Secure yourSnow Leopard

Benjamin Stanley

CertifiedTrainer

Mac OS X StructureUser Experience

Aqua Dashboard Spotlight Accessibility

Application Frameworks

Cocoa Carbon Java

Darwin

Graphics and Media

OpenGL Quartz Core Audio

Core Animation Core Image Core Video QuickTime

Structure of OSSafer BrowsingSystem Prefs that help with securityManaged prefs from serverKeychainHardware securityAVand a little about mobile

1

It helps to understand a little how the system is structuredDarwin Open Source kernel with user layers on top.Some separation between core OS and application space give us some security

2

Mac OS X Structure

Mac OS X Structure

In the file systemusers stuff and system stuff are separateusers only have access to their things - administrator needed for /Library and /System

3

There are actually more items than shown. MacOS X has two ways to hide filesStart the name with a full stop .or set an extended attribute called hidden - done via the terminal and the chflags commandDS_Store Desktop Services Store holds folder settings.Trashes holds trashed items!

4

Mac OS X Structure

• System Administrator (root)

• Administrator

• Standard

• Guest

• Sharing

sudo

Mac OS X Structure

Root cannot login by defaultDirectory Utility to enable and disable root user.sudo for an admin user to be root for a bit (5 mins)standard users see stuff lockedguest login must be enabled - home folder deleted at logoutsharing users only for remote access - no home so no login5

Look at Login Options1. Auto Login2. Login Window display3. Join a directory

6

Mac OS X Structure

• Directory

• Local

• Connected

• OD

• AD

• eDirectory

Mac OS X Structure

• Binding to AD

• Where is home?

• Local is good

• sync at logout

Need to think about where our users are locatedAlways a Local Datastore for local usersOpen Directory is our name for all directory stuffWe can connect to an other directory: AD, OD, eDirectory, any LDAP datasource

7

If we are binding to AD for Authentication....We use Directory Utility or Accounts System Preferencewhere is the home located?mobile account can cause sync issuesbest to keep things local and sync at logout

8

Mac OS X Structure

• Users on AD

• Permissions managed via OD

Safer Browsing

Ideal set up is to leave users on AD and manage through ODToday we will focus on local stuff - things are very similar when connected to OD

9

Safari 5 - ultra modern web browserHTML5 CSS3uses WebKit (apple invented) used by Google Android, Nokia Series 60, Palm WebOS, Google ChromeAntiphishing and malware technology

10

Safer Browsing

Safer Browsing

Lets have a look at Safari PreferencesOpen Safe files after downloading - turn off?Supports the Windows Attachment Monitor to notify AV software that a file has been downloaded and can prompt a scan of the downloaded file!

11

All downloads are tagged so Mac OS X knows where the files were obtained from.The website time and date, just get info on a downloaded file to see this.

12

Safer Browsing

safebrowsing.clients.google.com

Safer Browsing

Bank emails that contain links are often dubiousany links that are listed in the antiphishing list are flagged when the user access themPhishing websites are detected and a warning displayed.

13

Cookies should be set to only be accepted from the current domain. Some people object to being tracked so will disable cookies completely.Setting this to never may cause issues with VLE or school management tools.

14

Safer Browsing

Safer Browsing

You may be surprised to see how many sites use cookies to store user information and how long they will be kept as a record of your browsing history.Of course the remove button will tidy this list up.Cookies are stored in the Users Library folder in a folder called Cookies as a Property list file.~/Library/Cookies/Cookies.plist

15

Cookies and other browsing information can be cleared by choosing to Reset Safari from the Safari application menu.Choose what to reset then click Reset

16

System Preferences

Security

• Lock Screen

• Parental Controls

• Managed Preferences

We are going to look atSecurityParental Controls (local managed prefs)SharingSpotlight Hiding System Preferences

17

Security PreferencesRequire password Disable auto loginLog out after x minutes, problem with unsaved docs - demo on next slide

18

Security

Security

• Lock Screen

• Parental Controls

• Managed Preferences

Bit of an issue if documents are not saved/closedUser education is needed.

19

FileVault is for securing home foldersStrong 256-bit AES (Advanced Encryption Standard) encryptionMaster password must be set as a safety net in case user forgets password

20

Security

Parental Controls

Firewall - application level - easy for users, a fairly automatic process.When opening an app that needs net access user is asked to allow or deny.Enabling Stealth Mode stops ICMP (Internet Control Message Protocol) responses.

21

Parental Controls - Think of these as Local managed preferencesWe can choose what applications and access to hardware the user has.Simple Finder is useful and secure, but will quickly get in the way for advanced users.

22

Parental Controls

Sharing

Parental Controls - Think of these as Local managed preferencesContent filtering, dictionary and webWebsites can be specified on an allow and deny list

23

Mac OS X can share all sorts of things, hardware, connections, files, services, host.It is a good idea to turn off what isn’t required.Restrict access to certain users or groups for services you do enable.

24

Sharing

Sharing

for exampleWith remote login which gives command line access to the machine over the network using SSH we should restrict this to admin users only.

25

Selecting file sharing turns on AFP. Notice all public folders for local users are shared as read only (a drop box inside allows write only)To share via SMB, turn it on and enter password! stores as NTLMv2 for windows users

26

Spotlight Privacy

Software Update

Spotlight is our searching and indexing serviceIndexes everything, file names, contents, all metadataChoose what is shown in the results list Control what isn’t included in the Spotlight indexMight be worth adding USB sticks with confidential data to the privacy list so they are never indexed. Index is stored 27

Software updates from Apple for the OS and Apple softwareYou may want to disable auto checking and deploy manuallyAll updates now delivered with a certificate.Run your own software update server to mirror the updatesSecurity updates delivered as required, no release schedule (patching Tuesday)28

Network

Hide System Prefs

• Can lock

• Grey icon if managed

• Move to hide

• /System/Library/PreferencePanes

Good idea to disable network ports that are not needed.Just select the port and choose Make service inactive from the Action menu

29

We know can lock system prefsThrough managed preferences we can deny accessbut it may be better to hide them?

30

Hide System Prefs

Hide System Prefs

take accounts for example

31

if we trash it

32

Hide System Prefs

• Remove rather than hide

• /System/Library/PreferencePanes

Hide System PrefsAccounts.prefPane

it disappears!Not the best way

33

Bit silly to do that, so...Would be better to move to /Users/LocalAdminUser/Library/PreferencePanesso only that user can access

34

Managing Preferences

Managing Preferences

Talk about server side preference managementMore control over who can do whatControl from a central location - a Mac OS X server

35

Here’s what we haveLots of things to control and at various levelsuser, workgroup, computer and computer group

36

Managing Preferences

Managing Preferences

managed Finder preferencescontrol what users can access and what is show on the desktopSimple Finder gives minimal access

37

managed Finder commandsCommands to access other stuff can be de-activated

38

Managing Preferences

Managing Preferences

managed Media Access preferencesSelect what physical and virtual storage can be used.Block USB stick access or set to require authentication.

39

managed System Preferences preferencesHide system prefs from view - sensible

40

Keychain

Keychain

41

Stores passwords and other information securelyLogin.keychain is locked with the same password as the users account, unlocks on loginKeychain Access is the program to look after the keychainAny time the user clicks “Remember” password is stored in keychain

42

Keychain

Secure Erase & Format

Keychain Access preferences allow us to Lock the screen. Like turning on a screen saver and asking for password on wake

43

Empty trash from finder menuSecure empty trash like a 7 pass eraseCan use Disk Utility to erase free space, 7 pass or 35 pass!

44

Securing the Hardware

• Firmware Password

• utility on the Snow Leopard DVD

• via Deploy Studio script

• through Apple Remote Desktop

• Knowledge Base article HT1352

Securing the Hardware

Firmware password - set from a utility on the DVDRequests password if any keys held at startupDeployStudio post image task

http://support.apple.com/kb/HT1352http://developer.apple.com/samplecode/ApplyFirmwarePassword/

45

All macs (except macbook air and new mini) have a Kensington compatible lock slotMacPro has a side panel lock to restrict internal access

46

Anti-virus or not?

Anti-virus or not?

• Malware, Trojan or Virus

• RSPlug-F

• Leap-A

• Boonana

With any virus a glass of whisky or lemon and honey often help!

47

Current level of risk is minimal, arguably negligible, but real.Malware is in existence, and can do some nasty stuff.Remember system/user are separate - anything that asks for admin rights should be treated with respect.RSPlug-F - changes DNS settingsLeap-A OompaLoompa! application dressed as an image (no effect on standard user account)We should be nice to other computer users on our network - our mac could be a gateway in 48

Anti-virus or not?

Anti-virus or not?

Solutions availableIntego Virus BarrierMcAfee VirusScan for MacNorton for Mac 11 - Available as part of your Symantec package purchasable from RMClamXav - free open source solutionSophosWhatever you choose keep it up to date

49

Sophos have an iPhone app to show current threats, free from App StoreAnti-virus conclusion...minimal threat, run something just in case to protect your network - good idea to run something server side.

50

Mobile Security

Mobile Security

Snow Leopard has been our main topic todayBut think about security on mobile devices as their use becomes more widespread

51

iPod and iPad can be secured.Restrictions can be put in place for all iOS devices, restrictions hidden behind a passcode.Virus even less of an issue as all apps checked.

52

Training

AuthorisedTraining Centre

Thank youAny questions?

Benjamin Stanleyben@trilby.co.uk

slides and notes online from 3rd December

RM have a national training provider with NTIAuthorised Apple Training Centre delivering accredited, certified Apple coursesSnow 101 for client, Snow 201 for server, 301, 302, 303 for Deployment, Directory and Security & Mobility

53

We’ve covered a lot todayStructure of OS, Safer Browsing, System Prefs that help with securityManaged prefs from server, Keychain, Hardware security, AVand a little about mobileAny questions?

54