Slashdot Mirror


Securing Mac OS X Tiger

Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."

25 of 130 comments

  1. I once tried to secure a tiger by DrMrLordX · · Score: 5, Funny

    I put a tiger on a leash once.  It didn't work.  Don't try this at home, kids!

    1. Re:I once tried to secure a tiger by kcarlin · · Score: 5, Funny

      You should try the cage. It works for me.

      Does the tiger let you out for walks?

      --
      Free Adam Smith! (Or best offer.)
  2. "long pdf"? by Anonymous Coward · · Score: 4, Funny

    Ah, good Slashdot.... Now it warns us that TFA is "long", even.
    But of course, I don't think anyone ever tries to RTFA, so the thoughtful gesture is lost on us....

  3. Does default matter? by Poromenos1 · · Score: 4, Insightful

    If you're going for corporate security, you're probably going to look at every aspect you need to lock down. Security by default matters for 90% of desktop users, but don't you disable services/add firewalls as soon as you set up your OS?

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
    1. Re:Does default matter? by prichardson · · Score: 4, Interesting

      The thing that I notice about Windows security in corporate environments is that even when it's so restrictive that using your computer becomes almost impossible, there are still ways around it.

      I've seen very secure corporate environments using OS X where everything works splendidly (including roaming profiles actually carrying _all_ of your settings with you). Also, the security manages not to get in the way of day-to-day activity.

      --
      Help I'm a rock.
    2. Re:Does default matter? by Halfbaked+Plan · · Score: 3, Insightful

      You're nuts if you think 'the biggest roadblock' is some tacit conspiracy by IT staffers.

      --
      resigned
    3. Re:Does default matter? by sld126 · · Score: 4, Informative

      You're ignorant of the default services for OS X client.

      They're all turned off.

      Even on the server version, only SSH is turned on by default.

      Do you really need a firewall until you turn on any services? Most users will never do this. And they have a GUI for the firewall that allows holes for most typical services with just a check box.

      --
      You're just jealous because the voices only talk to me.
  4. Nice to see you... by Anonymous Coward · · Score: 5, Funny

    Nice to see Roy Horn has recovered enough to post on slashdot.

  5. Re:CIA still using OS X? by OneOver137 · · Score: 4, Informative

    Oops, guess it was the NSA

  6. Secure swap space by guildsolutions · · Score: 5, Informative

    One of the features that this article highlights is the Secure swap space, which allows you to have your swap space encrypted so that it cannot be read either unintentionally or intentionally. FileVault is fairly secure for storing business documentation, etc. also. Article is well worth a read for any Mac user, and non-Mac user who may have Macs in their environment.

  7. staying secure by jacklexbox · · Score: 3, Insightful

    Security still depends on the user of the software, even the most secure system can be opened WIDE up if someone chooses (or chooses without knowing) to make it so. You can have everything encrypted, but if your password is easily guessable then your encryption is weak. This goes with the thought that "A system is only as secure as its weakest point."

  8. Wait for it... by bradleyland · · Score: 5, Funny

    Law enforcement agencies announce that "OS X Tiger" stands in the way of forensic investigation. Story at eleven.

    1. Re:Wait for it... by mcgroarty · · Score: 4, Interesting
      When you encrypt files with Windows, a copy of the file's key is encrypted against the key of each user with access to the file. With Windows, there are several additional keys that all keys are encrypted against, reputedly for law enforcement activities. (I can't find anything backing up the law enforcement claim apart from conspiracy nutcake sites, but the fact remains that the unexplained extra keys do exist.)

      Anyone know if FileVault's key is encrypted against anything apart from the user's key and the optional recovery key?

  9. Read before you sudo rm -rf / by JonTurner · · Score: 5, Informative

    Mildly funny, but also a bit irresponsible without a warning:

    Folks, sudo puts you into superuser mode and executes a command, rm. rm removes files, in this case, all of them.

    Unless you enjoy completely rebuilding a system and losing all your data files, don't run this command.

    Another tip: never enter console commands you don't understand.

    1. Re:Read before you sudo rm -rf / by eneville · · Score: 3, Insightful

      And especially never enter console commands on /. rated anything other than informative, even that is a bad idea. Never enter a console command without first reading the man page, yes it's long and could be a bore, but it's not as boring as restoring from backups (if you have backups of some important directory that you forgot about).

  10. More securing OS X links/pdf's etc by Anonymous Coward · · Score: 5, Informative

    http://www.nsa.gov/snac/

    http://www.net-security.org/dl/articles/Securing_Mac_OS_X.pdf

    http://eq.rsug.itd.umich.edu/software/radmind/

    http://homepage.mac.com/hogfish/PhotoAlbum2.html

    Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors' software please, also W3C standards, thanks.

  11. Next time... by Farrside · · Score: 4, Funny

    Grab it by the toe.

    Wear good earplugs.

  12. Re:CIA still using OS X? by Been+on+TV · · Score: 4, Informative

    NSA did a pretty good writeup of Securing Mac OS X Panther Server earlier this year. One can still apply all the recommendations to Tiger Server.

    --
    The future is in beta
  13. Metadata in the PDF by grondin · · Score: 4, Interesting
    "martin" created this PDF document in MS Word 7 (using Acrobat 6 for Windows) on 8/19/05 at 7:07 am. The following meta-data was left in the PDF:
    <?xpacket begin='&#212;&#170;&#248;' id='W5M0MpCehiHzreSzNTczkc9d'?>
    <?adobe-xap-filters esc="CRLF"?>
    <x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='XMP toolkit 2.9.1-13, framework 1.6'>
    <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='http://ns.adobe.com/iX/1.0/'>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:pdf='http://ns.adobe.com/pdf/1.3/' pdf:Producer='Acrobat Distiller 6.0.1 (Windows)'></rdf:Description>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xap='http://ns.adobe.com/xap/1.0/' xap:CreatorTool='PScript5.dll Version 5.2.2' xap:ModifyDate='2005-08-19T13:07:33+01:00' xap:CreateDate='2005-08-19T13:07:33+01:00'></rdf:Description>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/' xapMM:DocumentID='uuid:e3821de7-3fc1-4e6a-a7b1-2686024123c0'/>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:dc='http://purl.org/dc/elements/1.1/' dc:format='application/pdf'><dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - 7 - Securing Mac OS X 10 4 Tiger v1.0.doc</rdf:li></rdf:Alt></dc:title><dc:creator><rdf:Seq><rdf:li>martin</rdf:li></rdf:Seq></dc:creator></rdf:Description>
    </rdf:RDF>
    </x:xmpmeta>
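
Added example (not part of the thread or of the Corsaire guide): a pre-publication check that pulls the XMP packet out of a PDF and lists the identifying fields the comment above points out. It assumes the metadata stream is stored uncompressed; `xmp_findings` and the sample bytes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "dc": "http://purl.org/dc/elements/1.1/",
    "xap": "http://ns.adobe.com/xap/1.0/",
    "pdf": "http://ns.adobe.com/pdf/1.3/",
}
# Attribute-form properties worth reviewing before a document is published.
ATTRS = {"producer": ("pdf", "Producer"), "creator_tool": ("xap", "CreatorTool"),
         "create_date": ("xap", "CreateDate")}
XMP_RE = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.DOTALL)

def xmp_findings(pdf_bytes):
    """Return identifying XMP properties from an uncompressed metadata stream."""
    findings = {}
    m = XMP_RE.search(pdf_bytes)
    if m is None:
        return findings
    packet = m.group(0)
    # Refuse DTDs so entity-expansion tricks never reach the XML parser.
    if b"<!DOCTYPE" in packet or b"<!ENTITY" in packet:
        raise ValueError("XMP packet contains a DTD; refusing to parse")
    root = ET.fromstring(packet)
    for desc in root.iter("{%s}Description" % NS["rdf"]):
        for key, (prefix, name) in ATTRS.items():
            value = desc.get("{%s}%s" % (NS[prefix], name))
            if value:
                findings[key] = value
        for key, path in (("title", "dc:title/rdf:Alt/rdf:li"),
                          ("author", "dc:creator/rdf:Seq/rdf:li")):
            values = [li.text for li in desc.findall(path, NS) if li.text]
            if values:
                findings[key] = values
    return findings

# Constructed sample: PDF-like bytes wrapping a packet modelled on the one quoted above.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Metadata /Subtype /XML >> stream
<x:xmpmeta xmlns:x='adobe:ns:meta/'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<rdf:Description rdf:about='' xmlns:pdf='http://ns.adobe.com/pdf/1.3/' pdf:Producer='Acrobat Distiller 6.0.1 (Windows)'/>
<rdf:Description rdf:about='' xmlns:xap='http://ns.adobe.com/xap/1.0/' xap:CreatorTool='PScript5.dll Version 5.2.2' xap:CreateDate='2005-08-19T13:07:33+01:00'/>
<rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1/'><dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - 7 - Securing Mac OS X 10 4 Tiger v1.0.doc</rdf:li></rdf:Alt></dc:title><dc:creator><rdf:Seq><rdf:li>martin</rdf:li></rdf:Seq></dc:creator></rdf:Description>
</rdf:RDF>
</x:xmpmeta>
endstream endobj
"""
```

An empty result only means no uncompressed XMP packet was found; the PDF's Info dictionary can carry the same author and title fields and needs its own check.
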
  14. Re:Windows password hash storage by kekeruusperi · · Score: 3, Informative

    In Tiger, when enabling samba sharing, you have to choose which accounts to use and you are also warned about storing the passwords in a less secure way.

  15. Re:Windows password hash storage by Anonymous Coward · · Score: 5, Informative

    Cortana: "By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper"

    On Tiger, this is not true. In Tiger, one has to explicitly check a checkbox for each user, and enter that user's password, to allow those users to use Windows sharing. The sheet with these checkboxes states:

    "Sharing with Windows computers requires storing your password in a less secure manner. You must enter the password for each account that you want to enable."

    So, Windows file sharing is there, but Apple has not exactly made it easy to enable it.

    Given this UI, I guess that there is no way to secure this weakness in Windows file sharing without breaking compatibility.

  16. Re:Most secure? Says: mi2g by Anonymous Coward · · Score: 4, Informative

    London-based mi2g Intelligence Unit on Tuesday released a report that says Mac OS X and Berkeley Standard Distribution (BSD) Unix are the "world's safest and most secure 24/7 online computing environments." Linux operating systems offer the worst track record, according to mi2g, with Windows coming in second.

    http://www.macworld.com/news/2004/11/02/mi2g/index.php

  17. Move your keychain file to a removable disk by sdpinpdx · · Score: 4, Informative

    You can specify any keychain file as your default, and it can be anywhere. If that's a CF card in the PCMCIA slot, your keychain is removable. Thumb drives also work, of course, but the CF card doesn't protrude beyond the case.

  18. Three thumbs up by teaenay · · Score: 4, Interesting
    As a Security Architect for a major bank in my country and an "I don't do windows" user at home (OS X, linux), I found this document to be a brilliant guide to securing an OS X client.

    I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.

    There are options in Tiger's security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be disabled for similar reasons.

    Password policies! I had no idea Tiger could do that.

    After going through this article and learning a bit more about how KeyChain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses KeyChain.

    This is a very good article.

  19. Easy as any O/S to secure... by Nick+Driver · · Score: 4, Insightful

    Without even R'ing the FA, I can tell you that truly securing the Mac OS is just as easy as truly securing any other OS.

    1) Unplug it from any network.
    2) Strictly control whoever gets physical access.
    3) ???
    4) Security!

    Seriously... after watching some dipshit try over 4,000 times within the span of a couple hours to attempt buffer overflows on every listening port on my honeypot last Friday afternoon, before I finally blacklisted his entire class C from my router, I've come to the same conclusion that the DoD has... that NO computer connected to the Internet can be made secure... period... that you should only connect disposable devices to the public Internet.

    I even wonder if I'm not the bigger dipshit for sitting there watching this idiot half the afternoon, throwing the kitchen sink at my poor machine in vain, before pulling the plug on him and banishing his whole netblock.