Securing Mac OS X Tiger

Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."

Re:CIA still using OS X?

[OneOver137]

Oops, guess it was the NSA

Secure swap space

[guildsolutions]

One of the features that this article highlights is the Secure swap space, which allows you to have your swap space encrypted so that it cannot be read either unintentionally or intentionally. FileVault is fairly secure for storing business documentation, etc also. Article is well worth a read for any mac user, and non mac user who may have macs in their environment

Read before you sudo rm -rf /

[JonTurner]

Mildly funny, but also a bit irresponsible without a warning:

Folks, sudo puts you into superuser mode and executes a command, rm. rm removes files, in this case, all of them.

Unless you enjoy completely rebuilding a system and losing all your data files, don't run this command.

Another tip: never enter console commands you don't understand.

More securing OS X links/pdf's etc

http://www.nsa.gov/snac/

http://www.net-security.org/dl/articles/Securing_M ac_OS_X.pdf

http://eq.rsug.itd.umich.edu/software/radmind/

http://homepage.mac.com/hogfish/PhotoAlbum2.html

Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors software please, also W3C standards, thanks.

Re:CIA still using OS X?

[Been+on+TV]

NSA did a pretty good writeup of Securing Mac OS X Panther Server earlier this year. One can still apply all the recommendations to Tiger Server.

Re:Windows password hash storage

Cortana: "By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximatly 0.000000001 seconds to brute force with John the Ripper"

On Tiger, this is not true. In Tiger, one has to explicitly check a checkbox for each user, and enter that user's password, to allow those users to use Windows sharing. The sheet with these checkboxes states:

"Sharing with Windows computers requires storing your password in a less secure manner. You must enter the password for each account that you want to enable."

So, Windows file sharing is there, but Apple has not exactly made it easy to enable it.

Given this UI, I guess that there is no way to secure this weakness in Windows file sharing without breaking compatibility.

Re:Most secure? Says: mi2g

London-based mi2g Intelligence Unit on Tuesday released a report that says Mac OS X and Berkeley Standard Distribution (BSD) Unix are the "world's safest and most secure 24/7 online computing environments." Linux operating systems offer the worst track record, according to mi2g, with Windows coming in second.

http://www.macworld.com/news/2004/11/02/mi2g/index .php

Re:Does default matter?

[sld126]

You're ignorant of the default services for OS X client.

They're all turned off.

Even on the server version, only SSH is turned on by default.

Do you really need a firewall until you turn on any services? Most users will never do this. And they have a GUI for the firewall that allows holes for most typical services with just a check box.

Move your keychain file to a removable disk

[sdpinpdx]

You can specify any keychain file as your default, and it can be anywhere. If that's a CF card in the PCMCIA slot, your keychain is removable. Thumb drives also work, of course, but the CF card doesn't protrude beyond the case.