Enterprise Infrastructure Services

Outline

O. Introduction

I. Security Recommendations for all Mac OS X users

• 1. Accounts and users
• 2. Passwords
• 3. Physical security
• 4. Patches and software updates
• 5. Sharing and networking
• 6. Virus prevention
• 7. Backups
• 8. FileVault and Firewall

II. Hardening OS X

III. For More Information

Summary:

Out-of-the-box, Mac OS X is quite secure. Apple provides a good default configuration, and issues regular Security Updates. This article recommends additional measures all Princeton users can use for better security.

With OS X 10.5 "Leopard," Apple finally published several excellent guides for securing your Macintosh personal computer or your OS X server. There is also a more comprehensive Security Overview available. Apple's documents should be considered authoritative if there is any conflict between them and what you read here. (Kindly let the OIT helpdesk know of any errors you find, so we can correct them. Thanks.)

Mac OS X has two user interfaces, graphical (GUI) - the Macintosh "Finder" - and command-line (CLI) or "Unix." Apple assumes that most users will seldom make use of the command line, but system/server administrators will need to do so, and advanced users may wish to use it as well. This article suggests security techniques and tools that are available, mostly in the Finder, some using the command line. This is not, however, a complete tutorial. There is much good information about OS X security available now on the web.

1. Accounts and users

Do not accept Apple's default, which is to log in to your Mac automatically without a password. It's much better to have several accounts or logins on your Mac OS X system. Be in control of all access to your system by other users, and don't allow Guest access without a very good reason.

Recommendations:

• By default, the account created when installing OS X is an Administrator account which has the power to install software and modify configurations. It's not secure or necessary to use that account for routine work. Log in as the administrator, use the "Accounts" System Preference tool to create a non-administrator user account, and give it a different password. Next, click Login Options, and select "name and password" instead of "list of users". Next time you log in, use the user account for daily tasks so you won't accidentally overwrite important settings or software.
• By default, OS X logs in automatically after restart, using the first account created during installation and that account's stored password. We've already seen that this is an administrator account, so if the Mac isn't in a perfectly secure location, any passer-by can start it up and make changes to it. To fix this, go to the "Security" System Preference, under the "General" tab, and click "Disable automatic login for all accounts." While here, click "Require password immediately after sleep or screen saver..." After making these changes, log out. To log in, you will now need your user name and password.
• Do not enable File Sharing (with the "Sharing" System Preference pane) unless you need to. If you do, you should use the ability in versions of OS X above 10.3 to create users and groups, and require use of a password to access files or software on your Mac. It's a bad idea to allow guest (no password) or anonymous access to any program, folder, or file unless you understand what you're doing. See below for more details.

2. Passwords

The first line of defense for your system is the password. Choose a good one, and change it regularly.

Recommendations:

• Set the "Security" preferences in System Preferences so a password is required to wake from sleep or from the screen saver (see above); this will keep others from using your unattended Mac.
• Do not use the same account name and password on your Mac that you use to log on to other campus services such as mail (LDAP) or Samba (Windows files).
• Don't create a guest account, anonymous login, or an account with blank or obvious password.
• Select strong passwords which are not easily guessed. Keep them secret; don't send them in e-mail or write them down. Change them regularly. See http://www.helpdesk.princeton.edu/docs/password.html for more information about selecting and using passwords.

3. Physical Security

Anyone can change your Administrator password if they start your Mac up with an OS X Installation CD or DVD. If your Mac is started up from an OS 9 (Classic) System Folder (OS X 10.4 and earlier supported this), there is no protection or security at all for the OS X files in the same disk partition. Use of a firmware password can prevent the possibility of someone booting your Macintosh from an external hard drive, DVD, or CD, and then changing your administrator password, erasing your disk, or accessing your private documents.

Recommendations:

• Intel-based Macs use "EFI" and PowerPC (G4, G5) Macs use "Open Firmware," but the concept and tools are similar. Both offer a utility to set a firmware password. See http://docs.info.apple.com/article.html?artnum=106482 for complete instructions and a copy of the utility.
• Upgrade to OS X completely. Remove any OS 9 system folders and the "Classic" System Preference panel from your Macintosh.

4. Patches and updates

Updating system software is easy and keeps your system secure.

Recommendations:

• There is no real reason for using older versions of OS X if your Mac is capable of running the current OS level. It is always worthwhile to buy and install Apple's major system upgrades. The campus price is well below retail price; order on-line through Princeton's OIT Software Sales. Apple upgrades always include major security improvements, as well as better performance and new features. At this writing, support is transitioning between 10.5 "Leopard" and 10.6 "Snow Leopard." 10.5 dropped "classic" support, and 10.6 dropped support for PowerPC hardware.
• Between major upgrades, set the Software Update System Preference to automatically check Apple's upgrade service at frequent intervals. When you buy a new Mac, or perform a fresh system installation, manually trigger the Software Upgrade tool, to make it download any software updates that haven't been installed yet. Apply all Apple security updates and System Updates that appear, as soon as possible.
• If you are nervous about breaking something when you upgrade, wait a day or two and read your favorite internet sites for reports of any problems that may affect you. Waiting can be a security risk in the case of Security Updates, because when a vulnerability is announced it is likely to be exploited quickly. Rarely, OS X updates do trigger conflicts with installed software. If you have extensive system modifications, use non-Apple add-on hardware, or use unusual drivers, you are more likely to have difficulties. Useful Mac news sites such as http://arstechnica.com/apple/news/, www.tidbits.com and www.macintouch.com offer upgrade reports, troubleshooting tips and warnings. Always make sure you have current backups before updating.
• Most application developers also offer updates via download. Read all warnings before applying them to make sure there will not be any adverse effects on your system; back up first; and follow the directions carefully.
• Do not install shareware or downloads from unknown vendors or web sites, unless you use good virus-checking and backup practices and are willing to take risks.

5. Sharing and networking

There are several options that can affect your Macintosh security by reconfiguring network services. Permitting 'Guest' access to your Macintosh is not recommended. Apple File Sharing is a lightweight solution if you just need to transfer files among a couple of Macs, but passworded logins are still important. General purpose file services on campus, such as WebSpace, the OIT Central File Server, and SharePoint, provide cross-platform solutions which are more robust than built-in Macintosh sharing.

See the OIT Networking page for detailed information on configuring your Macintosh for the Princeton network. See the OIT Knowledgebase Article 5872 for information about file services and file sharing between other platforms at Princeton. See Article 9268 to learn how to use your "H:" drive to store files on the Central File Server. Article 9754 gives instructions on using Secure File Transfer (SFTP) between your Macintosh and a Unix system.

Recommendations:

• For best security, do not enable any of the incoming services listed under the Sharing pane of OS X System Preferences. (In 10.5, the services are DVD or DC Sharing, Screen Sharing, File Sharing, Printer Sharing, Scanner Sharing, Web Sharing, Remote Login, Remote Management, Remote Apple Events, XGrid Sharing, and Internet Sharing). Note that these settings only affect incoming connections to your computer; you can still make outbound connections to servers, printers, etc. from your Mac. Use of Internet Sharing is strongly discouraged. See OIT Networking document Do Not Use Mac OS X Internet Sharing Feature on the Campus Network for more information.
• If you want to use "Remote Login" yourself, be sure to choose "Only these users:" and enable your own user name, without allowing "All Users." You can now SSH in to your Mac securely, from any other Mac (using the command-line Terminal) or from Unix and Windows systems.
• By default, if you enable File Sharing, you also enable guest access to several folders on your computer. There is a Shared folder at the System level as well as a Public Folder in each User directory, all of which permit guest (anonymous) access by default. Guest access is a potentially large security hole. If you do enable File Sharing, use the tools provided to turn off Guess Access. Under "Users" select "Everyone" and set the value to "No Access." With this arrangement, you can still connect from another Mac using your own login/password, but others cannot access your hard disk. You can use the same tool to define only the folders/directories you really need to access.
• If you want to use File Sharing to share files with some other specific Mac user over AppleShare, use your administrator account and the Accounts Preference Pane to create a new user with a password. Use the tools in the Sharing Preference Pane to give that user Read/Write access to their Public Folder, while changing access from Everybody to None. Tell your new user to select the menu choice Go => Connect to Server to access your system; they will enter an address of the type afs://yourmacname.princeton.edu and then log in with their account and password.
• You can use SMB (Windows native file sharing protocol) instead of Apple File Sharing to share files with Mac OS X or Windows users over SMB. To start it, turn on Windows File Sharing in the "Options" section of the Sharing Preference Pane. Then use your administrator account and the Accounts Preference Pane to create a new user with a password. Using the Sharing Preference Pane, change the user's Public Folder access to Read/write, while changing access for Everybody to None. Tell the user to use Go => Connect to Server to log into your system; they will enter an address of the type smb://yourmacname.princeton.edu and then log in with their account/password.

6. Virus prevention

There is still, at this writing, no virus that can infect OS X without some action on the user's part -- you, the Mac user, take some action such as running a trojan program or opening an infected file. Also, your Mac can transfer virus-infected documents and e-mail attachments to Windows computers without being infected, thus endangering your friends and relations. Prevent this by using anti-virus software on your Mac.

Recommendations:

• Be especially watchful for viruses concealed in cute kitten pictures, chain letters, and other apparently harmless stuff forwarded in e-mail by your friends.
• Don't click on links that come in unsolicited e-mail messages from banks and other businesses; they often are forged.
• Never type your password, bank account number, SSN, or credit card number in response to an e-mail, even if it appears to come from someone you know, unless you are absolutely certain of the source of the request.
• Use Princeton's anti-spam services in combination with OS X Mail's trainable Junk Mail filter (or another favorite e-mail client) to weed out junk mail.
• Never download and install software from an unknown source.
• Install the anti-virus software of your choice.
  • Princeton University has a site license for Macafee. See the Help Desk Antivirus article, 3308, for further information on obtaining and installing this software.
  • Anti-virus software is useless if not absolutely up-to-date. Configure your software to check for updated virus data daily.

For more information about viruses, see: 

• MacAfee's Threat Center 
  http://www.mcafee.com/us/threat_center/default.asp
• Macintouch Security Reports
  http://www.macintouch.com/security.html
• Norton's SARC: 
  http://www.sarc.com/

7. Backups

An old saw says that there are two kinds of computer users, those who have had a hard disk crash and those who will.

Recommendation:

Select and use a backup system. Some possibilities:

• Apple's Time Machine is provided with all Macs that run OS X 10.5 and higher. It requires an external disk or flashdrive. This solution is easy to use and highly recommended.
• Departmental Princeton Macintosh users can use Tivoli Storage Manager (TSM) to back up their OS X /User files. Special arrangements and charges apply if TSM is used to back up entire systems, such as servers. Contact the OIT Help Desk for assisstance.
• You can copy your documents to your home file system, often called your "H" drive, on the central file server. You can mount this drive as an external disk drive with a Macintosh interface, and log in using your campus netid and password. See Help Desk article 9268 for information. All Princeton students and staff have 250Mb of storage.
• For particular needs, such as server backup or disk imaging, there are other backup clients available, for example Retrospect or CarbonCopyCloner; the OIT Help Desk cannot support these but you may find one which fits your needs. Search http://www.versiontracker.com or http://www.macupdate.com for possibilities.

8. FileVault and Firewall

• FileVault creates an encrypted, passworded virtual disk image of your files, which cannot be accessed without the password. You may configure it to encrypt your entire hard disk or selected folders. Caution: If you forget your password, there will be no way to regain access to your files. For most users FileVault is probably overkill provided the other security measures suggested above are in use.


• Firewall, in 10.5 Leopard, is not what you will expect if you have used a typical Unix firewall based on port numbers. Instead, the so-called OS X firewall is an application security system which relies on application signatures (certificates) and will run only recognized applications. If an unknown application tries to execute, the OS will ask you to approve before running it. This can help to prevent attacks by "trojans" and other malware. Use of the OS X firewall is a good idea in most cases.

  The Application Firewall is turned OFF by default; you must turn it on in the Security Preference Pane, Firewall tab. Advanced configuration options allow you to disable applications on a case-by-case basis. Do not enable "Stealth" mode at risk of interfering with correct network configuration. (Note that the linux-style "ipfw" firewall system is still available and is compatible with the application firewall, but you will need to use the command line or a third-party application to configure it.) See Apple Support Library #1810 for more information.

II. Hardening OS X

Each advanced user or system administrator is likely to have a unique environment for which a security strategy must be developed. There is a growing body of OS X- specific information to help, and the traditional Unix literature and tools are also almost completely applicable. Here are some basic suggestions for further study in developing a security plan for your situation.

Recommendations:

• If running 10.4 or older, conceal the legacy NetInfo database and utilities from users. These were finally replaced by LDAP-based Open Directory in Leopard. (Deal 2002, p. 14)
• Use network access controls (ipfw firewall, xinetd, and/or tcpwrappers) to prevent unauthorised access to TCP/IP and UDP ports. (Cote n.d.)
• Use encryption to prevent unauthorised access to sensitive data (Apple Devel. Library, Security Overview)
• Use intrusion detection tools such as Tripwire (http://tripwire.darwinports.com from the open source world.
• Use tools such as OpenSSL and Kerberos for authentication and authorization. Both are supported by Apple and provided as part of a basic OS X installation.
• Audit the system by exploring your startup scripts, cron jobs, and /etc/hostinfo configuration to see what each does.
• If you develop software, plan and test for security in licensing, installation, features and support.

For more information about hardening OS X, see:

Leopard:

• Cuthbert, Daniel. Securing Mac OS X Leopard (10.5) August, 2008. http://research.corsaire.com/whitepapers/technical.html 
  This guide is an updated version of "Securing Mac OS X Tiger (10.4)" by S. de Vries - still available at the same site - and includes the new security features offered by Mac OS X Leopard (10.5). The standard reference before Apple issued its own OS X Security Manuals.

Older versions and general information:

• Deal, Daniel. Mac OS X 10.1.4: Security Analysis and Recommendations. June, 2002. http://www.sans.org/rr/papers/index.php?id=241 Old but still useful if you need to deal with NetInfo.
• Boswell, Martin S. Securing a MacOS X Workstation Using UNIX Tools. December, 2002. www.giac.org/practical/GCUX/Martin_Boswell_GCUX.pdf
• Cote, Daniel. Setting up firewall rules on Mac OS X: Tutorial. [undated.] http://www.novajo.ca/firewall.html

>III. For More information

 Local assistance:

 Apple OS X Security resources:

 ;Web sites with coverage of OS X security

See the OIT Security site, http://www.princeton.edu/itsecurity for general Princeton security policies and resources.