Posted on 11-16-2018 09:24 AM
I noticed the following today. I'm guessing this has been this way for a long time, and the community just accepts it? Does anyone know of a way to mitigate this?
If a user has the screen locked, any admin account can unlock the screen and have full access to the desktop/applications/network under the identity of the originally logged in user. This is a huge security issue. NO ONE should be able to operate as another user like that, with the exception of explicitly granted sudo privileges in a shell.
Posted on 11-16-2018 09:32 AM
Then disable it?
What baseline are you running? CIS? DISA?
This has been true of OS X basically... since OS X started.
Section 5.16 of the CIS 10.13 baseline addresses the issue, FWIW.
Here's some discussion on Jamf Nation on how to disable it:
https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver
Posted on 11-16-2018 09:35 AM
You can try the following:
Open /etc/authorization.
Change "authenticate-session-owner-or-admin" to "authenticate-session-owner" in the "system.login.screensaver" key.
Save the file.
Posted on 11-16-2018 10:07 AM
From:
https://www.jamf.com/jamf-nation/discussions/18195/system-login-screensaver
The command we are using to prevent users other than the logged-in user from unlocking the screen is: security authorizationdb write system.login.screensaver authenticate-session-user
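Added here as a worked example, not code from any poster in the thread: a POSIX shell script that audits the system.login.screensaver right by parsing the plist that security authorizationdb read prints, and on request applies the write command from the posts above. It assumes macOS for the live checks; the sample plist is constructed, and the default replacement rule (authenticate-session-owner, taken from the earlier post) can be overridden on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether system.login.screensaver
# still lets any admin unlock another user's session; optionally tighten it.
set -eu

RIGHT="system.login.screensaver"
PERMISSIVE="authenticate-session-owner-or-admin"   # default rule named in the thread
WANTED="${2:-authenticate-session-owner}"          # replacement rule named in the thread

# Read plist text (what `security authorizationdb read $RIGHT` prints) on stdin
# and print each rule name listed under the "rule" array, one per line.
extract_rules() {
  sed -n '/<key>rule<\/key>/,/<\/array>/p' |
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p'
}

# Exit 0 when the admin-or-owner rule is present, 1 otherwise.
is_permissive() {
  extract_rules | grep -qx "$PERMISSIVE"
}

# Constructed sample of what an unmodified system returns (assumption: the real
# output also carries comment/timestamp keys, which do not matter here).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>rule</key>
    <array>
        <string>authenticate-session-owner-or-admin</string>
    </array>
</dict>
</plist>'

# Query the live authorization database (macOS only; reading needs no privileges).
audit_live() {
  command -v security >/dev/null 2>&1 || { echo "security(1) not found" >&2; return 2; }
  if security authorizationdb read "$RIGHT" 2>/dev/null | is_permissive; then
    echo "$RIGHT: any admin can unlock another user's locked session"
    return 1
  fi
  echo "$RIGHT: only the session owner can unlock"
}

# Apply the thread's fix (root required), then re-audit to confirm it took.
fix_live() {
  sudo security authorizationdb write "$RIGHT" "$WANTED" && audit_live
}

case "${1:-}" in
  --audit) audit_live ;;
  --fix)   fix_live ;;
  *) echo "usage: $0 --audit | --fix [rule]" >&2 ;;
esac
```

Run with --audit on each Mac to find machines still on the default rule; the audit exits non-zero when the admin-or-owner rule is present, so it can feed a compliance report.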