- Jan 24, 2011
- 9,378
1. Disable automatic login
Most Mac users only have one account on their systems, so having the system automatically login for them makes perfect sense. Doesn't it?
NO!
Think about it, if anyone gets hold of your precious Mac, all they'd have to do is switch it on, and within seconds they can be rifling through all your documents and dirty secrets.
Turning off automatic login is a simple yet effective way of adding a small amount of security to your system. To turn off automatic login open System Preferences and go to Accounts. Find the option called "Login Options", choose this and set automatic login to off.
2. Set a firmware password
An easy way to bypass security measures on any machine is to boot the system using a Live CD (for example). In the case of OS X, boot from an OS X Installation disk which allows you to make changes like reseting the administrator password, or make changes to partitions and disks.
By setting a firmware password you help to prevent attackers from:
Booting a Live CD
Running any applications from an OS X Installation disk
Booting the machine into Target Disk mode and accessing data without logging in
Rather than trying to cover all the ins and outs of setting a firmware password I'll point you to the Apple support article on the subject: http://support.apple.com/kb/ht1352.
3. Encryption is a good idea
Encrypting all of your personal and private files means that if your computer is stolen it becomes far far harder for anyone to access your data.
Apple provides functionality to encrypt your entire home directory called FileVault. This will encrypt everything inside of your home directory, but will not encrypt anything outside of it. For those that only want to protect the data inside their home directory this may be a good solution.
If there is sensitive data outside of the home directories that you need to protect then a full disk encryption solution is worth looking into. This will encrypt everything on a disk, and means that data stored in temp files, and application directories are also secured.
Sophos offers a business class full disk encryption product for Mac OS X called SafeGuard Disk Encryption for Mac. An additional benefit of full disk encryption is that it prevents someone from booting the system and reading the memory through the FireWire interface.
Encrypting the virtual memory on your system is a wise choice, and something that Apple does turn on by default in 10.6 Snow Leopard.
For older versions of OS X it is strongly recommended that you turn on 'secure virtual memory' in System Preferences. This will prevent others from connecting to your physical machine and reading the data in the virtual memory.
4. Be smart with your passwords
Your Password is more or less the one thing that keeps your system and your data safe from others. It makes sense to invest in making it as hard to crack as possible.
Apple provides a tool to help select a secure password called Password Assistant. To use the Password Assistant open System Preferences -> System -> Accounts -> Create a user or Change Password -> Click the key icon.
The Password Assistant provides several options to help you generate a password (Memorable, Letters & Numbers, Numbers Only, Random, FIPS-181 compliant), or you can manually enter a password.
Whichever you choose Password Assistant will show you the Quality (or strength) of your password. Watch this video for advice on choosing a complex password you can remember.
5. Securing your Keychain
It is a good idea to make sure that your Keychain has a different password to that of your user account.
The Keychain stores internet passwords, SSL Certificates, notes and more in a nice convenient encrypted store. By default your Keychain has the same password as your user account, which is great as it means your Keychain automatically unlocks and allows any running application to request data from it!
Its like SSO (Single Sign On) gone bad. . . Changing your Keychain password will mean that when an application wants some data you will have to enter your Keychain password.
This is a little inconvenient but means that anyone that cracks your account password doesn't get instant access to everything in your Keychain, and that you will know whenever an application is trying to gain access to your secured data.
To change your Keychain password open up the Keychain Access application in the Utilities directory. Then click on the Edit menu and select Change Password for Keychain "login".
6. Never run as an administrative account
If you talk to any Linux or Unix user you will quickly find out that they rarely login as a user that has administrative privileges. The reason for this? If your account is compromised, the attacker has only gained access to your data, but hasn't gained access to the entire system.
Running as a normal user on any operating system is a sensible thing, and OS X is no different.
Make your everyday account a Standard user, and then authenticate as an Admin account when the system requests it.
Source
Most Mac users only have one account on their systems, so having the system automatically login for them makes perfect sense. Doesn't it?
NO!
Think about it, if anyone gets hold of your precious Mac, all they'd have to do is switch it on, and within seconds they can be rifling through all your documents and dirty secrets.
Turning off automatic login is a simple yet effective way of adding a small amount of security to your system. To turn off automatic login open System Preferences and go to Accounts. Find the option called "Login Options", choose this and set automatic login to off.
2. Set a firmware password
An easy way to bypass security measures on any machine is to boot the system using a Live CD (for example). In the case of OS X, boot from an OS X Installation disk which allows you to make changes like reseting the administrator password, or make changes to partitions and disks.
By setting a firmware password you help to prevent attackers from:
Booting a Live CD
Running any applications from an OS X Installation disk
Booting the machine into Target Disk mode and accessing data without logging in
Rather than trying to cover all the ins and outs of setting a firmware password I'll point you to the Apple support article on the subject: http://support.apple.com/kb/ht1352.
3. Encryption is a good idea
Encrypting all of your personal and private files means that if your computer is stolen it becomes far far harder for anyone to access your data.
Apple provides functionality to encrypt your entire home directory called FileVault. This will encrypt everything inside of your home directory, but will not encrypt anything outside of it. For those that only want to protect the data inside their home directory this may be a good solution.
If there is sensitive data outside of the home directories that you need to protect then a full disk encryption solution is worth looking into. This will encrypt everything on a disk, and means that data stored in temp files, and application directories are also secured.
Sophos offers a business class full disk encryption product for Mac OS X called SafeGuard Disk Encryption for Mac. An additional benefit of full disk encryption is that it prevents someone from booting the system and reading the memory through the FireWire interface.
Encrypting the virtual memory on your system is a wise choice, and something that Apple does turn on by default in 10.6 Snow Leopard.
For older versions of OS X it is strongly recommended that you turn on 'secure virtual memory' in System Preferences. This will prevent others from connecting to your physical machine and reading the data in the virtual memory.
4. Be smart with your passwords
Your Password is more or less the one thing that keeps your system and your data safe from others. It makes sense to invest in making it as hard to crack as possible.
Apple provides a tool to help select a secure password called Password Assistant. To use the Password Assistant open System Preferences -> System -> Accounts -> Create a user or Change Password -> Click the key icon.
The Password Assistant provides several options to help you generate a password (Memorable, Letters & Numbers, Numbers Only, Random, FIPS-181 compliant), or you can manually enter a password.
Whichever you choose Password Assistant will show you the Quality (or strength) of your password. Watch this video for advice on choosing a complex password you can remember.
5. Securing your Keychain
It is a good idea to make sure that your Keychain has a different password to that of your user account.
The Keychain stores internet passwords, SSL Certificates, notes and more in a nice convenient encrypted store. By default your Keychain has the same password as your user account, which is great as it means your Keychain automatically unlocks and allows any running application to request data from it!
Its like SSO (Single Sign On) gone bad. . . Changing your Keychain password will mean that when an application wants some data you will have to enter your Keychain password.
This is a little inconvenient but means that anyone that cracks your account password doesn't get instant access to everything in your Keychain, and that you will know whenever an application is trying to gain access to your secured data.
To change your Keychain password open up the Keychain Access application in the Utilities directory. Then click on the Edit menu and select Change Password for Keychain "login".
6. Never run as an administrative account
If you talk to any Linux or Unix user you will quickly find out that they rarely login as a user that has administrative privileges. The reason for this? If your account is compromised, the attacker has only gained access to your data, but hasn't gained access to the entire system.
Running as a normal user on any operating system is a sensible thing, and OS X is no different.
Make your everyday account a Standard user, and then authenticate as an Admin account when the system requests it.
Source
