Friday, July 19, 2013

Guidelines for Securing Operating System Part 3 - Macintosh

Hey all my dear readers! I hope you all are doing great :) The last two posted were quite Interesting right? Let's continue with the flow and let me bring the Part 3 to that Guidelines Post, the last one in this series of 3 posts.

Please note: This Post is quite Specific to Mac OS X

Enabling and Locking down the Login Window

The following steps would help secure login screen by disabling the auto-login feature. It is a good practice to disable it and enter password whenever you wish to access your PC.
  • Click Apple Menu -> System Preferences -> Accounts -> Login Options -> Display Login Window As -> Name and Password
  • Uncheck Automatically login and:
  • Check Hide the Sleep, Restart, and Shutdown buttons
  • Uncheck Enable fast users switching, if not used

Configure Accounts Preferences

The following steps will help you change your Account password. It is a good practice to regularly change passwords.
  • From the Apple menu, choose System Preferences. From the View menu, choose Accounts and select the user name whose password you want to change.
  • Click Reset Password(Mac OS X v10.3/v10.4) or Change Password(Mac OS X 10.5+).
  • Enter a new Password in both the Password and Verify fields. Click Reset/Change Password again.
  • If a dialogue box appears with a message Your Keychain password password will be changed to your new account password, click OK.

Creating Accounts

Always make sure that an account is not shared by several users. Try and make separate accounts for separate users. This makes the things private for each user, i.e. their Home Directories stay private and hidden from each other. Individual accounts thus maintain accountability. Administrator users should use their administrator accounts ONLY for administrative purposes.

Secure the Guest Account

Guest Account should be used only for temporary access to the system. The guest account should be disabled by default as it does not require a password to login to the computer. If the guest account is enabled, enable the Parental Controls to limit what the users can do. If the user permits the guest account to access the shared folders, then an attacker can easily attempt to access shared folders without a password.

Controlling Local Accounts with Parental Controls

  • Open the System Preferences and click Accounts
  • If the lock icon is locked, click the lock icon and enter the Administrator name and password.
  • Select the user account to be managed with parental controls and check the Enable Parental Controls box.
  • Click Open Parental Controls..., click System, Content, Mails & other messages, Time Limits, and the number of logs and the set the values as required.

Use Keychain Settings

A keychain stores passwords on a disk in an encrypted form and it is difficult for non-root user to sniff a password between applications.

  • Click Applications -> Utilities -> Keychain Access -> Edit -> Change Settings for keychain "login"
  • Check lock after, change minutes of inactivity to desired minutes, check Lock when sleeping, and click Save.

Use Apple Software Update

Mac OS X includes an automatic software update tool to patch the majority of Apple Applications. You might think of it being similar to the familiar Windows Update, or Microsoft Update to be precise. Software Update often includes important security updates, which should be applied to the user's machine. To navigate the software update:

  • Open software update preferences and click the Scheduled Check pane.
  • Check download important updates automatically and Check for updates.

Securing Date and Time preferences

Open Date & Time preferences. In the Date & Time pane, enter a secure and trusted NTP server in the set Date & Time automatically field. Click Time Zone button -> Choose a Time Zone.

Securing Network Preferences

It is recommended to disable unused Hardware devices listed in Network Preferences.

  • Open Network Preferences. From the list of Hardware devices, select the hardware device that connects the network.
  • From the Configure pop-up menu, choose Manually.
  • Enter the user's static IP Address, subnet mask, router, DNS server, and search domain configuration settings.
  • Click Advanced. In the configure IPv6 pop-up menu, choose Off and then click OK.

Enable Screen Saver Password

To prevent unauthorized access to the system, enable screen saver password.

  • From the Apple menu, select System Preferences, click Security, and click the Lock icon to make changes.
  • If prompted, type the admin user name and password
  • In the Security window, click the General tab and check Require password to wake this computer from sleep or screen saver(Leopard) or Require password immediately after sleep or screen saver begins(Snow Leopard).
  • In addition to this, secure the system by selecting: Disable Automatic login, Require password to unlock each System Preference, Use secure Virtual Memory, Click the lock icon to prevent further changes.
  • Close the Security Window and restart your machine.

Set up FileVault to keep Home Folder Secure

Steps to setup File Vault:

  • Click System Preferences -> Security -> FileVault -> Set Master Password.
  • Create the master password for the Computer, but ensure that that this password is different from the user account password.
  • Verify the password and Click OK

Firewall Security

Firewall should be used to block unauthorized programs from accepting new network connections. To improve the firewall security:

  • Click System Preferences -> Security -> Firewall
  • Click the lock icon to make changes.
  • If prompted, type the admin user name and password.
  • By deafult, the firewall allows all incoming connections, change the option by clicking the second (Allow only essential services) or third option (Set access for specific services and applications).
  • Now choose which application(s) you want the firewall to allow and which to block.
  • Click the lock icon to prevent further changes and close the security Window

No comments:

Post a Comment

Kindly keep the comments clean and make quality comments that would be worthy in making this blog better! :)