The Apple Core

Jason D. O'Grady & David Morgenstern

Mac security hardening tips from the NSA

By | August 25, 2011, 7:36pm PDT

Summary: The National Security Agency (NSA) offers “Hardening Tips for Mac OS X 10.6 ‘Snow Leopard,’” a tri-fold security brochure for the agency’s Information Assurance Mission. It’s packed with useful tips.

While taking aim at Snow Leopard, most of the tips can apply to plain old Leopard as well as Lion. Some are simple and practical but would require a security-conscious workflow.

For example, the guide suggests creating a user account specifically for surfing and reading e-mail. Many single-user machines read mail and surf in the primary account, which is likely the Admin Account for the machine.

There’s also a list of LaunchDaemon and LaunchAgent services that may or may not be necessary for every user in an organization, and certainly are not in many buttoned-down federal shops. If you’re not using a VPN, maybe shutting it down could be an idea.

The difference between the government shop and the rest of us can be seen in the section on Bluetooth and Airport security.

The best way to disable Bluetooth hardware is to have an Apple-certified technician remove it. If this is not possible, disable it at the software level by removing the following files from /System/Library/Extensions:

IOBluetoothFamily.kext
IOBluetoothHIDDriver.kext

The best way to disable AirPort is to have the AirPort card physically removed from the system. If this is not possible, disable it at the software level by removing the following file from /System/Library/Extensions:

IO80211Family.kext

If the service and hardware offend you, take it out!
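
A check to rerun periodically, for example after software updates, that the three kexts named in the brochure excerpt above are still absent from the extensions directory. This is an added example, not from the NSA brochure or the original article; the function name `audit_kexts`, the variable `HARDENED_KEXTS` and the return-code convention are assumptions.

```shell
#!/bin/sh
# Added example: audit whether the kexts named in the brochure excerpt are
# still on disk. Function name and return-code convention are assumptions.

# Kext bundles quoted in the article; a machine hardened this way has none.
HARDENED_KEXTS="IOBluetoothFamily.kext IOBluetoothHIDDriver.kext IO80211Family.kext"

# audit_kexts [DIR]
# Prints one line per kext and returns the number still present
# (0 = all removed). Returns 255 if DIR is not a readable directory.
audit_kexts() {
    ext_dir="${1:-/System/Library/Extensions}"
    if [ ! -d "$ext_dir" ]; then
        echo "ERROR: $ext_dir is not a directory" >&2
        return 255
    fi
    present=0
    for kext in $HARDENED_KEXTS; do
        # A kext is a bundle directory; -e matches it whatever its type.
        if [ -e "$ext_dir/$kext" ]; then
            echo "PRESENT  $ext_dir/$kext"
            present=$((present + 1))
        else
            echo "absent   $ext_dir/$kext"
        fi
    done
    return "$present"
}
```

On the Mac itself, call `audit_kexts` with no argument to check /System/Library/Extensions; any `PRESENT` line means that file is back on disk.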

Disclosure

Freelance journalist/blogger David Morgenstern has nothing to disclose.

Biography

David Morgenstern has covered the Mac market and other technology segments for 20 years. In the recent past, he founded Ziff-Davis' Storage Supersite, served as news editor for Ziff Davis Internet and held several executive editorial positions at eWEEK. In the 1990s, David was editor of Ziff Davis' award-winning MacWEEK news publication as well as its successor title, eMediaWEEKly, which focused on multiplatform professional content creation. His byline can be found online and in print publications including CreativePro.com, Peachpit Press' Mac Bible and Popular Photography.

5 Comments

RE: Mac security hardening tips from the NSA
jackson1984-24316069205748857739440257893812 10th Oct
Your website is incredibly practical. I am loving every from the info you might be sharing football shop with every single human being!
0 Votes
Mac Firewire ports, batteries and the keyboard are hacked, too (google it). They should be removed to make Macs really secure. happy

For example, the guide suggests creating a user account specifically for surfing and reading e-mail. Many single-user machines read mail and surf in the primary account, which is likely the Admin Account for the machine.

These and some other pieces of advice from the brochure are for Windows 7 users, too.
0 Votes
just unplug it. That'll make it secure.

Seriously, some of the NSA's suggestions are excellent -- FileVault for laptops, non-admin accounts, disabling (at least through software) unneeded services or hardware. And the general advice applies to any system, not just Macs.

Not sure how much is to be gained by disabling Bonjour; perhaps someone can correct me, but I believe it only functions on your segment of the LAN -- it won't pass through routers. So, to use it as an attack vector, the perp would have to be on your LAN with you. NSA might have bigger problems than Bonjour, if that's the case. Otherwise, Bonjour makes it easy to connect to printers, servers, etc.

They do raise an excellent point that certain settings might be reset by software updates, so you have to be vigilant and check them periodically. That shouldn't be necessary: Apple should preserve existing settings, unless those functions are changing ... and then it should default to the more secure option. And when will Apple finally change Safari's default setting so that it will NOT open "safe" files downloaded from the internet?! Have they learned nothing from Microsoft's past troubles ... or the MacDefender brouhaha?

My favorite NSA suggestion: "Placing opaque tape over the camera is less secure but still helpful." Gotta love high-tech solutions!
0 Votes
The problem with Bonjour
use_what_works_4_U 26th Aug
@jscott69
You are right that Bonjour (zeroconf) is limited to the subnet you are on. The issue is that because it constantly broadcasts its own availability, and because a user isn't told if they left it enabled the last time they were on the Mac (PC), it can open a door to the system at any Starbucks, McDonald's, Denny's, or Public Library where you happen to be using your laptop.

That's probably not much of an issue for NSA (where equipment typically won't leave the campus) but travel a few miles South from Ft. Meade to Goddard Space Flight Center and you get a new agency acronym - NASA. I can assure you having supported Macs and PCs on 2 different NASA campuses as well as the Apple Store closest to GSFC, those employees do take their laptops home and use them on all kinds of networks. This is to say nothing of the rest of the Federal Alphabet Soup around here. FBI, NIH, NIMH, CIA, USPS (ok, privatized but still ...), USAF, USN, USCG, USMC, USA, USSS, etc...

Zeroconf is also available to Windows and Linux users.
.. you mean like LDAP for Apple enterprise users? I thought that was a "feature" of Cupertino's new, enterprise "ease-of-use" architecture.

Did you get any tips from NSA on that, tiny, little oversight??
0 Votes