
Mac OS X Security for Administrators: Lockdown

January 19, 2009

In 1984, I was introduced to my first home computer: a Macintosh. It was straightforward, easy to use and fit neatly on my desk. I pretty much used Mac through most of my life until I got into security.

It was then that I realized that most issues were related to and targeted at Windows and *Nix environments. These were also the main enterprise platforms so, naturally, I turned my attention in that direction.

Today, I get to enjoy life on a MacBook Pro, but this time it is within a corporation. Which got me to thinking…

What about corporate security for OS X? Where does it fit into the picture?

This is the first in a series of articles about Mac OS X security requirements, setup and configuration to the point of cloning lots of OS X systems to ensure that standardization is met across the corporation for those systems.

OS X Today

Originally, Apple's OS (Mac OS 1.x – 9.x) was tightly tied to Apple hardware, except for the short period in the mid-90s when Apple licensed third-party hardware vendors. This created a relatively closed system with few vulnerabilities. Part of this was also due to a smaller audience and a dedicated network type (AppleTalk) until the Internet blossomed.

There were a few viruses and minor compromises but these often paled compared to what Windows experienced. It wasn’t unusual for Mac environments to go without firewalls or anti-virus because hacking incidents and malware were so rare that it made little sense to spend resources on them.

With the advent of OS X, and its history steeped in NeXT and BSD, the possibility of attack widened a bit. The advantage was that both had historically maintained strong security, so OS X had a good heritage from the start. A basic example: any installation requires admin rights, and not every user on the desktop has them, which reduces the chance of poor software getting installed.

Nonetheless, basing the 10th version of the Mac OS (a.k.a. OS X) on BSD opened the floodgates for more applications and more kernel-level activity, and with it the potential for breaking systems. So there is more need to be careful about what is done on a Mac now than when I bought my Quadra 650, the first Mac I paid for with my own cash.

Locking Down OS X

One of the first things I had to do was lock the system down. The NSA certainly has a guide but it was a bit dated given that it was written in early 2007 so I opted instead to look at Corsaire’s White Paper on Securing OS X Leopard (10.5).

It’s interesting to note that Apple got OS 10.3.6 EAL 3+ certified (if you install the Common Criteria tools) but doesn’t seem to have 10.5 on the roadmap for certification – they may be waiting until the next big release to do so.

So my first task would be to install this.

I decided to check it out first to see what adjustments this would make to the system. I downloaded the tools for OS 10.5.x and installed them. I then went through the guide that indicated how to perform adjustments.

Although the guide was written for 10.3.6 (Panther), it's pretty much valid for Tiger and Leopard.

For Leopard, some of the items were already adjusted prior to installing the Common Criteria tools, like the removal of OS 9. But there were a few steps that needed doing.

Some of them are obvious but sometimes forgotten since they are the simplest of settings to be done. Time to fire up the command line interface (CLI), which can be found in the Applications folder -> Terminal.

  • Raise the minimum password length. CLI: pwpolicy -n /NetInfo/DefaultLocalNode -setglobalpolicy "minChars=x", where x is the minimum number of characters (the /NetInfo/DefaultLocalNode node name comes from the Panther/Tiger guide; Leopard dropped NetInfo and its local directory node is /Local/Default).

  • Configure the secure shell daemon by editing /etc/sshd_config with sudo vi /etc/sshd_config (pretty much all major CLI work will require sudo).

  • Disable password hints by setting RetriesUntilHint to 0. CLI: sudo vi /Library/Preferences/com.apple.loginwindow.plist (on Leopard this file is a binary plist, so sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 is the practical way to make the change).

  • The following modifications can be made in System Preferences:

    • Security pane: require a password to wake from sleep or unlock the screen saver; disable automatic login.

    • Desktop & Screen Saver pane: enable the screen saver and have it start after a period of idle time (say 5-15 minutes).

    • CDs & DVDs pane: disable the automatic actions for music and picture CDs as well as video DVDs.

    • Sharing pane: disable all sharing services. Accounts pane: remove any automatic login option, remove the Sleep, Restart and Shut Down buttons from the login window, and deselect fast user switching.

    • Set a firmware password and remove the ability to boot from other media by turning on the Open Firmware password (Intel Macs use EFI and the Firmware Password Utility instead).

  • Enable auditing by adding AUDIT=-YES- to /etc/hostconfig (sudo vi /etc/hostconfig).
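To confirm that the hand edits above actually took, here is a small audit script for the three files the checklist touches. It is an added example, not code from the article, Corsaire or the Common Criteria tools; the two sshd_config keywords it tests (PermitRootLogin, Protocol) are assumed hardening values, since the article does not list any, and the sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the article, Corsaire or the Common Criteria guide):
# audits the text of the three files the checklist edits by hand. Samples are
# constructed below so it runs on any POSIX sh; on a Leopard box point the
# functions at /etc/hostconfig, /etc/sshd_config and an XML export of the
# login window plist (plutil -convert xml1 -o - FILE). The sshd keywords
# checked are assumed hardening values; the article does not name any.
# Pass when AUDIT=-YES- is present and not commented out.
check_hostconfig() {
    grep -Eq '^[[:space:]]*AUDIT=-YES-' "$1"
}

# Print the value of the first line for KEY (sshd honours the first occurrence).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Pass when root SSH login is off and only protocol 2 is offered (assumed values).
check_sshd() {
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(sshd_value "$1" Protocol)" = "2" ]
}

# Pass when RetriesUntilHint is 0 in the XML plist, i.e. hints are never shown.
check_hints() {
    tr -d ' \t\n' < "$1" | grep -q '<key>RetriesUntilHint</key><integer>0</integer>'
}

# Constructed samples: a stock-looking "weak" set and a locked-down "hard" set.
SAMPLES=$(mktemp -d)
printf '%s\n' 'AFPSERVER=-NO-' '#AUDIT=-YES-' > "$SAMPLES/hostconfig.weak"
printf '%s\n' 'AFPSERVER=-NO-' 'AUDIT=-YES-'  > "$SAMPLES/hostconfig.hard"
printf '%s\n' '#PermitRootLogin yes' 'Protocol 2,1' > "$SAMPLES/sshd.weak"
printf '%s\n' 'Protocol 2' 'PermitRootLogin no'    > "$SAMPLES/sshd.hard"
printf '%s\n' '<dict>' ' <key>RetriesUntilHint</key>' ' <integer>3</integer>' '</dict>' > "$SAMPLES/login.weak"
printf '%s\n' '<dict>' ' <key>RetriesUntilHint</key>' ' <integer>0</integer>' '</dict>' > "$SAMPLES/login.hard"

# Run every check against every sample; returns the number of failed checks.
run_audit() {
    fails=0
    for pair in "check_hostconfig hostconfig" "check_sshd sshd" "check_hints login"; do
        set -- $pair
        for v in weak hard; do
            if "$1" "$SAMPLES/$2.$v"; then echo "PASS $2.$v"; else echo "FAIL $2.$v"; fails=$((fails + 1)); fi
        done
    done
    return "$fails"
}
run_audit; echo "failed checks: $?"   # the three weak samples fail, the three hard ones pass
```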

Once the lockdown is finished, an nmap scan gives a clearer picture of the results.

It’s not an accurate scan in this case because I performed it from localhost to localhost, but when scanning another OS X machine, this makes it easier. Using the basic scan (nmap localhost), I did find tcp port 631 (Internet Printing Protocol) open.

Ah-ha!

That’d be my networked Samsung CLP-610 printer. I go to System Preferences and ensure that I don’t have printer sharing on. This port is open so I can see how much ink is left on the printer, what its status is, IP address if changed, etc. It allows me to manage the printer remotely, although I’ve yet to find the virtual paper loader.

A more intensive scan (nmap -sV -v -v -v -v -v -v -v -v -v -v -PS -O --packet-trace -sS -PP -PM localhost) attempts all ports and provides 100% OS detection (as seen in the screen above). And yet, it still has just the one port open: tcp 631.

Not bad!

In future articles, I’ll take a look at software firewall options for OS X since a lot of users are being given nifty MacBooks and MacBook Pros to lug about airports. I’ll also look at some of the wireless sniffing options.

Even though the history of the Mac has been solid from a security standpoint, and it remains relatively solid today, that doesn’t mean we should rest on our laurels.

This article was first published on EnterpriseITPlanet.com.
