Hardening OS X

The purpose of this document is to provide a basic understanding of operating systems and their vulnerabilities, along with hardening practices for securing Apple’s operating system, OS X. It also includes methods for ensuring that a web server is secured.

“Every Mac is secure — right out of the box — thanks to the proven foundation of Mac OS X” (Apple Inc., 2009). Although this statement is true in the sense that you physically control your Mac and it has not yet been configured to go onto a network, that does not mean the system should be run without first securing it simply because Apple Inc. says that it is more secure. When a new computer is purchased, or an operating system is newly installed on a computer, the computer may need additional configuration to protect it from potential threats. There are steps that should be taken to make the computer more secure before it is ever put to leisurely use.

Apple has made a valiant effort to make its operating system secure enough for the standard user to use with confidence straight after purchasing or installing OS X. However, there are still additional steps that should be taken to harden the system prior to casual or business use. One of the initial steps is to configure the system with an individual user account for each person who will be using it. This means that there are no “shared” accounts and nobody should be logged in as the administrator, otherwise known as root. All user accounts should use strong passwords that meet or exceed the minimum strong password requirements. To give the user accounts an additional layer of security, go into System Preferences and turn on “FileVault” for all the user accounts. Apple’s FileVault uses 256-bit AES encryption to encrypt the user’s home directory (Apple Inc., 2007). Once the user accounts are properly configured, it is important to start locking the system down. First, ensure the firewall is enabled. Next, turn on automatic updates and then run the update to ensure all the latest patches have been applied. After the security updates have been applied, it is instrumental to system security to turn off any unused or unneeded services. Properly configured user accounts and a properly configured operating system add different layers to the security of the system.

After the system security configurations are made, it is a good idea to start locking down the applications. One of the biggest vulnerabilities arises when a user is surfing the Internet and downloads applications. Some security configurations can be applied to Apple’s web browser, Safari. First, ensure Safari is configured to block pop-up windows. The next step in securing Safari is to turn OFF “Open ‘Safe’ Files After Downloading.” Another step that is nice, but not a necessity, is to use Safari’s “Private Browsing” whenever possible. In the event a system is authorized to run a service, such as a web service, it is important to ensure that service is properly secured. One method of securing a service is to ensure the latest version of the web server is being used and any security updates have been applied. For example, it may be a good idea to run the service under a “wheel” or system account as opposed to running it under a user account. Next, it is important to ensure that the users of that service have the proper permissions. The next step in locking down a service is to adjust any file permissions so that only authorized users can access or modify files. After any configuration changes have been made to the different applications on the system, it may be necessary to install 3rd party applications, such as antivirus software, to add further security. Application security may need to be applied to any and all applications on a particular system, but that may depend on the system and its uses.
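
The file-permission step for a web service, as an added example that is not part of the original document: a POSIX shell audit of a document root. The function names, the finding labels and the model of a single designated content owner are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and tighten a web server document root.
# The finding labels and the single-content-owner model are assumptions.

# audit_docroot DIR OWNER
# Prints "<finding><TAB><path>" for every entry under DIR that lets an
# unauthorized account modify served files. Returns 0 if clean, 1 if not.
audit_docroot() {
    root=$1 owner=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Writable by "other": any local account can change the content.
        # Symlinks are skipped because their own mode bits are meaningless.
        find "$root" ! -type l -perm -0002 \
            -exec printf 'world-writable\t%s\n' {} \;
        # Set-uid / set-gid files do not belong among served content.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'setid\t%s\n' {} \;
        # Owned by an account other than the designated content owner.
        find "$root" ! -user "$owner" \
            -exec printf 'wrong-owner\t%s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# harden_docroot DIR
# Removes the permission bits reported above. Ownership is left alone
# because changing it normally requires root and a deliberate choice.
harden_docroot() {
    find "$1" ! -type l -exec chmod o-w,u-s,g-s {} +
}

# Stand-alone use: sh audit.sh /path/to/docroot content-owner
if [ $# -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

Run the audit before and after `harden_docroot`; any remaining `wrong-owner` lines have to be resolved by an administrator with `chown`.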

The final step mentioned here, which should really be the first step in making any system more secure, is to ensure all users are properly trained on the system and are aware of any “acceptable use” policies that may be put in place to aid in securing devices on a network. No matter what configurations have been made or what software is in place, one of the biggest threats to a system is a user of that system. This means that users shouldn’t be allowed to readily go out and visit “Warez” sites or other known threatening websites. Users should also be aware that downloading and installing software applications from the Internet could compromise the security of that system. In the event that a user is a minor, it may be necessary for an adult to use parental controls as well as to monitor the minor while they use the system. A properly trained user can aid in ensuring a system is more secure and remains secure.

In conclusion, properly configuring user accounts, system configurations, application configurations, and installing any 3rd party applications will provide a layered approach to hardening a system. Even after a system is properly configured it is important to ensure all users of that system are trained or monitored. After all configurations and training have been completed, it is then acceptable to connect the system to a properly configured and secured network for use.

Apple, Inc. (2009). Apple – Mac OS X Leopard – Technology – Security. Retrieved January 31st, 2009, from Apple – Mac OS X Leopard – Technology – Security Web site: http://www.apple.com/macosx/technology/security.html
Apple, Inc. (2007, November). Keeping safety simple. Mac OS X Security. Retrieved January 31st, 2008, from [URL Removed Broken link]