Follow Island in the Net on

How to secure your Mac - Part 1

So you just got your new Mac and are excited to start using it. You've heard a lot about how Macs are easy to use and how secure they are. You've seen the ads on TV showing how Windows is susceptible to viruses and hacking and Macs are (supposedly) immune. Apple's marketing machine and Steve Jobs reality distortion field are in full effect. Your're ready to hit the on button and get to playing. Well ... Halt! The truth is no computer system, including your shiny new Mac, is immune from attack. There are a few steps you can take to make sure you new Mac is setup to stay as safe as possible. I'll be detailing these steps in a series of blog postings. Mac OS X (Snow Leopard) has quite a few security features. OS X can prevents hackers or malicious code from harming your computer by restricting actions by applications and services, securing files and network services, and limiting what users can do. I'll be breaking the blogs steps down following this loose outline.

  • Accounts
    • Standard and Administrator Accounts
    • Creating strong passwords
    • Auto-login
  • Network
    • Wireless Network Security
    • Virtual Private Network
    • Bluetooth Security
  • Firewall
    • File System
    • FileVault
    • Master Password
  • Applications and Services
    • Disable unused services
    • Secure services - restrict access levels by user
    • Bluetooth Sharing
    • Application Firewall
    • Parental controls
    • Software Update

Don't be an Administrator

Mac OS X has three account types - Administrator, Standard, and Managed (with Parental Controls).

Administrator: An administrator account user can create, delete, and modify accounts, install software, and change system settings. Since administrators have such broad access, you should limit the number of administrator accounts created.

Standard: Standard account users cannot administer other accounts, but can install software for their own use and change settings related to their accounts.

Managed with Parental Controls: In an account managed by parental controls the administrator can place restrictions on: inappropriate Internet content, the amount of computer use, and access to applications, email, iChat.

When you take your Mac out of the box, it is securely configured to meet the needs of most common environments, so you don’t need to be a security expert to set up your computer. When you first setup your Mac, OS X will prompt you to you create your first user account. To keep things simple Apple set this by default to be a system administrator account. Operating your Mac with an account with such high level access leaves you vulnerable to malicious software that may have installed itself when your clicked that innocent looking video link in an email from your friend (except it was from a hacker using your friends email account). The Administrator should be used only when absolutely necessary to perform administrative tasks.

Create a Standard Account

The best security practice with any computer, is to create individual standard user accounts for each person who regularly uses the computer. Each user will have a separate home folder and can adjust his or her own account preferences without affecting the accounts of others users. In this way, only applications trusted by the user may receive administrative privileges, and malicious software may be kept from compromising the operating system.  This is how most large companies create and manage user account for all their computer systems.

To create a standard user account in OS X (10.5 or 10.6) launch System Preferences->Accounts and click on the "+". Enter a full name and a short name (short name can be anything), password, and a password hint. Don't use a password hint that makes it obvious what the actual password would be.

Click the little lock icon and OS X will provide help with generating strong easy to remember passwords. I like to use short phrases to generate my password - using the first letter of each word in the phrase. I also like to throw in a few non-alpha characters. For example, "Mac user are the most creative!" would lead to password "Muatmc!".

When a user attempts to install an application or change a system preference he/she will need to enter the user name and password for the administrator account. Most of us don't have a need to change system preferences or install applications very often so this is a minor inconvenience for an increase in system security.

Login Options

There are some other account settings that help prevent others from getting access to your sensitive information. To enable these options click on the "Login Options" (the little house icon) in the Accounts pane of System Preferences. OS X allows you to setup an account so that your Mac automatically logs into that account on boot up. If you enable this option, anyone with physical access to your Mac ( a thief for example ) would be able to gain easy access to all your files. Turn it off.

Stay tuned

In the next article I will give some advice on securing your wireless network and locking down your Macs networking services.