Secure Mac OS X
All the basic OS X "security settings" are within System Preferences. This guide is to help you perform "basic" but good security for your MAC running OS X Leopard. It is not the end all and there are more options using "ipfw", but for the average user this is a good guide from which to branch out on as needs arise.
Click on the "Sharing" Icon. Un-check Services that are not needed or are a possible security risk. I've chosen to open "SSH/Remote Access" to my system, but I've also limited to only allow my account. Chances are if Systems Staff set up your Mac there is a "csroot" account, please grant this account SSH access if you would like us to assist you remotely; if you do not have a "csroot" account please request that one be set up.
Security General Tab
Next Click "Show All" button and go to "Security" General Tab:
- Require password to wake this computer from sleep or screen saver: This does exactly what it says. If you put the computer to sleep or have a screen saver setup then you’ll be asked for your user account information to unlock the computer. Use this, especially on portables. Of course, a restart will make this go away, so …
- Disable automatic login: This completely disables automatic login. Your system will start up to a login panel with a list of names.
This is the most secure option because it doesn’t make the computer usable from a cold boot.
- Require password to unlock each secure system preference: Notice how a lot of preferences have that lock at the bottom
(like Network, Security, and Accounts)? Turning this on locks all of those by default, requiring an admin password (even for the admin user) to unlock. If you don’t do this, anyone can come right back to this preference pane and turn all of these settings off. Check it.
- Log out after __ minutes of inactivity: More annoying than useful to me, but if you tend to walk away from your computer
and don’t mind losing your place in your work, turn this on. Locking the screen saver works well for me, instead.
- Use secure virtual memory: Turn this on. If this is off, then any time you enter a password it’s possible the system
will write that password out in a block of memory it’s dumped to a file in /var/vm and, thus, makes the password recoverable. Using secure VM means those files are encrypted and it’s near-impossible to discover a user’s password from the swap files.
Security FileVault Tab
Early versions of Panther did very nasty things to FileVault; therefore FileVault has a reputation of being risky. If you think you want to use FileVault please think it over carefully and research. It is recommend using “encrypted” folders instead (see below for how-to) In short:
- All of your personal files are automatically encrypted and decrypted as you use them. You don't have to think about it or type in multiple passwords as you work.
- FileVault uses AES-128 encryption which is approved by the National Security Agency to protect classified information. National policy on the use of AES to protect national security systems link (PDF)
- Since FileVault encrypts and decrypts files as you use them, it can affect the performance of your computer. We don't recommend FileVault for tasks like movie editing or advanced graphics work that requires rendering. However, you can create two separate user accounts to work around this.
Use FileVault on the user account with your business documents and use creative applications on an account without FileVault.
- If you forget your log-in and master password, you will not be able to access any of your files. These passwords cannot be reset and your files cannot be recovered.
I strongly suggest the creation of a single encrypted image (Folder) to keep sensitive documents/data in. Also suggest keeping a good backup of that data in a physically secure location at home just in case the image bites it. Here is a url to a good how-to for creating an encrypted image:
Security Firewall Tab
- Toggle: Set access for specific services and applications"
In this case you see that SSH/Remote Login is listed as a service and you have the option to add other services or applications. Gives you more control than the "default". Next Click on the "advance" button.
Security Firewall "advanced" Tab
- Logging: Up to you... I believe logging is a good
- “Enable Stealth Mode.” This hides closed services from someone probing your computer using certain techniques(nmap, ping sweep ..etc)
while adding just a little extra security.
*Disable any/all guest access