Secure yourSnow Leopard

Benjamin Stanley

CertifiedTrainer

1

Structure of OSSafer BrowsingSystem Prefs that help with securityManaged prefs from serverKeychainHardware securityAVand a little about mobile

Mac OS X Structure

This chapter provides a high-level introduction to Mac OS X, describing its overall architecture and developmenttools support. The goal of this chapter is to orient you to the Mac OS X operating system and to give you areference point from which to explore the available tools and technologies described throughout thisdocument. Developers who are already familiar with the Mac OS X system architecture and technologiesmay want to skip this chapter.

Note: For a listing of commonly used Mac OS X terms, see “Glossary” (page 159).

A Layered Approach

The implementation of Mac OS X can be viewed as a set of layers. At the lower layers of the system are thefundamental services on which all software relies. Subsequent layers contain more sophisticated servicesand technologies that build on (or complement) the layers below. Figure 1-1 provides a graphical view ofthis layered approach, highlighting a few of the key technologies found in each layer of Mac OS X.

Figure 1-1 Layers of Mac OS X

User Experience

Aqua Dashboard Spotlight Accessibility

Application Frameworks

Cocoa Carbon Java

Darwin

Graphics and Media

OpenGL Quartz Core Audio

Core Animation Core Image Core Video QuickTime

The bottom layer consists of the core environment layer, of which Darwin is the most significant component.Darwin is the name given to the FreeBSD environment that comprises the heart of Mac OS X. FreeBSD is avariant of the Berkeley Software Distribution UNIX environment, which provides a secure and stable foundationfor building software. Included in this layer are the kernel environment, device drivers, security support,interprocess communication support, and low-level commands and services used by all programs on thesystem. Besides Darwin, this layer contains several core services and technologies, many of which are simplyhigher-level wrappers for the data types and functions in the Darwin layer. Among the available core services

A Layered Approach 172008-10-15 | © 2004, 2008 Apple Inc. All Rights Reserved.

CHAPTER 1

Mac OS X System Overview

2

It helps to understand a little how the system is structuredDarwin Open Source kernel with user layers on top.Some separation between core OS and application space give us some security

Mac OS X Structure

3

In the file systemusers stuff and system stuff are separateusers only have access to their things - administrator needed for /Library and /System

Mac OS X Structure

4

There are actually more items than shown. MacOS X has two ways to hide filesStart the name with a full stop .or set an extended attribute called hidden - done via the terminal and the chflags commandDS_Store Desktop Services Store holds folder settings.Trashes holds trashed items!

Mac OS X Structure

• System Administrator (root)

• Administrator

• Standard

• Guest

• Sharing

sudo

5

Root cannot login by defaultDirectory Utility to enable and disable root user.sudo for an admin user to be root for a bit (5 mins)standard users see stuff lockedguest login must be enabled - home folder deleted at logoutsharing users only for remote access - no home so no login

Mac OS X Structure

6

Look at Login Options1. Auto Login2. Login Window display3. Join a directory

Mac OS X Structure

• Directory

• Local

• Connected

• OD

• AD

• eDirectory

7

Need to think about where our users are locatedAlways a Local Datastore for local usersOpen Directory is our name for all directory stuffWe can connect to an other directory: AD, OD, eDirectory, any LDAP datasource

Mac OS X Structure

• Binding to AD

• Where is home?

• Local is good

• sync at logout

8

If we are binding to AD for Authentication....We use Directory Utility or Accounts System Preferencewhere is the home located?mobile account can cause sync issuesbest to keep things local and sync at logout

Mac OS X Structure

• Users on AD

• Permissions managed via OD

9

Ideal set up is to leave users on AD and manage through ODToday we will focus on local stuff - things are very similar when connected to OD

Safer Browsing

10

Safari 5 - ultra modern web browserHTML5 CSS3uses WebKit (apple invented) used by Google Android, Nokia Series 60, Palm WebOS, Google ChromeAntiphishing and malware technology

Safer Browsing

11

Lets have a look at Safari PreferencesOpen Safe files after downloading - turn off?Supports the Windows Attachment Monitor to notify AV software that a file has been downloaded and can prompt a scan of the downloaded file!

Safer Browsing

12

All downloads are tagged so Mac OS X knows where the files were obtained from.The website time and date, just get info on a downloaded file to see this.Phishing websites are detected and a warning displayed.

Safer Browsing

13

Cookies should be set to only be accepted from the current domain. Some people object to being tracked so will disable cookies completely.Setting this to never may cause issues with VLE or school management tools.

Safer Browsing

14

You may be surprised to see how many sites use cookies to store user information and how long they will be kept as a record of your browsing history.Of course the remove button will tidy this list up.Cookies are stored in the Users Library folder in a folder called Cookies as a Property list file.~/Library/Cookies/Cookies.plist

Safer Browsing

15

Cookies and other browsing information can be cleared by choosing to Reset Safari from the Safari application menu.Choose what to reset then click Reset

System Preferences

16

We are going to look atSecurityParental Controls (local managed prefs)SharingSpotlight Hiding System Preferences

Security

• Lock Screen

• Parental Controls

• Managed Preferences

17

Security PreferencesRequire password Disable auto loginLog out after x minutes, problem with unsaved docs - demo on next slide

Security

18

Bit of an issue if documents are not saved/closedUser education is needed.

Security

• Lock Screen

• Parental Controls

• Managed Preferences

19

FileVault is for securing home foldersStrong 256-bit AES (Advanced Encryption Standard) encryptionMaster password must be set as a safety net in case user forgets password

Security

20

Firewall - application level - easy for users, a fairly automatic process.When opening an app that needs net access user is asked to allow or deny.Enabling Stealth Mode stops ICMP (Internet Control Message Protocol) responses.

Parental Controls

21

Parental Controls - Think of these as Local managed preferencesWe can choose what applications and access to hardware the user has.Simple Finder is useful and secure, but will quickly get in the way for advanced users.

Parental Controls

22

Parental Controls - Think of these as Local managed preferencesContent filtering, dictionary and webWebsites can be specified on an allow and deny list

Sharing

23

Mac OS X can share all sorts of things, hardware, connections, files, services, host.It is a good idea to turn off what isn’t required.Restrict access to certain users or groups for services you do enable.

Sharing

24

for exampleWith remote login which gives command line access to the machine over the network using SSH we should restrict this to admin users only.

Sharing

25

Selecting file sharing turns on AFP. Notice all public folders for local users are shared as read only (a drop box inside allows write only)To share via SMB, turn it on and enter password! stores as NTLMv2 for windows users

Spotlight Privacy

26

Spotlight is our searching and indexing serviceIndexes everything, file names, contents, all metadataChoose what is shown in the results list Control what isn’t included in the Spotlight indexMight be worth adding USB sticks with confidential data to the privacy list so they are never indexed. Index is stored in .Spotlight-V100 at the root.

Software Update

27

Software updates from Apple for the OS and Apple softwareYou may want to disable auto checking and deploy manuallyAll updates now delivered with a certificate.Run your own software update server to mirror the updatesSecurity updates delivered as required, no release schedule (patching Tuesday)

Network

28

Good idea to disable network ports that are not needed.Just select the port and choose Make service inactive from the Action menu

Hide System Prefs

• Can lock

• Grey icon if managed

• Move to hide

• /System/Library/PreferencePanes

29

We know can lock system prefsThrough managed preferences we can deny accessbut it may be better to hide them?

Hide System Prefs

30

take accounts for example

Hide System Prefs

31

if we trash it

Hide System Prefs

• Remove rather than hide

• /System/Library/PreferencePanes

32

it disappears!Not the best way

Hide System PrefsAccounts.prefPane

33

Bit silly to do that, so...Would be better to move to /Users/LocalAdminUser/Library/PreferencePanesso only that user can access

Managing Preferences

34

Talk about server side preference managementMore control over who can do whatControl from a central location - a Mac OS X server

Managing Preferences

35

Here’s what we haveLots of things to control and at various levelsuser, workgroup, computer and computer group

Managing Preferences

36

managed Finder preferencescontrol what users can access and what is show on the desktopSimple Finder gives minimal access

Managing Preferences

37

managed Finder commandsCommands to access other stuff can be de-activated

Managing Preferences

38

managed Media Access preferencesSelect what physical and virtual storage can be used.Block USB stick access or set to require authentication.

Managing Preferences

39

managed System Preferences preferencesHide system prefs from view - sensible

Keychain

40

Keychain

41

Stores passwords and other information securelyLogin.keychain is locked with the same password as the users account, unlocks on loginKeychain Access is the program to look after the keychainAny time the user clicks “Remember” password is stored in keychain

Keychain

42

Keychain Access preferences allow us to Lock the screen. Like turning on a screen saver and asking for password on wake

Secure Erase & Format

43

Empty trash from finder menuSecure empty trash like a 7 pass eraseCan use Disk Utility to erase free space, 7 pass or 35 pass!

Securing the Hardware

• Firmware Password

• utility on the Snow Leopard DVD

• via Deploy Studio script

• through Apple Remote Desktop

• Knowledge Base article HT1352

44

Firmware password - set from a utility on the DVDRequests password if any keys held at startupDeployStudio post image task

http://support.apple.com/kb/HT1352http://developer.apple.com/samplecode/ApplyFirmwarePassword/

Securing the Hardware

45

All macs (except macbook air and new mini) have a Kensington compatible lock slotMacPro has a side panel lock to restrict internal access

Anti-virus or not?

46

With any virus a glass of whisky or lemon and honey often help!

Anti-virus or not?

• Malware, Trojan or Virus

• RSPlug-F

• iWorkS-A

• Leap-A

47

Current level of risk is minimal, arguably negligible, but real.Malware is in existence, and can do some nasty stuff.Remember system/user are separate - anything that asks for admin rights should be treated with respect.RSPlug-F - changes DNS settingsLeap-A OompaLoompa! application dressed as an image (no effect on standard user account)We should be nice to other computer users on our network - our mac could be a gateway in from a USB stick.

Anti-virus or not?

48

Solutions availableIntego Virus BarrierMcAfee VirusScan for MacNorton for Mac 11ClamXav - free open source solutionSophosWhatever you choose keep it up to date

Anti-virus or not?

49

Sophos have an iPhone app to show current threats, free from App StoreAnti-virus conclusion...minimal threat, run something just in case to protect your network - good idea to run something server side.

Mobile Security

50

Snow Leopard has been our main topic todayBut think about security on mobile devices as their use becomes more widespread

Mobile Security

51

iPod and iPad can be secured.Restrictions can be put in place for all iOS devices, restrictions hidden behind a passcode.Virus even less of an issue as all apps checked.

Training

AuthorisedTraining Centre

52

RM have a national training provider with NTIAuthorised Apple Training Centre delivering accredited, certified Apple coursesSnow 101 for client, Snow 201 for server, 301, 302, 303 for Deployment, Directory and Security & Mobility

Thank youAny questions?

Benjamin Stanleyben@trilby.co.uk

53

We’ve covered a lot todayStructure of OS, Safer Browsing, System Prefs that help with securityManaged prefs from server, Keychain, Hardware security, AVand a little about mobileAny questions?