Apple MAC OS X 10.4 Security Configuration

Download

Page 1

Mac OS X

Security Configuration

For Version 10.4 or Later Second Edition

Page 2

Apple Inc.

The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

Apple 1 Infinite Loop Cupertino, CA 95014-2084 408-996-1010 www.apple.com

The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AirPort, FireWire, Keychain, Mac, Macintosh, the Mac logo, Mac OS, QuickTime, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Finder, and Xgrid are trademarks of Apple Inc.

The Bluetooth the Bluetooth SIG, Inc. and any use of such marks by Apple Inc. is under license.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

019-0922/02-15-07

word mark and logos are owned by

Page 3

Preface 9 About This Guide

Target Audience

What’s New in Mac OS X Version 10.4

What’s in This Guide

Using This Guide

Using Onscreen Help

11 12 13 13 14

Mac Help The Mac OS X Server Suite Getting Documentation Updates Getting Additional Information Acknowledgments

Chapter 1 15 Introducing Mac OS X Security Architecture

Security Architectural Overview

16 16 16 17 18 18 18 18 18 19 19

UNIX Infrastructure

Access Permissions

Security Framework

Layered Security Defense Built-In Security Services

Keychain Services

Secure Transport Services

Certificate, Key, and Trust Services

Authorization Services

Smart Card Services Authorization versus Authentication

Chapter 2 21 Installing Mac OS X

System Installation Overview

21 22 23 23 23

Disabling the Open Firmware Password Installing from CD or DVD Installing from the Network Restoring from Preconfigured Disk Images

Initializing System Setup

Page 4

24 25 25

26 27 27

28 28 29 29 29 30

Using Setup Assistant Creating Initial System Accounts Setting Correct Time Settings

Updating System Software

Updating from an Internal Software Update Server Updating from Internet-Based Software Update Servers Updating Manually from Installer Packages Verifying the Integrity of Software

Repairing Disk Permissions

Kinds of Permissions POSIX Permissions Overview ACL Permissions Overview Using Disk Utility to Repair Disk Permissions

Chapter 3 31 Protecting Hardware and Securing Global System Settings

Protecting Hardware

32 33 33

34 34

35 36 37 38 38 39 39

Disabling Hardware

Removing Mac OS 9

Using the Command Line to Remove Mac OS 9 Running Mac OS 9 from a CD or DVD Running Mac OS 9 from a Disc Image

Securing System Startup

Using the Open Firmware Password Application Configuring Open Firmware Settings Using Command-Line Tools to Secure Startup Requiring a Password for Single-User Mode

Configuring Access Warnings

Enabling Access Warnings for the Login Window Enabling Access Warnings for the Command Line

Chapter 4 41 Securing Accounts

Types of User Accounts

42 42 43 45 46 47 48 49 50 50

Guidelines for Creating Accounts Defining User IDs Securing Nonadministrator Accounts Securing Administrator Accounts Securing the System Administrator Account

Understanding Directory Domains

Understanding Network Services, Authentication, and Contacts Configuring LDAPv3 Access Configuring Active Directory Access

Using Strong Authentication

Using Password Assistant

Contents

Page 5

52 52 52 53 53

55 56 57

Using Smart Cards Using Tokens

Using Biometrics Setting Global Password Policies Storing Credentials

Using the Default User Keychain

Securing Keychain Items

Creating Additional Keychains

Using Portable and Network-Based Keychains

Chapter 5 59 Securing System Preferences

System Preferences Overview

Securing .Mac Preferences

Securing Accounts Preferences

Securing Appearance Preferences

Securing Bluetooth Preferences

Securing CDs & DVDs Preferences

Securing Classic Preferences

Securing Dashboard and Exposé Preferences

Securing Date & Time Preferences

Securing Desktop & Screen Saver Preferences

Securing Displays Preferences

Securing Dock Preferences

Securing Energy Saver Preferences

Securing International Preferences

Securing Keyboard & Mouse Preferences

Securing Network Preferences

Securing Print & Fax Preferences

Securing QuickTime Preferences

Securing Security Preferences

Securing Sharing Preferences

Securing Software Update Preferences

Securing Sound Preferences

Securing Speech Preferences

Securing Spotlight Preferences

Securing Startup Disk Preferences

Securing Universal Access Preferences

Chapter 6 97 Securing Data and Using Encryption

Understanding Permissions

Setting POSIX Permissions

98 99

Viewing POSIX Permissions

Interpreting POSIX Permissions

Contents

Page 6

10 0 10 0 10 0 10 0 101 101 10 2

Modifying POSIX Permissions

Setting File and Folder Flags

Viewing Flags

Modifying Flags

Setting ACL Permissions

Enabling ACL

Modifying ACL Permissions

10 2 Setting Global File Permissions 10 3 Securing Your Home Folder 10 4 Encrypting Home Folders 10 5 Using FileVault Master Keychain 10 5 Encrypting Portable Files 10 6 Creating a New Encrypted Disk Image 10 7 Creating an Encrypted Disk Image from Existing Data 10 7 Creating Encrypted PDFs 10 8 Securely Erasing Data 10 9 Using Disk Utility to Securely Erase a Disk or Partition 10 9 Using Command-Line Tools to Securely Erase Files

11 0 Using Secure Empty Trash

111 Using Disk Utility to Securely Erase Free Space 111 Using Command-Line Tools to Securely Erase Free Space

Chapter 7 113 Securing Network Services

113 Securing Apple Applications 113 Securing Mail 11 4 Securing Web Browsing 11 5 Securing Instant Messaging 11 5 Securing VPN 117 Securing Firewall 11 8 About Internet Sharing

11 9 Enabling TCP Wrappers 12 0 Securing SSH 12 0 Enabling an SSH Connection 121 Configuring a Key-Based SSH Connection 12 4 Preventing Connections to Unauthorized Host Servers 12 5 Using SSH as a Tunnel 12 6 Securing Bonjour 12 7 Securing Network Services 12 7 Securing AFP 12 8 Securing Windows Sharing 12 8 Securing Personal Web Sharing 12 8 Securing Remote Login 12 9 Securing FTP Access

Contents

Page 7

12 9 Securing Apple Remote Desktop 12 9 Securing Remote Apple Events 12 9 Securing Printer Sharing 12 9 Securing Xgrid 13 0 Intrusion Detection Systems

Chapter 8 131 Validating System Integrity

131 About Activity Analysis Tools 131 Using Auditing Tools 13 2 Configuring Log Files 13 2 Configuring syslogd 13 3 Local System Logging 13 4 Remote System Logging 13 5 About File Integrity Checking Tools 13 5 About Antivirus Tools

Appendix A 137 Security Checklist

13 7 Installation Action Items 13 8 Hardware and Core Mac OS X Action Items 13 8 Account Configuration Action Items 13 9 Securing System Software Action Items 13 9 .Mac Preferences Action Items

14 0 Accounts Preferences Action Items 14 0 Appearance Preferences Action Items 14 0 Bluetooth Preferences Action Items

141 CDs & DVDs Preferences Actions Items 141 Classic Preferences Action Items

14 2 Dashboard and Exposé Preferences Action Items 14 2 Date & Time Preferences Action Items 14 2 Desktop & Screen Saver Preferences Action Items 14 2 Dock Preferences Action Items 14 3 Energy Saver Preferences Action Items 14 3 Securing International Preferences 14 3 Securing Keyboard & Mouse Preferences 14 3 Network Preferences Action Items 14 4 Print & Fax Preferences Action Items 14 4 QuickTime Preferences Action Items 14 4 Security Preferences Action Items 14 5 Sharing Preferences Action Items 14 5 Software Update Preferences Action Items 14 5 Sound Preferences Action Items 14 5 Speech Preferences Action Items 14 6 Spotlight Preferences Action Items

Contents 7

Page 8

14 6 Startup Disk Preferences Action Items 14 6 Data Maintenance and Encryption Action Items 14 6 Network Services Configuration Action Items 14 8 System Integrity Validation Action Items

Appendix B 149 Daily Best Practices

14 9 Password Guidelines 14 9 Creating Complex Passwords 15 0 Using an Algorithm to Create a Complex Password

151 Safely Storing Your Password 151 Password Maintenance

15 2 Email, Chat, and Other Online Communication Guidelines 15 2 Computer Usage Guidelines

Glossary 15 5

Index 167

8 Contents

Page 9

About This Guide

This guide provides an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer.

This guide is designed to give instructions and recommendations for securing Mac OS X version 10.4 or later, and for maintaining a secure computer.

Target Audience

This guide is for users of Mac OS X version 10.4 or later. If you’re using this guide, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application’s command-line interface. You should also be familiar with basic networking concepts.

Preface

Some instructions in this guide are complex, and deviation could result in serious adverse effects on the computer and its security. These instructions should only be used by experienced Mac OS X users, and should be followed by thorough testing.

What’s New in Mac OS X Version 10.4

Mac OS X version 10.4 offers the following major security enhancements: Â Access control lists. Provide flexible file system permissions that are fully compatible

with Windows Server 2003 Active Directory environments and Windows XP clients.

Â Secure instant messaging. Your private, secure iChat Server, based on Jabber XMPP

protocol, integrates with Open Directory for user accounts and authentication.

Â Software update server. By enabling the new Apple Software Update Server,

administrators can control which updates their users can access and when.

Â Certificate management. Certificate Assistant is an easy-to-use utility that helps you

request, issue, and manage certificates.

Â Smart cards as keychains. Use a smart card to authenticate to your system or

Keychain.

Page 10

Â Secure erase. Secure erase follows the U.S. Department of Defense standard for the

sanitation fro magnetic media.

Â VPN service is now Kerberized. Use Kerberos-based authentication for single sign-on

to a VPN network.

Â Firewall enhanced. The firewall service has been enhanced to use the reliable open

source IPFW2 software.

Â Antivirus and antispam. New adaptive junk mail filtering using SpamAssassin and

virus detection and quarantine using ClamAV.

What’s in This Guide

This guide can assist you in securing a client computer. It does not provide information about securing servers. For help with securing computers running Mac OS X Server version 10.4. or later, see Mac OS X Server Security Configuration.

This guide includes the following chapters, arranged in the order that you’re likely to need them when securely configuring your computer:

Â Chapter 1, “Introducing Mac OS X Security Architecture,” explains the infrastructure of

Mac OS X. It also discusses the different layers of security within Mac OS X.

Â Chapter 2, “Installing Mac OS X,” describes how to securely install Mac OS X. The

chapter also discusses how to securely install software updates and explains permissions and how to repair them.

Â Chapter 3, “Protecting Hardware and Securing Global System Settings,” explains how

to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect all users of the computer.

Â Chapter 4, “Securing Accounts,” describes the types of user accounts and how to

securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication.

Â Chapter 5, “Securing System Preferences,” describes recommended settings to secure

all Mac OS X system preferences.

Â Chapter 6, “Securing Data and Using Encryption,” describes how to encrypt your data

and how to use secure erase to ensure old data is completely removed.

Â Chapter 7, “Securing Network Services,” describes how to protect the computer by

securely configuring network services.

Â Chapter 8, “Validating System Integrity,” describes how to use security audits to

validate the integrity of your computer and data.

Â Appendix A, “Security Checklist,” provides a checklist that guides you through

securing your computer.

Â Appendix B, “Daily Best Practices,” explains best practices for creating and managing

passwords. It also discusses communication and computer usage guidelines.

Â The Glossary defines terms you’ll encounter as you read this guide.

10 Preface About This Guide

Page 11

Note: Because Apple frequently releases new versions and updates to its software, images shown in this book might be different from what you see on your screen.

Using This Guide

The following are suggestions for using this guide: Â Read the guide in its entirety. Subsequent sections might build on information and

recommendations discussed in prior sections.

Â The instructions in this guide should always be tested in a nonoperational

environment before deployment. This nonoperational environment should simulate as much as possible the environment where the computer will be deployed.

Â This information is intended for computers running Mac OS X. Before securely

configuring a computer, determine what function that particular computer will perform, and apply security configurations where applicable.

Â A security checklist is provided in the appendix to track and record the settings you

choose for each security task and note what settings you change to secure your computer. This information can be helpful when developing a security standard within your organization.

Important: Any deviation from this guide should be evaluated to determine what

security risks it might introduce and take measures to monitor or mitigate those risks.

Using Onscreen Help

To see the latest help topics, make sure the computer is connected to the Internet while you’re using Help Viewer. Help Viewer automatically retrieves and caches the latest help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.

Mac Help

You can view instructions and other useful information and documents in the server suite by using onscreen help.

On a computer running Mac OS X, you can access onscreen help from the Finder or other applications on the computer. Use the Help menu to open Help Viewer.

Preface About This Guide 11

Page 12

The Mac OS X Server Suite

The Mac OS X Server documentation includes a suite of guides that explain the available services and provide instructions for configuring, managing, and troubleshooting the services. All of the guides are available in PDF format from: www.apple.com/server/documentation/

This guide ... tells you how to:

Getting Started, Getting Started Supplement, and Mac OS X Server Worksheet

Collaboration Services Administration

Command-line Administration Use commands and configuration files to perform server

Deploying Mac OS X Computers for K-12 Education

Deploying Mac OS X Server for High Performance Computing

File Services Administration Share selected server volumes or folders among server clients

High Availability Administration Manage IP failover, link aggregation, load balancing, and other

Java Application Server Guide Configure and administer a JBoss application server on Mac OS X

Mac OS X Security Configuration Securely install and configure Mac OS X computers.

Mac OS X Server Security Configuration

Mail Service Administration Set up, configure, and administer mail services on the server.

Migrating to Mac OS X server from Windows NT

Network Services Administration Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall,

Open Directory Administration Manage directory and authentication services.

Print Service Administration Host shared printers and manage their associated queues and print

QuickTime Streaming Server 5.5 Administration

System Imaging and Software Update Administration

Upgrading And Migrating Use data and service settings that are currently being used on

Install Mac OS X Server and set it up for the first time.

Set up and manage weblog, chat, and other services that facilitate interactions among users.

administration tasks in a UNIX command shell.

Configure and deploy Mac OS X Server and a set of Mac OS X computers for use by K-12 staff, teachers, and students.

Set up and manage Mac OS X Server and Apple cluster computers to speed up processing of complex computations.

using these protocols: AFP, NFS, FTP, and SMB/CIFS.

hardware and software configurations to ensure high availability of Mac OS X Server services.

Server.

Securely install and configure Mac OS X Server computers.

Move accounts, shared folders, and services from Windows NT servers to Mac OS X Server.

and NAT services on the server.

jobs.

Set up and manage QuickTime streaming services.

Use NetBoot and Network Install to create disk images from which Macintosh computers can start up over the network. Set up a software update server for updating client computers over the network.

earlier versions of the server software.

12 Preface About This Guide

Page 13

This guide ... tells you how to:

User Management Create and manage user accounts, groups, and computer lists. Set

up managed preferences for Mac OS X clients.

Web Technologies Administration Set up and manage a web server, including WebDAV, WebMail, and

web modules.

Windows Services Administration Set up and manage services including PDC, BDC, file, and print for

Windows computer users.

Xgrid Administration Manage computational Xserve clusters using the Xgrid application.

Mac OS X Server Glossary Learn about terms used for server and storage products.

Getting Documentation Updates

Periodically, Apple posts new onscreen help topics, revised guides, and help topics. The new help topics include updates to the guides.

Â To view new onscreen help topics, make sure your computer is connected to the

Internet and access the Mac Help page.

Â To download the latest guides and solution papers in PDF format, go to the

Mac OS X Server documentation webpage: www.apple.com/server/documentation/.

Getting Additional Information

For more information, Apple provides the following resources: Â Read Me documents—Important updates and special information. Look for them on

the installation discs.

Â Mac OS X Server website (www.apple.com/server/macosx/)—Gateway to extensive

product and technology information.

Â Apple Support website (www.apple.com/support/)—Access to hundreds of articles

from Apple’s support organization.

Â Apple Customer Training website (train.apple.com)—Instructor-led and self-paced

courses for honing your server administration skills.

Â Apple Certification Programs website (train.apple.com/certification/)—In-depth

certification programs designed to create a high level of competency among Macintosh service technicians, help desk personnel, technical coordinators, system administrators, and other professional users.

Â Apple Discussions website (discussions.info.apple.com)—Discussions forums for

sharing questions, knowledge, and advice with other administrators.

Â Apple Product Security Mailing Lists website (lists.apple.com/mailman/listinfo/security-

announce)—Mailing lists for communicating by email with other administrators about security notifications and announcements.

Â Open Source website (developer.apple.com/opensource/)—Access to Darwin open

source code, developer information, and FAQs.

Preface About This Guide 13

Page 14

Â Apple Product Security website (www.apple.com/support/security/)—Access to

security information and resources, including security updates and notifications.

For additional security-specific information, consult these resources: Â NSA security configuration guides (www.nsa.gov/snac/)—The National Security

Agency provides a wealth of information on securely configuring proprietary and open source software.

Â NIST Security Configuration Checklists Repository (checklists.nist.gov/repository/

category.html)—The National Institute of Standards and Technology repository for security configuration checklists.

Â DISA Security Technical Implementation Guide (www.disa.mil/gs/dsn/policies.html)—

The Defense Information Systems Agency guide for implementing secure government networks. A Department of Defense (DoD) PKI Certificate is required to access this information.

Â CIS Benchmark and Scoring Tool (www.cisecurity.org/bench_osx.html)—The Center for

Internet Security benchmark and scoring tool used to establish CIS benchmarks.

Acknowledgments

Apple would like to thank the National Security Agency for their assistance in creating and editing the security configuration guides for Mac OS X 10.4 ‘Tiger’ client and server.

14 Preface About This Guide

Page 15

1 Introducing Mac OS X Security

Architecture

Mac OS X delivers the highest level of security through the adoption of industry standards, open software development, and smart architectural decisions.

With Mac OS X, a security strategy is implemented that is central to the design of the operating system, ensuring that your Mac is safe and secure. This chapter describes the features in Mac OS X that can be used to enhance security on your computer.

Â Open source foundation. Using open source methodology makes Mac OS X a more

robust, secure operating system, because its core components have been subjected to peer review for decades. Problems can be quickly identified and fixed by Apple and the larger open source community.

Â Secure default settings. When you take your Mac out of the box, it is securely

configured to meet the needs of most common usage environments, so you don’t have to be a security expert to setup your computer. The default settings make it very difficult for malicious software to infect your computer. Security can be further configured on the computer to meet organizational or user requirements.

Â Modern security architecture. Mac OS X includes state-of-the-art, standards-based

technologies that enable Apple and third-party developers to build secure software for the Mac. These technologies support all aspects of system, data, and networking security required by today’s applications.

Â Innovative security applications. Mac OS X includes features that take the worry out

of using a computer. For example, FileVault protects your documents using strong encryption, an integrated VPN client gives you secure access to networks over the Internet, and a powerful firewall secures your home network.

Â Rapid response. Because the security of your computer is so important, Apple

responds rapidly to provide patches and updates. Apple works with worldwide partners, including the Computer Emergency Response Team (CERT), to notify users of any potential threats. Should vulnerabilities be discovered, the built-in Software Update tool automatically notifies users of security updates, which are available for easy retrieval and installation.

Page 16

Security Architectural Overview

Mac OS X security services are built on two open source standards: Berkeley Software Distribution (BSD) and Common Data Security Architecture (CDSA). BSD is a form of the UNIX operating system that provides fundamental services, including the Mac OS X file system, and file access permissions. CDSA provides a much wider array of security services, including finer-grained access permissions, authentication of users’ identities, encryption, and secure data storage. The default security settings on your Mac OS X computer are configured to be secure from local network and Internet attacks.

UNIX Infrastructure

The Mac OS X kernel—the heart of the operating system—is built from BSD and Mach. Among other things, BSD provides basic file system and networking services and implements a user and group identification scheme. BSD enforces access restrictions to files and system resources based on user and group IDs. Mach provides memory management, thread control, hardware abstraction, and interprocess communication. Mach enforces access by controlling which tasks can send a message to a given Mach port (a Mach port represents a task or some other resource). BSD security policies and Mach access permissions constitute an essential part of security in Mac OS X, and are both critical to enforcing local security.

Access Permissions

An important aspect of computer security is the granting or denying of access permissions (sometimes called access rights). A permission is the ability to perform a specific operation, such as gaining access to data or to execute code. Permissions are granted at the level of folders, subfolders, files, or applications. Permissions are also granted for specific data within files or application functions.

Permissions in Mac OS X are controlled at many levels, from the Mach and BSD components of the kernel through higher levels of the operating system, and—for networked applications—through the networking protocols.

Security Framework

Apple built the foundation of Mac OS X and many of its integrated services with open source software—such as FreeBSD, Apache, and Kerberos, among many others—that has been made secure through years of public scrutiny by developers and security experts around the world. Strong security is a benefit of open source software because anyone can freely inspect the source code, identify theoretical vulnerabilities, and take steps to strengthen the software. Apple actively participates with the open source community by routinely releasing updates of Mac OS X that are subject to independent developers’ ongoing review—and by incorporating improvements. An open source software development approach provides the transparency necessary to ensure that Mac OS X is truly secure.

16 Chapter 1 Introducing Mac OS X Security Architecture

Page 17

This open approach has clear advantages and a long, well-documented history of quickly identifying and correcting source code that could potentially contain exploitable vulnerabilities. Mac OS X users can comfortably rely on the ongoing public examination by large numbers of security experts, which is made possible by Apple’s open approach to software development. The result is an operating system that is inherently more secure.

Layered Security Defense

Mac OS X security is built on a layered defense for maximum protection. Security features provide solutions for securing data at all levels, from the operating system and applications to networks and the Internet.

Â Secure worldwide communication—Firewall and mail filtering help prevent

malicious software from compromising your computer.

Â Secure applications—Authentication using keychains and encryption using FileVault

helps prevent intruders from using your applications and viewing data on your computer.

Â Secure network protocols—Secure sockets layer helps prevent intruders from

viewing information exchange across a network and Kerberos secures the authentication process.

Â Operating system—POSIX and ACL permissions help prevent intruders from

accessing your files.

Â Hardware—The Open Firmware Password application helps prevent people who can

access your hardware from gaining root-level access permissions to your computer files.

Secure Worldwide Communication Internet

Secure Applications

Secure Network Protocols

Security Services

Secure Boot/”Lock Down”

Chapter 1 Introducing Mac OS X Security Architecture 17

Applications

Network

Operating System

Hardware

Page 18

Built-In Security Services

Mac OS X has several security services that are managed by the security server daemon. Security server implements several security protocols such as encryption, decryption, and authorization computation. The use of the security server to perform actions with cryptographic keys enables the security implementation to maintain the keys in a separate address space from the client application, keeping them more secure.

Keychain Services

A keychain is used to store passwords, keys, certificates, and other secrets. Due to the sensitive nature of this information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files.

The Mac OS X keychain services enable you to create keychains and provide secure storage of keychain items. Once a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes for one or more users. A user can unlock a keychain through authentication (by using a password, digital token, smart card, or biometric reader) and applications can then use that keychain to store and retrieve data, such as passwords.

Secure Transport Services

Secure Transport is used to implement Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols. These protocols provide secure communications over a TCP/IP connection such as the Internet by using encryption and certificate exchange.

Certificate, Key, and Trust Services

The certificate, key, and trust services include functions to:

Â Create, manage, and read certificates Â Add certificates to a keychain Â Create encryption keys Â Manage trust policies

These functions are carried out when the services call a variety of Common Security Service Manager (CSSM) functions. This is all transparent to users.

Authorization Services

Authorization services give applications control over access to specific operations within an application. For example, a directory application that can be started by any user can use authorization services to restrict access for modifying directory items to administrators. In contrast, BSD provides access permissions only to an entire file or application.

18 Chapter 1 Introducing Mac OS X Security Architecture

Page 19

Smart Card Services

A smart card can be a plastic card (similar in size to a credit card) or a USB dongle that has memory and a microprocessor embedded in it. The smart card is capable of both storing information and processing it. Smart cards can securely store passwords, certificates, and keys. A smart card normally requires a personal identification number (PIN) or biometric measurement (such as a fingerprint) as an additional security measure. Because it contains a microprocessor, a smart card can carry out its own authentication evaluation offline before releasing information. Smart cards can exchange information with a computer through a smart card reader.

Authorization versus Authentication

Authorization is the process by which an entity, such as a user or a computer, obtains the right to perform a restricted operation. Authorization can also refer to the right itself, as in “Anne has the authorization to run that program.” Authorization usually involves first authenticating the entity and then determining whether it has the appropriate permissions.

Authentication is the process of verifying the identity of a user or service. Authentication is normally done as a step in the authorization process. Some applications and operating system components carry out their own authentication. Authentication might use authorization services when necessary.

Chapter 1 Introducing Mac OS X Security Architecture 19

Page 20

20 Chapter 1 Introducing Mac OS X Security Architecture

Page 21

2 Installing Mac OS X

Though the default installation of Mac OS X is highly secure, it can be customized for your particular network security needs.

By securely configuring the different stages of the installation process and understanding Mac OS X permissions, you can make sure that your computer is hardened to match your security policy.

System Installation Overview

If Mac OS X was already installed on the computer, consider reinstalling it. By reinstalling Mac OS X, and reformatting the volume, you avoid potential vulnerabilities caused by previous installations or settings.

Because there might still be some recoverable data left on the computer, you should securely erase the partition that you’re installing Mac OS X on. For more information, see “Using Disk Utility to Securely Erase a Disk or Partition” on page 109.

If you decide against securely erasing the partition, securely erase free space after installing Mac OS X. For more information, see “Using Disk Utility to Securely Erase Free Space” on page 111.

Disabling the Open Firmware Password

Before installing Mac OS X, you should first disable the Open Firmware password.

If you already have Mac OS X version 10.4 installed, you can use the Open Firmware Password application to disable the Open Firmware password. For more information, see “Using the Open Firmware Password Application” on page 36.

Note: If you are using an Intel-based Macintosh computer, you cannot use the following method to disable the Open Firmware password. Use the Open Firmware Password application instead.

Page 22

To disable the Open Firmware password:

1 Restart the computer while holding down the Command, Option, O, and F keys.

2 Enter the Open Firmware password when prompted.

If you are not prompted to enter a password, the Open Firmware password is already disabled.

3 Enter the following commands:

reset-nvram

reset-all

Installing from CD or DVD

When you install Mac OS X version 10.4 from the original installation discs, you should do two things: erase the partition where you will install Mac OS X, and install only the packages that you plan on using.

Before installing Mac OS X, you should first securely erase the partition you want to install Mac OS X on. For more information, see “Using Disk Utility to Securely Erase a Disk or Partition” on page 109.

WARNING: To install Mac OS X, you must erase the contents of the partition you’re

installing on. Be sure to back up the files that you want to keep before continuing.

To install Mac OS X version 10.4 from the original installation discs:

1 Insert the first of the Mac OS X installation discs in the optical drive.

2 Restart the computer while holding down the C key.

The computer will start up using the disc in the optical drive.

3 Follow the installation steps until you reach the “Select a Destination” step.

4 Choose a partition to install Mac OS X on, and click Options. Select “Erase and Install.”

In “Format disk as,” choose “Mac OS Extended (Journaled).”

Mac OS Extended disk formatting provides extended file characteristics that enhance multiplatform interoperability.

5 Click OK and then click Continue.

6 In the “Easy Install on partition_name” step, click Customize. Deselect any packages that

you do not plan on using. Do not select the X11 package unless you have a use for it.

The X11 X Window system lets you run X11-based applications in Mac OS X. While this might be useful, it also makes it harder to maintain a secure configuration.

Removing additional unused packages not only frees up disk space, but reduces the risk of attackers leveraging potential vulnerabilities in unused components.

7 Click Install.

22 Chapter 2 Installing Mac OS X

Page 23

Installing from the Network

There are several ways to deploy images from the network. When choosing a method, make sure you can do it securely. When retrieving the image over a network, make sure that the network is isolated and can be trusted. For information about deploying images from a network, see the getting started guide. Verify the image to make sure that it is correct. For more information about verifying images, see “Verifying the Integrity of Software” on page 28.

Restoring from Preconfigured Disk Images

One of the most efficient ways to deploy secure computers is to configure a model computer first, using all of the security settings requested by your organization. Create a disk image of the computer after thoroughly testing the computer’s settings, making sure that the computer meets your organization’s standards. You can then deploy this image without having to manually configure individual settings on each computer.

You can use NetBoot or Apple Software Restore (ASR) to restore your computer from a network-based disk image. With NetBoot, you can restore an image directly from the network. With ASR, you can restore an image deployed by an ASR server, or you can save that image to disk. By saving the image to disk, you can verify its validity before using it. If you’re deploying multiple computers simultaneously, ASR can be much more efficient.

For information about how to use NetBoot, see the system imaging and software update administration guide. For information about how to use ASR, enter man asr in a Terminal window. For information about how to use Disk Utility to create disk images, see the system imaging and software update administration guide.

Initializing System Setup

After installing Mac OS X, the computer restarts and loads Setup Assistant.

Using Setup Assistant

Setup Assistant initially configures Mac OS X. You can use Setup Assistant to transfer information from other computers and send registration information to Apple. Setup Assistant configures the first account on the computer as an administrator account. Administrator accounts should only be used for administration. Users should use standard user accounts for day-to-day computer use.

Note: Apple protects information submitted by the Setup Assistant, but you should avoid entering any information considered sensitive by your organization.

To use Setup Assistant without providing confidential information:

1 Proceed to the Do You Already Own a Mac step. Select “Do not transfer my

information,” and click Continue.

Chapter 2 Installing Mac OS X 23

Page 24

2 Proceed to the Your Internet Connection step. Click Different Network Setup.

Select “My computer does not connect to the Internet,” and click Continue.

Even if you can configure the computer to access your network, you should disable network access until your network services settings are secure and validated. For more information, see Chapter 7, “Securing Network Services,” on page 113.

If you don’t disable your network connection, an additional step, Enter Your Apple ID, appears. Don’t enter any values in the provided fields. The administrator account should only be used for administration, so there’s no need for an Apple ID.

3 In Registration Information, press Command-Q. Click “Skip to bypass the remaining

registration and setup process.”

When you bypass the remaining registration and setup process, you can’t go back to change any settings. Before bypassing, you might want to go back through the steps to remove any sensitive information. Once you enter information in the Your Internet Connection step, you cannot go back to that step to change your network settings. You can then only change network settings after completing installation.

If you enter registration information, an additional step, Register With Apple, will be added later in the installation process. Select Register Later, but don’t register with Apple.

Creating Initial System Accounts

After completing the initial steps of Setup Assistant, you’re presented with the Create Your Account step. In this step, you create a system administrator account. You should make sure that this account is as secure as possible.

Note: The system administrator account should be used only for performing administrative tasks. You should also create additional accounts for nonadministrative use. For more information, see “Types of User Accounts” on page 41.

To set up a secure system administrator account:

1 In the Name and Short Name fields, enter names that are not easily guessed.

Avoid easily guessed names and short names like “administrator” and “admin.” You can use either the long name or the short name when you’re authenticating. The short name is often used by UNIX commands and services.

2 In the Password and Verify fields, enter a complex password that is at least twelve

characters long and composed of mixed-cased characters, numbers, and special characters (such as ! or @).

Mac OS X supports only passwords that contain standard ASCII characters.

For more information, see “Creating Complex Passwords” on page 149.

24 Chapter 2 Installing Mac OS X

Page 25

3 In the Password Hint field, do not enter any information related to your password.

If a hint is provided, the user is presented with the hint after three failed authentication attempts. Any password-related information provided in the field could compromise the integrity of the password. Adding contact information for your organization’s technical support line would be convenient and doesn’t compromise password integrity.

4 Click Continue.

Setting Correct Time Settings

After creating the system administrator account, you’ll configure the computer’s time settings. You must configure the computer’s time settings correctly because several authentication protocols, such as Kerberos, require valid time settings to work properly. Also, security auditing tools rely on valid time settings.

Mac OS X can set the time automatically by retrieving date and time information from a Network Time Protocol (NTP) server. You should still set valid time settings in case you decide to disable this feature, or incase you don’t have access to a secure internal NTP server.

For more information about using a secure NTP server, see “Securing Date & Time Preferences” on page 72.

Updating System Software

After installing Mac OS X, be sure to install the latest approved security updates. Mac OS X includes Software Update, an application that downloads and installs software updates either from Apple’s Software Update server or from an internal software update server. You can configure Software Update so that it checks for updates either periodically or whenever you choose. You can also configure Software Update to download, but not install, updates, in case you want to install them later.

Before installing updates, check with your organization for their policy on downloading updates. They might prefer that you use an internal software update server, which reduces the amount of external network traffic and lets the organization prequalify software updates against organization configurations before updating individual systems.

Chapter 2 Installing Mac OS X 25

Page 26

System updates should be installed immediately after the operating system installation. Software updates are obtained and installed in several ways:

Â Using Software Update to download and install updates from an internal software

update server

Â Using Software Update to download and install updates from Internet-based

software update servers

Â Manually downloading and installing updates as separate software packages

Important: All security updates published by Apple contain fixes for security issues,

and are usually released in response to a specific known security problem. Applying these updates is essential.

If Software Update does not install an update that you request, contact your network administrator. Failure to update indicates that the requested update might be a malicious file.

Important: If you have not secured and validated your settings for network services

you should not enable your network connection to install software updates. For information, see Chapter 7, “Securing Network Services,” on page 113. Until you have securely configured your network services settings, you will be limited to using the manual method of installing software updates.

For more information, see “Securing Software Update Preferences” on page 90.

Updating from an Internal Software Update Server

Your computer automatically looks for software updates on an internal software update server. By using an internal software update server, you reduce the amount of data transferred outside of the network. Your organization can control which updates can be installed on your computer.

If you run Software Update on a wireless network or untrusted network, you run a chance of downloading malicious updates from a rogue software update server. Software Update, however, will not install a package that has not been digitally signed by Apple.

If you connect your computer to a network that manages its client computers, the network can require that the computer use a specified software update server. Or, you can enter the following command in a Terminal window to specify your software update server:

defaults write com.apple.SoftwareUpdate CatalogURL http://

swupdate.apple.com

Replace

swupdate.apple.com

address of your software update server.

:8088/index.sucatalog

with the fully qualified domain name (FQDN) or IP

26 Chapter 2 Installing Mac OS X

Page 27

Updating from Internet-Based Software Update Servers

Before connecting to the Internet, make sure your network services are securely configured. For information, see Chapter 7, “Securing Network Services,” on page 113.

Instead of using your operational computer to check for and install updates, consider using a test-bed computer to download updates and verify file integrity before installing updates. You can then transfer the update packages to your operational computer. For instructions on installing the updates, see “Updating Manually from Installer Packages” on page 27.

You can also download software updates for all of Apple’s products at www.apple.com/support/downloads/.

To download and install software updates using Software Update:

1 Choose Apple () > Software Update.

After Software Update looks for updates to your installed software, it displays a list of all updates. To get older versions of updates, go to the software update website at www.apple.com/support/downloads/.

2 Select the updates you want to install, and choose Update > Install and Keep Package.

When you keep the package, it is stored in the /Library/Packages/ folder. If you do not want to install any of the updates, click Quit.

3 Accept the licensing agreements to start installation.

Some updates might require your computer to restart. If, after installing updates, Software Update asks you if you want to restart the computer, do so.

Important: Make sure updates are installed when the computer can be restarted

without affecting the users accessing the server.

Updating Manually from Installer Packages

Software updates can be manually downloaded for all of Apple’s products from www.apple.com/support/downloads/ using a computer designated specifically for downloading and verifying updates. The download should be done separately so that file integrity can be verified before the updates are installed.

It is possible to review the contents of each security update before installing it. To see the contents of a security update, go to Apple’s Security Support Page at www.apple.com/support/security/ and click the “Security Updates page” link.

To manually download, verify and install software updates:

1 Go to www.apple.com/support/downloads/ and download the necessary software

updates on a computer designated for verifying software updates.

Note: Updates provided through Software Update might sometimes appear earlier than the standalone updates.

Chapter 2 Installing Mac OS X 27

Page 28

2 Review the SHA-1 digest (also known as a checksum) for each update file downloaded,

which should be posted online with the update package.

3 Check all downloaded updates for viruses.

4 Verify the integrity of each update.

For more information, see“Verifying the Integrity of Software” on page 28.

5 Transfer the update packages from your test computer to your current computer. The

default download location for update packages is /Library/Packages/. You can transfer update packages to any location on your computer.

6 Double-click the package. If the package is located within a disk image (dmg) file,

double-click the dmg file, and then double-click the package.

7 Proceed through the installation steps.

8 Restart the computer, if requested.

Install the appropriate system update and then install any subsequent security updates. These updates should be installed in order by release date, oldest to newest.

Verifying the Integrity of Software

Software images and updates can include a SHA-1 digest, which is also known as a checksum. You can use this SHA-1 digest to verify the integrity of the software. Software updates retrieved and installed automatically from Software Update verify the checksum before installation.

To verify software integrity:

1 Open Terminal.

2 Use the sha1 command to display a files a file’s SHA-1 digest.

$ /usr/bin/openssl sha1

The

full_path_filename

is the full path filename of the update package or image for

which the SHA-1 digest is being checked.

If provided, the SHA-1 digest for each software update or image should match the digest created for that file. If it does not, the file was corrupted in some way and a new copy should be obtained.

Repairing Disk Permissions

Before you modify or repair disk permissions, you should understand Portable Operating System Interface (POSIX) and Access Control List (ACL) permissions. POSIX permissions are standard for UNIX operating systems. ACL permissions are used by Mac OS X, and are compatible with Windows Server 2003 and Windows XP.

28 Chapter 2 Installing Mac OS X

full_path_filename

Page 29

Kinds of Permissions

Before you modify or repair disk permissions, you should understand the two kinds of file and folder permissions that Mac OS X Server supports:

Â Portable Operating System Interface (POSIX) permissions—standard for UNIX

operating systems.

Â Access Control Lists (ACLs) permissions—used by Mac OS X, and compatible with

Microsoft Windows Server 2003 and Microsoft Windows XP.

Note: In this guide, the term “privileges” refers to the combination of ownership and permissions, while the term “permissions” refers only to the permission settings that each user category can have (Read & Write, Read Only, Write Only, and None).

POSIX Permissions Overview

POSIX permissions let you control access to files and folders. Every file or folder has read, write, and execute permission defined for three different categories of users (Owner, Group, and Everyone). There are four types of standard POSIX permissions that you can assign: Read&Write, Read Only, Write Only, None.

For more information, see “Setting POSIX Permissions” on page 97.

ACL Permissions Overview

Access Control List provides an extended set of permissions for a file or folder and enables you to set multiple users and groups as owners. An ACL is a list of access control entries (ACEs), each specifying the permissions to be granted or denied to a group or user, and how these permissions are propagated throughout a folder hierarchy. In addition, ACLs are compatible with Windows Server 2003 and Windows XP, giving you added flexibility in a multiplatform environment.

ACLs provide more granularity when assigning privileges than POSIX permissions. For example, rather than giving a user full write permission, you can restrict him or her to the creation of only folders and not files.

If a file or folder has no ACEs defined for it, Mac OS X applies the standard POSIX permissions. If a file or folder has one or more ACE defined for it, Mac OS X starts with the first ACE in the ACL and works its way down the list until the requested permission is satisfied or denied. After evaluating the ACEs, Mac OS X evaluates the standard POSIX permissions defined for the file or folder. Then, based on the evaluation of ACL and standard POSIX permissions, Mac OS X determines what type of access a user has to a shared file or folder.

For more information, see “Setting ACL Permissions” on page 101.

Chapter 2 Installing Mac OS X 29

Page 30

Using Disk Utility to Repair Disk Permissions

Installing software sometimes causes file permissions to become incorrectly set. Incorrect file permissions can create security vulnerabilities. Disk Utility repairs only POSIX permissions or the minimal ACL permissions.

Most software you install in Mac OS X is installed from package (.pkg) files. Each time something is installed from a package file, a “Bill of Materials”(.bom) file is stored in the packages receipt file. Each Bill of Materials file contains a list of the files installed by that package, along with the proper permissions for each file.

When you use Disk Utility to verify or repair disk permissions, it reads the Bill of Materials files from the initial Mac OS X installation and compares its list to the actual permissions on each file listed. If the permissions differ, Disk Utility can repair them.

You should repair disk permissions, if you experience symptoms that indicate permission related problems after installing software, software updates, or applications.

Note: If you’ve modified permissions for files, in accordance with organizational policies, be aware that repairing disk permissions can reset those modified permissions to those stated in the “Bill of Materials” files. After repairing permissions, you should re-apply the file permission modifications to stay within your organizational policies.

To repair disk permissions:

1 Open Disk Utility.

2 Select the partition that you want to repair.

Be careful to select a partition, not a drive. Partitions are contained within drives and are indented one level in the list on the left.

3 Click Repair Disk Permissions.

If you do not select a partition, this button is disabled.

4 Choose Disk Utility > Quit Disk Utility.

5 Choose Installer > Quit Installer, and click Restart.

30 Chapter 2 Installing Mac OS X

Page 31

3 Protecting Hardware and

Securing Global System Settings

After installing and setting up Mac OS X, make sure you protect your hardware and secure global system settings.

This chapter discusses common practices for protecting hardware and demonstrates how to remove Mac OS 9 and secure both Open Firmware and Mac OS X startup. This chapter also discuss how using log files help to monitor system activity.

Protecting Hardware

The first level of security is protection from unwanted physical access. If someone can physically access a computer, it becomes much easier to compromise the computer’s security. When someone has physical access to the computer, they can install malicious software or various event-tracking and data-capturing services.

Use as many layers of physical protection as possible. Restrict access to rooms that contain computers that store or access sensitive information. Provide room access only to those who must use those computers. If possible, lock the computer in a locked or secure container when it is not in use, or bolt or fasten it to a wall or piece of furniture.

The hard drive is the most critical hardware component in your computer. Take special care to prevent access to the hard drive. If someone removes your hard drive and installs it in another computer, they can bypass any safeguards you set up. Lock or secure the computer’s internal hardware. If you can’t guarantee the physical security of the hard drive, consider using FileVault for each home folder (FileVault encrypts home folder content and prevents the content from being compromised). For more information, see “Encrypting Home Folders” on page 104.

If you have a portable computer, keep it secure. Lock up the computer or hide the computer when it is not in use. When transporting the computer, never leave it in an insecure location. Consider buying a computer bag with a locking mechanism and lock the computer in the bag when you aren’t using it.

Page 32

Disabling Hardware

Hardware components such as wireless features and microphones should be physically disabled if possible. Only an Apple Certified Technician should physically disable these components, which may not be practical in all circumstances. The following instructions provide an alternative means of disabling these components by removing the associated kernel extensions. Removing the kernel extensions does not permanently disable the components; however, administrative access is needed to restore and reload them. Although disabling hardware in this manner is not as secure as physically disabling hardware, it is more secure than only disabling hardware through the System Preferences. This method of disabling hardware components may not be sufficient to meet site security policy. Consult operational policy to determine if this method is adequate.

The following instructions will remove AirPort, Bluetooth, the microphone, and support for an external iSight camera. This will not remove the support for the internal iSight cameras currently shipping on some Macintosh systems. There is currently no way to disable this camera in software without disabling all USB drivers, which will also disable the keyboard, mouse, etc.

Important: Repeat these instructions every time a system update is installed.

To remove kernel extensions for certain hardware:

1 Open the /System/Library/Extensions folder.

2 To remove AirPort support, drag the following files to the Trash:

AppleAirPort.kext

AppleAirPort2.kext

AppleAirPortFW.kext

3 To remove support for Bluetooth, drag the following files to the Trash:

IOBluetoothFamily.kext

IOBluetoothHIDDriver.kext

4 To remove support for audio components such as the microphone, drag the following

files to the Trash:

AppleOnboardAudio.kext

AppleUSBAudio.kext

AudioDeviceTreeUpdater.kext

IOAudioFamily.kext

VirtualAudioDriver.kext

5 To remove support for the iSight camera, drag the following file to the Trash:

Apple_iSight.kext

32 Chapter 3 Protecting Hardware and Securing Global System Settings

Page 33

6 (Optional) To remove support for mass storage devices (e.g. USB flash drives, external

USB hard drives, external FireWire Hard Drives), drag the following files to the Trash:

IOUSBMassStorageClass.kext

IOFireWireSerialBusProtocolTransport.kext

7 Open the /System/Library folder.

8 Drag the following files to the Trash:

Extensions.kextcache

Extensions.mkext

9 Choose Finder > Secure Empty Trash to delete the file.

10 Restart the system.

Removing Mac OS 9

When you upgrade from previous versions of Mac OS X to Mac OS X version 10.4, an adaptation of Mac OS 9, known as Classic, remains on the computer. If you perform a new installation of Mac OS X version 10.4 without upgrading, Mac OS 9 is not installed on the computer. It is possible to install Mac OS 9 on computers with a new installation of Mac OS X version 10.4.

Mac OS 9 lacks many of the security features included with Mac OS X, so you should remove it unless you need it. If you must use Mac OS 9, you can run it from a CD or DVD, or from a disc image.

Using the Command Line to Remove Mac OS 9

To remove Mac OS 9, use the command line. You must log in as an administrator who can use the sudo command to remove files. For more information, see “Securing the System Administrator Account” on page 46.

WARNING: Incorrectly entering any of the commands described in this task can erase

critical data. Pay particular attention to correctly entering single quotes. Misplacing these single quotes can result in the removal of Mac OS X or applications.

To remove Mac OS 9 and Mac OS 9 applications and files:

1 Log in to Mac OS X as an administrator who can use sudo to remove files.

By default, all users who are administrators can use the sudo command to remove files. If you modify /etc/sudoers, you can choose which users can use about how to modify the /etc/sudoers file, enter

man sudoers in a Terminal window.

2 Open Terminal.

3 Enter the following command to remove the Classic icon from System Preferences:

$ sudo srm –rf '/System/Library/PreferencePanes/Classic.prefPane'

sudo. For information

Chapter 3 Protecting Hardware and Securing Global System Settings 33

Page 34

4 Enter the following commands to remove Classic folders and files:

$ sudo srm –rf '/System/Library/Classic/'

$ sudo srm –rf '/System/Library/CoreServices/Classic Startup.app'

% sudo srm –rf '/System/Library/UserTemplate/English.lproj/Desktop/Desktop

(Mac OS 9)'

5 Enter the following commands to remove Mac OS 9 folders and files:

$ sudo srm –rf '/System Folder'

$ sudo srm –rf '/Mac OS 9 Files/'

6 Enter the following command to remove Mac OS 9 applications:

sudo srm –rf '/Applications (Mac OS 9)'

7 Restart the computer.

Running Mac OS 9 from a CD or DVD

Classic is an environment for running Mac OS 9 applications. If you must run Mac OS 9, you can use Classic to run it from a CD or DVD. By running Mac OS 9 from a CD or DVD, you enforce read-only access.

Note: Intel-based Macintosh computers do not support the Classic environment or Mac OS 9.

To run Mac OS 9 from a CD or DVD:

1 Install Mac OS 9 and the software that requires Mac OS 9 on a test-bed computer.

2 Burn the Mac OS 9 System Folder from the test-bed computer onto a blank CD or DVD.

The System Folder is located at the root level of a partition. It might be named something besides “System Folder.” System folders are denoted by a folder icon with a 9 superimposed on them.

3 Eject the CD or DVD from the test-bed computer and insert it into your operational

computer.

4 Open Classic preferences on your operational computer.

5 Select the System Folder located on the CD or DVD in the “Select a system folder for

Classic” list.

6 Click Start.

Running Mac OS 9 from a Disc Image

Classic is an environment for running Mac OS 9 applications. If you must run Mac OS 9, you can use Classic to run it from a disc image. By running Mac OS 9 from a disc image, you enforce read-only access.

Note: Intel-based Macintosh computers do not support the Classic environment or Mac OS 9.

34 Chapter 3 Protecting Hardware and Securing Global System Settings

Page 35

To run Mac OS 9 from a disc image:

1 Install Mac OS 9 and the software that requires Mac OS 9 on a test-bed computer.

2 On the test-bed computer, create a folder and name it Mac OS 9.

3 Copy the Mac OS 9 System Folder into the Mac OS 9 folder your created in the

previous step.

4 On the test-bed computer, open Disk Utility.

5 Choose File > New > Disk Image from Folder.

6 Select the Mac OS 9 folder (created in step 2) and click Image.

7 In Image Format, choose read-only.

8 In Encryption, choose none.

9 Click Save.

10 Copy the Mac OS 9 disc image to your operational computer.

11 Double-click the Mac OS 9 disc image to mount it.

12 Open Classic preferences on your operational computer.

13 Select the System Folder located on the mounted disc image in the “Select a system

folder for Classic” list.

14 Click Start.

Securing System Startup

When a computer starts up, it first starts either Open Firmware or Extensible Firmware Interface (EFI). EFI is similar to Open Firmware, but it runs on Intel-based Macintosh computers. Open Firmware or EFI determines which partition or disk to load Mac OS X from. They also allow (or prevent) the user to enter single-user mode.

Single-user mode automatically logs in the user as “root.” This is dangerous because root user access is the most powerful level of access, and actions performed as root are anonymous.

If you create an Open Firmware or EFI password, you disable single-user mode. The password also stops users from loading unapproved partitions or disks, and from enabling target disk mode at startup.

After creating an Open Firmware or EFI password, you must enter this password when you start the computer from an alternate disk (for situations such as hard drive failure or file system repair).

Chapter 3 Protecting Hardware and Securing Global System Settings 35

Page 36

To secure startup, perform one of the following tasks:

Â Use the Open Firmware Password application to set the Open Firmware password Â Set the Open Firmware password within Open Firmware Â Verify and set the security mode from the command line

WARNING: Open Firmware settings are critical. Take great care when modifying these

settings and when creating a secure Open Firmware password.

Open Firmware password protection can be bypassed if the user changes the physical memory configuration of the machine and then resets the PRAM three times (by holding down Command, Option, P, and R keys during system startup). An Open Firmware password will provide some protection, however, it can be reset if a user has physical access to the machine and can change the physical memory configuration of the machine.

You can require a password to start single-user mode, which would further secure your computer.

For more information about Open Firmware password protection, see AppleCare Knowledge Base article #106482, “Setting up Open Firmware Password protection in Mac OS X 10.1 or later” (www.apple.com/support/), and AppleCare Knowledge Base article #107666, “Open Firmware: Password Not Recognized when it Contains the Letter ‘U’” (www.apple.com/support/).

Using the Open Firmware Password Application

The Mac OS X installation disc includes Open Firmware Password application, an application that allows you to enable an Open Firmware or EFI password.

To use the Open Firmware Password application:

1 Log in with an administrator account and open Open Firmware Password application

(located on the Mac OS X installation disc in /Applications/Utilities/).

2 Click Change.

3 Select “Require password to change Open Firmware settings.”

To disable the Open Firmware or EFI password, deselect “Require password to change Open Firmware settings.” You won’t have to enter a password and verify it. Disabling the Open Firmware password is only recommended for when you install Mac OS X.

4 Enter a new Open Firmware or EFI password in the Password and Verify fields. Click OK.

This password can be up to eight characters.

Do not use the capital letter “U” in an Open Firmware password.

36 Chapter 3 Protecting Hardware and Securing Global System Settings

Page 37

5 Close the Open Firmware Password application.

You can test your settings by attempting to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window loads, changes made by the Open Firmware Password application completed successfully.

Configuring Open Firmware Settings

You can securely configure Open Firmware settings within Open Firmware.

Note: If you are using an Intel-based Macintosh computer, you cannot use the following method to change the Open Firmware password. Use the Open Firmware Password application instead.

To configure Open Firmware settings within Open Firmware:

1 Restart the computer while holding down the Command, Option, O, and F keys.

This loads Open Firmware.

2 At the prompt, change the password:

> password

3 Enter a new password and verify it when prompted.

This password can be up to eight characters.

Do not use the capital letter “U” in an Open Firmware password.

4 Enable command mode:

> setenv security-mode command

In command mode, the computer will only start up from the partition selected in the Startup Disk pane of System Preferences.

You could also enable full mode. Full mode is more restrictive than command mode. After enabling full mode, all Open Firmware commands will require that you enter your Open Firmware password. This includes the boot command, and thus Mac OS X will not start up unless you enter boot and authenticate with the Open Firmware password. To enable full mode, enter:

> setenv security-mode full

5 Restart the computer and enable Open Firmware settings with the following

command:

> reset-all

The login window should appear after restarting.

Chapter 3 Protecting Hardware and Securing Global System Settings 37

Page 38

You can test your settings by attempting to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window appears, your Open Firmware settings are set correctly.

WARNING: Modifying critical system files can cause unexpected issues. Your modified

files may also be overwritten during software updates. Make these modifications on a test computer first, and thoroughly test your changes every time you change your system configuration.

Using Command-Line Tools to Secure Startup

Open Firmware can also be configured throughout the command line by using the

nvram tool. However, only the security-mode environment variable can be securely set.

security-password variable should not be set from the nvram tool, or it will be

The visible when viewing the environment variable list. To set the password for Open Firmware, start the computer in Open Firmware and set the password. See the “Configuring Open Firmware Settings” on page 37 for more information. The requires system administrator or root access to set environment variables.

Note: If you are using an Intel-based Macintosh computer, you cannot use the following method to change secure startup. Use the Open Firmware Password application instead.

nvram tool

To use nvram to secure startup from the command line:

1 Set the security mode by entering the following command.

# nvram security-mode=”command”

If you want to set the security mode to full:

# nvram security-mode=”full”

2 Verify that the variable has been set. The following command displays a list of all the

environment variables excluding the security-password variable.

# nvram -p

Requiring a Password for Single-User Mode

Additional protection can be provided in case the Open Firmware (PowerPC-based systems) or EFI (Intel-based systems) password is bypassed. By requiring entry of the root password during a single-user mode boot, the system can prevent automatic root login if the OF/EFI password is compromised.

To require entry of the root password during a single-user mode boot, the console and ttys must be marked as insecure in /etc/ttys. In fact, the system will require entry of a special root password, stored in /etc/master.passwd. If this remains unset as recommended, then it will be impossible for a user to enter the root password and complete the single-user boot, even if the Open Firmware password protection was bypassed.

38 Chapter 3 Protecting Hardware and Securing Global System Settings

Page 39

To require entry of the root password for single-user mode:

1 Log in as an administrator.

2 Start the Terminal application, located in /Applications/Utilities.

3 At the prompt, enter the command:

$ cd /etc

4 To create a backup copy of /etc/ttys, enter the command:

$ sudo mv ttys ttys.old

5 To edit the ttys file as root, enter the command:

$ sudo pico ttys

6 Replace all occurrences of the word “secure” with the word “insecure” in the

configuration lines of the file. Any line that does not begin with a “#” is a configuration line.

7 Exit, saving changes.

Configuring Access Warnings

You can use a login window warning or Terminal access warning to provide notice of a computer’s ownership, to warn against unauthorized access, or to remind authorized users of their consent to monitoring.

Enabling Access Warnings for the Login Window

Before enabling an access warning, check your organization’s policy for what to use as your access warning.

When a user tries to access the computer’s login window (either locally or through Apple Remote Desktop), the user will see the access warning you create.

Chapter 3 Protecting Hardware and Securing Global System Settings 39

Page 40

To create a login window access warning:

1 Open Terminal.

2 Change your login window access warning:

$ sudo defaults write /Library/Preferences/com.apple.loginwindow

LoginwindowText “

Replace

Warning Text

with your access warning text.

”

Your logged-in account must be able to use sudo to perform a defaults write.

3 Log out to test your changes.

Your access warning text appears below the Mac OS X subtitle.

Enabling Access Warnings for the Command Line

Before enabling an access warning, check your organization’s policy for what to use as your access warning.

When a user opens Terminal locally or connects to the computer remotely, the user sees the access warning you create.

To create a command-line access warning:

1 Open Terminal.

2 Open the file /etc/motd in a text editor:

$ sudo pico /etc/motd

You must be able to use sudo to open pico. For information about how to use pico, enter man pico in a Terminal window.

3 Replace any existing text with your access warning text.

4 Save your changes and exit the text editor.

5 Open a new Terminal window to test your changes.

Your access warning text appears above the prompt in the new Terminal window.

40 Chapter 3 Protecting Hardware and Securing Global System Settings

Page 41

4 Securing Accounts

Securely configuring user accounts requires determining how the accounts will be used and setting the level of access for users.

When you define a local user’s account, you specify the information needed to prove the user’s identity: user name, authentication method (such as a password, digital token, smart card, or biometric reader), and user identification number (user ID). Other information in a user’s account is needed by various services—to determine what the user is authorized to do and to personalize the user’s environment.

Types of User Accounts

When you log in to Mac OS X, you can use either a nonadministrator account or an administrator account. The main difference between the two types of accounts is that Mac OS X provides safety mechanisms to prevent nonadministratior users from editing key preferences, or from performing certain actions that are critical to computer security. Administrator users are not as limited as nonadministrator users.

The nonadministrator and administrator accounts can be further defined by specifying additional user privileges or restrictions.

User Account User Access

Standard nonadministrator Nonprivileged user access

Managed nonadministrator Restricted user access

Administrator Administer the computer configuration

System administrator (root) Unrestricted access to the entire computer

Page 42

Unless administrator access is required, you should always log in as a nonadministrator user. You should log out of the administrator account when you are not using the computer as an administrator. If you are logged in as an administrator, you are granted some privileges and abilities that you might not need. For example, you can modify some system preferences without being required to authenticate. This automatic authentication bypasses a security safeguard that prevents malicious or accidental modification of system preferences.

Guidelines for Creating Accounts

When you create user accounts, follow these guidelines: Â Never create accounts that are shared by several users. Each user should have his or

her own standard or managed account.

Individual accounts are necessary to maintain accountability. System logs can track activities to each user account, but if several users share the same account, it becomes much more difficult to track which user performed a certain activity. Similarly, if several administrators share a single administrator account, it becomes much harder to track which administrator performed a specific action.

If someone compromises a shared account, it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by one of the users sharing the account.

Â Each user needing administrator access should have an individual administrator

account in addition to a standard or managed account. Administrator users should only use their administrator accounts for administrator purposes.

By requiring an administrator to have a personal account for typical use and an administrator account for administrator purposes, you reduce the risk of an administrator inadvertently performing actions like accidentally reconfiguring secure system preferences.

Defining User IDs

A user ID is a number that uniquely identifies a user. Mac OS X computers use the user ID to keep track of a user’s folder and file ownership. When a user creates a folder or file, the user ID is stored as the creator ID. A user with that user ID has read and write permissions to the folder or file by default.

The user ID is a unique string of digits between 500 and 2,147,483,648. New users created using the Accounts pane of System Preferences are assigned user IDs starting at 501. It is risky to assign the same user ID to different users, because two users with the same user ID have identical directory and file permissions.

42 Chapter 4 Securing Accounts

Page 43

The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system use; user accounts with these user IDs should not be deleted and should not be modified except to change the password of the root user. If you do not want the user to appear in the login window of computers with Mac OS X version 10.4 or later installed, assign a user ID of less than 500.

In general, once a user ID has been assigned and the user starts creating files and folders, you shouldn’t change the user ID. One possible scenario in which you might need to change a user ID is when merging users created on different servers onto one new server or cluster of servers. The same user ID might have been associated with a different user on the previous server.

Securing Nonadministrator Accounts

There are two types of nonadministrator accounts: standard and managed. Standard users don’t have administrator privileges, and don’t have any parental controls limiting their actions. Managed users also don’t have administrator privileges, but they have active parental controls. Parental controls help deter unsophisticated users from performing any malicious activities. They can also help prevent users from accidentally misusing their computer.

Note: If your computer is connected to a network, a managed user can also be a user whose preferences and account information is managed through the network.

When creating nonadministrator accounts, you should restrict the accounts so that they can only use what is operationally required. For example, if you plan to store all data on your local computer, you can disable the ability to burn DVDs.

Chapter 4 Securing Accounts 43

Page 44

To secure a managed account:

1 Open Accounts preferences.

2 Click the lock to authenticate. Enter an administrator’s name and password and click

OK.

You can also authenticate through the use of a digital token, smart card, or biometric reader.

3 Select an account labeled “Standard” or “Managed.”

You cannot set parental controls on administrator users. When selecting a user with the “Managed” label, make sure you do not select an account with preferences managed through the network.

4 Click Parental Controls.

5 Select Finder & System, and click Configure.

6 Click Some Limits.

You can also enable Simple Finder, which restricts an account to using only applications listed in the Dock. With Simple Finder enabled, users cannot create or delete files. Simple Finder also prevents users from being able to change their own passwords. Enabling Simple Finder is not recommended, unless your computer is used in a kiosk-like environment.

7 Select “Open all System Preferences” and “Change password.”

To enable “Change password,” you must enable “Open all System Preferences.” By allowing the user to open all System Preferences, you also allow the user to change settings for things like screen saver activation. These settings can impact security. However, the inability of a user to change his or her own password is also a security risk.

8 Deselect “Burn CDs and DVDs.”

9 Deselect “Administer printers.”

10 Deselect “Allow supporting programs.”

If you allow supporting programs, applications can load “helper” applications. If these helper applications are insecure, they can expose your computer to other security risks. These helper applications are loaded by an application, not by you, so you might not be aware of them running.

11 Select “This user can only use these applications.”

12 Deselect applications and utilities that are not approved for use.

44 Chapter 4 Securing Accounts

Page 45

When you install third-party applications, they may be added to this list. You should disable all third-party applications unless the user has a specific need to use the application, and can do so in a secure manner. Third-party applications might give a standard user some administrator abilities, which can be a security issue. Additionally, if you’re connecting to an organization’s network, you should install only third-party applications that are specifically approved by the organization.

13 Deselect “Applications (Mac OS 9)” and “Others.”

14 Click OK.

Securing Administrator Accounts

A user account with administrator privileges can perform all standard user-level tasks, and key administrator-level tasks, such as:

Â Create user accounts Â Change the FileVault master password Â Enable or disable sharing Â Enable, disable, or change firewall settings Â Change other protected areas within System Preferences Â Install system software

In addition to restricting the distribution of administrator accounts, you should also limit the use of administrator accounts. Each administrator should have two accounts: a standard account for daily use, and an administrator account for when administrator access is needed.

Select to allow administrator privileges

Chapter 4 Securing Accounts 45

Page 46

Securing the System Administrator Account

The most powerful user account in Mac OS X is the system administrator, or root, account. By default the root account on Mac OS X is disabled and it is recommended you do not enable it. The root account is primarily used for performing UNIX commands. Generally, any actions that involve critical system files require that you perform those actions as root. Even if you are logged in as a Mac OS X administrator, you still have to perform these commands as root, or by using the sudo command. Mac OS X logs all actions performed using the sudo command. This helps you track any misuse of the sudo command on a computer.

You can use the su command to log in to the command line as another user. By entering su root, you can log in as the root user (if the root account is enabled). You can use the You should restrict access to the root account.

If multiple users can log in as root, it is impossible to track which user performed root actions. Direct root login should not be allowed, because the logs cannot identify which administrator logged in. Instead, accounts with administrator privileges should be used for login, and then the For instructions about how to restrict root user access in NetInfo Manager, open Mac Help and search for “NetInfo Manager.”

sudo command to perform commands that require root privileges.

sudo command used to perform actions as root.

By default, sudo is enabled for all administrator users. From the command line, you can disable root login or restrict the use of sudo command.

The computer uses a file named /etc/sudoers to determine which users have the authority to use sudo. You can modify root user access by changing the /etc/sudoers file to restrict sudo access to only certain accounts, and allow those accounts to perform only specifically allowed commands. This granularity gives you fine control over what users can do as root. For information about how to modify the /etc/sudoers file, see the sudoers man page.

The list of administrators allowed to use sudo should be limited to only those administrators who require the ability to run commands as root.

46 Chapter 4 Securing Accounts

Page 47

To restrict sudo usage, change the /etc/sudoers file:

1 Edit the /etc/sudoers file using the visudo tool, which allows for safe editing of the file.

The command must be run as root:

$ sudo visudo

2 Enter the administrator password when prompted.

Note: There is a timeout value associated with sudo. This value indicates the number of minutes until sudo prompts for a password again. The default value is 5, which means that after issuing the sudo command and entering the correct password, additional

sudo commands can be entered for 5 minutes without reentering the password. This

value is set in the /etc/sudoers file. See the sudo and sudoers man pages for more information.

3 In the Defaults specification section of the file, add the following line:

Defaults timestamp_timeout=0

This limits the use of the sudo command to a single command per authentication.

4 Restrict which administrators are allowed to run sudo by removing the line that begins

with %admin, and adding the following entry for each user, substituting the user’s short name for the word user:

user ALL=(ALL) ALL

Doing this means that any time a new administrator is added to the computer that administrator must be added to the /etc/sudoers file as described above, if that administrator requires the ability to use sudo.

5 Save and quit visudo.

For more information, enter man vi or man visudo in a Terminal window.

Understanding Directory Domains

User accounts are stored in a directory domain. Your preferences and account attributes are set according to the information stored in the directory domain.

Local accounts are hosted in a local directory domain. When you log in to a local account, you authenticate with that local directory domain. Users with local accounts typically have local home folders. When a user saves files in a local home folder, the files are stored locally. To save a file over the network, the user has to connect to the network and upload the file.

Network-based accounts are hosted in a network-based directory domain. When you log in to a network-based account, you authenticate with the network-based directory domain. Users with network accounts typically have network home folders. When they save files in their network home folders, the files are stored on the server.

Chapter 4 Securing Accounts 47

Page 48

Mobile accounts cache authentication information and managed preferences. A user’s authentication information is maintained on the directory server, but cached on the local computer. With cached authentication information, a user can log in using the same user name and password (or a digital token, smart card, or biometric reader), even if he or she is not connected to the network.

Users with mobile accounts have both local and network home folders, which combine to form portable home directories. When users save files, the files are stored in a local home folder. The portable home directory is a synchronized subset of a user’s local and network home folders.

Understanding Network Services, Authentication, and Contacts

You can use Directory Access to configure your computer to use a network-based directory domain. Directory search services that are not used should be disabled in the Services pane of Directory Access.

Each kind of directory service and service discovery protocol can be enabled or disabled in Directory Access. Mac OS X doesn’t access disabled directory services, except for the local NetInfo directory domain, which is always accessed. Mac OS X also doesn’t try to discover network services using disabled service discovery protocols. However, disabling a service discovery protocol doesn’t prevent Mac OS X from getting or providing network services. For example, if Bonjour is disabled, Mac OS X doesn’t use it to discover file services, but you can still share your files and connect to file servers whose addresses you know.

48 Chapter 4 Securing Accounts

Page 49

In addition to enabling and disabling services, you can use Directory Access to choose the directory domains that you want to authenticate with. Directory Access defines the authentication search policy that Mac OS X uses to locate and retrieve user authentication information and other administrative data from directory domains. The login window, Finder, and other parts of Mac OS X use this authentication information and administrative data. File service, mail service, and other services provided by Mac OS X Server also use this information.

Directory Access also defines the contacts search policy that Mac OS X uses to locate and retrieve name, address, and other contact information from directory domains. Address Book can use this contact information, and other applications can be programmed to use it as well.

The authentication and contacts search policy consists of a list of directory domains (also known as directory nodes). The order of directory domains in the list defines the search policy. Starting at the top of the list, Mac OS X searches each listed directory domain in turn until it either finds the information it needs or reaches the end of the list without finding the information.

For more information about using Directory Access, see the Open Directory administration guide.

Configuring LDAPv3 Access

Mac OS X version 10.4 primarily uses Open Directory as its network-based directory domain. Open Directory uses LDAPv3 as its connection protocol. LDAPv3 includes several security features that you should enable if your server supports them. Enabling every LDAPv3 security feature maximizes your LDAPv3 security. Check with your network administrator to make sure your settings match your network’s required settings.

When configuring LDAPv3, you should not add DHCP-supplied LDAP servers to automatic search policies. Otherwise, a malicious individual can create a rogue DHCP server and a rogue LDAP directory and then control your computer as the root user.

For information about changing the security policy for an LDAP connection, or about protecting computers from malicious DHCP servers, see the Open Directory administration guide.

Chapter 4 Securing Accounts 49

Page 50

Configuring Active Directory Access

Connecting to an Active Directory server is not as secure as connecting to an Open Directory server that has all of its security settings enabled. For example, you cannot receive directory services from an Active Directory server that enables digitally signing or encrypting all packets.

Mac OS X supports mutual authentication with Active Directory servers. Kerberos is a ticket-based system that enables mutual authentication. The server must identify itself by providing a ticket to your computer. This prevents your computer from connecting to rogue servers. Mutual authentication automatically occurs when you bind to Active Directory servers.

If you’re connecting to an Active Directory server with Highly Secure (HISEC) templates enabled, you can use third-party tools to further secure your Active Directory connection.

When you configure Active Directory access, the settings you choose are generally dictated by the Active Directory server’s settings. Check with your network administrator to make sure your settings match your network’s required settings. However, the “Allow administration by” setting can cause security issues because it allows any member of those groups to have administrator privileges on your computer. Additionally, you should only connect to trusted networks.

For more information about using Directory Access to connect to Active Directory servers, see the Open Directory administration guide.

Using Strong Authentication

Authentication is the process of verifying the identity of a local or network user. Mac OS X supports local and network-based authentication to ensure that only users with valid authentication credentials can access the computer’s data, applications, and network services.

Passwords can be required to log in, to wake the computer from sleep or from a screen saver, to install applications, or to change system settings. Mac OS X also supports emerging authentication methods, such as smart cards, digital tokens, and biometric readers.

Strong authentication is created by using combinations of the following three authentication dimensions:

Â What the user knows, such as a password or PIN number Â What the user has, such as SecurID card, smart card, or drivers license Â what the user is, such as a fingerprint, retina, or DNA

50 Chapter 4 Securing Accounts

Page 51

Using a combination of the three dimension above makes authentication more reliable and user identification more certain.

Using Password Assistant

Mac OS X includes Password Assistant, an application that analyzes the complexity of a password or generates a complex password for you. You can specify the length and type of password you’d like to generate. For example, you can create a randomly generated password, or a FIPS-181 compliant password.

You can open Password Assistant from certain applications. For example, when you create a new account or change passwords in Accounts preferences, you can use Password Assistant to help you create a secure password.

Click to open Password Assistant

For more information, see “Creating Complex Passwords” on page 149.

Chapter 4 Securing Accounts 51

Page 52

Using Smart Cards

A smart card is a plastic card (similar in size to a credit card) or USB dongle that has memory and a microprocessor embedded in it. The smart card is capable of storing and processing information such as passwords, certificates, and keys. The microprocessor inside the smart card can do authentication evaluation offline before releasing information. Before the smart card will process information, you must authenticate with the smart card by either a personal identification number (PIN) or biometric measurement (such as a fingerprint), which provides an additional layer of security.

For more information, see the Smart Card Setup Guide located on the web at www.apple.com/itpro/federal/.

Using Tokens

A digital token is used to identify a user for commerce, communication, or access control. This token can be generated by either software or hardware. Some of the most common tokens are the RSA SecurID and the CRYPTOCard KT-1. These are hardware devices that automatically generate tokens to identify the user. The generated tokens are specific to that user, so two users with different RSA SecurIDs or different CRYPTOCard KT-1s will have different tokens.

You can use tokens for two-factor authentication. Two-factor refers to authenticating both through something you have (a One-Time-Password token) and something you know (a fixed password). The use of tokens increases the strength of the authentication process.

Tokens are frequently used for VPN authentication. For information, see “Securing VPN” on page 115.

Using Biometrics

Mac OS X supports emerging biometrics-based authentication technologies, such as thumbprint readers. Password-protected websites and applications can now be accessed without having to remember a long list of passwords. Some biometric devices allow you to authenticate simply by placing your finger on a pad. Unlike a password, your fingerprint can never be forgotten or stolen. Fingerprint identification provides personal authentication and network access. The use of biometrics adds an additional factor to authentication by use of something you are (fingerprint).

52 Chapter 4 Securing Accounts

Page 53

Setting Global Password Policies

You can use the pwpolicy command-line tool to configure a password policy that can apply globally or to individual users. Global password policies are not implemented in Mac OS X; instead, password policies are set for each individual user account. You can set specific rules governing the size and complexity of acceptable passwords. For example, you can specify requirements for the following:

Â Minimum and maximum character length Â Alphabetic and numeric character inclusion Â Maximum number of failed logins before account lockout

To require that an authenticator’s password be a minimum of twelve characters and have no more than three failed login attempts, enter the following in a Terminal window, where authenticator is the authenticator’s name.

$ pwpolicy -a

maxFailedLoginAttempts=3”

For more advanced password policies, use Password Server in Mac OS X Server. You can use it to set global password policies that specify requirements for the following:

Â Password expiration duration Â Special character inclusion Â Mixed-case character inclusion Â Password reuse limits

authenticator

-setpolicy "minChars=12

You should use pwpolicy to set a password policy that meets your organization’s password standards. For more information about how to use pwpolicy, enter man

pwpolicy

in a Terminal window.

Storing Credentials

Mac OS X includes Keychain Access, an application that manages collections of passwords and certificates into a single credential store called a keychain. Each keychain can hold a collection of credentials and protect them with a single password. Keychains store encrypted passwords, certificates, and any other private values (called secure notes). These values are accessible only by unlocking the keychain using the keychain password and only by applications that have been approved and added to the access control application list.

You can create multiple keychains, each of which appears in a keychain list in Keychain Access. Each keychain can store multiple values; each value is called a key item. You can create a new key item in any user-created keychain. When an application must store an item in a keychain, it stores it in the one designated as your default. The default keychain is the keychain named “login,” but you can change that to any user-created keychain. The default keychain is denoted by the name being displayed in bold.

Chapter 4 Securing Accounts 53

Page 54

Each item on the keychain has an ACL that can be populated with applications that have authority to use that keychain item. A further restriction can be added that forces an application with access to confirm the keychain password.

The main issue with having to remember many passwords is that you’re likely to either make all the passwords identical or keep a written list of all passwords. By using keychains, you can greatly reduce the number of passwords that you have to remember. Since you no longer have to remember passwords for a multitude of accounts, the passwords chosen can be very complex and could even be randomly generated.

Keychains provide some additional protection for passwords, passphrases, certificates, and other credentials stored on the computer. In some cases, such as using a certificate to sign an email message, the certificate must be stored in a keychain. If a credential must be stored on the computer, it should be stored and managed using Keychain Access. Check your organization’s policy on keychain use.

Using the Default User Keychain

When a user’s account is first created, a single, default keychain named “login” is created for that user. The password for the login keychain is initially set to the user’s login password and is automatically unlocked when the user logs in. It remains unlocked unless the user locks it, or until the user logs out.

The settings for the login keychain should be changed, so that the user will be required to unlock the login keychain when he or she logs in, or after waking the computer from sleep.

To secure the login keychain:

1 Open Keychain Access.

2 If you do not see a list of keychains, click Show Keychains.

3 Select the login keychain.

4 Choose Edit > Change Password for Keychain “login.”

5 Enter the current password, and create and verify a new password for the login

keychain.

After you create a login keychain password that is different from the normal login password, your keychain will not be automatically unlocked at login.

You can use Password Assistant to help you create a more secure password. For information, see “Using Password Assistant” on page 51.

6 Choose Edit > Change Settings for Keychain “login.”

7 Select “Lock when sleeping.”

8 Deselect “Synchronize this keychain using .Mac.”

54 Chapter 4 Securing Accounts

Page 55

9 Secure each individual login keychain item.

For information, see “Securing Keychain Items” on page 55.

Securing Keychain Items

Keychains can store multiple encrypted items. You can configure some of these individual items so that only certain applications are permitted access. Access Control cannot be set for certificates.

To secure individual keychain items:

1 In Keychain Access, select a keychain, and then select an item.

2 Click the Information (i) button.

3 Click Access Control. Authenticate if you are requested to do so.

4 Select “Confirm before allowing access.”

After you enable this option, Mac OS X prompts you before giving a security credential to an application.

If you selected “Allow all applications to access this item” you allows any application to access the security credential whenever the keychain is unlocked. When accessing the security credential, there is no user prompt, so enabling this is a security risk.

5 Select “Ask for Keychain password.”

After selecting this, you have to provide the keychain password before applications can access security credentials. Enabling this is particularly important for critical items, such as your personal identity (your public key certificates and the corresponding private key), that are needed when signing or decrypting information. These items can also be placed in their own keychains.

6 Remove all nontrusted applications that are listed in “Always allow access by these

applications,” by selecting each application and clicking the Remove (–) button.

Any application listed here will be prompted to enter the keychain password to access the security credentials.

Chapter 4 Securing Accounts 55

Page 56

Creating Additional Keychains

When a user account is created, it contains only the initial default keychain, login. A user can create additional keychains, each of which can have different settings and purposes.

For example, a user might want to group all his or her credentials for mail accounts into one keychain. Since mail programs query the server frequently to check for new mail, it would not be practical to expect the user to reauthenticate every time such a check is being performed. The user could create a keychain and configure its settings, such that he or she would be required to enter the keychain password at login and whenever the computer is awakened from sleep. He or she could then move all items containing credentials for mail applications into that keychain and set each item so that only the mail application associated with that particular credential can automatically access it. This would force all other applications to authenticate to access that credential.

Configuring a keychain’s settings for use by mail applications might be unacceptable for other applications. If a user has an infrequently used web-based account, it would be more appropriately stored in a keychain configured to require reauthentication for every access by any application.

You can also create multiple keychains to accommodate varying degrees of sensitivity. By separating your keychains based on sensitivity, you prevent the exposure of your more sensitive credentials to less sensitive applications with credentials on the same keychain.

To create a keychain and customize its authentication settings:

1 In Keychain Access, choose File > New Keychain.

2 Enter a name and select a new location for the keychain. Click Create.

3 Enter a password and verify it. Click OK.

4 If you do not see a list of Keychains, click Show Keychains.

5 Select the new keychain.

6 Choose Edit > Change Settings for keychain “keychain_name.” Authenticate, if

requested.

7 Change the “Lock after # minutes of inactivity” setting based on the access frequency

of the security credentials included in the keychain.

If the security credentials are accessed frequently, do not select “Lock after # minutes of inactivity.”

If the security credentials are accessed somewhat frequently, select “Lock after # minutes of inactivity” and select an appropriate value, such as 15. If you use a password-protected screensaver, consider setting this value to the idle time required for your screensaver to start.

56 Chapter 4 Securing Accounts

Page 57

If the security credentials are accessed infrequently, select “Lock after # minutes of inactivity,” and select an appropriate value, such as 1.

8 Select “Lock when sleeping.”

9 Drag the desired security credentials from other keychains to the new keychain.

Authenticate, if requested.

You should have keychains that only contain related certificates. For example, you could have a mail keychain that only contains mail items.

10 If you are asked to confirm access to the keychain, enter the keychain password and

click Allow Once.

After confirming access, Keychain Access moves the security credential to the new keychain.

11 Secure each individual item in the security credentials for your keychain.

For information, see “Securing Keychain Items” on page 55.

Using Portable and Network-Based Keychains

If you’re using a portable computer, consider storing all your keychains on a portable drive, such as a USB flash memory drive. The portable drive can be removed from the portable computer and stored separately when the keychains are not in use. Anyone attempting to access data on the portable computer will need the portable computer, the portable drive, and the password for the keychain stored on the portable drive. This provides an extra layer of protection if the laptop is stolen or misplaced.

To use a portable drive to store keychains, you’ll have to move all your keychain files to the portable drive, and configure Keychain Access to use the keychains on the portable drive. The default location for your keychain is ~/Library/Keychains/. However, it is possible to store keychains in other locations.

You can further protect portable keychains by storing them on biometric USB flash memory drives, or by storing your portable drive contents in an encrypted file. For information, see “Encrypting Portable Files” on page 105.

Check with your organization to see if they allow you to use portable drives to store keychains.

To set up a keychain for use from a portable drive:

1 Open Keychain Access.

2 If you do not see a list of keychains, click Show Keychains.

3 Choose Edit > Keychain List.

4 Note the location of the keychain that you want to set up. The default location is

/System/Library/Keychains/. Click Cancel.

5 Select the keychain that you want set up.

Chapter 4 Securing Accounts 57

Page 58

6 Choose File > Delete Keychain “keychain_name.”

7 Click Delete References.

8 Copy the keychain files from the previously noted location to the portable drive.

9 Move the keychain to the Trash and use Secure Empty Trash to securely erase the

keychain file stored on the computer.

For information, see “Using Secure Empty Trash” on page 110.

10 Open Finder, and double-click the keychain file located on your portable drive to add it

to your keychain.

58 Chapter 4 Securing Accounts

Page 59

5 Securing System Preferences

Securing Mac OS X system software enables further protection against attacks.

System Preferences has many different configurable preferences within it that can be used to further enhance system security. Some of these configurations might be things to consider, depending on your organization.

System Preferences Overview

Mac OS X includes many system preferences that you can customize to improve security. When modifying settings for one account, make sure your settings are mirrored on all other accounts, unless there is an explicit need for different settings.

You can view system preferences by choosing Apple > System Preferences. In the System Preferences window, click any of the individual preferences to view them.

Page 60

Some of the more critical preferences require that you authenticate before you can modify their settings. To authenticate, you click a lock and enter an administrator’s name and password (or use a digital token, smart card, or biometric reader). If you log in as a user with administrator privileges, these preferences are unlocked unless you select “Require password to unlock each secure system preference” in Security preferences. For more information, see “Securing Security Preferences” on page 85. If you log in as a standard user, these preferences remain locked. After unlocking preferences, you can lock them again by clicking the lock.

Preferences that require authentication include the following:

Â Accounts Â Date & Time Â Energy Saver Â Network Â Print & Fax Â Security Â Sharing Â Startup Disk

This chapter lists each set of preferences included with Mac OS X and describes modifications recommended to improve security.

60 Chapter 5 Securing System Preferences

Page 61

Securing .Mac Preferences

.Mac is a suite of Internet tools designed to help you synchronize your data and other important information for when you’re away from the computer. You should not use .Mac if you must store critical data only on your local computer. You should only transfer data over a secure network connection to a secure internal server.

If you must use .Mac, enable it only for user accounts that don’t have access to critical data. Do not enable .Mac for your administrator or root user accounts.

You should not enable any options in the Sync pane of .Mac preferences.

You should not enable iDisk Syncing. If you must use a Public Folder, enable password protection.

Chapter 5 Securing System Preferences 61

Page 62

You should not register any computers for synchronization in the Advanced pane of .Mac preferences.

To securely configure .Mac preferences:

1 Open .Mac preferences.

2 Deselect “Synchronize with .Mac.”

3 Don’t enable iDisk Syncing in the iDisk pane.

4 Don’t register your computer for synchronization in the Advanced pane.

62 Chapter 5 Securing System Preferences

Page 63

Securing Accounts Preferences

You can use Accounts preferences to perform two major security-related tasks: change or reset account passwords, and modify login options.

You should immediately change the password of the first account that was created on your computer. If you are an administrator, you can change other user account passwords by selecting the account and clicking Change Password.

Chapter 5 Securing System Preferences 63

Page 64

The password change and reset dialogs provide access to Password Assistant, an application that can analyze the strength of your chosen password and assist you in creating a more secure password. For information, see “Using Password Assistant” on page 51.

You should modify login options so that you provide as little information as possible to the user. You should require that the user know which account they want to log in with, and the password for that account. You shouldn’t automatically log the user in, you should require that the user enter both a name and password, and that the user authenticate without the use of a password hint. Don’t enable fast user switching—it is a security risk because it allows multiple users to be simultaneously logged in to the computer.

64 Chapter 5 Securing System Preferences

Page 65

You should also modify login options to disable the Restart, Sleep, and Shut Down buttons. By disabling these buttons, the user cannot restart the computer without pressing the power key or logging in.

To securely configure Accounts preferences:

1 Open Accounts preferences.

2 Select an account and click the Password pane. Then, change the password by clicking

the Change Password button.

A menu will display asking you to input the old password, new password, verification of the new password, and a password hint. Do not enter a password hint, then click the Change Password button.

3 Click Login Options and select only “Display login window as: Name and password.”

Deselect all other options.

Chapter 5 Securing System Preferences 65

Page 66

Securing Appearance Preferences

Recent items refer to applications, documents, and servers that you’ve recently used. You can access recent items by choosing Apple > Recent Items.

You should consider changing the number of recent items displayed in the Apple menu to none. If intruders gain access to your computer, they can use recent items to quickly view your most recently accessed files. Additionally, intruders can use recent items to access any authentication mechanism for servers if the corresponding keychains are unlocked. Removing recent items provides a minimal increase in security, but it can deter very unsophisticated intruders.

To securely configure Appearance preferences:

1 Open Appearance preferences.

2 Set all of the “Number of Recent Items” preferences to none.

66 Chapter 5 Securing System Preferences

Page 67

Securing Bluetooth Preferences

Bluetooth allows wireless devices, such as keyboards, mice, and mobile phones, to communicate with the computer. If the computer has Bluetooth capability, Bluetooth preferences become available. If you don’t see Bluetooth preferences, you cannot use Bluetooth.

Note: Some high security areas do not allow radio frequency (RF) communication. You should consult your organizational requirements for possible further disablement of the component.

When you disable Bluetooth in System Preferences, you must disable Bluetooth for every user account on the computer. This does not prevent users from reenabling Bluetooth. It is possible to restrict a user account’s privileges so that the user cannot reenable Bluetooth, but to do this, you also remove several important user abilities, like the user’s ability to change his or her own password. For more information, see “Types of User Accounts” on page 41.

To securely configure Bluetooth preferences:

1 Open Bluetooth preferences.

2 Set Bluetooth Power to Off.

Chapter 5 Securing System Preferences 67

Page 68

Securing CDs & DVDs Preferences

The computer should not perform automatic actions when the user inserts CDs or DVDs. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer. This does not prevent users from reenabling automatic actions. To prevent the user from reenabling automatic actions, you must restrict the user’s account, so that the user cannot open System Preferences. For more information on restricting accounts, see “Securing Nonadministrator Accounts” on page 43.

To securely configure CDs & DVDs preferences:

1 Open CDs & DVDs preferences.

2 Choose Ignore for each pop-up menu to disable automatic actions when inserting

media.

68 Chapter 5 Securing System Preferences

Page 69

Securing Classic Preferences

Mac OS X includes an adaptation of Mac OS 9, known as Classic. Mac OS 9 should be removed from the computer. If you remove Mac OS 9 and do not plan on using it, you do not need to configure Classic preferences. For instructions on how to remove Mac OS 9, see “Removing Mac OS 9” on page 33.

If you are going to use Mac OS 9 from a CD, DVD, or disk image, you must configure Classic preferences. Although Mac OS 9 has security issues that you cannot prevent, you can minimize Mac OS 9 security risks. For instruction, see “Running Mac OS 9 from a Disc Image” on page 34.

In the Start/Stop pane of Classic preferences, do not set Classic to start when you log in, and do not set Classic to hide while starting. Mac OS X should also warn before starting Classic, and show Classic status in the menu bar. By changing these settings, you increase awareness when running Classic.

Chapter 5 Securing System Preferences 69

Page 70

Turn off extensions in the Advanced pane of Classic preferences. Although Classic is not allowed to interact directly with hardware, you might have several extensions that are related to hardware and are therefore unnecessary.

You can also use the Memory/Versions pane of Classic preferences to view the applications running in Mac OS 9. By choosing to show background applications, you become more aware of any malicious applications running in Mac OS 9.

70 Chapter 5 Securing System Preferences

Page 71

To securely configure Classic preferences:

1 Open Classic preferences.

2 In the Start/Stop pane, deselect “Start Classic when you login” and “Hide Classic while

starting.”

3 Select “Warn before starting Classic.”

4 Click the Advanced pane, and select “Turn Off Extensions.”

Securing Dashboard and Exposé Preferences

Your computer should require authentication when waking from sleep or screen saver. You can configure Dashboard & Exposé preferences to allow you to quickly start the screen saver if you move your mouse cursor to a corner of the screen. You should not configure any corner to disable the screen saver.

For information about requiring authentication for the screen saver, see “Securing Security Preferences” on page 85.

The Dashboard widgets included with Mac OS X can be trusted. However, you should be careful when you install third-party Dashboard widgets. You can install Dashboard widgets without having to authenticate. If you want to prevent Dashboard, from running, set the keyboard and mouse shortcuts to “–.”

When you configure Dashboard and Exposé preferences, you must configure these preferences for every user account on the computer. This does not prevent users from reconfiguring their preferences. It is possible to restrict a user account’s privileges so that the user cannot reconfigure preferences. To do this, you will also remove several important user abilities, like the user’s ability to change his or her own password. For more information, see “Types of User Accounts” on page 41.

Chapter 5 Securing System Preferences 71

Page 72

If your organization does not want to use Dashboard because of its potential security risk, you can disable it.

To disable Dashboard from command line:

1 Open Terminal.

2 Enter the command:

$ defaults write com.apple.dashboard mcx-disabled -boolean YES

This prevents Dashboard from opening.

3 Quit Terminal.

Securing Date & Time Preferences

Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. Date & Time preferences can automatically set the date and time based on a Network Time Protocol (NTP) server. If you require automatic date and time, use a trusted, internal NTP server.

72 Chapter 5 Securing System Preferences

Page 73

To securely configure Date & Time preferences:

1 Open Date & Time preferences.

2 In the Date & Time pane, enter a secure and trusted NTP server in the “Set date & time

automatically” field. Click the Time Zone pane.

3 In the Time Zone pane, choose a time zone.

Chapter 5 Securing System Preferences 73

Page 74

Securing Desktop & Screen Saver Preferences

You can configure a password-protected screen saver to help prevent accessing of unattended computers by unauthorized users. Different authentication methods can be used to unlock the screen saver, which include digital tokens, smart cards, or biometric readers. You should set a short inactivity interval to decrease the amount of time the unattended computer spends unlocked. For information about requiring authentication for screen savers, see “Securing Security Preferences” on page 85.

74 Chapter 5 Securing System Preferences

Page 75

You can configure Desktop & Screen Saver preferences to allow you to quickly enable or disable screen savers if you move your mouse cursor to a corner of the screen. You should not configure any corner to disable screen savers. You can also do this by configuring Dashboard & Exposé preferences.

When you configure Desktop & Screen Saver preferences, you must configure these preferences for every user account on the computer. This doesn’t prevent users from reconfiguring their preferences. It is possible to restrict a user account’s privileges so that the user cannot reconfigure preferences. Doing this removes several important user abilities, like the user’s ability to change his or her own password. For more information, see “Types of User Accounts” on page 41.

To securely configure Desktop & Screen Saver preferences:

1 Open Desktop & Screen Saver preferences.

2 Click the Screen Saver pane.

3 Set “Start screen saver” to a short inactivity time.

4 Click Hot Corners.

5 Set a corner to Start Screen Saver for quick enabling of the screen saver.

Don’t set any screen corner to Disable Screen Saver.

Chapter 5 Securing System Preferences 75

Page 76

Securing Displays Preferences

If you have multiple displays attached to your computer, be aware that enabling display mirroring might inadvertently expose private data to others. Having this additional display provides extra opportunity for others to see private data.

Securing Dock Preferences

You can configure the Dock to be hidden when not in use, which can prevent others from seeing what applications you have available on your computer when they pass by.

To securely configure Dock preferences:

1 Open Dock preferences.

2 Select “Automatically hide and show the Dock.”

76 Chapter 5 Securing System Preferences

Page 77

Securing Energy Saver Preferences

You can configure the period of inactivity required before a computer, display, or hard disk enters sleep mode, and require authentication by use of a password, digital token, smart card, or biometric reader when a user tries to use the computer. This is similar to using a password-protected screen saver. Mac OS X also allows you to set up different settings, depending on your power supply (power adapter or battery). For information about how to set up password protection for sleep mode, see “Securing Security Preferences” on page 85.

If the computer will be receiving directory services from a network that manages its client computers, be aware that when the computer is in sleep mode, it is unmanaged. It also cannot be detected as being connected to the network. If you want to allow management and network visibility, you can configure the display and the hard disk to sleep, but not the computer.

Chapter 5 Securing System Preferences 77

Page 78

You should configure the computer so that it only wakes from sleep mode when you try to physically access the computer. Also, the computer should not be set to restart after a power failure.

To securely configure Energy Saver preferences:

1 Open Energy Saver preferences.

2 Click the Sleep pane.

3 Set “Put the computer to sleep when it is inactive for:” to Never.

4 Select “Put the hard drive disk(s) to sleep when possible.” Click the “Options” pane.

5 Click the Options pane, and deselect both “Wake from Ethernet network administrator

access” and “Restart automatically after a power failure.”

Securing International Preferences

No security-related configuration is necessary. However, if your computer uses more than one language, check the security risk of the language character set. It is recommended that you deselect any unused packages during the installation of Mac OS X.

78 Chapter 5 Securing System Preferences

Page 79

Securing Keyboard & Mouse Preferences

It is recommended that Bluetooth be turned off if not required. If Bluetooth is necessary it is good practice to disable allowing Bluetooth devices to awake the computer.

To securely configure Keyboard & Mouse preferences:

1 Open Keyboard & Mouse preferences.

2 Click Bluetooth.

3 Deselect “Allow Bluetooth devices to wake this computer.”

Chapter 5 Securing System Preferences 79

Page 80

Securing Network Preferences

You should disable any unused hardware devices listed in Network preferences. Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.

Some organizations use IPv6, a new version of the Internet protocol (IP). The primary advantage of IPv6 is that it increases the address size from 32 bits (the current IPv4 standard) to 128 bits. An address size of 128 bits is large enough to support a huge number of addresses, even with the inefficiency of address assignment. This allows more addresses or nodes than are otherwise available. IPv6 also provides more ways to set up the address and simplifies autoconfiguration.

80 Chapter 5 Securing System Preferences

Page 81

By default, IPv6 is configured automatically, and the default settings are sufficient for the vast majority of computers that use IPv6. If your organization’s network is not capable of using or require IPv6, you should turn it off. You can also configure IPv6 manually.

To securely configure Network preferences:

1 Open Network preferences.

2 In the Show pop-up menu, choose your network device.

3 Click Configure IPv6.

4 In the Configure IPv6 pop-up menu, choose Off.

5 Click OK.

6 In the Show pop-up menu, choose Network Port Configurations.

7 Deselect any unused devices to disable them.

Chapter 5 Securing System Preferences 81

Page 82

Securing Print & Fax Preferences

You should only use printers that are in a secure location. If you print confidential material in an insecure location, your confidential data sent to the printer might be viewable by unauthorized users. You should also be careful not to print to a shared printer, since that allows another computer to capture the complete print job directly. The remote computer could be maliciously monitoring and capturing confidential data being sent to the real printer.

You should not receive faxes on your computer. By enabling faxes, you provide an additional avenue for possible attack.

82 Chapter 5 Securing System Preferences

Page 83

You should not use your computer to share a printer, or to send faxes. If you share a printer, unauthorized users can add items to your print queue without having to authenticate. If you enable these functions, you provide a mechanism for intruders to access your computer.

To securely configure Print & Fax preferences:

1 Open Print & Fax preferences.

2 In the Faxing pane, deselect “Receive faxes on this computer.”

3 In the Sharing pane, deselect “Share these printers with other computers.”

Chapter 5 Securing System Preferences 83

Page 84

Securing QuickTime Preferences

You should only download QuickTime movies from trusted, secure sources. By default, QuickTime stores downloaded movies in a cache. If someone gained access to your account, they would be able to see your previously viewed movies, even if you did not explicitly save them as files. You can change QuickTime preferences to disable the storing of movies in a cache.

You should not install third-party QuickTime software unless you specifically require that software.

84 Chapter 5 Securing System Preferences

Page 85

To securely configure QuickTime preferences:

1 Open QuickTime preferences.

2 In the Browser pane, deselect the “Save movies in disk cache.”

Securing Security Preferences

The settings in Security preferences cover a wide range of Mac OS X security issues.

Mac OS X includes FileVault, which encrypts the information in your home folder. FileVault uses the latest government-approved encryption standard, the Advanced Encryption Standard with 128-bit keys (AES-128). For more information about FileVault, see “Encrypting Home Folders” on page 104.

You should require a password to wake the computer from sleep or screen saver. This helps prevent unauthorized access to unattended computers. Although there is a lock button for Security preferences, individual users don’t need to be authorized as an administrator to change this setting. You should enable this setting for every user account on the computer.

The settings listed under “For all accounts on this computer” require you to unlock Security preferences. You should disable automatic login, require a password to unlock Security preferences, disable automatic logout because of inactivity, and use secure virtual memory.

Disabling automatic login is necessary for any level of security. If you enable automatic login, an intruder can automatically log in without having to authenticate. Even if you automatically log in with a very restricted user account, this makes it much easier to perform malicious actions on the computer.

Some system preferences are automatically unlocked when you log in with an administrator account. By requiring a password, digital token, smart card or biometric reader, to unlock secure system preferences, you require extra authentication. This helps prevent accidental modification of system preferences.

Although you might want to enable automatic logout based on inactivity, there are several reasons why you should disable this feature. First, automatic logout can disrupt your workflow. Second, automatic logout can close applications or processes without your approval (whereas a password-protected screensaver will not close applications). Third, applications can prevent successful automatic logout. For example, if you edit a file in a text editor, the text editor might ask you if you want to save the file before you can log out. Since automatic logout can be interrupted, it provides a false sense of security.

Chapter 5 Securing System Preferences 85

Page 86

Virtual memory decreases the need for large amounts of physical memory. A swap file is used to store inactive physical memory contents, freeing up your physical memory. By default, the swap file is in an unencrypted, insecure format. This swap file can contain highly confidential data, such as documents and passwords. By using secure virtual memory, you secure the swap file at a cost of slower speed (to access the secure swap file, Mac OS X must encrypt or decrypt the secure swap file).

If your are not using the remote control, it is recommended that you disable the infrared receiver. This eliminate unauthorized users from controlling your computer through the infrared receiver.

To securely configure Security preferences:

1 Open Security preferences.

2 Select “Require password to wake this computer from sleep or screen saver.”

3 Select “Disable automatic login.”

4 Select “Require password to unlock each secure system preference.”

5 Deselect “Log out after # minutes of inactivity.”

6 Select “Use secure virtual memory.”

7 Select “Disable remote control infrared receiver.”

8 Click “Turn On FileVault.”

9 Authenticate with your account password.

86 Chapter 5 Securing System Preferences

Page 87

10 Select “Use secure erase.”

11 Click “Turn On FileVault.”

12 Restart the computer.

Securing Sharing Preferences

By default, every service listed in Sharing preferences is disabled. You should not enable any of these services unless you are required to use them. The following services are described in greater detail in “Securing Network Services” on page 127.

Service Description

Personal File Sharing Gives users of other computers access to each user’s Public folder.

Windows Sharing Allows users to access shared files and printer using the SMB/CIFS

protocol. You should disable this service. There are several wellknown risks associated with SMB/CIFS.

Personal Web Sharing Allows any user on the network to view web sites located in /Sites.

If you are enabling this service, you should securely configure the Apache web server.

Remote Login Allows users to access the computer remotely by using SSH. If you

require the ability to perform remote login, SSH is more secure than telnet, which is disabled by default.

FTP Access Allows users on other computers to access the computer through

the File Transfer Protocol (FTP). FTP transmits passwords insecurely, in clear text. Instead, if you enabled Remote Login, you can use

scp or sftp to transfer files.

Apple Remote Desktop Allows the computer to be accessed using Apple Remote Desktop.

Remote Apple Events Allows the computer to receive Apple events from other

computers.

Printer Sharing Allows other computers to access a printer connected to this

computer.

Xgrid Allows computers on a network to work together in a grid to

process a job.

Chapter 5 Securing System Preferences 87

Page 88

You can change your computer’s name in Sharing preferences. By default your computer’s host name is typically firstname-lastname-computer, where firstname and

lastname is the system administrator’s first name and last name, respectively, and computer is either the type of computer or simply “Computer.” When other users use

Bonjour to discover your available services, your computer is displayed as hostname.local. To increase your privacy, you should change your computer’s host name so that you are not identified as the owner of your computer.

88 Chapter 5 Securing System Preferences

Page 89

You can use the Firewall pane of Sharing preferences to enable a firewall that can block both TCP and UDP ports for any of the services listed. This firewall is very powerful and includes logging and stealth mode features.

You can use the Internet pane of Sharing preferences to disable Internet Sharing.

For more information about these services and the firewall and sharing capabilities of Mac OS X, see Chapter 7, “Securing Network Services.”

Chapter 5 Securing System Preferences 89

Page 90

To securely configure Sharing preferences:

1 Open Sharing preferences.

2 Change the default Computer Name to a name that does not identify you as the owner.

3 Click the Firewall pane, and select a service you want to allowed through the firewall.

4 Click the Internet pane, and disable Internet Sharing.

Securing Software Update Preferences

Your Software Update preferences configuration primarily depends on your organization’s policy. For example, if your operational computer is connected to a managed network, the management settings determine what software update server to use.

Instead of using Software Update, you can also manually update your computer by using installer packages. You could install and verify updates on a test-bed computer before installing them on your operational computer. For more information about how to manually update your computer, see “Updating Manually from Installer Packages” on page 27.

After transferring installer packages to your computer, you should verify the authenticity of the installer packages. For more information, see “Repairing Disk Permissions” on page 28.

When you try to install a software update, either by using Software Update or by using an installer package, you are required to authenticate with an administrator’s name and password. This reduces the chance of accidental or malicious installation of software updates. Software Update will not install a software package that has not been digitally signed by Apple.

90 Chapter 5 Securing System Preferences

Page 91

To securely configure Software Updates preferences:

1 Open Software Update preferences.

2 Click the Update Software pane.

3 Deselect “Check for updates” and “Download important updates in the background.”

Securing Sound Preferences

Many Apple computers include an internal microphone, which can cause security issues. You can use Sound preferences to disable the internal microphone and the line-in port.

To securely configure Sound preferences:

1 Open Sound preferences.

2 Select Internal microphone (if present), and set the “Input volume” to zero.

3 Select Line-In (if present), and set the “Input volume” to zero.

4 This ensures that “Line-In” is the devices selected rather than the internal microphone

when preferences is closed, providing protection against inadvertent use of the internal microphone.

5 Set “Input volume” to zero.

Chapter 5 Securing System Preferences 91

Page 92

Securing Speech Preferences

Mac OS X includes speech recognition and text to speech features, which are disabled by default. You should only enable these features if you’re working in a secure environment where no one else can hear you speak to the computer, or hear the computer speak to you. Also make sure there are no audio recording devices that can record your communication with the computer.

If you do enable the text to speech feature, use headphones to keep others from overhearing your computer.

92 Chapter 5 Securing System Preferences

Page 93

To securely configure Speech preferences:

1 Open Speech preferences.

2 Click the Speech Recognition pane, and set Speakable Items On or Off.

Change the setting according to your environment.

3 Click the Text to Speech pane, and change the settings according to your environment.

Securing Spotlight Preferences

Spotlight is a new feature in Mac OS X version 10.4. You can use Spotlight to search your entire computer for files. Spotlight searches not only the name and metainformation associated with each file, but also the contents of each file. Spotlight nullifies the use of file placement as an additional layer of security. You must still properly set access permissions on folders containing confidential files. For more information about access permissions, see “Repairing Disk Permissions” on page 28.

Chapter 5 Securing System Preferences 93

Page 94

By placing specific folders or disks in the Privacy pane, you can prevent Spotlight from searching them. You should disable searching of all folders that contain confidential information. Consider disabling top-level folders. For example, if you store confidential documents in subfolders of ~/Documents/, instead of disabling each individual folder, disable ~/Documents/.

By default the entire system is available for searching using spotlight.

To securely configure Spotlight preferences:

1 Open Spotlight preferences.

2 In the Search Results pane, deselect any categories you don’t want searchable by

spotlight.

3 Click the Privacy pane.

4 Click the Add button, or drag a folder or disk into the Privacy pane.

Folders and disks in the Privacy pane are not searchable by Spotlight.

You can use the mdutil tool to turn spotlight indexing off for a volume. For example, to erase the current meta store and turn indexing off for a volume called volumename:

$ mdutil -E -i off

volumename

For information, enter man mdutil in a Terminal window.

94 Chapter 5 Securing System Preferences

Page 95

Securing Startup Disk Preferences

You can use Startup Disk preferences to make your computer start up from a CD, a network volume, a different disk or disk partition, or another operating system.

Be careful when selecting a startup volume. Choosing a network install image reinstalls your operating system and might erase the contents of your hard disk. If you choose a FireWire volume, your computer will start up from the FireWire drive plugged into the current FireWire port for that volume. If you connect a new, different FireWire drive to that FireWire port, your computer will start from the first valid Mac OS X volume available to the computer. This is assuming you have not enabled the Open Firmware password.

When you enable an Open Firmware password, the FireWire volume you selected is the only volume that will start the computer. Open Firmware locks in the FireWire Bridge Chip GUID as a startup volume instead of the hard drive’s GUID (as is done with internal hard drives). If the drive inside the FireWire drive enclosure is replaced by a new drive, the computer can start from the new drive without having to bypass the Open Firmware password. To avoid this type of intrusion, make sure your hardware is physically secured. Open Firmware can also have a list of FireWire volumes that are approved for system startup. For information about physically protecting your computer, see “Protecting Hardware” on page 31.

You can also restart in target disk mode from Startup Disk preferences. When your computer is in target disk mode, another computer can connect your computer and access your computer’s hard drive. The other computer has full access to all the files on your computer. All file permissions for your computer are disabled in target disk mode.

Chapter 5 Securing System Preferences 95

Page 96

If you hold down the T key during startup, you enter target disk mode. You can prevent the startup shortcut for target disk mode by enabling an Open Firmware or EFI password. If you enable an Open Firmware or EFI password, you can still restart in target disk mode using Startup Disk preferences. For more information about enabling an Open Firmware or EFI password, see “Using the Open Firmware Password Application” on page 36.

To select a Startup Disk:

1 Open Startup Disk preferences.

2 Select a volume to use to start up your computer.

3 Click the “Restart” button to restart from the selected volume.

Securing Universal Access Preferences

Universal Access preferences are disabled by default. If you don’t use an assistive device, there are no security-related issues. However, if you do use an assistive device, follow these guidelines:

Â See the device manual for prevention of possible security risks. Â Enabling VoiceOver configures the computer to read the contents under the cursor

out loud, which might inadvertently disclose confidential data.

Â These devices allow access to the computer that could reveal information in an

compromising manner.

96 Chapter 5 Securing System Preferences

Page 97

6 Securing Data and Using

Encryption

Your data is the most valuable part of the computer. By using encryption, you can protect your data in the case of an attack or theft of your mobile computer.

By setting global permissions, encrypting home folders, and encrypting portable data, you can be sure your data is secure. Using the secure erase feature of Mac OS X, any deleted data is completely erased form the computer.

Understanding Permissions

Files and folders are protected by setting permission that restrict or allow users access to them. Mac OS X supports two methods of setting file and folder permissions:

Â Portable Operating System Interface (POSIX) permissions—standard for UNIX

operating systems.

Â Access Control Lists (ACLs) permissions—used by Mac OS X, and compatible with

Microsoft Windows Server 2003 and Microsoft Windows XP.

ACL uses POSIX in its process of verifying file and folder permissions. The process that ACL uses to determine if an action is allowed or denied includes checking specific rules called access control entries (ACEs). If none of the ACEs apply, then standard POSIX permissions are used to determine access.

Setting POSIX Permissions

Mac OS X bases file permissions on POSIX standard permissions such as file ownership and access. Each share point, file, and folder has read, write, and execute permission defined for three different categories of users (owner, group, and everyone). There are four types of standard POSIX access permissions that you can assign to a share point, folder, or file: Read & Write, Read Only, Write Only, and None.

Page 98

Viewing POSIX Permissions

You can assign standard POSIX access permissions to these three categories of users: Â Owner—A user who creates a new item (file or folder) on the server is its owner and

automatically has Read & Write permissions for that folder. By default, the owner of an item and the server administrator are the only users who can change its access privileges (allow a group or everyone to use the item). The administrator can also transfer ownership of the shared item to another user.

Â Group—You can put users who need the same access to files and folders into group

accounts. Only one group can be assigned access permissions to a shared item. For more information about creating groups, see the user management guide.

Â Everyone—Any user who can log in to the file server: registered users and guests.

Before setting or changing POSIX permissions, you should view the current permission settings.

To view the permissions of folders or files:

1 Open Terminal.

2 Run the ls command in Terminal.

$ ls -l

Output similar to the following will be displayed

computer:~/Documents ajohnson$ ls -l

total 500

drwxr-xr-x 2 ajohnson ajohnson 68 Apr 28 2006 NewFolder

-rw-r--r-- 1 ajohnson ajohnson 43008 Apr 14 2006 file.txt

Note: The “~” refers to your home folder, which in this case is /Users/ajohnson. ~/Documents/ is the current working folder.

You can also use the Finder to view POSIX permissions. In the Finder, Control-click a file and choose Get Info. Open the Ownership & Permissions disclosure triangle to view POSIX permissions.

98 Chapter 6 Securing Data and Using Encryption

Page 99

Interpreting POSIX Permissions

POSIX permissions can be interpreted by reading the first ten bits of the long format output listed for a file or folder.

drwxr-xr-x 2 ajohnson ajohnson 68 Apr 28 2006 NewFolder

-rw-r--r-- 1 ajohnson ajohnson 43008 Apr 14 2006 file.txt

In this example, the NewFolder has the POSIX permissions drwxr-xr-x and has an owner and group of ajohnson. The d of the POSIX permissions signifies that newfolder is a folder. The first three letters after the d (rwx) signify that the owner has read, write, and execute permission for that folder. The next three characters, r-x, signify that the group has read and execute permission. The last three characters, r-x, signify that all others have read and execute permission. In this example, any users who can access ajohnson’s ~/Documents/ folder can also open the NewFolder folder and can view, but not modify or open, the file.txt file. “Read” POSIX permissions are propagated through the folder hierarchy. Although be able to access the folder. This is because ajohnson‘s ~/Documents/ folder has drwx--

POSIX permissions.

----

By default, most of the user’s folders have drwx------ POSIX permissions. Only the ~/Sites/ and ~/Public/ folders have drwxr-xr-x permissions. This set of permissions allows other people to view folder contents without authenticating. You can change these folder permissions to drwx------ if you do not want other people to view their contents. Within the ~/Public/ folder, the Drop Box folder has drwx-wx-wx POSIX permission. This allows users other than ajohnson to add files into a ajohnson‘s drop box but they are not able to view those files.

NewFolder has drwxr-xr-x privileges, only ajohnson will

Occasionally, you‘ll see a t instead of an x for others’ privileges on a folder used for collaboration. This t is sometimes known as the “sticky bit”. Enabling the sticky bit on a folder prevents people from overwriting, renaming, or otherwise modifying other people’s files. This is something that can become common if several people are granted

rwx access. The sticky bit being set can appear as t or T, depending on whether the

execute bit is set for others. Â If the execute bit appears as t, the sticky bit is set and has searchable and executable

permissions.

Â If the execute bit appears as T, the sticky bit is set, but does not have searchable or

executable permissions.

See the sticky man page for more information.

Chapter 6 Securing Data and Using Encryption 99

Page 100

Modifying POSIX Permissions

After your determine the current POSIX permission settings, you can modify them by using the chmod command.

To modify POSIX permission:

1 Enter the following in Terminal.

$ chmod g+w file.txt

This adds write permission for the group to file.txt.

2 View the permissions using the ls command.

$ ls -l

3 Validate that the permissions are correct.

computer:~/Documents ajohnson$ ls -l

total 12346

drwxr-xr-x 2 ajohnson ajohnson 68 Apr 28 2006 NewFolder

-rw-rw-r-- 1 ajohnson ajohnson 43008 Apr 14 2006 file.txt

For more information, see the chmod man page.

Setting File and Folder Flags

Files and folders can also be protected using flags. These flags, or permission extensions, override standard POSIX permissions. These can be used to prevent the system administrator (root) from modifying or deleting files or folders.

Use the chflags command to enable and disable flags. The flag can only be set or unset by the file’s owner or an administrator using sudo.

Viewing Flags

Before setting or changing file or folder flags, you should view the current flag settings.

To display flags set on a folder:

$ ls -lo secret

-rw-r--r-- 1 ajohnson ajohnson uchg 0 Mar 1 07:54 secret

In this example the flag settings for a folder named secret are displayed.

Modifying Flags

After your determine the current file or folder flag settings, you can modify them using the chflags command.

To lock a folder using flags:

$ sudo chflags uchg secret

100 Chapter 6 Securing Data and Using Encryption