Security Businesses Apple

Securing Mac OS X Tiger

Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."
  • by OneOver137 ( 674481 ) on Saturday September 10, 2005 @03:36PM (#13527316) Journal
    I remember they did a write up last year about securing OS X Panther.
  • Re:"long pdf"? (Score:2, Interesting)

    by ergo98 ( 9391 ) on Saturday September 10, 2005 @04:04PM (#13527458) Homepage Journal
    Ah, good Slashdot.... Now it warns us that TFA is "long", even.

    There have been warnings accompanying long related articles for time eternal - some people come here primarily for discussion (sort of like an online book club). The article is a "necessary nuisance" for this bunch, hence the disclaimer. For those who actually come for information it isn't so much of a concern.

    Now since I'm here for discussion, what's the deal with .pdf's? It seems to be a running belief that putting one's poorly thought out, poorly edited words into pdf forms makes it professional - just like the big boys! It reminds me of the idiotic days when a couple of big boys put flash intro pages, with the nonsense scrolling/zooming in text that became so cliched. Suddenly every small shop did the same, as if this cargo cult would make them a big shop. Really was silly.
  • by prichardson ( 603676 ) on Saturday September 10, 2005 @04:24PM (#13527561) Journal
    The thing that I notice about Windows security in corporate environments is that even when it's so restrictive that using your computer becomes almost impossible, there are still ways around it.

    I've seen very secure corporate environments using OS X where everything works splendidly (including roaming profiles actually carrying _all_ of your settings with you). Also, the security manages not to get in the way of day-to-day activity.
  • Re:Wait for it... (Score:4, Interesting)

    by mcgroarty ( 633843 ) <brian DOT mcgroarty AT gmail DOT com> on Saturday September 10, 2005 @04:39PM (#13527641) Homepage
    When you encrypt files with Windows, a copy of the file's key is encrypted against the key of each user with access to the file. With Windows, there are several additional keys that all keys are encrypted against, reputedly for law enforcement activities. (I can't find anything backing up the law enforcement claim apart from conspiracy nutcake sites, but the fact remains that the unexplained extra keys do exist.)

    Anyone know if filevault's key is encrypted against anything apart from the user's key and the optional recovery key?

  • by cortana ( 588495 ) <sam@[ ]ots.org.uk ['rob' in gap]> on Saturday September 10, 2005 @04:47PM (#13527678) Homepage
    I didn't see any mention of disabling this dangerous feature in the article.

    By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper [google.com].

    So it's advisable to somehow disable this functionality.
  • by hawaiian717 ( 559933 ) on Saturday September 10, 2005 @05:00PM (#13527734) Homepage
    No, it doesn't. It just marks as deleted all the inodes for all the files on your disk. Do this, then give the disk to someone with EnCase, and watch them promptly recreate every file on your disk.
  • by justsomebody ( 525308 ) on Saturday September 10, 2005 @05:04PM (#13527753) Journal
    Believe me, you haven't missed anything.

    Yeah, 41 pages long. If you ever read "basic secure your Linux box", well, that's it. I'm disappointed that a real Mac problem was not addressed. It allows you world writable Applications directory, and .app folder copied by user can be tainted anytime by anyone modifying one single file from terminal.

    It contains:
    Setting password, Displaying warning, locking your firmware (well, this one is the only deviation from "Lock your box for real world dummies"), enabling ACLs, changing user home directories from 022 to 027, tcp_wrappers, xinetd, and other services, file vault, encrypted disk images...

    Basically the only positive thing I got from reading it, was how insecure default OSX (talking about DEFAULT here, not what is possible. Mac line was always "Just works") really is. It is more or less as secure as Windows 98 with few bugs taken out and few new entered.
  • by justsomebody ( 525308 ) on Saturday September 10, 2005 @05:21PM (#13527831) Journal
    Yeah, right. At what cost? Count downtime and all service costs.

    Windows has the same feature, so what?
    On Linux you can install libtrash or any other kind of protection, which is much nicer than any filesystem default, so what?
    On VAX all the versions were collected, so what??

    It is downtime and service needed that counts not someone with EnCase. Problem is that you can do rm / by default and not what it does and not whether Mac is holy or not.
  • Metadata in the PDF (Score:4, Interesting)

    by grondin ( 241140 ) on Saturday September 10, 2005 @05:46PM (#13527991)
    "martin" created this PDF document in MS Word 7 (using Acrobat 6 for Windows) on 8/19/05 at 7:07 am. The following meta-data was left in the PDF:
    <?xpacket begin='&#212;&#170;&#248;' id='W5M0MpCehiHzreSzNTczkc9d'?>
    <?adobe-xap-filters esc="CRLF"?>
    <x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='XMP toolkit 2.9.1-13, framework 1.6'>
    <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='http://ns.adobe.com/iX/1.0/'>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:pdf='http://ns.adobe.com/pdf/1.3/' pdf:Producer='Acrobat Distiller 6.0.1 (Windows)'></rdf:Description>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xap='http://ns.adobe.com/xap/1.0/' xap:CreatorTool='PScript5.dll Version 5.2.2' xap:ModifyDate='2005-08-19T13:07:33+01:00' xap:CreateDate='2005-08-19T13:07:33+01:00'></rdf:Description>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/' xapMM:DocumentID='uuid:e3821de7-3fc1-4e6a-a7b1-2686024123c0'/>
    <rdf:Description rdf:about='uuid:3e9566a3-e8e6-4d67-b622-3d681f9c54d2' xmlns:dc='http://purl.org/dc/elements/1.1/' dc:format='application/pdf'><dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - 7 - Securing Mac OS X 10 4 Tiger v1.0.doc</rdf:li></rdf:Alt></dc:title><dc:creator><rdf:Seq><rdf:li>martin</rdf:li></rdf:Seq></dc:creator></rdf:Description>
    </rdf:RDF>
    </x:xmpmeta>
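
A pre-publication check for the kind of metadata quoted in the comment above, as an added example that is not part of the thread or of the Corsaire guide: it pulls the XMP packet out of a PDF and lists the fields that name an author, a source file or the authoring toolchain. It assumes the packet is stored uncompressed in the file; the function name `xmp_findings` and every value in `SAMPLE` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces as they appear in the packet quoted in the comment above.
NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "dc": "http://purl.org/dc/elements/1.1/",
    "pdf": "http://ns.adobe.com/pdf/1.3/",
    "xap": "http://ns.adobe.com/xap/1.0/",
}
# Attribute-form properties that identify tooling and timestamps.
ATTRS = [("pdf", "Producer"), ("xap", "CreatorTool"), ("xap", "CreateDate"), ("xap", "ModifyDate")]
# Element-form properties that tend to carry user names and original file names.
ELEMS = [("dc", "creator"), ("dc", "title")]

def xmp_findings(pdf_bytes):
    """Return {property: [values]} for identifying XMP fields found in a PDF."""
    m = re.search(rb"<x:xmpmeta\b.*?</x:xmpmeta>", pdf_bytes, re.S)
    if m is None:
        return {}  # no uncompressed XMP packet present
    root = ET.fromstring(m.group(0))
    found = {}
    for desc in root.iter("{%s}Description" % NS["rdf"]):
        for prefix, name in ATTRS:
            value = desc.get("{%s}%s" % (NS[prefix], name))
            if value:
                found.setdefault(f"{prefix}:{name}", []).append(value)
        for prefix, name in ELEMS:
            for prop in desc.findall(f"{prefix}:{name}", NS):
                # Values sit in rdf:li items inside rdf:Seq or rdf:Alt.
                for li in prop.iter("{%s}li" % NS["rdf"]):
                    if li.text and li.text.strip():
                        found.setdefault(f"{prefix}:{name}", []).append(li.text.strip())
    return found

# Constructed sample: a fragment shaped like a PDF metadata stream.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Metadata /Subtype /XML >> stream
<x:xmpmeta xmlns:x='adobe:ns:meta/'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<rdf:Description rdf:about='' xmlns:pdf='http://ns.adobe.com/pdf/1.3/' pdf:Producer='Example Distiller'/>
<rdf:Description rdf:about='' xmlns:xap='http://ns.adobe.com/xap/1.0/' xap:CreatorTool='ExampleDriver 1.0' xap:CreateDate='2005-01-01T09:00:00Z'/>
<rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1/'><dc:title><rdf:Alt><rdf:li xml:lang='x-default'>Microsoft Word - draft.doc</rdf:li></rdf:Alt></dc:title><dc:creator><rdf:Seq><rdf:li>alice</rdf:li></rdf:Seq></dc:creator></rdf:Description>
</rdf:RDF>
</x:xmpmeta>
endstream endobj
"""
if __name__ == "__main__":
    for key, values in xmp_findings(SAMPLE).items():
        print(key, "=>", values)
```

An empty result only means no plain-text packet was found; metadata held in a compressed stream or in the PDF Info dictionary needs a full PDF parser to inspect.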
  • Three thumbs up (Score:4, Interesting)

    by teaenay ( 844596 ) on Saturday September 10, 2005 @09:53PM (#13529145)
    As a Security Architect for a major bank in my country and an "I don't do windows" user at home (OS X, linux), I found this document to be a brilliant guide to securing an OS X client.

    I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.

    There are options in Tiger's security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be disabled for similar reasons.

    Password policies! I had no idea Tiger could do that.

    After going through this article and learning a bit more about how KeyChain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses KeyChain.

    This is a very good article.

  • Re:Three thumbs up (Score:2, Interesting)

    by macshome ( 818789 ) on Saturday September 10, 2005 @11:22PM (#13529492) Homepage
    Password policies! I had no idea Tiger could do that.

    It can starting with 10.3. I have an older article about it on my site here [afp548.com]. The article is from 10.3, but really just more of it works now on 10.4. Also look at the site for my login times script that uses pwpolicy to imitate the login hours policy that other OSes offer admins.

    Last year at MacWorld SF, I put together a pwpolicy GUI in AppleScript Studio for a live demo. I also did a minor bit of pwpolicy scripting at WWDC this year. If you have an ADC membership you can watch that preso. It was fun when the demo Mac started to fall apart while I was trying to code...
  • Open Ports (Score:3, Interesting)

    by Nick Driver ( 238034 ) on Sunday September 11, 2005 @01:06AM (#13529882)
    What does "no open port by default" mean to you?

    An OS without *any* open ports can still be vulnerable, by merely having a TCP/IP stack connected to a public network. Even if the stack merely can only respond to ICMP packets (no tcp or udp ports open, nor any other IP protocols enabled), it can still theoretically be vulnerable to DoS attacks via ICMP.

    TFA makes no mention whatsoever of disabling ICMP.
