Data Security for Macintosh Computers
Through Utilization of Built-in Features
of the OS X Operating System
College of Arts and Humanities
Eastern Illinois University
June 7, 2005
The purpose of this document is to outline the methods for securing data on
Macintosh computers through the use of features built into the OS X 10.3 “Panther” and
10.4 “Tiger” operating systems.
The resource for much of the information contained in this document is the Mac
Help feature under the Finder’s Help menu. Key words used in separate Mac Help
searches included “Master Password” and “FileVault” and “empty trash” and “firewall”
and “file sharing.” Additional information is available at:
Even though these methods are available on and may be used with any Macintosh
computer running Apple OS X 10.3 or 10.4 operating systems, this document is primarily
aimed at users of Macintosh laptop computers. While any networked computer is
susceptible to attack and theft of data, laptop computers are, by their nature, exposed to
additional risks, primarily theft, loss and wireless attack.
A laptop computer is much more likely to be stolen or lost than a desktop computer.
Unless the data is protected, the thief or finder of the laptop will have access to all data
on the computer. Also, wireless network cards are very common in laptop computers.
This gives a hacker another entryway to the computer. In fact, the user of a
wireless-equipped laptop does not even need to be connected to a network for the attack to occur.
They only need to be within range of a hacker’s wireless computer.
These threats may be minimized, if not totally eliminated, through the use of
features built into the Apple Panther and Tiger operating systems, namely proper use of
“File Sharing” and the “Security” pane and its “FileVault” which are all available in the
System Preferences application and with proper use of the Internet Connect Application.
There are nine simple steps to protecting the computer:
1. Set a user password.
2. Disable automatic log in when the computer starts.
3. Enable a screensaver hot corner.
4. Lock access to the desktop.
5. Turn off file sharing.
6. Enable the firewall.
7. Turn on FileVault.
8. Place an Airport control in the Finder menu bar.
9. Securely empty the trash.
Set a user password
If you as the user do not have a password, set one.
Launch the System Preferences application, found in the
Applications folder on the hard drive. A shortcut to
System Preferences is located by default in the Dock
unless it has been removed by the user. Another shortcut is
available under the blue apple in the upper left of the
desktop. Next, click the “Accounts” icon in the System
Preferences pane. In the ensuing window click on your
user account then on the “Password” tab. Enter a password
in the password field.
Select a password that you will not forget, but do not make it something that is too
simple, such as your name, a family member’s name or a pet’s name or anything else
about you that is readily available. Longer passwords that are alphanumeric combinations
are more effective than short ones. Most security experts recommend a 13-character
password. Additional tips for setting passwords are available at
Disable automatic log in when the computer starts
After setting a user password and with the “Accounts” pane still open, click on the
words “Login Options” at the lower left of the window. In the window that opens make
sure the box is blank next to the words “Automatically log in as.” Now, when the
computer is started it will boot to a login window where you must enter the password
created above. You may select the type of login window that is displayed by picking a
window that shows a list of users or one with blank fields where you must enter both the
user name and password. The list of users is the most insecure method. (Why give a thief
half the information they need?)
Warning: unless FileVault is enabled, anyone with a system installer disk may
use it to reset any user passwords and access the computer.
Click the “Show All” button in the top left of the System Preferences pane.
Enable a screensaver hot corner, sleep
Click the “Desktop and Screensaver” icon in System Preferences. Click the
screensaver tab, select a screensaver and set a time for it to start. Consider not using the
computer name saver because this will probably display a user name, giving a hacker or
thief part of the information they need to break into your computer.
Click the “Hot Corners” button at the bottom of the window and use the scroll bars
(below) that appear to set a hot corner to activate the screensaver. This will make the
screensaver immediately accessible if you need to turn your attention away from the
computer. In the next step the computer will be configured to require a password to wake
it from screensaver mode or sleep.
If you wish to configure sleep settings for the computer, click the show all button in
System Preferences, click on the “Energy Saver” icon then set the sleep time settings.
Note: a Macintosh laptop may be put into sleep mode by closing the display.
Lock access to the desktop
With a user password and screensaver configured it is now
possible to prevent most unauthorized users from accessing the
computer. (Remember, someone with a system disk can still
break in.) Click the show all button in System Preferences then
click the “Security” icon. Click to put checkmarks in the boxes
that will enable “Require password to wake this computer from
sleep and screensaver” and “Disable automatic login.” It is also
probably a good idea to enable “Require password to unlock each
secure system preference.” Use of the logout feature is probably
not necessary because requiring a password to wake from sleep or
screensaver will achieve essentially the same results without the risk of losing an
unsaved document. Now, no matter whether the user is logged out or the computer is
asleep or in screensaver, a password is required to access the computer.
Turn off file sharing
Click the Sharing icon in System Preferences. To make changes to the Sharing
preferences the user will need to click the lock icon in the lower left and enter a password
if “Require password to unlock each secure system preference” was enabled in the
Security preferences pane (above).
Click the “Services” tab in the sharing pane. By default, all of the services listed on the
left of the window are usually turned off, but occasionally one may be turned on
accidentally or by the installation of an application. Turn off all the services unless one is
required for a task, then turn it off as soon as it is no longer needed. In the example shown
at right, Apple Remote Desktop is enabled. To turn it off click the “Stop” button in the
window. Note: A service does not need to be turned on for the computer’s user to use the
service. For example, FTP access does not need to be enabled for the computer’s user to
launch and use an FTP application such as Fetch to send files to a web site. Not enabling
the FTP access prevents a hacker from using FTP to steal files from the computer.
If a service is desired, click its checkbox. The “Stop” button shown above changes
to a clickable “Start” button.
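A quick way to confirm that the services in the list really are off, as an added example that is not part of the original document: the Python 3 script below tries a local TCP connection to the default port of each Sharing service. The port numbers and the names SHARING_SERVICES, port_is_listening and listening_services are assumptions supplied for this example.

```python
import socket

# Default TCP ports for services in the Sharing pane. The port numbers are
# well-known defaults supplied for this example; the page does not list them.
SHARING_SERVICES = {
    "Personal File Sharing (AFP)": [548],
    "Windows Sharing (SMB)": [139, 445],
    "Personal Web Sharing": [80],
    "Remote Login (SSH)": [22],
    "FTP Access": [21],
    "Apple Remote Desktop": [3283, 5900],
    "Printer Sharing": [631],
}

def port_is_listening(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def listening_services(services=SHARING_SERVICES, host="127.0.0.1"):
    """Map each service with at least one accepting port to those ports."""
    found = {}
    for name, ports in services.items():
        open_ports = [p for p in ports if port_is_listening(host, p)]
        if open_ports:
            found[name] = open_ports
    return found

if __name__ == "__main__":
    result = listening_services()
    if not result:
        print("No Sharing services are accepting connections.")
    for name, ports in result.items():
        print(f"ON: {name} (TCP {', '.join(map(str, ports))}) - stop it if not needed")
```

Because it connects over the loopback address, the script reports whether a service is running, not whether the firewall would block it from the network.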
Enable a firewall
The Apple OS X operating system includes a built in firewall. A firewall blocks
unwanted network communications with your computer and protects it from hackers on
not only the network you are connected to, but also the Internet. In order to use Mac OS
X services, such as Apple Remote Desktop access as shown in the example, Windows
sharing, or FTP access, you need to open ports in the firewall to allow traffic for that
service to and from your computer. When you select a service in the Services pane of
Sharing preferences, it is automatically selected in the Firewall pane, and the port is
To enable the firewall click the “Firewall” tab in
the Sharing pane.
Click the “Start” button to turn on the firewall
and prevent incoming network communications with
all services except those checked in the list.
More detailed information about using the
firewall is available at
Turn on FileVault
FileVault, found in the “Security” pane of the System Preferences application,
encrypts information in the user’s home folder. This literally scrambles the data so that
the information is secure if the computer is lost or stolen. FileVault uses the Advanced
Encryption Standard with 128-bit keys (AES-128). When FileVault is turned on the user
is prompted to create a master password for the computer if one has not already been
Before turning on FileVault, make sure you have the same amount of empty space
on the disk that contains your home folder as the amount of space your home folder takes
up. For example, if your home folder’s size is 30 MB, make sure you have 30 MB of free
space available. This space is temporarily required during the encryption process. Also, in
order for FileVault to be totally effective all the documents you wish to protect must be
somewhere in the home folder. Items at the base level of the hard drive will not be
encrypted. The home folder, by default, contains folders for documents, music, photos
and movies. A Library folder contains user specific system and application preferences.
There is also a shared folder that is available to other users of the computer. The home
folder is located in the Users folder. NEVER move the home folder to another location on
the hard drive.
To activate FileVault click the “Turn on FileVault” button in the Security pane. If a
“Master Password” has not been set for the computer the user will be prompted (right) to
set one after clicking the “Turn on FileVault” button. The master password is a safety net
that allows an administrative user to log in if the user password is forgotten. The
Master Password should be different from your user password and should follow the same
standards as those discussed earlier. Instructions for using the Master Password to enter
the computer appear on page 7 of this document under the heading “Resetting a user
password for an encrypted home folder.”
[Figure: Master Password configuration pane.]
Enter the password in the “Master Password” field, enter it again in the “Verify”
field, add a hint if you desire then click the OK button.
Click "Turn on FileVault" and read the message that appears. If you want to
continue click "Turn on FileVault" in this dialog or click Cancel to prevent the process. If
you continue the computer will begin encrypting the files in the home folder. While the
home folder is being encrypted you will not be able to log in to your account or use your
computer to do other tasks. The process could take several minutes depending on the size
of the home folder. When the encryption process is finished you must log back in to your
account to continue working. Your home folder icon will change to show that it is
protected by FileVault.
Changing a master password
Once a master password is set for your computer, you can change it.
Note: As discussed earlier, a master password is not the same as your user account
To change the master password launch the System Preferences application and
click the Security icon. If the Security preferences pane is locked click the lock icon and
type an administrator name and password. Click the Change button.
Type the current master password in the appropriate field, then type the new master
password. Type it again in the verify box and then, if you desire, enter a hint to help you
remember the master password if you forget it. Click the OK button.
Resetting a user password for an encrypted home folder
If you have forgotten your login password and your home folder is being protected
by FileVault, you must know the master password to get access to your account. If you
do not know the master password or the user password there is no way to access the data.
It is lost forever. Not even Apple can get to the data.
If you have forgotten your user password go ahead and attempt to log in to your account.
After three unsuccessful attempts to log in the password hint will appear if you entered
one when the password was created. If the hint does not help you remember the password
click the “Forgot Password” button. Type (or have the computer's administrator type) the
master password and click Continue. Read the warning message about your keychain and
click OK to proceed, or click Cancel to stop. Type a new login password for your account
then type it again to verify it. Type a hint that will help you remember your password if
you forget it later then click “Login.”
If a master password is not set on the computer you can use the “Change Password”
utility on a system installer disk.
Place an Airport control in the Finder menu bar
Placing an Airport wireless control in the menu bar will make it
very easy to turn Airport off and on, join wireless networks, monitor the
strength of a wireless connection or create a computer-to-computer Airport
network. If you want to create a Computer-to-Computer network, make
sure the "Allow this computer to create networks" checkbox is selected in the AirPort
pane of Network preferences in System Preferences.
To place an Airport control / status icon in the menu bar launch the
“Internet Connect” application found in the Applications folder. Select the
appropriate checkbox and quit the application. Now, if a wireless
connection is not needed it is a simple process of clicking on the status
icon in the menu bar and selecting “Turn Airport Off.” Airport may be
turned on the same way. Available wireless networks are also listed under
the icon.
Secure empty trash
Moving files to the trash and then selecting “Empty trash” from the Finder menu
does not completely remove files from the Macintosh computer. Emptying the trash
removes only the data the computer needs to locate that file. These so-called deleted files
may still be recovered from the computer by using data recovery software. To securely
delete files from the computer choose Finder > Secure Empty Trash rather than the
Empty trash selection. Depending on the size of the file or files being deleted this may
take longer than expected. However, files deleted this way are completely overwritten by
meaningless data and are nearly impossible to recover.
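The difference between the two Trash commands, as an added example that is not part of the original document: a constructed toy disk in Python 3 where an ordinary delete drops only the directory entry and a secure delete overwrites the blocks first. ToyDisk, its method names and the sample data are hypothetical, and the model assumes an overwrite lands on the same blocks the file occupied.

```python
import os

BLOCK = 16  # toy block size in bytes (constructed value)

class ToyDisk:
    """Constructed model: raw blocks plus a directory that maps names to blocks."""

    def __init__(self, blocks=32):
        self.data = bytearray(blocks * BLOCK)
        self.free = list(range(blocks))
        self.directory = {}  # file name -> list of block numbers

    def write_file(self, name, content):
        needed = -(-len(content) // BLOCK)  # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def empty_trash(self, name):
        """Ordinary delete: forget where the file is, leave its blocks as they are."""
        self.free.extend(self.directory.pop(name))

    def secure_empty_trash(self, name):
        """Overwrite every block of the file with random bytes, then delete it."""
        for b in self.directory[name]:
            self.data[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.empty_trash(name)

    def recovery_scan(self, needle):
        """What recovery software does: read raw blocks and ignore the directory."""
        return needle in bytes(self.data)

def compare_deletes(secret=b"constructed sample: grade roster 2005"):
    """Return {method: (still listed in directory, recoverable from raw blocks)}."""
    results = {}
    for method in ("empty_trash", "secure_empty_trash"):
        disk = ToyDisk()
        disk.write_file("roster.txt", secret)
        getattr(disk, method)("roster.txt")
        results[method] = ("roster.txt" in disk.directory, disk.recovery_scan(secret))
    return results

if __name__ == "__main__":
    for method, (listed, recoverable) in compare_deletes().items():
        print(f"{method}: listed={listed} recoverable={recoverable}")
```

On storage that does not rewrite blocks in place, such as flash media, the assumption in this model does not hold, which is one more reason to keep sensitive files inside the FileVault-encrypted home folder.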
If an item is locked you cannot put it in the Trash. When a locked file is dragged to
the trash a message appears that says the operation cannot be completed because the item
is locked. Select the item and choose File > Get Info, then deselect the Locked checkbox
in the Info window. If you do not own the item you may need to provide an
administrator's name and password to put the item in the trash.