Guide - Part 2: User Accounts

Question 1

What are the five types of user accounts in OS X? How are they different?

Answer 1

Standard is the default account type, administrative users can make changes to the system, a guest user doesn’t require a password, sharing-only users can access only shared files, and the root user has unlimited access to any file or folder in the system.

Question 2

What are some security risks associated with each type of user account?

Answer 2

Standard user accounts are very secure, assuming they have strong passwords. Administrative users can make changes that may negatively affect the system or other user accounts. A guest user could fill shared folders with unwanted files. Sharing-only users are generally very secure as long as they don’t have too much access to other user’s items. The potential for mayhem with root user access is nearly unlimited.

Question 3

Which two password methods are supported by OS X Yosemite for local user accounts?

Answer 3

In OS X Yosemite, local user accounts can take advantage of a locally saved password or a password that’s linked to an Apple ID.

Question 4

What are account attributes?

Answer 4

Account attributes are the individual pieces of information used to define a user account. Examples include full name, account name, user ID, Universally Unique ID (UUID), group, and home folder.

Question 5

How can you limit a user account from having full access to

all applications?

Answer 5

Parental controls can further limit a user account. Examples include enforcing a simple Finder, limiting applications and widgets, limiting Mac App Store content, setting time limits, and filtering content for several applications included in OS X.

Question 6

What types of resource contention issues can occur when fast user switching is enabled?

Answer 6

Resource contention occurs when fast user switching is enabled and a user tries to access an item that another user has open in the background. Document contention occurs when a user attempts to open a document that another user has already opened. Peripheral contention occurs when a user attempts to access a peripheral that’s already in use by another user’s open application. Application contention occurs when a second user attempts to access an application that has been designed to run only once on a system.

Question 7

Which storage-related security risk can occur when fast user switching is enabled?

Answer 7

When fast user switching is enabled, all users are allowed to see other users’ locally connected disks.

Question 8

A user’s home folder contains which default folders? What are some optional folders that can be added to a user’s home folder?

Answer 8

The default folders in a user’s home folder are Desktop, Documents, Downloads, Library (hidden), Movies, Music, Pictures, and Public. Optional home folder items include Applications and Sites folders.

Question 9

When you delete a local user account, the Users & Groups preferences gives you three options for dealing with the user’s home folder content. What are they?

Answer 9

When deleting a local user account, OS X can archive the home folder content into a compressed disk image, leave the home folder content in the /Users folder, or delete the home folder content. Optionally, OS X can perform a secure erase on the home folder content.

Question 10

Which three primary sources can Migration Assistant pull from?

Answer 10

Migration Assistant can migrate information from other OS X systems, other Windows systems, and other disks, including Time Machine backups.

Question 11

How do you make OS X associate a new local user account with a manually migrated or restored user’s home folder?

Answer 11

Before the local user account is created on a system, you must first copy the restored user’s home folder to the /Users folder. Then after you create the new user in Users & Groups preferences with the same account name, the system will prompt you to associate the new account with the restored home folder.

Question 12

What does the master password do?

Answer 12

The master password is used to reset local account passwords.

Question 13

When users change their own account password, how is their login keychain affected?

Answer 13

When users change their own account passwords, the system keeps their login keychain passwords in sync.

Question 14

What options are available when you try to change the password for a user account with an Apple ID password?

Answer 14

When you change the password for a user account with an Apple ID password, you’re given the option to either change to a separate, locally saved password or to change the Apple ID password.

Question 15

Which methods can be used to reset a user’s lost account password?

Answer 15

Local account passwords can be reset by an administrator in Users & Groups, by the master password at login, by a FileVault recovery key at startup, and by the Reset Password application in OS X Recovery. Local accounts with Apple ID passwords can also be resent online via https:// appleid.apple.com.

Question 16

How does resetting a user’s account password affect that user’s login keychain?

Answer 16

The account password reset process won’t change any keychain passwords. Therefore, the user’s keychains don’t automatically open when the user logs in with a new password. The user will have to manually change the keychain passwords using the Keychain Access utility.

Question 17

How does resetting the master password affect existing Legacy FileVault user accounts?

Answer 17

If a master password is reset because it was lost, Legacy FileVault accounts can’t be reset by the new master password.

Question 18

How can you limit the use of Location Services?

Answer 18

The Privacy pane of Security & Privacy preferences can be used to allow or disallow applications’ access to Location Services, Contacts, Calendars, Reminders, and Accessibility application access.

Question 19

How can you ensure that audio recordings used for Dictation

service remain private?

Answer 19

Audio recordings used for the Dictation service aren’t sent to Apple if the Use Enhanced Dictation feature is enabled in Dictation & Speech preferences.

Question 20

Which feature can you enable to locate a lost Mac system?

Answer 20

iCloud Find My Mac allows you to remotely locate a lost Mac system. You enable this feature in iCloud preferences. To locate a lost Mac system, you can use the iCloud website or the Find My iPhone app on an iOS device.

Question 21

How does the Firmware Password Utility help prevent users from making unauthorized password changes?

Answer 21

The Firmware Password Utility prevents users from starting up from another system disk. This in turn prevents them from using an OS X Recovery System to reset local passwords without authorization.

Question 22

Which types of items can be stored in a keychain?

Answer 22

Keychains are used to store secrets such as resource passwords, digital certificates, and encryption keys. The keychain system can also securely store Safari AutoFill information, Internet Account settings, and secure text notes.

Question 23

How does the keychain system help protect your

information?

Answer 23

The keychain system manages encrypted files that are used to securely save your items. By default, all users have login and Local Items keychains that use the same password as their account. Not even other administrative users can access your keychain secrets without knowing the keychain’s password.

Question 24

Where are the keychain files stored?

Answer 24

Each user starts with a login keychain saved at /Users/ /Library/Keychain/ login.keychain and a Local Items/iCloud keychain saved in the /Users// Library/Keychains/ folder. Administrative users can manage systemwide authentication assets with the /Library/ Keychain/System.keychain. Finally, Apple maintains several items in /System/Library/Keychains/ for OS X system use.

Question 25

What application is used to manage keychain settings?

Answer 25

Keychains can be managed from the /Applications/Utilities/ Keychain Access application.

Question 26

When and why would you set up an iCloud Security Code?

Answer 26

An iCloud Security Code can be set up the first time you enable the iCloud Keychain service for a specific Apple ID. The iCloud Security Code can be used to set up other devices for the iCloud Keychain service and can be used to regain access to the iCloud keychain if you lose all your Apple devices.

Question 27

What’s required to set up the iCloud Keychain service on multiple Apple devices?

Answer 27

Additional Apple devices must be authorized to use the iCloud Keychain service using a combination of the Apple ID password and another method. One method involves using an iCloud Security Code, the other method is to authorize access from another Apple device that has already been configured for the iCloud Keychain service.