Securing Mac OS X Tiger 130
Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."
Does default matter? (Score:5, Insightful)
Re:Does default matter? (Score:3, Insightful)
Re:Learn about Apple's misdeeds and mischief (Score:1, Insightful)
staying secure (Score:3, Insightful)
Re:Does default matter? (Score:1, Insightful)
No, because these things should be done by default by the OS vendor.
Re:Read before you sudo rm -rf / (Score:3, Insightful)
Re:Does default matter? (Score:3, Insightful)
Re:Does default matter? (Score:3, Insightful)
Corporate IT departments prefer working on applications, servers, and such. They abhor "help desk" duty which is what setting up drive images, desktops, and scuh.
So frankly, the IT department usually doesn't give a care what the desktop users use - its the help desk department that does.
Re:Most secure? Says: mi2g (Score:2, Insightful)
I think there might be two problems with the information assuming the numbers are normalized on installs vs succesful compromises. First, Mac OS X is the most widely sold UNIX like OS in the world. Its hard to believe that OS X and BSD counted together is more than Linux. Most other surveys put them at about the same percentage. If you look at servers then linux would blow out OS X and probably BSD. Desktops i think linux would do better than BSDs aside from OS X. Second, it would be nice to see data on how well trained the sys admins were on the systems. Many people don't know linux well enough to properly secure it. An OSX destkop ships in a safer default than most linux distros. In fact, if you look at the bloated distros they ship with several programs that do the same thing. (KDE and Gnome along with software) 4 browsers, 3 email clients, probably 20 text editors, etc. OS X server and Linux are both a pain in the ass for different reasons. I think they give a false sense of security because of the user interface. (graphical and not distros like gentoo or debian that don't include x11 by default) Windows has the same problem. If you meet a windows admin who's never touched the registry then you know they are an idiot. Likewise, if someone hasn't touch a config file in
Obscurity only goes so far. I'd also like to know what caused the linux distros to get attacked. Was it a kernel flaw, service issue, common open source software? For example, many operating systems come with a webserver now (apache or iis). Is there a pattern on services?
I write this on a redhat EL 3.0 workstation install. I've noticed that i get about the same number of security updates in a month for my windows box and this redhat machine. Today i had to install 5 patches to redhat. (last patched a week ago) and i patched windows a few days ago and had 3. My ibook g4 laptop with tiger on it has had about 7 security patches in the last month and countless new versions of software like quicktime, itunes, etc. I've always wondered if apple hides security updates in new versions of software and doesn't tell anyone. My point is that all my operating systems seem to require the same amount of security patching in desktop scenarios. My FreeBSD file server and webservers tend to need 1-2 patches a month as part of the userland and then new versions of software add up for say 20-25 portupgrades a month. And that does not include apache, mysql or php which i manually compile and install.
Numbers without more background are not that helpful.
Re:Move your keychain file to a removable disk (Score:2, Insightful)
Easy as any O/S to secure... (Score:5, Insightful)
1) Unplug it from any network.
2) Strictly control whoever gets physical access.
3) ???
4) Security!
Seriously... after watching some dipshit try over 4,000 times within the span of a couple hours to attempt buffer overflows on every listening port on my honeypot last Friday afternoon, before I finally blacklisted his entire class C from my router, I've come to the same conclusion that the DoD has... that NO computer connected to the Internet can be made secure... period... that you should only connect disposeable devices to the public Internet.
I even wonder if I'm not the bigger dipshit for sitting there watching this idiot half the afternoon, throwing the kitchen sink at my poor machine in vain, before pulling the plug on him and banishing his whole netblock.