STANDARDS & GUIDELINES
GUIDELINE—Mac OS X Desktop Computer Security (Appendix P)
Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer
GUIDELINE
A guideline is highly recommended.
Introduction
This document was prepared as a guideline for securing Mac OS X desktops. "Basic" and "Level-2" Security settings are required for all workstations that work with private data. "Basic" is required and "Level-2" is recommended for all other workstations on the University network. Consult with your local technical support staff.

"Basic" Security Settings for Macintosh Computers
This is required for all workstations on the University network, including those that work with private data.
| System Preferences | Minimum Required Setting |
| --- | --- |
| Software Updates | Update daily and download important updates in the background |
| Sharing - Services tab | Personal File Sharing off (none of the listed services are checked) |
| Sharing - Internet tab | Internet Sharing off |
| Sharing - Firewall tab | Firewall on; only "Network Time" is allowed (checked) |

| Symantec AntiVirus Settings | Minimum Required Setting |
| --- | --- |
| Norton Auto-Protect/Symantec* | Installed |
| LiveUpdate | Enabled |
| Virus definition file age | 7 days or less |
| File System RealTime Protect | Enabled |

* Recommend installing SAV 10.X

"Level-2" Security Settings for Macintosh Computers
These additional settings are required for workstations that work with private data and are recommended for all other workstations on the University network.
| Settings | Minimum Required Setting |
| --- | --- |
| Accounts - Auto-Login | Disable (uncheck "Automatically log in as:") |
| Accounts - Display login window as | Check "Name and password" |
| Bluetooth | Bluetooth Power: Off (if required, turn Bluetooth on and do not check "Discoverable") |
| Network - IPv6 | IPv6 Off |
| Security - FileVault | FileVault protection is on. Recommended on desktops and required on laptops. |
| Security - Master password | Master password is set |
| Security - Require password to wake | Check "Require password to wake this computer" |
| Security - Automatic login | Check "Disable automatic login" |
| Security - Unlock secure system preference | Check "Require password to unlock each secure system preference" |
Other Settings:
- Verify that 'root' is locked. To verify that an OS X (not OS X Server) host has its root account disabled, run:
    sudo egrep ^root /etc/master.passwd
  A correct response will look something like:
    root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
  The key thing is the asterisk in the second (password) field: a lone "*" can never match any password, so nobody can log in as root.
- Remote access: use SSH on port 22. Do not allow remote login as the root user. Limit access to a list of IP addresses. For more information, see the SSH Defense presentation.
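A scripted form of the root-locked check above, added here as an example (it is not part of the guideline): it parses the password field of a master.passwd-style entry and also flags the empty-field case, which is worse than an unlocked hash. The sample entries are constructed, and the function names account_locked and report are my own.

```shell
#!/bin/sh
# Added example, not part of the guideline: a scripted form of the
# "verify root is locked" check. In the BSD passwd format that
# /etc/master.passwd uses, field 2 is the password hash; a lone "*"
# means no password can ever match, i.e. the account is locked.

# account_locked NAME FILE
#   exit 0 if NAME's password field is exactly "*",
#   1 if it holds anything else (a hash, or empty = no password at all),
#   2 if NAME has no entry in FILE
account_locked() {
    _name=$1; _file=$2
    _line=$(grep "^${_name}:" "$_file") || return 2
    _pw=$(printf '%s\n' "$_line" | cut -d: -f2)
    [ "$_pw" = '*' ]
}

# report NAME FILE: prints a one-line verdict (always exits 0, for logging)
report() {
    _rc=0
    account_locked "$1" "$2" || _rc=$?
    case $_rc in
        0) echo "$1: locked" ;;
        1) echo "$1: NOT locked" ;;
        *) echo "$1: no entry" ;;
    esac
    return 0
}

# Constructed sample file in master.passwd format (not from a real host).
# "bob" has an empty password field, the worst case an audit should flag.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
alice:$1$saltsalt$NOTAREALHASH0000000000:501:501::0:0:Alice:/Users/alice:/bin/bash
bob::502:502::0:0:Bob:/Users/bob:/bin/bash
EOF

report root  "$SAMPLE_PASSWD"    # root: locked
report alice "$SAMPLE_PASSWD"    # alice: NOT locked
report bob   "$SAMPLE_PASSWD"    # bob: NOT locked
report carol "$SAMPLE_PASSWD"    # carol: no entry
```

On a live host /etc/master.passwd is readable only by root, so run `report root /etc/master.passwd` under sudo; that call is the scripted equivalent of the guideline's egrep one-liner.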
Similar "Basic" and "Level-2" settings are recommended for Macintosh servers. Together, the "Basic" and "Level-2" Security Settings help meet 6 steps in the Securing Private Data Standard: http://www.umn.edu/oit/security/privatedata.html

Resources and Links