Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Security Guide for Mac OS X

Posted by michael on from the take-a-bite-out-of-crime dept.

An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."

13 of 250 comments (clear)

  1. These things make a nice checklist, but.... by general_re · · Score: 4, Insightful

    ....actually implementing everything the NSA recommends in its guides will get you a system that is both highly secure and exceptionally inconvenient for its users. It's a useful reference, to see if you've forgotten anything that you particularly want, or anything obvious, but as always, individual admins will have to decide for themselves where they want their systems to lie on the security-usability axis...

    --
    ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
  2. Security, Usability, Reliability by stratjakt · · Score: 5, Insightful

    Pick any two.

    --
    I don't need no instructions to know how to rock!!!!
  3. Re:Lack of safety in numbers by hbackert · · Score: 3, Insightful

    Did you click on the second link in the story? There's a lot for Windows See under "Operating Systems".

    Given the fact that I don't use MacOSX, I checked out the Cisco one some time ago and it's quite impressive. Lots of common sense things of course, but some good ideas I would have otherwise not thought about. Definitely recommended.

    It's nice to see government agencies not waste our (sorry: your) tax dollars and instead produce something useful and not hiding it in one of their many shelfs.

  4. Counterintuitive... by Anonymous Coward · · Score: 4, Insightful

    Since it's a security site, I'd expect it to display a warning and disable the site if you are clueless enough to accept the cookie!

    You gotta start with the fundamentals...

  5. Re:What about... by 0racle · · Score: 2, Insightful

    I don't see how simply having a centralized 'This app needs Admin access' form makes it any harder to write malware for a system, any app could trigger that function and make the request. Windows also has a single Ask for Admin form, all you have to do to trigger it is name an application setup.exe and it will ask if you want to run it as Administrator or not and I'm sure thats not the only way.

    Malware is hard to code on Linux and *BSD not because of some standard or non-standard way of asking for access, but because of years of very intelligent people asking themselves how can we safely do that. OS X's polished GUI functions are over and above that to present the nice base OS in a non-threatening way.

    --
    "I use a Mac because I'm just better than you are."
  6. Re:Screwed up by athanis · · Score: 2, Insightful

    A lot of users that I come into contact with seem to have a false sense of security. They seem to think that if they have an antivirus software, then their computer would become immune...
    But I think more needs to be done to educate the public that security isn't any single software/component, but rather, a process.. From passwords, to firewalls, to antivirus, to spyware, there are many parts to it.

    I think it's unfair to blame the OS solely. Application developers need to be aware of bugs and potential problems. No matter how hard you idiot proof a system, they will build a better idiot, as the saying goes.

  7. Re:What about... by evilviper · · Score: 2, Insightful
    As its a pain in the ass to code a spyware on linux, its much more harder on OS X. Guess why? OS X shows a user friendly window which is centralized by OS GUI whenever a program needs administrative access.

    That would make it EASIER to spread worms/viruses than a normal Unix system, NOT harder. In Unix, attempts to access resources you don't have permissions to, just fail. If it pops up a window that says "would you like to give this program access" then you're just as screwed as the rest of the world... That's because people are stupid and click yes without knowing what they're doing. If it's piggybacking on some other installation (browser plug-ins or other 'gee wiz' features) then users wouldn't have the slightest reason to suspect anything.

    Note, though, that this is only for viruses/worms, because spyware doesn't need root access to do it's job. It can spy on you in user-land just fine. It can change your browser proxy settings without root access, and pop-up ads from competing sites without root access. Am I missing any annoying features?
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  8. Re:File Vault by Daengbo · · Score: 4, Insightful

    I don't trust it with anything important though

    Kind of defeats the purpose, doesn't it?

    --
    Put identity in the browser.
  9. Re:What about... by Anonymous Coward · · Score: 4, Insightful

    Not sure if this would make it more secure for the OS challenged, but when it asks for administrative permission it asks for a password. If an office admin wants to keep the OS X's in the office secure, just don't give the secretaries the password for their computers. If they need to do anything which requires the password, they have to ask the computer guy and he can say, "So why do you need to see nude pictures of Brad Pitt again?"

  10. Pardon Me while I take a NAP while waiting for my by sir+lox+elroy · · Score: 3, Insightful

    download to complete, DOH it's now stalled. /me wants to call the NSA and ask if they can mail me a printed version of the document it would be faster

    --
    Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
  11. Re:Slashdotted already? by networkBoy · · Score: 2, Insightful

    Got a media reference? I live in the area and have heard nothing about it.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  12. Re:What about... by Durandal64 · · Score: 4, Insightful
    What are you thinking? That all other OSes just give you an OKAY button and don't ask for a password to get Admin rights? No, of course not. You always need the password.
    Not quite. Administrators on Mac OS X and Windows are different things. On Mac OS X, an administrator is a user who is allowed to temporarily acquire root privileges through a sudo action. To get these privileges, the user must enter his password. So, if I want to install a program that needs to write files to /Library or anywhere that isn't /Applications (the admin group has full access to the /Applications directory) or my home directory, I need to enter my password. If I choose, I can require authentication for "secure" system preferences, like the login preferences.

    On Windows, if you are logged in as an administrator (not the Administrator account), your account will automatically authenticate during program installations and such, hence why you can make changes to the system settings and install programs without ever being challenged for a password. That is what makes the Windows way of doing things inherently more risky. You don't need to enter your password for administrator actions.
  13. Re:MacOSX attacks... by Matthias+Wiesmann · · Score: 2, Insightful
    Has anyone actually checked the robustness of Apple's X-11 implementation? .
    Well, given the fact that it is XFree86 4.3.0 it is as robust as on Linux or other BSD...