Slashdot Mirror


Securing Mac OS X Tiger

Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."

15 of 130 comments

  1. Re:CIA still using OS X? by OneOver137 · Score: 4, Informative

    Oops, guess it was the NSA

  2. Secure swap space by guildsolutions · Score: 5, Informative

    One of the features that this article highlights is the Secure swap space, which allows you to have your swap space encrypted so that it cannot be read either unintentionally or intentionally. FileVault is fairly secure for storing business documentation, etc. also. Article is well worth a read for any Mac user, and non-Mac user who may have Macs in their environment.

  3. Read before you sudo rm -rf / by JonTurner · Score: 5, Informative

    Mildly funny, but also a bit irresponsible without a warning:

    Folks, sudo puts you into superuser mode and executes a command, rm. rm removes files, in this case, all of them.

    Unless you enjoy completely rebuilding a system and losing all your data files, don't run this command.

    Another tip: never enter console commands you don't understand.

  4. More securing OS X links/pdf's etc by Anonymous Coward · Score: 5, Informative

    http://www.nsa.gov/snac/

    http://www.net-security.org/dl/articles/Securing_Mac_OS_X.pdf

    http://eq.rsug.itd.umich.edu/software/radmind/

    http://homepage.mac.com/hogfish/PhotoAlbum2.html

    Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors' software please, also W3C standards, thanks.

  5. Re:CIA still using OS X? by Been on TV · Score: 4, Informative

    NSA did a pretty good writeup of Securing Mac OS X Panther Server earlier this year. One can still apply all the recommendations to Tiger Server.

    --
    The future is in beta
  6. Re:Windows password hash storage by kekeruusperi · Score: 3, Informative

    In Tiger, when enabling samba sharing, you have to choose which accounts to use and you are also warned about storing the passwords in a less secure way.

  7. Re:Windows password hash storage by Smurf · Score: 2, Informative

    You may be recalling incorrectly...

    Otherwise, you may be happy to know that on Tiger there is no "hash" subdirectory in /var/db/samba, only a file called secrets.tdb.

    Maybe it's stored somewhere else. Or maybe Apple fixed this vulnerability in Tiger (your experience is with Panther anyway).

  8. Re:Windows password hash storage by zhiwenchong · Score: 2, Informative

    Yes, this was an issue but it was resolved.
    Apple fixed this in one of the recent Software Updates. It was mentioned in the release notes.

  9. Re:Windows password hash storage by Anonymous Coward · Score: 5, Informative

    Cortana: "By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper"

    On Tiger, this is not true. In Tiger, one has to explicitly check a checkbox for each user, and enter that user's password, to allow those users to use Windows sharing. The sheet with these checkboxes states:

    "Sharing with Windows computers requires storing your password in a less secure manner. You must enter the password for each account that you want to enable."

    So, Windows file sharing is there, but Apple has not exactly made it easy to enable it.

    Given this UI, I guess that there is no way to secure this weakness in Windows file sharing without breaking compatibility.

  10. Re:Most secure? Says: mi2g by Anonymous Coward · Score: 4, Informative

    London-based mi2g Intelligence Unit on Tuesday released a report that says Mac OS X and Berkeley Standard Distribution (BSD) Unix are the "world's safest and most secure 24/7 online computing environments." Linux operating systems offer the worst track record, according to mi2g, with Windows coming in second.

    http://www.macworld.com/news/2004/11/02/mi2g/index.php

  11. Re:Does default matter? by sld126 · Score: 4, Informative

    You're ignorant of the default services for OS X client.

    They're all turned off.

    Even on the server version, only SSH is turned on by default.

    Do you really need a firewall until you turn on any services? Most users will never do this. And they have a GUI for the firewall that allows holes for most typical services with just a check box.

    --
    You're just jealous because the voices only talk to me.
  12. Move your keychain file to a removable disk by sdpinpdx · Score: 4, Informative

    You can specify any keychain file as your default, and it can be anywhere. If that's a CF card in the PCMCIA slot, your keychain is removable. Thumb drives also work, of course, but the CF card doesn't protrude beyond the case.

  13. Good guide overall by Durandal64 · Score: 2, Informative

    I skimmed through it, and it's pretty thorough. Great for lab admins to have handy. I do wish they would have mentioned something about chroot for SFTP though.

    1. Re:Good guide overall by netsrek · Score: 2, Informative

      the standard chroot methods for openssh work under OS X, and if you build the binaries yourself, you don't need all the Frameworks that the Apple version requires.

      The problem with chrooting on 10.4 now is that Apple's network home mounting method borks if you have /./ in the path, so you have to do static mappings.

      small world Durandal. :)

      (dhaveconfig/netsrek)

      --

      i don't read slashdot anymore.
  14. Re:mod parent down: clueless alarmism by duck_oil · Score: 2, Informative

    That is not funny. Would you like it if a random /. reader came to your home and erased your data? DO NOT RUN THIS COMMAND!!