Locking down OSX

Michael Mullins

Published: 01 Aug 2005 18:25 BST


With its foundation rooted deep in UNIX, Mac OS X is incredibly secure. Even out of the box, the system comes in a very secure state.

The default features included in the Mac make it an excellent choice for users worried about hackers and viruses. Let's take a look at some of OS X's built-in features that make this system so secure out of the box.

  • It has a secure default configuration: By default, OS X closes all of the communication ports, and it disables all native services, including personal file sharing, Windows file sharing, personal Web sharing, remote login, FTP access, remote Apple events, and printer sharing.
  • It includes a personal firewall: Enabling OS X's personal firewall denies all inbound connections except those you specifically allow. Unlike with other personal firewalls, you must explicitly identify the traffic you want to allow the first time you turn on the firewall. In addition, the firewall includes a 'Stealth Mode', which won't acknowledge the system's existence to would-be hackers looking for machines to attack.
  • It automatically updates the machine: This feature allows your Mac to download software updates and security patches automatically. In addition, Apple digitally signs its updates, so you can be sure they come from a trusted source.
  • It features FileVault encryption: FileVault protects the data on your machine using AES-128 encryption, rather than the weaker Data Encryption Standard X (DESX) algorithm used by the Windows Encrypting File System (EFS).
  • It offers a secure Keychain: The Keychain automatically stores all the password information needed to use encrypted disk images and to log on to file servers, FTP servers, and Web servers. This feature enables you to create and use complex passwords without writing them down or trying to remember them.
  • It includes a permanent deletion feature: When you delete a file or folder, the Secure Erase Trash feature immediately overwrites the file with invalid information, making the file disappear completely and removing the possibility of recovering the data.

Of course, it's important to remember that even with all of these native security features, nothing is secure until you've verified it — and incorporated some security best practices. The following three best practices are the most common security recommendations within the overall UNIX community. You can accomplish all three tasks via the System Preferences dialog box.

  • Create an additional non-administrative account for daily use: Remember that admin or root accounts are for administrative tasks, not for browsing the network and reading email.
  • Use the OS X screensaver with a password: This habit ensures that your machine remains inaccessible whenever you're away from the keyboard.
  • Turn on network time synchronisation: If you plan to maintain and use log files (and Macs log a lot of information), this step makes sure the timestamp in the system logs is accurate.
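One way to verify several of the settings above from Terminal instead of clicking through System Preferences. This is an added example, not part of the original article; it assumes the command-line tools and output wording of current macOS releases (`socketfilterfw`, `fdesetup`, `systemsetup`, `id`), which postdate the OS X version the article describes.

```shell
#!/bin/sh
# Added example: audit a Mac against settings discussed in the article.
# Assumption: tool paths and output wording are those of current macOS
# releases; none of them are taken from the article itself.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Each check_* function takes a tool's output as $1 and returns 0 (pass)
# or 1 (fail), so the parsing can be exercised without a Mac.
check_not_admin() {   # $1: `id -Gn` output, e.g. "staff everyone"
    case " $1 " in *" admin "*) return 1 ;; *) return 0 ;; esac
}
check_firewall() {    # e.g. "Firewall is enabled. (State = 1)"
    case "$1" in *"State = "[12]*) return 0 ;; *) return 1 ;; esac
}
check_stealth() {     # wording varies by release: "... enabled" or "... is on"
    case "$1" in *enabled*|*"is on"*) return 0 ;; *) return 1 ;; esac
}
check_filevault() {   # e.g. "FileVault is On."
    case "$1" in "FileVault is On"*) return 0 ;; *) return 1 ;; esac
}
check_nettime() {     # e.g. "Network Time: On"
    case "$1" in *"Network Time: On"*) return 0 ;; *) return 1 ;; esac
}

run_check() {         # $1: label, $2: check function, $3: tool output
    if "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1"; fails=$((fails + 1)); fi
}

audit() {
    fails=0
    run_check "daily account is not an administrator" check_not_admin "$(id -Gn)"
    run_check "personal firewall enabled" check_firewall "$("$FW" --getglobalstate 2>/dev/null)"
    run_check "firewall stealth mode on" check_stealth "$("$FW" --getstealthmode 2>/dev/null)"
    run_check "FileVault on" check_filevault "$(fdesetup status 2>/dev/null)"
    # systemsetup needs root; without it the output is empty and the check fails.
    run_check "network time sync on" check_nettime "$(systemsetup -getusingnetworktime 2>/dev/null)"
    return "$fails"
}

# Only query the real tools when actually running on macOS.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

Run it from the everyday account, then again with `sudo` for the network time check; the exit status is the number of failed checks.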

Final thoughts
While OS X is secure out of the box, you should still take some time to browse through its different features. Make sure to verify that the level of security is consistent with your needs.

For more information, check out the National Security Agency's Apple Mac OS X Guide and Corsaire's selection of security white papers.
