Mac OS X Security Configuration For Version 10.
© 2007 Apple Inc. All rights reserved. Apple, the Apple logo, AirPort, FireWire, Keychain, Mac, Macintosh, the Mac logo, Mac OS, QuickTime, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Finder, and Xgrid are trademarks of Apple Inc. The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software.
Contents

Preface
About This Guide
Target Audience
What’s New in Mac OS X Version 10.
Using Setup Assistant
Creating Initial System Accounts
Setting Correct Time Settings
Updating System Software
Updating from an Internal Software Update Server
Updating from Internet-Based Software Update Servers
Updating Manually from Installer Packages
Verifying the Integrity of Software
Repairing Disk Permissions
Kinds of Permissions
POSIX Permissions Overview
ACL Permissions Overview
Using Disk Utility to Repair Disk Permissions
Chapter 3
Using Smart Cards
Using Tokens
Using Biometrics
Setting Global Password Policies
Storing Credentials
Using the Default User Keychain
Securing Keychain Items
Creating Additional Keychains
Using Portable and Network-Based Keychains
Chapter 5
Securing System Preferences
System Preferences Overview
Securing .
Modifying POSIX Permissions
Setting File and Folder Flags
Viewing Flags
Modifying Flags
Setting ACL Permissions
Enabling ACL
Modifying ACL Permissions
Setting Global File Permissions
Securing Your Home Folder
Encrypting Home Folders
Using FileVault Master Keychain
Encrypting Portable Files
Creating a New Encrypted Disk Image
Creating an Encrypted Disk Image from Existing Data
Creating Encrypted PDFs
Securely E
Chapter 7
Securing Apple Remote Desktop
Securing Remote Apple Events
Securing Printer Sharing
Securing Xgrid
Intrusion Detection Systems
Chapter 8
Validating System Integrity
About Activity Analysis Tools
Using Auditing Tools
Configuring Log Files
Configuring syslogd
Local System Logging
Remote System Logging
About File Integrity Checking Tools
About Antivirus Tools
Appendix A
Startup Disk Preferences Action Items
Data Maintenance and Encryption Action Items
Network Services Configuration Action Items
System Integrity Validation Action Items
Appendix B
Daily Best Practices
Password Guidelines
Creating Complex Passwords
Using an Algorithm to Create a Complex Password
Safely Storing Your Password
Password Maintenance
Email, Chat, and Other Online Communication Guidelines
Computer Usage Guidelines
Glossary
Index
Preface About This Guide This guide provides an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer. This guide is designed to give instructions and recommendations for securing Mac OS X version 10.4 or later, and for maintaining a secure computer. Target Audience This guide is for users of Mac OS X version 10.4 or later.
• Secure erase. Secure erase follows the U.S. Department of Defense standard for the sanitization of magnetic media.
• VPN service is now Kerberized. Use Kerberos-based authentication for single sign-on to a VPN network.
• Firewall enhanced. The firewall service has been enhanced to use the reliable open source IPFW2 software.
• Antivirus and antispam. New adaptive junk mail filtering using SpamAssassin and virus detection and quarantine using ClamAV.
Note: Because Apple frequently releases new versions and updates to its software, images shown in this book might be different from what you see on your screen.

Using This Guide
The following are suggestions for using this guide:
• Read the guide in its entirety. Subsequent sections might build on information and recommendations discussed in prior sections.
• The instructions in this guide should always be tested in a nonoperational environment before deployment.
The Mac OS X Server Suite
The Mac OS X Server documentation includes a suite of guides that explain the available services and provide instructions for configuring, managing, and troubleshooting the services. All of the guides are available in PDF format from: www.apple.com/server/documentation/

This guide ... tells you how to:
• Getting Started: Install Mac OS X Server and set it up for the first time.
• User Management: Create and manage user accounts, groups, and computer lists. Set up managed preferences for Mac OS X clients.
• Web Technologies Administration: Set up and manage a web server, including WebDAV, WebMail, and web modules.
• Windows Services Administration: Set up and manage services including PDC, BDC, file, and print for Windows computer users.
• Xgrid Administration: Manage computational Xserve clusters using the Xgrid application.
• Apple Product Security website (www.apple.com/support/security/)—Access to security information and resources, including security updates and notifications.
For additional security-specific information, consult these resources:
• NSA security configuration guides (www.nsa.gov/snac/)—The National Security Agency provides a wealth of information on securely configuring proprietary and open source software.
• NIST Security Configuration Checklists Repository (checklists.nist.gov/repository/category.
1 Introducing Mac OS X Security Architecture
Mac OS X delivers the highest level of security through the adoption of industry standards, open software development, and smart architectural decisions. With Mac OS X, a security strategy is implemented that is central to the design of the operating system, ensuring that your Mac is safe and secure. This chapter describes the features in Mac OS X that can be used to enhance security on your computer.
• Open source foundation.
Security Architectural Overview Mac OS X security services are built on two open source standards: Berkeley Software Distribution (BSD) and Common Data Security Architecture (CDSA). BSD is a form of the UNIX operating system that provides fundamental services, including the Mac OS X file system, and file access permissions. CDSA provides a much wider array of security services, including finer-grained access permissions, authentication of users’ identities, encryption, and secure data storage.
This open approach has clear advantages and a long, well-documented history of quickly identifying and correcting source code that could potentially contain exploitable vulnerabilities. Mac OS X users can comfortably rely on the ongoing public examination by large numbers of security experts, which is made possible by Apple’s open approach to software development. The result is an operating system that is inherently more secure.
Built-In Security Services
Mac OS X has several security services that are managed by the security server daemon. The security server performs security operations such as encryption, decryption, and authorization evaluation on behalf of applications. Because the security server performs the operations that use cryptographic keys, the keys stay in an address space separate from the client application, so a compromised or misbehaving client cannot read them directly.
Smart Card Services A smart card can be a plastic card (similar in size to a credit card) or a USB dongle that has memory and a microprocessor embedded in it. The smart card is capable of both storing information and processing it. Smart cards can securely store passwords, certificates, and keys. A smart card normally requires a personal identification number (PIN) or biometric measurement (such as a fingerprint) as an additional security measure.
2 Installing Mac OS X
Though the default installation of Mac OS X is highly secure, it can be customized for your particular network security needs. By securely configuring the different stages of the installation process and understanding Mac OS X permissions, you can make sure that your computer is hardened to match your security policy.

System Installation Overview
If Mac OS X was already installed on the computer, consider reinstalling it.
To disable the Open Firmware password:
1 Restart the computer while holding down the Command, Option, O, and F keys.
2 Enter the Open Firmware password when prompted. If you are not prompted to enter a password, the Open Firmware password is already disabled.
3 Enter the following commands:
reset-nvram
reset-all

Installing from CD or DVD
When you install Mac OS X version 10.
Installing from the Network There are several ways to deploy images from the network. When choosing a method, make sure you can do it securely. When retrieving the image over a network, make sure that the network is isolated and can be trusted. For information about deploying images from a network, see the getting started guide. Verify the image to make sure that it is correct. For more information about verifying images, see “Verifying the Integrity of Software” on page 28.
2 Proceed to the Your Internet Connection step. Click Different Network Setup. Select “My computer does not connect to the Internet,” and click Continue. Even if you can configure the computer to access your network, you should disable network access until your network services settings are secure and validated. For more information, see Chapter 7, “Securing Network Services,” on page 113. If you don’t disable your network connection, an additional step, Enter Your Apple ID, appears.
3 In the Password Hint field, do not enter any information related to your password. If a hint is provided, the user is presented with the hint after three failed authentication attempts. Any password-related information provided in the field could compromise the integrity of the password. Adding contact information for your organization’s technical support line would be convenient and doesn’t compromise password integrity. 4 Click Continue.
System updates should be installed immediately after the operating system installation.
Updating from Internet-Based Software Update Servers Before connecting to the Internet, make sure your network services are securely configured. For information, see Chapter 7, “Securing Network Services,” on page 113. Instead of using your operational computer to check for and install updates, consider using a test-bed computer to download updates and verify file integrity before installing updates. You can then transfer the update packages to your operational computer.
2 Review the SHA-1 digest (also known as a checksum) for each update file downloaded, which should be posted online with the update package.
3 Check all downloaded updates for viruses.
4 Verify the integrity of each update. For more information, see “Verifying the Integrity of Software” on page 28.
5 Transfer the update packages from your test computer to your current computer. The default download location for update packages is /Library/Packages/.
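The digest comparison in steps 2 and 4 is easy to get wrong by eye, so here is an added shell example (not from Apple's guide) that does it for you: it computes the SHA-1 of each downloaded package with openssl, which ships with Mac OS X, and compares it with the digest published alongside the update. The fallback to sha1sum is an assumption for hosts without openssl, and the package names and digest listing in the usage note are constructed.

```shell
#!/bin/sh
# Verify downloaded update packages against their published SHA-1 digests.
# Added example, not part of Apple's guide.

sha1_of() {
    # Print the lowercase hex SHA-1 of the file named in $1.
    # openssl is present on Mac OS X; sha1sum is an assumed fallback elsewhere.
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 "$1" | awk '{print tolower($NF)}'
    else
        sha1sum "$1" | awk '{print tolower($1)}'
    fi
}

verify_sha1() {
    # verify_sha1 FILE EXPECTED_DIGEST
    # Returns 0 when the digests match, 1 on mismatch, 2 if FILE is unreadable.
    # The published digest may be upper case; compare in lower case.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify_sha1: cannot read $file" >&2; return 2; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

verify_all() {
    # verify_all LISTING DIR
    # LISTING holds "digest  filename" lines (the usual checksum-file layout);
    # every file is checked relative to DIR. Returns non-zero if any fails,
    # but keeps going so one bad package does not hide the others.
    rc=0
    while read -r digest name; do
        [ -n "$digest" ] || continue
        verify_sha1 "$2/$name" "$digest" || rc=1
    done < "$1"
    return $rc
}
```

On the test-bed computer, put the published digests in a file such as /Library/Packages/SHA1SUMS and run `verify_all /Library/Packages/SHA1SUMS /Library/Packages` before transferring anything; only packages that print OK should move to the operational computer.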
Kinds of Permissions
Before you modify or repair disk permissions, you should understand the two kinds of file and folder permissions that Mac OS X Server supports:
• Portable Operating System Interface (POSIX) permissions—standard for UNIX operating systems.
• Access Control Lists (ACLs) permissions—used by Mac OS X, and compatible with Microsoft Windows Server 2003 and Microsoft Windows XP.
Using Disk Utility to Repair Disk Permissions
Installing software sometimes causes file permissions to become incorrectly set. Incorrect file permissions can create security vulnerabilities. Disk Utility repairs only POSIX permissions or the minimal ACL permissions. Most software you install in Mac OS X is installed from package (.pkg) files. Each time something is installed from a package file, a “Bill of Materials” (.bom) file is stored in the package’s receipt; the receipt records the owner, group, and mode each installed file is supposed to have, and Disk Utility compares the files on disk against these receipts when it repairs permissions.
3 Protecting Hardware and Securing Global System Settings
After installing and setting up Mac OS X, make sure you protect your hardware and secure global system settings. This chapter discusses common practices for protecting hardware and demonstrates how to remove Mac OS 9 and secure both Open Firmware and Mac OS X startup. This chapter also discusses how log files help you monitor system activity.

Protecting Hardware
The first level of security is protection from unwanted physical access.
Disabling Hardware Hardware components such as wireless features and microphones should be physically disabled if possible. Only an Apple Certified Technician should physically disable these components, which may not be practical in all circumstances. The following instructions provide an alternative means of disabling these components by removing the associated kernel extensions.
6 (Optional) To remove support for mass storage devices (for example, USB flash drives, external USB hard drives, and external FireWire hard drives), drag the following files to the Trash:
IOUSBMassStorageClass.kext
IOFireWireSerialBusProtocolTransport.kext
7 Open the /System/Library folder.
8 Drag the following files to the Trash:
Extensions.kextcache
Extensions.mkext
9 Choose Finder > Secure Empty Trash to delete the files.
10 Restart the system.
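The same procedure, scripted, as an added example that is not from Apple's guide. It differs from steps 6 through 9 in one deliberate way: instead of secure-deleting the bundles it moves them into a quarantine folder (Extensions.disabled, an assumed name) so the change can be reversed if the machine fails to boot; run srm on the quarantine folder once you are satisfied. The ROOT argument is an assumption that lets the function be exercised against a test tree instead of the live system.

```shell
#!/bin/sh
# Disable hardware support by removing its kernel extensions from the
# Extensions folder and dropping the kext caches so they are rebuilt at boot.
# Added example, not part of Apple's guide.

disable_kexts() {
    # disable_kexts ROOT KEXT...
    # ROOT is "/" on a live system (assumed parameter for testing).
    # Prints the number of bundles moved; returns 2 on a filesystem error.
    root=$1; shift
    ext="$root/System/Library/Extensions"
    quarantine="$root/System/Library/Extensions.disabled"   # assumed name
    moved=0
    mkdir -p "$quarantine" || return 2
    for kext in "$@"; do
        if [ -d "$ext/$kext" ]; then
            mv "$ext/$kext" "$quarantine/$kext" || return 2
            moved=$((moved + 1))
        else
            echo "disable_kexts: $kext not present, skipping" >&2
        fi
    done
    # Steps 7 and 8: remove the cached copies, or the old drivers still load.
    rm -f "$root/System/Library/Extensions.kextcache" \
          "$root/System/Library/Extensions.mkext"
    echo "$moved"
}

kext_loads() {
    # kext_loads ROOT KEXT: succeeds if the bundle is still where the kernel
    # looks for it, fails if it has been quarantined or never existed.
    [ -d "$1/System/Library/Extensions/$2" ]
}

# Live use (then restart, as in step 10):
#   sudo sh -c '. ./disable_kexts.sh; disable_kexts / \
#       IOUSBMassStorageClass.kext IOFireWireSerialBusProtocolTransport.kext'
```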
4 Enter the following commands to remove Classic folders and files:
$ sudo srm -rf '/System/Library/Classic/'
$ sudo srm -rf '/System/Library/CoreServices/Classic Startup.app'
$ sudo srm -rf '/System/Library/UserTemplate/English.
To run Mac OS 9 from a disk image:
1 Install Mac OS 9 and the software that requires Mac OS 9 on a test-bed computer.
2 On the test-bed computer, create a folder and name it Mac OS 9.
3 Copy the Mac OS 9 System Folder into the Mac OS 9 folder you created in the previous step.
4 On the test-bed computer, open Disk Utility.
5 Choose File > New > Disk Image from Folder.
6 Select the Mac OS 9 folder (created in step 2) and click Image.
7 In Image Format, choose read-only.
8 In Encryption, choose none.
To secure startup, perform one of the following tasks:
• Use the Open Firmware Password application to set the Open Firmware password
• Set the Open Firmware password within Open Firmware
• Verify and set the security mode from the command line
WARNING: Open Firmware settings are critical. Take great care when modifying these settings and when creating a secure Open Firmware password.
5 Close the Open Firmware Password application.
You can test your settings by attempting to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window loads instead, the changes made by the Open Firmware Password application completed successfully.

Configuring Open Firmware Settings
You can securely configure Open Firmware settings within Open Firmware.
You can test your settings by attempting to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window appears, your Open Firmware settings are set correctly.
WARNING: Modifying critical system files can cause unexpected issues. Your modified files may also be overwritten during software updates. Make these modifications on a test computer first, and thoroughly test your changes every time you change your system configuration.
To require entry of the root password for single-user mode:
1 Log in as an administrator.
2 Start the Terminal application, located in /Applications/Utilities.
3 At the prompt, enter the command:
$ cd /etc
4 To create a backup copy of /etc/ttys, enter the command:
$ sudo cp ttys ttys.old
5 To edit the ttys file as root, enter the command:
$ sudo pico ttys
6 Replace all occurrences of the word “secure” with the word “insecure” in the configuration lines of the file.
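Step 6 is a find-and-replace that is easy to do badly: a plain substitution of “secure” also rewrites an already hardened “insecure” entry into “ininsecure” and would touch the comment lines. The following added example (not from Apple's guide) performs the edit with awk so that only whole “secure” status fields on non-comment lines change, keeps a backup of the original on the first run only, and leaves the file alone when run again. The sample ttys contents in the test are constructed; the file path on a real system is /etc/ttys.

```shell
#!/bin/sh
# Mark every terminal in a ttys file "insecure" so single-user mode asks for
# the root password. Added example, not part of Apple's guide.

harden_ttys() {
    # harden_ttys FILE  (FILE is /etc/ttys on a live system; run with sudo)
    # Keeps FILE.old as a backup of the original; idempotent on re-runs.
    f=$1
    [ -f "$f" ] || return 2
    [ -e "$f.old" ] || cp -p "$f" "$f.old" || return 2
    awk '
        /^[[:space:]]*#/ { print; next }          # comments pass through
        {
            # The status field is a whole word; "insecure" is already done.
            for (i = 1; i <= NF; i++) if ($i == "secure") $i = "insecure"
            print
        }' "$f" > "$f.tmp" || return 2
    # Write through the existing file so its owner and mode are preserved.
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

count_secure() {
    # Print how many non-comment entries are still marked "secure";
    # 0 means single-user mode will demand the root password.
    awk '!/^[[:space:]]*#/ { for (i = 1; i <= NF; i++) if ($i == "secure") n++ }
         END { print n + 0 }' "$1"
}
```

Keep in mind that the check only has teeth if the root account has a password to compare against; with root disabled, as it is by default, single-user mode becomes unusable rather than protected, so set a root password (or accept that trade-off) before relying on this.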
To create a login window access warning:
1 Open Terminal.
2 Change your login window access warning:
$ sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"
Replace Warning Text with your access warning text. Your logged-in account must be able to use sudo to perform a defaults write.
3 Log out to test your changes. Your access warning text appears below the Mac OS X subtitle.
4 Securing Accounts
Securely configuring user accounts requires determining how the accounts will be used and setting the level of access for users. When you define a local user’s account, you specify the information needed to prove the user’s identity: user name, authentication method (such as a password, digital token, smart card, or biometric reader), and user identification number (user ID).
Unless administrator access is required, you should always log in as a nonadministrator user. You should log out of the administrator account when you are not using the computer as an administrator. If you are logged in as an administrator, you are granted some privileges and abilities that you might not need. For example, you can modify some system preferences without being required to authenticate.
The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system use; user accounts with these user IDs should not be deleted and should not be modified except to change the password of the root user. If you do not want the user to appear in the login window of computers with Mac OS X version 10.4 or later installed, assign a user ID of less than 500. In general, once a user ID has been assigned and the user starts creating files and folders, you shouldn’t change the user ID.
To secure a managed account:
1 Open Accounts preferences.
2 Click the lock to authenticate. Enter an administrator’s name and password and click OK. You can also authenticate through the use of a digital token, smart card, or biometric reader.
3 Select an account labeled “Standard” or “Managed.” You cannot set parental controls on administrator users. When selecting a user with the “Managed” label, make sure you do not select an account with preferences managed through the network.
When you install third-party applications, they may be added to this list. You should disable all third-party applications unless the user has a specific need to use the application, and can do so in a secure manner. Third-party applications might give a standard user some administrator abilities, which can be a security issue. Additionally, if you’re connecting to an organization’s network, you should install only third-party applications that are specifically approved by the organization.
Securing the System Administrator Account The most powerful user account in Mac OS X is the system administrator, or root, account. By default the root account on Mac OS X is disabled and it is recommended you do not enable it. The root account is primarily used for performing UNIX commands. Generally, any actions that involve critical system files require that you perform those actions as root.
To restrict sudo usage, change the /etc/sudoers file:
1 Edit the /etc/sudoers file using the visudo tool, which locks the file against concurrent edits and checks its syntax before saving, so a typo cannot leave you with an unusable sudo. The command must be run as root:
$ sudo visudo
2 Enter the administrator password when prompted.
Note: There is a timeout value associated with sudo. This value indicates the number of minutes until sudo prompts for a password again.
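As an added illustration of what you might write once you are in visudo (this fragment is not from Apple's guide), the following sudoers settings set the timeout from the note above to zero and replace the stock `%admin ALL=(ALL) ALL` line, which lets every administrator run anything, with a fixed list of commands. The command paths match a default Mac OS X install; the choice of commands and the log file path are assumptions to adapt to your environment.

```sudoers
# /etc/sudoers fragment (edit only with: sudo visudo)

# Prompt for the password on every sudo invocation (the default caches it
# for five minutes) and refuse to run without a terminal, so a script or a
# cron job cannot piggy-back on a cached credential.
Defaults    timestamp_timeout=0
Defaults    requiretty

# Keep a dedicated record of every sudo invocation in addition to syslog
# (assumed path).
Defaults    logfile=/var/log/sudo.log

# The commands administrators actually need (assumed list).
Cmnd_Alias  SOFTWARE = /usr/sbin/softwareupdate, \
                       /usr/sbin/diskutil repairPermissions /
Cmnd_Alias  SERVICES = /bin/launchctl

# Replace the stock "%admin ALL=(ALL) ALL" with this line: members of the
# admin group may run only the listed commands, only as root, and only after
# authenticating.
%admin      ALL = (root) SOFTWARE, SERVICES

# root keeps full access.
root        ALL = (ALL) ALL
```

After saving, check the result as an administrator with `sudo -l`, which lists exactly the commands the current user may run; anything not listed is refused.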
Mobile accounts cache authentication information and managed preferences. A user’s authentication information is maintained on the directory server, but cached on the local computer. With cached authentication information, a user can log in using the same user name and password (or a digital token, smart card, or biometric reader), even if he or she is not connected to the network. Users with mobile accounts have both local and network home folders, which combine to form portable home directories.
In addition to enabling and disabling services, you can use Directory Access to choose the directory domains that you want to authenticate with. Directory Access defines the authentication search policy that Mac OS X uses to locate and retrieve user authentication information and other administrative data from directory domains. The login window, Finder, and other parts of Mac OS X use this authentication information and administrative data.
Configuring Active Directory Access Connecting to an Active Directory server is not as secure as connecting to an Open Directory server that has all of its security settings enabled. For example, you cannot receive directory services from an Active Directory server that enables digitally signing or encrypting all packets. Mac OS X supports mutual authentication with Active Directory servers. Kerberos is a ticket-based system that enables mutual authentication.
Using a combination of the three dimensions above makes authentication more reliable and user identification more certain.

Using Password Assistant
Mac OS X includes Password Assistant, an application that analyzes the complexity of a password or generates a complex password for you. You can specify the length and type of password you’d like to generate. For example, you can create a randomly generated password, or a FIPS-181 compliant password. You can open Password Assistant from certain applications.
Using Smart Cards A smart card is a plastic card (similar in size to a credit card) or USB dongle that has memory and a microprocessor embedded in it. The smart card is capable of storing and processing information such as passwords, certificates, and keys. The microprocessor inside the smart card can do authentication evaluation offline before releasing information.
Setting Global Password Policies
You can use the pwpolicy command-line tool to configure a password policy. Global password policies are not implemented for local accounts in Mac OS X; instead, a password policy is set for each individual user account, so you must apply the policy to every account you want covered. You can set specific rules governing the size and complexity of acceptable passwords.
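Because the policy has to be set per account, the practical way to get a global effect is to loop over the ordinary local accounts. The following added shell example (not from Apple's guide) does that: it selects the accounts with a UID of 500 or above from a “name uid” listing (on 10.4 the listing would come from `nireport . /users name uid`, an assumption about the input source) and applies one pwpolicy string to each. The policy values and the PWPOLICY override, which lets the test run without the real tool, are assumptions; the pwpolicy options and policy keys are those of pwpolicy on Mac OS X.

```shell
#!/bin/sh
# Apply one password policy to every ordinary local account.
# Added example, not part of Apple's guide.

PWPOLICY=${PWPOLICY:-/usr/bin/pwpolicy}   # overridable so it can be tested

# Policy keys as accepted by "pwpolicy -setpolicy"; adjust to your standard.
POLICY="minChars=12 requiresAlpha=1 requiresNumeric=1 passwordCannotBeName=1 maxFailedLoginAttempts=5 usingHistory=5"

ordinary_users() {
    # ordinary_users FILE: print account names whose UID is 500 or above
    # (FILE holds "name uid" lines). System accounts below 500 are skipped.
    awk 'NF >= 2 && !/^#/ && $2 + 0 >= 500 { print $1 }' "$1"
}

apply_policy() {
    # apply_policy ADMIN FILE
    # ADMIN authenticates to pwpolicy (it prompts for that password once per
    # call). Returns non-zero if any call failed, but tries every account.
    rc=0
    for u in $(ordinary_users "$2"); do
        if "$PWPOLICY" -a "$1" -u "$u" -setpolicy "$POLICY"; then
            echo "policy set for $u"
        else
            echo "pwpolicy failed for $u" >&2
            rc=1
        fi
    done
    return $rc
}

show_policy() {
    # show_policy USER: read back the effective policy for one account.
    "$PWPOLICY" -u "$1" -getpolicy
}

# Live use on 10.4 (assumed source of the listing):
#   nireport . /users name uid > /tmp/users.txt
#   apply_policy adminname /tmp/users.txt && show_policy jsmith
```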
Each item on the keychain has an ACL that can be populated with applications that have authority to use that keychain item. A further restriction can be added that forces an application with access to confirm the keychain password. The main issue with having to remember many passwords is that you’re likely to either make all the passwords identical or keep a written list of all passwords. By using keychains, you can greatly reduce the number of passwords that you have to remember.
9 Secure each individual login keychain item. For information, see “Securing Keychain Items” on page 55.

Securing Keychain Items
Keychains can store multiple encrypted items. You can configure some of these individual items so that only certain applications are permitted access. Access Control cannot be set for certificates.
To secure individual keychain items:
1 In Keychain Access, select a keychain, and then select an item.
2 Click the Information (i) button.
3 Click Access Control.
Creating Additional Keychains When a user account is created, it contains only the initial default keychain, login. A user can create additional keychains, each of which can have different settings and purposes. For example, a user might want to group all his or her credentials for mail accounts into one keychain. Since mail programs query the server frequently to check for new mail, it would not be practical to expect the user to reauthenticate every time such a check is being performed.
If the security credentials are accessed infrequently, select “Lock after # minutes of inactivity,” and select an appropriate value, such as 1.
8 Select “Lock when sleeping.”
9 Drag the desired security credentials from other keychains to the new keychain. Authenticate, if requested.
You should have keychains that only contain related items. For example, you could have a mail keychain that only contains mail items.
6 Choose File > Delete Keychain “keychain_name.”
7 Click Delete References.
8 Copy the keychain files from the previously noted location to the portable drive.
9 Move the keychain to the Trash and use Secure Empty Trash to securely erase the keychain file stored on the computer. For information, see “Using Secure Empty Trash” on page 110.
10 Open Finder, and double-click the keychain file located on your portable drive to add it to your keychain.
5 Securing System Preferences
Securing Mac OS X system software enables further protection against attacks. System Preferences has many different configurable preferences within it that can be used to further enhance system security. Some of these configurations might be things to consider, depending on your organization.

System Preferences Overview
Mac OS X includes many system preferences that you can customize to improve security.
Some of the more critical preferences require that you authenticate before you can modify their settings. To authenticate, you click a lock and enter an administrator’s name and password (or use a digital token, smart card, or biometric reader). If you log in as a user with administrator privileges, these preferences are unlocked unless you select “Require password to unlock each secure system preference” in Security preferences. For more information, see “Securing Security Preferences” on page 85.
Securing .Mac Preferences .Mac is a suite of Internet tools designed to help you synchronize your data and other important information for when you’re away from the computer. You should not use .Mac if you must store critical data only on your local computer. You should only transfer data over a secure network connection to a secure internal server. If you must use .Mac, enable it only for user accounts that don’t have access to critical data. Do not enable .Mac for your administrator or root user accounts.
You should not register any computers for synchronization in the Advanced pane of .Mac preferences.
To securely configure .Mac preferences:
1 Open .Mac preferences.
2 Deselect “Synchronize with .Mac.”
3 Don’t enable iDisk Syncing in the iDisk pane.
4 Don’t register your computer for synchronization in the Advanced pane.
Securing Accounts Preferences You can use Accounts preferences to perform two major security-related tasks: change or reset account passwords, and modify login options. You should immediately change the password of the first account that was created on your computer. If you are an administrator, you can change other user account passwords by selecting the account and clicking Change Password.
The password change and reset dialogs provide access to Password Assistant, an application that can analyze the strength of your chosen password and assist you in creating a more secure password. For information, see “Using Password Assistant” on page 51. You should modify login options so that you provide as little information as possible to the user. You should require that the user know which account they want to log in with, and the password for that account.
You should also modify login options to disable the Restart, Sleep, and Shut Down buttons. By disabling these buttons, the user cannot restart the computer without pressing the power key or logging in.
To securely configure Accounts preferences:
1 Open Accounts preferences.
2 Select an account and click the Password pane. Then, change the password by clicking the Change Password button.
Securing Appearance Preferences Recent items refer to applications, documents, and servers that you’ve recently used. You can access recent items by choosing Apple > Recent Items. You should consider changing the number of recent items displayed in the Apple menu to none. If intruders gain access to your computer, they can use recent items to quickly view your most recently accessed files.
Securing Bluetooth Preferences Bluetooth allows wireless devices, such as keyboards, mice, and mobile phones, to communicate with the computer. If the computer has Bluetooth capability, Bluetooth preferences become available. If you don’t see Bluetooth preferences, you cannot use Bluetooth. Note: Some high security areas do not allow radio frequency (RF) communication. You should consult your organizational requirements for possible further disablement of the component.
Securing CDs & DVDs Preferences The computer should not perform automatic actions when the user inserts CDs or DVDs. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer. This does not prevent users from reenabling automatic actions. To prevent the user from reenabling automatic actions, you must restrict the user’s account, so that the user cannot open System Preferences.
Securing Classic Preferences Mac OS X includes an adaptation of Mac OS 9, known as Classic. Mac OS 9 should be removed from the computer. If you remove Mac OS 9 and do not plan on using it, you do not need to configure Classic preferences. For instructions on how to remove Mac OS 9, see “Removing Mac OS 9” on page 33. If you are going to use Mac OS 9 from a CD, DVD, or disk image, you must configure Classic preferences.
Turn off extensions in the Advanced pane of Classic preferences. Although Classic is not allowed to interact directly with hardware, you might have several extensions that are related to hardware and are therefore unnecessary. You can also use the Memory/Versions pane of Classic preferences to view the applications running in Mac OS 9. By choosing to show background applications, you become more aware of any malicious applications running in Mac OS 9.
To securely configure Classic preferences:
1 Open Classic preferences.
2 In the Start/Stop pane, deselect “Start Classic when you login” and “Hide Classic while starting.”
3 Select “Warn before starting Classic.”
4 Click the Advanced pane, and select “Turn Off Extensions.”

Securing Dashboard and Exposé Preferences
Your computer should require authentication when waking from sleep or screen saver.
If your organization does not want to use Dashboard because of its potential security risk, you can disable it.
To disable Dashboard from the command line:
1 Open Terminal.
2 Enter the command:
$ defaults write com.apple.dashboard mcx-disabled -boolean YES
This prevents Dashboard from opening. The setting applies only to the account you run the command from and takes effect the next time that user’s Dock starts, so repeat it for each account (or log the user out and back in).
3 Quit Terminal.

Securing Date & Time Preferences
Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues.
To securely configure Date & Time preferences:
1 Open Date & Time preferences.
2 In the Date & Time pane, enter a secure and trusted NTP server in the “Set date & time automatically” field. Click the Time Zone pane.
3 In the Time Zone pane, choose a time zone.
Securing Desktop & Screen Saver Preferences You can configure a password-protected screen saver to help prevent accessing of unattended computers by unauthorized users. Different authentication methods can be used to unlock the screen saver, which include digital tokens, smart cards, or biometric readers. You should set a short inactivity interval to decrease the amount of time the unattended computer spends unlocked.
You can configure Desktop & Screen Saver preferences to allow you to quickly enable or disable screen savers if you move your mouse cursor to a corner of the screen. You should not configure any corner to disable screen savers. You can also do this by configuring Dashboard & Exposé preferences. When you configure Desktop & Screen Saver preferences, you must configure these preferences for every user account on the computer. This doesn’t prevent users from reconfiguring their preferences.
Securing Displays Preferences If you have multiple displays attached to your computer, be aware that enabling display mirroring might inadvertently expose private data to others. Having this additional display provides extra opportunity for others to see private data. Securing Dock Preferences You can configure the Dock to be hidden when not in use, which can prevent others from seeing what applications you have available on your computer when they pass by.
Securing Energy Saver Preferences You can configure the period of inactivity required before a computer, display, or hard disk enters sleep mode, and require authentication by use of a password, digital token, smart card, or biometric reader when a user tries to use the computer. This is similar to using a password-protected screen saver. Mac OS X also allows you to set up different settings, depending on your power supply (power adapter or battery).
You should configure the computer so that it only wakes from sleep mode when you try to physically access the computer. Also, the computer should not be set to restart after a power failure. To securely configure Energy Saver preferences: 1 Open Energy Saver preferences. 2 Click the Sleep pane. 3 Set “Put the computer to sleep when it is inactive for:” to Never. 4 Select “Put the hard drive disk(s) to sleep when possible.” Click the “Options” pane.
Securing Keyboard & Mouse Preferences
Turn Bluetooth off if it is not required. If Bluetooth is necessary, do not allow Bluetooth devices to wake the computer; otherwise a nearby device can wake a sleeping machine without anyone touching it.
To securely configure Keyboard & Mouse preferences:
1 Open Keyboard & Mouse preferences.
2 Click Bluetooth.
3 Deselect “Allow Bluetooth devices to wake this computer.”
Securing Network Preferences You should disable any unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer. Some organizations use IPv6, a new version of the Internet protocol (IP). The primary advantage of IPv6 is that it increases the address size from 32 bits (the current IPv4 standard) to 128 bits.
By default, IPv6 is configured automatically, and the default settings are sufficient for the vast majority of computers that use IPv6. If your organization’s network does not use or require IPv6, turn it off; an unused protocol stack is one more thing to secure and monitor. You can also configure IPv6 manually.
To securely configure Network preferences:
1 Open Network preferences.
2 In the Show pop-up menu, choose your network device.
3 Click Configure IPv6.
4 In the Configure IPv6 pop-up menu, choose Off.
5 Click OK.
Securing Print & Fax Preferences You should only use printers that are in a secure location. If you print confidential material in an insecure location, your confidential data sent to the printer might be viewable by unauthorized users. You should also be careful not to print to a shared printer, since that allows another computer to capture the complete print job directly. The remote computer could be maliciously monitoring and capturing confidential data being sent to the real printer.
You should not use your computer to share a printer, or to send faxes. If you share a printer, unauthorized users can add items to your print queue without having to authenticate. If you enable these functions, you provide a mechanism for intruders to access your computer. To securely configure Print & Fax preferences: 1 Open Print & Fax preferences. 2 In the Faxing pane, deselect “Receive faxes on this computer.” 3 In the Sharing pane, deselect “Share these printers with other computers.
Securing QuickTime Preferences You should only download QuickTime movies from trusted, secure sources. By default, QuickTime stores downloaded movies in a cache. If someone gained access to your account, they would be able to see your previously viewed movies, even if you did not explicitly save them as files. You can change QuickTime preferences to disable the storing of movies in a cache. You should not install third-party QuickTime software unless you specifically require that software.
To securely configure QuickTime preferences: 1 Open QuickTime preferences. 2 In the Browser pane, deselect the “Save movies in disk cache.” Securing Security Preferences The settings in Security preferences cover a wide range of Mac OS X security issues. Mac OS X includes FileVault, which encrypts the information in your home folder. FileVault uses the latest government-approved encryption standard, the Advanced Encryption Standard with 128-bit keys (AES-128).
Virtual memory decreases the need for large amounts of physical memory. A swap file is used to store inactive physical memory contents, freeing up your physical memory. By default, the swap file is in an unencrypted, insecure format. This swap file can contain highly confidential data, such as documents and passwords. By using secure virtual memory, you secure the swap file at a cost of slower speed (to access the secure swap file, Mac OS X must encrypt or decrypt the secure swap file).
10 Select “Use secure erase.”
11 Click “Turn On FileVault.”
12 Restart the computer.
Securing Sharing Preferences
By default, every service listed in Sharing preferences is disabled. You should not enable any of these services unless you are required to use them. The following services are described in greater detail in “Securing Network Services” on page 127.
Service: Personal File Sharing. Description: Gives users of other computers access to each user’s Public folder.
You can change your computer’s name in Sharing preferences. By default your computer’s host name is typically firstname-lastname-computer, where firstname and lastname are the system administrator’s first name and last name, respectively, and computer is either the type of computer or simply “Computer.” When other users use Bonjour to discover your available services, your computer is displayed as hostname.local, so the default name tells anyone on the local network who owns the machine.
You can use the Firewall pane of Sharing preferences to enable a firewall that can block both TCP and UDP ports for any of the services listed. This firewall is very powerful and includes logging and stealth mode features. You can use the Internet pane of Sharing preferences to disable Internet Sharing. For more information about these services and the firewall and sharing capabilities of Mac OS X, see Chapter 7, “Securing Network Services.
To securely configure Sharing preferences:
1 Open Sharing preferences.
2 Change the default Computer Name to a name that does not identify you as the owner.
3 Click the Firewall pane, start the firewall, and allow through it only the services you actually use.
4 Click the Internet pane, and disable Internet Sharing.
Securing Software Update Preferences
Your Software Update preferences configuration primarily depends on your organization’s policy.
To securely configure Software Update preferences:
1 Open Software Update preferences.
2 Click the Update Software pane.
3 Deselect “Check for updates” and “Download important updates in the background.”
Disable these only if updates reach the computer another way, such as an internal Software Update server or manually installed, verified packages; a computer that neither checks for updates nor receives them otherwise stays unpatched.
Securing Sound Preferences
Many Apple computers include an internal microphone, which can cause security issues. You can use Sound preferences to disable the internal microphone and the line-in port.
To securely configure Sound preferences:
1 Open Sound preferences.
Securing Speech Preferences Mac OS X includes speech recognition and text to speech features, which are disabled by default. You should only enable these features if you’re working in a secure environment where no one else can hear you speak to the computer, or hear the computer speak to you. Also make sure there are no audio recording devices that can record your communication with the computer. If you do enable the text to speech feature, use headphones to keep others from overhearing your computer.
To securely configure Speech preferences: 1 Open Speech preferences. 2 Click the Speech Recognition pane, and set Speakable Items On or Off. Change the setting according to your environment. 3 Click the Text to Speech pane, and change the settings according to your environment. Securing Spotlight Preferences Spotlight is a new feature in Mac OS X version 10.4. You can use Spotlight to search your entire computer for files.
By placing specific folders or disks in the Privacy pane, you can prevent Spotlight from searching them. You should disable searching of all folders that contain confidential information. Consider disabling top-level folders. For example, if you store confidential documents in subfolders of ~/Documents/, instead of disabling each individual folder, disable ~/Documents/. By default the entire system is available for searching using Spotlight.
Securing Startup Disk Preferences You can use Startup Disk preferences to make your computer start up from a CD, a network volume, a different disk or disk partition, or another operating system. Be careful when selecting a startup volume. Choosing a network install image reinstalls your operating system and might erase the contents of your hard disk. If you choose a FireWire volume, your computer will start up from the FireWire drive plugged into the current FireWire port for that volume.
If you hold down the T key during startup, you enter target disk mode. You can prevent the startup shortcut for target disk mode by enabling an Open Firmware or EFI password. If you enable an Open Firmware or EFI password, you can still restart in target disk mode using Startup Disk preferences. For more information about enabling an Open Firmware or EFI password, see “Using the Open Firmware Password Application” on page 36. To select a Startup Disk: 1 Open Startup Disk preferences.
6 Securing Data and Using Encryption
Your data is the most valuable part of the computer. By using encryption, you can protect your data in the case of an attack or theft of your mobile computer. By setting global permissions, encrypting home folders, and encrypting portable data, you greatly reduce the risk of your data being exposed. Using the secure erase feature of Mac OS X, deleted data is overwritten so that it cannot be recovered from the disk.
Viewing POSIX Permissions
You can assign standard POSIX access permissions to these three categories of users:
- Owner—A user who creates a new item (file or folder) on the server is its owner and automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (allow a group or everyone to use the item). The administrator can also transfer ownership of the shared item to another user.
Interpreting POSIX Permissions
POSIX permissions can be read from the first ten characters of the long-format (ls -l) listing for a file or folder:
drwxr-xr-x 2 ajohnson ajohnson 68 Apr 28 2006 NewFolder
-rw-r--r-- 1 ajohnson ajohnson 43008 Apr 14 2006 file.txt
In this example, NewFolder has the POSIX permissions drwxr-xr-x and an owner and group of ajohnson. The leading d signifies that NewFolder is a folder; the next three groups of three characters are the read, write, and execute permissions for the owner, for the group, and for everyone else.
Modifying POSIX Permissions
After you determine the current POSIX permission settings, you can modify them with the chmod command.
To modify POSIX permissions:
1 Enter the following in Terminal:
$ chmod g+w file.txt
This adds write permission for the group to file.txt.
2 View the permissions with the ls command:
$ ls -l file.txt
3 Verify that the permissions are correct.
In this example, the folder named secret is locked. To unlock the folder, change uchg to nouchg:
$ sudo chflags nouchg secret
WARNING: The chflags command also has an schg option, which sets the system immutable flag. That flag can only be cleared when the computer is in single-user mode. If it is set on a RAID, Xsan, or other storage that cannot be mounted in single-user mode, the only way to undo the setting is to reformat the volume. For more information, see the chflags man page.
Modifying ACL Permissions
You can set ACL permissions for files. The chmod command enables an administrator to grant read, write, and execute privileges to specific users on a single file.
To set ACL permissions for a file:
1 Allow specific users to access specific files. For example, to allow Anne Johnson permission to read the file secret.txt, enter the following in Terminal:
$ chmod +a "ajohnson allow read" secret.txt
2 Allow specific groups of users to access specific files.
To change the global umask:
1 Open Terminal.
2 Change the NSUmask setting to the decimal equivalent of the umask setting:
$ sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 23
You must be logged in as a user who can use sudo to perform these operations. This example sets the global umask to 027, which has the decimal equivalent 23. Replace 23 with the decimal equivalent of your desired umask setting.
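As an added example (not part of Apple’s guide), the following shell functions do by hand what the preceding sections ask you to do by eye: translate an ls -l mode string into its octal value, and work out what a given umask leaves on newly created files and folders, together with the decimal value that NSUmask expects. The two listing lines it is run on are the ones shown under “Interpreting POSIX Permissions”; the function names are the example’s own.

```shell
#!/bin/sh
# Added example (not from the Apple guide): read POSIX modes and umasks.

# mode_to_octal MODESTRING
# Turns the first ten characters of an ls -l line into a four-digit octal
# mode, e.g. drwxr-xr-x -> 0755.  The leading digit carries the setuid (4),
# setgid (2) and sticky (1) bits, shown as s/S and t/T in the execute slots.
mode_to_octal() {
    m=$1
    special=0
    digits=""
    for start in 2 5 8; do                        # user, group, other triplets
        r=$(printf '%s' "$m" | cut -c "$start")
        w=$(printf '%s' "$m" | cut -c "$((start + 1))")
        x=$(printf '%s' "$m" | cut -c "$((start + 2))")
        v=0
        [ "$r" = "r" ] && v=$((v + 4))
        [ "$w" = "w" ] && v=$((v + 2))
        case $x in
            x|s|t) v=$((v + 1)) ;;                # lowercase: execute bit is set too
        esac
        case $x in
            s|S) if [ "$start" -eq 2 ]; then special=$((special + 4))
                 else special=$((special + 2)); fi ;;
            t|T) special=$((special + 1)) ;;
        esac
        digits="$digits$v"
    done
    printf '%d%s\n' "$special" "$digits"
}

# ls_line_octal "LS -L LINE": the same, for a whole listing line.
ls_line_octal() {
    mode_to_octal "${1%% *}"
}

# octal_to_decimal 027 -> 23, the value NSUmask wants.
octal_to_decimal() {
    o=$1
    d=0
    while [ -n "$o" ]; do
        digit=${o%"${o#?}"}          # first character
        o=${o#?}                     # drop it
        d=$((d * 8 + digit))
    done
    printf '%d\n' "$d"
}

# umask_default_modes 027 -> "file 0640 dir 0750"
# New files start from 0666 and new folders from 0777; the umask clears the
# bits it names.  (438 and 511 are 0666 and 0777 in decimal.)
umask_default_modes() {
    u=$(octal_to_decimal "$1")
    printf 'file %04o dir %04o\n' $((438 & ~u)) $((511 & ~u))
}

# Demonstration on the two listing lines from the guide.
ls_line_octal "drwxr-xr-x 2 ajohnson ajohnson 68 Apr 28 2006 NewFolder"   # 0755
ls_line_octal "-rw-r--r-- 1 ajohnson ajohnson 43008 Apr 14 2006 file.txt" # 0644
umask_default_modes 027                                                  # file 0640 dir 0750
```

A umask of 027 therefore gives new files 0640 and new folders 0750: the group can read but not write, and everyone else gets nothing, which is what the NSUmask value 23 above enforces for applications that honour it.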
Encrypting Home Folders Mac OS X includes FileVault, which can encrypt your home folder and all the files contained within it. You should use FileVault on portable computers, and on any other computers whose physical security you cannot guarantee. You should enable FileVault encryption for your computer and for all its user accounts. FileVault moves all the content of your home folder into a sparse disk image that uses AES-128 encryption.
Using FileVault Master Keychain
A FileVault master keychain holds a master password that can decrypt the home folder of any account on the computer that uses FileVault. Set one so that data is not lost if a user forgets the account password that normally decrypts it; the master keychain can then be used to recover the data. Because it can unlock every FileVault home folder on the computer, guard the master password as closely as the administrator password.
To create the FileVault master keychain:
1 Open System Preferences > Security.
Using a server based encrypted disk image provides the added benefit of encrypting all network traffic between the computer and the server hosting the mounted encrypted disk image. Creating a New Encrypted Disk Image You can create a read/write image or a sparse image to encrypt and securely store data. A read/write image consumes the entire space that was defined when the image was created.
Creating an Encrypted Disk Image from Existing Data If you must maintain data confidentiality when transferring files from your computer, but you don’t need to encrypt files on your computer, create a disk image from existing data. Such situations include unavoidable plain text file transfers across a network, such as email attachments or FTP, or copying to removable media, such as a CD-R or floppy disk.
To create an encrypted, read-only document: 1 Open the document. 2 Choose File > Print. Some applications don’t allow you to print from the File menu. These applications might allow you to print from other menus. 3 Click PDF and choose Encrypt PDF. 4 Enter a password and verify it. Click Continue. 5 Enter a name for the document and choose a location. Click Save. You should test your document by opening it. You’ll be required to enter the password before you can view the contents of your document.
Using Disk Utility to Securely Erase a Disk or Partition You can use Disk Utility to securely erase a partition, using any of three methods: a zero-out erase, a 7-pass erase, or a 35-pass erase. Note: If you have a partition with Mac OS X installed and you want to securely erase an unmounted partition, you don’t have to use your installation discs. In the Finder, open Disk Utility (located in /Applications/Utilities/). WARNING: Securely erasing a partition is irreversible.
To securely erase a folder named secret:
$ srm -r -s secret
The -r option removes the folder and its contents recursively, and the -s option (simple) overwrites with a single random pass. For a more thorough erase, use -m (medium) to perform a 7-pass erase. The -s option overrides -m if both are present; if neither is specified, a 35-pass erase is used. For more information, see the srm man page.
Using Disk Utility to Securely Erase Free Space You can use Disk Utility to securely erase free space on partitions, using a zero-out erase, a 7-pass erase, or a 35-pass erase. To securely erase a free space using Disk Utility: 1 Open Disk Utility (located in /Applications/Utilities/). 2 Select the partition on which you want to securely erase free space. Be sure to select a partition, not a drive. Partitions are contained within drives, and are indented one level in the list on the left.
7 Securing Network Services 7 Securely configuring network services is an important step in the process of securing your computer against network attacks. Organizations depend on network services to communicate with other computers, both on a private network and on a wide area network. Improperly configured network services provide an avenue for attacks. This chapter recommends settings and configurations for network services, to improve the security of network communication.
Mail automatically recognizes sender and recipient certificates. It notifies you of the inclusion of certificates by displaying a Signed (checkmark) icon and an Encrypt (closed lock) icon. When sending signed or encrypted email messages, the sender’s certificate must contain the case-sensitive email address listed in Mail preferences. You can disable the display of remote images in HTML messages in Mail’s Viewing preferences.
If you use a third-party web-browsing application, consider applying similar security guidelines. For information about how to perform these tasks and for other Safari security tips, open Safari Help and search for “security.” Securing Instant Messaging You can use iChat to send secure text, audio, and video messages. You can also use iChat to securely send files. To set up secure iChat messaging, both you and your buddy must have a .Mac membership and have Mac OS X version 10.4.3 or later installed.
To use VPN, you connect using a transport protocol—either L2TP over IPSec or PPTP. L2TP over IPSec is more secure. PPTP provides compatibility with VPN servers that don’t support L2TP over IPSec. It supports 128-bit and 40-bit encryption. 128-bit encryption is much more secure than 40-bit encryption. VPN also requires that you authenticate both yourself and the computer.
An attacker cannot view data transferred between Anne Johnson and the office because the VPN is an encrypted connection. To ensure secure remote communication, you should use encrypted connections only. Securing Firewall Mac OS X includes firewall software that you can access in the Firewall pane of Sharing preferences. When you enable the firewall, the computer only allows communication on ports used by required services.
Mac OS X also includes ipfw, a command-line firewall tool. You can fully customize this tool and use it to set up advanced firewall rules. For information, enter man ipfw in a Terminal window.
[Figure: A firewall in front of an FTP server, an SSH server, and a web server only allows access from IP address 192.168.12. An SSH (port 22) access request from Tom Clark’s computer, IP address 192.168.8.113, is blocked; a request from an allowed address is forwarded to the SSH server listening on port 22.]
Enabling TCP Wrappers
A TCP wrapper is an access-control layer that controls a particular service and allows traffic only from certain computers or networks in and out of a particular port. You can use the tcpd command-line tool to enable a TCP wrapper; the access lists it consults are /etc/hosts.allow and /etc/hosts.deny. By using TCP wrappers you can enhance the security of your network by further restricting access to a particular service. For example, you can configure a TCP wrapper to permit a particular computer or network to use SSH or web services and deny all other hosts. This is a host-level check layered beneath the firewall, not a replacement for it.
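The decision a TCP wrapper makes is simple enough to reproduce, and doing so lets you check a proposed hosts.allow and hosts.deny policy against sample clients before deploying it. The following is an added example, not code from the guide: it implements tcpd’s evaluation order (hosts.allow first, then hosts.deny, allow if neither matches) over a constructed policy that matches the figure above, where only the 192.168.12.0/24 network may reach SSH. It assumes client patterns are the ALL wildcard, single IPv4 addresses, or address/prefix and address/netmask forms; host-name patterns and EXCEPT clauses are not handled, and the daemon names sshd and httpd are illustrative.

```shell
#!/bin/sh
# Added example (not from the Apple guide): the host-based decision a TCP
# wrapper makes from /etc/hosts.allow and /etc/hosts.deny, in plain shell.

# Constructed sample policy: SSH only from the 192.168.12.0/24 office
# network, the web server from anywhere, everything else denied.
HOSTS_ALLOW="sshd: 192.168.12.0/255.255.255.0
httpd: ALL"
HOSTS_DENY="ALL: ALL"

# ip_to_int 192.168.12.45 -> the address as one integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%d\n' $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_net CLIENT NETWORK/PREFIX (or NETWORK/NETMASK) -> exit 0 if inside
ip_in_net() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    suffix=${2#*/}
    case $suffix in
        *.*) mask=$(ip_to_int "$suffix") ;;                        # dotted netmask
        *)   mask=$(( (4294967295 << (32 - suffix)) & 4294967295 )) ;;  # prefix length
    esac
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# client_matches PATTERN CLIENT_IP
client_matches() {
    case $1 in
        ALL) return 0 ;;
        */*) ip_in_net "$2" "$1" ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# list_matches "a, b, c" CANDIDATE KIND   (KIND is daemon or client)
list_matches() {
    hit=1
    saved_ifs=$IFS
    IFS=,
    for item in $1; do
        IFS=$saved_ifs                  # the list is already split; restore now
        item=$(printf '%s' "$item" | tr -d ' ')
        if [ "$3" = daemon ]; then
            if [ "$item" = ALL ] || [ "$item" = "$2" ]; then hit=0; fi
        elif client_matches "$item" "$2"; then
            hit=0
        fi
    done
    IFS=$saved_ifs
    return $hit
}

# rules_match RULES DAEMON CLIENT_IP: exit 0 on the first "daemons: clients"
# line that matches both columns
rules_match() {
    while IFS=: read -r daemons clients; do
        [ -n "$daemons" ] || continue
        if list_matches "$daemons" "$2" daemon && list_matches "$clients" "$3" client; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# wrapper_decision DAEMON CLIENT_IP -> ALLOW or DENY, in tcpd's order:
# hosts.allow first, then hosts.deny, and allow if neither file matches.
wrapper_decision() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then
        echo ALLOW
    elif rules_match "$HOSTS_DENY" "$1" "$2"; then
        echo DENY
    else
        echo ALLOW
    fi
}

# The situation in the figure: Tom Clark's computer is outside the office
# network and is turned away from the SSH server.
wrapper_decision sshd 192.168.12.45   # ALLOW
wrapper_decision sshd 192.168.8.113   # DENY
```

Note the final else branch: with an empty hosts.deny the wrapper allows everything it was not told to refuse, which is why a deny-by-default line such as ALL: ALL belongs in hosts.deny on any machine that uses wrappers.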
Securing SSH
You can use the ssh command-line tool to securely connect to remote computers. The ssh tool enables several forms of authentication, including password and key-based authentication. It also encrypts data that travels over the network, and prevents data from being altered in transit.
Enabling an SSH Connection
You must first enable Remote Login in Sharing preferences on the server. For more information, see “Securing Sharing Preferences” on page 87.
5 Compare the fingerprint displayed on the client with the one displayed on the server. If they match, enter yes on the client. If they do not match, your connection is not authentic. You should not have to validate the server’s fingerprint again. If you are asked to validate it again, either the server’s host key has changed (for example, because Mac OS X was reinstalled on the server) or your connection may have been intercepted. Verify with the server administrator, by a channel other than the SSH connection itself, before accepting the new key.
4 On the client, when prompted for a location to store the keys, press Enter without entering a location. The keys are stored in /Users/username/.ssh/. The public key is named id_dsa.pub, and the private key is named id_dsa.
5 On the client, when prompted to enter a passphrase, enter a complex password. A complex password is at least twelve characters long and is composed of mixed-case letters, numbers, and special characters. For more information, see “Creating Complex Passwords” on page 149.
Default                      Replace with                  Modification notes
#UsePAM yes                  UsePAM no                     Not needed for key-based authentication
#StrictModes yes             StrictModes yes               Ensures that files and folders are adequately protected by the server’s permissions scheme
#LoginGraceTime 2m           LoginGraceTime 30             Reduces the time allowed to authenticate to 30 seconds
#KeyRegenerationInterval 1h  KeyRegenerationInterval 3600  Ensures that the server key is changed frequently
#ServerKeyBits 768           ServerKeyBits 768             Requires that the server key i
Note that 3600 seconds is the same as the 1h default and 768 is already the default ServerKeyBits value, so those two rows restate the defaults rather than tighten them; both directives apply only to SSH protocol version 1.
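Two details in the table above are easy to get wrong by hand: a commented-out line such as #UsePAM yes only documents the built-in default, and when a directive appears more than once sshd uses the first uncommented occurrence, so appending UsePAM no below an existing UsePAM yes changes nothing. The following added example (not code from the guide) audits a configuration against the table with both rules applied. The two configurations it checks are constructed for the example: the stock file with every line commented out, and a copy edited as the table recommends.

```shell
#!/bin/sh
# Added example (not from the Apple guide): audit an sshd_config against the
# values recommended in the table.  sshd takes the first uncommented setting
# of a directive; an absent directive is checked against its default.

# directive:recommended:default, taken from the table (the defaults are the
# commented-out values in the stock file).
SSHD_CHECKS="UsePAM:no:yes
StrictModes:yes:yes
LoginGraceTime:30:2m
KeyRegenerationInterval:3600:1h
ServerKeyBits:768:768"

# Constructed sample configs.
STOCK_SSHD_CONFIG="#UsePAM yes
#StrictModes yes
#LoginGraceTime 2m
#KeyRegenerationInterval 1h
#ServerKeyBits 768"
HARDENED_SSHD_CONFIG="UsePAM no
StrictModes yes
LoginGraceTime 30
KeyRegenerationInterval 3600
ServerKeyBits 768"

# effective_value CONFIG_TEXT DIRECTIVE DEFAULT -> what sshd will use.
# Directive names are case-insensitive; comment lines never match because
# their first field starts with '#'; only the first match is kept.
effective_value() {
    val=$(printf '%s\n' "$1" | awk -v k="$2" \
        'tolower($1) == tolower(k) && v == "" { v = $2 } END { print v }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# to_seconds 2m -> 120, so that "1h" and "3600" compare equal.
to_seconds() {
    case $1 in
        [0-9]*s) printf '%d\n' "${1%s}" ;;
        [0-9]*m) printf '%d\n' $(( ${1%m} * 60 )) ;;
        [0-9]*h) printf '%d\n' $(( ${1%h} * 3600 )) ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# sshd_config_audit CONFIG_TEXT: prints one line per directive that differs
# from the recommendation and exits non-zero if there were any.
sshd_config_audit() {
    findings=0
    while IFS=: read -r key want dflt; do
        have=$(effective_value "$1" "$key" "$dflt")
        if [ "$(to_seconds "$have")" != "$(to_seconds "$want")" ]; then
            printf '%s: have %s, want %s\n' "$key" "$have" "$want"
            findings=$((findings + 1))
        fi
    done <<EOF
$SSHD_CHECKS
EOF
    [ "$findings" -eq 0 ]
}

sshd_config_audit "$STOCK_SSHD_CONFIG" || echo "stock config needs changes"
sshd_config_audit "$HARDENED_SSHD_CONFIG" && echo "hardened config matches the table"
```

Run against the stock file, the audit reports only UsePAM and LoginGraceTime; the KeyRegenerationInterval and ServerKeyBits rows pass because the recommended values are the defaults. To audit a real server, read the file into the variable (for example with cat /etc/sshd_config) and extend SSHD_CHECKS with whatever else your policy requires.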
Preventing Connections to Unauthorized Host Servers
You can prevent your computer from connecting to rogue SSH servers by maintaining the list of known hosts, either system-wide in /etc/ssh_known_hosts or per user in ~/.ssh/known_hosts. This file lists the servers to which you are allowed to connect, including their domain names and their public keys. On its own the file only detects a changed key; to refuse servers that are not listed, also set StrictHostKeyChecking yes in the ssh client configuration.
To prevent your computer from connecting to unauthorized servers:
1 If ~/.ssh/ doesn’t exist, enter the following command:
$ mkdir ~/.ssh/
2 If ~/.ssh/known_hosts exists, enter the following command to remove it:
$ rm ~/.
Using SSH as a Tunnel
SSH can be used to create a secure tunnel connecting to a server or client computer. Many organizations only allow connections through a single port on the firewall, to enhance network security. By using SSH tunneling, you can connect through that single port and reach a computer on the network. This is important for computers on the network that are not configured for secure encrypted communication.
Securing Bonjour Bonjour is a protocol for discovering file, print, chat, music sharing, and other services on IP networks. Bonjour listens for service inquiries from other computers, and also provides information about your available services. Users and applications on your local network can use Bonjour to quickly determine which services are available on your computer.
Securing Network Services By default, none of the network services listed in Sharing preferences are enabled and their respective ports are closed. Carefully choose which network services you want to enable. As you enable more services, you open more ports and increase the chance of network intrusion. Additionally, each service has specific security issues that you should be aware of. Improperly configured network services are a major security risk.
Securing Windows Sharing
Windows sharing allows users to access shared files and printers using the SMB/CIFS protocol. You should not enable Windows sharing, because there are well-known risks associated with SMB/CIFS. For example, SMB/CIFS authenticates with NTLMv1 and NTLMv2, which rely on weak, unsalted password hashes, and enabling the service for an account requires the computer to store such a hash for that account. When you enable Windows sharing, Mac OS X describes the dangers associated with SMB/CIFS.
Securing FTP Access The File Transfer Protocol (FTP) is an insecure tool used for file sharing that should not be enabled. When you authenticate with most FTP servers, your password is sent in clear text format. A computer with Mac OS X Server that provides FTP service can use Kerberos-based authentication. Although Kerberos provides secure authentication, data sent over FTP is still not secure. You should disable FTP service to prevent the chance of sending clear text passwords over a network.
When you volunteer your computer as an agent, or when you run a grid-enabled application as a client, you should always explicitly specify the controller by name or address. Although your computer can use Bonjour to automatically discover controllers on the local network, when you explicitly specify a controller, you help ensure that your computer connects to the intended Xgrid controller, and not a malicious controller.
8 Validating System Integrity
Monitoring events and logs can help to protect the integrity of your computer. Using auditing and logging tools to monitor your computer can help you secure your computer. By reviewing these audits and log files, you can detect login attempts from unauthorized users or computers and further lock down your configuration settings. This chapter also discusses antivirus tools, which detect unwanted viruses.
Configuring Log Files Logging is the recording of various events, including changes to service status, processes, and operating system components. Some of these events are security related, while others are information messages about your computer’s activity. If an unexpected error occurs, you can analyze logs to help determine the cause of the error. For example, the logs might explain why a software update can’t be installed, or why you can’t authenticate.
The following sample line specifies that for any log messages in the category “mail,” with a priority of “emerg” or higher, the message will be written to the /var/log/mail.log file:
mail.emerg /var/log/mail.log
The facility and priority are separated by only a period, and these are separated from the action by one or more tabs. Wildcards (“*”) can also be used in the configuration file. The following sample line logs all messages of any facility or priority to the file /var/log/all.log:
*.* /var/log/all.
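A selector does more than the two lines above show: the priority is a floor (that level and everything more severe), facilities can be listed with commas, several selectors can be joined with semicolons, and a trailing facility.none removes a facility that an earlier wildcard pulled in; when more than one selector names a facility, the last one wins. The following added example (not code from the guide) implements that matching in shell and routes sample messages through a constructed syslog.conf built from the two lines in the text plus one line that collects auth messages while leaving mail out. File names and the third line are the example’s own.

```shell
#!/bin/sh
# Added example (not from the Apple guide): how syslogd reads a selector.

# Constructed sample syslog.conf.
SAMPLE_SYSLOG_CONF="mail.emerg    /var/log/mail.log
*.*           /var/log/all.log
auth,authpriv.info;mail.none   /var/log/auth.log"

# Priorities from least to most severe, as syslog(3) defines them.
SYSLOG_PRIORITIES="debug info notice warning err crit alert emerg"

# prio_rank err -> 4; prints nothing and fails for an unknown name
prio_rank() {
    i=0
    for p in $SYSLOG_PRIORITIES; do
        if [ "$p" = "$1" ]; then printf '%d\n' "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# facility_listed "auth,authpriv" auth -> exit 0 if named (or "*")
facility_listed() {
    list=$1
    while [ -n "$list" ]; do
        head=${list%%,*}
        if [ "$head" = '*' ] || [ "$head" = "$2" ]; then return 0; fi
        if [ "$head" = "$list" ]; then break; fi      # no comma left
        list=${list#*,}
    done
    return 1
}

# selector_matches "auth,authpriv.info;mail.none" FACILITY PRIORITY
# Walks the semicolon-separated selectors; the last one that names the
# facility decides, which is how "*.*;mail.none" excludes mail.
selector_matches() {
    sels=$1
    result=1
    while [ -n "$sels" ]; do
        sel=${sels%%;*}
        facs=${sel%.*}
        prio=${sel##*.}
        if facility_listed "$facs" "$2"; then
            case $prio in
                none) result=1 ;;
                '*')  result=0 ;;
                *)    floor=$(prio_rank "$prio") || floor=99   # unknown: never matches
                      have=$(prio_rank "$3") || have=-1
                      if [ "$have" -ge "$floor" ]; then result=0; else result=1; fi ;;
            esac
        fi
        if [ "$sel" = "$sels" ]; then break; fi
        sels=${sels#*;}
    done
    return $result
}

# route_message CONF FACILITY PRIORITY -> prints every action (log file)
# that receives a message with that facility and priority
route_message() {
    while read -r selector action; do
        case $selector in ''|'#'*) continue ;; esac
        if selector_matches "$selector" "$2" "$3"; then
            printf '%s\n' "$action"
        fi
    done <<EOF
$1
EOF
}

route_message "$SAMPLE_SYSLOG_CONF" mail emerg   # mail.log and all.log
route_message "$SAMPLE_SYSLOG_CONF" mail err     # all.log only: err is below the emerg floor
```

The second call is the point to remember when reviewing a syslog.conf: mail.emerg captures nothing below emerg, so a line like that does not give you a mail log, it gives you an emergencies-only log.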
The following line would change the time to 12:15 p.m. on Tuesday, when the computer is much more likely to be on:
#Minute  Hour  DayOfMonth  Month  DayOfWeek  User  Command
15       12    *           *      2          root  periodic weekly
Remote System Logging
You should use remote logging in addition to local logging for any computer, because local logs can easily be altered if the computer is compromised. Several security issues must also be considered when deciding whether to use remote logging.
About File Integrity Checking Tools File integrity tools help protect your computer by detecting and logging all changes to file system objects, such as files and folders. Some file integrity tools can also detect changes to your local directory domain, and to any kernel modules. Depending on the file integrity tool you choose, you can also use advanced features, such as the ability to reverse individual file system changes, or to receive highly detailed logs in a variety of formats.
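The core of every file integrity tool is the same check: record a cryptographic hash of each file while the system is known good, then compare a fresh set of hashes against that baseline and report what was added, removed, or modified. The following added example (not code from the guide or from any particular tool) performs that check in shell over a constructed directory tree. It assumes sha256sum (coreutils) or shasum (perl) is available and that file names contain no whitespace, and it makes the point the remote-logging section above makes for logs: the stored baseline must live somewhere an intruder on the machine cannot rewrite, or the comparison proves nothing.

```shell
#!/bin/sh
# Added example (not from the Apple guide): the core of a file integrity
# check.  A baseline records a SHA-256 hash for every file under a directory;
# comparing a fresh baseline against a stored one reports additions,
# removals and modifications.  Keep the stored baseline on read-only media
# or another host, not on the machine being checked.

# sha256 FILE... -> "hash  file" per line, whichever tool the system has
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# build_baseline DIR -> sorted "hash  ./relative/path" lines for every file
build_baseline() {
    (
        cd "$1" || exit 1
        find . -type f | LC_ALL=C sort | while read -r f; do
            sha256 "$f"
        done
    )
}

# hash_for BASELINE PATH -> the recorded hash, or nothing if PATH is absent
hash_for() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

# compare_baseline OLD NEW -> one line per difference:
#   MODIFIED ./path   REMOVED ./path   ADDED ./path
compare_baseline() {
    old=$1
    new=$2
    printf '%s\n' "$old" | while read -r h p; do
        [ -n "$p" ] || continue
        nh=$(hash_for "$new" "$p")
        if [ -z "$nh" ]; then
            echo "REMOVED $p"
        elif [ "$nh" != "$h" ]; then
            echo "MODIFIED $p"
        fi
    done
    printf '%s\n' "$new" | while read -r h p; do
        [ -n "$p" ] || continue
        if [ -z "$(hash_for "$old" "$p")" ]; then
            echo "ADDED $p"
        fi
    done
}

# Demonstration on a constructed tree in a temporary directory.
demo_integrity_check() {
    dir=$(mktemp -d)
    mkdir "$dir/sub"
    printf 'one\n' > "$dir/a.txt"
    printf 'two\n' > "$dir/b.txt"
    printf 'keep\n' > "$dir/sub/c.txt"
    before=$(build_baseline "$dir")        # this is the copy to store off-host
    printf 'ONE\n' > "$dir/a.txt"          # modified
    rm "$dir/b.txt"                        # removed
    printf 'new\n' > "$dir/d.txt"          # added
    after=$(build_baseline "$dir")
    compare_baseline "$before" "$after"
    rm -rf "$dir"
}

demo_integrity_check
```

The demonstration prints MODIFIED ./a.txt, REMOVED ./b.txt and ADDED ./d.txt and says nothing about ./sub/c.txt, which did not change. A real tool adds what this omits: ownership, permissions and flags in the baseline, a signed or off-host copy of it, and scheduled runs whose output goes to the remote log.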
A Security Checklist Appendix A This appendix contains a checklist of recommended steps required to secure Mac OS X. This appendix contains checklists of all the action items found throughout this guide, ordered by chapter. You can customize these checklists to suit your needs. For example, you can mark the completion status of action items in the “Completed?” column. If you deviate from the suggested action item, you can use the “Notes” column to justify or clarify your deviation.
Action Item Completed? Notes Use an internal Software Update server Update system software using verified packages Repair disk permissions after installing software or software updates Hardware and Core Mac OS X Action Items For details, see Chapter 3, “Protecting Hardware and Securing Global System Settings,” on page 31.
Action Item Completed? Notes Restrict sudo users to being able to access only required commands Securely configure LDAPv3 access Securely configure Active Directory access Use Password Assistant to help generate complex passwords Authenticate using a smart card, token, or biometric device Set a strong password policy Secure the login keychain Secure individual keychain items Create specialized keychains for different purposes Use a portable drive to store keychains Securing System Software Action Items
Accounts Preferences Action Items For details, see “Securing Accounts Preferences” on page 63. Action Item Completed? Notes Change initial password for the system administrator account Disable automatic login Display login window as name and password Disable “Show the Restart, Sleep, and Shut Down buttons” Disable “Show password hints” Disable “Enable fast user switching” Appearance Preferences Action Items For details, see “Securing Appearance Preferences” on page 66.
CDs & DVDs Preferences Action Items For details, see “Securing CDs & DVDs Preferences” on page 68.
Dashboard and Exposé Preferences Action Items For details, see “Securing Dashboard and Exposé Preferences” on page 71 Action Item Completed? Notes Do not set any screen corner to Disable Screen Saver for each user account Set a screen corner to Start Screen Saver for each user account Remove privileges to modify Dashboard & Exposé System Preferences Date & Time Preferences Action Items For details, see “Securing Date & Time Preferences” on page 72.
Energy Saver Preferences Action Items For details, see “Securing Energy Saver Preferences” on page 77.
Print & Fax Preferences Action Items For details, see “Securing Print & Fax Preferences” on page 82. Action Item Completed? Notes Only use printers in secure locations Disable receiving faxes Disable printer sharing Disable sending faxes QuickTime Preferences Action Items For details, see “Securing QuickTime Preferences” on page 84.
Sharing Preferences Action Items For details, see “Securing Sharing Preferences” on page 87. Action Item Completed? Notes Change the computer name Enable firewall protection for services used Disable Internet Sharing Software Update Preferences Action Items For details, see “Securing Software Update Preferences” on page 90.
Spotlight Preferences Action Items For details, see “Securing Spotlight Preferences” on page 93. Action Item Completed? Notes Prevent Spotlight from searching all confidential folders Startup Disk Preferences Action Items For details, see “Securing Startup Disk Preferences” on page 95. Action Item Completed? Notes Carefully choose the startup volume Data Maintenance and Encryption Action Items For details, see Chapter 6, “Securing Data and Using Encryption,” on page 97.
Action Item Completed? Notes Configure Safari to disable AutoFill, not use cookies, and ask before sending nonsecure forms Always use Safari’s Private Browsing and frequently empty Safari’s cache Update iChat by upgrading to Mac OS X version 10.4.3 or later, and use .
System Integrity Validation Action Items For details, see Chapter 8, “Validating System Integrity,” on page 131.
Daily Best Practices B Appendix B This appendix contains best practices for passwords and computer usage. Passwords are a common method of authenticating with another computer. This appendix explains how to create, store, and manage passwords. It also discusses communication and computer usage guidelines. Password Guidelines Many applications and services require that you create passwords to authenticate.
Using an Algorithm to Create a Complex Password Consider creating an algorithm to make a complex (but memorable) password. Using an algorithm can increase the randomness of your password. Additionally, instead of having to remember a complex password, you must remember only the algorithm. The following example shows one possible algorithm for creating a complex password. Instead of using this algorithm, create your own or modify this one.
Safely Storing Your Password If you store your password or the algorithm used to make your password in a safe place, you’ll be able to create more complex passwords without the fear of being unable to recover forgotten passwords. When storing passwords, make sure your storage location is safe, unknown, and inaccessible to intruders. Consider storing your passwords in a sealed envelope within a locked container. Don’t store your password anywhere near your computer.
Email, Chat, and Other Online Communication Guidelines
Be especially careful when sending and receiving email, instant messages, or any other kind of online communication. Online communication devices can be exploited by intruders who send you malicious files that compromise your computer’s integrity. They can also phish for information, which can be used to compromise account integrity and confidential information.
• Separate your confidential and personal usage between accounts. You should have an account dedicated to performing secure tasks, like confidential work, and you should have another account that you use to do less secure tasks, like personal errands.
• Disable your computer when you’re away from it. Either turn off the computer, or enable a password-protected screensaver. For more information, see “Securing Desktop & Screen Saver Preferences” on page 74.
Glossary

This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics.

access control: A method of controlling which computers can access a network or network services.
ACE: Access Control Entry. An entry within the ACL that controls access rights. See ACL.
ACL: Access Control List.

BIND: Berkeley Internet Name Domain. The program included with Mac OS X Server that implements DNS. The program is also called the name daemon, or named, when the program is running.
binding: (n.) A connection between a computer and a directory domain for the purpose of getting identification, authorization, and other administrative data. (v.) The process of making such a connection. See also trusted binding.

controller: In an Xsan storage area network, short for metadata controller. In RAID systems, controller refers to hardware that manages the reading and writing of data. By segmenting and writing or reading data on multiple drives simultaneously, the RAID controller achieves fast and highly efficient storage and access. See also metadata controller.
controller cache: A cache that resides within a controller and whose primary purpose is to improve disk performance.

domain: Part of the domain name of a computer on the Internet. It does not include the Top Level Domain designator (for example, .com, .net, .us, .uk). Domain name “www.example.com” consists of the subdomain or host name “www,” the domain “example,” and the top level domain “com.”
DoS attack: Denial of service attack. An Internet attack that uses thousands of network pings to prevent the legitimate use of a server.
hash (noun): A scrambled, or encrypted, form of a password or other text.
host: Another name for a server.
host name: A unique name for a computer, historically referred to as the UNIX hostname.
HTTP: Hypertext Transfer Protocol. The client/server protocol for the World Wide Web. The HTTP protocol provides a way for a web browser to access a web server and request hypermedia documents created using HTML.
ICMP: Internet Control Message Protocol.

Kerberos: A secure network authentication system. Kerberos uses tickets, which are issued for a specific user, service, and period of time. Once a user is authenticated, it’s possible to access additional services without retyping a password (this is called single sign-on) for services that have been configured to take Kerberos tickets. Mac OS X Server uses Kerberos v5.

NFS: Network File System. A client/server protocol that uses Internet Protocol (IP) to allow remote users to access files as though they were local. NFS exports shared volumes to computers according to IP address, rather than user name and password.
node: A processing location. A node can be a computer or some other device, such as a printer. Each node has a unique network address. In Xsan, a node is any computer connected to a storage area network.
NTP: Network time protocol.

phishing: An attempt to masquerade as a trusted organization or individual to trick others into divulging confidential information.
PKI: Public Key Infrastructure. A mechanism that allows two parties to a data transaction to authenticate each other and use encryption keys and other information in identity certificates to encrypt and decrypt messages they exchange.
POP: Post Office Protocol. A protocol for retrieving incoming mail.
public key infrastructure: A secure method of exchanging data over an unsecure public network, such as the Internet, by using public key cryptography.
QTSS: QuickTime Streaming Server. A technology that lets you deliver media over the Internet in real time.
record type: A specific category of records, such as users, computers, and mounts. For each record type, a directory domain may contain any number of records.
recursion: The process of fully resolving domain names into IP addresses.

share point: A folder, hard disk (or hard disk partition), or CD that’s accessible over the network. A share point is the point of access at the top level of a group of shared items. Share points can be shared using AFP, Windows SMB, NFS (an “export”), or FTP protocols.
shared secret: A value defined at each node of an L2TP VPN connection that serves as the encryption key seed to negotiate authentication and data transport connections.

subnet: A grouping on the same network of client computers that are organized by location (different floors of a building, for example) or by usage (all eighth-grade students, for example). The use of subnets simplifies administration. See also IP subnet.
TCP: Transmission Control Protocol. A method used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet.

workgroup: A set of users for whom you define preferences and privileges as a group. Any preferences you define for a group are stored in the group account.
zone transfer: The method by which zone data is replicated among authoritative DNS servers. Slave DNS servers request zone transfers from their master servers to acquire their data.