Basic Security Guideline for Mac OS X Leopard (10.5) Desktop Computers DRAFT

Introduction

This document was prepared as a guideline for securing Mac OS X desktops running Leopard (10.5). "Basic" and "Level-2" Security settings are required for all workstations that work with private data.  "Basic" is required and "Level-2" is recommended for all other workstations on the University network. Consult with your local technical support staff.

“Basic” Security Settings for Macintosh Computer running Leopard

This is required for all workstations on the University network, including those that work with private data.

System Preferences	Leopard Default Setting	Minimum Required Setting
Software Updates	Update Weekly and Download important updates automatically	Update Daily and Download important updates automatically
Sharing-Services Tab	No sharing options enabled	Disabled: Web Sharing and Internet Sharing
Security-Firewall	Allow all incoming connections	Set access for specific services and applications
Symantec AntiVirus Settings		Minimum Required Setting
Norton Auto-Protect/Symantec*		Installed
Live Update		Enabled
Virus Definition File Age		7 days or less
File System RealTime Protect		Enabled

 

"Level-2" Security Settings for Macintosh Computer running Leopard 

These additional settings are required for workstations that work with private data and are recommended for all other workstations on the University network.

Settings	Leopard Default Setting	Minimum Required Setting
Accounts/Login Options- Auto- Login	Disabled	Automatic Login: Disabled
Accounts/Guest Account	Unchecked	Uncheck "Allow guests to log into this computer"
Network-Other Interfaces	Not  Installed	Remove 6to4 if installed
Network-IPv6	Enabled for IPV6 on each interface	IPv6 Off (Found in each interfaces advanced options, under 'TCP/IP')
Network-Airport	Enabled	For desktop computers: Turn off AirPort unless required for business reason
Network-Airport-Advanced-Airport	Not checked, allows all users to control AirPort	For desktop computers: require administrator password to control AirPort
Bluetooth	On and Discoverable	Bluetooth Power: Off (If required, turn Bluetooth on and do not check Discoverable)
Security-FileVault	Disabled	FileVault protection is on. FileVault must be turned on individually for each user to be effective.
Security-FileVault Master password	Password is unset	Master password is set
Security-Require password to wake	Unchecked	Check Require password to wake this computer
Security-Automatic login	Unchecked	Check Disable automatic login
Security-Unlock secure system preference	Unchecked	Check Require password to unlock each secure system preference
Security-Firewall	Allow all incoming connections	"Allow Only essential services".
Safari-Preferences-General	Checked	Uncheck "Open 'safe' files after downloading"
Syslog settings	24 hour retention of logs	Retain logs for 90 days. Edit file “/System/Library/LaunchDaemons/com.apple.syslogd.plist” and add these lines just after “<string>/usr/sbin/syslogd</string>”: <string>-ttl</string> <string>7776000</string> And reboot the machine.  This keeps logs for 90 days.

Other Settings:

• The Empty Trash Securely feature has a bug in it and is not usable due to extreme slowness.  When the bug is fixed, the setting will be added to the Level-2 Security settings.
• Verify ‘root’ is locked.  To verify that an OS X (not OS X Server) host has its root account disabled, the following command can be used:

          sudo egrep ^root /etc/master.passwd

        A correct response will look something like:

            root:*:0:0::0:0:System Administrator:/var/root:/bin/sh

        The key thing is that asterisk in the second field.

• Remote access, use SSH on port 22.  Do not allow remote login from the root user.  Limit access to a list of IP addresses.  For more information, see SSH Defense presentation.
• If services are required and the firewall setting is blocking them, then set “Allow for specific services and applications” and install a 3rd party tool 'WaterRoof'.  When downloading WaterRoof use the latest non-beta version. In WaterRoof click on 'Rule Sets' and then choose “Basic configuration and services” and select services to be passed, such as SSH.

Similar "Basic" and "Level-2" settings are recommended for Macintosh servers.

Together the "Basic" and "Level-2" Security Settings help meet 6 steps in the Securing Private Data Standard http://www.umn.edu/oit/security/privatedata.html

Resources and Links

• Securing Private Data: http://www.umn.edu/oit/security/privatedata.html
• Mac OS X Basic Security Presentations: http://www.umn.edu/oit/security/compsec_presentations.html
• OIT Security & Assurance: http://www.umn.edu /oit/security/index.htm
• OIT Technology helpline (1-HELP): http://1help.umn.edu/
• Safe Computing: Secure a University Machine http://safecomputing.umn.edu/