Secure Computing: Best Practices for Macintosh OS X
Securing an OS X Desktop
This document focuses on securing the Mac OS X operating system (10.2 as of this writing), but much of the information applies to Mac OS 9 as well.
No matter what operating system you're using, the basic steps for securing an operating system are the same:
- Install all operating system patches.
- Verify user account security.
- Eliminate unnecessary applications and network services.
- Install and configure necessary applications and network services.
- Keep applications and operating system patches up to date.
Install the latest patches
It's imperative that you connect to the network and immediately download and install the necessary patches for your operating system. Many security exploits prey on systems which are not kept up to date. Unpatched machines are frequently exploited within minutes of being attached to an open network like Stanford's.
On OS X, use Software Update to keep your operating system and Apple applications up to date. In its default configuration, Software Update checks for updates weekly. When it asks you to update software, please do so -- in most cases, multiple security patches are rolled into a single update, and in some cases certain security updates will not be listed until prerequisite updates are installed first.
You can also run Software Update from the command line. Open the Terminal application. If you type
/usr/sbin/softwareupdate
with no arguments, the application will return a list of available updates, with descriptions, version numbers, and sizes. You can then download, un-archive, and install a particular update by entering
/usr/sbin/softwareupdate <name-of-update>
More information on Apple Security Updates
Verify user account security
- Make sure all accounts have good passwords set. By default, the first account created is also an admin account, and its password provides system-level privileges. Please use passwords that are not based on dictionary words. Using non-dictionary words, with other marks added, is highly suggested for all accounts.
- Limit administrative privileges. Not all accounts need to be a part of the admin group. Furthermore, it is not always wise to use an account that has admin privileges. You may wish to create an account for your daily use, and use an account in the admin group only when the system prompts you for increased privileges.
Eliminate unnecessary services
Remote login, File Sharing, Printer Sharing, and other services are not enabled by default. Only enable these services if absolutely necessary, and if so, consider using firewall rulesets listed below. Never use Internet Connection Sharing, which actually allows multiple systems to use your ISP connection. On campus, this causes network problems, including the possibility of unintentionally allowing the people sharing your ISP connection to share your Kerberos identity as well.
MacLeland 2.1.1 (currently beta 4) has a fix for the Internet Connection Sharing (ICS) problem. The new version of MacLeland checks for the presence of NATd, the service that provides ICS, when it starts up. If Internet Connection Sharing is present, MacLeland disables the piece of its functionality that allows users to capture Kerberos identity. MacLeland gives the user a warning that ICS is running, and that the Kerberos identity functionality will remain disabled until ICS is no longer running. This version of MacLeland is expected to begin ITSS internal beta testing the week of April 7, 2003. Check http://macleland.stanford.edu for the most current information.
Kerberos identities and Internet Connection Sharing
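The two checks described above (who is in the admin group, and whether natd is running) can be scripted from the Terminal. The following is an added example, not part of the original document or of MacLeland; the function names, the expected-administrator list and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the account and ICS checks described above.
# Function names and sample data are constructed for illustration.

# Print the members of the "admin" group, one per line.
# stdin: group records in /etc/group format (name:passwd:gid:user1,user2).
admin_members() {
    awk -F: '$1 == "admin" {
        n = split($4, users, ",")
        for (i = 1; i <= n; i++) if (users[i] != "") print users[i]
    }'
}

# Print admin members that are NOT in the expected list given as arguments.
extra_admins() {
    expected=" $* "
    admin_members | while read -r user; do
        case "$expected" in
            *" $user "*) ;;            # expected administrator
            *) echo "$user" ;;         # review: does this account need admin?
        esac
    done
}

# Succeed if natd appears in a process listing.
# stdin: one process per line with the bare command name in the last column,
# as produced by `ps -axc`.
ics_running() {
    awk '$NF == "natd" { found = 1 } END { exit !found }'
}

# Constructed sample input (not captured from a real machine).
SAMPLE_GROUPS='wheel:*:0:root
admin:*:80:root,alice,labguest
staff:*:20:root'
SAMPLE_PS='  PID  TT  STAT      TIME COMMAND
    1  ??  Ss     0:00.04 init
  212  ??  Ss     0:00.31 natd
  305  ??  S      0:01.10 Finder'

echo "Unexpected members of admin:"
printf '%s\n' "$SAMPLE_GROUPS" | extra_admins root alice
if printf '%s\n' "$SAMPLE_PS" | ics_running; then
    echo "natd is running: Internet Connection Sharing appears to be enabled"
fi
```

On a live 10.2 system, replace the samples with the machine's own data: `nidump group .` prints the NetInfo group records in this format, and `ps -axc` gives the process listing.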
Install required applications: MacLeland
MacLeland is the application that provides Kerberos authentication to Macintosh OS X, for access to applications such as Samson, Outlook and Eudora. It currently exists in three versions: 2.1 for users of OS X 10.2 (Jaguar), 2.0 for OS X 10.1, and 1.4 for Mac OS 9 and earlier. Because of differences between the operating systems, the different versions of MacLeland provide slightly different functionality. Versions 1.4 and 2.0 provide Kerberos authentication, single sign-on, and access to the Stanford AFS file system.
v2.1 for OS X.2 does not include the single sign-on capability or support for AFS -- OS X.2 users need to install OpenAFS separately, as described below.
Configuring mail with Kerberos in OS 10.2 (with MacLeland)
Install required services: have a good time
Stanford's Kerberos infrastructure relies on time synchronization to function properly, so it's a good idea to be sure that your Macintosh has the correct time. The System Preferences application includes an option that enables the Network Time Protocol, a service that queries network servers for the correct time and updates your local computer if required. Within System Preferences, check the Use Network Time box. By default, the Macintosh NTP client queries a machine called time.apple.com. In most cases that's okay, but you can configure it to use time.stanford.edu by entering that machine name in the obvious field:

OS X.2 only: install MacLeland AFS+
For versions of Macintosh operating systems prior to 10.2, MacLeland includes components that provide access to Stanford's AFS file system. For OS X.2, due to changes in the operating system, support for AFS must be installed separately from the core MacLeland application. Detailed instructions on installing MacLeland 2.1, including the AFS components, are located here.
AFS support within MacLeland 2.1 is still in the beta testing period. No problems have been reported, but you may choose to avoid installing the application until it is fully released. In that case, you can
Install required services: host-based firewall
As of OS X 10.2, you can go to the Sharing panel in System Preferences, and select the Firewall tab to further restrict what can connect to your system.

Please consult Jim Brown's document on OS X.2 Firewall Configuration for details on how to set things up for the Stanford environment.
Keep applications and operating system patches up to date.
If you're using Software Update to check for new software patches, as recommended in the first step of this document, you'll be told when updates are available for your machine. Install them when they become available, and you'll be safe from the majority of attacks that are roaming the Internet.
Install and use the Security Self-Test. Install the Security Self-Test to make sure your system meets a good standard for security. This tool checks for many of the above conditions, as well as what software you have installed. Passing this test confirms that the changes you've made have been successful, and that your computer is ready for the Stanford network.

