Mac OS X Security Configuration - Office of Information Technology

More documents

Recommendations

Info

Users can restrict firewall access to essential network services (such as those needed forDHCP, BOOTP, IPSec VPNs, and Bonjour), or they can allow (or block) access to selectedapplications on an individual basis. The application firewall uses digital signatures toverify the identity of applications. If you select an unsigned application, Mac OS X v10.5signs that application to uniquely identify it.For expert users, the IPFW firewall is still available on the system. Because IPFW handlespackets at the protocol-layer of the networking stack and the application firewall is anapplication layer filter, IPFW rules take precedence.Signed ApplicationsBy signing applications, your Mac can verify the identity and integrity of an application.Applications shipped with Mac OS X v10.5 are signed by Apple. In addition, third-partysoftware developers can sign their software for the Mac. Application signing doesn’tprovide intrinsic protection, but it integrates with several other features to enhancesecurity.Features such as parental controls, managed preferences, Keychain, and the firewall useapplication signing to verify that the applications they are working with are the correct,unmodified versions.With Keychain, the use of signing dramatically reduces the number of Keychain dialogspresented to users because the system can validate the integrity of an application thatuses Keychain. With parental controls and managed preferences, the system usessignatures to verify that an application runs unmodified.The application firewall uses signatures to identify and verify the integrity ofapplications that are granted network access. In the case of parental controls and thefirewall, unsigned applications are signed by the system on an ad hoc basis to identifythem and verify that they remain unmodified.Smart Card Unlock of FileVault and Encrypted StorageSmart cards enable you to carry your digital certificates with you. With Mac OS X, youcan use your smart card whenever an authentication dialog is presented.Mac OS X v10.5 has the following four token modules to support this robust, two-factorauthentication mechanism and Java Card 2.1 standards:Â Belgium National Identification Card (BELPIC)Â Department of Defense Common Access Card (CAC)Â Japanese government PKI (JPKI)Â U.S. Federal Government Personal Identity Verification, also called FIPS-201(PIV)26 Chapter 1 Introduction to Mac OS X Security Architecture
Other commercial smart card vendors provide token modules to support integration oftheir smart card with the Mac OS X Smart Card architecture.Similar to an ATM card and a PIN code, two-factor authentication relies on somethingyou have and something you know. If your smart card is lost or stolen, it cannot beused unless your PIN is also known.Mac OS X has additional functionality for smart card use, such as:Â Lock system on smart card removal. You can configure your Mac to lock the systemwhen you remove your smart card.Â Unlock keychain. When you insert a smart card, the keychain can be unlocked andthen your stored information and credentials can be used.Â Unlock FileVault. You can use a smart card to unlock your FileVault encrypted homedirectory. You can enable this function by using a private key on a smart card.Sharing and Collaboration ServicesIn Mac OS X v10.5, you can enable and configure sharing services to allow access onlyto users that you specify through access control lists (ACLs). You can create useraccounts for sharing based on existing user accounts on the system, and for entries inyour address book. Sharing services become more secure with ACLs.Enhanced Encrypted Disk Image CryptographyThe Disk Utility tool included in Mac OS X enables you to create encrypted diskimages—using 128-bit or even stronger 256-bit AES encryption—so you can safely mailvaluable documents, files, and folders to friends and colleagues, save the encrypteddisk image to CD or DVD, or store it on the local system or a network file server.FileVault also uses this same encrypted disk image technology to protect user folders.A disk image is a file that appears as a volume on your hard disk. It can be copied,moved, or opened. When the disk image is encrypted, files or folders placed in it areencrypted.To see the contents of the disk image, including metadata such as file name, date, size,or other properties, a user must enter the password or have a keychain with the correctpassword.The file is decrypted in real time, only as the application needs it. For example, if youopen a QuickTime movie from an encrypted disk image, Mac OS X decrypts only theportion of the movie currently playing.Chapter 1 Introduction to Mac OS X Security Architecture 27
Page 1 and 2: Mac OS XSecurity ConfigurationFor V
Page 3 and 4: 1 ContentsPreface 11 About This Gui
Page 5 and 6: 52 PowerPC-Based Systems52 Using th
Page 7 and 8: 130 Encrypting Home Folders131 Over
Page 9 and 10: 172 Securing Network Sharing Servic
Page 11 and 12: About This GuidePrefaceThis guide p
Page 13 and 14: Â Chapter 13, “Advanced Security
Page 15 and 16: This guide...User ManagementWeb Tec
Page 17 and 18: For additional security-specific in
Page 19 and 20: 1 Introductionto Mac OS X SecurityA
Page 21 and 22: Apple built the foundation of Mac O
Page 23 and 24: These functions are used when the s
Page 25: Parental ControlsParental controls
Page 29 and 30: 2 InstallingMac OS X2Use this chapt
Page 31 and 32: 9 In the “Install Summary screen,
Page 33 and 34: Avoid names and short names like
Page 35 and 36: From the Command Line:# Updating fr
Page 37 and 38: From the Command Line:# Updating Ma
Page 39 and 40: When you use Disk Utility to verify
Page 41 and 42: 3 ProtectingSystem Hardware3Use thi
Page 43 and 44: OS ComponentsMac OS X provides kern
Page 45 and 46: From the Command Line:# Removing Bl
Page 47 and 48: From the Command Line:# Securing Vi
Page 49 and 50: From the Command Line:# Securing Fi
Page 51 and 52: 4 SecuringGlobal System Settings4Us
Page 53 and 54: You can test your settings by attem
Page 55 and 56: Intel-based and PowerPC-based compu
Page 57 and 58: When an application requests author
Page 59 and 60: 5 SecuringAccounts5Use this chapter
Page 61 and 62: It is risky to assign the same user
Page 63 and 64: To securely configure an account wi
Page 65 and 66: Securing Administrator AccountsEach
Page 67 and 68: 3 In the Defaults specification sec
Page 69 and 70: The authentication and contacts sea
Page 71 and 72: Â FIPS-181 compliant: According to
Page 73 and 74: Before the smart card processes inf
Page 75 and 76: You can create multiple keychains,
Page 77 and 78:
2 Enter a name, select a location f
Page 79 and 80:
Using Portable and Network-Based Ke
Page 81 and 82:
6 SecuringSystem Preferences6Use th
Page 83 and 84:
Securing .Mac Preferences.Mac is a
Page 85 and 86:
3 Don’t register your computer fo
Page 87 and 88:
To securely configure Accounts pref
Page 89 and 90:
To securely configure Appearance pr
Page 91 and 92:
This does not prevent users from re
Page 93 and 94:
4 Choose a time zone.From the Comma
Page 95 and 96:
From the Command Line:# Securing De
Page 97 and 98:
2 From the Sleep pane, set “Put t
Page 99 and 100:
From the Command Line:# Securing Ex
Page 101 and 102:
To securely configure Network prefe
Page 103 and 104:
If the account you want to manage i
Page 105 and 106:
To securely configure Print & Fax p
Page 107 and 108:
You can find and install third-part
Page 109 and 110:
FileVault SecurityMac OS X includes
Page 111 and 112:
Â “Set access for specific servi
Page 113 and 114:
You can change your computer’s na
Page 115 and 116:
To securely configure Software Upda
Page 117 and 118:
The following shows the Text to Spe
Page 119 and 120:
By placing specific folders or disk
Page 121 and 122:
To enter Target Disk Mode, hold dow
Page 123 and 124:
7 SecuringData and UsingEncryption7
Page 125 and 126:
Interpreting POSIX PermissionsTo in
Page 127 and 128:
In this example, the folder named s
Page 129 and 130:
Not all applications recognize the
Page 131 and 132:
If you want to protect file or fold
Page 133 and 134:
This provides network management of
Page 135 and 136:
Make sure the size of the image is
Page 137 and 138:
A zero-out erase sets all data bits
Page 139 and 140:
Using Secure Empty TrashSecure Empt
Page 141 and 142:
8 SecuringSystem Swap andHibernatio
Page 143 and 144:
9 AvoidingMultiple SimultaneousAcco
Page 145 and 146:
10 EnsuringData Integrity withBacku
Page 147 and 148:
11 InformationAssurance withApplica
Page 149 and 150:
Â NTLMÂ Kerberos Version 5 (GSSAP
Page 151 and 152:
Safari supports server-side and cli
Page 153 and 154:
Before they are opened, the followi
Page 155 and 156:
Website forms can include items tha
Page 157 and 158:
iChat AV Encryption leverages a PKI
Page 159 and 160:
When you and your buddy have the .M
Page 161 and 162:
IPSec requires security certificate
Page 163 and 164:
Mac OS X includes a firewall. If yo
Page 165 and 166:
4 Click Advanced.5 Select the Enabl
Page 167 and 168:
12 InformationAssurance withService
Page 169 and 170:
Before using Bonjour to connect to
Page 171 and 172:
Securing the Back to My Mac (BTMM)
Page 173 and 174:
Screen Sharing (VNC)Screen Sharing
Page 175 and 176:
From the Command Line:# Disable Fil
Page 177 and 178:
Enabling an SSH ConnectionTo enable
Page 179 and 180:
5 On the client, enter a complex pa
Page 181 and 182:
$ mkdir ~/.ssh/2 If ~/.ssh/known_ho
Page 183 and 184:
You can add a specific host and opt
Page 185 and 186:
The first time you connect, you hav
Page 187 and 188:
From the Command Line:# Remote Appl
Page 189 and 190:
From the Command Line:# Internet Sh
Page 191 and 192:
13 AdvancedSecurity Management13Use
Page 193 and 194:
When a program asks for a right, Au
Page 195 and 196:
The Security Server requests authen
Page 197 and 198:
Validating File IntegrityWhen downl
Page 199 and 200:
To inspect a specific requirement,
Page 201 and 202:
The following sample line specifies
Page 203 and 204:
If auditing is enabled, the /etc/rc
Page 205 and 206:
Intrusion Detection SystemsAn intru
Page 207 and 208:
ASecurity ChecklistAAppendixUse the
Page 209 and 210:
Account Configuration Action ItemsF
Page 211 and 212:
Action Items Completed? NotesSecure
Page 213 and 214:
Action Item Completed? NotesInstall
Page 215 and 216:
BSecurity ScriptsBAppendix# Updatin
Page 217 and 218:
# Securing Global System Settings#
Page 219 and 220:
# Securing Energy Saver Preferences
Page 221 and 222:
defaults write "com.apple.speech.re
Page 223 and 224:
GlossaryGlossaryThis glossary defin
Page 225 and 226:
computational cluster A group of co
Page 227 and 228:
FTP File Transfer Protocol. A proto
Page 229 and 230:
NetBoot server A Mac OS X server yo
Page 231 and 232:
public key One of two asymmetric ke
Page 233 and 234:
streaming Delivery of video or audi
Page 235 and 236:
IndexIndex.Mac preferences 83-85, 1
Page 237 and 238:
Gglobal file permissions 128-129gri
Page 239 and 240:
SSafari preferences 150, 152-156san
show all

Mac OS X Security Configuration - Office of Information Technology

Create successful ePaper yourself

Delete template?

Save as template?