Mac security hardening tips from the NSA


The National Security Agency (NSA) offers "Hardening Tips for Mac OS X 10.6 'Snow Leopard,'" a tri-fold security brochure from the agency's Information Assurance Mission. It's packed with useful tips.

Although it takes aim at Snow Leopard, most of the tips apply to plain old Leopard and to Lion as well. Some are simple and practical but require a security-conscious workflow to stick.

For example, the guide suggests creating a user account specifically for surfing and reading e-mail. On many single-user machines, mail and web browsing happen in the primary account, which is usually the machine's admin account, so anything that compromises the browser or mail client runs with admin rights.

There's also a list of LaunchDaemon and LaunchAgent services that may, or may not, be necessary for every user in an organization, and certainly not in many buttoned-down federal shops. If you're not using a VPN, shutting it down could be a good idea.
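Deciding which launchd services to turn off starts with knowing what each plist actually does: whether launchd starts it at boot (RunAtLoad), restarts it if it dies (KeepAlive), or only spawns it on demand (Sockets, WatchPaths, StartInterval). The script below is an added example, not code from the article or the NSA brochure. It writes a few constructed plists with hypothetical labels (com.example.*) to a temporary directory standing in for /System/Library/LaunchDaemons, audits them with the standard-library plistlib, and prints the `launchctl unload -w` command for any service on a caller-supplied "not needed" list that is not already disabled.

```python
"""Audit launchd plists and flag services to unload.

Added example (not from the ZDNet article or the NSA brochure). The plists
and their com.example.* labels are constructed stand-ins; point
audit_launchd_dir() at /System/Library/LaunchDaemons or /Library/LaunchAgents
on a real Mac with the labels from the brochure's list.
"""
import os
import plistlib
import tempfile

# Constructed sample plists; the labels are hypothetical, not Apple's.
SAMPLE_PLISTS = {
    "com.example.vpnd.plist": {
        "Label": "com.example.vpnd",
        "ProgramArguments": ["/usr/sbin/vpnd"],
        "RunAtLoad": True,
        "KeepAlive": True,  # launchd restarts it whenever it exits
    },
    "com.example.printshare.plist": {
        "Label": "com.example.printshare",
        "ProgramArguments": ["/usr/sbin/printshared"],
        "RunAtLoad": True,
        "Disabled": True,  # default is off; nothing to do
    },
    "com.example.ondemand.plist": {
        "Label": "com.example.ondemand",
        "ProgramArguments": ["/usr/libexec/ondemandd"],
        # Launched only when something connects to the socket.
        "Sockets": {"Listeners": {"SockServiceName": "9999"}},
    },
}


def write_samples(directory):
    """Write the constructed plists as binary property lists."""
    for name, contents in SAMPLE_PLISTS.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(contents, fh)


def audit_launchd_dir(directory, unneeded):
    """Return one record per plist in `directory`.

    `unneeded` is a set of Label values the caller has decided to turn off.
    Caveat: the Disabled key is only the default; launchd's overrides
    database (written by `launchctl unload -w`) takes precedence, so a
    file-only audit cannot see a service re-enabled with `launchctl load -w`.
    """
    records = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except Exception:  # malformed or non-plist file
                records.append({"file": name, "label": None, "error": "unparseable"})
                continue
        label = plist.get("Label", name[: -len(".plist")])
        # KeepAlive may be a bool or a dict of conditions; either keeps it running.
        autostart = bool(plist.get("RunAtLoad", False)) or bool(plist.get("KeepAlive", False))
        on_demand = any(k in plist for k in ("Sockets", "WatchPaths", "StartInterval"))
        disabled = bool(plist.get("Disabled", False))
        flagged = label in unneeded and not disabled
        program = plist.get("ProgramArguments") or [plist.get("Program", "?")]
        records.append({
            "file": name,
            "label": label,
            "program": " ".join(program),
            "autostart": autostart,
            "on_demand": on_demand,
            "disabled": disabled,
            "flagged": flagged,
            # -w persists the change across reboots via the overrides database.
            "command": "sudo launchctl unload -w %s" % path if flagged else None,
        })
    return records


def run_demo():
    """Audit the constructed samples with two labels marked as unneeded."""
    directory = tempfile.mkdtemp(prefix="launchd-audit-")
    write_samples(directory)
    return audit_launchd_dir(directory, {"com.example.vpnd", "com.example.printshare"})


if __name__ == "__main__":
    for rec in run_demo():
        print("%-28s autostart=%-5s on_demand=%-5s disabled=%-5s %s" % (
            rec.get("label"), rec.get("autostart"), rec.get("on_demand"),
            rec.get("disabled"), rec.get("command") or ""))
```

The audit reports what launchd would do with each file and leaves the unload decision to you; a service that is only socket-activated never runs until something connects to it, which is a different risk from a daemon that is up from boot.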

The difference between a government shop and the rest of us shows in the section on Bluetooth and AirPort security:

The best way to disable Bluetooth hardware is to have an Apple-certified technician remove it. If this is not possible, disable it at the software level by removing the following files from /System/Library/Extensions:

IOBluetoothFamily.kext
IOBluetoothHIDDriver.kext

The best way to disable AirPort is to have the AirPort card physically removed from the system. If this is not possible, disable it at the software level by removing the following file from /System/Library/Extensions:

IO80211Family.kext

If the service or hardware offends you, take it out! One caveat: Apple's own software updates put system kexts back, so checking that the files are still gone belongs in the post-update routine.
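Deleting the kext bundles only takes effect at the next boot, and an update can silently restore them, so the practical follow-up is a check that pairs "is the bundle still on disk?" with "is the driver loaded in the kernel?" (`kextstat` with no arguments lists loaded kexts by bundle identifier). The script below is an added example, not code from the article or the brochure. The kextstat output is a constructed sample and the extensions directory is a temporary directory with empty stand-in bundles, so it runs anywhere; on a real 10.6-era Mac you would pass it the real `kextstat` output and /System/Library/Extensions. The bundle identifiers in RADIO_KEXTS are my assumption of the identifiers Apple ships those bundles under. On current macOS, System Integrity Protection stops you from deleting anything under /System in the first place, so this procedure is specific to the systems the brochure targets.

```python
"""Check whether the Bluetooth and AirPort kexts are present and loaded.

Added example (not from the ZDNet article or the NSA brochure). On a real
Mac: radio_status(subprocess.check_output(["kextstat"]).decode(),
"/System/Library/Extensions"). Here both inputs are constructed.
"""
import os
import tempfile

# Bundle directory names from the brochure -> bundle identifier as loaded by
# the kernel (assumed identifiers; read CFBundleIdentifier from each bundle's
# Contents/Info.plist to confirm on your own system).
RADIO_KEXTS = {
    "IOBluetoothFamily.kext": "com.apple.iokit.IOBluetoothFamily",
    "IOBluetoothHIDDriver.kext": "com.apple.driver.IOBluetoothHIDDriver",
    "IO80211Family.kext": "com.apple.iokit.IO80211Family",
}

# Constructed kextstat output, not captured from a real machine: header row,
# one core kext, and the two Bluetooth drivers loaded. AirPort is absent.
SAMPLE_KEXTSTAT = """\
Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1   61 0x0        0x0        0x0        com.apple.kpi.bsd (10.8.0)
   53    2 0x1000000  0x5a000    0x5a000    com.apple.iokit.IOBluetoothFamily (2.4.5f1) <52 11 10 8 7 6 5 4 3>
   60    0 0x1100000  0x3b000    0x3b000    com.apple.driver.IOBluetoothHIDDriver (2.4.5f1) <53 30 11 6 5 4 3>
"""


def loaded_kexts(kextstat_output):
    """Parse kextstat output into {bundle_identifier: version}."""
    loaded = {}
    for line in kextstat_output.splitlines():
        parts = line.split()
        # Data rows start with the numeric Index column; skip the header.
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        loaded[parts[5]] = parts[6].strip("()")
    return loaded


def radio_status(kextstat_output, extensions_dir):
    """For each radio kext report whether it is on disk and whether it is loaded."""
    loaded = loaded_kexts(kextstat_output)
    status = {}
    for bundle, ident in RADIO_KEXTS.items():
        status[bundle] = {
            "on_disk": os.path.isdir(os.path.join(extensions_dir, bundle)),
            "loaded": ident in loaded,
            "version": loaded.get(ident),
        }
    return status


def still_enabled(status):
    """Bundles that are either still on disk or still loaded (either means not done)."""
    return sorted(b for b, s in status.items() if s["on_disk"] or s["loaded"])


def run_demo():
    """Simulate a machine where AirPort was removed but Bluetooth was not."""
    ext = tempfile.mkdtemp(prefix="extensions-")
    for name in ("IOBluetoothFamily.kext", "IOBluetoothHIDDriver.kext"):
        os.makedirs(os.path.join(ext, name, "Contents"))  # empty stand-in bundles
    return radio_status(SAMPLE_KEXTSTAT, ext)


if __name__ == "__main__":
    result = run_demo()
    for bundle, s in result.items():
        print("%-28s on_disk=%-5s loaded=%-5s %s" % (bundle, s["on_disk"], s["loaded"], s["version"] or ""))
    print("still enabled:", still_enabled(result))
```

Run it before and after a reboot: "on disk but not loaded" right after deletion is expected, "not on disk but loaded" means the kernel cache still holds the driver until reboot, and "on disk again" after an update is the case the page's readers warned about.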


Talkback

4 comments
  • RE: Mac security hardening tips from the NSA

    Mac Firewire ports, batteries and the keyboard are hacked, too (google it). They should be removed to make Macs really secure. :-)

    [i]For example, the guide suggests creating a user account specifically for surfing and reading e-mail. Many single-user machines read mail and surf in the primary account, which is likely the Admin Account for the machine.[/i]

    These and some other pieces of advice from the brochure apply to Windows 7 users, too.
    Earthling2
  • Here's an idea for any computer:

    just unplug it. That'll make it secure.

    Seriously, some of the NSA's suggestions are excellent -- FileVault for laptops, non-admin accounts, disabling (at least through software) unneeded services or hardware. And the general advice applies to any system, not just Macs.

    Not sure how much is to be gained by disabling Bonjour; perhaps someone can correct me, but I believe it only functions on your segment of the LAN -- it won't pass through routers. So, to use it as an attack vector, the perp would have to be on your LAN with you. NSA might have bigger problems than Bonjour, if that's the case. Otherwise, Bonjour makes it easy to connect to printers, servers, etc.

    They do raise an excellent point that certain settings might be reset by software updates, so you have to be vigilant and check them periodically. That shouldn't be necessary: Apple should preserve existing settings, unless those functions are changing ... and then it should default to the more secure option. And when will Apple finally change Safari's default setting so that it will NOT open "safe" files downloaded from the internet?! Have they learned nothing from Microsoft's past troubles ... or the MacDefender brouhaha?

    My favorite NSA suggestion: "Placing opaque tape over the camera is less secure but still helpful." Gotta love high-tech solutions!
    jscott69
    • The problem with Bonjour

      @jscott69
      You are right that Bonjour (zeroconf) is limited to the subnet you are on. The issue is that because it constantly broadcasts its own availability, and because a user isn't told if they left it enabled the last time they were on the Mac (PC), it can open a door to the system at any Starbucks, McDonald's, Denny's, or Public Library where you happen to be using your laptop.

      That's probably not much of an issue for NSA (where equipment typically won't leave the campus), but travel a few miles south from Ft. Meade to Goddard Space Flight Center and you get a new agency acronym - NASA. I can assure you, having supported Macs and PCs on 2 different NASA campuses as well as the Apple Store closest to GSFC, those employees do take their laptops home and use them on all kinds of networks. This is to say nothing of the rest of the Federal Alphabet Soup around here: FBI, NIH, NIMH, CIA, USPS (ok, privatized but still ...), USAF, USN, USCG, USMC, USA, USSS, etc...

      Zeroconf is available to Windows and Linux users also.
      use_what_works_4_U
  • Morg': "If the service and hardware offends you, take it out!"

    .. you mean like LDAP for Apple enterprise users? I thought that was a "feature" of Cupertino's new, enterprise [i]"ease-of-use"[/i] architecture.

    Did you get any tips from NSA on that, [i]tiny, little oversight[/i]??
    thx-1138_