Apple laptop security
                                                Doug Lawhead

Data Security for Macintosh Computers Through Utilization of Built-in Features of the OS X Operating System

Doug Lawhead
Macintosh Support
College of Arts and Humanities
Eastern Illinois University
June 7, 2005

Purpose

The purpose of this document is to outline the methods for securing data on Macintosh computers through the use of features built into the OS X 10.3 “Panther” and 10.4 “Tiger” operating systems.

Sources

The resource for much of the information contained in this document is the Mac Help feature under the Finder’s Help menu. Key words used in separate Mac Help searches included “Master Password,” “FileVault,” “empty trash,” “firewall” and “file sharing.” Additional information is available at:

http://docs.info.apple.com/article.html?artnum=152336
http://docs.info.apple.com/article.html?artnum=152352
http://www.apple.com/macosx/features/filevault/
http://docs.info.apple.com/article.html?artnum=151615
http://docs.info.apple.com/article.html?artnum=106461

Introduction

Even though these methods are available on and may be used with any Macintosh computer running the Apple OS X 10.3 or 10.4 operating systems, this document is primarily aimed at users of Macintosh laptop computers. While any networked computer is susceptible to attack and theft of data, laptop computers are, by their nature, exposed to additional risks, primarily theft, loss and wireless attack.

A laptop computer is much more likely to be stolen or lost than a desktop computer. Unless the data is protected, the thief or finder of the laptop will have access to all data on the computer. Also, wireless network cards are very common in laptop computers. This gives a hacker another entryway to the computer. In fact, the user of a wireless-equipped laptop does not even need to be connected to a network for the attack to occur. They only need to be within range of a hacker’s wireless computer.

These threats may be minimized, if not totally eliminated, through the use of features built into the Apple Panther and Tiger operating systems: proper use of “File Sharing” and of the “Security” pane and its “FileVault,” which are all available in the System Preferences application, and proper use of the Internet Connect application.

There are nine simple steps to protecting the computer:

   1.   Set a user password.
   2.   Disable automatic log in when the computer starts.
   3.   Enable a screensaver hot corner.
   4.   Lock access to the desktop.
   5.   Turn off file sharing.
   6.   Enable the firewall.
   7.   Turn on FileVault.
   8.   Place an Airport control in the Finder menu bar.
   9.   Securely empty the trash.

Set a user password

If you as the user do not have a password, set one. Launch the System Preferences application, found in the Applications folder on the hard drive. A shortcut to System Preferences is located by default in the Dock unless it has been removed by the user. Another shortcut is available under the blue apple in the upper left of the desktop. Next, click the “Accounts” icon in the System Preferences pane. In the ensuing window click on your user account, then on the “Password” tab. Enter a password in the password field.

[Figure: System Preferences]

Select a password that you will not forget, but do not make it something that is too simple, such as your name, a family member’s name, a pet’s name or anything else about you that is readily available. Longer passwords that are alphanumeric combinations are more effective than short ones. Most security experts recommend a 13-character password. Additional tips for setting passwords are available at http://docs.info.apple.com/article.html?artnum=106521 .

Disable automatic log in when the computer starts

After setting a user password and with the “Accounts” pane still open, click on the words “Login Options” at the lower left of the window. In the window that opens make sure the box is blank next to the words “Automatically log in as.” Now, when the computer is started it will boot to a login window where you must enter the password created above.

You may select the type of login window that is displayed by picking a window that shows a list of users or one with blank fields where you must enter both the user name and password. The list of users is the least secure method. (Why give a thief half the information they need?)

Warning: unless FileVault is enabled, anyone with a system installer disk may use it to reset any user passwords and access the computer.

Click the “Show All” button in the top left of the System Preferences pane.

Enable a screensaver hot corner, sleep

Click the “Desktop and Screensaver” icon in System Preferences. Click the screensaver tab, select a screensaver and set a time for it to start. Consider not using the computer name saver because this will probably display a user name, giving a hacker or thief part of the information they need to break into your computer.

Click the “Hot Corners” button at the bottom of the window and use the scroll bars (below) that appear to set a hot corner to activate the screensaver. This will make the screensaver immediately accessible if you need to turn your attention away from the computer. In the next step the computer will be configured to require a password to wake it from screensaver mode or sleep.

If you wish to configure sleep settings for the computer, click the “Show All” button in System Preferences, click on the “Energy Saver” icon, then set the sleep time settings. Note: a Macintosh laptop may be put into sleep mode by closing the display.

Lock access to the desktop

With a user password and screensaver configured it is now possible to prevent most unauthorized users from accessing the computer. (Remember, someone with a system disk can still break in.)

Click the “Show All” button in System Preferences, then click the “Security” icon. Click to put checkmarks in the boxes that will enable “Require password to wake this computer from sleep and screensaver” and “Disable automatic login.” It is also probably a good idea to enable “Require password to unlock each secure system preference.”

Use of the logout feature is probably not necessary because requiring a password to wake from sleep or screensaver will achieve essentially the same results without the risk of losing an unsaved document. Now, no matter whether the user is logged out or the computer is asleep or in screensaver, a password is required to access the computer.

[Figure: Security]

[Figure: Security preferences pane]

Turn off file sharing

Click the Sharing icon in System Preferences. To make changes to the Sharing preferences the user will need to click the lock icon in the lower left and enter a password if “Require password to unlock each secure system preference” was enabled in the Security preferences pane (above).

Click the “Services” tab in the Sharing pane. By default, all of the services listed on the left of the window are usually turned off, but occasionally one may be turned on accidentally or by the installation of an application. Turn off all the services unless one is required for a task, then turn it off as soon as it is no longer needed. In the example shown at right, Apple Remote Desktop is enabled. To turn it off click the “Stop” button in the window.

Note: A service does not need to be turned on for the computer’s user to use the service. For example, FTP access does not need to be enabled for the computer’s user to launch and use an FTP application such as Fetch to send files to a web site. Not enabling FTP access prevents a hacker from using FTP to steal files from the computer.

If a service is desired, click its checkbox. The “Stop” button shown above changes to a clickable “Start” button.

Enable a firewall

The Apple OS X operating system includes a built-in firewall. A firewall blocks unwanted network communications with your computer and protects it from hackers on not only the network you are connected to, but also the Internet.

In order to use Mac OS X services, such as Apple Remote Desktop access as shown in the example, Windows sharing, or FTP access, you need to open ports in the firewall to allow traffic for that service to and from your computer. When you select a service in the Services pane of Sharing preferences, it is automatically selected in the Firewall pane, and the port is opened.

To enable the firewall click the “Firewall” tab in the Sharing pane. Click the “Start” button to turn on the firewall and prevent incoming network communications with all services except those checked in the list. More detailed information about using the firewall is available at http://docs.info.apple.com/article.html?artnum=151615

Turn on FileVault

FileVault, found in the “Security” pane of the System Preferences application, encrypts information in the user’s home folder. This literally scrambles the data so that the information is secure if the computer is lost or stolen. FileVault uses the Advanced Encryption Standard with 128-bit keys (AES-128). When FileVault is turned on the user is prompted to create a master password for the computer if one has not already been created.

Before turning on FileVault, make sure you have the same amount of empty space on the disk that contains your home folder as the amount of space your home folder takes up. For example, if your home folder’s size is 30 MB, make sure you have 30 MB of free space available. This space is temporarily required during the encryption process.

Also, in order for FileVault to be totally effective, all the documents you wish to protect must be somewhere in the home folder. Items at the base level of the hard drive will not be encrypted.

The home folder, by default, contains folders for documents, music, photos and movies. A Library folder contains user-specific system and application preferences. There is also a shared folder that is available to other users of the computer. The home folder is located in the Users folder. NEVER move the home folder to another location on the hard drive.

To activate FileVault click the “Turn on FileVault” button in the Security pane. If a “Master Password” has not been set for the computer the user will be prompted (right) to set one after clicking the “Turn on FileVault” button. The master password is a safety net that allows an administrative user to log in in case the user password is forgotten. The Master Password should be different from your user password and should follow the same standards as those discussed earlier. Instructions for using the Master Password to enter the computer appear on page 7 of this document under the heading “Resetting a user password for an encrypted home folder.”

[Figure: Master Password configuration pane]

Enter the password in the “Master Password” field, enter it again in the “Verify” field, add a hint if you desire, then click the OK button.

Click "Turn on FileVault" and read the message that appears. If you want to continue click "Turn on FileVault" in this dialog, or click Cancel to prevent the process. If you continue the computer will begin encrypting the files in the home folder.

While the home folder is being encrypted you will not be able to log in to your account or use your computer to do other tasks. The process could take several minutes depending on the size of the home folder. When the encryption process is finished you must log back in to your account to continue working. Your home folder icon will change to show that it is protected by FileVault.

Changing a master password

Once a master password is set for your computer, you can change it. Note: As discussed earlier, a master password is not the same as your user account (login) password.

To change the master password launch the System Preferences application and click the Security icon. If the Security preferences pane is locked click the lock icon and type an administrator name and password. Click the Change button. Type the current master password in the appropriate field, then type the new master password. Type it again in the verify box and then, if you desire, enter a hint to help you remember the master password if you forget it. Click the OK button.

Resetting a user password for an encrypted home folder

If you have forgotten your login password and your home folder is being protected by FileVault, you must know the master password to get access to your account. If you do not know the master password or the user password there is no way to access the data. It is lost forever. Not even Apple can get to the data.

If you have forgotten your user password go ahead and attempt to log in to your account. After three unsuccessful attempts to log in the password hint will appear if you entered one when the password was created. If the hint does not help you remember the password click the “Forgot Password” button. Type (or have the computer's administrator type) the master password and click Continue. Read the warning message about your keychain and click OK to proceed, or click Cancel to stop. Type a new login password for your account, then type it again to verify it. Type a hint that will help you remember your password if you forget it later, then click “Login.”

If a master password is not set on the computer you can use the “Change Password” utility on a system installer disk.

Place an Airport control in the Finder menu bar

Placing an Airport wireless control in the menu bar will make it very easy to turn Airport off and on, join wireless networks, monitor the strength of a wireless connection or create a computer-to-computer Airport network. If you want to create a Computer-to-Computer network, make sure the "Allow this computer to create networks" checkbox is selected in the AirPort pane of Network preferences in System Preferences.

[Figure: control/status]

To place an Airport control / status icon in the menu bar launch the “Internet Connect” application found in the Applications folder. Select the appropriate checkbox and quit the application.

[Figure: Internet Connect]

Now, if a wireless connection is not needed it is a simple process of clicking on the status icon in the menu bar and selecting “Turn Airport Off.” Airport may be turned on the same way. Available wireless networks are also listed under the icon.

Secure empty trash

Moving files to the trash and then selecting “Empty trash” from the Finder menu does not completely remove files from the Macintosh computer. Emptying the trash removes only the data the computer needs to locate that file. These so-called deleted files may still be recovered from the computer by using data recovery software.

To securely delete files from the computer choose Finder > Secure Empty Trash rather than the Empty trash selection. Depending on the size of the file or files being deleted this may take longer than expected. However, files deleted this way are completely overwritten by meaningless data and are nearly impossible to recover.

If an item is locked you cannot put it in the Trash. When a locked file is dragged to the trash a message appears that says the operation cannot be completed because the item is locked. Select the item and choose File > Get Info, then deselect the Locked checkbox in the Info window. If you do not own the item you may need to provide an administrator's name and password to put the item in the trash.
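
The difference between the two ways of emptying the trash, shown as an added example that is not part of the original document: a plain delete removes only the name that locates the file, while an overwrite replaces its bytes first. The file name, the sample contents and the second hard link (a stand-in for data recovery software reading the file's data) are constructed for the illustration.

```python
import os
import tempfile


def plain_delete(path):
    """Remove only the directory entry, which is what a normal delete does."""
    os.unlink(path)


def overwrite_and_delete(path, passes=1, chunk=64 * 1024):
    """Overwrite the file's bytes in place with random data, then unlink it.

    In-place overwriting only helps when the file system writes to the same
    blocks; flash storage and copy-on-write file systems may not do so.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            os.fsync(f.fileno())  # push the overwrite to disk before unlinking
    os.unlink(path)


def demo(delete):
    """Delete a constructed file with `delete` and report what survives.

    Returns (name_gone, original_data_still_readable, bytes_left), where the
    data is read back through a second hard link to the same file contents.
    """
    secret = b"CONSTRUCTED SAMPLE: payroll.xls contents\n" * 100
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "payroll.xls")    # hypothetical file name
        witness = os.path.join(d, "witness")       # stand-in for a recovery tool
        with open(victim, "wb") as f:
            f.write(secret)
        os.link(victim, witness)
        delete(victim)
        name_gone = not os.path.exists(victim)
        with open(witness, "rb") as f:
            leftover = f.read()
    return name_gone, leftover == secret, len(leftover)


if __name__ == "__main__":
    print("plain delete      :", demo(plain_delete))
    print("overwrite + delete:", demo(overwrite_and_delete))
```
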
