The Bitstream Blog :: Posts

Lock ’Em Down

Hallo hoppy reader,

I was slogging through yet another white paper, someone else’s about HDDs to be precise, and something mentioned got me thinking about security. So this month’s Bitstream is about a secure OS, specifically Mac OS. Despite the Mac’s reputation for safety and security, the truth is somewhat off that center, though Snow Leopard should address most of the existing vulnerabilities. So, let’s take a quick look at how you can lock down your Mac without going ca–razy…

Mac OS enjoys a relative small market share, somewhere around 10% of overall use relative to all operating systems, since Windows still swamps it along with everything else. The smugness felt by Mac users, which often includes me by the way, is largely a numbers game. Fewer users mean fewer exploits and, relative to other flavors of Unix, Mac OS has a healthy number of vulnerabilities. What’s a mother to do?

Let’s start with a really glaring issue, that of admin–level access…If you run your own show, you’re the one controlling access privileges. So, you have at least one admin account, for when the computer goes south. Right? For day to day work, you have a non–admin account as well, right? Probably not. Most power users disdain “standard” accounts because of the small amount of additional work required to log in or authenticate as an admin or root when heavy lifting needs to be done. Unless you’re a sysadmin however, you should consider using a standard account most of the time. The reasons are twofold; first, your day–to–day account will get squirrely over time. It just happens and, having a relatively pristine admin account you can fall back onto for testing and repair is simply a smart plan.

The other reason is security. There’s no good reason to be logged in as admin unless you’re, yup, doing admin stuff! I know, it can be a PITA, albeit a small pain, but the OS is a good bit more locked down that way.

OK, on to simple changes to your System Prefs…First, in Accounts, disable automatic login and display the login window as Name & Password fields, as opposed to a List of Users. That way, an attacker has to know both an account’s shortname and its password. Also, in the Security pane, enabled the Require password to awake from sleep option.

Next, root passwords. “Root” is another name for the “superuser”, the one user to bind them all, so to speak. In Mac OS, as in most Unix–like OSs, the root user has free reign, with permissions to do anything, see anything and, totally destroy the computer if not careful or if that’s their goal. If an unauthorized user gains root access, they can have their way with your Mac…not good. So, set a really strong root password and remember, FileVault’s master password is not your root password.

There are several ways to set the root password but arguably the easiest is to use NetInfo Manager. You’ll find it in Utilities. Start it up and head to the Security menu.

 

NetInfo Manager's Security menu

NetInfo Manager’s Security menu, click to zoom in

The Authenticate… menu selection let’s you do just that; enter your admin credentials. Once you’ve authenticated, you can then Enable Root User, then Change Root Password… to, again, a strong password string which includes a mix of upper and lower case letters and one or more numbers. Stay away from metacharacters, use only letters and numbers. [By the way, for FileVault’s master password, don’t start it with a capital U, there’s a bug that may bite you.] Don’t forget to Disable Root User and de–authenticate when you’re done in NetInfo Manager.

 

Setting the Root Password

Setting the Root Password

OK, now you have basic password protection unless…unless you have a portable. Anyone with unfettered physical access to your Mac can do whatever they want unless you set an Open Firmware password. An Open Firmware password prevents unauthorized user from, as Apple says, “…starting up the computer from a volume other than the one you have chosen as the startup disk (chosen in the Startup Disk preference panel within the System Preferences.) Once security is enabled, you cannot startup from other devices such as an external FireWire disk, a CD-ROM drive, or another partition or disk inside the computer.” In other words, you’re protected. I’m not going to go into detail about setting your Open Firmware password, I’ll leave that research to you. 😉

For in–depth info on locking down Mac OS, I recommend the National Security Agency’s Security Configuration Guides. They’re well written and cover several versions of Mac OS, Linux, Windows and Solaris. The ones for Mac OS were crafted by Apple with the assistance of the NSA. A short guide is also available from the MacTech folks. Back in 2005, they published Securing Mac OS X. Some of it’s out of date but it’s a good quick overview.

OK, I give up! My aim here is to increase your awareness of basic security issues, not write the exhaustive guide. So, read up on security. It could save you or your company’s butt and, as Mac OS’ market share increases it’s inevitable that Mac will increasingly become the targets of the same malware and attacks from which Windows already suffers. Instill good habits now, you’ll need ’em later! Also, if any of you have suggestions for other security resources, don’t lurk. Please weigh in and, continue to geek!

Share

2 Responses to “Lock ’Em Down”

  1. thank you for the new new entry. That is extremely heart felt.

  2. Regarding security methods, especially for companies, I have to agree with what you have said entirely. You’ll find so many choices in the marketplace, it is critical for any professional to know what is most effectivefor his or her situation along with particular office building. The insights you’re providing will be a terrific help to businesses in addition to security professionals similarly. Thanks again!