Computer Protection Program Berkeley Lab
Computer Protection Program at Berkeley Lab Security
Ernest Orlando Lawrence Berkeley National Laboratory
PROCEDURES FOR SECURING SYSTEMS
Security Guidelines for Mac OS X Workstations
  A. Physical Security
  B. Protecting against Viruses and Worms
  C. Securing Accounts and Account Access
  D. Protecting against Unauthorized Privilege Use
  E. File System and Sharing Security
  F. Securing Services
  G. Deleting Unnecessary Accounts
  H. Patching Your System
  I. Other Mac OS X Workstation Security Tips
  J. Conclusion
  K. Online Resources

_____________

IMPORTANT SUGGESTION: Make a full backup of your system before you follow the steps in this checklist in the unlikely case that your system will become inoperable! If you are not sure how to make a backup call the Help Desk at 486-4357 or sign up for the low-cost LBNL backup service online.

A. Physical Security

[ ] Enable password protection in your system’s screen saver.

Unattended terminals spell security trouble regardless of the operating system. Go to System Preferences > Screen Effects > Activation and check "Use my User Account Password". Make the delay period short, e.g., 5 minutes. Also create a hot corner in the "Hot Corners" tab (Screen Effects > Hot Corners) so that you can activate the screen saver instantly whenever you step away from the machine.

Note: Apple Security Update 2003-07-14 fixed a vulnerability in the Screen Effects password handling that could grant access to your desktop to someone without the password. You should make sure that your system has this update installed. (See “Patching Your System” for instructions on checking which updates are installed.)

[ ] If the Mac is likely to be easily accessed by the general public, protect against unauthorized single-user boots by disabling single-user mode.

If you hold down the "Command" and "s" keys during startup, your Mac OS X system boots into "single-user mode," giving whoever started the boot sequence root access without entering any password. Needless to say, this is a potential security catastrophe. A good countermeasure is to download and install MSEC, a free patch that disables single-user boots altogether.

IMPORTANT WARNING: Although preventing single-user boots altogether is good for security, it also unfortunately prevents emergency access to your machine if you forget your password or if your password gets corrupted. If you install this patch, you are strongly advised to create another administrator account, assign this account an incredibly hard-to-guess and hard-to-remember password that is 8 characters long, and then write it on a slip of paper and keep it in your wallet or purse in case you ever need it in an emergency. Otherwise, you should never use this emergency account. Do not post the slip of paper that contains the password anywhere, and do not even store it in a desk drawer where someone else might see it.

An alternative is to enable Apple's Open Firmware Password Protection, which requires a password to boot in single-user mode. http://www.securemac.com/startupsecurity.php describes how to enable this password protection.

IMPORTANT WARNING: Before you install Open Firmware Password, be sure you read and understand the information in Apple’s Knowledgebase. Using Open Firmware Password incorrectly can damage your computer.

B. Protecting against Viruses and Worms

[ ] Download and install the Lab’s free antivirus software for Mac OS X from http://www.lbl.gov/download/.

Although Windows systems are overwhelmingly the most common targets of viruses and worms, no Mac system is immune from these types of malicious code, as proven by the success of the Mac/Simpsons@MM worm on Macs just a few years ago. See http://www.lbl.gov/ITSD/Security/systems/mac.html#viruses for information about viruses and worms that can infect Macs. More viruses and worms that specifically target Mac OS X are likely in time. Additionally, there already are several Trojan horse programs that target Mac OS X systems, and antivirus software will detect and eradicate them. Norton Antivirus for Mac OS X [1] is available to LBNL users for free at http://www.lbl.gov/download/. Note that you need to install only one copy of Norton AV on your Mac; this copy covers both Mac OS X and the Classic environment it uses.

[ ] Ensure that you set up a scheduled Norton AV update and scan a minimum of once a week.

To schedule Norton AV definitions updates on your Mac:

  1. Launch Norton AntiVirus.
  2. Click on the Live Update button in the main window.
  3. Click on the Schedule Future Updates icon.
  4. Click on New to create a new event, and type in a name for the event.
  5. Go to the pull-down menus, choose the type of update and how often the update will occur.
  6. Enter the start date and the time the update is to occur.
  7. Click OK.

To schedule a scan:

  1. Launch Norton AntiVirus.
  2. Click on the Scheduled Scan button.
  3. Click on New Scheduled Scan.
  4. Enter the date and time.
  5. Click OK.

Note: Selecting different times for automatic scanning and updating virus definitions is important. Updating definitions takes only a few minutes, but Automatic Scans take quite a while, something that will slow your computer down.

C. Securing Accounts and Account Access

[ ] Install a warning banner and ensure that it is displayed at the start of every login attempt.

To display a warning banner, perform the following steps:

  1. Download the security warning 1.0 Stuffit archive, and unstuff it with Stuffit Expander.
  2. Drag the security warning 1.0 application to your OS X Applications folder.
  3. Open up System Preferences, and select the Login Items preference pane. You will see a list of items (if any) that are set to run automatically when you log in. Click on Add... Select the securitywarning1.0 application and click on the Add button. Leave the Hide box unchecked and quit System Preferences.

If you have more than one user account enabled, you will need to repeat step 3 when logged in as each user.

[ ] Ensure that all passwords for all other accounts are difficult to guess/crack. Guidelines for choosing a good password are at http://www.lbl.gov/cyber/systems/passwords.html#choose.

To change a password:

  1. Go to System Preferences -> Accounts and double-click on Accounts, as shown in the figure below:

    Figure 1. System Preferences screen.

  2. Highlight the account for which you want to change the password, as shown in the figure below:

    Figure 2. Accounts screen.

  3. A dialog box (see figure below) will appear. Enter the current password for the account.

    Figure 3. Password dialog box.

  4. Another dialog box will appear informing you that your Keychain password will be changed to match your new password (see figure below). Click OK.

    Figure 4. Accounts screen.

  5. Now enter the new password in the field to the right of "Password", enter it again in the field to the right of "Verify," and then press <ENTER> (see figure below).

    Figure 5. Keychain password change confirmation.


[ ] Ensure that the password for the administrator account is difficult to guess and is 8 characters long.

The administrator account and the root account are the two default accounts in Mac OS X (although the root account is disabled by default). The administrator account is simply a user account with administrator privileges; most likely it is the one you created when you first set up your Mac OS X system. Anyone who breaks into either account can cause incredible damage and trouble, which is why a very difficult-to-guess and fairly long (8-character) password is so important! To change your administrator password at any time, use the My Account System Preference pane: next to "My Password," click on "Change...". Alternatively, go to System Preferences > Accounts > Users, select the administrative user whose password you want to change, and click on "Edit User...".[3] (You will have to enter the new password twice for the change to take effect.)

WARNING: Granting administrative privileges from the GUI is something of an all-or-nothing proposition. Careful consideration should be given before checking the "Allow user to administer this computer" check box within the Accounts pane in System Preferences to grant this level of privileges.

Note: Entering a root password longer than 8 characters does not do any good; the maximum password length is 8 characters.

[ ] Do not enable the root account in Mac OS X workstations.

The root account spells trouble; if you don’t need it, don’t enable it. Although this account is generally needed on Mac OS X servers, it is not generally needed on workstations.

D. Protecting against Unauthorized Privilege Use

[ ] Allow only the people who genuinely need administrative access to log in to an administrator account.

The more people with administrative access, the more likely someone will either break into one of these accounts or use it maliciously or incompetently, damaging your system. Verify that all logins with administrator privileges genuinely need that level of access (e.g., they need to be able to install new programs).

The Users tab in the Accounts Preference pane is one way of managing user accounts in Mac OS X. A check box for each user account specifies whether that user can or cannot administer the system. Make sure the box is checked only for users who truly need to be able to administer the system. Make sure at least one account has this ability.

[ ] Turn off the automatic login capability.

Once the administrator account is created and configured, the system administrator has the option of logging in to that account after the system boots without entering any password. This option is potentially catastrophic from a security perspective and should be disabled. Depending on how your copy of Mac OS X was installed, it may be set to automatically log in a user upon startup, which is generally considered contrary to good security policy. To disable it, go to System Preferences, choose the Login icon, and uncheck "Automatically log in" in the "Login Window" tab of the Login Preference pane.

Warning: Depending on your system’s particular release of Mac OS X, the automatic login capability may be enabled on your system by default!



E. File System and Sharing Security

[ ] If you do not need to share your Public folder, turn off file sharing altogether. If you need file sharing, be sure that your administrative password is difficult to crack.

By default, Mac OS X permissions allow remote read access to each user's Public folder if file sharing is enabled. It is best to not enable file sharing at all, provided, of course, that you do not need to share files with other users.

To turn file sharing off:

  1. Go to System Preferences -> Sharing (see the "Internet and Network" section of the screen below).

    Figure 1. System Preferences screen.

  2. From the "Sharing" screen, select "Personal File Sharing" (see screen below) and click on the Stop button at the right.

    Figure 2. Setting Personal File Sharing.

  3. "Personal File Sharing" should now look like this (see screen below):

    Figure 3. Personal File Sharing disabled.

If you need to enable file sharing, do not allow any more than the default read-access to the Public folder. Unless you need the drop box to collect files from others with whom you are collaborating, change the drop-box permissions to "read only."



WARNING: You can gain remote access to any file or folder on your Mac by connecting to it as an administrative user. In fact, anyone with an Internet connection and an administrative login for your Mac can do the same. This is another great reason to have a difficult-to-guess password on every administrator account.


[ ] Whenever possible, avoid setting file permissions to allow universal write access to folders.

You can see and change the permissions on a folder by selecting it and running the Get Info command (Command-I). The only exception to this rule is drop boxes, as discussed previously.
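As an added example (not part of the LBNL checklist), the following shell script performs the same permission check from the Terminal for a whole home folder: it reports every folder that grants write access to everyone, exempts the Public/Drop Box folder (which is intentionally world-writable so that others can drop files in), and can remove the offending write bit. The sample home directory it builds is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the LBNL checklist): find folders that grant
# write access to "others", the command-line equivalent of checking each
# folder in Get Info. The only folder expected to be world-writable under a
# home directory is Public/Drop Box (mode 733), so it is exempted by name.

# Print every directory under $1 whose mode grants write to others, except
# directories named "Drop Box". "-perm -002" is the POSIX octal form, so it
# works with both BSD (Mac OS X) and GNU find. Output is sorted for stable
# comparison.
find_world_writable() {
    find "$1" -type d -perm -002 ! -name 'Drop Box' -print | sort
}

# Remove the "others write" bit from each flagged directory and report it.
# Run as the folder's owner, or with sudo when cleaning up other users' homes.
fix_world_writable() {
    find_world_writable "$1" | while IFS= read -r dir; do
        chmod o-w "$dir" && printf 'removed world write: %s\n' "$dir"
    done
}

# Build a constructed sample home directory in a temp location so the check
# can be exercised without touching a real account. Prints the path.
make_sample_home() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/Documents" "$home/Public/Drop Box" "$home/scratch"
    chmod 755 "$home" "$home/Documents" "$home/Public"
    chmod 733 "$home/Public/Drop Box"   # legitimate drop box: write-only for others
    chmod 777 "$home/scratch"           # the problem folder this check should flag
    printf '%s\n' "$home"
}

# Usage on a real account:  find_world_writable "$HOME"
#                           fix_world_writable "$HOME"
# Run with --demo to exercise the check against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    h=$(make_sample_home)
    echo "World-writable folders under $h:"
    find_world_writable "$h"
    fix_world_writable "$h"
    rm -rf "$h"
fi
```

On the constructed sample only the scratch folder is reported; after fix_world_writable runs, the scan is empty while Drop Box keeps its write-only mode for others.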

F. Securing Services

[ ] Leave services that you do not need to use disabled. Do not enable additional services such as FTP, Personal Web Sharing, or Windows File Sharing unless your system needs to run them.

The more services you run, the more ways there are for attackers to hammer your Mac OS X system. Fortunately, in a default installation of Mac OS X, every Internet service is disabled by default. [2] To obtain a list of services running on your system that can be accessed by remote systems, open the Sharing pane in System Preferences and click on the Services tab.
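An added example, not from the LBNL page, that does the Sharing > Services check from the Terminal: it reads the output of netstat -an, keeps only the TCP sockets in the LISTEN state, and labels the ports that belong to the Sharing-pane services named in this checklist (the port numbers are the standard ones for those services). This also surfaces listeners that the Sharing pane does not manage. The netstat sample embedded in the script is constructed, not a real capture, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the LBNL checklist: list the TCP ports on which
# this Mac accepts connections, using `netstat -an`, and map the well-known
# ones to the services shown in the Sharing pane.

# Map a port number to the Sharing-pane service that uses it.
# The assignments are the standard ones; anything else is reported as "other".
service_for_port() {
    case "$1" in
        21)  echo "FTP Access" ;;
        22)  echo "Remote Login (SSH)" ;;
        80)  echo "Personal Web Sharing" ;;
        139) echo "Windows File Sharing (SMB)" ;;
        548) echo "Personal File Sharing (AFP)" ;;
        *)   echo "other" ;;
    esac
}

# Read `netstat -an` output on stdin and print one line per TCP listener:
#   <local address> <port> <service>
# BSD netstat writes the local endpoint as addr.port ("*.22", "127.0.0.1.631"),
# so the port number is the text after the last dot.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $4 }' |
    while IFS= read -r local; do
        port=${local##*.}
        printf '%s %s %s\n' "$local" "$port" "$(service_for_port "$port")"
    done
}

# Same, but drop listeners bound to the loopback address: only sockets bound
# to "*" or a real interface address can be reached from other hosts.
exposed_ports() {
    listening_ports | grep -v '^127\.'
}

# Constructed sample of `netstat -an` output from a Mac OS X system with
# Remote Login and Personal File Sharing turned on (not a real capture).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.22        192.168.1.5.51022      ESTABLISHED
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.5353                 *.*
EOF
}

# On a real system:  netstat -an | exposed_ports
# Port 631 in the sample is the local CUPS print queue, bound to loopback
# only, so it does not appear in the exposed list.
sample_netstat | exposed_ports
```

Anything in the exposed list that is not a service you deliberately turned on in Sharing > Services is worth investigating, since the pane only shows the services it manages.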

[ ] If you need to remotely connect to your Mac, enable SSH and use the ssh command in the Terminal to connect.

Since using SSH is the most secure way to remotely access a Mac OS X system, be sure to enable it if you need remote access to your Mac. In System Preferences, go to Sharing > Services and select Remote Login. Now go to the Firewall tab and select Remote Login - SSH (22).

If you do not need the remote login service, disable it:

  1. Go to System Preferences -> Sharing and double-click on Sharing, as shown in the screen below:

    Figure 1. System Preferences screen.

  2. Highlight "Remote Login" and then click on "Stop" next to "Remote Login On" (see figure below).

    Figure 2. Sharing screen.

  3. Now uncheck "On" for Remote Login, per the screen below:

    Figure 3. Sharing screen.


G. Deleting Unnecessary Accounts

[ ] Delete unnecessary accounts of users who no longer need access to your system, and accounts that have been dormant for 90 days or more.

Unnecessary accounts are big targets for attackers, who try to break into these accounts by guessing one password after another in a "brute force" attack without anyone noticing. To delete any unnecessary account, do the following:

  1. Go to System Preferences -> Accounts (see screen below).

    Figure 1. System Preferences screen.

  2. The names of accounts will be listed. Double-click on the name of the account to be deleted, as shown in the screen below.

    Figure 2. Accounts screen.

  3. A prompt that reads, "Are you sure you want to delete the user account?" will appear, as shown in the screen below.

    Figure 3. Account deletion prompt.

  4. Click OK.

  5. Repeat this procedure for any additional unnecessary accounts.

H. Patching Your System

[ ] Leave Software Update enabled and (optional) configure it to update daily instead of weekly.

A substantial number of vulnerabilities in Mac OS X have surfaced, and failure to keep up with security patches is the major reason for unauthorized access to systems and successful denial of service attacks. Software Update is a good solution: it automatically contacts Apple's Web site and informs you of available patches, which you can then easily download and install. Packages that you install through Software Update are copied to /Library/Receipts, and the Installed Updates tab lists all the updates applied to your system. Be sure to leave Software Update enabled so that your system stays up to date with respect to patches. Its default of checking only once a week may be a problem, however, if your system needs a high level of security; to switch to daily checks, go to the Software Update Preference pane and select "Daily" from the pull-down menu.

I. Other Mac OS X Workstation Security Tips

[ ] Avoid installing the BSD Subsystem (and especially the NetInfo utilities) and Developer Tools unless you genuinely need them.

When you install Mac OS X you have the option of installing the BSD subsystem, including the NetInfo directory service. For the sake of brevity, suffice it to say here that the BSD subsystem, especially the NetInfo utilities, and the Developer tools have a large number of vulnerabilities, including some that allow everyone to obtain a copy of the encrypted passwords in the password file. If you do not need the BSD subsystem, including the NetInfo utilities, or the Developer Tools, don’t install them. If you need them, at a minimum, change the permissions on all NetInfo command-level interface tools to allow only administrator and root to read, write, or execute these executables. Group and others should not have any access whatsoever.
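An added example (not from the LBNL checklist) of the permission change just described, as a shell script: it restricts the NetInfo command-line tools in /usr/bin so that only their owner (root) can read or run them, with administrators reaching them through sudo, and it provides an audit function that reports any tool still accessible to group or others. The tool list is the set of ni* utilities shipped with Mac OS X of that era; the sample directory it builds for testing is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the LBNL checklist: lock down the NetInfo
# command-line tools so that only root can read, write or execute them.
# Group and others get nothing, as the checklist recommends.

# NetInfo command-line tools shipped in /usr/bin on Mac OS X 10.2/10.3.
NETINFO_TOOLS="nicl nidump nifind nigrep niload nireport niutil"

# Return the 10-character mode string (e.g. "-rwx------") for a file, taken
# from ls, which is portable across BSD and GNU (stat's flags differ).
tool_mode() {
    ls -ld "$1" | cut -c1-10
}

# Restrict every NetInfo tool found under $1 (normally /usr/bin) to the owner
# only, printing one line per tool changed or missing. On a real system this
# must run as root:  sudo sh this_script.sh  (or call it with sudo -s).
harden_netinfo_tools() {
    bindir=$1
    for t in $NETINFO_TOOLS; do
        f=$bindir/$t
        if [ -f "$f" ]; then
            chmod u=rwx,go= "$f" && printf 'restricted: %s (%s)\n' "$f" "$(tool_mode "$f")"
        else
            printf 'not installed: %s\n' "$f"
        fi
    done
}

# Report tools under $1 that are still readable, writable or executable by
# group or others. Prints nothing when every installed tool is locked down,
# so it can be run periodically to catch a reinstall or update resetting modes.
audit_netinfo_tools() {
    for t in $NETINFO_TOOLS; do
        f=$1/$t
        [ -f "$f" ] || continue
        case "$(tool_mode "$f")" in
            ????------) ;;   # group and other bits all clear: fine
            *) printf 'exposed: %s (%s)\n' "$f" "$(tool_mode "$f")" ;;
        esac
    done
}

# Build a constructed stand-in for /usr/bin containing dummy copies of the
# tools with the default 755 mode. nireport is left out on purpose so the
# "not installed" path is exercised. Prints the directory path.
make_sample_bindir() {
    d=$(mktemp -d) || return 1
    for t in nicl nidump nifind nigrep niload niutil; do
        printf '#!/bin/sh\n' > "$d/$t"
        chmod 755 "$d/$t"
    done
    printf '%s\n' "$d"
}

# Usage on a real system:  sudo sh -c '. ./this_script.sh; harden_netinfo_tools /usr/bin'
#                          audit_netinfo_tools /usr/bin
```

Running audit_netinfo_tools before and after harden_netinfo_tools on the constructed directory shows six exposed tools first, then none; a later audit that reports anything again is a sign that an installer or update has restored the default modes.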

[ ] Disable the display of usernames in the login window.

By default anyone can discover usernames on a Mac OS X system simply by bringing up the login window, so disabling the display of usernames there is a good security measure. Go to System Preferences, select the Login icon, and under "Display Login Window as:" select "Name and Password entry fields."

J. Conclusion

This checklist should by no means be considered a complete list of things to do to tighten Mac OS X security. You could, for example, use the built-in IP firewall to increase the security of your system even more. Instead this checklist specifies a reasonable set of measures that will make it more resistant to attacks than out-of-the-box systems (although Apple has done more than a respectable job as far as most of its default settings go). Macs have generally fared well against Internet attacks in recent years, but with the release of Mac OS X, the situation is already changing. The number of hacking tools that work against Unix and Linux systems is increasing. It is only a matter of time before more of these tools are modified to target and/or run on Mac OS X; many already have been. So taking the time to follow the steps described in the checklist is not really an option—it is a necessity.

K. Online Resources

http://www.apple.com/support/security/ (Apple product security)

http://www.lbl.gov/ITSD/Security/systems/mac.html

http://lists.apple.com/mailman/listinfo/security-announce (Apple’s security mailing list)

http://www.macintouch.com/security.html

http://www.macsecurity.org

http://www.macsecurity.org/mailman/listinfo

http://www.sans.org/infosecFAQ/mac/mac_list.htm

____________________

  1. This software actually works on versions 8–10 of the Mac OS.
  2. If you run the BSD Subsystem, including NetInfo, numerous services will be added, but by default they will be disabled.
  3. Other ways to change the password, such as changing the password hash in NetInfo, exist, but they are less secure.