UNCLASSIFIED
Report Number: I331-009R-2004
Apple Mac OS X v10.3.x “Panther” Security Configuration Guide
Guide Version 1.1
Systems and Network Attack Center (SNAC)
National Security Agency
9800 Savage Rd. Ft.
Warnings
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Apple Mac OS X v. 10.3.x “Panther” and should not be applied to any other Mac OS versions or operating systems.
Trademark Information
Apple, Macintosh, Mac OS X, and “Panther” are either registered trademarks or trademarks of the Apple Computer Corporation in the U.S.A. and other countries. All other names are registered trademarks or trademarks of their respective companies.
Table of Contents
Warnings
Table of Contents
Introduction
Getting the Most from this Guide
Network
Sharing
Accounts
Date and Time
Creating an Encrypted Image From Existing Data
References
Additional Resources
Introduction
The purpose of this guide is to provide an overview of Mac OS X v10.3.x “Panther” operating system security and recommendations for configuring the security features. This guide provides recommended settings to secure systems using this operating system, and points out problems that could cause security concerns in systems using this operating system. This document is intended for anyone managing a locally-administered Apple Mac OS X v10.3.x system.
About this Guide
This document consists of six chapters and two appendices:
Chapter 1, “Scope of Guidance,” contains an overview of the type of system for which this guidance is intended.
Chapter 2, “Introduction to Mac OS X Security,” contains a brief overview of some of the key security features found in the Mac OS X operating system.
Chapter 3, “Initial Installation,” contains step-by-step guidance for installing a new Mac OS X system.
Chapter 1 – Scope of Guidance
Apple’s Mac OS X operating system is very versatile, and can be used not only as a client workstation, but also to manage entire networks of machines and users. Apple offers two versions of the operating system: Mac OS X and Mac OS X Server. The two products offer many of the same administration and configuration features.
user. This method is labor-intensive for the system administrator, so the most appropriate method of password control for the operational site should be chosen. The guidance is also written such that a system secured using this guide should be easily transitioned into being a managed client in a Client-Server environment.
Chapter 2 – Introduction to Mac OS X Security
Mac OS X v10.3.x (a.k.a. “Panther”) is the latest version of the Mac OS X operating system as of the printing of this guidance. This system combines the GUI-based, user-friendly features of the Macintosh operating system with the underlying foundation of a BSD Unix system. This chapter provides a brief look at the security features built into the Mac OS X system.
from an administrator account login. This means there will be an audit log showing when users have acted as root. Without this kind of accountability, it is difficult to know if an adverse action on the system was the result of an administrator error or a malicious attack. The root account should never need to be enabled, and it is strongly recommended that root remain disabled.
Security Support for Applications
The Keychain Access application provides a user-friendly interface that allows storage of secure keys, passwords, and certificates for use with Mail and Safari, as well as other applications. Importing a certificate, for example, is a point-and-click operation. This allows users to easily configure their computer for encrypted network transmissions, enhancing the security of e-mail and web applications.
Chapter 3 – Initial Installation
Although secure configuration of an existing Mac OS X installation is possible, securely configuring a fresh installation is much simpler. Although this may not always be practical, it is the recommended way to configure Mac OS X. This section details the steps involved in such an installation. If it is not possible to re-install the system, much of this chapter will not be applicable.
• Only user files and data should be saved and later restored; restoring system settings or previous accounts may change the system configuration specified in this guidance.
• Applications should be re-loaded from the original media, not restored from a backup.
• An “Archive and Install” option is available during installation. This option saves the current user accounts and restores them once the system has been re-installed.
Continue Through Installation Screens
Any necessary partitioning of the hard drive can be performed at this point, by selecting Disk Utility from the Installer menu. Only experienced administrators who understand how to properly partition a drive should perform disk partitioning. For information on using Disk Utility to partition a drive, see Disk Utility Help. All startup disks on a system should be securely configured.
6. Click the Continue button when the Select a Destination screen re-appears.
Install Mac OS X – Easy Install on
1. DO NOT CLICK “INSTALL” YET! Click on the Customize button to bring up the list of packages available for installation. Skipping unnecessary packages can drastically reduce Mac OS X installation time. For example, not installing the Language Translation Package saves the time required to install the 695 MB package.
2.
iCal – Optional. iCal provides an electronic calendar, including some Internet connectivity features that present a security concern in some environments. Site policy and operational requirements should determine whether this tool is loaded.
→ Printer Drivers – Installs printer drivers for some Canon, Epson, Lexmark, and Hewlett-Packard printers. Install only those needed for the environment where the system will reside.
→ Additional Speech Voices – No.
Initial System Configuration
The next set of screens deals with configuring the just-installed operating system. Again, instructions will only be provided for screens where specific actions should occur to conform to this guidance.
Welcome
Personalize Your Settings
Your Apple ID
The administrative account should not be used for any purpose other than administration; therefore, it does not require an Apple ID.
across the network when the machine is connected to one. Sensitive information should never be put in these screens.
Create Your Account
This screen sets up the initial account, which is also an administrative account. If information was entered into the registration screen, that information is used to fill in default values for the name and short name fields; otherwise, these fields are blank. Account information for the initial account should be entered as follows:
1.
Get Internet Ready
Note: This screen will only appear if the entry of registration information was NOT skipped. The network security settings should be configured and validated before enabling networking on the machine. See the section on “Securing the Network” in Chapter 4 for information about configuring Mac OS X for network access. Skip connecting the machine to the Internet at this time:
1. Select I’m not ready to connect to the Internet.
2.
“Mac OS X Update 10.3.4” and security updates “Security Update 2004-05-24” and “Security Update 2004-06-07”. The guidance in this document has been confirmed under these updates. After Mac OS X v10.2.8, all security updates contain only fixes for security issues. It is possible to review the contents of each security update before installing it. To see the contents of a security update, go to Apple’s Security Support Page (http://www.apple.
Figure 1: Apple’s Update Download Web Page
Administrators should note that updates provided through the Software Update utility may sometimes appear earlier than the standalone updates. Another resource for locating current updates for Mac OS X is the Knowledge Base article on Apple’s website:
Title: Mac OS X 10.3: Chart of available Mac OS software updates
Article ID: 25633
URL: http://docs.info.apple.com/article.
being updated is loaded with Mac OS X v.10.3.2 or earlier. If any of the listed updates have already been installed on the system being configured, skip the instructions for those updates. The updates that need to be downloaded are:
• Mac OS X (10.3.3) Combined Update 10.3.3
• Security Update 2004-05-24 (10.3.3)
• Mac OS X Update 10.3.4
• Security Update 2004-06-07 (10.3.4)
Make sure to note the SHA-1 digest for each of these files.
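Added example (not part of the original guide): a POSIX shell check that compares each downloaded update file against the SHA-1 digest noted at download time and reports missing or altered files. The manifest format, the function names and the stand-in file names are assumptions of this example; the demonstration digests are computed from constructed files, not taken from Apple.

```shell
#!/bin/sh
# Added example: verify update images against SHA-1 digests noted earlier.
# Manifest format (assumed here): "<40-hex-digest>  <filename>", one per line.

# Print the SHA-1 digest of a file using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_updates MANIFEST DIR
# Prints one status line per manifest entry and returns 0 only if every
# listed file is present in DIR and matches its noted digest.
verify_updates() {
    manifest=$1
    dir=$2
    failures=0
    while read -r want name; do
        case "$want" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            failures=$((failures + 1))
            continue
        fi
        got=$(sha1_of "$dir/$name")
        # Digests are compared case-insensitively.
        if [ "$(echo "$got" | tr 'A-F' 'a-f')" = "$(echo "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (noted $want, computed $got)"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# Constructed demonstration: two stand-in files (not real update images).
# The second is altered after its digest was noted, so it must be flagged.
demo_verify() {
    d=$(mktemp -d) || return 1
    printf 'stand-in for update image A\n' > "$d/UpdateA.dmg"
    printf 'stand-in for update image B\n' > "$d/UpdateB.dmg"
    for f in UpdateA.dmg UpdateB.dmg; do
        echo "$(sha1_of "$d/$f")  $f"
    done > "$d/noted.sha1"
    printf 'altered after download\n' >> "$d/UpdateB.dmg"
    verify_updates "$d/noted.sha1" "$d" && rc=0 || rc=1
    rm -rf "$d"
    return "$rc"
}

demo_verify || echo "At least one file failed verification; do not install it."
```

Run the check on the machine that burns the update CD and again on the target system before opening any package, so a file altered in transit is caught before installation.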
1. Place the CD with the 10.3.3 Update package in the CD-ROM drive. Mac OS v.10.3.3 must be loaded before 10.3.4 can be installed.
2. Open the CD and double-click the MacOSXUpdateCombo10.3.3.dmg to open the disk image containing the update package.
3. Double-click the MacOSXUpdateCombo10.3.3.pkg to start the installation.
4. Follow the instructions provided by the Installer.
5.
4. Follow the instructions of the Installer.
5. When the Installer has completed, click Restart. The system will reboot and automatically login to the administrator account.
Fix Disk Permissions
Permissions on files can sometimes become set incorrectly, especially during a software installation. Incorrect permissions can cause the system to operate incorrectly and even introduce security vulnerabilities.
operating system, updates, and applications.
Chapter 4 – Configuring System Settings
System configuration follows the installation of the operating system and its updates. System-wide configuration settings are the focus of this chapter. This chapter also includes instructions for configuring the initial administrative account. In addition to these settings, user accounts should be created for each user. Chapter 5 describes the steps for creating and securely configuring additional accounts.
Removing Registration Information
Mac OS X stores any registration information gathered during the installation in a file. The system attempts to send the registration information from that file to Apple as soon as a network connection is made. Earlier in this guide, instructions were given to bypass entry of registration information.
Figure 2: System Preferences Application
Many options within the System Preferences application require an administrator’s password to unlock. When an option has been selected and its settings appear in the System Preferences panel, a lock icon will appear in the bottom left corner of the window if that particular option is lockable.
system’s method of restricting a user from doing this places other serious restrictions on the account, such as losing the ability to change the login password, that make it impractical. Issues such as this should be addressed by user policy and made clear to all users of the system.
Figure 4: Active Screen Corners Panel
7. Use the pull-down menu corresponding to the corner chosen as the screen saver hot corner, and select Start Screen Saver in the menu.
8. Click the OK button.
Security Settings
The Security option is found in the Personal row in System Preferences. Unlike most panels, the Security panel’s lock only applies to part of the panel, the bottom section for All Accounts on this Computer.
Some users reported data loss under certain circumstances when using Mac OS X version 10.3. The 10.3.1 update addresses these problems. The use of FileVault is only recommended in version 10.3.1 or later of Mac OS X. FileVault is not used to protect files transmitted over the network or saved to removable media. Mac OS X provides methods for encrypting files in these situations, described in Appendix A.
To set the FileVault master password:
1. Click on the Show All icon in System Preferences, or restart System Preferences if necessary.
2. Select Security from the personal preferences row.
3. Unlock the window for editing, if necessary.
4. Select the Set Master Password button (Figure 5).
Figure 5: FileVault Panel
5. Enter the master password for the system in the Master Password field, and again in the Verify field.
At this point, FileVault may now be activated for any user or administrative account. Enabling FileVault for individual users is addressed in Chapter 5. To enable FileVault for the current administrative account:
1. Click Turn on FileVault. A window will open asking for the user’s password. Since this is the administrator’s account, this password will be the administrator’s password.
2. Read the warning message that appears.
Figure 6: Security Panel Additional Settings
3. Place a check in the box for Require password to wake this computer from sleep or screen saver. Note that the lock icon has no effect on this particular option. This means that any user may disable this capability for his own account, even if the administrator has enabled it.
4. Unlock the window for editing if necessary.
5.
not complete until the user makes a decision about whether to save the file. Automatically activating the screen saver after a certain period of inactivity is preferred, even though the user can disable it. Administrators should periodically verify that users have not disabled the capability.
8. Click the unlocked lock icon at the bottom of the window.
2. Click on the Bluetooth icon in the Hardware row of options. If there is no Bluetooth icon, Bluetooth capability is not installed on the machine. In this case, skip to the next section.
3. Click the Turn Bluetooth Off button (Figure 7).
Figure 7: Bluetooth Configuration Panel
CDs & DVDs
The system should not perform an automatic action when a CD or a DVD is inserted.
Figure 8: CDs & DVDs Panel
3. Pull down and select Ignore for the When you insert a music CD option.
4. Pull down and select Ignore for the When you insert a picture CD option.
5. Pull down and select Ignore for the When you insert a video DVD option.
Energy Saver
The Energy Saver panel allows an administrator to configure the computer to sleep after a period of inactivity.
Figure 9: Energy Saver Sleep Panel
4. Unlock the window for editing if necessary.
5. Set the Put the computer to sleep when it is inactive for: slider to 15 minutes or whatever value is indicated by site policy.
6. All other options in this panel can be left at the default value, or changed to personal preference or to meet site policy guidelines.
7. Click on the Options button in the Energy Saver panel (Figure 10).
Figure 10: Energy Saver Options Panel
8. Uncheck the checkbox in front of the Wake when the modem detects a ring option to disable it.
9. Uncheck the checkbox in front of the Wake for Ethernet network administrator access option to disable it.
10. Uncheck the checkbox in front of the Restart automatically after a power failure option to disable it.
11. Click on the unlocked lock icon at the bottom of the panel to re-lock the panel.
4. Click on the Internal Microphone selection (if available) and set the input volume slider bar to the minimal level.
5. Click on the Line In selection in the Choose a device for sound input box to select that as the default input for sound (if available). This will effectively disable the internal microphone (Figure 11).
Figure 11: Sound Panel Line In Setting
6.
send a request for information to the Apple Federal e-mail address: AppleFederal@apple.com
Additional instructions for disabling the microphone appear in a later section of this chapter.
Network
AirPort and Bluetooth wireless connectivity options should be turned off. They will only be present in the panel if supporting hardware is installed on the system. To configure the network settings:
1.
6. Pull down the Location menu and repeat step 5 for any other locations in the menu.
8. Click the unlocked lock icon at the bottom of the panel to re-enable the lock on the System Preferences panel.
Anytime a new location is added to the configuration, AirPort, Bluetooth, and Internal Modem should be disabled as described here. Again, all wireless capability, such as AirPort and Bluetooth, should be physically disabled in secure environments.
this guide, there is no need for this capability when configuring according to this guide. This capability should remain disabled.
• Remote Apple Events: This service enables the machine to respond to Apple events from other computers, which may carry security implications. Configuring this capability is out of scope for this guide and it should remain disabled.
Figure 13: Sharing Services Configuration Panel
4. Unlock the window for editing if necessary.
5. Make sure all checkboxes are unchecked. These services are all disabled by default, and unless there is a specific operational need for a service, it should remain disabled. If a service is enabled because of an operational requirement, the risks incurred by opening that service should be considered.
application. Only the settings that are handled within the System Preferences program are addressed here. The Firewall panel in the System Preferences application does not allow the administrator to manage protocols other than incoming TCP. If managing UDP or other protocols is necessary, either ipfw (provided with Mac OS X) or a third-party tool should be used to configure the firewall. Only TCP ports are managed through the Firewall panel.
left enabled, you will need to allow them through the firewall here. The rationale for whether the ports should be opened for incoming access is the same as given above for Services. There are two ports that may be included in this list that do not appear as services in the Services panel. These ports are “iChat: (5297, 5298)” and “iTunes Music Sharing (3689).” These ports should not be necessary in a normal operational environment.
Figure 15: Internet Sharing Configuration Panel
2. The words “Internet Sharing Off” should be in the window. If not, click on the Stop button to disable Internet sharing.
3. Click on the unlocked lock icon at the bottom of the panel to re-lock the window.
Accounts
The Accounts option in System Preferences allows administrators to create and configure user accounts.
4. Click on the Login Options button near the bottom left side of the panel (Figure 16) to display general settings affecting all accounts.
Figure 16: Account Login Options
5. Select Name and password as the setting for Display Login Window as:. This causes the machine to require both a user name and a password to be entered for login. If the List of users option is set, the system will provide a list of all valid user accounts.
unencrypted form on the system. The password for this account should be changed as follows:
1. Click on the currently logged in account, shown in the left column of the Accounts panel (Figure 16).
2. Type the new password into both the Password and Verify boxes. It is very important to choose a good password as described previously.
3. Click on the unlocked lock icon to re-lock the Accounts preferences panel.
6. Set the date and time for the machine.
7. Click the Save button.
8. Click the Time Zone button at the top of the panel and select the appropriate time zone.
9. Click on the unlocked lock icon at the bottom of the panel to re-lock the window.
Software Update
Software updates should not be performed automatically. If the box in front of Check for updates: has been checked, the system automatically checks the Apple site for updates.
3. If necessary, uncheck the checkbox in front of Check for updates: to disable the capability.
4. Exit the System Preferences application.
User policy should state that this capability is to remain disabled. If a user re-enables this capability, risk is minimal because administrator authentication is still required for download and installation.
Restricting Administrator’s Home Folder Permissions
sudo chmod 700 /Users/
Securing the Root Account
Like other UNIX-based systems, Mac OS X includes a root account that can perform any action on the system. Administration on most UNIX-based systems is performed through the root account and sometimes multiple administrators share access to the root account, which can make it impossible to distinguish the actions of one administrator from another in the audit logs.
3. Click on the root item in the users column. The root user’s properties and any associated values will appear in the bottom panel of the window (Figure 19).
Figure 19: NetInfo Manager
4. Click on the lock in the lower left corner of the NetInfo Manager window. Type an administrator's short name and password into the authentication dialog that appears and click the OK button.
5.
9. Click the lock icon in the lower left corner of the NetInfo Manager window to re-lock the window.
11. Quit the NetInfo Manager application. Root login is now disabled.
Using sudo
The sudo program allows an administrator to perform command line functions that require root privileges. To use sudo, bring up a Terminal window and type sudo followed by the command to be performed with root privileges.
4. At the next prompt, enter:
   setenv security-mode command
5. To restart the computer and enable the settings, enter the command:
   reset-all
6. The system should reboot into the Mac OS X Login Window.
In command mode, the system will boot from the boot device specified in the system’s boot device variable and disallow users from providing any boot arguments. To test that the system has been put into command mode as recommended:
1.
2) Even if a single-user mode boot is successfully initiated by changing the Open Firmware settings, the system can still prevent automatic root login. To require entry of a root password during a single-user mode boot, the console and ttys must be marked as insecure in /etc/ttys. In fact, the system will require entry of a special root password, stored in /etc/master.passwd.
6. Open a new terminal window and issue the following command, replacing with two random characters and with an appropriate 8-character password:
   openssl passwd -salt
   A hash of the password will be displayed after executing the command.
7. Type or paste the password hash where the asterisk was deleted in step 10.
8. Exit, saving changes.
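Added example (not part of the original guide): a shell audit of the two files this procedure edits. It lists any /etc/ttys entry still flagged secure and checks that root's password field in /etc/master.passwd is no longer "*" or empty, without printing the hash. The function names, sample file contents and the placeholder hash are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm single-user mode will prompt for a root password.

# Print the name of every ttys entry whose flags still include "secure".
ttys_still_secure() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            gsub(/"[^"]*"/, "\"\"")   # blank out quoted getty commands
            sub(/#.*/, "")            # drop trailing comments
            for (i = 2; i <= NF; i++)
                if ($i == "secure") { print $1; break }
        }' "$1"
}

# Succeed only if root's password field in a master.passwd-format file is
# neither empty nor "*". The hash itself is never printed.
root_hash_present() {
    awk -F: '$1 == "root" { found = 1; ok = ($2 != "" && $2 != "*") }
             END { exit (found && ok) ? 0 : 1 }' "$1"
}

# audit_single_user TTYS MASTER_PASSWD: report, return 0 only if both pass.
audit_single_user() {
    rc=0
    open=$(ttys_still_secure "$1")
    if [ -n "$open" ]; then
        echo "FAIL: still marked secure in $1:" $open
        rc=1
    else
        echo "PASS: no terminal in $1 is marked secure"
    fi
    if root_hash_present "$2"; then
        echo "PASS: root has a password hash in $2"
    else
        echo "FAIL: root password field in $2 is empty or '*'"
        rc=1
    fi
    return "$rc"
}

# Write constructed "before" and "after" samples into DIR (not real system
# files; PLACEHOLDERHASH stands in for the openssl passwd output).
make_samples() {
    cat > "$1/ttys.before" <<'EOF'
# name     getty                            type   status
console    "/usr/libexec/getty std.9600"    vt100  on secure
tty.serial "/usr/libexec/getty serial.9600" vt100  off secure
ttyp0      none                             network
EOF
    sed 's/ secure$/ insecure/' "$1/ttys.before" > "$1/ttys.after"
    echo 'root:*:0:0::0:0:System Administrator:/var/root:/bin/sh' \
        > "$1/master.before"
    echo 'root:PLACEHOLDERHASH:0:0::0:0:System Administrator:/var/root:/bin/sh' \
        > "$1/master.after"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Before the procedure:"
audit_single_user "$demo_dir/ttys.before" "$demo_dir/master.before" || true
echo "After the procedure:"
audit_single_user "$demo_dir/ttys.after" "$demo_dir/master.after" || true
rm -rf "$demo_dir"
```

On a live system the same call is `sudo sh -c '. ./audit.sh; audit_single_user /etc/ttys /etc/master.passwd'`, where audit.sh is an assumed file name for the block above.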
MasterPasswordHint . . .
3. Exit, saving changes. The warning banner should appear for the next person logging into the GUI.
To provide a logon warning banner to users logging into remote services on the system:
1. Edit the file /etc/motd as an administrator with the following command in a Terminal window:
   sudo pico /etc/motd
2. Enter the warning banner that has been approved.
3. Exit, saving changes.
Figure 20: Console Log
In Mac OS X, log files are handled by either the BSD subsystem or a specific application. The BSD subsystem handles most of the important system logging, while applications such as the Apache web server handle their own logging. Like other BSD systems, Mac OS X uses a background process called syslogd to handle logging. A primary decision to make when configuring syslogd is whether to use remote logging.
mail.emerg /var/log/mail.log
*.* /var/log/all.log
Local Logging
The default configuration in /etc/syslog.conf is already appropriate for the typical Mac OS X system when a remote log server is not available. The system is set to rotate log files using a cron job at the time intervals specified in the file /etc/crontab. Rotation entails compressing the current log file, incrementing the integer in the filename of compressed log files, and creating a new log file for new messages (Table 2).
#Minute  Hour  DayOfMonth  Month  DayOfWeek  User  Command
15       12    *           *      2          root  periodic weekly
Remote Logging
Using remote logging is recommended in addition to local logging because local logs can easily be altered if the system is compromised. However, remote logging is not always possible; a laptop, for example, may not always be connected to a network and therefore can only store logs locally.
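Added example (not part of the original guide): a shell check that reads a syslog.conf-format file and reports which rules write locally, which forward to a log host (an action beginning with "@"), and which locally logged selectors have no forwarding rule. The function names, the sample rules and the host loghost.example.com are constructed; selector matching is by exact text, a simplification assumed here.

```shell
#!/bin/sh
# Added example: show where each syslog.conf rule sends its messages.

# classify_syslog_actions FILE -> "<remote|local|other> <selector> <action>"
classify_syslog_actions() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and blank lines
        {
            action = $NF
            if (action ~ /^@/)       kind = "remote"   # forwarded to a log host
            else if (action ~ /^\//) kind = "local"    # file or device path
            else                     kind = "other"    # user list, "*", pipe
            print kind, $1, action
        }' "$1"
}

# Succeed only if messages are kept locally and also forwarded remotely.
logs_local_and_remote() {
    out=$(classify_syslog_actions "$1")
    printf '%s\n' "$out" | grep -q '^remote ' &&
        printf '%s\n' "$out" | grep -q '^local '
}

# Print locally logged selectors that no remote rule repeats. A remote
# "*.*" rule forwards everything, so nothing is reported in that case.
unforwarded_selectors() {
    classify_syslog_actions "$1" | awk '
        $1 == "remote" { fwd[$2] = 1; if ($2 == "*.*") all = 1 }
        $1 == "local"  { loc[++n] = $2 }
        END {
            if (all) exit
            for (i = 1; i <= n; i++) if (!(loc[i] in fwd)) print loc[i]
        }'
}

# Constructed sample configuration (not copied from a real system).
write_sample_conf() {
    cat > "$1" <<'EOF'
# selector                  action
*.err;kern.*;auth.notice    /dev/console
auth.info;authpriv.*        /var/log/secure.log
mail.*                      /var/log/mail.log
auth.info;authpriv.*        @loghost.example.com
EOF
}

# Demonstration on the constructed sample.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
classify_syslog_actions "$demo_conf"
echo "Selectors stored only on this machine:"
unforwarded_selectors "$demo_conf"
rm -f "$demo_conf"
```

Selectors listed as stored only on this machine are the ones an intruder with local access could alter without leaving a second copy.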
not permanently disable the components; however, administrative access is needed to re-load them and restore the capabilities.
1. Open the folder /System/Library/Extensions.
2. To remove AirPort support, drag the following files to the Trash:
   AppleAirPort.kext
   AppleAirPort2.kext
   AppleAirPortFW.kext
3. To remove support for Bluetooth, drag the following files to the Trash:
   IOBluetoothFamily.kext
   IOBluetoothHIDDriver.kext
4.
running Mac OS 9 applications: booting the system into Mac OS 9, and running an application in Classic Mode. This mode is an adaptation of Mac OS 9 that runs as an application on a system running Mac OS X. It is not recommended to boot into Mac OS 9 or to use Classic Mode. Mac OS 9 and any Mac OS 9 applications should be removed from the system. To do this, use the following instructions.
   sudo rm -rf '/System/Library/Classic/'
   sudo rm -rf
   sudo rm -rf '/System/Library/UserTemplate/English.lproj/Desktop/Desktop (Mac OS 9)'
5. Type the following commands to remove additional Mac OS 9 files and directories from the system if they exist:
   sudo rm -rf '/System Folder'
   sudo rm -rf '/Mac OS 9 Files/'
Make sure the single quotes (apostrophes) are placed correctly here.
Chapter 5
Once the first administrator account and the root account are securely configured, additional user accounts may be created. This chapter describes the process of creating and configuring new user accounts. Note that some of the instructions in this chapter are repeated from previous chapters. This is because the system should be completely secured before creating and securing individual user accounts.
Creating User Accounts
The following instructions describe creation of a standard user account on the system. A standard user can perform all normal user functions, such as accessing his own files, configuring his environment (e.g. desktop, screensaver), and using applications. These steps may be used for creating all new accounts on the system. Later sections address granting administrative privileges to, or limiting the capabilities of, that account.
1.
policy should require a new user to change his password immediately upon first login.
6. Leave the Password Hint field blank. If a value is entered in this field, it will be given to anyone after 3 failed attempts to enter a password, making it easier to break into the account.
8. Make sure the Allow user to administer this computer checkbox is unchecked (Figure 22).
Granting Administrative Privileges
An administrative user on the system can perform standard user-level tasks, as well as administrative-level activities such as:
• Adding a user account
• Changing the FileVault master password
• Enabling or disabling sharing
• Enabling, disabling, or changing firewall settings
• Changing other protected areas within System Preferences
• Installing system software
Administrative privileges should only be granted to user
Figure 23: Grant Administrative Privileges
Limiting a User Account
Two levels of limited user accounts are available: an account with configurable limits, and an account that is limited to a simple Finder.
Managed User: Some Limits
Within the Accounts System Preferences panel, the Limitations section allows the administrator to restrict a user’s access to programs and settings.
1. Click on the Show All icon in System Preferences, or restart System Preferences if necessary.
2. Click on the Accounts icon in the System row to bring up the accounts management panel.
3. Unlock the screen for changes, if necessary.
4. Find the user for which limitations are to be set in the list at the left side of the window. Click on that user account to highlight it and display its settings.
5. Click on the Limitations button in the window.
10. Check the box for This user can only use these applications.
11. Four categories appear under the Application column: Applications, Utilities, Applications (Mac OS 9), and Others. Expand these categories to list their contents. Uncheck the Allow box for any programs listed in Table 3. Access to any applications not appearing in this guide should be determined by site policy. The Applications (Mac OS 9) and Others options should be empty and require no action.
12. Click on the unlocked lock icon at the bottom of the panel to re-lock the preferences panel.
Managed User: Simple Finder
Finally, a user can be restricted to a Simple Finder set of limitations: this user is not given full access to the System Preferences panel, and is only allowed to run applications listed by the administrator. Also, a user with Simple Finder privileges can only open one folder located on the Dock.
System Preferences Settings
The following configuration should be done for every user account, and must be performed while logged into the account being configured.
1. Log into the user’s account.
2. Start the System Preferences program.
3. Click on the Bluetooth icon in the Hardware row if it exists. If it doesn’t, skip to step 5.
4. Click on the Turn Bluetooth Off button. Bluetooth should now be off, as shown in Figure 25.
Figure 25: Disable Bluetooth
Set the screen saver settings:
5.
9. Click on the Hot Corners button at the bottom left of the Desktop & Screen Saver panel.
10. Choose which corner is to be used as the hot corner for starting the screen saver.
11. Use the pull-down menu corresponding to the corner chosen as the screen saver hot corner, and select Start Screen Saver in the menu.
12. Click the OK button.
Set the CD/DVD settings:
13. Click on the Show All icon.
14. Click on the CDs & DVDs icon in the Hardware row of options.
15.
Figure 26: Disable Software Update
If an internal microphone is installed on the system, it must be disabled individually for every user. To disable the internal microphone:
21. Click on the Show All icon to see all the categories of preferences for this machine.
22. Click on the Sound icon in the Hardware row.
23. Click on the Input button on the Sound option panel.
24.
Figure 27: Disable Internal Microphone
28. Use a dummy plug to plug the Line In jack on the machine.
29. If there is no Line In jack, then the only setting available under the Choose a device for sound input box will be the internal microphone (if there is one), and there will be no way to remove that option. In either case, it is recommended that the internal microphone be physically disabled.
The next step is to enable FileVault for this user:
33. Make sure all applications (other than System Preferences) are closed, as the user will be logged out as part of the process of starting FileVault.
35. Unlock the window for editing if necessary.
36. Click on the Turn On FileVault button (Figure 28).
Figure 28: Enable File Vault
37. When prompted, enter the password given to the account when it was created and click OK.
38.
Overriding the Default umask
The default umask value can be overridden for a particular user, if needed. To do so, log into the user account to be changed.
certificate must be stored in a keychain. If a credential must be stored on the system, it should be stored and managed using the Keychain Access utility. The decision to use keychains should be determined by evaluating policy, operational needs, and operational environment.
1. Log in to the account of the user whose menu bar is to be modified.
2. Start the Keychain Access program located in the /Applications/Utilities folder.
3.
login password and is automatically unlocked when the user logs in. It remains unlocked unless the user locks it, or until the user logs off. The settings for the login keychain should be changed so that the user will be required to unlock the login keychain when he logs in, or after waking the machine from sleep.
1. Start the Keychain Access program.
2. If the drawer showing the user’s keychains is not open, click on the Show Keychains icon to open it.
3.
Figure 30: Keychain Password Change
6. From the Edit menu, select Change Settings for keychain “login”….
7. Select Lock when sleeping (Figure 31).
Figure 31: Keychain Settings
8. Check the configuration of each of the items in the login keychain. Each item can be individually configured to permit access by only certain applications. The lower half of the Keychain Access window contains a tabbed view pane for configuring the attributes and settings for each item. Repeat the following steps for each item:
a. Select an item within the currently selected keychain.
b.
f. The Always allow access by these applications list should be kept empty unless operationally required. Any application in this list can access the item without prompting the user or requiring re-entry of the keychain password. If there are any applications in this list, click on one of them, and click on the Remove button at the bottom of the window. Repeat this until all entries have been removed from the list.
The first keychain configured here is designed to protect credentials that are accessed frequently and automatically whenever a user is logged in. A good example of this would be an e-mail account password used by the Mail application. If the keychain holding the credentials used by Mail is set to re-lock every 5 minutes, it is likely that the user will have to re-authenticate the keychain every time the Mail application tries to check for new mail.
7. Click on the name of the newly created keychain to highlight it.
8. Select Change Settings for keychain “mail_keychain” … from the Edit menu.
9. Make sure the Lock when sleeping option is selected, and that the Lock after x minutes of inactivity option is not selected (Figure 33).
Figure 33: Settings for “mail_keychain”
10.
Figure 34: Mail Keychain Items Access Control Settings
Keychain 2: Moderately accessed credentials (e.g. database access)
This keychain is designed to protect credentials that are accessed frequently and automatically whenever a user is accessing a particular application that needs a credential from a keychain. An example of this might be a database that requires credentials for every query.
7. Make sure the Lock when sleeping option is selected, and that the Lock after x minutes of inactivity option is selected and set to an appropriate value, such as 15 (Figure 35).
Figure 35: Database Keychain Settings
8. Move any items containing credentials for database applications, or any other items to be protected by this keychain, into the newly created keychain.
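The lock settings chosen above for the login, mail and database keychains can also be checked from the command line. The script below is an added example, not part of the original guide. It assumes the one-line output format of `security show-keychain-info` from later Mac OS X releases (its availability on 10.3 is not confirmed here), uses the hypothetical name database_keychain, treats the guide's example value of 15 minutes as a maximum, and runs on constructed sample lines.

```shell
#!/bin/sh
# Assumed input, one line per keychain (format of `security show-keychain-info`):
#   Keychain "<path>" [lock-on-sleep] (timeout=<N>s | no-timeout)
# Policy: name|inactivity rule. none = "Lock after x minutes" must be off,
# any = not checked, <N> = must be on and at most N minutes.
# database_keychain is a hypothetical name; 15 is the guide's example value.
POLICY='login|any
mail_keychain|none
database_keychain|15'
# Constructed sample input, not captured from a real system.
SAMPLE='Keychain "/Users/alice/Library/Keychains/login.keychain" lock-on-sleep no-timeout
Keychain "/Users/alice/Library/Keychains/mail_keychain.keychain" lock-on-sleep timeout=300s
Keychain "/Users/alice/Library/Keychains/database_keychain.keychain" lock-on-sleep timeout=900s
Keychain "/Users/alice/Library/Keychains/accounts_keychain.keychain" no-timeout'

# Print OK/FAIL/SKIP for one line; return 1 on FAIL.
check_line() {
    line=$1
    path=$(printf '%s\n' "$line" | sed -n 's/^Keychain "\([^"]*\)" .*/\1/p')
    [ -n "$path" ] || { echo "FAIL unparsable line"; return 1; }
    name=$(basename "$path" .keychain)
    rule=$(printf '%s\n' "$POLICY" | awk -F'|' -v n="$name" '$1 == n { print $2 }')
    [ -n "$rule" ] || { echo "SKIP $name: no policy entry"; return 0; }
    case $line in
        *'" lock-on-sleep '*) ;;
        *) echo "FAIL $name: Lock when sleeping is off"; return 1 ;;
    esac
    case $line in
        *' no-timeout') secs=none ;;
        *) secs=$(printf '%s\n' "$line" | sed -n 's/.* timeout=\([0-9][0-9]*\)s$/\1/p') ;;
    esac
    [ -n "$secs" ] || { echo "FAIL $name: no timeout field"; return 1; }
    case $rule in
        any) ;;
        none) [ "$secs" = none ] || { echo "FAIL $name: inactivity lock should be off"; return 1; } ;;
        *) if [ "$secs" = none ] || [ "$secs" -gt $((rule * 60)) ]; then
               echo "FAIL $name: inactivity lock must be on, at most $rule min"; return 1
           fi ;;
    esac
    echo "OK $name"
}

# Check every line on stdin; return 1 if any keychain fails.
audit() {
    rc=0
    while IFS= read -r l; do check_line "$l" || rc=1; done
    return $rc
}
printf '%s\n' "$SAMPLE" | audit || echo "policy violations found"
```

The accounts_keychain line is skipped rather than judged because its required settings are not stated in this part of the guide; add a POLICY entry once site policy fixes them.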
4. Type a name for the new keychain in the Save As box in the window, and click on Create. For this example, the name of the new keychain is “accounts_keychain”.
5. Select a new password for the keychain and enter it in the window that appears on the screen. Use the password assistant (the “i” button) to check the strength of the password.
6. Select Change Settings for keychain “accounts_keychain”… from the Edit menu.
7.
guide may be used as the default keychain. If the user chooses to set a different keychain as the default, he should ensure that it is secured in the same manner as given for the login keychain configuration. To change the default keychain:
1. Start the Keychain Access application.
2. If the drawer showing the user’s keychains is not open, click on the Show Keychains icon to open it.
3. Click to select the keychain that is to be designated as the new default.
4.
11. Drag the original file to the Trash.
12. Choose Secure Empty Trash from the Finder menu to delete the file.
13. In the Keychain Access application, select Add keychain… from the File menu and open the keychain file that was moved. The keychain will appear in the list of keychains in the Keychain Access application. The system will now access the keychain file in its new location.
Chapter 6
Future Guidance
Topics for consideration in future versions of this guide or in other guidance documentation include:
• Mac OS X v10.3.x Server
• Managing Mac OS X networks
• Cross-Platform (Mac OS X–Windows, Mac OS X–Linux, etc.
Appendix A
Encrypting Files and Folders
As described earlier, Mac OS X’s FileVault feature can be used to encrypt a user’s entire home directory. However, some situations call for the encryption of individual files and folders, not simply the entire home directory. The Disk Utility program shipped with Mac OS X provides the ability to encrypt disk images containing arbitrary files and folders.
1. Open Disk Utility, located in /Applications/Utilities, and make sure nothing is selected in the Disk Utility window (Figure 37).
Figure 37: Disk Utility Panel
2. In the Images menu, choose New > Blank Image or click the New Image button.
3. Type a name for the disk image and choose where to save it (Figure 38).
4. Choose the size of the disk image from the Size pop-up menu. Disk images cannot be directly expanded, so make the size as large as may be needed.
5. Choose an encryption method. The recommended method is AES-128.
6. Choose a format, and then click Create. Although there is some overhead, the sparse format allows the image to maintain a size proportional to its contents (up to its maximum size), which can save disk space.
7.
keychain is unlocked, the data will be transparently unencrypted if an attempt to access it is made. This box is checked by default. If the data are particularly sensitive, uncheck the box to prevent storing the password in a keychain.
Creating an Encrypted Image From Existing Data
The instructions below follow those in the Disk Utility help section “Creating a disk image of a device, folder, or volume.
Figure 41: Disk Utility Convert Image Panel
4. Select AES-128 (recommended) for Encryption and click Save.
5. As in the case of creating a new, blank encrypted image, a dialog box will appear requesting a password. See step 7 above for discussion.
Appendix C
Additional Resources
The following are additional resources that may be helpful to readers of this guide.
1.