Securing Your Macintosh | Apple Training Series: Mac OS X Support Essentials v10.6: A Guide to Supporting and Troubleshooting Mac OS X v10.6 Snow Leopard

With its UNIX core, Mac OS X has many robust built-in security features that restrict attempts to compromise the system, either intentionally or accidentally. However, as with any security system, there are ways to bypass or override the controls. In the end, to secure your machine, you must control physical access to the computer as well as user access to the files on the computer.

There are various types of passwords used in Mac OS X, although some of these are optional:

Login password Each user should have a single login password that is used in the login window and prevents other users from accessing his or her files. (Administrators' login passwords also allow them to change system-wide settings.)
Open Firmware password The computer itself can be protected by a single password that prevents unauthorized users from altering the startup process.
Master password An administrator must create a single master password before users can protect their home folders with FileVault. The master password acts as a back door for resetting passwords on FileVault-protected accounts.
Resource passwords Users may create or enter passwords as needed in Web sites, servers, applications, folder archives, and encrypted disk images. For example, to retrieve email, your email client will require the password provided by your Internet service provider.
Keychain password This password unlocks a user's keychain, a Mac OS X feature that simplifies the storage and automatic retrieval of resource passwords as they are needed.
To maintain a secure company or departmental network and a safe network environment for your users, you must ensure that everyone on your network uses only high-quality passwords.

Creating Passwords

Whenever you create a password, it is important to pick one that will be easy to remember but difficult for other people to guess. If you allow users to transcribe passwords, the written passwords should be stored in a secure place to prevent unauthorized access to the accounts.

The passwords used in this book are not good examples of secure passwords. They are used only for simplicity's sake. However, Mac OS X 10.4 includes a tool called Password Assistant that determines the quality ("strength") of specific passwords and suggests good passwords. To access Password Assistant, click the small icon of a key that appears in Accounts preferences, Security preferences, Keychain Access, and other Mac OS X 10.4 utilities.

If you choose Memorable from the Type pop-up menu, Password Assistant will generate a password of the specified length, composed of uppercase and lowercase letters, punctuation, and numbers. Such passwords are designed to be easy to remember but not vulnerable to dictionary attacks. A dictionary attack is a common intrusion attempt, where an intruder or intrusion tool simply tries to authenticate with common usernames and words that can be found in a dictionary for the passwords (for example, jsmith as the username and workbook as the password.)

High-quality passwords would be SuP3rM@n!, not superman; l%%k@meNøw, not lookatmenow; and E2B3Two^®, not earlytobedearlytorise. Enter these passwords into Password Assistant and watch the Quality indicator. For even stronger passwords, choose a different setting from the Type pop-up menu, or increase the length of the password. A standard user can change his or her own login password, but before doing so the user must enter the current password for authentication. If a user forgets a password, any administrator user on the computer can change the password using Accounts preferences. A password for any account, including the System Administrator, can be changed by booting from the Mac OS X Install DVD and choosing Utilities > Reset Password.

NOTE

Be warned that resetting a login password allows a user to log in with a new password, but changing passwords this way does not reset keychain passwords, master passwords, or network passwords used in a directory service environment.

Setting an Open Firmware Password

You can set an Open Firmware password that must be entered whenever anyone attempts to alter the normal startup procedure by pressing a modifier key (such as Option to choose a different startup disk). For instructions, refer to Knowledge Base document 106482, "Setting up Open Firmware Password Protection in Mac OS X 10.1 or later."

Encrypting Home Folders with FileVault

Although login passwords provide some protection from users gaining access to documents stored in another user's home folder, other users can still gain access to those files. For example, anyone with a Mac OS X Install DVD or an administrator account on the computer can reset a password and log in to the account. Even without changing passwords, someone with System Administrator access can access any file on the system, including those in another home folder.

FileVault enables users to encrypt the contents of their home folders, allowing file access only when the user is logged in. When a user enables the FileVault feature, the user's entire home folder is transferred into an encrypted sparse disk image (which is covered in more depth in Lesson 4, "File Systems").

NOTE

A sparse image is a special kind of disk image that can automatically resize as needed. However, like any file system, a sparse image can become damaged after an abrupt system restart or power outage. Use Disk Utility to repair damaged or corrupted sparse images and disk images.

When the user logs in to the computer locally (not via ssh or Remote Access), the disk image is decrypted and mounted in the Users folder, allowing the user to use his or her home folder. When the user logs out, the disk image is unmounted and re-encrypted, leaving only the disk image file in place of the user's home folder contents. Other users, including administrators, may access the disk image file, but because the disk image file is encrypted, they can't access the contents without the password. The time necessary to encrypt and decrypt the home folder depends upon the size of the folder and the speed of the computer.

NOTE

When turning FileVault on or off for an account, there must be disk space available equal to or greater than the size of the user's home folder. If there is not enough disk space, the account cannot be converted.

TIP

FileVault is not a good choice for home folders with large amounts of data. If you need to encrypt large amounts of data, you should put it in an encrypted disk image on an external FireWire drive or other storage device.

One of the drawbacks of encrypting data is that if the user forgets his or her password, access to the files in the home folder is lost. If an account has FileVault enabled, an administrator user cannot use Accounts preferences to change that account's password, nor can the administrator user turn off FileVault for the account; only the user can do that.

Because users often forget passwords, Mac OS X provides a master password feature to allow passwords on FileVault-protected accounts to be reset. The master password is used only as a back door for recovering FileVault-encrypted accounts. If during login a user enters three incorrect passwords for his or her FileVault-encrypted account, the account's password hint is displayed along with a Reset Password button. After the user clicks Reset Password and enters the master password (obtained from the administrator), he or she can set a new login password.

If you forget the master password, you can reset it, but you must know the passwords for any accounts with FileVault enabled:

1.	As an administrator user, delete the master password keychain file (/Library/Keychains/FileVaultMaster.keychain). When the master password keychain is deleted, Mac OS X assumes that no master password is set yet.
2.	In Security preferences, set a new master password.
3.	Log in to each account that has FileVault turned on, and use Accounts preferences to reset the password for each account.

NOTE

Do not forget the master password! Although it is possible to reset the master password, it still requires all users with FileVault-protected accounts to know their passwords. If a user has forgotten his or her login password, and you have forgotten the master password, there is no way to recover the user's data.

Setting the Master Password

If you want to use FileVault to encrypt your home folder, you must first set the master password for the computer in Security preferences. This password is different from the password you set in Accounts preferences.

To set the master password:

1.	Log in as Apple Admin.
2.	Open System Preferences and click Security.
3.	Click Set Master Password.
4.	Authenticate as Apple Admin if requested.
5.	Type applemp in the Master Password and Verify fields.
6.	Click OK. The master password is set for the computer. You can change it later if you want to by clicking the Change button in Security preferences.
7.	Quit System Preferences.
8.	Choose Apple > Log Out Apple Admin.

Encrypting a Home Folder

To encrypt a home folder using FileVault, create a new user for this exercise and then encrypt the home folder:

1.	Open Accounts preferences.
2.	Unlock the Accounts pane by authenticating as Apple Admin.
3.	Add a new user, Warren Peece (Short Name: warren, Password: peece).
4.	Log out of the Apple Admin account.
5.	Log in to the Warren Peece account.
6.	Open Security preferences.
7.	Click the lock icon at the bottom left of the window, then authenticate as Apple Admin.
8.	Click Turn On FileVault.
9.	Type Warren's password (warren) in the Password field and click OK. A warning message appears asking you if you are sure you want to turn on FileVault.
10.	Take a moment to read the warning message, and then click Turn On FileVault. The system logs out Warren and displays a message indicating that the system is encrypting Warren's home folder and displays a progress bar. The system creates a sparse disk image, copies the home folder into the image, and deletes the old home folder. When the system is finished encrypting Warren's home folder, the login window appears.

Verifying the Home Folder Encryption

Once a home folder is encrypted, the contents of the home folder are inaccessible unless the owner of the home folder logs in. Do the following to verify that the system encrypted Warren's home folder:

1.	Log in as Apple Admin.
2.	Go to /Users/warren. You should see a file named warren.sparseimage. This is the disk image file where Warren's home folder is stored. If you double-click the disk image file, the system prompts you to enter a password. If you enter Warren's password, the disk image mounts.
3.	Click Apple Admin in the menu bar, and choose Warren Peece from the user accounts menu.
4.	Log in using Warren's password.
5.	Go to /Users/warren. Notice that Warren can access the contents of his home folder.
6.	Choose Apple > Log Out Warren Peece.

Resetting a User's Password

If Warren forgets his password, the contents of his home folder are inaccessible, unless his password is reset using the master password.

1.	In the login window, select Warren Peece.
2.	In the Password field, type ABC.
3.	Click Log In. Because ABC isn't Warren's password, the window will shake.
4.	In the Password field, type 123.
5.	Click Log In. Again, access will be denied.
6.	In the Password field, type xyz.
7.	Click Log In. Because logging failed three times, the login window will request the master password.
8.	In the Master Password field, type applemp.
9.	Click Log In. An alert appears explaining that the user's old keychain will be saved and a new one created.
10.	Click OK.
11.	In the New Password and Verify fields, type peece. This will be Warren's new password.
12.	Click Log in. The computer will then log in Warren.
13.	Choose Apple > Log Out Warren Peece.

Setting Security Options

You've just learned how to set a master password and turn on FileVault in Security preferences. This pane has a collection of other options to help protect your system from unauthorized use.

You can specify that a password is required to wake the computer from sleep or from a screen saver. You can also disable automatic login to force users to authenticate, require users to enter a password to unlock a secure system preference, and log out a user after a specific number of minutes of inactivity.

A new feature in Mac OS X 10.4 is the use of secure virtual memory. This addresses a rare issue in which private information could be obtained by searching the information left over in the virtual memory scratch files. Select the "Use secure virtual memory" checkbox to take advantage of this feature.

TIP

While the default installation of Mac OS X has automatic login enabled, most corporate environments would want this feature turned off, as well as requiring a password to wake a system from sleep. For additional security, consider using secure virtual memory, FileVault, and the Open Firmware Password utility.

Using Keychains

Beyond the user login password, a user has to keep track of passwords for many other resources, such as Web sites, servers, and applications. When you connect to a server or Web site or open a keychain-aware application, the password used can be stored in the keychain. The next time you access those resources, the password is read from your keychain automatically.

The user's default keychain is automatically created at the same time the account is created. That keychain is named "login" and is stored in ~/Library/Keychains. By default, the login keychain is protected by the user's original login password. A system-wide keychain named "System" is also created by default and is shared by all users on the system. Since the keychain is not "tied" to the computer, it can be copied to other computers. For example, when a user upgrades to a new computer, he or she can copy the keychain from the old computer to the new one.

You can use Keychain Access (/Applications/Utilities) to create additional keychains for each user, based on types of resources or on particular locations. Users can also use Keychain Access to manage their keychains, including what passwords are stored in a keychain and what password is used to unlock the keychain. Keychain Access also includes Keychain First Aid (located under the Keychain Access menu), which can be used to verify and repair keychain settings and permissions.

You can change the password to unlock a keychain at any time, however, if you want your default keychain to be unlocked automatically when you log in, make sure your keychain password is the same as your Mac OS X login password. If an administrator changes a login password, the keychain password for that account does not get changed as well. As a result, the user can log in with the new password, but the keychain will not automatically open.

Synchronizing Login and Keychain Passwords

When users change their own login password using Accounts preferences, their keychain password is updated with the new password information if the keychain's existing password is the same as the user's existing login password. If a user's login password is changed by an administrator or by the Reset Password utility on the Mac OS X Install DVD, the user's keychain is still protected by the user's old password and needs to be synchronized with the new login password.

This exercise will guide you through resetting a user's keychain password, creating a keychain entry, then synchronizing the login and keychain passwords.

1.	Restart using the Mac OS X Install DVD.
2.	At the first screen, select "Use English as the main language" then press Return.
3.	Choose Utilities > Reset Password.
4.	In the Reset Password window, select the volume icon that represents your startup disk. The "Select a user of this volume" pop-up menu will change to list the user accounts on that volume.
5.	Choose Chris Johnson from the pop-up menu. New users do not yet have data in the keychain, so changing their passwords has few consequences.
6.	In both password fields, enter f00tba11 (f-zero-zero-t-b-a-one-one).
7.	Click Save.
8.	Click OK in the Password Saved dialog. You have changed Chris Johnson's login password. Because the new login password does not match the original login password also used for the keychain, Chris is at risk of losing his keychain data. If a user forgets his or her keychain password when his or her login and keychain passwords are out of sync, the keychain cannot be unlocked and might need to be recreated.
9.	Quit Reset Password.
10.	Quit Installer.
11.	Click Restart.
12.	Log in as Chris Johnson (password: f00tba11).
13.	Open Accounts preferences.
14.	Click Change Password.
15.	Enter the password you just reset: f00tba11
16.	Enter a new password: chris
17.	Quit System Preferences. Chris Johnson's keychain does not contain any data. We will now attempt to create an entry in the keychain.
18.	Launch Disk Utility (/Applications/Utilities).
19.	Choose File > New > New Blank Image.
20.	Choose AES-128 from the Encryption pop-up menu.
21.	Enter test as the file name.
22.	Click Create.
23.	In the Authenticate window, enter test in the Password and Verify fields, select the "Remember password (add to Keychain)" checkbox, and click OK. Disk Utility attempts to add this disk image's password information to your keychain. Because the keychain is locked, you must authenticate with the keychain password.
24.	When prompted for your keychain password, enter f00tba11 and click OK. Because the keychain is protected by the original "changeme" password, the request fails. At this point, Chris has no access to his keychain data. If Chris forgot his keychain password, he would not be able to access his keychain data even though his login password could be reset.
25.	In the Password field, enter changeme and click OK. Because you entered the password that protects the keychain, Disk Utility is able to create the encrypted disk image and save its password to the keychain.
26.	Unmount the test disk icon from the Finder desktop.
27.	Open Keychain Access (/Applications/Utilities).
28.	Click Show Keychains at the bottom left.
29.	Lock the keychain by clicking the lock icon above the list of keychains.
30.	Double-click the disk image entry.
31.	In the Attributes pane, select the "Show password" checkbox. Because the keychain is now locked, you are prompted for the keychain password.
32.	In the Password field, enter changeme and click OK. The keychain will unlock.
33.	In the Password field of the "Confirm Access to Keychain" dialog, enter changeme and click Always Allow. This grants the Keychain Access application the permission to retrieve the encrypted disk image password. Notice that the disk image password (test) is now visible.
34.	Close the test.dmg window. Because the keychain password is not the same as the login password, mounting the test disk image will always require Chris to enter the disk image password. Let's synchronize the keychain password with the login password so that the disk image is automatically opened when double-clicked.
35.	In Keychain Access, verify that the login keychain is unlocked.
36.	Choose Edit > Change Password for Keychain "login."
37.	In the Change Keychain Password dialog, enter the following information: Current Password: changeme New Password: f00tba11
38.	Click OK to save the new password. Chris' keychain password is now synchronized with the login password. If Chris changes his login password again, the keychain password would also be changed because the login password and the keychain password are now the same.
39.	Quit Keychain Access.

Troubleshooting User Account Issues

Here are some basic user account troubleshooting topics and solutions:

If you are unable to log into a computer because the administrator login passwords are lost, boot from the Mac OS X Install DVD and choose Utilities > Reset Password. If you can log in using an administrator account, you can reset a user's password in Accounts preferences.
NOTE

If an account is protected by FileVault, the only way to reset its login password is to first enter the master password. If you forget your master password in addition to your account's login password, there is no way to recover the data that was encrypted by FileVault.
Whenever you have a problem with your computer, one troubleshooting technique is to log in with a different user account and see if the problem is reproducible. If the problem does not occur with the other user account, you can focus on the things that are user-specific, such as permissions and preferences.
If a user's login password is changed by an administrator or by the Reset Password utility on the Mac OS X Install DVD, the system does not change the old password stored in the keychain to the new one. To fix this problem, the user should use Keychain Access to change the keychain password to match the login password.
When using fast user switching to switch to another account, you might not be able to access certain resources. To determine if fast user switching is the cause, turn off fast user switching.
If you can't make changes to certain System Preferences such as Network, Sharing, and Energy Saver, or you cannot install applications in the Applications folder, it's because you are a standard user and not an administrator. As a standard user, you are limited to making configuration changes that affect only your account, such as what applications and files are opened when you log in and what picture is displayed as the background pattern. You cannot make changes to system-wide settings without first authenticating as an administrator.
You can get information such as Mac OS version, build number, serial number, date/time/time zone, and machine name by clicking the text field under Mac OS X in the login window.