
This document is intended for Apple internal and channel audiences, and is for training purposes only.

OS X Mountain Lion
Technical Training:
Security
Apple Inc.
© 2013 Apple Inc. All rights reserved.
Apple, the Apple logo, AirPort, Bonjour,
FileVault, Finder, FireWire, Mac, MacBook,
MacBook Air, Mac OS, OS X, and Safari are
trademarks of Apple Inc., registered in the U.S.
and other countries. Apple Remote Desktop
and AirDrop are trademarks of Apple Inc.
The absence of an Apple product or service
name or logo from this page does not
constitute a waiver of Apple's trademark or
other intellectual property rights concerning
that name or logo.
Intel is a trademark of Intel Corp. in the U.S.
and other countries.
IOS is a trademark or registered trademark of
Cisco in the U.S. and other countries and is
used under license.
Java is a registered trademark of Oracle and/or
its affiliates.
UNIX is a registered trademark of The Open
Group.
OS X version 10.8 is an Open Brand UNIX 03
Registered Product.
Other company and product names
mentioned herein are trademarks of their
respective companies. Mention of third-party
products is for informational purposes only
and constitutes neither an endorsement nor a
recommendation. Apple assumes no
responsibility with regard to the performance
or use of these products. All understandings,
agreements, or warranties, if any, take place
directly between the vendors and the
prospective users. Every effort has been made
to ensure that the information in this
document is accurate. Apple is not responsible
for printing or clerical errors.
July 11, 2013
Table of Contents
Introduction 1
    About this series 1
    Security overview 1
    About this document 3
1 Device Security 4
    Securing the hardware 4
    Securing system startup 5
    Locking the device 6
2 Platform Security 9
    Protecting the system 9
    Securing system access 11
3 Data Security 42
    Encrypting data 42
    Securely erasing data 53
4 Network Security 57
    Securing Sharing preferences 57
    Making secure connections 76
    Exchanging data securely 78
Resources 88
    Security website 88
    Security configuration guides 88
    Security updates 88
    Technical white papers 88
    Support resources 88
© 2013 Apple Inc. Apple confidential: for internal and channel use only. iii
Introduction
About this series
This guide is one of a four-part series designed to help IT professionals who are evaluating and
deploying OS X on Mac computers in commercial and government organizations. The other
guides in the series are:
OS X Technical Training: Integration
OS X Technical Training: Deployment
OS X Technical Training: Management
Security overview
A security strategy is fundamentally about managing risk. In OS X, security is central to the
design of the operating system rather than an add-on. To enhance security on your computer,
OS X provides the following features:
Modern security architecture: OS X includes standards-based technologies that enable Apple
and third-party developers to build secure software for the Mac. These technologies cover the
system, data, and networking security required by today's applications.
Secure default settings: When you take your Mac out of the box, it's configured to meet the
needs of most common environments, so you don't need to be a security expert to set up your
computer. The default settings make it difficult for malicious software to infect your computer.
You can further configure security on the computer to meet organizational or user
requirements.
Innovative security applications: OS X includes features that take the worry out of using a
computer. For example, FileVault protects your documents with strong encryption, an
integrated VPN client gives you secure access to networks over the Internet, and the built-in
application firewall controls which applications may accept incoming network connections.
Open source foundation: OS X is built on open source components whose core code has been
subjected to peer review for decades. Problems can be quickly identified and fixed by Apple and
the larger open source community.
OS X Technical Training: Security
Layered security defense
OS X security is built on a layered defense. Security features such as the following protect data
at every level, from the operating system and applications to networks and the Internet.
Secure worldwide communication: The firewall and mail filtering help prevent malicious
software from compromising your computer.
Secure applications: Encrypted disk images and FileVault 2 help prevent intruders from
viewing data on your computer.
Secure network protocols: Secure Sockets Layer (SSL) and its successor Transport Layer
Security (TLS) help prevent intruders from viewing information exchanged across a network;
Kerberos secures the authentication process; and a firewall prevents unauthorized access to a
computer or network.
Security services: Authentication using keychains, together with Portable Operating System
Interface (POSIX) and access control list (ACL) permissions, helps prevent intruders from using
your applications and accessing your files.
Secure boot and lock down: The Firmware Password Utility helps prevent people with physical
access to your hardware from starting the Mac from another disk or in single-user mode to gain
root-level access to your files. It does not encrypt the disk, so combine it with FileVault 2 when
the data must stay protected even if the drive is removed.
About this document
This document organizes these layers and technologies into the following chapters:
Device security
This chapter focuses on techniques and technologies that protect the device itself, including:
Securing the hardware with the security slot
Securing system startup with an EFI firmware password
Locking the Mac with the User Portal and Profile Manager in OS X Server
Platform security
This chapter focuses on techniques and technologies that protect the operating system,
including:
Protecting the system: UNIX infrastructure, security framework, signed applications,
mandatory access controls, sandboxing, Gatekeeper, enhanced quarantining, memory and
runtime protection
Securing system access: Permissions, accounts, passwords, restrictions, certificates and
keychains, and system preferences
Data security
This chapter focuses on techniques and technologies that protect data stored at rest on the Mac,
including:
Encrypting data using cryptography, encrypted disk images, encrypted PDFs, encrypted Time
Machine backups, and FileVault
Securely erasing data using the Finder, Disk Utility, and the User Portal and Profile Manager in
OS X Server
Network security
This chapter focuses on techniques and technologies that protect the data transmitted between
devices, including:
Securing network access: Sharing services, Bonjour, AirDrop, firewalls, 802.1X
Making secure connections: SSL/TLS, VPN
Exchanging data securely: Mail, web, Messages
Important: This document is intended for use by security professionals in sensitive environments.
Techniques and settings in this document affect system functionality and may not be
appropriate for every user or environment.
1 Device Security
The first layer is device security. Device security refers to built-in features and technologies that
help protect the Mac hardware, including securing the hardware and system startup and locking
the device.
Securing the hardware
Perhaps the most fundamental level of security is protection from unwanted physical access.
Someone who can physically access your computer can compromise its security and install
malicious software, such as keystroke-logging or data-capturing services.
Use as many layers of physical protection as possible. Restrict access to rooms that contain
computers that store or access sensitive information. If possible, lock the computer in a locked or
secure container when it isn't in use, and bolt or fasten it to a wall or piece of furniture.
The hard disk is the most critical hardware component in your computer. Someone who removes
your hard disk and installs it in another computer can bypass the safeguards you set up unless the
volume is encrypted with FileVault 2. Lock or secure the computer's internal hardware.
If you have a portable computer, keep it secure. Consider buying a computer bag with a locking
mechanism and lock the computer in the bag when you aren't using it.
Security slot
Many of Apple's desktop and portable computers include a security slot, also known as a
Kensington Security Slot, a K-Slot, or Kensington lock. A keyed or combination lock attached to a
rubberized metal cable is inserted into the security slot. The end of the cable has a small loop so
you can wrap the cable around a stationary object, such as a heavy table, to secure the computer
in place.
Models with security slots: Mac Pro, MacBook Pro, iMac
Models without security slots: Mac mini, MacBook Air, MacBook Pro with Retina display
Securing system startup
Firmware passwords
All computers have firmware to control low-level hardware. A firmware password can be added
to the boot process so the computer refuses to start from anything but its designated startup
disk, which restricts access to the data stored on it. As with BIOS passwords, firmware passwords
on Mac computers are fairly simple to reset and don't provide any encryption of the boot volume.
EFI
Mac computers with Intel processors use Extensible Firmware Interface (EFI) to control low-level
hardware. EFI is the firmware layer on Intel-based Mac computers that links the hardware to the
operating system.
EFI controls which partition or disk OS X loads from and whether a user can enter single-user
mode. Single-user mode starts a root shell without logging in, which is dangerous because root is
the most powerful level of access and actions performed as root aren't attributed to any
individual user account. Setting an EFI password prevents users from entering single-user mode,
starting from unapproved partitions or disks, and entering target disk mode at startup.
Using the Firmware Password Utility
Intel-based computers can use the Firmware Password Utility to password-protect the hardware
layer. The OS X Recovery HD includes the Firmware Password Utility, which you can use to enable
an EFI password.
To use the Firmware Password Utility:
1. Restart your computer from the Recovery HD.
2. Choose Firmware Password Utility from the Utilities menu.
3. Click Turn On Firmware Password.
4. In the Password and Verify fields, enter a new EFI password and click OK.
5. Close the Firmware Password Utility.
You can test the setting by attempting to start up in single-user mode: restart the
computer while holding down Command-S. If the Mac ignores the key combination and starts
normally to the login window instead of a root shell, the firmware password is in effect.
After creating an EFI password, you must enter this password when you start the computer from
an alternate disk (in situations such as hard disk failure or file system repair).
WARNING: EFI settings are critical. Be careful when modifying EFI settings, and record the
firmware password in your organization's password escrow before enabling it: on newer Mac
computers a forgotten EFI password can only be cleared by Apple or an Apple Authorized Service
Provider.
Resetting and bypassing EFI passwords
EFI passwords shouldn't be considered a replacement for full disk encryption. On older systems
the stored password can be recovered, so an EFI password shouldn't be the same as any other
password in use in the environment (for example, a local administrator password).
This doesn't mean EFI passwords have no place in your organization's security plan. On those
older systems the password can also be set with the nvram command, but the algorithm that
stores it in NVRAM only obfuscates the password, and the stored form is easily reversed; that is
why the password is recoverable. On newer Intel-based Mac computers, the only way to bypass an
EFI password is to take the computer to an Apple Store or Apple Authorized Service Provider.
Locking the device
Profile Manager
Profile Manager is a service included with OS X Server that makes it easy for departments to
configure computers running OS X (v10.7 or later) and iOS devices so they're set up to use
company or school resources and have the settings the organization requires.
Profile Manager consists of three parts that work together so organizations can specify how
client computers are configured, how to manage devices, and how to deliver configurations to
users and devices.
Web-based administration tool
IT administrators can use the Profile Manager web app to configure settings for devices, manage
enrolled devices and device groups, and execute or monitor tasks on enrolled devices.
Self-service user portal
Profile Manager's user portal is an easy-to-use, secure website for distributing settings IT
administrators defined with the administration tool. Users connect to the web-based portal from
their device. After they log in, the settings that the IT administrators assigned to them are
available for download and installation. Users also use this site to enroll devices for Mobile Device
Management if the organization is using Profile Manager as an MDM server.
Mobile Device Management server
Profile Manager provides an MDM server so that IT administrators can remotely manage enrolled
computers running OS X Mountain Lion and iOS devices. After a device is enrolled with Profile
Manager, IT administrators can update the configuration over the network without user
interaction, as well as execute tasks such as reporting or locking and wiping the device.
For more information about enrolling devices with Profile Manager, see OS X Technical Training:
Management.
Locking a device with the User Portal
After you have enrolled a device with Profile Manager, the user responsible for it can perform
basic security tasks. The most basic is a remote lock, helpful when a device is misplaced or stolen.
To remotely lock a device with the User Portal:
1. Open a web browser and navigate to https://yourserver/profilemanager (where yourserver is
the name or IP address of your server running the Profile Manager service).
2. Authenticate as the user who enrolled the device.
The Devices tab shows enrolled devices.
3. Click Lock for the device you want to lock.
4. Enter a passcode when prompted.
When you lock a Mac with OS X (v10.7 or later), it immediately reboots to a PIN pad. Only the
PIN you created in the User Portal can unlock it.
Administrators can make sure the device is locked in Profile Manager.
Locking a device with Profile Manager
The Profile Manager portal lets administrators perform security tasks on remote devices.
To remotely lock a device with Profile Manager:
1. Open Server from the Applications folder.
2. Choose Profile Manager from the Services list.
3. Click Open Profile Manager in the lower-left corner of the Profile Manager area.
4. Authenticate with administrator credentials.
5. Choose Devices or Device Groups from the Library.
6. Choose the device or device group you want to lock.
7. Click the Action pop-up menu (the gear button) in the device or device group pane.
8. Choose Lock.
9. Enter a lock passcode that can be used to unlock the device.
10. Click Lock.
When you lock a Mac with OS X (v10.7 or later), it immediately reboots to a PIN pad. Only the
PIN you created in Profile Manager can unlock it.
11. Confirm that the lock has been completed in the Completed Tasks section of Profile
Manager.
2 Platform Security
The second layer is platform security. Platform security refers to built-in features and technologies
that help protect the operating system. This section describes how to protect the system and
secure access to the system.
Protecting the system
OS X security services are built on two open source standards:
Berkeley Software Distribution (BSD) is a form of UNIX that provides fundamental services,
including the OS X file system and file access permissions.
Common Data Security Architecture (CDSA) provides an array of security services, including
more specific access permissions, authentication of user identities, encryption, and secure data
storage.
Many of the security features and technologies built into OS X work in the background, without
user intervention.
UNIX infrastructure
The OS X kernel, the heart of the operating system, is built from BSD and Mach. BSD provides
a user and group identification scheme and enforces access restrictions to files and system
resources based on user and group IDs. Mach controls access at the level of which tasks may
send messages to a Mach port. BSD security policies and Mach access permissions are an
essential part of security in OS X and are critical to enforcing local security.
Security framework
The security framework in OS X is an implementation of the Common Data Security
Architecture (CDSA). It contains an expandable set of cryptographic algorithms used for code
signing and encryption while keeping the cryptographic keys protected, and libraries for
interpreting X.509 certificates. The CDSA code is used by OS X features such as Keychain and
URL access to protect login data.
Signed applications
Applications shipped with OS X are signed by Apple so your Mac can verify the identity and
integrity of the apps. Third-party software developers can also sign their software for the Mac,
such as apps on the Mac App Store. Application signing integrates with several other features to
enhance security.
Features such as parental controls, managed preferences, Keychain, and the firewall use
application signing to make sure that the applications they work with are the correct, unmodified
versions.
With Keychain, signing dramatically reduces the number of Keychain dialogs presented to users
because the system can validate the integrity of applications that use Keychain. For parental
controls and managed preferences, the system uses signatures to verify that an application runs
unmodified.
The application firewall uses signatures to identify and verify the integrity of applications that are
granted network access. For parental controls and the firewall, unsigned applications are signed
by the system on an ad hoc basis to identify them and verify that they remain unmodified.
Mandatory access controls
OS X uses access control policies known as mandatory access controls. These policies enforce
security restrictions defined by the developer. Unlike discretionary access controls, mandatory
access controls can't be overridden by the file owner, or even by root.
Mandatory access controls in OS X arent visible; theyre the underlying technology that helps
enable several important features including sandboxing, and a safety net feature for Time
Machine.
Mandatory access controls are integrated with the exec system call to prevent the execution
of unauthorized applications. This is the basis for application controls in parental controls in OS X
and managed preferences in OS X Server.
In the case of sandboxing, mandatory access controls restrict access to system resources as
determined by a special sandboxing profile provided for each sandboxed application. This means
that even processes running as root can have extremely limited access to system resources.
Time Machine is a good example of the difference between mandatory access controls and the
user privilege model: files inside a Time Machine backup can be deleted only by programs related
to Time Machine. From the command line, no user, not even root, can delete files in a Time
Machine backup. Time Machine enforces this strict policy because its backups rely on file system
features in OS X (such as directory hard links) that generic tools don't understand; blocking those
tools from deleting backup files prevents corruption of the backup directory.
Sandboxing
Sandboxing helps ensure that applications do only what theyre intended to do by placing
controls on applications to restrict what files and networks they can access and whether the
applications can be used to start other applications.
Apps purchased from the Mac App Store are sandboxed. In OS X, many of the system's helper
programs that normally communicate with the network, such as mDNSResponder (Bonjour's
underlying software) and the Kerberos KDC, are sandboxed to guard against abuse by attackers
trying to access the system.
In addition, other programs that routinely take untrusted input (for instance, arbitrary files or
network connections), such as the Quick Look and Spotlight background daemons, are
sandboxed.
Enhanced quarantining
Applications that download files from the Internet or receive files from external sources (such as
mail attachments) can use the quarantine feature to provide a first line of defense against
malicious software such as Trojan horses. When an application receives an unknown file, it adds
metadata (quarantine attributes) to the file using functions found in Launch Services.
Files downloaded using Safari, Mail, and Messages are tagged with metadata indicating that they
are downloaded files, including the URL, date, and time of the download. This metadata is
propagated to any file extracted from a downloaded archive (such as a ZIP or DMG file), so the
extracted files carry the same information. Download Inspector uses this metadata to prevent
dangerous file types from being opened unexpectedly.
The first time you try to run an application that has been downloaded, Download Inspector
inspects the file, prompts you with a warning asking whether you want to run the application,
and displays the information on the date, time, and location of the download.
You can continue to open the application or cancel the attempt, which is appropriate if you dont
recognize or trust the application. The file and its contents are also inspected for malicious
software (malware). If malware is detected, a dialog appears with the name of the malware threat
contained in the file. It warns the user to move the file to the Trash or eject the image and delete
the source file to prevent damage to the computer. Malware patterns are continually updated
through software updates.
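Quarantine metadata is stored as the com.apple.quarantine extended attribute, whose value has the form flags;timestamp;agent;uuid (the timestamp is hexadecimal seconds since the Unix epoch). The following parser is an added example, not code from this training document or from Apple; the tag value, agent name and UUID in it are constructed, and read_quarantine assumes the xattr(1) tool is on the path.

```python
# Added example (not from the Apple training document): decode the
# com.apple.quarantine extended attribute that Launch Services stamps on
# downloaded files. SAMPLE_TAG is a constructed value, not a real download.
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass(frozen=True)
class QuarantineInfo:
    flags: int                 # raw flag word from the first field
    downloaded_at: datetime    # UTC time the file was downloaded
    agent: str                 # application that wrote the tag, e.g. Safari
    uuid: Optional[str]        # download record identifier, may be absent


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse 'flags;timestamp;agent;uuid'; flags and timestamp are hex."""
    parts = value.strip().split(";", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] or "unknown"
    uuid = parts[3] if len(parts) == 4 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the tag from a real file with xattr(1) (macOS only).
    Returns None when the file carries no tag or xattr is unavailable."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_quarantine(out)


def older_than(info: QuarantineInfo, days: int,
               now: Optional[datetime] = None) -> bool:
    """True if the download is more than `days` old; handy when sweeping a
    shared Downloads folder for stale quarantined files."""
    now = now or datetime.now(timezone.utc)
    return (now - info.downloaded_at).days > days


# Constructed sample tag: flags 0x0081, timestamp 0x51de8a00
# (2013-07-11 10:33:36 UTC), written by Safari.
SAMPLE_TAG = "0081;51de8a00;Safari;8B1E7C26-4F2D-4A1B-9C3E-0A2B4C6D8E0F"

if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_TAG)
    print(info)
    print("older than 30 days:", older_than(info, 30))
```

On a real Mac, xattr -p com.apple.quarantine file prints the same string the parser consumes, and xattr -d com.apple.quarantine file removes the tag (which is also what bypasses Download Inspector and Gatekeeper, so treat that as an administrative action, not a user convenience).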
Memory and runtime protection
OS X on 64-bit Intel processors supports memory and executable protection. These protections
prevent specific types of malicious software from exploiting memory allocation or execution
paths to make the processor execute injected code from a data area of a process.
OS X has the following 64-bit protection features: no-execute stack, no-execute data, and no-
execute heap. No-execute stack is available for 32- and 64-bit applications. For 64-bit processes,
OS X also prevents code execution from the heap.
OS X also has library randomization, which loads system libraries at addresses that shift each
time the system starts up. Because an attacker can't depend on key system code being at known
memory locations, exploits that rely on fixed addresses are harder to write.
OS X also has process sandboxing, which restricts what kinds of activities an application can
perform.
Gatekeeper
Gatekeeper is a feature in OS X Mountain Lion that works with the quarantine system and
application signatures to prevent applications from unknown sources from running. It assesses
an application the first time it is opened, and only if the file carries quarantine metadata. By
default, applications from the Mac App Store and applications signed with a Developer ID by
identified developers are allowed to run without warning. An unsigned application, or one from
an unidentified developer, won't run without intervention from the user. This additional layer of
notification prevents the casual use of untrusted applications.
Gatekeeper settings can be set in the Security & Privacy pane of System Preferences or in
configuration profiles. The assessment policy can also be inspected and managed from the
command line using the spctl tool.
Securing system access
In addition to the security services that run in the background, OS X also includes several features
and technologies that users can modify to enhance the security of the system. In this section,
you'll learn about ways to secure access to the system using permissions, passwords, restrictions,
and System Preferences.
Authorization versus authentication
Authorization is the process by which an entity, such as a user or a computer, obtains the right to
perform a restricted operation. Authorization can also refer to the right itself, as in Anne has the
authorization to run that program. Authorization usually involves authenticating the entity and
then determining whether it has the correct permissions.
Authentication is the process by which an entity (such as the user) demonstrates that they are
who they say they are. For example, the user enters a password that only he or she could know,
which allows the system to authenticate that user. Authentication is normally a step in the
authorization process. Some applications and operating system components perform their own
authentication. Authentication might use authorization services when necessary.
Understanding the AuthPlugin architecture
AuthPlugins (authorization plug-ins) control access to a service or application. Preinstalled
AuthPlugins for OS X are located in the /System/Library/CoreServices/SecurityAgentPlugins/
folder. The rights and rules that decide when these plug-ins run, and what a user must do to
obtain a right, are defined in the rights database, the /etc/authorization property list, which is
queried by the Security Server.
When an application requests an authorization right from the Security Server, the Security Server
looks the right up in /etc/authorization to determine how the user must authenticate.
If necessary, the Security Server requests user interaction through the Security Agent. The
Security Agent then prompts the user to authenticate through the use of a password, smart card,
or biometric reader. Then the Security Agent sends the authentication information back to the
Security Server, which passes it back to the application.
The following graphic shows the workflow of the Security Server:

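The lookup the Security Server performs against the rights database can be reproduced offline. The following is an added example, not code from this document or from Apple: it parses a constructed, cut-down stand-in for the /etc/authorization property list and resolves a right name to the requirement a caller must satisfy. The com.example.* rights, the timeout values, and the rule named authenticate-admin are constructed; the lookup order it implements (exact right, then the longest wildcard key ending in a dot, then the unnamed default right) and the class/group/shared/timeout keys follow the real database's conventions.

```python
# Added example (not from the Apple training document): resolve an
# authorization right the way the Security Server consults the rights
# database. SAMPLE_AUTH_DB is a constructed stand-in for /etc/authorization.
import plistlib
from dataclasses import dataclass
from typing import Dict, Optional

SAMPLE_AUTH_DB = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key><dict>
    <key></key><dict>
      <key>class</key><string>rule</string><key>rule</key><string>default</string></dict>
    <key>system.preferences</key><dict>
      <key>class</key><string>user</string><key>group</key><string>admin</string>
      <key>shared</key><true/><key>timeout</key><integer>300</integer></dict>
    <key>com.example.helper.install</key><dict>
      <key>class</key><string>rule</string><key>rule</key><string>authenticate-admin</string></dict>
    <key>com.example.viewer.</key><dict>
      <key>class</key><string>allow</string></dict>
  </dict>
  <key>rules</key><dict>
    <key>default</key><dict>
      <key>class</key><string>user</string><key>group</key><string>admin</string>
      <key>shared</key><true/><key>timeout</key><integer>0</integer></dict>
    <key>authenticate-admin</key><dict>
      <key>class</key><string>user</string><key>group</key><string>admin</string>
      <key>shared</key><false/><key>timeout</key><integer>0</integer></dict>
  </dict>
</dict></plist>
"""


@dataclass(frozen=True)
class Requirement:
    right: str               # the right that was requested
    matched: str             # database key that supplied the definition
    klass: str               # "allow", "deny" or "user"
    group: Optional[str]     # group whose members may authenticate (class user)
    shared: bool             # credential may be reused by other rights
    timeout: int             # seconds a cached credential stays valid


def load_db(raw: bytes) -> dict:
    return plistlib.loads(raw)


def find_right(rights: Dict[str, dict], name: str) -> str:
    """Exact name first, then the longest wildcard key ending in '.',
    then the unnamed default right ''."""
    if name in rights:
        return name
    wildcards = [k for k in rights if k.endswith(".") and name.startswith(k)]
    if wildcards:
        return max(wildcards, key=len)
    if "" in rights:
        return ""
    raise KeyError(name)


def expand(db: dict, entry: dict, depth: int = 0) -> dict:
    """Follow 'class: rule' indirections into the rules table."""
    if entry.get("class") != "rule":
        return entry
    if depth > 8:
        raise ValueError("rule reference chain too deep")
    ref = entry["rule"]
    if isinstance(ref, list):   # simplification: real entries may combine several rules
        ref = ref[0]
    return expand(db, db["rules"][ref], depth + 1)


def resolve(db: dict, name: str) -> Requirement:
    key = find_right(db["rights"], name)
    entry = expand(db, db["rights"][key])
    return Requirement(name, key, entry["class"], entry.get("group"),
                       bool(entry.get("shared", False)), int(entry.get("timeout", 0)))


def requires_admin(db: dict, name: str) -> bool:
    req = resolve(db, name)
    return req.klass == "user" and req.group == "admin"


if __name__ == "__main__":
    db = load_db(SAMPLE_AUTH_DB)
    for right in ("system.preferences", "com.example.helper.install",
                  "com.example.viewer.open", "com.example.unlisted"):
        print(f"{right:28} -> {resolve(db, right)}")
```

On a real system, security authorizationdb read system.preferences prints the same dictionary for that right, and an unlisted right name falls through to the default entry, which is why every unknown right ends up requiring an administrator's password.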
Access permissions
An important aspect of computer security is the granting or denying of access permissions
(sometimes called access rights). A permission is the ability to perform a specific operation, such
as reading data or executing code.
Permissions are granted at the folder, subfolder, file, and application level. Permissions are also
granted for specific data in files or application functions.
Permissions in OS X are controlled at many levels, from the Mach and BSD components of the
kernel through higher levels of the operating system, andfor networked applicationsthrough
network protocols.
You protect files and folders by setting permissions that restrict or allow users to access them. OS
X supports two methods of setting file and folder permissions:
Portable Operating System Interface (POSIX) permissionsStandard for UNIX operating
systems
Access Control List (ACL) permissions: Used by OS X, and compatible with Microsoft
Windows Server 2003, Microsoft Windows XP, and newer
ACLs are evaluated before POSIX permissions. An ACL consists of verification rules called access
control entries (ACEs); the ACEs are checked to decide whether an action is allowed or denied, and
if no ACE applies, the standard POSIX permissions determine access.
Note: In this guide, the term privileges refers to the combination of ownership and permissions,
but the term permissions refers only to the permission settings that each user category can
have (Read & Write, Read Only, Write Only, and None).
POSIX permissions
OS X bases file permissions on POSIX standard permissions such as file ownership and access. In
the Finder and in Server you can assign four types of standard POSIX access permissions to a
share point, folder, or file: Read & Write, Read Only, Write Only, and None. These are combinations
of the underlying read, write, and execute (search, for folders) bits.
You can assign standard POSIX access permissions to these categories of users:
Owner: The user who creates an item (file or folder) on the computer is its owner and has Read
& Write permission for that item. By default, the owner of an item and an administrator can
change the item's access privileges (for example, allow a group or everyone to use the item). An
administrator can also transfer ownership of the item to another user.
Group: You can put users who need the same access to files and folders into group accounts.
Only one group can be assigned POSIX permissions on an item.
Everyone: All other users, including any registered user or guest who can log in to the file server
(the POSIX "other" class).
In the Finder, Control-click a file and choose Get Info. Click the Sharing & Permissions disclosure
triangle to view POSIX permissions.
You can also use the command line to view and modify permissions using chown and chmod. For
more information, see the man pages for those commands.
ACL permissions
For greater flexibility in configuring and managing file permissions, OS X implements ACLs. An
ACL is an ordered list of rules called access control entries (ACEs) that control file permissions. Each
ACE contains the following components:
User: owner, group, and other
Action: read, write, or execute
Permission: allow or deny the action
The rules specify the permissions to be granted or denied to a group or user and control how the
permissions are propagated through a folder hierarchy.
ACLs in OS X let you set file and folder access permissions for multiple users and groups, in
addition to standard POSIX permissions. This makes it easy to set up collaborative environments
with smooth file sharing and uninterrupted workflows without compromising security.
To determine if an action is allowed or denied, ACEs are evaluated in order. The first ACE that
applies to a user and an action determines the permission and no further ACEs are assessed. If no
ACEs apply, standard POSIX permissions determine access.
You can also set ACL permissions for files from the command line. The chmod command enables an
administrator to grant read, write, and execute privileges to specific users for a single file.
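The evaluation order just described (first matching ACE wins, then POSIX bits) is easy to get wrong when an ACL mixes deny and allow entries. The following is an added example that models that order in Python; it is not code from the training document. The ACE and FileInfo types, the group table, and the sample file (owned by alice, mode rw-r-----, with an explicit deny for bob placed ahead of a broad allow for the staff group) are all constructed for illustration, and the model ignores inheritance and the finer-grained OS X ACE rights.

```python
"""Model of the ACL evaluation order described above: ACEs are checked in
order, the first ACE that matches both the user and the requested action
decides, and when no ACE applies the POSIX mode bits decide.
Added example, not code from the training document: the ACE/FileInfo types,
the group table and the sample file are constructed for illustration."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class ACE:
    principal: str   # "user:<name>" or "group:<name>"
    action: str      # "read", "write" or "execute"
    allow: bool      # True grants the action, False denies it


@dataclass(frozen=True)
class FileInfo:
    owner: str
    group: str
    mode: int                 # POSIX mode bits, e.g. 0o640
    acl: Tuple[ACE, ...]      # ordered: earlier entries win


# Constructed group membership (on OS X every user is also in "staff").
GROUPS = {
    "staff": {"alice", "bob", "carol"},
    "finance": {"alice", "carol"},
}

ACTION_BIT = {"read": 4, "write": 2, "execute": 1}


def ace_matches(ace: ACE, user: str, action: str) -> bool:
    """An ACE applies when its action matches and the user is the named principal."""
    if ace.action != action:
        return False
    kind, name = ace.principal.split(":", 1)
    if kind == "user":
        return name == user
    return user in GROUPS.get(name, set())


def posix_allows(info: FileInfo, user: str, action: str) -> bool:
    """Classic owner / group / other check against the mode bits."""
    if user == info.owner:
        shift = 6
    elif user in GROUPS.get(info.group, set()):
        shift = 3
    else:
        shift = 0
    return bool((info.mode >> shift) & ACTION_BIT[action])


def is_allowed(info: FileInfo, user: str, action: str) -> bool:
    """First matching ACE wins; with no match, fall through to POSIX permissions."""
    for ace in info.acl:
        if ace_matches(ace, user, action):
            return ace.allow
    return posix_allows(info, user, action)


def decide(info: FileInfo, user: str, action: str) -> str:
    """Same decision as is_allowed, but reports which rule produced it."""
    for i, ace in enumerate(info.acl):
        if ace_matches(ace, user, action):
            verdict = "allow" if ace.allow else "deny"
            return f"{verdict} (ACE {i}: {ace.principal} {ace.action})"
    verdict = "allow" if posix_allows(info, user, action) else "deny"
    return f"{verdict} (POSIX mode {oct(info.mode)})"


# Constructed sample: a report owned by alice, group finance, mode rw-r-----,
# with an explicit deny placed ahead of a broad group allow.
REPORT = FileInfo(
    owner="alice", group="finance", mode=0o640,
    acl=(
        ACE("user:bob", "read", False),     # deny listed first, so it wins for bob
        ACE("group:staff", "read", True),   # everyone else in staff may read
        ACE("user:carol", "write", True),   # carol may also write
    ),
)

if __name__ == "__main__":
    for user, action in [("bob", "read"), ("carol", "read"), ("carol", "write"),
                         ("dave", "read"), ("alice", "write"), ("alice", "execute")]:
        print(f"{user:6} {action:8} -> {decide(REPORT, user, action)}")
```

The point the model makes visible: moving the `user:bob` deny below the `group:staff` allow would silently grant bob read access, because the first match decides and later entries are never consulted. On a real OS X system the same ordering is shown by `ls -le` and adjusted with `chmod +a` / `chmod -a`.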
Service access control lists
You can further secure sharing services by allowing access only to users you specify in service
access control lists (SACLs). You can create user accounts for sharing based on existing user
accounts on the system, and for entries in your address book.
Securing user home folders
To secure user home folders, change the permissions of each user's home folder so the folder
isn't world-readable or world-searchable.
Default permissions on the home folder of a user account allow other users to browse the folder's
contents. Users might inadvertently save sensitive files to their home folder, instead of
in the more protected ~/Documents or ~/Desktop folders.
The ~/Public and ~/Public/Drop Box folders in each home folder may require world-readable or
world-writable permissions if File Sharing or Web Sharing is enabled. If these services aren't in
use, permissions on these folders can be safely changed to prevent other users from browsing or
writing to their contents.
In OS X, all users are members of the staff group, not of a group that has the same name as their
user name.
Securing accounts
To secure user accounts, you need to determine how accounts are used and set the level of
access for each user.
When you define a user's account you specify the information used to prove the user's identity, such as
user name, authentication method (password, digital token, smart card, or biometric reader), and
user identification number (user ID). Other information in a user's account is needed by various
services to determine what the user is authorized to do and to personalize the user's
environment.
Types of user accounts
When you log in to OS X, you use a nonadministrator or administrator account. The main
difference between the two types is that OS X provides safety mechanisms to prevent
nonadministrator users from editing key preferences or performing actions critical to computer
security. Administrator users aren't as limited as nonadministrator users.
You can further define nonadministrator and administrator accounts by specifying additional
user privileges or restrictions.
The following table shows the access provided to user accounts.
User account                    User access
Guest nonadministrator          Restricted user access (disabled by default)
Standard nonadministrator       Nonprivileged user access
Managed nonadministrator        Restricted user access
Administrator                   Full computer configuration administration
System administrator (root)     Unrestricted access to the computer
Always log in as a nonadministrator user unless you need administrator access for specific system
maintenance tasks that can't be accomplished by authenticating with the administrator's account
while logged in as a normal user. Log out of the administrator account when you aren't using the
computer as an administrator.
If you're logged in as an administrator, you're granted privileges and abilities that you might not
need. For example, you can potentially modify system preferences without being required to
authenticate, bypassing the security safeguard that prevents malicious or accidental modification
of system preferences.
Guidelines for creating accounts
When you create user accounts, follow these guidelines:
Never create accounts that are shared by several users. Each user should have his or her own
standard or managed account.
Individual accounts are necessary to maintain accountability. System logs can track activities
for each user account, but if several users share the same account it's difficult to track which
user performed an activity.
Each user needing administrator access should have an administrator account in addition to a
standard or managed account.
Administrator users should only use their administrator accounts for administrator purposes. By
requiring an administrator to have a personal account for typical use and an administrator
account for administrator purposes, you reduce the risk of an administrator performing actions
like accidentally reconfiguring secure system preferences.
Defining user IDs
A user ID is a number that uniquely identifies a user. OS X computers use the user ID to track a
user's folder and file ownership. When a user creates a folder or file, the user ID is stored as the
creator ID. A user with that user ID has read and write permissions to the folder or file by default.
The user ID is a unique string of digits between 500 and 2,147,483,648. New users created using
the Users & Groups pane of System Preferences are assigned user IDs starting at 501. New users
can also be created using the command line, which allows the administrator to specify the user
ID for new users. When using the command line to create new users, it's risky to assign the same
user ID to different users, because two users with the same user ID have identical directory and
POSIX file permissions.
Each user has a unique GUID that is generated when the user account is created. A users GUID is
associated with ACL permissions set on files or folders. By setting ACL permissions you can
prevent users with identical user IDs from accessing files and folders.
The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system use. User
accounts with these user IDs shouldn't be deleted and shouldn't be modified except to change
the password of the root user.
In general, after a user ID is assigned and the user starts creating files and folders, you shouldn't
change the user ID.
One scenario in which you might need to change a user ID is when you merge users from
different servers onto a new server or cluster of servers. The same user ID might have been
associated with a different user on the previous server.
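The user ID rules above (no duplicate IDs, nothing human placed below 100, UID 0 only for root, new IDs starting at 501) are easy to audit from an account listing, which is also the check to run before the server-merge scenario just mentioned. The following is an added example in Python, not code from the training document. The listing is constructed in the name/UID form that `dscl . -list /Users UniqueID` prints on OS X, and the heuristic for recognizing built-in system accounts (root, daemon, nobody, and names beginning with an underscore) is this example's own assumption.

```python
"""Audit account records for the user ID problems described above: two
accounts sharing one user ID (identical POSIX permissions), a non-system
account placed in the range reserved for system use, and IDs outside the
documented range. It also picks the next free ID for a user created from
the command line. Added example, not code from the training document; the
listing is constructed in the name/UID form printed by `dscl . -list /Users
UniqueID`, and the system-account naming heuristic is an assumption."""
import re
from collections import defaultdict

ROOT_UID = 0
SYSTEM_RESERVED_MAX = 99        # IDs below 100 are reserved for system use
FIRST_USER_UID = 501            # Users & Groups starts numbering here
MAX_UID = 2_147_483_648         # upper bound quoted in the training text

# Constructed sample listing: two people accidentally given the same UID,
# and a service account created by hand inside the reserved range.
SAMPLE_LISTING = """\
root              0
daemon            1
_www             70
svc_backup       80
guest           201
admin           501
jfoster         502
mbrown          502
"""


def parse_listing(text: str) -> list:
    """Turn 'name  uid' lines into (name, uid) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s*$", line)
        if m:
            records.append((m.group(1), int(m.group(2))))
    return records


def looks_like_system_account(name: str) -> bool:
    # Assumption: built-in service accounts are root, daemon, nobody or
    # start with an underscore; anything else in the low range is suspect.
    return name in ("root", "daemon", "nobody") or name.startswith("_")


def audit_uids(records) -> dict:
    """Return findings grouped by category."""
    by_uid = defaultdict(list)
    for name, uid in records:
        by_uid[uid].append(name)

    findings = {"duplicate": {}, "reserved_range": [], "out_of_range": []}
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings["duplicate"][uid] = sorted(names)
    for name, uid in records:
        if uid <= SYSTEM_RESERVED_MAX and not looks_like_system_account(name):
            findings["reserved_range"].append((name, uid))
        if uid < ROOT_UID or uid > MAX_UID:
            findings["out_of_range"].append((name, uid))
    return findings


def next_free_uid(records) -> int:
    """Smallest unused ID at or above 501, for accounts created via the command line."""
    used = {uid for _, uid in records}
    uid = FIRST_USER_UID
    while uid in used:
        uid += 1
    return uid


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for category, items in audit_uids(recs).items():
        print(f"{category}: {items}")
    print("next free UID:", next_free_uid(recs))
```

The duplicate finding is the one that matters most for file permissions: as the text notes, jfoster and mbrown would be indistinguishable to POSIX permission checks, and only per-user ACLs (keyed on each account's GUID) could still tell them apart.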
Securing the guest account
The guest account is used to give a user temporary access to your computer. The guest account
is disabled by default because it doesn't require a password to log in to the computer. If this
account is enabled and not securely configured, malicious users can gain access to your
computer without a password.
If you enable the guest account, you should also enable parental controls to limit what the user
can do. Enabling parental controls on an account doesn't defend against a determined attacker
and shouldn't be used as the primary security mechanism.
Whether or not the guest account is enabled, disable guest account access to shared files and
folders by deselecting the Allow guest to connect to shared folders checkbox. If you allow the
guest account to access shared folders, an attacker can easily attempt to access shared folders
without a password.
When you finish setting permissions for the guest account, disable it by deselecting the Allow
guests to log in to this computer checkbox.
Securing nonadministrator accounts
There are two types of nonadministrator user accounts:
Standard user accounts don't have administrator privileges and don't have parental controls
limiting their actions.
Managed user accounts don't have administrator privileges but have active parental controls.
Parental controls help deter unsophisticated users from performing malicious activities. They can
also help prevent users from accidentally installing malware on their computer.
Note: If your computer is connected to a network, you can manage preferences and account
information for managed users over the network.
When you create nonadministrator accounts, restrict the accounts so they can only use what's
required. For example, if users plan to store sensitive data on their local computer, disable the
ability to burn DVDs.
Managed user accounts
Parental controls provide administrators with tools to enforce a reasonable level of restrictions for
users of the computer.
Administrator users can use features like Simple Finder to limit a user to opening a set of applications, or
create a whitelist of websites that users can visit. However, if attackers have physical access to
computer ports such as Thunderbolt, USB, or FireWire, they can bypass parental controls by
mounting a disk image that contains malicious software.
These are the kinds of simple controls that administrators of a public library or similar computer environment
can use to keep users from performing malicious activities.
Parental controls preferences
You can set limits for users on a Mac running OS X by using Parental Controls preferences. For
example, you might want to prevent users from being able to install or uninstall software, or you
might want to restrict access to specific administrator tools or utilities. You can set these
preferences according to your environment.
To securely configure an account with parental controls:
1. Open System Preferences, then click Users & Groups.
2. If the lock icon is locked, click it to unlock it and enter an administrator name and password.
3. Select the user account you want to manage with parental controls and select the Enable
Parental Controls checkbox.
4. Click Open Parental Controls.
5. Click Apps.
You can enable Simple Finder, which restricts an account to using applications listed on the
Dock. With Simple Finder enabled, users can't create or delete files. Simple Finder also
prevents users from changing their passwords.
Enabling Simple Finder isn't recommended, unless the computer is used in a kiosk-like
environment.
In the Apps pane, you can specify the applications the user has access to by selecting the
Limit Applications checkbox. Then you can select or deselect applications in the applications
list.
When you install third-party applications, you can add them to this list. Disable third-party
applications unless the user needs them and can use them securely. Third-party applications might give
a standard user some administrator abilities, which can be a security issue.
You can also prevent the user from modifying the Dock by deselecting Allow User to Modify
the Dock.
6. Click Web.
In the Web pane, you can restrict the websites that users can view by selecting Try to limit
access to adult websites automatically, and you can customize the list of adult sites by
clicking Customize and adding the URL of sites to the Always allow these sites list or the
Never allow these sites list.
You can also select Allow access to only these websites, which prevents a user from
accessing any site not in the list. Expand the list by clicking the Add (+) button below the list
of sites.
7. Click People.
In the People pane, you can limit access to Game Center multiplayer games and to adding
friends.
Also in the People pane, you can limit Mail and Messages to specific addresses in
the Only allow emailing and instant messaging with list. To add users to the list, click the
Add (+) button below the list.
You can also select the Send permission request to checkbox and enter an administrator's
mail address. When a user attempts to send mail to someone not in the list, the mail is sent
to the administrator for permission to be sent.
8. Click Time Limits.
In the Time Limits pane, you can restrict the number of hours the computer is used by
selecting the Limit computer use to checkbox and setting the number of hours.
You can also set the times the computer can be accessed by selecting School nights: Sunday
through Thursday or Weekend: Friday and Saturday, and setting a time range.
9. Click Other.
In the Other pane, you can disable Dictation, hide profanity in the Dictionary, limit printer
administration, prevent disc burning, and disable changing the password.
Securing administrator accounts
The administrator's account should be used only when absolutely necessary to accomplish
administrative tasks. To secure administrator accounts, restrict the distribution of administrator
accounts and limit the use of these accounts.
A user account with administrator privileges can perform standard user and administrator tasks
such as:
Creating user accounts
Adding users to the Admin group
Enabling or disabling sharing
Enabling, disabling, or changing firewall settings
Changing other protected areas in System Preferences
Installing system software
Securing the system administrator account
The most powerful user account in OS X is the system administrator, or root, account. The root
account is primarily used for performing UNIX commands and actions that involve critical system
files. By default, the root account on OS X is disabled, and it's recommended that you keep it
disabled.
Using strong authentication
Authentication is the process of verifying the identity of a user. OS X supports local and
network-based authentication to ensure that only users with valid authentication credentials can access
the computer's data, applications, and network services.
You can require passwords to log in, to wake the computer from sleep or a screen saver, to install
applications, or to change system settings. OS X also supports authentication methods such as
smart cards, digital tokens, and biometric readers.
Strong authentication uses combinations of the following authentication dimensions to make
identification more reliable and certain:
What the user knows, such as a password or PIN
What the user has, such as a one-time password (OTP) token or smart card
What the user is, such as a fingerprint, retina scan, or DNA sample
Using Password Assistant to generate or analyze passwords
OS X includes Password Assistant, an application that analyzes the complexity of a password or
generates a complex password for you. You can specify the length and type of password you'd
like to generate.
You can open Password Assistant from some applications. For example, when you create an
account or change passwords in Users & Groups preferences, you can use Password Assistant to
help you create a secure password.
You can choose from the following types of passwords:
Manual: You enter a password and then Password Assistant tells you how strong the password
is. If the quality level is low, Password Assistant gives tips for increasing it.
Memorable: According to your password length requirements, Password Assistant generates a
list of memorable passwords in the Suggestion menu.
Letters & Numbers: According to your password length requirements, Password Assistant
generates a list of passwords with a combination of letters and numbers.
Numbers Only: According to your password length requirements, Password Assistant generates
a list of passwords containing only numbers.
Random: According to your password length requirements, Password Assistant generates a list
of passwords containing random characters (which includes mixed upper and lowercase,
punctuation, and numbers).
FIPS-181 compliant: According to your password length requirements, Password Assistant
generates a password that is FIPS-181 compliant (which includes only the 26 lowercase letters of
the English alphabet).
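The password types above differ in the size of the character pool they draw from, which is what decides how much a given length is worth. The following is an added example in Python, not Apple's Password Assistant code: it generates passwords of the Numbers Only, FIPS-181 compliant, Letters & Numbers, and Random kinds with a cryptographically secure source, and estimates strength as entropy in bits from the character classes present, the way a "Manual" analysis would for a typed-in password. The character pools, the entropy estimate, and the rating thresholds are this example's own assumptions.

```python
"""Generate passwords of the kinds listed above and estimate their strength as
entropy in bits, which makes the trade-off between the types concrete: at the
same length, "Numbers Only" is far weaker than "Random". Added example, not
Apple's Password Assistant: the character pools, the entropy estimate and the
rating thresholds are this example's own assumptions."""
import math
import secrets
import string

# Assumed character pools for the generated types.
POOLS = {
    "Numbers Only": string.digits,
    "FIPS-181 compliant": string.ascii_lowercase,          # 26 lowercase letters
    "Letters & Numbers": string.ascii_letters + string.digits,
    "Random": string.ascii_letters + string.digits + string.punctuation,
}


def generate(kind: str, length: int) -> str:
    """Draw each character from the pool with a CSPRNG (secrets, not random)."""
    pool = POOLS[kind]
    return "".join(secrets.choice(pool) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Bits of entropy if every character were chosen uniformly from the
    classes the password actually contains. This is a character-class
    estimate only; it knows nothing about dictionary words or patterns."""
    pool_size = 0
    if any(c in string.ascii_lowercase for c in password):
        pool_size += 26
    if any(c in string.ascii_uppercase for c in password):
        pool_size += 26
    if any(c in string.digits for c in password):
        pool_size += 10
    if any(c in string.punctuation for c in password):
        pool_size += len(string.punctuation)   # 32 characters
    if pool_size == 0:
        return 0.0
    return len(password) * math.log2(pool_size)


def rate(password: str) -> str:
    """Coarse rating; the thresholds are assumed, not Password Assistant's."""
    bits = entropy_bits(password)
    if bits < 36:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "good"
    return "strong"


if __name__ == "__main__":
    for kind in POOLS:
        pw = generate(kind, 12)
        print(f"{kind:20} {pw:14} {entropy_bits(pw):6.1f} bits  {rate(pw)}")
```

Run it a few times and the ordering is stable: a 12-digit Numbers Only password carries about 40 bits, while a 12-character Random one carries close to 79. The estimator deliberately counts only character classes, so a dictionary word with mixed case still scores as if it were random; that is exactly the gap the Manual analysis and its tips are meant to cover.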
Password policies
A variety of password policies are available to clients running in an Open Directory environment.
These should meet the requirements of your organizations security policy. In this example, youll
configure Open Directory password policies globally and then specifically for the user Jimmy
Foster. You can use a different account for testing if you want.
To set up Open Directory password policies for a user:
1. Open Server.
2. Click Open Directory in the Services list.
3. Expand the action menu at the bottom of the window.
4. Choose Edit Global Password Policy.
Configure the global password policies for the Open Directory service. These policies control
login for accounts and set controls on passwords for all users in the directory service.
5. After setting the global password policies, click OK.
To add additional settings for specific users using Workgroup Manager:
1. Download and install Workgroup Manager from Apple's support website at
http://support.apple.com/kb/DL1567.
2. Open /Applications/Workgroup Manager and authenticate to Open Directory.
3. Click the user or users you want to set up.
4. Click Advanced.
5. Click the Options button below the User Password Type section.
6. Configure specific settings for each user, such as controlling when to disable accounts and
when to require the user to change passwords.
7. When you're finished managing these settings, click OK.
Note: When using Active Directory, the AD password policies are recognized and enforced by
OS X. Users are notified about expiring passwords and can change their passwords in OS X.
Keychains
All users find themselves authenticating to and accessing an ever-increasing number of
protected services. These services include email, file sharing, social networking, banking, and
system administration. With so many credentials, users and administrators need an easy way to
store and retrieve credentials on demand without risking exposure to unauthorized access. To
address this need, OS X provides a feature called keychains.
A keychain is a container for securely storing user and system credentials on the local system, so
they can be retrieved quickly. Each keychain can hold a collection of credentials and protect
them with a single password. Keychains store encrypted passwords, certificates, and other private
values (called secure notes). These values are accessible only by unlocking the keychain using the
keychain password and only by applications that are approved and added to the access control
application list.
Keychains and the corresponding services are integrated so deeply into OS X that it's a required
service that can't be disabled or shut off. Each new system account has four default keychains,
each serving a specific purpose, protection, and storage. The default keychains are described
below.
Login: Stored in /Users/<shortname>/Library/Keychains/login.keychain, the login keychain
allows users on OS X to start with an empty keychain called login where they can store their
own credentials. All passwords, keys, secure notes, and user identities should be stored here. OS
X populates the keychain with certificates acquired during the parsing of digitally signed email
messages in the Mail app. The login keychain is protected with a passphrase that's the same as
the user's login password, but it can be changed.
Directory Services: Locally configured directory servers can be enabled to search external
directory services, such as Active Directory, LDAP, and NIS, for certificates and to retrieve X.509
certificates for users.
System: The System keychain is managed by the operating system and the system administrator
account. It is stored in /Library/Keychains/System.keychain. It is used for machine (system)
authentication to network services and for storing corporate Root Certificate Authority (CA)
certificates for systemwide trust. The System keychain is always accessible by the operating
system, no matter which user is logged in.
Important: Any network service with machine authentication, such as 802.1X, VPN, and WPA/
WPA2, requires that the credentials and any corresponding trust chain be stored in the System
keychain if those certificates were issued from a corporate CA or from any Root CA not
included in the System Roots.
System Roots: The System Roots keychain is managed by the operating system and is used
for storing the pretrusted Root CA certificates of OS X. It is stored in
/System/Library/Keychains/SystemRootCertificates.keychain. Administrators can alter the trust on any of the
root certificates to reflect desired systemwide CA trust, but they can't remove or delete any
root certificates from this keychain. Apple updates the certificates in this keychain during OS X
Software and Security Updates.
Storing credentials in keychains
OS X includes Keychain Access, an application that manages collections of passwords and
certificates in a single secure place called a keychain. You can create multiple keychains, each of
which appears in a keychain list in Keychain Access. Each value is called a key item. You can create
a key item in any user-created keychain.
Each item in a keychain has an Access Control List (ACL) that can be populated with applications
that have authority to use that item. A further restriction can be added that forces an application
with access to confirm the keychain password.
Every keychain in the keychain list can be used by the system and administrator for locating and
retrieving appropriate credentials. By using keychains, you no longer need to remember
passwords for multiple accounts, so the passwords you choose can be very complex and can
even be randomly generated.
OS X Keychain services enable you to create keychains and provide secure storage of keychain
items. After a keychain is created, you can add, delete, and edit keychain items, such as
passwords, keys, certificates, and notes. A user can unlock a keychain with a single password and
applications can then use that keychain to store and retrieve data, such as passwords.
Using the default user keychain
When a user's account is created, a default keychain called login is created for that user. The
password for the login keychain is initially set to the user's login password, and the keychain is unlocked when
the user logs in. It remains unlocked unless the user locks it, or until the user logs out.
When an application must store an item in a keychain, it stores it in the keychain designated as
the user's default keychain.
You should secure the login keychain so the user must unlock it when he or she logs in, or after
waking the computer from sleep.
To secure the login keychain:
1. Open Keychain Access from the Utilities folder.
2. If you don't see a list of keychains, click Show Keychains.
3. Select the login keychain.
4. Choose Edit > Change Password for Keychain login.
5. Enter the current password, and create and verify a password for the login keychain.
After you create a login keychain password that's different from the normal login password,
your keychain isn't unlocked at login.
To create a secure password, use Password Assistant. For information, see Using Password
Assistant to generate or analyze passwords in this chapter.
6. Choose Edit > Change Settings for Keychain login.
7. Select Lock when sleeping.
8. Secure each login keychain item.
Creating additional keychains
A user can create additional keychains, each of which can have different settings and purposes.
Users might want to group credentials for mail accounts into one keychain. Because mail
programs query the server frequently to check for mail, it isn't practical for users to
reauthenticate when such a check is performed.
Users could create a keychain and configure its settings so that they're required to enter the
keychain password at login and whenever the computer is awakened from sleep.
Users can then move all items containing credentials for mail applications into that keychain and
set each item so that only the mail application associated with that credential can automatically
access it. This forces other applications to authenticate for access to that credential.
A keychain configured for mail applications might be unacceptable for other
applications. If users have web-based mail accounts they don't use often, they should store those
credentials in a keychain configured to require reauthentication for every access.
You can also create multiple keychains to accommodate varying degrees of security. Separating
keychains by sensitivity prevents exposing sensitive credentials to less sensitive applications
that have credentials on the same keychain.
To create a keychain and customize its authentication settings:
1. In Keychain Access, choose File > New Keychain.
2. Enter a name, select a location for the keychain, and click Create.
3. Enter a password for the keychain, then enter it again in the Verify field, and click OK.
If you need help choosing a good password, click the key button to the right of the
Password field.
4. If you don't see a list of keychains in the sidebar, click Show Keychains in the View menu.
5. Select the new keychain.
6. Choose Edit > Change Settings for Keychain keychain_name, and authenticate, if
requested.
7. Change the Lock after # minutes of inactivity setting based on the access frequency of the
security credentials included in the keychain.
If the security credentials are accessed frequently, deselect Lock after # minutes of
inactivity. If the security credentials aren't accessed frequently, select Lock after # minutes of
inactivity and select a value, such as 15. If you password-protect your screen saver, consider
setting this value to the idle time required for your screen saver to start.
8. Select Lock when sleeping.
9. Drag the security credentials from other keychains to the new keychain and authenticate, if
requested.
You should have keychains that only contain related certificates. For example, a mail
keychain should only contain mail items.
10. If you're asked to confirm access to the keychain, enter the keychain password and click
Allow Once.
After confirming access, Keychain Access moves the security credential to the new keychain.
To secure a keychain item:
1. In Keychain Access, select a keychain and then select an item.
2. Click the Information (i) button in the bottom status bar.
3. Click Access Control and then authenticate if requested.
4. Select Confirm before allowing access.
After you enable this option, OS X prompts you before giving a security credential to an
application. You shouldn't select Allow all applications to access this item. When this is
selected, OS X doesn't prompt you before granting any application access to the security
credential while the keychain is unlocked. This is a security risk.
5. Select Ask for Keychain password.
After enabling this, you must provide the keychain password before applications can access
security credentials.
You should enable this for critical items, such as your personal identity (your public key
certificates and the corresponding private key), which are needed for signing or decrypting
information. You can also place these items in their own keychains.
6. Remove nontrusted applications listed in Always allow access by these applications by
selecting each application and clicking the Remove (-) button.
Applications in this list prompt the user to enter the keychain password before the
application can access security credentials.
Note: You can also create and manage keychains from the command line using the security
and systemkeychain tools. For more information, see the corresponding security and
systemkeychain man pages in Terminal.
Using portable and network-based keychains
If you're using a notebook computer, consider storing your keychains on a portable drive, such as
a USB flash memory drive. You can remove the portable drive from the portable computer and
store it separately when the keychains aren't in use.
Storing your keychains on a portable drive provides an extra layer of protection if the notebook
is stolen or misplaced. Anyone attempting to access data on the portable computer needs the
portable computer, portable drive, and the password for the keychain stored on the portable
drive.
To use a portable drive to store keychains, move your keychain files to the portable drive and
configure Keychain Access to use the keychains on the portable drive. The default location for
your keychain is ~/Library/Keychains/, but you can store keychains in other locations.
You can further protect portable keychains by storing them on biometric USB flash memory
drives.
Check with your organization to see if the policy allows using portable drives to store keychains.
To set up a keychain for use from a portable drive:
1. Open Keychain Access from the Utilities folder.
2. If you don't see a list of keychains, click Show Keychains.
3. Choose Edit > Keychain List.
4. Note the location of the keychain you want to set up. The default location is
~/Library/Keychains/.
5. Click Cancel.
6. Select the keychain you want to set up.
7. Choose File > Delete Keychain keychain_name.
8. Click Delete References.
9. In Finder, copy the keychain files from the previously noted location to the portable drive.
10. Move the keychain to the Trash on the computer and use Secure Empty Trash to securely
erase the keychain file stored on the computer.
For information, see Securely erasing data in Chapter 3, Data Security.
11. Double-click the keychain file on your portable drive to add it to your keychain search list.
Using Kerberos
Kerberos is an authentication protocol used for systemwide single sign-on, allowing users to
authenticate to multiple services without having to reenter passwords or send passwords over
the network. Every system generates its own principals, allowing it to offer secure services that
are fully compatible with other Kerberos-based implementations.
OS X uses Kerberos v5 to make it easier to share services with other computers. You don't need a
key distribution center (KDC) to use Kerberos authentication between two OS X computers.
When you connect to a computer that supports Kerberos, youre granted a ticket that permits
you to continue to use services on that computer, without reauthentication, until your ticket
expires.
For example, consider two OS X computers named Mac01 and Mac02. Mac02 has screen
sharing and file sharing turned on. If Mac01 connects to a shared folder on Mac02, Mac01 can
subsequently connect to screen sharing on Mac02 without supplying login credentials again.
This Kerberos exchange is only attempted if you connect using Bonjour, navigate to the
computer in the Finder, or use the Go menu in the Finder to connect to a server using the local
hostname of the computer (for example, computer_name.local).
You can also use the kinit, kdestroy, and kpasswd commands to manage Kerberos tickets.
For more information, see the man pages for these commands.
Public Key Infrastructure (PKI)
The Public Key Infrastructure (PKI) includes certificate, key, and trust services functions to:
Create, manage, and read certificates
Add certificates to a keychain
Create encryption keys
Manage trust policies and certificate verification/validation
These functions are used when the services call Common Security Service Manager (CSSM)
functions. This is transparent to users.
About certificates
A certificate binds a public key to an identity (a person, an organization, or a host such as a web
server) and is signed by its issuer so that the binding can be verified. Certificates are used by web
browsers, mail applications, and online chat applications. In OS X, certificates are part of your
digital identity (a certificate together with its private key) and are stored in your keychain.
When you communicate with a secure site (one that uses SSL/TLS), the site's certificate is used to
set up an encrypted session. This protects your login information, credit card numbers, addresses,
and other sensitive data while it's in transit.
Certificates are signed and issued by trusted organizations called certificate authorities (CAs), such
as Thawte or Entrust. When you go to a secure website, OS X checks the site's certificate and verifies
that it chains to a CA certificate it already trusts (the System Roots keychain, plus any certificates
you or an administrator have explicitly marked as trusted). If the website's certificate can't be
verified, or if the site doesn't have one, you receive a warning.
The validity of a certificate is verified electronically using the public key infrastructure (PKI).
A certificate contains your public key, the identity of the subject, the identity of the CA that
signed the certificate, a validity period, and other data associated with the identity, all covered by
the CA's signature.
A certificate is usually restricted to particular uses, such as digital signatures, encryption, use with
web servers, and so on. These restrictions are carried in the certificate's key usage and extended
key usage extensions. Although it's possible to create one certificate for multiple uses, it's unusual
to make one for all possible uses, and it's less secure: if the key is compromised, every role the
certificate was issued for is compromised with it.
A certificate is valid only for a limited time (its validity period); it then becomes invalid and must
be replaced with a newer version. The CA can also revoke a certificate before it expires, which is
why clients check revocation status (see "To set up certificate revocation checking" below).
If you need to send a certificate to someone, you can export it using Keychain Access, and then
send it through email or by other means. Likewise, if someone sends you a certificate, you can
add it to your keychain by dragging it onto the Keychain Access icon, or by using the Import
menu in Keychain Access.
Creating a self-signed certificate
You can create a certificate using the Certificate Assistant in Keychain Access. A certificate you
create this way is self-signed: it's signed with its own private key rather than by a CA, so other
computers have no reason to trust it until their owner marks it as trusted. Self-signed certificates
don't provide the trust level of a certificate signed by a CA.
By default, RSA certificates created with Certificate Assistant have a 2048-bit key. Don't choose a
smaller key: 1024-bit RSA keys are no longer considered adequate, and anything shorter can be
expected to be broken within the validity period of the certificate.
To create a self-signed certificate:
1. Open Keychain Access from the Utilities folder.
2. Choose Keychain Access > Certificate Assistant > Create a Certificate.
3. Enter a name for the certificate.
4. From the Identity Type pop-up menu, choose one of the following:
Self Signed Root: A self-signed root certificate is signed with its own private key, so it acts as
its own root CA. Such certificates don't benefit from the security of certificate chains and
certificate policies. Most computers don't accept a self-signed certificate unless the
certificate's owner has explicitly marked it as trusted first, and some refuse them under any
circumstances. However, they are easy and quick to make, and are often used for testing in
place of certificates signed by a proper CA.
Leaf certificate: A leaf is a certificate signed by an intermediate or root CA. A leaf certificate
benefits from the security of certificate chains and certificate policies. A leaf is situated at
the bottom of a certificate chain.
5. From the Certificate Type pop-up menu, choose the specific purpose that your certificate will
be used for.
6. If you want to manually specify the information in the certificate, such as key pairs,
extensions, and encryption, select Let me override defaults.
7. Click Create.
8. When prompted You are about to create a self-signed certificate, click Continue.
9. Review the certificate and click Done.
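An added example (not Apple's code) that makes the points in "About certificates" and this section concrete: it walks a certificate's DER structure using only the Python standard library and reports whether the certificate is inside its validity period, whether its key usage permits the intended use, whether the RSA key is shorter than 2048 bits, and whether it is self-signed (issuer equal to subject). The sample certificate, its subject mac02.local, the issuer name and the fake modulus are constructed for the example. A real check also verifies the signature and the chain to a trusted root, which this one deliberately leaves out.

```python
"""Validity, key-usage and key-size checks on an X.509 certificate.

Added example, not Apple's code: a minimal DER walker over the fields this
section describes. The sample certificate is constructed inline with a fake
RSA modulus and an empty signature, so no real key material is involved.
"""
import base64
from datetime import datetime, timezone

def tlv(tag, body):                          # DER-encode one tag-length-value
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):                    # DER-decode the TLV at pos
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):                          # TLVs directly inside a constructed body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
OID_KEY_USAGE = bytes.fromhex("551d0f")      # id-ce-keyUsage (2.5.29.15)
OID_CN = bytes.fromhex("550403")             # id-at-commonName (2.5.4.3)

def when(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def load_der(data):
    """Accept PEM text (.pem/.crt) or raw DER (.cer/.der), as Keychain Access does."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----")))
    return data

def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

def parse_time(tag, val):                    # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def common_name(name_body):                  # Name = SEQUENCE OF SET OF { OID, value }
    for _, rdn in children(name_body):
        (_, oid), (_, val) = children(children(rdn)[0][1])
        if oid == OID_CN:
            return val.decode()
    return "?"

def inspect(cert_bytes):
    """Extract validity, names, RSA key size and key usage from a certificate."""
    _, cert, _ = read_tlv(load_der(cert_bytes))
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:                    # explicit [0] version, present in v3 certificates
        tbs = tbs[1:]
    _serial, _alg, issuer, validity, subject, spki = tbs[:6]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity[1]))
    # RSA SubjectPublicKeyInfo: BIT STRING (one padding byte) wrapping SEQUENCE { n, e }
    rsa = children(children(spki[1])[1][1][1:])[0][1]
    key_bits = int.from_bytes(children(rsa)[0][1], "big").bit_length()
    usage = set()
    for _, ext in [e for t, v in tbs[6:] if t == 0xA3 for e in children(children(v)[0][1])]:
        fields = children(ext)               # OID, optional critical BOOLEAN, OCTET STRING
        if fields[0][1] == OID_KEY_USAGE:
            bits = children(fields[-1][1])[0][1]          # BIT STRING: pad count, then bits
            for i, name in enumerate(KEY_USAGE_BITS):     # bit 0 is the MSB of the first byte
                if 1 + i // 8 < len(bits) and bits[1 + i // 8] & (0x80 >> (i % 8)):
                    usage.add(name)
    return {"subject": common_name(subject[1]), "issuer": common_name(issuer[1]),
            "not_before": not_before, "not_after": not_after, "key_bits": key_bits,
            "key_usage": usage, "self_signed": issuer[1] == subject[1]}

def check(cert_bytes, intended_use, now):
    """Reasons not to use the certificate for intended_use at time now (empty list = fine)."""
    info, problems = inspect(cert_bytes), []
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append("outside validity period")
    if info["key_usage"] and intended_use not in info["key_usage"]:
        problems.append("key usage does not permit " + intended_use)
    if info["key_bits"] < 2048:
        problems.append("RSA key too short: %d bits" % info["key_bits"])
    if info["self_signed"]:                  # issuer == subject; a full check also verifies the signature
        problems.append("self-signed: no CA chain, trust only if explicitly marked trusted")
    return problems

def build_sample(not_before, not_after, key_bits=2048,
                 usage=("digitalSignature", "keyEncipherment"), issuer="Example Corp CA"):
    """Constructed v3 certificate for mac02.local (fake modulus, empty signature)."""
    def name(cn):
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))
    def utc(dt):
        return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))   # sha256WithRSA
    n = (1 << (key_bits - 1)) | 1                                                       # exactly key_bits long
    rsa = tlv(0x30, tlv(0x02, b"\x00" + n.to_bytes(key_bits // 8, "big")) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + rsa))
    ku = sum(0x8000 >> KEY_USAGE_BITS.index(u) for u in usage)
    ext = tlv(0x30, tlv(0x06, OID_KEY_USAGE) + tlv(0x01, b"\xff")
              + tlv(0x04, tlv(0x03, b"\x07" + ku.to_bytes(2, "big"))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x2a") + alg + name(issuer)
              + tlv(0x30, utc(not_before) + utc(not_after)) + name("mac02.local") + spki
              + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

To run it against a real file exported from Keychain Access, pass the bytes of the .cer or .pem file to check() with the use you intend (for a web server certificate, "digitalSignature" or "keyEncipherment") and the current UTC time; the same loader handles both encodings listed above because it looks at the content rather than the extension.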
Managing certificates in a keychain
Digital certificates are used to validate users and hosts on the Internet. When you receive
certificates from the Internet, you can add them to your keychain for quick access to secure
websites and other resources. After a certificate is added, it can be used by other compatible
applications.
To add a certificate to a keychain:
1. Drag the certificate file to the Keychain Access icon or double-click the certificate file.
You can also add a certificate to a keychain by choosing File > Import in Keychain Access.
If you want to view the contents of the certificate before you add it, click View Certificates in
the dialog, and then click OK when youre done.
2. Choose a keychain from the pop-up menu and click Add.
3. If you're asked for a name and password (for example, when adding to the System keychain),
enter the name and password of an administrator of this computer.
For Keychain Access to recognize a certificate file, the file must have an extension that
identifies it as containing certificates.
The following types of certificate files are recognized by Keychain Access:
PKCS #12 (DER encoded): .p12 or .pfx
PKCS #7 or a single X.509 certificate (DER or PEM encoded): .cer, .crt, .der, .pem, .p7r, .p7b, .p7m, .p7c, or .p7s
To access and view keychain contents:
1. Open Keychain Access from the Utilities folder.
2. Select a keychain from the list in the sidebar.
The right side of the Keychain Access window displays all items currently stored within that
keychain, with the following column headings:
Name is the name of the keychain item (for example, mail.company.com).
Kind is the type of keychain item, such as certificate or Internet password.
Date Modified is the date when the keychain item was last modified.
Expires is the date when the keychain item expires (for example, the expiration date of a
certificate).
Keychain is the name of the keychain where the item is stored.
3. Click any keychain item to see top-level information about it.
4. Double-click the keychain item or click the Information (i) button at the bottom of the
window to bring up the information pane for the selected item.
5. Drag any keychain item to another location to copy it.
To select categories of Keychain items:
1. Open Keychain Access from the Utilities folder.
2. Select the item category you want by clicking its name in the Category list.
The right side of the Keychain Access window now displays all items of the type you chose
currently stored within the selected keychain. In the My Certificates category, all X.509
identities (certificate and corresponding private key) are displayed. To refine whats listed,
enter information in the search field in the upper-right corner of the window.
To set up directory services to search for certificates:
1. Open Keychain Access from the Utilities folder.
2. Choose Preferences from the Keychain Access menu.
3. Click General.
4. Select the Search directory services for certificates checkbox to enable the system to search
all directory services configured for the system.
5. Close the Preferences window.
To set up certificate revocation checking:
1. Open Keychain Access from the Utilities folder.
2. Choose Preferences from the Keychain Access menu.
3. Click Certificates.
4. Select an option from the Online Certificate Status Protocol (OCSP) menu:
Off: OCSP isn't consulted.
Best attempt: OCSP is consulted, but if the responder can't be reached the certificate is still
accepted (a soft fail).
Require if certificate indicates: a failed or missing OCSP response rejects the certificate, but
only for certificates that carry an OCSP responder URL.
5. To require OCSP verification for all certificates, hold down the Option key while choosing
from this menu.
6. Select an option from the Certificate Revocation List (CRL) menu. The options have the same
meanings, with "certificate indicates" referring to a CRL distribution point in the certificate.
7. To require CRL verification for all certificates, hold down the Option key while choosing from
this menu.
8. When both OCSP and CRL are enabled, select which protocol's response has priority, or
whether to require both responses for full validation.
Note: If you select Require both and either server doesn't respond, the system won't be able
to verify the certificate, and you won't be able to use it. Conversely, Best attempt gives no
protection against an attacker who can block your path to the responder.
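How those settings combine, as an added example (not Apple's code): each protocol's result is reduced to a verdict, Best attempt passes a certificate when the responder is unreachable (soft fail) and Require does not (hard fail). The rule for combining OCSP and CRL under a priority setting is an assumption, stated in the block; the behaviour of Require both follows the Note above. The certificates and responder answers are constructed.

```python
"""Revocation-checking outcomes under the OCSP and CRL settings in Keychain Access.

Added example, not Apple's code. It models the menu choices as a policy and
shows why Best attempt is a soft fail and Require is a hard fail. Assumption,
not documented behaviour: when both protocols are enabled with a priority, the
prioritized protocol's answer is used and the other is consulted only if the
first produced no answer at all.
"""
GOOD, REVOKED, UNAVAILABLE = "good", "revoked", "unavailable"      # what a responder returned
OFF, BEST_ATTEMPT, REQUIRE_IF_INDICATED, REQUIRE_ALL = (              # the menu choices
    "off", "best attempt", "require if certificate indicates", "require for all certificates")

def evaluate_one(mode, responder, cert_indicates):
    """Verdict of one protocol: 'good', 'revoked', 'unverifiable', 'unchecked' or None."""
    if mode == OFF or (mode == REQUIRE_IF_INDICATED and not cert_indicates):
        return None                                    # not consulted, nothing required
    if responder in (GOOD, REVOKED):
        return responder
    # responder unreachable: Best attempt lets the certificate through, Require does not
    return "unchecked" if mode == BEST_ATTEMPT else "unverifiable"

def evaluate(cert, settings, ocsp_responder, crl_responder):
    """Overall result: 'trusted', 'revoked' or 'unverifiable'."""
    ocsp = evaluate_one(settings["ocsp"], ocsp_responder, cert["has_ocsp_url"])
    crl = evaluate_one(settings["crl"], crl_responder, cert["has_crl_url"])
    if "revoked" in (ocsp, crl):                       # a revocation answer always wins
        return "revoked"
    if settings["priority"] == "require both":         # the Note: both must actually answer
        return "trusted" if ocsp == "good" and crl == "good" else "unverifiable"
    first, second = (ocsp, crl) if settings["priority"] == "ocsp" else (crl, ocsp)
    for verdict in (first, second):                    # assumption: fall through only on no answer
        if verdict in ("good", "unverifiable"):
            return "trusted" if verdict == "good" else "unverifiable"
    return "trusted"                                   # nothing required a check

# Constructed scenarios (not captured from a real system)
CERT_WITH_URLS = {"has_ocsp_url": True, "has_crl_url": True}
CERT_NO_URLS = {"has_ocsp_url": False, "has_crl_url": False}

def scenarios():
    ocsp_only = lambda mode: {"ocsp": mode, "crl": OFF, "priority": "ocsp"}
    return {
        "best attempt, responder down": evaluate(CERT_WITH_URLS, ocsp_only(BEST_ATTEMPT), UNAVAILABLE, UNAVAILABLE),
        "require all, responder down": evaluate(CERT_WITH_URLS, ocsp_only(REQUIRE_ALL), UNAVAILABLE, UNAVAILABLE),
        "require if indicated, no URL in cert": evaluate(CERT_NO_URLS, ocsp_only(REQUIRE_IF_INDICATED), UNAVAILABLE, UNAVAILABLE),
        "require if indicated, URL in cert, down": evaluate(CERT_WITH_URLS, ocsp_only(REQUIRE_IF_INDICATED), UNAVAILABLE, UNAVAILABLE),
        "require both, CRL server down": evaluate(CERT_WITH_URLS, {"ocsp": REQUIRE_ALL, "crl": REQUIRE_ALL, "priority": "require both"}, GOOD, UNAVAILABLE),
        "revoked by CRL, OCSP has priority": evaluate(CERT_WITH_URLS, {"ocsp": BEST_ATTEMPT, "crl": BEST_ATTEMPT, "priority": "ocsp"}, GOOD, REVOKED),
    }

if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print("%-42s %s" % (label, outcome))
```

The first two scenarios are the ones to keep in mind when choosing a setting: with the responder unreachable, Best attempt trusts the certificate and Require for all certificates rejects it, so the "safe" choice also makes you dependent on the responder being reachable.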
To import items into a keychain with the GUI:
1. Double-click any valid credential such as an X.509 identity file (.p12 file).
Keychain Access automatically opens and asks if you want to add the certificate(s) from the
file to a keychain.
2. Select the keychain where you want to import the itemeither the login keychain for user
credentials or the system keychain for system-wide credentials.
3. Click the desired Trust button.
When importing an X.509 Identity (.p12 file), you must enter the password used when the
wrapped file was created.
You can now view the item(s) in the selected keychain.
To import items into a keychain with Keychain Access:
1. Open Keychain Access from the Utilities folder.
2. Choose Import Items from the File menu.
3. Find the file you want to import.
4. Select the keychain where you want to import the item, either the login keychain for user
credentials or the system keychain for systemwide credentials.
5. Click the desired Trust button.
6. Click Open.
You can now view the item(s) in the selected keychain.
To export items from a keychain:
1. Open Keychain Access from the Utilities folder.
2. Find the item you want to export by selecting the appropriate keychain or category, or
entering words in the search field.
3. Choose Export Items from the Keychain Access File menu.
4. In the Save File dialog, select where to export the item(s).
5. Click Save.
6. If the items you're exporting include a private key (an identity exported as a .p12 file), enter
a password to protect the exported file. Use a strong password: anyone who obtains the file can
try to unlock it offline with no rate limit. Keychain Access then asks for the keychain password to
unlock the keychain and release the private key.
7. Click Allow.
The items are now stored at your selected location.
To export public items from a keychain via drag and drop:
1. Open Keychain Access from the Utilities folder.
2. Find the item you want to export by selecting the appropriate keychain or category, or enter
words in the search field.
3. Select a public item in the keychain, such as an X.509 certificate.
4. To export the item, drag it to a file system location.
5. Release to create the file.
Securing a certificate from another CA
Many environments use a Windows-based certificate authority (CA). The CA can distribute
certificates to client systems, including those running OS X.
The certificates the CA issues need to be in a format that OS X understands. Common certificate
formats include (but aren't limited to):
.cer, .crt, .der: a binary (DER-encoded) certificate
.pem: a Base64-encoded (PEM) certificate
.p12: a PKCS #12 bundle containing a certificate and its private key
Mac computers running OS X can also obtain client certificates via SCEP and in configuration
profile payloads. See http://support.apple.com/kb/HT5357 for more information.
To install a .cer certificate:
1. In Safari, download the certificate from a CA.
2. Click the Downloads button in Safari.
3. Double-click the certificate. Keychain Access opens.
4. In the Add Certificates pane, choose the keychain where you want to install the certificate. To
make certificates available to all users, choose the System Keychain; otherwise choose a user
keychain such as login.
5. Click OK.
6. If you're installing the certificate into the System keychain, enter the name and password of
an administrator account in the Authenticate dialog.
7. Click Always Trust. Do this only for a CA your organization actually trusts: Always Trust marks
the certificate as trusted for every policy (SSL, S/MIME, code signing, and so on) for everyone
who uses that keychain.
8. Select the keychain where you imported the certificate.
9. Select the certificate and confirm that Keychain Access reports it as valid.
Application restrictions
You can use Profile Manager to restrict OS X applications. For more information about managing
restrictions with Profile Manager, see OS X Technical Training: Management.
Securing System Preferences
System Preferences has many configurable preferences you can use to customize system
security. This section summarizes preferences included with OS X and describes recommended
modifications to improve security.
System Preferences overview
To view system preferences, choose System Preferences from the Apple menu. When you
modify settings for one account, make sure the settings are mirrored on all other accounts, unless
theres an explicit need for different settings.
Some critical preferences require that you authenticate before you modify their settings. To
authenticate, click the lock (see the images below) and enter an administrators name and
password (or use a digital token, smart card, or biometric reader).
If you log in as a user with administrator privileges, these preferences are unlocked unless you
select Require an administrator password to access locked preferences (under Advanced in
Security & Privacy preferences).
If you log in as a standard user these preferences remain locked. After unlocking preferences, you
can lock them again by clicking the lock.
System Preferences that require authentication include:
Security & Privacy
Energy Saver
Print & Scan
Network
Sharing
Users & Groups
Parental Controls
Date & Time
Software Update
Time Machine
Startup Disk
Securing Users & Groups preferences
Use Users & Groups preferences to change or reset account passwords, to enable parental
controls, or to modify login options for each account. If youre the administrator, you can reset
other user account passwords by selecting the account and clicking Reset Password.
Note: Password policies arent enforced when you change the password on an administrator
account or when you reset another users password using an administrators account. Therefore,
when you reset passwords as an administrator, you should follow the password policy set by your
organization.
Securing Date & Time preferences
Correct date and time settings are required by authentication protocols like Kerberos, which
rejects tickets when the clocks of the client and the KDC differ by more than the permitted skew
(5 minutes by default). Incorrect date and time settings also undermine certificate validity checks
and make log entries hard to correlate.
You can use Date & Time preferences to set the date and time from a Network Time Protocol
(NTP) server.
If you require automatic date and time, use a trusted internal NTP server. Plain NTP isn't
authenticated, so anyone who can answer the computer's time queries can shift its clock.
To securely configure Date & Time preferences:
1. Open Date & Time preferences.
2. In the Date & Time pane, select the Set date and time automatically checkbox and choose a
secure and trusted NTP server in the Set date and time automatically pop-up menu.
3. Click Time Zone.
4. Choose a time zone from the Closest City pop-up menu.
Securing Desktop & Screen Saver preferences
You can use Security & Privacy preferences to password protect your screen saver so
unauthorized users cant access your computer while youre away. You can use several other
authentication methods to unlock the screen saver, including digital tokens, smart cards, and
biometric readers.
You should also set a short inactivity interval to decrease the amount of time the unattended
computer is unlocked. For information about requiring authentication for screen savers, see
Securing Security & Privacy preferences.
Securing Energy Saver preferences
You can use the Energy Saver Sleep pane to configure a period of inactivity before a computer,
display, or hard disk enters sleep mode.
If your computer is managed through a directory service, it can't receive management updates
while it's asleep; from the network's point of view it's disconnected and therefore unmanaged. If
you want your computer to stay visible to the network, configure the display and hard disk to
sleep, but not the computer.
You can reactivate the computer (see Securing Security & Privacy preferences ) the same way
you unlock a screen saver, with a password, digital token, smart card, or biometric reader.
You can also make settings depending on your power supply (power adapter, UPS, or battery).
You should configure the computer so it only wakes when you physically access the computer.
Dont set the computer to restart after a power failure.
To securely configure Energy Saver preferences:
1. Open Energy Saver preferences.
2. Set Computer sleep to Never.
3. Select Put hard disks to sleep when possible.
4. Deselect Wake for network access and Restart automatically if the computer freezes (and, on
computers that offer it, Start up automatically after a power failure).
Securing Network preferences
You should disable unused network interfaces listed in Network preferences: an enabled but
unused interface (such as Wi-Fi or Bluetooth) is an extra way onto the computer and can join
networks you don't control. Only hardware that's installed on the computer is listed.
When configuring your computer for network access, use a static IP address when possible. Use
DHCP only if necessary: a DHCP client accepts the router and DNS server addresses of whichever
server answers first, so a rogue DHCP server on the same segment can redirect your traffic.
Some organizations use IPv6, the successor to the IPv4 addressing that most networks still use.
The primary change is that IPv6 increases the address size from 32 bits to 128 bits, which allows
far more addresses and nodes. IPv6 also provides more ways to set up an address and simplifies
autoconfiguration.
By default IPv6 is configured automatically, and the default settings are sufficient for most
computers that use IPv6. You can also configure IPv6 manually. If your organization's network
can't use or doesn't require IPv6, turn it off so the computer doesn't accept router
advertisements from a network you haven't vetted. In OS X 10.8 the Configure IPv6 pop-up
menu doesn't offer an Off option; from Terminal, use sudo networksetup -setv6off followed by
the service name (for example, "Wi-Fi").
To securely configure Network preferences:
1. Open Network preferences.
2. From the list of hardware devices, select one you dont use.
3. Click the Action pop-up menu below the list of hardware devices and choose Make Service
Inactive.
4. Repeat steps 2 and 3 to deactivate all the devices you dont use.
5. From the list of hardware devices, select the hardware device you use to connect to your
network (for example, Wi-Fi or Ethernet).
6. From the Configure IPv4 pop-up menu, choose Manually.
7. Enter your static IP address, Subnet Mask, Router, DNS Server, and Search Domain
configuration settings.
8. Click Apply.
Securing Parental Controls preferences
You can set parental controls to customize access for each account individually. You cant enable
parental controls for an administrator account that is currently logged in to the computer.
To secure Parental Controls preferences:
1. Open Parental Controls preferences.
2. Select the account you want to activate parental controls for.
If the account you want to manage isnt listed, open Users & Groups preferences and click
the lock to authenticate, if its locked. From the accounts list, select the account you want to
manage. Then select the Enable Parental Control checkbox and click Open Parental Controls.
3. In the Apps pane, select Limit Applications to restrict application access to specific
applications.
4. In the Allowed Apps list, select the applications that the user can access.
5. Click the Other tab and limit tasks you dont want the user to perform, such as changing
printer settings, burning CDs and DVDs, or changing the password.
6. Select the Web pane.
7. In the Web pane, limit website access to specific sites by selecting Allow access to only these
websites.
8. Click the Add (+) button, select Add bookmark from the pop-up menu, and enter the
website name and address.
Securing Security & Privacy preferences
Security & Privacy preferences cover a range of OS X security features, including login options,
FileVault, firewall, and privacy protection.
General tab
Consider the following security related settings in the General tab:
Require password: Require a password to wake this computer from sleep or the screen saver. This
helps prevent unauthorized access to unattended computers. This setting is per-user and doesn't
require unlocking the lock in Security & Privacy preferences, so standard users can set it
themselves; enable it for every user account on the computer.
Disable automatic loginDisabling automatic login is necessary for any level of security. If you
enable automatic login, an intruder can log in without authenticating.
Password-protect System Preferences (Advanced): Some system preferences are unlocked
when you log in with an administrator account. Requiring a password, digital token, smart card,
or biometric reader to unlock them adds a second authentication step. This helps prevent
accidental modification of system preferences and stops anyone who finds an administrator's
session unattended from changing them.
Automatic logout (Advanced): Although you might want to enable automatic logout based on
inactivity, there are reasons to disable this feature. First, it can disrupt your workflow. Second, it
can close applications or processes without your approval (a password-protected screen saver
doesn't close applications). Third, because automatic logout can be interrupted, it provides a false
sense of security: an application can prevent the logout from completing. For example, if you're
editing a file in a text editor, the editor might ask whether you want to save the file before you
log out, and the session stays open until someone answers.
Infrared receiver (Advanced)If you arent using a remote control, disable the infrared receiver.
This prevents unauthorized users from controlling your computer through the infrared receiver. If
you use an Apple IR Remote Control, pair it to your computer by clicking Pair. When you pair it,
no other IR remote can control your computer.
FileVault tab
OS X includes FileVault 2, which encrypts the computer's entire boot volume (legacy FileVault
encrypted only home folders). FileVault 2 uses XTS-AES-128 encryption with a 256-bit volume
encryption key.
A recovery key is generated automatically when you set up FileVault for the first time. You need
the recovery key or the password of a user who has been enabled for FileVault to unlock a
FileVault 2 volume.
Important: Store your password and recovery key in a safe place and dont share it with others. If
you forget or lose both your password and your recovery key, the data on a FileVault 2 encrypted
volume cant be accessed.
FileVault 2 and recovery keys are covered in more detail in Chapter 3, Data Security.
Firewall tab
When you turn on the firewall in the Firewall pane, signed software is automatically allowed to
receive incoming connections. You can click Firewall Options to specify which applications and
services are blocked or allowed.
Note: You should block all incoming connections and allow only the basic services the computer
genuinely needs to offer.
You can enable stealth mode so the computer doesn't respond to probes such as ICMP ping or
acknowledge attempts to connect to closed ports. The application firewall filters incoming
connections only; it doesn't control outgoing traffic.
Privacy tab
Location Services: If you disable location services, information about the location of your
computer wont be provided to applications.
To securely configure Security & Privacy preferences:
1. Open Security & Privacy preferences.
2. In the General pane, select the following:
Require password __ after sleep or screen saver begins
Disable automatic login
3. Click the Advanced button and make the following changes:
Deselect the Log out after __ minutes of inactivity checkbox.
Select Require administrator password to access locked preferences
Select the Disable remote control infrared receiver checkbox.
4. In the Firewall pane, click Turn On Firewall.
5. Click Firewall Options and select Block all incoming connections and Enable stealth mode.
6. If the computer must offer specific services, deselect Block all incoming connections (it
overrides the application list), add only those applications and services to the list, and set them
to allow incoming connections; leave everything else blocked.
7. In the Privacy pane, deselect the Enable Location Services checkbox.
8. In the FileVault pane, click Turn On FileVault.
9. Record your recovery key in a safe location and click Continue.
10. Select Do not store the recovery key with Apple and click Continue.
11. Click Restart to start the encryption process.
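An added example (not Apple's code) that turns the preceding procedures for Security & Privacy, Energy Saver and Date & Time into something you can verify from Terminal: it lists the OS X 10.8 commands that report each setting, parses their output, and reports which recommendations a computer fails. The two output sets are constructed to match those tools' formats rather than captured from a Mac, and the trusted time server name ntp.corp.example.com is an assumption. The pmset keys checked are sleep (computer sleep), womp (Wake for network access) and autorestart (start up after a power failure); the Restart automatically if the computer freezes setting isn't covered.

```python
"""Audit the Security & Privacy, Energy Saver and Date & Time settings this
section recommends, from the text the OS X 10.8 command-line tools print.

Added example, not Apple's code. The command names are real; the two sets of
output below are constructed to match those tools' formats (not captured from
a machine), so the checks can be exercised anywhere. TRUSTED_NTP is assumed.
"""
import subprocess

FIREWALL = "/usr/libexec/ApplicationFirewall/socketfilterfw"
TRUSTED_NTP = {"ntp.corp.example.com"}           # assumed internal time server

COMMANDS = {                                     # run on the Mac being audited (some need root)
    "screensaver_password": ["defaults", "read", "com.apple.screensaver", "askForPassword"],
    "autologin_disabled": ["defaults", "read", "/Library/Preferences/com.apple.loginwindow", "autoLoginUser"],
    "energy_saver": ["pmset", "-g"],
    "firewall_on": [FIREWALL, "--getglobalstate"],
    "firewall_block_all": [FIREWALL, "--getblockall"],
    "firewall_stealth": [FIREWALL, "--getstealthmode"],
    "filevault_on": ["fdesetup", "status"],
    "trusted_ntp": ["systemsetup", "-getnetworktimeserver"],
}

def pmset_ok(out):
    """pmset -g prints ' sleep   10' style lines; 0 means Never / off.
    sleep 0 = computer never sleeps, womp 0 = no Wake for network access,
    autorestart 0 = no automatic start after a power failure."""
    kv = dict(ln.split() for ln in out.splitlines() if len(ln.split()) == 2)
    return kv.get("sleep") == "0" and kv.get("womp") == "0" and kv.get("autorestart") == "0"

def enabled(out):
    """True for 'Stealth mode enabled' / 'Block all ENABLED!', False for '... disabled'."""
    return "enabled" in out.lower()

CHECKS = {
    "screensaver_password": lambda out: out.strip() == "1",
    "autologin_disabled": lambda out: out.strip() == "",   # key absent: no auto-login user
    "energy_saver": pmset_ok,
    "firewall_on": lambda out: "(State = 1)" in out,
    "firewall_block_all": enabled,
    "firewall_stealth": enabled,
    "filevault_on": lambda out: "filevault is on" in out.lower(),
    "trusted_ntp": lambda out: out.split(":", 1)[-1].strip() in TRUSTED_NTP,
}

def audit(outputs):
    """outputs: check name -> captured stdout. Returns check name -> passed?"""
    return {name: bool(fn(outputs.get(name, ""))) for name, fn in CHECKS.items()}

def failing(outputs):
    return sorted(name for name, ok in audit(outputs).items() if not ok)

def collect():
    """Gather real output on a Mac; stdout only, so a missing defaults key reads as ''."""
    return {name: subprocess.run(cmd, capture_output=True, text=True).stdout
            for name, cmd in COMMANDS.items()}

FACTORY_MAC = {                                  # constructed: a Mac with default settings
    "screensaver_password": "0\n",
    "autologin_disabled": "admin\n",
    "energy_saver": "Active Profiles:\nAC Power\t\t-1*\nCurrently in use:\n womp                 1\n"
                    " autorestart          0\n disksleep            10\n sleep                10\n",
    "firewall_on": "Firewall is disabled. (State = 0)\n",
    "firewall_block_all": "Block all DISABLED!\n",
    "firewall_stealth": "Stealth mode disabled\n",
    "filevault_on": "FileVault is Off.\n",
    "trusted_ntp": "Network Time Server: time.apple.com\n",
}
HARDENED_MAC = {                                 # constructed: after the steps in this section
    "screensaver_password": "1\n",
    "autologin_disabled": "",
    "energy_saver": "Active Profiles:\nAC Power\t\t-1*\nCurrently in use:\n womp                 0\n"
                    " autorestart          0\n disksleep            10\n sleep                0\n",
    "firewall_on": "Firewall is enabled. (State = 1)\n",
    "firewall_block_all": "Block all ENABLED!\n",
    "firewall_stealth": "Stealth mode enabled\n",
    "filevault_on": "FileVault is On.\n",
    "trusted_ntp": "Network Time Server: ntp.corp.example.com\n",
}

if __name__ == "__main__":
    for name, ok in audit(collect()).items():
        print(("PASS" if ok else "FAIL"), name)
```

On a real Mac run it as root: collect() executes each command and audit() scores the captured text. The defaults read of autoLoginUser is expected to fail with nothing on stdout when automatic login is off, which the check treats as a pass; the screen saver check reads the preference of the user running the script, so run it once per account, as the General tab section says.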
Securing Sharing preferences
By default, every service listed in Sharing preferences is disabled. Dont enable these services
unless you use them. The following services are described in detail in Securing Sharing
preferences in Chapter 4, Network Security.
Service: Description
DVD or CD Sharing: Allows users of other computers to use the DVD or CD drive on your computer remotely.
Screen Sharing: Allows users of other computers to remotely view and control your computer.
File Sharing: Allows other users to access the Public folder on your computer and allows administrators to access all volumes.
Printer Sharing: Allows other users on the network to use printers connected to your computer.
Scanner Sharing: Allows other users to use a scanner connected to your computer.
Remote Login: Allows users of other computers to access your computer using SSH.
Remote Management: Allows other users to access your computer using Apple Remote Desktop.
Remote Apple Events: Allows applications on other OS X computers to send Apple events to your computer.
Internet Sharing: Allows other users to connect with computers on your local network through your Internet connection.
Bluetooth Sharing: Allows other Bluetooth-enabled computers and devices to share files with your computer.
By default, your computer's name is typically firstname lastname's computer, where firstname
and lastname are the first and last name of the administrator who set up the computer and
computer is the model name (MacBook Pro, iMac, and so on) or simply Computer. You can change
the name in the Computer Name field of Sharing preferences.
When other users browse for services with Bonjour, your computer appears under its local
hostname, which is derived from the computer name (for example, John-Smiths-MacBook-Pro.local).
To increase privacy, change the computer name so you aren't identified as the owner of the computer.
Securing Startup Disk preferences
You can use Startup Disk preferences to make your computer start up from a CD, a network
volume, a different disk or disk partition, or another operating system.
Be careful when selecting a startup volume:
Choosing a network install image reinstalls your operating system and might erase the
contents of your hard disk.
If you choose a Thunderbolt or FireWire volume, your computer starts up from the disk
plugged into the current port for that volume. If you connect a different disk to that port, your
computer starts from the first valid OS X volume available to the computer (if you havent
enabled the firmware password).
When you enable a firmware password, the FireWire volume you select is the only volume that
can start the computer. The computer firmware locks the FireWire Bridge Chip GUID as a
startup volume instead of the hard disks GUID (as is done with internal hard disks). If the disk
inside the FireWire drive enclosure is replaced by a new disk, the computer can start from the
new disk without the firmware password. To avoid this intrusion make sure your hardware is
physically secured. Your computer firmware can also have a list of FireWire volumes that are
approved for system startup.
In addition to choosing a new startup volume from Startup Disk preferences, you can restart in
Target Disk Mode. When your computer is in Target Disk Mode, another computer can connect to
it and read its hard disk directly, gaining access to every file on the computer. The file permissions
that protect files while OS X is running don't apply, because the other computer is reading the disk
blocks itself; only FileVault 2 encryption protects the data in this situation.
To enter Target Disk Mode, hold down the T key during startup. You can disable this startup
keyboard shortcut by setting a firmware (EFI) password. If you set a firmware password, you can
still restart in Target Disk Mode from Startup Disk preferences, which requires an administrator to
authenticate first.
To select a startup disk:
1. Open Startup Disk preferences.
2. Select a volume to use to start up your computer.
3. Click Restart.
A confirmation dialog will appear.
4. Click Restart to confirm your selection and to restart from the selected volume.
3 Data Security
The third layer is data security. Data security refers to built-in features and technologies that help
protect the data stored at rest on the device. This section describes how to encrypt data and
securely erase it.
Encrypting data
Improved cryptography
OS X includes Elliptic Curve Cryptography (ECC) support in most of its encryption technologies.
ECC-based signatures have size and performance advantages: an ECC key is cryptographically
stronger than a DSA or RSA key of the same length, so a much smaller (and therefore faster) ECC
key can be as strong as a very long RSA key. A 256-bit ECC key, for example, is generally rated as
equivalent to a 3072-bit RSA key.
In OS X, ECC is supported in the following areas: TLS/SSL, S/MIME, Apple's Certificate Assistant,
and Apple's certtool command-line tool.
Encrypted storage
With the Disk Utility tool included in OS X you can create encrypted disk images, so you can
safely mail documents, files, and folders to friends and colleagues, save the encrypted disk image
to a CD or DVD, or store it on the local system or a network file server. Legacy FileVault also uses
this same encrypted disk image technology to protect user home folders.
Enhanced encrypted disk image cryptography
A disk image is a file that appears as a volume on your hard disk. It can be copied, moved, or
opened. When the disk image is encrypted, files or folders placed in it are encrypted using 128-bit
or even stronger 256-bit AES encryption.
To see the contents of the disk image, including metadata such as file name, date, size, or other
properties, a user must enter the password or have an entry in their keychain that contains the
correct password.
The file is decrypted in real time, as its used. For example, if you open a QuickTime movie from an
encrypted disk image, OS X decrypts only the portion of the movie currently playing.
Encrypting portable files
If you want to protect files you're transferring over a network or saving to removable media,
encrypt a disk image or encrypt the files and folders. FileVault protects data at rest on the boot
volume only; files transmitted over the network or saved to removable media leave the computer
as plaintext.
Using a server-based encrypted disk image has the added benefit that the image is decrypted on
your computer, not on the server, so the blocks that travel between the computer and the server
hosting the mounted image are ciphertext even if the file-sharing protocol itself isn't encrypted.
Creating an encrypted disk image
To encrypt and securely store data, you can create a read/write image or a sparse image:
A read/write image uses the space that was defined when the image was created. For
example, if the maximum size of a read/write image is set to 10 GB, the image uses 10 GB of
space even if it contains only 2 GB of data.
A sparse image consumes only the amount of space the data needs. For example, if the
maximum size of a sparse image is 10 GB and the data is only 2 GB, the image consumes only
2 GB of space.
If an unauthorized administrator could access your computer, you should create an encrypted
blank disk image instead of creating an encrypted disk image from existing data.
Creating an encrypted image from existing data copies the data from an unprotected area to the
encrypted image. If the data is sensitive, create the image before creating the documents. This
creates the working copies, backups, or caches of files in encrypted storage from the start.
Note: To prevent errors when a file system inside a sparse image has more free space than the
volume holding the sparse image, hierarchical file system (HFS) volumes inside sparse images
report an amount of free space slightly less than the amount of free space on the volume the
image resides on.
To create an encrypted disk image:
1. Open Disk Utility.
2. Choose File > New > Blank Disk Image.
3. Enter a name for the image in the Save As field, and choose where to store it.
4. In the Name field, enter the name you want to appear when the image is mounted.
5. Choose the size of the image from the Size pop-up menu.
Make sure the size of the image is large enough for your needs. You can't increase the size of
an image after creating it.
6. Choose a format from the Format pop-up menu.
7. Choose an encryption method from the Encryption pop-up menu. 128-bit AES and 256-bit
AES are strong encryption formats.
8. Choose a partition type from the Partitions pop-up menu. The default is Single partition -
Apple Partition Map.
9. Choose a format from the Image Format pop-up menu.
10. Click Create. Enter a password and verify it.
If you want to access Password Assistant, just click the key icon next to the Password field.
For more information, see "Using Password Assistant to generate or analyze passwords" in
Chapter 2, "Platform Security."
11. Deselect Remember password (add to Keychain) and click OK.
Creating an encrypted disk image from existing data
If you need to maintain data confidentiality when transferring files from your computer but you
don't need to encrypt files on your computer, then you can create a disk image from existing
data. Examples include plain-text file transfers across a network, such as mail attachments or FTP,
or copying to removable media, such as a CD or floppy disk.
If you plan to add files to this image instead of creating an image from existing data, then you
can create an encrypted disk image and add your existing data to it.
To create an encrypted disk image from existing data:
1. Open Disk Utility.
2. Choose File > New > Disk Image from Folder.
3. Select a folder and click Image.
4. Enter a name for the image in the Save As field, and choose where to store it.
5. Choose a format from the Image Format pop-up menu.
The compressed disk image format can help you save hard disk space by reducing your disk
image size.
6. Choose an encryption method from the Encryption pop-up menu. 128-bit AES or 256-bit AES
provide strong encryption.
7. Click Save.
8. Enter a password and verify it.
If you want to access Password Assistant, just click the key icon next to the Password field.
For more information, see "Using Password Assistant to generate or analyze passwords" in
Chapter 2, "Platform Security."
9. Deselect Remember password (add to Keychain) and click OK.
Creating encrypted PDFs
You can quickly create password-protected, read-only PDF documents of confidential or personal
data. However, using an encrypted disk image is more secure than using an encrypted PDF.
Some applications don't support printing to PDF. In this case, create an encrypted disk image. For
information, see "Creating an encrypted disk image from existing data" above.
To create an encrypted PDF, read-only document:
1. Open the document.
2. Choose File > Print.
Some applications don't allow printing from the File menu. These applications might allow
printing from other menus.
3. Click PDF and choose Save as PDF.
4. Click Security Options and select one or more of the following options:
• Require password to open document
• Require password to copy text, images, and other content
• Require password to print document
When you require a password for the PDF, the PDF becomes encrypted.
5. Enter a password, verify it, and click OK.
6. Enter a name for the document, choose a location, and click Save.
7. Test the encryption by opening the PDF.
Encrypting Time Machine backups
Time Machine backups saved on local volumes can be encrypted with a password.
Note: If Time Machine detects that Legacy FileVault (container-based) is still in use by one or
more users on the computer, Time Machine setup will notify the user and the backup will only
occur when the user is logged out.
When a drive is initially inserted, you're prompted to use it as a Time Machine target. You can
choose to encrypt the Time Machine target.
If you don't configure the drive as an encrypted Time Machine backup volume when it's initially
inserted, you can use the Time Machine pane in System Preferences to configure it.
To configure the volume as an encrypted Time Machine target:
1. Open System Preferences.
2. Click Time Machine.
3. Click Options.
4. Click the Add icon (+).
5. Select any files or folders you want to exclude from the backup.
6. Click Exclude.
7. Click Save.
8. Back in the main window, click Select Disk.
9. Select the drive you want to use.
10. Select the Encrypt backups checkbox.
11. Click Use Disk.
If the disk is used to back up an account with Legacy FileVault enabled, you'll receive an error
indicating that Legacy FileVault data can only be backed up while the user is logged out.
12. Enter a backup password in the Backup password field. Time Machine uses this password to
encrypt the backup disk you selected. For help creating a strong password, click the key icon
next to the Backup Password field.
13. Reenter the password in the Verify password field.
14. Click Encrypt Disk to begin encryption and backup.
Backups will now be encrypted and all files stored inside the encrypted Time Machine
location will be protected. You'll need to reenter the same Backup Password when you want
to recover a system from this encrypted Time Machine backup.
FileVault 2 full volume encryption
FileVault 2 offers full volume encryption for data-at-rest (DAR) protection and is built into OS X.
FileVault 2 keeps all files on a Mac secure, even if the computer is lost or stolen, using XTS-
AES-128 (with 256-bit keys) data encryption at the volume level.
FileVault 2 is recommended for any Mac that stores sensitive information, including portable
computers that could be lost and whose critical data could be exploited. With FileVault 2 turned
on, all information on the computer is kept safe.
This section explains how to enable FileVault 2 full volume encryption for the current system disk.
To enable FileVault 2:
1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.
3. Click the lock and authenticate with an administrator account.
4. Click FileVault.
Note: A Legacy FileVault button appears if FileVault was enabled before upgrading to OS X.
For more details, see Migrating from FileVault to FileVault 2 in this chapter.
5. Click Turn On FileVault.
6. Click Enable User for each authorized user who will need to unlock the protected disk at
system boot.
7. When prompted, have the user enter their login password.
A checkmark appears next to the name of users who have passwords provided, the Enable
User button appears next to users who still require passwords, and the Set Password button
appears next to users who don't have any password set.
Note: Users not explicitly set up here may still be able to log in after the system disk has
been unlocked by an authorized user.
8. Click Continue when you have finished setting up the users you want to unlock this device.
9. Record the recovery key somewhere secure and click Continue.
10. Choose whether to have Apple store and protect the recovery key. To store the recovery key
with Apple:
a. Select Store the recovery key with Apple to store the protected key with Apple.
b. Select three security questions you can easily answer.
c. Enter your responses below each question. You'll need to enter the same responses if
you need to retrieve the recovery key.
The recovery key is wrapped by a key generated from your security questions and
answers.
11. To choose not to store the recovery key with Apple:
a. Select Do not store the recovery key with Apple.
b. Click Continue.
12. Click Restart to restart the Mac and start the encryption process.
To verify FileVault 2 full disk encryption status:
1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.
3. Click FileVault.
4. Note FileVault status:
• "FileVault is turned on for the disk <disk name>." This indicates full volume encryption has
been enabled for the disk.
• "FileVault is turned off for the disk <disk name>." This indicates full volume encryption has
not been enabled for the disk.
• "A recovery key has been set." This indicates that a 24-character recovery string has been
given to the user.
This is in contrast to environments where a FileVault Master Identity has been configured. In
this case the status reads: "A recovery key has been set by your company, school, or
institution."
• "Encryption Finished." This indicates that the drive has completed the conversion process and
is now fully encrypted.
To disable FileVault 2 full volume encryption:
1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.
3. Click FileVault.
4. Click the Turn Off FileVault button.
5. Click Turn Off Encryption to confirm you want to turn off FileVault.
To set a Master Password (create a FileVault Master Recovery Key pair):
1. Open System Preferences from the Apple menu.
2. Click Users & Groups.
3. Click the lock icon to make changes, and enter administrator credentials.
4. Click the Action pop-up menu and choose Change Master Password.
5. Enter the current master password.
6. Enter a Master Password in the New Master Password field and again in the Verify field. You
can also type a hint to help you remember the Master Password. You'll need the Master
Password to unlock access to the FileVault Master Recovery Key during account recovery.
7. Click OK to set the Master Password and create a FileVault Master Key pair.
Migrating from FileVault to FileVault 2
You can encrypt an entire volume with OS X and FileVault 2, protecting all system and user data.
If you've been using FileVault (a container-based encrypted home directory solution) and have
upgraded to OS X Mountain Lion, consider disabling the older container-based FileVault (Legacy
FileVault). When you open System Preferences and click Security & Privacy, OS X automatically
detects whether you're using Legacy FileVault and offers to disable it.
FileVault 2 Master Passwords
Secure management of private key escrow for access to the FileVault Master Identity is crucial.
The Master Password alone does not give any ability to decrypt a volume; it is simply the
password used to access the FileVaultMaster keychain in which the private key resides, if created
with the System Preferences GUI tool.
For more information about deploying FileVault 2 and master passwords, see "Best Practices for
Deploying FileVault 2."
Securely erasing data
When you erase a file, you remove information that the file system uses to find the file. The file's
location on the disk is marked as free space. If other files have not written over the free space, it's
possible to retrieve the file and its contents.
OS X provides the following ways to securely erase files:
• Zero-out erase
• 7-pass erase
• 35-pass erase
A zero-out erase sets all data bits on the disk to 0, whereas a 7-pass erase and a 35-pass erase use
algorithms to overwrite the disk. A 7-pass erase follows the Department of Defense standard for
the sanitization of magnetic media. A 35-pass erase uses the extremely advanced Gutmann
algorithm to help eliminate the possibility of data recovery.
The zero-out erase is the quickest. The 35-pass erase is the most secure, but it's also 35 times
slower than the zero-out erase.
Each time you use a 7-pass or 35-pass secure erase, the following seven-step algorithm is used to
prevent the data from ever being recovered:
Step 1: Overwrite file with a single character
Step 2: Overwrite file with zeroes
Step 3: Overwrite file with a single character
Step 4: Overwrite file with random characters
Step 5: Overwrite file with zeroes
Step 6: Overwrite file with a single character
Step 7: Overwrite file with random characters
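The seven-pass sequence above, carried out over a single file in Python, as an added example that is not part of this training document or of Apple's implementation. The byte used for "a single character" (0xFF), the 64 KB write chunking, and the in-place overwrite followed by unlinking are assumptions of this example.

```python
import os
import secrets
import tempfile
from typing import Callable, Dict, List, Tuple

CHUNK = 64 * 1024  # bytes written per write() call

Fill = Callable[[int], bytes]


def single_char(n: int) -> bytes:
    # The document says "a single character" without naming it;
    # 0xFF is this example's assumption.
    return b"\xff" * n


def zeroes(n: int) -> bytes:
    return b"\x00" * n


def random_bytes(n: int) -> bytes:
    return secrets.token_bytes(n)


# The seven passes, in the order the training document lists them.
SEVEN_PASS: List[Tuple[str, Fill]] = [
    ("single character", single_char),
    ("zeroes", zeroes),
    ("single character", single_char),
    ("random characters", random_bytes),
    ("zeroes", zeroes),
    ("single character", single_char),
    ("random characters", random_bytes),
]


def overwrite_pass(fh, size: int, fill: Fill) -> int:
    """Overwrite the first `size` bytes of an open r+b file with `fill`.

    The pass is flushed and fsync'd so the data reaches the device before
    the next pass starts. Returns the number of bytes written.
    """
    fh.seek(0)
    written = 0
    while written < size:
        n = min(CHUNK, size - written)
        fh.write(fill(n))
        written += n
    fh.flush()
    os.fsync(fh.fileno())
    return written


def secure_erase_file(path: str, passes: List[Tuple[str, Fill]] = SEVEN_PASS) -> List[str]:
    """Apply every pass in `passes` to the file in place, then unlink it.

    An in-place overwrite only helps when the file system writes the new
    data back to the same blocks the file occupied; that is the assumption
    behind this example. Returns the labels of the passes applied, in order.
    """
    size = os.path.getsize(path)
    applied: List[str] = []
    with open(path, "r+b") as fh:
        for label, fill in passes:
            overwrite_pass(fh, size, fill)
            applied.append(label)
    os.remove(path)
    return applied


def demo() -> Dict[str, object]:
    """Run the seven-pass erase on a constructed file and report the outcome."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    original = b"constructed sensitive content " * 5000  # ~150 KB, spans several chunks
    with open(path, "wb") as fh:
        fh.write(original)
    # Check one pass in isolation: after a zero pass the file must be all
    # zeroes and still exactly the original size.
    with open(path, "r+b") as fh:
        overwrite_pass(fh, len(original), zeroes)
    with open(path, "rb") as fh:
        after_zero = fh.read()
    zero_ok = after_zero == b"\x00" * len(original)
    # Now run the full seven-pass sequence and confirm the file is gone.
    applied = secure_erase_file(path)
    return {
        "passes": applied,
        "zero_pass_ok": zero_ok,
        "removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```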
Configuring the Finder to always securely erase
In OS X you can configure the Finder to always securely erase items placed in the Trash. Emptying
Trash securely takes longer, but it prevents data in the Trash from being restored.
To configure the Finder to always perform a secure erase:
1. In the Finder, choose Finder > Preferences.
2. Click Advanced.
3. Select Empty Trash securely.
Using Disk Utility to securely erase a disk or partition
You can use Disk Utility to securely erase a partition, using a zero-out erase, a 3-pass erase, or a 7-
pass erase.
Note: If you have a partition with OS X installed and you want to securely erase an unmounted
partition, you don't need to use your installer. You can use Disk Utility (located in /Applications/
Utilities/).
WARNING: Securely erasing a partition is irreversible. Before erasing the partition, back up critical
files you want to keep.
To securely erase a partition using Disk Utility:
1. Restart the computer while holding down the Option key.
2. Select the restore partition.
3. Skip the language selection step.
4. Choose Utilities > Disk Utility.
5. Select the partition you want to securely erase.
6. Select a partition, not a drive.
Partitions are contained in drives and are indented one level in the list on the left.
7. Click Erase, choose Mac OS Extended (Journaled), and then click Security Options.
8. Choose an erase option and click OK.
9. Click Erase.
Securely erasing a partition can take time, depending on the size of the partition and the
method you choose.
Wiping a Mac computer with the User Portal
In the User Portal you can perform basic security tasks for Mac computers you enrolled using
Profile Manager. A remote wipe is the most intrusive action because it erases all data on the
computer.
Important: Before setting up remote wipe on a system with OS X installed, make sure it's using
FileVault 2 to fully encrypt the hard drive.
To wipe a Mac computer remotely with the User Portal:
1. Open a web browser and navigate to https://yourserver/profilemanager (where yourserver is
the name or IP address of your server running the Profile Manager service).
2. Authenticate as the user who enrolled the computer.
3. The Devices tab shows enrolled Mac computers. If a passcode field appears, the Mac has
already been locked, which is a common preliminary measure in wiping devices. Enter the
passcode and click the Wipe button for the appropriate computer and confirm the action.
4. The Mac will be wiped, and all data erased.
5. Go to the Completed Tasks section of Profile Manager to make sure the Mac has been wiped.
Wiping a Mac with Profile Manager
Administrators can use Profile Manager to perform security tasks on remote Mac computers.
To remotely wipe a Mac with Profile Manager:
1. Open Server from /Applications.
2. Select Profile Manager from the Services list.
3. Click Open Profile Manager.
4. Authenticate with administrator credentials.
5. Choose Devices or Device Groups from the Library list.
6. Choose the device or device group you want to wipe.
7. In the Action pop-up menu in the device or device group pane, choose Wipe.
8. The Mac is wiped and all data erased.
9. Go to the Completed Tasks section of Profile Manager to make sure the Mac has been wiped.
4 Network Security
The fourth layer is network security. Network security refers to built-in features and technologies
that help protect data that's transmitted between devices. This section describes how to secure
network access, make secure connections, and exchange data securely.
Securing Sharing preferences
Securely configuring network services is an important step in protecting your computer from
network attacks.
Organizations depend on network services to communicate with other computers on private
networks and wide area networks. Improperly configured network services can provide an
avenue for attacks.
You can configure your computer to share files, folders, and other services with other computers
on your network. You can even share your website hosted by your computer.
When sharing these services, make sure your computer has the most current Apple updates and
turn off services you're not using. Also, make sure you set permissions for each service to prevent
access by unauthorized users.
By default, most of the sharing services discussed in this section are turned off and should be off
when not in use. This prevents unauthorized users from accessing your computer.
DVD or CD sharing
You can enable DVD or CD sharing on a Mac or Windows computer, to use the Remote Disc
feature of MacBook Air, or to share read-only data stored on your DVD or CD. While you share
your optical disc drive, a user of another computer can view and access data stored on the DVD
or CD in your optical disc drive.
Data transmitted between computers isn't encrypted or secure, so only use this service in a
secure environment. To prevent unauthorized users from accessing your shared optical disc
drive, select the "Ask me before allowing others to use my DVD drive" checkbox to require users
to request permission before they can access a DVD or CD in your Mac or Windows-based optical
disc drive.
Screen sharing (VNC)
Screen sharing is based on virtual network computing (VNC). You can set up your computer
using VNC so that others can share your screen. While you share your screen, a user of another
computer can see what's on your screen and can open, move, and close files and windows, open
applications, and even restart your computer.
Screen sharing allows anyone with permission to control your computer. Data transmitted
between computers isn't encrypted or secure, so only use this service in a secure environment.
Restricting screen sharing access to specific users
The default setting for screen sharing is to only allow users in the Administrators group. You can
change this to allow access to individual users. If you create a sharing user account, use
Password Assistant to create a strong password.
You can also select "VNC viewers may control screen with password." The VNC password is
different from the user name and password required to access the computer. Use Password
Assistant to create a strong password.
File sharing (AFP and SMB)
You can set up your computer to share files and folders with other users on your network using
Apple Filing Protocol (AFP) and/or Server Message Block (SMB). You can give users permission to
read, write, and modify files and folders in the shared folder on your computer.
When you share files and folders on your computer, you permit users to access the files on your
computer. Permitting access requires you to set who has access to your files, the permissions they
have, and the protocol used to access these shared files.
To securely set up file sharing, you must configure permissions for your users. If you don't, you
create an access point for a malicious user to access your files and folders.
When using AFP, user names and passwords are encrypted when the user authenticates to your
computer to access files. When using SMB, passwords are also encrypted when attempting to
authenticate. However, SMB passwords arent securely stored on your computer.
Configuring file sharing access to specific folders and users
The default setting for file sharing is to only allow a standard user access to the home folder.
Administrative users have access to the home folder and the root level of any connected
volumes, including the boot volume. Click the Add (+) sign under Shared Folders to share other
folders.
You can also restrict each user's permissions for each file you're sharing by using the
triangles next to the user name (No Access, Read & Write, Read Only, or Write Only (Drop Box)). If
you create a sharing user account, create a strong password using Password Assistant.
To share files with Windows users, you must use SMB. When you create the password for
Windows users, create a strong password using Password Assistant. The password you enter is
stored in a less secure hash form on the computer. If an attacker manages to get access to
the volume as root and gains access to the file containing the hashed passwords, a brute-force
attack can more easily crack the password stored for a user with SMB file sharing enabled. As a result,
you should disable per-user SMB sharing when not needed.
Remote Login (SSH)
Remote Login allows users to connect to your computer through secure shell (SSH). By enabling
Remote Login, you activate more secure versions of commonly used nonsecure tools.
Restricting Remote Login access to specific users
You can securely configure Remote Login by restricting access to specific users. The default
setting "All users" includes all users on your local computer and all users in the directory server
you're connected to, so you should change it to "Only these users."
Remote management
You can use Apple Remote Desktop (ARD) to perform remote management tasks such as screen
sharing. An ARD manager with full privileges can run remote management tasks as the root user.
Limiting an ARD managers privileges increases security. When you set privileges, you can also
disable or limit an administrators access to an ARD client.
You can set a VNC password that authorized users need to access your computer. The most
secure way is to require authorized users to request permission to access your computer screen.
Restricting remote management access to specific users
To use ARD to share your screen, you must securely turn on remote management in Sharing
preferences.
The default setting for remote management should be changed from "All users" to "Only these
users." The default setting "All users" includes all users on your local computer and all users in the
directory server you're connected to.
Any account using ARD should have limited privileges to prevent remote users from having full
control of your computer. You can securely configure ARD by restricting access to specific users.
You can also restrict each user's privileges by setting ARD options. For example, don't give a
standard user the ability to change settings or delete items.
For more information, see the Apple Remote Desktop Administrator's Guide.
Remote Apple Events (RAE)
If you enable Remote Apple Events (RAE), you allow your computer to respond to events sent by
other computers on your network. These events include AppleScript programs. A malicious
AppleScript program can do things like delete the Documents folder in a user's home folder.
Restricting Remote Apple Events access to specific users
If you enable RAE, do so on a trusted private network and disable it immediately after
disconnecting from the network. The default setting for RAE should be changed from "All users"
to "Only these users." The default setting "All users" includes all users on your local computer and
all users in the directory server you're connected to.
When securely configuring RAE, restrict remote events to only be accepted from specific users so
unauthorized users can't send malicious events to your computer. If you create a sharing user
account, use Password Assistant to create a strong password.
Internet sharing
Although Internet sharing is a convenient way to share Internet access, enabling it is a security
risk. Internet sharing also violates many organizational security policies because it exposes the
organizations network.
Internet sharing in Sharing preferences is preconfigured. Enabling Internet sharing activates
DHCP, NAT, and Firewall services, which are unconfigurable.
Restricting Internet sharing access to specific users
If you need to share your Internet connection using Wi-Fi, use the Wi-Fi options to secure Wi-Fi
and prevent access to your computer from unauthorized users.
When configuring Wi-Fi options to secure Internet sharing, choose a channel from the channel
pop-up menu and enable encryption using WPA2.
Use Password Assistant to create a strong password for the connection. When you finish sharing
your Internet connection, turn the service off.
Bluetooth sharing
If you have a Bluetooth module installed in your computer or you're using an external USB
Bluetooth module, you can set up your computer to use Bluetooth to share files with other
Bluetooth-enabled computers or devices.
You can choose to accept or refuse files sent to your computer and choose which folder other
devices can browse.
Restricting Bluetooth Sharing access to specified users
If you're in an environment where you would like to share files with another computer or device,
use the Bluetooth sharing options and Bluetooth preferences to securely enable Bluetooth and
avoid unauthorized access to your computer.
Bluetooth should always require pairing and be set to "Ask What to Do" when receiving or sharing
items.
When configuring Bluetooth preferences to secure Bluetooth sharing, use the Discoverable
option only while you're setting up the Bluetooth computer or device. After the device is
configured, disable the Discoverable option to prevent unauthorized users from discovering your
Bluetooth connection.
In the Advanced section of Bluetooth preferences, make sure that "Allow Bluetooth devices to
wake this computer" isn't selected.
Securing Bonjour (mDNS)
Bonjour is a protocol for discovering file, print, chat, music sharing, and other services on IP
networks. Bonjour responds to service inquiries from other computers and provides information
about available services. Users and applications on your local network can use Bonjour to quickly
determine which services are available on your computer, and you can use it to determine which
services are available on theirs. This easy exchange of information makes service discovery very
convenient, but it also incurs a security risk.
Aside from the information exchanged by Bonjour, network services pose a security risk because
of the potential for implementation errors that could allow remote attackers to access your
system. Bonjour mitigates these risks by sandboxing.
When you use Bonjour, you should connect only to secure, trusted local networks. You should
also verify that Network preferences enables only required networking connections. This reduces
the chance of connecting to a nonsecure network.
Before using Bonjour to connect to a service, verify that the service is legitimate and not
spoofed. If you connect to a spoofed service, you might download malicious files.
If you can't trust all services on your local network, don't use Bonjour. You can use Terminal to
modify the mDNSResponder.plist file to disable Bonjour advertising. In Terminal, enter:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
You can also block Bonjour from receiving and accepting Bonjour traffic by creating a firewall
rule using pf. This prevents your computer from receiving potentially malicious Bonjour traffic
from the network.
Important: Some applications can share data such as contact information, photos, and music.
When these applications share data, they use Bonjour to let other network users know what
you're sharing.
If Bonjour is disabled, you must manually configure network printers. Disabling Bonjour can also
disable functionality in other applications that rely on Bonjour. For example, you might
experience issues with sharing calendar and address book entries, and finding Messages buddies.
If disabling Bonjour interferes with other applications that the user needs, remove the
<string>-NoMulticastAdvertisements</string> from the mDNSResponder.plist file.
Then unblock UDP port 5353 on your firewall.
AirDrop
AirDrop is the Apple implementation of the Wi-Fi Direct protocol. AirDrop enables users to find
other nearby users (via Bonjour, Apple's multicast DNS implementation) and share files with
them.
Users need to have AirDrop open to be visible to other users. This prevents unknown users from
hijacking files. In addition, users must deliberately accept AirDrop file transfers from other users.
The intentional nature of activating AirDrop, coupled with the accept dialog, provides a strong
measure of security and prevention.
AirDrop creates a firewall-protected connection between users who are sharing files with one
another, so other users can't access their computer over that connection. Files are encrypted
using TLS for secure transfer.
To use AirDrop on a supported Mac:
1. Click the AirDrop icon in the Finder sidebar (or select AirDrop from the Go menu) to display
nearby systems.
2. If a nearby colleague wants to exchange files with you, they click the AirDrop icon in the
Finder sidebar. You'll both see each other's computers listed in the AirDrop window.
3. To transfer a file, drag the file to the other person's AirDrop icon. The other person will be
prompted to accept the file. A colored circle in the AirDrop icon indicates transfer progress.
4. To disable AirDrop, close the Finder window or click another sidebar item.
To disable AirDrop on a supported Mac:
AirDrop is a great feature for many environments, but some organizations may want to disable it
to meet their information assurance guidelines.
To disable AirDrop, enter the following command in Terminal:
sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool YES
To reenable AirDrop, send the same command with a boolean payload of NO:
sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool NO
To make AirDrop disappear from the Finder, restart the system or restart the Finder with the
following command:
sudo killall Finder
To use the Custom Settings feature:
You can use Mobile Configuration (.mobileconfig) files to change default domains. Environments
using OS X Server or a third-party Mobile Device Management (MDM) solution can use the
Custom Settings feature to assign a value to the com.apple.NetworkBrowser defaults domain.
1. Open the Server application from a server with OS X Server installed.
2. Click the Profile Manager service.
3. Click Open Profile Manager.
4. Authenticate when prompted.
5. To customize settings, select the device or device group you want to customize.
6. Click Edit.
7. Select Custom Settings and then click Configure.
8. Enter com.apple.NetworkBrowser into the Preference Domain field.
9. Rename the initial key DisableAirDrop.
10. Choose Boolean from the Type menu.
11. Select the Value checkbox.
12. Click OK.
13. Send the profile to the Mac. Restart the Mac, and verify that the key is enforced.
Application-based and IP firewalls
An application-based firewall makes it easier for nonexperts to get the benefits of firewall
protection. The firewall allows or blocks incoming connections on a per-application basis rather
than on a per-port basis.
Users can restrict firewall access to essential network services (such as those needed for DHCP,
BOOTP, IPsec VPNs, and Bonjour), or they can allow (or block) access to selected applications on
an individual basis.
The application firewall uses digital signatures to verify the identity of applications. If you select
an unsigned application, OS X signs it to uniquely identify it. The application firewall also has the
ability to permit all signed software to automatically receive incoming connections.
Expert users may prefer a packet-filtering firewall such as ipfw. ipfw handles packets at the
network and transport layers of the networking stack, whereas the application firewall filters at
the application layer, so ipfw rules are applied first.
Network firewalls
Network firewalls can help protect client computers in any organization. Although most systems
inside a corporate network are protected at the network perimeter, client computers can be
exposed to a variety of threats, whether theyre used inside or outside the office. Therefore, you
should set up a firewall on each client system.
Most security environments use a layered approach to security, which includes a software
firewall on each host. OS X includes three firewalls. The first is an application layer firewall, which
validates the processes that are attempting to communicate and determines how they're allowed to
communicate. A finer-grained, port-based packet filter (pf) is included as well and is configured and
controlled by the pfctl utility. The ipfw firewall is also present in OS X but deprecated in v10.8
and higher, though it is still frequently used by large organizations.
Depending on security requirements, organizations can use one firewall or a combination. When
more than one is enabled, traffic must satisfy the rules of each. Because the packet filters (pf and
ipfw) operate at a lower level than the application-based firewall, their rulesets are enforced first.
Application layer firewall
By default, OS X uses an application layer firewall to secure network traffic by leveraging the
code signing framework to limit which applications are allowed to accept incoming connections
from other hosts. This is different from ipfw and pf, which filter on ports and addresses rather
than applications.
Note: ipfw is still available if you want to use it. You can run both firewalls.
Applications are identified by their code signature, which is checked when an application first
tries to listen for connections. Once an application has been identified, the application layer
firewall records whether it may receive incoming traffic.
When the application layer firewall is on and an application tries to accept an incoming connection
for the first time, the user is prompted to allow or deny it. The connection is only allowed through
the firewall after the user accepts. You can configure the firewall to deny all incoming
communication so users aren't prompted at all.
Configuring the application-layer firewall
The Security & Privacy pane in System Preferences is the easiest way to configure the application
layer firewall in OS X.
To configure the application layer firewall:
1. Open System Preferences from the Apple menu.
2. Click Security & Privacy.
3. Click Firewall.
4. Click Turn On Firewall.
Items that have been enabled in the Sharing pane in System Preferences are now allowed to
accept incoming connections. The only other services that allow incoming connections are
essential services such as configd for network configuration, mDNSResponder for
discovering services, and the racoon process for IPsec.
5. Click Firewall Options.
6. Select Block all incoming connections to block all connections for nonessential services.
Services required for basic Internet services, such as DHCP, Bonjour (mDNS), and IPsec, will
still be allowed through the firewall.
7. If you want to add an application, click the Add (+) button, navigate to the app, and select it.
8. Click the Add button.
9. In the menu to the right of the application name, choose whether the application will allow
or deny incoming connections.
The application now appears in the list of allowed applications.
If you select Enable stealth mode, the computer doesn't respond to unsolicited probes, such as
ICMP echo (ping) requests or connection attempts to closed ports. Instead, the firewall mimics
what would occur if no computer were running at the IP address being scanned. Without stealth
mode, the computer would answer that its ports are closed, confirming to a possible attacker
that a host is present. Stealth mode applies to TCP traffic but not to UDP traffic.
The option Automatically allow signed software to receive incoming connections lets any software
signed by a valid certificate authority accept incoming connections without a prompt. To require an
explicit decision for every application instead, click Firewall Options and deselect that checkbox.
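The Firewall Options above are stored by the application firewall in its preference file, which makes it possible to audit a fleet without clicking through System Preferences on each Mac. The following script is an added example (not code from this document or from Apple): it parses a copy of com.apple.alf.plist and reports deviations from a hardening baseline. The two embedded plists are constructed samples; the key names (globalstate, stealthenabled, allowsignedenabled, loggingenabled, applications) are the ones the application firewall uses, and the baseline thresholds are this example's own choice.

```python
import plistlib

# Constructed sample of the application firewall preference file as it
# might look on a default install (firewall off). Not captured from a real
# system; key names are those the firewall uses in com.apple.alf.plist.
WEAK_ALF = plistlib.dumps({
    "globalstate": 0, "stealthenabled": 0, "allowsignedenabled": 1,
    "loggingenabled": 0, "applications": [],
})

# Constructed sample after Turn On Firewall, Block all incoming connections
# and Enable stealth mode are selected, automatic allowance of signed
# software is deselected, and one application has been added explicitly.
HARDENED_ALF = plistlib.dumps({
    "globalstate": 2, "stealthenabled": 1, "allowsignedenabled": 0,
    "loggingenabled": 1, "applications": [{"bundleid": "com.example.Tool", "state": 0}],
})

# globalstate: 0 = off, 1 = on, 2 = on with "Block all incoming connections"
GLOBAL_STATES = {0: "off", 1: "on", 2: "block all incoming"}


def read_alf(plist_bytes):
    """Parse the ALF preference plist (XML or binary) into a flat dict of settings."""
    p = plistlib.loads(plist_bytes)
    state = int(p.get("globalstate", 0))
    return {
        "firewall_state": GLOBAL_STATES.get(state, "unknown (%d)" % state),
        "enabled": state in (1, 2),
        "block_all": state == 2,
        "stealth": bool(p.get("stealthenabled", 0)),
        "allow_signed": bool(p.get("allowsignedenabled", 1)),
        "logging": bool(p.get("loggingenabled", 0)),
        "allowed_apps": [a.get("bundleid", "?") for a in p.get("applications", [])],
    }


def policy_findings(settings, require_block_all=False):
    """Compare parsed settings with a hardening baseline; return the deviations as strings."""
    findings = []
    if not settings["enabled"]:
        findings.append("application firewall is off")
    if require_block_all and not settings["block_all"]:
        findings.append("'Block all incoming connections' is not set")
    if not settings["stealth"]:
        findings.append("stealth mode is off; closed ports answer probes")
    if settings["allow_signed"]:
        findings.append("signed software is automatically allowed to listen")
    if not settings["logging"]:
        findings.append("firewall logging is off")
    return findings


def audit(plist_bytes, require_block_all=False):
    """Return (settings, findings) for one preference file."""
    settings = read_alf(plist_bytes)
    return settings, policy_findings(settings, require_block_all)


if __name__ == "__main__":
    import sys
    # Real use: sudo python3 alf_audit.py /Library/Preferences/com.apple.alf.plist
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK_ALF
    settings, findings = audit(data, require_block_all=True)
    print("firewall:", settings["firewall_state"], "| allowed apps:", settings["allowed_apps"])
    for f in findings:
        print("  -", f)
```

Run it against the real file with sudo, since /Library/Preferences/com.apple.alf.plist is root-readable; the script accepts the binary form the system writes because plistlib detects the format.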
Network access control (802.1X)
Wi-Fi and Ethernet networks can be protected by the Institute of Electrical and Electronics
Engineers (IEEE) 802.1X standard. 802.1X is the most widely accepted form of port-based network
access control. Extensible Authentication Protocol (EAP) is the authentication framework that
802.1X carries between the client and the authentication server; on wireless networks, the keys
that encrypt the link are derived from that exchange.
The 802.1X standard enhances the security of LANs by preventing unauthorized devices from
gaining access to the network through wired or wireless LAN connections. It supports a wide
range of EAP methods, including EAP-TLS, EAP-FAST, TTLS, LEAP, MD5, and PEAP.
You might need to connect to a wireless (IEEE 802.11) or Ethernet (IEEE 802.3) network that is
protected by the 802.1X standard if youre in an education or business environment. In an 802.1X
secured environment, a computer cant gain access to network services, such as email or the
Internet, until its authenticated.
To connect an OS X computer to a network using 802.1X, you must first install a configuration
profile on the computer with the appropriate 802.1X settings. When configuring 802.1X settings
for OS X, you'll need some or all of the following information, depending on the EAP method
being used:
User name and password
Wireless network name (case sensitive)
Authentication methods and options
Server certificate or certificate chain
If you're using EAP-TLS, you need a user or machine identity (certificate plus private key), commonly
distributed in a .p12 (PKCS #12) file.
Using certificates in an 802.1X environment
802.1X uses a server and client certificate. These certificates must meet specific requirements on
the server and on the client for successful authentication.
When you connect to an 802.1X network, you may be presented with a certificate trust dialog
asking if you want to continue with the authentication to the server. In the dialog, you can select
Always Trust the certificate, or click Continue to authenticate a single time.
Certificates are stored in Keychain Access. All user profile certificates are installed in the Login
Keychain section of Keychain Access; all Login Window and System profile certificates are
installed in the System Keychain section of Keychain Access.
One purpose of the certificate trust dialog is to inform you when a server presents a certificate
that hasn't been explicitly trusted. Another purpose is to allow you to examine the certificate to
ensure that it's appropriate for the network you're authenticating to.
You should carefully examine certificates and not just blindly accept them. Someone can set up a
rogue access point with their own certificate and, if you continue with the authentication, the
rogue access point could gather your credentials from the authentication exchange.
The trust dialog shows fingerprints (SHA-1, SHA-2, or MD5 hashes of the certificate) that uniquely
identify it. Verify each certificate in the chain against the values your administrator published
and, only if you're confident in their validity, trust the certificates. If you're unsure, consult your
system administrator before continuing.
When selecting a certificate for your 802.1X configuration, it must be the certificate for the
RADIUS server you're connecting to, or the CA certificate that issued it.
Some 802.1X networks (those using EAP-TLS) require you to obtain a client certificate from the
organization's certificate authority. Ask your network administrator how to obtain an 802.1X
certificate for your network.
The certificate creation process involves the following:
Generating a private key and Certificate Signing Request (CSR)
Providing the CSR to the certificate authority (CA)
CA signing the CSR and issuing the certificate
Importing the certificate into the keychain to establish the connection between the private key
and certificate
There's a distinction between a certificate you hold the private key for, usually referred to as an
identity, and just a certificate. A certificate is the public part of a public key pair, and allows
others to verify that whoever signs with the matching private key is the entity named in the
certificate's subject. The private key must be held only by that person or entity and stored securely.
It's also possible that you have the identity (certificate + private key) in the form of a PKCS #12
(.p12, .pfx) file. You can double-click this file to import it into the keychain.
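Checking the fingerprints shown in the trust dialog is easier when the administrator's published values and the dialog's values are compared mechanically rather than by eye. The script below is an added example, not code from this document: it computes fingerprints over a certificate's DER bytes in the same "hex pairs" form Keychain Access displays, normalizes whatever separator convention the published value used, and compares in constant time. The certificate bytes are a constructed placeholder, and the host names are hypothetical; in practice, export the server certificate from Keychain Access (or obtain it with openssl) and read the .cer file.

```python
import hashlib
import hmac

# Constructed stand-in for the DER bytes of a RADIUS server certificate
# (not a real certificate). A fingerprint is simply a hash of these bytes,
# so any byte string demonstrates the computation.
SAMPLE_DER = bytes.fromhex("3082010a02820101") + b"constructed RADIUS certificate" * 3


def fingerprint(der_bytes, algorithm="sha1"):
    """Fingerprint in the form the trust dialog shows: uppercase hex pairs separated by spaces."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Drop separators and case so values copied from Keychain Access, openssl or a wiki compare equal."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def matches_pinned(der_bytes, pinned, algorithm="sha1"):
    """True only if the computed fingerprint equals the administrator's published value.

    MD5 is accepted for legacy published values but is collision-prone; pin SHA-1 or,
    better, SHA-256 when the administrator publishes it.
    """
    computed = normalize(fingerprint(der_bytes, algorithm))
    expected = normalize(pinned)
    return len(computed) == len(expected) and hmac.compare_digest(computed, expected)


def untrusted_certs(chain, pinned_by_name, algorithm="sha1"):
    """Check every certificate the dialog lists; return the names that match no pinned value."""
    return [name for name, der in chain
            if not matches_pinned(der, pinned_by_name.get(name, ""), algorithm)]


if __name__ == "__main__":
    # Hypothetical published values: the RADIUS server's real fingerprint and a wrong CA value.
    published = {"radius.example.com": fingerprint(SAMPLE_DER), "Example Root CA": "00:11:22"}
    chain = [("radius.example.com", SAMPLE_DER), ("Example Root CA", SAMPLE_DER + b"tampered")]
    for alg in ("md5", "sha1", "sha256"):
        print("%-6s %s" % (alg.upper(), fingerprint(SAMPLE_DER, alg)))
    print("do not trust:", untrusted_certs(chain, published))
```

The length check before the constant-time compare matters: an empty or truncated published value must fail closed rather than be treated as a prefix match.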
Extensible Authentication Protocol (EAP) methods
OS X supports six EAP methods of authentication, though not all EAP methods are supported
across both Ethernet and Wi-Fi interfaces. The following are supported EAP methods of
authentication.
TLS (requires a certificate)
TTLS
LEAP
PEAP
EAP-FAST
EAP-SIM
WPA2/AES 802.1X PEAP
802.1X is the most widely accepted form of port-based network access control. Supported EAP
authentication protocols include Protected Extensible Authentication Protocol (PEAP), which
encapsulates the EAP exchange within a Transport Layer Security (TLS) tunnel established using
the server's certificate.
PEAP authenticates the client with the user's user name and password, sent inside that tunnel, so
only the server needs a certificate. OS X supports 802.1X PEAP connectivity.
WPA2/AES 802.1X EAP-TLS
EAP-TLS uses PKI to secure communication with an authentication server (for example, RADIUS).
Instead of a user name and password, the client authenticates with its own certificate and private
key (an identity), and it verifies the server's certificate in turn, giving mutual authentication.
OS X supports 802.1X EAP-TLS connectivity.
WPA2/AES 802.1X EAP-TTLS
EAP-Tunneled Transport Layer Security (EAP-TTLS) is similar to EAP-TLS, except that only the
server presents a certificate; the client authenticates with a user name and password inside the
TLS tunnel, so no client certificates need to be deployed, simplifying setup.
WPA2/AES 802.1X EAP-FAST
Flexible Authentication via Secure Tunneling (EAP-FAST) is Cisco's replacement for LEAP.
Certificates in EAP-FAST are optional, because EAP-FAST uses a Protected Access Credential (PAC)
to generate a TLS tunnel to authentication servers.
Connecting to an 802.1X network
OS X supports connecting to WEP, WPA, WPA2, WEP Enterprise, WPA Enterprise, and WPA2
Enterprise networks. OS X also supports most 802.1X options. 802.1X configurations must be
imported using a configuration profile (.mobileconfig file).
The modern method to secure a network interface is to install a certificate on client systems: the
CA certificate that lets the client verify the authentication server and, for EAP-TLS, a client
identity. After the certificates have been installed, a number of 802.1X implementations can be
leveraged.
802.1X is used to force authentication against a centralized authentication mechanism (generally
RADIUS) to gain access to a network. This is known as Network Access Control. Mac computers
can join an 802.1X network as a standards-compliant supplicant. After joining, the Mac can
authenticate against the Authenticator using a variety of standards-based protocols, including
multifactor authentication mechanisms. This helps further secure both wired and wireless
environments over non-Network Access Control scenarios by putting clients that havent
authenticated to the Authenticator into an unauthorized state, limiting communications to only
bastion hosts that provide authentication.
802.1X authentication (as a client) is implemented in OS X via an installed configuration profile
that can be viewed in the Network pane in System Preferences for each network interface that
will be used.
The following examples outline the steps for setting up a Mac to communicate with an 802.1X
environment.
In many environments, the distribution of the certificate occurs during the imaging process.
This certificate is used to establish a trust relationship with the authentication servers, so the
client can verify that it is talking to the legitimate server before it sends any credentials.
802.1X uses the server's certificate to build the TLS tunnel that encapsulates the authentication
traffic, including the user's user name and password. This combination of a server certificate and
user credentials is widely deployed. Implementation of the client side of 802.1X is covered in the
next few sections.
Creating 802.1X profiles for OS X
802.1X profiles are created and distributed using the Profile Manager or iPhone Configuration
Utility. The following examples show how to create an 802.1X configuration profile for installation
on an OS X computer. For the purpose of the examples, the configuration profiles will be
deployed to client systems to set up the 802.1X profiles.
There are three basic steps to creating 802.1X profiles for Mac computers running OS X:
Create a configuration profile to hold the 802.1X settings.
Add an optional certificate that can be used to authenticate to the 802.1X network.
Create a network payload in the profile that contains specific settings for a particular 802.1X
network.
Important: Make sure your Profile Manager service is running and accessible on the network by
the device you want to install the profile on. The device must also be enrolled with the Profile
Manager service for management.
For more information about setting up Profile Manager and enrolling devices, see the OS X
Technical Training: Management document in this series.
To create a configuration profile:
1. From the server, open the Server application.
2. Click Profile Manager in the left sidebar.
3. Click Open Profile Manager.
4. Select a device, user, or group to create the profile.
5. Click the Edit button. If it isn't available, click the Add button (+) to create a new
configuration.
6. Add an optional certificate for 802.1X authentication to the profile:
7. Click Certificate in the left sidebar.
8. Click the Configure button.
9. Enter a name for the certificate profile.
10. Click Add Certificate.
11. Browse to the certificate file (for example .cer, .pem, .p12) and select it.
12. Click Choose.
13. In the Passphrase field, enter the passphrase for the certificate and click OK.
To add specific 802.1X settings to the profile:
1. Click Network in the left sidebar.
2. Click Configure.
3. Choose an interface from the Network Interface pop-up menu.
For Wi-Fi interfaces:
Choose Wi-Fi from the Network Interface menu.
Enter the name (SSID) of the wireless network in the Service Set Identifier
(SSID) field.
Select the Hidden Network checkbox if the SSID is hidden.
In the Security Type menu, choose WPA/WPA2 Enterprise.
4. Click the Protocols tab.
5. Under Accepted EAP Types, select the protocol supported by your 802.1X network.
Note: Profile Manager is context-aware and will display the appropriate settings for the type
of protocol you choose.
6. Enter details associated with the protocol that you selected.
The example screenshot below shows the details associated with PEAP.
7. Click OK.
8. Click Save.
9. Deploy the profile to the Mac and verify that you can connect to the 802.1X network.
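Both procedures in this chapter that use Profile Manager, the Custom Settings payload that forces DisableAirDrop in com.apple.NetworkBrowser and the 802.1X network payload just configured, produce a .mobileconfig file, which is an XML property list. The script below is an added example, not code from this document or from Profile Manager: it builds the same two payloads programmatically, which is useful when profiles are versioned in source control or generated per site, and then reads the result back to confirm what will be enforced. The 802.1X payload pins the RADIUS server's CA and host names so that the rogue-access-point trust dialog never appears. Payload keys follow Apple's configuration profile format; the SSID, user name, host names, reverse-DNS identifiers and the CA certificate bytes are placeholders.

```python
import plistlib
import uuid

# IANA-assigned EAP method numbers, as used in the AcceptEAPTypes array.
EAP_TYPES = {"TLS": 13, "LEAP": 17, "SIM": 18, "TTLS": 21, "PEAP": 25, "FAST": 43}

# Placeholder standing in for the DER bytes of the RADIUS server's issuing CA.
PLACEHOLDER_CA_DER = b"\x30\x82\x01\x0a" + b"constructed CA certificate bytes" * 2


def payload_base(payload_type, display_name, identifier):
    """Keys every payload dictionary in a profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def custom_settings_payload(domain, settings, identifier):
    """Custom Settings payload. 'Forced' keys override anything in the user's own defaults."""
    p = payload_base("com.apple.ManagedClient.preferences", "Custom Settings: " + domain, identifier)
    p["PayloadContent"] = {domain: {"Forced": [{"mcx_preference_settings": settings}]}}
    return p


def root_certificate_payload(der_bytes, name, identifier):
    """Installs a CA certificate; the 802.1X payload references its UUID as a trust anchor."""
    p = payload_base("com.apple.security.root", name, identifier)
    p["PayloadCertificateFileName"] = name + ".cer"
    p["PayloadContent"] = der_bytes  # plistlib serializes bytes as <data>
    return p


def wifi_peap_payload(ssid, user_name, anchor_uuid, server_names, identifier, hidden=False):
    """WPA2 Enterprise Wi-Fi payload: PEAP inside a TLS tunnel to a pinned RADIUS server."""
    p = payload_base("com.apple.wifi.managed", "Wi-Fi: " + ssid, identifier)
    p.update({
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": "WPA",  # WPA/WPA2; Enterprise because EAPClientConfiguration is present
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TYPES["PEAP"]],
            "UserName": user_name,
            # Trust only servers chaining to the anchor and presenting one of these names,
            # so a rogue access point with its own certificate is rejected without a dialog.
            "PayloadCertificateAnchorUUID": [anchor_uuid],
            "TLSTrustedServerNames": server_names,
            "TLSAllowTrustExceptions": False,
        },
    })
    return p


def build_profile(payloads, name, identifier, organization):
    """Wrap payloads in the top-level Configuration dictionary and serialize as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": True,  # users can't remove it from the Profiles pane
        "PayloadContent": payloads,
    })


def example_profile():
    """Profile carrying the AirDrop lockdown plus the 802.1X Wi-Fi configuration."""
    ca = root_certificate_payload(PLACEHOLDER_CA_DER, "Corp RADIUS CA", "com.example.profile.ca")
    airdrop = custom_settings_payload("com.apple.NetworkBrowser", {"DisableAirDrop": True},
                                      "com.example.profile.airdrop")
    wifi = wifi_peap_payload("CorpWiFi", "jdoe", ca["PayloadUUID"],
                             ["radius1.example.com", "radius2.example.com"],
                             "com.example.profile.wifi")
    return build_profile([airdrop, ca, wifi], "Corp Security Baseline",
                         "com.example.profile.baseline", "Example Corp")


def forced_value(profile_bytes, domain, key):
    """Read back a forced Custom Settings key to verify what the profile will enforce."""
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.ManagedClient.preferences":
            for entry in payload["PayloadContent"].get(domain, {}).get("Forced", []):
                if key in entry["mcx_preference_settings"]:
                    return entry["mcx_preference_settings"][key]
    return None


def eap_types_for_ssid(profile_bytes, ssid):
    """Accepted EAP method numbers configured for the given SSID ([] if it isn't in the profile)."""
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.wifi.managed" and payload["SSID_STR"] == ssid:
            return payload["EAPClientConfiguration"]["AcceptEAPTypes"]
    return []


if __name__ == "__main__":
    with open("baseline.mobileconfig", "wb") as fh:
        fh.write(example_profile())
```

A profile generated this way is unsigned; Profile Manager signs the profiles it serves, and for manual distribution you should sign the file so clients can confirm its origin during the Show Details step of installation.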
Importing and exporting 802.1X profiles
After .mobileconfig files have been created, profiles can be installed on client computers to
deploy the 802.1X settings for the environment. You can install profiles as part of an imaging
workflow, install them on computers over the network, or have users manually install them.
Important: Depending on the CA used, a trust profile might need to be installed in advance.
This section explains how to install the profile with 802.1X settings, first exporting the profile to
create a file that can be distributed.
To export a configuration profile:
1. Open the Profile Manager webpage (https://<server name>/profilemanager).
2. Browse to the profile you want to export and select it.
3. Click Download.
4. Copy the profile to a secure location.
To install a configuration profile:
1. Double-click the configuration profile to open it. (It may open automatically depending on
your browser settings.)
2. Click Show Profile.
3. Make sure the settings are correct.
4. Click Continue.
5. Click Show Details and confirm the identity of the profile.
6. Click Install.
7. Because 802.1X requires a local administrator for configuration, provide the local
administrator's user name and password.
Note: To see profiles (and remove them, if needed), use the Profiles pane in System
Preferences, which will only appear after a profile has been installed.
Connecting via 802.1X
To see settings and establish a manual connection with 802.1X:
1. Open System Preferences from the Apple menu.
2. Click Network.
3. Click the interface with an 802.1X profile.
You should see an 802.1X field.
4. Click the Connect button.
To set the connection to occur automatically:
1. Click Advanced.
2. Click the 802.1X tab.
3. Select the checkbox labeled Enable automatic connection.
Making secure connections
Network security
Secure Transport is used to implement SSL and Transport Layer Security (TLS) protocols. These
protocols provide secure communications over a TCP/IP connection such as the Internet by using
encryption and certificate exchange. A firewall can then filter communication over a TCP/IP
connection by permitting or denying access to a computer or a network.
VPN compatibility and integration
OS X includes a universal VPN client with support built into the Network preferences pane, so you
have everything you need to establish a secure connection. The VPN client supports L2TP over
IPsec and PPTP, which make Apple's VPN client compatible with the most popular VPN servers,
including those from Microsoft and Cisco.
You can also use digital certificates and one-time password tokens from RSA or CRYPTOcard for
authentication with the VPN client. One-time password tokens provide a randomly generated
passcode that must be entered with the VPN password, a great option for those who
require extremely robust security.
The L2TP VPN client can also be authenticated using credentials from a Kerberos server. In either
case, you can save the settings for each VPN server you routinely use as a location, so you can
reconnect without reconfiguring your system each time.
Apple's L2TP VPN client can connect you to protected networks automatically by using its VPN
On Demand feature. VPN On Demand can detect when you want to access a network that's
protected by a VPN server and can start the connection process for you. This means that your
security is increased because VPN connections can be closed when not in use.
In OS X, the VPN client includes support for Cisco Group Filtering. It also supports DHCP over PPP
to dynamically acquire additional configuration options such as static routes and search domains.
Securing remote access communication
You can secure remote access to other networks by using a VPN. A VPN consists of computers or
networks (nodes) connected by a private link that transmits encrypted data. This link simulates a
local connection, as if the remote computer were attached to the LAN.
VPN security
There are three encrypted transport protocols: Layer Two Tunneling Protocol over IP Security
(L2TP/IPsec), Point-to-Point Tunneling Protocol (PPTP), and Cisco IPsec.
L2TP/IPsec
L2TP is an extension of PPTP used by Internet service providers to enable a VPN over the
Internet. IPsec is a set of security protocols. When you combine IPsec with L2TP, IPsec encrypts and
authenticates the data, ensuring confidentiality and integrity, and L2TP creates the tunnel for the
data to be transferred.
L2TP/IPsec uses strong IPsec encryption to tunnel data to and from network nodes. L2TP is based
on Cisco's Layer 2 Forwarding (L2F) protocol.
IPsec requires security certificates (self-signed or signed by a CA such as VeriSign) or a predefined
shared secret between connecting nodes. The shared secret must be entered on both the server
and the client.
The shared secret isn't a user password for authentication: it authenticates the two IPsec
endpoints (their key management daemons) to each other during the IKE key exchange, and the
session keys that protect the tunnel are then derived by that exchange. Treat it as a credential
nonetheless, because anyone who knows it can impersonate an endpoint.
L2TP/IPsec is OS X Server's preferred VPN protocol because it has superior transport encryption
and can be authenticated using Kerberos.
PPTP
PPTP is a commonly used Windows standard VPN protocol. Because PPTP derives its encryption
key from the user's password, the strength of its encryption depends on the strength of that
password. It supports a number of authentication schemes.
By default, PPTP uses 128-bit encryption. PPTP also supports 40-bit encryption, which is weak and
should be avoided.
You must use PPTP if you have Windows clients with versions earlier than Windows XP or if you
have Mac clients with OS X v10.2 or earlier.
Cisco IPsec
VPN support in OS X was enhanced with the addition of Cisco IPsec. Previously, IPsec was used
by L2TP but wasn't a directly configurable service. Cisco IPsec support in OS X provides machine
authentication using a shared secret or an X.509 identity, optionally associated with a group
name.
L2TP/IPsec and Cisco IPsec provide the highest level of security because they use IPsec. PPTP
doesn't use IPsec, which makes it less secure.
To configure OS X to connect to a VPN server:
1. Open System Preferences, then click Network.
2. Click the Add (+) button at the bottom of the network connection services list and then
choose VPN from the Interface pop-up menu.
3. From the VPN Type pop-up menu, choose L2TP over IPsec, PPTP, or Cisco IPsec according to
your network.
4. Enter a VPN service name in the Service Name field, then click Create.
5. Enter the DNS name or IP address in the Server Address field (such as
gateway.example.com).
6. Enter the users short name in the Account Name field.
7. Click Authentication Settings and enter the User Authentication and Machine Authentication
configuration information.
8. Click OK.
Exchanging data securely
Securing Mail
You can change Mail preferences to enhance security. Depending on your mail server settings,
consider changing Mail preferences to use SSL and a Kerberos-based authentication method.
These settings must match those provided by your mail server.
Only send mail that is digitally signed and encrypted. Digitally signed messages let your
recipients verify your identity as the sender and provide assurance that the message wasn't
tampered with in transit. Encrypted messages keep the contents of the message private and
readable only by the intended recipient.
You can only send encrypted messages to recipients if you receive a digitally signed message
from them or if you have access to their public key. Recipients receive your public key when they
receive your signed messages. This certificate-based system is referred to as public key
infrastructure (PKI) messaging.
Mail recognizes sender and recipient certificates. It notifies you that a certificate was included by
displaying a Signed (checkmark) icon and an Encrypted (closed lock) icon.
When sending signed or encrypted mail, the senders certificate must contain the case-sensitive
mail address listed in Mail preferences.
To further enhance security, disable the display of remote images in HTML messages in Mail's
Viewing preferences. Bulk mailers use image-tracking mechanisms to find individuals who open
junk mail. If you don't load remote images, you help reduce spam.
If you use a third-party mail application, consider applying similar security guidelines. For more
information, open Mail Help and search for security.
Enabling account security
You can configure Mail to send and receive mail over SSL/TLS to provide a secure connection to
the mail server. OS X supports SSLv2, SSLv3, and TLSv1; prefer TLS, because SSLv2 is deprecated
and shouldn't be enabled on the server. SSL uses public key cryptography to authenticate the
server to the client and to protect email traffic between machines.
If you're using SSL to connect to your mail server, your password and data are securely
transmitted. However, you can further protect your password by using a strong authentication
method that provides additional password protection, as well as stronger identity validation. You
can protect your password by using one of the following authentication methods:
MD5 Challenge-Response
Kerberos Version 5 (GSSAPI)
NTLM
Note: Password is the default selection. Using Password for this option doesn't provide additional
authentication or password protection; the password is protected only by the SSL connection.
The authentication method you choose should match the configuration of the mail server for the
account being established. The server and the client must be configured with the same
authentication method to communicate properly.
To use a secure connection to the mail server:
1. Choose Mail > Preferences and then click Accounts.
2. Select an account and then click Advanced.
3. Select Use SSL.
The port number changes to port 993 for IMAP accounts and to port 995 for POP accounts.
Verify that this port is the same port used by SSL on your mail server. If not, change the port
to match the incoming port on the mail server for this account.
4. From the Authentication pop-up menu, select one of the following authentication methods:
External (TLS client Certificate)
Kerberos Version5 (GSSAPI)
NTLM
MD5 Challenge-Response
Authenticated POP (APOP) (POP accounts only)
Password
5. Click Account Information.
6. From the Outgoing Mail Server (SMTP) pop-up menu, select Edit SMTP Server List.
7. From the server list, select your outgoing mail server and then click Advanced.
8. Select Secure Sockets Layer (SSL).
Verify that this port is the same port used by SSL on your mail server. If not, change the port
to match the outgoing port on the mail server for this account.
9. From the Authentication pop-up menu, select one of the following authentication methods:
MD5 Challenge-Response
Kerberos Version5 (GSSAPI)
NTLM
10. Close the Preferences window and then click Save in the message that appears.
Remote content and hidden addresses
The above measures provide security while transmitting messages between client and server.
However, these precautions can't guarantee that the sender isn't malicious. Users should never
open attachments from unknown senders or display remote content without confirming the
sender's identity.
An email can be crafted to display any name in the From: or To: line of a graphical, user-friendly
application such as Mail; the display name is chosen by the sender and need not match the
actual address. By default, Mail shows this user-friendly name rather than the actual email
address. This should be changed so that Mail displays the sender's email address.
Also, Mail displays remote images in HTML messages by default. Because these images are
loaded immediately, before the user can determine whether the sender is known, this remote
content shouldn't be displayed.
To turn off Smart Addresses and remote images:
1. Choose Mail > Preferences and then click Viewing.
2. Disable Display remote images in HTML messages.
3. Disable Use Smart Addresses.
4. Close the Preferences window.
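Turning off Smart Addresses shows users the real address, but the same check can be applied at a mail gateway or in a triage script. The following is an added example, not code from this document: using Python's standard header parser, it flags the two patterns the text warns about, a display name that itself looks like an address from a different domain, and a sender domain that contains a trusted domain's name without being it or one of its subdomains. The header values are constructed samples and the trusted domain is hypothetical.

```python
import re
from email.utils import parseaddr

# Constructed sample From: header values (not real mail). The second and
# third are shaped like common impersonation attempts.
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@example.com>",
    '"ceo@example.com" <mailer@attacker.example>',
    "IT Helpdesk <helpdesk@example.com.evil.example>",
    "Jane Doe <jane.doe@example.com>",
]

# Finds an address written inside free text such as a display name.
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_sender(header_value, trusted_domains):
    """Return (real_address, reasons); reasons is empty when nothing looks off."""
    display_name, address = parseaddr(header_value)
    sender_domain = domain_of(address)
    reasons = []
    # Pattern 1: the friendly name is itself an address, but not the one mail came from.
    embedded = EMAIL_IN_TEXT.search(display_name or "")
    if embedded and domain_of(embedded.group(0)) != sender_domain:
        reasons.append("display name shows %s but mail is really from %s"
                       % (embedded.group(0), address))
    # Pattern 2: the real domain embeds a trusted name (example.com.evil.example) but is
    # neither that domain nor one of its subdomains.
    for trusted in trusted_domains:
        legitimate = sender_domain == trusted or sender_domain.endswith("." + trusted)
        if not legitimate and trusted in sender_domain:
            reasons.append("%s resembles trusted domain %s but is not it" % (sender_domain, trusted))
    return address, reasons


def flag_suspicious(header_values, trusted_domains):
    """Real addresses, from a batch of headers, that deserve a second look before opening attachments."""
    return [addr for addr, reasons in (assess_sender(h, trusted_domains) for h in header_values)
            if reasons]


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        addr, reasons = assess_sender(header, ["example.com"])
        print("%-50s -> %s" % (header, "; ".join(reasons) or "ok"))
```

The check is deliberately conservative: a legitimate subdomain such as mail.example.com is not flagged, while a domain that merely contains the trusted name is.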
Enabling S/MIME in Mail
Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to sign and encrypt mail, and can
be enabled if a mail certificate for the user account is available in the OS X keychain.
Important: Before enabling S/MIME for an email account, you should verify that a certificate (with
its private key) has already been installed. For details on installing certificates, see Chapter 2,
Platform Security.
To enable S/MIME:
1. Open Mail on a system that has a configured account.
2. Choose Preferences from the Mail menu.
3. Click Accounts.
4. Choose the appropriate certificate from the TLS Certificate menu. (This information is loaded
from the users keychain.)
5. Close Accounts.
Signed and encrypted mail can be sent when the certificate is enabled. Compose a new
message, click the Sign and/or Encrypt icons in the message window, and send the message.
Signing and encrypting Mail messages
To send a signed message, you must have a digital identity in your keychain. Your digital identity
is the combination of a personal certificate and a corresponding private key. You can view digital
identities in your keychain by opening Keychain Access and clicking My Certificates in the
Category list.
If you only have the certificate portion of your digital identity, you can't send signed messages.
You must have the corresponding private key. Also, if people use your certificate to send you an
encrypted message, you must have your private key installed on the computer that you're trying
to view the message on. Otherwise, you can't view the encrypted message.
An encrypted message (including attachments) offers a higher level of security than a signed
message. To send an encrypted message, you must have a digital identity and each recipient's
certificate must be installed in Keychain Access.
To sign and encrypt a message:
1. Choose File > New Message and choose the account in the Account pop-up menu that has a
personal certificate installed in your keychain.
A Signed icon (a checkmark) on the upper right side above the message text indicates the
message will be signed when you send it.
2. Address the message to recipients.
If you're sending the message to a mailing list, send it unsigned. Many mailing lists reject
signed messages because the signature is an attachment. To send the message unsigned,
click the Signed icon. An x replaces the checkmark.
An Encrypted (closed lock) icon appears next to the Signed icon if you have a personal
certificate for a recipient in your keychain. The icon indicates the message will be encrypted
when you send it.
If you don't have a certificate for all recipients, you're asked to cancel the message or send
the message unencrypted. To send the message unencrypted, click the Encrypted icon. An
open lock icon replaces the closed lock icon.
If your recipients use Mail, they'll see security headers marked Signed and Encrypted in the
messages they receive. If they're using a mail application that doesn't support signed and
encrypted messages, the certificate might appear as an attachment. If recipients save
the attachment as a file, they can add your certificate to their keychains.
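The reason a mailing list sees the signature as an attachment is visible in the message structure itself: a signed S/MIME message is a multipart/signed body whose second part is a detached signature file (smime.p7s), and an encrypted one is a single application/pkcs7-mime blob (smime.p7m). The following Python, added here as an example and not code from the Apple document or from Mail, uses only the standard library to tell the two apart. Both sample messages are constructed, the base64 bodies are placeholders rather than real PKCS#7 data, and no signature is verified.

```python
"""Classify how an S/MIME message is protected by inspecting its MIME structure."""
from email import message_from_string
from email.message import Message

# Constructed sample: a clear-signed message (RFC 8551 multipart/signed layout).
SIGNED_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: status
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Build is green.
--B1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

UExBQ0VIT0xERVItTk9ULUEtUkVBTC1TSUdOQVRVUkU=
--B1--
"""

# Constructed sample: an encrypted (enveloped-data) message; placeholder base64 body.
ENCRYPTED_SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: status
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVItTk9ULVJFQUwtQ0lQSEVSVEVYVA==
"""


def classify_smime(raw: str) -> dict:
    """Return how the message is protected and which part carries the CMS blob."""
    msg: Message = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        # First part is the signed content; second is the detached signature,
        # which is exactly what a mailing list or plain client sees as an attachment.
        sig = parts[1]
        return {
            "protection": "signed",
            "signed_content_type": parts[0].get_content_type(),
            "signature_type": sig.get_content_type(),
            "signature_filename": sig.get_filename(),
        }
    if ctype == "application/pkcs7-mime":
        # Opaque CMS: enveloped-data is encryption, signed-data is an opaque signature.
        smime_type = msg.get_param("smime-type")
        return {
            "protection": "encrypted" if smime_type == "enveloped-data" else "signed-opaque",
            "blob_filename": msg.get_filename(),
        }
    return {"protection": "none"}


if __name__ == "__main__":
    print(classify_smime(SIGNED_SAMPLE))
    print(classify_smime(ENCRYPTED_SAMPLE))
```

A client that does not understand S/MIME still renders the text/plain first part of a signed message and simply shows smime.p7s as a file, which is the attachment the text refers to; an encrypted message, by contrast, has no readable part at all without the recipient's private key.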
Using antivirus tools
Installing antivirus tools helps protect your computer from viruses, and helps prevent your
computer from becoming a host used to spread viruses to other computers. These tools quickly
identify suspicious content and compare it to known malicious content.
In addition to using antivirus tools, follow computer usage habits that avoid virus infection. For
example, don't download or open content you didn't request, and never open a file sent to you
by someone you don't know.
When you use antivirus tools, make sure you have the latest virus definition files. The protection
provided by antivirus tools depends on the quality of your virus definition files. If your antivirus
program supports it, enable automatic downloading of virus definitions.
Safari security
Safari offers several kinds of enhanced security for web browsing. It supports the built-in
malware scanning function, so downloaded files are checked for specific Trojan horse attacks.
Safari also includes a fraudulent site detection feature. It works like this: Google maintains a
blacklist of known and highly suspected malware-transmitting sites and phishing sites
(harvesters of sensitive data). Google adds a hash of each site's URL to a database that some web
browsers can use at safebrowsing.clients.google.com.
When Safari starts, it downloads an abbreviated list of these sites' hashes. When you navigate to a
website, Safari checks the blacklist. If the website you're accessing matches a hash, Safari
contacts Google for complete URL information. If it's a positive match, Safari warns you that you
may be attempting to access a malware site or phishing site.
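The two-stage design described above (a short local list, then a remote lookup only on a local hit) is what keeps the browser from sending every URL you visit to Google. The Python below is an added illustration of that design, not Apple's or Google's code: it keeps only a 4-byte prefix of each SHA-256 hash locally, and an in-memory set stands in for the server at safebrowsing.clients.google.com. The blacklist entries are constructed example hostnames, and the URL canonicalization is simplified to host case and an empty path (real clients normalize far more and try several host/path combinations per URL).

```python
"""Local hash-prefix check followed by a full-hash lookup, Safe Browsing style."""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each full hash that the client stores locally (assumed)


def canonical(url: str) -> str:
    """Simplified canonical form: lower-cased host plus path, fragment dropped."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{parts.netloc.lower()}{path}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonical(url).encode()).digest()


# Constructed "server-side" list of full hashes (example hostnames, not real sites).
SERVER_FULL_HASHES = {full_hash(u) for u in (
    "http://malware.example.test/download",
    "http://phish.example.test/login",
)}

# What the client downloads at startup: only the short prefixes, never the URLs.
LOCAL_PREFIXES = {h[:PREFIX_LEN] for h in SERVER_FULL_HASHES}


def server_lookup(prefix: bytes) -> set:
    """Simulated remote lookup: every full hash on the server sharing this prefix."""
    return {h for h in SERVER_FULL_HASHES if h.startswith(prefix)}


def check_url(url: str, local_prefixes=LOCAL_PREFIXES, lookup=server_lookup) -> str:
    """Return 'safe', 'safe (prefix collision)' or 'blocked' for a URL."""
    h = full_hash(url)
    prefix = h[:PREFIX_LEN]
    if prefix not in local_prefixes:
        return "safe"  # the common case: decided locally, no network request at all
    # Only a prefix hit triggers contact with the server, and only the prefix is sent.
    candidates = lookup(prefix)
    return "blocked" if h in candidates else "safe (prefix collision)"


if __name__ == "__main__":
    for u in ("http://docs.example.test/", "http://MALWARE.example.test/download"):
        print(u, "->", check_url(u))
```

Note the privacy property the design gives you: the server only ever learns a 4-byte prefix, and only for URLs that already collide with a listed entry; everything else is decided from the locally cached list.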
Safari stores data in the folder at /private/var/folders/ in folders with two-letter names. The full
path is /private/var/folders/xx/yy/-Caches-/com.apple.Safari, where xx and yy are unique codes.
When you access that folder, you see Safari's cache file Cache.db and Google's Safe Browsing
initiative blacklist file SafeBrowsing.db.
Setting web browsing security with Safari
You can change Safari preferences to enhance security. By customizing your Safari preferences
you can prevent information on your computer or about your computer from being
compromised or exposed to an attacker.
In particular, consider changing Safari preferences to disable AutoFill options, to not open safe
files after downloading, to disable cookies (from sites you visit), to disable JavaScript, and to ask
before sending nonsecure forms.
After disabling cookies, remove existing cookies using the Details button in Safari Privacy
preferences. For websites that require cookies, enable cookies and then disable them after
visiting the site.
Enabling and disabling cookies can be time-consuming if you visit many sites that use cookies.
Consider using multiple accounts with different cookie settings. For example, your personal
account might allow all cookies, but your more secure account has restrictive cookie settings.
JavaScript has built-in security restrictions that limit JavaScript applications and prevent them
from compromising your computer. However, by disabling JavaScript, you can further secure your
computer from unauthorized JavaScript applications attempting to run on your computer.
When using Safari, use private browsing. Private browsing prevents Safari from logging actions,
adding webpages to history, keeping items in the Downloads window, saving information for
AutoFill, and saving Google searches. You can still use the Back and Forward buttons to navigate
through visited sites. After you close the window, the Back and Forward history is removed.
After using Safari, empty the cache. Caching improves performance and reduces network load by
storing viewed webpages and webpage content on your local hard disk, but it's a security risk
because these files aren't removed.
Safari supports server-side and client-side authentication using X.509 certificates. Server-side
authentication occurs when you access webpages that use an https URL. When Safari uses
client-side authentication, it provides the server with a credential that can be a certificate in your
keychain, or it can be from a smart card (which is treated like a keychain).
For information about how to perform these tasks and for other Safari security tips, open Safari
Help and search for security.
Verifying server identity
When you receive a certificate from a server, your computer verifies the authenticity of the
certificate by checking the signature inside the certificate to determine if it's from a trusted
certificate authority (CA). Some websites have extended validation (EV) certificates, which require
more extensive investigation by the certifying agencies. Safari supports EV certificates.
There are two common methods for verifying the validity of a certificate: Online Certificate Status
Protocol (OCSP) and Certificate Revocation List (CRL).
Information about the status of certificates is stored on a revocation server. The OS X security
system can check with the revocation server to validate a certificate. The trusted commercial
CA certificates are installed on your computer and are used to verify certificates you receive.
OCSP and CRL are set to Best Attempt by default. This means that the computer tries to contact
the revocation server to check the validity of a certificate, but if the check fails (for example,
because the server can't be reached), the certificate may still be trusted. To change the
validation settings, open Keychain Access > Preferences, and then click Certificates.
You can also visually inspect certificates using Safari or Keychain Access.
Safari warns you if a certificate is invalid. If a certificate warning appears, don't proceed to the
site. If you continue to the site, your private information can be exposed. If you encounter a
certificate warning, contact the administrator of the site you're attempting to visit and let them
know.
You can also manually check the validity of a certificate. While using Safari, click the lock in the
upper-right corner of the page. A certificate drop-down page appears, and a green check icon
indicates that the certificate can be trusted. You can continue to move up the chain of
certificates, checking their validity and verifying that the green check icon is there.
If a certificate is invalid, the lock icon turns red, and the invalid certificate is marked with a red x
icon.
You can use Certificate Assistant in Keychain Access to evaluate a certificate and determine if it's
genuine. Software that uses certificates, such as a mail application or web browser, usually
evaluates certificates before using them. However, Certificate Assistant lets you evaluate
certificates given to you with a greater amount of control and detail.
To visually validate a certificate using Certificate Assistant:
1. Open Keychain Access from the Utilities folder.
2. Choose Keychain Access > Certificate Assistant > Open.
3. Read the introduction and click Continue.
4. Select View and evaluate certificates then click Continue.
5. Select a trust policy.
For an explanation about the trust policy, click Learn More.
To evaluate an email certificate, select S/MIME (Secure Multipurpose Internet Mail
Exchange) and enter the mail address of the sender.
To evaluate a web server, select SSL (Secure Sockets Layer) and enter the host server's
URL. If you want to ask the host for the certificates, select Ask Host For Certificates.
For any other type of certificate, select Generic (certificate chain validation only).
To evaluate Code Signing, select Code Signing.
6. Click Continue.
7. Click the Add (+) button and select the certificate you want to evaluate. You can add and
evaluate multiple certificates.
To include other certificates from your keychain when evaluating the certificate chain, select
Include certificates from my keychain. For example, if the root and intermediate certificates
for your selected certificate are in your keychain, selecting this button includes them in the
evaluation.
The default certificate evaluated is always the user certificate, or leaf. If the certificate you
want to evaluate is an intermediate or root certificate, click Make Leaf.
Client-side authentication
Some applications or services require a digital certificate to authenticate. Digital certificates can
be stored in a smart card and can also include a photograph of the authorized user to further
protect a certificate from being used by an unauthorized user.
By using a certificate as an authentication and identification method, the service or application
can verify the identity of the person who provided the certificate and ensure it's the same person
who provided the data. The certificate is also signed, in this case by the CA that issued the
certificate.
Managing data communication and execution
Safari and OS X tag every downloaded file with the extended attribute com.apple.quarantine. The
attribute contains information about when and where the file was downloaded. When you
attempt to open a downloaded application, OS X reminds you where it came from before
opening it for the first time, so you can be sure it's legitimate.
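On OS X the attribute value is read with `xattr -p com.apple.quarantine <file>`; the Python below, added here as an example and not from the Apple document, decodes a constructed value offline so the "when" and "where" the text mentions are visible. The field layout it assumes is the commonly observed one (flags as hex, download time as hex seconds since the Unix epoch, the downloading agent, and an identifier that links the file to the agent's download record); it is an assumption, not something the document specifies.

```python
"""Decode a com.apple.quarantine extended-attribute value."""
from datetime import datetime, timezone

# Constructed sample in the shape Safari writes: flags;time;agent;identifier.
# 0x51dea200 seconds since the epoch is 2013-07-11T12:16:00Z.
SAMPLE_VALUE = "0081;51dea200;Safari;0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"


def parse_quarantine(value: str) -> dict:
    """Split the value into its fields; raises ValueError on malformed input."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError("not a com.apple.quarantine value: expected at least 3 fields")
    try:
        flags = int(fields[0], 16)
        downloaded_at = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"malformed flags or timestamp in {value!r}") from exc
    return {
        "flags": flags,                              # raw flag bits, kept as an integer
        "downloaded_at": downloaded_at.isoformat(),  # when the file arrived
        "agent": fields[2],                          # where it came from (the app)
        "identifier": fields[3] if len(fields) > 3 else None,
    }


def describe(value: str) -> str:
    """One-line summary suitable for an inventory or incident note."""
    q = parse_quarantine(value)
    return f"downloaded by {q['agent']} at {q['downloaded_at']} (flags 0x{q['flags']:04x})"


if __name__ == "__main__":
    print(describe(SAMPLE_VALUE))
```

Because the agent and timestamp travel with the file, an administrator triaging a suspicious download can establish its provenance from the file alone, without the original browser history.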
Opening safe files
When Open safe files after downloading is selected in Safari preferences, files that are
considered safe are opened after downloading. These include pictures, movies, sounds, text files,
PDFs, disk images, and ZIP archives.
Before a file is opened, Safari examines the following content factors to verify that the file is safe:
The file extension
The MIME type
What's inside the file
Sometimes malware tries to disguise itself as safe, but OS X checks for signs that indicate this.
If Safari considers that a downloaded file is safe, Safari opens the file after it downloads.
If the downloaded file is an archive (.zip file), Safari decompresses it.
If the downloaded file is a disk image (.img file), Safari mounts the image volume.
Other types of files might not be safe. Applications, scripts, web archives, and archives that
contain applications or scripts can harm your computer. Not all such files are unsafe, but you
should be careful when opening a downloaded file.
Note: Although Safari, Messages, and Mail offer Download Validation for increased security, no
software can detect all potentially dangerous file types.
If Download Validation determines that a downloaded file is unsafe, you're prompted to
download or cancel the download. If you download the file, it's placed in your download location
as configured in Safari preferences. If you cancel, the file isn't saved.
When you attempt to open a quarantined file, the file is also checked for known instances of
malware. If malware is discovered, a warning appears. Click Move to Trash to delete the file. If it's
a disk image, eject the image and delete the source file.
If Download Validation can't determine that a downloaded file is safe, it's stored in your default
download directory in the same way it is when the Open safe files after downloading preference
is disabled. The file has the same name as the original file with .download appended. You
can move the file to the Trash or manually inspect it.
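The three factors listed above (extension, MIME type, and what is inside the file) only mean something when they are checked against each other: a renamed executable has a harmless extension and often a harmless declared type, but its leading bytes give it away. The Python below is an added example, not Safari's Download Validation code, of that cross-check with a small constructed set of magic numbers and safe types; the two sample downloads are built in memory, one an honest PNG and one a Mach-O executable renamed to look like a picture.

```python
"""Cross-check a download's extension, declared MIME type and content bytes."""

# Types the text lists as safe to auto-open (constructed subset): extension -> MIME type.
SAFE_TYPES = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".pdf": "application/pdf", ".zip": "application/zip", ".txt": "text/plain",
}

# Leading bytes of common formats (constructed subset, enough for the samples below).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xcf\xfa\xed\xfe", "application/x-mach-binary"),  # 64-bit Mach-O as stored on disk
    (b"\xca\xfe\xba\xbe", "application/x-mach-binary"),  # fat (universal) Mach-O
    (b"#!", "text/x-script"),                             # shebang: a script, not a text file
]


def sniff(data: bytes) -> str:
    """Guess the content type from the first bytes; plain printable data is text."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text/plain"
    return "application/octet-stream"


def validate_download(filename: str, declared_mime: str, data: bytes) -> dict:
    """Return whether the file may be auto-opened, the sniffed type, and any mismatches."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    by_ext = SAFE_TYPES.get(ext)
    by_content = sniff(data)
    reasons = []
    if by_ext is None:
        reasons.append(f"extension {ext or '(none)'} is not on the safe list")
    if declared_mime != by_ext:
        reasons.append(f"declared type {declared_mime} does not match extension")
    if by_content != by_ext:
        reasons.append(f"content looks like {by_content}, not {by_ext}")
    return {"safe": not reasons, "content_type": by_content, "reasons": reasons}


# Constructed samples: an honest PNG, and an executable renamed to look like a picture.
HONEST_PNG = ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
DISGUISED = ("photo.png", "image/png", b"\xcf\xfa\xed\xfe" + b"\x00" * 16)

if __name__ == "__main__":
    for sample in (HONEST_PNG, DISGUISED):
        print(sample[0], validate_download(*sample))
```

The decision is deliberately conservative: any disagreement between the three factors leaves the file unopened, which matches the text's advice that a file whose safety cannot be established should simply be left on disk for manual inspection.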
Nonsecure forms
Sometimes, forms you complete in Safari are submitted in a nonsecure way to a secure website.
Safari is set to display a message when this is about to happen, so you can prevent the form from
being submitted if you're concerned about the security of your information. For example, if the
protocol being used to send the form doesn't use encryption or uses clear text, Safari will
consider it nonsecure and display a message.
If you don't want to see this message, choose Preferences from the Safari menu and click
Security. Deselect the checkbox labeled Warn when visiting a fraudulent website.
AutoFill
Safari can use information from various sources to complete forms that are on many webpages:
Personal information, such as mailing addresses, email addresses, and phone numbers, is
retrieved from your Address Book card.
Usernames and passwords that you enter on websites are saved in your keychain and retrieved
when you try to log in later. (Some websites don't allow you to save your user name and
password.)
Any other information that you enter on a website is saved in Safari's cache to be reused later.
If you want to customize which information Safari uses to complete web forms, choose
Preferences from the Safari menu and click AutoFill. Then select the items you want Safari to use.
To complete individual fields in a form, select a text box and start typing. If Safari matches saved
information for the field, it finishes entering the text for you. If several items match what you
typed, a menu appears. Press the arrow keys to select the correct item and press Return.
Items that are completed using AutoFill appear in yellow in the webpage. If a website form
includes items that Safari doesn't recognize, you must complete them.
If you enter a user name and password, Safari asks if you want to save the information. Click Yes
to save the name and password. Click Not Now if you don't want to save the information yet.
Click Never for this Website if you don't want to be asked to save the name and password for
the website again.
To change or delete saved user names and passwords or other information, click the Edit button
next to the related checkbox in the AutoFill preferences pane.
Controlling web content
A plug-in is software installed on your computer that provides additional capabilities to
applications. Safari uses plug-ins to handle multimedia content on webpages, such as pictures,
music, and video. For example, the QuickTime Internet plug-in allows Safari to display media
content. To see the plug-ins available to Safari, choose Installed Plug-ins from the Help menu.
You can disable plug-ins by removing them from the /Library/Internet Plug-Ins/ folder.
The Java plug-in is enabled by default and handles Java applets on webpages. If you're not using
Java, disable the Java plug-in.
Some webpages display pop-up windows. For example, a webpage might use a pop-up window
to request your user name or to display ads.
Blocking pop-up windows stops windows that appear when you open or close a page. It doesn't
block pop-up windows that open when you click a link.
If you block pop-up windows, you might miss important information for a webpage.
To disable plug-ins and block pop-ups:
1. Open Safari.
2. Choose Safari > Preferences.
3. Click Security.
4. Deselect Allow all other plug-ins, Allow Java, and Enable JavaScript, and select Block
pop-up windows.
A warning appears explaining information you may miss when you block pop-ups. Click
Block to confirm you want to block pop-ups.
5. Close Safari preferences.
Cookies
A cookie is a small file created by a website to store information. The cookie is stored on your
computer. Cookies are normally helpful and harmless. It's rare to encounter a bad cookie.
When you visit a website that uses cookies, the site asks Safari to put cookies on your computer.
When you return to the site later, Safari sends back the cookies that belong to the site. The
cookies tell the site who you are, so the site can show you information that's appropriate for you.
Cookies store information that identifies you, such as your user ID for a website and your website
preferences. A website has access only to the information you provide. A website can't determine
your mail address unless you provide it. A website can't gain access to other information on your
computer.
When you use the default cookie preferences in Safari, you won't know when Safari is accepting
or sending cookies. You can change your cookie preferences so that Safari doesn't accept
cookies or so it accepts them only from limited sources. These settings can be changed in the
Privacy pane in Safari's preferences.
Securing file downloads
If you navigate to a downloadable file with Safari (for example, by clicking a download link), OS X
provides download validation to warn you about unsafe file types. Cancel the download if you
have doubts about the integrity of the file.
If you download a file by Command-clicking or selecting Download Linked File from a contextual
menu, the download isn't inspected by OS X download validation, and it isn't opened. Inspect
the downloaded file using the Finder. If you were expecting a document and the Finder indicates
that it's an application, don't open the file. Instead, delete it immediately.
When distinguishing between legitimate and malicious applications, the most important
indicator is where you get the file. Only download and install applications from trusted sources,
such as well-known application publishers, authorized resellers, or other well-known distributors.
Use antivirus software to scan files before installing them.
Using instant message security with Messages
You can use Messages to communicate with other Messages users who are members of the same
Messages server. Messages uses Bonjour to find other Messages instances on your local network.
Although Messages can be configured with security, you should disable messaging services unless
your organization requires them.
If your organization runs an internal Messages server, the server can use SSL to certify the identity
of the server and establish secure, encrypted data exchange between a Messages user and the
server. Consider only accepting messages from specific people or from people on your buddy
list. This helps prevent information phishing through Messages.
Messages AV security
When you share your screen with a Messages buddy, the buddy has the same access to your
computer that you have. Share your screen only with trusted parties, and be particularly careful if
you receive a request to share your screen from someone who isn't on your buddy list.
If the request comes from someone in your Bonjour list, remember that the person's name isn't
necessarily accurate, so his or her identity is uncertain. To prevent unauthorized users from
instant messaging you, you can reject their request to send you messages.
Although every screen-sharing connection uses encryption, the highest level of security requires
both participants to have iCloud accounts with encryption enabled or a certificate created by
Certificate Assistant. If this is the case, you'll see a lock icon in the screen-sharing window. To
quickly end a screen-sharing session, press Control-Esc (Escape).
Enabling Messages privacy
To prevent messages temporarily, set your status to Offline or Invisible, or log out by choosing
Messages > Log Out.
You can also specify that messages from specific people be blocked or allowed. Blocked people
can't send you messages or see when you're online.
To block people:
1. Choose Messages > Preferences and then click Accounts.
2. Select the account you want to set privacy options for.
iMessage, Bonjour, and Jabber accounts don't have privacy options.
3. Click Privacy.
4. From the Privacy Level list, select an option.
If you select Allow specific people, click the Edit List button, click the Add (+) button, and
then enter the names or IDs for those you want to allow. Anyone not added to the list is
blocked.
If you select Block specific people, click the Edit List button, click the Add (+) button, and
then enter the names or IDs for those you want to block. Anyone not on the list is allowed.
To quickly add a person to the list of blocked people, click the Block button that appears in
the message window when you get a message from that person.
You can't see or send messages to people you have blocked.
For more information, open Messages Help and search for security.
Resources
Security website
The Apple security website offers a section dedicated to the security of Apple products:
https://ssl.apple.com/support/security/
At this website, you'll find valuable security-related information, including:
Securely communicating with Apple
PGP key information
Checking security in your system
Security notifications
Collaboration with other security groups
Apple Web Server Notifications
Security configuration guides
Apple maintains a list of security configuration guides to aid administrators of
OS X and OS X Server. These guides are the byproduct of collaborative review and vetting with
the National Security Agency. They include best practices, checklists, scripts, and in-depth analysis
on the security architecture and components. The guides are available to the general public and
can be downloaded from the following sources:
http://www.apple.com/support/security/guides
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#AppleMac
Security updates
Each Apple security update is posted on the Apple Support website at
http://support.apple.com/kb/HT1222. Click the link for each update to view a description and
the corresponding CVE IDs referencing the vulnerabilities patched by that update.
Updates are also distributed through Apple's software update server.
Security updates downloaded from either of these sources are signed using Apple's product
security PGP key. See How to use the Apple Product Security PGP Key for more information
about this key and its use.
Technical white papers
http://training.apple.com/osx
Support resources
http://www.apple.com/support/osx/security/