Mac OS X Security Configuration For Version 10.4 or Later Second Edition K Apple Inc. © 2007 Apple Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors. Apple 1 Infinite Loop Cupertino, CA 95014-2084 408-996-1010 www.apple.com The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, FireWire, Keychain, Mac, Macintosh, the Mac logo, Mac OS, QuickTime, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries. Apple Remote Desktop, Finder, and Xgrid are trademarks of Apple Inc. The Bluetooth® word mark and logos are owned by the Bluetooth SIG, Inc. and any use of such marks by Apple Inc. is under license. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products. 019-0922/02-15-07 1 Contents Preface 9 9 9 10 11 11 11 12 13 13 14 15 16 16 16 16 17 18 18 18 18 18 19 19 21 21 21 22 23 23 23 About This Guide Target Audience What's New in Mac OS X Version 10.4 What's in This Guide Using This Guide Using Onscreen Help Mac Help The Mac OS X Server Suite Getting Documentation Updates Getting Additional Information Acknowledgments Introducing Mac OS X Security Architecture Security Architectural Overview UNIX Infrastructure Access Permissions Security Framework Layered Security Defense Built-In Security Services Keychain Services Secure Transport Services Certificate, Key, and Trust Services Authorization Services Smart Card Services Authorization versus Authentication Installing Mac OS X System Installation Overview Disabling the Open Firmware Password Installing from CD or DVD Installing from the Network Restoring from Preconfigured Disk Images Initializing System Setup Chapter 1 Chapter 2 3 23 24 25 25 26 27 27 28 28 29 29 29 30 Chapter 3 31 31 32 33 33 34 34 35 36 37 38 38 39 39 40 41 41 42 42 43 45 46 47 48 49 50 50 51 Using Setup Assistant Creating Initial System Accounts Setting Correct Time Settings Updating System Software Updating from an Internal Software Update Server Updating from Internet-Based Software Update Servers Updating Manually from Installer Packages Verifying the Integrity of Software Repairing Disk Permissions Kinds of Permissions POSIX Permissions Overview ACL Permissions Overview Using Disk Utility to Repair Disk Permissions Protecting Hardware and Securing Global System Settings Protecting Hardware Disabling Hardware Removing Mac OS 9 Using the Command Line to Remove Mac OS 9 Running Mac OS 9 from a CD or DVD Running Mac OS 9 from a Disc Image Securing System Startup Using the Open Firmware Password Application Configuring Open Firmware Settings Using Command-Line Tools to Secure Startup Requiring a Password for Single-User Mode Configuring Access Warnings Enabling Access Warnings for the Login Window Enabling Access Warnings for the Command Line Securing Accounts Types of User Accounts Guidelines for Creating Accounts Defining User IDs Securing Nonadministrator Accounts Securing Administrator Accounts Securing the System Administrator Account Understanding Directory Domains Understanding Network Services, Authentication, and Contacts Configuring LDAPv3 Access Configuring Active Directory Access Using Strong Authentication Using Password Assistant Chapter 4 4 Contents 52 52 52 53 53 54 55 56 57 Chapter 5 59 59 61 63 66 67 68 69 71 72 74 76 76 77 78 79 80 82 84 85 87 90 91 92 93 95 96 97 97 97 98 99 Using Smart Cards Using Tokens Using Biometrics Setting Global Password Policies Storing Credentials Using the Default User Keychain Securing Keychain Items Creating Additional Keychains Using Portable and Network-Based Keychains Securing System Preferences System Preferences Overview Securing .Mac Preferences Securing Accounts Preferences Securing Appearance Preferences Securing Bluetooth Preferences Securing CDs & DVDs Preferences Securing Classic Preferences Securing Dashboard and Exposé Preferences Securing Date & Time Preferences Securing Desktop & Screen Saver Preferences Securing Displays Preferences Securing Dock Preferences Securing Energy Saver Preferences Securing International Preferences Securing Keyboard & Mouse Preferences Securing Network Preferences Securing Print & Fax Preferences Securing QuickTime Preferences Securing Security Preferences Securing Sharing Preferences Securing Software Update Preferences Securing Sound Preferences Securing Speech Preferences Securing Spotlight Preferences Securing Startup Disk Preferences Securing Universal Access Preferences Securing Data and Using Encryption Understanding Permissions Setting POSIX Permissions Viewing POSIX Permissions Interpreting POSIX Permissions Chapter 6 Contents 5 100 100 100 100 101 101 102 102 103 104 105 105 106 107 107 108 109 109 110 111 111 Chapter 7 113 113 113 114 115 115 117 118 119 120 120 121 124 125 126 127 127 128 128 128 129 Modifying POSIX Permissions Setting File and Folder Flags Viewing Flags Modifying Flags Setting ACL Permissions Enabling ACL Modifying ACL Permissions Setting Global File Permissions Securing Your Home Folder Encrypting Home Folders Using FileVault Master Keychain Encrypting Portable Files Creating a New Encrypted Disk Image Creating an Encrypted Disk Image from Existing Data Creating Encrypted PDFs Securely Erasing Data Using Disk Utility to Securely Erase a Disk or Partition Using Command-Line Tools to Securely Erase Files Using Secure Empty Trash Using Disk Utility to Securely Erase Free Space Using Command-Line Tools to Securely Erase Free Space Securing Network Services Securing Apple Applications Securing Mail Securing Web Browsing Securing Instant Messaging Securing VPN Securing Firewall About Internet Sharing Enabling TCP Wrappers Securing SSH Enabling an SSH Connection Configuring a Key-Based SSH Connection Preventing Connections to Unauthorized Host Servers Using SSH as a Tunnel Securing Bonjour Securing Network Services Securing AFP Securing Windows Sharing Securing Personal Web Sharing Securing Remote Login Securing FTP Access 6 Contents 129 129 129 129 130 Chapter 8 131 131 131 132 132 133 134 135 135 137 137 138 138 139 139 140 140 140 141 141 142 142 142 142 143 143 143 143 144 144 144 145 145 145 145 146 Securing Apple Remote Desktop Securing Remote Apple Events Securing Printer Sharing Securing Xgrid Intrusion Detection Systems Validating System Integrity About Activity Analysis Tools Using Auditing Tools Configuring Log Files Configuring syslogd Local System Logging Remote System Logging About File Integrity Checking Tools About Antivirus Tools Security Checklist Installation Action Items Hardware and Core Mac OS X Action Items Account Configuration Action Items Securing System Software Action Items .Mac Preferences Action Items Accounts Preferences Action Items Appearance Preferences Action Items Bluetooth Preferences Action Items CDs & DVDs Preferences Actions Items Classic Preferences Action Items Dashboard and Exposé Preferences Action Items Date & Time Preferences Action Items Desktop & Screen Saver Preferences Action Items Dock Preferences Action Items Energy Saver Preferences Action Items Securing International Preferences Securing Keyboard & Mouse Preferences Network Preferences Action Items Print & Fax Preferences Action Items QuickTime Preferences Action Items Security Preferences Action Items Sharing Preferences Action Items Software Update Preferences Action Items Sound Preferences Action Items Speech Preferences Action Items Spotlight Preferences Action Items Appendix A Contents 7 146 146 146 148 Appendix B 149 149 149 150 151 151 152 152 155 167 Startup Disk Preferences Action Items Data Maintenance and Encryption Action Items Network Services Configuration Action Items System Integrity Validation Action Items Daily Best Practices Password Guidelines Creating Complex Passwords Using an Algorithm to Create a Complex Password Safely Storing Your Password Password Maintenance Email, Chat, and Other Online Communication Guidelines Computer Usage Guidelines Glossary Index 8 Contents This guide provides an overview of features in Mac OS X that can be used to enhance security, known as hardening your computer. This guide is designed to give instructions and recommendations for securing Mac OS X version 10.4 or later, and for maintaining a secure computer. Target Audience This guide is for users of Mac OS X version 10.4 or later. If you're using this guide, you should be an experienced Mac OS X user, be familiar with the Mac OS X user interface, and have at least some experience using the Terminal application's command-line interface. You should also be familiar with basic networking concepts. Some instructions in this guide are complex, and deviation could result in serious adverse effects on the computer and its security. These instructions should only be used by experienced Mac OS X users, and should be followed by thorough testing. What's New in Mac OS X Version 10.4 Mac OS X version 10.4 offers the following major security enhancements:  Access control lists. Provide flexible file system permissions that are fully compatible with Windows Server 2003 Active Directory environments and Windows XP clients.  Secure instant messaging. Your private, secure iChat Server, based on Jabber XMPP protocol, integrates with Open Directory for user accounts and authentication.  Software update server. By enabling the new Apple Software Update Server, administrators can control which updates their users can access and when.  Certificate management. Certificate Assistant is an easy-to-use utility that helps you request, issue, and manage certificates.  Smart cards as keychains. Use a smart card to authenticate to your system or Keychain. Preface 9 About This Guide  Secure erase. Secure erase follows the U.S. Department of Defense standard for the sanitation fro magnetic media.  VPN service is now Kerberized. Use Kerberos-based authentication for single sign-on to a VPN network.  Firewall enhanced. The firewall service has been enhanced to use the reliable open source IPFW2 software.  Antivirus and antispam. New adaptive junk mail filtering using SpamAssassin and virus detection and quarantine using ClamAV. What's in This Guide This guide can assist you in securing a client computer. It does not provide information about securing servers. For help with securing computers running Mac OS X Server version 10.4. or later, see Mac OS X Server Security Configuration. This guide includes the following chapters, arranged in the order that you're likely to need them when securely configuring your computer:  Chapter 1, "Introducing Mac OS X Security Architecture," explains the infrastructure of Mac OS X. It also discusses the different layers of security within Mac OS X.  Chapter 2, "Installing Mac OS X," describes how to securely install Mac OS X. The chapter also discusses how to securely install software updates and explains permissions and how to repair them.  Chapter 3, "Protecting Hardware and Securing Global System Settings," explains how to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect all users of the computer.  Chapter 4, "Securing Accounts," describes the types of user accounts and how to securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication.  Chapter 5, "Securing System Preferences," describes recommended settings to secure all Mac OS X system preferences.  Chapter 6, "Securing Data and Using Encryption," describes how to encrypt your data and how to use secure erase to ensure old data is completely removed.  Chapter 7, "Securing Network Services," describes how to protect the computer by securely configuring network services.  Chapter 8, "Validating System Integrity," describes how to use security audits to validate the integrity of your computer and data.  Appendix A, "Security Checklist," ...