Secure your Snow Leopard - RM Education
TRANSCRIPT
Secure your Snow Leopard
Benjamin Stanley
Certified Trainer
1
Structure of OS, Safer Browsing, System Prefs that help with security, Managed prefs from server, Keychain, Hardware security, AV and a little about mobile.
Mac OS X Structure
This chapter provides a high-level introduction to Mac OS X, describing its overall architecture and development tools support. The goal of this chapter is to orient you to the Mac OS X operating system and to give you a reference point from which to explore the available tools and technologies described throughout this document. Developers who are already familiar with the Mac OS X system architecture and technologies may want to skip this chapter.
Note: For a listing of commonly used Mac OS X terms, see “Glossary” (page 159).
A Layered Approach
The implementation of Mac OS X can be viewed as a set of layers. At the lower layers of the system are the fundamental services on which all software relies. Subsequent layers contain more sophisticated services and technologies that build on (or complement) the layers below. Figure 1-1 provides a graphical view of this layered approach, highlighting a few of the key technologies found in each layer of Mac OS X.
Figure 1-1 Layers of Mac OS X
• User Experience: Aqua, Dashboard, Spotlight, Accessibility
• Application Frameworks: Cocoa, Carbon, Java
• Graphics and Media: OpenGL, Quartz, Core Audio, Core Animation, Core Image, Core Video, QuickTime
• Darwin
The bottom layer consists of the core environment layer, of which Darwin is the most significant component. Darwin is the name given to the FreeBSD environment that comprises the heart of Mac OS X. FreeBSD is a variant of the Berkeley Software Distribution UNIX environment, which provides a secure and stable foundation for building software. Included in this layer are the kernel environment, device drivers, security support, interprocess communication support, and low-level commands and services used by all programs on the system. Besides Darwin, this layer contains several core services and technologies, many of which are simply higher-level wrappers for the data types and functions in the Darwin layer. Among the available core services
2008-10-15 | © 2004, 2008 Apple Inc. All Rights Reserved.
CHAPTER 1
Mac OS X System Overview
2
It helps to understand a little how the system is structured. Darwin Open Source kernel with user layers on top. Some separation between core OS and application space gives us some security.
Mac OS X Structure
3
In the file system, users' stuff and system stuff are separate. Users only have access to their things - administrator needed for /Library and /System.
Mac OS X Structure
4
There are actually more items than shown. Mac OS X has two ways to hide files: start the name with a full stop (.), or set an extended attribute called hidden - done via the terminal and the chflags command. .DS_Store (Desktop Services Store) holds folder settings. .Trashes holds trashed items!
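A way to audit a folder for items hidden by either of the two mechanisms above, as an added example that is not part of the original slides. It is written in Python and assumes the hidden attribute set by chflags shows up as the UF_HIDDEN bit of st_flags (present on Mac OS X and BSD, absent elsewhere); the folder contents are constructed sample files.

```python
import os
import stat
import tempfile


def hidden_entries(directory):
    """Map each hidden entry in `directory` to the mechanism(s) hiding it."""
    found = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            reasons = []
            # Mechanism 1: the name starts with a full stop.
            if entry.name.startswith("."):
                reasons.append("dot-prefix")
            # Mechanism 2: the hidden flag set with `chflags hidden <path>`.
            # st_flags only exists on Mac OS X / BSD; treat it as 0 elsewhere.
            flags = getattr(entry.stat(follow_symlinks=False), "st_flags", 0)
            if flags & stat.UF_HIDDEN:
                reasons.append("hidden-flag")
            if reasons:
                found[entry.name] = reasons
    return found


def build_sample_folder():
    """Create a constructed folder: two dot-files, one flagged file, one visible."""
    root = tempfile.mkdtemp(prefix="hidden-audit-")
    for name in (".DS_Store", ".Trashes", "Flagged.txt", "Report.txt"):
        with open(os.path.join(root, name), "w") as handle:
            handle.write("sample\n")
    # os.chflags is only available where the OS supports file flags.
    if hasattr(os, "chflags"):
        os.chflags(os.path.join(root, "Flagged.txt"), stat.UF_HIDDEN)
    return root


if __name__ == "__main__":
    for name, reasons in sorted(hidden_entries(build_sample_folder()).items()):
        print(f"{name}: {', '.join(reasons)}")
```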
Mac OS X Structure
• System Administrator (root)
• Administrator
• Standard
• Guest
• Sharing
sudo
5
Root cannot log in by default. Directory Utility to enable and disable root user. sudo for an admin user to be root for a bit (5 mins). Standard users see stuff locked. Guest login must be enabled - home folder deleted at logout. Sharing users only for remote access - no home so no login.
Mac OS X Structure
• Directory
• Local
• Connected
• OD
• AD
• eDirectory
7
Need to think about where our users are located. Always a Local Datastore for local users. Open Directory is our name for all directory stuff. We can connect to another directory: AD, OD, eDirectory, any LDAP datasource.
Mac OS X Structure
• Binding to AD
• Where is home?
• Local is good
• sync at logout
8
If we are binding to AD for Authentication.... We use Directory Utility or Accounts System Preference. Where is the home located? Mobile account can cause sync issues. Best to keep things local and sync at logout.
Mac OS X Structure
• Users on AD
• Permissions managed via OD
9
Ideal set up is to leave users on AD and manage through OD. Today we will focus on local stuff - things are very similar when connected to OD.
Safer Browsing
10
Safari 5 - ultra modern web browser. HTML5, CSS3. Uses WebKit (Apple invented), used by Google Android, Nokia Series 60, Palm WebOS, Google Chrome. Antiphishing and malware technology.
Safer Browsing
11
Let's have a look at Safari Preferences. Open Safe files after downloading - turn off? Supports the Windows Attachment Monitor to notify AV software that a file has been downloaded and can prompt a scan of the downloaded file!
Safer Browsing
12
All downloads are tagged so Mac OS X knows where the files were obtained from. The website, time and date - just Get Info on a downloaded file to see this. Phishing websites are detected and a warning displayed.
Safer Browsing
13
Cookies should be set to only be accepted from the current domain. Some people object to being tracked so will disable cookies completely. Setting this to never may cause issues with VLE or school management tools.
Safer Browsing
14
You may be surprised to see how many sites use cookies to store user information and how long they will be kept as a record of your browsing history. Of course the remove button will tidy this list up. Cookies are stored in the User's Library folder in a folder called Cookies as a Property list file: ~/Library/Cookies/Cookies.plist
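To put numbers on how long cookies are kept, the following added example (not part of the original slides) summarises a Cookies.plist per domain. It assumes the file is a property list holding an array of dictionaries with Domain, Name and Expires keys; the sample data and domain names are constructed.

```python
import plistlib
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2010, 9, 1)  # fixed reference date for the constructed sample

# Constructed sample standing in for ~/Library/Cookies/Cookies.plist.
# The key names are an assumption about the file layout.
SAMPLE_PLIST = plistlib.dumps([
    {"Domain": ".tracker.example", "Name": "uid", "Path": "/",
     "Value": "abc123", "Expires": NOW + timedelta(days=3650)},
    {"Domain": ".tracker.example", "Name": "seg", "Path": "/",
     "Value": "x", "Expires": NOW + timedelta(days=30)},
    {"Domain": "vle.school.example", "Name": "session", "Path": "/",
     "Value": "s1", "Expires": NOW + timedelta(hours=8)},
])


def cookie_retention(plist_bytes, now, max_days=365):
    """Return {domain: (cookie_count, longest_days, exceeds_limit)}."""
    by_domain = defaultdict(list)
    for cookie in plistlib.loads(plist_bytes):
        expires = cookie.get("Expires")
        if not isinstance(expires, datetime):
            continue  # no usable expiry date: skip rather than guess
        remaining = max((expires - now).days, 0)
        by_domain[cookie.get("Domain", "?")].append(remaining)
    return {
        domain: (len(days), max(days), max(days) > max_days)
        for domain, days in by_domain.items()
    }


if __name__ == "__main__":
    report = cookie_retention(SAMPLE_PLIST, NOW)
    for domain, (count, longest, flagged) in sorted(report.items()):
        note = "  <-- kept longer than a year" if flagged else ""
        print(f"{domain}: {count} cookie(s), longest {longest} days{note}")
```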
Safer Browsing
15
Cookies and other browsing information can be cleared by choosing to Reset Safari from the Safari application menu. Choose what to reset then click Reset.
System Preferences
16
We are going to look at: Security, Parental Controls (local managed prefs), Sharing, Spotlight, Hiding System Preferences.
Security
• Lock Screen
• Parental Controls
• Managed Preferences
17
Security Preferences. Require password. Disable auto login. Log out after x minutes, problem with unsaved docs - demo on next slide.
Security
• Lock Screen
• Parental Controls
• Managed Preferences
19
FileVault is for securing home folders. Strong 256-bit AES (Advanced Encryption Standard) encryption. Master password must be set as a safety net in case user forgets password.
Security
20
Firewall - application level - easy for users, a fairly automatic process. When opening an app that needs net access, user is asked to allow or deny. Enabling Stealth Mode stops ICMP (Internet Control Message Protocol) responses.
Parental Controls
21
Parental Controls - think of these as local managed preferences. We can choose what applications and access to hardware the user has. Simple Finder is useful and secure, but will quickly get in the way for advanced users.
Parental Controls
22
Parental Controls - think of these as local managed preferences. Content filtering, dictionary and web. Websites can be specified on an allow and deny list.
Sharing
23
Mac OS X can share all sorts of things: hardware, connections, files, services, host. It is a good idea to turn off what isn’t required. Restrict access to certain users or groups for services you do enable.
Sharing
24
For example, with remote login, which gives command line access to the machine over the network using SSH, we should restrict this to admin users only.
Sharing
25
Selecting file sharing turns on AFP. Notice all public folders for local users are shared as read only (a drop box inside allows write only). To share via SMB, turn it on and enter password! Stores as NTLMv2 for Windows users.
Spotlight Privacy
26
Spotlight is our searching and indexing service. Indexes everything: file names, contents, all metadata. Choose what is shown in the results list. Control what isn’t included in the Spotlight index. Might be worth adding USB sticks with confidential data to the privacy list so they are never indexed. Index is stored in .Spotlight-V100 at the root.
Software Update
27
Software updates from Apple for the OS and Apple software. You may want to disable auto checking and deploy manually. All updates now delivered with a certificate. Run your own software update server to mirror the updates. Security updates delivered as required, no release schedule (patching Tuesday).
Network
28
Good idea to disable network ports that are not needed. Just select the port and choose Make service inactive from the Action menu.
Hide System Prefs
• Can lock
• Grey icon if managed
• Move to hide
• /System/Library/PreferencePanes
29
We know we can lock system prefs. Through managed preferences we can deny access, but it may be better to hide them?
Hide System Prefs
• Remove rather than hide
• /System/Library/PreferencePanes
32
It disappears! Not the best way.
Hide System Prefs
Accounts.prefPane
33
Bit silly to do that, so... Would be better to move to /Users/LocalAdminUser/Library/PreferencePanes so only that user can access.
Managing Preferences
34
Talk about server side preference management. More control over who can do what. Control from a central location - a Mac OS X server.
Managing Preferences
35
Here’s what we have. Lots of things to control and at various levels: user, workgroup, computer and computer group.
Managing Preferences
36
Managed Finder preferences. Control what users can access and what is shown on the desktop. Simple Finder gives minimal access.
Managing Preferences
38
Managed Media Access preferences. Select what physical and virtual storage can be used. Block USB stick access or set to require authentication.
Managing Preferences
39
Managed System Preferences preferences. Hide system prefs from view - sensible.
Keychain
41
Stores passwords and other information securely. Login.keychain is locked with the same password as the user's account, unlocks on login. Keychain Access is the program to look after the keychain. Any time the user clicks “Remember”, password is stored in keychain.
Keychain
42
Keychain Access preferences allow us to Lock the screen. Like turning on a screen saver and asking for password on wake
Secure Erase & Format
43
Empty trash from Finder menu. Secure empty trash like a 7 pass erase. Can use Disk Utility to erase free space, 7 pass or 35 pass!
Securing the Hardware
• Firmware Password
• utility on the Snow Leopard DVD
• via Deploy Studio script
• through Apple Remote Desktop
• Knowledge Base article HT1352
44
Firmware password - set from a utility on the DVD. Requests password if any keys held at startup. DeployStudio post image task.
http://support.apple.com/kb/HT1352
http://developer.apple.com/samplecode/ApplyFirmwarePassword/
Securing the Hardware
45
All Macs (except MacBook Air and new mini) have a Kensington compatible lock slot. Mac Pro has a side panel lock to restrict internal access.
Anti-virus or not?
• Malware, Trojan or Virus
• RSPlug-F
• iWorkS-A
• Leap-A
47
Current level of risk is minimal, arguably negligible, but real. Malware is in existence, and can do some nasty stuff. Remember system/user are separate - anything that asks for admin rights should be treated with respect. RSPlug-F - changes DNS settings. Leap-A OompaLoompa! Application dressed as an image (no effect on standard user account). We should be nice to other computer users on our network - our Mac could be a gateway in from a USB stick.
Anti-virus or not?
48
Solutions available:
• Intego Virus Barrier
• McAfee VirusScan for Mac
• Norton for Mac 11
• ClamXav - free open source solution
• Sophos
Whatever you choose, keep it up to date.
Anti-virus or not?
49
Sophos have an iPhone app to show current threats, free from App Store. Anti-virus conclusion... minimal threat, run something just in case to protect your network - good idea to run something server side.
Mobile Security
50
Snow Leopard has been our main topic today. But think about security on mobile devices as their use becomes more widespread.
Mobile Security
51
iPod and iPad can be secured. Restrictions can be put in place for all iOS devices, restrictions hidden behind a passcode. Virus even less of an issue as all apps checked.
Training
Authorised Training Centre
52
RM have a national training provider with NTI. Authorised Apple Training Centre delivering accredited, certified Apple courses. Snow 101 for client, Snow 201 for server, 301, 302, 303 for Deployment, Directory and Security & Mobility.
Thank you
Any questions?
Benjamin Stanley
53
We’ve covered a lot today: Structure of OS, Safer Browsing, System Prefs that help with security, Managed prefs from server, Keychain, Hardware security, AV and a little about mobile. Any questions?