Apple has released “Mac OS X Security Configuration For Version 10.5 Leopard” a 240-page guide which provides instructions and recommendations for securing Mac OS X version 10.5 or later, and for maintaining a secure computer.
Mac OS X v10.5 offers the following major security enhancements:
• Better Trojan horse protection. Mac OS X v10.5 marks files that are downloaded to help prevent users from running malicious downloaded applications.
• Stronger runtime security. New technologies such as library randomization and sandboxing help prevent attacks that hijack or modify the software on your system.
• Easier network security. After you’ve activated the new Mac OS X v10.5 application firewall, it configures itself so you get the benefits of firewall protection without needing to understand the details of network ports and protocols.
• Improved secure connectivity. Virtual private network (VPN) support has been enhanced to connect to more of the most popular VPN servers—without additional software.
• Meaningful security alerts. When users receive security alerts and questions too frequently, they may fall into reflexive mode when the system asks a security-related question, clicking OK without thought. Mac OS X v10.5 minimizes the number of security alerts that you see, so when you do see one, it gets your attention.
Apple’s “Mac OS X 10.5 Leopard Security Configuration” guide includes the following chapters:
• Chapter 1, “Introduction to Mac OS X Security Architecture,” explains the infrastructure of Mac OS X. It also discusses the layers of security in Mac OS X.
• Chapter 2, “Installing Mac OS X,” describes how to securely install Mac OS X. The chapter also discusses how to securely install software updates and explains permissions and how to repair them.
• Chapter 3, “Protecting System Hardware,” explains how to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect users of the computer.
• Chapter 4, “Securing Global System Settings,” describes how to secure global system settings such as firmware and Mac OS X startup. There is also information on setting up system logs to monitor system activity.
• Chapter 5, “Securing Accounts,” describes the types of user accounts and how to securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication.
• Chapter 6, “Securing System Preferences,” describes recommended settings to secure Mac OS X system preferences.
• Chapter 7, “Securing Data and Using Encryption,” describes how to encrypt data and how to use Secure Erase to verify that old data is completely removed.
• Chapter 8, “Securing System Swap and Hibernation Storage,” describes how to secure your system swap and hibernation space of sensitive information.
• Chapter 9, “Avoiding Multiple Simultaneous Account Access,” describes how to avoid fast user switching and local account access to the computer.
• Chapter 10, “Ensuring Data Integrity with Backups,” describes the Time Machine architecture and how to securely backup and restore your computer and data.
• Chapter 11, “Information Assurance with Applications,” describes how to protect your data while using Apple applications.
• Chapter 12, “Information Assurance with Services,” describes how to secure your computer services. It also describes how to protect the computer by securely configuring services.
• Chapter 13, “Advanced Security Management,” describes how to use security audits to validate the integrity of your computer and data.
• Appendix A, “Security Checklist,” provides a checklist that guides you through securing your computer.
• Appendix B, “Security Scripts,” provides a script template for creating a script to secure your computer.
In addition, the Glossary defines terms you’ll encounter as you read the guide.
Apple’s “Mac OS X Security Configuration For Version 10.5 Leopard” guide (3.4MB, .pdf) is here.
Microsoft is reported to be in the process of releasing their security guide. They are keeping it very simple. It’s one sentence and is believed to say, “If you’re serious about security then buy a Mac.”
the security manual for WIndows is much simpler…
do not turn this machine on ever
Step 1 – turn on firewall.
Step 2 – don’t install Winblows.
Step 3 – enjoy your Mac.
“Meaningful security alerts. When users receive security alerts and questions too frequently, they may fall into reflexive mode when the system asks a security-related question, clicking OK without thought. Mac OS X v10.5 minimizes the number of security alerts that you see, so when you do see one, it gets your attention.”
Hello, Microsucks! Are you listening?
Cubert,
Actually, that whole “too many messages” thing is a problem that appears to infest Microsoft.
An example is Internet Explorer, which – as a default – installs with debug and error messages turned on: if you access a site where the Active Server or other application server hasn’t been rigourously debugged, it’s possible – as a simple user of a supermarket’s shopping basket – to get an error message that means absolutely nothing to you.
However, Safari – which ships with debugging turned off – executes the same page without any problem and (it would appear) without any kind of data error; in other words, it’s an error, but not an error that stops the transaction or causes a corruption.
If that’s the case, why report it? Why turn on a debug environment that doesn’t mean anything to over 99% of all users?
MCCFR,
But then, Microsoft does lots of things and advertises lots of features that doesn’t mean anything to over 99% of all users … That’s kinda MS in a nutshell actually.
This reminds me of a series of such guides released by one of the security agencies (NSA, I think). Remarkably (to some, not to us), the Windows XP version was far larger than that for OS X. In other words, OS X is far more secure out of the box, and less is required to meet even high security standards.
One of my responsibilities at my former employer was “securing” our Windows servers according to LEM standards. It was so complex an undertaking we’d first run a “checker” which would spit out a report of deviations, and the requisite changes required to meet the standard, which would require hours of mods to the registry and permissions and turn off myriad services (the print spooler, for example). On one occasion, the required change so messed up the box it had to be rebuilt. I’m done with that.
About time. Now I can just point people to the PDF if they need to be security anal.
Actually, Leopard has some issues with the whole “too many alerts thing”. I downloaded Firefox and installed it. Now EVERY time I run it, I get that annoying alert “This application was downloaded from the Internet, are you sure you want to run it?”
I downloaded a bunch of shareware games from APPLE’s website, and each one gives me that same damn annoying message when I open it up. Apple: PLEASE MAKE IT STOP!
I like it. NIce to have a document from Apple on this.
At the end of the document they should have in BOLD “Don’t Use Windows”.
” width=”19″ height=”19″ alt=”wink” style=”border:0;” />
@sn
Me too. So I was interested to see an article today on Mac Fixit by Ted Landau that addresses this and other things.
http://www.macfixit.com/article.php?story=20080602100629270
sn & LSQ,
Run the installer once, then throw it away.
“Apple would like to thank the National Security Agency, the National Institute of Standards and Technology, and the Defense Information Systems Agency for their assistance in creating and editing the security configuration guides for Mac OS X v10.5 client and server.”
Big brother’s watching us!
@sn,
Are you running Firefox from the disc image you downloaded to install it?
The pdf should be required bedtime reading for MicroBallsmer.
But then, no.
M$ may get some ideas for a change on how to program.
Now if they can just get back to fixing OS X 10.5.3… life would be all smiles!