5.16 Secure individual keychains and items

Information

By default, the keychain for an account, especially a local account, has the same password as the account's login password, so it is unlocked automatically at login. The keychain password can be changed to something other than the login password; the keychain then stays locked after login until it is needed and the user supplies its own password. This matters most when a smart card is used for console login: a keychain needs more protection than a PIN, but with the default behavior the card PIN stands in for the login password and therefore also unlocks the keychain. Individual keychain items can also carry their own access controls. Each item can have different access settings, including an option to require the keychain password every time the item is accessed, even while the keychain is unlocked. That level of protection is appropriate for bank passwords or other credentials that need extra security.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Open Utilities.
2. Select Keychain Access.
3. Double-click the keychain item to be protected.
4. Select Access Control.
5. Check the box next to "Ask for Keychain Password".

Impact: Having to enter the keychain password for each access could become inconvenient and/or tedious for users.
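Because Nessus does not perform this check, the script below is an added example (not part of the CIS benchmark or the Nessus audit) of the two pieces a practitioner can script with security(1): giving the login keychain a password of its own with `security set-keychain-password`, and auditing the keychain's lock settings as reported by `security show-keychain-info`. The report line format assumed here is taken from observed output (`Keychain "<path>" lock-on-sleep timeout=300s` or `Keychain "<path>" no-timeout`), the 300 second threshold is this example's own choice rather than a benchmark value, and the per-item "Ask for Keychain Password" setting is left to Keychain Access because no security(1) option is known to set it. Only the parsing runs off a Mac; the `security` calls are guarded behind the `audit` and `harden` arguments.

```shell
#!/bin/sh
# Added example, not from the benchmark or Nessus. Assumed report format:
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout
# MAX_TIMEOUT_SECS is an assumed policy value, not a benchmark requirement.

MAX_TIMEOUT_SECS=300
DEFAULT_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# Returns 0 when the line shows lock-on-sleep and an inactivity timeout no
# larger than MAX_TIMEOUT_SECS; otherwise prints the reason and returns 1.
audit_keychain_info_line() {
  line=$1
  case "$line" in
    *lock-on-sleep*) ;;
    *) echo "no lock-on-sleep"; return 1 ;;
  esac
  case "$line" in
    *timeout=*s*) ;;          # "no-timeout" has no "timeout=" and fails here
    *) echo "no inactivity timeout"; return 1 ;;
  esac
  secs=${line##*timeout=}     # "300s"
  secs=${secs%%s*}            # "300"
  case "$secs" in
    ''|*[!0-9]*) echo "unparseable timeout: $secs"; return 1 ;;
  esac
  if [ "$secs" -gt "$MAX_TIMEOUT_SECS" ]; then
    echo "timeout ${secs}s exceeds ${MAX_TIMEOUT_SECS}s"
    return 1
  fi
  return 0
}

# macOS only: show-keychain-info writes its report to stderr, hence 2>&1.
audit_keychain() {
  kc=${1:-$DEFAULT_KEYCHAIN}
  info=$(security show-keychain-info "$kc" 2>&1) || {
    echo "cannot read settings for $kc"; return 1; }
  audit_keychain_info_line "$info"
}

# macOS only: lock on sleep (-l), lock after inactivity (-u) of -t seconds,
# then set a keychain-specific password. With no -o/-p, set-keychain-password
# prompts for the old (by default the login) and new passwords, keeping them
# out of shell history. After this the keychain no longer unlocks at login.
harden_keychain() {
  kc=${1:-$DEFAULT_KEYCHAIN}
  security set-keychain-settings -l -u -t "$MAX_TIMEOUT_SECS" "$kc" || return 1
  security set-keychain-password "$kc"
}

case "${1:-}" in
  audit)  audit_keychain "${2:-}" ;;
  harden) harden_keychain "${2:-}" ;;
esac
```

Run `sh keychain.sh audit` to report why the login keychain misses the assumed policy, and `sh keychain.sh harden` to apply the lock settings and change the keychain password; the "Ask for Keychain Password" checkbox on individual items still has to be set in Keychain Access as described above.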

See Also

https://workbench.cisecurity.org/files/299