Keep local administrative accounts from being a malicious user’s target by creating an invisible account.

Being in IT, it's natural to be concerned with the state of our network and the devices on it, but also with the proverbial "weakest link in the chain": the end-user's account and access. Unfortunately, there is still no single stop-gap measure that solves all of an organization's security woes.

The best bet is still to layer different types of security so that the weaknesses of one are caught and mitigated by the next one in line. Security through obscurity, or simply hiding things, seldom does much on its own to sway a determined threat actor, but that is not to say it won't add to the security posture of your environment when used in conjunction with other policies.

Create a hidden administrative account in macOS

That's the essence of this pro tip: creating a hidden administrative account in macOS. It's not intended to single-handedly thwart anyone looking to gain access to or compromise the local admin account on your Macs. When used alongside other security best practices, such as hardening the OS, applying firmware passwords, and implementing Profile Manager policies, end-users are further limited in what they can do, and the avenues available for casual users to gain access to administrative-level accounts are significantly reduced.

Note: For the process to work, the account you intend to hide must not already exist; it is created fresh as part of the steps below.

First, log in to the computer with an admin-level account. Launch Terminal and enter the following command, authenticating when prompted to do so:

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

Go to the Users & Groups preferences pane and create the admin account as you normally would. Right-click on the newly created user account and select Advanced Options… from the context menu (Figure A).

Figure A: Advanced Options.

From the advanced menu, we will modify two bits of information: User ID and Home directory. For User ID, enter a number under 500; the Hide500Users setting applied earlier hides exactly those accounts whose user ID is below 500. Bear in mind that this number must be unique for each user. Under Home directory, enter a new path for the user's home directory that is not located in the usual "/Users" location. Once both have been changed, click the OK button to save (Figure B).

Figure B

The account has now been created. However, we must make one more change to the system: click Login Options and select the Name and password radio button under the "Display login window as" section (Figure C).

Figure C

To verify that the new account is hidden, close System Preferences, relaunch it, and return to the Users & Groups pane. The account should now be hidden from view there and from the login window as well.
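Because the same trick that hides your own admin account would also hide any other account with a low user ID, it is worth auditing which accounts fall below the 500 threshold. The script below is an added example, not part of the original article: it parses the "name uid" listing that `dscl . -list /Users UniqueID` produces on a Mac and reports every non-system account that Hide500Users would conceal. The listing embedded in it is a constructed sample so the script runs offline; the `hiddenadmin` account and the `--live` flag are assumptions for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original article): list the local
# accounts that Hide500Users conceals, i.e. human-created accounts with a
# user ID below 500, so an admin can confirm only the intended hidden
# account exists.
#
# On a real Mac the input is the output of:
#   dscl . -list /Users UniqueID
# A constructed sample of that output is embedded here so the script runs
# offline; "hiddenadmin" is a hypothetical account name.
SAMPLE_LISTING='_mbsetupuser          248
_spotlight            89
daemon                1
nobody                -2
root                  0
hiddenadmin           401
jdoe                  501
asmith                502'

# Print "name uid" for every account with 0 < uid < 500 whose name does not
# start with "_" (Apple's service accounts) and is not root/daemon/nobody.
# What remains are the accounts a person created below the 500 boundary.
find_hidden_accounts() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^-?[0-9]+$/ && $2 > 0 && $2 < 500 \
        && $1 !~ /^_/ && $1 != "root" && $1 != "daemon" && $1 != "nobody" {
            print $1, $2
        }'
}

# Number of such accounts; compare against the number your organization
# created on purpose, since an unexpected extra one deserves investigation.
count_hidden_accounts() {
    find_hidden_accounts "$1" | wc -l | tr -d ' '
}

# True when the loginwindow preference that hides sub-500 accounts is set.
# On macOS the value comes from:
#   defaults read /Library/Preferences/com.apple.loginwindow Hide500Users
# which prints 1 once the article's "defaults write" command has been run.
hide500_enabled() {
    [ "$1" = "1" ]
}

if [ "${1:-}" = "--live" ]; then
    # Real run (macOS only): read the local directory service directly.
    find_hidden_accounts "$(dscl . -list /Users UniqueID)"
else
    find_hidden_accounts "$SAMPLE_LISTING"
fi
```

Run with `--live` on the Mac itself to audit the real account list; without arguments it prints the one hidden account in the sample, `hiddenadmin 401`. The UID filter mirrors the Hide500Users behaviour rather than the account's admin flag, because hiding is purely a function of the user ID.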