The first thing you should do on a new Mac

The very first thing you should always do on your new Mac is to make sure you run as non-admin. This protects you against most malware out on the net, since it makes it very difficult to install anything without you knowing about it. It doesn’t exclude it entirely, but it makes a major difference.

First, open System Preferences…:

Then, select “Accounts”:

Once in the accounts panel, you’ll see your accounts to the left. Chances are you’ll only have one, while I have a bunch on this system. The one you have will probably have the subtitle “Admin”:

You’ll see a checkbox to the right that says “Allow user to administer this computer”, but you can’t unselect this unless there is at least one other account that is set to “administer this computer”, so we need to create another account with that ability first.

So, click the “+” down to the left, and what you’ll see then is this:

See to it that the dropbox at the top says “Administrator”, then fill in the rest as you wish. You can use the same password for this account as for your regular account, but see to it that it is a strong password (long and complex). I see no reason why you should necessarily choose another password here. It could look like this, when you’re done:

Click “Create Account” and this is what you should see in the “Accounts” pane:

Now you can select your original account and deselect “Allow user to administer this computer”:

You’ll probably be asked to reboot at this point, at least if you were logged in as “Noobie Json” as in this example (which I wasn’t). Once you start up again, log in as “Noobie Json” or whatever your account is called, not as “NoobieAdmin”. You should probably never log in as “NoobieAdmin”, ever.

From now on, whenever you need to do something that requires admin level rights, the system will ask you to provide an admin username and password in a dialogbox. For example, if I try to delete an application from “Applications”, the system pops up a dialog box and I have to provide the “NoobieAdmin” credentials:

Now, this never happens without me knowing exactly why it happened, so don’t ever go input your admin credentials unless you know why you should. If you have any doubt, click on the “Details” and it will tell you a little bit more:

In this particular case, “Details” didn’t tell me much I didn’t already know, but when in doubt, in may often tell you exactly what you want to know. If some malware is requesting admin credentials, the app that issued the request will be clearly shown.

If you’re really paranoid, click the double arrow to the right and you’ll see the entire folder hierarchy leading to the app that requested the credentials. Just in case some malware called itself “Finder” for instance. In this case we’ll see that “Finder” is part of “Core Services” which in turn is in the System/Library. Totally kosher, in other words:

OSX very rarely asks for admin rights, so there is very little risk of you getting into a habit of just entering your credentials without thinking. Yes, the first day you use your new Mac, you will do this a number of times until it is all set up, but after that, it becomes a rarity.

4 Comments on “The first thing you should do on a new Mac”


By Neil. January 10th, 2011 at 3:41 am

I am running my Mac as an admin and also always get the checkbox to enter my password, to confirm Installations and such. I do not see a major difference here.

By martin. January 10th, 2011 at 8:39 am

Running an actual installation package makes the system ask for your password, that’s true. The big difference is while running the program as such. If you are running as admin, the program can write in places admins can write without making the system ask you for permission, which can’t happen if you are not running as admin. The same would be true for an exploit in a browser, for instance.
The only exploit on a Mac with any significance, the Leap-A, can only work if you’re running as admin. And even then, it’s admittedly not very impressive, but it does show the importance of running as non-admin.

By Neil. January 10th, 2011 at 6:11 pm

Thanks for the reply. How dangerous is it really to run in admin mode plus I have “Little Snitch” (Firewall)? I have always thought I am pretty much safe like that…

Thanks,
Neil

By martin. January 10th, 2011 at 6:24 pm

Today it’s not very dangerous, but as soon as any kind of malware appears, it will make a lot of difference. I think the ability to run as non-admin without any problem on a Mac is the major difference with Windows, and the one thing that will keep the Mac platform relatively safe. It’s very, very hard to run as non-admin on Windows, which is ,in my opinion, their major problem.

Little Snitch is a great tool, but it will only show you malware if that malware connects out to a server, and that it does it in a way you notice as clearly abnormal. That’s the only thing Little Snitch does, but it does it very well (I also use it). In other words, Little Snitch is not a firewall, it stops nothing coming in and it does not stop malware from installing or running.

Lastly, if you run as admin, it would theoretically (maybe even practically) be possible for malware to change the settings of the system, including Little Snitch, without you noticing. Not if you run as non-admin.

An afterthought: the only example I can think of is Leap-A which spreads through iChat. I think it makes iChat send files (not sure) and if that is the way is spreads, Little Snitch won’t say anything since you’ve already approved iChat for connections (which you have, else you wouldn’t have gotten infected with Leap-A in the first place.) I may be wrong about Leap-A, but the principle holds, so any malware spreading the way I imagine Leap-A would spread, would not trigger anything unusual in Little Snitch.