Administrator guide: how to obtain or prevent access to OS X (1)

Administrator guide: how to obtain or prevent access to OS X (1)

Working as a system administrator is sometimes not an easy task. Because many devices, networks, and users need to be managed, it is easy to get exhausted. Therefore, a certain configuration is not ignored, but is protected too strictly.

Obtain administrator access to OS X

However, either of these extremes inevitably leads to one of the two scenarios: Once a loophole is drilled down, unauthorized users will be granted higher permissions; or the environment is too secure, and even the IT department loses its unrestricted access.

IT is ironic that, in the early stages of my IT career, when I was studying Group policies or Apple's Server Admin Tools, I met this scene several times. The lesson I learned is that you must understand how to solve a technology most clearly.

The three methods described in this article can be used not only to regain access to the administrator account, but also to learn how to prevent others from attempting to do the same.

1. restore partitions

How does it happen?

This process is very simple. From the power-off status, enable Mac power, and press the [Option] key before Apple's clock. Hold down this key until the Startup Manager is mounted. Next, select recover Partition ). Start to restore the partition, select Utilities (utility) | Terminal (Terminal ). Enter the "resetpassword" command (note that there are no double quotation marks) and press enter to bring up the password reset utility. Then, select the drive that contains the account you want to reset and select a user from the drop-down menu. Specify a new password for the account, confirm the password, and click Save. Restart the computer. Once OS X is loaded, you only need to enter the account name and the password you just reset to obtain management access.

Who can perform this operation?

The reset method can be executed by anyone who actually contacts the node.

How can this operation be prevented?

Fortunately, there are two ways to prevent this operation. First, enable Firmware Password, which can also be enabled by restoring Utilities (Utility) in the partition | Firmware Password Utility (Utility for Firmware Password, it sets an EFI boot password to prevent user boot from entering any device except the default boot drive.

Second, enable FileVault 2, which is Apple's full-disk encryption function, which can protect the password from the same password reset routine as the non-encrypted account, because FV2 processes the password reset method independently of the operating system. This means that, although the user may change the password of the Administrator account, authentication may be handled differently in FV2, the user will first need to use the previous password (he/she does not know the password) to authenticate the identity, the authentication is passed before obtaining system access.