5.10 Ensure Fast User Switching Is Disabled

Information

Fast user switching allows a person to quickly log into the computer with a different account. While only a minimal security risk, when a second user is logged in, that user might be able to see what processes the first user is using, or possibly gain other information about the first user. In a large directory environment where it is difficult to limit login access, many valid users can log in to other users' assigned computers.

Rationale:

Fast user switching allows multiple users to run applications simultaneously at the console. Information about processes running under a different user can be disclosed. Without a specific configuration to save data and log out, users can have unsaved data in a background session that is not obvious.

Impact:

When support staff visit a user's computer console, they will not be able to log into their own session if there is an active and locked session.

Solution

Perform the following to disable fast user switching:
Graphical Method:

Open System Preferences

Select Users & Groups

Select Login Options

Uncheck 'Show fast user switching menu as...'

Terminal Method:
Run the following command to turn fast user switching off:

$ sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool false

Profile Method:

Create or edit a configuration profile with the PayloadType of .GlobalPreferences

Add the key MultipleSessionEnabled

Set the key to <false/>
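
The Profile Method above, as an added example (not part of the benchmark text): a Python script that builds an unsigned configuration profile with a .GlobalPreferences payload and strictly audits that MultipleSessionEnabled is a plist boolean false. The com.example identifier prefix, the display name and the function names are assumptions made for illustration.

```python
import plistlib
import uuid

KEY = "MultipleSessionEnabled"
PAYLOAD_TYPE = ".GlobalPreferences"


def build_profile(org_prefix="com.example"):  # hypothetical identifier prefix
    """Return unsigned profile bytes that set MultipleSessionEnabled to <false/>."""
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org_prefix}.fus.globalprefs",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        KEY: False,  # plistlib serialises a Python False as <false/>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_prefix}.fus",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Disable Fast User Switching",  # assumed name
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Return (compliant, reason) for an unsigned profile given as plist bytes."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML, e.g. a mistyped </false>
        return False, f"unparseable plist: {exc}"
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PAYLOAD_TYPE or KEY not in payload:
            continue
        value = payload[KEY]
        if value is False:  # strict: a string or integer does not pass
            return True, "MultipleSessionEnabled is boolean false"
        return False, f"MultipleSessionEnabled is {value!r}, expected boolean false"
    return False, "no .GlobalPreferences payload sets MultipleSessionEnabled"


if __name__ == "__main__":
    good = build_profile()
    # Constructed bad input: the value is a string, not a plist boolean.
    bad = good.replace(b"<false/>", b"<string>false</string>")
    print(audit_profile(good))
    print(audit_profile(bad))
```

The audit expects the plain XML or binary plist form; a signed profile has to be unwrapped before it is passed in.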

See Also

https://workbench.cisecurity.org/files/4000

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: 331ab706c3661185f7d7fe56048647ad9adc11dd16e83f1f4ea71bdc19be2b9a