Apple MAC OS X 10.4 Security Configuration

Mac OS X
Security Configuration
For Version 10.4 or Later Second Edition
Apple Inc.
© 2007 Apple Inc. All rights reserved.
Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.
Apple 1 Infinite Loop Cupertino, CA 95014-2084 408-996-1010 www.apple.com
The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Apple, the Apple logo, AirPort, FireWire, Keychain, Mac, Macintosh, the Mac logo, Mac OS, QuickTime, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Finder, and Xgrid are trademarks of Apple Inc.
The Bluetooth® word mark and logos are owned by the Bluetooth SIG, Inc. and any use of such marks by Apple Inc. is under license.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.
019-0922/02-15-07

Contents

Preface  About This Guide 9
  Target Audience 9
  What’s New in Mac OS X Version 10.4 9
  What’s in This Guide 10
  Using This Guide 11
  Using Onscreen Help 11
    Mac Help 11
    The Mac OS X Server Suite 12
  Getting Documentation Updates 13
  Getting Additional Information 13
  Acknowledgments 14

Chapter 1  Introducing Mac OS X Security Architecture 15
  Security Architectural Overview 16
    UNIX Infrastructure 16
    Access Permissions 16
    Security Framework 16
    Layered Security Defense 17
  Built-In Security Services 18
    Keychain Services 18
    Secure Transport Services 18
    Certificate, Key, and Trust Services 18
    Authorization Services 18
    Smart Card Services 19
  Authorization versus Authentication 19

Chapter 2  Installing Mac OS X 21
  System Installation Overview 21
    Disabling the Open Firmware Password 21
    Installing from CD or DVD 22
    Installing from the Network 23
    Restoring from Preconfigured Disk Images 23
  Initializing System Setup 23
    Using Setup Assistant 23
    Creating Initial System Accounts 24
    Setting Correct Time Settings 25
  Updating System Software 25
    Updating from an Internal Software Update Server 26
    Updating from Internet-Based Software Update Servers 27
    Updating Manually from Installer Packages 27
    Verifying the Integrity of Software 28
  Repairing Disk Permissions 28
    Kinds of Permissions 29
    POSIX Permissions Overview 29
    ACL Permissions Overview 29
    Using Disk Utility to Repair Disk Permissions 30

Chapter 3  Protecting Hardware and Securing Global System Settings 31
  Protecting Hardware 31
    Disabling Hardware 32
  Removing Mac OS 9 33
    Using the Command Line to Remove Mac OS 9 33
    Running Mac OS 9 from a CD or DVD 34
    Running Mac OS 9 from a Disc Image 34
  Securing System Startup 35
    Using the Open Firmware Password Application 36
    Configuring Open Firmware Settings 37
    Using Command-Line Tools to Secure Startup 38
    Requiring a Password for Single-User Mode 38
  Configuring Access Warnings 39
    Enabling Access Warnings for the Login Window 39
    Enabling Access Warnings for the Command Line 40

Chapter 4  Securing Accounts 41
  Types of User Accounts 41
    Guidelines for Creating Accounts 42
    Defining User IDs 42
    Securing Nonadministrator Accounts 43
    Securing Administrator Accounts 45
    Securing the System Administrator Account 46
  Understanding Directory Domains 47
    Understanding Network Services, Authentication, and Contacts 48
    Configuring LDAPv3 Access 49
    Configuring Active Directory Access 50
  Using Strong Authentication 50
    Using Password Assistant 51
    Using Smart Cards 52
    Using Tokens 52
    Using Biometrics 52
    Setting Global Password Policies 53
  Storing Credentials 53
    Using the Default User Keychain 54
    Securing Keychain Items 55
    Creating Additional Keychains 56
    Using Portable and Network-Based Keychains 57

Chapter 5  Securing System Preferences 59
  System Preferences Overview 59
  Securing .Mac Preferences 61
  Securing Accounts Preferences 63
  Securing Appearance Preferences 66
  Securing Bluetooth Preferences 67
  Securing CDs & DVDs Preferences 68
  Securing Classic Preferences 69
  Securing Dashboard and Exposé Preferences 71
  Securing Date & Time Preferences 72
  Securing Desktop & Screen Saver Preferences 74
  Securing Displays Preferences 76
  Securing Dock Preferences 76
  Securing Energy Saver Preferences 77
  Securing International Preferences 78
  Securing Keyboard & Mouse Preferences 79
  Securing Network Preferences 80
  Securing Print & Fax Preferences 82
  Securing QuickTime Preferences 84
  Securing Security Preferences 85
  Securing Sharing Preferences 87
  Securing Software Update Preferences 90
  Securing Sound Preferences 91
  Securing Speech Preferences 92
  Securing Spotlight Preferences 93
  Securing Startup Disk Preferences 95
  Securing Universal Access Preferences 96

Chapter 6  Securing Data and Using Encryption 97
  Understanding Permissions 97
    Setting POSIX Permissions 97
    Viewing POSIX Permissions 98
    Interpreting POSIX Permissions 99
    Modifying POSIX Permissions 100
    Setting File and Folder Flags 100
    Viewing Flags 100
    Modifying Flags 100
    Setting ACL Permissions 101
    Enabling ACL 101
    Modifying ACL Permissions 102
    Setting Global File Permissions 102
  Securing Your Home Folder 103
    Encrypting Home Folders 104
    Using FileVault Master Keychain 105
  Encrypting Portable Files 105
    Creating a New Encrypted Disk Image 106
    Creating an Encrypted Disk Image from Existing Data 107
    Creating Encrypted PDFs 107
  Securely Erasing Data 108
    Using Disk Utility to Securely Erase a Disk or Partition 109
    Using Command-Line Tools to Securely Erase Files 109
    Using Secure Empty Trash 110
    Using Disk Utility to Securely Erase Free Space 111
    Using Command-Line Tools to Securely Erase Free Space 111

Chapter 7  Securing Network Services 113
  Securing Apple Applications 113
    Securing Mail 113
    Securing Web Browsing 114
    Securing Instant Messaging 115
    Securing VPN 115
    Securing Firewall 117
    About Internet Sharing 118
    Enabling TCP Wrappers 119
  Securing SSH 120
    Enabling an SSH Connection 120
    Configuring a Key-Based SSH Connection 121
    Preventing Connections to Unauthorized Host Servers 124
    Using SSH as a Tunnel 125
  Securing Bonjour 126
  Securing Network Services 127
    Securing AFP 127
    Securing Windows Sharing 128
    Securing Personal Web Sharing 128
    Securing Remote Login 128
    Securing FTP Access 129
    Securing Apple Remote Desktop 129
    Securing Remote Apple Events 129
    Securing Printer Sharing 129
    Securing Xgrid 129
  Intrusion Detection Systems 130

Chapter 8  Validating System Integrity 131
  About Activity Analysis Tools 131
  Using Auditing Tools 131
  Configuring Log Files 132
    Configuring syslogd 132
    Local System Logging 133
    Remote System Logging 134
  About File Integrity Checking Tools 135
  About Antivirus Tools 135

Appendix A  Security Checklist 137
  Installation Action Items 137
  Hardware and Core Mac OS X Action Items 138
  Account Configuration Action Items 138
  Securing System Software Action Items 139
  .Mac Preferences Action Items 139
  Accounts Preferences Action Items 140
  Appearance Preferences Action Items 140
  Bluetooth Preferences Action Items 140
  CDs & DVDs Preferences Action Items 141
  Classic Preferences Action Items 141
  Dashboard and Exposé Preferences Action Items 142
  Date & Time Preferences Action Items 142
  Desktop & Screen Saver Preferences Action Items 142
  Dock Preferences Action Items 142
  Energy Saver Preferences Action Items 143
  Securing International Preferences 143
  Securing Keyboard & Mouse Preferences 143
  Network Preferences Action Items 143
  Print & Fax Preferences Action Items 144
  QuickTime Preferences Action Items 144
  Security Preferences Action Items 144
  Sharing Preferences Action Items 145
  Software Update Preferences Action Items 145
  Sound Preferences Action Items 145
  Speech Preferences Action Items 145
  Spotlight Preferences Action Items 146
  Startup Disk Preferences Action Items 146
  Data Maintenance and Encryption Action Items 146
  Network Services Configuration Action Items 146
  System Integrity Validation Action Items 148

Appendix B  Daily Best Practices 149
  Password Guidelines 149
    Creating Complex Passwords 149
    Using an Algorithm to Create a Complex Password 150
    Safely Storing Your Password 151
    Password Maintenance 151
  Email, Chat, and Other Online Communication Guidelines 152
  Computer Usage Guidelines 152

Glossary 155

Index 167

About This Guide

This guide provides an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer.
This guide is designed to give instructions and recommendations for securing Mac OS X version 10.4 or later, and for maintaining a secure computer.

Target Audience

This guide is for users of Mac OS X version 10.4 or later. If you’re using this guide, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts.
Some instructions in this guide are complex, and deviation could result in serious adverse effects on the computer and its security. These instructions should only be used by experienced Mac OS X users, and should be followed by thorough testing.
What’s New in Mac OS X Version 10.4
Mac OS X version 10.4 offers the following major security enhancements:
• Access control lists. Provide flexible file system permissions that are fully compatible with Windows Server 2003 Active Directory environments and Windows XP clients.
• Secure instant messaging. Your private, secure iChat Server, based on the Jabber XMPP protocol, integrates with Open Directory for user accounts and authentication.
• Software update server. By enabling the new Apple Software Update Server, administrators can control which updates their users can access and when.
• Certificate management. Certificate Assistant is an easy-to-use utility that helps you request, issue, and manage certificates.
• Smart cards as keychains. Use a smart card to authenticate to your system or Keychain.
• Secure erase. Secure erase follows the U.S. Department of Defense standard for the sanitization of magnetic media.
• VPN service is now Kerberized. Use Kerberos-based authentication for single sign-on to a VPN network.
• Firewall enhanced. The firewall service has been enhanced to use the reliable open source IPFW2 software.
• Antivirus and antispam. New adaptive junk mail filtering using SpamAssassin and virus detection and quarantine using ClamAV.

What’s in This Guide

This guide can assist you in securing a client computer. It does not provide information about securing servers. For help with securing computers running Mac OS X Server version 10.4 or later, see Mac OS X Server Security Configuration.
This guide includes the following chapters, arranged in the order that you’re likely to need them when securely configuring your computer:
 Chapter 1, “Introducing Mac OS X Security Architecture,” explains the infrastructure of
Mac OS X. It also discusses the different layers of security within Mac OS X.
 Chapter 2, “Installing Mac OS X,” describes how to securely install Mac OS X. The
chapter also discusses how to securely install software updates and explains permissions and how to repair them.
 Chapter 3, “Protecting Hardware and Securing Global System Settings,” explains how
to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect all users of the computer.
 Chapter 4, “Securing Accounts,” describes the types of user accounts and how to
securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication.
 Chapter 5, “Securing System Preferences,” describes recommended settings to secure
all Mac OS X system preferences.
 Chapter 6, “Securing Data and Using Encryption,” describes how to encrypt your data
and how to use secure erase to ensure old data is completely removed.
 Chapter 7, “Securing Network Services,” describes how to protect the computer by
securely configuring network services.
 Chapter 8, “Validating System Integrity,” describes how to use security audits to
validate the integrity of your computer and data.
 Appendix A, “Security Checklist,” provides a checklist that guides you through
securing your computer.
 Appendix B, “Daily Best Practices,” explains best practices for creating and managing
passwords. It also discusses communication and computer usage guidelines.
 The Glossary defines terms you’ll encounter as you read this guide.
10 Preface About This Guide
Note: Because Apple frequently releases new versions and updates to its software, images shown in this book might be different from what you see on your screen.

Using This Guide

The following are suggestions for using this guide:
• Read the guide in its entirety. Subsequent sections might build on information and recommendations discussed in prior sections.
• The instructions in this guide should always be tested in a nonoperational environment before deployment. This nonoperational environment should simulate as much as possible the environment where the computer will be deployed.
• This information is intended for computers running Mac OS X. Before securely configuring a computer, determine what function that particular computer will perform, and apply security configurations where applicable.
• A security checklist is provided in the appendix to track and record the settings you choose for each security task and note what settings you change to secure your computer. This information can be helpful when developing a security standard within your organization.
Important: Any deviation from this guide should be evaluated to determine what security risks it might introduce, and measures should be taken to monitor or mitigate those risks.

Using Onscreen Help

To see the latest help topics, make sure the computer is connected to the Internet while you’re using Help Viewer. Help Viewer automatically retrieves and caches the latest help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.

Mac Help

You can view instructions and other useful information and documents in the server suite by using onscreen help.
On a computer running Mac OS X, you can access onscreen help from the Finder or other applications on the computer. Use the Help menu to open Help Viewer.
The Mac OS X Server Suite
The Mac OS X Server documentation includes a suite of guides that explain the available services and provide instructions for configuring, managing, and troubleshooting the services. All of the guides are available in PDF format from: www.apple.com/server/documentation/
This guide ... tells you how to:
Getting Started, Getting Started Supplement, and Mac OS X Server Worksheet: Install Mac OS X Server and set it up for the first time.
Collaboration Services Administration: Set up and manage weblog, chat, and other services that facilitate interactions among users.
Command-line Administration: Use commands and configuration files to perform server administration tasks in a UNIX command shell.
Deploying Mac OS X Computers for K-12 Education: Configure and deploy Mac OS X Server and a set of Mac OS X computers for use by K-12 staff, teachers, and students.
Deploying Mac OS X Server for High Performance Computing: Set up and manage Mac OS X Server and Apple cluster computers to speed up processing of complex computations.
File Services Administration: Share selected server volumes or folders among server clients using these protocols: AFP, NFS, FTP, and SMB/CIFS.
High Availability Administration: Manage IP failover, link aggregation, load balancing, and other hardware and software configurations to ensure high availability of Mac OS X Server services.
Java Application Server Guide: Configure and administer a JBoss application server on Mac OS X Server.
Mac OS X Security Configuration: Securely install and configure Mac OS X computers.
Mac OS X Server Security Configuration: Securely install and configure Mac OS X Server computers.
Mail Service Administration: Set up, configure, and administer mail services on the server.
Migrating to Mac OS X Server from Windows NT: Move accounts, shared folders, and services from Windows NT servers to Mac OS X Server.
Network Services Administration: Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, and NAT services on the server.
Open Directory Administration: Manage directory and authentication services.
Print Service Administration: Host shared printers and manage their associated queues and print jobs.
QuickTime Streaming Server 5.5 Administration: Set up and manage QuickTime streaming services.
System Imaging and Software Update Administration: Use NetBoot and Network Install to create disk images from which Macintosh computers can start up over the network. Set up a software update server for updating client computers over the network.
Upgrading and Migrating: Use data and service settings that are currently being used on earlier versions of the server software.
User Management: Create and manage user accounts, groups, and computer lists. Set up managed preferences for Mac OS X clients.
Web Technologies Administration: Set up and manage a web server, including WebDAV, WebMail, and web modules.
Windows Services Administration: Set up and manage services including PDC, BDC, file, and print for Windows computer users.
Xgrid Administration: Manage computational Xserve clusters using the Xgrid application.
Mac OS X Server Glossary: Learn about terms used for server and storage products.

Getting Documentation Updates

Periodically, Apple posts new onscreen help topics, revised guides, and solution papers. The new help topics include updates to the guides.
• To view new onscreen help topics, make sure your computer is connected to the Internet and access the Mac Help page.
• To download the latest guides and solution papers in PDF format, go to the Mac OS X Server documentation webpage: www.apple.com/server/documentation/.

Getting Additional Information

For more information, Apple provides the following resources:
• Read Me documents—Important updates and special information. Look for them on the installation discs.
• Mac OS X Server website (www.apple.com/server/macosx/)—Gateway to extensive product and technology information.
• Apple Support website (www.apple.com/support/)—Access to hundreds of articles from Apple’s support organization.
• Apple Customer Training website (train.apple.com)—Instructor-led and self-paced courses for honing your server administration skills.
• Apple Certification Programs website (train.apple.com/certification/)—In-depth certification programs designed to create a high level of competency among Macintosh service technicians, help desk personnel, technical coordinators, system administrators, and other professional users.
• Apple Discussions website (discussions.info.apple.com)—Discussions forums for sharing questions, knowledge, and advice with other administrators.
• Apple Product Security Mailing Lists website (lists.apple.com/mailman/listinfo/security-announce)—Mailing lists for communicating by email with other administrators about security notifications and announcements.
• Open Source website (developer.apple.com/opensource/)—Access to Darwin open source code, developer information, and FAQs.
• Apple Product Security website (www.apple.com/support/security/)—Access to security information and resources, including security updates and notifications.
For additional security-specific information, consult these resources:
• NSA security configuration guides (www.nsa.gov/snac/)—The National Security Agency provides a wealth of information on securely configuring proprietary and open source software.
• NIST Security Configuration Checklists Repository (checklists.nist.gov/repository/category.html)—The National Institute of Standards and Technology repository for security configuration checklists.
• DISA Security Technical Implementation Guide (www.disa.mil/gs/dsn/policies.html)—The Defense Information Systems Agency guide for implementing secure government networks. A Department of Defense (DoD) PKI Certificate is required to access this information.
• CIS Benchmark and Scoring Tool (www.cisecurity.org/bench_osx.html)—The Center for Internet Security benchmark and scoring tool used to establish CIS benchmarks.

Acknowledgments

Apple would like to thank the National Security Agency for their assistance in creating and editing the security configuration guides for Mac OS X 10.4 ‘Tiger’ client and server.
1 Introducing Mac OS X Security Architecture
Mac OS X delivers the highest level of security through the adoption of industry standards, open software development, and smart architectural decisions.
With Mac OS X, a security strategy is implemented that is central to the design of the operating system, ensuring that your Mac is safe and secure. This chapter describes the features in Mac OS X that can be used to enhance security on your computer.
 Open source foundation. Using open source methodology makes Mac OS X a more
robust, secure operating system, because its core components have been subjected to peer review for decades. Problems can be quickly identified and fixed by Apple and the larger open source community.
 Secure default settings. When you take your Mac out of the box, it is securely
configured to meet the needs of most common usage environments, so you don’t have to be a security expert to setup your computer. The default settings make it very difficult for malicious software to infect your computer. Security can be further configured on the computer to meet organizational or user requirements.
 Modern security architecture. Mac OS X includes state-of-the-art, standards-based
technologies that enable Apple and third-party developers to build secure software for the Mac. These technologies support all aspects of system, data, and networking security required by today’s applications.
 Innovative security applications. Mac OS X includes features that take the worry out
of using a computer. For example, FileVault protects your documents using strong encryption, an integrated VPN client gives you secure access to networks over the Internet, and a powerful firewall secures your home network.
 Rapid response. Because the security of your computer is so important, Apple
responds rapidly to provide patches and updates. Apple works with worldwide partners, including the Computer Emergency Response Team (CERT), to notify users of any potential threats. Should vulnerabilities be discovered, the built-in Software Update tool automatically notifies users of security updates, which are available for easy retrieval and installation.
15

Security Architectural Overview

Mac OS X security services are built on two open source standards: Berkeley Software Distribution (BSD) and Common Data Security Architecture (CDSA). BSD is a form of the UNIX operating system that provides fundamental services, including the Mac OS X file system, and file access permissions. CDSA provides a much wider array of security services, including finer-grained access permissions, authentication of users’ identities, encryption, and secure data storage. The default security settings on your Mac OS X computer are configured to be secure from local network and Internet attacks.

UNIX Infrastructure

The Mac OS X kernel—the heart of the operating system—is built from BSD and Mach. Among other things, BSD provides basic file system and networking services and implements a user and group identification scheme. BSD enforces access restrictions to files and system resources based on user and group IDs. Mach provides memory management, thread control, hardware abstraction, and interprocess communication. Mach enforces access by controlling which tasks can send a message to a given Mach port (a Mach port represents a task or some other resource). BSD security policies and Mach access permissions constitute an essential part of security in Mac OS X, and are both critical to enforcing local security.

Access Permissions

An important aspect of computer security is the granting or denying of access permissions (sometimes called access rights). A permission is the ability to perform a specific operation, such as gaining access to data or to execute code. Permissions are granted at the level of folders, subfolders, files, or applications. Permissions are also granted for specific data within files or application functions.
Permissions in Mac OS X are controlled at many levels, from the Mach and BSD components of the kernel through higher levels of the operating system, and—for networked applications—through the networking protocols.

Security Framework

Apple built the foundation of Mac OS X and many of its integrated services with open source software—such as FreeBSD, Apache, and Kerberos, among many others—that has been made secure through years of public scrutiny by developers and security experts around the world. Strong security is a benefit of open source software because anyone can freely inspect the source code, identify theoretical vulnerabilities, and take steps to strengthen the software. Apple actively participates with the open source community by routinely releasing updates of Mac OS X that are subject to independent developers’ ongoing review—and by incorporating improvements. An open source software development approach provides the transparency necessary to ensure that Mac OS X is truly secure.
This open approach has clear advantages and a long, well-documented history of quickly identifying and correcting source code that could potentially contain exploitable vulnerabilities. Mac OS X users can comfortably rely on the ongoing public examination by large numbers of security experts, which is made possible by Apple’s open approach to software development. The result is an operating system that is inherently more secure.

Layered Security Defense

Mac OS X security is built on a layered defense for maximum protection. Security features provide solutions for securing data at all levels, from the operating system and applications to networks and the Internet.
 Secure worldwide communication—Firewall and mail filtering help prevent
malicious software from compromising your computer.
 Secure applications—Authentication using keychains and encryption using FileVault
helps prevent intruders from using your applications and viewing data on your computer.
 Secure network protocols—Secure sockets layer helps prevent intruders from
viewing information exchange across a network and Kerberos secures the authentication process.
 Operating system—POSIX and ACL permissions help prevent intruders from
accessing your files.
 Hardware—The Open Firmware Password application helps prevent people who can
access your hardware from gaining root-level access permissions to your computer files.
Secure Worldwide Communication Internet
Secure Applications
Secure Network Protocols
Security Services
Secure Boot/”Lock Down”
Chapter 1 Introducing Mac OS X Security Architecture 17
Applications
Network
Operating System
Hardware

Built-In Security Services

Mac OS X has several security services that are managed by the security server daemon. Security server implements several security protocols such as encryption, decryption, and authorization computation. The use of the security server to perform actions with cryptographic keys enables the security implementation to maintain the keys in a separate address space from the client application, keeping them more secure.

Keychain Services

A keychain is used to store passwords, keys, certificates, and other secrets. Due to the sensitive nature of this information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files.
The Mac OS X keychain services enable you to create keychains and provide secure storage of keychain items. Once a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes for one or more users. A user can unlock a keychain through authentication (by using a password, digital token, smart card, or biometric reader) and applications can then use that keychain to store and retrieve data, such as passwords.
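The store-and-retrieve cycle described above can be exercised from Terminal with the security(1) tool. The following is an added example, not part of Apple's guide, and it assumes the Mac OS X 10.4-era syntax: `security add-generic-password -a ACCOUNT -s SERVICE -w PASSWORD KEYCHAIN` to store an item and `security find-generic-password ... -g` to read it back, where `-g` prints the item's attributes on stdout and a line of the form `password: "SECRET"` on stderr. The keychain path, the account and service names, and the transcript used when `security` is not available are all made up for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): store a secret in a throwaway keychain
# with security(1), read it back, and parse the result. Assumptions not stated
# in the guide: the 10.4-era add-generic-password / find-generic-password -g
# syntax, and that -g reports the secret on stderr as  password: "SECRET"
# (or  password: 0x...  when the secret is not printable text).

KEYCHAIN="${TMPDIR:-/tmp}/example-$$.keychain"   # hypothetical path

# Pull SECRET out of a find-generic-password -g transcript read from stdin.
# Hex output means the stored data was binary; report it as such instead of
# pretending it is a string. Any other line (attributes) is dropped.
parse_found_password() {
  sed -n -e 's/^password: "\(.*\)"$/\1/p' \
         -e 's/^password: \(0x[0-9A-Fa-f]*\).*/[hex] \1/p'
}

store_and_fetch() {
  # $1 account, $2 service, $3 secret.
  security create-keychain -p "example-keychain-pass" "$KEYCHAIN"
  security add-generic-password -a "$1" -s "$2" -w "$3" "$KEYCHAIN"
  # -g writes the password to stderr; merge streams so the parser sees it.
  security find-generic-password -a "$1" -s "$2" -g "$KEYCHAIN" 2>&1 \
    | parse_found_password
  security delete-keychain "$KEYCHAIN"
}

# Constructed transcript in the shape find-generic-password -g produces;
# not captured from a real system.
SAMPLE_TRANSCRIPT='keychain: "/tmp/example.keychain"
class: "genp"
attributes:
    "acct"<blob>="build-bot"
    "svc "<blob>="internal-git"
password: "s3cret-token"'

if command -v security >/dev/null 2>&1; then
  store_and_fetch build-bot internal-git s3cret-token
else
  printf '%s\n' "$SAMPLE_TRANSCRIPT" | parse_found_password   # s3cret-token
fi
```

Passing the secret with `-w` on the command line puts it in the shell history and, briefly, in the process list; on a shared machine use a dedicated keychain file with its own password, as above, and add items interactively or from a file rather than from the command line.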

Secure Transport Services

Secure Transport is used to implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. These protocols provide secure communications over a TCP/IP connection such as the Internet by using encryption and certificate exchange.

Certificate, Key, and Trust Services

The certificate, key, and trust services include functions to:
 Create, manage, and read certificates  Add certificates to a keychain  Create encryption keys  Manage trust policies
These functions are carried out when the services call a variety of Common Security Service Manager (CSSM) functions. This is all transparent to users.

Authorization Services

Authorization services give applications control over access to specific operations within an application. For example, a directory application that can be started by any user can use authorization services to restrict access for modifying directory items to administrators. In contrast, BSD provides access permissions only to an entire file or application.

Smart Card Services

A smart card can be a plastic card (similar in size to a credit card) or a USB dongle that has memory and a microprocessor embedded in it. The smart card is capable of both storing information and processing it. Smart cards can securely store passwords, certificates, and keys. A smart card normally requires a personal identification number (PIN) or biometric measurement (such as a fingerprint) as an additional security measure. Because it contains a microprocessor, a smart card can carry out its own authentication evaluation offline before releasing information. Smart cards can exchange information with a computer through a smart card reader.

Authorization versus Authentication

Authorization is the process by which an entity, such as a user or a computer, obtains the right to perform a restricted operation. Authorization can also refer to the right itself, as in “Anne has the authorization to run that program.” Authorization usually involves first authenticating the entity and then determining whether it has the appropriate permissions.
Authentication is the process of verifying the identity of a user or service. Authentication is normally done as a step in the authorization process. Some applications and operating system components carry out their own authentication. Authentication might use authorization services when necessary.
2 Installing Mac OS X
Though the default installation of Mac OS X is highly secure, it can be customized for your particular network security needs.
By securely configuring the different stages of the installation process and understanding Mac OS X permissions, you can make sure that your computer is hardened to match your security policy.

System Installation Overview

If Mac OS X was already installed on the computer, consider reinstalling it. By reinstalling Mac OS X, and reformatting the volume, you avoid potential vulnerabilities caused by previous installations or settings.
Because there might still be some recoverable data left on the computer, you should securely erase the partition that you’re installing Mac OS X on. For more information, see “Using Disk Utility to Securely Erase a Disk or Partition” on page 109.
If you decide against securely erasing the partition, securely erase free space after installing Mac OS X. For more information, see “Using Disk Utility to Securely Erase Free Space” on page 111.

Disabling the Open Firmware Password

Before installing Mac OS X, you should first disable the Open Firmware password.
If you already have Mac OS X version 10.4 installed, you can use the Open Firmware Password application to disable the Open Firmware password. For more information, see “Using the Open Firmware Password Application” on page 36.
Note: If you are using an Intel-based Macintosh computer, you cannot use the following method to disable the Open Firmware password. Use the Open Firmware Password application instead.
To disable the Open Firmware password:
1 Restart the computer while holding down the Command, Option, O, and F keys.
2 Enter the Open Firmware password when prompted.
If you are not prompted to enter a password, the Open Firmware password is already disabled.
3 Enter the following commands:
reset-nvram
reset-all

Installing from CD or DVD

When you install Mac OS X version 10.4 from the original installation discs, you should do two things: erase the partition where you will install Mac OS X, and install only the packages that you plan on using.
Before installing Mac OS X, you should first securely erase the partition you want to install Mac OS X on. For more information, see “Using Disk Utility to Securely Erase a Disk or Partition” on page 109.
WARNING: To install Mac OS X, you must erase the contents of the partition you’re installing on. Be sure to back up the files that you want to keep before continuing.
To install Mac OS X version 10.4 from the original installation discs:
1 Insert the first of the Mac OS X installation discs in the optical drive.
2 Restart the computer while holding down the C key.
The computer will start up using the disc in the optical drive.
3 Follow the installation steps until you reach the “Select a Destination” step.
4 Choose a partition to install Mac OS X on, and click Options. Select “Erase and Install.”
In “Format disk as,” choose “Mac OS Extended (Journaled).”
Mac OS Extended disk formatting provides extended file characteristics that enhance multiplatform interoperability.
5 Click OK and then click Continue.
6 In the “Easy Install on partition_name” step, click Customize. Deselect any packages that you do not plan on using. Do not select the X11 package unless you have a use for it.
The X11 X Window system lets you run X11-based applications in Mac OS X. While this might be useful, it also makes it harder to maintain a secure configuration.
Removing additional unused packages not only frees up disk space, but reduces the risk of attackers leveraging potential vulnerabilities in unused components.
7 Click Install.

Installing from the Network

There are several ways to deploy images from the network. When choosing a method, make sure you can do it securely. When retrieving the image over a network, make sure that the network is isolated and can be trusted. For information about deploying images from a network, see the getting started guide. Verify the image to make sure that it is correct. For more information about verifying images, see “Verifying the Integrity of Software” on page 28.

Restoring from Preconfigured Disk Images

One of the most efficient ways to deploy secure computers is to configure a model computer first, using all of the security settings requested by your organization. Create a disk image of the computer after thoroughly testing the computer’s settings, making sure that the computer meets your organization’s standards. You can then deploy this image without having to manually configure individual settings on each computer.
You can use NetBoot or Apple Software Restore (ASR) to restore your computer from a network-based disk image. With NetBoot, you can restore an image directly from the network. With ASR, you can restore an image deployed by an ASR server, or you can save that image to disk. By saving the image to disk, you can verify its validity before using it. If you’re deploying multiple computers simultaneously, ASR can be much more efficient.
For information about how to use NetBoot, see the system imaging and software update administration guide. For information about how to use ASR, enter man asr in a Terminal window. For information about how to use Disk Utility to create disk images, see the system imaging and software update administration guide.

Initializing System Setup

After installing Mac OS X, the computer restarts and loads Setup Assistant.

Using Setup Assistant

Setup Assistant initially configures Mac OS X. You can use Setup Assistant to transfer information from other computers and send registration information to Apple. Setup Assistant configures the first account on the computer as an administrator account. Administrator accounts should only be used for administration. Users should use standard user accounts for day-to-day computer use.
Note: Apple protects information submitted by the Setup Assistant, but you should avoid entering any information considered sensitive by your organization.
To use Setup Assistant without providing confidential information:
1 Proceed to the Do You Already Own a Mac step. Select “Do not transfer my information,” and click Continue.
2 Proceed to the Your Internet Connection step. Click Different Network Setup.
Select “My computer does not connect to the Internet,” and click Continue.
Even if you can configure the computer to access your network, you should disable network access until your network services settings are secure and validated. For more information, see Chapter 7, “Securing Network Services,” on page 113.
If you don’t disable your network connection, an additional step, Enter Your Apple ID, appears. Don’t enter any values in the provided fields. The administrator account should only be used for administration, so there’s no need for an Apple ID.
3 In Registration Information, press Command-Q. Click “Skip to bypass the remaining registration and setup process.”
When you bypass the remaining registration and setup process, you can’t go back to change any settings. Before bypassing, you might want to go back through the steps to remove any sensitive information. Once you enter information in the Your Internet Connection step, you cannot go back to that step to change your network settings. You can then only change network settings after completing installation.
If you enter registration information, an additional step, Register With Apple, will be added later in the installation process. Select Register Later, but don’t register with Apple.

Creating Initial System Accounts

After completing the initial steps of Setup Assistant, you’re presented with the Create Your Account step. In this step, you create a system administrator account. You should make sure that this account is as secure as possible.
Note: The system administrator account should be used only for performing administrative tasks. You should also create additional accounts for nonadministrative use. For more information, see “Types of User Accounts” on page 41.
To set up a secure system administrator account:
1 In the Name and Short Name fields, enter names that are not easily guessed.
Avoid easily guessed names and short names like “administrator” and “admin.” You can use either the long name or the short name when you’re authenticating. The short name is often used by UNIX commands and services.
2 In the Password and Verify fields, enter a complex password that is at least twelve characters long and composed of mixed-case characters, numbers, and special characters (such as ! or @).
Mac OS X supports only passwords that contain standard ASCII characters.
For more information, see “Creating Complex Passwords” on page 149.
3 In the Password Hint field, do not enter any information related to your password.
If a hint is provided, the user is presented with the hint after three failed authentication attempts. Any password-related information provided in the field could compromise the integrity of the password. Adding contact information for your organization’s technical support line would be convenient and doesn’t compromise password integrity.
4 Click Continue.

Setting Correct Time Settings

After creating the system administrator account, you’ll configure the computer’s time settings. You must configure the computer’s time settings correctly because several authentication protocols, such as Kerberos, require valid time settings to work properly. Also, security auditing tools rely on valid time settings.
Mac OS X can set the time automatically by retrieving date and time information from a Network Time Protocol (NTP) server. You should still set valid time settings in case you decide to disable this feature, or in case you don’t have access to a secure internal NTP server.
For more information about using a secure NTP server, see “Securing Date & Time Preferences” on page 72.

Updating System Software

After installing Mac OS X, be sure to install the latest approved security updates. Mac OS X includes Software Update, an application that downloads and installs software updates either from Apple’s Software Update server or from an internal software update server. You can configure Software Update so that it checks for updates either periodically or whenever you choose. You can also configure Software Update to download, but not install, updates, in case you want to install them later.
Before installing updates, check with your organization for their policy on downloading updates. They might prefer that you use an internal software update server, which reduces the amount of external network traffic and lets the organization prequalify software updates against organization configurations before updating individual systems.
System updates should be installed immediately after the operating system installation. Software updates are obtained and installed in several ways:
• Using Software Update to download and install updates from an internal software update server
• Using Software Update to download and install updates from Internet-based software update servers
• Manually downloading and installing updates as separate software packages
Important: All security updates published by Apple contain fixes for security issues, and are usually released in response to a specific known security problem. Applying these updates is essential.
If Software Update does not install an update that you request, contact your network administrator. Failure to update indicates that the requested update might be a malicious file.
Important: If you have not secured and validated your settings for network services, you should not enable your network connection to install software updates. For information, see Chapter 7, “Securing Network Services,” on page 113. Until you have securely configured your network services settings, you will be limited to using the manual method of installing software updates.
For more information, see “Securing Software Update Preferences” on page 90.

Updating from an Internal Software Update Server

Your computer automatically looks for software updates on an internal software update server. By using an internal software update server, you reduce the amount of data transferred outside of the network. Your organization can control which updates can be installed on your computer.
If you run Software Update on a wireless network or untrusted network, you run a chance of downloading malicious updates from a rogue software update server. Software Update, however, will not install a package that has not been digitally signed by Apple.
If you connect your computer to a network that manages its client computers, the network can require that the computer use a specified software update server. Or, you can enter the following command in a Terminal window to specify your software update server:
defaults write com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index.sucatalog
Replace swupdate.apple.com with the fully qualified domain name (FQDN) or IP address of your software update server.

Updating from Internet-Based Software Update Servers

Before connecting to the Internet, make sure your network services are securely configured. For information, see Chapter 7, “Securing Network Services,” on page 113.
Instead of using your operational computer to check for and install updates, consider using a test-bed computer to download updates and verify file integrity before installing updates. You can then transfer the update packages to your operational computer. For instructions on installing the updates, see “Updating Manually from Installer Packages” on page 27.
You can also download software updates for all of Apple’s products at www.apple.com/support/downloads/.
To download and install software updates using Software Update:
1 Choose Apple menu > Software Update.
After Software Update looks for updates to your installed software, it displays a list of all updates. To get older versions of updates, go to the software update website at www.apple.com/support/downloads/.
2 Select the updates you want to install, and choose Update > Install and Keep Package.
When you keep the package, it is stored in the /Library/Packages/ folder. If you do not want to install any of the updates, click Quit.
3 Accept the licensing agreements to start installation.
Some updates might require your computer to restart. If, after installing updates, Software Update asks you if you want to restart the computer, do so.
Important: Make sure updates are installed when the computer can be restarted without affecting the users accessing the server.

Updating Manually from Installer Packages

Software updates can be manually downloaded for all of Apple’s products from www.apple.com/support/downloads/ using a computer designated specifically for downloading and verifying updates. The download should be done separately so that file integrity can be verified before the updates are installed.
It is possible to review the contents of each security update before installing it. To see the contents of a security update, go to Apple’s Security Support Page at www.apple.com/support/security/ and click the “Security Updates page” link.
To manually download, verify and install software updates:
1 Go to www.apple.com/support/downloads/ and download the necessary software updates on a computer designated for verifying software updates.
Note: Updates provided through Software Update might sometimes appear earlier than the standalone updates.
2 Review the SHA-1 digest (also known as a checksum) for each update file downloaded, which should be posted online with the update package.
3 Check all downloaded updates for viruses.
4 Verify the integrity of each update.
For more information, see “Verifying the Integrity of Software” on page 28.
5 Transfer the update packages from your test computer to your current computer. The default download location for update packages is /Library/Packages/. You can transfer update packages to any location on your computer.
6 Double-click the package. If the package is located within a disk image (dmg) file, double-click the dmg file, and then double-click the package.
7 Proceed through the installation steps.
8 Restart the computer, if requested.
Install the appropriate system update and then install any subsequent security updates. These updates should be installed in order by release date, oldest to newest.

Verifying the Integrity of Software

Software images and updates can include a SHA-1 digest, which is also known as a checksum. You can use this SHA-1 digest to verify the integrity of the software. Software updates retrieved and installed automatically from Software Update verify the checksum before installation.
To verify software integrity:
1 Open Terminal.
2 Use the openssl sha1 command to display a file’s SHA-1 digest:
$ /usr/bin/openssl sha1 full_path_filename
The full_path_filename is the full path filename of the update package or image for which the SHA-1 digest is being checked.
If provided, the SHA-1 digest for each software update or image should match the digest created for that file. If it does not, the file was corrupted in some way and a new copy should be obtained.
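A script for the check described above, added here as an example and not part of Apple’s guide: it computes the digest with openssl (falling back to shasum or sha1sum when openssl is absent, which is an assumption of this example, since the guide names only openssl) and compares it, case-insensitively, with the digest published beside the package. The sample file and its digest are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from Apple's guide): compare a downloaded package's
# SHA-1 digest against the digest published alongside it.
# Assumes only a POSIX shell plus one of: openssl, shasum, sha1sum.

# Print the hex SHA-1 of the file given as $1, using whichever tool exists.
sha1_of_file() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA1(path)= <hex>"; keep only the last field
        openssl sha1 "$1" | awk '{print $NF}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        sha1sum "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED_DIGEST
# Returns 0 when the digests match, 1 when they differ, 2 when the file
# is missing. Digests are compared case-insensitively because vendor
# pages print them in either case.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    actual=$(sha1_of_file "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published SHA-1"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demonstration input: a stand-in "package" whose content is
# the string abc, whose SHA-1 is the well-known test vector below.
demo_pkg=$(mktemp)
printf 'abc' > "$demo_pkg"
verify_sha1 "$demo_pkg" a9993e364706816aba3e25717850c26c9cd0d89d
verify_sha1 "$demo_pkg" 0000000000000000000000000000000000000000 \
    || echo "rejected copy whose digest does not match; obtain a new copy"
rm -f "$demo_pkg"
```

A non-zero exit status is the signal to discard the download and fetch it again, as the paragraph above directs; wiring the function into a deployment script lets that decision happen before the package is ever copied to the operational computer.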

Repairing Disk Permissions

Before you modify or repair disk permissions, you should understand Portable Operating System Interface (POSIX) and Access Control List (ACL) permissions. POSIX permissions are standard for UNIX operating systems. ACL permissions are used by Mac OS X, and are compatible with Windows Server 2003 and Windows XP.

Kinds of Permissions

Before you modify or repair disk permissions, you should understand the two kinds of file and folder permissions that Mac OS X Server supports:
• Portable Operating System Interface (POSIX) permissions—standard for UNIX operating systems.
• Access Control Lists (ACLs) permissions—used by Mac OS X, and compatible with Microsoft Windows Server 2003 and Microsoft Windows XP.
Note: In this guide, the term “privileges” refers to the combination of ownership and permissions, while the term “permissions” refers only to the permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).

POSIX Permissions Overview

POSIX permissions let you control access to files and folders. Every file or folder has read, write, and execute permission defined for three different categories of users (Owner, Group, and Everyone). There are four types of standard POSIX permissions that you can assign: Read & Write, Read Only, Write Only, None.
For more information, see “Setting POSIX Permissions” on page 97.

ACL Permissions Overview

An access control list (ACL) provides an extended set of permissions for a file or folder and enables you to set multiple users and groups as owners. An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. In addition, ACLs are compatible with Windows Server 2003 and Windows XP, giving you added flexibility in a multiplatform environment.
ACLs provide more granularity when assigning privileges than POSIX permissions. For example, rather than giving a user full write permission, you can restrict him or her to the creation of only folders and not files.
If a file or folder has no ACEs defined for it, Mac OS X applies the standard POSIX permissions. If a file or folder has one or more ACEs defined for it, Mac OS X starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. After evaluating the ACEs, Mac OS X evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X determines what type of access a user has to a shared file or folder.
For more information, see “Setting ACL Permissions” on page 101.

Using Disk Utility to Repair Disk Permissions

Installing software sometimes causes file permissions to become incorrectly set. Incorrect file permissions can create security vulnerabilities. Disk Utility repairs only POSIX permissions or the minimal ACL permissions.
Most software you install in Mac OS X is installed from package (.pkg) files. Each time something is installed from a package file, a “Bill of Materials” (.bom) file is stored in the package’s receipt. Each Bill of Materials file contains a list of the files installed by that package, along with the proper permissions for each file.
When you use Disk Utility to verify or repair disk permissions, it reads the Bill of Materials files from the initial Mac OS X installation and compares its list to the actual permissions on each file listed. If the permissions differ, Disk Utility can repair them.
You should repair disk permissions if you experience symptoms that indicate permission-related problems after installing software, software updates, or applications.
Note: If you’ve modified permissions for files, in accordance with organizational policies, be aware that repairing disk permissions can reset those modified permissions to those stated in the “Bill of Materials” files. After repairing permissions, you should re-apply the file permission modifications to stay within your organizational policies.
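The compare-and-reset idea behind Disk Utility’s permission repair, as an added example that is not Apple’s code and does not read real .bom receipts: a constructed manifest of expected octal modes (one “mode, tab, relative path” line per entry, a stand-in format assumed for this example) is checked against what is on disk, and drifted entries are reset. Both the scratch file tree and the manifest are constructed for the demonstration; the script relies only on a POSIX shell, stat (GNU or BSD form) and chmod.

```shell
#!/bin/sh
# Added example, not code from Apple's guide: audit file modes against an
# expected-permissions manifest and put drifted entries back, the same idea
# Disk Utility applies using the Bill of Materials (.bom) receipts.
# The manifest format here is a constructed stand-in, one "octal-mode<TAB>path"
# line per entry; it is not the real .bom format.

# Permission bits of $1 in octal, on either GNU stat or BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_perms MANIFEST ROOT
# Compare every manifest entry (paths relative to ROOT) with the mode on
# disk. Prints one line per deviation; returns 0 only if nothing deviates.
check_perms() {
    bad=0
    while IFS="$(printf '\t')" read -r want rel; do
        [ -n "$rel" ] || continue               # skip blank lines
        target="$2/$rel"
        if [ ! -e "$target" ]; then
            echo "MISSING  $rel"
            bad=$((bad + 1))
            continue
        fi
        have=$(mode_of "$target")
        if [ "$have" != "$want" ]; then
            echo "DIFFERS  $rel: expected $want, found $have"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# repair_perms MANIFEST ROOT
# Reset the mode of every existing manifest entry to the recorded value.
# Like Disk Utility, this also undoes deliberate local changes, so
# policy-driven modifications must be re-applied afterwards.
repair_perms() {
    while IFS="$(printf '\t')" read -r want rel; do
        [ -n "$rel" ] && [ -e "$2/$rel" ] || continue
        if [ "$(mode_of "$2/$rel")" != "$want" ]; then
            chmod "$want" "$2/$rel" && echo "REPAIRED $rel -> $want"
        fi
    done < "$1"
}

# Constructed demonstration tree: one tool has drifted to world-writable,
# as a careless installer might leave it, and one config file is absent.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin"
: > "$demo/usr/bin/tool";   chmod 755 "$demo/usr/bin/tool"
: > "$demo/usr/bin/helper"; chmod 777 "$demo/usr/bin/helper"
manifest="$demo/manifest.txt"
printf '755\tusr/bin/tool\n755\tusr/bin/helper\n644\tetc/config\n' > "$manifest"

check_perms "$manifest" "$demo" || echo "permission drift found, repairing"
repair_perms "$manifest" "$demo"
rm -rf "$demo"
```

Running check_perms on its own is the verify step and repair_perms the repair step; keeping them separate lets an administrator review the deviations first, which matters because, exactly as the note above warns, a blanket reset also reverts modes that were changed on purpose.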
To repair disk permissions:
1 Open Disk Utility.
2 Select the partition that you want to repair.
Be careful to select a partition, not a drive. Partitions are contained within drives and are indented one level in the list on the left.
3 Click Repair Disk Permissions.
If you do not select a partition, this button is disabled.
4 Choose Disk Utility > Quit Disk Utility.
5 Choose Installer > Quit Installer, and click Restart.