osx ml tt security

Upload: liscoski

Post on 02-Jun-2018


    8/11/2019 Osx Ml Tt Security

    1/91

    © 2013 Apple Inc. All rights reserved.

    Apple, the Apple logo, AirPort, Bonjour, FileVault, Finder, FireWire, Mac, MacBook, MacBook Air, Mac OS, OS X, and Safari are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop and AirDrop are trademarks of Apple Inc.

    The absence of an Apple product or service name or logo from this page does not constitute a waiver of Apple's trademark or other intellectual property rights concerning that name or logo.

    Intel is a trademark of Intel Corp. in the U.S. and other countries.

    IOS is a trademark or registered trademark of Cisco in the U.S. and other countries and is used under license.

    Java is a registered trademark of Oracle and/or its affiliates.

    UNIX is a registered trademark of The Open Group.

    OS X version 10.8 is an Open Brand UNIX 03 Registered Product.

    Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products. All understandings, agreements, or warranties, if any, take place directly between the vendors and the prospective users. Every effort has been made to ensure that the information in this document is accurate. Apple is not responsible for printing or clerical errors.

    July 11, 2013

    This document is intended for Apple internal and channel audiences, and is for training purposes only.


    Table of Contents

    Introduction 1
        About this series 1
        Security overview 1
        About this document 3
    1 Device Security 4
        Securing the hardware 4
        Securing system startup 5
        Locking the device 6
    2 Platform Security 9
        Protecting the system 9
        Securing system access 11
    3 Data Security 42
        Encrypting data 42
        Securely erasing data 53
    4 Network Security 57
        Securing Sharing preferences 57
        Making secure connections 76
        Exchanging data securely 78
    Resources 88
        Security website 88
        Security configuration guides 88
        Security updates 88
        Technical white papers 88
        Support resources 88

    © 2013 Apple Inc. Apple confidential, for internal and channel use only. iii


    Introduction

    About this series

    This guide is one of a four-part series designed to help IT professionals who are evaluating and deploying OS X on Mac computers in commercial and government organizations. The other guides in the series are:

    OS X Technical Training: Integration
    OS X Technical Training: Deployment
    OS X Technical Training: Management

    Security overview

    A security strategy is fundamentally about managing risk. With OS X, a security strategy is implemented that's central to the design of the operating system. To enhance security on your computer, OS X provides the following features:

    Modern security architecture: OS X includes state-of-the-art, standards-based technologies that enable Apple and third-party developers to build secure software for Mac. These technologies support all aspects of system, data, and networking security required by today's applications.

    Secure default settings: When you take your Mac out of the box, it's securely configured to meet the needs of most common environments, so you don't need to be a security expert to set up your computer. The default settings make it very difficult for malicious software to infect your computer. You can further configure security on the computer to meet organizational or user requirements.

    Innovative security applications: OS X includes features that take the worry out of using a computer. For example, FileVault protects your documents by using strong encryption, an integrated VPN client gives you secure access to networks over the Internet, and a powerful firewall secures your home network.

    Open source foundation: Open source methodology makes OS X a robust, secure operating system, because its core components have been subjected to peer review for decades. Problems can be quickly identified and fixed by Apple and the larger open source community.

    OS X Technical Training: Security

    © 2013 Apple Inc. Apple confidential, for internal and channel use only. 1


    Layered security defense

    OS X security is built on a layered defense for maximum protection. Security features such as the following provide solutions for securing data at all levels, from the operating system and applications to networks and the Internet.

    Secure worldwide communication: Firewall and mail filtering help prevent malicious software from compromising your computer.

    Secure applications: Encrypted disk images and FileVault 2 help prevent intruders from viewing data on your computer.

    Secure network protocols: Secure Sockets Layer (SSL) is a protocol that helps prevent intruders from viewing information exchanged across a network; Kerberos secures the authentication process; and a firewall prevents unauthorized access to a computer or network.

    Security services: Authentication using keychains, together with Portable Operating System Interface (POSIX) and access control list (ACL) permissions, helps prevent intruders from using your applications and accessing your files.

    Secure boot and lock down: Firmware Password Utility helps prevent people who can access your hardware from gaining root-level access permissions to your computer files.


    About this document

    This document organizes these layers and technologies into the following chapters:

    Device security
    This chapter focuses on techniques and technologies that protect the device itself, including:

    Securing the hardware with the security slot
    Securing system startup with an EFI firmware password
    Locking the Mac with the User Portal and Profile Manager in OS X Server

    Platform security
    This chapter focuses on techniques and technologies that protect the operating system, including:

    Protecting the system: UNIX infrastructure, security framework, signed applications, mandatory access controls, sandboxing, Gatekeeper, enhanced quarantining, memory and runtime protection
    Securing system access: Permissions, accounts, passwords, restrictions, certificates and keychains, and system preferences

    Data security
    This chapter focuses on techniques and technologies that protect data stored at rest on the Mac, including:

    Encrypting data using cryptography, encrypted disk images, encrypted PDFs, encrypted Time Machine backups, and FileVault
    Securely erasing data using Finder, Disk Utility, and the User Portal and Profile Manager in OS X Server

    Network security
    This chapter focuses on techniques and technologies that protect the data transmitted between devices, including:

    Securing network access: Sharing services, Bonjour, AirDrop, firewalls, 802.1X
    Making secure connections: SSL/TLS, VPN
    Exchanging data securely: Mail, web, Messages

    Important: This document is intended for use by security professionals in sensitive environments. Techniques and settings in this document affect system functionality and may not be appropriate for every user or environment.


    1 Device Security

    The first layer is device security. Device security refers to built-in features and technologies that help protect the Mac hardware, including securing the hardware and system startup and locking the device.

    Securing the hardware

    Perhaps the most fundamental level of security is protection from unwanted physical access. Someone who physically accesses your computer can compromise the computer's security and install malicious software or event-tracking and data-capturing services.

    Use as many layers of physical protection as possible. Restrict access to rooms that contain computers that store or access sensitive information. If possible, lock the computer in a locked or secure container when it isn't in use, and bolt or fasten it to a wall or piece of furniture.

    The hard disk is the most critical hardware component in your computer. Someone who removes your hard disk and installs it in another computer can bypass safeguards you set up. Lock or secure the computer's internal hardware.

    If you have a portable computer, keep it secure. Consider buying a computer bag with a locking mechanism and lock the computer in the bag when you aren't using it.

    Security slot

    Many of Apple's desktop and portable computers include a security slot, also known as a Kensington Security Slot, a K-Slot, or Kensington lock. Special locks with a key or combination lock attached to a rubberized metal cable are inserted into the security slot. The end of the cable has a small loop so you can wrap the cable around a stationary object, such as a heavy table, to secure it in place.

    Models with security slots    Models without security slots
    Mac Pro                       Mac mini
    MacBook Pro                   MacBook Air
    iMac                          MacBook Pro with Retina display


    Securing system startup

    Firmware passwords

    All computers have firmware to control low-level hardware. A firmware password can be added to the boot process so the computer restricts access to data stored on it. As with BIOS passwords, firmware passwords in Mac computers are fairly simple to reset and don't provide any encryption on the boot volume.

    EFI

    Mac computers with Intel processors use Extensible Firmware Interface (EFI) to control low-level hardware. EFI is the hardware base layer for Intel-based Mac computers that contains the link between the hardware and the operating system.

    EFI manages which partition or disk to load OS X from and whether a user can enter single-user mode. Single-user mode logs the user in as root, which is dangerous because root user access is the most powerful level of access, and actions performed as root are anonymous. If you create an EFI password, you prevent users from accessing single-user mode, loading unapproved partitions or disks, and enabling target disk mode at startup.

    Using the Firmware Password Utility

    Intel-based computers can use the Firmware Password Utility to password-protect the hardware layer. The OS X Recovery HD includes the Firmware Password Utility, which you can use to enable an EFI password.

    To use the Firmware Password Utility:

    1. Restart your computer from the Recovery HD.

    2. Choose Firmware Password Utility from the Utilities menu.

    3. Click Turn On Firmware Password.

    4. In the Password and Verify fields, enter a new EFI password and click OK.

    5. Close the Firmware Password Utility.

    You can test your settings by attempting to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window opens, changes made by the Firmware Password Utility were successful.

    After creating an EFI password, you must enter this password when you start the computer from an alternate disk (in situations such as hard disk failure or file system repair).

    WARNING: EFI settings are critical. Be careful when modifying EFI settings and when creating a secure firmware password.

    Resetting and bypassing EFI passwords

    EFI passwords shouldn't be considered a replacement for full disk encryption. EFI passwords can be reverse engineered on older systems, so they shouldn't be the same as any other passwords in use in the environment (for example, a local administrative password).

    This doesn't mean EFI passwords don't have a place in your organization's security plan. You can use the nvram command to set an EFI password, but doing so involves using a complex algorithm to translate the password into an easily reversible form. On newer Intel-based Mac computers, the only way to bypass an EFI password is to take the computer to an Apple Store or Apple Authorized Service Provider.


    Locking the device

    Profile Manager

    Profile Manager is a service included with OS X Server that makes it easy for departments to configure computers running OS X (v10.7 or later) and iOS devices so they're set up to use company or school resources and have the settings the organization requires.

    Profile Manager consists of three parts that work together so organizations can specify how client computers are configured, how to manage devices, and how to deliver configurations to users and devices.

    Web-based administration tool

    IT administrators can use the Profile Manager web app to configure settings for devices, manage enrolled devices and device groups, and execute or monitor tasks on enrolled devices.

    Self-service user portal

    Profile Manager's user portal is an easy-to-use, secure website for distributing settings IT administrators defined with the administration tool. Users connect to the web-based portal from their device. After they log in, the settings that the IT administrators assigned to them are available for download and installation. Users also use this site to enroll devices for Mobile Device Management if the organization is using Profile Manager as an MDM server.

    Mobile Device Management server

    Profile Manager provides an MDM server so that IT administrators can remotely manage enrolled computers running OS X Mountain Lion and iOS devices. After a device is enrolled with Profile Manager, IT administrators can update the configuration over the network without user interaction, as well as execute tasks such as reporting or locking and wiping the device.

    For more information about enrolling devices with Profile Manager, see OS X Technical Training: Management.

    Locking a device with the User Portal

    After you have enrolled a device with Profile Manager, the user responsible for it can perform basic security tasks. The most basic is a remote lock, helpful when a device is misplaced or stolen.

    To remotely lock a device with the User Portal:

    1. Open a web browser and navigate to https://yourserver/profilemanager (where yourserver is the name or IP address of your server running the Profile Manager service).

    2. Authenticate as the user who enrolled the device.

    The Devices tab shows enrolled devices.

    3. Click Lock for the device you want to lock.


    4. Enter a passcode when prompted.

    When you lock a Mac with OS X (v10.7 or later), it immediately reboots to a PIN pad. Only the PIN you created in the User Portal can unlock it.

    Administrators can make sure the device is locked in Profile Manager.

    Locking a device with Profile Manager

    The Profile Manager portal lets administrators perform security tasks on remote devices.

    To remotely lock a device with Profile Manager:

    1. Open Server from the Applications folder.

    2. Choose Profile Manager from the Services list.

    3. Click Open Profile Manager in the lower-left corner of the Profile Manager area.

    4. Authenticate with administrator credentials.

    5. Choose Devices or Device Groups from the Library.

    6. Choose the device or device group you want to lock.


    7. Click the Action pop-up menu (the gear button) in the device or device group pane.

    8. Choose Lock.

    9. Enter a lock passcode that can be used to unlock the device.

    10. Click Lock.

    11. When you lock a Mac with OS X (v10.7 or later), it immediately reboots to a PIN pad. Only the PIN you created in Profile Manager can unlock it.

    12. Confirm that the lock has been completed in the Completed Tasks section of Profile Manager.


    2 Platform Security

    The second layer is platform security. Platform security refers to built-in features and technologies that help protect the operating system. This section describes how to protect the system and secure access to the system.

    Protecting the system

    OS X security services are built on two open source standards:

    Berkeley Software Distribution (BSD) is a form of UNIX that provides fundamental services, including the OS X file system and file access permissions.

    Common Data Security Architecture (CDSA) provides an array of security services, including more specific access permissions, authentication of user identities, encryption, and secure data storage.

    Many of the security features and technologies built into OS X work in the background, without user intervention.

    UNIX infrastructure

    The OS X kernel, the heart of the operating system, is built from BSD and Mach. BSD provides a user and group identification scheme and enforces access restrictions to files and system resources based on user and group IDs. Mach provides access by controlling which tasks can send a message to a Mach port. BSD security policies and Mach access permissions are an essential part of security in OS X and are critical to enforcing local security.

    Security framework

    The security framework in OS X is an implementation of the Common Data Security Architecture (CDSA). It contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys. It also contains libraries that allow the interpretation of X.509 certificates.

    The CDSA code is used by OS X features such as Keychain and URL access for protection of login data.

    Signed applications

    Applications shipped with OS X are signed by Apple so your Mac can verify the identity and integrity of the apps. Third-party software developers can also sign their software for the Mac, such as apps on the Mac App Store. Application signing integrates with several other features to enhance security.

    Features such as parental controls, managed preferences, Keychain, and the firewall use application signing to make sure that the applications they work with are the correct, unmodified versions.

    With Keychain, signing dramatically reduces the number of Keychain dialogs presented to users because the system can validate the integrity of applications that use Keychain. For parental controls and managed preferences, the system uses signatures to verify that an application runs unmodified.


    The application firewall uses signatures to identify and verify the integrity of applications that are granted network access. For parental controls and the firewall, unsigned applications are signed by the system on an ad hoc basis to identify them and verify that they remain unmodified.

    Mandatory access controls

    OS X uses access control policies known as mandatory access controls. These policies set security restrictions created by the developer. Unlike discretionary controls, mandatory access controls can't be overridden.

    Mandatory access controls in OS X aren't visible; they're the underlying technology that helps enable several important features, including sandboxing and a safety net feature for Time Machine.

    Mandatory access controls are integrated with the exec system service to prevent the execution of unauthorized applications. This is the basis for application controls in parental controls in OS X and managed preferences in OS X Server.

    In the case of sandboxing, mandatory access controls restrict access to system resources as determined by a special sandboxing profile provided for each sandboxed application. This means that even processes running as root can have extremely limited access to system resources.

    Time Machine is a good example of the difference between mandatory access controls and the user privilege model: it allows files within Time Machine backups to be deleted only by programs related to Time Machine. From the command line, no user, not even one logged in as root, can delete files in a Time Machine backup. Time Machine uses this strict policy because it utilizes file system features in OS X. The policy prevents corruption in the backup directory by preventing tools that may not consider the new file system features from deleting files from backups.

    Sandboxing

    Sandboxing helps ensure that applications do only what they're intended to do by placing controls on applications to restrict what files and networks they can access and whether the applications can be used to start other applications.

    Apps purchased from the Mac App Store are sandboxed. In OS X, many of the system's helper applications that normally communicate with the network, such as mDNSResponder (Bonjour's underlying software) and the Kerberos KDC, are sandboxed to guard against abuse by attackers trying to access the system.

    In addition, other programs that routinely take untrusted input (for instance, arbitrary files or network connections), such as the Quick Look and Spotlight background daemons, are sandboxed.

    Enhanced quarantining

    Applications that download files from the Internet or receive files from external sources (such as mail attachments) can use the quarantine feature to provide a first line of defense against malicious software such as Trojan horses. When an application receives an unknown file, it adds metadata (quarantine attributes) to the file using functions found in Launch Services.

    Files downloaded using Safari, Mail, and Messages are tagged with metadata indicating that they are downloaded files, including the URL, date, and time of the download. This metadata is propagated from archive files that are downloaded (such as ZIP or DMG files) so that any file extracted from an archive is also tagged with the same information. This metadata is used by the download inspector to prevent dangerous file types from being opened unexpectedly.


    The first time you try to run an application that has been downloaded, Download Inspector inspects the file, prompts you with a warning asking whether you want to run the application, and displays information on the date, time, and location of the download.

    You can continue to open the application or cancel the attempt, which is appropriate if you don't recognize or trust the application. The file and its contents are also inspected for malicious software (malware). If malware is detected, a dialog appears with the name of the malware threat contained in the file. It warns the user to move the file to the Trash or eject the image and delete the source file to prevent damage to the computer. Malware patterns are continually updated through software updates.
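The quarantine metadata described above can be read back from a file's extended attributes. The following Python helper is an added example, not code from this guide or from Apple: it decodes a constructed `com.apple.quarantine` value (hex flags, hex timestamp, tagging agent, event UUID) and the sibling `com.apple.metadata:kMDItemWhereFroms` attribute, a binary plist that holds the download and referrer URLs. The attribute names are real; the sample values and the `describe_download` helper are assumptions made for this example.

```python
import plistlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical helper (not Apple code) that decodes the two extended
# attributes OS X writes on a downloaded file. The attribute names are
# the real ones; every sample value below is constructed for this example.
QUARANTINE_ATTR = "com.apple.quarantine"
WHEREFROMS_ATTR = "com.apple.metadata:kMDItemWhereFroms"


@dataclass
class QuarantineInfo:
    flags: int                          # quarantine flag bits, kept raw
    downloaded_at: Optional[datetime]   # UTC, or None if the field is unusable
    agent: str                          # application that tagged the file
    event_id: str                       # UUID of the download event ("" if absent)


def parse_quarantine(value: bytes) -> QuarantineInfo:
    """Parse a com.apple.quarantine value of the form 'flags;timestamp;agent;uuid'.

    flags and timestamp are hexadecimal; timestamp is seconds since the Unix
    epoch. Some writers omit the trailing UUID, so three fields are accepted;
    fewer than three is treated as malformed.
    """
    fields = value.decode("utf-8", errors="replace").strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    try:
        flags = int(fields[0], 16)
    except ValueError as exc:
        raise ValueError(f"bad flags field: {fields[0]!r}") from exc
    downloaded_at: Optional[datetime] = None
    if fields[1]:
        try:
            downloaded_at = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            downloaded_at = None  # corrupted timestamp: report as unknown, keep the rest
    event_id = fields[3] if len(fields) > 3 else ""
    return QuarantineInfo(flags, downloaded_at, fields[2], event_id)


def parse_wherefroms(value: bytes) -> List[str]:
    """kMDItemWhereFroms is a binary plist array, typically [download URL, referrer]."""
    data = plistlib.loads(value)
    if not isinstance(data, list):
        raise ValueError("kMDItemWhereFroms is not a plist array")
    return [str(url) for url in data]


def describe_download(xattrs: dict) -> dict:
    """Summarise the download provenance recorded in a file's extended attributes."""
    summary = {"quarantined": QUARANTINE_ATTR in xattrs, "urls": []}
    if summary["quarantined"]:
        info = parse_quarantine(xattrs[QUARANTINE_ATTR])
        summary["agent"] = info.agent
        summary["downloaded_at"] = info.downloaded_at.isoformat() if info.downloaded_at else None
    if WHEREFROMS_ATTR in xattrs:
        summary["urls"] = parse_wherefroms(xattrs[WHEREFROMS_ATTR])
    return summary


# Constructed sample: what the two attributes might look like on a file saved by Safari.
SAMPLE_XATTRS = {
    QUARANTINE_ATTR: b"0081;5ea4f2c0;Safari;A1B2C3D4-0000-4000-8000-000000000000",
    WHEREFROMS_ATTR: plistlib.dumps(
        ["https://example.com/files/tool.dmg", "https://example.com/downloads"],
        fmt=plistlib.FMT_BINARY,
    ),
}

if __name__ == "__main__":
    print(describe_download(SAMPLE_XATTRS))
```

On a Mac the raw values can be read with the xattr command; a file that carries no quarantine attribute is one that Download Inspector will not check, which is why parsers should treat its absence as a signal rather than an error.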

    Memory and runtime protection

    OS X running on a 64-bit chip supports memory and executable protection. Memory and executable protection prevent specific types of malicious software from exploiting the memory allocation or execution methods to force a processor to execute arbitrary code from another process's memory area.

    OS X has the following 64-bit protection features: no-execute stack, no-execute data, and no-execute heap. In OS X, no-execute stack is available for 32- and 64-bit applications. For 64-bit processes, OS X provides protection from code execution in both heap and stack data areas.

    OS X also has Library Randomization, which uses shifting memory locations for operating system processes each time the system starts up. Because an attacker can't depend on key system processes running in known memory locations, it's difficult to compromise the operating system.

    OS X also has process sandboxing, which is a way of restricting what kinds of activities an application can perform.

    Gatekeeper

    Gatekeeper is a feature in OS X Mountain Lion that works with the quarantining system and application signatures to prevent applications from unknown sources from running. By default, signed applications from the Mac App Store and from registered developers are allowed to run without warning. Any unsigned application from an unknown developer won't be allowed to run without intervention from the user. This additional layer of notification prevents the casual use of untrusted applications.

    Gatekeeper settings can be set in the Security & Privacy pane of System Preferences or in configuration profiles. Additional security policies can be managed from the command line using the spctl tool.

    Securing system access

    In addition to the security services that run in the background, OS X also includes several features and technologies that users can modify to enhance the security of the system. In this section, you'll learn about ways to secure access to the system using permissions, passwords, restrictions, and System Preferences.

    Authorization versus authentication

    Authorization is the process by which an entity, such as a user or a computer, obtains the right to perform a restricted operation. Authorization can also refer to the right itself, as in "Anne has the authorization to run that program." Authorization usually involves authenticating the entity and then determining whether it has the correct permissions.


    Authentication is the process by which an entity (such as the user) demonstrates that they are who they say they are. For example, the user enters a password that only he or she could know, which allows the system to authenticate that user. Authentication is normally a step in the authorization process. Some applications and operating system components perform their own authentication. Authentication might use authorization services when necessary.

    Understanding the AuthPlugin architecture

    AuthPlugins are used to control access to a service or application. Preinstalled AuthPlugins for OS X are located in the /System/Library/CoreServices/SecurityAgentPlugins/ folder. These plug-ins (and their associated rules and authorization rights for users) are defined in the /etc/authorization database, and are queried by the Security Server.

    When an application requests authorization rights from the Security Server, the Security Server checks the rights database (/etc/authorization) to determine how to authenticate.

    If necessary, the Security Server requests user interaction through the Security Agent. The Security Agent then prompts the user to authenticate through the use of a password, smart card, or biometric reader. Then the Security Agent sends the authentication information back to the Security Server, which passes it back to the application.

    The following graphic shows the workflow of the Security Server:

    Access permissions

    An important aspect of computer security is the granting or denying of access permissions (sometimes called access rights). A permission is the ability to perform a specific operation, such as gaining access to data or executing code.

    Permissions are granted at the folder, subfolder, file, and application level. Permissions are also granted for specific data in files or application functions.

    Permissions in OS X are controlled at many levels, from the Mach and BSD components of the kernel through higher levels of the operating system, and, for networked applications, through network protocols.

    You protect files and folders by setting permissions that restrict or allow users to access them. OS X supports two methods of setting file and folder permissions:

    Portable Operating System Interface (POSIX) permissions: Standard for UNIX operating systems


    Access Control Lists (ACLs) permissions Used by OS X, and compatible with MicrosoftWindows Server 2003, Microsoft Windows XP, and newer

    ACLs use POSIX when verifying file and folder permissions. The process ACLs uses to determine ifan action is allowed or denied includes verification rules called access control entries ( ACEs). If noACEs apply, standard POSIX permissions determine access.

    Note : In this guide, the term privileges refers to the combination of ownership and permissions,but the term permissions refers only to the permission settings that each user category canhave (Read & Write, Read Only, Write Only, and None).

POSIX permissions

OS X bases file permissions on POSIX standard permissions such as file ownership and access. You can assign four types of standard POSIX access permissions to a share point, folder, or file: Read & Write, Read Only, Write Only, and None.

    You can assign standard POSIX access permissions to these categories of users:

• Owner: A user who creates an item (file or folder) on the computer is its owner and has Read & Write permissions for that item. By default, the owner of an item and the administrator can change the item's access privileges (allow a group or everyone to use the item). The administrator can also transfer ownership of the shared item to another user.

• Group: You can put users who need the same access to files and folders into group accounts. Only one group can be assigned access permissions to a shared item.

• Everyone: This is any registered user or guest who can log in to the file server.

In the Finder, Control-click a file and choose Get Info. Click the Sharing & Permissions disclosure triangle to view POSIX permissions.

You can also use the command line to view and modify permissions using chown and chmod. For more information, see the man pages for those commands.

ACL permissions

For greater flexibility in configuring and managing file permissions, OS X implements ACLs. An ACL is an ordered list of rules called access control entries (ACEs) that control file permissions. Each ACE contains the following components:

• User: owner, group, and other

• Action: read, write, or execute

• Permission: allow or deny the action

The rules specify the permissions to be granted or denied to a group or user and control how the permissions are propagated through a folder hierarchy.

ACLs in OS X let you set file and folder access permissions for multiple users and groups, in addition to standard POSIX permissions. This makes it easy to set up collaborative environments with smooth file sharing and uninterrupted workflows without compromising security.

To determine if an action is allowed or denied, ACEs are evaluated in order. The first ACE that applies to a user and an action determines the permission, and no further ACEs are assessed. If no ACEs apply, standard POSIX permissions determine access.

You can set ACL permissions for files. The chmod command enables an administrator to grant read, write, and execute privileges to specific users for a single file.
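The evaluation order described above (the first ACE that applies to both the user and the action decides; only when no ACE applies do the POSIX bits decide) is easy to get wrong when reasoning about who can reach a file, so here is an added Python model of it. This is example code written for this page, not Apple's implementation or the kernel's actual ACL code: the `user:NAME` / `group:NAME` principal notation, the action names, and the sample file with its users alice, bob, carol and dave are all constructed for the example.

```python
"""Model of the OS X file-access decision described above: ACEs are walked in
order, the first ACE that applies to both the user and the requested action
decides, and only when no ACE applies do POSIX mode bits decide.
Added example for this page; not Apple's implementation."""
import stat
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry. `principal` is 'user:NAME' or 'group:NAME',
    a notation constructed for this example (chmod's own syntax differs)."""
    principal: str
    allow: bool
    actions: FrozenSet[str]  # subset of {"read", "write", "execute"}


@dataclass(frozen=True)
class FileSecurity:
    owner: str
    group: str
    mode: int                  # POSIX permission bits, e.g. 0o640
    acl: Tuple[ACE, ...] = ()  # ordered ACEs; () means "no ACL"


# POSIX bit for each action, per user class: (owner, group, everyone).
_BITS = {
    "read":    (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write":   (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def posix_allows(sec: FileSecurity, user: str, groups: FrozenSet[str], action: str) -> bool:
    """Standard POSIX check: exactly one user class applies, tried in this
    order: owner, then group member, then everyone."""
    owner_bit, group_bit, other_bit = _BITS[action]
    if user == sec.owner:
        return bool(sec.mode & owner_bit)
    if sec.group in groups:
        return bool(sec.mode & group_bit)
    return bool(sec.mode & other_bit)


def _ace_applies(ace: ACE, user: str, groups: FrozenSet[str]) -> bool:
    kind, _, name = ace.principal.partition(":")
    if kind == "user":
        return name == user
    if kind == "group":
        return name in groups
    raise ValueError(f"unknown principal kind in {ace.principal!r}")


def acl_decision(sec: FileSecurity, user: str, groups: FrozenSet[str],
                 action: str) -> Optional[bool]:
    """Return the allow/deny of the first ACE that covers this user and action,
    or None when no ACE applies (so POSIX must decide)."""
    for ace in sec.acl:
        if action in ace.actions and _ace_applies(ace, user, groups):
            return ace.allow
    return None


def is_allowed(sec: FileSecurity, user: str, groups: FrozenSet[str], action: str) -> bool:
    decision = acl_decision(sec, user, groups, action)
    return decision if decision is not None else posix_allows(sec, user, groups, action)


# Constructed sample: a file owned by alice, group staff, mode rw-r----- (0o640),
# with an ACL that grants bob read and write, then denies write to group staff.
REPORT = FileSecurity(
    owner="alice", group="staff", mode=0o640,
    acl=(
        ACE("user:bob", allow=True, actions=frozenset({"read", "write"})),
        ACE("group:staff", allow=False, actions=frozenset({"write"})),
    ),
)


def demo() -> dict:
    """Who can do what to REPORT, and why (see the comment on each line)."""
    staff = frozenset({"staff"})
    return {
        "bob write":   is_allowed(REPORT, "bob", staff, "write"),        # ACE 1 allows; ACE 2 never reached
        "carol write": is_allowed(REPORT, "carol", staff, "write"),      # ACE 1 skipped, ACE 2 denies
        "carol read":  is_allowed(REPORT, "carol", staff, "read"),       # no ACE covers read: POSIX group r bit
        "alice write": is_allowed(REPORT, "alice", staff, "write"),      # deny ACE wins over the owner's w bit
        "dave read":   is_allowed(REPORT, "dave", frozenset(), "read"),  # no ACE; POSIX 'everyone' has no r bit
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} -> {'allow' if ok else 'deny'}")
```

The "alice write" case is the one worth remembering: alice owns the file and her POSIX bits say rw, but because she is in staff and the deny ACE is reached before POSIX is consulted, she is refused. On a real Mac, ls -le prints a file's ACEs in order beneath its POSIX line, which is exactly the list this model walks.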


Service access control lists

You can further secure sharing services by allowing access only to users you specify in service access control lists (SACLs). You can create user accounts for sharing based on existing user accounts on the system, and for entries in your address book.

Securing user home folders

To secure user home folders, change the permissions of each user's home folder so the folder isn't world-readable or world-searchable.

Permissions on the home folder of a user account allow other users to browse the folder's contents. However, users might inadvertently save sensitive files to their home folder, instead of into the more-protected ~/Documents or ~/Desktop folders.

The ~/Public and ~/Public/Drop Box folders in each home folder may require world-readable or world-writeable permissions if File Sharing or Web Sharing is enabled. If these services aren't in use, permissions on these folders can be safely changed to prevent other users from browsing or writing to their contents.
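As an added example (not Apple's code), the following Python audits a home folder for the world bits the paragraphs above warn about and clears them, treating Public and Public/Drop Box as exceptions only while sharing services are on. The sample home folder, its subfolders, and the user name jfoster are constructed inside a scratch directory so the script runs anywhere; it assumes a Unix-style home layout and changes only the "other" (everyone) permission bits.

```python
"""Audit a home folder for the world-readable/world-searchable bits discussed
above and clear them. Added example, not Apple's code; it assumes a Unix-style
home folder with optional Public and Public/Drop Box subfolders, and changes
only the 'other' (everyone) permission bits."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
WORLD_READ_OR_SEARCH = stat.S_IROTH | stat.S_IXOTH

# Folders whose world bits are legitimate only while File Sharing or Web Sharing is on.
SHARING_FOLDERS = ("Public", os.path.join("Public", "Drop Box"))


def world_bits(path: str) -> int:
    """The 'other' permission bits of path (0 when there is no world access at all)."""
    return os.stat(path).st_mode & WORLD_BITS


def audit_home(home: str, sharing_enabled: bool = False) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs. The home folder itself must never be
    world-readable or world-searchable; Public and Drop Box may keep world
    bits only while sharing services are in use."""
    findings = []
    if world_bits(home) & WORLD_READ_OR_SEARCH:
        findings.append((home, "home folder is world-readable or world-searchable"))
    if not sharing_enabled:
        for rel in SHARING_FOLDERS:
            path = os.path.join(home, rel)
            if os.path.isdir(path) and world_bits(path):
                findings.append((path, "world-accessible although sharing is off"))
    return findings


def harden_home(home: str, sharing_enabled: bool = False) -> None:
    """Clear the world bits on the home folder (and on Public/Drop Box when
    sharing is off); owner and group bits are left exactly as they were."""
    targets = [home] + ([] if sharing_enabled else
                        [os.path.join(home, rel) for rel in SHARING_FOLDERS])
    for path in targets:
        if os.path.isdir(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, mode & ~WORLD_BITS)


def build_sample_home(base: str) -> str:
    """Constructed home folder 'jfoster' with the loose permissions a default
    setup can carry (home 755, Public 755, Drop Box 733), so the audit finds something."""
    home = os.path.join(base, "jfoster")
    os.makedirs(os.path.join(home, "Public", "Drop Box"))
    os.chmod(home, 0o755)
    os.chmod(os.path.join(home, "Public"), 0o755)
    os.chmod(os.path.join(home, "Public", "Drop Box"), 0o733)
    return home


def run_demo() -> Dict[str, int]:
    """Build the sample home in a scratch directory, audit it, harden it, re-audit."""
    with tempfile.TemporaryDirectory() as base:
        home = build_sample_home(base)
        before = len(audit_home(home))
        before_with_sharing = len(audit_home(home, sharing_enabled=True))
        harden_home(home)
        after = len(audit_home(home))
    return {"before": before, "before_with_sharing": before_with_sharing, "after": after}


if __name__ == "__main__":
    print(run_demo())  # {'before': 3, 'before_with_sharing': 1, 'after': 0}
```

The audit deliberately reports three findings on the sample (home, Public, Drop Box) but only one when told that sharing is enabled, which is the distinction the text draws. On a Mac the equivalent manual fix for the home folder alone is chmod o-rx on it; note that because every OS X user is also in the staff group, the group bits deserve the same review, which this example leaves to the administrator.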

In OS X, all users are members of the staff group, not of a group that has the same name as their user name.

Securing accounts

To secure user accounts, you need to determine how accounts are used and set the level of access for users.

When you define a user's account, you specify the information to prove the user's identity, such as user name, authentication method (password, digital token, smart card, or biometric reader), and user identification number (user ID). Other information in a user's account is needed by various services to determine what the user is authorized to do and to personalize the user's environment.

Types of user accounts

When you log in to OS X, you use a nonadministrator or administrator account. The main difference between the two types is that OS X provides safety mechanisms to prevent nonadministrator users from editing key preferences, or performing actions critical to computer security. Administrator users aren't as limited as nonadministrator users.

You can further define nonadministrator and administrator accounts by specifying additional user privileges or restrictions.

    The following table shows the access provided to user accounts.

User account: User access

Guest (nonadministrator): Restricted user access (disabled by default)

Standard (nonadministrator): Nonprivileged user access

Managed (nonadministrator): Restricted user access

Administrator: Full computer configuration administration

System administrator (root): Unrestricted access to the computer


Always log in as a nonadministrator user unless you need administrator access for specific system maintenance tasks that can't be accomplished by authenticating with the administrator's account while logged in as a normal user. Log out of the administrator account when you aren't using the computer as an administrator.

If you're logged in as an administrator, you're granted privileges and abilities that you might not need. For example, you can potentially modify system preferences without being required to authenticate, and bypass a security safeguard that prevents malicious or accidental modification of system preferences.

Guidelines for creating accounts

When you create user accounts, follow these guidelines:

• Never create accounts that are shared by several users. Each user should have his or her own standard or managed account.

Individual accounts are necessary to maintain accountability. System logs can track activities for each user account, but if several users share the same account, it's difficult to track which user performed an activity.

• Each user needing administrator access should have an administrator account in addition to a standard or managed account.

Administrator users should only use their administrator accounts for administrator purposes. By requiring an administrator to have a personal account for typical use and an administrator account for administrator purposes, you reduce the risk of an administrator performing actions like accidentally reconfiguring secure system preferences.

Defining user IDs

A user ID is a number that uniquely identifies a user. OS X computers use the user ID to track a user's folder and file ownership. When a user creates a folder or file, the user ID is stored as the creator ID. A user with that user ID has read and write permissions to the folder or file by default.

The user ID is a unique string of digits between 500 and 2,147,483,648. New users created using the Users & Groups pane of System Preferences are assigned user IDs starting at 501. New users can also be created using the command line, which allows the administrator to specify the user ID for new users. When using the command line to create new users, it's risky to assign the same user ID to different users, because two users with the same user ID have identical directory and POSIX file permissions.

Each user has a unique GUID that is generated when the user account is created. A user's GUID is associated with ACL permissions set on files or folders. By setting ACL permissions you can prevent users with identical user IDs from accessing files and folders.

The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system use. User accounts with these user IDs shouldn't be deleted and shouldn't be modified except to change the password of the root user.

In general, after a user ID is assigned and the user starts creating files and folders, you shouldn't change the user ID.

One scenario in which you might need to change a user ID is when you merge users from different servers onto a new server or cluster of servers. The same user ID might have been associated with a different user on the previous server.
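To catch the duplicate-ID and reserved-range problems described above before they turn into shared file permissions, here is an added Python audit (not Apple's tooling). It reads the two-column name/UID listing that dscl . -list /Users UniqueID prints on OS X; the listing embedded below is constructed, and the rule that account names beginning with an underscore are built-in service accounts (which may legitimately sit below UID 500) is an assumption made for this example.

```python
"""Audit user-ID assignments for the problems described above: two users
sharing one UID, a non-root account with UID 0, and regular accounts inside
the system-reserved range. Added example, not Apple's tooling. Input is the
two-column 'name UniqueID' listing that `dscl . -list /Users UniqueID` prints
on OS X; the listing embedded here is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample listing (not taken from a real machine).
SAMPLE_LISTING = """\
root            0
_www            70
_spotlight      89
jfoster         501
mwong           502
intern          502
svcadmin        0
"""

MIN_REGULAR_UID = 500  # GUI-created users start at 501; IDs below 100 are reserved


def parse_listing(text: str) -> List[Tuple[str, int]]:
    """Turn 'name uid' lines into (name, uid) pairs, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        entries.append((parts[0], int(parts[1])))
    return entries


def is_service_account(name: str) -> bool:
    """Assumption for this example: OS X names its built-in service accounts
    with a leading underscore, so those may legitimately sit below UID 500."""
    return name.startswith("_")


def audit_uids(entries: List[Tuple[str, int]]) -> List[str]:
    """Return one human-readable finding per problem, shared UIDs first."""
    findings = []
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for name, uid in entries:
        by_uid[uid].append(name)
    # Shared UIDs: both users get identical directory and POSIX file permissions.
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(sorted(names))}")
    for name, uid in entries:
        if uid == 0 and name != "root":
            findings.append(f"{name} has uid 0 (root)")
        elif 0 < uid < MIN_REGULAR_UID and not is_service_account(name):
            findings.append(f"{name} has system-range uid {uid}")
    return findings


if __name__ == "__main__":
    for finding in audit_uids(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

On the sample the audit reports the shared UID 502 (intern and mwong would see each other's files as their own), and the second UID 0 account twice: once as a shared UID and once by name, since an extra root-equivalent account is the more serious of the two. Fixing a shared UID means changing one of the accounts' IDs and then re-owning that user's files, which is why the text advises not to change user IDs once files exist.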


Securing the guest account

The guest account is used to give a user temporary access to your computer. The guest account is disabled by default because it doesn't require a password to log in to the computer. If this account is enabled and not securely configured, malicious users can gain access to your computer without a password.

If you enable the guest account, you should also enable parental controls to limit what the user can do. Enabling parental controls on an account doesn't defend against a determined attacker and shouldn't be used as the primary security mechanism.

Whether or not the guest account is enabled, disable guest account access to shared files and folders by deselecting the Allow guests to connect to shared folders checkbox. If you allow the guest account to access shared folders, an attacker can easily attempt to access shared folders without a password.

When you finish setting permissions for the guest account, disable it by deselecting the Allow guests to log in to this computer checkbox.

    Securing nonadministrator accounts

There are two types of nonadministrator user accounts:

• Standard user accounts don't have administrator privileges and don't have parental controls limiting their actions.

• Managed user accounts don't have administrator privileges but have active parental controls.

Parental controls help deter unsophisticated users from performing malicious activities. They can also help prevent users from accidentally installing malware on their computer.

Note: If your computer is connected to a network, you can manage preferences and account information for managed users over the network.

When you create nonadministrator accounts, restrict the accounts so they can only use what's required. For example, if users plan to store sensitive data on their local computer, disable the ability to burn DVDs.

Managed user accounts

Parental controls provide administrators with tools to enforce a reasonable level of restrictions for users of the computer.

Administrator users can use features like Simple Finder to limit users to opening a set of applications, or create a white list of websites that users can visit. However, if attackers have physical access to computer ports such as Thunderbolt, USB, or FireWire, they can bypass parental controls by mounting a disk image that contains malicious software.

    These are the kind of simple things administrators of a public library or computer environmentcan use to keep users from performing malicious activities.

Parental controls preferences

You can set limits for users on a Mac running OS X by using Parental Controls preferences. For example, you might want to prevent users from being able to install or uninstall software, or you might want to restrict access to specific administrator tools or utilities. You can set these preferences according to your environment.


    To securely configure an account with parental controls:

    1. Open System Preferences, then click Users & Groups.

    2. If the lock icon is locked, click it to unlock it and enter an administrator name and password.

3. Select the user account you want to manage with parental controls and select the Enable Parental Controls checkbox.

    4. Click Open Parental Controls.

    5. Click Apps.

You can enable Simple Finder, which restricts an account to using applications listed on the Dock. With Simple Finder enabled, users can't create or delete files. Simple Finder also prevents users from changing their passwords.

Enabling Simple Finder isn't recommended, unless the computer is used in a kiosk-like environment.

In the Apps pane, you can specify the applications the user has access to by selecting the Limit Applications checkbox. Then you can select or deselect applications in the applications list.

When you install third-party applications, you can add them to this list. Disable third-party applications unless the user needs to use them securely. Third-party applications might give a standard user some administrator abilities, which can be a security issue.

You can also prevent the user from modifying the Dock by deselecting Allow User to Modify the Dock.

    6. Click Web.

In the Web pane, you can restrict the websites that users can view by selecting Try to limit access to adult websites automatically, and you can customize the list of adult sites by clicking Customize and adding the URL of sites to the Always allow these sites list or the Never allow these sites list.


You can also select Allow access to only these websites, which prevents a user from accessing any site not in the list. Expand the list by clicking the Add (+) button below the list of sites.

    7. Click People.

In the People pane, you can limit access to Game Center for multiplayer games and adding friends.

Also in the People pane, you can limit Mail and Messages to go only to specific addresses in the Only allow emailing and instant messaging with list. To add users to the list, click the Add (+) button below the list.

You can also select the Send permission request to checkbox and enter an administrator's mail address. When a user attempts to send mail to someone not in the list, the mail is sent to the administrator for permission to be sent.

    8. Click Time Limits.

In the Time Limits pane, you can restrict the number of hours the computer is used by selecting the Limit computer use to checkbox and setting the number of hours.

You can also set the times the computer can be accessed by selecting School nights: Sunday through Thursday or Weekend: Friday and Saturday, and setting a time range.

    9. Click Other.

In the Other pane, you can disable Dictation, hide profanity in the Dictionary, limit printer administration, prevent disc burning, and disable changing the password.

Securing administrator accounts

The administrator's account should be used only when absolutely necessary to accomplish administrative tasks. To secure administrator accounts, restrict the distribution of administrator accounts and limit the use of these accounts.

A user account with administrator privileges can perform standard user and administrator tasks such as:

• Creating user accounts
• Adding users to the Admin group
• Enabling or disabling sharing
• Enabling, disabling, or changing firewall settings
• Changing other protected areas in System Preferences
• Installing system software

Securing the system administrator account

The most powerful user account in OS X is the system administrator, or root, account. The root account is primarily used for performing UNIX commands and actions that involve critical system files. By default, the root account on OS X is disabled and it's recommended that you keep it disabled.

Using strong authentication

Authentication is the process of verifying the identity of a user. OS X supports local and network-based authentication to ensure that only users with valid authentication credentials can access the computer's data, applications, and network services.


You can require passwords to log in, to wake the computer from sleep or a screen saver, to install applications, or to change system settings. OS X also supports authentication methods such as smart cards, digital tokens, and biometric readers.

Strong authentication uses combinations of the following authentication dimensions to make identification more reliable and certain:

• What the user knows, such as a password or PIN
• What the user has, such as a one-time-password (OTP) token or smart card
• What the user is, such as a fingerprint, retina scan, or DNA sample

Using Password Assistant to generate or analyze passwords

OS X includes Password Assistant, an application that analyzes the complexity of a password or generates a complex password for you. You can specify the length and type of password you'd like to generate.

You can open Password Assistant from some applications. For example, when you create an account or change passwords in Users & Groups preferences, you can use Password Assistant to help you create a secure password.

    You can choose from the following types of passwords:

• Manual: You enter a password and then Password Assistant tells you how strong the password is. If the quality level is low, Password Assistant gives tips for increasing it.

• Memorable: According to your password length requirements, Password Assistant generates a list of memorable passwords in the Suggestion menu.

• Letters & Numbers: According to your password length requirements, Password Assistant generates a list of passwords with a combination of letters and numbers.

• Numbers Only: According to your password length requirements, Password Assistant generates a list of passwords containing only numbers.

• Random: According to your password length requirements, Password Assistant generates a list of passwords containing random characters (which includes mixed upper and lowercase letters, punctuation, and numbers).

• FIPS-181 compliant: According to your password length requirements, Password Assistant generates a password that is FIPS-181 compliant (which includes only the 26 lowercase letters of the English alphabet).

Password policies

A variety of password policies are available to clients running in an Open Directory environment. These should meet the requirements of your organization's security policy. In this example, you'll configure Open Directory password policies globally and then specifically for the user Jimmy Foster. You can use a different account for testing if you want.

    To set up Open Directory password policies for a user:

    1. Open Server.

    2. Click Open Directory in the Services list.

    3. Expand the action menu at the bottom of the window.

    4. Choose Edit Global Password Policy.

Configure the global password policies for the Open Directory service. These policies control login for accounts and set controls on passwords for all users in the directory service.

    5. After setting the global password policies, click OK.


    To add additional settings for specific users using Workgroup Manager:

1. Download and install Workgroup Manager from Apple's support website at http://support.apple.com/kb/DL1567.

    2. Open /Applications/Workgroup Manager and authenticate to Open Directory.

    3. Click the user or users you want to set up.

    4. Click Advanced.

    5. Click the Options button below the User Password Type section.

6. Configure specific settings for each user, such as controlling when to disable accounts and when to require the user to change passwords.

7. When you're finished managing these settings, click OK.

Note: When using Active Directory, the AD password policies are recognized and enforced by OS X. Users are notified about expiring passwords and can change their passwords in OS X.


Keychains

All users find themselves authenticating to and accessing an ever-increasing number of protected services. These services include email, file sharing, social networking, banking, and system administration. With so many credentials, users and administrators need an easy way to store and retrieve credentials on demand without risking exposure to unauthorized access. To address this need, OS X provides a feature called keychains.

A keychain is a container for securely storing user and system credentials on the local system, so they can be retrieved quickly. Each keychain can hold a collection of credentials and protect them with a single password. Keychains store encrypted passwords, certificates, and other private values (called secure notes). These values are accessible only by unlocking the keychain using the keychain password and only by applications that are approved and added to the access control application list.

Keychains and the corresponding services are integrated so deeply into OS X that it's a required service that can't be disabled or shut off. Each new system account has four default keychains, each providing a specific purpose, protection, and storage. The default keychains are described below.

• Login: Stored in /Users//Library/Keychains/login.keychain, the login keychain allows users on OS X to start with an empty keychain called login where they can store their own credentials. All passwords, keys, secure notes, and user identities should be stored here. OS X populates the keychain with certificates acquired during the parsing of digitally signed email messages in the Mail app. The login keychain is protected with a passphrase that's the same as the user's login password, but it can be changed.

• Directory Services: Locally configured Directory Servers can be enabled to search external directory services, such as Active Directory, LDAP, and NIS, for certificates and retrieve X.509 certificates for users.

• System: The System keychain is managed by the operating system and system administrator account. It is stored in /Library/Keychains/System.keychain. It is used for machine (system) authentication to network services and for storing corporate Root Certificate Authority (CA) certificates for systemwide trust. The System keychain is always accessible by the operating system, no matter what user is logged in.

Important: Any network service with machine authentication, such as 802.1X, VPN, and WPA/WPA2, requires that the credentials and any corresponding trust chain be stored in the System keychain if those certificates were issued from a corporate CA or from any Root CA not included in the System Roots.

• System Roots: The System Roots keychain is managed by the operating system and is used for storing the pretrusted Root CA certificates of OS X. It is stored in /System/Library/Keychains/SystemRootCertificates.keychain. Administrators can alter the trust on any of the root certificates to reflect desired systemwide CA trust, but they can't remove or delete any root certificates from this keychain. Apple updates the certificates in this keychain during OS X Software and Security Updates.


Storing credentials in keychains

OS X includes Keychain Access, an application that manages collections of passwords and certificates in a single secure place called a keychain. You can create multiple keychains, each of which appears in a keychain list in Keychain Access. Each value is called a key item. You can create a key item in any user-created keychain.

    Each item in a keychain has an Access Control List (ACL) that can be populated with applicationsthat have authority to use that item. A further restriction can be added that forces an applicationwith access to confirm the keychain password.

Every keychain in the keychain list can be used by the system and administrator for locating and retrieving appropriate credentials. By using keychains, you no longer need to remember passwords for multiple accounts, so the passwords you choose can be very complex and can even be randomly generated.

OS X Keychain services enable you to create keychains and provide secure storage of keychain items. After a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes. A user can unlock a keychain with a single password, and applications can then use that keychain to store and retrieve data, such as passwords.

Using the default user keychain

When a user's account is created, a default keychain called login is created for that user. The password for the login keychain is initially set to the user's login password, and the keychain is unlocked when the user logs in. It remains unlocked unless the user locks it, or until the user logs out.

When an application must store an item in a keychain, it stores it in the keychain designated as the user's default keychain.

    You should secure the login keychain so the user must unlock it when he or she logs in, or afterwaking the computer from sleep.

    To secure the login keychain:

    1. Open Keychain Access from the Utilities folder.

2. If you don't see a list of keychains, click Show Keychains.

    3. Select the login keychain.

    4. Choose Edit > Change Password for Keychain login.

    5. Enter the current password, and create and verify a password for the login keychain.

After you create a login keychain password that's different from the normal login password, your keychain isn't unlocked at login.

To create a secure password, use Password Assistant. For information, see Using Password Assistant to generate or analyze passwords in this chapter.

    6. Choose Edit > Change Settings for Keychain login.

    7. Select Lock when sleeping.

    8. Secure each login keychain item.

Creating additional keychains

A user can create additional keychains, each of which can have different settings and purposes.


Users might want to group credentials for mail accounts into one keychain. Because mail programs query the server frequently to check for mail, it isn't practical for users to reauthenticate when such a check is performed.

Users could create a keychain and configure its settings so that they're required to enter the keychain password at login and whenever the computer is awakened from sleep.

Users can then move all items containing credentials for mail applications into that keychain and set each item so that only the mail application associated with that credential can automatically access it. This forces other applications to authenticate for access to that credential.

Configuring a keychain's settings for use by mail applications might be unacceptable for other applications. If users have web-based mail accounts they don't use often, they should store those credentials in a keychain configured to require reauthentication for every access.

You can also create multiple keychains to accommodate varying degrees of security. Separating keychains based on security prevents exposing sensitive credentials to less sensitive applications with credentials on the same keychain.

    To create a keychain and customize its authentication settings:

1. In Keychain Access, choose File > New Keychain.

2. Enter a name, select a location for the keychain, and click Create.

    3. Enter a password for the keychain, then enter it again in the Verify field, and click OK.

If you need help choosing a good password, click the key button to the right of the Password field.

4. If you don't see a list of keychains in the sidebar, click Show Keychains in the View menu.

    5. Select the new keychain.

6. Choose Edit > Change Settings for Keychain keychain_name, and authenticate, if requested.

7. Change the Lock after # minutes of inactivity setting based on the access frequency of the security credentials included in the keychain.

If the security credentials are accessed frequently, deselect Lock after # minutes of inactivity. If the security credentials aren't accessed frequently, select Lock after # minutes of inactivity and select a value, such as 15. If you password-protect your screen saver, consider setting this value to the idle time required for your screen saver to start.

    8. Select Lock when sleeping.

9. Drag the security credentials from other keychains to the new keychain and authenticate, if requested.

You should have keychains that only contain related certificates. For example, a mail keychain should only contain mail items.

10. If you're asked to confirm access to the keychain, enter the keychain password and click Allow Once.

    After confirming access, Keychain Access moves the security credential to the new keychain.

    To secure a keychain item:

    1. In Keychain Access, select a keychain and then select an item.


    6. Select the keychain you want set up.

7. Choose File > Delete Keychain keychain_name.

    8. Click Delete References.

    9. In Finder, copy the keychain files from the previously noted location to the portable drive.

10. Move the keychain to the Trash on the computer and use Secure Empty Trash to securely erase the keychain file stored on the computer.

    For information, see Securely erasing data in Chapter 3, Data Security.

    11. Double-click the keychain file on your portable drive to add it to your keychain search list.

Using Kerberos

Kerberos is an authentication protocol used for systemwide single sign-on, allowing users to authenticate to multiple services without having to reenter passwords or send passwords over the network. Every system generates its own principals, allowing it to offer secure services that are fully compatible with other Kerberos-based implementations.

OS X uses Kerberos v5 to make it easier to share services with other computers. You don't need a key distribution center (KDC) to use Kerberos authentication between two OS X computers. When you connect to a computer that supports Kerberos, you're granted a ticket that permits you to continue to use services on that computer, without reauthentication, until your ticket expires.

For example, consider two OS X computers named Mac01 and Mac02. Mac02 has screen sharing and file sharing turned on. If Mac01 connects to a shared folder on Mac02, Mac01 can subsequently connect to screen sharing on Mac02 without supplying login credentials again.

This Kerberos exchange is only attempted if you connect using Bonjour, navigate to the computer in the Finder, or use the Go menu in the Finder to connect to a server using the local hostname of the computer (for example, computer_name.local).

You can also use the kinit, kdestroy, and kpasswd commands to manage Kerberos tickets. For more information, see the man pages for these commands.

Public Key Infrastructure (PKI)

The Public Key Infrastructure (PKI) includes certificate, key, and trust services functions to:

    Create, manage, and read certificates Add certificates to a keychain Create encryption keys Manage trust policies and certificate verification/validation

    These functions are used when the services call Common Security Service Manager (CSSM)functions. This is transpar ent to users.

About certificates
A certificate is a piece of cryptographic information that binds a public key to an identity and is signed by an issuer; it enables the secure transfer of information over the Internet. Certificates are used by web browsers, mail applications, and online chat applications. In OS X, certificates are part of your digital identity and are stored in your keychain.

When you communicate with a secure site, information exchanged with the site is encrypted. This protects your login information, credit card numbers, addresses, and other sensitive data.

    OS X Technical Training: Security

    2013 Apple Inc. Apple confidentialfor internal and channel use only 26


Certificates are signed and issued by trusted organizations, such as Thawte or Entrust, called certificate authorities (CAs). When you go to a secure website, OS X checks the site's certificate by building a chain from it to a root certificate it already trusts (the roots in the System Roots keychain, plus any you have added). If the website's certificate can't be chained to a trusted root, or if the site doesn't have one, you receive a message.

The validity of a certificate is verified electronically using the public key infrastructure (PKI). A certificate consists of your public key, the identity of the organization, the identity of the CA that signed the certificate, a validity period, and other data that may be associated with your identity.

A certificate is usually restricted to particular uses, such as digital signatures, encryption, use with web servers, and so on. This is called the key use restriction and is carried in the certificate's Key Usage and Extended Key Usage extensions. Although it's possible to create one certificate for multiple uses, it's unusual to make one for all possible uses. Creating a certificate for multiple uses is also less secure, because a compromise of that one key affects every use at once.

A certificate is valid only for a limited time; it then becomes invalid and must be replaced with a newer version. The CA can also revoke a certificate before it expires, which is why revocation checking (OCSP and CRL, described later in this chapter) matters.

If you need to send a certificate to someone, you can export it using Keychain Access, and then send it through email or by other means. Likewise, if someone sends you a certificate, you can add it to your keychain by dragging it onto the Keychain Access icon, or by using the Import Items command in the Keychain Access File menu.

Creating a self-signed certificate
You can create a certificate using the Certificate Assistant in Keychain Access. The certificate you create is called a self-signed certificate. Self-signed certificates don't provide the trust level of a certificate signed by a CA.

By default, certificates created with the RSA algorithm using Certificate Assistant have a 2048-bit key size. Don't reduce this: keys of 1024 bits or less are considered weak and are expected to be breakable within the validity period of the certificate.

    To create a self-signed certificate:

1. Open Keychain Access from the Utilities folder.

2. Choose Keychain Access > Certificate Assistant > Create a Certificate.

    3. Enter a name for the certificate.

    4. From the Identity Type pop-up menu, choose one of the following:

Self Signed Root: A self-signed root certificate is one that signs itself, acting as its own root CA, so it can be used immediately. Such certificates don't benefit from the security of certificate chains and certificate policies. Most computers don't accept a self-signed certificate unless the certificate's owner tells them to first, and some computers don't accept them under any circumstances. However, they are easy and quick to make, and are often used for testing purposes in place of certificates signed by a proper CA.

Leaf certificate: A leaf is a certificate signed by an intermediate or root CA. A leaf certificate benefits from the security of certificate chains and certificate policies. A leaf is situated at the bottom of a certificate chain.

5. From the Certificate Type pop-up menu, choose the specific purpose that your certificate will be used for.

6. If you want to manually specify the information in the certificate, such as the key pair, extensions, and encryption settings, select Let me override defaults.

    7. Click Create.


Expires is the date when the keychain item expires (for example, the expiration date of a certificate).

    Keychain is the name of the keychain where the item is stored.

    3. Click any keychain item to see top-level information about it.

    4. Double-click the keychain item or click the Information (i) button at the bottom of thewindow to bring up the information pane for the selected item.

    5. Drag any keychain item to another location to copy it.

    To select categories of Keychain items:

    1. Open Keychain Access from the Utilities folder.

    2. Select the item category you want by clicking its name in the Category list.

The right side of the Keychain Access window now displays all items of the type you chose currently stored within the selected keychain. In the My Certificates category, all X.509 identities (a certificate and its corresponding private key) are displayed. To refine what's listed, enter information in the search field in the upper-right corner of the window.

    To set up directory services to search for certificates:

    1. Open Keychain Access from the Utilities folder.

    2. Choose Preferences from the Keychain Access menu.

    3. Click General.


4. Select the Search directory services for certificates checkbox to enable the system to search all directory services configured for the system.

    5. Close the Preferences window.

To set up certificate revocation checking:

1. Open Keychain Access from the Utilities folder.

    2. Choose Preferences from the Keychain Access menu.

    3. Click Certificates.

    4. Select an option from the Online Certificate Status Protocol (OCSP) menu:

    Off

    Best attempt

    Require if certificate indicates

5. To enforce OCSP verification for all certificates, hold down the Option key while choosing from this menu.

6. Select an option for the Certificate Revocation List (CRL).

7. To enforce CRL verification for all certificates, hold down the Option key while choosing from this menu.

    8. When both OCSP and CRL are enabled, select which protocol response has priority, orwhether to require both responses for full validation.

Note: If you select Require both and either server doesn't respond, the system won't be able to verify the certificate, and you won't be able to use it. Best attempt is the usual compromise: a revoked answer is honored, but an unreachable server doesn't block the certificate.

    To import items into a keychain with the GUI:

    1. Double-click any valid credential such as an X.509 identity file (.p12 file).

Keychain Access automatically opens and asks if you want to add the certificate(s) from the file to a keychain.

2. Select the keychain where you want to import the item: either the login keychain for user credentials or the System keychain for system-wide credentials.


    To export items from a keychain:

    1. Open Keychain Access from the Utilities folder.

2. Find the item you want to export by selecting the appropriate keychain or category, or by entering words in the search field.

    3. Choose Export Items from the Keychain Access File menu.

    4. In the Save File dialog, select where to export the item(s).

    5. Click Save.

6. If you export an identity (a certificate with its private key) in PKCS #12 format, enter a password to protect the exported file. Use a strong password so an unauthorized user can't recover the private key from the file. You'll also need to enter the keychain password to unlock the keychain.


    7. Click Allow.

    The items are now stored at your selected location.

    To export public items from a keychain via drag and drop:

    1. Open Keychain Access from the Utilities folder.

    2. Find the item you want to export by selecting the appropriate keychain or category, or enterwords in the search field.

    3. Select a public item in the keychain, such as an X.509 certificate.

    4. To export the item, drag it to a file system location.

    5. Release to create the file.
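The following script is an added example, not part of the Apple training document or of OS X itself. It does from the command line what the Create a Certificate, Import Items and Export Items procedures above do in Keychain Access: it generates a self-signed leaf certificate with a 2048-bit RSA key and an explicit key use restriction (Key Usage and Extended Key Usage extensions), checks the key size, and then, on a Mac, bundles the identity as PKCS #12 and imports and exports it with the security(1) tool. The host name test.example.com, the one-year lifetime and the password export-pass are placeholders; the keychain path is the standard login keychain.

```shell
#!/bin/sh
# Added example (not from the Apple training document): the command-line
# equivalent of Certificate Assistant's "Create a Certificate", followed by the
# "Import Items" and "Export Items" steps. test.example.com, the 365-day
# lifetime and the password passed to keychain_round_trip are placeholders.

set -u

# Write a self-signed leaf certificate with a 2048-bit RSA key and an explicit
# key use restriction. Arguments: <hostname> <output directory>.
# Produces <hostname>.key, <hostname>.pem and <hostname>.cnf in the directory.
make_self_signed() {
    name="$1"; dir="$2"
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = leaf
[dn]
CN = $name
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# Print the RSA modulus size of a PEM certificate, for example 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the Key Usage line of a PEM certificate, for example
# "Digital Signature, Key Encipherment".
cert_key_usage() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}' | head -n 1
}

# Exit status 0 when the key is at least 2048 bits (the Certificate Assistant default).
key_is_strong_enough() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Bundle the certificate and private key as PKCS #12, import the identity into
# the login keychain, list identities (the "My Certificates" category), and
# export the identity again. Only meaningful on OS X, where security(1) exists.
keychain_round_trip() {
    name="$1"; dir="$2"; pass="$3"
    kc="$HOME/Library/Keychains/login.keychain"
    openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.pem" \
        -out "$dir/$name.p12" -passout "pass:$pass"
    security import "$dir/$name.p12" -k "$kc" -P "$pass"
    security find-identity -v "$kc"
    security export -k "$kc" -t identities -f pkcs12 -P "$pass" \
        -o "$dir/$name-exported.p12"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_self_signed test.example.com "$dir"
    echo "key bits:  $(cert_key_bits "$dir/test.example.com.pem")"
    echo "key usage: $(cert_key_usage "$dir/test.example.com.pem")"
    if command -v security >/dev/null 2>&1; then
        keychain_round_trip test.example.com "$dir" export-pass
    fi
fi
```

Run it as `sh make_cert.sh --demo`. The extensions in the [leaf] section are the scripted form of the Certificate Type and Let me override defaults choices: CA:FALSE makes it a leaf rather than a root, and the Key Usage and Extended Key Usage lines restrict it to TLS server use, as the key use restriction paragraph recommends. cert_key_bits is the check to run on any certificate you receive before trusting it.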

Securing a certificate from another CA
Many environments use a Windows-based Certificate Authority (CA). The CA can distribute certificates to client systems, including those with OS X installed.

If you're using a CA, its certificates need to be in a format that OS X understands. Common certificate formats include (but aren't limited to):

.cer, .crt, .der   Certificates, usually binary DER-encoded (.cer and .crt files can also contain PEM text)
.pem               Base64-encoded DER certificates, delimited by BEGIN CERTIFICATE and END CERTIFICATE lines
.p12               PKCS #12 bundles containing a certificate and its private key, protected by a password

    Mac computers running OS X can also obtain client certificates via SCEP and in configurationprofile payloads. See http://support.apple.com/kb/HT5357 for more information.

To install a .cer certificate:

    1. In Safari, download the certificate from a CA.

    2. Click the Downloads button in Safari.

    3. Double-click the certificate. Keychain Access opens.

4. In the Add Certificates pane, choose the keychain where you want to install the certificate. To make the certificate available to all users, choose the System keychain; otherwise choose a user keychain such as login.

    5. Click OK.

6. If you're installing the certificate into the System keychain, enter an administrator name and password in the Authenticate dialog.

7. If the certificate is your organization's CA and OS X should trust certificates it issues, click Always Trust. Marking a CA as Always Trust makes OS X accept every certificate it issues for every purpose; if you only need it for one purpose (for example, SSL), set that policy alone in the certificate's Trust section and leave the others at Use System Defaults.


    8. Click the keychain where you imported the certificate.

9. Click the certificate to make sure it's valid.
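The following script is an added example, not part of the Apple training document. It covers the procedure above from the command line: it identifies which of the formats listed earlier a downloaded file uses before importing it, converts DER to PEM when needed, trusts the CA in the System keychain for a single policy rather than for everything, and then verifies a certificate against the trust settings, which is the scripted form of step 9. /Library/Keychains/System.keychain is the System keychain's real path; the ssl policy and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Apple training document): classify a certificate
# file's encoding, normalise it to PEM, trust a CA for one policy only, and
# verify a certificate. File names and the "ssl" policy are placeholders.

set -u

# Classify a certificate file as "pem" (Base64 text with BEGIN/END markers),
# "der" (binary ASN.1; the first byte 0x30 is a SEQUENCE tag, which also covers
# PKCS #12 bundles), or "unknown" (including empty files).
cert_format() {
    f="$1"
    if grep -q -- '-----BEGIN' "$f" 2>/dev/null; then
        echo pem
    elif [ "$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Write the certificate in <in> to <out> as PEM; returns 1 for unknown formats.
cert_to_pem() {
    case $(cert_format "$1") in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   echo "unknown certificate format: $1" >&2; return 1 ;;
    esac
}

# Trust a CA certificate in the System keychain for ONE policy (here ssl).
# This is the scripted alternative to "Always Trust", which would also let the
# CA vouch for code signing, mail and every other purpose.
install_trusted_ca() {
    sudo security add-trusted-cert -d -r trustRoot -p ssl \
        -k /Library/Keychains/System.keychain "$1"
}

# The command-line form of "click the certificate to make sure it's valid":
# evaluates the certificate against the ssl policy and current trust settings.
verify_leaf() {
    security verify-cert -c "$1" -p ssl
}

if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    tmp=$(mktemp)
    cert_to_pem "$2" "$tmp" || exit 1
    install_trusted_ca "$tmp"
    verify_leaf "$tmp"
fi
```

Run it as `sh trust_ca.sh --install ca.cer` on a Mac. cert_format is deliberately cheap and offline, so it can run on any system; the two security(1) calls need OS X. If `security verify-cert` reports the certificate as untrusted after the import, the trust setting went into a different keychain or policy than the one being checked.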

Application restrictions
You can use Profile Manager to restrict OS X applications. For more information about managing restrictions with Profile Manager, see OS X Technical Training: Management.

Securing System Preferences
System Preferences has many configurable preferences you can use to customize system security. This section summarizes preferences included with OS X and describes recommended modifications to improve security.

System Preferences overview
To view system preferences, choose System Preferences from the Apple menu. When you modify settings for one account, make sure the settings are mirrored on all other accounts, unless there's an explicit need for different settings.

Some critical preferences require that you authenticate before you modify their settings. To authenticate, click the lock and enter an administrator's name and password (or use a digital token, smart card, or biometric reader).

If you log in as a user with administrator privileges, these preferences are unlocked unless you select Require an administrator password to access system preferences with lock icons in Security & Privacy preferences.

If you log in as a standard user, these preferences remain locked. After unlocking preferences, you can lock them again by clicking the lock.


    System Preferences that require authentication include:

• Security & Privacy
• Energy Saver
• Print & Scan
• Network
• Sharing
• Users & Groups
• Parental Controls
• Date & Time
• Software Update
• Time Machine
• Startup Disk

Securing Users & Groups preferences
Use Users & Groups preferences to change or reset account passwords, to enable parental controls, or to modify login options for each account. If you're an administrator, you can reset other user account passwords by selecting the account and clicking Reset Password.

Note: Password policies aren't enforced when you change the password on an administrator account or when you reset another user's password using an administrator's account. Therefore, when you reset passwords as an administrator, you should follow the password policy set by your organization.

Securing Date & Time preferences
Correct date and time settings are required for authentication protocols like Kerberos, which rejects tickets when the clocks of the client and server differ by more than its allowed skew (five minutes by default). Incorrect date and time settings also affect certificate validity checks and the reliability of log timestamps.

    You can use Date & Time preferences to set the date and time based on a Network Time Protocol(NTP) server.

    If you require automatic date and time, use a trusted internal NTP server.

    To securely configure Date & Time preferences:

    1. Open Date & Time preferences.

2. In the Date & Time pane, select the Set date and time automatically checkbox and choose a secure and trusted NTP server in the Set date and time automatically pop-up menu.

    3. Click Time Zone.

    4. Choose a time zone from the Closest City pop-up menu.

    Securing Desktop & Screen Saver preferences

You can use Security & Privacy preferences to password protect your screen saver so unauthorized users can't access your computer while you're away. You can use several other authentication methods to unlock the screen saver, including digital tokens, smart cards, and biometric readers.

You should also set a short inactivity interval to decrease the amount of time the unattended computer is unlocked. For information about requiring authentication for screen savers, see Securing Security & Privacy preferences.


Securing Energy Saver preferences
You can use the Energy Saver Sleep pane to configure a period of inactivity before the computer, display, or hard disk enters sleep mode.

If the computer is managed by a directory service on the network and goes to sleep, the management system can't reach it: the computer is treated as unmanaged and isn't detected as being connected to the network. If you want the computer to remain visible to the network, configure the display and hard disk to sleep, but not the computer itself.

    You can reactivate the computer (see Securing Security & Privacy preferences ) the same wayyou unlock a screen saver, with a password, digital token, smart card, or biometric reader.

You can also make settings depending on the power supply (power adapter, UPS, or battery). Configure the computer so it only wakes when you physically access it, and don't set it to restart automatically after a power failure.

    To securely configure Energy Saver preferences:

    1. Open Energy Saver preferences.

    2. Set Computer sleep to Never.

    3. Select Put hard disks to sleep when possible.

    4. Deselect Wake for network access and Restart automatically if the computer freezes.

Securing Network preferences
You should disable unused network interfaces listed in Network preferences, because enabled but unused interfaces (such as Wi-Fi and Bluetooth) are a security risk. Only hardware that's installed on the computer is listed in Network preferences.

When configuring your computer for network access, use a static IP address when possible. A DHCP-assigned address should be used only if necessary.

Some organizations use IPv6, a newer version of the Internet Protocol (IP). The primary advantage of IPv6 is that it increases the address size from 32 bits (the IPv4 standard) to 128 bits, which is large enough to support far more addresses or nodes than are otherwise available. IPv6 also provides more ways to set up the address and simplifies autoconfiguration.

By default IPv6 is configured automatically, and the default settings are sufficient for most computers that use IPv6. You can also configure IPv6 manually. If your organization's network can't use or doesn't require IPv6, turn it off so the computer isn't reachable over a protocol you aren't monitoring.

    To securely configure Network preferences:

    1. Open Network preferences.

2. From the list of hardware devices, select one you don't use.

3. Click the Action pop-up menu below the list of hardware devices and choose Make Service Inactive.

    4. Repeat steps 2 and 3 to deactivate all the devices you dont use.

5. From the list of hardware devices, select the hardware device you use to connect to your network (for example, Wi-Fi or Ethernet).

    6. From the Configure IPv4 pop-up menu, choose Manually.


    7. Enter your static IP address, Subnet Mask, Router, DNS Server, and Search Domainconfiguration settings.

    8. Click Apply.

Securing Parental Controls preferences
You can set parental controls to customize access for each account individually. You can't enable parental controls for an administrator account that is currently logged in to the computer.

    To secure Parental Controls preferences:

    1. Open Parental Controls preferences.

    2. Select the account you want to activate parental controls for.

If the account you want to manage isn't listed, open Users & Groups preferences and click the lock to authenticate, if it's locked. From the accounts list, select the account you want to manage. Then select the Enable Parental Controls checkbox and click Open Parental Controls.

3. In the Apps pane, select Limit Applications to restrict application access to specific applications.

    4. In the Allowed Apps list, select the applications that the user can access.

    5. Click the Other tab and limit tasks you dont want the user to perform, such as changingprinter settings, burning CDs and DVDs, or changing the password.

    6. Select the Web pane.

7. In the Web pane, limit website access to specific sites by selecting Allow access to only these websites.

8. Click the Add (+) button, select Add bookmark from the pop-up menu, and enter the website name and address.

    Securing Security & Privacy preferences

    Security & Privacy preferences cover a range of OS X security features, including login options,FileVault, firewall, and privacy protection.

General tab
Consider the following security-related settings in the General tab:

Require password: Require a password to wake this computer from sleep or screen saver. This helps prevent unauthorized access on unattended computers. This setting is per user and isn't covered by the lock button in Security & Privacy preferences, so any user can change it for their own account without administrator rights; enable the password requirement for every user account on the computer.

Disable automatic login: Disabling automatic login is necessary for any level of security. If you enable automatic login, an intruder with physical access can log in simply by starting the computer, without authenticating.

Password-protect System Preferences (Advanced): Some system preferences are unlocked when you log in with an administrator account. By requiring a password, digital token, smart card, or biometric reader to unlock secure system preferences, you require extra authentication. This helps prevent accidental modification of system preferences.

Automatic logout (Advanced): Although you might want to enable automatic logout based on inactivity, there are reasons why you should disable this feature. First, it can disrupt your workflow. Second, it can close applications or processes without your approval (but a password-protected screen saver won't close applications). Third, because automatic logout can be interrupted, it provides a false sense of security. Applications can prevent successful automatic logout. For example, if you edit a file in a text editor, the editor might ask if you want to save the file before you log out.

Infrared receiver (Advanced): If you aren't using a remote control, disable the infrared receiver. This prevents unauthorized users from controlling your computer through the infrared receiver. If you use an Apple IR Remote Control, pair it to your computer by clicking Pair. When you pair it, no other IR remote can control your computer.

FileVault tab
OS X includes FileVault 2, which encrypts your computer's boot volume.

FileVault 2 uses XTS-AES-128 encryption with a 256-bit key: XTS mode uses two 128-bit AES keys, so the volume encryption key is 256 bits long.

A recovery key is automatically generated when you set up FileVault for the first time. You need that recovery key or the login password of an enabled user to access the data on a FileVault 2 volume.

Important: Store your password and recovery key in a safe place and don't share them with others. If you forget or lose both your password and your recovery key, the data on a FileVault 2 encrypted volume can't be accessed.

FileVault 2 and recovery keys are covered in more detail in Chapter 3, Data Security.

Firewall tab
When you turn on the firewall in the Firewall pane, incoming connections are accepted only for services you've enabled in Sharing preferences and, by default, for software signed by a valid certificate authority; other unsolicited incoming connections are blocked. You can click Firewall Options to specify which applications are allowed or blocked.

Note: You should select Block all incoming connections. This is the most restrictive setting: it still permits the connections required for basic Internet services (such as DHCP, Bonjour, and IPSec) but blocks everything else, including the sharing services.

You can enable stealth mode so the computer doesn't respond to or acknowledge uninvited probes, such as ICMP ping requests and connection attempts to closed ports.

Privacy tab
Location Services: If you disable Location Services, information about the location of your computer won't be provided to applications.


    To securely configure Security & Privacy preferences:

    1. Open Security & Privacy preferences.

    2. In the General pane, select the following:

• Require password __ after sleep or screen saver begins
• Disable automatic login

    3. Click the Advanced button and make the following changes:

• Deselect the Log out after __ minutes of inactivity checkbox.
• Select Require an administrator password to access locked preferences.
• Select the Disable remote control infrared receiver checkbox.

    4. In the Firewall pane, click Turn On Firewall.

5. Click Firewall Options and select Block all incoming connections and Enable stealth mode.

6. If you need to permit individual applications instead of blocking everything, deselect Block all incoming connections, add the specific services and applications to the list, and set each one to allow or block incoming connections. (While Block all incoming connections is selected, the per-application list isn't used.)

7. In the Privacy pane, deselect the Enable Location Services checkbox.

8. In the FileVault pane, click Turn On FileVault.

9. Record your recovery key in a safe location and click Continue.

10. Select Do not store the recovery key with Apple and click Continue.

    11. Click Restart to start the encryption process.
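The following script is an added example, not part of the Apple training document. It is the scripted form of the Date & Time, Energy Saver, Network and Security & Privacy procedures above, for applying them to many computers. Every command goes through a run() helper that only prints the command unless APPLY=1, so the plan can be reviewed before anything changes. The NTP server ntp.example.com, the service names Ethernet and Bluetooth PAN, the 192.0.2.x addresses and the time zone are placeholders; the defaults keys, the system.preferences authorization right and the socketfilterfw path are the real OS X settings behind the checkboxes. FileVault is only reported, because fdesetup enable is interactive and prints the recovery key.

```shell
#!/bin/sh
# Added example (not from the Apple training document): command-line
# equivalents of the Date & Time, Energy Saver, Network and Security & Privacy
# steps. Commands are printed unless APPLY=1; run with sudo when applying.
# ntp.example.com, Ethernet, "Bluetooth PAN", 192.0.2.x and the time zone are
# placeholders. The screen saver keys are per user, so run those as each user.

set -u
APPLY="${APPLY:-0}"

# Execute a command when APPLY=1; otherwise print it with arguments that contain
# shell metacharacters single-quoted (none of the arguments below contain ').
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
        return
    fi
    line=""
    for a in "$@"; do
        case $a in
            *[!A-Za-z0-9_./=:@-]*) line="$line '$a'" ;;
            *) line="$line $a" ;;
        esac
    done
    printf '%s\n' "${line# }"
}

# Date & Time: network time from a trusted internal NTP server, fixed time zone.
harden_time() {
    run systemsetup -setusingnetworktime on
    run systemsetup -setnetworktimeserver ntp.example.com
    run systemsetup -settimezone America/Los_Angeles
}

# Energy Saver: computer never sleeps (so it stays managed), disks do, no wake
# for network access (womp), no automatic restart after a power failure.
harden_power() {
    run pmset -a sleep 0 disksleep 10 womp 0 autorestart 0
}

# Network: unused interface off, static IPv4, IPv6 off where not required.
harden_network() {
    run networksetup -setnetworkserviceenabled "Bluetooth PAN" off
    run networksetup -setmanual Ethernet 192.0.2.10 255.255.255.0 192.0.2.1
    run networksetup -setdnsservers Ethernet 192.0.2.53
    run networksetup -setsearchdomains Ethernet example.com
    run networksetup -setv6off Ethernet
}

# Security & Privacy, General and Advanced: password immediately after sleep or
# screen saver, no automatic login, automatic logout off, administrator
# password for locked preferences, infrared receiver off.
harden_login() {
    run defaults write com.apple.screensaver askForPassword -int 1
    run defaults write com.apple.screensaver askForPasswordDelay -int 0
    run defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
    run rm -f /etc/kcpassword
    run defaults write /Library/Preferences/.GlobalPreferences com.apple.autologout.AutoLogOutDelay -int 0
    run defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false
    # The "shared" flag of the system.preferences right is what the
    # "Require an administrator password ..." checkbox toggles.
    run sh -c 'security authorizationdb read system.preferences > /tmp/sp.plist && defaults write /tmp/sp.plist shared -bool false && security authorizationdb write system.preferences < /tmp/sp.plist'
}

# Firewall: on, block all incoming connections, stealth mode, and no automatic
# exception for signed software.
harden_firewall() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    run "$fw" --setglobalstate on
    run "$fw" --setblockall on
    run "$fw" --setstealthmode on
    run "$fw" --setallowsigned off
}

# FileVault: report only; enabling it is interactive and prints the recovery key.
check_filevault() {
    run fdesetup status
}

harden_all() {
    harden_time
    harden_power
    harden_network
    harden_login
    harden_firewall
    check_filevault
}

if [ "${1:-}" = "--plan" ]; then
    harden_all
fi
```

Run `sh harden.sh --plan` to print the 21 commands, review them, then `sudo APPLY=1 sh harden.sh --plan` to apply. The screen saver settings and Location Services are the two items this script doesn't fully cover: askForPassword is stored per user, and Location Services has no documented command-line switch here, so it stays a Privacy pane step.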

Securing Sharing preferences
By default, every service listed in Sharing preferences is disabled. Don't enable these services unless you use them. The following services are described in detail in Securing Sharing preferences in Chapter 4, Network Security.

Service             Description
DVD or CD Sharing   Allows users of other computers to use the DVD or CD drive on your computer remotely.
Screen Sharing      Allows users of other computers to remotely view and control your computer.
File Sharing        Allows other users to access the Public folder on your computer and allows administrators to access all volumes.
Printer Sharing     Allows other users on the network to use printers connected to your computer.
Scanner Sharing     Allows other users to use a scanner connected to your computer.
Remote Login        Allows users of other computers to access your computer using SSH.
Remote Management   Allows other users to access your computer using Apple Remote Desktop.
