Control Physical Access to Your Mac


One of the first ways to protect the security of your Mac and its files is to ensure that no one can access it. While it’s easy to prevent anyone from accessing a computer over a network—just unplug its Ethernet cable, or turn off AirPort wireless networking—physical access to your Mac is another story. It has been said that the only truly safe computer is one locked in a vault and protected by armed guards, but that defeats the purpose of having a computer.

Your Mac is already protected so others cannot access your files: you have an individual user name and password, which allow you to access your account and the files in your home folder. If you are the administrator of your Mac, which is the case if you are its only user (see Chapter 8 for a discussion of the administrator account), you can eventually access any user’s files on your Mac.

If you use your Mac in an environment where others can approach your Mac—your home, office, school, or lab—there’s little you can do to prevent these people from accessing your Mac, but you can do several things to prevent them from accessing your files. Some of these are settings in the Security pane of the System Preferences. (See Figure 19-1.) To access these settings, open the System Preferences by clicking its icon in the Dock, or select the Apple Menu | System Preferences. Click the Security icon to display this preference pane.

Figure 19-1: The Security preference pane is where you turn on settings that can protect your Mac.

To access many of the settings on this preference pane, you must be an administrator, and if the lock icon shows a closed padlock, click it and enter your user name and password to make changes. If you are not an administrator, you can access FileVault settings for your account and turn on password protection after waking from sleep or a screen saver.

Tip

If your Mac is in an office or school, or even if you work in a store or any other location where a lot of people pass through, you might want to consider a Kensington MicroSaver security cable (www.microsaver.com) to lock your Mac and prevent anyone from walking off with it.

Use FileVault

Mac OS X 10.3 includes a new feature called FileVault, which automatically encrypts the contents of your home folder. When you need to use a file in this folder or its subfolders, FileVault decrypts it on the fly; then, when you’ve finished working with it, FileVault encrypts it again.

FileVault offers powerful 128-bit encryption to protect the files in your home folder in case your Mac is lost or stolen. It also prevents hackers or vandals from accessing your files if they manage to enter your computer over a network and you are not logged in to your account.

FileVault requires that you set a master password; this password, which only an administrator can set, can unlock any FileVault account on the computer. Each user needs their individual password to access their account; this is the same password they use to log in to their account. To turn on FileVault for your account, click Turn On FileVault, and then enter your password at the prompt and click OK. You’ll see a warning that makes it clear that “if you forget your login password and the master password is not available, your data will be lost forever.” This is no joke; you won’t be able to get your files back if you don’t have one of these two passwords.

If you’re really sure you want to go ahead, click Turn On FileVault in this dialog. Your account will log out and you’ll see a FileVault screen as your home folder is encrypted. This may take a while if you have a lot of files. When encryption has completed, you’ll see a login window. Click your user name, and then enter your password to log in. You can now access your files as before, with the difference being that they are protected and other users will not be able to decrypt them without either your login password or the master password.

You can tell that your home folder is encrypted by its icon, visible either in the Finder window sidebar or in the Users folder.

If you ever want to turn off FileVault protection, open the Security pane of the System Preferences and click Turn Off FileVault. You’ll be prompted to enter your password; do this, and then click OK. A dialog asks you to confirm that you want to turn off FileVault. Click Turn Off FileVault to do this. As when you turned on FileVault, your Mac logs out your account. It then decrypts your home folder and displays a login screen for you to log in again.

Note

Before deciding to use FileVault, you should be aware of its advantages and disadvantages, and decide whether it is worth using. FileVault offers no choice in what you encrypt. It encrypts your entire home folder, and if you store digital music files, photos, and video there, it can be very slow and take a long time to encrypt or decrypt. In addition, early users of FileVault lost data. Apple fixed some of the problems quickly, but the fact remains that this type of technology leaves little room for error. If you do use FileVault to protect your files, make sure to back up these files often. (See Chapter 21 for more on backing up files.) If you only have a handful of files that are sensitive enough to warrant encryption, there are other solutions available. I’ll tell you about them later in this chapter in the “Other Encryption Solutions” section.

Other Security Settings

The Security preference pane offers other security settings as well.

You can choose to activate the following functions for your account:

  • Require Password to Wake this Computer from Sleep or Screen Saver: If you check this, your Mac will ask you to enter your password when you wake it from sleep or when a screen saver has become active. This applies only to the active account, and each user can access this setting. This is useful to protect physical access to your Mac if you go away from your desk and put your Mac to sleep, or if you turn on its screen saver using a hot corner when you step away.

The remaining settings on the Security preference pane affect all accounts, and only an administrator can change them.

  • Disable Automatic Login: If you check this, your Mac will ask for a user to log in by entering their password each time it starts up. If you use automatic login—which is convenient if you’re the only user of your Mac—this password request is bypassed, and your Mac starts up in the user account selected for automatic login. Turning off automatic login means that a user with an account must be present when the computer is turned on for any files to be accessible. Otherwise, anyone can turn on your Mac and access the files belonging to the user who logs in automatically.

    Note

    You can also turn on automatic login from the Login Options screen of the Accounts preference pane. This is a bit confusing, though. The Accounts pane lets you turn automatic login on and choose which users log in automatically. The Security pane lets you turn it off—in spite of it saying “Disable Automatic Login,” it doesn’t disable this feature, or turn it off permanently. Checking this option on the Security pane is the same as turning off automatic login from the Accounts pane. If you do this, and then turn automatic login back on in the Accounts pane, you’ll see that Disable Automatic Login is no longer checked in the Security pane.

  • Require Password to Unlock Each Secure System Preference: Checking this means that even administrators, logged in to an administrator account, must enter their password each time they want to access secure system preferences. These are preference panes where you see a lock icon at the bottom left. They include the Startup Disk, Network, Sharing panes, some items on the Security and Accounts panes, and others.

  • Log Out After n Minutes of Inactivity: This tells the Mac to log out if its user is inactive for the number of minutes you select. This restricts physical access to the Mac if the user leaves their computer and doesn’t log out. However, it doesn’t protect that same Mac for the number of minutes before it logs out. If you set this to a low number, any user who is in front of their Mac and not using it—maybe they are on the phone or doing other work—will be annoyed by having to log in often. If you set it to a high number, it won’t protect the computer much, since a user can be away from their desk for several minutes before it activates. If you’re really worried about such access, turn on Fast User Switching (see Chapter 8), and instruct your users to select Login Window from the user menu whenever they leave their desks. This displays a login window without logging out the current user. When they return to their desk, they can just click their user name, enter their password, and get back to work right away.

Other Encryption Solutions

In the section on FileVault earlier in this chapter, I pointed out that there are advantages and disadvantages to using FileVault. There are other solutions for protecting selected files by encrypting them—some are commercial, but one is built into Mac OS X.

Among the commercial solutions is software called PGP (Pretty Good Privacy; www.pgp.com). PGP offers a full range of encryption solutions, from e-mail to files, and its product line includes software for everyone from home users to large companies. Most Mac users will find that PGP Personal Desktop meets their needs. This offers e-mail encryption and includes PGP Disk, which creates volumes that are encrypted when not in use, and offers excellent security for portable computers in case they are lost or stolen.

Work with an Encrypted Disk Image

One of the best ways to protect sensitive files is built into Mac OS X. You can create an encrypted disk image, into which you can copy any sensitive files you have on your Mac. When you mount the disk image, you are asked for its password, and when you unmount it, it is protected. Here’s how you go about creating an encrypted disk image:

  1. Open Disk Utility, which is in the Utilities folder of your Applications folder.

  2. Select Images | New | Blank Image. The New Blank Image dialog displays.

  3. Enter a name for your disk image, and then select a location to save it in. (For more on using Save dialogs, see Chapter 13.) You’ll probably want to save it in your Documents folder, or somewhere else in your home folder.

  4. Select a size from the Size pop-up menu. By default, this displays 40MB. If you want to protect a lot of files, calculate how much space they will take up, and then add about 25 percent to make sure that you can add other files. If you only have a few files to protect, select a smaller size, such as 5MB. If you think you’ll be adding many files to this disk, plan accordingly and choose a larger size.

  5. Click the Encryption pop-up menu and select AES-128.

  6. Leave the format as Read/Write Disk Image, so you can add files to it later.

  7. When you’ve made all these selections, click Create.

  8. A dialog displays asking you to enter a password for this disk image. Enter a password, and then enter it again in the Verify field. If you want to add it to your keychain, check Remember Password (Add to Keychain). (I’ll talk about the keychain later in the “Work with Keychains” section of this chapter.)

  9. Click OK to record this password.

Disk Utility creates your encrypted disk image and then mounts it on the Desktop. (See Figure 19-2.)


Figure 19-2: A disk image file, at the left, and its disk image mounted on the Desktop

To add files to the disk image, just copy them into the mounted disk image, the icon on the right in Figure 19-2. This works like a virtual disk; you can double-click this icon to display its contents, add files to it, and remove files by dragging them to the Trash. When you’re finished adding files to the disk image, drag it to the Trash (or click it and select File | Eject) to eject it. (Make sure not to drag the disk image file to the Trash. This is the file with the .dmg extension.)

When you want to access your files, double-click the disk image file to mount the encrypted disk image. If you chose to add your password to your keychain, you may not need to enter your password; if you’ve already entered your keychain password in the current session, your keychain will be unlocked. If not, you’ll be prompted to enter your password to access the disk image’s files.

As long as your files remain inside this disk image, they are encrypted, but if you copy them to another location on your Mac, the encryption is removed. You can delete any of the files in the disk image by dragging them to the Trash, and then emptying it.
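
The same create, mount, copy, and eject sequence can be scripted with hdiutil, the command-line tool for disk images. This is an added example, not from the book: it assumes a current macOS whose hdiutil accepts -encryption AES-128, and the function names and the volume name Sensitive are placeholders chosen here.

```sh
#!/bin/sh
# Added example (not from the book): the Disk Utility steps done with hdiutil.
# Assumes a current macOS hdiutil; function names and "Sensitive" are made up here.

# Step 4 sizing: KB of data plus about 25 percent, rounded up to whole MB,
# never below the 5 MB size suggested for a handful of files.
headroom_mb() {
    mb=$(( ($1 * 125 / 100 + 1023) / 1024 ))
    if [ "$mb" -lt 5 ]; then mb=5; fi
    echo "$mb"
}

# Size to request for everything under a folder.
image_size_mb() {
    kb=$(du -sk "$1" | awk '{print $1}')
    headroom_mb "$kb"
}

# Create an AES-128 read/write image, mount it, copy the files in, eject it.
# hdiutil asks for the image password itself (steps 8 and 9).
make_encrypted_image() {
    src=$1
    image=$2
    volname=${3:-Sensitive}
    command -v hdiutil >/dev/null 2>&1 || { echo "hdiutil not found" >&2; return 1; }
    size=$(image_size_mb "$src") || return 1
    hdiutil create -size "${size}m" -fs HFS+ -volname "$volname" \
        -encryption AES-128 "$image" || return 1
    # Assumes no other volume named $volname is mounted, so the image
    # appears at /Volumes/$volname.
    hdiutil attach "$image" || return 1
    cp -R "$src"/. "/Volumes/$volname/" || { hdiutil detach "/Volumes/$volname"; return 1; }
    hdiutil detach "/Volumes/$volname"
}

# Usage: sh make-image.sh <folder> <image.dmg> [volume name]
if [ "$#" -ge 2 ]; then
    make_encrypted_image "$@"
fi
```

The files in the source folder remain unencrypted after the copy; only the copies inside the image are protected.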




How to Do Everything with Mac OS X Panther
ISBN: 007225355X
EAN: 2147483647
Year: 2003
Pages: 171