Key Mac OS X Security Features


By: switchtoamac at: 10:47 AM on July 19, 2006 | Comments (4)

Computer users who are looking for a secure operating system need not look further than Mac OS X. In a prior post, I described the Key Isolation Features in Mac OS X. In this post I'll describe how Apple ships every Mac with default out-of-the-box security. I will then outline some hardening tasks one can undertake to make a Mac more secure. The goal of this post is to describe to those not familiar with OS X how secure a Mac is and can be. For those tired of viruses, spyware, malware, and security vulnerabilities, the inherent security features in Mac OS X could be reason enough to provoke the decision to make the switch.

Apple's Mac OS X operating system offers one of the most secure default installations of any desktop operating system on the market; this is especially true for version 10.4 Tiger.  Out of the box, a Mac is configured to be safe as soon as you connect it to the Internet.  You can secure a Mac even further by enabling additional features and options within Mac OS X.  The benefit is that you don't need to be a security expert to do so.

Although Mac OS X is a derivative of BSD UNIX and it leverages open source foundations, Apple has approached system security with the understanding that today's computing relies heavily on the Internet and associated technologies. Without getting into the technical implementation and design of Mac OS X, rest assured that Apple has taken a big-picture approach to security as it applies to operating system design and implementation. A byproduct of this approach is a significant reduction in the risk of unauthorized access and of malicious code (viruses, worms, Trojans, etc.) executing on a Mac.


Default Security

Communication Ports
Computer users who use the Internet know that they can "surf" the Web.  What exactly is surfing?  When you connect to a website on the Internet, your computer is basically connecting to another computer.  The remote computer could be running Mac OS X, UNIX, Windows, Linux, or another operating system.  Behind the scenes, a computer and its underlying operating system accomplish communication with other computers and services by using ports and specific protocols.  Examples of protocols include HTTP, HTTPS, TCP/IP and FTP.  Each protocol has a specific "language" that it uses to do its work.  Taken together, communication ports and protocols allow your computer to communicate with other computers and services on a network (private and public).  Examples of services that participate in communication include printer sharing, personal file sharing, and remote login.

Insecure ports in conjunction with insecure system configurations are common entry points that intruders and malicious code use to exploit, penetrate, and compromise computer systems and networks.  An insecure port acts as a doorway into a system and many malware programs targeted towards the Windows environment look for these "open" ports.  Hackers have even created specialized scanning programs that look for open ports on computers.  Once found, the programs then attempt to exploit and gain access to those systems.

Mac OS X ships with secured (closed) communication ports, allowing your computer and network to be protected out of the box. When a new Mac is started for the first time, Mac OS X goes through a utility called Setup Assistant. One part of the Setup Assistant is a section that sets up an Internet connection. After completing that section, Mac OS X automatically configures a Mac to connect to the Internet; this is done behind the scenes. Users with administrator privileges will be able to open additional ports on an as-needed basis. For example, if a certain application needs to use a specific port, it can be manually opened or the service that uses that port can be activated.

Download Validation
Mac OS X 10.4 Tiger has a feature that automatically inspects downloads for safety. Apple calls this feature "Download Validation". It's an intelligence feature that performs checks against potentially unsafe content. In Tiger, the applications Safari, iChat, and Mail implement download validation.

When you download a file in Safari, iChat, or Mail, it is automatically and intelligently analyzed to determine if an application exists in the download. If Safari, iChat, or Mail determines that it is about to handle potentially unsafe content, it will present a warning to the user with two options, cancel or continue. The possible warnings fall into the following categories:

  • "Are you sure you want to download the application?"
  • "Are you sure you want to continue downloading?"
  • "The safety of this file cannot be determined. Are you sure you want to download?"

This security feature is significant because you may think you are downloading a file but you are actually downloading a potentially harmful application. On its own, Windows is unable to perform such a sanity check.

Attachments
Windows users know that e-mail attachments can cause mayhem on their systems.  All too often, Windows users are sent emails from untrusted sources with attachments or what appears to be attachments when in reality, the item contained in the attachment is malicious code.  On a PC, all it takes is to configure the email program to automatically open attachments and the damage is done. 

On a Mac however, attachments sent via e-mail or through programs such as iChat are not opened automatically.  Apple realized that attachments are often the source of destructive programs and malicious code and as a result, Apple's Mail program does not automatically open attachments.  Attachments go through the download validation check to determine if they can potentially contain unsafe files.

The onus is on the end user as to what attachments to open.  From a common sense standpoint, you should only open attachments from trusted sources.  If you get an email containing an attachment from someone you don't know or from an unknown source, be cautious and think twice about the need to download and open the attachment.


Hardening Practices

This section will describe techniques to "harden" or secure a Mac even further. Mac OS X has numerous system-level settings and preferences relating to security. You can access these areas via:

Apple Menu > System Preferences > Security 


Recommendations
A good common-sense practice is to check the "Require password to wake this computer from sleep or screen saver" box. When enabled, the logged-in user's password will be required before access is granted.

By checking the "Disable automatic login" box, you ensure that all users on the system enter their username and password before they are granted access to a Mac. This is a must-use option. Even if you are the only person using your Mac, you should enable this feature. Imagine if your Mac gets stolen and this feature was not enabled. The thief would get unrestricted access to your files and documents by simply turning on your Mac.

Although OS X gives you the option to log a user off the system after a set period of inactivity, I don't recommend it because there are times where things come up and you simply forget that you were using your Mac.  The password protection feature for sleep and screensaver will suffice.

An operating system and applications use numerous temporary files in order to function.   By checking “Use secure virtual memory”, you enable a feature that tells Mac OS X to encrypt those temporary files (also called swap files or virtual files) so that they cannot be read.  It's a good practice to enable this option.

Firewall
Mac OS X ships with an IPFirewall (IPFW). The Mac OS X firewall and some network services are disabled when your Mac is shipped. The firewall can be easily enabled and configured via the Firewall tab in the Sharing section of System Preferences by following the steps in the following post. Scroll down to the section titled "Enable the Firewall".

For advanced users, the graphical user interface (GUI) doesn't provide access to the full features and capabilities of the Mac OS X IPFW firewall.  Just know that the firewall can be configured with additional features such as logging and rules.  Note that only incoming connections can be monitored and controlled with the OS X firewall.  You can always install a third-party firewall if you desire additional features, would like to monitor outgoing connections, or would like more control over the behavior and capabilities of the firewall.

Services
Services work hand-in-hand with the Firewall.  In order to use a service, you must first enable it.  If you need to enable a service, you do it via the Services tab.  For example, if you would like to use FTP you enable the FTP checkbox.

To demonstrate that the firewall works directly with services, click on the Firewall tab and you will see that the firewall settings have been automatically updated.

If you just performed these steps on your Mac and you don't need to use FTP, please undo your changes by going back to the Services tab and unchecking the FTP box.

This example demonstrates that the services you enable via the Services tab automatically get enabled on the Firewall. This happens because the role of the firewall is to manage ports. A service needs a port enabled in order to function; if a service is activated, the associated port for that service must be opened on the firewall. There are a few exceptions to this behavior because the following services are not available in the Services tab but are visible in the Firewall tab:

  • iChat Bonjour
  • iTunes Music Sharing
  • iPhoto Bonjour Sharing
  • Network Time

These four are blocked by default and so are their associated ports.  Unless you need to use them, do not enable them.  If an application wants to use a feature, for example iTunes Music Sharing, it will notify you and you have the ability to allow or deny it.
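
The link between enabled services and open ports can also be checked from Terminal. The script below is an added example, not part of the original post: it parses `netstat -an` output and reports listening TCP ports that are reachable from the network and are not on a list you supply. The sample output is constructed, and the mapping of port numbers to Services tab names is an assumption based on standard port assignments.

```shell
#!/bin/sh
# Constructed sample of BSD-style `netstat -an` output (not captured from a real Mac).
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49172     17.254.3.183.80        ESTABLISHED
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  *.548                  *.*                    LISTEN
udp4       0      0  *.5353                 *.*
EOF
}

# Read netstat output on stdin; print each listening TCP socket once as "port address".
listening_ports() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
         n = split($4, p, "[.]")        # BSD netstat writes address.port
         port = p[n]
         addr = substr($4, 1, length($4) - length(port) - 1)
         if (!seen[port " " addr]++) print port, addr
       }'
}

# Assumed mapping from standard port numbers to the Services tab entries.
service_for_port() {
  case "$1" in
    21)  echo "FTP Access" ;;
    22)  echo "Remote Login" ;;
    548) echo "Personal File Sharing" ;;
    631) echo "Printer Sharing" ;;
    *)   echo "unknown" ;;
  esac
}

# audit "<allowed ports>": report network-reachable listeners not on the allowlist.
audit() {
  allowed=" $1 "
  listening_ports | while read -r port addr; do
    case "$addr" in 127.*|::1|localhost) continue ;; esac   # loopback only, not exposed
    case "$allowed" in *" $port "*) continue ;; esac         # a service you meant to enable
    echo "UNEXPECTED $port ($(service_for_port "$port")) on $addr"
  done
}

# On a Mac, replace sample_netstat with: netstat -an | audit "548"
sample_netstat | audit "548"
```

With only Personal File Sharing allowed, the sample reports the FTP listener on port 21 and ignores the listener on port 631 because it is bound to the loopback address.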


Data Protection

FileVault
Mac OS X provides a great built-in data encryption feature called FileVault. According to Apple, "FileVault secures your entire home folder by encrypting its contents." In other words, FileVault protects the logged-in user's home directory from unauthorized access via encryption and decryption technology. Definitions of encryption and decryption can be found at Google. FileVault protects this data using AES 128-bit encryption (the same strength encryption that the US Federal government recommends to secure sensitive documents), rather than the weaker Data Encryption Standard X (DESX) encryption used by Windows Encrypting File System (EFS) in Windows XP and Windows 2003.

FileVault is accessed via:
Apple Menu > System Preferences > Security
 

To activate FileVault, click the “Turn on FileVault” button. If a “Master Password” has not been set for the system, the user will be prompted to set one immediately after clicking the “Turn on FileVault” button. The "master password" for the system can decrypt all FileVault-protected folders on the system. This is a failsafe measure in case an individual user forgets his or her login password.


Encrypted Disk Images
 
With Disk Utility, you can easily create an encrypted disk image that provides an easy way to protect important files. An encrypted disk image must be mounted (opened) before the contents can be accessed. Once mounted, a password or keychain with the correct password will be required to decrypt the disk image.  Note that you are not actually encrypting files but rather creating an encrypted storage location whether it's a disk or some alternate storage device.  An encrypted disk image behaves as any other image when mounted.  You'll be able to move/copy files to and from the mounted disk image just like any other volume.  You can encrypt an existing folder or create a new blank encrypted disk image.


Closing

Apple provides you with a relatively safe out-of-the-box Mac but you can take steps to secure it further. At a minimum, you should enable the Firewall and only enable the Services you need to use. You can take advantage of additional security features in Mac OS X such as disabling automatic login, requiring a password to access your Mac, and leveraging OS X's data protection features. The decision is up to you. But never lose sight of one very important part of using a computer: common sense. Don't download files from websites that you cannot trust and do not open arbitrary and random email attachments.

One can make the argument that OS X's security features are enough to encourage people to make the switch. Having said that, by following the steps in this post and by using common sense, you'll have a safe computing experience on your Mac, much safer than that other operating system ;-)

A future post will discuss the Mac OS X Keychain. 

4 Reader Comments

nice overview. looking forward to your future keychain discussion. keep up the good work as this site is a great resource for new and potential mac users

I would really like to know how to set these defaults via the terminal/shell script.

Great summary, thanks.

Good summary as Chris said, but it does not compare Mac's features to others'. What convinces consumers to get a Mac over, say, a PC with Windows or a Linux distribution? The features in this article are standard features that all up-to-date OSes are equipped with. What makes Macs BETTER, not just GOOD? PCs are "GOOD", too, so this article doesn't convince me to get a Mac at all.
