Securing OS X 10.4: Tips from Apple and the NSA


Apple and the National Security Administration (NSA) have published a security guide for Mac OS 10.4 with key highlights on network administration, securing Safari and the importance of physical security.

As Jason O'Grady points out, the guide is helpful to anyone that works with a number of Macs. And the 171-page guide is also likely to become more relevant as Apple increasingly becomes a security target.

Among the key excerpts by chapter:

Chapter 1: Apple makes its case that 10.4 (Tiger) is more secure due to the operating system's design and architecture choices. Apple says 10.4 is more secure because it has:

  • An open source foundation. "Using open source methodology makes Mac OS X a more robust, secure operating system, because its core components have been subjected to peer review for decades."
  • Secure default settings. "When you take your Mac out of the box, it is securely configured to meet the needs of most common usage environments, so you don’t have to be a security expert to setup your computer. The default settings make it very difficult for malicious software to infect your computer."
  • Modern security architecture. "Mac OS X includes state-of-the-art, standards-based technologies that enable Apple and third-party developers to build secure software for the Mac. These technologies support all aspects of system, data, and networking security required by today’s applications."
  • Innovative security applications. "Mac OS X includes features that take the worry out of using a computer. For example, FileVault protects your documents using strong encryption, an integrated VPN client gives you secure access to networks over the Internet, and a powerful firewall secures your home network."
  • Rapid response. "Because the security of your computer is so important, Apple responds rapidly to provide patches and updates."

Chapter 2: Apple recommends a reinstall to make sure the computer is secure. "If Mac OS X was already installed on the computer, consider reinstalling it. By reinstalling Mac OS X, and reformatting the volume, you avoid potential vulnerabilities caused by previous installations or settings." A lot of time is spent on permissions and whether to use software updates externally over the Internet or via an internal server.

Chapter 3: The big takeaway in this chapter: Physical security matters--a lot.

"The first level of security is protection from unwanted physical access. If someone can physically access a computer, it becomes much easier to compromise the computer’s security. When someone has physical access to the computer, they can install malicious software or various event-tracking and data-capturing services. Use as many layers of physical protection as possible. Restrict access to rooms that contain computers that store or access sensitive information. Provide room access only to those who must use those computers. If possible, lock the computer in a locked or secure container when it is not in use, or bolt or fasten it to a wall or piece of furniture."

In addition: "Hardware components such as wireless features and microphones should be physically disabled if possible. Only an Apple Certified Technician should physically disable these components, which may not be practical in all circumstances."

Directions are then given on what to disable every time there's a system update. Meanwhile, OS 9 also lingers:

"When you upgrade from previous versions of Mac OS X to Mac OS X version 10.4, an adaptation of Mac OS 9, known as Classic, remains on the computer. If you perform a new installation of Mac OS X version 10.4 without upgrading, Mac OS 9 is not installed on the computer. It is possible to install Mac OS 9 on computers with a new installation of Mac OS X version 10.4. Mac OS 9 lacks many of the security features included with Mac OS X, so you should remove it unless you need it. If you must use Mac OS 9, you can run it from a CD or DVD, or from a disc image."

A walk-through of access warnings is also provided. In a nutshell, these warnings tell the user he is being monitored.


Chapter 4: Here Apple and the NSA talk about securing accounts. Among the tips:

"When creating non-administrator accounts, you should restrict the accounts so that they can only use what is operationally required. For example, if you plan to store all data on your local computer, you can disable the ability to burn DVDs."

"In addition to restricting the distribution of administrator accounts, you should also limit the use of administrator accounts. Each administrator should have two accounts: a standard account for daily use, and an administrator account for when administrator access is needed."

"The most powerful user account in Mac OS X is the system administrator, or root, account. By default the root account on Mac OS X is disabled and it is recommended you do not enable it...You should restrict access to the root account. If multiple users can log in as root, it is impossible to track which user performed root actions. Direct root login should not be allowed, because the logs cannot identify which administrator logged in. Instead, accounts with administrator privileges should be used for login, and then the sudo command used to perform actions as root."

There's also discussion about biometrics, tokens and smart cards.
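Chapter 4's case for sudo over direct root login rests on attribution in the logs. The following Python script is an added example, not taken from the guide or this article: it attributes root commands to the administrator who ran them and flags direct root logins, which carry no such attribution. The sample log lines are constructed, and their layout (sudo's syslog format, BSD `login` and `sshd` messages) is an assumption that may differ on a given system.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the guide or from a real host).
SAMPLE_LOG = """\
Mar  3 09:58:11 mac01 sudo:    alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/nvram -p
Mar  3 10:02:40 mac01 sudo:      bob : TTY=ttyp2 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/launchctl list
Mar  3 10:05:19 mac01 sudo:    carol : 3 incorrect password attempts ; TTY=ttyp3 ; PWD=/Users/carol ; USER=root ; COMMAND=/bin/sh
Mar  3 10:09:02 mac01 login: ROOT LOGIN (root) ON ttyp4
Mar  3 10:11:47 mac01 sshd[412]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Mar  3 10:12:30 mac01 sshd[415]: Accepted publickey for alice from 192.0.2.11 port 50130 ssh2
"""

# sudo logs "<invoking user> : key=value ; ... ; COMMAND=<command line>".
SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<body>.*)$")
# Sessions opened directly as root: console/tty login or SSH.
ROOT_LOGIN = re.compile(r"login: ROOT LOGIN|sshd\[\d+\]: Accepted \S+ for root ")


def audit(log_text):
    """Return (root commands per admin, users with failed sudo, direct root login lines)."""
    by_admin, failed, direct_root = defaultdict(list), [], []
    for line in log_text.splitlines():
        m = SUDO.search(line)
        if m:
            # COMMAND is always last and may itself contain " ; ", so split it off first.
            head, _, command = m["body"].partition("COMMAND=")
            fields = dict(f.split("=", 1) for f in head.split(" ; ") if "=" in f)
            if "incorrect password" in head:
                failed.append(m["user"])
            elif fields.get("USER") == "root":
                by_admin[m["user"]].append(command)
        elif ROOT_LOGIN.search(line):
            # No administrator name is recorded here: this is the accountability gap.
            direct_root.append(line)
    return dict(by_admin), failed, direct_root


if __name__ == "__main__":
    by_admin, failed, direct_root = audit(SAMPLE_LOG)
    for admin, commands in by_admin.items():
        print(f"{admin} ran as root: {commands}")
    print("failed sudo attempts by:", failed)
    print("direct root logins (unattributable):", len(direct_root))
```
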

Chapter 5: In this chapter there's discussion about how to secure System Preferences.

"System Preferences has many different configurable preferences within it that can be used to further enhance system security. Some of these configurations might be things to consider, depending on your organization. Mac OS X includes many system preferences that you can customize to improve security. When modifying settings for one account, make sure your settings are mirrored on all other accounts, unless there is an explicit need for different settings."

Among the tips:

  • If you must use .Mac, enable it only for user accounts that don’t have access to critical data. Do not enable .Mac for your administrator or root user accounts.
  • You should not enable iDisk Syncing.
  • You should also modify login options to disable the Restart, Sleep, and Shut Down buttons. By disabling these buttons, the user cannot restart the computer without pressing the power key or logging in.
  • The computer should not perform automatic actions when the user inserts CDs or DVDs. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer. This does not prevent users from re-enabling automatic actions. To prevent the user from re-enabling automatic actions, you must restrict the user’s account, so that the user cannot open System Preferences.

Chapter 6: This chapter examines the importance of data and secure erasing if a computer is stolen. Much of the discussion is best suited for qualified professionals.

Among the tidbits:

  • "By setting global permissions, encrypting home folders, and encrypting portable data, you can be sure your data is secure. Using the secure erase feature of Mac OS X, any deleted data is completely erased from the computer."
  • "To protect files that you want to transfer over a network or save to removable media, you should either encrypt a disk image or encrypt the individual files and folders. FileVault doesn’t protect files transmitted over the network or saved to removable media."
  • "Mac OS X provides several ways to securely erase files. You’ll have the choice of using one of three erase methods: a zero-out erase, a 7-pass erase, or a 35-pass erase. A zero-out erase sets all data bits on the disk to 0, while 7-pass and 35-pass use algorithms of varying complexity to overwrite the disk. The zero-out erase is the quickest. The 35-pass erase is the most secure, but it is also 35 times slower than the zero-out erase."

Chapter 7: This chapter covers network security.

Tips include:

  • "You should only send email that is digitally signed and encrypted. Digitally signed messages let your recipients verify your identity as the sender, and provide assurance that the message has not been tampered with in transit."
  • "In particular, you should change your Safari preferences to disable all AutoFill options, opening safe files after downloading cookies (only from sites you navigate to), and ask before sending nonsecure forms."
  • "When using Safari, you should always use private browsing. Private browsing prevents Safari from logging your actions, adding web pages to the history, keeping items in the Downloads window, saving information for AutoFill, and saving your Google searches."

There's also discussion of VPNs, firewalls and connection protocols. To close out the document, there's a checklist of all actions to secure OS 10.4 as well as daily best practices. Those best practices include all those password usage tips that IT users forget almost daily.


Talkback

  • Apple Rocks!

    whooohooo I'm #1!
    Reverend MacFellow
    • And I'm errrrrrr number 2...truer words sigh.

      Pagan jim....:)
      Laff
  • Password Assistant to the rescue

    Article states: "Those best practices include all those password usage tips that IT
    users forget almost daily."

    Apple's Password Assistant to the rescue. It's available from System Preferences,
    when you're changing or creating a password, and from the Keychain. It suggests
    and rates the strength of passwords using different algorithms. It's a great feature of
    OS X.
    YinToYourYang-22527499
    • Password security

      The server should enforce a minimum password strength no matter what the user wants to do. No matter what tools are available for "suggestions", NO ORGANIZATION should ever let its users (or even the OS) decide what a good password is.
      KTLA
      • or even the OS

        What does the server you want to enforce password strength run on? Smoke?
        frgough
  • I still don't think disabling prefs is foolproof

    I used to boot macs with something like command-opt-shift-delete to boot to the next device. On Open Firmware macs, you could also use command-option-o-f to boot to open firmware and with a little Forth knowledge and maybe a little experimentation, change the boot sequence to whatever you want.

    I have not fiddled with the new Intel macs so I don't know if they're any more secure. I'm not saying that Win-Tel is any better - if you have access to the box itself, there's all kinds of ways to get in.
    Clewin
    • Passwords?

      Dude, just set an Open Firmware password! Also, the Intel Macs have EFI, which
      doesn't have the Forth interpreter. You have to be logged in as an admin to change
      nvram properties.
      cmjrees
  • Do you know who has the best security ever?

    According to Steve Jobs logic - homeless.

    They secured their life so well, that they do not need even a lock, passwords, firewall, antivirus program, ... and nobody will touch their property, or will steal their data.

    It's sad to notice that a Mac is not yet so well secured as homeless - it still requires a password to enter ...

    I hope Steve Jobs will invent this type of security in Apple, starting with himself.

    The rest of the World will be so unfortunate to live in far less secure houses with Windows surrounded by dangerous Penguins with fresh cancers, lobsters, and other anti-Gates seafood that always want to eat any lunch in any Windowed house.

    Thus, according to Steve Jobs logic, if you are not iHomeless - your future is uncertain.
    Vily Clay
    • Yeah that's the ticket....

      You know I just clicked on the latest post not knowing it was U my friend but after
      reading a line or two I just knew it was you.....HAD to be Viley I said to myself and
      yup I was right. And of course you were wrong again some more still:P

      Pagan jim
      Laff
      • I am glad you agreed with me, Laff. Anything else on the topic? (NT)

        (NT)
        Vily Clay
      • But it was well written

        I did enjoy it.
        John Zern
        • He's almost always amusing.....

          Pagan jim
          Laff
          • It's good that you love to make a joke out of Jobs and Apple. (NT)

            (NT)
            Vily Clay
          • Dude what is your net worth?

            How have you led the computer and or technology industry? What company have
            you started with a buddy from scratch and made into a multi BILLION dollar
            behemoth? Then as a side .....you led a small little known company named PIXAR
            into the national spot light? I mean Viley for someone with such strong opinions
            you must have some cred to back said up so let's hear it! Or are you just blowing
            smoke?

            When you make an announcement about a new product how many headlines do
            you grab the next day?

            Pagan jim
            Laff
          • Laff, if you can't talk about the subject, can you talk for a reason? (NT)

            (NT)
            Vily Clay
    • Ah well

      It's a pity the assertion about the homeless is wrong. They get their identity stolen along with lots of other things a great deal more often than "regular people." So, I guess Jobs was wrong.

      Mind you, you seem to want him to become homeless, so how about trying it out yourself? Perhaps you could suggest to Bill Gates he try it too. Just so as it can be verified that it's the "secure" way to be.

      Erm, also, do you have a house in the sea, or have you watched certain Honda advertisements involving sea creatures too many times? After all, I think most people would find it rather bizarre (as in Timothy Leary weird) to find any house surrounded by penguins, cancers and a range of seafood (or sea life). Or is it normal for you (and perhaps your "rest of the world") to have such hallucinations? :P
      zkiwi
      • So you agreed that the homeless have the best security ...

        zkiwi wrote: "It's a pity the assertion about the homeless is wrong. They get their identity stolen along with lots of other things a great deal more often than "regular people." So, I guess Jobs was wrong."

        What the hell they need their identity if their security is the best? Maybe Steve Jobs? Do you see how insecure are others?

        zkiwi wrote: "Mind you, you seem to want him to become homeless, so how about trying it out yourself?"

        I do not need such strong security, maybe you?

        zkiwi wrote: "After all, I think most people would find it rather bizarre (as in Timothy Leary weird) to find any house surrounded by penguins, cancers and a range of seafood (or sea life). Or is it normal for you (and perhaps your "rest of the world") to have such hallucinations? :P"

        What made you think that seafood is not dangerous for Bill Gates? He fears the delivered by Penguins cancer even more than Steve Jobs.
        Vily Clay
        • I guess

          That you need to learn to read. I stated a fact; the homeless do not have the best security. If Jobs said that they had the best security, then he was wrong.

          On your second "point", seeing as Apple/Jobs has pretty much based OS X on a BSD foundation, I would conclude that he doesn't fear anything like a "penguin."

          Also, I thought that you could write better than you have. Are you falling into a LoveRock or No_Ax frothing at the keyboard mode?
          zkiwi
          • Are you serious? If yes- well, I'll take you seriously. Are you ready? (NT)

            (NT)
            Vily Clay
          • Serious?

            Yes. I'm surprised you'd read me any other way.

            Please note, just because "authority x" (which in the case you present, Jobs), says something, it doesn't make it so.
            zkiwi