Shared:Securing Mac OS X

From GGCWiki


How to Determine if You Are at Risk

The following information came directly from http://www.sans.org/top20/#m1 and http://www.bestsecuritytips.com/xfsection+article.articleid+20.htm

"Any default or unpatched Mac OS X installations should be presumed to be vulnerable.
The following procedure will check if there are new packages available.
  1. Choose System Preferences from the Apple Menu.
  2. Choose Software Update from the View menu.
  3. Click Update Now.
  4. Check the items available.
To aid in the process of vulnerability assessment, you can leverage any vulnerability scanner.
"Mac OS X is made up of many different components. Each of these components could potentially have security flaws. Ex: Safari, ImageIO, Unix, and wireless"
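
The check described above can also be scripted from Terminal with Apple's `softwareupdate` command-line tool, which is useful for cron jobs or for checking several machines. This is an added example, not part of the quoted sources; the function names are illustrative, and it assumes `softwareupdate --list` prints each available item on its own line beginning with `*` (optionally followed by `Label:`).

```shell
#!/bin/sh
# Added example: report pending Apple software updates from the command line.
# Assumption: `softwareupdate --list` prints one "* <label>" line per item
# (newer releases print "* Label: <label>"); indented detail lines follow.

# Print the label of each pending update, one per line (nothing if none).
pending_updates() {
    # Status messages such as "No new software available." go to stderr,
    # so only stdout is parsed.
    softwareupdate --list 2>/dev/null |
        sed -n 's/^[[:space:]]*\*[[:space:]]*\(Label:[[:space:]]*\)\{0,1\}//p'
}

# Print a short report. Returns 0 when nothing is pending and 1 otherwise,
# so a scheduled job or monitoring check can alert on a non-zero status.
report_updates() {
    labels=$(pending_updates)
    if [ -z "$labels" ]; then
        echo "No updates pending"
        return 0
    fi
    count=$(printf '%s\n' "$labels" | wc -l | tr -d ' ')
    echo "$count update(s) pending:"
    printf '%s\n' "$labels" | sed 's/^/  /'
    return 1
}

# Usage: source this file on the Mac being checked, then run report_updates.
```
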

How to Protect Against These Vulnerabilities

The following information came directly from http://www.sans.org/top20/#m1 and http://www.apple.com/macosx/features/security/

  • "Be sure to stay current and have all security updates for Apple products applied by turning on the Software Update System to automatically check for software updates released by Apple. Although different schedules are possible, we recommend that you configure it to check for updates on a weekly basis at least. For more information about how to check and run the Software Update System, see the Apple Software Updates webpage - http://www.apple.com/macosx/upgrade/softwareupdates.html


  • To avoid unauthorized access to your machine, turn on the built-in personal firewall. If you have authorized services running in your machine that need external access, be sure to explicitly permit them.


  • There are many excellent guides available for hardening Mac OS X. The CIS Benchmark for Mac OS X enumerates security configurations useful for hardening the Operating System. The actions suggested by the CIS Level-1 benchmarks documents are unlikely to cause any interruption of service or applications and are highly recommended to be applied on the system. Also, the Securing Mac OS X 10.4 Tiger white paper examines security features and hardening of Mac OS X.


  • You can secure your firewall. This can prevent spyware and viruses that can harm your PC.


  • Mac OS X automatically downloads software updates. This helps to prevent your computer from being unsafe. It stays current with the latest available protection updates which are released directly from Apple".

Virus prevention

This information was obtained directly from http://www.princeton.edu/~psg/unix/osx/osxsecurity.html#onesix

"There is still, at this writing, no virus that infects OS X. But virus-infected documents and e-mail attachments can be transmitted through OS X to Windows computers. Prevent that by using anti-virus software on your Mac.


Install the anti-virus software of your choice.
  • "Princeton University has a site license for Norton Anti-Virus (NAV). If you purchased a Mac through the Student Computing Initiative you received a copy. Contact the Help Desk Virus FAQ for further information. Virex anti-virus software is available from Apple, through subscription to the Dot.Mac service."


  • "Virus software is useless if not absolutely up-to-date. Configure your virus software to check for updated virus data daily."


  • "Do not click on links that come in unsolicited e-mail messages. Do not even open or preview e-mail messages and attachments from unknown sources. Use Princeton's e-mail SPAM Assassin service in combination with OS X Mail's trainable Junk Mail filter to weed out junk mail."


For more information about viruses, see:
Norton's SARC:
http://www.sarc.com/
McAfee's Threat Center:
http://www.mcafee.com/us/threat_center/default.asp
Macintouch Security Reports:
http://www.macintouch.com/security.html


Free virus prevention software can be downloaded from http://free.grisoft.com/doc/download-free-anti-virus/us/frt/0"

Back-Ups

This information came directly from http://www.princeton.edu/~psg/unix/osx/osxsecurity.html#onesix

"An old saw says that there are two kinds of computer users, those who have had a hard disk crash and those who will.


Select and use a backup system. Some possibilities:
  • Princeton Macintosh users can use Tivoli Storage Manager (TSM) to back up their OS X /User files. Special arrangements and charges apply if TSM is used to back up entire systems, such as servers. OIT documentation for OS X TSM is still being developed since the OS X version is still relatively new. Contact the Help Desk for assistance.


  • Drag-copy your documents to your home file system, often called your "H" drive. You have space on a central file server which you can mount as an external disk drive with a Macintosh interface, and log in using your LDAP password. (Formerly called Samba or SMB, this service is now known as CIFS). See Help Desk article 9268 for information. Quotas were increased to 250Mb for 2004-5.


  • Apple's "Backup" software works with internal CD-RW or Apple SuperDrive, or over the internet to Apple's iDisk. This requires a subscription to .Mac http://www.mac.com/ for $99/year.




Nine Tips on Securing Your Mac

Information came directly from: http://brightlaunch.com/resources/security/securing-your-mac

"It is very important to secure your Mac. It will help to prevent someone else from getting any of your personal information.


1. Turn off your Mac at night.


2. Turn off Automatic login.


3. Require a password when waking your Mac from sleep or a screen saver.


4. Lock Your Keychain.


5. Change Your Keychain Password


6. Store Your Sensitive Files in an Encrypted Disk Image


7. Completely Erase Sensitive Files


8. Use FileVault


9. Set an Open Firmware Password"

Securing Keychain Items

This information came directly from:


"Keychain - a secure store for certificates, passwords, or any small bits of information to be kept private (also known as secure "notes").
Keychains can store multiple encrypted items. You can configure some of these individual items so that only certain applications are permitted access. Access Control cannot be set for certificates. To secure individual keychain items:

1. In Keychain Access, select a keychain, and then select an item.


2. Click the Information (i) button.


3. Click Access Control. Authenticate if you are requested to do so.


4. Select “Confirm before allowing access.”

After you enable this option, Mac OS X prompts you before giving a security credential to an application. If you selected “Allow all applications to access this item” you allow any application to access the security credential whenever the keychain is unlocked. When accessing the security credential, there is no user prompt, so enabling this is a security risk.


5. Select “Ask for Keychain password.”

After selecting this, you have to provide the keychain password before applications can access security credentials. Enabling this is particularly important for critical items, such as your personal identity (your public key certificates and the corresponding private key), that are needed when signing or decrypting information. These items can also be placed in their own keychains.


6. Remove all nontrusted applications that are listed in “Always allow access by these applications,” by selecting each application and clicking the Remove (–) button. Any application listed here will be prompted to enter the keychain password to access the security credentials".