With its UNIX core, Mac OS X has many robust built-in security features that restrict attempts to compromise the system, either intentionally or accidentally. However, as with any security system, there are ways to bypass or override the controls. In the end, to secure your machine, you must control physical access to the computer as well as user access to the files on the computer. There are various types of passwords used in Mac OS X, although some of these are optional:
Creating Passwords
Whenever you create a password, it is important to pick one that will be easy to remember but difficult for other people to guess. If you allow users to transcribe passwords, the written passwords should be stored in a secure place to prevent unauthorized access to the accounts. The passwords used in this book are not good examples of secure passwords. They are used only for simplicity's sake. However, Mac OS X 10.4 includes a tool called Password Assistant that determines the quality ("strength") of specific passwords and suggests good passwords.
To access Password Assistant, click the small icon of a key that appears in Accounts preferences, Security preferences, Keychain Access, and other Mac OS X 10.4 utilities. If you choose Memorable from the Type pop-up menu, Password Assistant will generate a password of the specified length, composed of uppercase and lowercase letters, punctuation, and numbers. Such passwords are designed to be easy to remember but not vulnerable to dictionary attacks.
A dictionary attack is a common intrusion attempt, where an intruder or intrusion tool simply tries to authenticate with common usernames and words that can be found in a dictionary for the passwords (for example, jsmith as the username and workbook as the password). High-quality passwords would be SuP3rM@n!, not superman; l%%k@meNøw, not lookatmenow; and E2B3Two®, not earlytobedearlytorise. Enter these passwords into Password Assistant and watch the Quality indicator. For even stronger passwords, choose a different setting from the Type pop-up menu, or increase the length of the password.
A standard user can change his or her own login password, but before doing so the user must enter the current password for authentication. If a user forgets a password, any administrator user on the computer can change the password using Accounts preferences.
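The dictionary-word passwords contrasted with high-quality ones under Creating Passwords above can be detected mechanically. The following is an added example, not from the book and not how Password Assistant computes its Quality indicator: it reports whether a password is nothing more than dictionary words run together. The wordlist and function names are constructed for illustration.

```python
# Added example: flag passwords that are only dictionary words run together.
# WORDS is a tiny constructed wordlist; a real check would load a full
# dictionary file instead.
WORDS = {"super", "man", "superman", "work", "book", "workbook",
         "look", "at", "me", "now", "early", "to", "bed", "rise"}


def dictionary_split(password, words=WORDS):
    """Return the dictionary words that spell `password`, or None.

    Case is ignored because attack tools routinely try case variants.
    Dynamic programming: best[i] holds one way to split the first i
    characters into dictionary words, or None if no split exists.
    An empty password yields [] and therefore counts as guessable.
    """
    text = password.lower()
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            piece = text[start:end]
            if best[start] is not None and piece in words:
                best[end] = best[start] + [piece]
                break
    return best[len(text)]


def is_dictionary_guessable(password, words=WORDS):
    """True when the whole password is built from dictionary words."""
    return dictionary_split(password, words) is not None


if __name__ == "__main__":
    # The password pairs quoted in the text above.
    samples = ["superman", "SuP3rM@n!", "lookatmenow", "l%%k@meNøw",
               "earlytobedearlytorise", "E2B3Two®", "workbook"]
    for pw in samples:
        split = dictionary_split(pw)
        verdict = "dictionary words: " + "+".join(split) if split else "no dictionary match"
        print(f"{pw!r:26} {verdict}")
```

A password that passes this check is not thereby strong; the check only rules out the plain dictionary case the text describes.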
A password for any account, including the System Administrator, can be changed by booting from the Mac OS X Install DVD and choosing Utilities > Reset Password.
NOTE Be warned that resetting a login password allows a user to log in with a new password, but changing passwords this way does not reset keychain passwords, master passwords, or network passwords used in a directory service environment.
Setting an Open Firmware Password
You can set an Open Firmware password that must be entered whenever anyone attempts to alter the normal startup procedure by pressing a modifier key (such as Option to choose a different startup disk). For instructions, refer to Knowledge Base document 106482, "Setting up Open Firmware Password Protection in Mac OS X 10.1 or later."
Encrypting Home Folders with FileVault
Although login passwords provide some protection from users gaining access to documents stored in another user's home folder, other users can still gain access to those files. For example, anyone with a Mac OS X Install DVD or an administrator account on the computer can reset a password and log in to the account. Even without changing passwords, someone with System Administrator access can access any file on the system, including those in another home folder. FileVault enables users to encrypt the contents of their home folders, allowing file access only when the user is logged in. When a user enables the FileVault feature, the user's entire home folder is transferred into an encrypted sparse disk image (which is covered in more depth in Lesson 4, "File Systems").
NOTE A sparse image is a special kind of disk image that can automatically resize as needed. However, like any file system, a sparse image can become damaged after an abrupt system restart or power outage. Use Disk Utility to repair damaged or corrupted sparse images and disk images.
When the user logs in to the computer locally (not via ssh or Remote Access), the disk image is decrypted and mounted in the Users folder, allowing the user to use his or her home folder. When the user logs out, the disk image is unmounted and re-encrypted, leaving only the disk image file in place of the user's home folder contents. Other users, including administrators, may access the disk image file, but because the disk image file is encrypted, they can't access the contents without the password. The time necessary to encrypt and decrypt the home folder depends upon the size of the folder and the speed of the computer.
NOTE When turning FileVault on or off for an account, there must be disk space available equal to or greater than the size of the user's home folder. If there is not enough disk space, the account cannot be converted.
TIP FileVault is not a good choice for home folders with large amounts of data. If you need to encrypt large amounts of data, you should put it in an encrypted disk image on an external FireWire drive or other storage device.
One of the drawbacks of encrypting data is that if the user forgets his or her password, access to the files in the home folder is lost. If an account has FileVault enabled, an administrator user cannot use Accounts preferences to change that account's password, nor can the administrator user turn off FileVault for the account; only the user can do that. Because users often forget passwords, Mac OS X provides a master password feature to allow passwords on FileVault-protected accounts to be reset. The master password is used only as a back door for recovering FileVault-encrypted accounts. If during login a user enters three incorrect passwords for his or her FileVault-encrypted account, the account's password hint is displayed along with a Reset Password button. After the user clicks Reset Password and enters the master password (obtained from the administrator), he or she can set a new login password.
If you forget the master password, you can reset it, but you must know the passwords for any accounts with FileVault enabled:
NOTE Do not forget the master password! Although it is possible to reset the master password, it still requires all users with FileVault-protected accounts to know their passwords. If a user has forgotten his or her login password, and you have forgotten the master password, there is no way to recover the user's data.
Setting the Master Password
If you want to use FileVault to encrypt your home folder, you must first set the master password for the computer in Security preferences. This password is different from the password you set in Accounts preferences. To set the master password:
Encrypting a Home Folder
To encrypt a home folder using FileVault, create a new user for this exercise and then encrypt the home folder:
Verifying the Home Folder Encryption
Once a home folder is encrypted, the contents of the home folder are inaccessible unless the owner of the home folder logs in. Do the following to verify that the system encrypted Warren's home folder:
Resetting a User's Password
If Warren forgets his password, the contents of his home folder are inaccessible, unless his password is reset using the master password.
Setting Security Options
You've just learned how to set a master password and turn on FileVault in Security preferences. This pane has a collection of other options to help protect your system from unauthorized use. You can specify that a password is required to wake the computer from sleep or from a screen saver. You can also disable automatic login to force users to authenticate, require users to enter a password to unlock a secure system preference, and log out a user after a specific number of minutes of inactivity. A new feature in Mac OS X 10.4 is the use of secure virtual memory. This addresses a rare issue in which private information could be obtained by searching the information left over in the virtual memory scratch files. Select the "Use secure virtual memory" checkbox to take advantage of this feature.
TIP While the default installation of Mac OS X has automatic login enabled, most corporate environments would want this feature turned off, as well as requiring a password to wake a system from sleep. For additional security, consider using secure virtual memory, FileVault, and the Open Firmware Password utility.
Using Keychains
Beyond the user login password, a user has to keep track of passwords for many other resources, such as Web sites, servers, and applications. When you connect to a server or Web site or open a keychain-aware application, the password used can be stored in the keychain. The next time you access those resources, the password is read from your keychain automatically. The user's default keychain is automatically created at the same time the account is created. That keychain is named "login" and is stored in ~/Library/Keychains. By default, the login keychain is protected by the user's original login password. A system-wide keychain named "System" is also created by default and is shared by all users on the system. Since the keychain is not "tied" to the computer, it can be copied to other computers.
For example, when a user upgrades to a new computer, he or she can copy the keychain from the old computer to the new one. You can use Keychain Access (/Applications/Utilities) to create additional keychains for each user, based on types of resources or on particular locations. Users can also use Keychain Access to manage their keychains, including what passwords are stored in a keychain and what password is used to unlock the keychain. Keychain Access also includes Keychain First Aid (located under the Keychain Access menu), which can be used to verify and repair keychain settings and permissions. You can change the password to unlock a keychain at any time; however, if you want your default keychain to be unlocked automatically when you log in, make sure your keychain password is the same as your Mac OS X login password. If an administrator changes a login password, the keychain password for that account does not get changed as well. As a result, the user can log in with the new password, but the keychain will not automatically open.
Synchronizing Login and Keychain Passwords
When users change their own login password using Accounts preferences, their keychain password is updated with the new password information if the keychain's existing password is the same as the user's existing login password. If a user's login password is changed by an administrator or by the Reset Password utility on the Mac OS X Install DVD, the user's keychain is still protected by the user's old password and needs to be synchronized with the new login password. This exercise will guide you through resetting a user's keychain password, creating a keychain entry, then synchronizing the login and keychain passwords.
Troubleshooting User Account Issues
Here are some basic user account troubleshooting topics and solutions: