Mac OS X is a powerful Unix-based operating system, and with that power comes the responsibility to minimize security risks. If your computer may be used by other people, it’s wise to secure it against users who may not realize the consequences of their actions, or those who may intend to wreak havoc. If you’re connecting your computer to the Internet, it’s necessary to take preventive measures to guard against unwanted connections over the network.
Mac OS X is a true multiuser operating system. In Mac OS X, you have complete control over who can do what, but you must realize that exercising that control is essential if you intend to have a shared computer that doesn’t self-destruct after one or two adventurous users decide to play around.
Problems due to local users might not seem likely, but an unmanaged public computer can easily be turned into a powerful tool of attack—sometimes unintentionally. (As you learned in Chapter 34, “Sharing Files and Running Network Services,” and will explore further in just a moment, even turning on network services can expose your computer to risk from malicious strangers.)
Much of local system security is common sense coupled with a reasonable amount of watchfulness. Because implementing a local security policy is easier than maintaining network security, that’s where we start.
Your first decision is what type of computer you’re setting up.
If the machine is destined to be in a public library and serve as both a Unix and a Macintosh workstation, your security considerations are far more complicated than if it sits at your desk and has only you as a user.
Let’s take a look at a series of steps you can take to minimize the risks to your system. Some obviously don’t apply to your particular circumstances, but they’re worth noting regardless.
Many people aren’t clear on what happens when you create a user in Mac OS X. As you learned in Chapter 33, “Sharing Your Computer with Multiple Users,” two types of user accounts can be created in the Accounts pane of the System Preferences: normal users and admin users. The only difference when setting up accounts is checking the box that reads Allow User to Administer This Computer.
Many systems that I’ve visited have had all the users set to be administrators. When asked why, the owners replied that they wanted everyone to be able to use the computer to its fullest. An understandable sentiment, but the implications of using this setting are enormous. A user who has this check box set can
Add or delete users and their files
Remove software installed in the systemwide Applications folder
Change or completely remove network settings
Activate or disable the Web service, FTP service, or SSH (secure shell)
Although it’s unlikely that users who are given administrative privileges could completely destroy the system, ‘they can make life difficult for others even if they don’t mean to.
To remove administrative access from an existing user, follow these steps:
Open the System Preferences.
Click the Accounts item under the System section.
Select the name of the user to edit in the list along the left.
Open the Security section and uncheck the Allow User to Administer This Computer box, as shown in Figure 35.1.
By the Way
If you try to change the administrative access for the first-created user account, the Security options are grayed out. That account must remain an administrative account.
If your computer has only a few accounts for people you know, this security precaution is probably the only one you need. However, if you want your system to be a bit more impenetrable, keep reading.
It’s obvious that Apple wanted to create a system that would be friendly and accessible for any level of user. In doing so, it also set a few defaults that make it easy for a public system to be “cracked” by a persistent attacker with direct access to the machine. One precaution that’s easy to take is not to display login names on the Login Preferences panel. To shut off this feature, follow these steps:
Open System Preferences.
Click the Accounts button in the System section.
Choose the Login Options button at the bottom of the list of users.
Click the Display Login Window as Name and Password radio button to select it.
Close the panel to save the settings.
Now, let’s take a look at ‘ways to secure your system online.
There are two steps to network security: figuring out what your machine is doing and disabling those things that you’d rather it not do. Neither of these tasks is as easy as it sounds because you must check a number of places before you can be sure that your machine is secure. The end result, however, is a Mac OS X computer that you can leave online without worrying about the consequences.
As discussed in Chapter 34, your Mac OS X computer has several built-in methods of sharing information over the Web—through network shares, FTP, and more. Each of these features relies on a special Mac OS X background application called a server daemon, or simply a service. As its name implies, a service provides additional functionality to the system. With network services, this functionality can be accessed remotely over a network connection. Therein lies the potential for a cracker to access and modify your computer, and is the primary source of our concern.
Each network service that runs on your computer requires a port that can be used to accept incoming connections. Think of network ports as power receptacles with multiple outlets. Connections to your computer are “plugged” in to the outlet and then communications can begin. Mac OS X has the capability to accept many incoming connections via many different ports. You can enable many of the commonly-used ports under the Services section of the Sharing Preferences, as detailed in Chapter 34.
By the Way
If you need to run services, as with some types of file sharing or instant messaging, that use some of the less common ports, you can activate them under the Firewall section of the Sharing preference pane. Click the button labeled new and choose a port name or, if none apply, choose Other. If you choose other, you will neet to set the port number or range; talk to your system administrator if you feel there are custom settings you should configure.
The biggest risk of having several network services active is that there could be a bug or backdoor associated with one of them. The Mac OS X architecture uses complex applications to provide its network services. Improperly setting up one of these services, or failing to keep your system updated, could open your account to being accessed by an unauthorized user who can tamper with your files. Even worse, it is possible for an intruder to take over your machine and use it to launch attacks on even more computers!
When your computer is connected to the Internet via a direct connection to a cable modem or DSL line, it can be a direct target for attack from outside. The more network services that are running, the greater the chance that a potential intruder can discover and compromise your system.
Your first concern should be the network services that Apple included with your system. Although it’s tempting to go through your system and activate every feature, doing so isn’t always a good idea. If you turn on everything in the Sharing Preferences pane, your system would have the following services and ports active:
FTP Access (port 20 or 21)—. FTP is a quick and easy way to send and retrieve files from a computer. FTP Sharing starts an FTP server on your computer. Unfortunately, it provides no password encryption and is often targeted by attackers. If you don’t have to use FTP, don’t enable it.
Remote Login—ssh (port 22)—. The secure shell enables remote users to connect to your computer and control it from the command line. It’s a useful tool for servers, but only presents a security risk to home users.
Personal Web Sharing (port 80)—. Your personal Web server is server called Apache. Apache is a stable program and should be considered the least of your concerns, unless you’ve manually customized its configuration files.
Windows File Sharing (port 139)—. Enables Windows users to access the shared folders on your computers.
svrloc (port 427)—. The Service Locator Protocol allows remote computers to detect what services are available on your computer over the Internet.
afpovertcp (port 548)—. The Apple File Protocol is used to share your disks and folders over a network. If you have Personal File Sharing turned on, be aware that potentially anyone on the Internet can connect to your computer.
Printer Sharing (port 631)—. Enables other users on the network to use printers connected to your computer.
ppc (port 3031)—. Program-to-program communication enables remote applications to connect to your computer and send it commands. It’s unlikely that you would need this feature in day-to-day use. PPC is controlled by the Remote Apple Events setting in the Sharing Preferences panel.
To disable any of these built-in network services, follow these steps:
Open the System Preferences pane.
Click the Sharing item under the Internet & Network section.
In the Services preferences, uncheck the boxes for the listed services to toggle them on and off, as shown in Figure 35.2.
The “ultimate” solution to network security is the use of a firewall, a piece of hardware or software that sits between your computer and the Internet. As network traffic comes into the computer, the firewall looks at each piece of information, determines whether it’s acceptable, and, if necessary, keeps the data from getting to your machine.
By the Way
You might be asking yourself, “If a firewall can be a piece of software that runs on my computer, how can it both look at network traffic and keep it from reaching my machine?” After all, to look at the information and determine whether it’s trouble, the data obviously must have reached my computer!
That’s true, but firewall software operates at a low level, intercepting network traffic before your computer has a chance to process it and make it available to components such as your Web server or FTP server.
A software firewall is the quickest way to get unwanted traffic blocked from your machine.
Mac OS X includes a built-in personal firewall, accessible from the Firewall section of the System Preferences Sharing pane shown in Figure 35.3.
To activate the firewall, click the Start button. Checked boxes appear next to those services/ports that you’ve turned on under the Services pane of the Sharing Preferences pane.
Because disabling a port disables its service and unenabled ports require no securing, you must go to the Services pane to change the status of the services in the Firewall pane.
In addition to starting or stopping your personal firewall, you can add and delete additional ports to be opened between your computer and the outside world. This may be necessary for some people who want to play games online, use some specific file sharing or Internet chat software, or interact in other ways via a network. Consult your system administrator or ISP if you have questions.
Did you Know?
If you need even more flexibility, several other firewall builder packages make it easy to point-and-click your way through setting up a firewall on your computer. You may want to consult another source, such as Maximum Mac OS X Security, by John and William Ray (Sams Publishing, 2003), for deeper coverage of security issues.
A growing number of network hardware appliances can virtually eliminate the threat of attack by making your computer unreachable from the Internet. Although slightly more expensive than a software-only solution, they provide a worry-free answer to the problem of network security!
Here are a few Mac-friendly firewall solutions you might be interested in checking out:
Apple AirPort—. The Apple wireless network server can make an effective firewall when configured with the option to Share a Single IP Address Using DHCP (Dynamic Host Configuration Protocol) and NAT (Network Address Translation). Although more expensive than other options, it’s a Mac-friendly solution and a great way to gain security and go wireless at the same time.
LinkSys cable/DSL routers (www.linksys.com)—. Largely responsible for creating the first mass-produced personal firewall, LinkSys has a variety of different options available for home users. LinkSys offers both traditional wired and wireless products.
NetGear routers (www.netgear.com)—. Much like the LinkSys routers, the NetGear offerings are available in wired and wireless configurations and feature easy Web configuration and an attractive price point.
By the Way
As you shop for a hardware firewall, you might notice that many of the devices you see are advertised as routers. A router is simply a generic term for a network device that moves network information from one place to another. For your personal system, it routes information from your computer to the Internet and vice versa.
During the process of routing data, the device also performs its firewall activity.
The biggest drawback to using a personal hardware firewall is that if you run a Web server (or other processes that enable people to connect to your machine over the Internet), you must specially configure the firewall to let requests pass through to your computer. This isn’t usually difficult, but it requires more than simply plugging it in and having it work.
Mac OS X security presents several challenges for Mac users. Its underlying Unix subsystem makes it an attractive target for network crackers as well as any unscrupulous person who might have access to the system. In this chapter, you learned several ways to help protect your system from both local and network attacks by limiting access to critical features and shutting off network services that you might not need. The topic of security is broad, so consider chapter only a start to maintaining a secure computer—not an end-all guide.