expectation of privacy, this setting change may impact some maintenance workflows.

Solution

Terminal Method:
Run the following command to disable a user logging into another user's active and/or locked session:

$ /usr/bin/sudo /usr/bin/security authorizationdb write system.login.screensaver use-login-window-ui

YES (0)

See Also

https://workbench.cisecurity.org/benchmarks/14563