Administrator guide: how to regain or prevent administrator access to OS X
Working as a system administrator is not always easy. With so many devices, networks, and users to manage, it is easy to burn out, and as a result a given configuration ends up either neglected or locked down too tightly.
Obtain administrator access to OS X
Either of these extremes inevitably leads to one of two outcomes: once a loophole is found, unauthorized users gain elevated privileges; or the environment is so locked down that even the IT department loses its unrestricted access.
It is ironic that, early in my IT career, while I was learning Group Policy or Apple's Server Admin Tools, I ran into this situation several times. The lesson I learned is that you must understand a technology as clearly as possible in order to work around it.
The three methods described in this article can be used not only to regain access to an administrator account, but also to learn how to prevent others from doing the same.
1. Recovery partition
How does it happen?
The process is straightforward. With the Mac powered off, turn it on and press the [Option] key before the Apple logo appears. Hold the key until the Startup Manager loads. Next, select Recovery Partition. Once the machine boots into the recovery partition, choose Utilities | Terminal. Enter the resetpassword command (with no quotation marks) and press Enter to bring up the Password Reset utility. Then select the drive containing the account you want to reset and choose a user from the drop-down menu. Enter a new password for the account, confirm it, and click Save. Restart the computer. Once OS X loads, simply enter the account name and the password you just reset to obtain administrative access.
Who can perform this operation?
This reset can be performed by anyone with physical access to the machine.
How can this operation be prevented?
Fortunately, there are two ways to prevent it. First, enable a firmware password, which can also be done from the recovery partition via Utilities | Firmware Password Utility. This sets an EFI boot password that prevents users from booting from anything other than the default startup disk.
Second, enable FileVault 2, Apple's full-disk encryption. It protects against the same password reset routine that works on an unencrypted account, because FV2 handles authentication independently of the operating system. This means that even if a user changes the administrator account's password, FV2 still authenticates separately: the user must first authenticate with the previous password (which he or she does not know) before gaining access to the system.
2. Single user mode
How does it happen?
When booting the Mac from a powered-off state, press [Command] + [S] before the Apple logo appears; this boots the computer into single user mode (SUM).
SUM is a tool to help IT staff and developers troubleshoot problems affecting OS X, especially boot-related ones. It has another advantage (or disadvantage): it starts with root access (the superuser), which allows commands to be run at the administrator level. The machine boots straight into SUM without prompting for login credentials.
Running the following commands resets the Apple Setup environment to its factory state, prompting the computer to run the setup process again on the next restart. Going through setup again also means a new administrator account is created, which compromises system security.
mount -uw /                      # remount the root filesystem read-write
rm /var/db/.AppleSetupDone       # remove the marker that records that Setup Assistant has run
shutdown -h now                  # halt; Setup Assistant runs again on the next boot
Who can perform this operation?
As with the recovery partition, this reset can be performed by anyone with physical access to the machine.
How can this operation be prevented?
Similarly, setting a firmware password ensures that anyone trying to gain access must provide the firmware password before they can see the Startup Manager or enter SUM.
FileVault 2 still allows access to SUM, but the user must first authenticate through the FV2 login window.
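As an added example (not part of the original article), the following shell script turns the two controls recommended for the recovery partition and single user mode resets into an audit check. It reads the output of two Apple tools, fdesetup status and firmwarepasswd -check (firmwarepasswd ships with OS X 10.10 and later and needs root); the output strings it matches and the exposure labels are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: classify a Mac's exposure to the two
# physical-access resets above (recovery partition and single user mode) from
# the output of two Apple command-line tools:
#   fdesetup status            -> "FileVault is On." or "FileVault is Off."
#   sudo firmwarepasswd -check -> "Password Enabled: Yes" or "Password Enabled: No"
# filevault_state <fdesetup output>: prints "on" or "off".
filevault_state() {
    case "$1" in
        *"FileVault is On"*) echo on ;;
        *) echo off ;;
    esac
}

# firmware_password_state <firmwarepasswd output>: prints "on" or "off".
firmware_password_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *) echo off ;;
    esac
}

# exposure <fdesetup output> <firmwarepasswd output>
# Prints one word describing what someone at the keyboard without a valid password can achieve:
#   open     - Startup Manager and SUM reachable; the resetpassword and
#              .AppleSetupDone resets work and grant administrative access
#   gated    - Recovery/SUM still reachable, but FV2 demands the old password
#              before the OS (or the reset account) can be used
#   fw-only  - firmware password hides the Startup Manager and blocks SUM,
#              but the disk itself is not encrypted
#   blocked  - both controls present
exposure() {
    fv=$(filevault_state "$1")
    fw=$(firmware_password_state "$2")
    case "$fv-$fw" in
        on-on)  echo blocked ;;
        on-off) echo gated ;;
        off-on) echo fw-only ;;
        *)      echo open ;;
    esac
}

# On a Mac, audit the live system (firmwarepasswd needs root); elsewhere run
# against constructed sample output so the script can be exercised offline.
if [ "$(uname)" = Darwin ]; then
    exposure "$(fdesetup status 2>/dev/null)" "$(firmwarepasswd -check 2>/dev/null)"
else
    exposure "FileVault is Off." "Password Enabled: No"
fi
```

Any result other than "blocked" means at least one of the two resets described above is still available to someone with physical access.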
3. Apple ID
How does it happen?
Open the Users & Groups preferences pane in System Preferences to list all accounts stored locally on a machine. When an account is selected, there is a check box labeled "Allow user to reset password using Apple ID".
The purpose of this option is that anyone whose user account is associated with an Apple ID can reset their password from the login screen, as long as they enter their Apple ID credentials and authenticate with that account.
Note that although an Apple ID and an iCloud account can be, and are encouraged to be, kept as separate accounts, in many cases they are the same account. This adds another attack path: if the Apple ID credentials leak, the iCloud account can be used to access the Find My iPhone application in the cloud, and other devices associated with the account may be remotely removed from the device list without the administrator (or the device owner) knowing. By the time this is detected, it is often too late.
Who can perform this operation?
Only someone who knows the Apple ID credentials for an account with this check box enabled can perform this operation. However, the risk can arise either remotely or locally, and it extends to anyone with access to the email account registered to that Apple ID.
How can this operation be prevented?
The obvious choice is to leave the account's Apple ID password reset check box unchecked. However, whether the option's usefulness outweighs its drawbacks depends on your environment and/or corporate policies.
A more practical approach is to follow password best practices: choose a strong password of at least 14 characters with a wide spread across the keyboard (mixing uppercase and lowercase letters, numbers, and symbols), change it every 45 to 90 days, and make sure the same password is not reused for at least the next six changes.
It is also a good idea to keep the email account associated with the Apple ID separate from company or personal accounts.
Finally, two-step verification for the Apple ID and iCloud can be expected to stop most attempts to bypass these restrictions.
Remember: there is more than one way for a computer to accomplish a task. Do your research and test your systems; this goes a long way toward strengthening computer security and raising the security awareness of the people responsible for managing and maintaining those computers.