Settings in Mac OS X fall into two general categories:
A preferences pane that includes system-wide settings will have a padlock icon in the lower-left corner; if the lock is unlocked, the user has been authenticated as an administrator. Making system-wide changes does not require logging in as an administrator; it is sufficient to click the locked padlock and give the user name and password for an account with administrator rights. After making your changes, you can click the padlock again to cancel authentication and prevent further changes.

Some preferences panes contain a mix of system-wide and personal settings. These will have the padlock icon, but some settings (the personal ones) can be changed without authentication. There are also a few idiosyncratic settings, such as parental controls. These are set by one user (an administrator user) but apply to specific other (nonadministrator) users.

Securing Unattended Computers

Users leaving themselves logged into their computers is a common source of operational insecurity. Teaching users to always log out can help, but logging out can be inconvenient enough that users will almost inevitably cheat sometimes. Mac OS X has three main options to help with this problem.

Require a Sleep/Screen Saver Password

The computer can be configured to require a password to wake from sleep or a screen saver. If the computer is configured to sleep and/or activate a screen saver after a certain amount of time, this will keep passersby from taking over a user's login session. The password requirement (enabled in the System Preferences Security pane) is a personal setting, meaning that it must be enabled separately for each user account; also, a user can disable it if desired. The activation settings for the screen saver are also personal settings, configured in the Desktop & Screen Saver pane.
Configuring a Hot Corner to start the screen saver is recommended; this way the user can trigger the screen saver manually, eliminating the window of vulnerability between when the user leaves and when the screen saver activates. Sleep timing is a system-wide setting, configured in the Energy Saver pane. Note that a password is required to wake the computer only from a full sleep, not screen sleep.

Enable Fast User Switching

Enabling Fast User Switching allows a user to quickly switch from a session to the login window (using the user menu near the right of the menu bar). Like the sleep/screen saver password, this prevents passersby from getting access to a user's session without supplying the correct password. Unlike the sleep/screen saver password, this protection can be activated only manually, not automatically after a period of inactivity. Enable this setting in the System Preferences Accounts pane, under Login Options.

Note: Temporarily mounted volumes (such as FireWire drives or disk images) are usually fully accessible by all logged-in users, not just the user who mounted them.

Using Fast User Switching may weaken FileVault protection on the user's home directory. As long as the FileVault user's session is running (even in the background), her home directory disk image will remain mounted. If another user logs in, the only thing keeping him out of the FileVault user's home directory will be the folder permissions on that directory. For maximum FileVault security, leave Fast User Switching disabled.

One security benefit of Fast User Switching is that it allows switching from a normal (nonadministrator) user account to an administrator user account when administrator access is needed, then immediately switching back to normal. This is actually safer than temporarily enabling administrator access from the nonadministrator account (by clicking a padlock and authenticating, for example).
You can disable administrator access again (by relocking a padlock icon), but it's easy to forget to relock it (especially if multiple enables are needed). Switching to administrator and then logging out automatically disables all administrator access in a single step. If both Fast User Switching and the sleep/screen saver password are enabled, the option to switch users will be available from the sleep/screen saver password dialog box.

Log Out Users

You can configure the computer to log out users automatically after a period of inactivity. This is a system-wide setting, enabled in the System Preferences Security pane. This option does not provide much security protection, because any running application can (and often will) cancel the logout process. For example, if the user has any unsaved documents open, the Save dialog will cause the logout process to time out. Using this setting is not generally recommended.

Configuring the Login Process

The default settings for the login process are chosen more for the convenience of home users than for security. As a result, you should make a couple of changes to ensure a secure environment:
In some situations you may want the login window to display a warning message against unauthorized use of the computer. You can configure this by launching the Terminal utility and entering the following command (replace the example warning with whatever message you want displayed):

    sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Example Warning Message"

Note: Although this command is reproduced here (and will display on screen) as several lines, it should be typed in as a single long command; do not press Return until you have entered the entire command. If the message is particularly long, it may be easier to correct typos by entering the whole thing into a text editor and then pasting it into the Terminal window.

Using Other Security-Related Settings

There are other security-related settings that you can use. Here are some examples:
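As an added example (not from the book), a POSIX shell audit script that reads back the settings discussed in the unattended-computer and login-process sections with `defaults read`, so an administrator can verify a machine matches the recommendations above. Only the LoginwindowText key comes from the chapter; the other domain and key names (com.apple.screensaver askForPassword and askForPasswordDelay, .GlobalPreferences MultipleSessionEnabled and com.apple.autologout.AutoLogOutDelay) are assumptions drawn from general macOS administration and should be verified on your OS version.

```shell
#!/bin/sh
# Added example, not from the book: audit the screen saver password,
# Fast User Switching, automatic logout and login window banner settings.
# ASSUMPTION: every domain/key except LoginwindowText is taken from common
# macOS administration practice, not from this chapter.

# read_default DOMAIN KEY DEFAULT -> prints the stored value, or DEFAULT if unset
read_default() {
    defaults read "$1" "$2" 2>/dev/null || printf '%s' "$3"
}

# expect_value LABEL ACTUAL EXPECTED -> 0 if ACTUAL equals EXPECTED, else 1
expect_value() {
    if [ "$2" = "$3" ]; then
        printf 'OK    %s = %s\n' "$1" "$2"
        return 0
    fi
    printf 'WARN  %s = "%s" (expected %s)\n' "$1" "$2" "$3"
    return 1
}

# expect_nonempty LABEL ACTUAL -> 0 if ACTUAL is non-empty, else 1
expect_nonempty() {
    if [ -n "$2" ]; then
        printf 'OK    %s is set\n' "$1"
        return 0
    fi
    printf 'WARN  %s is not set\n' "$1"
    return 1
}

# audit -> returns the number of failed checks (0 means everything matched)
audit() {
    fails=0
    # Personal settings: password required to wake, with no grace period
    expect_value "screensaver askForPassword" \
        "$(read_default com.apple.screensaver askForPassword 0)" 1 || fails=$((fails + 1))
    expect_value "screensaver askForPasswordDelay" \
        "$(read_default com.apple.screensaver askForPasswordDelay 0)" 0 || fails=$((fails + 1))
    # Fast User Switching off, the chapter's recommendation for FileVault users
    expect_value "Fast User Switching (MultipleSessionEnabled)" \
        "$(read_default /Library/Preferences/.GlobalPreferences MultipleSessionEnabled 0)" 0 || fails=$((fails + 1))
    # Automatic logout disabled (0), since the chapter does not recommend it
    expect_value "AutoLogOutDelay" \
        "$(read_default /Library/Preferences/.GlobalPreferences com.apple.autologout.AutoLogOutDelay 0)" 0 || fails=$((fails + 1))
    # Login window banner, the key the chapter sets with `defaults write`
    expect_nonempty "LoginwindowText" \
        "$(read_default /Library/Preferences/com.apple.loginwindow LoginwindowText '')" || fails=$((fails + 1))
    return $fails
}

if [ "${1:-}" = run ]; then audit; fi
```

Run it as the user whose personal settings you want checked (`sh audit.sh run`); the exit status is the number of settings that differ from the recommended values.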