Secure your Snow Leopard
Benjamin Stanley, Apple Certified Trainer

Agenda: structure of the OS; safer browsing; System Preferences that help with security; managed preferences from a server; Keychain; hardware security; anti-virus; and a little about mobile.

Mac OS X Structure
Layer diagram (labels recovered from the slide): User Experience (Aqua, Dashboard, Spotlight, Accessibility); Application Frameworks (Cocoa, Carbon, Java); Graphics and Media (Core Animation, Core Image, Core Video, QuickTime, OpenGL, Quartz, Core Audio); Darwin.
- It helps to understand a little of how the system is structured.
- Darwin is the open-source kernel, with the user-facing layers on top.
- The separation between the core OS and application space gives us some security.

Mac OS X Structure
- In the file system, users' items and system items are kept separate.
- Users only have access to their own things; administrator rights are needed for /Library and /System.

Mac OS X Structure
- There are actually more items than shown. Mac OS X has two ways to hide files: start the name with a full stop, or set the file's hidden flag, which is done from the Terminal with the chflags command.
- .DS_Store (Desktop Services Store) holds folder settings; .Trashes holds trashed items!
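As an added example (not part of the talk), the following Python script lists the items in a folder that the Finder would not show, and says which of the two hiding mechanisms is responsible for each: a leading full stop in the name, or the hidden file flag that chflags sets (stat.UF_HIDDEN). On systems without BSD file flags the second check simply reports nothing.

```python
"""List items a Finder user would not see, with the reason each is hidden.
Added example; not code from the talk."""
import os
import stat
from pathlib import Path

# stat.UF_HIDDEN is the BSD file flag that `chflags hidden` sets on Mac OS X.
# Other platforms expose no st_flags, so a missing attribute counts as "no flags".
UF_HIDDEN = getattr(stat, "UF_HIDDEN", 0x8000)


def is_dot_hidden(path: Path) -> bool:
    """First mechanism: the name starts with a full stop (.DS_Store, .Trashes, ...)."""
    return path.name.startswith(".")


def is_flag_hidden(path: Path) -> bool:
    """Second mechanism: the hidden file flag set with `chflags hidden`."""
    st = path.lstat()  # lstat so a hidden symlink is reported, not its target
    return bool(getattr(st, "st_flags", 0) & UF_HIDDEN)


def hidden_items(folder) -> dict:
    """Map the name of each hidden item in `folder` to the reason(s) it is hidden."""
    result = {}
    for entry in sorted(Path(folder).iterdir()):
        reasons = []
        if is_dot_hidden(entry):
            reasons.append("dot")
        if is_flag_hidden(entry):
            reasons.append("chflags")
        if reasons:
            result[entry.name] = reasons
    return result


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else Path.home()
    for name, why in hidden_items(target).items():
        print(f"{name}: hidden by {', '.join(why)}")
```

Run it against a home folder to see the .DS_Store and other dot-items the Finder hides; run it against a folder where chflags hidden has been used and the second reason appears.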

Mac OS X Structure: account types
- System Administrator (root), Administrator (sudo), Standard, Guest, Sharing.
- Root cannot log in by default; use Directory Utility to enable and disable the root user.
- sudo lets an admin user act as root for a short while (5 minutes).
- Standard users see locked items.
- Guest login must be enabled; the guest home folder is deleted at logout.
- Sharing users are for remote access only: no home folder, so no login.

Mac OS X Structure: Login Options
Look at Login Options: 1. Auto Login; 2. Login Window display; 3. Join a directory.

Mac OS X Structure: directories
- Directory types: local, or connected (Open Directory, Active Directory, eDirectory).
- We need to think about where our users are located.
- There is always a local datastore for local users.
- Open Directory is Apple's name for all directory services.
- We can connect to another directory: AD, OD, eDirectory, or any LDAP data source.

Mac OS X Structure: binding to AD
- If we are binding to AD for authentication, we use Directory Utility or the Accounts System Preference.
- Where is the home folder located? Mobile accounts can cause sync issues; it is best to keep home folders local and sync at logout.

Mac OS X Structure: users on AD
- The ideal set-up is to leave users on AD and manage permissions through OD.
- Today we will focus on local settings; things are very similar when connected to OD.

Safer Browsing
- Safari 5 is an ultra-modern web browser: HTML5, CSS3.
- It uses WebKit (Apple invented), which is also used by Google Android, Nokia Series 60, Palm webOS and Google Chrome.
- Anti-phishing and malware technology.

Safer Browsing
- Let's have a look at Safari Preferences.
- "Open safe files after downloading": turn it off?
- Safari supports the Windows Attachment Monitor to notify AV software that a file has been downloaded, which can prompt a scan of the downloaded file!

Safer Browsing
- All downloads are tagged so Mac OS X knows where the files were obtained from: the website, time and date. Just Get Info on a downloaded file to see this.
- Phishing websites are detected and a warning is displayed.

Safer Browsing
- Cookies should be set to be accepted only from the current domain.
- Some people object to being tracked and so disable cookies completely. Setting this to Never may cause issues with the VLE or school management tools.

Safer Browsing
- You may be surprised to see how many sites use cookies to store user information, and how long they are kept as a record of your browsing history. Of course the Remove button will tidy this list up.
- Cookies are stored in the user's Library folder, in a folder called Cookies, as a property list file: ~/Library/Cookies/Cookies.plist
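The cookie list can be audited outside Safari as well. The script below is an added example, not part of the talk: it parses a Cookies.plist with Python's plistlib, counts cookies per domain, and flags the ones set to persist for years, which are the long-term browsing records the slide warns about. The plist layout (an array of dictionaries with Domain, Name, Path and Expires keys) is assumed from Safari 5 cookie files, and the sample data is constructed.

```python
"""Audit a Safari Cookies.plist: cookies per domain and long-lived cookies.
Added example, not from the talk. Layout of the plist is assumed; sample is constructed."""
import plistlib
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in the assumed Safari 5 layout (array of cookie dicts).
SAMPLE_COOKIES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Domain</key><string>.example-vle.test</string>
    <key>Name</key><string>session</string>
    <key>Path</key><string>/</string>
    <key>Expires</key><date>2011-01-15T09:00:00Z</date>
  </dict>
  <dict>
    <key>Domain</key><string>.tracker.test</string>
    <key>Name</key><string>uid</string>
    <key>Path</key><string>/</string>
    <key>Expires</key><date>2030-12-31T00:00:00Z</date>
  </dict>
  <dict>
    <key>Domain</key><string>.tracker.test</string>
    <key>Name</key><string>visits</string>
    <key>Path</key><string>/</string>
    <key>Expires</key><date>2025-06-01T00:00:00Z</date>
  </dict>
</array>
</plist>
"""


def load_cookies(data: bytes) -> list:
    """Parse plist bytes into the list of cookie dictionaries."""
    return plistlib.loads(data)


def cookies_by_domain(cookies) -> dict:
    """Count cookies per domain: the same list Safari's Show Cookies sheet displays."""
    counts = defaultdict(int)
    for cookie in cookies:
        counts[cookie["Domain"]] += 1
    return dict(counts)


def long_lived(cookies, now=None, years=5) -> list:
    """(domain, name) of cookies that outlive `now` by more than `years`.
    plistlib returns naive datetimes in UTC, so attach UTC before comparing."""
    now = now or datetime.now(timezone.utc)
    out = []
    for cookie in cookies:
        expires = cookie["Expires"]
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if (expires - now).days > years * 365:
            out.append((cookie["Domain"], cookie["Name"]))
    return out


if __name__ == "__main__":
    # Read the real file if present, otherwise demonstrate on the constructed sample.
    real = Path.home() / "Library" / "Cookies" / "Cookies.plist"
    data = real.read_bytes() if real.exists() else SAMPLE_COOKIES_PLIST
    cookies = load_cookies(data)
    for domain, n in sorted(cookies_by_domain(cookies).items()):
        print(f"{domain}: {n} cookie(s)")
    for domain, name in long_lived(cookies):
        print(f"long-lived: {domain} {name}")
```

Cookies whose domain is not one the school relies on (the VLE, management tools) and whose expiry is years away are the candidates for the Remove button; the VLE session cookie, by contrast, expires within months and is left alone.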

Safer Browsing
- Cookies and other browsing information can be cleared by choosing Reset Safari from the Safari application menu. Choose what to reset, then click Reset.

System Preferences
We are going to look at: Security; Parental Controls (local managed prefs); Sharing; Spotlight; hiding System Preferences.

Security
(Lock screen, Parental Controls, Managed Preferences)
Security preferences: require a password; disable auto login; log out after x minutes (this is a problem with unsaved documents; demo on the next slide).

Security
- Bit of an issue if documents are not saved or closed when the automatic logout happens. User education is needed.

Security
- FileVault is for securing home folders: strong 256-bit AES (Advanced Encryption Standard) encryption.
- A master password must be set as a safety net in case a user forgets their password.

Security
- Firewall: application level, easy for users, a fairly automatic process. When opening an app that needs network access the user is asked to allow or deny.
- Enabling Stealth Mode stops ICMP (Internet Control Message Protocol) responses.

Parental Controls
- Think of these as local managed preferences.
- We can choose which applications and which hardware the user has access to.
- Simple Finder is useful and secure, but will quickly get in the way for advanced users.

Parental Controls
- Content filtering for the dictionary and the web.
- Websites can be specified on an allow list and a deny list.

Sharing
- Mac OS X can share all sorts of things: hardware, connections, files, services, the host itself. It is a good idea to turn off what isn't required.
- Restrict access to certain users or groups for the services you do enable.

Sharing, for example
- Remote Login gives command-line access to the machine over the network using SSH; we should restrict this to admin users only.

Sharing
- Selecting File Sharing turns on AFP. Notice that all local users' Public folders are shared read-only (a Drop Box inside each allows write only).
- To share via SMB, turn it on and enter the password! It is stored as NTLMv2 for Windows users.

Spotlight Privacy
- Spotlight is our searching and indexing service. It indexes everything: file names, contents, all metadata.
- Choose what is shown in the results list, and control what isn't included in the Spotlight index.
- It might be worth adding USB sticks with confidential data to the privacy list so they are never indexed.
- The index is stored in .Spotlight-V100 at the root of the volume.

Software Update
- Software updates from Apple for the OS and Apple software. You may want to disable automatic checking and deploy manually.
- All updates are now delivered with a certificate.
- Run your own Software Update server to mirror the updates.
- Security updates are delivered as required, with no fixed release schedule (there is no "Patch Tuesday").

Network
- It is a good idea to disable network ports that are not needed. Just select the port and choose Make Service Inactive from the Action menu.

Hide System Prefs
- Options: lock them (the icon is grey if managed), or move the pane out of /System/Library/PreferencePanes to hide it.
- We know we can lock System Preferences, and through managed preferences we can deny access, but it may be better to hide them.
- Take Accounts for example: if we trash Accounts.prefPane from /System/Library/PreferencePanes it disappears! But that removes rather than hides it, which is not the best way.
- Bit silly to do that, so it would be better to move it to /Users/LocalAdminUser/Library/PreferencePanes so only that user can access it.

Managing Preferences
- Server-side preference management gives more control over who can do what.
- Control from a central location: a Mac OS X Server.

Managing Preferences
- Here's what we have: lots of things to control, at various levels (user, workgroup, computer and computer group).

Managing Preferences: managed Finder preferences
- Control what users can access and what is shown on the desktop. Simple Finder gives minimal access.

Managing Preferences: managed Finder commands
- Commands that give access to other things can be deactivated.

Managing Preferences: managed Media Access preferences
- Select which physical and virtual storage can be used. Block USB stick access, or set it to require authentication.

Managing Preferences: managed System Preferences preferences
- Hide System Preferences from view; sensible.

Keychain

Keychain
- Stores passwords and other information securely.
- login.keychain is locked with the same password as the user's account and unlocks at login.
- Keychain Access is the program to look after the keychain.
- Any time the user clicks Remember Password, the password is stored in the keychain.

Keychain
- Keychain Access preferences allow us to lock the screen. This is like turning on a screen saver and asking for a password on wake.

Secure Erase & Format
- Empty Trash from the Finder menu; Secure Empty Trash does something like a 7-pass erase.
- Disk Utility can be used to erase free space, with a 7-pass or 35-pass erase!
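To show what a multi-pass erase actually does to a file, here is an added example (not the talk's code, and not how Secure Empty Trash is implemented, only the idea behind it): each pass overwrites every block of the file with a pattern and forces it to disk, and only then is the file unlinked. The three-pass scheme (zeros, ones, random) is a constructed choice; the 7- and 35-pass options in Disk Utility follow the same principle with more passes. One caveat a practitioner should keep in mind: on SSDs and on file systems that relocate or snapshot blocks, overwriting in place may never touch the blocks that held the data, so whole-volume encryption (FileVault) is the more dependable protection there.

```python
"""Multi-pass overwrite before deletion, the idea behind a 7- or 35-pass erase.
Added example, not code from the talk or from Mac OS X."""
import os

# Constructed 3-pass scheme: all zeros, all ones, then random bytes.
# Disk Utility's 7- and 35-pass erases apply the same idea with more patterns.
PASSES = (b"\x00", b"\xff", None)  # None means "fill with os.urandom"


def overwrite_passes(path, passes=PASSES, chunk=1 << 16) -> int:
    """Overwrite `path` in place once per pattern and return the number of passes.
    The file keeps its size; every pass is fsync'd so the blocks really reach disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not let the next pass start from the cache
    return len(passes)


def secure_delete(path, passes=PASSES) -> bool:
    """Overwrite then unlink; True when the file no longer exists."""
    overwrite_passes(path, passes)
    os.remove(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    import sys

    for name in sys.argv[1:]:
        print(name, "erased" if secure_delete(name) else "still present")
```

The function returns counts and booleans rather than printing so that the behaviour can be checked: after an overwrite the file is the same length but its contents are the last pattern written, and after secure_delete the path is gone.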

Securing the Hardware
- Firmware password: set from the Firmware Password Utility on the Snow Leopard DVD, via a DeployStudio script (post-image task), or through Apple Remote Desktop. See Knowledge Base article HT1352.
- Once set, the machine requests the password if any keys are held down at startup.
http://support.apple.com/kb/ht1352
http://developer.apple.com/samplecode/applyfirmwarepassword/

Securing the Hardware
- All Macs (except the MacBook Air and the new Mac mini) have a Kensington-compatible lock slot.
- The Mac Pro has a side-panel lock to restrict internal access.

Anti-virus or not?
With any virus, a glass of whisky or lemon and honey often helps!

Anti-virus or not?
- Malware, Trojan or virus: RSPlug-F, iWorks-A, Leap-A.
- The current level of risk is minimal, arguably negligible, but real. Malware is in existence and can do some nasty stuff.
- Remember that system and user are separate: anything that asks for admin rights should be treated with respect.
- RSPlug-F changes DNS settings. Leap-A (OompaLoompa!) is an application dressed up as an image; it has no effect on a standard user account.
- We should be nice to the other computer users on our network: our Mac could be a gateway in from a USB stick.
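Because RSPlug-F works by changing the DNS settings, a cheap detection is to compare the resolvers the Mac is actually using against the ones the network should hand out. The script below is an added example, not part of the talk: it parses resolv.conf-style text and reports any nameserver that is not on the approved list. The approved list and the sample configuration are constructed; on Mac OS X the live resolver list can also be read with `scutil --dns`, whose output has a different layout and is not parsed here.

```python
"""Flag DNS resolvers that are not the ones our network should be using.
Added example, not code from the talk; expected servers and sample data are constructed."""
import ipaddress
import re

# Constructed: the resolvers the school network hands out via DHCP.
EXPECTED_DNS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample in resolv.conf format; the second entry is the kind of
# out-of-network resolver a DNS-changing trojan would leave behind.
SAMPLE_RESOLV_CONF = """\
# Generated by configd
domain school.test
nameserver 10.0.0.53
nameserver 203.0.113.66
"""

NAMESERVER_RE = re.compile(r"nameserver\s+(\S+)$")


def parse_nameservers(text: str) -> list:
    """Return the nameserver addresses in resolv.conf text, in order, normalised."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        match = NAMESERVER_RE.match(line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # malformed entry: skip rather than trust it
    return servers


def unexpected_nameservers(text: str, expected=EXPECTED_DNS) -> list:
    """Resolvers in `text` that are not on the approved list."""
    return [s for s in parse_nameservers(text) if s not in expected]


def check_file(path="/etc/resolv.conf", expected=EXPECTED_DNS) -> list:
    """Run the same check against a resolver file on disk."""
    with open(path, encoding="utf-8") as f:
        return unexpected_nameservers(f.read(), expected)


if __name__ == "__main__":
    bad = unexpected_nameservers(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", ", ".join(bad) if bad else "none")
```

A non-empty result is not proof of infection (a user may have set a public resolver by hand), but it is exactly the change RSPlug-F makes, so it is worth a look at the Network preference pane and at who has admin rights on that machine.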

Anti-virus or not? Solutions available
- Intego VirusBarrier; McAfee VirusScan for Mac; Norton for Mac 11; ClamXav (free, open-source); Sophos.
- Whatever you choose, keep it up to date.

Anti-virus or not?
- Sophos have an iPhone app to show current threats, free from the App Store.
- Anti-virus conclusion: minimal threat, but run something just in case to protect your network. It is a good idea to run something server-side.

Mobile Security
- Snow Leopard has been our main topic today, but think about security on mobile devices as their use becomes more widespread.

Mobile Security
- iPod and iPad can be secured. Restrictions can be put in place for all iOS devices, with the restrictions hidden behind a passcode.
- Viruses are even less of an issue, as all apps are checked.

Training
- Apple Authorised Training Centre: RM have a national training provider with NTI, an Authorised Apple Training Centre delivering accredited, certified Apple courses.
- Snow 101 for client, Snow 201 for server; 301, 302 and 303 for Deployment, Directory, and Security & Mobility.

Thank you. Any questions?
Benjamin Stanley, ben@trilby.co.uk

We've covered a lot today: structure of the OS, safer browsing, System Preferences that help with security, managed prefs from a server, Keychain, hardware security, AV, and a little about mobile. Any questions?