Establishing Local Operating-System Security


Settings in Mac OS X fall into two general categories:

  • System-wide settings apply to the computer as a whole and all users on it. Only administrators can change these settings.

  • Personal settings are set separately for each user account. All users can change their own personal settings.

A preferences pane that includes system-wide settings will have a padlock icon in the lower-left corner; if the lock is unlocked, the user has been authenticated as an administrator.

Making system-wide changes does not require logging in as an administrator; it is sufficient to click the locked padlock and give the user name and password for an account with administrator rights. After making your changes, you can click the padlock again to cancel authentication and prevent further changes.

Some preferences panes contain a mix of system-wide and personal settings. These will have the padlock icon, but some settings (the personal ones) can be changed without authentication.

There are also a few idiosyncratic settings, such as parental controls. These are set by one user (an administrator user) but apply to specific other (nonadministrator) users.

Securing Unattended Computers

Users leaving themselves logged into their computers is a common source of operational insecurity. Teaching users to always log out can help, but logging out can be inconvenient enough that users will almost inevitably cheat sometimes. Mac OS X has three main options to help with this problem.

Require a Sleep/Screen Saver Password

The computer can be configured to require a password to wake from sleep or a screen saver. If the computer is configured to sleep and/or activate a screen saver after a certain amount of time, this will keep passersby from taking over a user's login session. The password requirement (enabled in the System Preferences Security pane) is a personal setting, meaning that it must be enabled separately for each user account; also, a user can disable it if desired.

The activation settings for the screen saver are also personal settings, configured in the Desktop & Screen Saver pane. Configuring a Hot Corner to start the screen saver is recommended; this way the user can trigger the screen saver manually, eliminating the window of vulnerability between when the user leaves and when the screen saver activates.

Sleep timing is a system-wide setting, configured in the Energy Saver pane. Note that a password is required to wake the computer only from a full sleep, not screen sleep.

Enable Fast User Switching

Enabling Fast User Switching allows a user to quickly switch from a session to the login window (using the user menu near the right of the menu bar). Like the sleep/screen saver password, this prevents passersby from getting access to a user's session without supplying the correct password. Unlike the sleep/screen saver password, this protection can be activated only manually, not automatically after a period of inactivity. Enable this setting in the System Preferences Accounts pane, under Login Options.

Note

Temporarily mounted volumes (such as FireWire drives or disk images) are (usually) fully accessible by all logged-in users, not just the user who mounted them. Using Fast User Switching may weaken FileVault protection on the user's home directory. As long as the FileVault user's session is running (even in the background), her home directory disk image will remain mounted. If another user logs in, the only thing keeping him out of the FileVault user's home directory will be the folder permissions on that directory. For maximum FileVault security, leave Fast User Switching disabled.


One security benefit of Fast User Switching is that it allows switching from a normal (nonadministrator) user account to an administrator user account when administrator access is needed, then immediately switching back to normal. This is actually safer than temporarily enabling administrator access from the nonadministrator account (by clicking a padlock and authenticating, for example). You can disable administrator access again (by relocking the padlock icon), but it's easy to forget to relock and leave access enabled (especially if multiple enables are needed). Switching to administrator and then logging out disables all administrator access in a single step.

If both Fast User Switching and the sleep/screen saver are enabled, the option to switch users will be available from the sleep/screen saver password dialog box.

Log Out Users

You can configure the computer to log out users automatically after a period of inactivity. This is a system-wide setting, enabled in the System Preferences Security pane. This option does not provide much security protection, because any running application can (and often will) cancel the logout process. For example, if the user has any unsaved documents open, the Save dialog will cause the logout process to time out. Using this setting is not generally recommended.

Configuring the Login Process

The default settings for the login process are chosen more for the convenience of home users than for security. As a result, you should make a couple of changes to ensure a secure environment:

  • Disable automatic login. By default, the computer will automatically log in to the initial administrator account every time the computer boots without requiring a password. You can disable this either in the System Preferences Security pane (by selecting Disable Automatic Login) or in the Accounts preferences pane's Login Options section (by deselecting "Automatically log in as").

  • Turn off display of user names. By default, a list of users (names and pictures or icons) is displayed at the login window; this gives an attacker important hints about what logins are available on the computer. (The attacker then has to guess only passwords, not user names.) In the Accounts preferences pane's Login Options section, you can select the "Name and password" option, which causes the login window to display name and password fields; one must correctly enter both to log in.

  • Keep "Show password hints" deselected. This check box is deselected by default and should not be selected. This login option makes the login window display a user-provided password hint after three unsuccessful login attempts. Users should not enter password hints in the first place, but if they do, the hints should not be displayed.

In some situations you may want the login window to display a warning message against unauthorized use of the computer. You can configure this by launching the Terminal utility and entering the following command (replace the example warning with whatever message you want displayed):

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Example Warning Message"


Note

Although this command is reproduced here (and will display on screen) as several lines, it should be typed in as a single long command; do not press Return until you enter the entire command. If the message is particularly long, it may be easier to correct typos by entering the whole thing into a text editor and then pasting it into the Terminal window.


Using Other Security-Related Settings

There are other security-related settings that you can use. Here are some examples:

  • Require a password to unlock each secure system preference (found in the Security preferences pane). By default, preference settings that affect all users (such as this setting) cannot be changed without first clicking the padlock in the bottom-left corner of the preferences pane and authenticating as an administrator user. If this option is deselected, anyone logged in as an administrator may change system-wide settings without specifically authenticating first. Keep this option enabled for higher security.

  • Use secure virtual memory (in the Security preferences pane). This option enables encryption of the virtual memory swap files. Since virtual memory can contain important data (even including passwords), encrypting it is highly recommended. See Lesson 14, "Optimizing Data Confidentiality," for more details. Note that changing this setting does not take effect until the next time the computer is rebooted.

  • Add Dynamic Host Configuration Protocol (DHCP)-supplied Lightweight Directory Access Protocol (LDAP) servers to automatic search policies. This option is automatically disabled if no LDAP server configuration is received from a DHCP server the first time the computer boots. Nonetheless, it's a good idea to make sure this is disabled and remains disabled. The risk of having it enabled is that an attacker could hook up a specially configured DHCP/LDAP server, and the client would trust the information in that server. This might include an administrator account with a password that the attacker chose. This setting is not available in the System Preferences utility. To check or change it, open the Directory Access utility, select the Services tab, click the padlock icon, authenticate, select the LDAP line, and click the Configure button.

  • Set the authentication path option to "Local directory." This prevents any chance of authenticating against a remote server by allowing authentication against only the local NetInfo database.

  • Bluetooth is a wireless protocol intended for connecting relatively lightweight devices (cell phones, headphones, keyboards, mice, etc.) to each other or to computers. It has basic security built in, but its level of security is not adequate for critical situations. Disabling or limiting Bluetooth access will be discussed in Lesson 15, "Mobility Security Concerns."
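The settings covered in "Securing Unattended Computers," "Configuring the Login Process," and the secure virtual memory item above are all stored as preference keys that can be read from Terminal with the same defaults tool used for the login window message. The following audit script is an added example, not part of the book or of Apple's tooling. It reads each key and reports which settings are not in the recommended state. The key names and domains (autoLoginUser, SHOWFULLNAME, RetriesUntilHint, askForPassword, MultipleSessionEnabled, com.apple.autologout.AutoLogOutDelay, UseEncryptedSwap) are assumed to be the ones System Preferences writes on Mac OS X 10.4/10.5; confirm them on your own release before relying on the report. The evaluation logic takes the raw values as arguments, so it can also be exercised with constructed values on a machine without the defaults command.

```shell
#!/bin/sh
# Added audit script (not from the book). Reads the preference keys behind the
# settings discussed above and reports any that are not in the recommended state.
# ASSUMPTION: key names and domains are those written by System Preferences on
# Mac OS X 10.4/10.5; verify on your own release.

LOGINWINDOW=/Library/Preferences/com.apple.loginwindow   # login window (system-wide)
GLOBALPREFS=/Library/Preferences/.GlobalPreferences      # Fast User Switching, auto logout
VMPREFS=/Library/Preferences/com.apple.virtualMemory     # secure virtual memory
SCREENSAVER=com.apple.screensaver                        # per-user: run as the user being checked

# read_pref DOMAIN KEY: print the stored value, or "unset" when the key is absent.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# evaluate_settings takes the eight raw values as arguments so the decision logic
# is separate from the machine being audited. Prints one line per check and
# returns the number of failed checks.
#   $1 autoLoginUser   $2 SHOWFULLNAME           $3 RetriesUntilHint  $4 LoginwindowText
#   $5 askForPassword  $6 MultipleSessionEnabled $7 AutoLogOutDelay   $8 UseEncryptedSwap
evaluate_settings() {
    failed=0

    # Automatic login: the key names the account logged in at boot; absent means disabled.
    if [ "$1" = unset ]; then echo "PASS automatic login disabled"
    else echo "FAIL automatic login enabled for account '$1'"; failed=$((failed + 1)); fi

    # Login window shows name and password fields (1) instead of the user list.
    if [ "$2" = 1 ]; then echo "PASS login window asks for name and password"
    else echo "FAIL login window lists user names"; failed=$((failed + 1)); fi

    # Password hints: 0 means a hint is never shown; 3 is what "Show password hints" writes.
    if [ "$3" = 0 ]; then echo "PASS password hints disabled"
    elif [ "$3" = unset ]; then echo "WARN RetriesUntilHint absent; confirm the check box is deselected"
    else echo "FAIL password hint shown after $3 failed attempts"; failed=$((failed + 1)); fi

    # Warning banner set with the defaults write command shown earlier.
    if [ "$4" = unset ] || [ -z "$4" ]; then echo "WARN no login window warning message set"
    else echo "PASS login window message: $4"; fi

    # Password on wake from sleep or screen saver (personal setting, per user).
    if [ "$5" = 1 ]; then echo "PASS password required to wake from sleep/screen saver"
    else echo "FAIL no password on wake from sleep/screen saver"; failed=$((failed + 1)); fi

    # Fast User Switching is reported, not scored: the book weighs it against FileVault.
    if [ "$6" = 1 ]; then echo "INFO Fast User Switching enabled (weakens FileVault isolation)"
    else echo "INFO Fast User Switching disabled"; fi

    # Automatic logout delay in seconds; the book does not recommend relying on it.
    if [ "$7" = unset ] || [ "$7" = 0 ]; then echo "INFO automatic logout disabled"
    else echo "INFO automatic logout after $7 s (easily cancelled by open applications)"; fi

    # Secure virtual memory (a change takes effect only after a reboot).
    if [ "$8" = 1 ]; then echo "PASS swap files encrypted"
    else echo "FAIL secure virtual memory disabled"; failed=$((failed + 1)); fi

    return $failed
}

# audit_live: read the real values with defaults and evaluate them.
audit_live() {
    evaluate_settings \
        "$(read_pref $LOGINWINDOW autoLoginUser)" \
        "$(read_pref $LOGINWINDOW SHOWFULLNAME)" \
        "$(read_pref $LOGINWINDOW RetriesUntilHint)" \
        "$(read_pref $LOGINWINDOW LoginwindowText)" \
        "$(read_pref $SCREENSAVER askForPassword)" \
        "$(read_pref $GLOBALPREFS MultipleSessionEnabled)" \
        "$(read_pref $GLOBALPREFS com.apple.autologout.AutoLogOutDelay)" \
        "$(read_pref $VMPREFS UseEncryptedSwap)"
}

# Only Mac OS X has the defaults command; elsewhere the evaluation logic can
# still be exercised with constructed values.
if command -v defaults >/dev/null 2>&1; then
    audit_live || echo "one or more settings need attention"
fi
```

Run the script as the user whose sleep/screen saver setting you want to check, since askForPassword is a personal setting stored in that user's own preferences; the remaining keys are system-wide and readable by any user. The exit status of evaluate_settings is the count of FAIL lines, so the script can feed a larger compliance check.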




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan