Hardening OS X : Computer Security

Basic computer setup and security compiled for Mac OS X 10.3 (Panther) and 10.4 (Tiger)

I have assembled a much more thorough guide on my business site. If you are an OS X administrator or if you are simply interested in hardening your Mac computer, see osx_hardening.pdf available at www.FireProofSocks.com.

I spend a lot of time with computers... it's my job. Most of the time, people worry about patching up their Windows machines -- and for good reason! Brian Bondari has written up a nice guide for implementing a Secure Windows Setup, but the purpose of my page here is to list the steps for securing a Mac OS X computer, including commands for lab managers and network admins who have to manage a large number of these computers. In the last week, there have been 3 security exploits / viruses for OS X. No OS is completely secure! So it begins...

4 simple things you can do to protect their computer

  1. For everyday use, run as a limited user! I don't care if you rigged an election, aggressively invaded a foreign country, or slept with an intern -- you simply don't need to run as the Admin of your computer, no matter what OS you use! If you just bought your Apple computer, don't let their glitzy setup fool you! It'll ask for your name and and password, but this is to setup the Admin account, and it should be treated accordingly. After you've set up the Admin account, you can alwasy go back to System Preferences and add a standard account for everyday use. Trust me. You don't want the computer booting automatically into an account with full Admin priveleges. If nothing else it's far, far easier to find and backup all your files if you're running as a limited user; they will all be in your home directory. If you're Admin... who knows where you could have stashed them...

    What if you already set up your account, and whoops! It's an admin account? What do you do? In Mac OS X, changing this is really easy. I appreciate the ease of it because this same thing is a holy pain in the arse on Windows. I'm assuming you've got one account on your computer and it's an admin account. Go to the Apple Menu, System Preferences, and open up the Accounts panel. Click the (+) to add an account, and check the box to let that user "Administer this computer." You are temporarily creating a second admin account. Be sure you give it a good password and that you remember it! It's the ultimate in rookie computing to forget your admin password. Now, log out. Don't just do a fast user switch. Log out completely, then log into the new admin account you just created. Go back to System Preferences, Accounts, and find your original user. Uncheck the box for that account that allows it to administer the computer. Poof. You've now changed your regular account into a limited user account and you've created a new admin account that you'll hardly ever use. That's the point: only use the admin account when you absolutely need to.

  2. Turn ON your Firewall! It's under System Preferences --> Sharing. Microsoft got ridiculed for shipping Windows with this turned off, and Apple may be next in line for a kick to the groin. If you need to open a port for some service, that's always possible later, but TURN IT ON AND LEAVE IT ON.

  3. Turn ON Automatic updates! If you are the only person using your computer, and you are its administrator, you should turn this feature on by going to the Apple Menu, System Prefs, and find the Software Update panel. Check the box so this runs, preferably DAILY, if your internet connection can handle it.

  4. Turn OFF "Open 'Safe' Files After Downloading" The most recent security hole (as of this writing) exploits the fact that many people leave this checked. Go to Safari, Preferences, and on the General tab, uncheck this box. That will prevent any nasty code from auto-executing. This particular hole is not so much a problem if you are running as a limited user because the malicious code executes with the privileges of the user you are logged in as. A limited user can't do that much damage, but your computer can be completely hosed if you were dumb enough to be logged in as an admin.

  5. Block Pop-ups in Safari! Again, why the @#$& this isn't turned on by default, I don't know, but there's no reason to let those maggot-sucking advertisers ruin your browsing.