Mac Initial Security Guide
The purpose of this document is to provide an overview of the basic security configuration for a stand-alone Macintosh desktop or laptop computer in use at LBL. Stand-alone, in this context, means that the computer is not bound to a workgroup or Active Directory. This document is intended primarily as a security guide; however, it also addresses other system configuration options where they are needed as a foundation for overall system security. Some of the points in this guide are also covered in the Minimum Security Requirements, which establish a baseline for the security of systems on the LBNL network.
Installing a clean system
The key steps in ensuring a secure computer are to make sure that no malicious software is installed, that no insecure services are running, and that security settings are not misconfigured. One way to ensure this is to erase the disk and reinstall. Even when systems arrive “preinstalled” from the vendor, it is difficult to know whether other software was installed, whether improper settings were configured, or even whether other accounts were created. Instead of auditing a system to verify these settings, it is often easier to simply reinstall the computer. All Macs come with a recovery partition.
There are more advanced mechanisms for reinstalling Macs or ensuring that a particular software image is installed, but for stand-alone systems it is often easiest to boot to the recovery HD and reinstall. This is done by rebooting the Mac and holding down “Command + R” while it boots. This will pull a recent version of the Mac OS from the Apple servers and reinstall it. There are other guides that walk through the reinstall steps, but the Mac reinstall is very simple: there are no complex choices to make and it runs to completion in about an hour.
*Warning* Doing a clean install assumes that this is a brand new computer, or otherwise a computer with nothing of value on it. If you are reinstalling a previously used system, you need to ensure that you have a recent backup first.
The first time the system boots you will be greeted by the first-startup welcome screen, followed by some one-time setup questions. Apple ID can be configured later, so it can be skipped. Registration can also be performed later, or the information can be filled in and sent to Apple. It is a good idea to create a separate “admin” account on the computer, even if it is a single-user computer. Ideally, all software installs and system configuration would be done from this separate account. If the primary USER account of the system does not have admin privilege, this limits the impact of attacks that arrive via email and web use. Otherwise, this initial account will be the admin account on the system. Once you enter a password for your account(s), make sure to check the "Require password to unlock screen" box.
Once the initial account is created, the Apple Software Updates configuration screen appears. Select the options to check for updates once per day and to automatically download them. Timely installation of security updates is one of the most important security defenses. Finally, it is recommended to run a software update, which can be found under the Apple icon at the upper left of the menu bar.
Initial Security Checklist
With the system in a known clean state and an admin account created, it is important to go through and configure security settings. Mac OS has a reputation for being “secure by default”, but that mostly means that it is not running many network services out-of-the-box that can be attacked. There is still a lot to be done to increase the security of a Macintosh. The following are recommendations for securing a newly installed Mac, stepping through the important system settings found in “System Preferences...” under the Apple menu.
Security and Privacy
Apple has collected a number of important features under the “Security & Privacy” preferences screen. The “General” tab contains security settings that don’t fit under other screens. The “FileVault” and “Firewall” tabs apply to those specific security functions.
Require password immediately after sleep or screen saver begins
This setting turns the screen saver into a security control. Immediately after the screen saver activates, a user will be required to enter their password to access the computer. This prevents unauthorized access to the computer when the user isn’t present.
Disable automatic login
This setting should be checked. Disabling automatic login means that users have to sign in after a reboot. This is a good thing; otherwise, someone with physical access could simply reboot the computer to gain access to all of the user's files.
Allow apps downloaded from
By default this is set to allow only programs from the official App Store and identified developers. This helps deter malicious applications from being installed.
FileVault
FileVault is Apple’s built-in user encryption. It encrypts a user’s home directory, so all of the files, documents and photos are protected from being read. It works by creating a sparse disk image file that is encrypted with the user’s password. This disk image is then mounted when the user logs in, so that they can read and manipulate all of their files. There is a slight performance overhead. However, the user’s content is protected even if an attacker physically steals the computer, removes the hard drive and attaches it to another computer. The user’s content is unreadable without the FileVault password.
Currently, FileVault is most valuable on laptops where there is a much higher risk of an attacker gaining possession of the computer or hard disk. FileVault can be used for network homes, but this should be verified with the System Administrator. FileVault does work with Time Machine, but may present issues with other backup solutions. Therefore, FileVault is not a generally recommended solution, though it may be appropriate in many instances. It is recommended that if FileVault is utilized, that a Master FileVault password is set and a copy of that password kept in escrow with a System Admin or supervisor.
Firewall
By default, the Apple application firewall is off. Make sure that it is turned on to prevent unauthorized programs from listening on the network. Note that OS X has more than one firewall. It includes a second “packet filtering” firewall that is off by default and can no longer be configured via the OS X GUI. Because Apple doesn’t offer services unless they are enabled, this isn’t a big problem. Laptop users, especially those that are traveling and using foreign wireless networks, might consider going into “Firewall Options” and setting “Block all incoming connections.”
Privacy
This section contains settings on whether the system or specific apps have access to your location. It also shows permissions requested by applications to access contacts and calendars, and an opt-in to send diagnostic and usage data to Apple.
Desktop and Screen Saver
An important tab to check here is Screen Saver. Set “Start screen saver:” to a low number like 5 minutes. This is not to save the screen from phosphor burn, but rather to narrow the window of opportunity for an attacker to gain access to the computer if the user steps away without explicitly locking the screen. This number can be adjusted to suit the working environment of the user, for example if they do a lot of reading without mousing, or for presentations. Another option to consider setting is “Hot Corners”, which binds a function to moving the mouse into one of the screen corners. By binding “Start Screen Saver” or “Put Display to Sleep” to one or more corners, the user has a very easy way to turn on the screen saver before they step away from the computer. For those who prefer keybindings, "ctrl + shift + eject" will put the display to sleep immediately.
Sharing
The Sharing screen allows you to offer various services to the network. By default, these are all off. This is where the “secure by default” reputation of the Macintosh comes from: by default, none of the sharing services built into the Macintosh are listening on the network.
One very important setting to check is the “Computer Name:” parameter. The name is used to identify the computer on the network in various contexts. Most obviously, to other Macs this is the Bonjour name. However, this name is also used with the DHCP service when the computer is assigned its Internet Protocol (IP) address. One problem Macintosh computers have when using the “Automatic” network (i.e. DHCP) settings at sites that allow computers to request a hostname (as at LBL) is that space characters in the “Computer Name” cause errors in the hostname request. The DHCP server cannot parse them properly and many Macintosh computers end up with a hostname that resembles their MAC address. This can make it difficult to connect back to the computer because the expected hostname isn’t functional. The solution is to set a “Computer Name” that has no spaces or other “funny” characters, such as the apostrophe, in it. By default, the Mac will set a name like “Initial User’s Computer” and this may break the DHCP hostname negotiation.
Users & Groups
Some of the most important security options are under the “Accounts” tab. In addition to being the mechanism for adding new users to the system and controlling them, it holds some basic default settings under the “Login Options” box.
The “Automatic login” option should already be set to “Off” due to the checkbox under the Security panel. Set the “Display login window as:” option to “Name and password”, as this avoids sharing extra information about legitimate users of the system with anyone who sees the login screen. Attackers would have to guess the username as well as the password instead of simply the password. Uncheck “Show password hints”, as this gives extra information to would-be attackers. Fast user switching should also be disabled. It is a convenience, but it shares many system resources between the users that are logged in and isn’t designed for use in a higher security environment.
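An added audit script for the checklist above (written for this guide, not part of the LBL page or of Apple's tooling): it reads the firewall, screen saver password, automatic login, Computer Name, Gatekeeper and FileVault settings with macOS's own command-line tools and grades each one. It assumes OS X 10.8 or later (for spctl and fdesetup) and assumes the preference keys named in the comments; the grade_* functions take the raw value and can be run on any POSIX shell.

```shell
#!/bin/sh
# Added audit script, not part of the LBL guide. Reads the settings above with
# macOS's own tools (defaults, scutil, spctl, fdesetup; assumed present, OS X
# 10.8 or later) and grades each. The grade_* functions take the raw value and
# run anywhere; the probes print "unknown" where a tool is missing.
# Print a preference value, "unset" if the key is absent, "unknown" off macOS.
read_pref() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return; }
    defaults read "$1" "$2" 2>/dev/null || echo unset
}
# Application firewall globalstate: 0 off, 1 on, 2 on with "Block all incoming".
grade_firewall() {
    case "$1" in 1|2) echo pass ;; 0|unset) echo FAIL ;; *) echo unknown ;; esac
}
# "Require password immediately": askForPassword=1 and a delay of 0 seconds
# (the delay key is only written once changed, so unset is taken as 0).
grade_screensaver() {
    case "$1" in
        unknown|unset) echo "$1" ;;
        1) if [ "$2" = 0 ] || [ "$2" = unset ]; then echo pass; else echo FAIL; fi ;;
        *) echo FAIL ;;
    esac
}
# Automatic login: the autoLoginUser key only exists when a user is selected.
grade_autologin() {
    case "$1" in unset) echo pass ;; unknown) echo unknown ;; *) echo FAIL ;; esac
}
# Computer Name as offered to DHCP: letters, digits and hyphens only, non-empty.
grade_computer_name() {
    case "$1" in
        unknown) echo unknown ;; ""|*[!A-Za-z0-9-]*) echo FAIL ;; *) echo pass ;;
    esac
}
audit() {
    alf=/Library/Preferences/com.apple.alf
    lw=/Library/Preferences/com.apple.loginwindow
    ss=com.apple.screensaver
    echo "firewall:      $(grade_firewall "$(read_pref $alf globalstate)")"
    echo "screen saver:  $(grade_screensaver "$(read_pref $ss askForPassword)" "$(read_pref $ss askForPasswordDelay)")"
    echo "auto login:    $(grade_autologin "$(read_pref $lw autoLoginUser)")"
    echo "computer name: $(grade_computer_name "$(scutil --get ComputerName 2>/dev/null || echo unknown)")"
    echo "gatekeeper:    $(spctl --status 2>/dev/null || echo unknown)"
    echo "filevault:     $(fdesetup status 2>/dev/null || echo unknown)"
}
audit
```

Run it as the admin account after working through the checklist; any line reading FAIL points back to the corresponding System Preferences setting above.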
Bluetooth
This section is worth checking if your device has been inherited from a previous user. Bluetooth device history survives factory resets. It is best to delete any devices in this list that do not belong to you; note that the remove icon does not appear unless Bluetooth is turned off. Best practice is to leave Bluetooth off if the user is not using a Bluetooth device.
Network
Setting Automatic should be sufficient for most circumstances as a client. Specific settings may be required for your particular wireless networking environment. All wireless security mechanisms currently in use at LBL, including WPA2 and username/password authentication, are supported out-of-the-box in all recent OS X distributions. Some desktops also come with Wi-Fi in addition to Ethernet. When using a physical connection it is recommended to turn off wireless.
Syslog
All LBNL Unix / Linux and OS X desktop computers must syslog to the LBNL central syslog server. This does not apply to ESnet, NERSC, and UCB computers.
This sends a copy of important system messages to the LBL security group to detect potential security problems. Because laptop systems move around, syslogging is not a requirement for laptops. Currently there is no software tool to enable syslogging, but it can be configured through the Terminal. Open the Terminal application by navigating to Applications, then Utilities. It can also be found by typing "terminal" in Spotlight. Copy and paste the following command into the Terminal:
This will prompt for your password. Once you enter it you are done and may exit the Terminal.
Required Software
The following programs are required and are available for download from software.lbl.gov.
Anti-Virus
Make sure to install anti-virus software. Macs can get viruses too, and Sophos is the currently recommended anti-virus software. Be sure to update it after it is installed.
IBM Tivoli BigFix
This helps keep applications up to date on the workstation. It monitors and updates commonly outdated software such as the Java runtime environment, Skype and Adobe Flash. For more information on BigFix go here.
Qualys Browser Check
This tool addresses one of the limitations of BigFix, namely its ability to identify and update browser plugins. It works with Safari, Chrome and Firefox.
Tips and Tricks
This section contains some extra tips and tricks.