Citadel / Controls / GuestLogin

GuestLogin Control

What does this control check?

The GuestLogin control verifies that the Guest User account is disabled on your Mac. The Guest account allows anyone to use your computer without a password, creating a backdoor that bypasses all normal security controls.

Important: When Guest login is enabled, anyone can click "Guest" on your login screen and access your Mac without knowing any password. While the Guest account has limited access compared to your main account, it still allows someone to browse the internet, access shared files, potentially install software, and use your Mac's network connection for malicious purposes. If your Mac is lost or stolen, the Guest account gives thieves immediate access to use your device. Additionally, the Guest account bypasses audit logs, making it impossible to track who used your Mac and what they did.

Why is this important?

🚪

Unauthorized Access

Guest accounts allow anyone to use your Mac without authentication, completely bypassing password protection and giving strangers access to your device.

📝

No Audit Trail

Activity in the Guest account can't be traced to a specific person, making it impossible to investigate security incidents or determine who accessed your Mac.

🌐

Network Abuse

Guest users can access the internet through your Mac, potentially using your network connection for illegal activities, malware distribution, or attacks on other systems.

How to fix this

Disabling Guest Login on macOS

  1. Click the Apple menu in the top-left corner
  2. Select System Settings (or System Preferences on older versions)
  3. Click Users & Groups (or just Users)
  4. You may need to click the lock icon and enter your password to make changes
  5. In the left sidebar, find Guest User
  6. Click on Guest User
  7. Toggle "Allow guests to log in to this computer" to Off
  8. Also ensure "Allow guest users to connect to shared folders" is Off
  9. Close System Settings
Note: On macOS Ventura (13) and later, the option might be worded as "Allow guests to log in" or found under a different submenu. The concept is the same - make sure guest access is disabled.
⚠️ Important notes:
  • Disabling Guest login will not affect your ability to use your Mac normally
  • If someone legitimately needs to use your Mac, create a separate standard user account instead
  • Guest login creates security and compliance risks even if you "trust" the people around you
  • Some organizations completely remove the Guest account option via MDM

Verifying the fix

After disabling Guest login, Citadel will automatically verify this control during its next check.

To verify Guest login is disabled:

  1. Open System SettingsUsers & Groups
  2. Click on Guest User in the sidebar
  3. Verify that "Allow guests to log in to this computer" is toggled Off
  4. Also check that "Allow guest users to connect to shared folders" is Off

Alternative check: Log out of your Mac (Apple menu → Log Out). The login screen should NOT show a "Guest" option.