Mac OS X security audit
No security scheme you set up on your computer will withstand an attack long if you don't handle physical security first. If someone can access your computer using your keyboard, mouse/trackpad, and display, then they will probably be able to get full control of the computer.
For better security, prevent unauthorized users from physically accessing the computer and opening up its case. All modern Macintosh models can be locked shut to prevent internal changes that render some security mechanisms useless.
Startup disk security
Any Macintosh capable of booting Mac OS X can at least boot from the Apple system CD-ROMs. These CDs let you install Mac OS X, but also provide a utility to reset any password on the computer. The password reset utility can even change the root password for the "System Administrator" account.
The "System Administrator" (root) account is disabled by default -- as intended by Apple. ITS recommends you leave this account disabled. However, you should be aware that anyone who can boot your computer with a system CD can change the root password, and have complete control of the computer.
Therefore, if you are working in an open environment and need more control, you should consider the Open Firmware password option. The Open Firmware password is a powerful feature, but can be inconvenient in many circumstances. We do not recommend using it on portables like PowerBooks and iBooks, and its best use may be in dedicated computer labs. If you would like to discuss whether the Open Firmware password capability is right for your environment, please contact us.
There are three names for a Mac OS X system, and it is important to understand them when you are in a networked environment:
|Name||Uses and setup||Notes|
|DNS host name||Determined by reverse DNS lookup against your local DNS servers; defined at RIT when you register your computer at http://start.rit.edu/||Should appear similar to "host.rit.edu," where "host" is the unique name of your computer; it cannot contain spaces or punctuation|
|Rendezvous name||Defined by any administrative user using the Sharing pane in the System Preferences application, used for local lookups (and by applications such as Print Center, iChat, and iTunes 4) on your current network segment only||Should appear like "host.local," where "host" is the unique name of your computer in the local section of the network (but it may not be unique elsewhere, even within RIT); it cannot contain spaces or punctuation|
|Computer name||Used for Personal File Sharing over AppleTalk networks||Should appear as "Host," which can be a name with capitals, spaces, and so on|
If you are setting up a computer, you will want to make sure that these names are unique on whatever network you are connected with.
Also, when you connect to another computer (or connect to yours remotely), you should verify that it at least has the correct name. This is not always a guarantee that you are connecting to the computer you expect to connect to, but it's a start.
You should limit the number of local accounts you create on your computer. If an account is not being used, delete it. Some system accounts -- those with UIDs less than 500 -- are only visible in the "NetInfo Manager application" or through the "Terminal application".
You should limit the privileges of accounts you create on a Mac OS X computer. If a user does not need the privileges granted by administrator-level access, do not grant it. Administrator-level access can provide a user with full control of the system in short order.
We also strongly recommend that you leave the default "System administrator," or "root," account disabled. Apple disables this very powerful account for security reasons at the factory. We agree with this decision. If you have need of root access on an RIT-owned computer, please contact us for alternatives.
You should use passwords that provide a reasonable level of security; see our "Mac OS X password tips" page.
Make sure only those sharing features you actually need are enabled. Sharing features involving files or folders follow normal file/folder permissions. By default, the system ships with no sharing features enabled.
Some sharing services broadcast their availability using Rendezvous and/or Service Location Protocol (SLP) services. Each service responds to requests sent to it over a network, and the types of responses can inform an outside party that the service is available. If you enable a sharing service, you should not expect that it will never be discovered across a network.
Personal Web Sharing shares only the following folders:
- /Library/WebServer/Documents/, which defaults to a generic Apache page
- ~/Sites/ for each user account under in the /Users folder on the computer
Personal File Sharing and Windows File Sharing share:
- The entire contents of each drive on the computer, if you remotely connect as an administrator
- Your own home directory, if you log in as an administrator or normal user
- ~/Public/ for each user account under the /Users folder on the computer, if you log in as an administrator, normal user, or guest
Guest access is automatically enabled when Personal File Sharing is turned on, but guests can only access the "Public" folder for each user account. If there are no files in the Public folder, and appropriate file/folder permissions are maintained everywhere else in the "Mac OS X file system", then the risk of unauthorized file access by guests is greatly reduced.
Guests can, however, save files to the "Drop Box" folder inside each user's "Public" folder when Personal File Sharing is enabled. You may want to eliminate the "Drop Box" folder to prevent unauthorized users from filling up your hard drive by dropping files into that folder. (Filling up the hard disk can cause performance and stability problems on Mac OS X.) Once files are in that folder, guests can no longer access them -- they have write-only privileges. Therefore, the "Drop Box" folder cannot be used for unauthorized users to share files with other guests.
Up-to-date anti-virus tools can help prevent the spread of a virus outbreak. Mac OS X is currently most susceptible to macro viruses attached to Microsoft Word and Microsoft Excel documents. You should make sure that the default protections against macro viruses are enabled in these applications.
For virus protection on Mac OS X, please see our information about Virex.
The entire Mac OS X file system is protected with file/folder permissions. This is not done lightly, or to decrease the usability of a Macintsoh computer. Rather, it is done to support the multi-user nature of the operating system, and enforce file security for those potential users on a Mac OS X system. In most respects, Mac OS X systems with only a single user account operate as if they were a Mac OS 9 computer -- where file and folder permissions were not present or adequately enforceable.
These file/folder permissions also provide the basis for much of the security that Mac OS X provides.
To verify the integrity of the file/folder permissions on items important for the operating system, you can run "Repair Permissions in Disk Utility".
To verify that you have the latest version of the Mac OS X system software, including any recommended security patches, use the "Software Updates" mechanism in the System Preferences application. This routine does not update software that did not ship with Mac OS X.
You will still need to update Mac OS X applications on your own. You can do this manually, and there are also commercial subscription services that help to automate it. If you are a system administrator controlling a number of systems, ITS may have other recommendations on how to maintain your software installations, as well; please feel free to contact us.