
Securing Mac OS X Tiger

Posted by Zonk
from the intense-lockdown dept.
Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."
  • by DrMrLordX (559371) on Saturday September 10, 2005 @03:23PM (#13527249)
    I put a tiger on a leash once.  It didn't work.  Don't try this at home, kids!
  • "long pdf"? (Score:4, Funny)

    by Anonymous Coward on Saturday September 10, 2005 @03:23PM (#13527255)
    Ah, good Slashdot.... Now it warns us that TFA is "long", even.
    But of course, I don't think anyone ever tries to RTFA, so the thoughtful gesture is lost on us....
    • Re:"long pdf"? (Score:2, Interesting)

      by ergo98 (9391)
      Ah, good Slashdot.... Now it warns us that TFA is "long", even.

      There have been warnings accompanying long related articles for time eternal - some people come here primarily for discussion (sort of like an online book club). The article is a "necessary nuisance" for this bunch, hence the disclaimer. For those who actually come for information it isn't so much of a concern.

      Now since I'm here for discussion, what's the deal with .pdf's? It seems to be a running belief that putting one's poorly thought out, poorl
      • Re:"long pdf"? (Score:1, Offtopic)

        by Gropo (445879)
        It seems to be a running belief that putting one's poorly thought out, poorly edited words into pdf forms makes it professional - just like the big boys!
        Well how does THIS [mac.com] make you feel?
    • I think I suffered from "Didn't RTFB" (read the 'expletive' blurb) and clicked on the link before I saw "long pdf".

      Adobe reader, good gosh.. you now know why it took me so long to make such a small comment
    • ...but does it have pictures?
    • Believe me, you haven't missed anything.

      Yeah, 41 pages long. If you ever read "basic secure your Linux box", well, that's it. I'm disappointed that a real Mac problem was not addressed. It allows you a world-writable Applications directory, and an .app folder copied by a user can be tainted anytime by anyone modifying one single file from the terminal.

      It contains:
      Setting password, Displaying warning, locking your firmware (well, this one is the only deviation from "Lock your box for real world dummies"), enabling ACLs
  • by Poromenos1 (830658) on Saturday September 10, 2005 @03:35PM (#13527310) Homepage
    If you're going for corporate security, you're probably going to look at every aspect you need to lock down. Security by default matters for 90% of desktop users, but don't you disable services/add firewalls as soon as you set up your OS?
    • by Meshach (578918)
      I think the idea is that IT departments could save some time / money if out of box operating systems didn't have so many default holes. Also there will be a more forgiving margin of error
    • Having a secure default install means that the admins don't have to do nearly as much work to secure it. This means that you can get away with fewer administrators, and therefore, it has the potential of being cheaper for a company to get an OS that starts out secure.

      A company would be foolish not to consider the security of the default install of an OS and compare it with the security of others.
      • This means that you can get away with fewer administrators...
        Which is the biggest roadblock keeping OSX from becoming popular in the corporate environment. Are you going to specify Macs if it means certain downsizing of your department in the near future? Are your fellow IT staff going to let you get away with it?
        • You're nuts if you think 'the biggest roadblock' is some tacit conspiracy by IT staffers.
        • by akac (571059)
          I don't think that makes any sense, frankly.

          Corporate IT departments prefer working on applications, servers, and such. They abhor "help desk" duty, which is what setting up drive images, desktops, and such is.

          So frankly, the IT department usually doesn't give a care what the desktop users use - it's the help desk department that does.
    • by Anonymous Coward
      but don't you disable services/add firewalls as soon as you set up your OS?

      No, because these things should be done by default by the OS vendor.
    • by prichardson (603676) on Saturday September 10, 2005 @04:24PM (#13527561) Journal
      The thing that I notice about Windows security in corporate environments is that even when it's so restrictive that using your computer becomes almost impossible, there are still ways around it.

      I've seen very secure corporate environments using OS X where everything works splendidly (including roaming profiles actually carrying _all_ of your settings with you). Also, the security manages not to get in the way of day-to-day activity.
      • What you're saying is true (I'm sorry I spent my mod points, you're surely due some). This has been frustrating me about Windows since I was an NT4 admin years back. On the recommendation of a certain famous web designer, I tried out Linux. That really opened up my eyes to the beautifully simple approach Unices take towards multiuser security.
      • The thing that I notice about Windows security in corporate environments is that even when it's so restrictive that using your computer becomes almost impossible, there are still ways around it.

        It comes from the basic approach to security that is different in windows from pretty much any other system. Other systems assume the user has no administrative privileges, and require positive credentials to gain those privileges.

        Windows assumes the user is also the administrator, and you must remove privileges from
    • You can only lock down an OS to a certain degree without impeding productivity of users. If the OS is insecure by default, locking it down could affect the functionality of the software users run on the machine. However, if you have a pretty secure system to start with your software is likely to function as it normally would.
    • by sld126 (667783) on Saturday September 10, 2005 @07:54PM (#13528674) Journal
      You're ignorant of the default services for OS X client.

      They're all turned off.

      Even on the server version, only SSH is turned on by default.

      Do you really need a firewall until you turn on any services? Most users will never do this. And they have a GUI for the firewall that allows holes for most typical services with just a check box.
       
  • by OneOver137 (674481) on Saturday September 10, 2005 @03:36PM (#13527316) Journal
    I remember they did a write up last year about securing OS X Panther.
  • Secure swap space (Score:5, Informative)

    by guildsolutions (707603) on Saturday September 10, 2005 @03:39PM (#13527334)
    One of the features that this article highlights is the Secure swap space, which allows you to have your swap space encrypted so that it cannot be read either unintentionally or intentionally. FileVault is fairly secure for storing business documentation, etc. also. Article is well worth a read for any Mac user, and non-Mac user who may have Macs in their environment.
    • by bradleyland (798918) on Saturday September 10, 2005 @04:05PM (#13527461)
      Law enforcement agencies announce that "OS X Tiger" stands in the way of forensic investigation. Story at eleven.
      • Re:Wait for it... (Score:4, Interesting)

        by mcgroarty (633843) <brian.mcgroarty@NOSPAm.gmail.com> on Saturday September 10, 2005 @04:39PM (#13527641) Homepage
        When you encrypt files with Windows, a copy of the file's key is encrypted against the key of each user with access to the file. With Windows, there are several additional keys that all keys are encrypted against, reputedly for law enforcement activities. (I can't find anything backing up the law enforcement claim apart from conspiracy nutcake sites, but the fact remains that the unexplained extra keys do exist.)

        Anyone know if filevault's key is encrypted against anything apart from the user's key and the optional recovery key?

        • Is FileVault a free software program? I ask because parts of MacOS X are proprietary and parts are free software; if the program is non-free software, then I'd be curious to know how anyone could answer the question about how it encrypts in such a way that the answer would be informative.
          • FileVault is just an Automounted encrypted AES-128 disk image.
            In order to get the whole sequence mostly invisible to the user, they re-wrote the login code to enable the disk image to be mounted before your KeyChain was available (as the KeyChain is stored on the encrypted image).

            Parts of FileVault (the image mounter and stuff) are in Darwin and thus you can see the source, however hdiutil and hdid (control most of disk image subsystems) are not available as Apple considers them competitive advantages.
  • staying secure (Score:3, Insightful)

    by jacklexbox (912121) on Saturday September 10, 2005 @04:04PM (#13527460)
    Security still depends on the user of the software, even the most secure system can be opened WIDE up if someone chooses (or chooses without knowing) to make it so. You can have everything encrypted, but if your password is easily guessable then your encryption is weak. This goes with the thought that "A system is only as secure as its weakest point."
  • by Anonymous Coward on Saturday September 10, 2005 @04:33PM (#13527606)
    http://www.nsa.gov/snac/ [nsa.gov]

    http://www.net-security.org/dl/articles/Securing_Mac_OS_X.pdf [net-security.org]

    http://eq.rsug.itd.umich.edu/software/radmind/ [umich.edu]

    http://homepage.mac.com/hogfish/PhotoAlbum2.html [mac.com]

    Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors software please, also W3C standards, thanks.
  • I didn't see any mention of disabling this dangerous feature in the article.

    By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper [google.com].

    So it's advisable to somehow disable this functionality.
    • Where is it storing the password as a Windows hash? As of 10.3 all new account passwords are stored using a ShadowHash (and not crypt) and if you change your password in the accounts prefpane and it was previously stored via crypt, it'll be upgraded to ShadowHash.
    • In Tiger, when enabling samba sharing, you have to choose which accounts to use and you are also warned about storing the passwords in a less secure way.
    • by Anonymous Coward on Saturday September 10, 2005 @06:32PM (#13528244)

      Cortana: "By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper"

      On Tiger, this is not true. In Tiger, one has to explicitly check a checkbox for each user, and enter that user's password, to allow those users to use Windows sharing. The sheet with these checkboxes states:

      "Sharing with Windows computers requires storing your password in a less secure manner. You must enter the password for each account that you want to enable."

      So, Windows file sharing is there, but Apple has not exactly made it easy to enable it.

      Given this UI, I guess that there is no way to secure this weakness in Windows file sharing without breaking compatibility.

  • Metadata in the PDF (Score:4, Interesting)

    by grondin (241140) on Saturday September 10, 2005 @05:46PM (#13527991)
    "martin" created this PDF document in MS Word 7 (using Acrobat 6 for Windows) on 8/19/05 at 7:07 am. The following meta-data was left in the PDF:
    <?xpacket begin='&#212;&#170;&#248;' id='W5M0MpCehiHzreSzNTczkc9d'?>
    <?adobe-xap-filters esc="CRLF"?>
    <x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='XMP toolkit 2.9.1-13, framework 1.6'>
    <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='http://ns.adobe.com/iX/1.0/'>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:pdf='http://ns.adobe.com/pdf/1.3/' pdf:Producer='Acrobat Distiller 6.0.1 (Windows)'></rdf:Description>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xap='http://ns.adobe.com/xap/1.0/' xap:CreatorTool='PScript5.dll Version 5.2.2' xap:ModifyDate='2005-08-19T13:07:33+01:00' xap:CreateDate='2005-08-19T13:07:33+01:00'></rdf:Description>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/' xapMM:DocumentID='uuid:e3821de7-3fc1-4e6a-a7b1-2686024123c0'/>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:dc='http://purl.org/dc/elements/1.1/' dc:format='application/pdf'><dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - 7 - Securing Mac OS X 10 4 Tiger v1.0.doc</rdf:li></rdf:Alt></dc:title><dc:creator><rdf:Seq><rdf:li>martin</rdf:li></rdf:Seq></dc:creator></rdf:Description>
    </rdf:RDF>
    </rdf:RDF>
    </x:xmpmeta>
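
A pre-publication check for the kind of leftover metadata shown in the comment above, as an added example that is not part of the original thread. It assumes the XMP packet is stored uncompressed in the PDF; the sample bytes are constructed from the fields quoted above, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed sample: a minimal PDF-like byte string carrying a cut-down copy
# of the XMP packet quoted in the comment above.
SAMPLE = b"""%PDF-1.4
<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<rdf:Description rdf:about='' xmlns:pdf='http://ns.adobe.com/pdf/1.3/'
  pdf:Producer='Acrobat Distiller 6.0.1 (Windows)'/>
<rdf:Description rdf:about='' xmlns:xap='http://ns.adobe.com/xap/1.0/'
  xap:CreatorTool='PScript5.dll Version 5.2.2'/>
<rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1/'>
<dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - 7 - Securing Mac OS X 10 4 Tiger v1.0.doc</rdf:li></rdf:Alt></dc:title>
<dc:creator><rdf:Seq><rdf:li>martin</rdf:li></rdf:Seq></dc:creator>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='w'?>
%%EOF
"""

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]

def xmp_fields(data):
    """Collect XMP properties (attribute form and element form) from raw PDF bytes."""
    fields = {}
    for packet in re.findall(rb"<x:xmpmeta\b.*?</x:xmpmeta>", data, re.S):
        root = ET.fromstring(packet)
        for desc in root.iter(f"{{{RDF}}}Description"):
            for name, value in desc.attrib.items():
                if name != f"{{{RDF}}}about":
                    fields.setdefault(local(name), []).append(value)
            for prop in desc:
                # Element-form properties hold their values in rdf:li items.
                items = [li.text for li in prop.iter(f"{{{RDF}}}li") if li.text]
                fields.setdefault(local(prop.tag), []).extend(items)
    return fields

def audit(fields):
    """Flag fields that identify the author, the source file or the toolchain."""
    findings = [f"author name exposed: {who}" for who in fields.get("creator", [])]
    for title in fields.get("title", []):
        if re.search(r"\.(docx?|xlsx?|pptx?)\b", title, re.I):
            findings.append(f"source file name exposed: {title}")
    for key in ("Producer", "CreatorTool"):
        for tool in fields.get(key, []):
            findings.append(f"authoring toolchain exposed: {tool}")
    return findings

if __name__ == "__main__":
    for finding in audit(xmp_fields(SAMPLE)):
        print(finding)
```
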
  • by sdpinpdx (66786) * <sdp@nOSPAM.scottp.us> on Saturday September 10, 2005 @08:27PM (#13528820) Journal
    You can specify any keychain file as your default, and it can be anywhere. If that's a CF card in the PCMCIA slot, your keychain is removable. Thumb drives also work, of course, but the CF card doesn't protrude beyond the case.
  • Good guide overall (Score:3, Informative)

    by Durandal64 (658649) on Saturday September 10, 2005 @08:55PM (#13528934)
    I skimmed through it, and it's pretty thorough. Great for lab admins to have handy. I do wish they would have mentioned something about chroot for SFTP though.
    • by netsrek (76063)
      the standard chroot methods for openssh work under OS X, and if you build the binaries yourself, you don't need all the Frameworks that the Apple version requires.

      The problem with chrooting on 10.4 now is that Apple's network home mounting method borks if you have /./ in the path, so you have to do static mappings.

      small world Durandal. :)

      (dhaveconfig/netsrek)
  • Three thumbs up (Score:4, Interesting)

    by teaenay (844596) on Saturday September 10, 2005 @09:53PM (#13529145)
    As a Security Architect for a major bank in my country and an "I don't do windows" user at home (OS X, linux), I found this document to be a brilliant guide to securing an OS X client.

    I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.

    There are options in Tiger's security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be disabled for similar reasons.

    Password policies! I had no idea Tiger could do that.

    After going through this article and learning a bit more about how KeyChain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses KeyChain.

    This is a very good article.

    • Re:Three thumbs up (Score:2, Interesting)

      by macshome (818789)
      Password policies! I had no idea Tiger could do that.

      It can starting with 10.3. I have an older article about it on my site here [afp548.com]. The article is from 10.3, but really just more of it works now on 10.4. Also look at the site for my login times script that uses pwpolicy to imitate the login hours policy that other OSes offer admins.

      Last year at MacWorld SF, I put together a pwpolicy GUI in AppleScript Studio for a live demo. I also did a minor bit of pwpolicy scripting at WWDC this year. If you have an
      • I just had a quick look at the ADC site, but I don't know where to find the demo. Can you point me at the right location?
        • Just log into the ADC site and then the 2005 WWDC sessions is the link in the top right corner. There are only three prominent links on the page, Store, Downloads, and WWDC sessions.
          • That only works for people who attended WWDC. No one else can view WWDC session stuff.

            I have an ADC Select membership and there is no WWDC option on the ADC site for me. (It only lists ADC Store, Downloads, and My Account)

            In past years there was a way to buy access to the WWDC session videos and stuff after WWDC was over. This year there doesn't appear to be a way to do so.
  • by Nick Driver (238034) on Saturday September 10, 2005 @11:43PM (#13529577)
    Without even R'ing the FA, I can tell you that truly securing the Mac OS is just as easy as truly securing any other OS.

    1) Unplug it from any network.
    2) Strictly control whoever gets physical access.
    3) ???
    4) Security!

    Seriously... after watching some dipshit try over 4,000 times within the span of a couple hours to attempt buffer overflows on every listening port on my honeypot last Friday afternoon, before I finally blacklisted his entire class C from my router, I've come to the same conclusion that the DoD has... that NO computer connected to the Internet can be made secure... period... that you should only connect disposable devices to the public Internet.

    I even wonder if I'm not the bigger dipshit for sitting there watching this idiot half the afternoon, throwing the kitchen sink at my poor machine in vain, before pulling the plug on him and banishing his whole netblock.
    • How about reading the article before commenting? What does "no open port by default" mean to you?

      To me, it means that you can put a mac on a network in the default configuration and have a 100% secure configuration.

      With OS X, you can get security with the following:
      1. Set up regular accounts for other users who share your computer, keeping the admin account to yourself and not enabling root.
      2. There is no step 2.

      This prescription works for anyone other than say the NSA or CIA.

      • Open Ports (Score:3, Interesting)

        by Nick Driver (238034)
        What does "no open port by default" mean to you?

        An OS without *any* open ports can still be vulnerable, by merely having a TCP/IP stack connected to a public network. Even if the stack merely can only respond to ICMP packets (no tcp or udp ports open, nor any other IP protocols enabled), it can still theoretically be vulnerable to DoS attacks via ICMP.

        TFA makes no mention whatsoever of disabling ICMP.
        • Stop spreading FUD to the uninitiated. You are either trolling or you know just enough to be dangerous. A DoS is a Denial of Service which may temporarily block access to a network or worst case crash the stack possibly forcing a reboot. Big deal. I believe I was responding to exploits which could be used to "run" code.

          Nobody is going to DoS a workstation anyway. Come on let's be realistic here.

  • is the fact, that it could be replaced with FreeBSD securing guide, but not vice-versa. Hmm.
  • I have long since disabled password logins in favour of public key, due to all the scripting probing going on these days...or at least I thought I had. I had set PasswordAuthentication in /etc/sshd_config to no, but was alarmed to discover a coworker logging in with his password the other day.

    Knowing that this was a new development in Tiger, I compared the new config file with an older one from Panther and noticed the line #UsePAM no. Uncommenting this finally disabled passwords, which implies that the
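
A configuration check for the situation described in the comment above, as an added example that is not part of the original thread. OpenSSH can still take a password through PAM's keyboard-interactive path when `PasswordAuthentication` is `no`; the default of `UsePAM yes` used here is an assumption that models what the commenter observed, and the sample configs and function names are constructed.

```python
# Assumed values for directives the file leaves unset. "usepam": "yes" models
# the behaviour reported in the comment; check your own build's defaults.
ASSUMED_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
}

# Constructed samples: the config as the commenter first had it, and after the fix.
BEFORE = "PasswordAuthentication no\n#UsePAM no\n"
AFTER = "PasswordAuthentication no\nUsePAM no\n"

def effective_settings(config_text, defaults=ASSUMED_DEFAULTS):
    """Resolve the global section of an sshd_config into effective values."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break  # conditional blocks are out of scope for this check
        settings.setdefault(key, value)  # sshd uses the first value it sees
    return {**defaults, **settings}

def password_paths(settings):
    """List the ways a password can still be accepted for login."""
    paths = []
    if settings["passwordauthentication"] == "yes":
        paths.append("password")
    # PAM challenge-response normally just prompts for the account password.
    if (settings["usepam"] == "yes"
            and settings["challengeresponseauthentication"] == "yes"):
        paths.append("keyboard-interactive via PAM")
    return paths

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, password_paths(effective_settings(text)) or "key-only")
```

Setting `ChallengeResponseAuthentication no` closes the same path while leaving PAM account and session handling enabled.
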
