Basic OS X Hardening

apple-logo.jpgBasic computer setup and security compiled for Mac OS X 10.3 (Panther), 10.4 (Tiger), and 10.5 (Leopard)

I spend a lot of time with computers… it’s my job. Most of the time, people worry about patching up their Windows machines — and for good reason! Similar to our (slightly dated) Windows Security Guide, the purpose of this page here is to list the steps for securing a Mac OS X computer, including commands for lab managers and network admins who have to manage a large number of these computers. In the last week, there have been 3 security exploits / viruses for OS X. No OS is completely secure! So it begins…

4 simple things you can do to protect your computer

1. For everyday use, run as a limited user!

I don’t care if you rigged an election, aggressively invaded a foreign country, or slept with an intern — you simply don’t need to run as the Admin of your computer, no matter what OS you use! If you just bought your Apple computer, don’t let their glitzy setup fool you! It’ll ask for your name and and password, but this is to setup the Admin account, and it should be treated accordingly. After you’ve set up the Admin account, you can always go back to System Preferences and add a standard account for everyday use.

Trust me. You don’t want the computer booting automatically into an account with full Admin privileges. If nothing else, it’s far, far easier to find and backup all your files if you’re running as a limited user; all your files will all be in your home directory. If you’re Admin… who knows where you could have stashed them… good luck finding them all. What if you already set up your account, and whoops! It’s an admin account? What do you do? In Mac OS X, changing this is really easy. I appreciate the ease of it because this same thing is a holy pain in the arse on Windows.

I’m assuming you’ve got one account on your computer and it’s an admin account. Go to the Apple Menu → System Preferences, and open up the Accounts panel. Click the (+) to add an account, and check the box to let that user “Administer this computer.” You are temporarily creating a second admin account. Be sure you give it a good password and that you remember it! It’s the ultimate in rookie computing to forget your admin password.

Now, log out. Don’t just do a fast user switch. Log out completely, then log into the new admin account you just created. Go back to System Preferences → Accounts, and find your original user. Uncheck the box for that account that allows it to administer the computer. Poof. You’ve now changed your regular account into a limited user account and you’ve created a new admin account that you’ll hardly ever use. That’s the point: only use the admin account when you absolutely need to.

2. Turn ON your Firewall!

It’s under System Preferences → Sharing. Microsoft got ridiculed for shipping Windows with this turned off, and Apple should be next in line for a kick to the groin. If you need to open a port for some service, that’s always possible later, but TURN IT ON AND LEAVE IT ON.

3. Turn ON Automatic updates!

If you are the only person using your computer, and you are its administrator, you should turn this feature on by going to the Apple Menu, System Prefs, and find the Software Update panel. Check the box so this runs, preferably DAILY, if your internet connection can handle it.

4. Turn OFF “Open ‘Safe’ Files After Downloading”

The most recent security hole (as of this writing) exploits the fact that many people leave this checked. Go to the Safari menu → Preferences, and on the General tab, uncheck this box. That will prevent any nasty code from auto-executing.

This particular hole is not so much a problem if you are running as a limited user because the malicious code executes with the privileges of the current logged-in user. A limited user can’t do that much damage, but your computer can be completely hosed if you were dumb enough to be logged in as an admin.

Oh, and one more thing – Block Pop-ups in Safari! Again, why the @#$& this isn’t turned on by default, I don’t know, but there’s no reason to let those maggot-sucking, pop-up-producing advertisers ruin your browsing.