Securing Mac OS X Tiger

Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."

Does default matter?

[Poromenos1]

If you're going for corporate security, you're probably going to look at every aspect you need to lock down. Security by default matters for 90% of desktop users, but don't you disable services/add firewalls as soon as you set up your OS?

Re:Does default matter?

[Meshach]

I think the idea is that IT departments could save some time / money if out of box operating systems didn't have so many default holes. Also there will be a more forgiving margin of error

Re:Learn about Apple's misdeeds and mischief

[Anonymous Coward]

Wow, bundling iTunes (a program which lets you load MP3s onto an iPod) with an iPod. What blatant disregard for the consumer, who is powerless to install other iPod interface software [ephpod.com] or buy a different MP3 player.

staying secure

[jacklexbox]

Security still depends on the user of the software, even the most secure system can be opened WIDE up if someone chooses (or chooses without knowing) to make it so. You can have everything encrypted, but if your password is easily guessable then your encryption is weak. This goes with the thought that "A system is only as secure as it's weakest point."

Re:Does default matter?

[Anonymous Coward]

but don't you disable services/add firewalls as soon as you set up your OS?

No, because these things should be done by default by the OS vendor.

Re:Read before you sudo rm -rf /

[eneville]

An especially never enter console commands on /. rated anything other than informative, even that is a bad idea. Never enter a console command without first reading the man page, yes it's long and could be a bore, but its not as boring as restoring from backups (if you have backsups of some important directory that you forgot about).

Re:Does default matter?

[Halfbaked Plan]

You're nuts if you think 'the biggest roadblock' is some tacit conspiracy by IT staffers.

Re:Does default matter?

[akac]

I don't think that makes any sense, frankly.

Corporate IT departments prefer working on applications, servers, and such. They abhor "help desk" duty which is what setting up drive images, desktops, and scuh.

So frankly, the IT department usually doesn't give a care what the desktop users use - its the help desk department that does.

Re:Most secure? Says: mi2g

[laffer1]

This is very interesting. The article points out that small businesses and individuals get cracked more than big organizations. It also points out that more people use Windows and Linux than Mac OS X and BSD. I wonder if the numbers take that into account. Are the Linux statistics balanced with the windows counts, etc?

I think there might be two problems with the information assuming the numbers are normalized on installs vs succesful compromises. First, Mac OS X is the most widely sold UNIX like OS in the world. Its hard to believe that OS X and BSD counted together is more than Linux. Most other surveys put them at about the same percentage. If you look at servers then linux would blow out OS X and probably BSD. Desktops i think linux would do better than BSDs aside from OS X. Second, it would be nice to see data on how well trained the sys admins were on the systems. Many people don't know linux well enough to properly secure it. An OSX destkop ships in a safer default than most linux distros. In fact, if you look at the bloated distros they ship with several programs that do the same thing. (KDE and Gnome along with software) 4 browsers, 3 email clients, probably 20 text editors, etc. OS X server and Linux are both a pain in the ass for different reasons. I think they give a false sense of security because of the user interface. (graphical and not distros like gentoo or debian that don't include x11 by default) Windows has the same problem. If you meet a windows admin who's never touched the registry then you know they are an idiot. Likewise, if someone hasn't touch a config file in /etc or used a terminal on OS X server or linux they are an idiot. BSD people have no choice :)

Obscurity only goes so far. I'd also like to know what caused the linux distros to get attacked. Was it a kernel flaw, service issue, common open source software? For example, many operating systems come with a webserver now (apache or iis). Is there a pattern on services?

I write this on a redhat EL 3.0 workstation install. I've noticed that i get about the same number of security updates in a month for my windows box and this redhat machine. Today i had to install 5 patches to redhat. (last patched a week ago) and i patched windows a few days ago and had 3. My ibook g4 laptop with tiger on it has had about 7 security patches in the last month and countless new versions of software like quicktime, itunes, etc. I've always wondered if apple hides security updates in new versions of software and doesn't tell anyone. My point is that all my operating systems seem to require the same amount of security patching in desktop scenarios. My FreeBSD file server and webservers tend to need 1-2 patches a month as part of the userland and then new versions of software add up for say 20-25 portupgrades a month. And that does not include apache, mysql or php which i manually compile and install.

Numbers without more background are not that helpful.

Re:Move your keychain file to a removable disk

[Horst Graben]

That is incorrect - both the 15" and 17" PowerBook G4 come with a PC card slot.

Easy as any O/S to secure...

[Nick Driver]

Without even R'ing the FA, I can tell you that truly securing the Mac OS is just as easy as truly securing any other OS.

1) Unplug it from any network.
2) Strictly control whoever gets physical access.
3) ???
4) Security!

Seriously... after watching some dipshit try over 4,000 times within the span of a couple hours to attempt buffer overflows on every listening port on my honeypot last Friday afternoon, before I finally blacklisted his entire class C from my router, I've come to the same conclusion that the DoD has... that NO computer connected to the Internet can be made secure... period... that you should only connect disposeable devices to the public Internet.

I even wonder if I'm not the bigger dipshit for sitting there watching this idiot half the afternoon, throwing the kitchen sink at my poor machine in vain, before pulling the plug on him and banishing his whole netblock.