Mac Installation Security 101
This is the first part of a short series of posts about installing Mac OS X. Today’s topic is nailing down the security. In the next part, I’ll look at setting up the standard applications.
Before I get started on this post, I should like to point out that, yes, I did work for the Ministry of Defence for many years. But, NO, it was not me that famously had a laptop full of national secrets stolen from a train!
Anyway… after more than 3 weeks in repair, I got my MacBook back yesterday, complete with new logic board and optical drive, but still awaiting a new keyboard surround. Unfortunately, when I got it home I wasn’t able to log in to either my normal encrypted user account, or the unencrypted administrator accounts. So it seems that my password database had become corrupted somehow. Luckily, I had backed up all my important data before I took the machine in (secretly hoping they would toss it, and give me a new one), so I simply wiped the drive and reinstalled from the restore disks. In the process of manually setting up everything from scratch I thought I’d make notes on all the steps I had to go through to turn a pristine installation into a productive and secure work environment.
Before getting carried away with anything else, I like to lock down the System Preferences as securely as possible. Here are the steps you should use to do that:
1. Software Update
It’s a sure thing that Apple will have put out several point releases and security patches since the installation DVDs were burnt, so run Software Update to make sure all those fixes are live on your Mac. Often, not everything will be listed in the first attempt (it took 3 runs for me), because installing one update, a point release in particular, frequently makes further updates appear. So when it finishes, run it again until it explicitly says that there are no more updates.
Also, you don’t want your machine to be vulnerable for a week or more after Apple puts out their next security update. From the Software Update preferences, set the Check for Updates frequency to Daily. And, would you believe, just as I was collecting screenshots for this post, even though I ran Software Update myself 3 times this afternoon, I just automatically picked up Apple Security Update 2007-05!
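As an added example (my own script, not part of the original post), here is the same "run it until nothing is left" loop driven from the Terminal with Apple's softwareupdate tool, plus the equivalent of the daily check. It assumes that softwareupdate -l prints "No new software available." when the machine is current, that -i -a installs everything listed, and that --schedule on enables the automatic check (where the installed version supports it). Installing needs root, so run it with sudo; on anything other than Mac OS X it only defines the functions.

```shell
#!/bin/sh
# Added example, not code from the original post: drive Software Update from
# the Terminal, repeating until Apple's servers report nothing left.
# Assumptions: `softwareupdate -l` prints "No new software available." when
# current, `-i -a` installs everything listed, `--schedule on` enables the
# automatic check.  Run with sudo on Mac OS X.
SWU=${SWU:-softwareupdate}     # command to drive; overridable for testing
MAX_ROUNDS=${MAX_ROUNDS:-10}   # guard against an endless loop

# Succeed (status 0) while updates are still listed, fail once the tool says
# the machine is current.  Anything else (a network error, say) counts as
# "still pending" so that the caller's install step surfaces the error.
updates_pending() {
    if "$SWU" -l 2>&1 | grep -q 'No new software available'; then
        return 1
    fi
    return 0
}

# Install whatever is listed and check again, because one update (a point
# release in particular) frequently makes further updates appear.  Prints the
# number of install rounds it took; fails after MAX_ROUNDS.
update_until_clean() {
    rounds=0
    while updates_pending; do
        rounds=$((rounds + 1))
        if [ "$rounds" -gt "$MAX_ROUNDS" ]; then
            echo "updates still pending after $MAX_ROUNDS rounds, giving up" >&2
            return 1
        fi
        "$SWU" -i -a || return 1
    done
    echo "$rounds"
}

if [ "$(uname -s)" = Darwin ]; then
    n=$(update_until_clean) || exit 1
    echo "up to date after $n install round(s)"
    "$SWU" --schedule on       # the command-line form of "Check for updates: Daily"
fi
```

The loop stops on the exact text softwareupdate prints when current, so if Apple ever changes that wording the script will install, find the list still "pending" and give up after MAX_ROUNDS rather than loop forever.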
2. System Name
No sense in making it easy for a hacker on your network by telling him this machine is a MacBook, so in the Sharing preferences rename the machine (I’m not sure why Apple chose such a strange place to put the machine name, but I suppose the logic is that it is how people who use your shared resources will see you on the network… or something). Bear in mind that this only changes the advertised name: anyone who can reach the machine can still fingerprint the operating system from its Bonjour advertisements and the behaviour of its TCP/IP stack, so treat this as tidiness rather than a real control. All the computers, printers, routers etc. on my network are named after demons, and the MacBook is no exception now that I’ve called it baal.
3. Firewall
I have no clue why Apple don’t enable it by default, but while we have the Sharing preferences open, start the firewall too. I also need ssh enabled for day to day work, so I start Remote Login from the Services tab. Since I’m not running any UDP services from my laptop, I set Block UDP Traffic from the Advanced dropdown in the Firewall tab. I also make sure Enable Stealth Mode is on, which tells Mac OS X to silently drop probes it wasn’t expecting (pings, and connections to closed ports) rather than answer them with an ICMP or TCP reset reply. Be clear about what that buys you: it stops a scanner from cheaply confirming that a host exists at your address, but it does not make the machine invisible. Any service you have switched on, such as ssh on port 22, still answers and will show up in a port scan, so every open service should be one you actually need.
4. Apple Remote
Partly to stop the MacBook from responding to someone else’s infrared remote shenanigans, and partly to stop my iPod from responding to my MacBook remote, I always pair the remote with the machine it came with. You’ll need administrative rights to do the actual pairing, so make sure to do this before the next step.
With the remote just an inch or three from the IR sensor, press and hold Menu on the remote, and when Front Row has launched, also press and hold Fast Forward on the remote for about 5 seconds until the chain link is displayed.
5. Login Options
If someone steals my laptop, I don’t want to give them half of the information they need to get through the Login & Password screen to get access to my private data. From the Accounts preferences, select Display Login Window as Name and Password, and deselect Show password hints. Since I use the Dvorak keymap, if I shared this computer with anyone else, I’d need to enable show input menu in login window — but I don’t, so I leave it deselected to make life even harder for whoever stole my machine. Serves them right!
6. Administrator Access
I just discovered that if you turn off the administrator privileges for your main login account, Mac OS X prompts for an administrator-enabled username and password whenever it needs one (to install software, for instance). The point is that a compromise of the account you use all day, whether through a malicious download or a hijacked ssh session, then no longer comes with administrator rights attached. In the Accounts preferences create a brand new user and give them administrator rights before turning off your own Allow user to administer this computer option.
As a linux refugee, and GNU maintainer, I spend the vast majority of my development time in the Terminal. Unfortunately, removing the administrator rights of my login account means that sudo doesn’t work: luckily, it’s easy to reenable it:
$ su -c 'sudo visudo' admin-account
You have to enter the password for admin-account once for su, and then again when it invokes sudo, after which you just add a new line to the file that is being edited:
gary ALL=(ALL) ALL
Bear in mind that this line hands your everyday account unrestricted root through sudo, the same grant the default %admin line gives every administrator account, so on the command line you have given back what you just took away. What you have still removed is the admin-group membership that the Finder and System Preferences honour. If your workflow only needs a handful of privileged commands, list those in place of the final ALL instead.
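As an added example (my own, not the post's), here is a small check that reads a sudoers file and reports the user specifications that hand out unrestricted root or skip the password, which is how to see at a glance that the line above, and the stock %admin line, are both blanket grants. It assumes entries in the usual "user host=(runas) [TAG:] command" form; aliases and #include directives are not expanded, so it is a quick check rather than a substitute for reading the file.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a sudoers file for
# user specifications that hand out unrestricted root or skip authentication.
# Assumes entries of the form "user host=(runas) [TAG:] command"; aliases and
# #include directives are not expanded.  Usage: sudo sh audit_sudoers.sh /etc/sudoers

# Print one "who<TAB>reason" line per over-broad grant (root's own line is skipped).
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                         # comments, blank lines
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }   # options and alias definitions
        {
            who = $1
            if (who == "root") next                     # root is root already
            rest = $0
            sub(/^[^=]*=[ \t]*/, "", rest)      # strip the "user host=" prefix
            sub(/^\([^)]*\)[ \t]*/, "", rest)   # strip the (runas) part
            sub(/[ \t]+$/, "", rest)
            tags = ""
            while (match(rest, /^[A-Z]+:[ \t]*/)) {     # NOPASSWD:, SETENV:, ...
                tags = tags substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (tags ~ /NOPASSWD/)
                printf "%s\tNOPASSWD: runs without a password\n", who
            if (rest ~ /^ALL([ \t]*,|$)/)               # ALL, or a list that starts with ALL
                printf "%s\tALL: any command, i.e. full root\n", who
        }' "$1"
}

if [ $# -gt 0 ]; then
    audit_sudoers "$1"
fi
```

Run it against /etc/sudoers after adding your line and you will see both gary and %admin reported; a narrower entry that names specific commands produces no output at all.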
7. FileVault
I always used to be a little wary of this, but it is the best way to lock laptop thieves out of your personal data. In this release FileVault encrypts only your home directory, as a disk image that is mounted while you are logged in, so it protects a machine that is powered off or logged out; a stolen laptop that is merely asleep with your session open is relying on the wake-from-sleep password in point 8. Be aware also that network logins over AFP and Samba shares won’t work with an encrypted account when you’re logged out. I’ll explain how to work around that in the next part of this series.
First you have to select Set Master Password, and then you can Turn On FileVault from the Security preferences, and wait for a few minutes while your home directory is encrypted. The master password is a recovery password that can unlock any FileVault account on the machine, so choose it as carefully as your own and don’t lose it.
8. Login Security
Still in the Security preferences, for obvious reasons select all of the following: Require password to wake this computer from sleep or screen saver; Disable automatic Login; Require password to unlock each secure system preference; and Use secure virtual memory.
In order to be able to prompt for a password from the screen saver, you’ll also need to enable one from the Desktop & Screensaver preferences. If your machine will be left unattended at a desk, you should make triggering the screensaver as easy as possible. Having the thing start up after you’ve been watching a compile for just a few minutes can be annoying, but if someone is going to “borrow” your machine for a spot of hacking while you’re away, they’ll want to get started quickly, so it’s best to have the delay set to just the 3 minutes minimum. You can then use the Hot Corners pane to Disable Screensaver with the top corners, and Start Screensaver with the bottom corners. That way you just need to remember to put the mouse in a bottom corner before you dash to the bathroom, and in a top corner if you’re watching a slideshow or a long compile.
9. Bluetooth
In the Settings tab of the Bluetooth preferences, turn off discoverable, and unless you normally use a bluetooth mouse or keyboard, turn bluetooth itself off altogether, but leave it showing in the menu bar to make pairing with phones and so forth as easy as possible. In the Sharing tab, select Require pairing for security for all bluetooth sharing services.
10. Keychain Access
Especially if you’ve decided not to encrypt your home directory, you should launch the Keychain Access application and select Change Password For Keychain “login” from the Edit menu. By default the login keychain uses your login password and is unlocked automatically when you log in, so anyone who gets into your account, or copies the keychain file off an unencrypted disk and cracks that one password offline, gets every saved password with it; giving the keychain a password of its own means it stays locked until you deliberately unlock it. In the Current Password text field, type your login password. Type a new password in the New Password field and again in the Verify field. You can also test how strong your password is by clicking the key icon next to the New Password field to bring up the Password Assistant.
Once you’ve unlocked the keychain, it normally remains open until you log out again. It’s much safer to have it automatically lock after a period of inactivity, say 5 minutes. You can set that from Change Settings For Keychain “login” in the Edit menu. I always select the Lock when sleeping option here too.
4 Responses so far
2007.05.25@7:31 pm
Quite a lot of useful info down here. Though I’ve been a hardcore Mac user for a year now, half of the things you mention were strange to me. Thanks
2007.05.26@12:30 am
Nice - I’ve used some of these things before to lock down my macbook a bit.
With regard to “3. Firewall”, I suspect they might not have it on by default because more or less no tcp/udp servers run by default (though that is only a guess, I’ve not checked that one out sadly).
With regard to “6. Administrator Access”, I would have thought re-enabling the sudo for the user would have been the equivalent of setting the “Allow user to administer this computer” option. It’d be interesting to see what the preference pane actually does for that option.
With regard to “7. Filevault” a quick google search revealed that Filevault is evil and almost always corrupts your files. Though then again, maybe 90% of people that use it just don’t use it properly. In any case, I decided to turn it on on my macbook, and keep anything that doesn’t need encrypting such as the iTunes library somewhere else (note: you can switch the iTunes library location by holding down the option key whilst it is launching).
Pretty good advice in general. Thanks.
p.s. if you are really paranoid you should also turn on the “Use secure virtual memory” option present in the FileVault pane, which should ensure no cleartext passwords in memory get written to the disk. Note though that I have read elsewhere that this option is useless if you let your mac hibernate as it encrypts the sleep state to disk, but also writes the key to decode it. It should also be noted that some programs (from what I’ve seen, typically VMs) don’t like this option turned on.
2007.05.29@5:48 pm
Thanks for reading, and I’m glad you’ve found the post useful. I wouldn’t want you to become one of those guys who thinks that because you run Mac OS X, you’re immune to viruses, rootkits, malware and being hacked!
2007.05.29@5:59 pm
Hi James,
Thanks for the comments.
@3: That might be it, but a firewall does a lot more than protect the services behind tcp/udp ports…
@6: Administrator access does more than grant a sudoers bit: it allows you to change system and network preferences without a password in some cases, and worse allows you to edit and install system files and applications (possibly without a password, depending on other settings). Taking all that stuff away is important, but my workflow relies on sudo access which is why I described how to get that back without losing all the other security advantages of turning off Administrator access.
@7: To my knowledge, Filevault was less than perfect when first released, and I am still a little nervous about it, which makes me keep to a strict backup regimen. I am led to believe that it performs well in the latest releases provided you don’t dump 80GB of music, photos and music in the same account (oh, the voice of experience!).
I mentioned the secure virtual memory in point 8, but hadn’t attributed any of the occasional VM problems I’ve had to that. I’ll try switching it off for a while and see whether it helps. Thanks for the tip!
Cheers, Gary