What point is there in using an everyday non-admin account on OS X?
There is only one root account on every OS X computer and it is disabled by default. It doesn't have a password and you can't log in as root unless you specifically use Directory Utility and enable it. It's dangerous, because when logged in as root the system bypasses all authorization - it doesn't even ask for a password. In that aspect, an OS X computer is indeed rootless, which is A Good Thing™.
Admin accounts are simply standard accounts that also happen to be in the admin group. Any action in OS X performed by a logged-in user is checked against the authorization database (you can see its rules in /System/Library/Security/authorization.plist) to see whether no authentication is required, whether it is enough to be authenticated as the session owner (the standard user who is logged in), or whether you must be a member of the admin group. It gives very fine-grained control. So three possibilities might occur, for example in System Preferences when clicking the locked padlock. Upon clicking, it may simply unlock without authentication, it may offer an authentication dialog with the account name already filled in (which means please confirm it's you), or it may offer an authentication dialog with the account name and password fields blank (which means you are not an admin, please call an admin to type his credentials in).
A rule of thumb is that anything that can affect other users on the computer (a system-wide change) will require administrative authentication. But it's more complex than that. Standard users, for example, can install apps from the Mac App Store in the /Applications folder (which is a system-wide change) but cannot bypass Gatekeeper to run unsigned applications even if only within their own data. Standard users cannot invoke sudo, which has the bad side effect of not requiring authentication in a 10-15 minute window after that. A cleverly designed script will ask you for admin authentication for something you approve of, but after that it will do all sorts of wacky stuff you know nothing about.
Standard users can also be managed via parental controls or configuration profiles and can have password policies enforced. Admin users can do no such thing.
System Integrity Protection addresses the fact that people have been clicking through installer packages and providing passwords so easily that the users have become the weakest link. SIP just tries to keep the system afloat, nothing else (and sometimes fails in that, too).
You would not believe how many people I've seen that have only one user on the computer (which is also the admin account) and even without an account password, just to perceive a slight decrease in annoyance in the form of a login window.
I can't agree with your opinion that it is a pain to switch to an admin account when necessary. If you are in Terminal, you only need to su myadminacct before doing anything, including sudo or launching Finder as another user by executing /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder.
In the GUI, well, Mac App Store updates (including OS X updates) do not require admin authentication. Those installer packages that end up in the Downloads folder, including Adobe Flash updates: yes, you should be very careful before opening those, doing the extra work and making triple sure they come from the right place and are not full of nasties.
That's why I think using a Mac with a standard account is better and more secure than with an admin, because it protects me from my own mistakes and oversights. Even the majority of knowledgeable users don't inspect every downloaded script line-by-line to see if there is anything fishy going on.
I hope that the controls could get even stricter in the future, for example introducing conditions or schedules for when an app (or script or any executable) can be run or have access to the network, or that an executable may not even be started if I didn't explicitly allow it (authentication dialog) within the last month or so.
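The authorization database lookup the answer above describes, as an added example that is not part of the original answer: a small Python parser that reads a plist in the layout of /System/Library/Security/authorization.plist, follows shared rule references, and reports for each right which of the three padlock outcomes applies. The embedded sample plist and its com.example.* right names are constructed for illustration; on a Mac you can pass the real file's path instead.

```python
import plistlib
import sys

# Constructed sample in the layout of /System/Library/Security/authorization.plist:
# "rights" map right names to rules, some by reference to the shared "rules".
SAMPLE = b"""<plist version="1.0"><dict>
<key>rights</key><dict>
 <key>com.example.open</key><dict><key>class</key><string>allow</string></dict>
 <key>com.example.owner</key><dict><key>class</key><string>user</string>
  <key>session-owner</key><true/></dict>
 <key>com.example.admin</key><dict><key>class</key><string>user</string>
  <key>group</key><string>admin</string></dict>
 <key>com.example.shared</key><dict><key>class</key><string>rule</string>
  <key>rule</key><array><string>authenticate-admin</string></array></dict>
</dict><key>rules</key><dict>
 <key>authenticate-admin</key><dict><key>class</key><string>user</string>
  <key>group</key><string>admin</string></dict>
</dict></dict></plist>"""

def resolve(rule, rules, depth=0):
    """Follow 'rule' references (a list of shared rule names) to a concrete rule."""
    if depth > 8:
        raise ValueError("rule reference loop")
    names = rule.get("rule")
    if not names:
        return rule
    if isinstance(names, str):
        names = [names]
    return resolve(rules[names[0]], rules, depth + 1)

def classify(rule):
    """Map a concrete rule to what the System Preferences padlock will do."""
    cls = rule.get("class")
    if cls != "user":
        return "no authentication" if cls == "allow" else "not a user rule (%s)" % cls
    if rule.get("session-owner"):  # the logged-in user's own password suffices
        return "session owner's own password (name pre-filled)"
    return "credentials of a member of group %r" % rule.get("group")

def audit(plist_bytes):
    """Return {right name: outcome} for every right in the database."""
    db = plistlib.loads(plist_bytes)
    rules = db.get("rules", {})
    return {name: classify(resolve(r, rules)) for name, r in db["rights"].items()}

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for right, outcome in sorted(audit(data).items()):
        print(f"{right:24} {outcome}")
```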
Security is best implemented as a Multi Layered, Multi Vectored Strategy.
The Principle of Least Privilege (POLP) is just another cog in the machine that keeps your computer secure.
Everything that you listed there is all good, but none of that will prevent someone from taking over your computer with an exploit such as the Dropped Drive Hack.
- How does a firewall prevent a user from inserting a USB with a remote control exploit embedded on the drive?
- How does SIP prevent a keylogger from capturing your keystrokes?
- How does having SIP even matter when it can be easily disabled by the Admin?
- How do you prevent unauthorized/illegally licensed software from being installed? A restricted user account will ensure that users who shouldn't be installing software aren't installing software.
Your last line of defence is using an account that is not an Admin account so that you can mitigate the threat by putting up another layer of security (user authentication) when a piece of malware tries to install itself.
I have been saying this for what seems eons now:
"Security" is not a product you buy or a switch you flip on; it's a practice, it's a mindset, to leverage all the tools you can to minimize your risk.
It is generally considered best practice to use an account that has no more privileges than are required. What this means generally is that you should use an account that has the lowest privilege level possible, and elevate your privileges when it is needed for a specific task that requires the higher privileges.
However, this gets annoying rather quickly. The reason for this is that what seems like a simple task to you or me ("I only wanted to turn on the WiFi") is seen as a privileged operation for the OS ("You want to enable a network device and allow the machine to be put onto some random network").
Striking a balance between convenience and security is much harder than it sounds, and my personal feeling is that OS X does a much better job of it than some other OSen out there such as Windows.
If you do run as an administrator all the time, you might accidentally click on an email that contains some link to a site containing crapware, and it automatically runs a script that does some reconfiguration without your knowledge. But if you are running as a non-privileged user, then as soon as that script is run the OS will pop up a dialog saying "this malicious script wants to do something to your computer. Please confirm by typing your password". This would usually cause alarm or surprise, if it is not something you would expect to see at that point.
Also - more importantly, you set up a computer for someone else. Someone not computer-literate in your family. It is an excellent idea to give them a non-privileged login, and keep the admin password for yourself, so next time they click on any old rubbish (as is their wont), they CANNOT infest the computer with crapware. They sometimes complain when you do this, but you only have to remind them of that time they had 35 toolbars installed on IE 6, and every time they did a Google search they got pages of pornographic popups, before they will grudgingly agree that it might be a good idea. The downside is that they will be calling you more often to get you to unlock their computer when they want to update the Flash plugin.
As said before: security is an attitude, not a simple switch that you can flip.
Let me see how your reasons would work or not:
Admin accounts are not root. While true, they may be able to call sudo, and perhaps they may even have the password ready for input (or sudo was configured not to ask for a password).
SIP (System Integrity Protection): This is only one layer which is not enough for all attacks. Can be disabled? Even better!
Spyware argument: Well, perhaps. Privileges are still not separate enough. But even so, it's still a limitation.
Basic lines of defense are system wide: #1 says apps running on admin accounts can gain root.
Switching? It's widely known that you can do admin related tasks from standard accounts as long as you enter the admin account password. No need to actually do a real switch of accounts.