Wednesday, June 11, 2008

Mac Security Advice For Enterprise Users

One of the useful email lists I belong to is the 'Mac OS X enterprise deployment project.' You can join the list and view archives at:

In April I wrote up a quick article in response to someone's question about preventative maintenance for Mac OS X Server. Interest was expressed in my publishing the article formally on the Internet, so it is provided below. The information is a bit high-end, directed specifically at enterprise users of Mac systems, but serious Mac security newbies will find a lot of useful references as well.



From: Derek Currie
Date: April 15, 2008 10:57:25 PM EDT
To: Mac OS X enterprise deployment project
Subject: Re: Apple's guidelines for preventative maintenance for XServes and/or OS X Server.

On Apr 15, 2008, at 4:19 PM, Rich Trouton wrote:
"Does anyone know if Apple has posted specifications or guidelines for preventative maintenance for XServes and/or OS X Server? We're doing our regular security re-certification, and one of the things we're being asked for is documentation of how we're doing routine and preventative maintenance "in accordance with manufacturer or vendor specifications and/or organizational requirements." Right now, we don't have organizational requirements, so I'm trying to find Apple's specifications and I'm not finding them. Tempting as it may be, I don't think our re-certification folks are going to accept "there aren't any specifications, so I guess I don't have to do anything" as a valid answer."

Actually, Apple do provide some relevant documentation. See #6 below. But first let me provide a long-winded brainstorm:

1) Detail your backup strategy. I consider making backups the #1 rule of computing and the first step in computer security. Apple provide Time Machine in Leopard Server.

2) Talk about Keychain for storing and protecting passwords. I also use 1Password, an excellent shareware program.

3) Discuss what encryption you are using to protect critical data. You can use FileVault or use encrypted disk images created in Disk Utility. (Personally I use an encrypted .sparseimage for storing my database of server clients and other critical odds and ends I would never want stolen). Leopard offers 256-bit AES encryption for encrypted disk images. You shouldn't need anything stronger: exhausting a 256-bit key space would take longer than the age of the universe, so in practice the passphrase, not the cipher, is the weak point. Use a ridiculously un-guessable one; a short or dictionary-based passphrase is far cheaper to guess than the key it protects.
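To put numbers on the "un-guessable passphrase" requirement in item 3, here is an added worked calculation (my own illustration, not part of the original list post and not Apple's code). It estimates the entropy of a passphrase from the character classes it uses, compares that with the 256-bit key space of the disk image, and converts the smaller of the two into years of exhaustive search at an assumed guess rate. The guess rate, the 33-symbol punctuation set and the rounded age of the universe are assumptions chosen for scale; real attackers guess dictionary words and patterns first, and the key-derivation step a disk image applies to its passphrase slows each guess, so treat the entropy figure as an upper bound and the guess rate as something to tune to your own threat model.

```python
import math

AES256_KEY_BITS = 256
SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 1.38e10  # assumed round figure, used only for scale

# Assumed character-class sizes; 33 covers printable ASCII punctuation.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, given the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def password_entropy_bits(password: str) -> float:
    """Entropy if every character were drawn uniformly from the classes used.

    This is an upper bound: dictionary words, dates and keyboard walks are
    guessed long before a uniform search of the same alphabet would finish.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def weakest_link_bits(password: str, key_bits: int = AES256_KEY_BITS) -> float:
    """Effective work factor: the attacker picks the cheaper of the two searches."""
    return min(float(key_bits), password_entropy_bits(password))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every value of a search space of the given size."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def survives(password: str, guesses_per_second: float, horizon_years: float) -> bool:
    """True if an exhaustive search would outlast the chosen horizon."""
    return years_to_exhaust(weakest_link_bits(password), guesses_per_second) > horizon_years


if __name__ == "__main__":
    # Constructed sample passphrases for illustration only.
    rate = 1e9  # assumed guesses per second against an offline copy of the image
    for pw in ["password", "correcthorse", "Xq7!vB2#kL9$pM4&zR8", "x" * 80]:
        bits = weakest_link_bits(pw)
        print(f"{pw[:20]:<22} {bits:7.1f} bits  "
              f"{years_to_exhaust(bits, rate):12.3e} years  "
              f"outlasts universe: {survives(pw, rate, UNIVERSE_AGE_YEARS)}")
```

The point the table makes: the 256-bit key is never the thing an attacker searches. An eight-character lowercase passphrase caps the effective strength near 38 bits, which falls in minutes at a billion guesses per second, while the cipher's own key space sits at roughly 10^57 years at a thousand times that rate. Raise the guess rate to whatever you believe your adversary can afford and see which of your passphrases still clear the horizon.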

Sideline Rant:

If you're not using encryption, start using it already. I know you know this, but for everyone else: Federal servers are now notorious for having been cracked by the Red Hacker Alliance in China, among others. If the data is seriously encrypted, they're wasting their time. Many businesses now demand encryption. Here is a blurb from the SANS Institute's security newsletter NewsBites Vol. 10 Num. 28 regarding some incredible ignorance at the NIH:

On Apr 8, 2008, at 5:00 PM, The SANS Institute wrote:

-- NIH Workers May Not Store Sensitive Data on MacBooks
(April 4 & 7, 2008)

A National Institutes of Health (NIH) agency memo forbids employees from storing sensitive data on MacBook laptop computers. As of April 4, all NIH laptops running Windows or Linux operating systems must have the Pointsec encryption tool; Windows Vista users may also use that operating system's BitLocker disk encryption tool. There is presently a beta version of Pointsec for MacBooks, but not an approved version. The ban on MacBooks holding sensitive data applies to contractors as well as in-house employees.

[Editor's Note
(Schultz): As said so many previous times, nothing serves as a wake-up call for security as much as a serious security-related incident.
(Liston): Note: The issue here is the lack of an approved version of whole-disk encryption, not with OSX itself. Apple Fanboys: Return to standby. Nothing to see here-- you may safely return to caressing your MacBooks and iPhones.]

Obviously FileVault would be 'approved' if they bothered to notice it was there in Mac OS X. (One caveat worth documenting for an assessor: FileVault in Leopard encrypts the user's home directory as an encrypted disk image rather than the whole disk, so if the requirement is specifically whole-disk encryption, state what lives inside the home directory and what does not.)

(Also note that I pointed out Mr. Liston's lack of professionalism in an email I sent all over SANS. I got into a friendly back and forth with the President of SANS, a very nice fellow. He assured me of Mr. Liston's skills and privately told me that he pulls troll manoeuvres such as the above as a way of blowing off steam during a long boring day of security analysis, wink wink. Hopefully my efforts will shut the guy up in the future).

4) Discuss the fact that Mac OS X's Quartz graphics layer uses the PDF document format as part of its foundation, and that any PDF can be saved with an open password (for example from Preview) so that only a user holding that password can open it. Discuss how password-locked PDFs are used in the work environment, and remember that a PDF password is only as strong as the passphrase chosen for it.

5) Discuss your implementation of PGP or GPG (GnuPG, the free Open Source implementation of the OpenPGP standard) in your work environment. Sources:

6) Apple has some security documents relevant to Mac OS X Server:

a) Mac OS X Server - Security Configuration - For Version 10.4 or Later - Second Edition

- If an update is provided specific to Leopard Server, it will be posted on the Security Configuration Guides page:

b) Mac OS X, Mac OS X Server: Protection for sensitive files when using Apache on an HFS+ volume

c) Mac OS X: How to keep network computers secure

d) Mac OS X Leopard - Features - Security

7) Apple also offer their Security-Announce mailing list. You can get it via email or via RSS:

Bonus Points:

1) Some nifty security statistics from March 2008 to quote in defense of Mac OS X's excellent security record:

An excerpt from the Zone-H Statistics Report 2005-2007, the number of registered computer attacks (Zone-H records reported website defacements, so these figures count defaced servers by reported OS rather than every kind of attack; the original report uses a dot as the thousands separator):

OS            | Year 2005 | Year 2006 | Year 2007
Mac OS X      |     2,139 |     2,247 |     1,488
Windows 2003  |    72,377 |   183,953 |   114,137

To quote M. Sharp from Insanely-Great Mac:
"Assuming that the Mac's server market share is growing—the most-recent data on Apple sales I could find (Q2 of last year) had unit volume up 78 percent—then the above figures indicate that attacks are declining absolutely even as the number of servers increases proportionately and absolutely."

2) Apple provide references to security related software from third-party vendors at their 'Macintosh Products Guide' pages:

a) Go to the Mac Software/Products and Utilities page. In the 'Sub-category' popup menu choose "Security" and hit the Search button. Today there are 135 security-related apps listed.

b) Go to the Mac Software/Servers, Networking & Communications page. In the 'Sub-category' popup menu choose "Security" and hit the Search button. Today there are 20 related apps listed.

You could also search for software firewalls, hardware firewalls, etc.

That should get you going!


Derek Currie

© 2008-04-15 Derek Gordon Currie