Mac OS X Security Configuration - Apple OS X Security Configuration For Mac OS X Version 10.6 Snow Leopard. K ... iPhoto, iSight, iTunes, Keychain, Mac, MacBook, MacBook Air, Macintosh,

  • View
    221

  • Download
    3

Embed Size (px)

Text of Mac OS X Security Configuration - Apple OS X Security Configuration For Mac OS X Version 10.6 Snow...

  • Mac OS XSecurity Configuration

    For Mac OS X Version 10.6 Snow Leopard

  • K

    Apple Inc. 2010 Apple Inc. All rights reserved.

    The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

    Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

    Apple1 Infinite LoopCupertino, CA 95014408-996-1010www.apple.com

    The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

    Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Back to My Mac, Bonjour, Boot Camp, ColorSync, Expos, FileVault, FireWire, iCal, iChat, iMac, iPhoto, iSight, iTunes, Keychain, Mac, MacBook, MacBook Air, Macintosh, Mac OS, QuickTime, Safari, Snow Leopard, Spaces, Spotlight, Tiger, Time Machine, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

    Apple Remote Desktop, Finder, and QuickTime Broadcaster are trademarks of Apple Inc.

    MobileMe is a service mark of Apple Inc.

    Adobe and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

    The Bluetooth word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

    Intel, Intel Core, and Xeon are trademarks of Intel Corp. in the U.S. and other countries.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

    UNIX is a registered trademark of The Open Group.

    X Window System is a trademark of the Massachusetts Institute of Technology.

    This product includes software developed by the University of California, Berkeley, FreeBSD, Inc., The NetBSD Foundation, Inc., and their respective contributors.

    Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

    019-1828/2010-05

  • 3

    1

    Contents

    Preface 11 About This Guide11

    Audience

    11

    Whats in This Guide

    12

    Using This Guide

    13

    Using the Command-Line Instructions from This Guide

    13

    Using Onscreen Help

    13

    Mac Help

    13

    Related Snow Leopard Server Security Guide

    14

    Viewing PDF Guides on Screen

    14

    Printing PDF Guides

    14

    Getting Documentation Updates

    15

    Getting Additional Information

    16

    Acknowledgments

    Chapter 1 17 Introduction to Mac OS X Security Architecture18

    Security Architectural Overview

    18

    UNIX Infrastructure

    18

    Access Permissions

    19

    Security Framework

    20

    Layered Security Defense

    20

    Network Security

    21

    Credential Management

    21

    Public Key Infrastructure (PKI)

    22

    Whats New in Snow Leopard v10.6

    22

    Existing Security Features in Snow Leopard

    23

    Signed Applications

    23

    Mandatory Access Controls

    24

    Sandboxing

    24

    Managed User Accounts

    25

    Enhanced Quarantining

    26

    Application-Based and IP Firewalls

    26

    Memory and Runtime Protection

    27

    Securing Sharing and Collaborative Services

  • 4

    Contents

    27

    Service Access Control Lists

    27

    VPN Compatibility and Integration

    27

    Improved Cryptography

    28

    Extended Validation Certificates

    28

    Wildcard in Identity Preferences

    28

    Enhanced Command-Line Tools

    28

    FileVault and Encrypted Storage

    29

    Enhanced Encrypted Disk Image Cryptography

    29

    Smart Card Support for Unlocking Encrypted Storage

    30

    Enhanced Safari 4.0 Security

    Chapter 2 31 Installing Mac OS X31

    System Installation Overview

    31

    Installing from DVD

    32

    Installing from the Network

    33

    Restoring from Preconfigured Disk Images

    33

    Initial System Setup

    33

    Using Setup Assistant

    34

    Creating Initial System Accounts

    35

    Setting Correct Time Settings

    35

    Turning Off Auto-login

    35

    Updating System Software

    36

    Updating from an Internal Software Update Server

    37

    Updating from Internet Software Update Servers

    38

    Updating Manually from Installer Packages

    40

    Verifying the Integrity of Software

    40

    Repairing Disk Permissions

    41

    POSIX Permissions Overview

    41

    ACL Permissions Overview

    41

    Using Disk Utility to Repair Disk Permissions

    Chapter 3 43 Securing System Hardware43

    Protecting Hardware

    44

    Preventing Wireless Eavesdropping

    45

    Understanding Wireless Security Challenges

    45

    About OS Components

    45

    Removing Wi-Fi Support Software

    46

    Removing Bluetooth Support Software

    47

    Removing IR Support Software

    48

    Preventing Unauthorized Recording

    48

    Removing Audio Support Software

    49

    Removing Video Recording Support Software

    51

    Preventing Data Port Access

  • Contents

    5

    51

    Removing USB Support Software

    52

    Removing FireWire Support Software

    53

    System Hardware Modifications

    Chapter 4 54 Securing Global System Settings54

    Securing System Startup

    55

    Protecting Intel-Based Mac Systems

    55

    Using the Firmware Password Utility

    56

    Using Command-Line Tools for Secure Startup

    57

    Configuring Access Warnings

    57

    Enabling Access Warnings for the Login Window

    58

    Understanding the AuthPlugin Architecture

    59

    Using the BannerSample Project

    60

    Enabling Access Warnings for the Command Line

    61

    Turning On File Extensions

    Chapter 5 62 Securing System Preferences62

    System Preferences Overview

    64

    Securing MobileMe Preferences

    67

    Securing Accounts Preferences

    70

    Securing Appearance Preferences

    72

    Securing Bluetooth Preferences

    73

    Securing CDs & DVDs Preferences

    75

    Securing Date & Time Preferences

    77

    Securing Desktop & Screen Saver Preferences

    79

    Securing Display Preferences

    79

    Securing Dock Preferences

    80

    Securing Energy Saver Preferences

    83

    Securing Expos & Spaces Preferences

    84

    Securing Language & Text Preferences

    84

    Securing Keyboard Preferences

    84

    Securing Mouse Preferences

    85

    Securing Network Preferences

    87

    Network Access Control (802.1X)

    88

    User Profile

    88

    Login Window Profile

    88

    System Profile

    89

    System Profile Plus Login Window Profile

    89

    About Certificates in an 802.1X Environment

    90

    Extensible Authentication Protocol (EAP) Methods

    91

    Connecting to a 802.1X Network

    93

    Securing Managed User Accounts Preferences

    96

    Securing Print & Fax Preferences

  • 6

    Contents

    99

    Securing Security Preferences

    99

    General Security

    100

    FileVault Security

    101

    Firewall Security

    104

    Securing System Swap and Hibernation Storage

    105

    Securing Sharing Preferences107 Securing Software Update Preferences109 Securing Sound Preferences110 Securing Speech Preferences111 Securing Spotlight Preferences114 Securing Startup Disk Preferences115 Securing Time Machine Preferences117 Securing Universal Access Preferences

    Chapter 6 118 Securing Accounts118 Types of User Accounts119 Guidelines for Creating Accounts119 Defining User IDs120 Securing the Guest Account121 Securing Nonadministrator Accounts121 Controlling Local Accounts with Parental Controls124 Securing External Accounts124 Protecting Data on External Volumes124 Securing Directory-Based Accounts124 Securing Administrator Accounts125 Securing the System Administrator Account127 Understanding Directory Domains128 Understanding Network Services, Authentication, and Contacts129 Configuring LDAPv3 Access129 Configuring Active Directory Access130 Using Strong Authentication130 Using Password Assistant to Generate or Analyze Passwords131 Using Kerberos132 Using Smart Cards133 Using Tokens133 Using Biometrics134 Setting Global Password Policies134 Storing Credentials135 Using the Default User Keychain136 Creating Additional Keychains137 Securing Keychains and Their Items138 Using Smart Cards as Keychains139 Using Portable and Network-Based Keychains

  • Contents 7

    140 About Certificates140 Creating a Self-Signed Certificate141 Adding Certificates to a Keychain

    Chapter 7 143 Securing Data and Using Encryption143 Understanding Permissions144 Setting POSIX Permissions144 Viewing POSIX Permissions145 Interpreting POSIX Permissions146 Modifying POSIX Permissions146 Setting File and Folder Flags146 Viewing Flags146 Modifying Flags147 Se