2.12.1 Ensure Guest Account Is Disabled

Information

The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes and cannot remotely login to the system. All files, caches, and passwords created by the guest user are deleted upon logging out.

Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.

Solution

Graphical Method:

Perform the following steps to disable guest account availability:

- Open System Settings
- Select Users & Groups
- Select the i next to the Guest User
- Set Allow guests to log in to this computer to disabled

Terminal Method:

Run the following command to disable the guest account:

% /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool false

Profile Method:

Create or edit a configuration profile with the following information:

- The PayloadType string is com.apple.MCX
- The key to include is DisableGuestAccount
- The key must be set to <true/>
- The key to include is EnableGuestAccount
- The key must be set to <false/>

Impact:

A guest user can use that access to find out additional information about the system and might be able to use privilege escalation vulnerabilities to establish greater access.

See Also

https://workbench.cisecurity.org/benchmarks/18634

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-1, 800-53|AC-2, 800-53|AC-2(1), 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: ba78ebbc87fa6a4212bb263d7c49f7560d1116ea553064100c7b0e5e9f93aa5e