Securing Mac OS X Tiger
Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."
The thing that I notice about Windows security in corporate environments is that even when it's so restrictive that using your computer becomes almost impossible, there are still ways around it.
I've seen very secure corporate environments using OS X where everything works splendidly (including roaming profiles actually carrying _all_ of your settings with you). Also, the security manages not to get in the way of day-to-day activity.
Help I'm a rock.
Anyone know if FileVault's key is encrypted against anything apart from the user's key and the optional recovery key?
I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.
There are options in Tiger's security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be disabled for similar reasons.
Password policies! I had no idea Tiger could do that.
After going through this article and learning a bit more about how Keychain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses Keychain.
This is a very good article.