Macintosh computer security is not top of mind for midmarket company IT managers. But, in addition to clusters of Mac desktops that may be in the design and marketing departments, managers should be particularly concerned about Macintosh laptop security.
In this tip, we'll look at four basic steps you can take to implement Macbook security, from best security practices to security software for Macintosh.
LIMIT USER PRIVILEGES
By default, all users are admins for their systems, but they don't need to be. The risks are similar to those on Windows computers, where if the machine is compromised, the bad guy has high privileges. Administrators should have two accounts: one to perform administrative chores, and one as a normal user. That way, they are only using the more privileged account when necessary, said Daniel Cuthbert, principal consultant for Corsaire Ltd., a Surrey, U.K.-based security firm.
This is also essential if you are serious about hardening your Macs and keeping them hardened. Without admin rights, users can't undo the secure settings you've configured on each machine. Mac users are accustomed to running as admin; Macs are primarily designed for individual rather than network use, but this shouldn't be an issue as long as they have access to the applications and file shares they need to do their work.
"You need to ensure that the computer is still running a secure policy," said Cuthbert. "Users are very good at making things insecure in the name of usability."
User can be assigned to groups for purposes of granting permissions to network directories and files.
Beginning with Mac OS 10.4, you can use access control lists, which provide more granular control options than the basic Unix file permission settings. ACLs allow you to assign file and directory permissions to roles, that is users or a group of users, instead of just groups. ACLs allow a number of permissions in addition to the Unix read, write and execute permissions, including delete, append and change ownership. ACLs assigned to directories can be inherited by subdirectories and files.
Root is disabled by default (Mac OS X is based on BSD Unix), and should remain disabled, which reduces the exposure to many common Unix attacks. Instead, you can use the Unix sudo command, which requires admin privileges to grant root capabilities for specific administrative purposes, such as assigning user or group privileges, setting password policies, etc. As admin, you can grant users or groups access to specific commands without their having to know the root password, thereby enforcing the principle of least privilege.
HARDEN YOUR MACS
All network services are disabled by default. Allow only those services that a user explicitly needs, Cuthbert said, based on an access control policy enforced by the client firewall that comes with the OS. In addition to the Mac stateful packet inspection firewall, Mac OS X 10.5, also known as Leopard, includes application firewall capabilities that allow you to control incoming traffic by application. There are also a number of third-party commercial Mac client firewalls, which offer better interfaces, good logging capabilities and more granular application control.
Parental controls, which are designed to limit your kids to using a handful of safe applications, are a surprisingly good tool for locking down computer access. Cuthbert said a large banking client used parental controls to create limited users for its design team, limiting them to essential apps, such as Photoshop, Safari and email.
USE ANTIVIRUS, EVEN IF YOU DON'T NEED IT
The amount of malware targeting Macintosh is infinitesimal compared to Windows. Although the Mac OS market share is growing, it's still only around 5% globally and perhaps between 7% and 8% in the U.S., based on several sources. So, fear, uncertainty and doubt (FUD) aside, it's hardly a sure bet that cybercriminals will divert any appreciable attention to Macs.
All that being said, a commercial AV product on each Mac is a small investment against the chance that your users will fall victim to some new Trojan. Major commercial AV vendors offer Mac versions of their products, so adding a few licenses won't sting. However, management support will vary. For example, McAfee supports both Windows and Mac through its ePolicy Orchestrator management console, but many of the others are standalone SOHO products or have central console management for Mac clients only. You can also consider Macintosh-specific security vendors, such as Intego Inc.
ENCRYPT SENSITIVE DATA
Like their Windows user colleagues, your C-level executives, and perhaps other employees toting Macbooks, are putting sensitive data at risk every day. Data is data. If the laptop is lost or stolen or compromised in some way, the risk is the same.
If you are deploying FDE, look to encryption vendors that support Mac, such as Check Point Software Technologies Ltd. and PGP Corp., which manage both Windows and Mac devices from their central consoles. OS X includes FileVault, which encrypts the user home directory, and Disk Utility, which can be used to create an encrypted disk image, but these are single-user tools.
You can manage Mac security computer by computer, using scripts if you have some Unix fluency to set your configurations and enforce software updates. Or, you can invest in a Mac Server, which will give you central management capabilities.
Basic understanding of Unix will be helpful to the non-Mac manager, especially for scripting and command line administration. The interface is, of course, user friendly, but investing some effort in learning your way around Macs is worthwhile.
"Take a little time to get up to speed," said Alan Oppenheimer, president of Ashland, Ore.-based Open Door Networks Inc. "An SMB IT person does not have to be a Mac expert, but you do need to understand how to secure Mac in an Internet environment. That's the most import thing.
Send comments on this technical tip to email@example.com
This was first published in November 2009