Mac OS X Server
Security Configuration
For Mac OS X Server Version 10.6 Snow Leopard

Apple Inc.
© 2010 Apple Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014
408-996-1010
www.apple.com

The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, Airport, Bonjour, FileVault, FireWire, iCal, iChat, iMac, iSight, iTunes, Keychain, Mac, Mac OS, QuickTime, Safari, Snow Leopard, Spotlight, Tiger, Time Machine, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

Apple Remote Desktop, Finder, and QuickTime Broadcaster are trademarks of Apple Inc.

MobileMe is a service mark of Apple Inc.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

Intel, Intel Core, and Xeon are trademarks of Intel Corp. in the U.S. and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

UNIX is a registered trademark of The Open Group.

This product includes software developed by the University of California, Berkeley, FreeBSD, Inc., The NetBSD Foundation, Inc., and their respective contributors.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

019-1875/2010-06
Contents

Preface  About This Guide  17
  Audience  17
  What's in This Guide  17
  Using This Guide  20
  Using Onscreen Help  20
  Snow Leopard Server Administration Guides  21
  Viewing PDF Guides on Screen  21
  Printing PDF Guides  21
  Getting Documentation Updates  22
  Getting Additional Information  22
  Acknowledgments  23

Chapter 1  Introduction to Snow Leopard Server Security Architecture  24
  Security Architectural Overview  25
  UNIX Infrastructure  25
  Access Permissions  25
  Security Framework  26
  Layered Security Defense  27
  Network Security  27
  Credential Management  28
  Public Key Infrastructure (PKI)  28
  What's New in Snow Leopard Server Security  29
  Existing Security Features in Snow Leopard Server  29
  Signed Applications  30
  Mandatory Access Controls  30
  Sandboxing  31
  Managed User Accounts  32
  Enhanced Quarantining  32
  Memory and Runtime Protection  33
  Securing Sharing and Collaborative Services  33
  Service Access Control Lists  33
  VPN Compatibility and Integration  34
  Improved Cryptography  35
  Extended Validation Certificates  35
  Wildcard in Identity Preferences  35
  Enhanced Command-Line Tools  35
  FileVault and Encrypted Storage  36
  Encrypted Disk Image Cryptography  36
  Smart Card Support for Unlocking Encrypted Storage  36
  Enhanced Safari 4.0 Security  37

Chapter 2  Installing Snow Leopard Server  38
  Installation Overview  38
  Preparing an Administrator Computer  39
  Setting Up Network Infrastructure  40
  Starting Up for Installation  40
  Starting Up from the Install DVD  40
  Starting Up from an Alternate Partition  41
  Starting Up from a NetBoot Environment  41
  Remote Access During Installation  41
  Server Admin During Installation  42
  SSH During Installation  42
  VNC During Installation  42
  About Default Installation Passwords  43
  Preparing Disks for Installing Snow Leopard Server  43
  Securely Erasing a Disk for Installation  43
  Installing Server Software  44
  Enabling the Firewall  44
  Applying Software and Security Updates  45
  Updating from an Internal Software Update Server  46
  Updating from Internet Software Update Servers  47
  Updating Manually from Installer Packages  48
  Verifying the Integrity of Software  50
  Setting Up Services and Users  50
  About Settings Established During Server Setup  51
  Enabling the Firmware Password  51

Chapter 3  Securing System Hardware  52
  Protecting Hardware  52
  Preventing Wireless Eavesdropping  53
  Understanding Wireless Security Challenges  54
  About OS Components  54
  Removing Wi-Fi Support Software  55
  Removing Bluetooth Support Software  55
  Removing IR Support Software  56
  Preventing Unauthorized Recording  57
  Removing Audio Support Software  57
  Removing Video Recording Support Software  58
  Preventing Data Port Access  59
  Removing USB Support Software  60
  Removing FireWire Support Software  61
  System Hardware Modifications  62

Chapter 4  Securing Global System Settings  63
  Securing System Startup  63
  Using the Firmware Password Utility  64
  Using Command-Line Tools for Secure Startup  64
  Configuring Access Warnings  65
  Enabling Access Warnings for the Login Window  66
  Understanding the AuthPlugin Architecture  67
  The BannerSample Project  68
  Enabling Access Warnings for the Command Line  69
  Turning On File Extensions  70

Chapter 5  Securing Local Server Accounts  71
  Types of User Accounts  71
  Guidelines for Creating Accounts  72
  Defining User IDs  73
  Securing the Guest Account  73
  Securing Nonadministrator Accounts  74
  Securing External Accounts  74
  Protecting Data on External Volumes  75
  Securing Directory-Based Accounts  75
  Avoiding Simultaneous Local Account Access  75
  Securing Administrator Accounts  76
  About Tiered Administration Permissions  76
  Defining Administrative Permissions  77
  Avoiding Shared Administrator Accounts  78
  Securing the Directory Domain Administrator Account  78
  Changing Special Authorizations for System Functions  79
  Securing the System Administrator Account  79
  Restricting sudo Usage  80
  Understanding Directory Domains  81
  Understanding Network Services, Authentication, and Contacts  82
  Configuring LDAPv3 Access  83
  Configuring Active Directory Access  83
  Using Strong Authentication  84
  Using Password Assistant to Generate or Analyze Passwords  84
  Using Kerberos  85
  Using Smart Cards  86
  Using Tokens  86
  Using Biometrics  87
  Setting Global Password Policies  87
  Storing Credentials in Keychains  88
  Using the Default User Keychain  89
  Creating Additional Keychains  89
  Securing Keychains and Their Items  91
  Using Smart Cards as Keychains  91
  Using Portable and Network Keychains  92

Chapter 6  Securing System Preferences  94
  System Preferences Overview  94
  Securing MobileMe Preferences  96
  Securing Accounts Preferences  99
  Securing Appearance Preferences  102
  Securing Bluetooth Preferences  103
  Securing CDs & DVDs Preferences  105
  Securing Date & Time Preferences  107
  Securing Desktop & Screen Saver Preferences  109
  Securing Display Preferences  111
  Securing Dock Preferences  111
  Securing Energy Saver Preferences  112
  Securing Exposé & Spaces Preferences  115
  Securing Language & Text Preferences  116
  Securing Keyboard Preferences  116
  Securing Mouse Preferences  116
  Securing Bluetooth Settings  117
  Restricting Access to Specified Users  117
  Securing Network Preferences  118
  Disabling Unused Hardware Devices  118
  Securing Print & Fax Preferences  120
  Securing Security Preferences  122
  General Security  122
  FileVault Security  123
  Securing Sharing Preferences  125
  Securing Software Update Preferences  126
  Securing Sound Preferences  128
  Securing Speech Preferences  129
  Securing Spotlight Preferences  130
  Securing Startup Disk Preferences  133
  Securing Time Machine Preferences  134
  Securing Universal Access Preferences  136

Chapter 7  Securing System Swap and Hibernation Storage  137
  System Swap File Overview  137
  Encrypting System Swap  138

Chapter 8  Securing Data and Using Encryption  139
  About Transport Encryption  139
  About Payload Encryption  140
  About File and Folder Permissions  140
  Setting POSIX Permissions  141
  Viewing POSIX Permissions  141
  Interpreting POSIX Permissions  142
  Modifying POSIX Permissions  143
  Setting File and Folder Flags  143
  Viewing Flags  143
  Modifying Flags  143
  Setting ACL Permissions  144
  Enabling ACL Permissions  145
  Modifying ACL Permissions  145
  Changing Global Umask for Stricter Default Permissions  146
  Restricting Setuid Programs  147
  Securing User Home Folders  150
  Encrypting Home Folders  151
  Overview of FileVault  152
  Managing FileVault  153
  Managing the FileVault Master Keychain  153
  Encrypting Portable Files  155
  Creating an Encrypted Disk Image  155
  Creating an Encrypted Disk Image from Existing Data  156
  Creating Encrypted PDFs  157
  Securely Erasing Data  158
  Configuring Finder to Always Securely Erase  158
  Using Disk Utility to Securely Erase a Disk or Partition  159
  Using Command-Line Tools to Securely Erase Files  159
  Using Secure Empty Trash  160
  Using Disk Utility to Securely Erase Free Space  160
  Using Command-Line Tools to Securely Erase Free Space  161
  Deleting Permanently from Time Machine Backups  161

Chapter 9  Managing Certificates  163
  Understanding Public Key Infrastructure  163
  Public and Private Keys  164
  Certificates  164
  About Certificate Authorities (CAs)  165
  About Identities  165
  Self-Signed Certificates  165
  About Intermediate Trust  165
  Certificate Manager in Server Admin  167
  Readying Certificates  168
  Creating a Self-Signed Certificate  169
  Storing the Private Key  170
  Requesting a Certificate from a CA  170
  Creating a CA  170
  Importing a Certificate Identity  172
  Managing Certificates  173
  Editing a Certificate  173
  Distributing a CA Public Certificate to Clients  174
  Deleting a Certificate  174
  Renewing an Expiring Certificate  175
  Replacing an Existing Certificate  175

Chapter 10  Setting General Protocols and Access to Services  176
  Setting General Protocols  176
  Disabling NTP Service  176
  Disabling SNMP  177
  Enabling SSH  178
  About Remote Management (ARD)  178
  Remote Management Best Practices  179
  Limiting Remote Management Access  179
  Disabling Remote Management Access  180
  Remote Apple Events (RAE)  181
  Restricting Access to Specific Users  182
  Setting the Server's Host Name  182
  Setting the Date and Time  182
  Setting Up Certificates  183
  Setting Service Access Control Lists (SACLs)  183

Chapter 11  Securing Remote Access Services  185
  Securing Remote SSH Login  185
  Configuring SSH  186
  Modifying the SSH Configuration File  187
  Generating Key Pairs for Key-Based SSH Connections  187
  Updating SSH Key Fingerprints  189
  Controlling Access to SSH  190
  SSH Man-in-the-Middle Attacks  190
  Transferring Files Using SFTP  191
  Securing VPN Service  191
  VPN and Security  192
  Configuring L2TP/IPSec Settings  193
  Configuring PPTP Settings  194
  VPN Authentication Method  195
  Using VPN Service with Users in a Third-Party LDAP Domain  196
  Offering SecurID Authentication with VPN Service  196
  Encrypting Observe and Control Network Data  197
  Encrypting Network Data During File Copy and Package Installations  197

Chapter 12  Securing Network Infrastructure Services  198
  Using IPv6 Protocol  198
  IPv6-Enabled Services  199
  Securing DHCP Service  200
  Disabling Unnecessary DHCP Services  200
  Configuring DHCP Services  200
  Assigning Static IP Addresses Using DHCP  201
  Securing DNS Service  202
  Understanding BIND  203
  Turning Off Zone Transfers  203
  Disabling Recursion  204
  Preventing Some DNS Attacks  205
  Securing NAT Service  207
  Configuring Port Forwarding  208
  Disabling NAT Port Mapping Protocol  210
  Securing Bonjour (mDNS)  210

Chapter 13  Configuring the Firewall  213
  About Firewall Protection  213
  Planning Firewall Setup  214
  Configuring the Firewall Using Server Admin  214
  Starting Firewall Service  214
  Creating an IP Address Group  215
  Creating Firewall Service Rules  216
  Creating Advanced Firewall Rules  217
  Enabling Stealth Mode  218
  Viewing the Firewall Service Log  219
  Configuring the Firewall Manually  220
  Understanding IPFW Rulesets  220

Chapter 14  Securing Collaboration Services  222
  Securing iCal Service  222
  Disabling iCal Service  223
  Securely Configuring iCal Service  223
  Viewing iCal Service Logs  225
  Securing iChat Service  225
  Disabling iChat Service  225
  Securely Configuring iChat Service  226
  Viewing iChat Service Logs  229
  Securing Wiki Service  229
  Disabling Wiki Service  229
  Securely Configuring Wiki Services  230
  Viewing Wiki Service Logs  230
  Securing Podcast Producer Service  231
  Disabling Podcast Producer Service  231
  Securely Configuring Podcast Producer Service  231
  Viewing Podcast Producer Service Logs  232

Chapter 15  Securing Mail Service  233
  Disabling Mail Service  234
  Configuring Mail Service for SSL  234
  Enabling Secure Mail Transport with SSL  235
  Enabling Secure POP Authentication  235
  Configuring SSL Transport for POP Connections  236
  Enabling Secure IMAP Authentication  237
  Configuring SSL Transport for IMAP Connections  237
  Enabling Secure SMTP Authentication  238
  Configuring SSL Transport for SMTP Connections  239
  Using ACLs for Mail Service Access  240
  Limiting Junk Mail and Viruses  241
  Connection Control  241
  Filtering SMTP Connections  245
  Mail Screening  245
  Viewing Mail Service Logs  250

Chapter 16  Securing Antivirus Services  251
  Securely Configuring and Managing Antivirus Services  252
  Enabling Virus Scanning  252
  Managing ClamAV with ClamXav  253
  Viewing Antivirus Services Logs  253

Chapter 17  Securing File Services and Sharepoints  254
  Security Considerations  254
  Restricting Access to File Services  254
  Restricting Access to Everyone  254
  Restricting Access to NFS Share Points  255
  Restricting Guest Access  255
  Restricting File Permissions  255
  Protocol Security Comparison  256
  Disabling File Sharing Services  256
  Choosing a File Sharing Protocol  257
  Configuring AFP File Sharing Service  258
  Configuring FTP File Sharing Service  259
  Configuring NFS File Sharing Service  262
  Configuring SMB File Sharing Service  263
  Configuring Share Points  264
  Disabling Share Points  265
  Restricting Access to a Share Point  265
  AFP Share Points  267
  SMB Share Points  267
  FTP Share Points  268
  NFS Share Points  268

Chapter 18  Securing Web Service  271
  Disabling Web Service  272
  Managing Web Modules  272
  Disabling Web Options  273
  Using Realms to Control Access  274
  Enabling Secure Sockets Layer (SSL)  276
  Using a Passphrase with SSL Certificates  278
  Viewing Web Service Logs  278
  Securing WebDAV  279
  Securing Blog Services  280
  Disabling Blog Services  280
  Securely Configuring Blog Services  280
  Securing Tomcat  281
  Securing MySQL  282
  Disabling MySQL Service  282
  Setting Up MySQL Service  282
  Viewing MySQL Service and Admin Logs  283

Chapter 19  Securing Client Configuration Management Services  284
  Managing Applications Preferences  284
  Controlling User Access to Applications and Folders  285
  Allowing Specific Dashboard Widgets  287
  Disabling Front Row  288
  Allowing Legacy Users to Open Applications and Folders  289
  Managing Dock Preferences  291
  Managing Energy Saver Preferences  292
  Managing Finder Preferences  293
  Managing Login Preferences  295
  Managing Media Access Preferences  298
  Managing Mobility Preferences  299
  Managing Network Preferences  301
  Managing Parental Controls Preferences  302
  Hiding Profanity in Dictionary  303
  Preventing Access to Adult Websites  303
  Allowing Access Only to Specific Websites  304
  Setting Time Limits and Curfews on Computer Usage  306
  Managing Printing Preferences  307
  Managing Software Update Preferences  308
  Managing Access to System Preferences  308
  Managing Universal Access Preferences  309
  Enforcing Policy  310

Chapter 20  Securing NetBoot Service  311
  Securing NetBoot Service  311
  Disabling NetBoot Service  311
  Limit NetBoot Service Clients  312
  Viewing NetBoot Service Logs  314

Chapter 21  Securing Software Update Service  315
  Disabling Software Update Service  315
  Limiting Automatic Update Availability  316
  Viewing Software Update Service Logs  317

Chapter 22  Securing Network Accounts  318
  About Open Directory and Active Directory  318
  Securing Directory Accounts  319
  Configuring Directory User Accounts  319
  Configuring Group Accounts  321
  Configuring Computer Groups  322
  Controlling Network Views  323

Chapter 23  Securing Directory Services  324
  Open Directory Server Roles  325
  Configuring the Open Directory Services Role  325
  Starting Kerberos After Setting Up an Open Directory Master  326
  Configuring Open Directory for SSL  327
  Configuring Open Directory Policies  329
  Setting the Global Password Policy  329
  Setting a Binding Policy for an Open Directory Master and Replicas  330
  Setting a Security Policy for an Open Directory Master and Replicas  331

Chapter 24  Securing RADIUS  333
  Disabling RADIUS  333
  Securely Configuring RADIUS Service  334
  Configuring RADIUS to Use Certificates  334
  Editing RADIUS Access  335
  Viewing RADIUS Service Logs  335

Chapter 25  Securing Print Service  337
  Disabling Print Service  337
  Securing Print Service  338
  Configuring Print Service Access Control Lists (SACLs)  338
  Configuring Kerberos  339
  Configuring Print Queues  340
  Viewing Print Service and Queue Logs  342

Chapter 26  Securing Multimedia Services  344
  Disabling QTSS  344
  Securely Configuring QTSS  345
  Configuring a Streaming Server  346
  Serving Streams Through Firewalls Using Port 80  347
  Streaming Through Firewalls or Networks with Address Translation  347
  Changing the Password Required to Send an MP3 Broadcast Stream  348
  Using Automatic Unicast (Announce) with QTSS on a Separate Computer  348
  Controlling Access to Streamed Media  349
  Viewing QTSS Logs  353

Chapter 27  Securing Grid and Cluster Computing Services  354
  Understanding Xgrid Service  354
  Disabling Xgrid Service  355
  About Authentication Methods for Xgrid  355
  Single Sign-On  356
  Password-Based Authentication  356
  No Authentication  357
  Securely Configuring Xgrid Service  357
  Disabling the Xgrid Agent  357
  Limiting the Xgrid Agent  358
  Configuring an Xgrid Controller  359

Chapter 28  Managing Who Can Obtain Administrative Privileges (sudo)  361
  Managing the sudoers File  361

Chapter 29  Managing Authorization Through Rights  363
  Understanding the Policy Database  363
  The Rights Dictionary  363
  Rules  365
  Managing Authorization Rights  366
  Creating an Authorization Right  366
  Modifying an Authorization Right  366
  Example Authorization Restrictions  366

Chapter 30  Maintaining System Integrity  368
  Using Digital Signatures to Validate Applications and Processes  368
  Validating Application Bundle Integrity  369
  Validating Running Processes  370
  Auditing System Activity  370
  Installing Auditing Tools  370
  Enabling Auditing  371
  Setting Audit Mechanisms  372
  Using Auditing Tools  372
  Using the audit Tool  372
  Using the auditreduce Tool  373
  Using the praudit Tool  374
  Deleting Audit Records  375
  Audit Control Files  375
  Managing and Analyzing Audit Log Files  376
  Using Activity Analysis Tools  376
  Validating System Logging  377
  Configuring syslogd  377
  Local System Logging  378
  Remote System Logging  378
  Viewing Logs in Server Admin  379

Appendix A  Understanding Passwords and Authentication  380
  Password Types  380
  Authentication and Authorization  380
  Open Directory Passwords  381
  Shadow Passwords  382
  Crypt Passwords  382
  Offline Attacks on Passwords  382
  Password Guidelines  383
  Creating Complex Passwords  383
  Using an Algorithm to Create a Complex Password  383
  Safely Storing Your Password  384
  Password Maintenance  385
  Authentication Services  385
  Determining Which Authentication Option to Use  386
  Password Policies  387
  Single Sign-On Authentication  387
  Kerberos Authentication  388
  Smart Card Authentication  389

Appendix B  Security Checklist  390
  Installation Action Items  390
  Hardware and Core Snow Leopard Server Action Items  391
  Global Settings for Snow Leopard Server Action Items  391
  Account Configuration Action Items  392
  System Software Action Items  393
  MobileMe Preferences Action Items  393
  Accounts Preferences Action Items  393
  Appearance Preferences Action Items  393
  Bluetooth Preferences Action Items  394
  CDs & DVDs Preferences Action Items  394
  Exposé & Spaces Preferences Action Items  394
  Date & Time Preferences Action Items  394
  Desktop & Screen Saver Preferences Action Items  395
  Display Preferences Action Items  395
  Dock Preferences Action Items  395
  Energy Saver Preferences Action Items  395
  Keyboard and Mouse Preferences Action Items  396
  Network Preferences Action Items  396
  Print & Fax Preferences Action Items  396
  QuickTime Preferences Action Items  396
  Security Preferences Action Items  397
  Sharing Preferences Action Items  397
  Software Update Preferences Action Items  397
  Sound Preferences Action Items  397
  Speech Preferences Action Items  398
  Spotlight Preferences Action Items  398
  Startup Disk Preferences Action Items  398
  Time Machine Preferences Action Items  398
  Data Maintenance and Encryption Action Items  398
  Account Policies Action Items  399
  Share Points Action Items  399
  Account Configuration Action Items  399
  Applications Preferences Action Items  400
  Dock Preferences Action Items  400
  Energy Saver Preferences Action Items  401
  Finder Preferences Action Items  401
  Login Preferences Action Items  401
  Media Access Preferences Action Items  402
  Mobility Preferences Action Items  403
  Network Preferences Action Items  403
  Printing Preferences Action Items  403
  Software Update Preferences Action Items  404
  Access to System Preferences Action Items  404
  Universal Access Preferences Action Items  404
  Certificates Action Items  405
  General Protocols and Service Access Action Items  405
  Remote Access Services Action Items  405
  Network and Host Access Services Action Items  407
  IPv6 Protocol Action Items  407
  DHCP Service Action Items  407
  DNS Service Action Items  407
  Firewall Service Action Items  408
  NAT Service Action Items  408
  Bonjour Service Action Items  408
  Collaboration Services Action Items  408
  Mail Service Action Items  409
  File Services Action Items  410
  AFP File Sharing Service Action Items  410
  FTP File Sharing Service Action Items  410
  NFS File Sharing Service Action Items  411
  SMB Action Items  411
  Web Service Action Items  412
  Client Configuration Management Services Action Items  412
  Directory Services Action Items  412
  Print Service Action Items  413
  Multimedia Services Action Items  413
  Grid and Cluster Computing Services Action Items  413
  Validating System Integrity Action Items  414

Appendix C  Scripts  415

Index  445
AboutThisGuide
UsethisguideasanoverviewofMacOSXv10.6
SnowLeopardServersecurityfeaturesthatcanenhance
securityonyourcomputer.
ThisguidegivesinstructionsforsecuringSnowLeopardServer,andforsecurely
managingserversandclientsinanetworkedenvironment.Italsoprovidesinformation
aboutthemanyrolesSnowLeopardServercanassumeinanetwork.
Audience
AdministratorsofservercomputersrunningSnowLeopardServeraretheintended
audienceforthisguide.
Ifyou’reusingthisguide,youshouldbeanexperiencedSnowLeopardServeruser,be
familiarwiththeWorkgroupManagerandServerAdminapplications,andhaveatleast
someexperienceusingtheTerminalapplication’scommand-lineinterface.
Youshouldalsohaveexperienceadministeringanetwork,befamiliarwithbasic
networkingconcepts,andbefamiliarwiththeSnowLeopardServeradministration
guides.
Someinstructionsinthisguidearecomplex,anddeviationfromthemcouldresultin
seriousadverseeffectsontheserveranditssecurity.Theseinstructionsshouldonlybe
usedbyexperiencedSnowLeopardServeradministrators,andshouldbefollowedby
thoroughtesting.
What’sinThisGuide
Thisguideexplainshowtosecureserversandsecurelymanageserverandclient
computersinanetworkedenvironment.Itdoesnotprovideinformationabout
securingclients.ForhelpwithsecuringcomputersrunningSnowLeopard,see
MacOSXSecurityConfiguration.
Thisguidecannotcoverallpossiblenetworkconfigurationsinwhich
SnowLeopardServermightbeused.Goodnetworksecurityanddesignmustbeused
forthisinformationtobeeffective,andanyoneusingthisguideneedstobefamiliar
withUNIXsecuritybasics,suchassettingfilepermissions.
PrefaceAboutThisGuide
17
Thisguideincludesthefollowingchapters,arrangedintheorderthatyou’relikelyto
needthemwhensecurelyconfiguringaserver.
 Chapter1,“IntroductiontoSnowLeopardServerSecurityArchitecture,”provides
anoverviewofthesecurityarchitectureandfeaturesofSnowLeopardServer.This
chapterdescribesthesecurityframework,accesspermissions,built-insecurity
services,anddirectoryservices.
 Chapter2,“InstallingSnowLeopardServer,”describeshowtosecurelyinstall
SnowLeopardServerlocallyorremotely.Thischapteralsoincludesinformation
aboutupdatingsystemsoftware,repairingdiskpermissions,andsecurelyerasing
data.
 Chapter3,“SecuringSystemHardware,”describeshowtophysicallyprotectyour
hardwarefromattacks.
 Chapter4,“SecuringGlobalSystemSettings,”describeshowtosecuresettingsthat
affectallusersofthecomputer.
 Chapter5,“SecuringLocalServerAccounts,”describesthetypesofuseraccountsand
howtosecurelyconfigureanaccount.Thisincludessecuringaccountsusingstrong
authentication.
 Chapter6,“SecuringSystemPreferences,”helpsyouconfigurelocalserveraccounts
securely.Thisincludesthesecureconfigurationoflocalsystempreferences,setting
upstrongauthenticationandcredentialstorage,andsecuringdata.
 Chapter7,“SecuringSystemSwapandHibernationStorage,”describeshowtoscrub
yoursystemswapandhibernationspaceofsensitiveinformation.
 Chapter8,“SecuringDataandUsingEncryption,”describeshowtoencryptdataand
howtouseSecureErasetoensureolddataiscompletelyremoved.
 Chapter9,“ManagingCertificates,”describeshowtogenerate,request,anddeploy
certificates.
 Chapter10,“SettingGeneralProtocolsandAccesstoServices,”helpsyouconfigure
generalnetworkmanagementprotocolsandrestrictaccesstootherservices.
 Chapter11,“SecuringRemoteAccessServices,”tellsyouhowtocreateremote
connectionstoyourserverusingencryption.
 Chapter12,“SecuringNetworkInfrastructureServices,”explainshowtoconnect
clientcomputersandconfigureafirewall.
 Chapter13,“ConfiguringtheFirewall,”describeshowtoconfiguretheIPFW2firewall.
 Chapter14,“SecuringCollaborationServices,”describeshowtosecurelyconfigure
iChat,iCal,Wiki,andPodcastProducerservices.
 Chapter15,“SecuringMailService,”explainshowtosetupmailservicetouse
encryptionandfilterforspamandviruses.
 Chapter16,“SecuringAntivirusServices,”describeshowtoenableandmanage
antivirusservicestoprotectyourmailandfiles.
18
PrefaceAboutThisGuide
 Chapter17,“SecuringFileServicesandSharepoints,”explainshowtoconfigurefile
servicestoenablesecuredatasharing.
 Chapter18,“SecuringWebService,”describeshowtosetupawebserverandsecure
websettingsandcomponents.
 Chapter19,“SecuringClientConfigurationManagementServices,”helpsyouset
policiesandenforcethemusingWorkgroupManager.
 Chapter20,“SecuringNetBootService,”tellsyouhowtoconfigureNetBootsecurely
toprovideimagestoclients.
 Chapter21,“SecuringSoftwareUpdateService,”describeshowtosecurelyconfigure
softwareupdateservices.
 Chapter22,“SecuringNetworkAccounts,”describessecuritysettingsrelatedto
manageduserandgroupaccounts.
 Chapter23,“SecuringDirectoryServices,”explainshowtoconfigureOpenDirectory
servicerolesandpasswordpolicies.
 Chapter24,“SecuringRADIUS,”tellshowtosecurelyconfigureRADIUS.
 Chapter25,“SecuringPrintService,”explainshowtosetupprintqueuesandbanner
pages.
 Chapter26,“SecuringMultimediaServices,”providessecurityinformationto
configureastreamingserver.
 Chapter27,“SecuringGridandClusterComputingServices,”explainshowtosecurely
configureanXgridagentandcontroller.
 Chapter28,“ManagingWhoCanObtainAdministrativePrivileges(sudo),”describes
howtorestrictaccesstothesudocommand.
 Chapter29,“ManagingAuthorizationThroughRights,”explainsthepolicydatabase
andhowtocontrolauthorizationbymanagingrightsinthepolicydatabase.
 Chapter30,“MaintainingSystemIntegrity,”describeshowtousesecurityauditsand
loggingtovalidatetheintegrityofyourserveranddata.
 AppendixA,“UnderstandingPasswordsandAuthentication,”describesOpen
Directoryauthentication,shadowandcryptpasswords,Kerberos,LDAPbind,and
singlesign-on.
 AppendixB,“SecurityChecklist,”providesachecklistthatguidesyouthrough
securingyourserver.
 AppendixC,“Scripts,”providescommand-linecommandsandscriptsforsecuring
yourserver.
Note:BecauseApplefrequentlyreleasesnewversionsandupdatestoitssoftware,
imagesshowninthisbookmightbedifferentfromwhatyouseeonyourscreen.
PrefaceAboutThisGuide
19
UsingThisGuide
Thefollowinglistcontainssuggestionsforusingthisguide:
 Readtheguideinitsentirety.Subsequentsectionsmightbuildoninformationand
recommendationsdiscussedinpriorsections.
 Theinstructionsinthisguideshouldalwaysbetestedinanonoperational
environmentbeforedeployment.Thisnonoperationalenvironmentshouldsimulate,
asmuchaspossible,theenvironmentwherethecomputerwillbedeployed.
 ThisinformationisintendedforcomputersrunningSnowLeopardServer.Before
securelyconfiguringaserver,determinewhatfunctionthatparticularserverwill
performandapplysecurityconfigurationswhereapplicable.
 UsethesecuritychecklistinAppendixBtotrackandrecordeachsecuritytaskand
notewhatsettingsyouchanged.Thisinformationcanbehelpfulwhendeveloping
asecuritystandardwithinyourorganization.
Important:Anydeviationfromthisguideshouldbeevaluatedtodeterminewhat
securityrisksitmightintroduce.Takemeasurestomonitorormitigatethoserisks.
UsingOnscreenHelp
YoucangettaskinstructionsonscreeninHelpViewerwhileyou’remanaging
SnowLeopardServer.Youcanviewhelponaserveroranadministratorcomputer.
(AnadministratorcomputerisacomputerrunningSnowLeopardServerwiththe
serveradministrationtoolsinstalled)
TogethelpforanadvancedconfigurationofSnowLeopardServer:
m OpenServerAdminorWorkgroupManagerandthen:
 UsetheHelpmenutosearchforataskyouwanttoperform.
 ChooseHelp>ServerAdminHelporHelp>WorkgroupManagerHelptobrowse
andsearchthehelptopics.
Theonscreenhelpcontainsinstructionstakenfromtheadvancedadministration
guidesdescribedin“SnowLeopardServerAdministrationGuides,”next.
Toseethemostrecentserverhelptopics:
m MakesuretheserveroradministratorcomputerisconnectedtotheInternetwhile
you’regettinghelp.
HelpViewerautomaticallyretrievesandcachesthemostrecentserverhelptopics
fromtheInternet.WhennotconnectedtotheInternet,HelpViewerdisplayscached
helptopics.
20
PrefaceAboutThisGuide
SnowLeopardServerAdministrationGuides
GettingStartedcoversinstallationandsetupforstandardandworkgroupconfigurations
ofSnowLeopardServer.Foradvancedconfigurations,AdvancedServerAdministration
coversplanning,installation,setup,andgeneralserveradministration.
Asuiteofadditionalguidescoversadvancedplanning,setup,andmanagement
ofindividualservices.YoucangettheseguidesinPDFformatfromthe
SnowLeopardServerdocumentationwebsite:
www.apple.com/server/macosx/resources/documentation.html
ViewingPDFGuidesonScreen
WhilereadingthePDFversionofaguideonscreen:
 Showbookmarkstoseetheguide’soutline,andclickabookmarktojumptothe
correspondingsection.
 Searchforawordorphrasetoseealistofplaceswhereitappearsinthedocument.
Clickalistedplacetoseethepagewhereitoccurs.
 Clickacross-referencetojumptothereferencedsection.Clickaweblinktovisitthe
websiteinyourbrowser.
PrintingPDFGuides
Ifyouwanttoprintaguide,youcantakethesestepstosavepaperandink:
 Saveinkortonerbynotprintingthecoverpage.
 SavecolorinkonacolorprinterbylookinginthepanesofthePrintdialogforan
optiontoprintingraysorblackandwhite.
 Reducethebulkoftheprinteddocumentandsavepaperbyprintingmorethan
onepagepersheetofpaper.InthePrintdialog,changeScaleto115%(155%for
GettingStarted).ThenchooseLayoutfromtheuntitledpop-upmenu.Ifyourprinter
supportstwo-sided(duplex)printing,selectoneoftheTwo-Sidedoptions.
Otherwise,choose2fromthePagesperSheetpop-upmenu,andoptionallychoose
SingleHairlinefromtheBordermenu.(Ifyou’reusingMacOSXv10.4Tigeror
earlier,theScalesettingisinthePageSetupdialogandtheLayoutsettingsarein
thePrintdialog.)
Youmaywanttoenlargetheprintedpagesevenifyoudon’tprintdoublesided,because
thePDFpagesizeissmallerthanstandardprinterpaper.InthePrintdialogorPageSetup
dialog,trychangingScaleto115%(155%forGettingStarted,whichhasCD-sizepages).
PrefaceAboutThisGuide
21
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click “Latest help topics” or “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website:
  www.apple.com/server/resources/
• An RSS feed listing the latest updates to Mac OS X Server documentation and onscreen help is available. To view the feed, use an RSS reader application, such as Safari or Mail:
  feed://helposx.apple.com/rss/snowleopard/serverdocupdates.xml
Getting Additional Information
For more information, consult these resources:
• Read Me documents—get important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx)—enter the gateway to extensive product and technology information.
• Snow Leopard Server Support website (www.apple.com/support/macosxserver)—access hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.com)—share questions, knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com)—subscribe to mailing lists so you can communicate with other administrators using email.
• Apple Training and Certification website (www.apple.com/training)—hone your server administration skills with instructor-led or self-paced training, and differentiate yourself with certification.
• Apple Product Security Mailing Lists website (lists.apple.com/mailman/listinfo/securityannounce/)—mailing lists for communicating by email with other administrators about security notifications and announcements.
• Open Source website (developer.apple.com/darwin/)—access to Darwin open source code, developer information, and FAQs.
• Apple Product Security website (www.apple.com/support/security/)—access to security information and resources, including security updates and notifications.
For additional security-specific information, consult these resources:
• NSA security configuration guides (www.nsa.gov/snac/)—The National Security Agency (NSA) provides information about securely configuring proprietary and open source software.
• NIST Security Configuration Checklists Repository (checklists.nist.gov/repository/category.html)—This is the National Institute of Standards and Technology (NIST) repository for security configuration checklists.
• DISA Security Technical Implementation Guide (www.disa.mil/gs/dsn/policies.html)—This is the Defense Information Systems Agency (DISA) guide for implementing secure government networks. A Department of Defense (DoD) PKI Certificate is required to access this information.
• CIS Benchmark and Scoring Tool (www.cisecurity.org/bench_osx.html)—This is the Center for Internet Security (CIS) benchmark and scoring tool used to establish CIS benchmarks.
Acknowledgments
Apple would like to thank the NSA, NIST, and DISA for their assistance in contributing to the security configuration guides for Snow Leopard and Snow Leopard Server.
1 Introduction to Snow Leopard Server Security Architecture
Use this chapter to learn about the features in Snow Leopard Server that can enhance security on your computer.
Whether you’re a home user with a broadband Internet connection, a professional with a mobile computer, or an IT manager with thousands of networked systems, you need to safeguard the confidentiality of information and the integrity of your computers.
With Snow Leopard Server, a security strategy is implemented that is central to the design of the operating system. To enhance security on your computer, Snow Leopard Server provides the following features.
• Modern security architecture. Snow Leopard includes state-of-the-art, standards-based technologies that enable Apple and third-party developers to build secure software for the Mac. These technologies support all aspects of system, data, and networking security required by today’s applications.
• Secure default settings. When you take your Mac out of the box, it is securely configured to meet the needs of most common environments, so you don’t need to be a security expert to set up your computer. The default settings make it very difficult for malicious software to infect your computer. You can further configure security on the computer to meet organizational or user requirements.
• Innovative security applications. Snow Leopard includes features that take the worry out of using a computer. For example, FileVault protects your documents by using strong encryption, an integrated VPN client gives you secure access to networks over the Internet, and a powerful firewall secures your home network.
• Open source foundation. Open source methodology makes Snow Leopard a robust, secure operating system, because its core components have been subjected to peer review for decades. Problems can be quickly identified and fixed by Apple and the larger open source community.
• Rapid response. Because the security of your computer is important, Apple responds rapidly to provide patches and updates. Apple works with worldwide partners, including the Computer Emergency Response Team (CERT), to notify users of potential threats. If vulnerabilities are discovered, the built-in Software Update tool notifies users of security updates, which are available for easy retrieval and installation.
Security Architectural Overview
Snow Leopard Server security services are built on two open source standards:
• Berkeley Software Distribution (BSD): BSD is a form of UNIX that provides fundamental services, including the Snow Leopard Server file system and file access permissions.
• Common Data Security Architecture (CDSA): CDSA provides an array of security services, including more specific access permissions, authentication of user identities, encryption, and secure data storage.
UNIX Infrastructure
The Snow Leopard Server kernel—the heart of the operating system—is built from BSD and Mach.
Among other things, BSD provides basic file system and networking services and implements a user and group identification scheme. BSD enforces access restrictions to files and system resources based on user and group IDs.
Mach provides memory management, thread control, hardware abstraction, and interprocess communication. Mach enforces access by controlling which tasks can send a message to a Mach port. (A Mach port represents a task or some other resource.) BSD security policies and Mach access permissions constitute an essential part of security in Snow Leopard Server, and are critical to enforcing local security.
Access Permissions
An important aspect of computer security is the granting or denying of access permissions (sometimes called access rights). A permission is the ability to perform a specific operation, such as gaining access to data or executing code.
Permissions are granted at the level of folders, subfolders, files, or applications. Permissions are also granted for specific data in files or application functions.
Permissions in Snow Leopard Server are controlled at many levels, from the Mach and BSD components of the kernel through higher levels of the operating system, and—for networked applications—through network protocols.
Authorization Versus Authentication
Authorization is the process by which an entity, such as a user or a computer, obtains the right to perform a restricted operation. Authorization can also refer to the right itself, as in “Anne has the authorization to run that program.” Authorization usually involves authenticating the entity and then determining whether it has the correct permissions.
Authentication is the process by which an entity (such as the user) demonstrates that they are who they say they are. For example, a user who enters a password that only he or she could know allows the system to authenticate that user. Authentication is normally done as a step in the authorization process. Some applications and operating system components perform their own authentication. Authentication might use authorization services when necessary.
Security Framework
The security framework in Snow Leopard is an implementation of the CDSA architecture. It contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys. It also contains libraries that allow the interpretation of X.509 certificates.
The CDSA code is used by Snow Leopard features such as Keychain and URL Access for protection of login data.
Apple built the foundation of Snow Leopard and many of its integrated services with open source software—such as FreeBSD, Apache, and Kerberos, among others—that has been made secure through years of public scrutiny by developers and security experts around the world.
Strong security is a benefit of open source software because anyone can inspect the source code, identify theoretical vulnerabilities, and take steps to strengthen the software.
Apple actively participates with the open source community by routinely releasing updates of Snow Leopard Server that are subject to independent developers’ ongoing review—and by incorporating improvements. An open source software development approach provides the transparency necessary to increase Snow Leopard Server security.
Layered Security Defense
Snow Leopard Server security is built on a layered defense for maximum protection. Security features such as the following provide solutions for securing data at all levels, from the operating system and applications to networks and the Internet.
[Figure: the layered security defense. Each layer is paired with the protection it provides: Internet: Secure Worldwide Communication; Applications: Secure Applications; Network: Secure Network Protocols; Operating System: Security Services; Hardware: Secure Boot/“Lock Down”.]
• Secure worldwide communication: Firewall and mail filtering help prevent malicious software from compromising your computer.
• Secure applications: Encrypted Disk Images and FileVault help prevent intruders from viewing data on your computer.
• Secure network protocols: Secure Sockets Layer (SSL) is a protocol that helps prevent intruders from viewing information exchanged across a network, Kerberos secures the authentication process, and a firewall prevents unauthorized access to a computer or network.
• Security Services: Authentication using keychains, together with POSIX and ACL permissions, helps prevent intruders from using your applications and accessing your files.
• Secure boot and lockdown: The Firmware Password Utility helps prevent people who can access your hardware from gaining root-level access permissions to your computer files.
Network Security
Secure Transport is used to implement SSL and Transport Layer Security (TLS) protocols. These protocols provide secure communications over a TCP/IP connection such as the Internet by using encryption and certificate exchange. A firewall can then filter communication over a TCP/IP connection by permitting or denying access to a computer or a network.
Credential Management
A keychain is used to store passwords, keys, certificates, and other data placed in the keychain by a user. Due to the sensitive nature of this information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files.
Snow Leopard Server Keychain services enable you to create keychains and securely store keychain items. After a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes for users.
A user can unlock a keychain through authentication (by using a password, digital token, or smart card) and applications can then use that keychain to store and retrieve data, such as passwords.
Public Key Infrastructure (PKI)
The Public Key Infrastructure (PKI) includes certificate, key, and trust services that include functions to:
• Create, manage, and read certificates
• Add certificates to a keychain
• Create encryption keys
• Manage trust policies
These functions are used when the services call Common Security Service Manager (CSSM) functions. This is transparent to users.
What’s New in Snow Leopard Server Security
Snow Leopard Server offers the following major security enhancements:
• Increased security for memory and protection: Snow Leopard Server running on the 64-bit chip improves support for memory and executable protection against arbitrary code execution. Technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify the software on your computer.
• Better Trojan horse protection: Snow Leopard Server maintains profiles for known malicious software, and prevents its download through many applications.
• Increased VPN compatibility: Virtual private network (VPN) support has been enhanced to support Cisco IPSec VPN connections without additional software.
• Improved cryptology technologies: Snow Leopard Server includes Elliptic Curve Cryptography (ECC) support in most of its encryption technologies.
• Support for Extended Validation Certificates: Extended Validation (EV) Certificates require the Certificate Authority to investigate the identity of the certificate holder before issuing a certificate.
• Support for wildcards in domains for Keychain Access identity preferences: This allows client certificate-authenticated connections to multiple servers or paths defined within a single IDPref.
• Updated security command-line tools: The security and networksetup command-line tools have been enhanced.
• Enhanced Safari 4.0 security: Safari has enhanced detection of fraudulent sites. It also runs many browser plug-ins as separate processes for enhanced security and stability.
Existing Security Features in Snow Leopard Server
Snow Leopard Server continues to include the following security features and technologies to enhance the protection of your computer and your personal information.
• Application signing: This enables you to verify the integrity and identity of applications on your Mac.
• Mandatory access controls: These enforce restrictions on access to system resources.
• Quarantined applications: Mac OS X v10.6 tags and marks downloaded files with first-run warnings to help prevent users from inadvertently running malicious downloaded applications.
• Runtime protection: Technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify the software on your system.
• Meaningful security alerts: When users receive security alerts and questions too frequently, they may fall into reflexive mode when the system asks a security-related question, clicking OK without thought. Mac OS X v10.6 minimizes the number of security alerts that you see, so when you do see one, it gets your attention.
Signed Applications
By signing applications, your Mac can verify the identity and integrity of an application. Applications shipped with Snow Leopard Server are signed by Apple. In addition, third-party software developers can sign their software for the Mac. Application signing doesn’t provide intrinsic protection, but it integrates with several other features to enhance security.
Features such as parental controls, managed preferences, Keychain, and the firewall use application signing to verify that the applications they are working with are the correct, unmodified versions.
With Keychain, the use of signing dramatically reduces the number of Keychain dialogs presented to users because the system can validate the integrity of an application that uses the Keychain. With parental controls and managed preferences, the system uses signatures to verify that an application runs unmodified.
The application firewall uses signatures to identify and verify the integrity of applications that are granted network access. In the case of parental controls and the firewall, unsigned applications are signed by the system on an ad hoc basis to identify them and verify that they remain unmodified.
Mandatory Access Controls
Snow Leopard Server uses an access control mechanism known as mandatory access controls. Although the Mandatory Access Control technology is not visible to users, it is included in Snow Leopard Server to protect your computer.
Mandatory access controls are policies that cannot be overridden. These policies set security restrictions created by the developer. This approach is different from discretionary access controls that permit users to override security policies according to their preferences.
Mandatory access controls in Snow Leopard Server aren’t visible to users, but they are the underlying technology that helps enable several important new features, including sandboxing, parental controls, managed preferences, and a safety net feature for Time Machine.
Time Machine illustrates the difference between mandatory access controls and the user privilege model—it allows files within Time Machine backups to be deleted only by programs related to Time Machine. From the command line, no user—not even one logged in as root—can delete files in a Time Machine backup.
Time Machine uses this strict policy because it utilizes file system features in Snow Leopard Server. The policy prevents corruption in the backup directory by preventing tools that may not recognize the new file system features from deleting files from backups.
Mandatory access controls are integrated with the exec system service to prevent the execution of unauthorized applications. This is the basis for application controls in parental controls in Snow Leopard and managed preferences in Snow Leopard Server.
Mandatory access controls enable strong parental controls. In the case of the new sandboxing facility, mandatory access controls restrict access to system resources as determined by a special sandboxing profile that is provided for each sandboxed application. This means that even processes running as root can have extremely limited access to system resources.
Sandboxing
Sandboxing helps ensure that applications do only what they’re intended to do by placing controls on applications that restrict what files they can access, whether the applications can talk to the network, and whether the applications can be used to launch other applications.
In Snow Leopard Server, many of the system’s helper applications that normally communicate with the network—such as mDNSResponder (the software underlying Bonjour) and the Kerberos KDC—are sandboxed to guard them from abuse by attackers trying to access the system.
In addition, other programs that routinely take untrusted input (for instance, arbitrary files or network connections), such as Xgrid and the Quick Look and Spotlight background daemons, are sandboxed.
Sandboxing is based on the system’s mandatory access controls mechanism, which is implemented at the kernel level. Sandboxing profiles are developed for each application that runs in a sandbox, describing precisely which resources are accessible to the application.
Managed User Accounts
Parental controls provide computer administrators with the tools to enforce a reasonable level of restrictions for users of the computer.
Administrator users can use features like Simple Finder to limit launching to a set of applications or create a whitelist of websites that users can visit. However, if an attacker has physical access to computer ports such as USB or FireWire, parental controls can be bypassed by mounting a disk image that contains malicious software. You can secure these ports by disabling them. For information about disabling hardware, see Chapter 3, “Securing System Hardware.”
This is the kind of simple UI administrators of a public-use computer environment can use to restrict access to applications or sites to keep users from performing malicious activities. It is not a fool-proof security system for local users.
In Snow Leopard Server, you use Workgroup Manager to manage preferences for users of Snow Leopard systems.
Enhanced Quarantining
Applications that download files from the Internet or receive files from external sources (such as mail attachments) can use the Quarantine feature to provide a first line of defense against malicious software such as Trojan horses. When an application receives an unknown file, it adds metadata (quarantine attributes) to the file using functions found in Launch Services.
Files downloaded using Safari, Mail, and iChat are tagged with metadata indicating that they are downloaded files and referring to the URL, date, and time of the download. This metadata is propagated from archive files that are downloaded (such as ZIP or DMG files) so that any file extracted from an archive is also tagged with the same information. This metadata is used by the download inspector to prevent dangerous file types from being opened unexpectedly.
The first time you try to run an application that has been downloaded, Download Inspector inspects the file, prompts you with a warning asking whether you want to run the application, and displays the information on the date, time, and location of the download.
You can continue to open the application or cancel the attempt, which is appropriate if you don’t recognize or trust the application. After an application is opened, this message does not appear again for that application and the quarantine attributes are lifted.
This mechanism dramatically reduces the number of warnings related to downloads that you see. Such messages appear only when you attempt to launch a downloaded application. When you do see a warning, you are given useful information about the source of the download that can help you make an informed decision about whether to proceed.
The file and its contents are also inspected for malicious software (malware). If malware is detected, a dialog appears with the name of the malware threat contained in the file. It warns the user to move the file to the Trash or eject the image and delete the source file to prevent damage to the computer. Malware patterns are continually updated through software updates.
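The quarantine metadata described above can be inspected by an administrator auditing what users have downloaded. The following is an added example, not code from Apple’s guide: it assumes the attribute is named com.apple.quarantine and that its value is a semicolon-separated string of the form flags;timestamp;agent;uuid with hexadecimal flags and a hexadecimal Unix timestamp (the values below are constructed, shaped like a Safari download and a file extracted from that download).

```python
"""Parse Launch Services quarantine attributes and derive the first-run prompt.

Added example (not Apple's code). Assumptions: the extended attribute is named
com.apple.quarantine; its value is "flags;timestamp;agent;uuid" where flags and
timestamp are hexadecimal and timestamp is seconds since the Unix epoch.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"  # assumed attribute name

# Constructed sample values. The archive member carries the same metadata as the
# DMG it was extracted from, as the text above describes (propagation).
SAMPLE_XATTRS = {
    "Installer.dmg": "0081;4b2d1e3c;Safari;1A2B3C4D-5E6F-7081-92A3-B4C5D6E7F809",
    "Installer.dmg/App.app": "0081;4b2d1e3c;Safari;1A2B3C4D-5E6F-7081-92A3-B4C5D6E7F809",
    "notes.txt": None,  # created locally, so it never received the attribute
}


@dataclass(frozen=True)
class Quarantine:
    flags: int
    downloaded_at: datetime  # UTC
    agent: str               # application that received the file
    uuid: Optional[str]      # per-download identifier, if present


def parse_quarantine(value: str) -> Quarantine:
    """Split the attribute value into its fields, rejecting malformed input."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    try:
        flags = int(parts[0], 16)
        stamp = int(parts[1], 16)
    except ValueError as exc:
        raise ValueError(f"non-hex field in quarantine attribute: {value!r}") from exc
    downloaded_at = datetime.fromtimestamp(stamp, tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, downloaded_at, parts[2], uuid)


def first_run_prompt(path: str, xattr_value: Optional[str]) -> Optional[str]:
    """Return the warning text a first launch would show, or None if no
    quarantine attribute is present (nothing to warn about)."""
    if xattr_value is None:
        return None
    q = parse_quarantine(xattr_value)
    when = q.downloaded_at.strftime("%Y-%m-%d %H:%M:%S UTC")
    return (f"{path} was downloaded by {q.agent} on {when}. "
            "Are you sure you want to open it?")


if __name__ == "__main__":
    for name, value in SAMPLE_XATTRS.items():
        print(name, "->", first_run_prompt(name, value))
```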
Memory and Runtime Protection
Snow Leopard Server running on a 64-bit chip supports memory and executable protection. Memory execution prevention works to hinder specific types of malicious software, those that rely on executing arbitrary code from an area which is expected to contain data and not code.
Snow Leopard has the following 64-bit protection features: no-execute stack, no-execute data, and no-execute heap. In Snow Leopard, no-execute stack is available for 32- and 64-bit applications. For 64-bit processes, Snow Leopard provides protection from code execution in both heap and stack data areas. Stack protection is available for both 32-bit and 64-bit processes. It detects certain cases of stack memory corruption which could lead to arbitrary code execution and terminates the process.
Snow Leopard Server also has Library Randomization. Library Randomization uses shifting memory locations for operating system processes each time the system starts up. Because an attacker cannot depend on key system processes running in known memory locations, it is harder to compromise the operating system.
Snow Leopard Server also has process sandboxing, which is a way of restricting what kinds of activities an application can perform.
Securing Sharing and Collaborative Services
In Snow Leopard Server, you can configure and secure sharing services by using service access control lists (SACLs) and a secure connection.
Service Access Control Lists
You can further secure sharing services by allowing access only to users that you specified in a service access control list (SACL). You can create user accounts for sharing based on existing user accounts on the system, and for entries in your address book. Sharing services become more secure with SACLs.
VPN Compatibility and Integration
Snow Leopard Server supports standards-based L2TP/IPSec and PPTP tunneling protocols to provide encrypted VPN connections for Mac and Windows systems—and even iPhone. These VPN services use secure authentication methods, including MS-CHAPv2 and network-layer IPSec. In addition, the L2TP VPN server can authenticate users using credentials from a Kerberos server.
To use VPN service for users in a third-party LDAP domain (an Active Directory or Linux OpenLDAP domain), you must be able to use Kerberos authentication. If you need to use MSCHAPv2 to authenticate users, you can’t offer VPN service for users in a third-party LDAP domain.
Apple’s VPN server can authenticate using RSA Security’s SecurID. This provides strong two-factor authentication. It uses hardware and software tokens to verify user identity. However, SecurID authentication cannot be set up from Server Admin and requires additional manual setup.
Built-in VPN Client
In Snow Leopard, the VPN client built into Network Preferences includes support for Cisco Group Filtering and DHCP over PPP to dynamically acquire additional configuration options such as static routes and search domains.
You can also use digital certificates and one-time password tokens from RSA or CRYPTOCard for authentication with the VPN client. The one-time password tokens provide a randomly generated passcode number that must be entered with the VPN password—a great option for those who require extremely robust security.
In addition, the L2TP VPN client can be authenticated using credentials from a Kerberos server. In either case, you can save the settings for each VPN server you routinely use as a location, so you can reconnect without reconfiguring your system each time.
Apple’s L2TP VPN client can connect you to protected networks automatically by using its VPN-on-demand feature. VPN-on-demand can detect when you want to access a network that is protected by a VPN server and can start the connection process for you. This means that your security is increased because VPN connections can be closed when not in use, and you can work more efficiently.
In Snow Leopard, the VPN client includes support for Cisco Group Filtering. It also supports DHCP over PPP to dynamically acquire additional configuration options such as Static Routes and Search Domains.
Improved Cryptography
Snow Leopard Server includes Elliptic Curve Cryptography (ECC) support in most of its encryption technologies. ECC encryption is an additional mathematical model for generating and reading encryption keys. Snow Leopard supports the Elliptic Curve Digital Signature Algorithm (ECDSA) for signing and key exchange.
ECC-based signatures have size and performance advantages. An ECC key of a given length can be cryptographically stronger than a DSA or RSA key of the same length. This means that a smaller ECC-based key (and therefore a faster key to process) can be just as strong as a very long RSA-based one.
ECC is supported in the following areas: TLS/SSL, S/MIME, Apple’s Certificate Assistant, and Apple’s certtool command-line tool.
Extended Validation Certificates
Extended Validation (EV) certificates are a special type of X.509 certificate that requires the Certificate Authority (CA) to investigate the identity of the certificate holder before the CA can issue the certificate.
CAs who want to issue EV certificates must provide an investigation process that passes an independent audit, and also establishes the legal identity and legal claim to the domain name of the certificate applicant.
Wildcard in Identity Preferences
Wildcards can now be used in domains for Keychain Access identity preferences. This allows client certificate-authenticated connections to multiple servers or paths defined within a single IDPref.
This is often used with certificates used by Common Access Cards (CACs). For more information on Smart Cards, see “Smart Card Support for Unlocking Encrypted Storage” on page 36.
Enhanced Command-Line Tools
The security command-line tool has expanded functions in Snow Leopard. Additionally, networksetup has been enhanced to handle importing and exporting 802.1X profiles as well as setting a TLS identity on a user profile.
For more information, see the tools’ respective man pages.
FileVault and Encrypted Storage
The Disk Utility tool included in Mac OS X enables you to create encrypted disk images, so you can safely mail valuable documents, files, and folders to friends and colleagues, save the encrypted disk image to CD or DVD, or store it on the local system or a network file server.
FileVault also uses this same encrypted disk image technology to protect user folders.
Encrypted Disk Image Cryptography
A disk image is a file that appears as a volume on your hard disk. It can be copied, moved, or opened. When the disk image is encrypted, files or folders placed in it are encrypted using 128-bit or even stronger 256-bit AES encryption.
To see the contents of the disk image, including metadata such as file name, date, size, or other properties, a user must enter the password or have a keychain with the correct password.
The file is decrypted in real time, as it is used. For example, if you open a QuickTime movie from an encrypted disk image, Mac OS X decrypts only the portion of the movie currently playing.
Smart Card Support for Unlocking Encrypted Storage
Smart cards enable you to carry digital certificates with you. With Snow Leopard Server, you can use your smart card whenever an authentication dialog is presented.
Snow Leopard Server has the following token modules to support this robust, two-factor authentication mechanism and JavaCard 2.1 standards:
• Belgium National Identification Card (BELPIC)
• U.S. Department of Defense Common Access Card (CAC)
• Japanese government PKI (JPKI)
• U.S. Federal Government “Personal Identity Verification,” also called FIPS-201 (PIV)
Other commercial smart card vendors provide token modules to support integration of their smart card with the Snow Leopard Smart Card architecture.
Similar to an ATM card and a PIN code, two-factor authentication relies on something you have and something you know. If your smart card is lost or stolen, it cannot be used unless your PIN is also known.
Snow Leopard Server has additional functionality for smart card use, such as:
• Lock system on smart card removal. You can configure your Mac to lock the system when you remove your smart card.
• Unlock keychain. When you insert a smart card, the keychain can be unlocked and then your stored information and credentials can be used.
• Unlock FileVault. You can use a smart card to unlock your FileVault encrypted home directory. You can enable this function by using a private key on a smart card.
Enhanced Safari 4.0 Security
Safari offers several kinds of enhanced security for web browsing. It supports the built-in malware scanning function, so downloaded files are checked for specific Trojan Horse attacks.
Safari also includes a fraudulent site detection feature. It works like this:
Google maintains a blacklist of known and highly-suspected malware-transmitting sites and “phishing” sites (harvesters of sensitive data). Google adds a hash of each site’s URL to a database that some web browsers can use at safebrowsing.clients.google.com.
When Safari launches, it downloads an abbreviated list of these sites’ hashes. When you navigate to a website, Safari checks the blacklist. If the website you’re accessing matches a hash, Safari contacts Google for complete URL information. If it is a positive match, Safari warns you that you may be attempting to access a malware site or phishing site.
Safari stores the data in the folder at /private/var/folders/ in folders with two-letter names. The full path is /private/var/folders/xx/yy/-Caches-/com.apple.Safari, where “xx” and “yy” are unique codes. When you find that folder, you’ll see two files: Cache.db and SafeBrowsing.db.
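The two-stage check just described (abbreviated local list first, full-hash lookup only on a local hit) is illustrated by the following added example; it is not Apple’s or Google’s code. It assumes list entries are SHA-256 hashes of canonicalized host names, that the cached “abbreviated list” holds only a short prefix of each hash, and it replaces the request to the list provider with an in-memory table; all listed hosts are constructed. The prefix is kept deliberately short so that an unlisted host sharing a prefix with a listed one can be found quickly, which is why the second stage exists.

```python
"""Two-stage blacklist lookup modelled on the fraudulent-site detection flow.

Added example; not Apple's or Google's code. Assumptions: SHA-256 over the
canonical host name, a locally cached prefix list, and a simulated full-hash
lookup service. PREFIX_LEN is intentionally tiny for demonstration.
"""
import hashlib
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

PREFIX_LEN = 2  # assumed; real deployments use longer prefixes


def canonical_host(url: str) -> str:
    """Lower-case the host and strip a trailing dot so equivalent spellings hash alike."""
    if "//" not in url:
        url = "http://" + url  # tolerate bare host names
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def host_hash(host: str) -> bytes:
    return hashlib.sha256(host.encode("utf-8")).digest()


# Constructed provider-side blacklist: full hash -> threat category.
SERVER_LIST: Dict[bytes, str] = {
    host_hash("phish.example"): "phishing",
    host_hash("malware.example"): "malware",
}

# What the browser downloads at launch: prefixes only, never full hashes.
LOCAL_PREFIXES: Set[bytes] = {h[:PREFIX_LEN] for h in SERVER_LIST}


def fetch_full_hashes(prefix: bytes) -> Dict[bytes, str]:
    """Stand-in for the network request that resolves a prefix to full hashes."""
    return {h: cat for h, cat in SERVER_LIST.items() if h[:PREFIX_LEN] == prefix}


def check_url(url: str) -> Tuple[bool, Optional[str]]:
    """Return (prefix_matched, category).

    prefix_matched is True when stage 1 hit and a full-hash lookup was made;
    category is the threat type on a positive full-hash match, else None.
    """
    h = host_hash(canonical_host(url))
    prefix = h[:PREFIX_LEN]
    if prefix not in LOCAL_PREFIXES:
        return False, None                      # stage 1 miss: no request sent
    return True, fetch_full_hashes(prefix).get(h)  # stage 2: exact match?


def innocent_host_with_prefix(prefix: bytes, limit: int = 2_000_000) -> str:
    """Find an unlisted host whose hash shares `prefix` with a listed one.

    Demonstrates why a prefix hit alone must not trigger a warning.
    """
    for i in range(limit):
        cand = f"host-{i}.example"
        hh = host_hash(cand)
        if hh[:PREFIX_LEN] == prefix and hh not in SERVER_LIST:
            return cand
    raise RuntimeError("no prefix collision found within limit")


def warning_text(url: str) -> Optional[str]:
    """User-facing warning for a positive match, or None."""
    _, category = check_url(url)
    if category is None:
        return None
    return f"Warning: {canonical_host(url)} is a suspected {category} site."


if __name__ == "__main__":
    for u in ("https://PHISH.example./login", "https://www.apple.com/"):
        print(u, check_url(u), warning_text(u))
    lookalike = innocent_host_with_prefix(host_hash("phish.example")[:PREFIX_LEN])
    print(lookalike, check_url(lookalike))  # prefix hit, but no full-hash match
```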
2 Installing Snow Leopard Server
Use this chapter to customize the default installation of Snow Leopard Server for your specific network security needs.
Although the default installation of Mac OS X is highly secure, you can customize it for your network security needs. By securely configuring the stages of the installation and understanding Mac OS X permissions, you can harden your computer to match your security policy.
Important: When possible, computers should remain isolated from the operational network until they are completely and securely configured. Use an isolated test network for installation and configuration.
Installation Overview
Detailed instructions for Snow Leopard Server installation are found in the Advanced Server Administration guide. This section contains basic practices consistent with a secure installation of Snow Leopard Server.
If Snow Leopard Server was already installed on the computer, consider reinstalling it. By reformatting the volume and reinstalling Snow Leopard Server, you avoid vulnerabilities caused by previous installations or settings.
Because some recoverable data might remain on the computer, securely erase the partition you’re installing Snow Leopard Server on. For more information, see “Securely Erasing a Disk for Installation” on page 43.
If you decide against securely erasing the partition, securely erase free space after installing Snow Leopard Server. For more information, see “Using Disk Utility to Securely Erase Free Space” on page 160.
There are several ways to install the operating system, depending on your environment and installation strategy. In general, all installations have a few common steps:
• Prepare an administrator computer.
• Set up network infrastructure.
• Start up from a disk other than the target volume (for example, the Installation Disc).
• Prepare the target disk.
• Start the installation via Server Assistant, command line, or VNC.
• Enable the firewall, blocking all incoming connections.
• Apply software updates and security updates.
• Configure the server and set up services.
• Enable the Firmware Password.
Preparing an Administrator Computer
You can use an administrator computer to install, set up, and administer Snow Leopard Server on another computer. An administrator computer is a computer with Snow Leopard Server or Snow Leopard that you use to manage remote servers. You cannot run the server administration tools from a Leopard or Leopard Server computer.
When you install and set up Snow Leopard Server on a computer that has a display and keyboard, it’s already an administrator computer. To make a computer with Snow Leopard into an administrator computer, you must install additional software.
Important: If you have administrative applications and tools from Leopard Server or earlier, do not use them with Snow Leopard Server.
To install Snow Leopard Server administration tools:
1 Make sure the computer has Snow Leopard installed.
2 Make sure the computer has at least 1 GB of RAM and 1 GB of unused disk space.
3 Insert the Mac OS X Server Install Disc.
4 Open the Other Installers folder.
5 Open serveradministrationSoftware.mpkg to start the Installer and then follow the onscreen instructions.
Setting Up Network Infrastructure
Before you can install, you must set up or have the following settings for your network service:
• DNS: You must have a fully qualified domain name for each server’s IP address in the DNS system. The DNS zone must have the reverse-lookup record for the name and address pair. Not having a stable, functioning DNS system with reverse lookup leads to service failures and unexpected behaviors.
• Static IP Address: Make sure you already have a static IP address planned and assigned to the server.
• DHCP: Do not assign dynamic IP addresses to servers. If your server gets its IP address through DHCP, set up a static mapping in the DHCP server so your server gets (via its Ethernet address) the same IP address every time.
• Firewall or routing: In addition to any firewall running on your server, the subnet router might have specific network traffic restrictions in place. Make sure the server’s IP address is available for the traffic it will handle and the services you will run.
Starting Up for Installation
The computer can’t install to its own startup volume, so you must start up in some other way, such as:
• The Installation DVD
• Alternate volumes (second partitions on the hard disk or external FireWire disks)
  For information on using alternate volumes, see the Advanced Server Administration guide.
• NetBoot (if the network and NetBoot servers are trusted)
  For information on using NetBoot servers, see the System Imaging and Software Update Administration guide.
Starting Up from the Install DVD
The computer must install from the same disk or image that started up the computer. Mounting another share point with an installer won’t work. The installer uses some of the files active in the booted system partition for the new installation.
The easiest and most secure way to install Snow Leopard Server is to install it physically at the computer, known as a local installation, using the DVD. When performing a local installation, it is recommended, if applicable, that the entire drive be reformatted using at least a 7-pass secure erase, rather than only reformatting the partition where Snow Leopard Server is to be installed, in case sensitive information was left on the other partitions.
If the target server is an Xserve with a built-in DVD drive, start the server using the Install DVD by following the instructions in the Xserve User’s Guide for starting from a system disc.
Starting Up from an Alternate Partition
For a single-server installation, preparing to start up from an alternate partition can be more time-consuming than using the Install DVD. The time required to image, scan, and restore the image to a startup partition can exceed the time taken to install once from the DVD.
However, if you are reinstalling regularly, or if you are creating an external FireWire drive-based installation to take to various computers, or if you need some other kind of mass distribution (such as clustered Xserves without DVD drives installed), this method can be very efficient.
Note: When creating a bootable external disk, use the GUID Partitioning format.
StartingUpfromaNetBootEnvironment
IfyouhaveanexistingNetBootinfrastructure,thisistheeasiestwaytoperformmass
installationanddeployment.Thismethodcanbeusedforclustersthathavenooptical
driveorexistingsystemsoftware.
Thismethodcanalsobeusedinenvironmentswherelargenumbersofserversmust
bedeployedinanefficientmanner.
Thissectionwon’ttellyouhowtocreatethenecessaryNetBootinfrastructure.Ifyou
wanttosetupNetBootandNetInstalloptionsforyournetwork,servers,andclient
computers,seethemanualsatwww.apple.com/server/resources/.
RemoteAccessDuringInstallation
SnowLeopardServerhasseveralremoteaccessservicesactiveduringinstallation.It
providesServerAdminadministration,SSHaccessandVNCaccesswhenstartingfrom
theinstallationdisk.
Important:BeforeyouinstallorreinstallSnowLeopardServer,makesurethenetwork
issecurebecauseremoteaccesstechnologiescanpotentiallygiveothersaccesstothe
computeroverthenetwork.Forexample,designthenetworktopologysoyoucan
maketheservercomputer’ssubnetaccessibleonlytotrustedusers.
Server Admin During Installation
A computer that started up from the installation disc broadcasts its installation availability via Bonjour to the local network. You can find servers that are awaiting install by finding the Bonjour service name "_sa-rspndr._tcp."
You can use the dns-sd tool to identify computers on the local subnet where you can install server software. Enter the following from a computer on the same local network as the server:
dns-sd -B _sa-rspndr._tcp.
Administrator computers running Server Admin's Server Assistant can provide the default password and complete installation remotely. Server Admin traffic is encrypted.
SSH During Installation
When you start up a computer from a server installation disc, SSH starts so that remote installations can be performed via the command line. SSH access is granted to the root user on presentation of the default installation password.
VNC During Installation
VNC enables you to use a VNC viewer (like Screen Sharing or Apple Remote Desktop) to view the user interface as if you were using the remote computer's keyboard, mouse, and monitor.
All the things you can do at the computer using the keyboard and mouse are available remotely, as well as locally. This excludes hardware restarts (using the power button to shut down and restart the computer), other hardware manipulation, or holding down keys during startup. VNC viewers are available for all popular computing platforms.
VNC traffic is not secure without additional precautions. Establish an SSH tunnel between the local host and the remote server to securely perform the installation by redirecting the VNC traffic through the tunnel.
For example, to redirect Apple Remote Desktop traffic through an SSH tunnel, enter:
ssh -v -L 2501:localhost:5900 target_server -l target_server_username
The host in the -L argument (localhost:5900) is resolved on target_server, so the VNC port is only ever reached from inside the tunnel. Then point the VNC viewer on the administrator computer at localhost:2501 rather than at the server's address; a viewer pointed directly at the server on port 5900 bypasses the tunnel and sends the session, including the default password, in the clear.
About Default Installation Passwords
Server serial numbers are used for more than inventory tracking. The server's built-in hardware serial number is used as the default password for remote installation. The password is case sensitive.
To find a server's serial number, look for a label on the server. If you're installing on an older computer that has no built-in hardware serial number, use 12345678 for the password.
If you replace a main logic board on an Intel Xserve, the built-in hardware password is "SystemS" (no quotes).
Because the serial number is printed on a label on the chassis, and the fallback values above are fixed, treat the default password as known to anyone with physical access or inventory records. Rely on the network restrictions described in "Remote Access During Installation" until setup has completed and the server administrator account with a password of your own choosing exists.
Preparing Disks for Installing Snow Leopard Server
Before performing a clean installation of Snow Leopard Server, you can partition the server computer's hard disk into multiple volumes, create a RAID set, or erase the target disk or partition.
If you're using an installation disc for Snow Leopard Server or later, you can perform these tasks from another networked computer using VNC viewer software, such as Apple Remote Desktop, before beginning a clean installation.
WARNING: Before partitioning a disk, creating a RAID set, or erasing a disk or partition on a server, preserve user data you want to save by copying it to another disk or partition.
Securely Erasing a Disk for Installation
When performing an installation, it is recommended, if applicable, that the entire drive be reformatted using at least a 7-pass secure erase, rather than only reformatting the partition where Snow Leopard Server is to be installed, in case sensitive information was left on the other partitions.
You have several options for erasing a disk, depending on your preferred tools and your computing environment:
• Erasing a disk using Disk Utility: You can use the Installer to open Disk Utility and then use it to erase the target volume or another volume. You can erase the target and all other volumes using the Mac OS Extended format or Mac OS Extended (Journaled) format. You can erase other volumes using those formats, as well as Mac OS Extended (Case-Sensitive) format or Mac OS Extended (Journaled, Case-Sensitive) format.
You can find instructions for partitioning the hard disk into multiple volumes, creating a RAID set, and erasing the target disk or partition by viewing Disk Utility Help. To view Disk Utility Help, open Disk Utility on another Mac computer with Mac OS X v10.6 and choose Help > Disk Utility Help.
• Erasing a disk using the command line: You can use the command line to erase disks using the tool diskutil. Erasing a disk using diskutil results in losing all volume partitions. The command to securely erase a complete disk is:
sudo diskutil secureErase level device
Level 2 is the 7-pass erase recommended above; level 0 is a single zero-fill pass, level 1 a single random-data pass, and level 3 the 35-pass Gutmann erase. secureErase takes no format or volume name and leaves the disk unpartitioned, so create the new volume afterward with eraseDisk. For example:
sudo diskutil secureErase 2 disk0
sudo diskutil eraseDisk JournaledHFS+ MacProHD disk0
To erase a single volume on a disk, a slightly different command is used:
diskutil eraseVolume format name device
For example:
diskutil eraseVolume JournaledHFS+ UntitledPartition /Volumes/OriginalPartition
eraseVolume reformats without overwriting the old contents; to overwrite the space that an erased volume leaves behind, use diskutil secureErase freespace with the same level numbers. For complete command syntax for diskutil, consult the tool's man page.
Installing Server Software
When the target computer is started, you use Server Admin's Server Assistant (locally or remotely), VNC control, or the installer command-line tool to start installation.
For detailed instructions on using one of these methods to install Snow Leopard Server, see the Advanced Server Administration guide.
Enabling the Firewall
After configuration, enable the firewall to prevent unauthorized connections to the server while you complete setup. For a more comprehensive treatment of firewall configuration, see Chapter 13, "Configuring the Firewall."
When running, the default firewall configuration on Snow Leopard Server denies access to incoming packets from remote computers except through ports for remote configuration. This provides a high level of security.
Stateful rules are in place as well, so responses to outgoing queries initiated by your computer are also permitted. You can then add rules to permit server access to clients who require access to services.
Important: Use great care in remotely changing any firewall configuration because of the risk of disabling communications to the remote host.
To enable the firewall:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select Firewall.
If Firewall is not listed as an available service to configure, add it to the server view by doing the following:
a In the server list on the left, select the server name.
b Click the Settings button in the toolbar and then click the Services tab.
c Select the checkbox for Firewall service.
4 Click the Start Firewall button below the Servers list.
From the command line:
# ---------------------------------------------------------------------
# Securing Firewall Service
# ---------------------------------------------------------------------
#
# Add Firewall to the services view
# ---------------------------------
sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.ipfilter:configured = yes
# Start Firewall service
# ----------------------
sudo serveradmin start ipfilter
Applying Software and Security Updates
After installing Snow Leopard Server, install the latest approved security updates.
Before connecting your computer to a network to obtain software updates, enable the firewall using Server Admin to allow only essential services.
Important: If you have not secured and validated settings for network services, do not enable your network connection to install software updates. For information, see "Securing Network Infrastructure Services" on page 198.
Until you securely configure network services settings, limit your update installation to using the manual method of installing software updates. For more information, see "Updating Manually from Installer Packages" on page 48.
Snow Leopard Server includes Software Update, an application that downloads and installs software updates from Apple's Software Update server or from an internal software update server.
You can configure Software Update to check for updates automatically. You can also configure Software Update to download, but not install, updates, if you want to install them later.
Before installing updates, check with your organization for their policy on downloading updates. They might prefer that you use an internal software update server, which reduces the amount of external network traffic and lets the organization qualify software updates using organization configurations before updating systems.
Important: Security updates published by Apple contain fixes for security issues and are usually released in response to a specific known security problem. Applying these updates is essential.
Software updates are obtained and installed in several ways:
• Using Software Update to download and install updates from an internal software update server
• Using Software Update to download and install updates from Internet-based software update servers
• Manually downloading and installing updates as separate software packages
Updating from an Internal Software Update Server
Your computer can look for software updates on an internal software update server. By using an internal software update server, you reduce the amount of data transferred outside of the network, and your organization can control which updates can be installed on your computer.
If you run Software Update on a wireless network or untrusted network, you might download malicious updates from a rogue software update server. However, Software Update will not install a package that has not been digitally signed by Apple. If Software Update does not install a package, delete it from /Library/Updates/; then download the update again.
You can connect your computer to a network that manages its client computers, which enables the network to require that the computer use a specified software update server. Or, you can modify the /Library/Preferences/com.apple.SoftwareUpdate.plist file by entering the following command in a Terminal window to specify your software update server.
From the command line:
# Updating from an Internal Software Update Server
# ------------------------------------------------
# Default Settings.
# CatalogURL is not set (blank).
# Software updates are downloaded from one of the following software update
# servers hosted by Apple.
# swscan.apple.com:80
# swquery.apple.com:80
# swcdn.apple.com:80
# Suggested Settings.
# Specify the software update server to use.
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index-leopard-snowleopard.merged-1.sucatalog
# Available Settings.
# Replace swupdate.apple.com with the fully qualified domain name (FQDN)
# or IP address of your software update server. The catalog is fetched over
# plain HTTP; protection against a rogue server comes from the Apple
# package signature check described above, not from this setting.
# To switch your computer back to the default Apple update server, delete
# the key from the same system-wide file (without the path, defaults
# would act on root's own preferences and leave the server setting in place):
# sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
Updating from Internet Software Update Servers
Before connecting to the Internet, make sure your network services are securely configured. For information, see "Securing Network Infrastructure Services" on page 198.
If you are a network administrator, instead of using your operational computer to check for and install updates, consider using a test computer to download updates and verify file integrity before installing updates. For more information about verifying file integrity, see "Verifying the Integrity of Software" on page 50.
You can then transfer the update packages to your operational computer. For instructions on installing the updates, see "Updating Manually from Installer Packages" on page 48.
You can also download software updates for Apple products at www.apple.com/support/downloads/.
Important: Make sure updates are installed when the computer can be restarted without affecting users accessing the server.
To download and install software updates using Software Update:
1 Choose Apple () > Software Update.
After Software Update looks for updates to your installed software, it displays a list of updates. To get older versions of updates, go to the software update website at www.apple.com/support/downloads/.
2 Select the updates you want to install, and choose Update > Install and Keep Package.
When you keep the package, it is stored in the user's Downloads folder (user_name/Downloads/).
If you do not want to install updates, click Quit.
3 Accept the licensing agreements to start installation.
Some updates might require your computer to restart. If Software Update asks you to restart the computer, do so.
From the command line:
# Updating from Internet Software Update Server
# ---------------------------------------------
# Default Settings.
# The softwareupdate command checks and lists available
# updates for download. Software Update preferences are set to the
# command-line equivalent of:
sudo softwareupdate --list --schedule on
# Suggested Settings.
# Download and install all available software updates
# (--install downloads the package first; --download alone only fetches it):
sudo softwareupdate --install --all
# Available Settings.
# Use the following commands to view softwareupdate options.
sudo softwareupdate -h
# or
man softwareupdate
Updating Manually from Installer Packages
You can manually download software updates for Apple products from support.apple.com/downloads/, preferably using a computer designated for downloading and verifying updates. Perform each download separately so file integrity can be verified before installing the updates.
You can review the contents of each security update before installing it. To see the contents of a security update, go to Apple's Security Support Page at www.apple.com/support/security/ and click the Security Updates page link.
To manually download, verify, and install software updates:
1 Go to support.apple.com/downloads/ and download the software updates on a computer designated for verifying software updates.
Note: Updates provided through Software Update might sometimes appear earlier than standalone updates.
2 For each update file downloaded, review the SHA-1 digest (also known as a checksum), which should be posted online with the update package.
3 Inspect downloaded updates for viruses.
4 Verify the integrity of each update.
For more information, see "Verifying the Integrity of Software" on page 50.
5 Transfer the update packages from your test computer to your current computer.
The default download location for update packages is /Library/Updates/. You can transfer update packages to any location on your computer.
6 Double-click the package.
If the package is located in a disk image (dmg) file, double-click the dmg file and then double-click the package.
7 Proceed through the installation steps.
8 If requested, restart the computer.
Install the system update and then install subsequent security updates. Install the updates in order by release date, oldest to newest.
From the command line:
# Updating Manually from Installer Packages
# -----------------------------------------
# Default Settings.
# None
# Suggested Settings.
# Download software updates.
sudo softwareupdate --download --all
# Install software updates.
sudo installer -pkg $Package_Path -target /Volumes/$Target_Volume
# Available Settings.
# Use the following commands to view installer options.
sudo installer -h
# or
man installer
Verifying the Integrity of Software
Software images and updates can include an SHA-1 digest, which is also known as a cryptographic checksum. You can use this SHA-1 digest to verify the integrity of the software. Software updates retrieved and installed automatically from Software Update verify the checksum before installation.
From the command line:
# Verifying the Integrity of Software
# -----------------------------------
# Default Settings.
# None
# Suggested Settings.
# Use the sha1 command to display a file's SHA-1 digest.
# Replace $full_path_filename with the full path filename of the update
# package or image whose SHA-1 digest is being checked. No root privileges
# are needed to read a downloaded package, so sudo is not required here.
/usr/bin/openssl sha1 $full_path_filename
# Available Settings.
# Use the following command to view the version of OpenSSL installed on
# your computer.
openssl version
# Use the following command to view openssl options.
man openssl
If provided, the SHA-1 digest for each software update or image should match the digest created for that file. If not, the file was corrupted; obtain a new copy. Compare the full 40-character digest, not just its first few characters, and take the published value from the download page over a connection you trust, since a digest fetched through the same untrusted path as the package proves nothing. A matching digest shows that the file is the one that was posted; it is not a substitute for the Apple package signature check that Software Update performs before installing.
Setting Up Services and Users
After installation, the server is ready for configuration and local administrator account creation.
An unconfigured server broadcasts its availability for configuration via Bonjour to the local network. You can find servers that are awaiting configuration by finding the Bonjour service name "_svr-unconfig._tcp."
The easiest way of finding a server that needs configuration is by using the tools installed on the administration computer: Server Admin or Server Preferences. These tools can detect servers waiting for configuration on the local subnet, available via Bonjour.
If you are trying to find servers awaiting configuration using the command line, you can use the dns-sd tool to identify them on the local subnet. Enter the following from a computer on the same local network as the server:
dns-sd -B _sa-unconfig._tcp.
Administrator computers running Server Admin's Server Assistant can provide the default password and complete configuration remotely. Server Admin traffic is encrypted.
In either case, the login name and password are described in the section "About Default Installation Passwords" on page 43.
About Settings Established During Server Setup
During server setup, the following basic server settings are established:
• The language to use for server administration and the computer keyboard layout is defined.
• The server software serial number is set.
• A time zone is specified, and network time service is set up.
• A server administrator local user is defined and the local administrator's home folder is created.
• The default SSH and Apple Remote Desktop state is enabled.
• Network interfaces (ports) are configured.
TCP/IP and Ethernet settings are defined for each port you want to activate.
• Network names are defined.
The primary DNS name and computer name are defined by the administrator, and the local host name is derived from the computer name.
• Basic directory information is set up. (Optional)
The server is set up as an Open Directory master, or it is set to obtain directory information from another directory service, or the directory setup can be deferred until first login.
• Some services are chosen and configured.
For a list of which services are enabled at startup, see the Advanced Server Administration guide.
Enabling the Firmware Password
After installing Snow Leopard Server, enable the Extensible Firmware Interface (EFI) password using the Firmware Password Utility. This prevents unauthorized users from starting up the server from another disk or in another mode to install again or change settings.
For more information about the Firmware Password Utility, see Chapter 4, "Securing Global System Settings."
3 Securing System Hardware
Use this chapter to secure the system hardware by disabling the Operating System (OS) components and kernel extensions.
After installing and setting up Mac OS X Server, make sure you protect your system by disabling specific hardware OS components and kernel extensions.
Important: This document is intended for use by security professionals in sensitive environments. Implementing the techniques and settings found in this document impacts system functionality and might not be appropriate for every user or environment.
Protecting Hardware
The first level of security is protection from unwanted physical access. If someone can physically access a computer, it becomes much easier to compromise the computer's security. When someone has physical access to the computer, they can install malicious software or event-tracking and data-capturing services.
The physical security of a server is an often overlooked aspect of computer security. Anyone with physical access to a computer (for example, to open the case, or plug in a keyboard, and so forth) has almost full control over the computer and the data on it. For example, someone with physical access to a computer can:
• Restart the computer from another external disc, bypassing any existing login mechanism.
• Remove hard disks and use forensic data recovery techniques to retrieve data.
• Install hardware-based key-loggers on the local administration keyboard.
In your own organization and environment, you must decide which precautions are necessary, effective, and cost-effective to protect the value of your data and network.
For example, in an organization where floor-to-ceiling barriers might be needed to protect a server room, securing the air ducts leading to the room might also need to be considered. Other organizations might only need a locked server rack or a firmware password.
Use as many layers of physical protection as possible. Restrict access to rooms that contain computers that store or access sensitive information. Provide room access only to those who must use those computers. If possible, lock the computer in a locked or secure container when it is not in use, and bolt or fasten it to a wall or piece of furniture.
The hard disk is the most critical hardware component in your computer. Take special care to prevent access to the hard disk. If someone removes your hard disk and installs it in another computer, they can bypass safeguards you set up. Lock or secure the computer's internal hardware.
If you can't guarantee the physical security of the hard disk, consider using FileVault for each home folder. FileVault encrypts home folder content and guards against the content being compromised. For more information, see "Encrypting Home Folders" on page 151.
FileVault does not protect against the threat of an attacker tampering with files on the disk and reinstalling the drive. For example, an attacker could install a modified kernel, and use it to obtain your FileVault password by logging your keyboard keystrokes.
To reduce the chance of such an attack, lock your computer when it is unattended. Locking the screen does not stop someone who can remove the disk or start the computer from another volume; for that, combine it with the firmware password (see "Enabling the Firmware Password") and the physical controls above. Also, if you share your computer with others, limit those who have sudoer permissions, since anyone who can run commands as root can replace system files without touching the hardware. For information about limiting sudoers, see "Securing Directory Accounts" on page 319.
If you have a portable computer, keep it secure. Lock it up or hide it when it is not in use. When transporting the computer, never leave it in an insecure location. Consider buying a computer bag with a locking mechanism and lock the computer in the bag when you aren't using it.
Preventing Wireless Eavesdropping
If you have installed Snow Leopard Server on a computer with wireless network access (for example, it has an AirPort card or other Wi-Fi card installed), consider disabling wireless access to prevent eavesdropping.
Although wireless technology gives your network more flexibility with your users, it can cause security vulnerabilities you may be unaware of. Wherever possible, disable wireless access for security reasons. When using a wireless access point, make sure you properly configure the security settings to prevent unauthorized users from attempting to access your network.
Chapter 3 Securing System Hardware
53
Wireless access points that have access to your server should require encryption of the connection, user authentication (through the use of certificates or smart cards), and time-outs for connections.
If you need to use Wi-Fi, see Snow Leopard Security Configuration for information about how to leverage 802.1X for securing your Wi-Fi traffic.
Understanding Wireless Security Challenges
Most Mac computers have a built-in wireless network card. Users can configure their computer to be a wireless access point to share their Internet connection with other users. However, such a wireless access point isn't usually secure, thereby creating a point of access for an attacker.
Anyone within wireless range can gain access to your network by using an authorized user's insecurely configured wireless LAN. These possible points of access can be very numerous, depending on the number of users with wireless technology on their computers.
The challenge arises when trying to prevent users from creating access points to your network or trying to identify where the access points are and who is attempting to use them.
Many organizations restrict the use of wireless technology in their network environment. However, most Mac computers have wireless capability built in, so a setting that merely turns it off might not meet your organization's wireless technology restrictions, because any administrator can turn it back on. You might need to remove components from Mac OS X so that the hardware can no longer be enabled in System Preferences.
About OS Components
Special hardware, such as wireless networking cards and audio/video components, needs driver software that runs at the kernel level. This driver software is implemented as kernel extensions ("kexts") in Mac OS X and is also known as OS components. These kernel extensions can be removed from Mac OS X to prevent the use of a piece of hardware.
Disabling or removing OS components or kernel extensions alters the behavior or performance of the system. After the restart that follows a removal, confirm the result by running kextstat and checking that the removed extension's bundle identifier no longer appears in the list of loaded extensions.
Important: Mac OS X sometimes has updates to specific OS components. When your computer installs these updates, the component is overwritten or reinstalled if it was previously removed. This then reenables the hardware you wanted disabled. When you install updates, make sure that the installation does not reenable an OS component you wanted disabled.
Removing Wi-Fi Support Software
Use the following instructions for removing AirPort support. This task requires you to have administrator privileges.
You can also have an Apple Authorized Technician remove AirPort hardware from your Apple computer.
Important: Repeat these instructions every time a system update is installed.
To remove kernel extensions for AirPort hardware:
1 Open the /System/Library/Extensions folder.
2 Drag the following file to the Trash:
IO80211Family.kext
3 Open Terminal and enter the following command:
sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Snow Leopard.
4 Choose Finder > Secure Empty Trash to delete the files.
5 Restart the system.
From the command line:
# -------------------------------------------------------------------
# Protecting System Hardware
# -------------------------------------------------------------------
# Securing Wi-Fi Hardware
# -----------------------
# Remove AirPort kernel extensions.
sudo srm -r /System/Library/Extensions/IO80211Family.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
Removing Bluetooth Support Software
Use the following instructions to remove Bluetooth support for peripherals such as keyboards, mice, or phones. This task requires you to have administrator privileges. If the server is administered with a Bluetooth keyboard or mouse, attach a USB keyboard and mouse before you begin, because those devices stop working after the restart.
You can also have an Apple Authorized Technician remove the built-in Bluetooth hardware from your Apple computer.
Important: Repeat these instructions every time a system update is installed.
To remove kernel extensions for Bluetooth hardware:
1 Open the /System/Library/Extensions folder.
2 Drag the following files to the Trash:
IOBluetoothFamily.kext
IOBluetoothHIDDriver.kext
3 Open Terminal and enter the following command:
sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Snow Leopard Server.
4 Choose Finder > Secure Empty Trash to delete the files.
5 Restart the system.
From the command line:
# Removing Bluetooth Support Software
# -----------------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Bluetooth kernel extensions.
sudo srm -r /System/Library/Extensions/IOBluetoothFamily.kext
sudo srm -r /System/Library/Extensions/IOBluetoothHIDDriver.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
Removing IR Support Software
Use the following instructions to remove IR hardware support. This task requires you to have administrator privileges.
You can also have an Apple Authorized Technician remove IR hardware from your Apple computer.
Important: Repeat these instructions every time a system update is installed.
To remove kernel extensions for IR hardware support:
1 Open the /System/Library/Extensions folder.
2 Drag the following file to the Trash:
AppleIRController.kext
3 Open Terminal and enter the following command:
sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt automatically by Mac OS X.
4 Choose Finder > Secure Empty Trash to delete the file.
5 Restart the system.
From the command line:
# Removing IR Support Software
# ----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove IR kernel extensions.
sudo srm -rf /System/Library/Extensions/AppleIRController.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
Preventing Unauthorized Recording
Your computer might be in an environment where recording devices such as cameras or microphones are not permitted. You can protect your organization's privacy by disabling these devices. This task requires you to have administrator privileges.
Note: Some organizations insert a dummy plug into the audio input and output ports to ensure that audio hardware is disabled.
Removing Audio Support Software
Use the following instructions to remove support for the microphone and audio subsystem. This may disable audio playback.
You can also have an Apple Authorized Technician remove the built-in microphone hardware from your Apple computer.
Important: Repeat these instructions every time a system update is installed.
To remove kernel extensions for audio hardware:
1 Open the /System/Library/Extensions folder.
2 To remove support for audio components such as the microphone, drag the following files to the Trash:
AppleUSBAudio.kext
IOAudioFamily.kext
3 Open Terminal and enter the following command:
sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Snow Leopard Server.
4 Choose Finder > Secure Empty Trash to delete the files.
5 Restart the system.
From the command line:
# Securing Audio Support Software
# -------------------------------
# Default setting:
# kext files are installed and loaded.
# Suggested Setting.
# Remove Audio Recording kernel extensions.
sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kext
sudo srm -rf /System/Library/Extensions/IOAudioFamily.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
Removing Video Recording Support Software
Use the following instructions to remove support for an external or built-in iSight camera.
Note: The support for external iSight cameras should be removed on all machines. Removing only support for internal iSight cameras still leaves support for external cameras.
You can also have an Apple Authorized Technician remove the built-in video camera hardware from your Apple computer.
Important: Repeat these instructions every time a system update is installed.
To remove kernel extensions for video hardware:
1 Open the /System/Library/Extensions folder.
2 To remove support for the external iSight camera, drag the following file to the Trash:
Apple_iSight.kext
3 To remove support for the built-in iSight camera, Control-click IOUSBFamily.kext and select Show Package Contents.
4 Open the /Contents/PlugIns/ folder.
5 Drag the following file to the Trash:
AppleUSBVideoSupport.kext
6 Open Terminal and enter the following command:
sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Snow Leopard Server.
7 Choose Finder > Secure Empty Trash to delete the files.
8 Restart the system.
From the command line:
# Securing Video Recording Support Software
# -----------------------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Video Recording kernel extensions.
# Remove external iSight camera.
sudo srm -rf /System/Library/Extensions/Apple_iSight.kext
# Remove internal iSight camera.
sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/AppleUSBVideoSupport.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
Preventing Data Port Access
Computer data ports can be easily compromised if your computer is unattended for a long period of time or is stolen. To prevent your computer from being compromised, keep it in a locked environment or hidden when you are not using it.
You can protect your system by preventing an unauthorized user from using your data ports. Removing the storage drivers described below stops the running system from mounting a USB Flash drive or a USB or FireWire external hard drive, so data cannot be copied to or from such a device. It does not prevent someone from starting the computer from such a device, because the firmware does not use the installed system's kernel extensions; the firmware password described next is the control for that. This task requires you to have administrator privileges.
Also, by setting a firmware password using the Firmware Password Utility, you can prevent a physical Direct Memory Access (DMA) attack over FireWire. When the firmware password is set, any external device is denied direct access to computer memory content. For more information about the Firmware Password Utility, see "Using the Firmware Password Utility" on page 64.
Removing USB Support Software
Use the following instructions to remove USB mass storage device input/output support such as USB Flash drives and external USB hard drives.
The removal of this kernel extension only affects USB mass storage devices. It does not affect other USB devices such as a USB printer, mouse, or keyboard. This task requires you to have administrator privileges.
Important: Repeat these instructions every time a system update is installed.
To remove kernel extensions for USB mass storage devices:
1 Open the /System/Library/Extensions folder.
2 To remove support for USB mass storage devices, drag the following file to the Trash:
IOUSBMassStorageClass.kext
3 Open Terminal and enter the following command:
sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Snow Leopard Server.
4 Choose Finder > Secure Empty Trash to delete the file.
5 Restart the system.
From the command line:
# Securing USB Support Software
# ----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting:
# Remove USB kernel extensions.
sudo srm -rf /System/Library/Extensions/IOUSBMassStorageClass.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
Removing FireWire Support Software
Use the following instructions to remove FireWire input/output support such as external FireWire hard disks. This task requires you to have administrator privileges.
Important: Repeat these instructions every time a system update is installed.
To remove kernel extensions for specific hardware:
1 Open the /System/Library/Extensions folder.
2 To remove support for FireWire mass storage devices, drag the following file to the Trash:
IOFireWireSerialBusProtocolTransport.kext
3 Open Terminal and enter the following command:
sudo touch /System/Library/Extensions
The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Snow Leopard Server.
4 Choose Finder > Secure Empty Trash to delete the file.
5 Restart the system.
From the command line:
# Securing FireWire Support Software
# ---------------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove FireWire kernel extensions.
sudo srm -rf /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
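The three removal procedures above (video recording, USB mass storage, and FireWire support) must be repeated after every system update, so a check that the kexts are still gone is useful. The following audit script is an added example, not part of Apple’s guide: it looks for the kexts named in this chapter under an Extensions folder given as a parameter (defaulting to /System/Library/Extensions) and reports which are still installed.

```sh
#!/bin/sh
# Added audit helper (not from the Apple guide). Reports which of the
# hardware-support kernel extensions named in this chapter are still
# present under an Extensions folder, so the removal can be re-checked
# after each system update, as the guide requires.

# Kext paths relative to the Extensions folder, exactly as the chapter
# names them (video recording, USB mass storage, FireWire mass storage).
AUDITED_KEXTS="Apple_iSight.kext
IOUSBFamily.kext/Contents/PlugIns/AppleUSBVideoSupport.kext
IOUSBMassStorageClass.kext
IOFireWireSerialBusProtocolTransport.kext"

# audit_kexts [EXT_DIR]
# Prints "PRESENT <path>" for each audited kext still installed and
# "removed <path>" for each one that is gone. Returns 0 when all are
# gone, 1 when at least one is still installed. EXT_DIR defaults to
# /System/Library/Extensions.
audit_kexts() {
    ext_dir=${1:-/System/Library/Extensions}
    present=0
    for kext in $AUDITED_KEXTS; do
        # A kext is a bundle directory, so test for a directory.
        if [ -d "$ext_dir/$kext" ]; then
            echo "PRESENT $ext_dir/$kext"
            present=$((present + 1))
        else
            echo "removed $ext_dir/$kext"
        fi
    done
    [ "$present" -eq 0 ]
}

# count_present_kexts [EXT_DIR]
# Prints the number of audited kexts still installed (0 means clean).
count_present_kexts() {
    n=$(audit_kexts "$1" | grep -c '^PRESENT ') || true
    echo "${n:-0}"
}

# Typical use after an update, with the exit status driving a script:
#   audit_kexts /System/Library/Extensions || echo "re-run the removal steps"
```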
System Hardware Modifications
Removing kernel extensions does not permanently disable components. You need administrative access to restore and reload them.
Although disabling hardware in this manner is not as secure as physically disabling hardware, it is more secure than disabling hardware through System Preferences.
This method of disabling hardware components might not be sufficient to meet an organization’s security policy. Consult your organization’s operational policy to determine if this method is adequate.
If your environment does not permit the use of the following hardware components, you must physically disable them:
• Airport
• Bluetooth
• Microphone
• Camera
• IR Port
Important: Attempting to remove components will void your warranty.
Note: If you are in a government organization and need a letter of volatility for Apple products, contact [email protected].
Chapter 4  Securing Global System Settings
Use this chapter to learn how to secure global system settings, secure firmware and Mac OS X startup, and to use access warnings.
After installing and setting up Snow Leopard Server, make sure you protect your hardware and secure global system settings.
Securing System Startup
When a computer starts up, it first starts Extensible Firmware Interface (EFI). EFI is the software link between the motherboard hardware and the software operating system. EFI determines which partition or disk to load Mac OS X from. It also determines whether the user can enter single-user mode.
Single-user mode logs the user in as root. This is dangerous because root user access is the most powerful level of access, and actions performed as root are anonymous.
If you create an EFI password, you prevent users from accessing single-user mode. The password also stops users from loading unapproved partitions or disks and from enabling target disk mode at startup.
After creating an EFI password, you must enter this password when you start the computer from an alternate disk (for situations such as hard disk failure or file system repair).
To secure startup, perform one of the following tasks:
• Use the Firmware Password Utility to set the EFI Firmware password.
• Verify and set the security mode from the command line.
WARNING: EFI settings are critical. Take great care when modifying these settings and when creating a secure Firmware password.
An EFI Firmware password provides some protection, but it can be reset if a user has physical access to the machine and changes the physical memory configuration of the machine.
EFI password protection can be bypassed if the user changes the physical memory configuration of the machine and then resets the PRAM three times (by holding down the Command, Option, P, and R keys during system startup).
Using the Firmware Password Utility
The Snow Leopard Server installation disc includes Firmware Password Utility, which you can use to enable an EFI password.
Mac computers with Intel processors use EFI to control low-level hardware. EFI is similar to BIOS on an x86 PC and is the hardware base layer for all computers that can run Snow Leopard Server. By protecting it from unauthorized access you can prevent attackers from gaining access to your computer.
To use the Firmware Password Utility:
1 Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/).
2 Click New.
3 Select “Require password to start this computer from another source.”
To disable the EFI password, deselect “Require password to start this computer from another source.” You won’t need to enter a password and verify it. Disabling the EFI password is only recommended for installing Mac OS X.
4 In the Password and Verify fields, enter a new EFI password and click OK.
5 Close the Firmware Password Utility.
You can test your settings by attempting to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window loads, changes made by the Firmware Password Utility were successful.
Using Command-Line Tools for Secure Startup
You can also configure EFI from the command line by using the nvram tool. However, you can only set the security-mode environment variable.
You can set the security mode to one of the following values:
• None: This is the default value of security-mode and provides no security to your computer’s EFI.
• Command: This value requires a password if changes are made to EFI or if a user attempts to start up from an alternate volume or device.
• Full: This value requires a password to start up or restart your computer. It also requires a password to make changes to EFI.
For example, to set the security-mode to full you would use the following command:
sudo nvram security-mode=full
To securely set the password for EFI, use the Firmware Password Utility.
From the command line:
# Securing Global System Settings
# -------------------------------
# Configuring Firmware Settings
# -----------------------------
# Default Setting.
# security-mode is off
# Suggested Setting.
# Secure startup by setting security-mode. Replace $mode_value with
# "command" or "full".
sudo nvram security-mode="$mode_value"
# Verify security-mode setting.
sudo nvram -x -p
# Available Settings.
# security-mode.
# "command"
# "full"
# Use the following command to view the current nvram settings.
nvram -x -p
# Use the following commands to view nvram options.
nvram -h
# or
man nvram
Configuring Access Warnings
You can use a login window or Terminal access warning to provide notice of a computer’s ownership, to warn against unauthorized access, or to remind authorized users of their consent to monitoring.
Enabling Access Warnings for the Login Window
Before enabling an access warning, review your organization’s policy for what to use as an access warning.
When a user tries to access the computer’s login window (locally or through Apple Remote Desktop), the user sees the access warning you create.
To create a login window access warning:
1 Open Terminal and verify that your logged-in account can use sudo to perform a defaults write.
2 Change your login window access warning:
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"
Replace Warning Text with your access warning text.
3 Log out to test your changes.
Your access warning text appears below the Mac OS X subtitle.
From the command line:
# Enabling Access Warning for the Login Window
# --------------------------------------------
# Create a login window access warning.
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"
# You can also use the BannerSample project to create an access warning.
Understanding the AuthPlugin Architecture
AuthPlugins are used to control access to a service or application. Preinstalled AuthPlugins for Snow Leopard Server are located in the /System/Library/CoreServices/SecurityAgentPlugins/ folder. These plug-ins (and their associated rules and authorization rights for users) are defined in the /etc/authorization database, and are queried by the Security Server.
For more information about /etc/authorization, see Chapter 29, “Managing Authorization Through Rights,” on page 363.
The following graphic shows the workflow of the Security Server.
[Figure: Security Server workflow. Applications request authorization for a right from the Security Server, which consults the Rights Database (/etc/authorization) and, if necessary, requests user interaction through the Security Agent, which collects a Password, Smart Card, or Biometric credential.]
When an application requests authorization rights from the security server, the security server interrogates the rights database (/etc/authorization) to determine the mechanisms to be used for authentication.
If necessary, the security server requests user interaction through the security agent. The security agent then prompts the user to authenticate through the use of a password, smart card, or biometric reader.
Then the security agent sends the authentication information back to the security server, which passes it back to the application.
The BannerSample Project
If your computer has developer tools installed, the sample code for the bannersample project is located in /Developer/examples/security/bannersample. You can modify and customize this sample banner code for your organization.
After you compile the code you can place it in the /Library/Security/SecurityAgentPlugins/ folder. Then modify the key system.login.console in the /etc/authorization file using Terminal.
For more information about the bannersample, see the bannersample README file.
To modify the /etc/authorization file:
1 Open Terminal.
2 Enter the following command:
sudo pico /etc/authorization
3 Locate the system.login.console key.
4 Add <string>bannersample:test</string> above <string>builtin:smartcard-sniffer,privileged</string>, as shown below:
<key>system.login.console</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>comment</key>
    <string>Login mechanism based rule. Not for general use, yet.</string>
    <key>mechanisms</key>
    <array>
        <string>bannersample:test</string>
        <string>builtin:smartcard-sniffer,privileged</string>
5 Save changes and exit the editor.
6 Restart the computer and verify that the banner appears.
For additional information or support for the BannerSample project contact [email protected].
Enabling Access Warnings for the Command Line
Before enabling an access warning, review your organization’s policy for what to use as an access warning.
When a user opens Terminal locally or connects to the computer remotely, the user sees the access warning you create.
The following task must be performed by an administrator user using any text editor.
To create a command-line access warning:
1 Open Terminal.
2 Enter the following command to create the /etc/motd file:
sudo touch /etc/motd
3 Enter the following command to edit the /etc/motd file:
sudo pico /etc/motd
4 Enter your access warning message.
5 Save changes and exit the text editor.
6 Open a new Terminal window to test changes.
Your access warning text appears above the prompt in the new Terminal window.
From the command line:
# Enabling Access Warning for the Command Line
# --------------------------------------------
# Create a command-line access warning.
sudo touch /etc/motd
sudo chmod 644 /etc/motd
# The ">>" redirection is done by your own (non-root) shell, so
# "sudo echo ... >> /etc/motd" fails; let tee append as root instead.
echo "Warning Text" | sudo tee -a /etc/motd
Turning On File Extensions
By making the file extension visible, you can determine the type of file it is and the application it is associated with.
To turn file extensions on:
1 Open Finder.
2 From the Finder menu, select Preferences.
3 Click Advanced and select the “Show all filename extensions” checkbox.
Chapter 5  Securing Local Server Accounts
Use this chapter to learn how to secure accounts by assigning user account types, configuring directory access, using strong authentication procedures, and safely storing credentials.
Securing user accounts requires determining how accounts are used and setting the level of access for users.
When you define a user’s account you specify the information to prove the user’s identity, such as user name, authentication method (password, digital token, smart card, or biometric reader), and user identification number (user ID). Other information in a user’s account is needed by various services to determine what the user is authorized to do and to personalize the user’s environment.
Types of User Accounts
When you log in to Snow Leopard Server, you use a nonadministrator or administrator account. The main difference is that Snow Leopard Server provides safety mechanisms to prevent nonadministrator users from editing key preferences, or from performing actions critical to computer security. Administrator users are not as limited as nonadministrator users.
You can further define nonadministrator and administrator accounts by specifying additional user privileges or restrictions.
The following table shows the access provided to user accounts.
User Account                       User Access
Guest nonadministrator             Restricted user access (disabled by default)
Standard nonadministrator          Nonprivileged user access
Managed nonadministrator           Restricted user access
Delegated server administrator     Administer specified service configuration
Administrator                      Full server configuration administration
Directory domain administrator     Administer the configured domains on the server
System administrator (root)        Unrestricted access to the server
Unless you need administrator access for specific system maintenance tasks that cannot be accomplished by authenticating with the administrator’s account while logged in as a normal user, always log in as a nonadministrator user. Log out of the administrator account when you are not using the computer as an administrator.
Never browse the web or check email while logged in to an administrator’s account.
If you are logged in as an administrator, you are granted privileges and abilities that you might not need. For example, you can potentially modify system preferences without being required to authenticate. This bypasses a security safeguard that prevents malicious or accidental modification of system preferences.
Note: This chapter describes how to secure local accounts configured on Snow Leopard Server. For more information about securing user and group network accounts using Workgroup Manager, see Chapter 22, “Securing Network Accounts.”
Guidelines for Creating Accounts
When you create user accounts, follow these guidelines:
• Never create accounts that are shared by several users. Each user should have his or her own standard or managed account.
Individual accounts are necessary to maintain accountability. System logs can track activities for each user account, but if several users share the same account it is difficult to track which user performed an activity. Similarly, if several administrators share a single administrator account, it becomes harder to track which administrator performed an action.
If someone compromises a shared account, it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by a user sharing the account.
• Each user needing administrator access should have an administrator account in addition to a standard or managed account.
Administrator users should only use their administrator accounts for administrator purposes. By requiring an administrator to have a personal account for typical use and an administrator account for administrator purposes, you reduce the risk of an administrator performing actions like accidentally reconfiguring secure system preferences.
Defining User IDs
A user ID is a number that uniquely identifies a user. Snow Leopard Server computers use the user ID to track a user’s folder and file ownership. When a user creates a folder or file, the user ID is stored as the creator ID. A user with that user ID has read and write permissions to the folder or file by default.
The user ID is a unique string of digits between 500 and 2,147,483,648. New users created using the Accounts pane of System Preferences are assigned user IDs starting at 501.
It is risky to assign the same user ID to different users, because two users with the same user ID have identical directory and POSIX file permissions. However, each user has a unique GUID that is generated when the user account is created. Your GUID is associated with ACL permissions that are set on files or folders. By setting ACL permissions you can prevent users with identical user IDs from accessing files and folders.
The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system use. User accounts with these user IDs should not be deleted and should not be modified except to change the password of the root user.
If you don’t want the user name to appear in the login window of a client computer, assign a user ID of less than 500 and enter the following command in a Terminal window:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
User names never appear in the login window in Snow Leopard Server.
In general, after a user ID is assigned and the user starts creating files and folders, you shouldn’t change the user ID.
One possible scenario in which you might need to change a user ID is when merging users from different servers onto a new server or cluster of servers. The same user ID might have been associated with a different user on the previous server.
Securing the Guest Account
The guest account is used to give a user temporary access to your computer. The guest account is disabled by default because it does not require a password to log in to the computer. The guest account should remain disabled. If this account is enabled and not securely configured, malicious users can gain access to your computer without the use of a password.
In security-sensitive environments the guest account should remain disabled. If you enable the guest account, enable parental controls to limit what the user can do. Enabling parental control on an account does not defend against a determined attacker and should not be used as the primary security mechanism.
Whether or not the guest account is enabled, disable guest account access to shared files and folders by deselecting the “Allow guest to connect to shared folders” checkbox. If you permit the guest account to access shared folders, an attacker can easily attempt to access shared folders without a password.
When you finish with this account, disable it by deselecting the “Allow guests to log in to this computer” checkbox. This prevents the guest user account from logging in to the computer.
Securing Nonadministrator Accounts
There are two types of nonadministrator user accounts: standard and managed.
• Standard user accounts, which don’t have administrator privileges and don’t have parental controls limiting their actions.
• Managed user accounts, which don’t have administrator privileges but have active parental controls. Parental controls help deter unsophisticated users from performing malicious activities. They can also help prevent users from misusing their computer.
Note: If your computer is connected to a network, a managed user can also be a user whose preferences and account information are managed through the network.
When creating nonadministrator accounts, restrict the accounts so they can only use what is required. For example, if you plan to store sensitive data on your local computer, disable the ability to burn DVDs.
Securing External Accounts
An external account is a mobile account that has its local home folder stored on a volume in an external drive. When an external account logs in, Mac OS X only shows the external account that the user logged in with. The external user account cannot view other accounts on the computer.
External accounts require Snow Leopard or later and an external or ejectable volume that is formatted as Mac OS X Extended format (HFS Plus). If you use an external account, use FileVault to protect the content of your home folder in case your external volume is stolen or lost.
For information about external accounts, see the User Management guide.
Protecting Data on External Volumes
By default, a user’s home folder is not encrypted. If a user stores their home folder on an external volume using an external account, the user must secure the data on the external volume. To secure the external volume:
• The volume must be able to process an external authentication, such as a PIN or smart card, before it is mounted or readable.
• The user’s home folder should use FileVault or other encryption mechanisms to secure the data.
Securing Directory-Based Accounts
A directory-based account is an account located on a directory server. A directory server contains user account records and important data for authenticating users.
If your computer is connected to a directory server, you can add directory users to your computer and grant them access. You can restrict a directory user account by using Parental Controls.
Access to directory servers is usually tightly restricted to protect the data on them.
Avoiding Simultaneous Local Account Access
Monitoring user accounts and activities is important to securing your computer. This enables you to determine if an account is compromised or if a user is performing malicious tasks.
Avoiding Fast User Switching
Although the use of Fast User Switching is convenient when you have multiple local users on a single computer, avoid enabling it.
Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is using the computer.
Also, any external volumes attached to the computer are mounted when another user logs in, granting all users access to the volume and ignoring access permissions.
Avoiding Shared User Accounts
Avoid creating accounts that are shared by several users. Individual accounts maintain accountability. Each user should have his or her own standard or managed account.
System logs can track activities for each user account, but if several users share the same account, it becomes difficult to track which user performed an activity. Similarly, if several administrators share a single administrator account, it becomes harder to track which administrator performed a specific action.
If someone compromises a shared account it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by a user sharing the account.
Securing Administrator Accounts
Each administrator should have two accounts: a standard account for daily use and an administrator account for administrator access. Remember that the nonadministrative account should be used for most daily activity, especially when accessing the network or Internet.
The administrator’s account should only be used when absolutely necessary to accomplish administrative tasks. To secure administrator accounts, restrict the distribution of administrator accounts and limit the use of these accounts.
A user account with administrator privileges can perform standard user and administrator tasks such as:
• Creating user accounts
• Adding users to the Admin group
• Changing the FileVault master password
• Enabling or disabling sharing
• Enabling, disabling, or changing firewall settings
• Changing other protected areas in System Preferences
• Installing system software
• Escalating privileges to root
About Tiered Administration Permissions
Mac OS X Server can use another level of access control for added security. Administrators can be assigned to services they can configure. These limitations are enacted on a server-by-server basis. This method can be used by an administrator with no restrictions to assign administrative duties to other users.
In previous releases of Mac OS X Server, there were two classes of users: admin and everyone else. Admin users can make any change to the settings of any service or change any directory data including passwords and password policies.
In Snow Leopard Server, you can now grant individuals and groups specific administrative permissions without adding them to the UNIX “admin” group. In other words, you can make them service administrators.
There are two levels of permissions:
• Administer: This level of permission is analogous to being in the UNIX admin group. You can change any setting on the server for the designated server and service only.
• Monitor: This level of permission allows you to view Overview panes, Log panes, and other information panes in Server Admin, as well as general server status data in server status lists. You do not have access to saved service settings.
Any user or group can be given these permissions for all services or for selected services. The permissions are stored on a per-server basis.
The only users that can change the tiered administration access list are users that are in the UNIX admin group.
This results in a tiered administration model, where some administrators have more privileges than others for assigned services. This results in a method of access control for individual server features and services.
For example, Alice (the lead administrator) has control over all services on a given server and can limit the ability of other admin group users (like Bob and Cathy) to change settings on the server. She can assign DNS and Firewall service administration to Bob, while leaving mail service administration to Cathy.
In this scenario, Cathy can’t change the firewall or any service other than mail. Likewise, Bob can’t change any services outside of his assigned services.
Tiered administration controls are effective in Server Admin and the serveradmin command-line tool. They are not effective against modifying UNIX configuration files throughout the system. Protect UNIX configuration files with POSIX-type permissions or ACLs.
You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access.
Server Admin updates to reflect what operations are possible for a user’s permissions. For example, some services are hidden or the Settings pane is dimmed when you can only monitor that service.
Because the feature is enforced on the server side, the permissions also impact the usage of the serveradmin, dscl, dsimport, and pwpolicy command-line tools, because these tools are limited to the permissions configured for the administrator in use.
Defining Administrative Permissions
You can decide if a user or group can monitor or administer a server or service without giving them the full power of a UNIX administrative user. Assigning effective permissions to users creates a tiered administration, where some but not all administrative duties can be carried out by designated individuals.
To assign permissions:
1 Open Server Admin.
2 Select a server, click the Settings button in the toolbar, and then click the Access tab.
3 Click the Administrators tab.
4 Select whether to define administrative permissions for all services on the server or for select services.
5 If you define permissions by service, select the related checkbox for each service you want to turn on.
If you define permissions by service, be sure to assign administrators to all active services on the server.
6 Click the Add (+) button to add a user or group from the users and group window.
To remove administrative permissions, select a user or group and click the Remove (-) button.
7 For each user or group, select the permissions level next to the user or group name. You can choose Monitor or Administer.
The capabilities of Server Admin to administer the server are limited by this setting when the server is added to the Server list.
Avoiding Shared Administrator Accounts
Avoid creating accounts that are shared by several administrators. Individual accounts maintain accountability. Each user should have his or her own account.
System logs can track activities for each user account, but if several users share the same account, it becomes difficult to track which user performed an activity. For example, if several administrators share a single administrator account, it becomes harder to track which administrator performed a specific action.
If someone compromises a shared administrator account, it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by an administrator sharing the account.
Securing the Directory Domain Administrator Account
A directory domain can reside on a computer running Snow Leopard Server (for example, the LDAP folder of an Open Directory master, or other read/write directory domain) or it can reside on a non-Apple server (for example, a non-Apple LDAP or Active Directory server). Only a directory domain administrator can change the directory domain, including the managed accounts in the directory domain.
When configuring a directory domain administrator account, follow the same security guidelines as you would with any other administrator account.
Changing Special Authorizations for System Functions
You can modify the /etc/authorization configuration file to change authorizations for administrators and standard users.
WARNING: Changes to this file can have unanticipated negative results. Edit with caution.
To modify authorization by changing the /etc/authorization file:
1 Edit the /etc/authorization file using the pico tool, which allows for safe editing of the file.
The command must be run as root:
sudo pico /etc/authorization
2 When prompted, enter the administrator password.
This displays a property list for authorization, listing all available keys.
3 Locate the key you want to modify.
For example, to change who has access to unlock the screen saver, modify the system.login.screensaver key by changing the rule:
<key>rule</key>
<string>authenticate-session-owner-or-admin</string>
to
<key>rule</key>
<string>authenticate-session-owner</string>
Doing this restricts the administrator from unlocking the screen saver.
4 Save and quit pico.
Securing the System Administrator Account
The most powerful user account in Snow Leopard is the system administrator or root account. By default, the root account on Snow Leopard Server is enabled and uses the same password as the first created admin user. You should disable it using the following command:
dsenableroot -d
Important: The system administrator or root account should only be used when absolutely necessary.
The most powerful user account in Mac OS X is the system administrator or root account. By default, the root account on Mac OS X is disabled and it is recommended you do not enable it.
The root account is primarily used for performing UNIX commands. Generally, actions that involve critical system files require you to perform those actions as root. However, using the sudo command, it is possible to perform root-level actions on an as-needed basis.
If you are logged in as a Snow Leopard Server administrator, you perform commands as root by using the sudo command. Snow Leopard Server logs actions performed using the sudo command. This helps you track misuse of the sudo command on a computer. Keep in mind that these logs can be edited if they are stored locally, so only grant sudo privileges to trusted users.
You can use the su command to log in to the command line as another user if you have that user’s password. This includes the root user, if the root account is enabled. When you are logged in as root, you can use the su command to change users without a password.
If multiple users can log in as root, you cannot track which user performed root actions. Do not allow direct root login, because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privilege, and then use the sudo command to perform actions as root.
If the root account is enabled, you can disable it by using an administrative account and the dsenableroot command. For example, the following command disables the root account.
sudo dsenableroot -d
For instructions about how to restrict root user access in Directory Utility, open Mac Help and search for “Directory Utility.”
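Snow Leopard Server logs every sudo invocation, as noted above; the following script is an added example, not from Apple’s guide, that summarizes such log lines in sudo’s standard syslog format to show who ran commands as root and which attempts were refused. The log lines are constructed samples, and the assumption that the real entries are in /var/log/secure.log should be checked against /etc/syslog.conf on the server.

```sh
#!/bin/sh
# Added example (not from the Apple guide): summarise sudo activity from
# syslog-format lines as sudo writes them, so an administrator can review
# who ran what as root and which attempts were refused. On Snow Leopard
# Server the entries normally land in /var/log/secure.log (assumption;
# confirm with /etc/syslog.conf on the server).

# Constructed sample log lines in sudo's syslog format; not real data.
SAMPLE_SUDO_LOG='Mar  1 09:12:04 server sudo[4120]: alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/dsenableroot -d
Mar  1 09:13:40 server sudo[4133]: alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  1 09:20:11 server sudo[4190]: bob : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
Mar  1 09:21:02 server sudo[4199]: bob : user NOT in sudoers ; TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
Mar  1 09:25:30 server sudo[4210]: carol : TTY=ttys002 ; PWD=/Users/carol ; USER=root ; COMMAND=/usr/bin/touch /System/Library/Extensions'

# The two refusal messages sudo logs in front of the "COMMAND=" field.
DENIAL_RE='incorrect password attempts|user NOT in sudoers'

# sudo_lines LOG: only the lines written by sudo itself.
sudo_lines() {
    grep -E ' sudo\[[0-9]+]: ' "$1" || true
}

# sudo_user_of_line: reduce each line to the invoking user, for example
# "alice" from "... sudo[4120]: alice : TTY=...".
sudo_user_of_line() {
    sed -E 's/.* sudo\[[0-9]+]: ([^ ]+) : .*/\1/'
}

# sudo_commands_by_user LOG
# Prints "<user> <count>" for commands that actually ran as root (lines
# with COMMAND= and no refusal message), one user per line, sorted.
sudo_commands_by_user() {
    sudo_lines "$1" | grep 'COMMAND=' | grep -Ev "$DENIAL_RE" \
        | sudo_user_of_line | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# sudo_denials LOG
# Prints "<user> <reason> <command>" for each refused attempt; repeated
# refusals for one user are the pattern worth following up on.
sudo_denials() {
    sudo_lines "$1" | grep -E "$DENIAL_RE" \
        | sed -E 's/.* sudo\[[0-9]+]: ([^ ]+) : ([^;]*) ;.*COMMAND=(.*)$/\1 \2 \3/'
}

# sudo_denial_count LOG: number of refused attempts (prints 0 if none).
sudo_denial_count() {
    sudo_denials "$1" | grep -c . || true
}

# Typical use on the server (assumed log location):
#   sudo_commands_by_user /var/log/secure.log
#   sudo_denials /var/log/secure.log
```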
Restricting sudo Usage
By default, sudo is enabled for administrator users. From the command line, you can disable root login or restrict the use of sudo. Limit the administrators allowed to use sudo to those who need to run commands as root.
The computer uses a file named /etc/sudoers to determine which users can use sudo. You can modify root user access by changing the /etc/sudoers file to restrict sudo access to specific accounts, and allow those accounts to perform specifically allowed commands. This gives you control over what users can do as root.
To restrict sudo usage by changing the /etc/sudoers file:
1 As the root user, use the following command to edit the /etc/sudoers file, which allows for safe editing of the file.
sudo visudo
2 When prompted, enter the administrator password.
There is a timeout value associated with sudo. This value indicates the number of minutes until sudo prompts for a password again. The default value is 5, which means that after issuing the sudo command and entering the correct password, additional sudo commands can be entered for 5 minutes without reentering the password. This value is set in the /etc/sudoers file. For more information, see the sudo and sudoers man pages.
3 In the Defaults specification section of the file, add the following lines.
Defaults timestamp_timeout=0
Defaults tty_tickets
These lines limit the use of the sudo command to a single command per authentication and also ensure that, even if a timeout is activated, later sudo commands are limited to the terminal where authentication occurred.
4 Restrict which administrators are allowed to run sudo by removing the line that begins with %admin and adding the following entry for each user, substituting the user’s short name for the word user:
user ALL=(ALL) ALL
Doing this means that when an administrator is added to the computer, the administrator must be added to the /etc/sudoers file as described, if the administrator needs to use sudo.
5 Save and quit visudo.
For more information, enter man pico or man visudo in a Terminal window. For information about how to modify the /etc/sudoers file, see the sudoers man page.
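As an added example that is not part of Apple's guide, the following POSIX shell functions audit a sudoers file for the three changes made in the procedure above (the two Defaults lines and the removal of the %admin rule) and list the accounts that hold a per-user entry. It assumes the one-line layout shown in the steps and does not follow #include directives.

```shell
#!/bin/sh
# Added example (not from Apple's guide): audit a sudoers file against the
# changes made in the procedure above. Findings go to stdout; the exit status
# is 0 only when every check passes.
# Assumptions: plain one-line layout (Defaults ..., user ALL=(ALL) ALL);
# #include directives are not followed.

# strip_sudoers FILE -> the file with comments and blank lines removed
strip_sudoers() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# sudoers_users FILE -> space-separated accounts that have a user specification
sudoers_users() {
    strip_sudoers "$1" | awk '
        $1 !~ /^(Defaults|%|@)/ && $1 !~ /_Alias$/ && $2 ~ /=/ {
            printf "%s%s", sep, $1; sep = " "
        }
        END { if (sep != "") print "" }'
}

# audit_sudoers FILE -> prints one line per check; returns 0 when all pass
audit_sudoers() {
    body=$(strip_sudoers "$1")
    status=0

    # Step 3: a password is required for every sudo invocation.
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*Defaults[[:space:]]' |
            grep -Eq '[[:space:],]timestamp_timeout=0([[:space:],]|$)'; then
        echo "ok:   timestamp_timeout=0"
    else
        echo "FAIL: timestamp_timeout=0 missing (credentials stay cached after one sudo)"
        status=1
    fi

    # Step 3: a cached authentication is bound to the terminal that supplied it.
    # A negated "!tty_tickets" has no space or comma before the name, so it does not match.
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*Defaults[[:space:]]' |
            grep -Eq '[[:space:],]tty_tickets([[:space:],]|$)'; then
        echo "ok:   tty_tickets"
    else
        echo "FAIL: tty_tickets missing (authentication is reusable from other terminals)"
        status=1
    fi

    # Step 4: the blanket %admin group rule must be gone.
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*%admin[[:space:]]'; then
        echo "FAIL: %admin rule still present (every administrator can use sudo)"
        status=1
    else
        echo "ok:   no %admin rule"
    fi

    echo "info: per-user sudo entries: $(sudoers_users "$1")"
    return "$status"
}
```

Run it as audit_sudoers /etc/sudoers after saving in visudo; the per-user list is the set of accounts that should match the administrators who actually need root.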
Understanding Directory Domains
User accounts are stored in a directory domain. Your preferences and account attributes are set according to the information stored in the directory domain.
Local accounts are hosted in a local directory domain. When you log in to a local account, you authenticate with that local directory domain. Users with local accounts typically have local home folders. When a user saves files in a local home folder, the files are stored locally. To save a file over the network, the user must connect to the network and upload the file.
Network accounts are hosted in a network directory domain, such as a Lightweight Directory Access Protocol (LDAP) or Network Information Service (NIS) directory. When you log in to a network account, you authenticate with the network directory domain. Users with network accounts typically have network home folders. When they save files in their network home folders, the files are stored on the server.
Mobile accounts cache authentication information and managed preferences. A user’s authentication information is maintained on the directory server but is cached on the local computer. With cached authentication information, a user can log in using the same user name and password (or a digital token, smart card, or biometric reader), even if the user is not connected to the network.
Users with mobile accounts have local and network home folders that combine to form portable home directories. When users save files, the files are stored in a local home folder. The portable home directory is a synchronized subset of a user’s local and network home folders. For information about protecting your home folder, see Chapter 8, “Securing Data and Using Encryption.”
Understanding Network Services, Authentication, and Contacts
You can use Directory Utility to configure your computer to use a network directory domain. Directory search services that are not used should be disabled in the Services pane of Directory Utility.
Directory Utility can be accessed from Accounts preferences by clicking Login Options, then clicking Join or Edit, and then clicking Open Directory Utility.
You can enable or disable each kind of directory service protocol in Directory Utility. Snow Leopard Server doesn’t access disabled directory services, except for the local directory domain, which is always accessed. In addition to enabling and disabling services, you can use Directory Utility to choose the directory domains you want to authenticate with.
Directory Utility defines the authentication search policy that Snow Leopard uses to locate and retrieve user authentication information and other administrative data from directory domains.
The login window, Finder, and other parts of Snow Leopard use this authentication information and administrative data. File service, mail service, and other services provided by Mac OS X Server also use this information.
Directory Utility also defines the contacts search policy that Snow Leopard uses to locate and retrieve name, address, and other contact information from directory domains. Address Book can use this contact information, and other applications can be programmed to use it as well.
The authentication and contacts search policy consists of a list of directory domains (also known as directory nodes). The order of directory domains in the list defines the search policy.
Starting at the top of the list, Snow Leopard Server searches each listed directory domain in turn until it finds the information it needs or reaches the end of the list without finding the information.
For more information about using Directory Utility, see Open Directory Administration.
Configuring LDAPv3 Access
Snow Leopard Server primarily uses Open Directory as its network-based directory domain. Open Directory uses LDAPv3 as its connection protocol. LDAPv3 includes several security features that you should enable if your server supports them. Enabling every LDAPv3 security feature maximizes your LDAPv3 security.
To make sure your settings match your network’s required settings, contact your network administrator. Whenever possible, all LDAP connections should be configured to be encrypted using SSL.
When configuring LDAPv3, do not add DHCP-supplied LDAP servers to automatic search policies if you cannot secure the network the computer is running on. If you do, someone can create a rogue DHCP server and a rogue LDAP directory and then control your computer as the root user.
For information about changing the security policy for an LDAP connection or about protecting computers from malicious DHCP servers, see Open Directory Administration.
Configuring Active Directory Access
Leopard supports mutual authentication with Active Directory servers. Kerberos is a ticket-based system that enables mutual authentication. The server must identify itself by providing a ticket to your computer. This prevents your computer from connecting to rogue servers.
Leopard also supports digital signing and encrypted packet security settings used by Active Directory. These settings are enabled by default.
Mutual authentication occurs when you bind to Active Directory servers.
If you’re connecting to an Active Directory server with Highly Secure (HISEC) templates enabled, you can use third-party tools to further secure your Active Directory connection.
When you configure Active Directory access, the settings you choose are generally dictated by the Active Directory server’s settings. To make sure your settings match your network’s required settings, contact your network administrator.
Do not use the “Allow administration by” setting in sensitive environments. It can cause unintended privilege escalation issues because any member of the group specified will have administrator privileges on your computer. Additionally, you should only connect to trusted networks.
For more information about using Directory Utility to connect to Active Directory servers, see Open Directory Administration.
Using Strong Authentication
Authentication is the process of verifying the identity of a user. Snow Leopard Server supports local and network-based authentication to ensure that only users with valid authentication credentials can access the computer’s data, applications, and network services.
You can require passwords to log in, to wake the computer from sleep or from a screen saver, to install applications, or to change system settings. Snow Leopard Server also supports authentication methods such as smart cards, digital tokens, and biometric readers.
Strong authentication is created by using combinations of the following authentication dimensions:
• What the user knows, such as a password or PIN number
• What the user has, such as a one-time password (OTP) token or smart card
• What the user is, such as a fingerprint, retina scan, or DNA sample
Using a combination of these dimensions makes authentication more reliable and user identification more certain.
Using Password Assistant to Generate or Analyze Passwords
Mac OS X includes Password Assistant, an application that analyzes the complexity of a password or generates a complex password for you. You can specify the length and type of password you’d like to generate.
You can choose from the following types of passwords:
• Manual: You enter a password and then Password Assistant gives you the quality level of your password. If the quality level is low, Password Assistant gives tips for increasing the quality level.
• Memorable: According to your password length requirements, Password Assistant generates a list of memorable passwords in the Suggestion menu.
• Letters & Numbers: According to your password length requirements, Password Assistant generates a list of passwords with a combination of letters and numbers.
• Numbers Only: According to your password length requirements, Password Assistant generates a list of passwords containing only numbers.
• Random: According to your password length requirements, Password Assistant generates a list of passwords containing random characters.
• FIPS-181 compliant: According to your password length requirements, Password Assistant generates a password that is FIPS-181 compliant (which includes mixed upper and lower case, punctuation, and numbers).
You can open Password Assistant from some applications. For example, when you create an account or change passwords in Accounts preferences, you can use Password Assistant to help you create a secure password.
Using Kerberos
Kerberos is an authentication protocol used for systemwide single sign-on, allowing users to authenticate to multiple services without reentering passwords or sending them over the network. Every system generates its own principals, allowing it to offer secure services that are fully compatible with other Kerberos-based implementations.
Note: Snow Leopard Server supports Kerberos v5 but does not support Kerberos v4.
Snow Leopard Server uses Kerberos to make it easier to share services with other computers. A key distribution center (KDC) server is not required to use Kerberos authentication between two computers running Snow Leopard Server.
When you connect to a computer that supports Kerberos, you are granted a ticket that permits you to continue to use services on that computer, without reauthentication, until your ticket expires.
For example, consider two computers running Snow Leopard Server named “Mac01” and “Mac02.” Mac02 has screen sharing and file sharing turned on. If Mac01 connects to a shared folder on Mac02, Mac01 can subsequently connect to screen sharing on Mac02 without supplying login credentials again.
This Kerberos exchange is only attempted if you connect using Bonjour, if you navigate to the computer in Finder, or if you use the Go menu in Finder to connect to a server using the local hostname of the computer.
Normally, after your computer obtains a Kerberos ticket in this manner, it keeps that Kerberos ticket until it expires. However, if you want to manually remove your Kerberos ticket, you can do so using the Kerberos utility in Snow Leopard Server.
To manually remove a Kerberos ticket:
1 Open Keychain Access (in /Applications/Utilities).
2 From the Keychain Access menu, choose Ticket Viewer.
3 In the Kerberos application’s Ticket Cache window, find the key that looks like this:
yourusername@LKDC:SHA1...
It is followed by a long string of alphanumeric characters.
4 Click “Destroy Ticket” to delete that key.
You can also use the kinit, kdestroy, and kpasswd commands to manage Kerberos tickets. For more information, see the kinit, kdestroy, and kpasswd man pages.
Using Smart Cards
A smart card is a plastic card (similar in size to a credit card) or USB dongle that has memory and a microprocessor embedded in it. The smart card can store and process information such as passwords, certificates, and keys.
The microprocessor inside the smart card can do authentication evaluation offline before releasing information.
Before the smart card processes information, you must authenticate with the smart card by a PIN or biometric measurement (such as a fingerprint), which provides an additional layer of security.
Smart card support is integrated into Snow Leopard Server and can be configured to work with the following services:
• Cryptographic login (local or network based accounts)
• Unlock of FileVault enabled accounts
• Unlock keychains
• Signed and encrypted email (S/MIME)
• Securing web access (HTTPS)
• VPN (L2TP, PPTP, SSL)
• 802.1X
• Screen saver unlock
• System administration
• Keychain Access
Using Tokens
You can use a digital token to identify a user for commerce, communication, or access control. This token can be generated by software or hardware.
Some common tokens are the RSA SecurID and the CRYPTOCard KT-1 devices. These hardware devices generate tokens to identify the user. The generated tokens are specific to that user, so two users with different RSA SecurIDs or different CRYPTOCard KT-1s have different tokens.
You can use tokens for two-factor authentication. Two-factor refers to authenticating through something you have (such as a one-time-password token) and something you know (such as a fixed password). The use of tokens increases the strength of the authentication. Tokens are frequently used for VPN authentication.
Using Biometrics
Mac OS X supports biometric authentication technologies such as thumbprint readers. Password-protected websites and applications can be accessed without requiring the user to remember a long list of passwords.
Some biometric devices allow you to authenticate by placing your finger on a pad. Unlike a password, your fingerprint can never be forgotten or stolen. Fingerprint identification provides personal authentication and network access.
The use of biometrics can enhance authentication by using something that is a part of you (such as your fingerprint).
Setting Global Password Policies
To configure a password policy that can apply globally or to individual users, use the pwpolicy command-line tool.
Global password policies are not implemented in Mac OS X; instead, password policies are set for each user account.
You can set specific rules governing the size and complexity of acceptable passwords. For example, you can specify requirements for the following:
• Minimum and maximum character length
• Alphabetic and numeric character inclusion
• Maximum number of failed logins before account lockout
To require that an authenticator’s password be a minimum of 12 characters and have no more than 3 failed login attempts, enter the following in a Terminal window:
sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=12 maxFailedLoginAttempts=3"
For advanced password policies, use Password Server in Mac OS X Server. You can use it to set global password policies that specify requirements for the following:
• Password expiration duration
• Special character inclusion
• Mixed-case character inclusion
• Password reuse limits
You can use pwpolicy to set a password policy that meets your organization’s password standards. For more information about how to use pwpolicy, enter man pwpolicy in a Terminal window.
Storing Credentials in Keychains
Snow Leopard Server includes Keychain Access, an application that manages collections of passwords and certificates in a single credential store called a keychain. Each keychain can hold a collection of credentials and protect them with a single password.
Keychains store encrypted passwords, certificates, and other private values (called secure notes). These values are accessible only by unlocking the keychain using the keychain password and only by applications that are approved and added to the access control application list.
You can create multiple keychains, each of which appears in a keychain list in Keychain Access. Each keychain can store multiple values. Each value is called a key item. You can create a key item in any user-created keychain.
When an application must store an item in a keychain, it stores it in the keychain designated as your default. The default is named “login,” but you can change that to any user-created keychain. The default keychain name is displayed in bold.
Each item in a keychain has an Access Control List (ACL) that can be populated with applications that have authority to use that keychain item. A further restriction can be added that forces an application with access to confirm the keychain password.
The main issue with remembering passwords is that you’re likely to make all passwords identical or keep a written list of passwords. By using keychains, you can greatly reduce the number of passwords you need to remember. Because you no longer need to remember passwords for multiple accounts, the passwords you choose can be very complex and can even be randomly generated.
Keychains provide additional protection for passwords, passphrases, certificates, and other credentials stored on the computer. In some cases, such as using a certificate to sign a mail message, the certificate must be stored in a keychain.
If a credential must be stored on the computer, store and manage it using Keychain Access. Check your organization’s policy on keychain use.
Due to the sensitive nature of keychain information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files.
Snow Leopard Server Keychain services enable you to create keychains and provide secure storage of keychain items. After a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes. A user can unlock a keychain with a single password and applications can then use that keychain to store and retrieve data, such as passwords.
Note: You can use the security and systemkeychain commands to administer keychains, manipulate keys and certificates, and do just about anything the Security framework can do. For more information about these commands, see their man pages.
Using the Default User Keychain
When a user’s account is created, a default keychain named “login” is created for that user. The password for the login keychain is initially set to the user’s login password and is unlocked when the user logs in. It remains unlocked unless the user locks it, or until the user logs out.
You should change the settings for the login keychain so the user must unlock it when he or she logs in, or after waking the computer from sleep.
To secure the login keychain:
1 Open Keychain Access.
2 If you do not see a list of keychains, click Show Keychains.
3 Select the login keychain.
4 Choose Edit > Change Password for Keychain “login.”
5 Enter the current password, and create and verify a password for the login keychain.
After you create a login keychain password that is different from the normal login password, your keychain is not unlocked at login.
To help you create a more secure password, use Password Assistant. For information, see “Using Password Assistant to Generate or Analyze Passwords” on page 84.
6 Choose Edit > Change Settings for Keychain “login.”
7 Select “Lock when sleeping.”
8 Deselect “Synchronize this keychain using MobileMe.”
9 Secure each login keychain item.
For information, see “Securing Keychains and Their Items” on page 91.
Creating Additional Keychains
When a user account is created, it contains only the initial default keychain named “login.” A user can create additional keychains, each of which can have different settings and purposes.
For example, a user might want to group credentials for mail accounts into one keychain. Because mail programs query the server frequently to check for mail, it is not practical for the user to reauthenticate when such a check is performed.
The user can create a keychain and configure its settings, so that he or she is required to enter the keychain password at login and whenever the computer is awakened from sleep.
He or she can then move all items containing credentials for mail applications into that keychain and set each item so that only the mail application associated with that credential can automatically access it. This forces other applications to authenticate to access that credential.
Configuring a keychain’s settings for use by mail applications might be unacceptable for other applications. If a user has an infrequently used web-based account, it is more appropriate to store keychain settings in a keychain configured to require reauthentication for every access by any application.
You can also create multiple keychains to accommodate varying degrees of sensitivity. By separating keychains based on sensitivity, you prevent the exposure of sensitive credentials to less sensitive applications with credentials on the same keychain.
To create a keychain and customize its authentication settings:
1 In Keychain Access, choose File > New Keychain.
2 Enter a name, select a location for the keychain, and click Create.
3 Enter a password, verify it, and click OK.
4 If you do not see a list of keychains, click Show Keychains.
5 Select the new keychain.
6 Choose Edit > Change Settings for keychain “keychain_name,” and authenticate, if requested.
7 Change the “Lock after # minutes of inactivity” setting based on the access frequency of the security credentials included in the keychain.
If the security credentials are accessed frequently, do not select “Lock after # minutes of inactivity.”
If the security credentials are accessed frequently, select “Lock after # minutes of inactivity” and select a value, such as 15. If you use a password-protected screen saver, consider setting this value to the idle time required for your screen saver to start.
If the security credentials are accessed infrequently, select “Lock after # minutes of inactivity” and specify a value, such as 1.
8 Select “Lock when sleeping.”
9 Drag the security credentials from other keychains to the new keychain and authenticate, if requested.
You should have keychains that only contain related certificates. For example, you can have a mail keychain that only contains mail items.
10 If you are asked to confirm access to the keychain, enter the keychain password and click Allow Once.
After confirming access, Keychain Access moves the security credential to the new keychain.
11 Secure each item in the security credentials for your keychain.
Securing Keychains and Their Items
Keychains can store multiple encrypted items. You can configure items so only specific applications have access. (However, you cannot set Access Control for certificates.)
To secure a keychain item:
1 In Keychain Access, select a keychain and then select an item.
2 Click the Information (i) button.
3 Click Access Control and then authenticate if requested.
4 Select “Confirm before allowing access.”
After you enable this option, Snow Leopard Server prompts you before giving a security credential to an application.
If you select “Allow all applications to access this item,” you allow any application to access the security credential when the keychain is unlocked. When accessing the security credential, there is no user prompt, so enabling this is a security risk.
5 Select “Ask for Keychain password.”
After enabling this, you must provide the keychain password before applications can access security credentials.
Enabling this is important for critical items, such as your personal identity (your public key certificates and the corresponding private key), which are needed when signing or decrypting information. These items can also be placed in their own keychains.
6 Remove nontrusted applications listed in “Always allow access by these applications” by selecting each application and clicking the Remove (–) button.
Applications listed here require the user to enter the keychain password to access security credentials.
Using Smart Cards as Keychains
Snow Leopard Server integrates support for hardware-based smart cards as dynamic keychains where any application using keychains can access that smart card. A smart card can be thought of as a portable protected keychain.
Smart cards are seen by the operating system as dynamic keychains and are added to the top of the Keychain Access list. They are the first searched in the list. They can be treated as other keychains on the user’s computer, with the limitation that users can’t add other secure objects.
When you attach a supported smart card to your computer, it appears in Keychain Access. If multiple smart cards are attached to your computer, they appear at the top of the keychain list alphabetically as separate keychains.
You can manually unlock and change the PIN using Keychain Access. Changing the PIN on your smart card is the same as changing the password on a regular keychain.
In Keychain Access, select your smart card and unlock it by double-clicking it. If it is not unlocked, you are prompted to enter the password for the smart card, which is the same as the PIN. Enter the PIN and use Keychain Access to view the PIN-protected data on that smart card.
Using Portable and Network Keychains
If you’re using a portable computer, consider storing your keychains on a portable drive, such as a USB flash memory drive. You can remove the portable drive from the portable computer and store it separately when the keychains are not in use.
Anyone attempting to access data on the portable computer needs the portable computer, portable drive, and password for the keychain stored on the portable drive. This provides an extra layer of protection if the laptop is stolen or misplaced.
To use a portable drive to store keychains, move your keychain files to the portable drive and configure Keychain Access to use the keychains on the portable drive.
The default location for your keychain is ~/Library/Keychains/. However, you can store keychains in other locations.
You can further protect portable keychains by storing them on biometric USB flash memory drives, or by storing portable drive contents in an encrypted file. For information, see “Encrypting Portable Files” on page 155.
Check with your organization to see if they allow portable drives to store keychains.
To set up a keychain for use from a portable drive:
1 Open Keychain Access.
2 If you do not see a list of keychains, click Show Keychains.
3 Choose Edit > Keychain List.
4 Note the location of the keychain you want to set up.
The default location is ~/Library/Keychains/.
5 Click Cancel.
6 Select the keychain you want to set up.
7 Choose File > Delete Keychain “keychain_name.”
8 Click Delete References.
9 Copy the keychain files from the previously noted location to the portable drive.
10 Move the keychain to the Trash and use Secure Empty Trash to securely erase the keychain file stored on the computer.
For information, see “Using Secure Empty Trash” on page 160.
11 Open Finder and double-click the keychain file on your portable drive to add it to your keychain search list.
6 Securing System Preferences
Use this chapter to set Snow Leopard Server system preferences to enhance system security and further protect against attacks.
System Preferences has many configurable preferences that you can use to customize system security. You can also manage these preferences using Workgroup Manager.
System Preferences Overview
Snow Leopard Server includes system preferences that you can use to customize security. When modifying settings for one account, make sure your settings are mirrored on all other accounts, unless there is an explicit need for different settings.
You can view system preferences by choosing Apple > System Preferences. In the System Preferences window, click a preference to view it.
Some critical preferences require that you authenticate before you modify their settings. To authenticate, you click the lock (see the images below) and enter an administrator’s name and password (or use a digital token, smart card, or biometric reader).
If you log in as a user with administrator privileges, these preferences are unlocked unless you select “Require password to unlock each System Preferences pane” in Security preferences. For more information, see “Securing Security Preferences” on page 122.
If you log in as a standard user, these preferences remain locked. After unlocking preferences, you can lock them again by clicking the lock.
Preferences that require authentication include the following:
• Accounts
• Date & Time
• Energy Saver
• MobileMe
• Network
• Print & Fax
• Security
• Sharing
• Startup Disk
• Time Machine
This chapter lists each set of preferences included with Snow Leopard Server and describes modifications recommended to improve security.
Securing MobileMe Preferences
MobileMe is a suite of Internet tools that help you synchronize data and other important information when you’re away from the computer.
In sensitive environments, don’t use MobileMe. If you must store critical data, only store it on your local computer. You should only transfer data over a secure network connection to a secure internal server.
If you use MobileMe, enable it only for user accounts that don’t have access to critical data. Avoid enabling MobileMe for administrator or root user accounts.
Leave the options disabled in the Sync pane of MobileMe preferences (shown below).
Leave Registered Computer for synchronization blank in the Advanced settings of the Sync pane (shown below).
Leave iDisk Syncing (shown below) disabled by default. If you must use a Public folder, enable password protection.
To disable MobileMe preferences:
1 Open MobileMe preferences.
2 Deselect “Synchronize with MobileMe.”
3 Make sure there are no computers registered for synchronization in the Advanced settings of the Sync pane.
4 Make sure iDisk Syncing is disabled in the iDisk pane.
From the command line:
# ------------------------------------------------------------------
# Securing System Preferences
# ------------------------------------------------------------------
# Securing MobileMe Preferences
# ------------------------
# Default Setting.
# If a MobileMe account is entered during setup, MobileMe is configured
# for that account.
# Use the following command to display current MobileMe settings.
defaults -currentHost read com.apple.<Preference identifier>
# Use the following command to view all current settings for currentHost.
defaults -currentHost read
# Suggested Setting.
# Disable Sync options.
sudo defaults -currentHost write com.apple.DotMacSync ShouldSyncWithServer 1
# Disable iDisk Syncing. The key is the short name followed by _MirrorEnabled,
# so the variable must be braced or the shell expands an empty $USER_MirrorEnabled.
sudo defaults -currentHost write com.apple.idisk "${USER}_MirrorEnabled" -bool no
# Available Settings.
# None
Securing Accounts Preferences
Use Accounts preferences to change or reset account passwords (shown below), to enable Parental Controls, or to modify login options for each account.
You should immediately change the password of the first account that was created on your computer. If you are an administrator, you can reset other user account passwords by selecting the account and clicking Reset Password.
Note: If you are an administrator, password policies are not enforced when you change your password or when you change another user’s password. Therefore, when you are changing passwords as an administrator, make sure you follow the password policy you set. For more information about password policies, see “Setting Global Password Policies” on page 87.
The password change dialog and the reset dialog (shown below) provide access to Password Assistant, an application that can analyze the strength of your password and assist you in creating a more secure password. For more information, see “Using Password Assistant to Generate or Analyze Passwords” on page 84.
Consider the following login guidelines:
• Disable automatic login if enabled.
• Require that the user enter a name and a password, and that the user authenticate without the use of a password hint.
• Disable Restart, Sleep, and Shut Down buttons—the user cannot restart the computer without pressing the power key or logging in.
• Disable fast user switching if enabled—it is a security risk because it allows multiple users to be simultaneously logged in to a computer.
Although the use of Fast User Switching is convenient when you have multiple users on a single computer, there are cases in which you may not want to enable it.
Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is using the computer.
Also, some external volumes attached to the computer are mounted when another user logs in, granting all users access to the volume and ignoring access permissions.
Avoid creating accounts that are shared by several users. Individual accounts maintain accountability. Each user should have his or her own standard or managed account.
System logs can track activities for each user account, but if several users share the same account, it becomes difficult to track which user performed an activity. Similarly, if several administrators share a single administrator account, it becomes harder to track which administrator performed a specific action.
If someone compromises a shared account, it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by a user sharing the account.
To securely configure Accounts preferences:
1 Open Accounts preferences.
2 Select your account and click the Password tab; then change the password by clicking the Change Password button.
A menu appears asking you to input the old password, new password, verification of the new password, and a password hint.
To reset a user’s account password, select the account and click the Reset Password button. Then enter the new password and verification of the new password, and leave the password hint blank.
3 Do not enter a password hint, then click the Change Password button.
4 Click Login Options.
A screen similar to the following appears:
5 Under “Display login window as,” select “Name and password” and deselect all other options.
From the command line:
# Securing Accounts Preferences
# ----------------------------
# Change an account's password on a client system.
# Don’t use this command if other users are also logged in.
sudo dscl /LDAPv3/127.0.0.1 passwd /Users/$User_name $Oldpass $Newpass
# Change an account's password on a server.
# Don't use this command if other users are also logged in.
sudo dscl . passwd /Users/$User_name $Oldpass $Newpass
# Make sure there is no password hint set.
sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
# Disable Show the Restart, Sleep, and ShutDown Buttons.
sudo defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisable -bool yes
# Disable fast user switching. This command does not prevent multiple users
# from being logged in.
sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO
# Disable Automatic login.
sudo defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool yes
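As an added check that is not part of Apple's guide, the following POSIX shell functions read back the four loginwindow and global preference keys written by the commands above and report any that do not hold the hardened value, so a host can be re-verified later rather than trusting that the writes took effect. DEFAULTS_CMD is a hypothetical override (default "defaults") that lets the logic run against a stub on a non-Mac system.

```shell
#!/bin/sh
# Added example (not from Apple's guide): verify the loginwindow hardening keys.
# Assumption: DEFAULTS_CMD (hypothetical override, default "defaults") names the
# command used to read preferences; a stub can stand in for it off-box.
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"

# norm_bool VALUE -> 1 or 0 for the boolean spellings "defaults" accepts; other values unchanged
norm_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|yes|true)  echo 1 ;;
        0|no|false)  echo 0 ;;
        *)           echo "$1" ;;
    esac
}

# read_pref DOMAIN KEY -> the stored value, or "unset" when the key does not exist
read_pref() {
    value=$("$DEFAULTS_CMD" read "$1" "$2" 2>/dev/null) || value=unset
    printf '%s\n' "$value"
}

# check_pref DOMAIN KEY EXPECTED -> prints a finding; returns 0 when the value matches
check_pref() {
    actual=$(norm_bool "$(read_pref "$1" "$2")")
    if [ "$actual" = "$(norm_bool "$3")" ]; then
        echo "ok:   $2=$actual"
        return 0
    fi
    echo "FAIL: $2=$actual (expected $3) in $1"
    return 1
}

# audit_login_prefs -> runs every check; returns 0 only when all of them pass
audit_login_prefs() {
    lw=/Library/Preferences/com.apple.loginwindow
    gp=/Library/Preferences/.GlobalPreferences
    failures=0
    # No password hint: the hint appears after this many failed attempts, so it must be 0.
    check_pref "$lw" RetriesUntilHint 0 || failures=$((failures + 1))
    # Restart, Sleep, and Shut Down buttons hidden from the login window.
    check_pref "$lw" PowerOffDisable 1 || failures=$((failures + 1))
    # Fast user switching off.
    check_pref "$gp" MultipleSessionEnabled 0 || failures=$((failures + 1))
    # Automatic login disabled.
    check_pref "$gp" com.apple.userspref.DisableAutoLogin 1 || failures=$((failures + 1))
    echo "$failures check(s) failed"
    [ "$failures" -eq 0 ]
}
```

On the server itself, run audit_login_prefs with sudo so the system-wide domains are readable; a key reported as unset has never been written and is at its default.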
Securing Appearance Preferences
One method to secure appearance preferences is to change the number of recent items displayed in the Apple menu to None.
Recent items are applications, documents, and servers that you’ve recently used. You can access recent items by choosing Apple > Recent Items.
If intruders gain access to your computer, they can use recent items to quickly view your most recently accessed files. Additionally, intruders can use recent items to access authentication mechanisms for servers if the corresponding keychains are unlocked.
Removing recent items provides a minimal increase in security, but it can deter very unsophisticated intruders.
To securely configure Appearance preferences:
1 Open Appearance preferences.
A screen similar to the following appears:
2 Set all “Number of Recent Items” preferences to None.
From the command line:
# Securing Appearance Preferences
# ----------------------------
# Default Setting.
# MaxAmount 10
# Suggested Setting.
# Disable display of recent applications.
sudo defaults write com.apple.recentitems Applications -dict MaxAmount 0
# Available Settings.
# MaxAmount 0,5,10,15,20,30,50
Securing Bluetooth Preferences
Bluetooth allows wireless devices, such as keyboards, mice, and mobile phones, to communicate with the computer. If the computer has Bluetooth capability, Bluetooth preferences become available. If you don’t see Bluetooth preferences, you cannot use Bluetooth.
Chapter6SecuringSystemPreferences
103
Note:Somehighsecurityareasdonotallowradiofrequency(RF)communicationsuch
asBluetooth.Consultyourorganizationalrequirementsforpossiblefurther
disablementofthecomponent.
WhenyoudisableBluetoothinSystemPreferences,youmustdisableBluetoothfor
everyuseraccountonthecomputer.
ThisdoesnotpreventusersfromreenablingBluetooth.Youcanrestrictauseraccount’s
privilegessotheusercannotreenableBluetooth,buttodothis,youremoveseveral
importantuserabilities,liketheuser’sabilitytochangehisorherpassword.Formore
information,see“TypesofUserAccounts”onpage71.
Note:ToremoveBluetoothsupportforperipherals,see“RemovingBluetoothSupport
Software”onpage55.
TosecurelyconfigureBluetoothpreferences:
1 OpenBluetoothpreferences.
Ascreensimilartothefollowingappears:
2 Deselect“On.”
104
Chapter6SecuringSystemPreferences
Fromthecommandline:
#
#
#
#
Securing Bluetooth Preferences
----------------------------Default Setting.
Turn Bluetooth on.
# Suggested Setting.
# Turn Bluetooth off.
sudo defaults write /Library/Preferences/com.apple.Bluetooth\
ControllerPowerState -int 0
# Available Settings.
# 0 (OFF) or 1 (On)
Securing CDs & DVDs Preferences
To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc.
When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer.
This does not prevent users from reenabling automatic actions. To prevent the user from reenabling automatic actions, you must restrict the user's account so the user cannot open System Preferences. For more information on restricting accounts, see "Securing Nonadministrator Accounts" on page 74.
To securely configure CDs & DVDs preferences:
1 Open CDs & DVDs preferences.
A screen similar to the following appears:
2 Disable automatic actions when inserting media by choosing Ignore for each pop-up menu.
From the command line:
# Securing CDs & DVDs Preferences
# ----------------------------
# Default Setting.
# Preference file non existent: /Library/Preferences/com.apple.digihub
# Blank CD: "Ask what to do"
# Blank DVD: "Ask what to do"
# Music CD: "Open iTunes"
# Picture CD: "Open iPhoto"
# Video DVD: "Open DVD Player"
# Suggested Setting.
# Disable blank CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1
# Disable music CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1
# Disable picture CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1
# Disable blank DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1
# Disable video DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1
# Available Settings.
# action 1 = "Ignore"
# action 2 = "Ask what to do"
# action 5 = "Open other application"
# action 6 = "Run script"
# action 100 = "Open Finder"
# action 101 = "Open iTunes"
# action 102 = "Open Disk Utility"
# action 105 = "Open DVD Player"
# action 106 = "Open iDVD"
# action 107 = "Open iPhoto"
# action 109 = "Open Front Row"
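To verify that every media type really ended up at action 1 (Ignore), the following audit script, an added example that is not part of the Apple guide, parses the output of "defaults read /Library/Preferences/com.apple.digihub" and lists any entry still set to another action. The "defaults read" output embedded in the script is constructed for the demonstration; on a real system, pipe the live output into digihub_audit instead.

```shell
#!/bin/sh
# Added example (not from the Apple guide): audit the com.apple.digihub
# automatic-action settings as printed by
#   defaults read /Library/Preferences/com.apple.digihub
# and report every media type whose action is not 1 ("Ignore").

# Map an action code to the label the guide lists for it.
digihub_action_label() {
    case "$1" in
        1)   echo "Ignore" ;;
        2)   echo "Ask what to do" ;;
        5)   echo "Open other application" ;;
        6)   echo "Run script" ;;
        100) echo "Open Finder" ;;
        101) echo "Open iTunes" ;;
        102) echo "Open Disk Utility" ;;
        105) echo "Open DVD Player" ;;
        106) echo "Open iDVD" ;;
        107) echo "Open iPhoto" ;;
        109) echo "Open Front Row" ;;
        *)   echo "Unknown ($1)" ;;
    esac
}

# Read "defaults read" output on stdin; print "<key> <action>" per media type.
digihub_parse() {
    awk '
        /"com\.apple\.digihub\.[a-z.]*\.appeared"/ { key = $1; gsub(/"/, "", key) }
        /action = [0-9]+;/ && key != ""          { sub(/;.*/, "", $3); print key, $3; key = "" }
    '
}

# Read "defaults read" output on stdin; print one line per non-compliant
# entry and return 1 if there is any, 0 if every action is Ignore.
digihub_audit() {
    digihub_parse | {
        noncompliant=0
        while read -r key action; do
            if [ "$action" != "1" ]; then
                printf '%s: %s (action %s)\n' "$key" "$(digihub_action_label "$action")" "$action"
                noncompliant=$((noncompliant + 1))
            fi
        done
        [ "$noncompliant" -eq 0 ]
    }
}

# Constructed sample of "defaults read" output (not captured from a real
# system): music CDs still open iTunes, the other two entries are Ignore.
SAMPLE_DIGIHUB='{
    "com.apple.digihub.blank.cd.appeared" =     {
        action = 1;
    };
    "com.apple.digihub.cd.music.appeared" =     {
        action = 101;
    };
    "com.apple.digihub.dvd.video.appeared" =     {
        action = 1;
    };
}'

# Constructed sample in which every entry is Ignore.
COMPLIANT_DIGIHUB='{
    "com.apple.digihub.blank.dvd.appeared" =     {
        action = 1;
    };
}'

# On a real system: sudo defaults read /Library/Preferences/com.apple.digihub | digihub_audit
if printf '%s\n' "$SAMPLE_DIGIHUB" | digihub_audit; then
    echo "all automatic actions are set to Ignore"
else
    echo "some automatic actions are still enabled"
fi
```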
Securing Date & Time Preferences
Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues.
You can use Date & Time preferences (shown below) to set the date and time based on a Network Time Protocol (NTP) server.
If you require automatic date and time, use a trusted, internal NTP server.
To securely configure Date & Time preferences:
1 Open Date & Time preferences.
2 In the Date & Time pane, select the "Set date & time automatically" checkbox and enter a secure and trusted NTP server in the "Set date & time automatically" field.
3 Click the Time Zone button.
A screen similar to the following appears:
4 Choose a time zone.
From the command line:
# Securing Date & Time Preferences
# ----------------------------
# Default Setting.
# NTP Server: time.apple.com
# Time Zone: Set time zone automatically using current location
# Suggested Setting.
# Set the NTP server (replace time.apple.com with your trusted, internal NTP server).
echo "server time.apple.com" | sudo tee -a /etc/ntp.conf
# Set the time zone.
sudo systemsetup -settimezone $Time_Zone
# Available Settings.
# NTP Server: Any valid NTP server
# Time Zone: /usr/share/zoneinfo
Securing Desktop & Screen Saver Preferences
You can use Desktop & Screen Saver preferences (shown below) to configure a password-protected screen saver to prevent unauthorized users from accessing unattended computers.
You can use several authentication methods to unlock the screen saver, including digital tokens, smart cards, and biometric readers.
You should also set a short inactivity interval to decrease the amount of time the unattended computer is unlocked. For information about requiring authentication for screen savers, see "Securing Security Preferences" on page 122.
You can configure Desktop & Screen Saver preferences to allow you to quickly enable or disable screen savers if you move your mouse cursor to a corner of the screen, as shown below. (You can also do this by configuring Exposé & Spaces preferences.)
By default, any admin can unlock any user's display.
When you configure Desktop & Screen Saver preferences, you configure the preferences for every user account on the computer.
This doesn't prevent users from reconfiguring their preferences. You can restrict a user's account privileges so the user cannot reconfigure preferences. Doing this removes several important user abilities, like the user's ability to change his or her password. For more information, see "Types of User Accounts" on page 71.
To securely configure Desktop & Screen Saver preferences:
1 Open Desktop & Screen Saver preferences.
2 Click the Screen Saver pane.
3 Set "Start screen saver" to a short inactivity time.
4 Click Hot Corners.
5 Set a corner to Start Screen Saver for quick enabling of the screen saver, but don't set a screen corner to Disable Screen Saver.
From the command line:
# Securing Desktop & Screen Saver Preferences
# ----------------------------
# Default Setting.
# None
# Suggested Setting.
# Set idle time for screen saver. Replace XX with the idle time in seconds.
sudo defaults -currentHost write com.apple.screensaver idleTime -int XX
# Set a hot corner to activate the screen saver (5 = Start Screen Saver).
# Replace $corner_code with one of the corner codes listed below.
sudo defaults write /Library/Preferences/com.apple.dock wvous-$corner_code-corner -int 5
# Set the modifier key for that corner to 0 (no modifier key required).
sudo defaults write /Library/Preferences/com.apple.dock wvous-$corner_code-modifier -int 0
# Available Settings.
# Corner options (the key name for each corner code):
# wvous-bl-corner (bottom-left)
# wvous-br-corner (bottom-right)
# wvous-tl-corner (top-left)
# wvous-tr-corner (top-right)
Securing Display Preferences
If you have multiple displays attached to your computer, be aware that enabling display mirroring might expose private data to others. Having this additional display provides extra opportunity for others to see private data.
Securing Dock Preferences
You can configure the Dock to be hidden when not in use. This can prevent others from seeing the applications on your computer.
To securely configure Dock preferences:
1 Open Dock preferences.
The following screen appears:
2 Select "Automatically hide and show the Dock."
From the command line:
# Securing Dock Preferences
# ----------------------------
# Default Setting.
# None
# Suggested Setting.
# Automatically hide and show Dock.
sudo defaults write /Library/Preferences/com.apple.dock autohide -bool YES
# Available Settings.
# autohide -bool YES
# autohide -bool NO
Securing Energy Saver Preferences
You can use Energy Saver Sleep preferences (shown below) to configure a period of inactivity before a computer, display, or hard disk enters sleep mode.
If the computer receives directory services from a network that manages its client computers, when the computer is in sleep mode, it is unmanaged and cannot be detected as being connected to the network. To allow management and network visibility, configure the display and the hard disk to sleep, but not the computer.
You can require authentication by use of a password, digital token, smart card, or biometric reader to reactivate the computer (see "Securing Security Preferences" on page 122). This is similar to using a password-protected screen saver.
You can also use the Options pane (shown below) to make settings depending on your power supply (power adapter, UPS, or battery). Configure the computer so it only wakes when you physically access the computer. Also, don't set the computer to restart after a power failure.
To securely configure Energy Saver preferences:
1 Open Energy Saver preferences.
A screen similar to the following appears:
2 From the Sleep pane, set "Put the computer to sleep when it is inactive for" to Never.
3 Select "Put the hard disk(s) to sleep when possible" and then click the "Options" pane.
4 Deselect "Wake for Ethernet network access" and "Start up automatically after a power failure."
From the command line:
# Securing Energy Saver Preferences
# ----------------------------
# Default Setting.
# None
# Suggested Setting.
# Disable computer sleep.
sudo pmset -a sleep 0
# Enable hard disk sleep.
sudo pmset -a disksleep 1
# Disable Wake for Ethernet network administrator access.
sudo pmset -a womp 0
# Disable Restart automatically after power failure.
sudo pmset -a autorestart 0
# Available Settings.
# 0 (OFF) or 1 (ON)
Securing Exposé & Spaces Preferences
Your computer should require authentication when waking from sleep or screen saver. You can configure Exposé & Spaces preferences (shown below) to allow you to quickly start the screen saver if you move your mouse cursor to a corner of the screen, but don't configure a corner to disable the screen saver.
For information about requiring authentication for the screen saver, see "Securing Security Preferences" on page 122.
Dashboard widgets included with Snow Leopard Server can be trusted. However, be careful when you install third-party Dashboard widgets. You can install Dashboard widgets without authenticating. To prevent Dashboard from running, remove the Dashboard application from the /Applications folder.
When you configure Exposé & Spaces preferences, you must configure these preferences for every user account on the computer.
This doesn't prevent users from reconfiguring their preferences. You can restrict a user account's privileges so the user cannot reconfigure preferences. To do this, you remove several important user abilities, like the user's ability to change his or her password. For more information, see "Types of User Accounts" on page 71.
If your organization does not want to use Dashboard because of its potential security risk, you can disable it. If the user has access to the Terminal application, Dashboard can be re-enabled at any time.
Dashboard uses the com.apple.dashboard.fetch service to fetch updates to widgets from the Internet. If Dashboard is disabled, this service should be disabled as well. This service must be disabled from the command line, using the command shown in the instructions below.
From the command line:
# Securing Exposé & Spaces Preferences
# ----------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable the Dashboard widget update (advisory fetch) service.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.dashboard.advisory.fetch.plist
# Available Settings.
# Enabled or Disabled
Securing Language & Text Preferences
No security-related configuration is necessary. However, if your computer uses more than one language, review the security risk of the language character set. Consider deselecting unused packages during Mac OS X installation.
Securing Keyboard Preferences
If you are not using a Bluetooth keyboard, turn Bluetooth off. If you are using a Bluetooth keyboard, disable allowing Bluetooth devices to awake the computer in the advanced section of Bluetooth preferences. For more information about Bluetooth, see "Securing Bluetooth Settings" on page 117.
Securing Mouse Preferences
If you are not using a Bluetooth mouse, turn Bluetooth off. If you are using a Bluetooth mouse, disable allowing Bluetooth devices to awake the computer in the advanced section of Bluetooth preferences. For more information about Bluetooth, see "Securing Bluetooth Preferences" on page 103.
Securing Bluetooth Settings
If you have a Bluetooth module installed in your computer or if you are using an external USB Bluetooth module, you can set up your computer to use Bluetooth to send and receive files with other Bluetooth-enabled computers or devices.
You can control how your computer handles files that are exchanged between Bluetooth devices. You can choose to accept or refuse files sent to your computer and choose which folder other devices can browse.
By default, Bluetooth Sharing is turned off and should remain off when it is not used. This prevents unauthorized users from accessing your computer.
Restricting Access to Specified Users
If you are in an environment where you would like to share files with another computer or device, use the Bluetooth Sharing options and Bluetooth preferences to securely enable Bluetooth and avoid unauthorized access to your computer.
Bluetooth options should always require pairing and be set to "Ask What to Do" when receiving or sharing items.
When configuring Bluetooth preferences, to secure Bluetooth sharing, use the Discoverable option only while you are setting up the Bluetooth computer or device. After the device is configured, disable the Discoverable option to prevent unauthorized users from discovering your Bluetooth connection.
In the advanced section of Bluetooth preferences, make sure that "Allow Bluetooth devices to wake this computer" and "Share my internet connection with other Bluetooth devices" are not selected.
From the command line:
# Bluetooth Sharing
# ----------------------------
# Default Setting.
# Bluetooth Sharing: Disabled
# Suggested Setting.
# Disable Bluetooth Sharing.
sudo defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0
# Available Settings.
# Bluetooth Sharing.
# Disabled
# Enabled
Securing Network Preferences
To secure Network preferences, disable unused hardware devices listed in Network preferences and IPv6. You should also use a static IP address when possible. A DHCP IP address should be used only if necessary.
Disabling Unused Hardware Devices
Consider disabling unused hardware devices listed in Network preferences (shown below). Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.
When configuring your computer for network access, use a static IP address when possible. A DHCP IP address should be used only if necessary.
Some organizations use IPv6, a new version of the Internet protocol (IP). The primary advantage of IPv6 is that it increases the address size from 32 bits (the current IPv4 standard) to 128 bits.
An address size of 128 bits is large enough to support a large number of addresses. This allows more addresses or nodes than are otherwise available. IPv6 also provides more ways to set up the address and simplifies autoconfiguration.
By default IPv6 is configured automatically, and the default settings are sufficient for most computers that use IPv6. You can also configure IPv6 manually. If your organization's network cannot use or does not require IPv6, turn it off.
To securely configure Network preferences:
1 Open Network preferences.
2 From the list of hardware devices, select the hardware device you don't use (for example, AirPort, Ethernet, or FireWire).
3 Click the Action button below the list of hardware devices and select "Make Service Inactive."
4 Repeat steps 2 and 3 to deactivate the devices that you don't use.
5 From the list of hardware devices, select the hardware device you use to connect to your network (for example, AirPort or Ethernet).
6 From the Configure IPv4 pop-up menu, choose Manually.
Enter your static IP address, Subnet Mask, Router, DNS Server, and Search Domain configuration settings.
7 Click Advanced.
A screen similar to the following appears:
8 In the Configure IPv6 pop-up menu, choose Off.
If you frequently switch between AirPort and Ethernet, you can disable IPv6 for AirPort and Ethernet or any hardware device that you use to connect to your network.
9 Click OK.
From the command line:
# Securing Network Preferences
# ----------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable IPv6.
sudo networksetup -setv6off $interface
# Available Settings.
# The interface value can be AirPort, Bluetooth, Ethernet, or FireWire
Securing Print & Fax Preferences
The Print & Fax preferences screen looks like this:
Use printers only in a secure location. If you print confidential material in an insecure location, the material might be viewed by unauthorized users.
Be careful when printing to a shared printer. Doing so allows other computers to capture the print job directly. Another computer can be maliciously monitoring and capturing confidential data being sent to the real printer. In addition, unauthorized users can add items to your print queue without authenticating.
Your printer can be accessed using the CUPS web interface (http://localhost:631). By default:
• The CUPS web interface cannot be accessed remotely. It can only be accessed by the localhost.
• The titles of all print jobs are available to all users of the system.
• The titles of all print jobs are available to everyone with access to the CUPS web interface.
CUPS also offers the ability to browse the network for available printers. Manually specifying available printers is more secure. You can create policies in CUPS that restrict users from such actions as canceling jobs or deleting printers using the CUPS web interface. For more information about creating CUPS policies, see:
http://localhost:631/help/policies.html
To avoid an additional avenue of attack, don't receive faxes on your computer.
To securely configure Print & Fax preferences:
1 Open Print & Fax preferences and select a fax from the equipment list.
2 Click Receive Options.
A screen similar to the following appears:
3 Deselect "Receive faxes on this computer."
4 Click OK.
5 Select a printer from the equipment list.
6 Deselect "Share this printer on the network."
From the command line:
# Securing Print & Fax Preferences
# ----------------------------
# Default Setting.
# Disabled
# Suggested Setting.
# Disable the receiving of faxes.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.efax.plist
# Disable printer sharing: make cupsd listen on localhost only.
TEMP_FILE=$(mktemp)
sudo cp /etc/cups/cupsd.conf "$TEMP_FILE"
if /usr/bin/grep -q "^Port 631" /etc/cups/cupsd.conf
then
    # Write the edited copy back as root (a plain > redirect would run as
    # the unprivileged user and fail on /etc/cups/cupsd.conf).
    /usr/bin/sed "s/^Port 631.*/Listen localhost:631/" "$TEMP_FILE" | sudo tee /etc/cups/cupsd.conf > /dev/null
else
    echo "Printer Sharing not on"
fi
# Available Settings.
# Enabled or Disabled
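As an added example (not the guide's own script), the following sh functions report whether a cupsd.conf accepts connections from other hosts and rewrite it so cupsd listens on the loopback interface only. They cover Listen directives bound to non-loopback addresses as well as the Port directive the guide checks for, and they keep the local domain-socket listener. The sample cupsd.conf is constructed; the real file is /etc/cups/cupsd.conf, and cupsd must be restarted after it changes.

```shell
#!/bin/sh
# Added example (not the guide's script): inspect a cupsd.conf for listeners
# that expose the CUPS web interface and printer sharing beyond the local
# host, and rewrite it so cupsd listens on the loopback interface only.
# Assumptions: POSIX sh, awk and sed. The real file is /etc/cups/cupsd.conf,
# so run the whole script with sudo rather than redirecting into /etc from
# an unprivileged shell, and restart cupsd afterwards.

# Return 0 if the file has a "Port" directive or a "Listen" directive bound
# to anything other than localhost, 127.0.0.1, [::1] or a domain socket.
cups_shared_listener() {
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "port"   { found = 1 }
        tolower($1) == "listen" && $2 !~ /^(localhost|127\.0\.0\.1|\[::1\]|\/)/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Rewrite the file in place: every Port directive and every non-loopback
# Listen collapses into a single "Listen localhost:631"; socket listeners,
# existing loopback listeners and all other directives are kept unchanged.
cups_restrict_to_localhost() {
    tmp=$(mktemp) || return 1
    awk '
        function loopback() { if (!seen) { print "Listen localhost:631"; seen = 1 } }
        tolower($1) == "listen" && $2 ~ /^(localhost|127\.0\.0\.1|\[::1\]):631$/ { seen = 1 }
        tolower($1) == "port" { loopback(); next }
        tolower($1) == "listen" && $2 !~ /^(localhost|127\.0\.0\.1|\[::1\]|\/)/ { loopback(); next }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the target file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample configuration (not from a real server): "Port 631"
# makes cupsd accept connections on every interface.
SAMPLE_CUPSD_CONF='LogLevel warn
Port 631
Listen /private/var/run/cupsd
Browsing Off
<Location />
  Order allow,deny
</Location>'

# Demonstration on a temporary copy of the sample.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_CUPSD_CONF" > "$demo"
if cups_shared_listener "$demo"; then
    echo "before: cupsd reachable from other hosts"
fi
cups_restrict_to_localhost "$demo"
if cups_shared_listener "$demo"; then
    echo "after: still shared"
else
    echo "after: loopback only"
fi
rm -f "$demo"
```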
Securing Security Preferences
The settings in Security preferences cover a range of Snow Leopard Server security features, including login options, FileVault, and firewall protection.
General Security
Consider the following general security guidelines:
• Wake computer: Require a password to wake this computer from sleep or screen saver. This helps prevent unauthorized access on unattended computers. Although there is a lock button for Security preferences, users don't need to be authorized as an administrator to make changes. Enable this password requirement for every user account on the computer.
• Automatic login: Disabling automatic login is necessary for any level of security. If you enable automatic login, an intruder can log in without authenticating. Even if you automatically log in with a restricted user account, it is still easier to perform malicious actions on the computer.
• Location Services: Disabling location services prevents information about the location of your computer from being provided to applications.
• Infrared receiver: If you are not using a remote control, disable the infrared receiver. This prevents unauthorized users from controlling your computer through the infrared receiver. If you use an Apple IR Remote Control, pair it to your computer by clicking Pair. When you pair it, no other IR remote can control your computer.
FileVault Security
Mac OS X includes FileVault, which encrypts information in your home folder. FileVault uses the government-approved 128-bit (AES-128) encryption standard keys, and supports the Advanced Encryption Standard with 256-bit (AES-256) keys. For more information about data encryption, see Chapter 8, "Securing Data and Using Encryption."
For more information about FileVault, see "Encrypting Home Folders" on page 151.
To securely configure Security preferences:
1 Open Security preferences.
2 In the General pane, select the following:
• "Require password immediately after sleep or screen saver begins"
3 Select the "Disable Location Services" checkbox, if available.
4 Select the "Disable remote control infrared receiver" checkbox.
5 In the FileVault pane, click "Turn on FileVault."
6 Enter a password in the Master Password and verify fields.
7 Authenticate with your account password.
8 Select "Use secure erase" and click "Turn on FileVault."
9 Restart the computer.
From the command line:
# Securing Security Preferences
# ----------------------------
# Default Setting.
# Required Password Wake: Disabled
# Automatic Login: Disabled
# Password Unlock Preferences: Enabled
# Secure Virtual Memory is Enabled on portable computers and is Disabled
# on desktop computers.
# IR remote control: Enabled
# FileVault: Disabled
# Suggested Setting.
# Enable Require password to wake this computer from sleep or screen saver.
sudo defaults -currentHost write com.apple.screensaver askForPassword -int 1
# Disable IR remote control.
sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no
# Enable FileVault.
# To enable FileVault for new users, use this command.
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
# Enable Firewall.
# Replace $value with
# 0 = off
# 1 = on for specific services
# 2 = on for essential services
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int $value
Securing Sharing Preferences
By default, every service listed in Sharing preferences is disabled except for remote login (SSH). Do not enable these services unless you use them. The following services are described in detail in Snow Leopard Security Configuration.
Service: Description
DVD or CD Sharing: Allows users of other computers to remotely use the DVD or CD drive on your computer.
Screen Sharing: Allows users of other computers to remotely view and control the computer.
Scanner Sharing: Allows other computers to access a scanner connected to this computer.
Remote Login: Allows users to access the computer remotely by using SSH. If you require the ability to perform remote login, SSH is more secure than telnet, which is disabled by default.
Remote Management: Allows the computer to be accessed using Apple Remote Desktop.
Remote Apple Events: Allows the computer to receive Apple events from other computers.
Bluetooth Sharing: Allows other Bluetooth-enabled computers and devices to share files with your computer.
By default your computer's host name is typically firstname-lastname-computer, where firstname and lastname are the system administrator's first name and last name, respectively, and computer is the type of computer or "Computer."
When users use Bonjour to discover available services, your computer appears as hostname.local. To increase privacy, change your computer's host name so you are not identified as the owner of your computer.
For more information about these services and the firewall and sharing capabilities of Snow Leopard, see Snow Leopard Security Configuration.
To securely configure Sharing preferences:
1 Open Sharing preferences.
2 Change the default computer name to a name that does not identify you as the owner.
From the command line:
# Securing Sharing Preferences
# ----------------------------
# Default Setting.
# $host_name = User's Computer
# Suggested Setting.
# Change computer name where $host_name is the name of the computer.
sudo systemsetup -setcomputername $host_name
# Change computer Bonjour host name.
sudo scutil --set LocalHostName $host_name
# Available Setting.
# The host name cannot contain spaces or other non-DNS characters.
Securing Software Update Preferences
Your Software Update preferences configuration depends on your organization's policy. For example, if your computer is connected to a managed network, the management settings determine what software update server to use.
Instead of using Software Update (shown here), you can also update your computer by using installer packages.
You can install and verify updates on a test computer before installing them on your operational computer. For more information about how to manually update your computer, see "Updating Manually from Installer Packages" on page 48.
After transferring installer packages to your computer, verify the authenticity of the installer packages. For more information, see "Verifying the Integrity of Software" on page 50.
When you install a software update using Software Update or an installer package, you must authenticate with an administrator's name and password. This reduces the chance of accidental or malicious installation of software updates.
Software Update will not install a software package that has not been digitally signed by Apple.
To disable automated Software Updates:
1 Open Software Update preferences.
2 Click the Scheduled Check pane.
3 Deselect "Download important updates automatically" and "Check for updates."
From the command line:
# Securing Software Update Preferences
# ----------------------------
# Default Setting.
# Check for Updates: Enabled
# Check Updates: Weekly
# Suggested Setting.
# Disable check for updates and Download important updates automatically.
sudo softwareupdate --schedule off
# Available Setting.
# Check for Updates: Enabled or Disabled
# Check Updates: Daily, Weekly, Monthly
Securing Sound Preferences
Many Apple computers include an internal microphone. You can use Sound preferences (shown below) to disable the internal microphone and the line in port.
To securely configure Sound preferences:
1 Open Sound preferences.
A screen similar to the following appears:
2 Select Internal microphone (if present), and set "Input volume" to zero.
3 Select Line In (if present), and set "Input volume" to zero.
This ensures that "Line In" is the device selected rather than the internal microphone when Sound preferences is closed. This provides protection from inadvertent use of the internal microphone.
From the command line:
# Securing Sound Preferences
# ----------------------------
# Default Setting.
# Internal microphone or line in: Enabled
# Suggested Setting.
# Disable internal microphone or line in.
# This command does not change the input volume for every input device. It
# only sets the default input device volume to zero.
sudo osascript -e "set volume input volume 0"
# Available Setting.
# Internal microphone or line in: Enabled or Disabled
Securing Speech Preferences
Snow Leopard Server includes speech recognition and text-to-speech features, which are disabled by default.
Enable these features only if you work in a secure environment where no one can hear you speak to the computer, or hear the computer speak to you. Also make sure no audio recording devices can record your communication with the computer.
The following shows the Speech preferences pane:
The following shows the Text to Speech pane:
If you enable text-to-speech, use headphones to keep others from overhearing your computer.
To securely configure Speech preferences:
1 Open Speech preferences.
2 Click the Speech Recognition pane and set Speakable Items On or Off.
Change the setting according to your environment.
3 Click the Text to Speech pane and change the settings according to your environment.
From the command line:
# Securing Speech Preferences
# ----------------------------
# Default Setting.
# Speech Recognition: Disabled
# Text to Speech: Enabled
# Suggested Setting.
# Disable Speech Recognition.
sudo defaults write "com.apple.speech.recognition.AppleSpeechRecognition.prefs" StartSpeakableItems -bool false
# Disable Text to Speech settings.
sudo defaults write "com.apple.speech.synthesis.general.prefs" TalkingAlertsSpeakTextFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenNotificationAppActivationFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenUIUseSpeakingHotKeyFlag -bool false
sudo defaults delete "com.apple.speech.synthesis.general.prefs" TimeAnnouncementPrefs
# Available Setting.
# Each item can be set to ON or OFF.
# OFF: -bool false
# ON: -bool true
Securing Spotlight Preferences
You can use Spotlight to search your computer for files. Spotlight searches the name and meta-information associated with each file and the contents of each file.
Spotlight finds files regardless of their placement in the file system. You must still properly set access permissions on folders containing confidential files. For more information about access permissions, see Chapter 8, "Securing Data and Using Encryption."
The Spotlight Preferences Search Results pane appears:
By placing specific folders or disks in the Privacy pane, you can prevent Spotlight from searching them.
Disable the searching of folders that contain confidential information. Consider disabling top-level folders. For example, if you store confidential documents in subfolders of ~/Documents/, instead of disabling each folder, disable ~/Documents/.
By default, the entire system is available for searching using Spotlight.
To securely configure Spotlight preferences:
1 Open Spotlight preferences.
2 In the Search Results pane, deselect categories you don't want searchable by Spotlight.
3 Click the Privacy pane.
4 Click the Add button, or drag a folder or disk into the Privacy pane.
Folders and disks in the Privacy pane are not searchable by Spotlight.
Note: To prevent users from reenabling Spotlight, remove the rights to access the .Spotlight-V100 folder at the root level of your drive (/.Spotlight-V100/).
From the command line:
# Securing Spotlight Preferences
# ----------------------------
# Default Setting.
# ON for all volumes
# Suggested Setting.
# Disable Spotlight for a volume and erase its current meta data, where
# $volumename is the name of the volume.
sudo mdutil -E -i off $volumename
# Available Setting.
# Spotlight can be turned ON or OFF for each volume.
For more information, enter man mdutil in a Terminal window.
Securing Startup Disk Preferences
You can use Startup Disk preferences (shown below) to make your computer start up from a CD, a network volume, a different disk or disk partition, or another operating system.
Be careful when selecting a startup volume:
• Choosing a network install image reinstalls your operating system and might erase the contents of your hard disk.
• If you choose a FireWire volume, your computer starts up from the FireWire disk plugged into the current FireWire port for that volume. If you connect a different FireWire disk to that FireWire port, your computer starts from the first valid Snow Leopard Server volume available to the computer (if you have not enabled the firmware password).
• When you enable a firmware password, the FireWire volume you select is the only volume that can start the computer. The computer firmware locks the FireWire Bridge Chip GUID as a startup volume instead of the hard disk's GUID (as is done with internal hard disks). If the disk inside the FireWire drive enclosure is replaced by a new disk, the computer can start from the new disk without using the firmware password. To avoid this intrusion, make sure your hardware is physically secured. The firmware can also have a list of FireWire volumes that are approved for system startup. For information about physically protecting your computer, see "Protecting Hardware" on page 52.
In addition to choosing a new startup volume from Startup Disk preferences, you can restart in Target Disk Mode. When your computer is in Target Disk Mode, another computer can connect to your computer and access your computer's hard disk. The other computer has full access to all files on your computer. All file permissions for your computer are disabled in Target Disk Mode.
To enter Target Disk Mode, hold down the T key during startup. You can prevent the startup shortcut for Target Disk Mode by enabling a firmware password. If you enable a firmware password, you can still restart in Target Disk Mode using Startup Disk preferences.
For more information about enabling a firmware password, see "Using the Firmware Password Utility" on page 64.
To select a startup disk:
1 Open Startup Disk preferences.
2 Select a volume to use to start up your computer.
3 Click the "Restart" button to restart from the selected volume.
From the command line:
# Securing Startup Disk Preferences
# ----------------------------
# Default Setting.
# Startup Disk = "Macintosh HD"
# Suggested Setting.
# Set startup disk.
sudo systemsetup -setstartupdisk $path
# Available Setting.
# Startup Disk = Valid Boot Volume
Securing Time Machine Preferences
Time Machine (shown below) makes an up-to-date copy of everything on your Mac—digital photos, music, movies, downloaded TV shows, and documents—and lets you easily go back in time to recover files.
Time Machine is off by default. After you enable Time Machine for the first time, no authentication is required and subsequent changes require authentication.
Information stored on your backup disk is not encrypted and can be read by other computers that are connected to your backup disk. Keep your backup disk in a physically secure location to prevent unauthorized access to your data.
To enable Time Machine:
1 Open Time Machine preferences.
2 Slide the switch to "ON."
A screen similar to the following appears:
3 Select the disk where backups will be stored, and click "Use for backup."
From the command line:
# Securing Time Machine Preferences
# ----------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Enable Time Machine.
sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1
# Available Setting.
# 0 (OFF) or 1 (ON)
Securing Universal Access Preferences

Universal Access preferences are disabled by default. However, if you use an assistive device, follow these guidelines:
• To prevent possible security risks, see the device manual.
• Enabling VoiceOver configures the computer to read the contents under the cursor out loud, which might disclose confidential data.
• These devices allow access to the computer that could reveal or store user input information.

From the command line:
# ----------------------------
# Securing Universal Access Preferences
# ----------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Disable VoiceOver service.
launchctl unload -w /System/Library/LaunchAgents/com.apple.VoiceOver.plist
launchctl unload -w /System/Library/LaunchAgents/\
com.apple.ScreenReaderUIServer.plist
launchctl unload -w /System/Library/LaunchAgents/com.apple.scrod.plist
# Available Setting.
# None

7 Securing System Swap and Hibernation Storage

Use this chapter to protect data in swap files from being readable.
The data that an application writes to random-access memory (RAM) might contain sensitive information, such as usernames and passwords. Mac OS X writes the contents of RAM to your local hard disk to free memory for other applications. The RAM contents stored on the hard disk are kept in a file called a swap file.

While the data is on the hard disk, it can be easily viewed or accessed if the computer is later compromised. You can protect this data by securing the system swap file in case of an attack or theft of your computer.

System Swap File Overview

When your computer is turned off, information stored in RAM is lost, but information stored by virtual memory in a swap file can remain on your hard drive in unencrypted form. The Mac OS X virtual memory system creates this swap file in order to reduce problems caused by limited memory.

The virtual memory system can swap data between your hard disk and RAM. It’s possible that sensitive information in your computer’s RAM will be written to your hard disk in the swap file while you are working, and remain there until overwritten. This data can be compromised if your computer is accessed by an unauthorized user, because the data is stored on the hard disk unencrypted.

When your computer goes into hibernation, it writes the content of RAM to the /var/vm/sleepimage file. The sleepimage file contains the contents of RAM unencrypted, similar to a swap file.

You can prevent your sensitive RAM information from being left unencrypted on your hard disk by enabling secure virtual memory to encrypt the swap file and the /var/vm/sleepimage file (where your hibernation files are stored).

Note: Using FileVault in combination with the “Secure Virtual Memory” feature provides protection from attacks on your sensitive data when it is stored on the hard disk.

Encrypting System Swap

You can prevent sensitive information from remaining on your hard disk and eliminate the security risk by using secure virtual memory. Secure virtual memory encrypts the data being written to disk.

You must restart the server for the change to take effect.

To turn on secure virtual memory from the command line:
# ----------------------------
# Securing System Swap and Hibernation Storage
# ----------------------------
# Enable secure virtual memory.
sudo defaults write /Library/Preferences/com.apple.virtualMemory \
UseEncryptedSwap -bool YES
# Restart to take effect.
# sudo shutdown -r now
8 Securing Data and Using Encryption

Use this chapter to learn how to set POSIX, ACL, and global file permissions, to encrypt home folders and portable files, and to securely erase data.

Your data is the most valuable part of your computer. By using encryption you can protect data in the case of an attack or theft of your mobile computer.

By setting global permissions, encrypting home folders, and encrypting portable data you can be sure your data is secure. In addition, by using the secure erase feature of Snow Leopard, deleted data is completely erased from the computer.

About Transport Encryption

Any data that is transferred to or from the server can be kept secure by either encrypting the transmission, the payload, or both.

Transferring data securely across a network involves encrypting the packet contents sent between computers. Mac OS X Server can provide Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), as the cryptographic protocols that provide secure communications on the Internet for such things as web browsing, mail, and other data transfers.

These encryption protocols allow client and server applications to communicate in a way that helps prevent eavesdropping, tampering, and message forgery.

TLS provides endpoint authentication and communications privacy over the Internet using cryptography. These encrypted connections authenticate the server (so its identity is ensured) but the client remains unauthenticated.

To have mutual authentication (where each side of the connection is assured of the identity of the other), use a public key infrastructure (PKI) for the connecting clients.

Mac OS X Server makes use of OpenSSL and has integrated transport encryption into the following tools and services:
• Server administration using Server Admin and Server Preferences
• User and group management using Workgroup Manager
• Address Book Server
• iCal Server
• iChat Server
• Mail Service
• Open Directory
• Podcast Producer
• RADIUS
• SSH
• VPN (L2TP)
• Web service

Each service requires transport encryption to be enabled individually. For more information on securing data transmission for a service, see the service’s configuration details.

About Payload Encryption

Rather than encrypting the transfer of a file across the network, you can encrypt the contents of the file instead. Files with strong encryption might be captured in transit, but are still unreadable.

Most transport encryption requires the participation of both parties in the transaction. Some services (such as SMTP mail service) can’t reliably use such techniques, so encrypting the file itself is the only method of reliably securing the file content.

To learn more about encrypting your files, see “Encrypting Portable Files” on page 155.

About File and Folder Permissions

You protect files and folders by setting permissions that restrict or allow users to access them. Snow Leopard supports two methods of setting file and folder permissions:
• Portable Operating System Interface (POSIX) permissions—standard for UNIX operating systems.
• Access Control Lists (ACLs) permissions—used by Mac OS X and compatible with Microsoft Windows Server 2003 and Microsoft Windows XP.

ACL uses POSIX when verifying file and folder permissions. The process ACL uses to determine if an action is allowed or denied includes specific rules called access control entries (ACEs). If no ACEs apply, standard POSIX permissions determine access.
Setting POSIX Permissions

Snow Leopard bases file permissions on POSIX standard permissions such as file ownership and access. Each share point, file, and folder has read, write, and execute permission defined for three categories of users: owner, group, and everyone.

You can assign four types of standard POSIX access permissions to a share point, folder, or file: Read & Write, Read Only, Write Only, and None.

Viewing POSIX Permissions

You can assign standard POSIX access permissions to these categories of users:
• Owner—The user who creates an item (file or folder) on the server is its owner and has Read & Write permissions for that item. By default the owner of an item and the server administrator can change the item’s access privileges (allow a group or everyone to use the item). The administrator can also transfer ownership of the shared item to another user.
• Group—You can put users who need the same access to files and folders into group accounts. Assign access permissions to a shared item to one group only. For more information about creating groups, see the User Management guide.
• Everyone—This is any user who can log in to the file server (registered users and guests).

Before setting or changing POSIX permissions, view the current permission settings.

To view folder or file permissions:
1 Open Terminal.
2 Run the ls command:
ls -l
Output similar to the following appears:
computer:~/Documents ajohnson$ ls -l
total 500
drwxr-xr-x 2 ajohnson staff    68 Apr 28 2006 NewFolder
-rw-r--r-- 1 ajohnson staff 43008 Apr 14 2006 file.txt
Note: The “~” refers to your home folder, which in this case is /Users/ajohnson. ~/Documents/ is the current working folder.

You can also use the Finder to view POSIX permissions. In the Finder, Control-click a file and choose Get Info. Open the Ownership & Permissions disclosure triangle to view POSIX permissions.
Interpreting POSIX Permissions

To interpret POSIX permissions, read the first 10 characters of the long format output listed for a file or folder. For example:
drwxr-xr-x 2 ajohnson staff    68 Apr 28 2006 NewFolder
-rw-r--r-- 1 ajohnson staff 43008 Apr 14 2006 file.txt

In this example, NewFolder has the POSIX permissions drwxr-xr-x, with an owner of ajohnson and a group of staff. Permissions are as follows:
• The d of the POSIX permissions signifies that NewFolder is a folder.
• The first three letters after the d (rwx) signify that the owner has read, write, and execute permission for that folder.
• The next three characters, r-x, signify that the group has read and execute permission.
• The last three characters, r-x, signify that all others have read and execute permission.

In this example, users who can access ajohnson’s ~/Documents/ folder can open the NewFolder folder but can’t modify or open the file.txt file. Read POSIX permissions are propagated through the folder hierarchy.

Although NewFolder has drwxr-xr-x privileges, only ajohnson can access the folder. This is because ajohnson’s ~/Documents/ folder has drwx------ POSIX permissions.

By default, most user folders have drwx------ POSIX permissions. However, only the ~/, ~/Sites/, and ~/Public/ folders have drwxr-xr-x permissions. These permissions allow other people to view folder contents without authenticating. If you don’t want other people to view the contents, change the permissions to drwx------.

In the ~/Public/ folder, the Drop Box folder has drwx-wx-wx POSIX permissions. This allows other users to add files into ajohnson’s drop box but they can’t view the files.

You might see a t for others’ privileges on a folder used for collaboration. This t is sometimes known as the sticky bit. Enabling the sticky bit on a folder prevents people from overwriting, renaming, or otherwise modifying other people’s files. This can be common if several people are granted rwx access.

The sticky bit being set can appear as t or T, depending on whether the execute bit is set for others:
• If the execute bit appears as t, the sticky bit is set and has searchable and executable permissions.
• If the execute bit appears as T, the sticky bit is set but does not have searchable or executable permissions.

For more information, see the sticky man page.
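The following Python example is added here and is not part of the Apple guide. It parses the 10-character mode field that the section above explains, including the s/S (setuid and setgid) and t/T (sticky) cases, and reports the resulting octal mode, so that a listing can be checked for world-writable or setuid entries by script rather than by eye. The ls lines fed to it are constructed samples.

```python
"""Parse the mode field of `ls -l` output the way the text above describes it.

Added example (not from the Apple guide). Lowercase s/t mean the special bit
AND the execute bit are set; uppercase S/T mean the special bit is set but the
execute bit is not.
"""
import stat

FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink", "c": "char device",
              "b": "block device", "p": "fifo", "s": "socket"}

# (index in the string, plain letter, permission bit, special bit, special letter)
LAYOUT = [
    (1, "r", stat.S_IRUSR, None, None), (2, "w", stat.S_IWUSR, None, None),
    (3, "x", stat.S_IXUSR, stat.S_ISUID, "s"),
    (4, "r", stat.S_IRGRP, None, None), (5, "w", stat.S_IWGRP, None, None),
    (6, "x", stat.S_IXGRP, stat.S_ISGID, "s"),
    (7, "r", stat.S_IROTH, None, None), (8, "w", stat.S_IWOTH, None, None),
    (9, "x", stat.S_IXOTH, stat.S_ISVTX, "t"),
]


def parse_mode(mode_str):
    """Return a dict describing a mode string such as 'drwxr-xr-t'."""
    if len(mode_str) != 10:
        raise ValueError("expected 10 characters, got %r" % mode_str)
    ftype = FILE_TYPES.get(mode_str[0])
    if ftype is None:
        raise ValueError("unknown file type %r" % mode_str[0])
    bits = 0
    for idx, letter, perm, special, special_letter in LAYOUT:
        ch = mode_str[idx]
        if ch == letter:
            bits |= perm
        elif ch == "-":
            continue
        elif special is not None and ch == special_letter:
            bits |= perm | special          # e.g. 's': setuid plus execute
        elif special is not None and ch == special_letter.upper():
            bits |= special                 # e.g. 'T': sticky without execute
        else:
            raise ValueError("bad character %r at position %d" % (ch, idx))
    return {
        "type": ftype,
        "mode": bits,
        "octal": "%04o" % bits,             # as chmod would accept it, e.g. 4555
        "setuid": bool(bits & stat.S_ISUID),
        "setgid": bool(bits & stat.S_ISGID),
        "sticky": bool(bits & stat.S_ISVTX),
        "world_readable": bool(bits & stat.S_IROTH),
        "world_writable": bool(bits & stat.S_IWOTH),
    }


def parse_ls_line(line):
    """Split one `ls -l` line into (mode info, owner, group, name).

    A trailing '+' (ACL present) or '@' (extended attributes) on the mode
    field, as Mac OS X prints them, is ignored.
    """
    fields = line.split(None, 8)
    if len(fields) < 9:
        raise ValueError("not an ls -l line: %r" % line)
    mode, owner, group, name = fields[0], fields[2], fields[3], fields[8]
    return parse_mode(mode.rstrip("+@")), owner, group, name


if __name__ == "__main__":
    # Constructed sample listing, modelled on the one in the text above.
    for line in ("drwxr-xr-x 2 ajohnson staff    68 Apr 28 2006 NewFolder",
                 "-rw-r--r-- 1 ajohnson staff 43008 Apr 14 2006 file.txt",
                 "drwx-wx-wx 2 ajohnson staff    68 Apr 28 2006 Drop Box",
                 "-r-sr-xr-x 1 root     wheel 68448 Nov 28 2007 ping"):
        info, owner, group, name = parse_ls_line(line)
        print("%-10s %-8s %s:%s setuid=%s sticky=%s" % (
            name, info["octal"], owner, group, info["setuid"], info["sticky"]))
```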
Modifying POSIX Permissions

After you determine current POSIX permission settings, you can modify them using the chmod command.

To modify POSIX permissions:
1 In Terminal, enter the following to add write permission for the group to file.txt:
chmod g+w file.txt
2 View the permissions using the ls command.
ls -l
3 Validate that the permissions are correct.
computer:~/Documents ajohnson$ ls -l
total 12346
drwxr-xr-x 2 ajohnson staff    68 Apr 28 2006 NewFolder
-rw-rw-r-- 1 ajohnson staff 43008 Apr 14 2006 file.txt
For more information, see the chmod man page.

Setting File and Folder Flags

You can also protect files and folders by using flags. These flags, or permission extensions, override standard POSIX permissions. They can only be set or unset by the file’s owner or an administrator using sudo. Use flags to prevent the system administrator (root) from modifying or deleting files or folders.

To enable and disable flags, use the chflags command.

Viewing Flags

Before setting or changing file or folder flags, view the current flag settings.

To display flags set on a folder:
ls -lo secret
-rw-r--r-- 1 ajohnson staff uchg 0 Mar 1 07:54 secret
This example displays the flag settings for a folder named secret.

Modifying Flags

After you determine current file or folder flag settings, modify them using the chflags command.

To lock or unlock a folder using flags:
sudo chflags uchg folderName
In this example, the folder named secret is locked.

To unlock the folder, change uchg to nouchg:
sudo chflags nouchg secret

WARNING: There is an schg option for the chflags command. It sets the system immutable flag. This setting can only be undone when the computer is in single-user mode. If this is done on a RAID, Xsan, or other storage device that cannot be mounted in single-user mode, the only way to undo the setting is to reformat the RAID or Xsan device.

For more information, see the chflags man page.

Setting ACL Permissions

For greater flexibility in configuring and managing file permissions, Snow Leopard Server implements ACLs. An ACL is an ordered list of rules called ACEs that control file permissions. Each ACE contains the following components:
• User—owner, group, and other
• Action—read, write, or execute
• Permission—allow or deny the action

The rules specify the permissions to be granted or denied to a group or user and control how the permissions are propagated through a folder hierarchy.

ACLs in Snow Leopard Server let you set file and folder access permissions for multiple users and groups, in addition to standard POSIX permissions. This makes it easy to set up collaborative environments for file sharing and uninterrupted workflows without compromising security.

Snow Leopard Server has implemented file system ACLs that are fully compatible with Microsoft Windows Server 2003 and Windows XP.

To determine if an action is allowed or denied, ACEs are considered in order. The first ACE that applies to a user and action determines the permission and no further ACEs are evaluated. If no ACEs apply, standard POSIX permissions determine access.
Enabling ACL Permissions

By default, ACLs are enabled in Snow Leopard Server. If they are turned off, you must enable the volume to support ACLs.

The following example uses the fsaclctl command to enable ACLs on a Snow Leopard Server startup volume:
sudo /usr/sbin/fsaclctl -p / -e
For more information, enter fsaclctl in a Terminal window.

Modifying ACL Permissions

You can set ACL permissions for files. The chmod command enables an administrator to grant read, write, and execute privileges to specific users for a single file.

To set ACL permissions for a file:
1 Allow specific users to access specific files.
For example, to allow Anne Johnson permission to read the file secret.txt, enter the following in Terminal:
chmod +a "ajohnson allow read" secret.txt
2 Allow specific groups of users to access specific files.
For example, to allow the engineers group permission to delete the file secret.txt, enter the following in Terminal:
chmod +a "engineers allow delete" secret.txt
3 Deny access privileges to specific files.
For example, to prevent Tom Clark from modifying the file secret.txt, enter the following in Terminal:
chmod +a "tclark deny write" secret.txt
4 View and validate the ACL modifications with the ls command:
ls -le secret.txt
-rw------- 1 ajohnson admin 43008 Apr 14 2006 secret.txt
 0: ajohnson allow read
 1: tclark deny write
 2: engineers allow delete
For more information, enter man chmod in a Terminal window.
Changing Global Umask for Stricter Default Permissions

Every file or folder has POSIX permissions associated with it. When you create a file or folder, the umask setting determines these POSIX permissions.

The umask value is subtracted from the maximum permissions value (777) to determine the default permission value of a newly created file or folder. For example, a umask of 022 results in a default permission of 755.

The default umask setting 022 (in octal) removes group and other write permissions. Group members and other users can read and run these files or folders. Changing the umask setting to 027 enables group members to read files and folders and prevents others from accessing the files and folders. If you want to be the only user to access your files and folders, set the umask setting to 077.

To change the globally defined umask setting, change the umask setting in /etc/launchd.conf.

You must be logged in as a user who can use sudo to perform these operations and you must use the decimal equivalent, not an octal number.

Note: Users and applications can override default umask settings at any time for their own files.

WARNING: Many installations depend on the default umask setting. There can be unintended and possibly severe consequences to changing it. Instead, use inherited permissions, which are applied by setting permissions on a folder. All files contained in that folder will inherit the permissions of that folder.

To change the global umask file permission:
1 Sign in as a user who can use sudo.
2 Open Terminal.
3 Change the umask setting:
echo "umask 027" | sudo tee -a /etc/launchd.conf
The line is appended through tee because a shell redirection (sudo echo ... >> /etc/launchd.conf) is opened by your own unprivileged shell, not by sudo, and fails on the root-owned file.
This example sets the global umask setting to 027.
4 Log out.
Changes to umask settings take effect at the next login.

Users can use the Finder’s Get Info window or the chmod command-line tool to change permissions for files and folders.
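The following Python example is added here and is not part of the Apple guide. It works out the default mode for each umask the section discusses and then confirms the result against the operating system by creating a folder and a file in a scratch directory. The text describes the umask as subtracted from 777; the kernel actually clears every permission bit that is set in the umask, which gives the same numbers for 022, 027 and 077 but also covers new files, which start from 666 (no execute bits) rather than 777, so a umask of 022 yields 644 for a file and 755 for a folder.

```python
"""Default POSIX modes under a umask, computed and then observed.

Added example, not from the Apple guide. default_mode clears the umask bits
from the base mode the kernel starts with (777 for folders, 666 for files);
observe_umask creates real objects under a constructed scratch directory and
reports the modes the OS assigned.
"""
import os
import stat
import tempfile

DIR_BASE = 0o777    # mkdir(2) requests this by default
FILE_BASE = 0o666   # open(2) with O_CREAT requests this by default


def default_mode(umask, is_dir):
    """Mode a new folder (is_dir=True) or file receives under `umask`."""
    if not 0 <= umask <= 0o777:
        raise ValueError("umask must be between 000 and 777 octal")
    base = DIR_BASE if is_dir else FILE_BASE
    return base & ~umask


def describe(mode):
    """Render a mode as the nine rwx characters ls -l shows after the type."""
    out = []
    for shift in (6, 3, 0):                 # owner, group, others
        triplet = (mode >> shift) & 0o7
        out.append("r" if triplet & 4 else "-")
        out.append("w" if triplet & 2 else "-")
        out.append("x" if triplet & 1 else "-")
    return "".join(out)


def umask_table(masks=(0o022, 0o027, 0o077)):
    """Map each umask (as a 3-digit octal string) to (folder mode, file mode)."""
    return {"%03o" % m: ("%03o" % default_mode(m, True),
                         "%03o" % default_mode(m, False)) for m in masks}


def observe_umask(umask):
    """Create a folder and a file under `umask` and return the modes actually set."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            folder = os.path.join(scratch, "folder")
            os.mkdir(folder)                               # requests 0777
            path = os.path.join(scratch, "file.txt")
            with open(path, "w") as fh:                    # requests 0666
                fh.write("constructed sample\n")
            return (stat.S_IMODE(os.stat(folder).st_mode),
                    stat.S_IMODE(os.stat(path).st_mode))
    finally:
        os.umask(previous)                                 # restore the caller's umask


if __name__ == "__main__":
    for mask, (folder, file_mode) in umask_table().items():
        print("umask %s: folder %s (%s)  file %s (%s)" % (
            mask, folder, describe(int(folder, 8)), file_mode, describe(int(file_mode, 8))))
    seen = observe_umask(0o027)
    print("observed under umask 027: folder %03o, file %03o" % seen)
```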
Restricting Setuid Programs

When applied to a program, the POSIX setuid (set user ID) permission means that when the program runs, it will run at the privilege level of the file’s owner. The POSIX setgid (set group ID) permission is analogous. To see an example of a file with the setuid bit, run the ls command on the ping program as follows:
ls -l /sbin/ping
-r-sr-xr-x 1 root wheel 68448 Nov 28 2007 /sbin/ping

The setuid bit is represented with an “s” in the field of permissions, in the position that contains the file owner’s execute permission. The program runs with the privilege level of the file’s owner. The owner of the file is root, so when ping is executed—no matter who executes it—it runs as root. For setgid programs, an “s” appears in the group execute permission and the file runs with the privileges of the group owner.

The setuid bit is necessary for many programs on the system to perform the specific, privileged tasks for which they are designed. The ping program, for example, is setuid because it must be able to engage in network communication that is only possible with root privileges.

To find setuid programs on the system, use the following command:
sudo find / -perm -04000 -ls
To find setgid programs, use -02000 instead of -04000.

Mac OS X includes approximately 75 setuid programs. Many of these programs need the setuid bit for normal system operation. However, other programs may need the setuid bit only if certain functionality is needed, or only if administrators need to use the program.

Because attackers try to influence or co-opt the execution of setuid programs to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.

If a program is needed but has had its setuid bit stripped, an administrator can run the program using sudo, which runs the program as the root user. An administrator can also temporarily enable the setuid bit while the program is needed, and then disable it again afterward.
Stripping Setuid Bits

To strip the setuid or setgid bit from a program, use the following command:
sudo chmod -s programname

The following programs can have their setuid bit removed, unless needed for the purpose shown in the second column:

Application                       Related Service
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
                                  Apple Remote Desktop
/usr/bin/at                       Job Scheduler
/usr/bin/atq                      Job Scheduler
/usr/bin/atrm                     Job Scheduler
/usr/bin/crontab                  Job Scheduler
/usr/bin/postdrop                 Postfix Mail
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum
                                  Performing Privileged File Operations using Finder
/usr/bin/postqueue                Postfix Mail Queue
/usr/bin/procmail                 Mail Processor
/usr/bin/wall                     User Messaging
/usr/bin/write                    User Messaging
/usr/bin/chrfn                    Change Finger Information
/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper
                                  Printing
/usr/sbin/traceroute              Trace Network Path
/usr/sbin/traceroute6             Trace Network Path
/sbin/mount_fs                    Mounting NFS Filesystems
/usr/bin/ipcs                     IPC Statistics
/bin/rcp                          Remote Access (unsecure)
/usr/bin/rlogin                   Remote Access (unsecure)
/usr/bin/rsh                      Remote Access (unsecure)
/usr/lib/sa/sadc                  System Activity Reporting
/usr/sbin/scselect                Allowing non-administrators to change Network Location

Important: The Repair Permissions feature of Disk Utility reenables the setuid bit on these programs. Software updates may also reenable the setuid bit on these programs. To achieve some persistence for the permissions change, create a shell script to strip the bits and then implement a launchd job (for the root account) to execute this script every half hour. This ensures that no more than half an hour passes from the time a system update is applied until the setuid bits are removed.

For information about how to set up a launchd job, see Introduction to Command-Line Administration, available at www.apple.com/server/macosx/resources/.
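The following Python example is added here and is not Apple's tooling or a script from the guide. It does in one place what the section describes in three steps: find_special reproduces the `find / -perm -04000` audit, strip_special_bits applies `chmod -s` only to the explicit list taken from the table above (so programs the system needs keep their bits, and an entry whose related service is in use can simply be removed from the list), and launchd_job builds the half-hourly launchd job the guide recommends as a property list. The job label local.stripsetuid, the script path, and the scratch files used by demo_on_temp_tree are constructed.

```python
"""Audit and strip setuid/setgid bits; describe the recurring launchd job.

Added example (not from the Apple guide, not Apple's code). Run it as root to
act on the real system; demo_on_temp_tree exercises the logic on a scratch
tree that any user can create.
"""
import os
import plistlib
import stat
import tempfile

# Programs from the table above; drop an entry if its related service is in use.
STRIP_CANDIDATES = [
    "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent",
    "/usr/bin/at", "/usr/bin/atq", "/usr/bin/atrm", "/usr/bin/crontab",
    "/usr/bin/postdrop",
    "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum",
    "/usr/bin/postqueue", "/usr/bin/procmail", "/usr/bin/wall", "/usr/bin/write",
    "/usr/bin/chrfn",
    "/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper",
    "/usr/sbin/traceroute", "/usr/sbin/traceroute6", "/sbin/mount_fs",
    "/usr/bin/ipcs", "/bin/rcp", "/usr/bin/rlogin", "/usr/bin/rsh",
    "/usr/lib/sa/sadc", "/usr/sbin/scselect",
]
SPECIAL = stat.S_ISUID | stat.S_ISGID


def find_special(root, setuid=True, setgid=False):
    """Sorted regular files under `root` carrying the requested bit(s),
    the equivalent of find -perm -04000 and/or -02000. Symlinks are not followed."""
    mask = (stat.S_ISUID if setuid else 0) | (stat.S_ISGID if setgid else 0)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # unreadable or vanished: skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & mask:
                hits.append(path)
    return sorted(hits)


def strip_special_bits(paths):
    """chmod -s on each existing regular file; returns the paths actually changed."""
    changed = []
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue                          # not installed on this system
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISREG(st.st_mode) and mode & SPECIAL:
            os.chmod(path, mode & ~SPECIAL)
            changed.append(path)
    return changed


def launchd_job(script_path, interval=1800, label="local.stripsetuid"):
    """Property list for a root launchd job that runs `script_path` at load and
    then every `interval` seconds (30 minutes, the guide's suggestion)."""
    return {"Label": label, "ProgramArguments": [script_path],
            "StartInterval": interval, "RunAtLoad": True}


def write_launchd_job(path, script_path):
    """Serialize the job as an XML plist (for example /Library/LaunchDaemons/<label>.plist)."""
    with open(path, "wb") as fh:
        plistlib.dump(launchd_job(script_path), fh)


def demo_on_temp_tree():
    """Constructed scratch tree with one setuid, one setgid and one plain file.
    Returns (found before, stripped, found after) as basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        suid, sgid, plain = (os.path.join(tmp, n) for n in ("suid_tool", "sgid_tool", "plain_tool"))
        for path, mode in ((suid, 0o4755), (sgid, 0o2755), (plain, 0o755)):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        before = [os.path.basename(p) for p in find_special(tmp, True, True)]
        stripped = [os.path.basename(p)
                    for p in strip_special_bits([suid, sgid, plain, os.path.join(tmp, "missing")])]
        after = [os.path.basename(p) for p in find_special(tmp, True, True)]
        return before, stripped, after


if __name__ == "__main__":
    print(demo_on_temp_tree())
    print(launchd_job("/usr/local/sbin/strip_setuid.sh"))
```

Running strip_special_bits(STRIP_CANDIDATES) from the launchd job keeps the change within the half-hour window the guide describes; the returned list is what to log, so each re-enabling by a software update or Repair Permissions leaves a trace.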
Using ACLs to Restrict Usage of Setuid Programs

You can also use the ACL feature of Mac OS X to restrict the execution of setuid programs.

Restricting the execution of setuid programs to administrators prevents other users from executing those programs. It should also prevent attackers who have ordinary user privileges from executing the setuid program and trying to elevate their privileges.

All users on the system are in the “staff” group, so the commands below allow members of the admin group to execute <program name> but deny that right to members of the staff group:
sudo chmod +a "group:staff deny execute" <program name>
sudo chmod +a# 0 "group:admin allow execute" <program name>

To view the ACL:
ls -le <program name>
The output looks something like this:
-r-sr-xr-x+ 1 root wheel 12345 Nov 28 2007 <program name>
 0: group:admin allow execute
 1: group:staff deny execute

Because the ACL is evaluated in order from top to bottom, users in the admin group are permitted to execute the program. The following rule denies that right to all users.

Important: Although the “Repair Permissions” feature of Disk Utility does not strip ACLs from programs, software updates might strip these ACLs. In order to achieve some persistence for the ACLs, create a shell script to set the ACLs and then implement a launchd recurring event (for the root account) to execute this script.

For information about how to set up a launchd recurring event, consult Introduction to Command Line Administration, available at www.apple.com/server/macosx/resources/.

A launchd recurring event should ensure that a specified time period (or less) passes from the time a system update is applied until the ACL is reset. Because the ACL described above uses the +a# option to place rules in a noncanonical order, its reapplication results in additional rules. The following script can successfully apply and reapply the rules:
chmod -a "group:admin allow execute" <program name>
chmod +a "group:staff deny execute" <program name>
chmod +a# 0 "group:admin allow execute" <program name>
Securing User Home Folders

To secure user home folders, change the permissions of each user’s home folder so the folder is not world-readable or world-searchable.

When FileVault is not enabled, permissions on the home folder of a user account allow other users to browse the folder’s contents. However, users might inadvertently save sensitive files to their home folder, instead of into the more-protected ~/Documents, ~/Library, or ~/Desktop folders.

The ~/Sites, ~/Public, and ~/Public/Drop Box folders in each home folder may require world-readable or world-writeable permissions if File Sharing or Web Sharing is enabled. If these services are not in use, the permissions on these folders can be safely changed to prevent other users from browsing or writing to their contents.

As the owner of his or her home folder, the user can alter the folder’s permission settings at any time, and can change these settings back.

In Snow Leopard Server all users are a member of the “staff” group, not of a group that has the same name as their user name.

Note: Changing permissions on a user’s home directory from 750 to 700 will disable Apple file sharing (using the ~/Public directory) and Apple web sharing (using the ~/Sites directory).

To change home folder permissions:
• Enter the following command, replacing username with the name of the account:
sudo chmod 700 /Users/username
Run this command immediately after someone creates an account.
Encrypting Home Folders

Leopard includes FileVault, which can encrypt your home folder and its files. Use FileVault on portable computers and other computers whose physical security you can’t guarantee. Enable FileVault encryption for your computer and its user accounts.

FileVault moves all content of your home folder into a bundle disk image that supports AES-128 encryption. Snow Leopard supports Tiger sparse disk images created using AES-128 encryption. The sparse format allows the image to maintain a size proportional to its contents, which can save disk space.

If you remove files from a FileVault-protected home folder it takes time to recover free space from the home folder. After the home folder is optimized, you can access files in FileVault-protected home folders without noticeable delays.

If you’re working with confidential files that you plan to erase later, store those files in separate encrypted images that are not located in your home folder. You can then erase those images without needing to recover free space. For more information, see “Encrypting Portable Files” on page 155.

If you’ve insecurely deleted files before using FileVault, these files are recoverable after activating it. To prevent this, when you initially enable FileVault, securely erase free space. For information, see “Using Disk Utility to Securely Erase Free Space” on page 160.

Because FileVault is an encryption of a user’s local home folder, FileVault does not encrypt or protect files transferred over the network or saved to removable media, so you’ll need to encrypt specific files or folders. FileVault can only be enabled for local or mobile accounts and cannot be enabled for network home folders.

To protect files or folders on portable media or a network volume, create an encrypted disk image on the portable media or network volume. Then mount these encrypted disk images, which protect data transmitted over the network using AES-128 encryption. When using this method, mount the encrypted disk image from one computer at a time to prevent irreparable corruption to the image content.

For information about encrypting specific files or folders for transfer from your network home folder, see “Encrypting Portable Files” on page 155.

When you set up FileVault, you create a master password. If you forget your login password, you can use your master password to recover encrypted data. If you forget your login password and your master password, you cannot recover your data. Because of this, consider sealing your master password in an envelope and storing it in a secure location.

You can use Password Assistant to help create a complex master password that cannot be easily compromised. For information, see “Using Password Assistant to Generate or Analyze Passwords” on page 84.

Enabling FileVault copies data from your home folder into an encrypted home folder. After copying, FileVault erases the unencrypted data.

By default FileVault insecurely erases the unencrypted data, but if you enable secure erase, your unencrypted data is securely erased.
Overview of FileVault

Snow Leopard Server extends the unlocking of FileVault to Smart Cards, which provides the most secure practice for protecting FileVault accounts.

Accounts protected by FileVault support authentication using a passphrase or a Smart Card. With Smart Card authentication, the AES-256 symmetric Data Key (DK) used to encrypt the user’s data is unwrapped using a private (encryption) key on the Smart Card. The data written to or read from disk is encrypted and decrypted on the fly during access.

FileVault encrypts the Data Key (DK) using the User Key (UK1), which can be generated from your passphrase or from the public key on your Smart Card. FileVault separately encrypts the Data Key using the FileVault Master Key (MK).

The architectural design of FileVault makes it possible for the MK and UK1 to encrypt and decrypt files. Providing strong encryption protects user data at rest while ensuring access management by IT staff.

The easiest method for centralized management of FileVault on a client computer is to use Snow Leopard Server and Workgroup Manager to enforce the use of FileVault and the proper identity.
Managing FileVault

You can set a FileVault master keychain to decrypt an account that uses FileVault to encrypt data. Then if users forget their FileVault account password (which they use to decrypt encrypted data) you can use the FileVault master keychain to decrypt the data.

To create the FileVault master keychain:
1 Open System Preferences > Security.
2 Click Master Password and set a master password.
Select a strong password and consider splitting the password into at least two components (first half and second half). You can use Password Assistant to ensure that the quality of the password is strong.
To avoid having one person know the full password, have separate security administrators keep each password component. This prevents a single person from unlocking (decrypting) a FileVault account. For more information, see “Using Password Assistant to Generate or Analyze Passwords” on page 84.
Setting a master password creates a keychain called FileVaultMaster.keychain in /Library/Keychains/. The FileVault master keychain contains a FileVault recovery key (self-signed root certificate) and a FileVault master password key (private key).
3 Delete the certificate named FileVaultMaster.cer in the same location as the FileVaultMaster.keychain.
FileVaultMaster.cer is only used for importing the certificate into the keychain. This is only a certificate and does not contain the private key, so there is no security concern about someone gaining access to this certificate.
4 Make a copy of FileVaultMaster.keychain and put it in a secure place.
5 Delete the private key from FileVaultMaster.keychain created on the computer to modify the keychain.
Deleting the key ensures that even if someone unlocks the FileVault master keychain they cannot decrypt the contents of a FileVault account because there is no FileVault master password private key available for the decryption.

Managing the FileVault Master Keychain

The modified FileVault master keychain can now be distributed to network computers. This can be done by transferring FileVaultMaster.keychain to the computers by using Apple Remote Desktop, by using a distributed installer executed on each computer, by using various scripting techniques, or by including it in the original disk image if your organization restores systems with a default image.
The master keychain provides network management of any FileVault account created on any computer with the modified FileVaultMaster.keychain located in the /Library/Keychains/ folder. These computers indicate that the master password is set in Security preferences.

When an account is created and the modified FileVault master keychain is present, the public key from the FileVault recovery key is used to encrypt the dynamically generated AES 128-bit (default) or AES 256-bit symmetric key that is used for the encryption and decryption of the encrypted disk image (FileVault container).

To decrypt access to the encrypted disk image, the FileVault master password private key is required to decrypt the original dynamically generated AES 128-bit or 256-bit symmetric key.

The user’s original password continues to work as normal, but the assumption here is that the master password service is being used because the user has forgotten the password or the organization must perform data recovery from a user’s computer.

To recover a network managed FileVault system account:
1 Retrieve the copy of FileVaultMaster.keychain that was stored before the private key was deleted during modification.
2 Bring together all security administrators involved in generating the master password.
More than one individual is needed if the master password was split into password components.
Note: The administrator must have root access to restore the FileVaultMaster.keychain file.
3 Restore the original keychain to the /Library/Keychains/ folder of the target computer, replacing the installed keychain.
4 Verify that the restored FileVaultMaster.keychain file has the correct ownership and permissions set, similar to the following example.
-rw-r--r-- 1 root admin 24880 Mar 2 18:18 FileVaultMaster.keychain
5 Verify that “Password Hints” is enabled by logging in to the FileVault account you are attempting to recover and incorrectly entering the account password three times.
If “Password Hints” is enabled, you are granted an additional try after the hint appears.
6 When prompted for the master password, have the security administrators combine their password components to unlock access to the account.
7 When the account is unlocked, provide a new password for the account.
The password is used to encrypt the original symmetric key used to encrypt and decrypt the disk image.

Note: This process does not reencrypt the FileVault container. It reencrypts the original symmetric key with a key derived from the new user account password you entered.
You are now logged in to the account and given access to the user’s home folder.
8 Delete the private key from FileVaultMaster.keychain again, or replace the keychain file with the original copy of FileVaultMaster.keychain that was stored before the private key was deleted.
This process does not change the password used to protect the user’s original login keychain, because that password is not known or stored anywhere. Instead, this process creates a login keychain with the password entered as the user’s new account password.
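The following Python example is added here and is not Apple's code or FileVault's on-disk format. It models the key hierarchy from "Overview of FileVault" and the recovery note just above: one data key (DK) encrypts the container, and DK is wrapped separately under a user key (UK1, derived from the passphrase) and a master key (MK, the recovery path); recovery unwraps DK with MK and re-wraps it under the new passphrase without touching the container. Because the Python standard library has no AES, an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the AES wrapping; the structure, not the cipher, is the point. The PBKDF2 iteration count, passphrases and sample data are constructed.

```python
"""Two-way key wrapping: DK under UK1 (passphrase) and under MK (recovery).

Added example (not from the Apple guide). seal/open_sealed are an
encrypt-then-MAC construction over an HMAC-SHA256 keystream, used here only
because the stdlib has no AES; FileVault itself uses AES-128/256.
"""
import hashlib
import hmac
import secrets


def derive_key(passphrase, salt, iterations=50_000):
    """UK1 from a passphrase via PBKDF2-HMAC-SHA256 (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Container:
    """One encrypted home: DK protects the payload; DK is stored wrapped twice."""

    def __init__(self, passphrase, master_key, data):
        dk = secrets.token_bytes(32)                       # the Data Key
        self.salt = secrets.token_bytes(16)
        self.wrapped_by_user = seal(derive_key(passphrase, self.salt), dk)   # DK under UK1
        self.wrapped_by_master = seal(master_key, dk)                        # DK under MK
        self.payload = seal(dk, data)                                        # the container
        # dk goes out of scope here: only the two wrapped copies persist.

    def unlock_with_passphrase(self, passphrase):
        dk = open_sealed(derive_key(passphrase, self.salt), self.wrapped_by_user)
        return None if dk is None else open_sealed(dk, self.payload)

    def unlock_with_master(self, master_key):
        dk = open_sealed(master_key, self.wrapped_by_master)
        return None if dk is None else open_sealed(dk, self.payload)

    def recover_and_reset(self, master_key, new_passphrase):
        """Step 7 above: unwrap DK with MK and re-wrap it under the new passphrase.
        The payload is not re-encrypted; only the user wrapping changes."""
        dk = open_sealed(master_key, self.wrapped_by_master)
        if dk is None:
            return False
        self.salt = secrets.token_bytes(16)
        self.wrapped_by_user = seal(derive_key(new_passphrase, self.salt), dk)
        return True


def demo():
    """Walk through create, unlock, recover, reset; return the checks as a dict."""
    mk = secrets.token_bytes(32)
    data = b"constructed sample home folder contents"
    c = Container("correct horse", mk, data)
    payload_before = c.payload
    checks = {
        "user_unlocks": c.unlock_with_passphrase("correct horse") == data,
        "wrong_passphrase_fails": c.unlock_with_passphrase("wrong") is None,
        "master_unlocks": c.unlock_with_master(mk) == data,
        "wrong_master_fails": c.unlock_with_master(secrets.token_bytes(32)) is None,
        "reset_ok": c.recover_and_reset(mk, "new passphrase"),
    }
    checks["old_passphrase_fails"] = c.unlock_with_passphrase("correct horse") is None
    checks["new_passphrase_unlocks"] = c.unlock_with_passphrase("new passphrase") == data
    checks["payload_unchanged"] = c.payload == payload_before
    return checks


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "ok" if ok else "FAILED"))
```

The last check is the one the note above makes: after recovery the container bytes are identical, and only the wrapped copy of DK under the user's key has been replaced. Deleting the private key from the distributed FileVaultMaster.keychain (step 5) corresponds here to removing MK from the client; wrapped_by_master stays on disk but is useless without it.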
Encrypting Portable Files
To protect files you want to transfer over a network or save to removable media,
encrypt a disk image or encrypt the files and folders. FileVault doesn’t protect files
transmitted over the network or saved to removable media.
Using a server-based encrypted disk image provides the added benefit of encrypting
network traffic between the computer and the server hosting the mounted encrypted
disk image.
Creating an Encrypted Disk Image
To encrypt and securely store data, you can create a read/write image or a sparse
image:
• A read/write image consumes the space that was defined when the image was
created. For example, if the maximum size of a read/write image is set to 10 GB, the
image consumes 10 GB of space even if it contains only 2 GB of data.
• A sparse image consumes only the amount of space the data needs. For example,
if the maximum size of a sparse image is 10 GB and the data is only 2 GB, the image
consumes only 2 GB of space.
If an unauthorized administrator might access your computer, creating an encrypted
blank disk image is preferred to creating an encrypted disk image from existing data.
Creating an encrypted image from existing data copies the data from an unprotected
area to the encrypted image. If the data is sensitive, create the image before creating
the documents. This creates the working copies, backups, or caches of files in
encrypted storage from the start.
Note: To prevent errors when a file system inside a sparse image has more free space
than the volume holding the sparse image, HFS volumes inside sparse images report
an amount of free space slightly less than the amount of free space on the volume that
the image resides on.
To create an encrypted disk image:
1 Open Disk Utility.
2 Choose File > New > Blank Disk Image.
3 Enter a name for the image, and choose where to store it.
4 Choose the size of the image by clicking the Size pop-up menu.
Make sure the size of the image is large enough for your needs. You cannot increase
the size of an image after creating it.
5 Choose an encryption method by clicking the Encryption pop-up menu.
AES-128 or AES-256 is a strong encryption format.
6 Choose a format by clicking the Format pop-up menu.
Although there is some overhead, the sparse format allows the image to maintain a
size proportional to its contents (up to its maximum size), which can save disk space.
7 Click Create.
8 Enter a password, and verify it.
You can access Password Assistant from this window. For more information, see “Using
Password Assistant to Generate or Analyze Passwords” on page 84.
9 Deselect “Remember password (add to Keychain),” and click OK.
Creating an Encrypted Disk Image from Existing Data
If you must maintain data confidentiality when transferring files from your
computer but you don’t need to encrypt files on your computer, create a disk
image from existing data.
Such situations include unavoidable plain-text file transfers across a network, such as
mail attachments or FTP, or copying to removable media, such as a CD or floppy disk.
If you plan to add files to this image instead of creating an image from existing data,
create an encrypted disk image and add your existing data to it. For information, see
“Creating an Encrypted Disk Image” on page 155.
To create an encrypted disk image from existing data:
1 Open Disk Utility.
2 Choose File > New > Disk Image from Folder.
3 Select a folder and click Image.
4 Enter a name for the image and choose where to store it.
5 Choose a format by clicking the Format pop-up menu.
The compressed disk image format can help you save hard disk space by reducing your
disk image size.
6 Choose an encryption method by clicking the Encryption pop-up menu.
AES-128 or AES-256 provides strong encryption.
7 Click Save.
8 Enter a password and verify it.
You can easily access Password Assistant from this window. For more information, see
“Using Password Assistant to Generate or Analyze Passwords” on page 84.
9 Deselect “Remember password (add to Keychain)” and click OK.
You can also use the hdiutil command to create and format encrypted disk images.
For more information about this command, see its man page.
Creating Encrypted PDFs
You can quickly create password-protected, read-only PDF documents of confidential
or personal data. To open these files you must know the password for them.
Some applications do not support printing to PDF. In this case, create an encrypted disk
image. For information, see “Creating an Encrypted Disk Image from Existing Data” on
page 156.
To create an encrypted, read-only document:
1 Open the document.
2 Choose File > Print.
Some applications don’t allow you to print from the File menu. These applications
might allow you to print from other menus.
3 Click PDF and choose Save as PDF.
4 Click Security Options and select one or more of the following options:
• Require password to open document
• Require password to copy text, images, and other content
• Require password to print document
When you require a password for the PDF, it becomes encrypted.
5 Enter a password, verify it, and click OK.
6 Enter a name for the document, choose a location, and click Save.
7 Test your document by opening it.
You must enter the password before you can view the contents of your document.
Securely Erasing Data
When you erase a file, you’re removing information that the file system uses to find the
file. The file’s location on the disk is marked as free space. If other files have not written
over the free space, it is possible to retrieve the file and its contents.
Snow Leopard provides the following ways to securely erase files.
• Zero-out erase
• 7-pass erase
• 35-pass erase
A zero-out erase sets all data bits on the disk to 0, while a 7-pass erase and a 35-pass
erase use algorithms to overwrite the disk. A 7-pass erase follows the Department of
Defense standard for the sanitization of magnetic media. A 35-pass erase uses the
extremely advanced Gutmann algorithm to help eliminate the possibility of data
recovery.
The zero-out erase is the quickest. The 35-pass erase is the most secure, but it is also 35
times slower than the zero-out erase.
Each time you use a 7-pass or 35-pass secure erase, the following seven-step algorithm
is used to prevent the data from being recovered:
• Overwrite file with a single character
• Overwrite file with zeroes
• Overwrite file with a single character
• Overwrite file with random characters
• Overwrite file with zeroes
• Overwrite file with a single character
• Overwrite file with random characters
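The seven passes listed above, implemented in Python as an added example for this page (not code from Snow Leopard, srm, or Disk Utility): each pass is written and flushed over the file's full length, and the file is then truncated, renamed and unlinked, which is the overwrite, rename and truncate sequence this chapter later attributes to srm. The fill bytes chosen for the "single character" passes and the demo() helper are this example's own assumptions.

```python
import os
import secrets
import tempfile

# The seven passes listed above. The fill bytes for the "single character" passes
# are this example's own choice; the page does not say which character is used.
SEVEN_PASSES = (
    ("single character", b"\xff"),
    ("zeroes", b"\x00"),
    ("single character", b"\x55"),
    ("random", None),
    ("zeroes", b"\x00"),
    ("single character", b"\xaa"),
    ("random", None),
)


def overwrite_pass(fd, size, fill, chunk=64 * 1024):
    """Overwrite the first `size` bytes of the open file with `fill` (a one-byte
    pattern) or with fresh random bytes when `fill` is None, then flush to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(chunk, remaining)
        buf = secrets.token_bytes(n) if fill is None else fill * n
        while buf:                       # os.write may write fewer bytes than asked
            written = os.write(fd, buf)
            buf = buf[written:]
        remaining -= n
    os.fsync(fd)


def secure_erase_file(path, passes=SEVEN_PASSES):
    """Overwrite, truncate, rename and unlink `path`. Returns the number of
    overwrite passes made."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _label, fill in passes:
            overwrite_pass(fd, size, fill)
        os.ftruncate(fd, 0)              # hide the original length
        os.fsync(fd)
    finally:
        os.close(fd)
    # Rename to a random name so the original file name does not survive in the
    # directory entry, then remove it.
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    return len(passes)


def demo():
    """Create a constructed sample file, check one zero pass, then erase it.
    Returns (passes_made, zero_pass_ok, file_still_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sensitive data\n" * 1000)
        size = os.path.getsize(path)
        fd = os.open(path, os.O_WRONLY)
        try:
            overwrite_pass(fd, size, b"\x00")
        finally:
            os.close(fd)
        with open(path, "rb") as f:
            zero_pass_ok = f.read() == b"\x00" * size
        passes_made = secure_erase_file(path)
        return passes_made, zero_pass_ok, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Overwriting in place only defeats recovery when the file system and media rewrite the same blocks; journaled file systems, snapshots and flash media with wear levelling can keep older copies, which is why this chapter also covers erasing free space and Time Machine backups.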
Configuring Finder to Always Securely Erase
In Snow Leopard Server you can configure Finder to always securely erase items placed
in the Trash. This prevents data you place in the Trash from being restored. Using secure
erase takes longer than emptying the Trash.
To configure Finder to always perform a secure erase:
1 In Finder, choose Finder > Preferences.
2 Click Advanced.
3 Select the “Empty Trash securely” checkbox.
Using Disk Utility to Securely Erase a Disk or Partition
You can use Disk Utility to securely erase a partition, using a zero-out erase, a 7-pass
erase, or a 35-pass erase.
Note: If you have a partition with Snow Leopard installed and you want to securely
erase an unmounted partition, you don’t need to use your installation discs. In the
Finder, open Disk Utility (located in /Applications/Utilities/).
WARNING: Securely erasing a partition is irreversible. Before erasing the partition,
back up critical files you want to keep.
To securely erase a partition using Disk Utility:
1 Insert the first of the Snow Leopard installation discs in the optical drive.
2 Restart the computer while holding down the C key.
The computer starts up from the disc in the optical drive.
3 Proceed past the language selection step.
4 Choose Utilities > Disk Utility.
5 Select the partition you want to securely erase.
Select a partition, not a drive. Partitions are contained in drives and are indented one
level in the list on the left.
6 Click Erase, choose “Mac OS Extended (Journaled),” and then click Security Options.
Mac OS Extended disk formatting provides enhanced multiplatform interoperability.
7 Choose an erase option and click OK.
8 Click Erase.
Securely erasing a partition can take time, depending on the size of the partition and
the method you choose.
Using Command-Line Tools to Securely Erase Files
You can use the srm command in Terminal to securely erase files or folders. By using
srm, you can remove each file or folder by overwriting, renaming, and truncating the
file or folder before erasing it. This prevents other people from undeleting or recovering
information about the file or folder.
For example, srm supports simple methods, like overwriting data with a single pass of
zeros, to more complex ones, like using a 7-pass or 35-pass erase.
The srm command cannot remove a write-protected file owned by another user,
regardless of the permissions of the directory containing the file.
WARNING: Erasing files with srm is irreversible. Before securely erasing files, back up
critical files you want to keep.
To securely erase a folder named secret:
sudo srm -r -s secret
The -r option removes the content of the directory, and the -s option (simple)
overwrites with a single random pass.
For a more secure erase, use the -m (medium) option to perform a 7-pass erase of the
file. The -s option overrides the -m option, if both are present. If neither is specified,
the 35-pass erase is used.
For more information, see the srm man page.
Using Secure Empty Trash
Secure Empty Trash uses a 7-pass erase to securely erase files stored in the Trash.
Depending on the size of the files being erased, securely emptying the Trash can
take time to complete.
WARNING: Using Secure Empty Trash is irreversible. Before securely erasing files, back
up critical files you want to keep.
To use Secure Empty Trash:
1 Open the Finder.
2 Choose Finder > Secure Empty Trash.
3 Click OK.
Using Disk Utility to Securely Erase Free Space
You can use Disk Utility to securely erase free space on partitions, using a zero-out
erase, a 7-pass erase, or a 35-pass erase.
To securely erase free space using Disk Utility:
1 Open Disk Utility (located in /Applications/Utilities/).
2 Select the partition to securely erase free space from.
Select a partition, not a drive. Partitions are contained in drives and are indented one
level in the list on the left.
3 Click Erase, and then click Erase Free Space.
4 Choose an erase option and click Erase Free Space.
Securely erasing free space can take time, depending on the amount of free space
being erased and the method you choose.
5 Choose Disk Utility > Quit Disk Utility.
Using Command-Line Tools to Securely Erase Free Space
You can securely erase free space from the command line by using the diskutil
command. However, ownership of the affected disk is required. This tool allows you to
securely erase using one of the three levels of secure erase:
• 1—Zero-out secure erase (also known as single-pass)
• 2—7-pass secure erase
• 3—35-pass secure erase
To erase free space using a 7-pass secure erase (indicated by the number 2):
sudo diskutil secureErase freespace 2 /dev/disk0s3
For more information, see the diskutil man page.
From the command line:
# ------------------------------------------------------------------
# Using Disk Utility to Securely Erase Free Space
# ------------------------------------------------------------------
# Overwrite a device with zeroes.
sudo diskutil zeroDisk /dev/device
# Secure erase (7-pass) free space on a volume.
sudo diskutil secureErase freespace 2 /dev/device
# Secure erase (7-pass) a volume.
sudo diskutil secureErase 2 /dev/device
Deleting Permanently from Time Machine Backups
Time Machine is based on the Mac OS X HFS+ file system. It tracks file changes and
detects file system permissions and user access privileges.
When Time Machine performs the initial backup, it copies the contents of your
computer to your backup drive. Every subsequent backup is an incremental backup,
which copies only the files that have changed since the previous backup.
You can permanently delete files or folders from your computer and all Time Machine
backups using Time Machine. This keeps sensitive data that you no longer need from
being recovered.
To permanently delete files or folders from Time Machine backups:
1 Delete the file or folder from your computer.
2 Open Time Machine.
3 Select the file or folder you want to permanently delete from Time Machine.
4 Click the Action pop-up menu and select “Delete All Backups of <file or folder name>.”
5 When the warning message appears, click OK to permanently delete the file or folder.
All backup copies of your file or folder are permanently deleted from your computer.
9 Managing Certificates
Use this chapter to learn how Snow Leopard Server supports
services that ensure encrypted data transfer through
certificates.
Snow Leopard Server uses a Public Key Infrastructure (PKI) system to generate and
maintain certificates of identities. Server Admin makes it easy to manage Secure
Sockets Layer (SSL) certificates that can be used by web, mail, directory services,
and other services that support them.
You can create a self-signed certificate and generate a Certificate Signing Request (CSR)
to obtain an SSL certificate from an issuing authority and install the certificate.
For more information about how to use SSL certificates with individual services,
see Chapter 10, “Setting General Protocols and Access to Services.” Also, for more
information about certificates using the command line, see the man page of the
security command-line tool.
Understanding Public Key Infrastructure
Snow Leopard Server supports services that use SSL to ensure encrypted data
transfer. It uses a PKI system to generate and maintain certificates for use with
SSL-enabled services.
PKI systems allow the two parties in a data transaction to be authenticated to each
other, and to use encryption keys and other information in identity certificates to
encrypt and decrypt messages traveling between them.
PKI enables multiple communicating parties to establish confidentiality, message
integrity, and message source authentication without exchanging secret information
in advance.
SSL technology relies on a PKI system for secure data transmission and user
authentication. It creates an initial secure communication channel to negotiate
a faster, secret key transmission. Snow Leopard Server uses SSL to provide
encrypted data transmission for Mail, Web, and Directory services.
Public and Private Keys
Within a PKI, two digital keys are created: the public key and the private key.
The private key isn’t distributed to anyone and is often encrypted by a passphrase.
The public key is distributed to other communicating parties.
Basic key capabilities can be summed up as:
Key type: Public
Capabilities:
• Can encrypt messages that can only be decrypted by the holder of the corresponding
Private key.
• Can verify the signature on a message to ensure that it was signed by the corresponding
Private key.
Key type: Private
Capabilities:
• Can digitally sign a message or certificate, claiming authenticity.
• Can decrypt messages that were encrypted with the Public key.
• Can encrypt messages that can only be decrypted by the Private key itself.
Web, mail, and directory services use the public key with SSL to negotiate a shared key
for the duration of the connection.
For example, suppose a mail server sends its public key to a connecting client and
initiates negotiation for a secure connection. The connecting client uses the public key
to encrypt a response to the negotiation. The mail server, because it has the private
key, can decrypt the response. The negotiation continues until mail server and client
have a shared secret to encrypt traffic between the two computers.
Certificates
A certificate is an electronic document that contains a public key with identification
information (name, organization, email address, and so on). In a public key
environment, a certificate is digitally signed by a Certificate Authority, or its own
private key (the latter being a self-signed certificate).
A public key certificate is a file in a specified format (Mac OS X Server uses the X.509
format) that contains:
• The public key half of a public-private key pair
• The key user’s identity information, such as a person’s name and contact information
• A validity period (how long the certificate can be trusted to be accurate)
• The URL of someone with the power to revoke the certificate (its revocation center)
• The digital signature of a CA, or the key user
164
Chapter 9 Managing Certificates
About Certificate Authorities (CAs)
A CA is an entity that signs and issues digital identity certificates claiming that a party
is correctly identified. In this sense, a CA is a trusted third party used by other parties
when performing transactions.
In X.509 systems such as Snow Leopard Server, CAs are hierarchical, with CAs being
certified by higher CAs, until you reach a root authority. A root authority is a CA that’s
trusted by the parties, so it doesn’t need to be authenticated by another CA. The
hierarchy of certificates is top-down, with the root authority’s certificate at the top.
A CA can be a company that signs and issues a public key certificate. The certificate
attests that the public key belongs to the owner recorded in the certificate.
In a sense, a CA is a digital notary public. You request a certificate by providing the CA
with your identity information, contact information, and the public key. The CA then
verifies your information so users can trust certificates issued for you by the CA.
About Identities
Identities are a certificate and a private key, together. The certificate identifies the user,
and the private key corresponds to the certificate. A single user can have several
identities; for any given user each certificate can have a different name, email address,
or issuer.
These identities are used for different security contexts. For example, one can be used
to sign others’ certificates, one can be used to identify the user by email, and these do
not need to be the same identity.
In the context of the Mac OS X Server Certificate Manager, identities include
a signed certificate and both keys of a PKI key pair. The identities are used by the
system keychain and are available for use by services that support SSL.
Self-Signed Certificates
Self-signed certificates are certificates that are digitally signed by the private key
corresponding to the public key included in the certificate. This is done in place of
a CA signing the certificate. By self-signing a certificate, you’re attesting that you are
who you say you are. No trusted third party is involved.
About Intermediate Trust
If you are your own CA and your certificates are not trusted by the default shipping
root certificates in Mac OS X, your clients can still be configured to trust your
certificates through an intermediate trust.
Trust is the ability of a client to believe the identity of a server when it connects.
A trusted server is a known server that the client can transact with securely, without
interference from outside and unknown parties.
Mac OS X clients follow X.509 trust validation when accepting certificates, meaning
they follow the chain of certificate signers back until they find a trusted root certificate.
Mac OS X lets you specify a trusted anchor (in other words, a certificate that is not
a root CA certificate, but that you trust). A client can trust a certificate closer in the
chain of trust, or even just the submitted certificate itself.
Trusting a certificate that isn’t a shipping root anchor is intermediate trust. To
accomplish this, trust needs to be bestowed on certificates instead of to keychains
(as was done previously). In v10.4, trust was given to certificates in the keychain
called “X509Anchors.” The X509Anchors keychain was deprecated starting with
Mac OS X v10.5.
In Snow Leopard Server, several keychains can hold certificates:
• System Root Certificates: This keychain holds root certificates that ship with
Mac OS X. The certificates already have trust given to them.
• System: This keychain holds certificates that the computer administrator can add. All
users on a given client can read from this keychain. The trust settings of a certificate
in this keychain can override those of a certificate in System Root Certificates.
• Any other keychain: This holds certificates for a given user and is only accessible
to that user. The trust settings of a certificate in this keychain can override those of
a certificate in System Root Certificates or System.
Trusted certificates can be in any of these locations, but to trust a certificate, trust
settings must be given explicitly to a certificate.
To configure clients to trust a certificate:
1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.
This is preferably distributed using nonrewritable media, such as a CD-R. Using
nonrewritable media prevents the certificate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate
was copied onto the client computer.
3 Drag the certificate to the System keychain using Keychain Access.
Authenticate as an administrator, if requested.
4 Double-click the certificate to get the certificate details.
5 In the details window, click the Trust disclosure triangle.
6 From the pop-up menu next to “When using this certificate,” select “Always Trust.”
You have now added trust to this certificate, regardless of who it is signed by.
From the command line
After copying the certificate to the target client computer, perform the following,
replacing <certificate> with the file path to the certificate:
sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>
You can use the security tool to save and restore trust settings as well. For more
information on using the security command-line tool, see the security man page.
Certificate Manager in Server Admin
Snow Leopard Server’s Certificate Manager is integrated into Server Admin to help you
create, use, and maintain identities for SSL-enabled services.
The Server Admin interface is shown below, with the Certificate Manager selected.
Certificate Manager provides integrated management of SSL certificates in
Snow Leopard Server for services that allow the use of SSL certificates. On
installation, the server creates a self-signed certificate for immediate use from
information you put in during server setup.
Certificate Manager uses Mac OS X’s Certificate Assistant to create self-signed
certificates and certificate-signing requests (CSRs) to obtain certificates signed
by a CA. The certificates, self-signed or signed by a CA, are then accessible by
services that support SSL.
Certificate Manager in Server Admin doesn’t allow you to sign and issue certificates
as a CA, nor does it allow you to sign and issue certificates as a root authority. If you
need these functions, you can use Certificate Assistant in Keychain Access (located in
/Applications/Utilities/). It provides these capabilities and others for working with X.509
certificates.
Identities that were created and stored in OpenSSL files can also be imported into
Certificate Manager. They are accessible to services that support SSL. Self-signed and
CA-issued certificates you created in CA Assistant can be used in Certificate Manager
by importing the certificate.
Certificate Manager displays the following for each certificate:
• The domain name the certificate was issued for
• The expiration date of the certificate
• When selected, the detailed contents of the certificate
When certificates and keys are imported via Certificate Manager, they are put in
the /etc/certificates/ directory. The directory contains four PEM formatted files for
every identity:
• The certificate
• The public key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with
some services)
The certificate and trust chain are owned by the root user and the wheel group, with
permissions set to 644. The public key and concatenation file are owned by the root
user and the certusers group, with permissions set to 640.
Each file has the following naming convention:
<commonname>.<SHA1 hash of the certificate>.<cert|chain|concat|key>.pem
For example, the certificate for a web server at example.com might look like this:
www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
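An added audit check for this layout, written in Python for this page and not part of Mac OS X Server or Certificate Manager: it walks a directory, checks each file name against the naming convention and each file's mode against the values given above, reports identities that lack one of the four files, and optionally checks the root:wheel and root:certusers ownership. The demo() helper, its temporary directory, the mail.example.com files and their all-zero hash are constructed for the example.

```python
import grp
import os
import pwd
import re
import stat
import tempfile

# Naming convention given on the page:
#   <commonname>.<SHA1 hash of the certificate>.<cert|chain|concat|key>.pem
NAME_RE = re.compile(
    r"^(?P<cn>.+)\.(?P<sha1>[0-9A-Fa-f]{40})\.(?P<kind>cert|chain|concat|key)\.pem$"
)

# Ownership and mode per file kind, from the page: cert and chain are root:wheel
# 644, key and concat are root:certusers 640.
EXPECTED = {
    "cert":   ("root", "wheel",     0o644),
    "chain":  ("root", "wheel",     0o644),
    "key":    ("root", "certusers", 0o640),
    "concat": ("root", "certusers", 0o640),
}


def audit_certificates_dir(directory, check_owner=False):
    """Return a list of findings for `directory`; an empty list means every file
    follows the naming convention, has the expected mode, and every identity has
    all four files. Ownership is checked only when `check_owner` is True, since
    that needs the real root, wheel and certusers accounts of a Mac OS X Server."""
    findings = []
    identities = {}
    for name in sorted(os.listdir(directory)):
        m = NAME_RE.match(name)
        if not m:
            findings.append(f"{name}: does not follow the naming convention")
            continue
        kind = m["kind"]
        identities.setdefault((m["cn"], m["sha1"].upper()), set()).add(kind)
        st = os.stat(os.path.join(directory, name))
        owner, group, mode = EXPECTED[kind]
        actual_mode = stat.S_IMODE(st.st_mode)
        if actual_mode != mode:
            findings.append(f"{name}: mode {actual_mode:o}, expected {mode:o}")
        if check_owner:
            actual_owner = pwd.getpwuid(st.st_uid).pw_name
            actual_group = grp.getgrgid(st.st_gid).gr_name
            if (actual_owner, actual_group) != (owner, group):
                findings.append(
                    f"{name}: owned by {actual_owner}:{actual_group}, "
                    f"expected {owner}:{group}"
                )
    for (cn, sha1), kinds in identities.items():
        missing = sorted(set(EXPECTED) - kinds)
        if missing:
            findings.append(f"{cn} ({sha1[:8]}...): missing {', '.join(missing)} file(s)")
    return findings


def demo():
    """Build a constructed /etc/certificates/-style directory in a temp folder:
    one correct identity (the page's www.example.com example) and one flawed
    identity plus a stray file, then audit it."""
    good_hash = "C42504D03B3D70F551A3C982CFA315595831A2E3"   # hash from the page
    bad_hash = "0" * 40                                       # constructed value
    with tempfile.TemporaryDirectory() as tmp:
        def put(name, mode):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write("-----BEGIN PLACEHOLDER-----\n")      # constructed content
            os.chmod(path, mode)

        for kind in EXPECTED:
            put(f"www.example.com.{good_hash}.{kind}.pem", EXPECTED[kind][2])
        put(f"mail.example.com.{bad_hash}.cert.pem", 0o644)
        put(f"mail.example.com.{bad_hash}.chain.pem", 0o644)
        put(f"mail.example.com.{bad_hash}.key.pem", 0o644)    # too permissive
        # The concat file for mail.example.com is deliberately left out.
        put("notes.txt", 0o644)                               # stray file
        return audit_certificates_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run on a real server as root with check_owner=True to include the ownership comparison.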
Readying Certificates
Before you can use SSL in Mac OS X Server’s services, you must create or import
certificates. You can create self-signed certificates, create certificates and then generate
a Certificate Signing Request (CSR) to send to a CA, or import certificates previously
created with OpenSSL.
If you have previously generated certificates for SSL, you can import them for use by
Mac OS X Server services. The OpenSSL keys and certificates must be in PEM format.
Select a CA to sign your certificate request. If you don’t have a CA to sign your request,
consider becoming your own CA and then import your CA certificates into the root
trust database of your managed machines.
When you set up Mac OS X Server, the Server Assistant creates a self-signed
certificate based on information you provided when it’s first installed. It can be used
for any service that supports SSL. When your clients choose to trust the certificate,
SSL connections can be used without user interaction from that point on.
This initial self-signed certificate is used by Server Admin and Server Preferences to
encrypt administrative functions.
Creating a Self-Signed Certificate
A self-signed certificate is generated at server setup. Although it is available for use,
you may want to customize the information in the certificate, so you would create
a new self-signed certificate. This is especially important if you plan on having a CA
sign your certificate.
When you create a self-signed certificate, Certificate Manager creates a private–public
key pair in the System keychain with the key size specified (512-2048 bits). It then
creates the corresponding self-signed certificate.
If you’re using a self-signed certificate, consider using an intermediate trust for it and
import the certificate into the System keychain on all client computers (if you have
control of the computers). For more information about using intermediate trust, see
“About Intermediate Trust” on page 165.
To create a self-signed certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Click the Add (+) button and choose Create a Certificate Identity.
Certificate Assistant launches, populated with information needed to generate the
certificate.
4 If you override the defaults, choose “Let me override defaults” and follow the onscreen
instructions.
5 When finished, click Continue.
6 Confirm the certificate creation by clicking Continue.
The Certificate Assistant generates a key pair and certificate. Certificate Manager
encrypts the files with a random passphrase, puts the passphrase in the System
keychain, and puts the resulting PEM files in /etc/certificates/.
Storing the Private Key
The private key should be generated on a computer that is not connected to your
internal network. For added security, you can store the keychain containing the private
key on USB storage so you can keep the CA private key unavailable when connected to
the network.
Requesting a Certificate from a CA
Certificate Manager helps you create a CSR to send to your designated CA.
You need a certificate for the CA to sign. You can use the one that was generated at
server setup, but more likely you will want to generate one that has all the details
the CA requires before signing. If you need to generate a certificate before getting it
signed, see “Creating a Self-Signed Certificate” on page 169.
To request a signed certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Select the certificate you want signed.
4 Click the Action button below the certificates list and choose “Generate Certificate
Signing Request (CSR).”
5 Certificate Manager creates the signing request and shows the ASCII text version in
the sheet.
6 Click Save to save the CSR to the disk.
Your CA will have instructions on how to transfer the CSR to the signer. Some CAs
require you to use a web interface; others require sending the CSR in the body of
a mail message. Follow the instructions given by the CA.
The CA will return a newly signed certificate, which replaces the one you generated.
For instructions on what to do now with your newly signed certificate, see “Replacing
an Existing Certificate” on page 175.
Creating a CA
To sign another user’s certificate, you must create a CA. Sometimes a CA certificate
is referred to as a root or anchor certificate. By signing a certificate with the root
certificate, you become the trusted third party in that certificate’s transactions,
vouching for the identity of the certificate holder.
If you are a large organization, you might decide to issue or sign certificates for
people in your organization to use the security benefits of certificates. However,
external organizations might not trust or recognize your signing authority.
To create a CA:
1 Start Keychain Access.
Keychain Access is found in the /Applications/Utilities/ directory.
2 In the Keychain Access menu, select Certificate Assistant > Create a Certificate
Authority.
The Certificate Assistant starts. It will guide you through the process of making the CA.
3 Choose to create a Self Signed Root CA.
4 Provide the Certificate Assistant with the requested information and click Continue.
You need the following information to create a CA:
• An email address
• The name of the issuing authority (you or your organization)
You also decide if you want to override the defaults and whether to make this CA the
organization’s default CA. If you do not have a default CA for the organization, allow
the Certificate Assistant to make this CA the default.
In most circumstances, do not override the defaults. If you do not override the defaults,
skip to step 16.
5 If you override the defaults, provide the following information in the next few screens:
• A unique serial number for the root certificate
• The number of days the CA functions before expiring
• The type of user certificate this CA is signing
• Whether to create a CA website for users to access for CA certificate distribution
6 Click Continue.
7 Provide the Certificate Assistant with the requested information and click Continue.
You need the following information to create a CA:
• An email address of the responsible party for certificates
• The name of the issuing authority (you or your organization)
• The organization name
• The organization unit name
• The location of the issuing authority
8 Select a key size and an encryption algorithm for the CA certificate, and then click
Continue.
A larger key size is more computationally intensive to use, but much more secure. The
algorithm you choose depends more on your organizational needs than a technical
consideration.
DSA and RSA are strong encryption algorithms. DSA is a United States Federal
Government standard for digital signatures.
9 Select a key size and an encryption algorithm for the certificates to be signed, and
then click Continue.
10 Select the Key Usage Extensions you need for the CA certificate, and then click
Continue.
At a minimum, you must select Signature and Certificate Signing.
11 Select the Key Usage Extensions you need for the certificates to be signed, and then
click Continue.
Default key use selections are based on the type of key selected earlier in the Assistant.
12 Specify other extensions to add to the CA certificate and click Continue.
13 Select the keychain “System” to store the CA certificate.
14 Choose to trust certificates on this computer signed by the created CA.
15 Click Continue and authenticate as an administrator to create the certificate and
key pair.
16 Read and follow the instructions on the last page of the Certificate Assistant.
You can now issue certificates to trusted parties.
Importing a Certificate Identity
You can import a previously generated OpenSSL certificate and private key into
Certificate Manager. The items are listed as available in the list of identities and are
available to SSL-enabled services.
The OpenSSL keys and certificates must be in PEM format.
To import an existing OpenSSL style certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Click the Add (+) button and choose Import a Certificate Identity.
4 Drag the PEM file containing the private key to the sheet.
5 Drag the PEM file containing the public certificate to the sheet.
6 If needed, drag associated nonidentity certificates to the sheet as well.
7 Click the Import button.
If prompted, enter the private key passphrase.
Managing Certificates
After you create and sign a certificate, you won’t do much more with it. Because
certificates cannot be edited, you can delete, replace, or revoke certificates after they
are created. You cannot change certificates after a CA signs them.
If the information a certificate possesses (such as contact information) is no longer
accurate, or if you believe the private key is compromised, delete the certificate.
If you have previously generated certificates for SSL, you can import them for use by
services. The OpenSSL keys and certificates must be in PEM format.
If you chose custom locations for your SSL certificates with Snow Leopard Server, you
must import them into Certificate Manager if you want them to be available for
services.
Custom file system locations for certificates cannot be managed for services using
Server Admin for Snow Leopard Server. To use custom file locations, edit the
configuration files directly.
When certificates and keys are imported via Certificate Manager, they are put in the
/etc/certificates/ directory. The directory contains four PEM formatted files for every
identity:
• The certificate
• The public key
• The trust chain
• The concatenated version of the certificate plus the trust chain (for use with some
services)
Each file has the following naming convention:
<commonname>.<SHA1 hash of the certificate>.<cert|chain|concat|key>.pem
For example, the certificate for a web server at example.com might look like this:
www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem
After the certificates are imported, Certificate Manager encrypts the files with a random
passphrase. It puts the passphrase in the System keychain, and puts the resulting PEM
files in /etc/certificates/.
Editing a Certificate
After you add a certificate signature, you can’t edit the certificate. You must replace it
with one generated from the same private key.
For instructions on how to do this, see “Replacing an Existing Certificate” on page 175.
Distributing a CA Public Certificate to Clients
If you’re using self-signed certificates, a warning appears in most user applications
saying that the CA is not recognized. Other software, such as the LDAP client, refuses
to use SSL if the server’s CA is unknown.
Mac OS X Server ships only with certificates from well-known commercial CAs. To
prevent this warning, your CA certificate must be distributed to every client computer
that connects to the secure server.
To distribute your certificate to your clients:
1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.
Consider using nonrewritable media, such as a CD-R. Using nonrewritable media
prevents the certificate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate
was copied onto the client computer.
3 Drag the certificate to the System keychain using Keychain Access.
4 Authenticate as an administrator, if requested.
5 Double-click the certificate to get the certificate details.
6 In the details window, click the Trust disclosure triangle.
7 From the pop-up menu next to “When using this certificate,” select “Always Trust.”
You have now added trust to this certificate, regardless of who it is signed by.
From the command line:
# ------------------------------------------------------------------
# Using the security tool to edit trust settings
# ------------------------------------------------------------------
# Where <certificate> is the local file path to the certificate.
#
sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>
Deleting a Certificate
When a certificate has expired or been compromised, you must delete it.
To delete a certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Select the Certificate Identity to delete.
4 Click the Remove (-) button and select Delete.
5 Click Save.
Renewing an Expiring Certificate
Certificates have an expiration date and must be renewed periodically. Renewing a
certificate is the same as replacing a certificate with a newly generated one with an
updated expiration date.
To renew an expiring certificate:
1 Request a certificate from the CA.
If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to renew.
5 Click the Action button and select “Replace Certificate with Signed or Renewed
Certificate.”
6 Drag the renewed certificate to the sheet.
7 Click Replace Certificate.
Replacing an Existing Certificate
If you change the DNS name of the server or any virtual hosts on the server, you must
replace an existing certificate with an updated one.
To replace an expiring certificate:
1 Request a certificate from the CA.
If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to replace.
5 Click the Action button and select “Replace Certificate with Signed or Renewed
Certificate.”
6 Drag the replacement certificate to the sheet.
7 Click Replace Certificate.
10 Setting General Protocols and Access to Services
Use this chapter to learn how to use Server Admin to configure access to services and to set general protocols.
Server Admin helps you configure and manage servers. You can set general protocols, name or rename computers, set the date and time, manage certificates, and set user access to specific services.
Setting General Protocols
Snow Leopard Server includes basic network management protocols, including network time protocol (NTP) and simple network management protocol (SNMP). Unless these are required, they should be disabled.
Disabling NTP Service
NTP allows computers on a network to synchronize Date & Time settings. Client computers specify their NTP server in the Date & Time panel of System Preferences.
NTP client access is typically required. If so, enable it on a single, trusted server on the local network. This service should be disabled on all other servers.
For more information about the open source implementation, see www.ntp.org.
To disable NTP service:
1 Open Server Admin and connect to the server.
2 Click Settings, then click Date & Time.
3 If NTP client access is required, make sure your server is configured to “Set date & time automatically.”
4 From the pop-up menu, choose the server you want to act as a time server.
5 Click General.
6 Deselect the “Network Time Server (NTP)” checkbox.
7 Click Save.
From the command line:
# --------------------------------------------------------------------
# Setting General Protocols
# --------------------------------------------------------------------
#
# Disable NTP Client access.
# ----------
sudo systemsetup -setusingnetworktime off
#
# Disable NTP service.
# -----------
sudo serveradmin settings info:ntpTimeServe = no
Disabling SNMP
SNMP software allows other computers to monitor and collect data on the state of a computer running Snow Leopard Server. This helps administrators identify computers that warrant attention, but use of this service is not recommended.
To disable SNMP:
1 Open Server Admin and connect to the server.
2 Click Settings.
3 Click General.
4 Deselect “Network Management Server (SNMP).”
5 Click Save.
From the command line:
#
# Disable SNMP.
# -----------
sudo serveradmin settings info:enableSNMP = no
# or alternatively:
# sudo service org.net-snmp.snmpd stop
Enabling SSH
Snow Leopard Server also includes secure shell (SSH). SSH allows you to log in to other computers on a network, execute commands remotely, and move files from one computer to another. It provides strong authentication and secure communication, and is therefore recommended if remote login is required. For more information, see www.openssh.org.
To enable SSH:
1 Open Server Admin and connect to the server.
2 Click Settings.
3 Click General.
4 Select “Remote Login (SSH).”
5 Click Save.
From the command line:
#
# Enable SSH.
# ---------
sudo service ssh start
# or alternatively:
# sudo serveradmin settings info:enableSSH = yes
About Remote Management (ARD)
You can use ARD to perform remote management tasks such as screen sharing. When sharing your screen, provide access only to specific users to prevent unauthorized access to your computer screen. You must also determine the privileges users will have when viewing your screen.
ARD is turned off by default and should remain off when it is not being used. This prevents unauthorized users from attempting to access your computer.
You can administer ARD using a built-in command-line tool called kickstart. You can find more information about the tool and its capabilities by using its built-in help. Access the help by entering the following command:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help
For more information about ARD and its uses and capabilities, see Apple Remote Desktop Administrator Guide.
Remote Management Best Practices
An ARD manager with full privileges can run these tasks as the root user. By limiting the privileges that an ARD manager has, you increase security. When setting privileges, disable or limit an administrator’s access to an ARD client.
You can set a VNC password that requires authorized users to use a password to access your computer. The most secure way is to require authorized users to request permission to access your computer screen.
Remote Management can act as a standard VNC server, accepting connections from VNC clients. Enabling VNC access is not recommended.
If users connect to your computer using VNC, require that they use a password by enabling “VNC viewer may control screen with password.” Use Password Assistant to create a strong password for VNC users.
Limiting Remote Management Access
Users that have access to screen control and command-line code execution using Apple Remote Desktop effectively have root user access on the computer, even if their user account is a standard account. You should limit what users are allowed to do with Remote Management.
Change the default setting for remote management from “All users” to “Only these users.” The default setting “All users” includes all users on your local computer and all users in the directory server you are connected to.
Any account using ARD should have limited privileges to prevent remote users from having full control of your computer.
You can securely configure ARD by restricting access to specific users. You can also restrict each user’s privileges by setting ARD options. Limit the user’s privileges to the user’s permission on the computer. For example, you might not want to give a standard user the ability to change your settings or delete items.
To limit Remote Management access:
1 On the server, open System Preferences and click Sharing.
If the preference pane is locked, click the lock and enter the user name and password of a user with administrator privileges on the computer.
2 Select Remote Management in the Sharing pane.
3 Select “Only these users,” click Add (+), select users, and click Select.
4 Select a user in the list to change that user’s administrator privileges.
5 Click Options.
6 Make the changes to the access privileges and then click OK.
Your changes take effect immediately.
You can hold down the Option key while clicking an access privilege checkbox to automatically select all access checkboxes.
For more information about the privileges list, see “Apple Remote Desktop Administrator Access” in the Apple Remote Desktop Administrator Guide.
7 If you’re changing access for several users, repeat this for each user.
From the command line:
#
# Remote Management (ARD)
# ----------------------------
# Limiting Remote Management Access
# Repeat for each specified user.
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users $ARD_USERNAME -privs <none|all|ControlObserve|DeleteFiles|TextMessages|ShowObserve|OpenQuitApps|GenerateReports|RestartShutDown|SendFiles|ChangeSettings|ObserveOnly> -restart
# Specify the user
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -allowAccessFor -specifiedUsers $ARD_USERNAME
Disabling Remote Management Access
You can disable Remote Management in several different ways. You can:
• Disable access for all users.
• Stop the ARD Agent process temporarily.
• Disable the service entirely.
You might want to keep the computer running as an ARD Task Server but not let users control it remotely. In such a case, you would disable access for the users, but leave the agent running and the service intact.
If you stop the agent, it relaunches at system restart, so it doesn’t remain permanently disabled.
To disable access for all users:
1 On the server, open System Preferences and click Sharing.
If the preference pane is locked, click the lock and enter the user name and password of a user with administrator privileges on the computer.
2 Select Remote Management in the Sharing pane.
3 Select a user from the “Only these users” list.
4 Click Remove (-).
5 Repeat for each user.
To stop the Agent process:
1 Open Terminal.app.
2 Enter the following command:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
To disable the service:
1 Open Server Admin and connect to the server.
2 Click Settings.
3 Click General.
4 Deselect “Remote Management.”
5 Click Save.
From the command line:
#
# Disable Remote Management
# --------------------------
# To remove user access:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off
# To stop the ARD agent:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
# To disable the service (kickstart must run as root, like the commands above):
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
# or alternatively:
# sudo serveradmin settings info:enableARD = no
Remote Apple Events (RAE)
If you enable Remote Apple Events (RAE), you allow your computer to respond to events sent by other computers on your network. These events include AppleScript programs. A malicious AppleScript program can do things like delete your ~/Documents/ folder.
RAE is turned off by default and should remain off when it is not used. This prevents unauthorized users from accessing your computer.
From the command line:
#
# Remote Apple Events (RAE)
# ----------------------------
# Disable Remote Apple Events.
sudo launchctl unload -w /System/Library/LaunchDaemons/eppc.plist
Restricting Access to Specific Users
Avoid enabling RAE. If you enable RAE, do so on a trusted private network and disable it immediately after disconnecting from the network. Change the default setting for RAE from “All users” to “Only these users.” The default setting “All users” includes all users on your local computer and all users in the directory server you are connected to.
When securely configuring RAE, restrict remote events to only be accepted from specific users. This prevents unauthorized users from sending malicious events to your computer. If you create a sharing user account, create a strong password using Password Assistant. Avoid accepting events from Mac OS 9 computers. If you need to accept Mac OS 9 events, use Password Assistant to create a strong password.
Setting the Server’s Host Name
You can change your computer name and local host name in Server Admin. When other users use Bonjour to discover your available services, the server is displayed as hostname.local.
To increase your privacy, change the host name of your computer so your computer cannot be easily identified. The name should not indicate the purpose of the computer, and the word “server” should not be used as the name or part of the name.
Setting the Date and Time
Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. You can use Server Admin to configure your computer to set the date and time based on an NTP server. If you require automatic date and time, use a trusted, internal NTP server.
Setting Up Certificates
Certificate Manager is integrated into Server Admin to help you create, use, and maintain identities for SSL-enabled services. Certificate Manager provides integrated management of SSL certificates in Snow Leopard Server for services that allow the use of SSL certificates.
For more information about setting up certificates, see “Certificate Manager in Server Admin” on page 167.
Setting Service Access Control Lists (SACLs)
You use a Service Access Control List (SACL) to enforce who can use a specific service. It is not a means of authentication. It is a list of those who have access rights to use the service.
SACLs allow you to add a layer of access control on top of standard and ACL permissions.
A user or group not in a service’s SACL cannot access the service. For example, to prevent users from accessing AFP share points on a server, including home folders, remove the users from the AFP service’s SACL.
Server Admin in Snow Leopard Server allows you to configure SACLs. Open Directory authenticates user accounts, and SACLs authorize use of services. If Open Directory authenticates you, the SACL for the login window determines whether you can log in, the SACL for AFP service determines whether you can connect for Apple file service, and so on.
Some services also determine whether a user is authorized to access specific resources. This authorization can require retrieving additional user account information from the directory domain. For example, AFP service needs the user ID and group membership information to determine which folders and files the user is authorized to read and write to.
To set SACL permissions for a service:
1 Open Server Admin and connect to the server.
2 Click Access.
3 Click Services.
4 To restrict access to all services at once, select “For all services.” Deselect this option to set access permissions per service.
5 If you deselect “For all services,” select a service from the Service list.
6 To provide unrestricted access to services, click “Allow all users and groups.”
To provide access to specific users and groups:
a Select “Allow only users and groups below.”
b Click the Add (+) button to open the Users & Groups drawer.
c Drag users and groups from the Users & Groups drawer to the list.
7 Click Save.
You can limit access to command-line tools that might run services by limiting the use of the sudo command. For more information, see “Managing the sudoers File” on page 361.
From the command line:
# Set SACL permissions for a service.
# ---------------------------------
sudo dseditgroup -o edit -a $USER -t user $SACL_GROUP
11 Securing Remote Access Services
Use this chapter to learn how to secure Remote Access services.
Many organizations have individuals who need to connect to network resources remotely. This can create additional vulnerabilities unless your remote access services are securely configured.
Snow Leopard Server allows remote access using remote login and VPN services. These services should be disabled unless they are required.
Remote Access services via remote login consist of two components, each using the Secure Shell (SSH) service to establish an encrypted tunnel between client and server. “Securing Remote SSH Login” on page 185 discusses securing the server component, while “Configuring SSH” on page 186 discusses securing the client component.
For additional information about configuring remote access services, see the Network Services Administration guide.
Securing Remote SSH Login
Remote Login allows users to connect to your computer through SSH. By enabling Remote Login, you activate more secure versions of commonly used insecure tools.
Be aware of the following SSH tools:
• sshd: Daemon that acts as a server to all other commands
• ssh: Primary user tool for remote shell and port-forwarding sessions
• scp: Secure copy, a tool for automated file transfers
• sftp: Secure FTP, a replacement for FTP
The following table lists tools enabled with Remote Login and their insecure counterparts.
Secure Remote Login Tool    Insecure Tool
ssh                         telnet
slogin                      login
scp                         rcp
sftp                        ftp
SSH creates a secure encrypted channel that protects communication with your computers. Do not use older services that do not encrypt their communications, such as Telnet or RSH—they allow network eavesdroppers to intercept passwords or other data.
Unless you must remotely log in to the computer or use another program that depends on SSH, disable the remote login service. However, Server Admin requires SSH. If you disable remote login, you cannot use Server Admin to remotely administer the server.
To disable remote login:
1 Open System Preferences.
2 Click Sharing.
3 In the Service list, deselect Remote Login.
Configuring SSH
SSH lets you send secure, encrypted commands to a remote computer, as if you were sitting at the computer. Use the ssh tool in Terminal to open a command-line connection to a remote computer. While the connection is open, commands you enter are performed on the remote computer.
Note: You can use any application that supports SSH to connect to a computer running Snow Leopard or Snow Leopard Server.
SSH works by setting up encrypted tunnels using public and private keys. Here is a description of an SSH session:
1 The local and remote computers exchange their public keys.
If the local computer has never encountered a given public key before, SSH prompts you whether to accept the unknown key.
2 The two computers use the public keys to negotiate a session key that is used to encrypt subsequent session data.
3 The remote computer attempts to authenticate the local computer using RSA or DSA certificates. If this is not possible, the local computer is prompted for a standard user name/password combination.
For information about setting up certificate authentication, see “Generating Key Pairs for Key-Based SSH Connections” on page 187.
4 After successful authentication, the session begins. Either a remote shell, a secure file transfer, a remote command, or so on, begins through the encrypted tunnel.
Modifying the SSH Configuration File
Making changes to the SSH configuration file enables you to set options for each ssh connection. You can make these changes systemwide or for specific users. To make the change systemwide, change the options in the /etc/ssh_config file, which affects ssh users on the computer. To make the change for a single user, change the options in the username/.ssh/config file.
The ssh configuration file has connection options and other specifications for an ssh host. A host is specified by the Host declaration. By default, the Host declaration is an asterisk (*), indicating that any host you are connecting to will use the options listed below the Host declaration.
You can add a specific host and options for that host by adding a new Host declaration. The new Host declaration will specify a name or address in place of the asterisk. You can then set the connection options for the host below the Host declaration. This helps secure your ssh sessions in environments with varying security levels.
For example, if you are connecting to a server using ssh through the Internet, the server might require a more secure or stricter connection. However, if you are in a more secure environment, such as your own personal network, you might not require the same strict connection options.
For more information about ssh configuration file options, see the ssh man pages.
To enable SSH, see “Enabling SSH” on page 178.
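Host declarations are matched top to bottom and ssh keeps the first value it finds for each option, so a host-specific block only takes effect if it appears before the “Host *” defaults. The following script is an added example, not code from the Apple guide: it reads a constructed ssh_config (placeholder host names) and resolves the option that applies to a given host the way ssh does, so you can check that a stricter per-host block really wins.

```sh
#!/bin/sh
# Added example, not from the Apple guide: resolve the value of an ssh_config
# option for a host the way ssh does. Blocks are read top to bottom, Host
# patterns are shell-style globs (* and ?), and the FIRST value found for an
# option wins. A host-specific block therefore has to appear BEFORE "Host *",
# otherwise the defaults silently override it. Negated patterns (!host) and
# Match blocks are not handled here.

# Constructed sample config; the host names are placeholders, not real servers.
SSH_CONFIG_SAMPLE='# strict settings for a server reached over the Internet
Host server1.example.com
    StrictHostKeyChecking yes
    PasswordAuthentication no
    PubkeyAuthentication yes

# machines on the private network
Host *.local
    StrictHostKeyChecking ask

# defaults for every other host
Host *
    StrictHostKeyChecking ask
    PasswordAuthentication yes
'

# trim_leading <string>: print <string> without leading blanks or tabs
trim_leading() {
    s=$1
    printf '%s\n' "${s#"${s%%[![:space:]]*}"}"
}

# ssh_config_get <host> <option> [config-text]
# Prints the option value that applies to <host>, or nothing if no matching
# block sets it. Uses SSH_CONFIG_SAMPLE when no config text is given.
ssh_config_get() {
    host=$1
    opt=$2
    cfg=${3:-$SSH_CONFIG_SAMPLE}
    # set -f: Host patterns like "*" must not be expanded against the
    # current directory; it only affects this pipeline's subshell.
    printf '%s\n' "$cfg" | {
        set -f
        in_match=0                  # 1 while inside a Host block matching $host
        while IFS= read -r line; do
            line=$(trim_leading "$line")
            case $line in ''|'#'*) continue ;; esac
            key=${line%%[[:space:]]*}
            value=$(trim_leading "${line#"$key"}")
            if [ "$key" = Host ]; then
                in_match=0
                for pat in $value; do      # a Host line may list several patterns
                    case $host in $pat) in_match=1 ;; esac
                done
            elif [ "$in_match" = 1 ] && [ "$key" = "$opt" ]; then
                printf '%s\n' "$value"     # first match wins: stop scanning
                break
            fi
        done
    }
}
```

Passing a config whose “Host *” block comes first shows the pitfall: the defaults win and the per-host setting is never used.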
Generating Key Pairs for Key-Based SSH Connections
By default, SSH supports the use of password, key, and Kerberos authentication. The standard method of SSH authentication is to supply login credentials in the form of a user name and password. Identity key pair authentication enables you to log in to the server without supplying a password.
This process works as follows:
1 A private and a public key are generated, each associated with a user name to establish that user’s authenticity.
2 When you attempt to log in as that user, the user name is sent to the remote computer.
3 The remote computer looks in the user’s .ssh/ folder for the user’s public key.
This folder is created after using SSH the first time.
4 A challenge is then sent to the user based on his or her public key.
5 The user verifies his or her identity by using the private portion of the key pair to decode the challenge.
6 After the challenge is decoded, the user is logged in without the need for a password.
This is especially useful when automating remote scripts.
Key-based authentication requires possession of the private key instead of a password to log in. A private key is much harder to guess than a password. However, if the home folder where the private key is stored is compromised—assuming the private key is not protected by a password—then this private key can be used to log in to other systems. Password authentication can be compromised without needing a private key file.
If the server uses FileVault to encrypt the home folder of the user you want to use SSH to connect as, you must be logged in on the server to use SSH. Alternatively, you can store the keys for the user in a location that is not protected by FileVault. However, this is not secure.
To generate the identity key pair:
1 Enter the following command on the local computer.
ssh-keygen -t dsa
2 When prompted, enter a file name to save the keys in the user’s folder.
3 Enter a password followed by password verification (empty for no password).
For example:
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/anne/.ssh/id_dsa): frog
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in frog.
Your public key has been saved in frog.pub.
The key fingerprint is:
4a:5c:6e:9f:3e:35:8b:e5:c9:5a:ac:00:e6:b8:d7:96 [email protected]
This creates two files. Your identification or private key is saved in one file (frog in our example) and your public key is saved in the other (frog.pub in our example). The key fingerprint, derived cryptographically from the public key value, is also displayed. This secures the public key, making it computationally infeasible for duplication.
Note: The location of the server SSH key is /etc/ssh_host_key.pub. Back up your key in case you need to reinstall your server software. If your server software is reinstalled, you can retain the server identity by putting the key back in its folder.
4 Copy the resultant public file, which contains the local computer’s public key, to the .ssh/ folder in the user’s home folder on the remote computer.
The next time you log in to the remote computer from the local computer, you won’t need to enter a password (unless you entered one in Step 3 above).
Note: If you are using an Open Directory user account and have logged in using the account, you do not need to supply a password for SSH login. On Snow Leopard Server computers, SSH uses Kerberos for single sign-on authentication with any user account that has an Open Directory password (but Kerberos must be running on the Open Directory server). For more information, see the Open Directory Administration guide.
Updating SSH Key Fingerprints
The first time you connect to a remote computer using SSH, the local computer prompts for permission to add the remote computer’s fingerprint (or encrypted public key) to a list of known remote computers. You might see a message like this:
The authenticity of host "server1.example.com" can’t be established.
RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7.
Are you sure you want to continue connecting (yes/no)?
The first time you connect, you have no way of knowing whether this is the correct host key. When you respond “yes,” the host key is then inserted into the ~/.ssh/known_hosts file so it can be compared in later sessions. Be sure this is the correct key before accepting it. If at all possible, provide users with the encryption key through FTP, mail, or a download from the web, so they can verify the identity of the server.
If you later see a warning message about a man-in-the-middle attack when you try to connect, the key on the remote computer might no longer match the key stored on the local computer. This can happen if you:
• Change your SSH configuration on the local or remote computer.
• Perform a clean installation of the server software on the computer you are attempting to log in to using SSH.
• Start up from a Snow Leopard Server CD on the computer you are attempting to log in to using SSH.
• Attempt to use SSH to log in to a computer that has the same IP address as a computer that you previously used SSH with on another network.
To connect again, delete the entries corresponding to the remote computer you are accessing (which can be stored by both name and IP address) in ~/.ssh/known_hosts.
Important: Removing an entry from the known_hosts file bypasses a security mechanism that helps you avoid imposters and man-in-the-middle attacks. Be sure you understand why the key on the remote computer has changed before you delete its entry from the known_hosts file.
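For the cleanup step above, the following script is an added example, not code from the Apple guide. It finds every known_hosts entry recorded for one computer under its name and its IP address (the file contents, host names and keys are constructed placeholders), removes only those entries, and keeps a backup, so the trust you have built up for every other host stays intact.

```sh
#!/bin/sh
# Added example, not from the Apple guide: list and remove the known_hosts
# entries for one remote computer before reconnecting after a host-key change
# you have verified. A computer can be recorded under its name, its IP
# address, or both at once (comma-separated in the first field), so every
# name and address it is known by must be given. Non-default ports are stored
# as [host]:port; pass that form literally. Entries whose first field starts
# with "|1|" are hashed and cannot be matched by text here (ssh-keygen -R
# handles those); they are reported as skipped by leaving them untouched.

# Constructed sample file; the keys are placeholders, not real public keys.
KNOWN_HOSTS_SAMPLE='server1.example.com,192.168.0.10 ssh-rsa AAAAB3Nza_SAMPLE_KEY_1
fileserver.local ssh-rsa AAAAB3Nza_SAMPLE_KEY_2
192.168.0.10 ssh-dss AAAAB3Nza_SAMPLE_KEY_3
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3Nza_SAMPLE_KEY_4
'

# known_hosts_matches <file> <name-or-ip>...
# Prints, one per line, the 1-based line numbers of entries whose host
# field contains any of the given names or addresses.
known_hosts_matches() {
    file=$1
    shift
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # drop a leading @cert-authority or @revoked marker
        case $line in '@'*) line=${line#*[[:space:]]} ;; esac
        hosts=${line%%[[:space:]]*}      # e.g. server1.example.com,192.168.0.10
        case $hosts in '|1|'*) continue ;; esac   # hashed entry: skip
        for wanted in "$@"; do
            case ",$hosts," in *",$wanted,"*) printf '%s\n' "$n"; break ;; esac
        done
    done < "$file"
}

# known_hosts_remove <file> <name-or-ip>...
# Rewrites <file> without the matched entries, keeps a copy as <file>.bak,
# and prints how many entries were removed. Unmatched lines are copied
# through unchanged.
known_hosts_remove() {
    file=$1
    shift
    drop=" $(known_hosts_matches "$file" "$@" | tr '\n' ' ')"
    cp "$file" "$file.bak"
    n=0
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $drop in *" $n "*) count=$((count + 1)); continue ;; esac
        printf '%s\n' "$line"
    done < "$file.bak" > "$file"
    echo "$count"
}
```

On the sample, removing server1.example.com together with 192.168.0.10 drops the combined entry and the address-only entry, while fileserver.local and the hashed entry remain.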
Controlling Access to SSH
You can use Server Admin to control which users can open a command-line connection using the ssh tool in Terminal. Users with administrator privileges are always allowed to open a connection using SSH. The ssh tool uses the SSH service.
For information about restricting user access to services, see “Setting Service Access Control Lists (SACLs)” on page 183.
SSH Man-in-the-Middle Attacks
An attacker might be able to access your network and compromise routing information, so that packets intended for a remote computer are routed to the attacker, who impersonates the remote computer to the local computer and the local computer to the remote computer.
Here’s a typical scenario: A user connects to the remote computer using SSH. By means of spoofing techniques, the attacker poses as the remote computer and receives the information from the local computer. The attacker then relays the information to the intended remote computer, receives a response, and then relays the remote computer’s response to the local computer. Throughout the process, the attacker is aware of information that goes back and forth, and can modify it.
The following message can indicate a man-in-the-middle attack when connecting to the remote computer using SSH.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Protect against this type of attack by verifying that the host key sent back is the correct host key for the computer you are trying to reach. Be watchful for the warning message, and alert your users to its meaning.
Transferring Files Using SFTP
SFTP is a secure FTP protocol that uses SSH to transfer files. SFTP encrypts commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. Always use SFTP instead of FTP.
To transfer a file using SFTP:
1 Open Terminal.
2 Start the SFTP session.
sftp username@hostname
Replace username with your user name and hostname with the IP address or host name of the server you are connecting to.
3 Enter your password when prompted.
You are now connected securely to the server.
4 Use the SFTP commands to transfer files from the prompt.
sftp>
Use the put command to transfer a file from the local computer to the remote computer. Use the get command to transfer a file from the remote computer to the local computer.
5 Enter the following to transfer a picture file from the remote computer to the local computer.
sftp> get picture.png /Users/annejohnson/picture.png
6 To disconnect and end the SFTP session, enter exit at the prompt.
Securing VPN Service
By configuring a Virtual Private Network (VPN) on your server, you can give users a more secure way of remotely communicating with computers on your network.
A VPN consists of computers or networks (nodes) connected by a private link of encrypted data. This link simulates a local connection, as if the remote computer were attached to the LAN.
VPNs securely connect users working away from the office (for example, at home) to the LAN through a connection such as the Internet. From the user’s perspective, the VPN connection appears as a dedicated private link.
VPN technology can also connect an organization to branch offices over the Internet while maintaining secure communications. The VPN connection across the Internet acts as a WAN link between the sites.
VPNs have several advantages for organizations whose computer resources are physically separated. For example, each remote user or node uses the network resources of its Internet Service Provider (ISP) rather than having a direct, wired link to the main location.
VPN and Security
VPNs increase security by requiring strong authentication of identity and encrypted data transport between the nodes for data privacy and dependability. The following sections contain information about supported transports and authentication methods.
Transport Protocols
There are two encrypted transport protocols: Layer Two Tunneling Protocol, Secure Internet Protocol (L2TP/IPSec) and Point-to-Point Tunneling Protocol (PPTP). You can enable either or both of these protocols. Each has its own strengths and requirements.
L2TP/IPSec
L2TP/IPSec uses strong IPSec encryption to tunnel data to and from network nodes. It is based on Cisco’s L2F protocol.
IPSec requires security certificates (self-signed or signed by a CA such as Verisign) or a predefined shared secret between connecting nodes.
The shared secret must be entered on the server and the client.
The shared secret is not a password for authentication, nor does it generate encryption keys to establish secure tunnels between nodes. It is a token that the key management systems use to trust each other.
L2TP is Snow Leopard Server’s preferred VPN protocol because it has superior transport encryption and can be authenticated using Kerberos.
PPTP
PPTP is a commonly used Windows standard VPN protocol. PPTP offers good encryption (if strong passwords are used) and supports a number of authentication schemes. It uses the user-provided password to produce an encryption key.
By default, PPTP supports 128-bit (strong) encryption. PPTP also supports the 40-bit (weak) security encryption.
PPTP is necessary if you have Windows clients with versions earlier than Windows XP or if you have Mac OS X v10.2 clients or earlier.
Configuring L2TP/IPSec Settings
Use Server Admin to designate L2TP as the transport protocol. If you enable this protocol, you must also configure connection settings. You must designate an IPSec shared secret (if you don’t use a signed security certificate), the IP address allocation range to be given to your clients, and the group that will use the VPN service (if needed). If you use L2TP and PPTP, provide each protocol with a separate, nonoverlapping address range.
When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:
• For the “any” address group, enable GRE, ESP, VPN L2TP (port 1701), and VPN ISAKMP/IKE (port 500).
• For the “192.168-net” address group, choose to allow all traffic.
To configure L2TP settings:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of servers appears.
3 From the expanded Servers list, select VPN.
4 Click Settings, then click L2TP.
5 Select the “Enable L2TP over IPSec” checkbox.
6 In the “Starting IP address” field, set the beginning IP address of the VPN allocation range.
It can’t overlap the DHCP allocation range, so enter 192.168.0.128.
7 In the “Ending IP address” field, set the ending IP address of the VPN allocation range.
It can’t overlap the DHCP allocation range, so enter 192.168.0.255.
8 (Optional) To load-balance the VPN, select the Enable Load Balancing checkbox and enter an IP address in the Cluster IP address field.
9 Choose a PPP authentication type.
If you choose Directory Service and your computer is bound to a Kerberos authentication server, from the Authentication pop-up menu select Kerberos. Otherwise, choose MS-CHAPv2.
If you choose RADIUS, enter the following information:
Primary IP Address: Enter the IP address of the primary RADIUS server.
Shared Secret: Enter a shared secret for the primary RADIUS server.
Secondary IP Address: Enter the IP address of the secondary RADIUS server.
Shared Secret: Enter a shared secret for the secondary RADIUS server.
10 In the IPSec Authentication section, enter the shared secret or select the certificate to use.
The shared secret is a common password that authenticates members of the cluster. IPSec uses the shared secret as a preshared key to establish secure tunnels between cluster nodes.
11 Click Save.
Configuring PPTP Settings
Use Server Admin to designate PPTP as the transport protocol.
If you enable this protocol, you must also configure connection settings. You should designate an encryption key length (40-bit or 128-bit), the IP address allocation range to be given to your clients, and the group that will use the VPN service (if needed). If you use L2TP and PPTP, provide the protocols with a separate, nonoverlapping address range.
When configuring VPN, make sure the firewall allows VPN traffic on needed ports with the following settings:
• For the “any” address group, enable GRE, ESP, VPN L2TP (port 1701), and IKE (port 500).
• For the “192.168-net” address group, choose to allow all traffic.
To configure PPTP settings:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of servers appears.
3 From the expanded Servers list, select VPN.
4 Click Settings, then click PPTP.
5 Select “Enable PPTP.”
6 If needed, select “Allow 40-bit encryption keys in addition to 128-bit” to permit 40-bit and 128-bit key encryption access to VPN.
WARNING: 40-bit encryption keys are much less secure but can be necessary for some VPN client applications.
7 In the “Starting IP address” field, set the beginning IP address of the VPN allocation range.
It can’t overlap the DHCP allocation range, so enter 192.168.0.128.
8 In the “Ending IP address” field, set the ending IP address of the VPN allocation range.
It can’t overlap the DHCP allocation range, so enter 192.168.0.255.
9 Choose a PPP authentication type.
If you choose Directory Service and your computer is bound to a Kerberos authentication server, from the Authentication pop-up menu select Kerberos. Otherwise, choose MS-CHAPv2.
If you choose RADIUS, enter the following information:
Primary IP Address: Enter the IP address of the primary RADIUS server.
Shared Secret: Enter a shared secret for the primary RADIUS server.
Secondary IP Address: Enter the IP address of the secondary RADIUS server.
Shared Secret: Enter a shared secret for the secondary RADIUS server.
10 Click Save.
VPN Authentication Method
Snow Leopard Server L2TP VPN uses Kerberos v5 or Microsoft’s Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. Snow Leopard Server PPTP VPN uses MS-CHAPv2 for authentication.
Kerberos is a secure authentication protocol that uses a Kerberos Key Distribution Server as a trusted third party to authenticate a client to a server.
MS-CHAPv2 authentication encodes passwords when they’re sent over the network, and stores them in a scrambled form on the server. This method offers good security during network transmission. It is also the standard Windows authentication scheme for VPN.
Snow Leopard Server PPTP VPN can also use other authentication methods. Each method has its own strengths and requirements. These other authentication methods for PPTP are not available in Server Admin.
To use an alternative authentication scheme (for example, to use RSA Security’s SecurID authentication), you must edit the VPN configuration file manually. The configuration file is located at /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist.
For more information, see “Offering SecurID Authentication with VPN Service” on page 196.
Using VPN Service with Users in a Third-Party LDAP Domain
To use VPN service for users in a third-party LDAP domain (an Active Directory or Linux OpenLDAP domain), you must be able to use Kerberos authentication. If you need to use MS-CHAPv2 to authenticate users, you can’t offer VPN service for users in a third-party LDAP domain.
Offering SecurID Authentication with VPN Service
RSA Security provides strong authentication. It uses hardware and software tokens to verify user identity. SecurID authentication is available for L2TP and PPTP transports. For details and product offerings, see www.rsasecurity.com.
Snow Leopard Server VPN service can offer SecurID authentication, but it cannot be set up in Server Admin. You can use Server Admin to configure standard VPN services, but Server Admin does not have an interface for choosing your authentication method. If you must designate an authentication scheme (such as RSA Security SecurID) other than the default, change the VPN configuration manually.
For additional information, see the RSA SecurID Ready Implementation Guide, located on the web at rsasecurity.agora.com/rsasecured/guides/imp_pdfs/MacOSX_ACE_51.pdf.
To manually configure RSA Security SecurID authentication:
1 Open Terminal.
2 Create a folder named /var/ace on your Snow Leopard Server.
sudo mkdir /var/ace
Authenticate, if requested.
3 In Finder, choose Go > Go to Folder.
4 Type /var/ace.
5 Click Go.
6 Copy the sdconf.rec file from a SecurID server to /var/ace/.
You see a dialog indicating that the /var/ace/ folder cannot be modified. Click Authenticate to allow the copy.
7 Configure the VPN service (PPTP or L2TP) on your Snow Leopard Server to enable EAP-SecurID authentication for the protocols you want to use it with.
Enter the following in Terminal, replacing protocol with either pptp or l2tp:
sudo serveradmin settings vpn:Servers:com.apple.ppp.protocol:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
sudo serveradmin settings vpn:Servers:com.apple.ppp.protocol:PPP:AuthenticatorProtocol:_array_index: = "EAP"
8 Complete the remainder of Snow Leopard Server VPN service configuration using Server Admin.
Encrypting Observe and Control Network Data
Although Apple Remote Desktop (“Remote Management”) sends authentication information, keystrokes, and management commands encrypted by default, you might want additional security. You can choose to encrypt all Observe and Control traffic, at a performance cost.
Encryption is done using an SSH tunnel between participating computers. To use encryption for Observe and Control tasks, the target computers must have SSH enabled (“Remote Login” in the computer’s Sharing preference pane). Additionally, firewalls between the participating computers must be configured to pass traffic on TCP port 22 (the SSH well-known port).
If you are trying to control a VNC server that is not Remote Desktop, it cannot support Remote Desktop keystroke encryption. If you try to control that VNC server, you get a warning that the keystrokes aren’t encrypted, which you must acknowledge before you can control the VNC server. If you chose to encrypt all network data, then you cannot control the VNC server because Remote Desktop cannot open the necessary SSH tunnel to the VNC server.
To enable Observe and Control transport encryption:
1 Choose Remote Desktop > Preferences.
2 Click the Security button.
3 In the “Controlling computers” section, select “Encrypt all network data.”
Encrypting Network Data During File Copy and Package Installations
Remote Desktop can send files for Copy Items and Install Packages via encrypted transport. This option is not enabled by default, and you must enable it explicitly for each copy task, or in a global setting in Remote Desktop’s preferences. Even installer package files can be intercepted if not encrypted.
To encrypt individual file copying and package installation tasks:
• In the Copy Items task or Install Packages task configuration window of Remote Desktop, select “Encrypt network data.”
To set a default encryption preference for file copies:
1 In the Remote Desktop Preferences window, select the Security pane.
2 Select “Encrypt transfers when using Copy Items,” or “Encrypt transfers when using Install Packages” as needed.
Alternatively, you can encrypt a file archive before copying it. The encrypted archive can be intercepted, but it would be unreadable.
12
Securing Network Infrastructure Services
Use this chapter to learn how to secure Network and Host Access services.
You can tailor network and host access services in Snow Leopard Server to protect your computer and network users. Proper configuration of services is important and helps create a hardened shell protecting your network.
Snow Leopard Server includes several network and host access services that help you manage and maintain your network. This section describes recommended configurations for securing your network services.
For additional information about configuring network and host access services, see Network Services Administration.
Using IPv6 Protocol
Internet Protocol Version 6 (IPv6) is the Internet’s next-generation protocol designed to replace the current Internet Protocol, IP Version 4 (IPv4, or just IP).
IPv6 improves routing and network autoconfiguration. It increases the number of network addresses to over 3 x 10^38, and eliminates the need for Network Address Translation (NAT). IPv6 is expected to gradually replace IPv4 over a number of years, though the two will continue to coexist during this transition.
Snow Leopard Server’s network services are fully IPv6 capable and ready to transition to the next generation addressing, as well as being fully able to operate with IPv4.
Snow Leopard Server fully supports IPv6, which is configurable from Network preferences. Disable the IPv6 protocol if your server and clients do not require it. Disabling the protocol removes that potential source of vulnerabilities on your computer. For information about disabling IPv6, see “Securing Network Preferences” on page 118.
To enable IPv6:
1 Open Network preferences.
2 In the network connections services list, click the service to configure.
3 Click Advanced.
4 Click TCP/IP.
5 Choose Automatically from the Configure IPv6 pop-up menu.
If you choose Manually, you must know your assigned IPv6 address, your router’s IP address, and a prefix length.
6 Click OK.
7 Click Apply.
From the command line:
# Enabling IPv6
# -------------
# Enable IPv6.
sudo networksetup -setv6on [networkservice]
IPv6-Enabled Services
The following services in Snow Leopard Server support IPv6 addressing:
• DNS (BIND)
• Firewall
• Mail (POP/IMAP/SMTP)
• Windows (SMB/CIFS)
• Web (Apache 2)
These services support IPv6 addresses, but not in Server Admin. IPv6 addresses fail if entered in IP address fields in Server Admin. You can configure IPv6 addresses for these services with command-line tools and by editing configuration files.
A number of command-line tools installed with Snow Leopard Server support IPv6 (for example, ping6 and traceroute6).
For more information about IPv6, see www.ipv6.org.
Chapter 12 Securing Network Infrastructure Services
Securing DHCP Service
Snow Leopard Server includes dynamic host configuration protocol (DHCP) service software, which allows it to provide IP addresses, LDAP server information, and DNS server information to clients.
Disabling Unnecessary DHCP Services
Using DHCP is not recommended. Assigning static IP addresses eases accountability and mitigates the risks posed by a rogue DHCP server. If DHCP use is necessary, only one system should act as the DHCP server and the service should be disabled on all other systems.
To disable the DHCP service:
1 Open Server Admin and connect to the server.
2 Select DHCP in the Computers & Services list.
3 Click Stop DHCP.
4 Click Save.
From the command line:
# Securing DHCP Service
# ---------------------
# Disable DHCP Service
sudo serveradmin stop dhcp
Configuring DHCP Services
To use a server as a DHCP server, configure the DHCP service in Server Admin to not distribute DNS, LDAP, and WINS information. This is a security measure meant to protect client systems.
When client systems accept dynamically assigned DNS, LDAP, and WINS addresses, they become vulnerable to certain forms of network-based attacks from rogue DHCP servers. Users may unknowingly be redirected to malicious websites or servers.
To configure the DHCP service:
1 Open Server Admin and connect to the server.
2 Select DHCP in the Computers & Services list.
3 Select Subnets.
4 Select a subnet.
5 Click DNS.
6 Delete any name servers listed.
7 Click LDAP.
8 Delete any server information that appears.
9 Click WINS.
10 Delete the WINS information.
11 Click Save.
From the command line:
# Configuring DHCP Services
# -------------------------
# Set a DHCP subnet's DNS, LDAP, and WINS parameters to no value
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_domain_name_server:_array_index:0 = ""
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_ldap_url:_array_index:0 = -empty_array
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:WINS_node_type = "NOT SET"
Assigning Static IP Addresses Using DHCP
You can use Server Admin to assign IP addresses to specific computers. This helps simplify configuration when using DHCP and lets you have some static servers or services.
To avoid potential address conflicts and prevent hackers from easily obtaining valid IP addresses, use a static map to track network activity. A static map consists of a specific IP address assigned to a network device.
To assign a static IP address to a device, you need the device’s Ethernet address (sometimes called its MAC address or hardware address). Each network interface has its own Ethernet address.
If you have a computer that moves between wired and wireless networks, it uses two Ethernet addresses: one for the wired connection, and one for the wireless connection.
To assign a static IP address:
1 Open Server Admin and connect to the server.
2 Select DHCP in the Computers & Services list.
3 Click Static Maps.
4 Click Add Computer.
5 Enter the name of the computer.
6 In the Network Interfaces list, click the column to enter the following information:
MAC Address of the computer that needs a static address.
IP address you want to assign to the computer.
7 If the computer has other network interfaces that require static IP addresses, click the Add (+) button and enter the IP address for each interface.
8 Click OK.
9 Click Save.
From the command line:
# Set a DHCP client's static IP address
# -------------------------------------
# Each computer needs its own GUID within the static map array.
# Increment the array index value for network interfaces
# for a single computer.
serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:ip_address:_array_index:0 = $ASSIGNED_IP_ADDRESS
serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:en_address:_array_index:0 = $COMPUTER_MAC_ADDRESS
serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:name = $COMPUTER_NAME
Securing DNS Service
Snow Leopard Server uses Berkeley Internet Name Domain (BIND) v9.4.1 for its implementation of DNS protocols. BIND is an open source implementation and is used by most name servers on the Internet.
If your server is not intended to be the authoritative DNS server for your namespace, disable the DNS service in Server Admin.
To disable the DNS service:
1 Open Server Admin and connect to the server.
2 Select DNS in the Computers & Services list.
3 Click Stop DNS.
4 Click Save.
From the command line:
# Securing DNS Service
# --------------------
# Disable DNS Service.
sudo serveradmin stop dns
Understanding BIND
BIND is the set of programs used by Snow Leopard Server that implements DNS. One of those programs is the name daemon, or named. To set up and configure BIND, you must change the configuration file and the zone file. The configuration file is /etc/named.conf.
The zone file name is based on the name of the zone. For example, the zone file for example.com is /var/named/example.com.zone.
If you edit named.conf to configure BIND, don’t change the inet settings of the controls statement. Otherwise, Server Admin can’t retrieve status information for DNS. The inet settings should look like this:
controls {
inet 127.0.0.1 port 54 allow {any;}
keys { "rndc-key"; };
};
Using Server Admin after editing BIND configuration files might overwrite changes.
For more information about DNS and BIND, see the following:
• DNS and BIND, 5th edition, by Paul Albitz and Cricket Liu (O’Reilly and Associates, 2006)
• The International Software Consortium website: www.isc.org and www.isc.org/sw/bind
• The DNS Resources Directory: www.dns.net/dnsrd
Turning Off Zone Transfers
Unless your site requires them, use Server Admin to turn off zone transfers and recursive DNS queries.
To turn off zone transfers and recursive DNS queries:
1 Open Server Admin and connect to the server.
2 Select DNS in the Computers & Services list.
3 Click Zones.
4 Select the primary zone you want to change.
5 Click General.
6 Deselect “Allows zone transfer” to prevent hosts on the network from getting copies of the primary zone data.
If needed, set up zone transfers so they only occur between trusted servers. This requires manually editing the BIND configuration files.
7 Click Save.
Disabling Recursion
Recursion fully resolves domain names into IP addresses. Applications depend on the DNS server to perform this function. Other DNS servers that query your DNS servers don’t need them to perform recursion.
To prevent malicious users from changing the primary zone’s records (referred to as cache poisoning) and to prevent unauthorized use of the server for DNS service, you can restrict recursion using Server Admin. However, if you prevent your private network from using recursion, users can’t use your DNS service to look up names outside of your zones.
Disable recursion only if no clients are using this DNS server for name resolution and no servers are using it for forwarding.
If your site requires recursion, allow recursive queries only from trusted clients and not from external networks.
If you enable recursion, consider disabling it for external IP addresses but enabling it for internal IP addresses. This requires manually editing the BIND configuration files.
To disable recursion:
1 Open Server Admin and connect to the server.
2 Select DNS in the Computers & Services list.
3 Click Settings.
4 Remove all entries except “localhost” from the “Accept recursive queries from the following networks” list using the Remove (–) button.
5 Click Save.
Make sure that forward and reverse zones are established and fully populated. Otherwise, any Open Directory server using the DNS service will not work correctly.
Preventing Some DNS Attacks
DNS servers are targeted by malicious computer users (hackers). DNS servers are susceptible to several kinds of attacks. By taking extra precautions, you can prevent the problems and downtime associated with hackers.
Several kinds of security attacks are associated with DNS service:
• DNS cache poisoning
• Server mining
• DNS service profiling
• Denial of service (DoS)
• Service piggybacking
DNS Cache Poisoning
DNS cache poisoning (a form of DNS spoofing) is the adding of false data to the DNS server’s cache. This enables hackers to:
• Redirect real domain name queries to alternative IP addresses.
For example, a falsified A record for a bank could point a computer user’s browser to a different IP address that is controlled by the hacker. A duplicate website could fool users into giving their bank account numbers and passwords to the hacker.
Also, a falsified mail record could enable a hacker to intercept mail sent to or from a domain. If the hacker then forwards that mail to the correct mail server after copying the mail, this can go undetected.
• Prevent proper domain name resolution and access to the Internet.
This is the most benign of DNS cache poisoning attacks. It makes a DNS server appear to be malfunctioning.
The most effective method to prevent these attacks is vigilance. This includes maintaining up-to-date software.
If exploits are found in the current version of BIND, the exploits are patched and a security update is made available for Snow Leopard Server. Apply all such security patches.
Server Mining
Server mining is the practice of getting a copy of a complete primary zone by requesting a zone transfer. In this case, a hacker pretends to be a secondary zone to another primary zone and requests a copy of the primary zone’s records.
With a copy of your primary zone, the hacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them. He or she can then try specific attacks based on those services. This is reconnaissance before another attack.
To prevent this attack, disable zone transfers. If required, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others.
Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers.
To specify zone transfer IP addresses:
1 Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53.
2 Follow the instructions in “Creating Advanced Firewall Rules” on page 217 using the following settings:
• Packet: Allow
• Port: 53
• Protocol: TCP
• Source IP: the IP address of your secondary DNS server
• Destination IP: the IP address of your primary DNS server
DNS Service Profiling
Another common reconnaissance technique used by malicious users is to profile your DNS service. First a hacker makes a BIND version request. The server reports what version of BIND is running. Then the hacker compares the response to known exploits and vulnerabilities for that version of BIND.
To prevent this attack, configure BIND to respond with something other than what it is.
To alter BIND’s version response:
1 Open a command-line text editor (for example vi, emacs, or pico).
2 Open named.conf for editing.
3 To the options brackets of the configuration file, add the following:
version "[your text, maybe 'we're not telling!']";
4 Save named.conf.
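The zone transfer, recursion and version settings described in “Turning Off Zone Transfers,” “Disabling Recursion” and this section all live in the options block of named.conf, and the controls inet line above must stay unchanged. The following is an added example, not Apple's tooling, that audits a named.conf for those four points; the two sample configurations it carries are constructed, and the allow-transfer and allow-recursion directives it looks for are standard BIND syntax rather than anything Server Admin writes for you.

```python
"""Audit a BIND named.conf options block against this chapter's checks.

Added example, not Apple's tooling: it flags zone transfers left open (server
mining), recursion open to any client (service piggybacking), no version
override (service profiling), and a controls inet line that differs from the
one Server Admin needs. The sample configs at the bottom are constructed.
"""
import re
from typing import Dict, List, Optional

EXPECTED_CONTROLS_INET = "inet 127.0.0.1 port 54 allow {any;}"  # from the text above


def _strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block(text: str, name: str) -> Optional[str]:
    """Body of the top-level `name { ... }` statement, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    raise ValueError(f"unbalanced braces in {name} block")


def _acl(body: str, directive: str) -> Optional[List[str]]:
    """Entries of an address-match list such as allow-transfer { a; b; };"""
    m = re.search(re.escape(directive) + r"\s*\{([^}]*)\}", body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_named_conf(conf: str) -> Dict[str, str]:
    """Map each check to 'ok' or a one-line finding."""
    text = _strip_comments(conf)
    opts = _block(text, "options") or ""
    out: Dict[str, str] = {}

    transfer = _acl(opts, "allow-transfer")
    out["zone_transfers"] = ("allow-transfer missing or any: list only secondaries, or none"
                             if transfer is None or "any" in transfer else "ok")

    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    allow_rec = _acl(opts, "allow-recursion")
    if rec and rec.group(1) == "no":
        out["recursion"] = "ok"
    elif allow_rec is None or "any" in allow_rec:
        out["recursion"] = "recursion open to any client: restrict allow-recursion to internal networks"
    else:
        out["recursion"] = "ok"

    out["version"] = ("ok" if re.search(r'\bversion\s+"[^"]*"\s*;', opts)
                      else "no version override: BIND reports its real version to queriers")

    # Compare the controls inet line with whitespace removed on both sides.
    inet = re.search(r"inet\s.*?(?=\bkeys\b|\n|$)", _block(text, "controls") or "")
    squash = lambda s: re.sub(r"\s+", "", s)
    out["controls"] = ("ok" if inet and squash(inet.group(0).rstrip(";")) == squash(EXPECTED_CONTROLS_INET)
                       else "controls inet line changed: Server Admin cannot read DNS status")
    return out


# Constructed samples, not from any real server.
_CONTROLS = """controls {
    inet 127.0.0.1 port 54 allow {any;}
    keys { "rndc-key"; };
};
"""
OPEN_NAMED_CONF = """options {
    allow-transfer { any; };
    recursion yes;
    allow-recursion { any; };
};
""" + _CONTROLS
HARDENED_NAMED_CONF = """options {
    allow-transfer { 192.168.0.3; };   // the secondary DNS server only
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.0.0/24; };
    version "we're not telling!";
};
""" + _CONTROLS
```

Running audit_named_conf over /etc/named.conf after each manual edit catches a reopened transfer or recursion setting before Server Admin has a chance to overwrite it.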
Denial of Service (DoS)
This kind of attack is common and easy. A hacker sends so many service requests and queries that a server uses all its processing power and network bandwidth trying to respond. The hacker prevents legitimate use of the service by overloading it.
It is difficult to prevent this type of attack before it begins. Constant monitoring of the DNS service and server load enables an administrator to catch the attack early and mitigate its damaging effect.
The easiest way to prevent this attack is to block the offending IP address with your firewall. Unfortunately, this means the attack is already underway and the hacker’s queries are being answered and the activity logged.
Service Piggybacking
This attack is done not so much by malicious intruders but by common Internet users who learn the trick from other users. They might feel that the DNS response time with their own ISP is too slow, so they configure their computer to query another DNS server instead of their own ISP’s DNS servers. Effectively, there are more users accessing the DNS server than were planned for.
You can prevent this type of attack by limiting or disabling DNS recursion. If you plan to offer DNS service to your LAN users, they need recursion to resolve domain names, but don’t provide this service to Internet users.
To prevent recursion entirely, see “Disabling Recursion” on page 204.
The most common balance is permitting recursion for requests coming from IP addresses in your own range but denying recursion to external addresses.
ARP Spoofing
This type of attack, also known as ARP poisoning, allows an attacker to take over a computer’s IP address by manipulating the ARP caches of other hosts on the network. The attacker must be on the same network as the computer it is attacking or the host that the computer is communicating with.
The attacker can also use ARP spoofing for a man-in-the-middle attack, which forwards traffic from a computer to the attacker’s computer. This allows the attacker to view packets and look for passwords and confidential data. ARP spoofing can also be used to create a DoS attack, stopping all network traffic.
By configuring your network with static IP addresses and monitoring your network traffic, you can keep unauthorized users from maliciously using your network.
Securing NAT Service
NAT is a protocol you use to give multiple computers access to the Internet using only one assigned public or external IP address. NAT permits you to create a private network that accesses the Internet through a NAT router or gateway. NAT is sometimes referred to as IP masquerading.
The NAT service further enhances security by limiting communication between your private network and a public network (such as the Internet):
• Communication from a computer on your private network is translated from a private IP address to a shared public IP address. Multiple private IP addresses are configured to use a single public IP address.
• Communication to your private network is translated and forwarded to an internal private IP address (IP forwarding). The external computer cannot determine the private IP address. This creates a barrier between your private network and the public network.
• Communication from a public network cannot come into your private network unless it is requested. It is only allowed in response to internal communication.
Note: If using NAT, consider combining NAT routing with other network services.
The NAT router takes all traffic from your private network and remembers internal addresses that have made requests. When the NAT router receives a response to a request, it forwards it to the originating computer. Traffic that originates from the Internet does not reach computers behind the NAT router unless port forwarding is enabled.
Important: Firewall service must be enabled for NAT to function.
If your server is not intended to be a NAT server, deactivate the NAT server software.
To disable NAT service:
1 Open Server Admin and connect to the server.
2 Select NAT in the Computers & Services list.
3 Click Stop NAT.
4 Click Save.
From the command line:
# Securing NAT Service
# --------------------
# Disable NAT service.
sudo serveradmin stop nat
Configuring Port Forwarding
You can direct traffic coming into your NAT network to a specific IP address behind the NAT gateway. This is called port forwarding.
Port forwarding can be used to route external-facing uncommon open ports on the firewall to common internal ports, obfuscating what services are active through the NAT barrier. This practice is not reliable and should not be solely depended on to hide active services on the computer.
Port forwarding lets you set up computers on the internal network that handle incoming connections without exposing other computers to outside connections. For example, you could set up a web server behind the NAT service and forward incoming TCP connection requests on port 80 to the designated web server.
You can’t forward the same port to multiple computers, but you can forward many ports to one computer. Enabling port forwarding requires the use of the Terminal application and administrator access to root privileges through sudo.
You must also create a plist file. The contents of the plist file are used to generate /etc/nat/natd.conf.apple, which is passed to the NAT daemon when it is started. Do not try to edit /etc/nat/natd.conf.apple directly. If you use a plist editor instead of a command-line text editor, alter the following procedure to suit.
To configure port forwarding:
1 If the file /etc/nat/natd.plist doesn’t exist, make a copy of the default NAT daemon plist.
sudo cp /etc/nat/natd.plist.default /etc/nat/natd.plist
2 Using a Terminal editor, add the following block of XML text to /etc/nat/natd.plist before the two lines at the end of the file (</dict> and </plist>), substituting your settings where indicated by the placeholders:
<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key>
        <string>tcp or udp</string>
        <key>targetIP</key>
        <string>LAN_ip</string>
        <key>targetPortRange</key>
        <string>LAN_port_range</string>
        <key>aliasIP</key>
        <string>WAN_ip</string>
        <key>aliasPortRange</key>
        <string>WAN_port_range</string>
    </dict>
</array>
3 Save your file changes.
4 Enter the following commands in the Terminal:
sudo serveradmin stop nat
sudo serveradmin start nat
5 Verify that your changes remain by inspecting the /etc/nat/natd.conf.apple file.
The changes made, except for comments and those settings that Server Admin can change, are used by server configuration tools (Server Admin, Gateway Setup Assistant, and sudo serveradmin).
6 Click Save.
7 Start NAT service.
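Because a hand-edited natd.plist is regenerated into natd.conf.apple without much validation, it pays to build the redirect_port entries programmatically. The following is an added example, not Apple's code: it writes the same redirect_port array as step 2 with plistlib, checks each field, and refuses to forward one external port to two hosts, which the text notes cannot work. The sample plist and the addresses in the test are constructed.

```python
"""Build the redirect_port entries for /etc/nat/natd.plist with plistlib.

Added example, not Apple's code. It produces the same <key>redirect_port</key>
array the procedure above has you paste in by hand, but validates each field
first (protocol, addresses, equal-size port ranges) and refuses to forward one
external port to two hosts, which the text notes natd cannot do. The sample
plist is constructed, not a copy of natd.plist.default.
"""
import ipaddress
import plistlib
from typing import Dict, List


def _parse_range(text: str) -> range:
    """Accept '80' or '8000-8010' and return the inclusive port range."""
    lo, sep, hi = text.partition("-")
    first = int(lo)
    last = int(hi) if sep else first
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return range(first, last + 1)


def make_redirect(proto: str, target_ip: str, target_ports: str,
                  alias_ip: str, alias_ports: str) -> Dict[str, str]:
    """One redirect_port dict with the keys natd.plist expects."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not ipaddress.ip_address(target_ip).is_private:
        raise ValueError("targetIP must be a private LAN address")
    ipaddress.ip_address(alias_ip)  # the WAN address must at least parse
    if len(_parse_range(target_ports)) != len(_parse_range(alias_ports)):
        raise ValueError("targetPortRange and aliasPortRange differ in size")
    return {"proto": proto, "targetIP": target_ip, "targetPortRange": target_ports,
            "aliasIP": alias_ip, "aliasPortRange": alias_ports}


def add_redirects(plist_bytes: bytes, redirects: List[Dict[str, str]]) -> bytes:
    """Append redirects to the plist's redirect_port array and return new XML."""
    doc = plistlib.loads(plist_bytes)
    entries = doc.setdefault("redirect_port", [])
    used = {(r["proto"], r["aliasPortRange"]) for r in entries}
    for r in redirects:
        key = (r["proto"], r["aliasPortRange"])
        if key in used:
            raise ValueError(f"external port already forwarded: {key}")
        used.add(key)
        entries.append(r)
    return plistlib.dumps(doc)


def forwarded_ports(plist_bytes: bytes) -> List[str]:
    """'proto:aliasPortRange->targetIP:targetPortRange' for each redirect."""
    doc = plistlib.loads(plist_bytes)
    return [f"{r['proto']}:{r['aliasPortRange']}->{r['targetIP']}:{r['targetPortRange']}"
            for r in doc.get("redirect_port", [])]


# Constructed stand-in for /etc/nat/natd.plist (not Apple's default file).
SAMPLE_NATD_PLIST = plistlib.dumps({"interface": "en0"})

if __name__ == "__main__":
    web = make_redirect("tcp", "192.168.1.20", "80", "203.0.113.10", "8080")
    print(add_redirects(SAMPLE_NATD_PLIST, [web]).decode())
```

On a real server, read /etc/nat/natd.plist with sudo, pass its bytes to add_redirects, write the result back, then restart NAT as in step 4 and compare forwarded_ports against natd.conf.apple.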
Disabling NAT Port Mapping Protocol
NAT Port Mapping Protocol (NAT-PMP) allows a computer behind the NAT router to automatically configure the router to allow computers outside the private network to contact itself. NAT-PMP automates the process of port forwarding, allowing the internal network computers to control the forwarding.
If you do not want your internal clients to change port-forwarding rules, disable NAT-PMP.
To configure NAT service:
1 Open Server Admin and connect to the server.
2 Select NAT in the Computers & Services list.
3 Click Settings.
4 Deselect “Enable NAT Port Mapping Protocol.”
5 Click Save.
Securing Bonjour (mDNS)
Bonjour is a protocol for discovering file, print, chat, music sharing, and other services on IP networks. Bonjour listens for service inquiries from other computers and provides information about available services. Users and applications on your local network can use Bonjour to quickly determine which services are available on your computer, and you can use it to determine which services are available on theirs.
This easy exchange of information makes service discovery very convenient, but it also incurs a security risk. Bonjour broadcasts the services that are present and the services you have available. These risks must be weighed against the utility of running a network service such as Bonjour.
Aside from the information freely exchanged by Bonjour, network services inherently incur a security risk due to the potential for implementation errors to allow remote attackers to access your system. However, Bonjour mitigates these risks by implementing sandboxing.
To reduce the security risk of running Bonjour, connect only to secure, trusted local networks. Also verify that Network preferences enables only required networking connections. This reduces the chance of connecting to an insecure network.
Before using Bonjour to connect to a service, verify that the service is legitimate and not spoofed. If you connect to a spoofed service, you might download malicious files. If you cannot trust all services on your local network, then Bonjour should not be used.
WARNING: Carefully follow these steps to disable Bonjour. A malformed or problematic mDNSResponder.plist file can prevent your Mac from starting up. Use Time Machine to perform a full backup of your computer before proceeding.
To disable Bonjour advertising, enter the following commands:
1 Make a backup copy of the mDNSResponder.plist file.
2 Open Terminal and open the mDNSResponder.plist file using your preferred text editor. For example:
sudo vi "/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"
3 In the ProgramArguments key of the plist file, add the following string to the <array>...</array> section.
<string>-NoMulticastAdvertisements</string>
For example:
<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-NoMulticastAdvertisements</string>
</array>
4 Save the changes to the mDNSResponder.plist file.
Important: If you edited the file using emacs, remove the emacs backup file (the file with a tilde at the end of the name, “/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist~”) or your Mac will not start up.
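The warning above is that a malformed launchd plist, or a stray backup file left beside it, can stop the Mac from booting. The following is an added example, not Apple's code, that makes the ProgramArguments change from step 3 with plistlib instead of a text editor, checks the result parses before writing, and keeps the backup outside LaunchDaemons; the backup path is an assumption and the sample plist is constructed.

```python
"""Toggle -NoMulticastAdvertisements in the mDNSResponder launchd plist.

Added example, not Apple's code. The WARNING above is that a malformed
mDNSResponder.plist stops the Mac from booting, so rather than editing the
file by hand this parses it with plistlib, changes ProgramArguments
idempotently, re-parses what it produced, and keeps the backup outside
LaunchDaemons. Paths are assumptions; the sample plist is constructed.
"""
import plistlib
import shutil
from pathlib import Path
from typing import List, Tuple

PLIST_PATH = Path("/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist")
BACKUP_PATH = Path("/var/tmp/com.apple.mDNSResponder.plist.bak")  # not a ~ file in LaunchDaemons
FLAG = "-NoMulticastAdvertisements"


def program_arguments(plist_bytes: bytes) -> List[str]:
    """ProgramArguments from a plist document, or [] if absent."""
    return list(plistlib.loads(plist_bytes).get("ProgramArguments", []))


def set_advertising(plist_bytes: bytes, enabled: bool) -> Tuple[bytes, bool]:
    """Return (new plist bytes, changed). enabled=False adds the flag (step 3
    above); enabled=True removes it again, as the text's undo step describes."""
    doc = plistlib.loads(plist_bytes)
    args = doc.get("ProgramArguments")
    if not isinstance(args, list) or not args:
        raise ValueError("ProgramArguments missing: refusing to write a plist launchd cannot run")
    if enabled and FLAG in args:
        args.remove(FLAG)
    elif not enabled and FLAG not in args:
        args.append(FLAG)  # after the program path and -launchd, as in the example above
    else:
        return plist_bytes, False
    out = plistlib.dumps(doc)
    if program_arguments(out) != args:  # round-trip check before anything is written
        raise RuntimeError("plist did not round-trip; not writing it")
    return out, True


def apply_to_file(path: Path = PLIST_PATH, backup: Path = BACKUP_PATH,
                  enabled: bool = False) -> bool:
    """Back up, then rewrite the plist in place; True if it changed. Needs sudo."""
    new, changed = set_advertising(path.read_bytes(), enabled)
    if changed:
        shutil.copy2(path, backup)
        path.write_bytes(new)
    return changed


# Constructed stand-ins for the real launchd plist (not Apple's file).
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.mDNSResponder",
    "ProgramArguments": ["/usr/sbin/mDNSResponder", "-launchd"],
})
BROKEN_PLIST = plistlib.dumps({"Label": "com.apple.mDNSResponder"})  # no ProgramArguments
```

Calling apply_to_file() with enabled=True reverses the change, which is the removal step the text describes further down if other applications need Bonjour.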
You must also block Bonjour from listening for and accepting Bonjour traffic by creating a firewall rule using ipfw. This prevents your computer from receiving potentially malicious Bonjour traffic from the network. If you haven’t set up IPFW to run when the computer starts up, see Chapter 13, “Configuring the Firewall.”
Add the following rule to /etc/ipfw.conf in the same way that you edited /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist in the section above.
To block Bonjour listening:
# Block Bonjour listening.
# ------------------------
# Default Setting.
# Bonjour is enabled
# Firewall is disabled
# Suggested Setting.
# Add the following line to /etc/ipfw.conf.
add 00001 deny udp from any to me dst-port 5353
# Reload the firewall rules.
sudo /sbin/ipfw flush
sudo /sbin/ipfw /etc/ipfw.conf
If Bonjour is disabled, you must manually configure network printers. Disabling Bonjour can also disable functionality in other applications that rely on Bonjour or possibly make them unusable.
If disabling Bonjour interferes with other applications that are needed by the user, remove the <string>-NoMulticastAdvertisements</string> from the mDNSResponder.plist file. Then unblock UDP port 5353 on your firewall.
13
Configuring the Firewall
Use this chapter to learn how to configure the IPFW2 firewall.
Using a firewall to filter network traffic from a host or a network of hosts prevents attackers from gaining access to your computer.
About Firewall Protection
Firewall service is software that protects network applications running on your Snow Leopard Server computer.
Turning on firewall service is similar to installing a filter to limit access to your network. Firewall service scans incoming IP packets and rejects or accepts these packets based on rules you use to configure firewall service.
You can monitor activity involving your firewall by enabling firewall logging. Firewall logging creates a log file that tracks activity such as the sources and connection attempts blocked by the firewall. You can view this log in the Console utility.
You can restrict access to any IP service running on the server, and you can customize rules for incoming clients or for a range of client IP addresses.
Important: Firewall service can disrupt network communications and its configuration can be complicated to implement. Do not implement recommendations without understanding their purpose or impact.
Services such as Web and FTP services are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, firewall service scans the rule list for a matching port number.
When running, the default firewall configuration on Snow Leopard Server denies access to incoming packets from remote computers except through ports for remote configuration. This provides a high level of security.
Stateful rules are in place as well, so responses to outgoing queries initiated by your computer are also permitted. You can then add rules to permit server access to those clients who require access to services.
Important: You should not perform any firewall configuration remotely because of the risk of disabling communications to the remote host.
Planning Firewall Setup
Plan your firewall service by deciding which services you want to provide access to. Mail, Web, and FTP services generally require access by computers on the Internet. File and Print services are most likely restricted to your local subnet.
After you decide which services to protect using firewall service, determine which IP addresses you want to access your server. Then create the appropriate rules.
After the firewall service is configured, network users might request that the rules be changed to allow additional services. These changes should be resisted and an approval process should be put in place to monitor these changes.
Configuring the Firewall Using Server Admin
Advanced configuration servers use ipfw2 for firewall service. The application-level firewall is available only to standard and workgroup configuration installations.
Starting Firewall Service
By default, firewall service blocks incoming TCP connections and denies UDP packets, except those received in response to outgoing requests from the server.
Before you turn on firewall service, make sure you’ve set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.
If you add or change a rule after starting firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting firewall service, computers connected to your FTP server are disconnected.
To start firewall service:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click the Start Firewall button below the Servers list.
Chapter 13 Configuring the Firewall
From the command line:
# Securing Firewall Service
# -------------------------
# Start firewall service.
sudo serveradmin start ipfilter
Creating an IP Address Group
By grouping IP addresses you can simultaneously set firewall rules for large numbers of network devices and allow for much better organization. This enhances the security of your network.
These groups are used to organize and target the rules. The “any” address group is for all addresses. Two other IP address groups are present by default, intended for the entire “10.0.0.0” range of private addresses and the entire “192.168.0.0” range of private addresses.
Addresses can be listed as individual addresses (192.168.2.2), IP address and CIDR notation (192.168.2.0/24), or IP address and netmask notation (192.168.2.0:255.255.255.0).
By default, an IP address group is created for all incoming IP addresses. Rules applied to this group affect all incoming network traffic.
To create an address group:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Address Groups.
4 Below the IP Address Groups list, click the Add (+) button.
5 In the Group name field, enter a group name.
6 Enter the addresses and subnet mask you want the rules to affect.
Use the Add (+) and Delete (–) buttons.
To indicate any IP address, use the word “any.”
7 Click OK.
8 Click Save.
Creating Firewall Service Rules
By default, firewall service permits all UDP connections and blocks incoming TCP connections on ports that are not essential for remote administration of the server. Also, by default, stateful rules are in place that permit specific responses to outgoing requests.
Before you turn on firewall service, make sure you’ve set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.
You can easily permit standard services through the firewall without advanced and extensive configuration. Standard services include:
Â SSH access
Â Web service
Â Apple File service
Â Windows File service
Â FTP service
Â Printer Sharing
Â DNS/Multicast DNS
Â ICMP Echo Reply (incoming pings)
Â IGMP
Â PPTP VPN
Â L2TP VPN
Â QTSS media streaming
Â iTunes Music Sharing
If you add or change a rule after starting firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting firewall service, computers connected to your FTP server are disconnected.
To configure firewall standard services:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Services.
4 From the Edit Services for pop-up menu, select an address group.
5 For the address group, choose to permit all traffic from any port or to permit traffic on designated ports.
6 For each service you want the address group to use, select Allow.
If you don’t see the service you need, add a port and description to the services list. To create a custom rule, see “Creating Advanced Firewall Rules” on page 217.
7 Click Save.
Creating Advanced Firewall Rules
You use the Advanced Settings pane in Server Admin to configure specific rules for firewall service. Firewall rules contain originating and destination IP addresses with subnet masks. They also specify what to do with incoming network traffic. You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses.
Addresses can be listed as individual addresses (192.168.2.2), IP address and subnet mask in CIDR notation (192.168.2.0/24), or IP address and subnet mask in netmask notation (192.168.2.0:255.255.255.0).
To set up an advanced firewall rule:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Advanced.
4 Click the Add (+) button.
Alternatively, you can select a rule similar to the one you want to create, click Duplicate, and then click Edit.
5 In the Action pop-up menu, select whether this rule permits or denies access.
If you choose Other, enter the needed action (for example, log).
6 From the Protocol pop-up menu, choose a protocol.
If you choose Other, enter the needed protocol (for example, icmp, esp, ipencap).
7 From the Service pop-up menu, choose a service.
To select a nonstandard service port, choose Other.
8 If needed, choose to log all packets that match the rule.
9 For the source of filtered traffic, choose an address group from the Address pop-up menu.
If you don’t want to use an existing address group, enter the source IP address range (using CIDR notation) you want to filter.
If you want it to apply to any address, choose “any” from the pop-up menu.
10 If you selected a nonstandard service port, enter the source port number.
11 For the destination of filtered traffic, choose an address group from the Source pop-up menu.
If you don’t want to use an existing address group, enter the destination IP address range (using CIDR notation).
If you want it to apply to any address, choose “any” from the pop-up menu.
12 If you selected a nonstandard service port, enter the destination port number.
13 From the Interface pop-up menu that this rule will apply to, choose In or Out.
In refers to the packets being sent to the server.
Out refers to the packets being sent from the server.
14 If you select Other, enter the interface name (en0, en1, fw1, and so on).
15 Click OK.
16 Click Save to apply the rule immediately.
Enabling Stealth Mode
You can hide your firewall by choosing not to send a connection failure notification to any connection that is blocked by the firewall. This is called stealth mode and it effectively hides your server’s closed ports.
For example, if a network intruder tries to connect to your server, even if the port is blocked, he or she knows that there is a server and can find other ways to intrude. If stealth mode is enabled, instead of being rejected, the hacker won’t receive notification that an attempted connection took place.
To enable stealth mode:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Advanced.
4 Select “Enable for TCP,” “Enable for UDP,” or both, as needed.
5 Click Save.
From the command line:
# Enable stealth mode.
# ------------------
sudo serveradmin settings ipfilter:blackHoleTCP = true
sudo serveradmin settings ipfilter:blackHoleUDP = true
Viewing the Firewall Service Log
Each rule you set up in Server Admin corresponds to rules in the underlying firewall software. Log entries show you when the rule was applied, the IP address of the client and server, and other information.
The log view shows the contents of /var/log/ipfw.log. You can refine the view using the text filter box.
To view the firewall service log:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Log.
To search for specific entries, use the Filter field above the log.
From the command line:
# View the firewall service log.
# ----------------------------
sudo tail /var/log/ipfw.log
The filters you create in Server Admin correspond to rules in the underlying filtering software. Log entries show you the rule applied, the IP address of the client and server, and other information. For more information about rules and what they mean, see “Creating Advanced Firewall Rules” on page 217.
Here are some examples of firewall log entries and how to read them.
Log Example 1
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
This entry shows that firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 from accessing server 192.168.12.12 on web port 80 through Ethernet port 0.
Log Example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry shows that firewall service used rule 100 to permit the remote client at 10.221.41.33:721 to access the server 192.168.12.12 on the LPR printing port 515 through Ethernet port 0.
Log Example 3
Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
This entry shows the NAT divert rule applied to an outbound packet. In this case it diverts the rule to service port 660, which is the port the NAT daemon uses.
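The three log examples above share one fixed field order after the ipfw: token. The following POSIX shell functions, an added example rather than part of Apple’s guide, parse lines of that shape and count inbound packets the firewall rejected per source address, so repeated probing of closed ports stands out when reviewing /var/log/ipfw.log. The sample lines, host names and addresses are constructed, and treating Deny, Unreach and Reset as the rejecting actions is an assumption about ipfw’s log wording.

```shell
#!/bin/sh
# Added example (not from Apple's guide): parse /var/log/ipfw.log lines of the
# shape shown in the log examples and summarise rejected inbound connections.
# Assumed field order after the "ipfw:" token:
#   <rule> <action> <proto> <src_ip:port> <dst_ip:port> <in|out> via <interface>

# Constructed sample lines modelled on the examples (hosts and addresses are made up).
IPFW_SAMPLE_LOG='Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
Dec 12 13:08:17 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2191 192.168.12.12:22 in via en0
Dec 12 13:20:15 ballch5 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
Dec 12 13:21:02 ballch5 mach_kernel: ipfw: 65000 Unreach UDP 10.9.8.7:40000 192.168.12.12:161 in via en0
Dec 12 13:33:15 ballch5 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0'

# ipfw_log_fields: read log lines on stdin and print one record per line as
#   rule action proto src_ip src_port dst_ip dst_port direction interface
ipfw_log_fields() {
    awk '
        /mach_kernel: ipfw: / {
            # locate the "ipfw:" token; the fields after it are positional
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); action = $(i + 2); proto = $(i + 3)
            split($(i + 4), src, ":"); split($(i + 5), dst, ":")
            direction = $(i + 6); iface = $(i + 8)   # $(i + 7) is the literal "via"
            print rule, action, proto, src[1], src[2], dst[1], dst[2], direction, iface
        }'
}

# ipfw_denied_by_source: count inbound packets the firewall rejected, per source
# address, highest count first. Deny, Unreach and Reset are taken to be the
# rejecting actions (an assumption about ipfw log wording); Accept lines are skipped.
ipfw_denied_by_source() {
    ipfw_log_fields | awk '
        $2 ~ /^(Deny|Unreach|Reset)$/ && $8 == "in" { n[$4]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Usage: sudo cat /var/log/ipfw.log | ipfw_denied_by_source
# On the constructed sample this prints "2 10.221.41.33" then "1 10.9.8.7".
```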
Configuring the Firewall Manually
The IPFW2 firewall (also referred to here as IPFW) allows for the creation of complex and powerful packet filtering rulesets. This firewall can be difficult to configure, and can also disrupt network communications if improperly configured. It requires manually written rules, and the system must be configured to read those rules at startup.
Configuring IPFW rulesets requires a higher level of expertise than many system administration tasks. If an administrator is not mindful of the IPFW ruleset on the system, confusion can arise when some network connectivity is not available that should be.
Understanding IPFW Rulesets
An IPFW configuration or ruleset is a list of rules that are designed to match packets and take appropriate action. IPFW rules are numbered from 1 to 65535. The packet passed to the firewall is compared against each of the rules (in numerical order). When the packet matches a rule, the corresponding action is taken.
A more complete description of the capabilities and configuration of IPFW can be found in the ipfw man page.
The IPFW ruleset can be stored as a list of IPFW rules inside a text file. Traditionally, the file /etc/ipfw.conf is used to store these rules.
To view enforced IPFW rules, run the command:
sudo ipfw print
The default output should appear something like this:
65535 allow ip from any to any
This line shows that the default configuration allows all traffic through the IPFW firewall, performing no filtering. Like all IPFW rules, it consists of a rule number (65535); an action (allow); and body (ip from any to any).
In this case, the body (ip from any to any) matches all IP packets. This also happens to be a special rule, called the default rule. It is the highest-numbered rule possible and is compiled directly into the kernel.
Because no rules have actually been added to the system, all packets are passed to this default rule, which allows them all through. However, if the Stealth Mode feature is enabled on the system, then the following line appears first in the list:
33300 deny icmp from any to me in icmptypes 8
This rule shows the implementation of Stealth Mode, dropping incoming ping echo requests, which is ICMP type 8. Because it is a lower rule number (and thus appears earlier when listed), it is consulted before the default rule.
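Because rules are consulted in numerical order and the first match wins, an allow-all rule numbered below other rules makes every later rule unreachable, and a ruleset holding only rule 65535 filters nothing. The following shell function, an added example that is not from Apple’s guide, reads ipfw print output (or an /etc/ipfw.conf listing) on standard input and flags both conditions, plus the presence of the stealth rule 33300; the sample rulesets are constructed.

```shell
#!/bin/sh
# Added example (not from Apple's guide): audit an IPFW ruleset listing for
# rules that can never match and for a ruleset that does no filtering at all.
# Input lines are expected in "ipfw print" form: "<number> <action> <body>".

# Constructed sample listings (not captured from a real server).
IPFW_DEFAULT_RULESET='65535 allow ip from any to any'
IPFW_STEALTH_RULESET='33300 deny icmp from any to me in icmptypes 8
65535 allow ip from any to any'
# Here rule 100 allows everything before rule 12300 gets a chance to deny telnet.
IPFW_SHADOWED_RULESET='00100 allow ip from any to any
12300 deny tcp from any to any 23 in
65535 allow ip from any to any'

# ipfw_ruleset_audit: read a ruleset on stdin and print one finding per line.
ipfw_ruleset_audit() {
    awk '
        /^[0-9]+ / {
            total++
            num = $1 + 0            # "+ 0" drops leading zeros such as 00100
            action = $2
            body = $0
            sub(/^[0-9]+ +[a-z]+ +/, "", body)
            # The first match wins, so anything numbered above an allow-all rule is dead
            # (the built-in default rule 65535 is always present and is not reported).
            if (have_allow_all && num > allow_all_at && num != 65535)
                print "UNREACHABLE rule " num " (shadowed by allow-all rule " allow_all_at ")"
            if (!have_allow_all && action == "allow" && body == "ip from any to any" && num != 65535) {
                have_allow_all = 1
                allow_all_at = num
            }
            if (num == 33300 && action == "deny") stealth = 1
        }
        END {
            if (total == 1)
                print "WARNING: only the default rule 65535 is loaded; no filtering is in effect"
            if (stealth)
                print "INFO: stealth rule 33300 present (inbound ICMP echo requests dropped)"
        }'
}

# Usage: sudo ipfw print | ipfw_ruleset_audit
```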
14 Securing Collaboration Services
Use this chapter to learn how to secure collaboration services.
Collaboration services help users share information for increased productivity. Securing the access and transfer of shared information protects your data.
Collaboration services promote interactions among users, facilitating teamwork and productivity. This chapter describes how to secure iCal, iChat, Wiki, and Podcast Producer collaboration services.
For information about configuring collaboration services, see iCal Server Administration, iChat Service Administration, Web Technologies Administration, and Podcast Producer Administration.
Securing iCal Service
Security for iCal service consists of two main areas:
Â Securing the authentication: This means using a method of authenticating users that is secure and doesn’t pass login credentials in clear text over the network. The high-security authentication used pervasively in Snow Leopard Server is Kerberos v5.
To learn how to configure secure authentication, see “Choosing and Enabling Secure Authentication for iCal Service” on page 223.
Â Securing the data transport: This means encrypting the network traffic between the calendar client and the calendar server. When the transport is encrypted, no one can analyze the network traffic and reconstruct the contents of the calendar. iCal service uses SSL to encrypt the data transport.
To learn how to configure and enable SSL for iCal service, see “Configuring and Enabling Secure Network Traffic for iCal Service” on page 224.
Disabling iCal Service
If your server is not intended to be an iCal server, disable the iCal server software. Disabling the service prevents potential vulnerabilities on your computer.
To disable iCal service:
1 Open Server Admin and connect to the server.
2 Select iCal in the Computers & Services list.
3 Click Stop iCal.
From the command line:
# --------------------------------------------------------------------
# Securing Collaboration Services
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# Securing iCal service
# --------------------------------------------------------------------
# Disable iCal service.
# ------------------------------
sudo serveradmin stop calendar
Securely Configuring iCal Service
To securely configure iCal service, you must secure authentication and data transport.
Choosing and Enabling Secure Authentication for iCal Service
Users authenticate to iCal service through one of the following methods:
Â Kerberos v5: This method uses strong encryption and is used in Snow Leopard for single sign-on to services offered by Snow Leopard Server.
Â Digest: (RFC 2617) This method sends secure login names and encrypted passwords without the use of a trusted third-party (like the Kerberos realm), and is usable without maintaining a Kerberos infrastructure.
Â Any: This method includes Kerberos v5 and Digest authentication. The client can choose the most relevant method for what it can support.
You can set the required authentication method using Server Admin. To enable the highest security, choose a method other than “Any.”
To choose an authentication method:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 Select the method from the Authentication pop-up menu.
4 Click Save, then restart the service.
From the command line:
# Choose an authentication method for iCal service.
# -----------------------------------------------
# To enable all auth methods:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# To choose Digest auth only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "no"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# For Kerberos only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "no"
sudo serveradmin stop calendar; sudo serveradmin start calendar
Configuring and Enabling Secure Network Traffic for iCal Service
When you enable Secure Sockets Layer (SSL), you encrypt all data sent between the iCal server and the client. To enable SSL, you must select a certificate. If you use the default self-signed certificate, the clients must choose to trust the certificate before they can make a secure connection.
To enable secure network traffic using SSL transport:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 Click Enable Secure Sockets Layer (SSL).
4 Choose a TCP port for SSL to communicate on.
The default port is 8443.
5 Choose the certificate to be used for encryption.
6 Click Save, then restart the service.
From the command line:
# Enable secure network traffic using SSL transport.
# -------------------------------------------------
sudo serveradmin settings calendar:SSLPort = 8443
Viewing iCal Service Logs
iCal service logging is important for security. With logs, you can monitor and track communication through the iCal service. You can access the iCal service log, /var/log/system.log, using Server Admin.
To view the iCal service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of services appears.
3 Click iCal.
4 Click Logs and then choose a log from the View pop-up menu.
From the command line:
# View the iCal service log
# -------------------------
sudo tail /var/log/caldavd/access.log
Securing iChat Service
The iChat service provides a secure way for users to chat. To use iChat service on a server, users must be defined in directories the server uses to authenticate users. For more information about configuring search paths to directories, see Open Directory Administration.
Disabling iChat Service
If your server is not intended to be an iChat server, disable the iChat server software. Disabling the software prevents potential vulnerabilities on your computer.
To disable iChat service:
1 Open Server Admin and connect to the server.
2 Select iChat in the Computers & Services list.
3 Click Stop iChat.
From the command line:
# Disable iChat service.
# -------------------------
sudo serveradmin stop jabber
Securely Configuring iChat Service
If your organization requires the use of iChat service, configure it to use SSL. SSL communication certifies the identity of the server and establishes secure, encrypted data exchange.
You identify an SSL certificate for iChat service to use the first time you set up iChat service, but you can use a different certificate later. You can use a self-signed certificate or a certificate imported from a CA. For more information about defining, obtaining, and installing certificates on your server, see “Readying Certificates” on page 168.
Sending messages to multiple recipients over an internal iChat server does not require a MobileMe identity. The internal iChat server (jabberd) requires a server-side SSL certificate that is used by each client to establish an SSL session (similar to a web access session). A MobileMe certificate is required to establish encrypted sessions between two iChat clients communicating using text, audio, and video.
To securely configure iChat service:
1 Open Server Admin and connect to the server.
2 Select iChat in the Computers & Services list.
3 Click Settings, then click General.
4 Click the Add (+) button to add host domains.
The Host Domains list designates the domain names you want iChat to support. Initially, the server host name is shown. You can add or remove other names that resolve to the iChat service IP address such as aliases defined in DNS. When starting iChat, you must specify a DNS for the service.
Host domains are used to construct Jabber IDs, which identify iChat users. An example is [email protected].
5 From the SSL Certificate pop-up menu, choose an SSL certificate.
The menu lists all SSL certificates that have been installed on the server.
To create or add certificates, choose Manage Certificates from the SSL Certificate pop-up menu.
6 Choose the method of authentication from the Authentication pop-up menu:
Choose Standard if you want iChat to only accept password authentication.
Choose Kerberos if you want iChat to only accept Kerberos authentication.
Choose Any Method if you want iChat to accept password and Kerberos authentication.
7 To permit iChat to communicate with other XMPP-compliant chat servers, select “Enable XMPP server-to-server federation.”
8 If you are using a certificate with iChat, select “Require secure server-to-server federation.”
This option requires an SSL certificate to be installed, which is used to secure the server-to-server federation.
9 To restrict server-to-server communication to servers that are listed, select “Allow federation with the following domains.”
You can add or remove domains using the Add (+) or Delete (–) buttons below the list.
10 Click Save, and then click Start Service.
11 Make sure the iChat server’s Open Directory search path includes directories where users and group members that you want to communicate using iChat service are defined.
The Open Directory Administration Guide explains how to set up search paths.
Any user or group member defined in the Open Directory search path is now authorized to use iChat service on the server, unless you deny them access to iChat service.
From the command line:
# Securely configure iChat service.
# To select an iChat server certificate:
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"
# (Or replace the path with the full path to the certificate that you want
# to select.)
# Restart the service if it is running:
sudo serveradmin stop jabber; sudo serveradmin start jabber
# To select an iChat server auth method use one of the following:
sudo serveradmin settings jabber:authLevel = "ANYMETHOD"
sudo serveradmin settings jabber:authLevel = "KERBEROS"
sudo serveradmin settings jabber:authLevel = "STANDARD"
# Then restart the service:
sudo serveradmin stop jabber
sudo serveradmin start jabber
Using Certificates to Secure S2S Communication
Using Server Admin, you can secure S2S communication with certificates.
By default, iChat selects a port using a preinstalled, self-signed SSL certificate. You can select your own certificate. The selected certificate is used for client-to-server communications on ports 5222 and 5223 and for server-to-server communications.
Jabber provides the following ports:
Â 5222 accepts TLS encryption
Â 5223 accepts SSL encryption
SSL encrypts your chat message over the network between client-to-server and server-to-server connections. However, if your iChat server is logging chat messages, your messages are stored in an unencrypted format that can be easily viewed by your server administrator.
To select a certificate:
1 Open Server Admin and connect to the server.
2 Select iChat in the Computers & Services list.
3 Click Settings, then click General.
4 From the SSL Certificate pop-up menu, choose an SSL certificate.
The menu lists all SSL certificates that are installed on the server.
To create or add certificates, choose Manage Certificates from the SSL Certificate pop-up menu.
5 Click Save.
From the command line:
#
# Select a certificate.
# -------------------
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"
Additional Security Enhancements
For additional security enhancements, you can further restrict the iChat service by using SACLs and firewall rules. These are configured based on your organization’s network environment.
You can configure SACLs to restrict iChat access to specific users or groups. For more information about configuring SACLs, see “Setting Service Access Control Lists (SACLs)” on page 183.
You can configure firewall rules that prevent iChat connections from unintended sources. For more information, see “Creating Firewall Service Rules” on page 216.
Viewing iChat Service Logs
iChat service logging is important for security. With logs, you can monitor and track communication through the iChat service. Access the iChat service log, /var/log/system.log, using Server Admin.
To view the iChat service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of services appears.
3 Click iChat.
4 Click Logs and then choose a log from the View pop-up menu.
From the command line:
# View the iChat service log.
# -------------------------
sudo tail /var/log/server.log | grep jabberd
Securing Wiki Service
The level of website security determines the level of wiki security. Wiki security is established when the website that the wiki is configured on is secure.
Disabling Wiki Service
If your server does not provide wiki service, disable the wiki portion of the web service software. Disabling wiki service does not prevent potential vulnerabilities with other websites hosted on the server.
To disable wiki service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites.
4 Select the website that hosts the wiki.
5 Click Web Services.
6 Deselect Wikis.
From the command line:
# --------------------------------------------------------------------
# Securing Wiki Service
# --------------------------------------------------------------------
# Disable Wiki service.
# ------------------
sudo serveradmin stop teams
Securely Configuring Wiki Services
Methods you can use to help secure data moving to and from your wiki include the following:
Â Set up SSL for the website your wiki is running on. SSL provides security for a site and its users by authenticating the server, encrypting information, and maintaining message integrity. For more information, see “Enabling Secure Sockets Layer (SSL)” on page 276.
Â Restrict users and groups that can create wiki pages on your website by adding users and groups to the web services list. For more information, see “Securing Web Service” on page 271.
Viewing Wiki Service Logs
Wiki service logging is important for security. With logs, you can monitor and track communication through the wiki service. Access the wiki service logs, /Library/Logs/wikid/error.log and /Library/Logs/wikid/access.log, using Server Admin.
To view the wiki service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of services appears.
3 Click Wiki.
4 Click Logs and then choose a log from the View pop-up menu.
From the command line:
#
# View the wiki service log.
# -------------------------
sudo tail /Library/Logs/wikid/access.log
Securing Podcast Producer Service
To secure Podcast Producer service, disable it if you don’t use it. If you use the service, use Server Admin to control access to workflows and cameras.
Disabling Podcast Producer Service
If your server is not a Podcast Producer server, disable the Podcast Producer server software. Disabling the software prevents potential vulnerabilities on your computer.
To disable Podcast Producer service:
1 Open Server Admin and connect to the server.
2 Select Podcast Producer in the Computers & Services list.
3 Click Stop Podcast Producer.
From the command line:
# --------------------------------------------------------------------
# Securing Podcast Producer Service
# --------------------------------------------------------------------
# Disable Podcast Producer service.
# -------------------------------
sudo serveradmin stop pcast
Securely Configuring Podcast Producer Service
To protect the Podcast Producer service from being exploited, control access to workflows and cameras using Server Admin.
To control access to a workflow:
1 Open Server Admin.
2 Select Podcast Producer in the Computers & Services list.
3 Click Workflows.
4 Select a workflow in the Workflow list.
5 To restrict access to the workflow, click “Allow access to workflow name for the following users and groups.”
6 Click the (+) button to add users and groups to the list of users and groups that can access the selected workflow.
In the Users and Groups window, click Users and drag users to the list.
In the Users and Groups window, click Groups and drag groups to the list.
To delete users and groups from the list, select them and click (-).
7 Click Save.
To control access to a camera:
1 Open Server Admin.
2 In the Computers and Services list, select Podcast Producer.
3 Click Cameras.
4 Select a camera in the Cameras list.
5 To restrict access to the camera, click “Allow access to camera name for the following users and groups.”
6 Click the (+) button to add users and groups to the list of users and groups that can access the selected camera.
In the Users and Groups window, click Users and drag users to the list.
In the Users and Groups window, click Groups and drag groups to the list.
To delete users or groups from the list, select them and click (-).
7 Click Save.
Viewing Podcast Producer Service Logs
Podcast Producer service logging is important for security. With logs, you can monitor and track communication through the Podcast Producer service. Access the Podcast Producer service log, /Library/Logs/pcastserverd/application.log, using Server Admin.
To view the Podcast Producer service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of services appears.
3 Click Podcast Producer.
4 Click Logs and then choose a log from the View pop-up menu.
From the command line:
#
# View the Podcast Producer service log.
# ------------------------------------
sudo tail /Library/Logs/pcastserverd/pcastserverd_out.log
15 Securing Mail Service
Use this chapter to learn how to secure mail service.
Mail service is crucial in today’s dispersed work environments. Protect your mail by using encryption, adaptive junk mail filtering, and virus detection.
Mail service in Snow Leopard Server allows network users to send and receive mail over your network or across the Internet.
Mail service sends and receives mail using the following standard Internet mail protocols: Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP).
Mail service also uses a Domain Name System (DNS) service to determine the destination IP address of outgoing mail.
Snow Leopard Server uses Cyrus to provide POP and IMAP service. More information about Cyrus can be found at asg.web.cmu.edu/cyrus.
Snow Leopard Server uses Postfix as its mail transfer agent (MTA). Postfix fully supports SMTP. Your mail users will set their mail application’s outgoing mail server to your Snow Leopard Server running Postfix, and access incoming mail from a Snow Leopard Server running incoming mail service. More information about Postfix can be found at www.postfix.org.
For more information about configuring mail service, see Mail Service Administration.
Disabling Mail Service
If your server is not a mail server, disable the mail service software. Disabling the service prevents potential vulnerabilities on your server. To disable mail service, turn off support for the IMAP, SMTP, and POP protocols that are not required. Mail service is enabled by default (except in Advanced mode), so verification is recommended.
To disable mail service protocols:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the General tab.
4 Make sure at least one protocol (SMTP, POP, or IMAP) is enabled.
5 Click Stop Service in the menu bar.
When the service is turned on, the Stop Service button is available.
From the command line:
# --------------------------------------------------------------------
# Securing Mail Service
# --------------------------------------------------------------------
# Disable mail service protocols
# ------------------------------
sudo serveradmin settings mail:imap:enable_pop = no
sudo serveradmin settings mail:imap:enable_imap = no
sudo serveradmin settings mail:postfix:enable_smtp = no
Configuring Mail Service for SSL
If mail service protocols are required, protect their communications using Secure Sockets Layer (SSL). SSL connections ensure that the data sent between your mail server and your users’ mail clients is encrypted. This allows secure and confidential transport of mail messages across a local network.
SSL transport doesn’t provide secure authentication. It provides secure transfer from your mail server to your clients. For secure authentication information, see Open Directory Administration.
For incoming mail, mail service supports secure mail connections with mail client software that requests them. If a mail client requests an SSL connection, mail service can comply if that option is enabled. Mail service still provides non-SSL (unencrypted) connections to clients that don’t request SSL. The configuration of each mail client determines whether it connects with SSL or not.
For outgoing mail, mail service supports secure mail connections between SMTP servers. If an SMTP server requests an SSL connection, mail service can comply if that option is enabled. Mail service can still allow non-SSL (unencrypted) connections to mail servers that don’t request SSL.
Enabling Secure Mail Transport with SSL
Mail service requires configuration to provide SSL connections automatically. The basic steps are as follows:
Step 1: Obtain a security certificate
This can be done in the following ways:
Â Get a certificate from a Certificate Authority (CA).
Â Generate a Certificate Signing Request (CSR) and create a keychain.
Â Use the CSR to obtain a certificate from an issuing CA or create a self-signed certificate in Server Admin’s Certificate Manager.
Â Locate an existing certificate from a previous installation of Snow Leopard Server.
If you have already generated a security certificate in a previous version of Leopard Server, you can import it for use.
Step 2: Import the certificate into Server Admin’s Certificate Manager
You can use Certificate Manager to drag and drop certificate information or you can provide Certificate Manager with the path to an existing installed certificate.
Step 3: Configure the service to use the certificate
For instructions for allowing or requiring SSL transport, see the following sections:
Â “Configuring SSL Transport for POP Connections” on page 236
Â “Configuring SSL Transport for IMAP Connections” on page 237
Â “Configuring SSL Transport for SMTP Connections” on page 239
Enabling Secure POP Authentication
Your POP mail service can protect user passwords by allowing Authenticated POP (APOP) or Kerberos. When a user connects with APOP or Kerberos, the user’s mail client software encrypts the user’s password before sending it to your POP service.
Before configuring mail service to require secure authentication, make sure that users’ mail applications and user accounts support the method of authentication you choose.
Before enabling Kerberos authentication for incoming mail service, you must integrate Snow Leopard with a Kerberos server. If you’re using Snow Leopard Server for Kerberos authentication, this is already done for you. For more information, see Open Directory Administration.
If you want to require either of these authentication methods, enable only one method.
To set the POP authentication method:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 Click the APOP or Kerberos checkbox in the POP3 list.
6 Click Save.
From the command line:
# Set the POP authentication method:
sudo serveradmin settings mail:imap:pop_auth_apop = no
sudo serveradmin settings mail:imap:pop_auth_clear = no
sudo serveradmin settings mail:imap:pop_auth_gssapi = no
Configuring SSL Transport for POP Connections
SSL transport enables mail transmitted over the network to be securely encrypted. You can choose Require, Use, or Don’t Use SSL for POP (and IMAP) connections. Before using SSL connections, you must have a security certificate for mail use.
Setting SSL transport for POP also sets it for IMAP.
To set SSL transport for POP connections:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 In the IMAP and POP SSL pop-up menus, select Require or Use to enable (or Don’t Use to disable).
6 Select the certificate you want to use from the corresponding pop-up menu, if you are using or requiring SSL.
7 Click Save.
From the command line:
# Set SSL transport for POP connections:
sudo serveradmin settings mail:imap:tls_server_options = "use"
Enabling Secure IMAP Authentication
Your IMAP mail service can protect user passwords by requiring that connections use a secure method of authentication. You can choose CRAM-MD5 or Kerberos v5 authentication.
When a user connects with secure authentication, the user’s mail client software encrypts the user’s password before sending it to your IMAP service. Make sure that your users’ mail applications and user accounts support the method of authentication you choose.
If you configure mail service to require CRAM-MD5, you must set mail accounts to use a Snow Leopard Server Password Server that has CRAM-MD5 enabled. For information, see Open Directory Administration.
Before enabling Kerberos authentication for incoming mail service, you must integrate Snow Leopard Server with a Kerberos server. If you’re using Snow Leopard Server for Kerberos authentication, this is done for you. For instructions, see Open Directory Administration.
If you want to require any of these authentication methods, enable only one method.
To set secure IMAP authentication:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 Select CRAM-MD5 or Kerberos (as needed) in the IMAP section.
6 Click Save.
From the command line:
# Set secure IMAP authentication (set the one method you want to allow to yes,
# leave login, plain and clear at no because they don't protect the password):
sudo serveradmin settings mail:imap:imap_auth_login = no
sudo serveradmin settings mail:imap:imap_auth_plain = no
sudo serveradmin settings mail:imap:imap_auth_gssapi = no
sudo serveradmin settings mail:imap:imap_auth_clear = no
sudo serveradmin settings mail:imap:imap_auth_cram_md5 = no
Configuring SSL Transport for IMAP Connections
SSL transport enables mail transmitted over the network to be securely encrypted. You can choose Require, Use, or Don’t Use SSL for IMAP connections. Before using SSL connections, you must have a security certificate for mail use.
Setting SSL transport for IMAP also sets it for POP.
To configure SSL transport for IMAP connections:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 From the pop-up menus in the IMAP and POP SSL section, click Require or Use to enable (Don’t Use to disable).
6 Select the certificate you want to use from the corresponding pop-up menu, if you are using or requiring SSL.
7 Click Save.
From the command line:
# Configure SSL transport for IMAP connections (same as POP)
sudo serveradmin settings mail:imap:tls_server_options = "use"
Enabling Secure SMTP Authentication
Your server can guard against being an open relay by allowing SMTP authentication. (An open relay indiscriminately relays mail to other mail servers.) You can configure mail service to require secure authentication using CRAM-MD5 or Kerberos.
You can also allow the less secure plain and login authentication methods, which don’t encrypt passwords, if some users have mail client software that doesn’t support secure methods.
If you configure mail service to require CRAM-MD5, mail users’ accounts must be set to use a password server that has CRAM-MD5 enabled. For information, see Open Directory Administration.
Before enabling Kerberos authentication for incoming mail service, you must integrate Snow Leopard Server with a Kerberos server. If you’re using Snow Leopard Server for Kerberos authentication, this is done for you. For instructions, see Open Directory Administration.
Enabling SMTP authentication will:
• Make your users authenticate with their mail client before accepting mail to send.
• Frustrate mail server abusers trying to send mail without your consent through your system.
If you want to require any of these authentication methods, enable only one method.
To allow secure SMTP authentication:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 In the SMTP section, click the CRAM-MD5 or Kerberos checkbox.
6 Click Save.
From the command line:
# Allow secure SMTP authentication:
sudo serveradmin settings mail:postfix:smtpd_sasl_auth_enable = yes
sudo serveradmin settings mail:postfix:smtpd_use_pw_server = "yes"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "gssapi"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "crammd5"
# login and plain send the password unencrypted; include them only if
# some clients cannot use a secure method:
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "login"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "plain"
Configuring SSL Transport for SMTP Connections
SSL transport enables mail transmitted over the network to be securely encrypted. You can choose Require, Use, or Don’t Use SSL for SMTP connections. Before using SSL connections, you must have a security certificate for mail use.
To configure SSL transport for SMTP connections:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 In the SMTP SSL section, click Require or Use to enable (or Don’t Use to disable).
6 Select the certificate you want to use from the corresponding pop-up menu, if you are using or requiring SSL.
7 Click Save.
From the command line:
# Configure SSL transport for SMTP connections:
sudo serveradmin settings mail:postfix:smtpd_use_tls = "yes"
Using ACLs for Mail Service Access
Access Control Lists (ACLs) are a method of designating service access to specific users or groups on an individual basis. For example, you can use an ACL to allow only one user to access a file server or shell login, without allowing other users on the server to access it.
Mail services are different from services that traditionally use ACLs for determining service access. Mail service is already specified on a per-user basis. Either you have a mail account on a server or you don’t. Being a user on a server doesn’t automatically confer access to mail storage and retrieval.
Some administrators find it easier to designate mail access using ACLs if they are doing all their other configuration using ACLs. They also might have mixed network environments that necessitate using ACLs to assign mail access.
Snow Leopard Server allows you to enable mail access for users using the Access tab in a server’s Server Admin listing. If you enabled user access via Server Admin and traditional mail access using Workgroup Manager, the settings interact in the following manner:

Access via ACL   Access via Workgroup Manager   Result
On               On                             User has mail access granted according to the IMAP or POP settings in the General Settings Mail panel in Server Admin.
On               Off                            User has mail access granted according to the IMAP or POP settings in the General Settings Mail panel in Server Admin.
Off              On                             User has mail access granted according to his or her user record settings in Workgroup Manager. This is the default.
Off              Off                            User has no mail access.

To enable a user’s mail access using ACLs:
1 In Server Admin, select the server that has mail service running and then click Settings.
2 Select Access, then click Services.
3 Select Mail from the Services list.
4 Deselect “Use same access for all services.”
5 Select “Allow only users and group below.”
6 Click the Add (+) button to reveal a Users and Groups list.
7 Drag the user or group to the access list.
8 Click Save.
From the command line:
# Enable a user’s mail access using ACLs
sudo dseditgroup -o edit -a $USER -t user com.apple.access_mail
Limiting Junk Mail and Viruses
You can configure mail service to decrease the volume of unsolicited commercial mail, also known as junk mail (or spam), and mail containing viruses. You can take steps to block junk mail or viruses that are sent to mail users. Additionally, you can secure your server against use by mail service abusers, who try to use your resources to send junk mail to others.
You can also prevent senders of junk mail from using your server as a relay point. A relay point or open relay is a server that unselectively receives and forwards mail addressed to other servers. An open relay sends mail from any domain to any domain. Junk mail senders exploit open relay servers to avoid having their SMTP servers blacklisted as sources of junk mail. You don’t want your server blacklisted as an open relay because other servers may reject mail from your users.
There are two main methods of preventing viruses and junk mail passing through or into your mail system. Using both methods will help ensure your mail system integrity. The two methods are:
• “Connection Control” on page 241
• “Mail Screening” on page 245
Connection Control
This method of prevention controls which servers can connect to your mail system and what those servers must do to send mail through your mail system. Your mail service can do any of the following to exercise connection control:
• Require SMTP authentication
• Restrict SMTP relay, allowing relay only by approved servers
• Reject SMTP connections from disapproved servers
• Reject mail from blacklisted servers
• Filter SMTP connections
These methods are explained on the following pages.
Requiring SMTP Authentication
If your mail service requires SMTP authentication, your server cannot be used as an open relay by anonymous users. Someone who wants to use your server as a relay point must first provide the name and password of a user account on your server.
Although SMTP authentication applies primarily to mail relay, your local mail users must also authenticate before sending mail. This means your mail users must have mail client software that supports SMTP authentication or they can’t send mail to remote servers. Mail sent from external mail servers and addressed to local recipients is still accepted and delivered.
To require SMTP authentication, see “Enabling Secure SMTP Authentication” on page 238.
Restricting SMTP Relay
Your mail service can restrict SMTP relay by allowing only approved hosts to relay mail. You create the list of approved servers.
Approved hosts can relay through your mail service without authenticating. Servers not on the list cannot relay mail through your mail service unless they authenticate first. All hosts, approved or not, can deliver mail to your local mail users without authenticating.
Your mail service can log connection attempts made by hosts not on your approved list.
To restrict SMTP relay:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Relay tab.
4 Click the “Accept SMTP relays only from these” checkbox.
5 Edit the list of hosts:
• Click the Add (+) button to add a host to the list.
• Click the Remove (–) button to delete a selected host from the list.
• Click the Edit (/) button to change a selected host from the list.
When adding to the list, you can use a variety of notations.
• Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
• Enter a hostname, such as mail.example.com.
• Enter an Internet domain name, such as example.com.
From the command line:
# Restrict SMTP relay:
sudo serveradmin settings mail:postfix:mynetworks_enabled = yes
SMTP Authentication and Restricted SMTP Relay Combinations
The following table describes the results of using SMTP authentication and restricted SMTP relay in various combinations.

SMTP requires authentication   Restricted SMTP relay   Result
On                             Off                     All mail servers must authenticate before your mail service accepts mail for relay. Your local mail users must also authenticate to send mail out.
On                             On                      Approved mail servers can relay without authentication. Servers you haven’t approved can relay after authenticating with your mail service.
Off                            On                      Your mail service can’t be used for open relay. Approved mail servers can relay (without authenticating). Servers that you haven’t approved can’t relay unless they authenticate, but they can deliver to your local mail users. Your local mail users don’t need to authenticate to send mail. This is the most common configuration.
Rejecting SMTP Connections from Specific Servers
Your mail service can reject unauthorized SMTP connections from hosts on a disapproved-hosts list that you create. Mail traffic from hosts on this list is denied and SMTP connections are closed after posting a 554 SMTP connection refused error.
To reject unauthorized SMTP connections from specific servers:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Relay tab.
4 Click the “Refuse all messages from these” checkbox.
5 Edit the list of servers:
• Click the Add (+) button to add a host to the list.
• Click the Remove (–) button to delete the selected host from the list.
• Click the Edit (/) button to change the selected host from the list.
When adding to the list, you can use the following notations:
• Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
• Enter a hostname, such as mail.example.com.
• Enter an Internet domain name, such as example.com.
From the command line:
# Reject unauthorized SMTP connections:
sudo serveradmin settings mail:postfix:smtp_reject_list_enabled = yes
sudo serveradmin settings mail:postfix:smtp_reject_list:_array_index:0 = "$NETWORK"
Rejecting Mail from Blacklisted Senders
Your mail service can reject mail from SMTP servers that are blacklisted as open relays by a Real-time Blacklist (RBL) server. Your mail service uses an RBL server that you specify. RBLs are also called black-hole servers.
Blocking unsolicited mail from blacklisted senders might not be completely accurate. Sometimes it prevents valid mail from being received.
To reject mail from blacklisted senders:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Relay tab.
4 Click the “Use these junk mail rejection servers” checkbox.
5 Edit the list of servers by adding the DNS name of an RBL server:
• Click the Add (+) button to add a server to the list, then enter the domain name of an RBL server, such as rbl.example.com.
• Click the Remove (–) button to delete a server from the list.
• Click the Edit (/) button to change a server.
From the command line:
# Reject mail from blacklisted senders:
sudo serveradmin settings mail:postfix:black_hole_domains:_array_index:0 = "$BLACKLIST_SERVER"
sudo serveradmin settings mail:postfix:maps_rbl_domains_enabled = yes
Filtering SMTP Connections
You can use the firewall service of Snow Leopard Server to allow or deny access to your SMTP mail service from specific IP addresses. Filtering disallows communication between an originating host and your mail server. Mail service doesn’t receive the incoming connection and no SMTP error is generated or sent back to the client.
To filter SMTP connections:
1 In Server Admin, select Firewall in the Computers & Services pane.
2 Create a firewall IP filter using the instructions in Network Services Administration, using the following settings:
• Access: denied
• Port number: 25 (or your incoming SMTP port, if you use a nonstandard port)
• Protocol: TCP
• Source: the IP address or address range you want to block
• Destination: your mail server’s IP address
3 If needed, log the packets to monitor the SMTP abuse.
4 Add more filters for the SMTP port to allow or deny access from other IP addresses or address ranges.
For additional information about firewall service, see Network Services Administration.
Mail Screening
After a mail delivery connection is made and the message is accepted for local delivery (relayed mail is not screened), the mail server can screen it before delivery.
Snow Leopard Server uses SpamAssassin (from spamassassin.apache.org) to analyze the text of a message, and gives it a probability rating for being junk mail.
No junk mail filter is 100% accurate in identifying unwanted mail. For this reason the junk mail filter in Snow Leopard Server doesn’t delete junk mail or keep it from being delivered. Instead, it marks the mail as potential junk mail.
The user can then decide if it’s really unsolicited commercial mail and deal with it accordingly. Many mail clients use the ratings that SpamAssassin adds as a guide in classifying mail for the user.
Snow Leopard Server uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it in several ways, as described in “Enabling Junk Mail Screening (Bayesian Filters)” on page 245. Virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.
Enabling Junk Mail Screening (Bayesian Filters)
Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.
Bayesian mail filtering is the classification of mail messages based on statistics. Each message is analyzed and word frequency statistics are saved. Mail messages that have more of the same words as those in junk mail receive a higher marking of probability that they are also junk mail. When the message is screened, the server adds a header (“X-Spam-Level”) with the junk mail probability score.
For example, let’s say you have 400 mail messages where 200 of them are junk mail and 200 are good mail. When a message arrives, its text is compared to the 200 junk mail and the 200 good messages. The filter assigns the incoming message a probability of being junk or good, depending on what group it most resembles.
Bayesian filtering has shown itself to be a very effective method of finding junk mail, if the filter has enough data to compare. One of the strengths of this method is that the more mail you get and classify (a process called training), the more accurate the next round of classification is. Even if junk mail senders alter their mailings, the filter takes that into account the next time around.
To enable junk mail screening:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Filters tab.
4 Select Scan Mail for Junk Mail.
5 Set the level of permissiveness (Cautious, Moderate, Aggressive).
The permissiveness meter sets how many junk mail flags can be applied to a message before it is processed as junk mail. If you set it to “Least permissive,” mildly suspicious mail is tagged and processed as junk mail. If you set it to “Most permissive” it takes a high score (in other words, many junk mail characteristics) to mark it as junk.
6 Decide how to deal with junk mail messages.
• Bounced: Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.
• Deleted: Deletes the message without delivery. You can optionally send a mail notification of the bounce to a mail account, probably the postmaster.
• Delivered: Delivers the message even though it’s probably junk mail. You can optionally add text to the subject line, indicating that the message is probably junk mail, or encapsulate the junk mail as a MIME attachment.
• Redirected: Delivers the message to someone other than the intended recipient.
7 Choose how often to update the junk mail database, if desired.
8 Click Save.
For an explanation of other options, see “Filtering Mail by Language and Locale” on page 248.
From the command line:
# Enable junk mail screening:
sudo serveradmin settings mail:postfix:spam_scan_enabled = yes
Manually Training the Junk Mail Filter
It’s important to teach the filter what is and isn’t junk mail. Initially, the filter won’t be very accurate at marking junk mail, but you can train it to do better. Accurate training requires a large sample, so a minimum of 200 messages of each type is advised.
To train the filter:
1 Choose a mailbox of 200 messages made of only junk mail.
2 Use Terminal and the filter’s command-line training tool to analyze it and remember it as junk mail using the following command:
sudo sa-learn --showdots --spam <junk mail directory>/*
3 Choose a mailbox of 200 messages made of only good mail.
4 Use Terminal and the filter’s command-line training tool to analyze it and remember it as good mail using the following command:
sudo sa-learn --showdots --ham <good mail directory>/*
If the junk mail filter fails to identify a junk mail message, train it again so it can do better next time. Use sa-learn again with the --spam argument on the mislabeled message. Likewise, if you get a false positive (a good message marked as junk mail), use sa-learn again with the --ham argument to further train the filter.
From the command line:
# Train the filter:
sudo sa-learn --showdots --spam $JUNK_DIRECTORY/*
sudo sa-learn --showdots --ham $NON_JUNK_DIRECTORY/*
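The word-frequency classification described under “Enabling Junk Mail Screening (Bayesian Filters)” and the sa-learn training loop above, as an added example that is not SpamAssassin’s code or part of Apple’s guide: a small naive Bayes filter is trained on constructed junk and good messages (standing in for the 200/200 mailboxes), scores a new message, applies a permissiveness threshold and produces an X-Spam-Level-style header. The tokenizer, the smoothing, the three threshold values and the one-star-per-tenth header convention are this example’s own choices.

```python
"""Naive Bayes junk mail scoring of the kind this section describes. Added
example, not SpamAssassin's code: tokenizer, add-one smoothing, the three
permissiveness thresholds and the one-star-per-tenth header are this
example's own choices. The training messages are constructed.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")
# Junk probability a message must reach to be processed as junk. Least
# permissive tags mildly suspicious mail; most permissive needs a high score.
THRESHOLDS = {"least": 0.5, "moderate": 0.8, "most": 0.95}


class BayesFilter:
    def __init__(self):
        self.junk_words = Counter()  # junk messages containing each word
        self.good_words = Counter()  # good messages containing each word
        self.junk_msgs = 0
        self.good_msgs = 0

    @staticmethod
    def tokens(text):
        """Distinct lower-case words; a word counts once per message."""
        return set(TOKEN_RE.findall(text.lower()))

    def learn(self, text, junk):
        """Training step, the equivalent of sa-learn --spam (junk=True) or --ham."""
        if junk:
            self.junk_words.update(self.tokens(text))
            self.junk_msgs += 1
        else:
            self.good_words.update(self.tokens(text))
            self.good_msgs += 1

    def word_probability(self, word):
        """P(junk | word) with add-one smoothing; an unseen word scores 0.5."""
        p_junk = (self.junk_words[word] + 1) / (self.junk_msgs + 2)
        p_good = (self.good_words[word] + 1) / (self.good_msgs + 2)
        return p_junk / (p_junk + p_good)

    def score(self, text):
        """Combine per-word probabilities in log space; returns P(junk) in (0, 1)."""
        log_junk = log_good = 0.0
        for word in self.tokens(text):
            p = self.word_probability(word)
            log_junk += math.log(p)
            log_good += math.log(1.0 - p)
        top = max(log_junk, log_good)  # log-sum-exp avoids exp() underflow
        junk = math.exp(log_junk - top)
        return junk / (junk + math.exp(log_good - top))

    def screen(self, text, permissiveness="moderate"):
        """Score a message and build the header the server adds when it screens mail."""
        score = self.score(text)
        return {
            "score": score,
            "is_junk": score >= THRESHOLDS[permissiveness],
            "header": "X-Spam-Level: " + "*" * round(score * 10),
        }


# Constructed corpus standing in for the 200 junk / 200 good training mailboxes
JUNK_TRAINING = [
    "FREE prize! Click here to claim your free prize",
    "Cheap pills, lowest price, buy now, limited offer",
    "You have won a lottery, click to claim your money",
    "Buy cheap watches, free shipping, order now",
    "Urgent: your prize is waiting, click now",
    "Limited offer: make money fast from home",
]
GOOD_TRAINING = [
    "Meeting agenda for Thursday attached, please review",
    "The quarterly report draft is ready for your comments",
    "Can we move the standup to ten tomorrow?",
    "Minutes from the security review meeting attached",
    "Please approve the pull request when you have time",
    "Lunch tomorrow at the usual place at noon",
]


def trained_filter():
    """Filter trained on the constructed corpus, as the manual sa-learn steps do."""
    bayes = BayesFilter()
    for text in JUNK_TRAINING:
        bayes.learn(text, junk=True)
    for text in GOOD_TRAINING:
        bayes.learn(text, junk=False)
    return bayes


if __name__ == "__main__":
    bayes = trained_filter()
    for text in ("Claim your free prize now, click here",
                 "Please review the meeting agenda attached"):
        print(bayes.screen(text), text)
```

A message the filter misses can be fed back with `learn(text, junk=True)`, the same correction the section describes for re-running sa-learn on a mislabeled message.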
Automatically Training the Junk Mail Filter
The junk mail filter must be told what is and isn’t junk mail. Snow Leopard Server provides a method of automatically training the filter with the help of mail users.
The server runs an automated command at 1 am (a launchd recurring event) that scans two specially named mail users’ inboxes. It runs SpamAssassin’s sa-learn tool on the contents of the inboxes and uses the results for its adaptive junk mail filter.
To automatically train the junk mail filter:
1 Enable junk mail filtering.
See “Enabling Junk Mail Screening (Bayesian Filters)” on page 245.
2 Create two local accounts: junkmail and notjunkmail.
3 Use Workgroup Manager to enable them to receive mail.
4 Instruct your mail users to redirect junk mail messages that have not been tagged as junk mail to junkmail@<yourdomain>.
5 Instruct your mail users to redirect real mail messages that were wrongly tagged as junk mail to notjunkmail@<yourdomain>.
Each day at 1 am, the junk mail filter will learn what is junk and what was mistaken for junk, but is not.
6 Delete the messages in the junkmail and notjunkmail accounts daily.
From the command line:
# Automatically train the junk mail filter:
sudo /etc/mail/spamassassin/learn_junk_mail
Filtering Mail by Language and Locale
You can filter incoming mail based on locales or languages. Mail messages composed in foreign text encodings are often erroneously marked as junk mail. You can configure your mail server to not mark messages from designated originating countries or languages as junk mail.
To allow mail by language and locale:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Filters tab.
4 Select Scan Email for Junk Mail.
5 Click the Edit (/) button next to Accepted Languages to change the list, select the language encodings to allow as non-junk mail, and click OK.
6 Click the Edit (/) button next to Accepted Locales to change the list, select the country codes to allow as non-junk mail, and click OK.
7 Click Save.
From the command line:
# Allow mail by language and locale:
sudo serveradmin settings mail:postfix:spam_ok_languages = "en fr de"
sudo serveradmin settings mail:postfix:spam_ok_locales = "en"
Enabling Virus Screening
Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.
Snow Leopard Server uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can choose to deal with it in several ways, as described below. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.
To enable virus screening:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Filters tab.
4 Select Scan Email for Viruses.
5 Decide how to deal with messages containing viruses.
• Bounced: Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account (probably the domain’s postmaster) and notify the intended recipient.
• Deleted: Deletes the message without delivery. You can optionally send a mail notification to some mail account, probably the postmaster, as well as the intended recipient.
• Quarantined: Delivers the message to a directory for further analysis. You can optionally send a mail notification of the quarantine to some mail account, probably the postmaster.
6 Choose if you want to notify the intended recipient if the message was filtered.
7 Choose how often to update the virus database.
A minimum of twice a day is suggested. Some administrators choose eight times a day.
8 Click Save.
From the command line:
# Enable virus screening:
sudo serveradmin settings mail:postfix:virus_scan_enabled = yes
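The serveradmin settings this chapter turns on and off can be checked in one pass. The following added example (not code from Apple’s guide) parses a saved dump of `serveradmin settings mail` output and reports the weak settings discussed in the sections above, from POP/IMAP cleartext authentication and SSL transport through SMTP authentication, relay restriction and junk mail and virus screening. It assumes the dump is plain `key = value` text as serveradmin prints it and that `require` is the tls_server_options value behind the Require menu item (the page shows only `use`); the two sample dumps are constructed.

```python
"""Audit a saved `serveradmin settings mail` dump for the weak settings this
chapter tells you to turn off. Added example, not code from Apple's guide.
Assumptions not stated on the page: the dump is plain `key = value` text as
serveradmin prints it, and "require" is the tls_server_options value behind
the Require menu item. WEAK_DUMP and HARDENED_DUMP are constructed samples.
"""
import re

LINE_RE = re.compile(r"^(?P<key>\S+)\s*=\s*(?P<value>.*)$")
SMTP_MECH_PREFIX = "mail:postfix:smtpd_pw_server_security_options:_array_index:"

# POP/IMAP mechanisms the chapter describes as not encrypting the password
CLEARTEXT_KEYS = (
    "mail:imap:pop_auth_clear",
    "mail:imap:imap_auth_clear",
    "mail:imap:imap_auth_plain",
    "mail:imap:imap_auth_login",
)
# Settings that must read "yes" for the controls in this chapter to be active
MUST_BE_YES = {
    "mail:postfix:smtpd_sasl_auth_enable": "no SMTP authentication (open relay risk)",
    "mail:postfix:mynetworks_enabled": "SMTP relay not restricted to approved hosts",
    "mail:postfix:smtpd_use_tls": "SMTP transport not protected by SSL",
    "mail:postfix:spam_scan_enabled": "junk mail screening disabled",
    "mail:postfix:virus_scan_enabled": "virus screening disabled",
}


def parse_settings(text):
    """Return {key: value}; quotes around a value are stripped, other lines skipped."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        value = match.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[match.group("key")] = value
    return settings


def audit_mail_settings(settings):
    """Return one finding per weak setting; an empty list means every check passed."""
    findings = []
    for key in CLEARTEXT_KEYS:
        if settings.get(key) == "yes":
            findings.append(f"{key} = yes: password sent unencrypted")
    # "use" still lets a client connect without SSL; only Require closes that gap
    tls = settings.get("mail:imap:tls_server_options", "missing")
    if tls != "require":
        findings.append(f"mail:imap:tls_server_options = {tls}: expected require")
    # SMTP mechanisms are an array; plain and login send the password unprotected
    for key, mech in settings.items():
        if key.startswith(SMTP_MECH_PREFIX) and mech in ("plain", "login"):
            findings.append(f"SMTP mechanism {mech} enabled: password sent unencrypted")
    for key, why in MUST_BE_YES.items():
        if settings.get(key) != "yes":
            findings.append(f"{key} = {settings.get(key, 'missing')}: {why}")
    return findings


WEAK_DUMP = """\
mail:imap:pop_auth_clear = yes
mail:imap:imap_auth_login = yes
mail:imap:tls_server_options = "use"
mail:postfix:smtpd_sasl_auth_enable = yes
mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "gssapi"
mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "crammd5"
mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "login"
mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "plain"
mail:postfix:mynetworks_enabled = no
mail:postfix:smtpd_use_tls = "yes"
mail:postfix:spam_scan_enabled = yes
mail:postfix:virus_scan_enabled = no
"""

HARDENED_DUMP = """\
mail:imap:pop_auth_clear = no
mail:imap:imap_auth_clear = no
mail:imap:imap_auth_plain = no
mail:imap:imap_auth_login = no
mail:imap:tls_server_options = "require"
mail:postfix:smtpd_sasl_auth_enable = yes
mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "gssapi"
mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "crammd5"
mail:postfix:mynetworks_enabled = yes
mail:postfix:smtpd_use_tls = "yes"
mail:postfix:spam_scan_enabled = yes
mail:postfix:virus_scan_enabled = yes
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        result = audit_mail_settings(parse_settings(dump))
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

On a real server the dump would come from `sudo serveradmin settings mail > mail-settings.txt`, read into `parse_settings`; the constructed weak dump yields seven findings and the hardened one none.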
Viewing Mail Service Logs
Mail service maintains the following logs that you can view in Server Admin. The file location for each log is shown beneath the Show pop-up menu.
• Mail Access: General mail service information goes into this log.
• IMAP log: IMAP-specific activity goes into this log.
• POP log: POP-specific activity goes into this log.
• SMTP log: SMTP-specific activity goes into this log.
• Mailing List logs: The logs record Mailman’s activity, including service, error, delivery failures, postings, and subscriptions.
• Junk Mail and Virus logs: These show activity for mail filtering, including logs for virus definition updates (freshclam log), virus scanning (clamav log), and mail filtering (amavis log).
Logs can be refined by using the text filter box in the window.
To view a mail service log:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click the Logs button.
3 From the View pop-up menu choose a log type.
4 Click Save.
From the command line:
# View a mail service log:
sudo tail /var/log/mail.log
16 Securing Antivirus Services
Use this chapter to learn how to use the antivirus services built into your system to detect and remove viruses.
Installing antivirus tools helps prevent infection of your computer by viruses, and helps prevent your computer from becoming a host for spreading viruses to other computers. These tools quickly identify suspicious content and compare it to known malicious content.
Snow Leopard Server uses ClamAV (from www.clamav.net) to scan mail messages and attachments for viruses. If a suspected virus is found, ClamAV deletes the message or quarantines it to a specified directory on the server for further analysis.
The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.
In addition to using antivirus tools, you should develop computer usage habits that prevent virus infection. For example, don’t download or open content you didn’t specifically request, and never open a file sent to you by someone you don’t know.
When you use antivirus tools, make sure you have the latest virus definition files. The protection provided by your antivirus tool depends on the quality of your virus definition files. If your antivirus tool supports it, enable automatic downloading of virus definitions.
For a list of antivirus tools, see the Macintosh Products Guide at guide.apple.com.
Securely Configuring and Managing Antivirus Services
This section describes how to securely configure and manage antivirus services.
Enabling Virus Scanning
Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.
To enable virus screening:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Filters tab.
4 Select Scan Email for Viruses.
5 Decide how to deal with messages containing viruses.
• Bounced: Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account (probably the domain’s postmaster) and notify the intended recipient.
• Deleted: Deletes the message without delivery. You can optionally send a mail notification to some mail account, probably the postmaster, as well as the intended recipient.
• Quarantined: Delivers the message to a directory for further analysis. You can optionally send a mail notification of the quarantine to some mail account, probably the postmaster.
6 Choose if you want to notify the intended recipient if the message was filtered.
7 Choose how often to update the virus database.
A minimum of twice a day is suggested. Some administrators choose eight times a day.
8 Click Save.
From the command line:
# --------------------------------------------------------------------
# Securing Antivirus Services
# --------------------------------------------------------------------
# Enable virus screening
sudo serveradmin settings mail:postfix:virus_scan_enabled = yes
Managing ClamAV with ClamXav
You can use ClamXav, a free GUI front-end to the ClamAV open source virus checker. This tool allows you to:
• Update virus definitions
• Scan files and folders for viruses
ClamXav performs the following tasks:
• Logs results to a log file
• Places infected files into quarantine
• Monitors folders for changes to their contents
You can access ClamXav services through contextual pop-up menus in the Finder.
Viewing Antivirus Services Logs
Mail service maintains the following junk mail and virus logs that you can view in Server Admin. The file location for each log is shown beneath the Show pop-up menu.
• Junk Mail/Virus Scanning (/var/log/amavis.log)
• Virus (/var/log/clamav.log)
• Virus Database Updates (/var/log/freshclamlog)
To view a virus service log:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click the Logs button.
3 From the View pop-up menu choose a log type.
4 Click Save.
From the command line:
# View a virus log:
sudo tail /var/log/amavisd.log
17 Securing File Services and Sharepoints
Use this chapter to learn how to secure file services.
Securely configuring file services is an important step in the process of protecting your private data from network attacks.
Snow Leopard Server’s cross-platform file sharing services help groups work more efficiently by letting them share resources, archive projects, exchange and back up important documents, and conduct other file-related activities.
Sharing files over a network opens your computers up to a host of vulnerabilities. With file services enabled, you are allowing access to files and folders on your server (also called sharepoints).
For more information about configuring file services, see File Services Administration.
Security Considerations
The most effective method of securing your network is to assign correct privileges for each file, folder, and sharepoint you create.
Restricting Access to File Services
Use Service Access Control Lists (SACLs) to restrict access to AFP, FTP, and SMB services.
Restricting Access to Everyone
Be careful when creating and granting access to sharepoints, especially if you’re connected to the Internet. Granting access to Everyone or to World (in NFS service) can expose your data to anyone on the Internet. For NFS, it is recommended that you do not export volumes to World and that you use Kerberos to provide security for NFS volumes.
Restricting Access to NFS Share Points
NFS share points without the use of Kerberos don’t have the same level of security as AFP and SMB, which require user authentication (entering a user name and password) to gain access to a share point’s contents.
If you have NFS clients, consider setting up a share point to be used only by NFS users, or configure NFS with Kerberos. NFS doesn’t support SACLs. For more information, see “Protocol Security Comparison” on page 256.
Restricting Guest Access
When you configure file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone.
To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions by using File Sharing in Server Admin:
• Depending on the controls you want to place on guest access to a share point, consider the following options:
  • Set privileges for Everyone to None for files and folders that guest users shouldn’t access. Items with this setting can be accessed only by the item’s owner or group.
  • Put files available to guests in one folder or set of folders and then assign the Read Only privilege to the Everyone category for that folder and each file in it.
  • Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of information in this folder.
• Don’t export NFS volumes to World. Restrict NFS exports to a subnet or a specific list of computers.
• Disable access to guests or anonymous users over AFP, FTP, and SMB using Server Admin.
• Share individual folders instead of entire volumes. The folders should contain only those items you want to share.
Restricting File Permissions
Before a folder is shared, its permissions should be restricted as much as possible. Permissions on share points set as user home folders are particularly important. By default, users’ home folders are set to allow any other user to read their contents.
For more information about setting file permissions, see Chapter 6, “Securing System Preferences.”
Protocol Security Comparison
When sharing network resources, configure your server to provide the necessary security.
AFP and SMB provide some level of encryption to secure password authentication. AFP and SMB do not encrypt data transmissions over the network so you should only use them on a securely configured network.
FTP does not provide password or data encryption. When using FTP, make sure your network is securely configured. Instead of using FTP, consider using the scp or sftp command-line tools. These tools securely authenticate and securely transfer files.
The following table provides a comparison of the protocols and their authentication and encryption capabilities.

AFP
  Authentication: Cleartext and encrypted (Kerberos) passwords.
  Data encryption: Not encrypted and data is visible during transmission.
NFS
  Authentication: Encrypted (Kerberos) password and system authentication.
  Data encryption: Can be configured to encrypt data transmission.
SMB
  Authentication: Cleartext and encrypted (NTLMv1, NTLMv2, LAN Manager, and Kerberos) passwords.
  Data encryption: Not encrypted and data is visible during transmission.
FTP
  Authentication: Cleartext passwords.
  Data encryption: Not encrypted. Data is sent as cleartext.
Disabling File Sharing Services
Unless you use the server as a file server, disable file sharing services. Disabling these services prevents your computer from being used by an attacker to access other computers on your network.
To disable file sharing services:
1 Open Server Admin and connect to the server.
2 Select the file sharing protocol in the Computers & Services list.
You can choose AFP, FTP, NFS, or SMB.
3 Click “Stop (protocol name)” below the Computers & Services list.
4 Repeat for each protocol.
From the command line:
# --------------------------------------------------------------------
# Securing File Services
# --------------------------------------------------------------------
# Disable file sharing services.
sudo serveradmin stop afp
sudo serveradmin stop smb
sudo serveradmin stop ftp
sudo serveradmin stop nfs
Choosing a File Sharing Protocol
If you require file sharing services, you must choose which file sharing protocols are needed before configuring the services. The protocol is configured for the folders you are sharing, called sharepoints. The sharepoints are created and configured using Workgroup Manager.
Most installations only need one file sharing protocol, and you should use as few protocols as possible. Limiting the number of protocols used by a server limits its exposure to vulnerabilities discovered in those protocols. The protocol choices are:
• Apple Filing Protocol (AFP): AFP is the preferred method of file sharing for Macintosh or compatible client systems. AFP supports authentication of clients, and also supports encrypted network transport using SSH.
• File Transfer Protocol (FTP): FTP should generally not be used for file sharing. Use the SFTP feature of SSH instead. SFTP provides a secure means of authentication and data transfer, while FTP does not.
The only situation where FTP is acceptable is when the server must act as a file server for anonymous users. This might be necessary over WANs, where there is no concern for the confidentiality of data and responsibility for the integrity of the data rests with its recipient.
• Network File System (NFS): NFS is a common file sharing protocol for UNIX computers. Avoid using NFS, because it does not perform authentication of its clients—it grants access based on client IP addresses and file permissions. Using NFS may be appropriate if the client computer administration and the network are trusted.
• Microsoft Windows Server Message Block (SMB): SMB is the native file sharing protocol for Microsoft Windows. Avoid using SMB—it supports authentication but does not support encrypted network transport, and it uses NTLMv1 and NTLMv2 encryption, both of which are weak password hashing schemes. SMB may be an appropriate protocol for Windows clients when the network between the server and client is not at risk for eavesdropping.
Each protocol is appropriate for specific situations. Deciding which protocol to use depends on the clients and networking needs. After you choose a protocol for file sharing, you must configure the file sharing protocol.
If no sharepoints are shared with a protocol, disable the service that runs that protocol using Server Admin. The NFS service stops when no sharepoints specify its use.
Configuring AFP File Sharing Service
Apple File Service, which uses AFP, lets you share files among Macintosh clients. Because it provides authentication and encryption, AFP service is the preferred file sharing method for Macintosh or compatible clients.
Note: Encryption does not apply to automatically mounted home folders, where only authentication is provided.
To securely configure AFP service:
1 Open Server Admin and connect to the server.
2 Select AFP in the Computers & Services list.
3 Click Settings.
4 Click General.
5 Enter the login greeting according to site policy.
6 Click Access.
7 For Authentication, choose “Kerberos” if your system is integrated into a Kerberos system; otherwise, choose “Standard.”
8 Deselect “Enable administrator to masquerade as any registered user.”
9 Under Maximum Connections, enter the largest expected number for Client Connections.
10 Click Logging.
11 Select “Enable access log” to enable logging.
12 Select “Archive every __ day(s)” and set the frequency to three days or according to your organization’s requirements.
13 Select “Login” and “Logout” to include events in the access log.
If you need stronger accounting, select the other events.
14 Under Error Log, select “Archive every __ day(s)” and set the frequency according to your organization’s requirements.
15 Click Idle Users and configure Idle Users settings:
• Deselect “Allow clients to sleep __ hour(s) - will not show as idle.”
• Select “Disconnect idle users after __ minute(s)” and enter a value in the text field to mitigate risk from a computer accidentally being left unattended.
• Deselect Guests, Administrators, Registered Users, and Idle Users who have open files.
• Enter a “Disconnect Message” notice according to site policy.
16 Click Save.
17 Click Start AFP.
18 For additional security enhancements, further restrict AFP by using SACLs and firewall rules.
These are configured based on your organization’s network environment:
• You can configure SACLs to restrict AFP access to specific users or groups. For more information, see “Setting Service Access Control Lists (SACLs)” on page 183.
• You can configure firewall rules that prevent AFP connections from unintended sources. For more information, see “Creating Firewall Service Rules” on page 216.
From the command line:
# Securely configure AFP service:
sudo serveradmin settings afp:registerNSL = no
sudo serveradmin settings afp:attemptAdminAuth = no
sudo serveradmin settings afp:clientSleepOnOff = no
sudo serveradmin settings afp:idleDisconnectOnOff = yes
sudo serveradmin settings afp:authenticationMode = "kerberos"
sudo serveradmin settings afp:activityLog = yes
sudo serveradmin settings afp:guestAccess = no
Configuring FTP File Sharing Service
If authentication of users is possible, use the SFTP portion of SSH instead of FTP to securely transmit files to and from the server. For more information, see “Transferring Files Using SFTP” on page 191.
FTP is acceptable only if its anonymous access feature is required, which allows unauthenticated clients to download files. The files are transferred unencrypted over the network and no authentication is performed.
Although the transfer does not guarantee confidentiality or integrity to the recipient, it is appropriate in some cases. If this capability is not specifically required, disable it.
To configure FTP to provide anonymous FTP downloads:
1 Open Server Admin and connect to the server.
2 Select FTP in the Computers & Services list.
3 Click Settings, then click General.
4 In “Disconnect client after __ login failures,” enter 1.
Even though authenticated connections are not accepted, logins should fail quickly if accidentally activated.
5 Enter a mail address specially set up to handle FTP administration—for example, [email protected].
6 Under Access, select “Kerberos” for Authentication.
If a Kerberos server is not set up, the authentication process is blocked.
7 In “Allow a maximum of __ authenticated users,” enter 1.
The GUI does not allow setting this to 0, but authenticated users are disabled in later steps.
8 Select “Enable anonymous access.”
Anonymous access prevents user credentials from being sent openly over the network.
Important: Before selecting this option, review the privileges assigned to your share points under File Privileges in the Sharing pane to make sure there are no security holes.
Anonymous users can log in using the name “ftp” or “anonymous.” They do not need a password to log in, but they are prompted to enter their email address.
9 Determine a maximum number of anonymous users and enter the number in “Allow a maximum of __ anonymous users.”
10 Under File conversion, deselect “Enable MacBinary and disk image auto-conversion.”
11 Click Messages.
12 Select “Show Welcome Message” and enter a welcome message according to site policy.
13 Select “Show Banner Message” and enter a banner message according to site policy.
Do not reveal software information, such as operating system type or version, in the banner.
14 Click Logging.
15 Select all options under “Log Authenticated Users” and “Log Anonymous Users.”
Even though authenticated users are not allowed to log in, their attempts should be logged so corrective action can be taken.
16 Click Advanced.
17 Set “Authenticated users see” to FTP Root and Share Points.
Authenticated users and anonymous users see the same FTP root.
18 Verify that “FTP root” is set to the /Library/FTPServer/FTPRoot/ folder.
19 Click Save.
20 Click Start FTP.
21 Open the /Library/FTPServer/FTPRoot/ folder and drag the contents (Users, Groups, Public) to the trash.
22 Drag the files to share with anonymous users to the /Library/FTPServer/FTPRoot/ folder.
23 Verify that the file permissions for the /Library/FTPServer/FTPRoot/ folder do not allow public write access.
24 Open the file /Library/FTPServer/Configuration/ftpaccess for editing.
25 Delete lines that begin with “upload.”
The following two lines are present by default:
upload /Library/FTPServer/FTPRoot /uploads yes ftp daemon 0666 nodirs
upload /Library/FTPServer/FTPRoot /uploads/mkdirs yes ftp daemon 0666 dirs 0777
26 Insert the following line to prevent advertisement of operating system and version information:
greeting terse
27 Insert the following lines to prevent users from authenticating.
deny-gid %-99 %65535
deny-uid %-99 %65535
allow-gid ftp
allow-uid ftp
This forces users to access FTP anonymously, protecting their login credentials.
28 For additional security enhancements, you can further restrict the FTP service by using SACLs and firewall rules.
These are configured based on your organization’s network environment.
• You can configure SACLs to restrict FTP access to specific users or groups. For more information about configuring SACLs, see “Setting Service Access Control Lists (SACLs)” on page 183.
• You can configure firewall rules that prevent FTP connections from unintended sources. For more information, see “Creating Firewall Service Rules” on page 216.
From the command line:
# Configure FTP to provide anonymous FTP downloads:
sudo serveradmin settings ftp:logSecurity:anonymous = yes
sudo serveradmin settings ftp:logSecurity:guest = yes
sudo serveradmin settings ftp:logSecurity:real = yes
sudo serveradmin settings ftp:maxRealUsers = 1
sudo serveradmin settings ftp:enableMacBinAndDmgAutoConversion = no
sudo serveradmin settings ftp:authLevel = "KERBEROS"
sudo serveradmin settings ftp:anonymousAccessPermitted = yes
sudo serveradmin settings ftp:bannerMessage = "$BANNER"
sudo serveradmin settings ftp:maxAnonymousUsers = 500
sudo serveradmin settings ftp:administratorEmailAddress = "[email protected]"
sudo serveradmin settings ftp:logCommands:anonymous = yes
sudo serveradmin settings ftp:logCommands:guest = yes
sudo serveradmin settings ftp:logCommands:real = yes
sudo serveradmin settings ftp:loginFailuresPermitted = 1
sudo serveradmin settings ftp:welcomeMessage = "$WELCOME"
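Steps 23 through 27 above are a handful of file edits that are easy to leave half done. The following shell script is an added example, not part of the Apple guide: it applies the ftpaccess edits to a copy of the file, verifies the result, and counts world-writable entries under the FTP root. The file paths are the guide's; the sample ftpaccess content and the sample FTP root are constructed.

```shell
#!/bin/sh
# Added example (not from the Apple guide): apply the ftpaccess edits from
# steps 24-27 to a copy of /Library/FTPServer/Configuration/ftpaccess, then
# verify them and check the FTP root from step 23 for public write access.

# harden_ftpaccess SRC DST
# Writes a hardened copy of SRC to DST: every "upload" directive is dropped,
# then the terse greeting and the deny/allow rules that confine the service
# to the anonymous "ftp" account are appended.
harden_ftpaccess() {
    src=$1; dst=$2
    sed '/^upload/d' "$src" > "$dst" || return 1
    cat >> "$dst" <<'EOF'
greeting terse
deny-gid %-99 %65535
deny-uid %-99 %65535
allow-gid ftp
allow-uid ftp
EOF
}

# verify_ftpaccess FILE
# Returns 0 when no upload directive survived and every required line is
# present as a whole line, 1 otherwise.
verify_ftpaccess() {
    f=$1
    grep -q '^upload' "$f" && return 1
    for want in 'greeting terse' 'deny-gid %-99 %65535' \
                'deny-uid %-99 %65535' 'allow-gid ftp' 'allow-uid ftp'; do
        grep -Fqx "$want" "$f" || return 1
    done
    return 0
}

# world_writable_count DIR
# Prints the number of entries under DIR whose mode grants write access to
# "others" (step 23 requires zero such entries under the FTP root).
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Demo on constructed data in a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/ftpaccess" <<'EOF'
# constructed excerpt of the default ftpaccess file
upload /Library/FTPServer/FTPRoot /uploads yes ftp daemon 0666 nodirs
upload /Library/FTPServer/FTPRoot /uploads/mkdirs yes ftp daemon 0666 dirs 0777
EOF
harden_ftpaccess "$tmp/ftpaccess" "$tmp/ftpaccess.hardened"
verify_ftpaccess "$tmp/ftpaccess.hardened" && echo "ftpaccess hardened OK"

# Constructed FTP root: one file is wrongly world-writable, one is fine.
mkdir -p "$tmp/FTPRoot/pub"
chmod 755 "$tmp/FTPRoot" "$tmp/FTPRoot/pub"
touch "$tmp/FTPRoot/pub/readme.txt" "$tmp/FTPRoot/pub/index.html"
chmod 666 "$tmp/FTPRoot/pub/readme.txt"
chmod 644 "$tmp/FTPRoot/pub/index.html"
echo "world-writable entries under FTPRoot: $(world_writable_count "$tmp/FTPRoot")"
```

On a live server, run harden_ftpaccess against the real ftpaccess path and world_writable_count against /Library/FTPServer/FTPRoot, and remove the temporary directory when done.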
Configuring NFS File Sharing Service
NFS does not support user name and password authentication. It relies on client IP addresses to authenticate users, and on client enforcement of permissions. This is not a secure approach in most networks. Therefore, use NFS only if you are on a LAN with trusted client computers, or if you are in an environment that can’t use Apple file sharing or Windows file sharing.
The NFS server included with Snow Leopard Server lets you limit access to a share point based on a client’s IP address. Restrict access to a share point exported using NFS to those clients that require it. You can reshare NFS mounts using AFP, Windows, and FTP so that users can access NFS volumes in a more restricted fashion.
To configure and start NFS service, use Server Admin. For information about how to set up and restrict NFS service, see “NFS Share Points” on page 268.
For additional security enhancements, you can further restrict NFS service by using firewall rules. You can configure firewall rules that prevent NFS connections from unintended sources.
For more information, see “Creating Firewall Service Rules” on page 216. Rules are configured based on your organization’s network environment.
Configuring SMB File Sharing Service
If share points need to use SMB, activate Windows file service and configure it. Support for SMB is provided by the open source Samba project, which is included with Snow Leopard Server.
SMB uses NTLMv1 and NTLMv2 encryption, which are very weak password hashing schemes. For more information about configuring the Samba software, go to www.samba.org.
To securely configure Windows file sharing service:
1 Open Server Admin and connect to the server.
2 Select SMB in the Computers & Services list.
3 Click Settings, then click General.
4 Choose the Role according to operational needs.
If the server shares files but does not provide authentication services, “Standalone Server” is the relevant choice.
5 Fill in the text fields appropriately, leaving the Description field blank.
It is helpful for the computer name to match the host name (without the domain name). The Workgroup name depends on the configuration of Windows domains on your subnet.
6 Click Access.
7 Deselect “Allow Guest access.”
8 For “Client connections,” select “__ maximum” and enter the maximum number of client connections expected.
The Graphs pane shows current usage, which can help you adjust the number of connections for your network.
9 Click Logging.
10 Change “Log Detail” to at least “medium” to capture authentication failures.
11 Click Advanced.
12 Under Services, deselect “Workgroup Master Browser” and “Domain Master Browser” unless these services are required.
13 Select Off for WINS registration.
14 Click Save.
15 Click Start SMB.
16 For additional security enhancements, further restrict the Windows service by using SACLs and firewall rules.
These are configured based on your organization’s network environment:
• You can configure SACLs to restrict Windows access to specific users or groups. For more information about configuring SACLs, see “Setting Service Access Control Lists (SACLs)” on page 183.
• You can configure firewall rules that prevent Windows connections from unintended sources. For more information, see “Creating Firewall Service Rules” on page 216.
From the command line:
# Securely configure Windows file sharing service
sudo serveradmin settings smb:wins support = no
sudo serveradmin settings smb:domain master = no
sudo serveradmin settings smb:map to guest = "Never"
sudo serveradmin settings smb:auth methods = "odsam"
sudo serveradmin settings smb:ntlm auth = "no"
sudo serveradmin settings smb:max smbd processes = 1000
sudo serveradmin settings smb:log level = 1
sudo serveradmin settings smb:preferred master = no
sudo serveradmin settings smb:os level = 65
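The serveradmin settings listed for AFP, FTP and SMB above double as the baseline to re-check later, since a GUI change or a restore can silently revert them. The following script is an added example, not part of the Apple guide: it compares captured `serveradmin settings` output against that baseline and reports every key that drifted. The current-settings text below is constructed; on a real server you would feed it the output of `sudo serveradmin settings afp` (and ftp, smb).

```shell
#!/bin/sh
# Added example (not from the Apple guide): audit serveradmin settings
# against the hardening values this chapter sets for AFP, FTP and SMB.

# Hardening baseline, one "key = value" per line in the form serveradmin
# prints them. Values are the ones given in the chapter.
BASELINE='afp:attemptAdminAuth = no
afp:clientSleepOnOff = no
afp:idleDisconnectOnOff = yes
afp:authenticationMode = "kerberos"
afp:activityLog = yes
afp:guestAccess = no
ftp:anonymousAccessPermitted = yes
ftp:maxRealUsers = 1
ftp:loginFailuresPermitted = 1
ftp:enableMacBinAndDmgAutoConversion = no
smb:map to guest = "Never"
smb:ntlm auth = "no"
smb:wins support = no
smb:domain master = no
smb:preferred master = no'

# Constructed sample of what a server might report; in practice capture it
# with: sudo serveradmin settings afp; sudo serveradmin settings ftp; ...
SAMPLE='afp:attemptAdminAuth = yes
afp:clientSleepOnOff = no
afp:idleDisconnectOnOff = yes
afp:authenticationMode = "standard"
afp:activityLog = yes
afp:guestAccess = no
ftp:anonymousAccessPermitted = yes
ftp:maxRealUsers = 1
ftp:loginFailuresPermitted = 3
ftp:enableMacBinAndDmgAutoConversion = no
smb:map to guest = "Bad User"
smb:ntlm auth = "no"
smb:wins support = no
smb:domain master = no
smb:preferred master = no'

# audit_settings BASELINE_TEXT CURRENT_TEXT
# Prints one line per baseline key whose current value differs or is
# missing; prints nothing when the server matches the baseline.
audit_settings() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        key=${line%% = *}      # text before the first " = " (keys may contain spaces)
        want=${line#* = }      # text after the first " = "
        have=$(printf '%s\n' "$2" | awk -v k="$key" '
            index($0, k " = ") == 1 { print substr($0, length(k) + 4); found = 1 }
            END { if (!found) print "<missing>" }')
        [ "$have" = "$want" ] || printf '%s: expected %s, found %s\n' "$key" "$want" "$have"
    done
}

# count_deviations BASELINE_TEXT CURRENT_TEXT
# Prints the number of deviating keys (0 means compliant).
count_deviations() {
    audit_settings "$1" "$2" | wc -l | tr -d ' '
}

audit_settings "$BASELINE" "$SAMPLE"
echo "deviations: $(count_deviations "$BASELINE" "$SAMPLE")"
```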
Configuring Share Points
A share point is a hard disk (or hard disk partition), disc media, or folder that contains files you want users to share. You can use share points to host home folders.
You can use Server Admin to set up share points and then use the share points to host local home folders. Or you can mount the share points so that they host network home folders.
Using network home folders stored on a share point is inherently less secure than using local home folders. An intruder can access your network home folder through an insecure network connection.
Make sure that share points on local system drives are configured to grant access to only specific users or groups, and are not open to everyone. Removing open share points prevents unwanted access to your computer and prevents your computer from being used to maliciously access additional computers on the network. Do not share files unnecessarily.
Disabling Share Points
Disable unused share points and sharing protocols. Enabled share points and sharing protocols can provide an avenue of attack for intruders.
If you disable all share points using a specific sharing protocol, you should also disable that protocol.
To disable a share point:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
6 Disable the following sharing options:
Click AFP and deselect “Share this item using AFP.”
Click SMB and deselect “Share this item using SMB.”
Click FTP and deselect “Share this item using FTP.”
Click NFS and deselect “Export this item and its contents to”.
7 Click OK.
8 Click Save.
Restricting Access to a Share Point
Before enabling a share point, restrict the access permissions for the folder that will act as the share point and only allow users who must use the share point to access it.
You can then use Server Admin’s File Sharing pane to set POSIX and ACL permissions to restrict share points to only being accessible by specific users. You can use a combination of the two permission types to customize accessibility for your users.
You can also use Workgroup Manager’s effective permissions inspector to determine the permissions a user is granted.
WARNING: Carefully set access permissions. Incorrectly set access permissions can prevent legitimate users from accessing folders and files, or they can allow malicious users to access folders and files.
To restrict access to a share point:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
5 To set the owner or group of the shared item, enter names or drag names from the Users and Groups drawer to the owner or group records in the permissions table.
The owner and group records are listed under the POSIX heading. The owner record has the single user icon. The group record has the group icon.
To open the drawer, click the Add (+) button. If you don’t see a recently created user or group, click the Refresh button.
Owner and group names can also be edited by double-clicking a permissions record and dragging into or typing in the User/Group field in the window that appears.
Note: To change the autorefresh interval, choose Server Admin > Preferences and change the value of the “Auto-refresh status every” field.
Make sure you understand the implications of changing a folder’s owner and group. For more information, see “Setting POSIX Permissions” on page 141.
6 To change the permissions for Owner, Group, and Others, use the Permission pop-up menu in the related row of the permissions table.
Others is any user that logs in to the file server who is not the owner and does not belong to the group.
If you’re configuring a home folder’s permissions, give the owner Read & Write privileges, but reduce group and everyone privileges to None.
The default for home folders is that the staff group and everyone have read privileges. All accounts are also members of the staff group. These two privileges allow everyone to view the contents of the home folder. If you want someone other than the owner to view the contents of the home folder, replace staff with that account.
7 Click Save.
The new share point is shared using AFP, SMB, and FTP, but not NFS.
To set ACL permissions on a share point or a folder:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
5 Open the Users and Groups drawer by clicking the Add (+) button.
6 Drag groups and users from the drawer into the ACL Permissions list to create ACEs.
By default, each new ACE gives the user or group full read and inheritance permissions.
The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other ACEs that allow the same user editing permissions are ignored. In addition, the ACEs in the ACL take precedence over standard permissions.
7 In the Access Control List, select the ACE.
8 Click the Edit (/) button.
9 From the Permission Type pop-up menu, choose “Allow” or “Deny.”
10 In the Permissions list, select permissions.
If you chose Custom from the Permission pop-up menu, click the disclosure triangles to display specific attributes. Choose Allow or Deny from the Permission Type pop-up menu. Select specific permissions and click OK.
You can further grant or deny specific permissions that you cannot specify through POSIX permissions. For example, you can allow a user to list folder contents but disallow that user from reading file attributes.
11 Click Save.
AFP Share Points
If you supply network home folders, use AFP because it provides authentication-level access security. A user must log in with a valid user name and password to access files.
You can also enable AFP using an SSH-secured tunnel for file sharing. This tunnel prevents intruders from intercepting your communication with an AFP share point.
You cannot enable SSH-secured tunnels for AFP share points that host home folders.
For more information, see “Configuring AFP File Sharing Service” on page 258.
SMB Share Points
Do not use SMB unless you’re hosting a share point specifically for Windows users. You can set up a share point for SMB access only, so that Windows users have a network location for files that can’t be used on other platforms.
Like AFP, SMB also requires authenticating with a valid user name and password to access files. However, there are well-known risks associated with SMB. For example, SMB uses NTLMv1 and NTLMv2 encryption, which are weak password hashing schemes.
For more information, see “Configuring SMB File Sharing Service” on page 263.
FTP Share Points
You cannot use FTP share points to host home folders and you should only enable FTP share points if you require anonymous access.
Files are transferred from FTP share points unencrypted over the network. Transferring files over FTP does not guarantee confidentiality or file integrity.
If you need to use FTP for file transfers, consider using the SSH service instead. The sftp command, part of the SSH suite of tools, provides an FTP-like experience for users while providing a more secure setting. For more information, see the sftp man page.
For more information about setting up FTP share points, see “Configuring FTP File Sharing Service” on page 259.
NFS Share Points
NFS file access is not based on user authentication (entering a user name and password). It is based on the user ID and the client IP address. As such, NFS share points without the use of Kerberos don’t have the same level of security as AFP and SMB, which require user authentication to gain access to a share point’s contents.
If you have NFS clients, consider setting up a share point to be used only by NFS users, or configure NFS with Kerberos. NFS doesn’t support SACLs.
Use NFS only if you must provide home folders for a large number of users who use UNIX workstations. Use Server Admin to restrict access to an NFS share point, so that only required computers can access it.
To restrict access to an NFS share point:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
6 Click NFS.
7 If only a few computers need access to the share point, select “Export this item and its contents to” and choose Client List from the pop-up menu.
To add a client, click Add (+) and enter the IP address of the client computer.
Add only those client computers that require access to the share point.
8 If every computer in a subnet requires access to the share point, select “Export this item and its contents to” and choose Subnet from the pop-up menu.
In the Subnet address field, enter the subnet address. In the Subnet mask field, enter the subnet mask.
9 From the Mapping pop-up menu, choose “All to nobody.”
A user with “nobody” privileges has “Others” POSIX permissions.
10 From the Minimum Security pop-up menu, set the level of authentication:
Choose “Standard” if you don’t want to set a level of authentication.
Choose “Any” if you want NFS to accept any method of authentication.
Choose “Kerberos v5” if you want NFS to only accept Kerberos authentication.
Choose “Kerberos v5 with data integrity” if you want NFS to accept Kerberos authentication and validate the data (checksum) during transmission.
Choose “Kerberos v5 with data integrity and privacy” to have NFS accept Kerberos authentication, to validate using the checksum, and to encrypt data during transmission.
11 Select “Read-only.”
12 Click Save.
18 Securing Web Service
Use this chapter to learn how to secure web service.
Web service provides an easy method of accessing data from anywhere in the world. However, this access is often attacked due to its weakness on other platforms. Snow Leopard Server provides many configuration options to protect web service.
Web service is based on Apache, an open source HTTP web server. A web server responds to requests for HTML web pages stored on your site. Open source software gives you the capability to view and change the source code to make changes and improvements. This has led to Apache’s widespread use, making it one of the most popular web servers on the Internet today.
Web administrators can use Server Admin to administer web service without knowing about advanced settings or configuration files. Web administrators proficient with Apache can also administer web technologies using Apache’s advanced features.
Because web service in Snow Leopard Server is based on Apache, you add advanced features with plug-in modules. Apache modules let you add support for Simple Object Access Protocol (SOAP), Java, and CGI languages such as Python.
For more information about the Apache project, see www.apache.org. The Center for Internet Security (CIS) at www.cisecurity.org provides an Apache Benchmark and Scoring tool. CIS Benchmarks enumerate security configuration settings and actions that harden your computer.
For more information about configuring web service, see Web Technologies Administration.
Disabling Web Service
If the system is not intended to be a web server, disable web server software.
Secure web administration demands scrutiny of configuration settings. Use SSL encryption to encrypt sensitive web traffic.
If the system is not a web server, disable web services using the Server Admin tool. Disabling the service prevents potential vulnerabilities on your computer. Web service is disabled by default, but verification is recommended.
To disable web service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Stop Web.
4 Click Save.
From the command line:
# --------------------------------------------------------------------
# Securing Web Service
# --------------------------------------------------------------------
# Disable web service:
sudo serveradmin stop web
Managing Web Modules
If your system does not require active web modules, disable them. Web modules (sometimes called plug-ins) consist of web components that add functionality to web service. Using unnecessary modules creates potential security risks when the web service is running.
Many types of web modules are available for use with web service. Verify that each module used is required and that you understand the impact it has to security when web service is running.
Important: When disabling web modules, make sure the module is not needed by another web service you are running. If you disable a web module that another web service is dependent on, that web service might not work.
272
Chapter 18 Securing Web Service
To disable web modules:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Settings, then click Modules.
4 Deselect all modules except for the modules your site requires.
5 Click Save.
Disabling Web Options
Enabled web options can be a security risk if you don’t understand the impact the module has to security when a web service is running.
Disable the following web modules unless they are specifically required for a web service:
• Folder Listing: Displays a list of folders when users specify the URL and no default web page (such as index.html) is present. Instead of viewing a default web page, the server shows a list of the web folder’s contents. Folder listings appear only if no default document is found.
• WebDAV: Turns on Web-based Distributed Authoring and Versioning (WebDAV), which allows users to make changes to websites while the sites are running. If you enable WebDAV you must also assign access privileges for the sites and for the web folders.
• CGI Execution: Permits Common Gateway Interface (CGI) programs or scripts to run on your web server. CGI programs or scripts define how a web server interacts with external content-generating programs.
• Server Side Includes (SSI): Permits SSI directives placed in web pages to be evaluated on the server while the website is active. You can add dynamically generated content to your web pages while the files are being viewed by users.
• Allow All Overrides: Instructs web service to look for additional configuration files inside the web folder for each request.
• Spotlight Searching: Allows web browsers to search the content of your website.
To disable web options:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Click Options below the websites list.
5 Deselect Folder Listing, WebDAV, CGI Execution, Server Side Includes (SSI), and Allow All Overrides unless they are required.
From the command line:
# Disable web options:
sudo serveradmin settings web:Modules:_array_id:authz_host_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:dav_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:dav_fs_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:apple_spotlight_module:enabled = no
sudo serveradmin settings web:Sites:_array_id:$SITE:SpotlightIndexing = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:AllowOverride = "None"
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:IfModule:_array_id:mod_dav.c:DAV = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Includes = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:ExecCGI = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Indexes = no
sudo serveradmin settings web:Sites:_array_id:default_default:SpotlightIndexing = no
Using Realms to Control Access
You can use realms to control access and provide security to locations or folders in a website. Realms are locations at the URL or files in the folder that users can view. If WebDAV is enabled, users with authoring privileges can also change content in the realm. You set up the realms and specify the users and groups that have access to them.
When an assigned user or group possesses fewer permissions than the permissions assigned to user Everyone, that user or group is deleted upon a refresh. This happens because the access assigned to Everyone preempts the access assigned to specific users or groups with fewer permissions than those possessed by Everyone. The greater permissions always take precedence.
Consequently, the list of assigned users and groups with fewer permissions is not saved in the Realms pane upon refresh if their permissions are determined to be preempted by the permissions assigned to Everyone. After the refresh, the names are no longer listed in the list on the right in the Realms pane. Also, for a brief period of time, user Everyone will switch its displayed name to “no-user.”
To use a realm to control website access:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Below the websites list, click Realms.
5 Click the Add (+) button to create a realm.
The realm is the part of the website users can access.
6 In the Realm Name field, enter the realm name.
This is the name users see when they log in to the website.
7 From the Authentication pop-up menu, choose a method of authentication:
• Basic authentication is on by default. Do not use basic authentication for sensitive data. It sends your password to the server unencrypted.
• Digest authentication is more secure than basic authentication because it uses an encrypted hash of your password.
• Kerberos authentication is the most secure because it implements server certificates to authenticate. If you want Kerberos authentication for the realm, join the server to a Kerberos domain.
8 Enter the realm location or folder you are restricting access to:
a Choose Location from the pop-up menu and enter a URL to the location in the website that you want to restrict access to.
b Choose Folder from the pop-up menu and enter the path to the folder that you want to restrict access to.
You can also click the Browse button to locate the folder you want to use.
9 Click OK.
10 Select the new realm and click Add (+) to open the Users & Groups panel.
To switch between the Users list and the Groups list, click Users or Groups in the panel.
Use the Realms pane to delete a user or group by selecting the name and clicking the Delete (–) button.
11 To add users or groups to a realm, drag users to the list on the right in the Realms pane.
When users or members of a group you’ve added to the realm connect to the site, they must supply their user name and password.
12 Limit realm access to specified users and groups by setting the following permissions using the up and down arrows in the Permissions column.
• Browse Only: Permits users or groups to browse the website.
• Browse and Read WebDAV: Permits users or groups to browse the website and also read the website files using WebDAV.
• Browse and Read/Write WebDAV: Permits users or groups to browse the website and also read and write to website files using WebDAV.
• None: Prevents users or groups from using permissions.
13 Click Save.
Enabling Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) provides security for a site and its users by authenticating the server, encrypting information, and maintaining message integrity.
SSL is a per-site setting that lets you send encrypted, authenticated information across the Internet. For example, if you want to permit credit card transactions through a website, you can protect the information that’s passed to and from that site.
The SSL layer is below application protocols (for example, HTTP) and above TCP/IP. This means that when SSL is operating on the server and on the client computer, information is encrypted before being sent.
The Apache web server in Snow Leopard Server uses a public key-private key combination to protect information. A browser encrypts information using a public key provided by the server and only the server has a private key that can decrypt that information.
The web server supports SSLv2, SSLv3, and TLSv1. More information about these protocol versions is available at www.modssl.org.
When SSL is implemented on a server, a browser connects to it using the https prefix in the URL, rather than http. The “s” indicates that the server is secure.
When a browser initiates a connection to an SSL-protected server, it connects to a specific port (443) and sends a message that describes the encryption ciphers it recognizes. The server responds with its strongest cipher, and the browser and server then continue exchanging messages until the server determines the strongest cipher that it and the browser can recognize.
The server then sends its certificate (an ISO X.509 certificate) to the browser. This certificate identifies the server and uses it to create an encryption key for the browser to use. At this point a secure connection is established and the browser and server can exchange encrypted information.
Before you can enable SSL protection for a website, you must obtain the proper certificates. For detailed information about certificates and their management, see Advanced Server Administration.
To set up SSL for a website:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Click Security below the websites list.
5 In the Security pane, select Enable Secure Sockets Layer (SSL).
When you turn on SSL, a message appears, noting that the port is changed to 443.
6 In the Certificate pop-up menu, choose the certificate you want.
If the certificate is protected by a passphrase, the name of the certificate must match the virtual host name. If the names don’t match, web service won’t restart.
7 If you choose Custom Configuration or want to edit a certificate, you might need to do the following:
a Click the Edit (/) button and supply the information in each field for the certificate.
b If you received a ca.crt file from the CA, click the Edit (/) button and paste the text from the ca.crt file in the Certificate Authority File field.
Note: The ca.crt file might be required but might not be sent directly to you. This file must be available on the website of the CA.
c In the Private Key Passphrase field, enter a passphrase and click OK.
8 In the “SSL Log File” field, enter the path name for the folder where you want to keep the SSL log.
You can also use the Browse button to navigate to the folder.
9 Click Save.
10 Confirm that you want to restart web service.
Server Admin lets you enable SSL with or without saving the SSL passphrase. If you did not save the passphrase with the SSL certificate data, the server prompts you for the passphrase upon restart but won’t accept manually entered passphrases.
Use the Security pane for the site in Server Admin to save the passphrase with the SSL certificate data. For more information, see “Using a Passphrase with SSL Certificates” on page 278.
Using a Passphrase with SSL Certificates
If you manage SSL certificates using Server Admin and you use a passphrase for certificates, Server Admin ensures that the passphrase is stored in the system keychain. When a website is configured to use the certificate and that web server is started, the getsslpassphrase(8) utility extracts the passphrase from the system keychain and passes it to the web server, as long as the certificate name matches the virtual host name.
If you do not want to rely on this mechanism, you can have the Apache web server prompt you for the passphrase when you start or restart it. Use the sudo serveradmin command-line tool to configure this.
To configure Apache to prompt you for a passphrase when it starts:
1 Open Terminal and enter the following command.
sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSL
PassPhraseDialog=builtin
2 StartApachewiththecommand:
sudo serveradmin start web
3 Whenprompted,enterthecertificatepassphrase.
Fromthecommandline:
#
# Configure Apache to prompt you for a passphrase when it starts.
#--------------------------------sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSL
PassPhraseDialog=builtin
Viewing Web Service Logs
Use Server Admin to view the error and access logs for web service, if you have enabled them. Web service in Snow Leopard Server uses the standard Apache log format, so you can also use a third-party log analysis tool to interpret the log data.
To view logs:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Logs, then choose between an access or error log by selecting the log from the list of logs.
To search for specific entries, use the Filter field in the lower right.
From the command line:
#
# View logs.
# ----------
sudo tail /var/log/apache2/access_log
Securing WebDAV
Web service includes support for Web-based Distributed Authoring and Versioning, known as WebDAV. With WebDAV capability, your users can check out web pages, make changes, and then check the pages back in while the site is running. In addition, the WebDAV command set is rich enough that client computers with Snow Leopard installed can use a WebDAV-enabled web server as if it were a file server.
Sharing files over a network opens your computers to a host of vulnerabilities. To reduce the security risk when using WebDAV, assign access privileges for the sites and for the web folders.
To securely configure WebDAV for a site:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Click Options below the websites list.
5 Select the WebDAV checkbox.
This option turns WebDAV on, allowing users to make changes to websites while the sites are running. If you enable WebDAV, you must also assign access privileges for the sites and web folders.
Note: If you turned off the WebDAV module in the Modules pane of Server Admin, you must turn it on again before WebDAV takes effect for a site. This is true even if the WebDAV option is selected in the Options pane for the site. For more about enabling modules, see “Managing Web Modules” on page 272.
6 Click Save.
After WebDAV is turned on, you can use realms to control access to the website. For more information about configuring realms, see “Using Realms to Control Access” on page 274.
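Because web service writes the standard Apache log format, the access log is the place to watch WebDAV use once it is enabled. The following is an added example (not code from the Apple guide): it parses Apache combined-format lines, reports which authenticated clients are using WebDAV write methods on the site, and flags hosts that repeatedly fail realm authentication. The log lines are constructed; the threshold of three 401 responses is an assumption.

```python
"""Audit an Apache access_log for WebDAV write activity and failed realm authentication.

Added example, not part of the Apple guide.  The sample log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Methods that change content on a WebDAV share ("check out, change, check in").
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample: one legitimate editor, one anonymous reader, one host failing the realm.
SAMPLE_LOG = """\
10.0.1.20 - alice [12/Mar/2010:09:01:10 -0800] "PROPFIND /docs/ HTTP/1.1" 207 1423 "-" "WebDAVFS/1.8"
10.0.1.20 - alice [12/Mar/2010:09:01:12 -0800] "PUT /docs/index.html HTTP/1.1" 204 0 "-" "WebDAVFS/1.8"
10.0.1.50 - - [12/Mar/2010:09:02:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Safari/531"
192.0.2.9 - - [12/Mar/2010:09:03:01 -0800] "PROPFIND /docs/ HTTP/1.1" 401 381 "-" "cadaver/0.23"
192.0.2.9 - - [12/Mar/2010:09:03:02 -0800] "PROPFIND /docs/ HTTP/1.1" 401 381 "-" "cadaver/0.23"
192.0.2.9 - - [12/Mar/2010:09:03:03 -0800] "PUT /docs/notes.html HTTP/1.1" 401 381 "-" "cadaver/0.23"
10.0.1.20 - alice [12/Mar/2010:09:05:00 -0800] "DELETE /docs/old.html HTTP/1.1" 204 0 "-" "WebDAVFS/1.8"
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in Apache combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit(lines, auth_failure_threshold=3):
    """Summarise WebDAV writes and authentication failures.

    Returns (writes, suspicious):
      writes     -- {(host, user): Counter of successful WebDAV write methods}
      suspicious -- sorted hosts with at least `auth_failure_threshold` 401 responses
    """
    writes = defaultdict(Counter)
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or truncated lines rather than abort the audit
        if rec["method"] in WEBDAV_WRITE_METHODS and rec["status"] < 400:
            writes[(rec["host"], rec["user"])][rec["method"]] += 1
        if rec["status"] == 401:
            failures[rec["host"]] += 1
    suspicious = sorted(h for h, n in failures.items() if n >= auth_failure_threshold)
    return dict(writes), suspicious


def report(lines):
    """Human-readable summary of audit(); returned as a string so callers can log or mail it."""
    writes, suspicious = audit(lines)
    out = ["WebDAV write activity (successful requests):"]
    for (host, user), methods in sorted(writes.items()):
        out.append("  %s as %s: %s" % (host, user, dict(methods)))
    out.append("Hosts repeatedly failing realm authentication: %s" % (suspicious or "none"))
    return "\n".join(out)


if __name__ == "__main__":
    # On the server this would be: with open("/var/log/apache2/access_log") as f: lines = f.readlines()
    print(report(SAMPLE_LOG.splitlines()))
```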
Securing Blog Services
A blog is like a diary or journal, with entries that are arranged in the order they were created in. On the other hand, a wiki contains shared content that doesn’t appear in chronological order. The type of information you want to put on your site helps determine whether it appears in a wiki or in a blog.
By default, blogs are disabled when you start web service. Blogs can open your computers to a host of vulnerabilities. If blogs are not required, disable them.
Disabling Blog Services
If you do not need blog services, disable them.
To disable blog service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites.
4 In the Sites list, click the site where you want blog service disabled.
5 Click Web Services.
6 In the Services for Groups section, deselect the “Wiki and blog” checkbox.
7 Click Save.
From the command line:
#
# Disable blog service.
# ---------------------
sudo serveradmin settings web:Sites:_array_id:$SITE:weblog = no
Securely Configuring Blog Services
You can enable user and group blog service on your website. Snow Leopard Server includes a group wiki and a group blog. These are enabled together. Group blogs let users in a group access and post entries to the same blog.
Users can also publish their own personal blog using web services associated with their server account. This gives users the ability to maintain personal blogs on their own user pages.
To set up blog service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites.
4 In the Sites list, click the site where you want blog service enabled.
To maximize the security of user interactions with the server hosting blogs, have users access blogs through a site that has SSL enabled.
5 Click Web Services.
6 In the Services for Groups section, select the “Wiki and blog” checkbox.
7 Click Settings.
8 Click Web Services.
9 Click blogs.
10 From the default Wiki and Blog Theme pop-up menu, choose a theme.
A theme controls the appearance of a blog. Themes determine the color, size, location, and other attributes of blog elements. Each theme is implemented using a style sheet. The default theme is used when a blog is created, but blog owners can change the theme. The default theme also controls the appearance of the blog’s front page.
11 Identify a blog folder, used to store blog files.
By default, blog files are stored in /Library/Collaboration on the computer hosting blog service. You can click Choose to select a different folder, such as a folder on a RAID device or on another computer.
12 Click Save.
13 Make sure the blog server’s Open Directory search path includes directories where users and group members you want to support with blog service are defined.
The Open Directory Administration guide explains how to set up search paths. Any user or group member defined in the Open Directory search path can create and access blogs on the server unless you deny them access to blog service.
Securing Tomcat
You use Server Admin or Terminal to disable Tomcat if you don’t need it.
To stop Tomcat using Server Admin:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Settings, then click General.
4 Deselect the Enable Tomcat checkbox.
5 Click Save.
From the command line:
# ---------------------------------------------------------------------
# Securing Tomcat
# ---------------------------------------------------------------------
# Stop Tomcat:
sudo /Library/Tomcat/bin/startup.sh stop
Securing MySQL
MySQL provides a relational database management solution for your web server. With this open source software, you can link data in tables or databases and provide the information on your website.
Disabling MySQL Service
If you do not need to run MySQL service, disable it in Server Admin.
To turn MySQL service off:
1 Open Server Admin and connect to the server.
2 Select MySQL in the Computers & Services list.
3 Click Stop MySQL.
From the command line:
# ---------------------------------------------------------------------
# Securing MySQL
# ---------------------------------------------------------------------
# Turn MySQL service off
sudo serveradmin stop mysql
Setting Up MySQL Service
Use MySQL service Settings in Server Admin to specify the database location, to enable network connections, and to set the MySQL root password.
To configure MySQL service settings:
1 Open Server Admin and connect to the server.
2 Select MySQL in the Computers & Services list.
3 Click Settings.
4 To prevent users from accessing MySQL service over the network, deselect the “Allow network connections” checkbox.
This prohibits user access to database information through the web server.
5 In the Database location field, enter the path to the location of your database.
You can also click the Choose button and browse for the folder you want to use.
6 Click Save.
From the command line:
#
# Configure MySQL service settings.
# ---------------------------------
sudo serveradmin settings mysql:allowNetwork = no
Viewing MySQL Service and Admin Logs
MySQL service keeps two types of logs, a MySQL service log and MySQL admin logs:
• The MySQL service log records the time of events such as when MySQL service is started and stopped.
• The MySQL admin log records information such as when clients connect or disconnect and each SQL statement received from clients. This log is located at /Library/Logs/MySQL.log.
You can view MySQL service logs using Server Admin.
To view MySQL service logs:
1 Open Server Admin and connect to the server.
2 Select MySQL in the Computers & Services list.
3 Click Logs.
Use the Filter field to search for specific entries.
From the command line:
#
# View MySQL service logs.
# ------------------------
sudo tail /Library/Logs/MySQL.log
19
Securing Client Configuration Management Services
Use this chapter to learn how to secure Client Configuration Management services.
Securely configuring client configuration management helps standardize the clients across your network and provides a secure deployment.
By managing preferences for users, workgroups, computers, and computer groups, you can customize the user’s experience and restrict user access to only the applications and network resources you choose.
To manage preferences, use the Preferences pane in Workgroup Manager.
Properly set managed preferences help deter users from performing malicious activities. They can also help prevent users from accidentally misusing their computer.
Managing Applications Preferences
Use Applications preferences to allow or restrict user access to applications.
Computers identify applications using one of two methods: digital signatures (used in Leopard or later), and bundle IDs (used in Tiger or earlier, but they can also be used in Snow Leopard or later).
Digital signatures are much more secure because clever users can manipulate bundle IDs. Workgroup Manager supports both methods.
Use the Applications pane to work with digital signatures. Use the Legacy pane to work with bundle IDs.
Application restrictions depend on which pane you’re managing and the version of Mac OS X run by client computers:
• If you manage the Applications pane and your users run Snow Leopard or later, Applications settings take effect and Legacy settings are ignored.
• If you don’t manage the Applications pane, Legacy settings take effect for any version of Mac OS X.
• If your users run Tiger or earlier, only Legacy settings take effect.
You can also use settings in Applications preferences to allow only specific widgets in Dashboard or to disable Front Row.
The table below describes the settings in each Applications pane.
Applications preference pane   What you can control
Applications                   Access to specific applications and paths to applications using digital signatures (for users of Snow Leopard or later)
Widgets                        Allowed Dashboard widgets for users of Snow Leopard
Front Row                      Whether Front Row is allowed
Legacy                         Access to specific applications and paths to applications using bundle IDs (primarily for users of Tiger or earlier)
Controlling User Access to Applications and Folders
You can use Workgroup Manager to prevent users from launching unapproved applications or applications located in unapproved folders.
In Tiger or earlier, applications were identified by their bundle IDs. If users have Snow Leopard or later installed, you can use digital signatures to identify applications. Digital signatures are much more difficult to circumvent than a bundle ID.
Workgroup Manager can sign applications that aren’t already signed. When signing an application, you can embed a signature or you can store a detached signature separately from the application.
Embedding a signature has several performance benefits over a detached signature, but with signature embedding you must make sure every computer has the same signed application. For applications run from a CD, DVD, or other read-only media, you must use detached signatures.
Chapter 19 Securing Client Configuration Management Services
285
Workgroup Manager uses the following icons to denote the kind of signature associated with an application.
Icon        Indicates the application has this type of signature
(no icon)   Embedded signature
(icon)      Detached signature
(icon)      No signature
Applications that include helper applications are denoted by a disclosure triangle. When you click the disclosure triangle, you’ll see a list of helper applications. By default, these helper applications are allowed to open.
You can disable individual helper applications, but the application might behave erratically if it requires the helper applications.
To allow or prevent users from launching an application, add the application or application path to one of three lists:
• Always allow these applications. Add applications that should always be allowed, regardless of their inclusion in other lists. You can sign applications added to this list. Do not add unsigned applications to this list because they allow users to disguise unapproved applications as approved applications.
• Disallow applications within these folders. Add applications and folders containing applications you want to prevent users from opening. All applications in the subfolders of a disallowed folder are also disallowed. Disallowing a folder in an application package can cause the application to behave erratically or fail to load.
• Allow applications within these folders. Add applications and folders containing applications you want to allow. All applications in the subfolders of an allowed folder are also allowed. Unlike applications in the “Always allow these applications” list, applications listed here are not allowed if they or their paths are listed in the “Disallow applications within these folders” list.
If an application or its folder doesn’t appear in these lists, the user can’t open the application.
Some applications don’t fully support signatures. To make sure a signed application is restricted, make a copy of the application, sign it, and move it to a location in the “Disallow applications within these folders” list. When you try to open the application on a managed computer, it should open because the signature is valid.
Next, void the signed application’s signature by copying a file into its application package. Now when you try to open the application on a managed computer, it should not open because the signature is void and the application is in a disallowed folder.
To manage Applications preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click the Applications tab.
5 Set the management setting to Always.
6 Select “Restrict which applications are allowed to launch.”
7 Click the Applications tab (in the Applications pane), click the Add (+) button, choose an application you want to always allow, and then click Add.
When you allow an application, you also allow all helper applications included with that application. You can deselect helper applications to disallow them.
8 If you’re asked to sign the application, click Sign; if you’re asked to authenticate, authenticate as a local administrator.
To add the application to the list as an unsigned application, click Don’t Sign.
When you sign the application, Workgroup Manager tries to embed the signature. If you don’t have write access to the application, Workgroup Manager creates a detached signature.
9 Click the Folders tab, click the Add (+) button next to “Disallow applications within these folders,” and then choose folders containing applications you want to prevent users from launching.
10 Click the Add (+) button next to the “Allow applications within these folders” field and choose folders containing applications you want to allow.
Disallowing folders takes precedence over allowing them. If you allow a folder that is a subfolder of a disallowed folder, the subfolder is still disallowed.
11 Click Apply Now.
Allowing Specific Dashboard Widgets
If your users have Snow Leopard or later installed, you can prevent them from opening unapproved Dashboard widgets by creating a list of approved widgets (which can include widgets included with Snow Leopard and third-party widgets). To approve third-party widgets, you must be able to access them from your server.
The Dashboard widgets included with Snow Leopard Server can be trusted. However, users can install third-party Dashboard widgets without authenticating. To protect systems against unauthorized use, allow users to use only trusted third-party Dashboard widgets.
Note: Because code signing is not supported, users can bypass restrictions to Dashboard widgets. Therefore, implement a mechanism to regularly check available Dashboard widgets to ensure policy compliance.
To allow specific Dashboard widgets:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click Widgets.
5 Set the management setting to Always.
6 Select “Allow only the following Dashboard widgets to run.”
7 To allow specific widgets, click the Add (+) button, select the widget’s .wdgt file, and then click Add.
The widgets included with Snow Leopard are in /Library/Widgets.
8 To prevent users from opening specific widgets, select the widget and click the Remove (–) button.
9 Click Apply Now.
Disabling Front Row
With Workgroup Manager, you can disable Front Row.
To disable Front Row:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click Front Row.
5 Set the management setting to Always.
6 Deselect Allow Front Row.
7 Click Apply Now.
From the command line:
#
# Securing Client Configuration Management Services
# =================================================
# If the intended target is a client system, the target for the dscl
# commands should be "/LDAPv3/127.0.0.1". If the management target is the
# server itself, the target should be ".".
#
# Disable Front Row:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.frontrow PreventActivation always -bool 1
Allowing Legacy Users to Open Applications and Folders
To control user access to applications in Tiger or earlier, you:
• Provide access to a set of approved applications that users can open
• Prevent users from opening a set of unapproved applications
You can also set options to further control user access to applications.
When users have access to local volumes, they can access applications on the computer’s local hard disk. If you don’t want to allow this, disable local volume access.
Applications use helper applications for tasks they can’t complete independently. For example, if a user tries to open a web link in a mail message, the mail application might need to open a web browser to display the web page.
Disallowing helper applications improves security because an application can designate any other application as a helper application. However, you might want to include common helper applications in the approved applications list. This avoids problems such as users being unable to open and view mail content or attached files.
Occasionally, applications or the operating system might require the use of UNIX tools, such as QuickTime Image Converter. These tools can’t be accessed directly, and generally operate in the background without the user’s knowledge. If you disallow access to UNIX tools, some applications might not work.
Allowing UNIX tools enhances application compatibility and efficient operation, but can decrease security.
If you don’t manage Applications settings for computers running Snow Leopard or later, Legacy settings are used.
To set up a list of accessible applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click Legacy.
5 Set the management setting to Always.
6 Select “User can only open these applications” or “User can open all applications except these.”
7 Add items to or remove items from the list.
To select multiple items, hold down the Command key.
8 To allow access to applications stored on the user’s local hard disk, select “User can also open all applications on local volumes.”
9 To allow helper applications, select “Allow approved applications to launch nonapproved applications.”
10 To allow use of UNIX tools, select “Allow UNIX tools to run.”
11 Click Apply Now.
From the command line:
# Setting up a list of accessible applications
# --------------------------------------------
# Allow access to applications stored on the user’s local hard disk:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess OpenItemsInternalDrive always -bool 1
# Allow helper applications:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess ApprovedAppLaunchesOthers always -bool 1
# Allow UNIX tools:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess AllowUnbundledApps always -bool 1
Managing Dock Preferences
You can customize the user’s Dock to display specific applications. This helps you guide the user toward using recommended applications.
You can also add documents and folders to the Dock. Adding specific, required network folders to the Dock helps prevent the user from navigating through your network hierarchy. This also helps prevent them from misusing the server.
To manage Dock preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Dock and then click Dock Display.
5 Set the management setting to Once or Always.
6 Drag the Dock Size slider to make the Dock smaller or larger.
7 If you want items in the Dock to be magnified when a user moves the pointer over them, select Magnification and then adjust the slider.
Magnification is useful if you have many items in the Dock.
8 From the “Position on screen” radio buttons, select whether to place the Dock on the left, right, or bottom of the desktop.
9 From the “Minimize using” pop-up menu, choose a minimizing effect.
10 If you don’t want to use animated icons in the Dock when an application opens, deselect “Animate opening applications.”
11 If you don’t want the Dock to be visible all the time, select “Automatically hide and show the Dock.”
When the user moves the pointer to the edge of the screen where the Dock is located, the Dock appears.
12 Click Apply Now.
From the command line:
# Managing Dock Preferences
# -------------------------
# Set Dock hiding
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide always -bool 1
Managing Energy Saver Preferences
Energy Saver preference settings help you save energy and battery power by managing wake, sleep, and restart timing for servers and client computers. You can only manage Energy Saver preferences for computer lists.
When client computers go to sleep, they become unmanaged. Do not enable sleep mode for client computers.
To manage Energy Saver preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select computers or computer groups.
4 Click Energy Saver and then click Desktop.
5 From the OS pop-up menu, choose Mac OS X and set the management setting to Always.
6 To adjust sleep settings, choose Sleep from the Settings pop-up menu and move the “Put the computer to sleep when it is inactive for” slider to Never.
7 From the OS pop-up menu, choose Snow Leopard Server and set the management setting to Always.
8 From the Settings pop-up menu, choose Sleep and move the “Put the computer to sleep when it is inactive for” slider to Never.
9 Click Portable.
10 From the Power Source pop-up menu, choose Adapter and set the management setting to Always.
11 From the Settings pop-up menu, choose Sleep and move the “Put the computer to sleep when it is inactive for” slider to Never.
12 From the Power Source pop-up menu, choose Battery and set the management setting to Always.
13 From the Settings pop-up menu, choose Sleep and move the “Put the computer to sleep when it is inactive for” slider to Never.
14 Click Schedule.
15 From the OS pop-up menu, choose Mac OS X and set the management setting to Always.
16 Deselect “Start up the computer.”
17 From the OS pop-up menu, choose Snow Leopard Server and set the management setting to Always.
18 Deselect “Start up the computer.”
19 Click Apply Now.
Managing Finder Preferences
You can control aspects of Finder menus and windows to improve or control workflow. You can prevent users from burning media or from ejecting disks, and from connecting to remote servers. When used with Dock preferences, you can guide the user experience.
To manage Finder preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Overview.
5 Click Finder, click the Preferences tab, and then select Always.
6 Select “Use normal Finder.”
Simple Finder is best used for computers in kiosk situations.
Simple Finder removes the ability to use a Finder window to access applications or modify files. This limits users to accessing only what is in the Dock. If you enable Simple Finder, users cannot mount network volumes. With Simple Finder enabled, users cannot create folders or delete files.
7 Deselect “Hard disks,” “Removable media (such as CDs),” and “Connected servers.”
By deselecting these, you help prevent users from casually navigating through local and network file systems.
8 Select “Always show file extensions.”
Important: Operating systems use file extensions as one method of identifying types of files and their associated applications. Using only file extensions to check the safety of incoming files leaves your system vulnerable to attacks by Trojans. A Trojan is a malicious application that uses common file extensions or icons to masquerade as a document or media file (such as a PDF, MP3, or JPEG).
For further explanation and guidance on handling mail attachments and content downloaded from the internet, see KBase Article 108009: Safety tips for handling email attachments and content downloaded from the Internet at docs.info.apple.com/article.html?artnum=108009.
9 Click Commands and select Always.
10 Deselect Connect to Server, Go to iDisk, and Go to Folder.
Instead of allowing the user to choose which servers or folders to load, add approved servers.
11 Deselect Eject and Burn Disc.
Disallowing external media gives you more control.
12 Deselect Restart and Shut Down.
By disallowing restarting and shutting down client computers, you help ensure that your computers are available to other users.
13 Click Apply Now.
From the command line:
# Managing Finder Preferences
# ---------------------------
# Manage Finder preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder AppleShowAllExtensions-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitBurn always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitConnectTo always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitEject always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToFolder always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToiDisk always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowHardDrivesOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowMountedServersOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowRemovableMediaOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences AppleShowAllExtensions always -bool 1
Managing Login Preferences
Use Login preferences to set options for user login, to provide password hints, and to control the user’s ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open when a user logs in.
The table below summarizes what you can do with settings in each Login pane.
Login preference pane   What you can control
Window                  For computers and computer groups only: The appearance of the login window such as the heading, message, which users are listed if the “List of users” is specified, and the ability to restart or shut down
Options                 For computers and computer groups only: Login window options like enabling password hints, automatic login, console, fast user switching, inactivity logout, disabling of management, setting the computer name to match the computer record, and external account login
Access                  For computers and computer groups only: Who can log in, if local users can use workgroup settings, and the combination and selection of workgroups
Scripts                 For computers and computer groups only: A script to run during login or logout and whether to execute or disable the client computer’s own LoginHook or LogoutHook scripts
Items                   Access to the group volume, which applications open automatically for the user, and if users can add or remove login items
By managing script settings, you can help protect your users from malicious login or logout scripts that could be used to compromise their accounts’ integrity.
You can manage login window settings to make it more difficult for intruders to attempt to log in as legitimate users.
You can configure options to track malicious user actions.
To manage Login preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select user accounts.
To perform the steps involving applying scripts and login window settings, select computers or computer groups.
4 Click Overview and click Login.
5 Click Items and select Always.
Different login items settings are available depending on whether you’re managing Once or Always. Like all managed preferences, you should use the Always setting to ensure that your settings stay in effect past the user’s first login.
6 To load applications or to mount a group volume at startup, click Add to open a dialog where you can add an application or volume.
7 Add the applications required, including antivirus and file integrity checking applications required by your organization.
8 Deselect “Add network home share point.”
Instead of automatically mounting share points, the user should mount share points as required.
9 Deselect “User may add and remove additional items” and “User may press Shift to keep items from opening.”
Deselecting these options helps prevent the user from loading potentially malicious applications. It also helps ensure that the user cannot bypass loading applications required by your organization.
10 Click Scripts and select Always.
11 Unless your organization requires the use of specific login or logout scripts, deselect Login Script and Log-Out Script, and then deselect “Also execute the client computer’s LoginHook script,” and “Also execute the client computer’s LogoutHook script.”
To run login and logout scripts, the client’s computer must have a level of trust with the server. This level of trust is based on how secure the client’s connection is with the server. By requiring a level of trust, this ensures that the client computer does not run scripts from malicious servers.
For more information about how to enable the use of login and logout scripts, see the User Management guide.
12 Click Window and select Always.
13 Select “Login Window message” and enter help desk contact information in the adjacent field.
Do not enter information about the computer’s typical usage or who its users are.
14 In “Display Login Window as,” select “Name and password text fields.”
Requiring that users know their account names adds a layer of security and helps prevent intruders from compromising accounts with weak passwords.
15 Deselect “Show Restart button in the Login Window” and “Show Shut Down button in the Login Window.”
Preventing users from easily restarting or shutting down the computer helps ensure that the computer is available to all users.
16 Deselect “Show password hint after 3 attempts to enter a password.”
Password hints can help malicious users compromise accounts. If you enable this setting, set the password hint per user account to information for your organization’s help desk.
17 Deselect “Auto Login Client Setting.”
Enabling this setting allows users to enable automatic login through System Preferences. Automatic login bypasses all login window-based security mechanisms.
18 Deselect “Allow users to log in using ‘>console.’”
Enabling this setting allows the user to bypass the login window and use the Darwin console (command-line interface).
19 Click Options and select Always.
20 Deselect Enable Fast User Switching.
Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is actively using the computer.
21 Deselect “Log out users after # minutes of inactivity.”
If you select “Log out users after # minutes of inactivity,” enable password-protected screen savers in case a dialog prevents logging out.
22 Click Apply Now.
From the command line:
# Managing Login Preferences
# --------------------------
# Manage login preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow LoginwindowText always -string "$LOGIN_WINDOW_MESSAGE"
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow mcx_UseLoginWindowText always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow RestartDisabled always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow ShutDownDisabled always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow SHOWFULLNAME always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow DisableConsoleAccess always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences MultipleSessionEnabled always -bool 0
Managing Media Access Preferences
Media Access preferences let you control settings for, and access to, CDs, DVDs, the local hard disk, and external disks (for example, floppy disks and FireWire drives).
Disable unnecessary media. If users can access external media, it provides opportunities for performing malicious activities. For example, they can transfer malicious files from the media to the hard disk. Another example is if an intruder gains temporary access to the computer, he or she can quickly transfer confidential files to the media.
Carefully weigh the advantages and disadvantages of disabling media. For example, disabling external disks prevents you from using USB flash memory drives for storing keychains. For more information, see “Storing Credentials in Keychains” on page 88.
To manage Media Access preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Overview and click Media Access.
5 Select Always and click Disc Media.
6 Unless you must use disc media, deselect Allow for CDs & CD-ROMs, DVDs, and Recordable Discs.
To enable disc media, select both Allow and Require Authentication for that disc media.
7 Click Other Media.
8 Unless you must use media, deselect Allow for Internal Disks and External Disks.
If you must enable media, select Allow and Require Authentication for that media. Select Read-Only if you do not need to save files to that media.
9 Select “Eject all removable media at logout.”
This helps prevent users from forgetting they have media inserted in the computer.
10 Click Apply Now.
Managing Mobility Preferences
You can use Mobility preferences to enable and configure mobile accounts for users during their next login.
If your computers have Snow Leopard or later, you can also encrypt the contents of the mobile account’s portable home directory, restrict its size, choose its location, or set an expiration date on the account.
Mobile accounts include a network home folder and a local home folder. By having these two types of home folders, clients can take advantage of features available for local and network accounts. You can synchronize specific folders of these two home folders, creating a portable home directory.
Avoid using mobile accounts. When you access a mobile account from a client computer and create a portable home directory, you create a local home folder on that client computer. If you access the mobile account from many computers, creating portable home directories on each computer, your home folder’s files are stored on several computers. This provides additional avenues of attack.
If you use mobile accounts, do not create portable home directories on computers that are physically insecure, or that you infrequently access. Enable FileVault on every computer where you create portable home directories. For more information about enabling FileVault, see “Securing Security Preferences” on page 122.
To manage Mobility preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select a user account, group account, computer, or computer group.
4 Click Overview.
5 Click Mobility, click Account Creation, and then click Creation.
6 Set the management setting to Always.
7 To disable mobile accounts, deselect “Create mobile account when user logs in to network account”; to enable mobile accounts, select this option.
8 Select “Require confirmation before creating a mobile account.”
If this is deselected, a portable home directory is created every time the user accesses a different computer.
9 Select “with syncing off.”
10 Click Rules, click Login & Logout Sync, and select Always.
11 In the “Sync at login and logout” list, click the Add (+) button and enter the paths of folders located in the user’s home folder.
Alternatively, click the browse (…) button to open a dialog where you can choose folders to add to the list, and then add folders that do not contain confidential files.
12 In the “Skip items that match any of the following” list, click the Add (+) button and enter the paths of folders located in the user’s home folder.
Alternatively, click the browse (…) button to open a dialog where you can choose folders to add to the list, and then add folders that contain confidential files.
13 Deselect “Merge with user’s settings.”
By deselecting this setting, the folders you synchronize replace those chosen by the user.
14 Click Background Sync. Select Always.
15 In the “Sync at login and logout” list, click the Add (+) button and enter the paths of folders located in the user’s home folder.
Alternatively, click the browse (…) button to open a dialog where you can choose folders to add to the list, and then add folders that do not contain confidential files.
16 In the “Skip items that match any of the following” list, click the Add (+) button and enter the paths of folders located in the user’s home folder.
Alternatively, click the browse (…) button to open a dialog where you can choose folders to add to the list, and then add folders that contain confidential files.
17 Deselect “Merge with user’s settings.”
By deselecting this setting, the folders you choose to synchronize replace those chosen by the user.
18 Click Apply Now.
Managing Network Preferences
Network preferences let you select and configure proxy servers that can be used by users and groups. You can also specify hosts and domains to bypass proxy settings.
Using proxy servers controlled by your organization can help improve security. You can also decrease the performance hit from using proxies if you selectively bypass trusted hosts and domains (like choosing local resources or trusted sites).
You can also disable Internet Sharing, AirPort, or Bluetooth. Disabling these can improve security by removing avenues for attack.
To manage Network preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Overview.
5 Click Network and then click Proxies.
6 Set the management setting to Always.
7 Select a type of proxy server and enter the network address and port of a proxy server controlled by your organization.
8 If you select Automatic Proxy Configuration, enter the URL of your automatic proxy configuration (.pac) file.
9 In the “Bypass proxy settings for these Hosts & Domains” field, enter the addresses of the hosts and domains that you want users to connect to directly.
To enter multiple addresses, separate them with newlines, spaces, semicolons, or commas. There are several ways to enter addresses:
• A subdomain or fully qualified domain name (FQDN) of a target server, such as server1.apple.com or store.apple.com.
• The specific IP address of a server, such as 192.168.2.1.
• A domain name, such as apple.com. This bypasses apple.com, but not subdomains, such as store.apple.com.
• A website, including subdomains, such as *.apple.com.
• A subnet in Classless Inter-Domain Routing (CIDR) notation. For example, to add a subnet of IP addresses from 192.168.2.0 to 192.168.2.255, enter 192.168.2.0/24. For a description of subnet masks and CIDR notation, see the Network Services Administration guide.
10 Deselect Use Passive FTP Mode (PASV).
11 Click Apply Now.
From the command line:
# Managing Network Preferences
# ---------------------------
# Manage network preferences:
sudo networksetup -setwebproxystate Ethernet on
sudo networksetup -setwebproxy Ethernet "http://$SERVER" 8008
sudo networksetup -setpassiveftp Ethernet on
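Each entry in the bypass list exempts traffic from the organization’s proxy, so it is worth checking what a list actually covers before applying it. The following added example (not from the Apple guide) evaluates a bypass list using the five address forms described in step 9; it assumes that a wildcard entry such as *.example.com covers the bare domain as well as its subdomains, and that host names compare case-insensitively.

```python
"""Evaluate a proxy-bypass list using the address forms from the guide.

Added example, not code from the Apple guide. Assumptions: a wildcard
entry (*.example.com) covers the bare domain and its subdomains, and
host names compare case-insensitively.
"""
import ipaddress
import re


def parse_bypass_list(text):
    """Split the Hosts & Domains field on newlines, spaces, semicolons or commas."""
    return [tok.lower() for tok in re.split(r"[\s;,]+", text) if tok]


def _as_ip(value):
    """Return an ip_address object, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def entry_matches(entry, host):
    """Return True if one bypass entry covers host (a host name or an IP)."""
    host = host.lower().rstrip(".")
    host_ip = _as_ip(host)
    if "/" in entry:                       # subnet in CIDR notation, e.g. 192.168.2.0/24
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
        return host_ip is not None and host_ip in network
    entry_ip = _as_ip(entry)
    if entry_ip is not None:               # the specific IP address of a server
        return host_ip == entry_ip
    if entry.startswith("*."):             # website including subdomains (assumption: bare domain too)
        base = entry[2:]
        return host == base or host.endswith("." + base)
    return host == entry                   # FQDN or bare domain name: exact match only


def bypass_rule_for(host, entries):
    """Return the first entry that sends host around the proxy, or None."""
    for entry in entries:
        if entry_matches(entry, host):
            return entry
    return None


def broad_entries(entries):
    """Entries that exempt more than one host: wildcards and subnets.

    Review these first when auditing a list, because each one routes a
    whole range of destinations around the organization's proxy.
    """
    return [e for e in entries if e.startswith("*.") or "/" in e]


if __name__ == "__main__":
    # Constructed sample list mixing all separators the field accepts.
    sample = "server1.apple.com, store.apple.com; 192.168.2.1\napple.com *.example.com 192.168.2.0/24"
    entries = parse_bypass_list(sample)
    for host in ("server1.apple.com", "www.apple.com", "mail.example.com", "192.168.2.77"):
        print(host, "->", bypass_rule_for(host, entries))
    print("broad entries:", broad_entries(entries))
```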
Managing Parental Controls Preferences
Parental Controls preferences allow you to hide profanity in Dictionary, limit access to websites, or set time limits or other constraints on computer usage. To manage Parental Controls preferences, computers must have Snow Leopard or later.
Note: Parental control does not apply to directory users. It applies only to local users.
The table below describes Parental Controls settings.
Parental Controls preference pane   What you can control
Content Filtering                   Whether profanity is allowed in Dictionary, and limitations on which websites users can view
Time Limits                         How long and when users can log in to their accounts
Hiding Profanity in Dictionary
You can hide profane terms from the Dictionary application included with Snow Leopard or later. When you hide profane terms, entirely profane terms are removed from search results. If you search for a profane term that has an alternate nonprofane definition, Dictionary only displays the nonprofane definition.
To hide profanity in Dictionary:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Parental Controls and then click Content Filtering.
5 Set the management setting to Always.
6 Select “Hide profanity in Dictionary.”
7 Click Apply Now.
From the command line:
# Managing Parental Control Preferences
# ------------------------------------
# Hide profanity:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.Dictionary parentalControl always -bool 1
Preventing Access to Adult Websites
You can use Workgroup Manager to help prevent users from visiting adult websites. You can also block access to specific websites while allowing users to access other websites. You can allow or deny access to specific subfolders in the same website.
Instead of preventing access to specific websites, you can allow access only to specific websites. For more information, see “Allowing Access Only to Specific Websites” on page 304.
To prevent access to websites:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Parental Controls and then click Content Filtering.
5 Set the management setting to Always.
6 Select “Limit access to websites by” and choose “trying to limit access to adult websites.”
7 To allow access to specific sites, click the Add (+) button next to the “Always allow sites at these URLs” list and then enter the URL of the site you want to allow.
8 To block access to specific sites, click the Add (+) button next to the “Never allow sites at these URLs” list and then enter the URL of the site you want to block.
To allow or block a site, including all content stored in its subfolders, enter the highest level URL of the site.
For example, allowing “www.example.com” lets the user view all pages in www.example.com. However, blocking “www.example.com/banned/” prevents the user from viewing content stored in www.example.com/banned/, including all subfolders in /banned/, but it allows the user to view pages in www.example.com that are not in /banned/.
9 Click Apply Now.
Allowing Access Only to Specific Websites
You can use Workgroup Manager to allow access only to specific websites on computers with Snow Leopard or later.
If the user tries to visit a website that he or she is not allowed to access, the web browser loads a web page that lists all sites the user is allowed to access.
To help direct users to allowed sites, the user’s bookmarks are replaced by websites you allow access to. The bookmarks created by allowing access to websites are called managed bookmarks.
If the user syncs bookmarks with MobileMe, the first time the user syncs he or she is asked if MobileMe should merge or replace its bookmarks with the managed bookmarks. If the user merges bookmarks, the MobileMe bookmarks will include the original MobileMe bookmarks and the managed bookmarks. If the user replaces bookmarks, the MobileMe bookmarks include only the managed bookmarks.
You can also use Workgroup Manager to block specific websites instead of blocking all websites. For more information, see “Preventing Access to Adult Websites” on page 303.
To allow access only to specific websites:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Parental Controls and then click Content Filtering.
5 Set the management setting to Always.
6 Select “Limit access to websites by” and choose “allowing access to the following websites only.”
7 Use one of the following methods to add websites that you want to allow access to:
• In Safari, open the site and then drag the icon from the address bar (of Safari) to the list.
• In Safari, choose Bookmarks > Show All Bookmarks, then drag icons from the bookmark list to the list in Workgroup Manager.
• If you have a .webloc file of the website you want to allow access to, drag the file into the list.
• If you don’t have a .webloc file of the website you want to allow access to, click the Add (+) button and enter the URL of the website you want to allow.
In the “Website title” field, name the website. In the Address field, enter the highest level URL of the site.
For example, allowing “www.example.com” lets the user view all pages in www.example.com. Allowing “www.example.com/allowed/” lets the user view content stored in www.example.com/allowed/, including all subfolders in /allowed/, but not folders located outside of /allowed/.
8 To create folders to organize websites, click the New Folder (folder) button, then double-click the folder to rename it.
To add URLs within a folder, open the folder’s disclosure triangle, select the folder, and then click the Add (+) button.
To create a subfolder, open a folder’s disclosure triangle, select the folder, and then click the New Folder (folder) button.
9 To change the name or URL of a website, double-click the website entry; then, to rename a folder, double-click the folder entry.
10 To rearrange websites or folders, drag the websites or folders in the list.
11 Click Apply Now.
Setting Time Limits and Curfews on Computer Usage
You can use Workgroup Manager to set time limits and curfews for computer usage on computers with Snow Leopard or later.
If you set a time limit for computer usage, users who meet their daily time limits can’t log in until the next day when their quota is reset. You can set different time limits for weekdays (Monday through Friday) and weekends (Saturday and Sunday). The time limit can range from 30 minutes to 8 hours.
If you set a curfew, users can’t log in during the days and times you specify. If a user is logged in when their curfew starts, the user is immediately logged out. You can set different times for weekdays (denying access Sunday nights through Thursday nights) and weekends (Friday and Saturday nights).
To set time limits and curfews:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Parental Controls and then click Time Limits.
5 Set the management setting to Always and then select “Enforce limits.”
6 To set time limits, click Allowances, then under Weekdays or Weekends select “Limit computer use to” and drag the slider to the amount of time you want to limit use to.
7 To set curfews, click Curfews, select “Sunday through Thursday” or “Friday and Saturday,” and then enter the range of time when you want to prevent computer access.
You can highlight the time and replace it with a new time, or you can highlight the time and click the up or down buttons next to the time.
8 Click Apply Now.
Managing Printing Preferences
Printer preferences let you control which printers the user can access. Ideally, reduce the printer list to only those printers the user needs to access.
You should require that the user authenticate as an administrator before printing.
To manage Printing preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Printing and then click Printers.
5 Set the management setting to Always.
6 Click Printer List.
7 In the Available Printers list, select a printer and click Add; then add printers that you want the user to access.
8 To add additional printers to the user’s printer list, click Open Printer Setup.
For more information, see Printer Setup Utility Help.
9 Deselect “Allow user to modify the printer list.”
10 Deselect “Allow printers that connect directly to user’s computer.”
If you select this setting, select “Require an administrator password.”
11 Click Access.
12 Select a printer, and select “Require an administrator password.”
Repeat for all printers in the User’s Printer List.
13 Click Apply Now.
From the command line:
# Managing Printing Preferences
# ----------------------------
# Manage printing preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting RequireAdminToAddPrinters always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting AllowLocalPrinters always -bool 0
Managing Software Update Preferences
With Snow Leopard Server, you can create your own Software Update server to control updates that are applied to specific users or groups. This is helpful because it reduces external network traffic while also providing more control to server administrators.
By configuring a Software Update server, server administrators can choose which updates to provide.
To manage Software Update preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Software Update.
5 Set the management setting to Always.
6 Specify a URL in the form http://updateserver.example.com:8088/index.sucatalog.
7 Click Apply Now.
From the command line:
# Managing Software Update Preferences
# -----------------------------------
# Manage Software Update preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.SoftwareUpdate CatalogURL always -string "http://$SERVER:8088/index.sucatalog"
Managing Access to System Preferences
You can specify which preferences to show in System Preferences. If a user can see a preference, it does not mean the user can modify that preference. Some preferences, such as Startup Disk preferences, require an administrator name and password before a user can modify their settings.
The preferences that appear in Workgroup Manager are those installed on the computer you’re using. If your administrator computer is missing preferences that you want to disable on client computers, install the applications related to those preferences or use Workgroup Manager on a computer that includes those preferences.
To manage System Preferences preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click System Preferences.
5 Set the management setting to Always.
6 Click Show None.
7 Select the following items to show in System Preferences:
• Appearance
• Displays
• Dock
• Exposé & Spaces
• Keyboard & Mouse
• Security
• Universal Access
8 Click Apply Now.
Managing Universal Access Preferences
Universal Access settings can help improve the user experience. For example, if a user has difficulty using a computer or wants to work in a different way, you can choose settings that enable the user to work more effectively.
Most Universal Access settings do not negatively impact security. However, some settings allow other users to more easily see what you’re doing.
To manage Universal Access preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Universal Access.
5 Click Seeing and then set the management setting to Always.
6 Deselect Turn on Zoom.
Pressing and holding the Option, Command, and + keys will zoom in, while pressing and holding the Option, Command, and - keys will zoom out.
7 Click Keyboard and select Always.
8 Select Sticky Keys Off and deselect “Show pressed keys on screen.”
If Sticky Keys are on and you select “Show pressed keys on screen,” modifier keys such as Control, Option, Command, and Shift are displayed on screen. Other keys are not displayed.
9 Click Apply Now.
From the command line:
# Managing Universal Access Preferences
# ------------------------------------
# Manage Universal Access preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKey always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyBeepOnModifier always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyShowWindow always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewDriver always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewShowPreview always -bool 0
Enforcing Policy
When you implement a policy for controlling the user experience by removing files (for example, kernel extensions) or by managing user-controllable settings (for example, screen saver settings), you should also implement a mechanism for re-enforcing the policy in case the deleted files are restored or the settings are changed by users or by software updates.
Using mcx, cron, or launchd jobs, create scripts that run during startup and shutdown and after software updates to re-enforce policy in case of violations.
To protect the policy enforcement scripts, compile them into binary format so users can’t modify them.
20 Securing NetBoot Service
Use this chapter to learn how to secure NetBoot service.
Securely configuring client configuration management through NetBoot helps standardize the clients across your network and provides a secure deployment.
Network computers can be managed through NetBoot, which decreases maintenance time and can help prevent malicious software attacks.
Securing NetBoot Service
By using NetBoot you can have your client computers start up from a standardized Snow Leopard configuration suited to their specific tasks. Because the client computers start up from the same image, you can quickly update the operating system for an entire group by updating a single boot image.
A boot image is a file that looks and acts like a mountable disk or volume. NetBoot images contain the system software needed to act as a startup disk for client computers over the network.
An installation image is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard drive.
Boot images (NetBoot) and installation images (NetInstall) are different kinds of disk images. The main difference is that a .dmg file is a proper disk image and a .nbi folder is a bootable network volume (which contains a .dmg disk image file). Disk images are files that behave like disk volumes.
For more information about configuring NetBoot service, see the System Imaging and Software Update Administration guide.
Disabling NetBoot Service
If your server is not a NetBoot server, disable the NetBoot service. Disabling the service prevents potential vulnerabilities on your computer. The NetBoot service is disabled by default, but verification is recommended.
The best way to prevent clients from using NetBoot on the server is to disable NetBoot service on all Ethernet ports.
To disable NetBoot:
1 Open Server Admin and connect to the server.
2 Select NetBoot in the Computers & Services list.
3 Click General.
4 Disable NetBoot on all ports.
5 Click Stop NetBoot.
From the command line:
# --------------------------------------------------------------------
# Securing NetBoot Service
# --------------------------------------------------------------------
# Disable NetBoot.
# --------------------------
sudo serveradmin stop netboot
Limit NetBoot Service Clients
If NetBoot service is required, it should be provided over a trusted network.
Securely configure NetBoot service with restrictions on the ports it uses, the images available, and client access to the service. NetBoot service uses Apple Filing Protocol (AFP), Network File System (NFS), Dynamic Host Configuration Protocol (DHCP), Web, and Trivial File Transfer Protocol (TFTP) services, depending on the types of clients you are trying to boot. You must also securely configure these services to reduce network vulnerabilities.
NetBoot service creates share points for storing NetBoot and NetInstall images in /Library/NetBoot/ on each volume you enable and names them NetBootSPn, where n is 0 for the first share point and increases by 1 for each extra share point.
For example, if you decide to store images on three server disks, NetBoot service sets up three share points named NetBootSP0, NetBootSP1, and NetBootSP2.
You can restrict access to NetBoot service on a case-by-case basis by listing the hardware addresses (also known as the Ethernet or MAC addresses) of computers that you want to permit or deny access to.
The hardware address of a client computer is added to the NetBoot Filtering list when the client starts up using NetBoot and is, by default, enabled to use NetBoot service.
You can specify other services.
To limit NetBoot clients:
1 Open Server Admin and connect to the server.
2 Select NetBoot in the Computers & Services list.
3 Click Settings, then click Filters.
NetBoot service filtering lets you restrict access to the service based on the client’s Ethernet hardware (MAC) address. A client’s address is added to the filter list the first time it starts up from an image on the server and is allowed access by default.
4 Select “Enable NetBoot/DHCP filtering.”
5 Select “Allow only clients listed below (deny others)” or “Deny only clients listed below (allow others).”
6 Use the Add (+) button to enter the canonical or noncanonical form of a hardware address to the filter list, or use the Delete (–) button to remove a MAC address from the filter list.
To look up a MAC address, enter the client’s DNS name or IP address in the Host Name field and click Search.
To find the hardware address for a computer using Snow Leopard, look on the TCP/IP pane of the computer’s Network preference or run Apple System Profiler.
7 Click OK.
8 Click Save.
Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of the NetBoot service settings in Server Admin, clicking the Edit (/) button, and providing the required information.
From the command line:
#
# Securely configure NetBoot.
# --------------------------
sudo defaults rename /etc/bootpd allow_disabled allow
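Because the filter list accepts both the canonical and the noncanonical spelling of a hardware address, a deny entry written one way must still match a client that reports the other. The following added example (not from the Apple guide or from bootpd) normalises both spellings and evaluates the two filter modes from step 5; it assumes that the noncanonical form writes each octet without a leading zero (0:3:93:e4:5:20 for 00:03:93:e4:05:20) and that hyphens are accepted as separators.

```python
"""Evaluate the NetBoot/DHCP hardware-address filter described above.

Added example, not code from the Apple guide or from bootpd. Assumptions:
the noncanonical form drops leading zeros from each octet, and addresses
may be written with colons or hyphens. The two mode names are constructed
to mirror the Server Admin choices.
"""
import re

ALLOW_ONLY = "allow only clients listed below (deny others)"
DENY_ONLY = "deny only clients listed below (allow others)"


def canonical_mac(addr):
    """Return the canonical form: six zero-padded lowercase hex octets with colons."""
    octets = re.split(r"[:-]", addr.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError("not a hardware address: %r" % addr)
    return ":".join(o.zfill(2) for o in octets)


def netboot_permitted(client_mac, filter_list, mode, filtering_enabled=True):
    """Decide whether a client may boot from the server under the filter.

    filter_list may mix canonical and noncanonical entries; every entry and
    the client address are normalised first, so 0:3:93:e4:5:20 and
    00:03:93:e4:05:20 denote the same host.
    """
    if not filtering_enabled:            # "Enable NetBoot/DHCP filtering" deselected
        return True
    listed = canonical_mac(client_mac) in {canonical_mac(m) for m in filter_list}
    if mode == ALLOW_ONLY:
        return listed
    if mode == DENY_ONLY:
        return not listed
    raise ValueError("unknown filter mode: %r" % mode)


def spelling_variants(filter_list):
    """Pairs of entries that name the same hardware address in different spellings.

    Worth reviewing in an exported filter list: a host listed twice in two
    forms is easy to remove only once when revoking its access.
    """
    first_seen, variants = {}, []
    for entry in filter_list:
        mac = canonical_mac(entry)
        if mac in first_seen and first_seen[mac] != entry:
            variants.append((first_seen[mac], entry))
        first_seen.setdefault(mac, entry)
    return variants


if __name__ == "__main__":
    # Constructed lab list: one noncanonical entry, one canonical entry.
    lab_clients = ["0:3:93:e4:5:20", "00:1f:5b:aa:bb:cc"]
    for mac in ("00:03:93:e4:05:20", "00:1f:5b:aa:bb:cd"):
        print(mac, "allow-only:", netboot_permitted(mac, lab_clients, ALLOW_ONLY),
              "deny-only:", netboot_permitted(mac, lab_clients, DENY_ONLY))
```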
Viewing NetBoot Service Logs
NetBoot service logging is important to security. With logs, you can monitor and track client communication to the NetBoot server. The NetBoot service log is /var/log/system.log and can be accessed using Server Admin.
To view NetBoot service logs:
1 Open Server Admin and connect to the server.
2 Select NetBoot in the Computers & Services list.
3 Click Logs to display the contents of system.log.
From the command line:
#
# View NetBoot service logs.
# --------------------------
sudo tail /var/log/system.log | grep bootpd
21 Securing Software Update Service
Use this chapter to learn how to secure Software Update service.
You can protect against attacks by configuring an internal Software Update server. This allows you to maintain a secure network by controlling what software updates are installed on your network computers.
Disabling Software Update Service
If your server is not intended to be a software update server, disable the Software Update service. Disabling the service prevents potential vulnerabilities on your computer. Software Update service is disabled by default, but verification is recommended.
To disable Software Update:
1 Open Server Admin and connect to the server.
2 Select Software Update in the Computers & Services list.
3 Click Settings.
4 Click Stop Software Update.
5 Click Save.
From the command line:
# --------------------------------------------------------------------
# Securing Software Update Service
# --------------------------------------------------------------------
# Disable Software Update:
sudo serveradmin stop swupdate
Limiting Automatic Update Availability
Software Update service offers you ways to manage Macintosh software updates from Apple on your network. In an uncontrolled environment, users might connect to Apple Software Update servers at any time and update client computers with software that is not approved by your IT group.
By using local Software Update servers, your client computers access only the software updates you permit from software lists that you control, giving you more flexibility in managing computer software updates.
You can restrict client access in a Software Update server by disabling automatic mirror-and-enable functions in the General Settings pane. You manage specific updates in the Updates pane of the Software Update server.
To specify which updates are automatically available as software updates:
1 Open Server Admin and connect to the server.
2 Select Software Update in the Computers & Services list.
3 Click Settings, then click General.
4 To immediately disable all software updates for client users, deselect “Automatically enable copied updates.”
5 Click Updates.
6 In the Enable column, select the checkbox for each update you want to make available to client computers.
7 Click Save.
From the command line:
#
# Specify which updates clients can access.
# ---------------------------------
sudo serveradmin settings swupdate:autoEnable = no
Viewing Software Update Service Logs
Software Update service logging is important for security. With logs, you can monitor and track communication through the Software Update service. Access the Software Update service log, /var/log/system.log, using Server Admin.
To view Software Update service logs:
1 Open Server Admin and connect to the server.
2 Select Software Update in the Computers & Services list.
3 Click Logs and then choose a log from the View pop-up menu.
From the command line:
#
# View Software Update service logs.
# ---------------------------------
sudo tail /var/log/swupd/swupd_*
22 Securing Network Accounts
Use this chapter to learn how to use Server Admin and Workgroup Manager to set up and manage home folders, accounts, and settings for clients.
Snow Leopard Server includes Server Admin and Workgroup Manager.
You can use Server Admin to create and manage share points.
You can use Workgroup Manager, a user management tool, to manage user, group, computer, and computer group accounts. You can define core account settings like name, password, home folder location, and group membership. You can also manage preferences, allowing you to customize the user’s experience, granting or restricting access to his or her computer’s settings and to network resources.
Workgroup Manager works closely with a directory domain. Directory domains are like databases, only they are specifically geared towards storing account information and handling authentication. For more information about Open Directory, see Chapter 23, “Securing Directory Services.”
For information about using Workgroup Manager, see the User Management guide.
About Open Directory and Active Directory
Snow Leopard Server supports Open Directory and Active Directory domains for client authentication.
Open Directory uses OpenLDAP, the open source implementation of Lightweight Directory Access Protocol (LDAP), to provide directory services. It’s compatible with other standards-based LDAP servers, and can be integrated with proprietary services such as Microsoft’s Active Directory and Novell’s eDirectory. For more information about how to configure these options, see “Configuring Open Directory Policies” on page 329.
The Active Directory plug-in supports packet signing and packet encryption and is set to “allow,” which means it negotiates the connection by default and can be changed to “require” if needed. Also, if you connect to an Active Directory server with Highly Secure (HISEC) templates enabled, you can use third-party tools to further secure your Active Directory connection.
Users can mutually authenticate with Open Directory and Active Directory. Both use Kerberos to authenticate. Kerberos is a ticket-based system that enables mutual authentication.
The server must identify itself by providing a ticket to a user’s computer. This prevents your computer from connecting to rogue servers. Users must enable trusted binding to mutually authenticate with Open Directory or Active Directory.
For more information about Open Directory and Active Directory, see the Open Directory Administration guide.
Securing Directory Accounts
You can modify several account settings to improve security. Check with your organization to ensure that these settings do not conflict with network settings or organizational requirements.
In Workgroup Manager, you can use presets to save your settings as a template for future accounts. If you have settings that apply to several accounts, use presets to expedite the creation of these accounts. Using presets also ensures that you use uniform account settings and helps you avoid configuration errors. For more information, see the User Management guide.
Configuring Directory User Accounts
If you want to manage individual users or if you want those users to have unique identities on your network, create user accounts.
Before creating or modifying user accounts, you should have a firm understanding of what the account will be used for and what authentication method you want to use.
To configure user accounts:
1 In Workgroup Manager, click Accounts.
2 Select the directory domain where the account resides by clicking the small globe icon, and then authenticate as the domain administrator.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
3 Select the user account you want to work with from the user accounts list.
4 Click Basic.
5 If you want to grant server administration privileges to the user, select “administer this server.”
Server administration privileges allow the user to use Server Admin and make changes to a server’s search policy using Directory Utility.
6 Click Advanced, then deselect “Allow simultaneous login on managed computers.”
By disallowing simultaneous login, you reduce the chances of version conflicts when loading and saving files. This helps remind users that they should log off of computers when they are not using them.
7 Choose the most secure password type available in the User Password Type pop-up menu.
If you don’t use smart cards, you can choose Open Directory or crypt password. Open Directory is more secure than crypt password. If your network uses Open Directory for authentication, authenticate with it. For more information about Open Directory and crypt passwords, see the Open Directory Administration guide.
Smart cards are also a secure form of authentication. Smart cards use two-factor authentication, which helps ensure that your accounts are not compromised.
8 If you chose the Open Directory password type, click Options and complete the following:
a In the dialog that appears, select “Disable login on specific date” and enter the date that the user no longer needs the account.
b Select “Disable login after inactive for # days,” and replace # with the number of days when the user no longer needs the account.
c Select “Disable login after user makes # failed attempts,” and replace # with 3.
d Select “Allow the user to change the password.”
e Select “Password must contain at least # characters,” and replace # with 8.
f Select “Password must be reset every # days,” and replace # with 90.
g If you want to require the user to create a password during their next login, select “Password must be changed at next login.”
h Replace these suggested values with values that meet the requirements of your organization.
i Click OK.
9 Click Groups.
10 Click the Add (+) button to open a drawer listing all available groups, then drag groups from the drawer into the Primary Group ID field or the Other Groups list.
A primary group is the group a user belongs to if the user does not belong to other groups. If a user selects a different workgroup at login, the user still retains access permissions from the primary group.
The ID of the primary group is used by the file system when the user accesses a file he or she doesn’t own. The file system checks the file’s group permissions, and if the primary group ID of the user matches the ID of the group associated with the file, the user inherits group access permissions.
Adding a user to a group allows the user to access the group’s group folder. Carefully choose which groups to add users to. For more information, see “Configuring Group Accounts” on page 321.
11 Click Home.
12 Select a secure location for the user’s home folder in the home list and then enter an appropriate value in the Disk Quota field.
By using a disk quota, you prevent malicious users from performing a denial of service attack where they fill the home volume.
13 Click Mail and select None.
If you must enable mail, select POP only or IMAP only, but not both. Using fewer protocols reduces the number of possible avenues of attack.
14 Click Info.
15 Do not enter information in the user information fields provided.
User information can be used by malicious attackers when they try to compromise the user’s account.
16 Click Windows and then click Save.
Configuring Group Accounts
Create groups of individuals with similar access needs. For example, if you create a separate group for each office, you can specify that only members of a certain office can log in to specific computers. When you more specifically define groups, you have greater control over who can use what.
You can grant or deny POSIX or ACL permissions to groups. If you have nested groups, you can propagate ACL permissions to child groups.
Groups also have access to group folders, which provide an easy way for group members to share files with each other.
To configure group accounts:
1 In Workgroup Manager, click Accounts.
2 Select the directory domain where the group account resides by clicking the small globe icon, and then authenticate as the domain administrator.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
3 Select the group account you want to work with from the group accounts list.
4 In the Members pane, click the Add (+) button to open a drawer that lists the users and groups defined in the directory domain you’re working with.
Make sure the group account resides in a directory domain specified in the search policy of computers that the user logs in to.
5 Click Group Folder.
6 In the Address list, select a secure location for the group folder.
7 In the Owner Name fields, enter the short name and long name of the user you want to assign as the owner of the group folder so the user can act as group folder administrator.
To choose an owner from a list of users in the current directory domain, click the browse (…) button. Click the globe icon in the drawer to choose a different directory domain.
The group folder owner is given read/write access to the group folder.
8 Click Save.
Configuring Computer Groups
A computer group comprises computers with the same preference settings. You can use Workgroup Manager to create and modify computer groups.
Every computer on your network should be a member of a computer group. If you don’t assign a computer to a computer group, the computer uses the managed preferences for the Guest Computer account.
By grouping computers into computer groups, you simplify the task of securing computers on your network.
To configure computer groups:
1 In Workgroup Manager, click Accounts.
2 Select the directory domain where the computer group resides by clicking the small globe icon, and then authenticate as the domain administrator.
To authenticate, click the lock and enter the name and password of a directory domain administrator.
3 Select the computer group you want to work with from the user accounts list.
4 Click Members, click the Add (+) button, and then drag computers or computer groups from the drawer to the list.
You can also click the browse (…) button, select a computer, and then click Add. Continue adding computers and computer groups until the list is complete.
5 Click Save.
Controlling Network Views
Snow Leopard Server doesn’t support managed network views.
To manage network views hosted on servers running Tiger Server, use the Workgroup Manager included with Tiger Server.
23
Securing Directory Services
Use this chapter to learn how to secure directory service.
Directory services are the backbone of your network’s security policy. The granting of access to the information and services on your network should be well-planned and thought out.
A directory service provides a central repository for information about computer users and network resources in an organization. Snow Leopard Server uses Open Directory for its directory service.
The directory services provided by Snow Leopard Server use LDAPv3, as do many other servers. LDAPv3 is an open standard common in mixed networks of Macintosh, UNIX, and Windows systems. Some servers use the older version, LDAPv2, to provide directory service.
Open Directory also provides authentication service. It can securely store and validate the passwords of users who want to log in to client computers on your network or use other network resources that require authentication. Open Directory can also enforce policies such as password expiration and minimum length.
For more information about passwords and authentication, see Appendix A, “Understanding Passwords and Authentication,” on page 380.
Open Directory must be set to the proper role and configured to use SSL to encrypt its communications to protect the confidentiality of its important authentication data. Password policies can also be enforced by Open Directory.
For more information about understanding and configuring directory and authentication services, see the Open Directory Administration guide.
Open Directory Server Roles
Open Directory can be configured to one of several roles, depending on the server’s place in the network and directory structure:
• Standalone Server—This role does not share information with other computers on the network. It is a local directory domain only.
• Connected to a Directory Server—This role allows the server to get directory and authentication information from another server’s shared directory domain.
• Open Directory Master—This role provides an Open Directory Password Server, which supports conventional authentication methods required by Snow Leopard Server services. In addition, an Open Directory Master can provide Kerberos authentication for single sign-on.
• Open Directory Replica—This role acts as a backup to the Open Directory master. It can provide the same directory and authentication information to other networks as the master. It has a read-only copy of the master’s LDAP directory domain.
Configuring the Open Directory Services Role
If the server is not a directory server, make sure the LDAP server is stopped using Server Admin. To stop LDAP server, set the Open Directory role to Standalone Server. This prevents Open Directory from engaging in unnecessary network communications.
On a newly installed server, the LDAP server should be stopped by default, but verification is recommended.
To configure the Open Directory role:
1 Open Server Admin and connect to the server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click General.
4 Click Change.
The Service Configuration Assistant opens.
5 Choose a role, then click Continue.
6 Confirm the Open Directory configuration settings, then click Continue.
7 If the server was an Open Directory master and you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting, click Close.
8 Click the Open Directory Utility button to configure access to directory systems.
9 If the server you’re configuring has access to a directory system that also hosts a Kerberos realm, you can join the server to the Kerberos realm.
To join the Kerberos realm, you need the name and password of a Kerberos administrator or a user who has the authority to join the realm.
10 Click Save.
From the command line:
# ---------------------------------------------------------------------
# Securing Directory Services
# ---------------------------------------------------------------------
# Configure the Open Directory role:
sudo slapconfig -createldapmasterandadmin $ADMIN $ADMIN_FULL_NAME \
    $ADMIN_UID $SEARCH_BASE $REALM
Starting Kerberos After Setting Up an Open Directory Master
If Kerberos doesn’t start when you set up an Open Directory master, you can use Server Admin to start it manually, but first you must fix the problem that prevented Kerberos from starting. Usually the problem is that the DNS service isn’t correctly configured or isn’t running.
Note: After you manually start Kerberos, users whose accounts have Open Directory passwords and were created in the Open Directory master’s LDAP directory while Kerberos was stopped might need to reset their passwords the next time they log in. A user account is therefore affected only if all recoverable authentication methods for Open Directory passwords were disabled while Kerberos was stopped.
To start Kerberos manually on an Open Directory master:
1 Open Server Admin and connect to the server.
2 Select Open Directory in the Computers & Services list.
3 Click Refresh (or choose View > Refresh) and verify the status of Kerberos as reported in the Overview pane.
If Kerberos is running, there’s nothing more to do.
4 Verify that the DNS name and address resolve by using Network Utility (in /Applications/Utilities/) to do a DNS lookup of the Open Directory master’s DNS name and a reverse lookup of the IP address.
If the server’s DNS name or IP address doesn’t resolve correctly:
• In the Network pane of System Preferences, look at the TCP/IP settings for the server’s primary network interface (usually built-in Ethernet). Make sure the first DNS server listed is the one that resolves the Open Directory server’s name.
• Check the configuration of DNS service and make sure it’s running.
5 In Server Admin, select Open Directory for the master server, click Settings, then click General.
6 Click Kerberize, then enter the following information:
• Administrator Name and Password: You must authenticate as an administrator of the Open Directory master’s LDAP directory.
• Realm Name: This field is preset to be the same as the server’s DNS name converted to capital letters. This is the convention for naming a Kerberos realm. If necessary, you can enter a different name.
From the command line:
# Start Kerberos manually on an Open Directory master:
sudo kdcsetup -a $ADMIN $REALM
Configuring Open Directory for SSL
Using Server Admin, you can enable Secure Sockets Layer (SSL) for encrypted communications between an Open Directory server’s LDAP directory domain and computers that access it.
SSL uses a digital certificate to provide a certified identity for the server. You can use a self-signed certificate or a certificate obtained from a CA.
SSL communications for LDAP use port 636. If SSL is disabled for LDAP service, communications are sent as clear text on port 389.
To set up SSL communications for LDAP service:
1 Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click LDAP.
4 From the Configure pop-up menu, choose LDAP Settings, then select Enable SSL.
5 Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use.
The menu lists all SSL certificates installed on the server. To use a certificate not listed, choose Custom Configuration from the pop-up menu.
6 Click Save.
From the command line:
The following steps describe the command-line method for creating certificates. For information about defining, obtaining, and installing certificates on your server using Certificate Manager in Server Admin, see “Readying Certificates” on page 168.
To create an Open Directory service certificate:
1 Generate a private key for the server in the /usr/share/certs/ folder:
If the /usr/share/certs folder does not exist, create it.
sudo openssl genrsa -out ldapserver.key 2048
2 Generate a CSR for the CA to sign:
sudo openssl req -new -key ldapserver.key -out ldapserver.csr
3 Fill out the following fields as completely as possible, making certain that the Common Name field matches the domain name of the LDAP server exactly:
Country Name:
Organizational Unit:
State or Province Name:
Common Name:
Locality Name (city):
Email Address:
Organization Name:
Leave the challenge password and optional company name blank.
4 Sign the ldapserver.csr request with the openssl command.
sudo openssl ca -in ldapserver.csr -out ldapserver.crt
5 When prompted, enter the CA passphrase to continue and complete the process.
The certificate files needed to enable SSL on the LDAP server are now in the /usr/share/certs/ folder.
6 Open Server Admin.
7 In the Computers & Services list, select Open Directory for the server that is an Open Directory master or an Open Directory replica.
8 Click Settings.
9 Click Protocols.
10 From the Configure pop-up menu, choose “LDAP Settings.”
11 Select Enable Secure Sockets Layer (SSL).
12 Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use.
The menu lists SSL certificates that have been installed on the server. To use a certificate not listed, choose Custom Configuration from the pop-up menu.
13 Click Save.
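The step above that matters most for clients is the Common Name: if it does not match the LDAP server’s DNS name exactly, clients that verify the certificate will refuse the ldaps connection. The following POSIX shell helpers are an added example, not code from the guide: they build a non-interactive subject for the openssl req -subj option from the fields listed in step 3, extract and compare the CN of an issued certificate (as printed by openssl x509 -noout -subject) with the host name clients bind to, and state which port a binding uses with and without SSL. The host names and subject fields are constructed sample values.

```shell
# Added example (not from the guide): helpers around the LDAP server
# certificate. The guide requires the CSR's Common Name to match the
# LDAP server's DNS name exactly; these functions build a non-interactive
# subject for "openssl req -subj" and verify the CN of an issued
# certificate against the host name clients will bind to.
# Host names and fields below are constructed sample values.

# Build an openssl -subj string from the fields the guide lists.
# Usage: csr_subject C ST L O OU CN EMAIL
csr_subject() {
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' "$@"
}

# Extract the CN from an "openssl x509 -noout -subject" line, whichever
# of the two output styles ("subject= /C=US/CN=x" or "subject=C = US, CN = x")
# the installed openssl prints. Prints nothing if there is no CN.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# cn_matches_host SUBJECT_LINE HOSTNAME: 0 if the certificate's CN equals
# the host name (case-insensitive, as DNS names are), 1 otherwise.
cn_matches_host() {
    cn=$(subject_cn "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# ldap_url HOSTNAME SSL_ENABLED: the URL and port clients should use;
# 636 with SSL, otherwise clear text on 389 (what the guide warns about).
ldap_url() {
    if [ "$2" = "yes" ]; then
        printf 'ldaps://%s:636' "$1"
    else
        printf 'ldap://%s:389' "$1"
    fi
}

# Commands an administrator would run on the server (printed only):
# a CSR whose CN is the server's DNS name, then the subject line to
# feed to cn_matches_host once the CA has returned the certificate.
show_commands() {
    subj=$(csr_subject US California Cupertino "Example Org" IT ldap.example.com admin@example.com)
    printf 'sudo openssl req -new -key ldapserver.key -out ldapserver.csr -subj "%s"\n' "$subj"
    printf 'openssl x509 -noout -subject -in ldapserver.crt\n'
}

show_commands
```

Run the CN check against the certificate the CA returned before selecting it in the Certificate pop-up menu; a mismatch discovered then is a one-line fix in the CSR, whereas a mismatch discovered after step 13 shows up as bind failures on every client.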
Configuring Open Directory Policies
You can set password, binding, and security policies for an Open Directory master and its replicas. You can also set several LDAP options for an Open Directory master or replica.
For more information about configuring policies, see “Configuring Directory User Accounts” on page 319.
Setting the Global Password Policy
Using Server Admin, you can set a global password policy for user accounts in a Snow Leopard Server directory domain.
The global password policy affects user accounts in the server’s local directory domain. If the server is an Open Directory master or replica, the global password policy also affects user accounts that have an Open Directory password type in the server’s LDAP directory domain.
If you change the global password policy on an Open Directory replica, the policy settings become synchronized with the master and replicas.
Administrator accounts are exempt from password policies. Each user can have a password policy that overrides global password policy settings. For more information, see “Password Policies” on page 387.
Kerberos and Open Directory Password Server maintain password policies separately. Snow Leopard Server synchronizes the Kerberos password policy rules with Open Directory Password Server password policy rules.
To change the global password policy of user accounts in the same domain:
1 Open Server Admin and connect to an Open Directory master or replica server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click Policy.
4 Click Passwords.
This allows you to set password policy options you want enforced for users who do not have individual password policies.
5 Select the following:
• “After user makes 3 failed attempts.”
• “Differ from account name.”
• “Contain at least one letter.”
• “Contain at least one numeric character.”
• “Be reset on first user login.”
• “Contain at least 12 characters.”
• “Differ from last 3 passwords used.”
• “Be reset every 3 months.”
Note: If you select an option that requires resetting the password, remember that some service protocols don’t permit users to change passwords. For example, users can’t change their passwords when authenticating for IMAP mail service.
6 Click Save.
Replicas of the Open Directory master automatically inherit its global password policy.
From the command line:
#
# Change the global password policy of user accounts in the same domain.
# (pwpolicy keys take key=value form; durations are in minutes, so
# maxMinutesUntilChangePassword=131487 is about 3 months.)
# ---------------------------------------------------------------------
sudo pwpolicy -a $ADMIN_USER -setglobalpolicy \
    "usingHistory=3 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=131487 minChars=12 maxFailedLoginAttempts=3"
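The per-user values in step 8 of “Configuring Directory User Accounts” (3 failed attempts, 8 characters, reset every 90 days, disable after N inactive days) and the global checkboxes above both end up as pwpolicy policy strings, and the unit mismatch between the dialogs (days) and pwpolicy (minutes) is where most mistakes happen. The following POSIX shell functions are an added example, not code from the guide: they build both policy strings from day counts using the policy keys pwpolicy accepts, and pre-check a candidate password against the global rules the server will enforce (length, letter, digit, differs from account name; history and expiry can only be checked server-side). $ADMIN_USER and $USER are placeholders as in the guide’s own commands; the sample passwords are constructed.

```shell
# Added example: build pwpolicy policy strings for the per-user settings
# (step 8 of "Configuring Directory User Accounts") and the global policy
# above, and pre-check a candidate password against the global rules.
# Not code from the guide; $ADMIN_USER and $USER are placeholders.

# pwpolicy expresses durations in minutes: days * 24 * 60.
days_to_minutes() {
    echo $(( $1 * 1440 ))
}

# Per-user policy from step 8: lock after 3 failures, 8-character
# minimum, rotation every 90 days; maxMinutesOfNonUse is the
# "Disable login after inactive for # days" option.
user_policy() {
    inactive_days=$1
    printf 'maxFailedLoginAttempts=3 minChars=8 maxMinutesUntilChangePassword=%s maxMinutesOfNonUse=%s' \
        "$(days_to_minutes 90)" "$(days_to_minutes "$inactive_days")"
}

# Global policy matching the checkboxes in step 5 above; 131487 minutes
# is the guide's own value for "every 3 months".
global_policy() {
    printf 'maxFailedLoginAttempts=3 passwordCannotBeName=1 requiresAlpha=1 requiresNumeric=1 newPasswordRequired=1 minChars=12 usingHistory=3 maxMinutesUntilChangePassword=131487'
}

# check_password ACCOUNT PASSWORD: returns 0 if PASSWORD satisfies the
# global rules that can be checked offline (length, letter, digit,
# differs from the account name), 1 otherwise.
check_password() {
    account=$1
    pw=$2
    [ "${#pw}" -ge 12 ] || return 1
    case $pw in *[A-Za-z]*) ;; *) return 1 ;; esac
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    [ "$pw" != "$account" ] || return 1
    return 0
}

# Commands the administrator would run on the Open Directory master
# (printed, not executed, so this file is safe to source anywhere).
show_commands() {
    printf 'sudo pwpolicy -a $ADMIN_USER -setglobalpolicy "%s"\n' "$(global_policy)"
    printf 'sudo pwpolicy -a $ADMIN_USER -u $USER -setpolicy "%s"\n' "$(user_policy 30)"
}

show_commands
```

The checker deliberately mirrors only the rules that are pure string properties; “differ from last 3 passwords used” and the expiry clock live in the Password Server database and have no meaningful offline equivalent.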
Setting a Binding Policy for an Open Directory Master and Replicas
Using Server Admin, you can configure an Open Directory master to permit or require trusted binding between the LDAP directory and the computers that access it. Replicas of an Open Directory master inherit the master’s binding policy.
Trusted LDAP binding is mutually authenticated. The computer proves its identity by using an LDAP directory administrator’s name and password to authenticate to the LDAP directory. The LDAP directory proves its authenticity by means of an authenticated computer record created in the directory when you set up trusted binding.
Clients can’t be configured to use trusted LDAP binding and a DHCP-supplied LDAP server (also known as DHCP option 95). Trusted LDAP binding is inherently a static binding, but DHCP-supplied LDAP is a dynamic binding.
Note: To use trusted LDAP binding, clients need Tiger or Tiger Server or later. Clients using Mac OS X v10.3 or earlier can’t set up trusted binding.
To set the binding policy for an Open Directory master:
1 Open Server Admin and connect to the Open Directory master server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click Policy.
5 Click Binding, then set the directory binding options you want:
• To permit trusted binding, select “Enable authenticated directory binding.”
• To require trusted binding, also select “Require authenticated binding between directory and clients.”
6 Click Save.
Important: If you enable “Encrypt all packets (requires SSL or Kerberos)” and “Enable authenticated directory binding,” make sure users use only one for binding and not both.
From the command line:
#
# Set the binding policy for an Open Directory master.
# ---------------------------------------------------------------------
sudo slapconfig -setmacosxodpolicy -binding required
Setting a Security Policy for an Open Directory Master and Replicas
Using Server Admin, you can configure a security policy for access to the LDAP directory of an Open Directory master.
Replicas of the Open Directory master inherit the master’s security policy.
Note: If you change the security policy for the LDAP directory of an Open Directory master, you must disconnect and reconnect (unbind and rebind) every computer connected (bound) to this LDAP directory using Directory Utility.
To set the security policy for an Open Directory master:
1 Open Server Admin and connect to the Open Directory master server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click Policy.
4 Click Binding, then set the security options you want:
• “Disable clear text passwords” determines whether clients can send passwords as clear text if the passwords can’t be validated using any authentication method that sends an encrypted password.
• “Digitally sign all packets (requires Kerberos)” certifies that directory data from the LDAP server won’t be intercepted and modified by another computer while en route to client computers.
• “Encrypt all packets (requires SSL or Kerberos)” requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to client computers.
• “Block man-in-the-middle attacks (requires Kerberos)” protects against a rogue server posing as the LDAP server. Best if used with the “Digitally sign all packets” option.
• “Disable client-side caching” prevents client computers from caching LDAP data locally.
• “Allow users to edit their own contact information” permits users to change contact information on the LDAP server.
5 Click Save.
From the command line:
#
# Set the security policy for an Open Directory master.
# ---------------------------------------------------------------------
sudo slapconfig -setmacosxodpolicy -cleartext blocked -encrypt yes \
    -sign yes -man-in-the-middle blocked -clientcaching no
24
Securing RADIUS
Use this chapter to learn how to secure RADIUS.
By configuring a RADIUS (Remote Authentication Dial In User Service) server with Open Directory, you can secure your wireless environment from unauthorized users.
Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network.
This chapter describes how to configure and use RADIUS to keep your wireless network secure and to make sure it is used only by authorized users.
Disabling RADIUS
If your server is not intended to be a RADIUS server, disable RADIUS. Disabling the service prevents potential vulnerabilities on your computer. RADIUS is disabled by default, but verification is recommended.
To disable RADIUS:
1 Open Server Admin and connect to the server.
2 Select RADIUS in the Computers & Services list.
3 Click Stop RADIUS.
4 Click Save.
From the command line:
# ---------------------------------------------------------------------
# Securing RADIUS Service
# ---------------------------------------------------------------------
# Disable RADIUS
sudo serveradmin stop radius
Securely Configuring RADIUS Service
RADIUS is used to authorize Open Directory users and groups so they can access Airport Base Stations on a network. By configuring RADIUS and Open Directory you can control who has access to your wireless network.
RADIUS works with Open Directory and Password Server to grant authorized users access to the network through an Airport Base Station. When a user attempts to access an Airport Base Station, Airport communicates with the RADIUS server using Extensible Authentication Protocol (EAP) to authenticate and authorize the user.
Users are given access to the network if their user credentials are valid and they are authorized to use the Airport Base Station. If a user is not authorized, he or she cannot access the network through the Airport Base Station.
Configuring RADIUS to Use Certificates
To increase the security and manageability of Airport Base Stations, use Server Admin to configure RADIUS to use custom certificates.
To use a custom certificate:
1 Open Server Admin and connect to the server.
2 Select RADIUS in the Computers & Services list.
3 Click Settings.
4 From the RADIUS Certificate pop-up menu, choose a certificate.
If you have a custom certificate, choose Custom Configuration from the Certificate pop-up menu and enter the path to the certificate file, private key file, and certificate authority file. If the private key is encrypted, enter the private key passphrase and click OK.
If you don’t have a certificate and want to create one, click Manage Certificates. For more information about creating certificates, see Chapter 9, “Managing Certificates.”
5 Click Save.
From the command line:
# Use a custom certificate:
sudo serveradmin settings radius:eap.conf:CA_file = "/etc/certificates/$CA_CRT"
sudo serveradmin settings radius:eap.conf:private_key_file = "/etc/certificates/$KEY"
sudo serveradmin settings radius:eap.conf:private_key_password = "$PASS"
sudo serveradmin settings radius:eap.conf:certificate_file = "/etc/certificates/$CERT"
Editing RADIUS Access
You can restrict access to RADIUS by creating a group of users and adding them to the service access control list (SACL) of RADIUS.
To edit RADIUS access:
1 Open Server Admin and connect to the server.
2 Select RADIUS in the Computers & Services list.
3 Click Settings, then click Edit Allowed Users.
4 Select “For selected services below,” then select RADIUS.
5 Select “Allow only users and groups below.”
6 Click the Add (+) button.
7 From the Users and Groups list, drag users or groups of users to the “Allow only users and groups below” list.
If you want to remove users from the “Allow only users and groups below” list, select the users or groups of users and click the Delete (-) button. The users in this list are the only ones who can use RADIUS.
From the command line:
#
# Edit RADIUS access.
# ---------------------------------------------------------------------
sudo dseditgroup -o edit -a $USER -t user com.apple.access_radius
Viewing RADIUS Service Logs
RADIUS logging is important for security. With logs, you can monitor and track communication through RADIUS. You can access the RADIUS log, /var/log/system.log, using Server Admin.
To view the RADIUS log:
1 Open Server Admin and connect to the server.
2 Select RADIUS in the Computers & Services list.
3 Click Logs and then choose a log from the View pop-up menu.
From the command line:
#
# View the RADIUS log
# ---------------------------------------------------------------------
sudo tail /var/log/radius/radius.log
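Tailing the log shows the last few lines; what a security review actually wants is which accounts are failing authentication repeatedly and from which base station. The following POSIX shell functions are an added example, not code from the guide: Mac OS X Server’s RADIUS service is FreeRADIUS, whose radius.log records one “Auth: Login OK” or “Auth: Login incorrect” line per attempt, and the functions count failures per user name and flag users at or above a threshold (3, matching the global password policy’s lockout limit). The log lines are constructed sample data in FreeRADIUS’s format; the base station names and MAC addresses are made up.

```shell
# Added example (not from the guide): detection logic over radius.log.
# FreeRADIUS writes one "Auth: Login OK: [user]" or
# "Auth: Login incorrect: [user]" line per attempt; count failures per
# user and flag users who reached the threshold. Sample lines are
# constructed data.

# Constructed sample of radius.log lines (FreeRADIUS format).
sample_log() {
    cat <<'EOF'
Tue Jan 12 09:14:02 2010 : Auth: Login OK: [alice] (from client airport-3f port 0 cli 00-1e-52-aa-bb-cc)
Tue Jan 12 09:14:40 2010 : Auth: Login incorrect: [bob] (from client airport-3f port 0 cli 00-23-6c-dd-ee-ff)
Tue Jan 12 09:14:55 2010 : Auth: Login incorrect: [bob] (from client airport-3f port 0 cli 00-23-6c-dd-ee-ff)
Tue Jan 12 09:15:10 2010 : Auth: Login incorrect: [bob] (from client airport-3f port 0 cli 00-23-6c-dd-ee-ff)
Tue Jan 12 09:16:01 2010 : Auth: Login incorrect: [carol] (from client airport-3f port 0 cli 00-25-00-11-22-33)
Tue Jan 12 09:16:30 2010 : Auth: Login OK: [carol] (from client airport-3f port 0 cli 00-25-00-11-22-33)
Tue Jan 12 09:20:12 2010 : Auth: Login incorrect: [dave] (from client airport-2a port 0 cli 00-1f-5b-44-55-66)
Tue Jan 12 09:20:30 2010 : Auth: Login incorrect: [dave] (from client airport-2a port 0 cli 00-1f-5b-44-55-66)
Tue Jan 12 09:20:45 2010 : Auth: Login incorrect: [dave] (from client airport-2a port 0 cli 00-1f-5b-44-55-66)
Tue Jan 12 09:21:00 2010 : Auth: Login incorrect: [dave] (from client airport-2a port 0 cli 00-1f-5b-44-55-66)
EOF
}

# failures_by_user < log: "user count" for every user with at least one
# failed attempt, sorted by user name.
failures_by_user() {
    awk '/Auth: Login incorrect: \[/ {
            # the user name is the bracketed field after "incorrect:"
            n = index($0, "[")
            rest = substr($0, n + 1)
            user = substr(rest, 1, index(rest, "]") - 1)
            fails[user]++
        }
        END { for (u in fails) print u, fails[u] }' | sort
}

# flag_users THRESHOLD < log: "user count client" for users whose failure
# count reached THRESHOLD; the client (base station) is taken from the
# last failing line so the report says where the attempts came from.
flag_users() {
    awk -v limit="$1" '/Auth: Login incorrect: \[/ {
            n = index($0, "[")
            rest = substr($0, n + 1)
            user = substr(rest, 1, index(rest, "]") - 1)
            fails[user]++
            c = index($0, "from client ")
            if (c > 0) {
                split(substr($0, c + 12), parts, " ")
                client[user] = parts[1]
            }
        }
        END { for (u in fails) if (fails[u] >= limit) print u, fails[u], client[u] }' | sort
}

# On the server: sudo sh -c 'flag_users 3 < /var/log/radius/radius.log'
sample_log | flag_users 3
```

A single failure followed by a success (carol above) is normal typing noise and is not flagged; runs of failures against one account from one base station are what the lockout policy is there to stop, and seeing them in the log before the account locks is the earliest signal an administrator gets.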
25
Securing Print Service
Use this chapter to learn how to secure print service.
Print service is often an overlooked part of a security configuration. Important information passes into your networked printers so it is important that your printers are not misused.
With a print server, you can share printers by setting up print queues accessible by any number of users over a network connection. When a user prints to a shared queue, the print job waits on the server until the printer is available or until established scheduling criteria are met.
Apple’s printing infrastructure is built on Common UNIX Printing System (CUPS). CUPS uses open standards such as Internet Printing Protocol (IPP) and PostScript Printer Description files (PPDs).
For more information about configuring print service, see the Print Server Administration guide.
Disabling Print Service
If your server is not intended to be a print server, disable the print server software. Disabling the service prevents potential vulnerabilities on your computer. Print service is disabled by default, but verification is recommended.
To disable print service:
1 Open Server Admin and connect to the server.
2 Select Print in the Computers & Services list.
3 Click Stop Print.
From the command line:
# ---------------------------------------------------------------------
# Securing Print Service
# ---------------------------------------------------------------------
#
# Disable print service.
# ---------------------------------------------------------------------
sudo serveradmin stop print
Securing Print Service
To increase security of your print service, configure service access controls and Kerberos.
Configuring Print Service Access Control Lists (SACLs)
You can configure SACLs using Server Admin. SACLs enable you to specify which administrators have access to print service.
SACLs provide you with greater control over which administrators have access to monitor and manage a service. The users and groups listed in a service’s SACL are the only ones who can access the service. For example, to give administrator access to users or groups for the print service on your server, add them to the print service SACL.
To set administrator SACL permissions for print service:
1 Open Server Admin and connect to the server.
2 Select the server’s name.
3 Click Access.
4 Click Administrators.
5 Select the level of restriction that you want for the services.
To restrict access to all services, select “For all services.”
To set access permissions for individual services, select “For selected services below” and then select print service from the Service list.
6 To open the Users and Groups list, click the Add (+) button.
7 Drag users and groups from Users and Groups to the list.
8 Set the user’s permission.
To grant administrator access, choose Administrator from the Permission pop-up menu next to the user name.
To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
9 Click Save.
From the command line:
# Set administrator SACL permissions for print service:
sudo dseditgroup -o edit -a $USER -t user com.apple.monitor_print
Configuring Kerberos
You can configure Kerberos support for print service IPP shared queues using CUPS v1.3 online web tools. The print service then uses the local Kerberos server to authorize clients to print.
For your client computers to use Kerberos with print service, the clients must be part of the same Kerberos realm. For information on how to join your client computers to a Kerberos realm, see Open Directory Administration.
In addition to joining the Kerberos realm, client computers must also use CUPS online web tools to configure Kerberos settings. The steps for configuring CUPS are the same on the client and server computers.
To configure Kerberos for print service:
1 Open Safari browser.
2 Navigate to the CUPS online web administration tool at http://localhost:631.
3 Click the Administration tab.
4 Under Basic Server Settings, select the “Use Kerberos Authentication” checkbox.
5 Click Change Settings and authenticate if prompted.
Print service is restarted and Kerberos is enabled.
You can also edit the configuration file in CUPS by clicking Edit Configuration File in the Administration tab to open the /etc/cups/cupsd.conf file. Change the default authentication type from Basic to Negotiate, as shown:
# Default authentication type, when authentication is required…
DefaultAuthType Negotiate
From the command line:
#
# Configure Kerberos for print service.
# ---------------------------------------------------------------------
sudo serveradmin settings print:authType = KERBEROS
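Whichever of the three routes above you take, the result you want to verify is the effective DefaultAuthType in /etc/cups/cupsd.conf. CUPS uses Basic when the directive is absent, and the stock file ships the directive commented out, so a bare grep for the word Negotiate passes on a server that still defaults to Basic. The following POSIX shell functions are an added example, not code from the guide or from CUPS: they parse the file the way cupsd reads it (comments ignored, last directive wins) and report whether Kerberos is in force. The configuration text is a constructed sample.

```shell
# Added example (not from the guide): verify that cupsd.conf has the
# Kerberos setting the guide asks for. CUPS falls back to Basic when
# DefaultAuthType is absent, and a commented-out directive does not
# count, so the check parses the file rather than grepping for the word.
# The configuration text is a constructed sample.

# default_auth_type < cupsd.conf: prints the effective DefaultAuthType,
# i.e. the last uncommented directive, or "Basic" if there is none.
default_auth_type() {
    awk 'BEGIN { t = "Basic" }
         /^[ \t]*#/ { next }                          # skip comments
         tolower($1) == "defaultauthtype" { t = $2 }  # last one wins
         END { print t }'
}

# kerberos_enabled < cupsd.conf: 0 if the effective type is Negotiate.
kerberos_enabled() {
    [ "$(default_auth_type | tr 'A-Z' 'a-z')" = "negotiate" ]
}

# Constructed sample: the directive is present but still commented out,
# which is the state that fools a simple grep.
sample_conf_commented() {
    cat <<'EOF'
# Default authentication type, when authentication is required...
#DefaultAuthType Negotiate
DefaultAuthType Basic
Listen localhost:631
EOF
}

# Constructed sample: the setting the guide asks for.
sample_conf_negotiate() {
    cat <<'EOF'
# Default authentication type, when authentication is required...
DefaultAuthType Negotiate
Listen localhost:631
EOF
}

# On the server: kerberos_enabled < /etc/cups/cupsd.conf
if sample_conf_negotiate | kerberos_enabled; then
    echo "Kerberos (Negotiate) is the default authentication type"
else
    echo "cupsd.conf still defaults to Basic authentication"
fi
```

Run the check on each client as well, since the guide notes the CUPS configuration steps are the same on client and server; a client left at Basic will still be offered Kerberos by the server but will not use it.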
Configuring Print Queues
If print service is required, create a print queue for shared printers that is accessible by users over a network connection.
AppleTalk and Line Printer Remote (LPR) printer queues do not support authentication. Print service relies on the client to provide user information. Although standard Macintosh and Windows clients provide correct information, a clever user could potentially modify the client to submit false information and avoid print quotas.
SMB service supports authentication, requiring users to log in before using SMB printers. Print service uses Basic and Digest (MD5) authentication and supports the IPP print job submission method.
You can share any printer that is set up in a print queue on the server. You create print queues using Server Admin.
To create a print queue:
1 Open Server Admin and connect to the server.
2 Select Print in the Computers & Services list.
3 Click Queues.
4 Click the Add (+) button to add a print queue for a specific printer, and provide the following printer information for the printer the queue is created for:
From the pop-up menu, choose the protocol used by the printer.
For an LPR printer, enter the printer IP address or DNS name and click OK.
For an Open Directory printer, select the printer in the list and click OK.
5 Enter the Internet address or DNS name for the printer.
If you don’t want to use the printer’s default queue, deselect “Use default queue on server,” enter a queue name, and click OK.
6 Select the queue you added to the queue list.
To verify that you selected the correct queue, make sure the queue name matches the name next to Printer.
Note: Changing the Sharing Name also changes the queue name that appears in Print & Fax preferences on the server.
7 In the Sharing Name field, enter the queue name you want clients to see.
Make sure the name is compatible with naming restrictions imposed by your clients. For example, some LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters. Queue names shared using LPR or SMB must not contain characters other than A–Z, a–z, 0–9, and _ (underscore).
AppleTalk queue names cannot be longer than 32 bytes. This might be fewer than 32 typed characters. The queue name is encoded according to the language used on the server and might not be readable on client computers using another language.
8 Select the printing protocols your clients use.
If you select “SMB,” make sure you start SMB service.
9 If you want to enforce the print quotas you establish for users in Workgroup Manager, select the “Enforce quotas for this queue” checkbox.
10 If you want the printer to create a cover sheet, choose the title of the cover sheet from the Cover Sheet pop-up menu; otherwise, choose “None.”
11 Click Save.
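The Sharing Name rules in step 7 differ by protocol (character set for LPR and SMB, 12 characters for some Windows clients, 32 bytes rather than characters for AppleTalk), and a name that violates one of them simply fails to appear on those clients. The following POSIX shell functions are an added example, not code from the guide: they validate a proposed name against the protocols the queue will be shared over, distinguishing byte length from character length, and emit the serveradmin commands only for a name that passes. The queue names are constructed samples and the 12-character Windows limit is applied as a hard rule for SMB, which is stricter than the guide’s “some Windows clients”.

```shell
# Added example (not from the guide): validate a print queue Sharing Name
# against the client restrictions in step 7 before committing it with
# serveradmin. Names below are constructed samples.

# Byte length of a string. AppleTalk's 32-byte limit counts encoded
# bytes, so a name with non-ASCII characters can exceed it at fewer
# than 32 typed characters.
byte_length() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# check_sharing_name NAME PROTOCOLS: PROTOCOLS is a space-separated list
# drawn from LPR, SMB, IPP, APPLETALK. Prints one problem per line and
# returns 1 if any rule is violated, 0 if the name is acceptable.
check_sharing_name() {
    name=$1
    protocols=$2
    status=0
    [ -n "$name" ] || { echo "empty name"; return 1; }
    for p in $protocols; do
        case $p in
            LPR|SMB)
                # LPR and SMB names: only A-Z, a-z, 0-9 and underscore
                case $name in
                    *[!A-Za-z0-9_]*) echo "$p: character outside A-Z a-z 0-9 _"; status=1 ;;
                esac
                ;;
            APPLETALK)
                if [ "$(byte_length "$name")" -gt 32 ]; then
                    echo "APPLETALK: longer than 32 bytes"; status=1
                fi
                ;;
        esac
    done
    # Some Windows clients restrict names to 12 characters; treated as a
    # hard rule here whenever the queue is shared over SMB.
    if [ "${#name}" -gt 12 ]; then
        case " $protocols " in
            *" SMB "*) echo "SMB: longer than 12 characters (some Windows clients)"; status=1 ;;
        esac
    fi
    return $status
}

# queue_commands NAME PROTOCOLS: print the serveradmin commands for an
# acceptable name (using NAME as the array id too); nothing otherwise.
queue_commands() {
    check_sharing_name "$1" "$2" >/dev/null || return 1
    printf 'sudo serveradmin settings print:queuesArray:_array_id:%s:sharingName = "%s"\n' "$1" "$1"
    printf 'sudo serveradmin settings print:queuesArray:_array_id:%s:quotasEnforced = yes\n' "$1"
}

check_sharing_name "Floor 2 Color" "LPR SMB" || true
queue_commands "Finance_LPR" "LPR SMB" || true
```

Because the same name is reused for LPR, SMB and AppleTalk, the intersection of the rules is what matters: a short ASCII name with underscores instead of spaces satisfies all of them and is what the check accepts.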
From the command line:
#
# Configure a print queue.
# ---------------------------------------------------------------------
sudo serveradmin settings print:lprQueues:_array_index:0 = $PRINTER_SHARING_NAME
sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingName = $PRINTER_SHARING_NAME
sudo serveradmin settings print:queuesArray:_array_id:example_com:quotasEnforced = yes
sudo serveradmin settings print:queuesArray:_array_id:example_com:showNameInBonjour = no
sudo serveradmin settings print:queuesArray:_array_id:example_com:defaultCoverPage = "classified"
sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:service = "IPP"
sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:sharingEnable = yes
sudo serveradmin settings print:queuesArray:_array_id:example_com:printerURI = "lpd://example.com"
sudo serveradmin settings print:queuesArray:_array_id:example_com:shareable = yes
sudo serveradmin settings print:queuesArray:_array_id:example_com:printerName = "example_com"
sudo serveradmin settings print:useRemoteQueues = yes
sudo serveradmin settings print:coverPageNames:_array_index:0 = "classified"
Viewing Print Service and Queue Logs
Print service keeps two types of logs: a print service log and individual print queue logs.
• The print service log records the time of events such as when print service is started and stopped and when a print queue is put on hold.
• A print queue log records information such as the name of users who submitted jobs and the size of each job.
You can view print service logs using Server Admin.
To view print service logs:
1 Open Server Admin and connect to the server.
2 Select Print in the Computers & Services list.
3 Click Logs.
Use the Filter field to search for specific entries.
From the command line:
#
# View print service logs.
# ----------------------
sudo tail /Library/Logs/PrintService/PrintService_admin.log
26 Securing Multimedia Services
Use this chapter to learn how to secure Multimedia services.
Protecting QuickTime multimedia streams and only allowing access to those who are authorized to view them can help keep information private. The following section helps you understand and configure QuickTime Streaming Server (QTSS) securely.
Streaming is the delivery of media, such as movies and live presentations, over a network in real time. A computer (streaming server) sends the media to another computer (client computer), which plays the media as it is delivered.
With QTSS software, you can deliver:
• Broadcasts of live events in real time
• Video on demand
• Playlists of prerecorded content
A level of security is inherent in real-time streaming, because content is delivered only as the client needs it and no files remain afterward, but you might need to address some security issues.
For more information about configuring multimedia services, see the QuickTime Streaming and Broadcasting Administration guide.
Disabling QTSS
If your server is not intended to be a QuickTime streaming server, disable the QuickTime Streaming server software. Disabling the software prevents potential vulnerabilities on your computer. QTSS is disabled by default, but verification is recommended.
To disable QTSS:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Stop QuickTime Streaming.
From the command line:
# --------------------------------------------------------------------
# Securing Multimedia Services
# --------------------------------------------------------------------
#
# Disable QTSS.
# ------------
sudo serveradmin stop qtss
Securely Configuring QTSS
A level of security is inherent in real-time streaming because content is delivered only as the client needs it and no files remain afterward. However, you might need to address some security issues.
The streaming server uses the IETF standard RTSP/RTP protocols. RTSP runs on top of TCP and RTP runs on UDP. Many firewalls are configured to restrict TCP packets by port number, and are very restrictive on UDP.
There are three options for streaming through firewalls with QTSS. These options are not mutually exclusive. Typically one or more are used to provide the most flexible setup. The three configurations outlined below are for clients behind a firewall.
• Stream via port 80: This option enables the streaming server to encapsulate RTSP and RTP traffic inside TCP port 80 packets. Because this is the default port used for HTTP-based web traffic, the streamed content gets through most firewalls. However, encapsulating the streaming traffic lowers performance on the network and requires faster client connections to maintain streams. It also increases load on the server.
• Open the appropriate ports on the firewall: This option allows the streaming server to be accessed via RTSP/RTP on the default ports, and provides better use of network resources, lower speeds for client connections, and less load on the server. The ports that must be open include:
  • TCP port 80: Used for signaling and streaming RTSP/HTTP (if enabled on server).
  • TCP port 554: Used for RTSP.
  • UDP ports 6970–9999: Used for UDP streaming. A smaller range of UDP ports, typically 6970–6999, can usually be used.
  • TCP port 7070: Optionally used for RTSP. (RealServer uses this port; QTSS/Darwin can also be configured to use this port.)
  • TCP ports 8000 and 8001: Can be opened for Icecast MP3 streaming.
• Set up a streaming proxy server: The proxy server is placed in the network demilitarized zone (DMZ), an area on the network that is between an external firewall that connects to the Internet and an internal firewall between the DMZ and the internal network.
Using firewall rules, packets with the ports defined above are allowed from the proxy server to clients through the internal firewall, and also between the proxy server and the Internet via the external firewall. However, clients are not allowed to make direct connections to external resources over those ports.
This approach ensures that all packets bound for the internal network come through the proxy server, providing an additional layer of network security.
Configuring a Streaming Server
If you require QTSS, configure it in conjunction with your firewall and bind it to a single IP address.
To configure a streaming server:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings.
3 Click IP Binding.
By binding QTSS with an IP address, you can easily track network activity. You can also configure the firewall to restrict network access to this IP address. IP binding is also helpful when your server is multihomed (for example, if you’re also hosting a web server).
4 Select the IP address from the list.
5 Click Save.
6 Click Start QuickTime Streaming.
From the command line:
#
# Configure a streaming server.
# ---------------------------
sudo serveradmin settings qtss:server:bind_ip_addr:_array_index:0 = "$BIND_IP_ADDRESS"
Serving Streams Through Firewalls Using Port 80
If you are setting up a streaming server on the Internet and some of your clients are behind firewalls that allow only web traffic, enable streaming on port 80.
With this option, the streaming server accepts connections on port 80, the default port for web traffic, and QuickTime clients can connect to your streaming server even if they are behind a web-only firewall.
If you enable streaming on port 80, make sure you disable any web server with the same IP address to avoid conflicts with your streaming server.
To serve QuickTime streams over HTTP port 80:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings.
3 Click IP Bindings.
4 Select “Enable streaming on port 80.”
Streaming for selected addresses must be enabled.
Important: If you enable streaming on port 80, make sure your server is not also running a web server, such as Apache. Running QTSS and a web server with streaming on port 80 enabled can cause a port conflict that results in one or both servers not behaving properly.
From the command line:
# Serve QuickTime streams over HTTP port 80 (one command per RTSP port entry):
sudo serveradmin settings qtss:server:rtsp_port:_array_index:0 = 554
sudo serveradmin settings qtss:server:rtsp_port:_array_index:1 = 80
sudo serveradmin settings qtss:server:rtsp_port:_array_index:2 = 8000
sudo serveradmin settings qtss:server:rtsp_port:_array_index:3 = 8001
Streaming Through Firewalls or Networks with Address Translation
The streaming server sends data using UDP packets. Firewalls designed to protect information on a network often block UDP packets. As a result, client computers located behind a firewall that blocks UDP packets can’t receive streamed media. However, the streaming server also allows streaming over HTTP connections, which allows streamed media to be viewed through even very tightly configured firewalls.
Some client computers on networks that use address translation cannot receive UDP packets, but they can receive media that’s streamed over HTTP connections.
If users have problems viewing media through a firewall or via a network that uses address translation, have them upgrade their client software to QuickTime 5 or later.
If users still have problems, have their network administrators provide them with the relevant settings for the streaming proxy and streaming transport settings on their computers.
Network administrators can also set firewall software to permit RTP and RTSP throughput.
Changing the Password Required to Send an MP3 Broadcast Stream
Broadcasting MP3s to another server requires authentication.
To change the MP3 broadcast password:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings, then click Access.
3 In the MP3 Broadcast Password box, enter a new password.
4 Click Save.
From the command line:
# Change the MP3 broadcast password:
sudo serveradmin settings qtss:modules:_array_id:QTSSMP3StreamingModule:mp3_broadcast_password = "$QTMP3_PASSWORD"
Using Automatic Unicast (Announce) with QTSS on a Separate Computer
You can broadcast from QuickTime Broadcaster to QTSS. This setting can also be used to receive Announced UDP streams from another QuickTime streaming server via a relay using the Automatic Unicast (Announce) transmission method. To do so, you must create a broadcast user name and password on the streaming server.
To create a broadcast user name and password on the streaming server:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings, then click Access.
3 Click the “Accept incoming broadcasts” checkbox.
4 Click Set Password and enter the name and password.
5 Click Save.
From the command line:
#
# Create a broadcast user name and password on the streaming server.
# -----------------------
sudo serveradmin settings qtss:modules:_array_id:QTSSReflectorModule:allow_broadcasts = yes
Controlling Access to Streamed Media
You can set up authentication to control client access to streamed media files. You can use Workgroup Manager to specify who can access the media files, or you can use an access file.
Two schemes of authentication are supported: basic and digest. By default, the server uses the more secure digest authentication.
You can also control playlist access and administrator access to your streaming server.
Authentication does not control access to media streamed from a relay server. The administrator of the relay server must set up authentication for relayed media.
The ability to manage user access is built into QTSS, so it is always enabled.
For access control to work, an access file must be present in the directory you selected as your media directory. If an access file is not present in the QTSS media directory, all clients are allowed access to the media in the directory.
To control access using Open Directory:
• Authorize each user in Workgroup Manager.
For more information, see Open Directory Administration.
To control access using an access file:
1 Use the sudo qtpasswd command-line utility to create user accounts with passwords.
2 Create an access file and place it in the media directory you want to protect.
3 To disable authentication for a media directory, remove the access file (named qtaccess) or rename it (for example, qtaccess.disabled).
Creating an Access File
An access file is a text file named qtaccess that contains information about users and groups who are authorized to view media in the directory where the access file is stored.
The directory you use to store streamed media can contain other directories, and each directory can have its own access file.
When a user tries to view a media file, the server checks for an access file to see whether the user is authorized to view the media. The server looks first in the directory where the media file is located. If an access file is not found, it looks in the enclosing directory.
The first access file that’s found is used to determine whether the user is authorized to view the media file.
The access file for the streaming server works like the Apache web server access file.
You can create an access file with a text editor. The file name must be qtaccess and the file can contain some or all of the following information:
AuthName <message>
AuthUserFile <user filename>
AuthGroupFile <group filename>
require user <username1> <username2>
require group <groupname1> <groupname2>
require valid-user
require any-user
Terms not in angle brackets are keywords. Anything in angle brackets is information you supply.
Save the access file as plain text (not .rtf or any other file format).
Here’s a brief explanation of each keyword:
• message is text your users see when the login window appears. It’s optional. If your message contains white space (such as a space character between terms), enclose the message in quotation marks.
• user filename is the path and file name of the user file. For Snow Leopard, the default is /Library/QuickTimeStreaming/Config/qtusers.
• group filename is the path and file name of the group file. For Snow Leopard, the default is /Library/QuickTimeStreaming/Config/qtgroups. A group file is optional. If you have many users, it might be easier to set up groups and then enter the group names, instead of listing each user.
• username is a user who is authorized to log in and view the media file. The user’s name must be in the user file you specified. You can also specify valid-user, which designates any valid user.
• groupname is a group whose members are authorized to log in and view the media file. The group and its members must be listed in the group file you specified.
You can use these additional user tags:
• valid-user is any user defined in the qtusers file. The statement “require valid-user” specifies that any authenticated user in the qtusers file can have access to the media files. If this tag is used, the server prompts users for user name and password.
• any-user allows any user to view media without providing a name or password.
• AuthScheme is a keyword you can add to a qtaccess file with the value “basic” or “digest”. This overrides the global authentication setting on a directory-by-directory basis.
If you make customized changes to the default qtaccess access file, be aware that making changes to broadcast user settings in Server Admin modifies the default qtaccess file at the root level of the movies directory. Therefore, customized modifications you make are not preserved.
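The lookup and require rules described above, as an added example that is not part of this guide or of QTSS: a Python resolver that finds the nearest qtaccess file for a media path (the file’s directory, then each enclosing directory up to the media root) and decides whether a user may view it. The qtusers, qtgroups and qtaccess files are constructed inline, and the qtusers layout (user name before the first colon) is an assumption.

```python
# Added example, not Apple's or QTSS's code: resolve the nearest qtaccess file
# for a media path and evaluate its require directives for a user.
import os
import shlex
import tempfile

QTACCESS = "qtaccess"

def parse_qtaccess(text):
    """Parse the directives the guide lists into a policy dict (AuthName/AuthScheme ignored)."""
    policy = {"user_file": None, "group_file": None, "users": set(), "groups": set(),
              "valid_user": False, "any_user": False}
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # keeps a quoted AuthName message together
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "AuthUserFile" and args:
            policy["user_file"] = args[0]
        elif key == "AuthGroupFile" and args:
            policy["group_file"] = args[0]
        elif key == "require" and args:
            if args[0] == "user":
                policy["users"].update(args[1:])
            elif args[0] == "group":
                policy["groups"].update(args[1:])
            elif args[0] == "valid-user":
                policy["valid_user"] = True
            elif args[0] == "any-user":
                policy["any_user"] = True
    return policy

def find_qtaccess(media_path, media_root):
    """First qtaccess found walking from the file's directory up to media_root."""
    root, directory = os.path.abspath(media_root), os.path.dirname(os.path.abspath(media_path))
    while directory.startswith(root):
        candidate = os.path.join(directory, QTACCESS)
        if os.path.isfile(candidate):
            return candidate
        if directory == root:
            break
        directory = os.path.dirname(directory)
    return None

def load_users(path):  # user names precede the first colon (assumed qtusers layout)
    with open(path) as fh:
        return {line.split(":", 1)[0].strip() for line in fh if ":" in line}

def load_groups(path):  # qtgroups lines: 'groupname: user1 user2 user3'
    groups = {}
    with open(path) as fh:
        for line in fh:
            if ":" in line:
                name, members = line.split(":", 1)
                groups[name.strip()] = set(members.split())
    return groups

def is_authorized(media_path, media_root, user=None):
    """user is None for an anonymous request, else the authenticated user name."""
    access = find_qtaccess(media_path, media_root)
    if access is None:
        return True  # no access file anywhere: all clients may view the directory
    with open(access) as fh:
        policy = parse_qtaccess(fh.read())
    if policy["any_user"]:
        return True
    if user is None or not policy["user_file"]:
        return False
    if user not in load_users(policy["user_file"]):
        return False  # a named user must also exist in the user file
    if policy["valid_user"] or user in policy["users"]:
        return True
    groups = load_groups(policy["group_file"]) if policy["group_file"] else {}
    return any(user in groups.get(g, ()) for g in policy["groups"])

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    # Constructed tree: the media root requires group staff; public/ overrides with any-user.
    with tempfile.TemporaryDirectory() as tmp:
        users, groups = os.path.join(tmp, "qtusers"), os.path.join(tmp, "qtgroups")
        _write(users, "alice:x\nbob:x\n")  # constructed; real entries carry password hashes
        _write(groups, "staff: alice\n")
        media = os.path.join(tmp, "media")
        _write(os.path.join(media, QTACCESS), 'AuthName "Staff only"\nAuthUserFile %s\n'
               'AuthGroupFile %s\nrequire group staff\n' % (users, groups))
        _write(os.path.join(media, "public", QTACCESS), "require any-user\n")
        private = os.path.join(media, "private", "movie.mov")  # no own qtaccess: inherits root
        public = os.path.join(media, "public", "trailer.mov")
        return {"alice_private": is_authorized(private, media, "alice"),
                "bob_private": is_authorized(private, media, "bob"),
                "anon_private": is_authorized(private, media),
                "anon_public": is_authorized(public, media)}
```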
What Clients Need When Accessing Protected Media
Users must have QuickTime 5 or later to access a media file that digest authentication is enabled for. If your streaming server is set up to use basic authentication, users need QuickTime 4.1 or later.
Users must enter their user names and passwords to view the media file. Users who try to access a media file with an earlier version of QuickTime will see the error message “401: Unauthorized.”
Adding User Accounts and Passwords
You can add a user account and password if you log in to the server computer.
To add a user account:
1 Log in to the server computer as root, open a terminal window, and enter the following:
sudo qtpasswd <user-name>
Alternatively, use sudo to execute the command as root.
2 Enter a password for the user and reenter it when prompted.
From the command line:
#
# Add a user account.
# -----------------
sudo qtpasswd $USER
Adding or Deleting Groups
You can edit the /Library/QuickTimeStreaming/Config/qtgroups file with any text editor as long as the file uses this format:
<groupname>: <user-name1> <user-name2> <user-name3>
For Windows, the path is c:\Program Files\Darwin Streaming Server\qtgroups. For other supported platforms, it is /etc/streaming/qtgroups.
To add or delete a group, edit the group file you set up.
From the command line:
# Adding groups (append one group line to the group file):
echo "$GROUP_NAME: $USER1 $USER2 $USER3" >> /Library/QuickTimeStreaming/Config/qtgroups
Making Changes to the User or Group File
You can make changes to the user or group file if you log in to the server computer.
To delete a user from a user or group file:
1 Log in to the server computer as administrator and use a text editor to open the user or group file.
2 Delete the user name and encrypted passwords line from the user file.
3 Delete the user name from the group file.
To change a user password:
1 Log in to the server computer as root, open a terminal window, and enter the following:
sudo qtpasswd <user-name>
Alternatively, use sudo to execute the command as root.
2 Enter a password for the user.
The password you enter replaces the password in the file.
From the command line:
#
# Change a user password.
# ----------------------
sudo qtpasswd $USER
Viewing QTSS Logs
QTSS provides the following log files:
• Error logs. These log files record errors such as configuration problems. For example, if you bind to a specific IP address that can’t be found, or if a user deletes streaming files, these items are logged.
• Access logs. When someone plays a movie streamed from your server, the log reports such information as the date, time, and IP address of the computer that played the movie.
QTSS log files are stored in /Library/QuickTimeStreaming/Logs.
QTSS keeps its logs in standard W3C format, allowing you to use a number of popular log analysis tools to parse the data.
To view the QTSS log:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Logs and then choose a log from the View pop-up menu.
From the command line:
# View the QTSS log:
sudo tail /Library/QuickTimeStreaming/Logs/$LOG_FILE
27 Securing Grid and Cluster Computing Services
Use this chapter to learn how to secure Grid and Cluster Computing services.
Protecting grid and cluster services helps control your network’s free CPU cycles from misuse. This chapter helps you restrict your network’s CPUs to authorized users.
Xgrid, a technology in Snow Leopard Server and Snow Leopard, simplifies deployment and management of computational grids. Xgrid enables you to group computers into grids or clusters, and allows users to easily submit complex computations to groups of computers (local, remote, or both), as an ad hoc grid or a centrally managed cluster.
For more information about configuring grid and cluster computing services, see the Xgrid Administration and High Performance Computing guide.
Understanding Xgrid Service
Xgrid service handles the transferring of computing jobs to the grid and returns the results. Xgrid does not calculate anything, does not know anything about calculating, does not have content for calculating, and does not even know that you are calculating anything.
The computing job is handled by software (such as perl) that runs on network computers, can be installed before running the computing job, or is transferred to the computers using Xgrid.
The primary components of a computational grid perform the following functions:
• An agent runs one task at a time per CPU. (A dual-processor computer can run two tasks simultaneously.)
• A controller queues tasks, distributes those tasks to agents, and handles task reassignment.
• A client submits jobs to the Xgrid controller in the form of multiple tasks. (A client can be any computer running Tiger or later or Tiger Server or later.)
In principle, the agent, controller, and client can run on the same server, but it is often more efficient to have a dedicated controller node.
Disabling Xgrid Service
If your server is not intended to be an Xgrid server, disable the Xgrid server software. Disabling the software prevents potential vulnerabilities on your computer.
The Xgrid service is disabled by default, but verification is recommended.
To disable Xgrid service:
1 Select Xgrid in the Computers & Services list.
2 Click Stop Xgrid.
3 Click Save.
From the command line:
# --------------------------------------------------------------------
# Xgrid Service
# --------------------------------------------------------------------
#
# Disable Xgrid service.
# ---------------------
sudo serveradmin stop xgrid
About Authentication Methods for Xgrid
You can configure Xgrid with or without authentication. If you require authentication of controllers to mutually authenticate with clients and agents, you can choose Single Sign-On or Password-Based Authentication.
You set up an Xgrid controller using Server Admin. You can specify the type of authentication for agents and clients. The passwords entered in Server Admin for the controller must match those entered for each agent and client.
When establishing passwords for agents and clients, consider these points:
• Kerberos authentication (single sign-on). If you use Kerberos authentication for agents or clients, the server that’s the Xgrid controller must be configured for Kerberos, must be in the same realm as the server running the Kerberos domain controller (KDC) system, and must be bound to the Open Directory master.
The agent uses the host principal found in the /etc/krb5.keytab file. The controller uses the Xgrid service principal found in the /etc/krb5.keytab file.
• Agents. The agent determines the authentication method. The controller must conform to that method and password (if a password is used). When an agent is configured with a standard password (not single sign-on), you must use the same password for agents when you configure the controller. If the agent has specified single sign-on, the correct service principal and host principals must be available.
• Clients. If your server is the controller for a grid, be sure that Snow Leopard and Snow Leopard Server clients use the correct authentication method for the controller.
A client cannot submit a job to the controller unless the user chooses the correct authentication method and enters their password correctly, or has the correct ticket-granting ticket from Kerberos.
For more information, see Xgrid Administration and High Performance Computing.
Single Sign-On
Single sign-on (SSO) is the most powerful and flexible form of authentication. It leverages the Open Directory and Kerberos infrastructures in Snow Leopard Server to manage authentication behind the scenes, without user intervention.
Each Xgrid participant must have a Kerberos principal. The clients and agents obtain ticket-granting tickets for their principal, which is used to obtain a service ticket for the controller service principal. The controller looks at the ticket granted to the client to determine the user’s principal and verifies it with the relevant service access control lists (SACLs) and groups to determine privileges.
Generally, use this option if any of the following conditions are true:
• You have single sign-on in your environment.
• You have administrator control over all agents and clients in use.
• Jobs must run with special privileges (such as for local, network, or SAN file system access).
Password-Based Authentication
When you can’t use single sign-on, you can require password authentication. You may not be able to use single sign-on if:
• Potential Xgrid clients are not trusted by your single sign-on domain (or you don’t have one).
• You want to use agents across the Internet or that are outside your control.
• It is an ad hoc grid, without the ability to prearrange a web of trust.
In these situations, your best option is to specify a password. You have two password options: one for controller-client and one for controller-agent. For security reasons, these should be different passwords.
Note: You can also create hybrid environments, such as with client-controller authentication done using passwords but controller-agent authentication done using single sign-on (or vice versa).
No Authentication
The No Authentication method creates potential security risks, because anyone can connect or run a job, which can expose sensitive data. This option is appropriate only for testing a private network in a home or lab that is inaccessible from any untrusted computer, or when none of the jobs or the computers contain sensitive or important information.
Securely Configuring Xgrid Service
Xgrid service must be running for your server to control a grid or participate in a grid as an agent. If Xgrid service is required, configure the Xgrid agent and controller. The Xgrid controller and agent are disabled by default.
When configuring the Xgrid agent and controller, require authentication to protect your network from malicious users. Authentication requires that agent and controller use the same password or authenticate using Kerberos single sign-on. With no authentication, a malicious agent could receive tasks and potentially access sensitive data.
Disabling the Xgrid Agent
An Xgrid agent runs the computational tasks of a job. In Snow Leopard Server, the agent is turned off by default. When an agent is turned on and becomes active at startup, it registers with a controller. (An agent can be connected to only one controller at a time.) The controller sends instructions and data to the agent for the controller’s jobs. After it receives instructions from the controller, the agent executes its assigned tasks and sends the results back to the controller.
You use Server Admin to make sure your server is not acting like an Xgrid agent.
To disable an Xgrid agent on the server:
1 Select Xgrid in the Computers & Services list.
2 Click Settings.
3 Click Agent.
4 Deselect “Enable agent service.”
From the command line:
# Disable the Xgrid agent on the server:
sudo /usr/sbin/xgridctl agent stop
sudo serveradmin settings xgrid:AgentSettings:Enabled = no
Limiting the Xgrid Agent
An Xgrid agent registers with a controller and receives instructions and data for the controller’s jobs. After it receives instructions from the controller, the agent executes its assigned tasks and sends the results back to the controller.
You use Server Admin to set up your server as an Xgrid agent. In addition, you can associate the agent with a specific controller or permit it to join a grid, specify when the agent accepts tasks, and set a password that the controller must recognize.
To configure an Xgrid agent on the server:
1 Open Server Admin and connect to the server.
2 Select Xgrid in the Computers & Services list.
3 Click Settings.
4 Click Agent.
5 Click “Enable agent service.”
6 Specify a controller by choosing its name in the Controller pop-up menu or by entering the controller name.
By default, the agent uses the first available controller.
Note: An agent can find a controller in one of three ways: a specific host name or IP address, the first available controller that advertises on Bonjour on the local subnet, or a specific Bonjour service name (a service lookup against the domain name server for _xgrid._tcp._ip).
7 Specify when the agent will accept tasks.
Tasks can be accepted when the computer is idle or always.
A computer is considered idle when it has no mouse or keyboard input and ignores CPU and network activity. If a user returns to a computer that is running a grid task, the computer continues to run the task until it is finished.
8 From the pop-up menu, choose one of the following authentication options and enter the password.
• Password requires that the agent and controller use the same password.
• Kerberos uses SSO authentication for the agent’s administrator.
• None does not require a password for the agent. This option is not recommended because it provides no protection from unapproved use of your grid. With no authentication, an unapproved agent could receive tasks and potentially access sensitive data.
9 Click Save.
Important: If you require authentication, the agent and controller must use the same password or must authenticate using Kerberos single sign-on.
From the command line:
# Configure an Xgrid agent on the server.
# --------------------------
sudo serveradmin settings xgrid:AgentSettings:prefs:Enabled = yes
sudo serveradmin settings xgrid:AgentSettings:prefs:ControllerAuthentication = "Kerberos"
sudo serveradmin settings xgrid:AgentSettings:prefs:ControllerName = "$XGRID_CONTROLLER_HOST"
sudo serveradmin settings xgrid:AgentSettings:Enabled = yes
Configuring an Xgrid Controller
You use Server Admin to configure an Xgrid controller. When configuring the controller, you can also set a password for any agent using the grid and for any client that submits a job to the grid.
To configure an Xgrid controller:
1 Open Server Admin and connect to the server.
2 Select Xgrid in the Computers & Services list.
3 Click Settings.
4 Click Controller.
5 Click “Enable controller service.”
6 From the Client Authentication pop-up menu, choose one of the following authentication options for clients and enter the password.
• Password requires that the agent and controller use the same password.
• Kerberos uses single sign-on authentication for the agent’s administrator.
• None does not require a password for the agent. This option is not recommended because it provides no protection from unapproved use of your grid. With no authentication, an unapproved agent could receive tasks and potentially access sensitive data.
7 Click Save.
Important: If you require authentication, the agent and controller must use the same password or must authenticate using Kerberos single sign-on.
From the command line:
# Configure an Xgrid controller.
sudo serveradmin settings xgrid:ControllerSettings:Enabled = yes
sudo serveradmin settings xgrid:ControllerSettings:prefs:ClientAuthentication = Password
sudo serveradmin settings xgrid:ControllerSettings:ClientPassword = $XGRID_CLIENT_PASS
28 Managing Who Can Obtain Administrative Privileges (sudo)
Use this chapter to restrict administrator access to the sudo command by specifying who can use this command in the sudoers file.
The sudo command gives root user privileges to users specified in the sudoers file. If you’re logged in as an administrator user and your user name is specified in the /etc/sudoers file, you can use this command.
Managing the sudoers File
Limit the list of administrators allowed to use the sudo tool to those administrators who require the ability to run commands with root user privileges.
To change the /etc/sudoers file:
1 Edit the /etc/sudoers file using the visudo tool, which allows for safe editing of the file, by running the following command with root user privileges:
sudo visudo
2 When prompted, enter your administrator password.
There is a timeout value associated with the sudo tool. This value indicates the number of minutes until sudo prompts for a password again.
The default value is 5, which means that after issuing the sudo command and entering the correct password, additional sudo commands can be entered for 5 minutes without reentering the password. This value is set in the /etc/sudoers file.
For more information, see the sudo and sudoers man pages.
3 In the Defaults specification section of the file, add the following line:
Defaults timestamp_timeout=0
4 Restrict which administrators are allowed to run the sudo tool by removing the line that begins with %admin and adding the following entry for each user, substituting the user’s short name for the word user:
user ALL=(ALL) ALL
Doing this means that when an administrator is added to a system, the administrator must be added to the /etc/sudoers file as described above if that administrator needs to use the sudo tool.
5 Save and quit visudo.
For more information, see the pico and visudo man pages.
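A check for the two sudoers changes made in the procedure above (timestamp_timeout=0 and per-user entries in place of the %admin line), added here as an example that is not from this guide. BEFORE and AFTER are constructed sudoers fragments; the user-specification regex covers the `user ALL=(ALL) ALL` form the chapter uses, not every sudoers syntax.

```python
# Added example, not Apple's code: audit sudoers text against the hardening
# steps in this chapter. Returns findings (empty when hardened) and the users
# that hold explicit sudo entries.
import re

# Constructed samples: the stock layout, and the same file after steps 3 and 4.
BEFORE = """\
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
AFTER = """\
Defaults env_reset
Defaults timestamp_timeout=0
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
"""

TIMEOUT_RE = re.compile(r"^Defaults\b.*\btimestamp_timeout\s*=\s*(-?\d+)")
USERSPEC_RE = re.compile(r"^(%?\S+?)\s+\S+\s*=\s*\(")  # 'who HOST=(runas) cmds'

def audit_sudoers(text):
    """(findings, users): findings is [] when the file matches the hardened state."""
    findings, users, timeout = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeout = int(m.group(1))
            continue
        m = USERSPEC_RE.match(line)
        if m:
            who = m.group(1)
            if who.startswith("%"):  # a group entry grants sudo to every member
                findings.append("group entry %s grants sudo to all of its members" % who)
            else:
                users.append(who)
    if timeout is None:
        findings.append("timestamp_timeout not set: sudo caches the password for 5 minutes")
    elif timeout != 0:  # a negative value means the password is never asked again
        findings.append("timestamp_timeout=%d: password is cached between commands" % timeout)
    return findings, users
```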
29 Managing Authorization Through Rights
Use this chapter to control authorization on your system by managing the policy database.
Authorization on Snow Leopard Server is controlled by a policy database. This database is stored in /etc/authorization. The database format is described in comments at the top of that file.
The SecurityAgent plug-in processes requests for authentication by gathering requirements from the policy database (/etc/authorization).
Actions can be successfully performed only when the user has acquired the rights to do so.
Understanding the Policy Database
The policy database is a property list that consists of two dictionaries:
• The rights dictionary
• The rules dictionary
The Rights Dictionary
The rights dictionary contains a set of key/value pairs, called right specifications. The key is the right name and the value is information about the right, including a description of what the user must do to acquire the right.
The following is an extract from the policy database installed on your system.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC …>
<plist version="1.0">
<dict>
…
    <key>rights</key>
    <dict>
        <key></key>
        <dict>
            <key>class</key>
            <string>rule</string>
            <key>comment</key>
            <string>Matches otherwise unmatched rights (i.e., is a default).</string>
            <key>rule</key>
            <string>default</string>
        </dict>
        <key>system.device.dvd.setregion.initial</key>
        <dict>
            <key>class</key>
            <string>user</string>
            <key>comment</key>
            <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string>
            <key>group</key>
            <string>admin</string>
            <key>shared</key>
            <true/>
        </dict>
        …
        <key>config.add.</key>
        <dict>
            <key>class</key>
            <string>allow</string>
            <key>comment</key>
            <string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string>
        </dict>
        …
In this extract from the policy database, there are three rights:
• The right specification with an empty key string is known as the default right specification. To obtain this right a user must satisfy the default rule which, by default on current versions of Mac OS X, is to prove that they are an administrator.
• system.device.dvd.setregion.initial controls whether the user is allowed to set the initial region code for the DVD drive. By default, a user must prove that they are an administrator (in group admin) to set the DVD region.
• config.add. is a wildcard right specification (it ends with a dot) that matches any right whose name starts with the config.add. characters. This right controls whether a user can add a right specification to the policy database. By default, any user can add a right specification.
When a program asks for a right, Authorization Services executes the following algorithm:
1 It searches the policy database for a right specification whose key matches the right name.
2 If that fails, it searches the policy database for a wildcard right specification whose key matches the right name. If multiple rights are present, it uses the one with the longest key.
3 If that fails, it uses the default right specification.
After it has found the relevant right specification, Authorization Services evaluates the specification to decide whether to grant the right. In some cases this is easy (in the extract from the policy database above, config.add. is always granted), but in other cases it can be more complex (for example, setting the DVD region requires that you enter an administrator password).
Rules
A rule consists of a set of attributes. Rules are preconfigured when Snow Leopard Server is installed, but applications can change them at any time. The following table describes the attributes defined for rules, with the value each takes in the generic rule.

key (generic rule value: empty string)
    The key is the name of a rule. A key uses the same naming conventions as a right. Security Server uses a rule's key to match the rule with a right. Wildcard keys end with a "." The generic rule has an empty key value. Any rights that do not match a specific rule use the generic rule.
group (generic rule value: admin)
    The user must authenticate as a member of this group. This attribute can be set to any one group.
shared (generic rule value: true)
    If this is set to true, Security Server marks the credentials used to gain this right as shared. Security Server can use any shared credentials to authorize this right. For maximum security, set sharing to false so credentials stored by Security Server for one application are not used by another application.
timeout (generic rule value: 300)
    The credential used by this rule expires in the specified number of seconds. For maximum security, where the user must authenticate every time, set the timeout to 0. For minimum security, remove the timeout attribute so the user authenticates only once per session.

There are some specific rules in the policy database for Mac OS X applications. There is also a generic rule in the policy database that the Security Server uses for any right that doesn't have a specific rule.
Managing Authorization Rights
Managing authorization rights involves creating and modifying right and rule values.
Creating an Authorization Right
To authorize a user for specific rights, you must create an authorization right in the rights dictionary. Each right consists of the following:
• The name of the right
• A value that contains optional data pertaining to the right
• The byte length of the value field
• Optional flags
The right always matches up with the generic rule unless a new rule is added to the policy database.
Modifying an Authorization Right
To modify a right, change the relevant value in /etc/authorization and save the file:
• To require authentication for every privileged operation that is not explicitly allowed, change the generic rule by setting the timeout attribute to 0, so that a credential is never reused.
• To allow privileged operations for the rest of the session after the user is authorized once, remove the timeout attribute from the generic rule.
• To prevent applications from sharing rights, set the shared attribute to false.
• To require users to authenticate as a member of the staff group instead of the admin group, set the group attribute to staff.
Note: There are APIs that you can use for modifying /etc/authorization. It's better to use these APIs than to manually change the values.
Example Authorization Restrictions
As an example of how the Security Server matches a right with a rule in the policy database, consider a grades-and-transcripts application.
The application requests the right com.myOrganization.myProduct.transcripts.create. Security Server looks up the right in the policy database. Not finding a match, Security Server looks for a rule with a wildcard key set to com.myOrganization.myProduct.transcripts., com.myOrganization.myProduct., com.myOrganization., or com. (in that order, checking for the longest match). If no wildcard key matches, Security Server uses the generic rule.
Security Server requests authentication from the user. The user provides a user name and password to authenticate as a member of the group admin. Security Server creates a credential based on the user authentication and the right requested. The credential specifies that other applications can use it, and Security Server sets the expiration to five minutes.
Three minutes later, a child process of the application starts up. The child process requests the right com.myOrganization.myProduct.transcripts.create. Security Server finds the credential, sees that it allows sharing, and uses the right. Two and a half minutes later, the same child process requests the right com.myOrganization.myProduct.transcripts.create again, but the right has expired. Security Server begins the process of creating a credential by consulting the policy database and requesting user authentication.
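The following Python script is an added example, not Apple's code and not part of this guide. It models the lookup algorithm and the grades-and-transcripts sequence above: it parses a constructed policy database in the plist layout of /etc/authorization, applies the exact, longest-wildcard, then default lookup, and keeps a credential cache whose reuse honours the shared and timeout attributes. Only a rights dictionary is modelled; the real file also carries a rules dictionary, and rights may refer to rules by name. The wildcard right com.myOrganization.myProduct.grades. and its staff group are assumptions made for illustration.

```python
"""Model of Authorization Services right lookup and credential reuse.

Added example, not Apple's code. Parses a constructed policy database in the
plist layout of /etc/authorization; only a "rights" dictionary is modelled.
"""
import plistlib

# Constructed sample database, trimmed to the attributes the chapter discusses.
# The com.myOrganization.myProduct.grades. entry is an assumed custom right.
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key></key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
      <key>timeout</key><integer>300</integer>
    </dict>
    <key>system.device.dvd.setregion.initial</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
    </dict>
    <key>config.add.</key>
    <dict>
      <key>class</key><string>allow</string>
    </dict>
    <key>com.myOrganization.myProduct.grades.</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>staff</string>
      <key>shared</key><false/>
      <key>timeout</key><integer>0</integer>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_rights(data=SAMPLE_POLICY):
    """Return the rights dictionary of a policy database in plist form."""
    return plistlib.loads(data)["rights"]


def find_right(rights, name):
    """Three-step lookup: exact key, then the longest matching wildcard key
    (a key ending in "."), then the default right with the empty key."""
    if name in rights:
        return name
    wildcards = [k for k in rights if k and k.endswith(".") and name.startswith(k)]
    if wildcards:
        return max(wildcards, key=len)
    return ""


def authorize(rights, cache, name, client, now, groups):
    """Decide one request and return (decision, reason).

    cache  -- credentials already issued, keyed by right-specification key
    client -- identifier of the requesting process
    now    -- current time in seconds
    groups -- groups the user can authenticate as a member of
    """
    key = find_right(rights, name)
    spec = rights[key]
    cls = spec.get("class", "user")
    if cls == "allow":
        return "granted", "class allow: no authentication needed"
    if cls == "deny":
        return "denied", "class deny"
    group = spec.get("group", "admin")
    cred = cache.get(key)
    # A cached credential is usable only while unexpired and, unless it was
    # marked shared, only by the process that earned it.
    if cred and (cred["expires"] is None or now < cred["expires"]) \
            and (cred["shared"] or cred["owner"] == client):
        return "granted", "reused credential"
    if group not in groups:
        return "denied", "user is not in group " + group
    timeout = spec.get("timeout")          # absent: valid for the whole session
    cache[key] = {"owner": client,
                  "shared": bool(spec.get("shared", False)),
                  "expires": None if timeout is None else now + timeout}
    return "granted", "authenticated as member of " + group


def weak_rights(rights):
    """Rights of class user whose credentials are shared or never expire."""
    return [k for k, s in rights.items()
            if s.get("class", "user") == "user"
            and (s.get("shared", False) or "timeout" not in s)]


def walkthrough():
    """The grades-and-transcripts sequence from the chapter, times in seconds."""
    rights, cache = load_rights(), {}
    right = "com.myOrganization.myProduct.transcripts.create"  # falls to default
    return [authorize(rights, cache, right, "app", 0, {"admin"}),
            authorize(rights, cache, right, "child", 180, {"admin"}),   # 3 min
            authorize(rights, cache, right, "child", 330, {"admin"})]   # 5.5 min


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
    print("rights to tighten:", weak_rights(load_rights()))
```

Running the script prints the three decisions of the walkthrough (authenticate, reuse the shared credential, re-authenticate after expiry); weak_rights lists the entries an administrator would tighten under Modifying an Authorization Right, namely those that keep shared set to true or have no timeout.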
Chapter 30 Maintaining System Integrity
Use this chapter to learn how to monitor events and logs to help protect the integrity of your computer.
Using auditing and logging tools to monitor your computer can help you secure your computer. By reviewing these audits and log files, you can stop login attempts from unauthorized users or computers and further protect your configuration settings. This chapter also discusses antivirus tools, which detect unwanted viruses.
Using Digital Signatures to Validate Applications and Processes
A digital signature uses public key cryptography to ensure the integrity of data. Like traditional signatures written with ink on paper, they can be used to identify and authenticate the signer of the data.
However, digital signatures go beyond traditional signatures in that they can also ensure that the data itself has not been altered. This is like designing a check in such a way that if someone alters the amount of the sum written on the check, an "Invalid" watermark becomes visible on the face of the check.
To create a digital signature, the signer generates a message digest of the data and then uses a private key to sign the digest. The signer must have a valid digital certificate containing the public key that corresponds to the private key. The combination of a certificate and related private key is called an identity.
The signature includes the signed digest and information about the signer's digital certificate. The certificate includes the public key and the algorithm needed to verify the signature.
To verify that the signed document has not been altered, the recipient uses the same digest algorithm to compute a message digest of the received data and uses the public key to check the signed digest against it. If the two digests prove identical, the data cannot have been altered since it was signed, and the signature must have been produced by the holder of the private key that corresponds to the public key.
To ensure that the person who provided the signature is not only the same person who provided the data but is also who they say they are, the certificate is also signed, in this case by the certificate authority (CA) who issued the certificate.
Signed code uses several digital signatures:
• If the code is universal, the object code for each architecture is signed separately.
• Components of the application bundle (such as the Info.plist file, if there is one) are also signed.
Validating Application Bundle Integrity
To validate the signature on a signed application bundle, use the codesign command with the -v option.
From the command line:
# --------------------------------------------------------------------
# Maintaining System Integrity
# --------------------------------------------------------------------
# Validate application bundle integrity.
sudo codesign -v $code_path
This command checks that the code binaries at $code_path are signed, that the signature is valid, that sealed components are unaltered, and that the bundle passes basic consistency checks. It does not verify that the code satisfies any requirement except its own designated requirement.
To verify a requirement, use the -R option. For example, to verify that the Apple Mail application is identified as Mail, signed by Apple, and secured with Apple's root signing certificate, use the following command:
From the command line:
# Verify a requirement.
sudo codesign -v -R="identifier com.apple.Mail and anchor apple" /Applications/Mail.app
Unlike the -r option, the -R option takes only a single requirement rather than a requirements collection (no => tags). Add additional -v options to get details on the validation process.
For more information about signing and verifying application bundle signatures, see Code Signing Guide at developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide. For more information about the codesign command, see its man page.
Validating Running Processes
You can also use codesign to validate the signatures of running processes. If you pass a number rather than a path to the verify option, codesign takes the number to be the process ID (pid) of a running process, and performs dynamic validation instead.
Auditing System Activity
Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and methods used for successful and failed access attempts.
The audit subsystem allows authorized administrators to create, read, and delete audit information. The audit subsystem creates a log of auditable events and allows the administrator to read all audit information from the records in a manner suitable for interpretation. The default location for these files is the /var/audit/ folder.
The audit subsystem is controlled by the audit utility located in the /usr/sbin/ folder. This utility transitions the system in and out of audit operation.
The default configuration of the audit mechanism is controlled by a set of configuration files in the /etc/security/ folder.
If auditing is enabled, the /etc/rc startup script starts the audit daemon at system startup. All features of the daemon are controlled by the audit utility and the audit_control file.
Installing Auditing Tools
The Common Criteria Tools disk image (.dmg) file contains the installer for auditing tools. This disk image file is available from the Common Criteria web page located at www.apple.com/support/security/commoncriteria/.
After downloading the Common Criteria Tools disk image file, copy it to a removable disk, such as a CD-R disc, FireWire disk, or USB disk.
To install the Common Criteria Tools software:
1 Insert the disk that contains the Common Criteria Tools disk image file and open the file to mount the volume containing the tools Installer.
2 Double-click the CommonCriteriaTools.pkg installer file.
3 Click Continue, then proceed through the installation by following the onscreen instructions.
4 When prompted to authenticate, enter the user name and password of the administrator account.
From the command line:
# Install the Common Criteria Tools software.
sudo installer -pkg CommonCriteriaTools.pkg -target /
Enabling Auditing
Modify the hostconfig file to enable auditing.
To turn auditing on:
1 Open Terminal.
2 Enter the following command to edit the /etc/hostconfig file.
sudo pico /etc/hostconfig
3 Add the following entry to the file.
AUDIT=-YES-
4 Save the file.
Auditing is enabled when the computer starts up.
The following table shows the possible audit settings and what they do.

Parameter          Description
AUDIT=-YES-        Enable auditing; ignore failure.
AUDIT=-NO-         Disable auditing.
AUDIT=-FAILSTOP-   Enable auditing; processes may stop if failure occurs.
AUDIT=-FAILHALT-   Enable auditing; the system halts if failure occurs.

If the AUDIT entry is missing from the /etc/hostconfig file, auditing is turned off. A failure is any occurrence that prevents audit events from being logged.
The audit subsystem generates warnings when relevant events such as storage space exhaustion and errors in operation are recognized during audit startup or log rotation. These warnings are communicated to the audit_warn script, which can then communicate these events to the authorized administrator.
From the command line:
# Enable auditing.
# Update an existing AUDIT line in place, or append one if none exists.
# Both writes run under sudo; a plain shell redirection would run as the
# invoking user and fail to write /etc/hostconfig.
if /usr/bin/grep -q '^AUDIT=' /etc/hostconfig
then
    sudo /usr/bin/sed -i '' 's/^AUDIT=.*/AUDIT=-YES-/' /etc/hostconfig
else
    /bin/echo 'AUDIT=-YES-' | sudo /usr/bin/tee -a /etc/hostconfig > /dev/null
fi
Setting Audit Mechanisms
System startup scripts attempt to configure auditing early in the system startup process. After auditing is enabled, the settings for the audit mechanism are set with the /etc/security/audit_control configuration file.
Files containing audit settings can be edited with any text editor. Terminal can be used with the pico or emacs text editor tools. For more information about using text editors with Terminal, see the pico or emacs man page.
Audit flags are defined in terms of audit classes. Audit flags can be for the whole system, or specific flags can be used for a user. Audit flags can include or exclude classes of events from the audit record stream based on the outcome of the event. For example, the outcome could be success, failure, or both.
When a user logs in, the system-wide audit flags from the audit_control file are combined with the user-specific audit flags (if any) from the audit_user file, and together establish the preselection mask for the user.
The preselection mask determines which events will generate audit records for a user. If the preselection mask is changed, restart the computer to ensure that all components are producing audit events consistently.
Using Auditing Tools
This section describes how to use auditing tools.
Using the audit Tool
Auditing is managed by the audit tool. The audit tool uses this syntax:
audit [-nst] [file]
The audit tool controls the state of the auditing subsystem. The optional file operand specifies the location of the audit_control input file. The default file is /etc/security/audit_control.
You can use the following options with the audit tool.

Parameter   Description
-n          Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file.
-s          Specifies that the audit system should restart and reread its configuration from the audit control file. A new log file is created.
-t          Specifies that the audit system should terminate. Log files are closed and renamed to indicate the time of the shutdown.

For more information, see the audit man page.
Using the auditreduce Tool
The auditreduce tool enables you to select events that have been logged in audit records. Matching audit records are printed to the standard output in their raw binary form. If no file name is specified, the standard input is used by default.
The auditreduce tool follows this syntax:
auditreduce [-A] [-a YYYYMMDD[HH[MM[SS]]]] [-b YYYYMMDD[HH[MM[SS]]]] [-c flags] [-d YYYYMMDD] [-e euid] [-f egid] [-g rgid] [-r ruid] [-u auid] [-j id] [-m event] [-o object=value] [file …]
For more information, see the auditreduce man page.

Parameter                  Description
-A                         Selects all records.
-a YYYYMMDD[HH[MM[SS]]]    Selects records that occurred on or after the specified date and time.
-b YYYYMMDD[HH[MM[SS]]]    Selects records that occurred before the specified date and time.
-c flags                   Selects records matching the given audit classes, specified as a comma-separated list of audit flags.
-d YYYYMMDD                Selects records that occurred on a specified date. Cannot be used with the -a or -b option flags.
-e euid                    Selects records with the specified effective user.
-f egid                    Selects records with the specified effective group.
-g rgid                    Selects records with the specified real group.
-r ruid                    Selects records with the specified real user.
-u auid                    Selects records with the specified audit ID.
-j id                      Selects records having a subject token with matching ID.
-m event                   Selects records with the specified event name or number.
-o object=value            file= selects records containing the specified path name. file="/usr" matches paths starting with /usr; file="~/usr" matches paths not starting with /usr.
                           msgqid= selects records containing the specified message queue ID.
                           pid= selects records containing the specified process ID.
                           semid= selects records containing the specified semaphore ID.
                           shmid= selects records containing the specified shared memory ID.

To select all records associated with effective user ID root from the audit log /var/audit/20031016184719.20031017122634:
auditreduce -e root /var/audit/20031016184719.20031017122634
To select all setlogin events from that log:
auditreduce -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
Using the praudit Tool
The praudit tool prints the contents of audit records. Audit records appear in standard output (stdout). If no file name is specified, standard input (stdin) is used.
The praudit tool uses this syntax:
praudit [options] audit-trail-file […]
You can use praudit with the following options:

Parameter   Description
-l          Prints the record in the same line. If this option is not specified, every token appears in a different line.
-r          Prints records in their raw format. This option cannot be combined with -s.
-s          Prints the tokens in their short form. Short ASCII representations for record and event type are displayed. This option cannot be combined with -r.
-d del      Specifies the delimiter. The default delimiter is the comma.

If raw or short form are not specified, tokens are printed in their long form. Events are displayed according to their descriptions given in audit_event, UIDs and GIDs are expanded to their actual ASCII representation, date and time is displayed in standard date format, and so on.
For more information, see the praudit man page.
Deleting Audit Records
You can clear the audit trail by deleting audit files using the command line.
WARNING: Do not delete the current audit log.
To delete an audit file:
sudo srm /var/audit/20031016184719.20031017122634
Audit Control Files
The audit system uses the following text files to control auditing and write audit records. The default location for these files is the /etc/security/ folder.
• audit_class: The audit_class file contains descriptions of auditable event classes on the system. Each auditable event is a member of an event class. Each line maps an audit event mask (bitmap) to a class and a description.
• audit_control: The audit_control file contains several audit system parameters. Each line of this file is of the form parameter:value. Audit flags are a comma-delimited list of audit classes as defined in the audit_class file. Event classes can be preceded by a prefix that changes their interpretation.
• audit_event: The audit_event file contains descriptions of auditable events on the system. Each line maps an audit event number to a name, a description, and a class. Each event class should have a corresponding entry in the audit_class file.
• audit_user: The audit_user file specifies which audit event classes are to be audited for specific users. If specified, these flags are combined with system-wide audit flags in the audit_control file to determine which classes of events to audit for a user. These settings take effect when the user logs in. Each line maps a user name to a list of classes that should be audited and a list of classes that should not be audited.
• audit_warn: The audit_warn file runs when auditd generates warning messages. The default audit_warn is a script whose first parameter is the type of warning. The script appends its arguments to /etc/security/audit_messages. Administrators can replace this script with a more comprehensive one that takes different actions based on the type of warning. For example, a low-space warning could result in a mail message being sent to the administrator.
For more information about editing audit control files, see the Common Criteria Administration guide at www.apple.com/support/security.
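The following Python script is an added example, not Apple's or OpenBSM's code, that computes the preselection mask described under Setting Audit Mechanisms from the audit_class, audit_control and audit_user files listed above. The three file excerpts are constructed in the layouts this chapter describes; the class bit values copy the usual OpenBSM audit_class assignments, and the flag prefix meanings are my reading of audit_control(5): no prefix selects both outcomes, "+" selects successful events only, "-" failed events only, and a leading "^" removes rather than adds. Check the man pages on your system before relying on those meanings.

```python
"""Per-user audit preselection mask from audit_control and audit_user.

Added example, not Apple's or OpenBSM's code. File excerpts are constructed;
flag-prefix semantics are an assumption taken from audit_control(5).
"""

# Constructed excerpt of /etc/security/audit_class (bitmask:class:description)
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000010:fc:file create
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0x40000000:ex:exec
0xffffffff:all:all flags set
"""

# Constructed excerpt of /etc/security/audit_control (parameter:value)
AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,aa,ad,-fw
minfree:20
naflags:lo,aa
"""

# Constructed excerpt of /etc/security/audit_user (username:alwaysaudit:neveraudit)
AUDIT_USER = """\
root:ex,+fc:no
guest:all:-fr
"""


def _entries(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_classes(text):
    """Map class names to their bitmask."""
    classes = {}
    for line in _entries(text):
        bits, name, _description = line.split(":", 2)
        classes[name] = int(bits, 16)
    return classes


def parse_control(text):
    """Map each parameter to the list of values given for it (dir may repeat)."""
    params = {}
    for line in _entries(text):
        key, value = line.split(":", 1)
        params.setdefault(key, []).append(value)
    return params


def parse_user(text):
    """Map user name to (alwaysaudit, neveraudit) flag strings."""
    return {n: (a, v) for n, a, v in (line.split(":") for line in _entries(text))}


def apply_flags(mask, flags, classes):
    """Apply a comma-separated flag string to a (success, failure) bitmask pair."""
    succ, fail = mask
    for flag in filter(None, flags.split(",")):
        remove = flag.startswith("^")          # "^" removes instead of adding
        flag = flag[1:] if remove else flag
        on_success = not flag.startswith("-")  # "-": failed events only
        on_failure = not flag.startswith("+")  # "+": successful events only
        bits = classes[flag.lstrip("+-")]
        if on_success:
            succ = succ & ~bits if remove else succ | bits
        if on_failure:
            fail = fail & ~bits if remove else fail | bits
    return succ, fail


def preselection_mask(user, control=AUDIT_CONTROL, users=AUDIT_USER,
                      class_file=AUDIT_CLASS):
    """System-wide flags, plus the user's alwaysaudit, minus neveraudit."""
    classes = parse_classes(class_file)
    mask = (0, 0)
    for flags in parse_control(control).get("flags", []):
        mask = apply_flags(mask, flags, classes)
    always, never = parse_user(users).get(user, ("", ""))
    mask = apply_flags(mask, always, classes)
    removals = ",".join("^" + f for f in never.split(",") if f)
    return apply_flags(mask, removals, classes)


def is_audited(mask, event_class_bits, succeeded):
    """Would an event of this class and outcome produce a record for this mask?"""
    return bool(mask[0 if succeeded else 1] & event_class_bits)


if __name__ == "__main__":
    for name in ("root", "guest", "alice"):
        succ, fail = preselection_mask(name)
        print("%-6s success=0x%08x failure=0x%08x" % (name, succ, fail))
```

With these excerpts, root's mask adds exec events and successful file creates to the system-wide selection, guest is audited for everything except failed file reads, and a user absent from audit_user gets the system-wide flags alone. Because the mask is fixed at login, the chapter's advice to restart after changing it applies equally to edits of audit_user.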
Managing and Analyzing Audit Log Files
If auditing is enabled, the auditing subsystem adds records of auditable events to an audit log file. The name of an audit log file consists of the date and time it was created, followed by a period, and the date and time it was terminated. For example:
20040322183133.20040322184443
This log was created on March 22, 2004 at 18:31:33 and was terminated on March 22, 2004 at 18:44:43.
The audit subsystem appends records to only one audit log file at a time. The currently active file has a suffix ".not_terminated" instead of a date and time. Audit log files are stored in the folders specified in the audit_control file. The audit subsystem creates an audit log file in the first folder specified.
When less than the minfree amount of disk space is available on the volume containing the audit log file, the audit subsystem:
1 Issues an audit_warn soft warning.
2 Terminates the current audit log file.
3 Creates a new audit log file in the next specified folder.
After all folders specified have exceeded this minfree limit, auditing resumes in the first folder again. However, if that folder is full, an auditing subsystem failure can occur.
You can also choose to terminate the current audit log file and create a new one manually using the audit utility. This action is commonly referred to as "rotating the audit logs."
Use audit -n to rotate the current log file. Use audit -s to force the audit subsystem to reload its settings from the audit_control file (which also rotates the current log file).
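The following Python script is an added example, not Apple's code, that works with the trail naming and folder selection described above: it parses trail file names of the form start.end (or start.not_terminated for the active trail), picks out the trails whose lifetime overlaps an incident window so they can be handed to auditreduce, and chooses the folder in which the next trail is created from the dir and minfree lines of audit_control. The directory listing, the audit_control excerpt and the free-space percentages are constructed so the script runs anywhere; a real tool would read /var/audit and query the file system.

```python
"""Audit trail names, incident windows and minfree folder selection.

Added example, not Apple's code. All inputs are constructed.
"""
from datetime import datetime

STAMP = "%Y%m%d%H%M%S"

# Constructed listing of /var/audit; README stands in for any non-trail entry.
TRAILS = [
    "20040322183133.20040322184443",
    "20040322184443.20040322190102",
    "20040322190102.not_terminated",
    "README",
]

# Constructed audit_control excerpt; the second dir is an assumed spill volume.
AUDIT_CONTROL = """\
dir:/var/audit
dir:/Volumes/AuditSpill/audit
flags:lo,ad
minfree:20
"""


def _stamp(value):
    return datetime.strptime(value, STAMP)


def parse_trail_name(name):
    """Return (start, end) datetimes; end is None for the active trail.
    Raises ValueError for names that are not audit trails."""
    start, _, end = name.partition(".")
    started = _stamp(start)
    return started, (None if end == "not_terminated" else _stamp(end))


def trails_covering(names, window_start, window_end):
    """Trail names whose lifetime overlaps the window (YYYYMMDDhhmmss stamps);
    these are the files to pass to auditreduce -a/-b for an incident."""
    lo, hi = _stamp(window_start), _stamp(window_end)
    hits = []
    for name in names:
        try:
            started, ended = parse_trail_name(name)
        except ValueError:
            continue                      # skip entries that are not trails
        if started <= hi and (ended is None or ended >= lo):
            hits.append(name)
    return hits


def parse_control(text):
    """Map each audit_control parameter to its list of values."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(":", 1)
            params.setdefault(key, []).append(value)
    return params


def next_trail_dir(control_text, free_percent):
    """Folder for the next trail: the first listed dir with at least minfree
    percent free; if every folder is below the limit, the first dir again,
    which is the situation the chapter warns can end in a subsystem failure."""
    params = parse_control(control_text)
    dirs = params["dir"]
    minfree = int(params.get("minfree", ["0"])[0])
    for directory in dirs:
        if free_percent.get(directory, 0) >= minfree:
            return directory
    return dirs[0]


if __name__ == "__main__":
    print(trails_covering(TRAILS, "20040322184000", "20040322185000"))
    print(next_trail_dir(AUDIT_CONTROL, {"/var/audit": 10,
                                         "/Volumes/AuditSpill/audit": 55}))
```

The window check treats the active trail as open-ended, so it is always selected for a window that starts after its creation time; remember that auditreduce on that file sees only the records flushed so far, and that audit -n closes it into a named trail.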
Using Activity Analysis Tools
Snow Leopard Server includes several command-line tools that you can use to analyze computer activity.
Depending on the tools' configurations and your computer's activity, running these tools can use large amounts of disk space. Additionally, these tools are only effective when other users don't have administrator access. Users with administrator access can edit logs generated by the tool and thereby circumvent the tool.
If your computer contains sensitive data, consider using both auditing and logging tools. By using both types of tools, you can research and analyze intrusion attempts and changes in your computer's behavior. You must configure these tools to meet your organization's needs, and then change their logging settings to create relevant information for reviewing or archiving purposes.
Validating System Logging
Logging is the recording of various events, including changes to service status, processes, and operating system components. Some events are security related, while others are information messages about your computer's activity.
If an unexpected error occurs, you can analyze logs to help determine the cause of the error. For example, the logs might explain why a software update can't be installed, or why you can't authenticate.
Logging tools can be useful if you have multiple users who can access the sudo command. You can view logs to see what users did using the sudo command. Some sudo commands perform additional actions that are not logged. Limit the sudo commands that individual users are allowed to use. For more information, see "Managing the sudoers File" on page 361.
Use Console to view and maintain log files. Console is located in the /Applications/Utilities/ folder. Upon starting, the Console window shows the console.log file. Click Logs to display a pane that shows other log files on the system in a tree view. The tree view includes folders for services, such as web and mail server software.
In Snow Leopard Server, log files are handled by the BSD subsystem or by a specific application. The BSD subsystem handles most important system logging, while some applications handle their own logging. Like other BSD systems, Snow Leopard Server uses a background process called syslogd to handle logging.
A primary decision to make when configuring syslogd is whether to use local or remote logging. In local logging, log messages are stored on the hard disk. In remote logging, log messages are transferred over the network to a dedicated log server that stores them. Using remote logging is strongly recommended.
Configuring syslogd
The configuration file for the system logging process, syslogd, is /etc/syslog.conf. A manual for configuration of this file is available by issuing the command man syslog.conf in a Terminal window.
Each line in /etc/syslog.conf consists of text containing three types of data: a facility, a priority, and an action.
• Facilities are categories of log messages. Standard facilities include mail, news, user, and kern (kernel). Priorities deal with the urgency of the message. In order from least to most critical, they are debug, info, notice, warning, err, crit, alert, and emerg.
• The priority of the log message is set by the application sending it, not by syslogd.
• The action specifies what to do with a log message of a specific facility and priority. Messages can be sent to files, named pipes, devices, or a remote host.
The following example specifies that for log messages in the category "mail" with a priority of "emerg" or higher, the message is written to the /var/log/mail.log file:
mail.emerg /var/log/mail.log
The facility and priority are separated by a period, and these are separated from the action by tabs. Wildcards ("*") can also be used in the configuration file.
The following example logs all messages of any facility or priority to the file /var/log/all.log:
*.* /var/log/all.log
Local System Logging
The default configuration in /etc/newsyslog.conf is configured for local logging in the /var/log folder. The computer is set to rotate log files using the periodic launchd job according to time intervals specified in the /etc/newsyslog.conf file.
Rotation entails compressing the current log file, incrementing the integer in the file name of compressed log files, and creating a log file for new messages.
The following table describes the rotation process after two rotations.

Files before rotation   Files after first rotation   Files after second rotation
system.log              system.log                   system.log
mail.log                mail.log                     mail.log
                        system.log.1.gz              system.log.1.gz
                        mail.log.1.gz                mail.log.1.gz
                                                     system.log.2.gz
                                                     mail.log.2.gz

Log files are rotated by a launchd job, and the rotation occurs if the computer is on when the job is scheduled. By default, log rotation tasks are scheduled between midnight and 1 in the morning, to be as unobtrusive as possible to users. If the system will not be powered on at this time, adjust the settings in /etc/newsyslog.conf.
For information about editing the /etc/newsyslog.conf file, issue the command man 5 newsyslog.conf in a Terminal window.
Remote System Logging
Using remote logging in addition to local logging is strongly recommended, because local logs can easily be altered if the system is compromised. Consider the following security issues when making the decision to use remote logging.
• The syslog process sends log messages in the clear, which could expose sensitive information.
• Too many log messages fill storage space on the logging system, rendering further logging impossible.
• Log files can indicate suspicious activity only if a baseline of normal activity is established, and if the files are regularly monitored for such activity.
If these security issues outweigh the security benefit of remote logging for the network being configured, do not use remote logging.
The following instructions assume a remote log server has been configured on the network.
To enable remote logging:
1 Open /etc/syslog.conf as root.
2 Add the following line to the top of the file, replacing your.log.server with the name or IP address of the log server, and making sure to keep all other lines intact:
*.* @your.log.server
3 Exit, saving changes.
4 Send a hangup signal to syslogd to make it reload the configuration file:
sudo killall -HUP syslogd
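The following Python script is an added example, not Apple's code, covering both Configuring syslogd and the remote-logging steps above. It parses a constructed syslog.conf in the facility.priority action layout, routes a message to every action whose selector matches (a selector matches its priority and every higher one; "*" matches all), and lists the remote destinations so you can see at a glance which messages leave the host in the clear. Only single-selector lines are handled; multi-selector lines and the other selector modifiers documented in syslog.conf(5) are outside this example. The host name your.log.server is the placeholder from the procedure above.

```python
"""Route messages through syslog.conf selectors and list cleartext destinations.

Added example, not Apple's code. The configuration is constructed.
"""
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed /etc/syslog.conf: selector, a tab, then the action.
SYSLOG_CONF = """\
# remote copy of everything, then local files
*.*\t@your.log.server
mail.emerg\t/var/log/mail.log
*.notice\t/var/log/system.log
kern.*\t/var/log/kernel.log
auth.info\t/var/log/secure.log
"""


def parse_conf(text):
    """Return a list of (facility, priority, action) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        facility, priority = selector.split(".", 1)
        if priority != "*" and priority not in PRIORITIES:
            raise ValueError("unknown priority %r in %r" % (priority, line))
        rules.append((facility, priority, action))
    return rules


def actions_for(rules, facility, priority):
    """Every action whose selector matches a message of this facility and
    priority; a selector matches its own priority and all higher ones."""
    level = PRIORITIES.index(priority)
    hits = []
    for fac, pri, action in rules:
        if fac not in ("*", facility):
            continue
        if pri == "*" or level >= PRIORITIES.index(pri):
            hits.append(action)
    return hits


def cleartext_destinations(rules):
    """Hosts named by '@' actions; syslog forwards to them unencrypted."""
    return sorted({action[1:] for _, _, action in rules if action.startswith("@")})


if __name__ == "__main__":
    rules = parse_conf(SYSLOG_CONF)
    for facility, priority in (("mail", "emerg"), ("mail", "info"), ("auth", "warning")):
        print(facility, priority, "->", actions_for(rules, facility, priority))
    print("sent in the clear to:", cleartext_destinations(rules))
```

A mail.info message reaches only the remote server here because mail.emerg and *.notice both sit above it; that is the behaviour the "emerg or higher" sentence describes, and it is the usual reason a local file seems to be missing messages.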
Viewing Logs in Server Admin
Server Admin provides logging for some services enabled on your server. A filter feature allows you to search through the log for specific information.
To view logs in Server Admin:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server.
The list of services appears.
3 From the expanded Servers list, select a service.
4 Click Logs.
Some services have multiple logs associated with them.
From the command line:
# View logs from the command line.
# Use tail or more to view the log files.
# The audit files are individually named based on the date.
sudo /usr/bin/tail $AUDIT_FILE
Appendix A Understanding Passwords and Authentication
Use this appendix to learn the different types of passwords and how they authenticate users.
Passwords are a common method for authenticating. There are several types of services that use passwords to verify the identity of users.
Password Types
Each user account has a password type that determines how the user account is authenticated. In a local directory domain, the standard password type is shadow password.
For user accounts in the LDAP directory of Snow Leopard Server, the standard password type is Open Directory. User accounts in the LDAP directory can also have a password type of crypt password.
Authentication and Authorization
Services such as the login window and Apple file service request user authentication from Open Directory. Authentication is part of the process by which a service determines whether it should grant a user access to a resource. Usually this process also requires authorization.
Authentication proves a user's identity, and authorization determines what the authenticated user is permitted to do. A user typically authenticates by providing a valid name and password. A service can then authorize the authenticated user to access specific resources. For example, file service authorizes full access to folders and files that an authenticated user owns.
You experience authentication and authorization when you use a credit card. The merchant authenticates you by comparing your signature on the sales slip to the signature on your credit card. Then the merchant submits your authorized credit card account number to the bank, which authorizes payment based on your account balance and credit limit.
Open Directory authenticates user accounts, and service access control lists (SACLs) authorize use of services. If Open Directory authenticates you, the SACL for login window determines whether you can log in, the SACL for Apple Filing Protocol (AFP) service determines whether you can connect for file service, and so on.
Some services also determine whether a user can access specific resources. This authorization can require retrieving other user account information from the directory domain. For example, AFP service needs the user ID and group membership information to determine which folders and files the user can read and write to.
Open Directory Passwords
When a user's account has a password type of Open Directory, the user can be authenticated by Kerberos or the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. Open Directory Password Server supports traditional password authentication methods that some clients of network services require.
Kerberos and Open Directory Password Server do not store the password in the user's account. Kerberos and Open Directory Password Server store passwords in secure databases apart from the directory domain, and passwords can never be read. Passwords can only be set and verified.
Malicious users might attempt to log in over the network hoping to gain access to Kerberos and Open Directory Password Server. Open Directory logs can alert you to unsuccessful login attempts.
User accounts in the following directory domains can have Open Directory passwords:
• The LDAP directory of Snow Leopard Server
• The local directory domain of Snow Leopard Server
Note: Open Directory passwords can't be used to log in to Mac OS X v10.1 or earlier. Users who log in using the login window of Mac OS X v10.1 or earlier must be configured to use crypt passwords. The password type doesn't matter for other services. For example, a user of Mac OS X v10.1 could authenticate for Apple file service with an Open Directory password.
Shadow Passwords
Shadow passwords support the same traditional authentication methods as Open Directory Password Server. These authentication methods are used to send shadow passwords over the network in a scrambled form, or hash.
A shadow password is stored as several hashes in a file on the same computer as the directory domain where the user account resides. Because the password is not stored in the user account, the password is not easy to capture over the network. Each user's shadow password is stored in a separate file, named a shadow password file, and these files are protected so they can be read only by the root user account.
User accounts stored in a computer's local directory domain are the only ones that can have a shadow password. User accounts that are stored in a shared directory can't have a shadow password.
Shadow passwords also provide cached authentication for mobile user accounts. For more information about mobile user accounts, see User Management.
Crypt Passwords
A crypt password is stored as a hash in the user account record. This strategy, historically named basic authentication, is most compatible with software that needs to access user records directly. For example, Mac OS X v10.1 or earlier expect to find a crypt password stored in the user account.
Crypt authentication supports a maximum password length of eight bytes (eight ASCII characters). If a longer password is entered in a user account, only the first eight bytes are used for crypt password validation. Shadow passwords and Open Directory passwords are not subject to this length limit.
For secure transmission of passwords over a network, crypt supports the DHX authentication method.
Offline Attacks on Passwords
Because crypt password hashes are stored in user accounts, they are subject to cracking. User accounts in a shared directory domain are accessible on the network. Anyone on the network who has Workgroup Manager or knows how to use command-line tools can read the contents of user accounts, including the password hashes stored in them. Open Directory passwords and shadow passwords aren't stored in user accounts, so these passwords can't be read from directory domains.
A malicious attacker could use Workgroup Manager or UNIX commands to copy user records to a file. The attacker can transport this file to a system of their own and use various techniques to recover the crypt passwords from the hashes stored in the user records, with no further contact with the server. After recovering a crypt password, the attacker can log in unnoticed with a legitimate user name and crypt password.
This form of attack is known as an offline attack, because it does not require successive login attempts to gain access to a system, so login failures are never logged and lockout policies are never triggered.
Shadow passwords and Open Directory passwords are far less susceptible to offline attacks because they are not stored in user records. Shadow passwords are stored in separate files that can be read only by someone who knows the password of the root user.
Open Directory passwords are stored securely in the Kerberos KDC and in the Open Directory Password Server database. A user's Open Directory password can't be read by other users, not even by a user with administrator rights for Open Directory authentication. (This administrator can change only Open Directory passwords and password policies.)
Password Guidelines
Many applications and services require that you create passwords to authenticate. Snow Leopard Server includes applications that help create complex passwords (Password Assistant), and securely store your passwords (Keychain Access).
Snow Leopard Server supports passwords that contain UTF-8 characters or any NUL-terminated byte sequence.
CreatingComplexPasswords
Usethefollowingtipstocreatecomplexpasswords:
 Useamixtureofalphabetic(upperandlowercase),numeric,andspecialcharacters
(suchas!or@).
 Don’tusewordsorcombinationsofwordsfoundinadictionaryofanylanguage.
Also,don’tusenamesoranythingelsethatisintelligible.
 Createapasswordofatleasttwelvecharacters.Longerpasswordsaregenerallymore
securethanshorterpasswords.
 Createasrandomapasswordaspossible.
YoucanusePasswordAssistanttoverifythecomplexityofyourpassword.
UsinganAlgorithmtoCreateaComplexPassword
Considercreatinganalgorithmtomakeacomplex(butmemorable)password.Using
analgorithmcanincreasetherandomnessofyourpassword.Additionally,insteadof
needingtorememberacomplexpassword,youmustrememberonlythealgorithm.
Thefollowingexampleshowsonepossiblealgorithmforcreatingacomplexpassword.
Insteadofusingthisalgorithm,createyourownormodifythisone.
AppendixAUnderstandingPasswordsandAuthentication
383
Tocreateanalgorithmforcreatingacomplexpassword:
1 Chooseyourfavoritephraseorsaying.
Inthisexample,we’lluse:
Fourscoreandsevenyearsagoourfathersbroughtforth
Ideallyyoushouldchooseaphraseofatleasteightwords.
2 Reduceyourfavoritephrasetoanacronymbykeepingonlythefirstletterof
eachword.
Thesamplephrasebecomes:
Fsasyaofbf
3 Replacealetterwithanumber.
Ifwereplace“F”andthelast“f”(from“four”and“forth”)with“4”,and“s”(from“seven”)
with“7,”thesamplephrasebecomes:
4sa7yaofb4
4 Addspecialcharacters.
Ifweadd“$”after“4,”and“&”after“7,”thesamplephrasebecomes:
4$sa7&yaofb4$
5 Makesomelettersuppercase.
Ifweconvertallvowelstouppercase,thesamplephrasebecomes:
4$sA7&yAOfb4$
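The four rules under "Creating Complex Passwords" and the first step of the algorithm (reducing a phrase to its acronym) can be checked mechanically. The following POSIX shell script is an added example written for this edition; it is not part of Apple's guide or of Password Assistant. The small dictionary it consults is a constructed stand-in (on a server you would point it at /usr/share/dict/words), and the remaining algorithm steps are deliberately left to the user, because a published substitution rule adds nothing once an attacker knows it.

```shell
#!/bin/sh
# Added example (not from Apple's guide): evaluate a candidate password
# against the guide's four rules, and build the passphrase acronym used
# by the first step of the mnemonic algorithm.

# Constructed stand-in for a dictionary. On Mac OS X use /usr/share/dict/words.
DICTIONARY='password
letmein
welcome
fourscore
iloveyou'

# acronym_of "Four score and seven years ago" -> Fsasya
acronym_of() {
    printf '%s\n' "$1" |
        awk '{ s = ""; for (i = 1; i <= NF; i++) s = s substr($i, 1, 1); print s }'
}

# check_password_complexity PASSWORD
# Returns 0 when every rule is satisfied, 1 otherwise, and prints one
# line per failed rule on stderr.
check_password_complexity() {
    pw=$1
    ok=0
    if [ "${#pw}" -lt 12 ]; then
        echo "too short: ${#pw} characters, need at least 12" >&2; ok=1
    fi
    printf '%s' "$pw" | grep -q '[a-z]'        || { echo "no lowercase letter" >&2; ok=1; }
    printf '%s' "$pw" | grep -q '[A-Z]'        || { echo "no uppercase letter" >&2; ok=1; }
    printf '%s' "$pw" | grep -q '[0-9]'        || { echo "no digit" >&2; ok=1; }
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || { echo "no special character" >&2; ok=1; }
    # Dictionary test on the letters only, case folded, so that a word
    # padded with digits and punctuation ("Password123!") is still caught.
    core=$(printf '%s' "$pw" | tr -cd 'A-Za-z' | tr 'A-Z' 'a-z')
    if [ -n "$core" ] && printf '%s\n' "$DICTIONARY" | grep -qx "$core"; then
        echo "dictionary word: $core" >&2; ok=1
    fi
    return $ok
}

# Usage: sh check_pw.sh 'candidate'   (exit status 0 when the candidate passes)
if [ "$#" -gt 0 ]; then
    check_password_complexity "$1" && echo "ok: meets all four rules"
fi
```

The worked password from the algorithm above, 4$sA7&yAOfb4$, passes all four rules; password123 fails three of them and is a dictionary word once its digits are stripped.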
Safely Storing Your Password

If you store your password, or the algorithm used to make it, in a safe place, you can create more complex passwords without the fear of being unable to recover a forgotten password.

When storing passwords, make sure your storage location is safe, unknown, and inaccessible to intruders. Consider storing your passwords in a sealed envelope inside a locked container. Alternatively, you can store your passwords in your wallet; keeping them there puts them in a location that is both safe and convenient.

It is recommended that you not store your password anywhere near your computer.

When writing down your password, take the following precautions:
• Don't identify the password as being a password.
• Don't include account information on the same piece of paper.
• Add some false characters or misinformation to the written password in a way that you remember, so that the written password differs from the real one.
• Never record a password online, and never send a password to another person through email.

You can use Keychain Access to store your more complex, longer passwords. You'll still need a password to unlock the keychain so you can view and use these passwords. Because Keychain Access requires that you authenticate to unlock keychains, it is convenient for you and inaccessible to intruders. Store the keychain password in a safe location. For more information, see "Storing Credentials in Keychains" on page 88.

Password Maintenance

After you create a good password and store it in a safe location, do the following to make sure your password remains secure:
• Never tell anyone your password. If you tell someone your password, change it immediately.
• Change your password frequently, and whenever you think it has been compromised. If your account is compromised, notify the appropriate authorities and close the account.
• Be aware of when trusted applications ask for your password. Malicious applications can mimic a trusted application and ask you for your password when you're not expecting it.
• Don't reuse the same password for multiple accounts. If you do, an intruder who compromises your password can use it for all of those accounts.
• Don't enter password-related hints in "password hint" fields. By providing a hint, you compromise the integrity of your password.
• Don't access your account on public computers or other computers that you don't trust. Malicious computers can record your keystrokes.
• Don't enter your password in front of other people.

Authentication Services

Open Directory offers options for authenticating users whose accounts are stored in directory domains on Snow Leopard Server, including Kerberos and the traditional authentication methods that network services require.

Open Directory can authenticate users by:
• Using Kerberos authentication for single sign-on.
• Using traditional authentication methods and a password stored securely in the Open Directory Password Server database.
• Using traditional authentication methods and a shadow password stored in a secure shadow password file for each user.
• Using a crypt password stored directly in the user's account, for backward compatibility with legacy systems.
• Using a non-Apple LDAP server for LDAP bind authentication.

In addition, Open Directory lets you set up a password policy for all users as well as specific password policies for each user, such as automatic password expiration and minimum password length. (Password policies do not apply to administrators, crypt password authentication, or LDAP bind authentication.)

Determining Which Authentication Option to Use

To authenticate a user, Open Directory must determine which authentication option to use: Kerberos, Open Directory Password Server, shadow password, or crypt password. The user's account contains information that specifies which authentication option to use. This information is the authentication authority attribute.

Open Directory uses the name provided by the user to locate the user's account in the directory domain. Then Open Directory consults the authentication authority attribute in the user's account and learns which authentication option to use.

You can change a user's authentication authority attribute by changing the password type in the Advanced pane of Workgroup Manager, as shown in the following table.

Password type: Open Directory
  Authentication authority: Open Directory Password Server and Kerberos
  Attribute in user record (either or both):
    ;ApplePasswordServer;
    ;Kerberosv5;

Password type: Shadow password
  Authentication authority: Password file for each user, readable only by the root user account
  Attribute in user record (either):
    ;ShadowHash; (1)
    ;ShadowHash;<list of enabled authentication methods>

Password type: Crypt password
  Authentication authority: Encoded password in user record
  Attribute in user record (either):
    ;basic;
    no attribute at all

(1) If the attribute in the user record is ;ShadowHash; without a list of enabled authentication methods, default authentication methods are enabled. The list of default authentication methods is different for Snow Leopard Server and Snow Leopard.

The authentication authority attribute can specify multiple authentication options. For example, a user account with an Open Directory password type normally has an authentication authority attribute that specifies both Kerberos and Open Directory Password Server.

A user account doesn't need to include an authentication authority attribute. If a user's account contains no authentication authority attribute, Snow Leopard Server assumes a crypt password is stored in the user's account. For example, user accounts created using Mac OS X v10.1 or earlier contain a crypt password but not an authentication authority attribute. Because a crypt password sits in the user record itself, such accounts are exposed to the offline attacks described at the beginning of this appendix; when you find them, change the password type to Open Directory or shadow password.
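To see how the table is applied in practice, the following added shell example (not from Apple's guide) classifies AuthenticationAuthority values the way Open Directory does and lists the accounts that are still using crypt passwords. The records are constructed samples in the format that dscl prints; on a server you would read the attribute with `dscl /LDAPv3/127.0.0.1 -read /Users/NAME AuthenticationAuthority`. The hexadecimal identifiers, realm and host names in the samples are invented.

```shell
#!/bin/sh
# Added example (not from Apple's guide): map AuthenticationAuthority
# values to the Workgroup Manager password types in the table above.

# Constructed sample records: one per line, "name" followed by the
# attribute value(s) as dscl prints them (multiple values space-separated).
# "dave" has no attribute at all, the legacy case.
SAMPLE_RECORDS='alice ;ApplePasswordServer;0x0123456789abcdef,1024 35 123 od.example.com:3659 ;Kerberosv5;;alice@EXAMPLE.COM;EXAMPLE.COM;
bob ;ShadowHash;HASHLIST:<SALTED-SHA512>
carol ;basic;
dave'

# password_type_of ATTRIBUTE_VALUE
# Prints the password type. Open Directory wins when either of its tags
# is present; an empty value is treated as crypt, as Snow Leopard Server does.
password_type_of() {
    case "$1" in
        *';ApplePasswordServer;'*|*';Kerberosv5;'*) echo "Open Directory" ;;
        *';ShadowHash;'*)                           echo "Shadow password" ;;
        *';basic;'*|'')                             echo "Crypt password" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# crypt_password_users
# Prints the names of accounts whose password type is crypt, i.e. the
# accounts the checklist says to move to Open Directory passwords.
crypt_password_users() {
    printf '%s\n' "$SAMPLE_RECORDS" | while read -r name aa; do
        [ -n "$name" ] || continue
        if [ "$(password_type_of "$aa")" = "Crypt password" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Usage on a server: replace SAMPLE_RECORDS with the output of
#   dscl /LDAPv3/127.0.0.1 -list /Users AuthenticationAuthority
# which prints exactly this "name value..." layout.
```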
Password Policies

Open Directory enforces password policies for users whose password type is Open Directory or shadow password. For example, a user's password policy can specify a password expiration interval. If the user is logging in and Open Directory determines that the user's password has expired, the user must replace the expired password before Open Directory authenticates the user.

Password policies can disable a user account on a specified date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one number, differ from the account name, differ from recent passwords, or be changed periodically.

The password policy for a mobile user account applies both while the account is used disconnected from the network and while it is connected. A mobile user account's password policy is cached for use while offline. For more information about mobile user accounts, see User Management.

Password policies do not affect administrator accounts. Administrators are exempt from password policies because they can change the policies at will. In addition, enforcing password policies on administrators could subject them to denial-of-service attacks: a failed-login limit, for instance, would let anyone lock out every administrator by guessing wrongly a few times.

Kerberos and Open Directory Password Server maintain password policies separately. An Open Directory server synchronizes the Kerberos password policy rules with the Open Directory Password Server password policy rules.
Single Sign-On Authentication

Snow Leopard Server uses Kerberos for single sign-on authentication, which relieves users from entering a name and password separately for every service. With single sign-on, a user enters a name and password once, in the login window. Thereafter, the user does not need to enter a name and password for Apple file service, mail service, or other services that use Kerberos authentication.

To take advantage of single sign-on, users and services must be Kerberized (configured for Kerberos authentication) and use the same Kerberos Key Distribution Center (KDC) server.

User accounts that reside in an LDAP directory of Snow Leopard Server and have a password type of Open Directory use the server's built-in KDC. These user accounts are configured for Kerberos and single sign-on. The server's Kerberized services use the server's built-in KDC and are configured for single sign-on.

This Snow Leopard Server KDC can also authenticate users for services provided by other servers. Having more servers with Snow Leopard Server use the Snow Leopard Server KDC requires only minimal configuration.

Kerberos Authentication

Kerberos was developed at MIT to provide secure authentication and communication over open networks like the Internet. It's named for the three-headed dog that guarded the entrance to the underworld of Greek mythology.

Kerberos provides proof of identity for two parties. It enables you to prove who you are to network services you want to use. It also proves to your applications that network services are genuine, not spoofed.

Like other authentication systems, Kerberos does not provide authorization. Each network service determines what you are permitted to do based on your proven identity.

Kerberos permits a client and a server to identify each other much more securely than typical challenge-response password authentication methods. Kerberos also provides a single sign-on environment where users authenticate only once a day, week, or other period of time (the lifetime of the ticket-granting ticket issued at login), easing authentication frequency.

Snow Leopard Server offers integrated Kerberos support that virtually anyone can deploy. Kerberos deployment is so automatic that users and administrators might not realize it's deployed.

Mac OS X v10.3 and later use Kerberos when someone logs in using an account set for Open Directory authentication. It is the default setting for user accounts in the Snow Leopard Server LDAP directory. Other services provided by the LDAP directory server, such as AFP and mail service, also use Kerberos.

If your network has other servers with Snow Leopard Server, joining them to the Kerberos server is easy, and most of their services use Kerberos automatically. Alternatively, if your network has a Kerberos system such as Microsoft Active Directory, you can set up your Snow Leopard Server and Snow Leopard computers to use it for authentication.

Snow Leopard Server and Snow Leopard support Kerberos v5. Snow Leopard Server and Snow Leopard do not support Kerberos v4.

Smart Card Authentication

Smart cards enable you to carry your digital certificates with you. Snow Leopard allows you to use your smart card when an authentication dialog is presented.

This robust, two-factor authentication mechanism complies with Department of Defense Common Access Card, U.S. PIV, Belgium National Identification Card, Japanese government PKI, and Java Card 2.1 standards. Similar to an ATM card and a PIN code, two-factor authentication relies on something you have and something you know. If your smart card is lost or stolen, it cannot be used unless your PIN is also known.
Appendix B  Security Checklist

This appendix contains a checklist of recommended steps required to secure Snow Leopard Server.

This appendix contains action item checklists ordered by chapter. You can customize these checklists to suit your needs. In the printed guide each checklist has a "Completed?" column, in which you mark the completion status of an action item, and a "Notes" column; if you deviate from a suggested action item, use the Notes column to justify or clarify your decision. The checklists are reproduced here as lists of action items.

Installation Action Items
For details, see Chapter 2, "Installing Snow Leopard Server."
• Securely erase the Mac OS X install partition before installation
• Disable the firmware password before installation (require it again after installation; see "Global Settings for Snow Leopard Server Action Items")
• Install Snow Leopard Server using Mac OS Extended disk formatting
• Do not install unnecessary packages
• Do not transfer confidential information in Server Assistant
• Do not connect to the Internet
• Create administrator accounts with difficult-to-guess names
• Create complex passwords for administrator accounts
• Do not enter a password-related hint; instead, enter help desk contact information
• Enter correct time settings
• Use an internal Software Update server
• Update system software using verified packages
• Repair disk permissions after installing software or software updates

Hardware and Core Snow Leopard Server Action Items
For details, see Chapter 3, "Securing System Hardware."
• Restrict access to rooms that have computers
• Store computers in locked or secure containers when not in use
• Use a password-protected screen saver

Global Settings for Snow Leopard Server Action Items
For details, see Chapter 4, "Securing Global System Settings."
• Require a firmware password
• Create an access warning for the login window
• Create an access warning for the command line
• Disable fast user switching with non-trusted users or when multiple users access local accounts

Account Configuration Action Items
For details, see Chapter 5, "Securing Local Server Accounts."
• Create an administrator account and a standard account for each administrator
• Create a standard or a managed account for each nonadministrator
• Set parental controls for managed accounts
• Restrict the distribution and use of administrator accounts
• Modify the /etc/authorization file to secure directory domain access
• Disable su
• Disable the root account
• Restrict sudo users to only being able to access required commands
• Set a strong password policy
• Use Password Assistant to generate complex passwords
• Authenticate using a smart card, token, or biometric device
• Secure the login keychain
• Secure keychain items
• Create specialized keychains for different purposes
• Use a portable drive to store keychains
System Software Action Items
Chapter 5, "Securing Local Server Accounts," describes how to secure system preferences. Every system preference with security-related configuration settings has its own action item checklist.

MobileMe Preferences Action Items
For details, see "Securing MobileMe Preferences" on page 96.
• Disable all Sync options
• Disable iDisk Syncing
• Enable Public Folder password protection
• Do not register computers for synchronization

Accounts Preferences Action Items
For details, see "Securing Accounts Preferences" on page 99.
• Change the initial password for the system administrator account
• Disable automatic login
• Display the login window as name and password
• Disable "Show password hints"
• Disable "Enable fast user switching"
• Disable "Show the Restart, Sleep, and Shut Down buttons"

Appearance Preferences Action Items
For details, see "Securing Appearance Preferences" on page 102.
• Do not display recent applications
• Do not display recent documents
• Do not display recent servers

Bluetooth Preferences Action Items
For details, see "Securing Bluetooth Preferences" on page 103.
• Disable Bluetooth for each user account in System Preferences
• Remove privileges to modify Bluetooth System Preferences

CDs & DVDs Preferences Action Items
For details, see "Securing CDs & DVDs Preferences" on page 105.
• Disable automatic actions for blank CDs for each user account
• Disable automatic actions for blank DVDs for each user account
• Disable automatic actions for music CDs for each user account
• Disable automatic actions for picture CDs for each user account
• Disable automatic actions for video DVDs for each user account
• Remove privileges to modify CDs & DVDs System Preferences

Exposé & Spaces Preferences Action Items
For details, see "Securing Exposé & Spaces Preferences" on page 115.
• Disable Dashboard

Date & Time Preferences Action Items
For details, see "Securing Date & Time Preferences" on page 107.
• Set a correct date and time
• Use a secure internal NTP server for automatic date and time setting

Desktop & Screen Saver Preferences Action Items
For details, see "Securing Desktop & Screen Saver Preferences" on page 109.
• Set a short inactivity interval for the screen saver
• Set a screen corner to Start Screen Saver for each user account
• Do not set a screen corner to Disable Screen Saver for each user account
• Remove privileges to modify Dashboard and Exposé System Preferences

Display Preferences Action Items
For details, see "Securing Display Preferences" on page 111.
• Disable display mirroring

Dock Preferences Action Items
For details, see "Securing Dock Preferences" on page 111.
• Set the Dock to hide when not in use

Energy Saver Preferences Action Items
For details, see "Securing Energy Saver Preferences" on page 112.
• Disable sleeping the computer for all power settings
• Enable sleeping the display for all power settings
• Enable sleeping the hard disk for all power settings
• Disable "Wake when the modem detects a ring" for all power settings
• Disable "Wake for Ethernet network administrator access" for power adapter settings
• Disable "Restart automatically after a power failure" for all power settings
• Disable "Restart automatically if the computer freezes" for all power settings

Keyboard and Mouse Preferences Action Items
For details, see "Securing Bluetooth Preferences" on page 103.
• Turn off Bluetooth

Network Preferences Action Items
For details, see "Securing Network Preferences" on page 118.
• Disable unused hardware devices
• Disable IPv6

Print & Fax Preferences Action Items
For details, see "Securing Print & Fax Preferences" on page 120.
• Use printers in secure locations only
• Disable printer sharing
• Disable print browsing
• Disable receiving faxes
• Disable sending faxes

QuickTime Preferences Action Items
For details, see "Securing Security Preferences" on page 122.
• Disable "Save movies in disk cache"
• Do not install third-party QuickTime software

Security Preferences Action Items
For details, see "Securing Security Preferences" on page 122.
• Require a password to wake the computer from sleep or screen saver for each account

Sharing Preferences Action Items
For details, see "Securing Sharing Preferences" on page 125.
• Disable Remote Login
• Disable Apple Remote Desktop
• Disable Remote Apple Events
• Rename your computer to a name that does not indicate the purpose of the computer

Software Update Preferences Action Items
For details, see "Securing Software Update Preferences" on page 126.
• Set "Check for updates" according to policy
• Disable "Download important updates in the background"
• Manually update using installer packages
• Transfer installer packages from a test computer
• Verify installer packages before installing

Sound Preferences Action Items
For details, see "Securing Sound Preferences" on page 128.
• Minimize input volume for the internal microphone
• Minimize input volume for the audio line-in port

Speech Preferences Action Items
For details, see "Securing Speech Preferences" on page 129.
• Enable speech recognition in a secure environment only
• Use headphones if you enable text to speech

Spotlight Preferences Action Items
For details, see "Securing Spotlight Preferences" on page 130.
• Prevent Spotlight from searching confidential folders

Startup Disk Preferences Action Items
For details, see "Securing Startup Disk Preferences" on page 133.
• Carefully choose the startup volume

Time Machine Preferences Action Items
For details, see "Securing Time Machine Preferences" on page 134.
• Turn Time Machine on
• Select a safe location to store backups in

Data Maintenance and Encryption Action Items
For details, see Chapter 8, "Securing Data and Using Encryption."
• Set global permissions using POSIX or ACLs
• Strip setuid bits
• Secure home directory permissions
• Enable FileVault for every user
• Encrypt portable files
• Set the global umask by changing NSUmask settings
• Mandate secure erasing of files
• Mandate secure erasing of partitions
• Mandate securely erasing free space
Account Policies Action Items
Chapter 22, "Securing Network Accounts," describes how to set up and manage account policies and user accounts, as well as how to configure settings and preferences for clients. Each topic with security-related configuration settings has its own action item checklist.

Share Points Action Items
For details, see Chapter 17, "Securing File Services and Share Points."
• Enable SSL in Workgroup Manager
• Disable unused share points
• Disable unused sharing protocols
• Restrict share point access

Account Configuration Action Items
For details, see "Securing Directory Accounts" on page 319.
• Disallow simultaneous login
• Use an Open Directory password instead of a crypt password
• Enter a disk quota
• Use POP or IMAP for mail, not both
• Use POSIX or ACL permissions to determine group account access
• Restrict access to specific groups by assigning computers to a list
• If accounts are stored in a network domain, disable local accounts
• Specify a time interval to update the preferences cache

Applications Preferences Action Items
For details, see "Managing Applications Preferences" on page 284.
• Create a list of approved applications that users can open
• Deselect "User can also open all applications on local volumes"
• Deselect "Allow approved applications to launch nonapproved applications"
• Deselect "Allow UNIX tools to run"

Dock Preferences Action Items
For details, see "Managing Dock Preferences" on page 291.
• Modify the Applications list to include required applications
• Modify the Documents and Folders list to include required documents and folders
• Deselect "Merge with user's Dock"
• Deselect "My Applications"
• Deselect "Documents"
• Deselect "Network Home"
• Select "Automatically hide and show the Dock"

Energy Saver Preferences Action Items
For details, see "Managing Energy Saver Preferences" on page 292.
• Disable sleeping the computer for all power settings
• Deselect "Start up the computer"

Finder Preferences Action Items
For details, see "Managing Finder Preferences" on page 293.
• Select "Use normal Finder"
• Deselect "Hard Disks"
• Deselect "Removable media (such as CDs)"
• Deselect "Connected Servers"
• Select "Always show file extensions"
• Deselect "Connect to Server"
• Deselect "Go to iDisk"
• Deselect "Go to Folder"
• Deselect "Eject"
• Deselect "Burn Disk"
• Deselect "Restart"
• Deselect "Shut Down"

Login Preferences Action Items
For details, see "Managing Login Preferences" on page 295.
• Deselect "Add network home share point"
• Deselect "User may add and remove additional items"
• Deselect "User may press Shift to keep items from opening"
• Do not allow login or logout scripts
• Do not allow LoginHook or LogoutHook scripts
• Enter help desk information as the login message
• Display the login window as name and password text fields
• Do not allow Restart or Shut Down buttons to show in the Login Window
• Do not allow password hints
• Deselect "Auto Login Client Setting"
• Deselect "Allow users to log in using 'console'"
• Deselect "Enable Fast User Switching"
• Deselect "Log out users after # minutes of activity"

Media Access Preferences Action Items
For details, see "Managing Media Access Preferences" on page 298.
• Disable unnecessary media
• Deselect "Allow for CDs"
• Deselect "Allow for CD-ROMs"
• Deselect "Allow for DVDs"
• Deselect "Allow for Recordable Disks"
• Deselect "Allow for Internal Disks"
• Deselect "Allow for External Disks"
• Select "Eject all removable media at logout"

Mobility Preferences Action Items
For details, see "Managing Mobility Preferences" on page 299.
• Disable mobile accounts on insecure or infrequently accessed computers
• Use FileVault on every computer with portable home folders
• Deselect "Synchronize account for offline use"

Network Preferences Action Items
For details, see "Managing Network Preferences" on page 301.
• Use your organization-controlled proxy servers
• Bypass trusted hosts and domains
• Deselect "Use Passive FTP Mode (PASV)"

Printing Preferences Action Items
For details, see "Managing Printing Preferences" on page 307.
• Reduce access to printers
• Deselect "Allow user to modify the printer list"
• Deselect "Allow printers that connect directly to user's computer"
• If selecting "Allow printers that connect directly to user's computer", then select "Require an administrator password"
• Select a printer and select "Require an administrator password"

Software Update Preferences Action Items
For details, see "Managing Software Update Preferences" on page 308.
• Designate an internal server to control software updates

Access to System Preferences Action Items
For details, see "Managing Access to System Preferences" on page 308.
• Select "Appearance" to appear in the System Preferences preferences
• Select "Dashboard & Exposé" to appear in the System Preferences preferences
• Select "Displays" to appear in the System Preferences preferences
• Select "Dock" to appear in the System Preferences preferences
• Select "Keyboard & Mouse" to appear in the System Preferences preferences
• Select "Security" to appear in the System Preferences preferences
• Select "Universal" to appear in the System Preferences preferences
• Disable widgets for network managed users

Universal Access Preferences Action Items
For details, see "Managing Universal Access Preferences" on page 309.
• Deselect "Turn on Zoom"
• Set Sticky Keys to Off
• Deselect "Show pressed keys on screen"
Certificates Action Items
For details, see "Managing Certificates" on page 163.
• Obtain certificates to use with SSL-enabled services
• Create a CA to issue certificates
• Create an SSL certificate for distribution
• Create the files and folders needed by SSL
• Export certificates to client computers

General Protocols and Service Access Action Items
For details, see "Setting General Protocols and Access to Services" on page 176.
• Configure NTP to use an internal time server
• Disable SNMP
• Enable SSH
• Do not use "server" or your name to identify the server
• Set a correct date and time
• Use a secure internal NTP server for automatic date and time setting
• Use Certificate Manager to create, use, and maintain identities for SSL-enabled services
• Use SACLs to restrict access to AFP, FTP, and Windows file services
Remote Access Services Action Items
For details, see "Securing Remote Access Services" on page 185.
• Disable root login using SSH
• Modify the /private/etc/sshd_config file to further secure SSH
• Generate identity key pairs for login authentication
• Configure access for using SSH through Server Admin using SACLs
• Use SFTP instead of FTP
• Disable VPN services
• If using VPN services, enable either or both L2TP and PPTP (prefer L2TP over IPsec; PPTP's MS-CHAP authentication is weak by current standards and should be enabled only for clients that cannot use L2TP)
• To use SecurID authentication, edit the VPN configuration file manually
• Configure an access warning banner
• Disable Apple Remote Desktop
• Encrypt Observe and Control traffic by setting "Encrypt all network data"
• Encrypt network data during file copy and package installation by setting "Encrypt transfers when using Install Packages"
• Disable Remote Apple Events
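The two SSH items above (disable root login, modify /private/etc/sshd_config) can be verified rather than just ticked off. The following shell script is an added example, not from Apple's guide or from OpenSSH: it reads the effective value of a directive from an sshd_config file (the first uncommented occurrence wins, as in sshd itself) and reports any setting that is not hardened. The sample configuration embedded in it is constructed, and the set of directives checked (Protocol 2, no root login, key-based rather than password authentication, a warning banner) is the editor's choice.

```shell
#!/bin/sh
# Added example (not from Apple's guide): audit an sshd_config against the
# remote-access checklist. On the server run it against /private/etc/sshd_config.

# Constructed sample: hardened except that password logins are still allowed.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Protocol 2
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Banner /etc/issue
'

# sshd_directive FILE NAME
# Prints the effective value of NAME, or nothing if it is absent. Keywords
# are case-insensitive and the first uncommented match wins, as in sshd.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# expect_directive NAME EXPECTED   (reads $AUDIT_FILE)
# Prints a finding and returns 1 when the effective value differs.
expect_directive() {
    v=$(sshd_directive "$AUDIT_FILE" "$1")
    if [ "$v" != "$2" ]; then
        echo "$1 is '${v:-unset}', expected '$2'"
        return 1
    fi
}

# audit_sshd_config FILE
# Prints one line per finding; returns 0 only when every check passes.
audit_sshd_config() {
    AUDIT_FILE=$1
    rc=0
    expect_directive Protocol 2 || rc=1
    expect_directive PermitRootLogin no || rc=1
    expect_directive PasswordAuthentication no || rc=1
    expect_directive ChallengeResponseAuthentication no || rc=1
    if [ -z "$(sshd_directive "$AUDIT_FILE" Banner)" ]; then
        echo "Banner is unset, expected an access warning banner"; rc=1
    fi
    return $rc
}

# Usage: sh audit_sshd.sh /private/etc/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1" && echo "ok: sshd_config meets the checklist"
fi
```

Against the embedded sample the script reports exactly one finding, the live PasswordAuthentication yes line, and ignores the commented-out copy above it.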
NetworkandHostAccessServicesActionItems
“SecuringNetworkInfrastructureServices”onpage198describesconfiguration
informationtosecureyournetworkservices.Severalservicesareprovidedtomaintain
yournetwork.Eachservicewithsecurity-relatedconfigurationsettingshasitsown
actionitemchecklist.
IPv6ProtocolActionItems
Fordetails,see“UsingIPv6Protocol”onpage198.
ActionItem
Completed?
Notes
EnableIPv6
ConfigureIPv6manuallyor
automatically
DHCPServiceActionItems
Fordetails,see“SecuringDHCPService”onpage200.
ActionItem
Completed?
Notes
DisabletheDHCPserviceifnot
required
IfusingDHCP,disableDNS,
LDAP,andWINS
AssignstaticIPaddresses
DNSServiceActionItems
Fordetails,see“SecuringDNSService”onpage202.
ActionItem
Completed?
Notes
DisabletheDNSservice
Allowonlyonesystemtoactas
theDNSserver
Allowrecursivequeriesand
zonetransfersonlyfromtrusted
clients,notfromexternal
networks.
UpdateandauditDNSregularly
SpecifywhichIPaddressesare
allowedtorequestzone
transfers
ConfigureBINDtorespondwith
somethingotherthanthe
currentversion
LimitordisableDNSrecursion
AppendixBSecurityChecklist
407
FirewallServiceActionItems
Fordetails,see“ConfiguringtheFirewall”onpage213.
ActionItem
Completed?
Notes
CreateIPaddressgroups
Configurefirewallrulesfor
groupsandservices
Configureadvancedrulesfor
groupsandservices
Enablestealthmode
Setuplogging
NATServiceActionItems
Fordetails,see“SecuringNATService”onpage207.
ActionItem
Completed?
Notes
DisableNATserviceifnot
required
ConfigureNATservice
Ifnecessary,forwardincoming
traffictoanIPaddress
BonjourServiceActionItems
Fordetails,see“SecuringBonjour(mDNS)”onpage210.
ActionItem
Completed?
Notes
DisableBonjourunlessrequired
Disableunusedservicesthat
shouldnotbediscovered
throughBonjour
CollaborationServicesActionItems
Fordetails,see“SecuringiCalService”onpage222and“SecuringiChatService”on
page225.
ActionItem
DisableiCalservice
DisableiChatservice
IfusingiChatservice,designate
domainnamestouse
408
AppendixBSecurityChecklist
Completed?
Notes
ActionItem
Completed?
Notes
Designateacertificatetouse
Monitorcommunicationusing
iChatservicelogs
MailServiceActionItems
Fordetails,see“SecuringMailService”onpage233.
ActionItem
Completed?
Notes
Turnoffsupportforanyprotocol
thatisnotrequired
Usedifferentsystemsfor
providingoutgoingand
incomingmailservice
EnableSSLforthemailserver
Createandinstallasignedmail
certificateforoutgoingand
incomingmailserviceprotocols
Usethe“require”settinginthe
SSLsupportoptions
(recommended)
ConfigureSMTPauthentication
requirementstoreducejunk
mail
Createalistofapprovedhost
serverstorelaymail
Enablejunkmailfiltering
Enablevirusfiltering
Updatethevirusdatabaseat
leasttwiceaday
Setupaproblemreportaccount
DisabletheSMTPbanner
AppendixBSecurityChecklist
409
FileServicesActionItems
“SecuringFileServicesandSharepoints”onpage254describesconfiguringfilesharing
services.Eachtypeoffilesharingservicewithsecurity-relatedconfigurationsettings
hasitsownactionitemchecklist.
ActionItem
Completed?
Notes
Disablefilesharingservicesif
notrequired
Useasfewprotocolsaspossible
UseAFP
DisableFTP
DisableNFS
DisableSMB
AFPFileSharingServiceActionItems
Fordetails,see“ConfiguringAFPFileSharingService”onpage258.
ActionItem
Completed?
Notes
DisableBonjourregistration
DisablebrowsingwithAppleTalk
DisableGuestaccess
Disableadministratorto
masqueradeasanotheruser
Enter“1”forGuestConnections
Enableaccesslog
Setfrequencyofarchiving
Implementsettingsforidleuser
FTPFileSharingServiceActionItems
Fordetails,see“ConfiguringFTPFileSharingService”onpage259.
ActionItem
Ifauthenticationispossible,use
SFTPinsteadofFTP
Disconnectclientafter1login
failure
Enteramailaddresssetupto
handleFTPadministration
SelectKerberosforaccess
authentication
Allowamaximumof1
authenticateduser
410
AppendixBSecurityChecklist
Completed?
Notes
ActionItem
Completed?
Notes
Enableanonymousaccessand
designatethenumberof
anonymoususers
DisableMacBinaryanddisk
imageautoconversion
Enable“ShowWelcome
Message”
Enable“ShowBannerMessage”
Logallloginattempts
Set“Authenticateduserssee:”to
FTProotandSharePoints
Designatefilestosharewith
anonymoususers
Configurethe/Library/
FTPServer/Configuration/
ftpaccess
NFSFileSharingServiceActionItems
Fordetails,see“ConfiguringNFSFileSharingService”onpage262.
ActionItem
Completed?
Notes
UseNFSonlyonasecureLANor
whenAppleandWindowsfile
sharingsystemsareunavailable
RestrictanNFSsharepointto
thosesystemsthatrequireit
Makethelistofexportoptions
asrestrictiveaspossible
SMBActionItems
Fordetails,see“ConfiguringSMBFileSharingService”onpage263.
ActionItem
Completed?
Notes
Donotallowguestaccess
Enterthemaximumnumberof
clientsconnectionsexpected
Set“LogDetail”toatleast
medium
DeselectWorkgroupMaster
BrowserandDomainMaster
Browserservices
TurnoffWINSregistration
AppendixBSecurityChecklist
411
WebServiceActionItems
Fordetails,see“SecuringWebService”onpage271.
ActionItem
Completed?
Notes
Disablewebserviceifnot
required
Disablewebmodulesifnot
required
Disableweboptionsifnot
required
Createorobtainsigned
certificatesforeachdomain
name
EnableSSLforwebservice
IfWebDAVisenabled,assign
accessprivilegesforthesites
andwebfolders
Donotallowwebcontentfiles
andfolderstobewritableby
world
Configurearealmtoallowuser
accesstowebsites
Allowuserstoaccessblogs
throughanSSLenabledsite
ClientConfigurationManagementServicesActionItems
Fordetails,see“SecuringClientConfigurationManagementServices”onpage284.
ActionItem
Completed?
Notes
DisableNetBootandNetBoot
diskimages
UseServerAdmintoview
NetBootclientsandthestatusof
NetBootservice
DirectoryServicesActionItems
Fordetails,see“SecuringDirectoryServices”onpage324.
ActionItem
ConfigureOpenDirectoryroles
ConfigureKerberos
412
AppendixBSecurityChecklist
Completed?
Notes
ActionItem
Completed?
Notes
Setaserveroutsideofdirectory
domainsasStandaloneServer
EnableSSL
Setglobalpasswordpolicies
Setbindingpolicies
SetsecuritypoliciesforOpen
Directory
PrintServiceActionItems
Fordetails,see“SecuringPrintService”onpage337.
ActionItem
Completed?
Notes
UseServerAdmintomanage
printqueuesandconfigure
settings
SpecifyadefaultLPRqueue
MultimediaServicesActionItems
Fordetails,see“SecuringMultimediaServices”onpage344.
ActionItem
Completed?
Notes
UserServerAdmintoconfigure
QTSS
Usesecuredigestauthentication
toconfigureclientaccessto
streamedmediafiles
Grid and Cluster Computing Services Action Items
For details, see "Securing Grid and Cluster Computing Services" on page 354.
Action Item | Completed? | Notes
- If possible, use a single sign-on password
- Always require authentication
- Enable Xgrid agent service
- Set a password for Xgrid
- Enable Xgrid controller service
- Set a password for Xgrid controller
- Set a password for the server acting as a grid agent
- Set a password for agents to join a grid and clients to submit jobs
Validating System Integrity Action Items
For details, see "Maintaining System Integrity" on page 368.
Action Item | Completed? | Notes
- Install and enable auditing tools
- Configure audit settings
- Configure log files
- Configure local system using syslog.conf
- Enable remote system logging
- Install file integrity tools
- Install antivirus tools
Appendix C
Scripts
# --------------------------------------------------------------------
# Securing Firewall Service
# --------------------------------------------------------------------
# Add Firewall to the services view
# --------------------------------
sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.ipfilter:configured = yes
# Start Firewall service
# ---------------------
sudo serveradmin start ipfilter
# Updating from an Internal Software Update Server
# -----------------------------------------------
# Default Settings.
# CatalogURL is blank: software updates are downloaded from one of the
# following software update servers hosted by Apple.
#   swscan.apple.com:80
#   swquery.apple.com:80
#   swcdn.apple.com:80
# Suggested Settings.
# Specify the software update server to use.
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL \
    http://swupdate.apple.com:8088/index-leopard-snowleopard.merged1.sucatalog
# Available Settings.
# Replace swupdate.apple.com with the fully qualified domain name (FQDN)
# or IP address of your software update server.
# To switch your computer back to the default Apple update server, delete
# the key from the same system-wide preference file it was written to:
# sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
# Updating from Internet Software Update Server
# ---------------------------------------------
# Default Settings.
# The softwareupdate command checks and lists available updates for
# download. Software Update preferences are set to the command-line
# equivalent of:
sudo softwareupdate --list --schedule on
# Suggested Settings.
# Download and install software updates:
sudo softwareupdate --download --all --install
# Available Settings.
# Use the following commands to view softwareupdate options.
sudo softwareupdate -h
# or
man softwareupdate
# Updating Manually from Installer Packages
# ----------------------------------------
# Default Settings.
# None
# Suggested Settings.
# Download software updates.
sudo softwareupdate --download --all
# Install software updates.
sudo installer -pkg "$Package_Path" -target "/Volumes/$Target_Volume"
# Available Settings.
# Use the following commands to view installer options.
sudo installer -h
# or
man installer
# Verifying the Integrity of Software
# -----------------------------------
# Default Settings.
# None
# Suggested Settings.
# Use the sha1 command to display a file's SHA-1 digest.
# Replace $full_path_filename with the full path of the update package
# or image whose SHA-1 digest is being checked.
sudo /usr/bin/openssl sha1 "$full_path_filename"
# Available Settings.
# Use the following command to view the version of OpenSSL installed on
# your computer.
sudo openssl version
# Use the following command to view openssl options.
man openssl
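Displaying a digest only helps if someone compares it against the value published with the package. The following added example (not part of Apple's guide) wraps that comparison in a shell function so a script can refuse to proceed on mismatch. The function names `sha1_of` and `verify_sha1`, the fallback to `shasum`/`sha1sum` when `openssl` is absent, and the sample file (whose SHA-1 is the well-known digest of the string "abc") are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Apple's code: verify a downloaded package against a
# SHA-1 digest published out-of-band instead of comparing hex by eye.
# Assumes openssl, shasum or sha1sum is on PATH. The sample file and its
# expected digest at the bottom are constructed for the demonstration.

# Print the SHA-1 digest of a file as 40 lowercase hex characters.
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        sha1sum "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED_DIGEST
# Returns 0 when the file's digest equals EXPECTED (case-insensitive),
# 1 on mismatch, 2 when the file is unreadable. It never installs anything;
# chain the installer after it with && so a mismatch stops the script.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify_sha1: cannot read $file" >&2; return 2; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected $expected got $actual" >&2
    return 1
}

# Demonstration with a constructed file whose SHA-1 is well known:
# SHA-1("abc") = a9993e364706816aba3e25717850c26c9cd0d89d
demo_pkg=$(mktemp)
printf 'abc' > "$demo_pkg"
verify_sha1 "$demo_pkg" a9993e364706816aba3e25717850c26c9cd0d89d
verify_sha1 "$demo_pkg" 0000000000000000000000000000000000000000 || true
rm -f "$demo_pkg"
```

On a server you would call `verify_sha1 "$full_path_filename" "$published_digest" && sudo installer -pkg "$full_path_filename" -target /` so that the install step runs only when the digest matches.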
# ------------------------------------------------------------------
# Protecting System Hardware
# ------------------------------------------------------------------
# Securing Wi-Fi Hardware
# -----------------------
# Remove AppleAirport kernel extensions.
sudo srm -r /System/Library/Extensions/IO80211Family.kext
# Touch the Extensions folder so the kernel extension caches are rebuilt.
sudo touch /System/Library/Extensions
# Removing Bluetooth Support Software
# ----------------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Bluetooth kernel extensions.
sudo srm -r /System/Library/Extensions/IOBluetoothFamily.kext
sudo srm -r /System/Library/Extensions/IOBluetoothHIDDriver.kext
# Touch the Extensions folder so the kernel extension caches are rebuilt.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Removing IR Support Software
# ---------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove IR kernel extensions.
sudo srm -rf /System/Library/Extensions/AppleIRController.kext
# Touch the Extensions folder so the kernel extension caches are rebuilt.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing Audio Support Software
# ------------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Audio Recording kernel extensions.
sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kext
sudo srm -rf /System/Library/Extensions/IOAudioFamily.kext
# Touch the Extensions folder so the kernel extension caches are rebuilt.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing Video Recording Support Software
# ----------------------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Video Recording kernel extensions.
# Remove external iSight camera support.
sudo srm -rf /System/Library/Extensions/Apple_iSight.kext
# Remove internal iSight camera support.
sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/AppleUSBVideoSupport.kext
# Touch the Extensions folder so the kernel extension caches are rebuilt.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing USB Support Software
# ----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove USB mass storage kernel extensions.
sudo srm -rf /System/Library/Extensions/IOUSBMassStorageClass.kext
# Touch the Extensions folder so the kernel extension caches are rebuilt.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing FireWire Support Software
# ---------------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove FireWire kernel extensions.
sudo srm -rf /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext
# Touch the Extensions folder so the kernel extension caches are rebuilt.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# ------------------------------------------------------------------------
# Securing Global System Settings
# ------------------------------------------------------------------------
# Configuring Firmware Settings
# -----------------------------
# Default Setting.
# security-mode is off
# Suggested Setting.
# Secure startup by setting security-mode. Replace $mode_value with
# "command" or "full".
sudo nvram security-mode="$mode_value"
# Verify the security-mode setting.
sudo nvram -x -p
# Available Settings.
# security-mode: "command" or "full"
# Use the following command to view the current nvram settings.
nvram -x -p
# Use the following commands to view nvram options.
nvram -h
# or
man nvram
# Enabling Access Warning for the Login Window
# --------------------------------------------
# Create a login window access warning.
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"
# You can also use the BannerSample project to create an access warning.
# Enabling Access Warning for the Command Line
# --------------------------------------------
# Create a command-line access warning.
sudo touch /etc/motd
sudo chmod 644 /etc/motd
# The ">>" redirection is performed by the invoking user's shell, not by
# sudo, so append through tee to write the root-owned file.
echo "Warning Text" | sudo tee -a /etc/motd > /dev/null
# ------------------------------------------------------------------
# Securing System Preferences
# ------------------------------------------------------------------
# Securing MobileMe Preferences
# -----------------------------
# Default Setting.
# If a MobileMe account is entered during setup, MobileMe is configured
# for that account.
# Use the following command to display current MobileMe settings.
# defaults -currentHost read com.apple.<Preference identifier>
# Use the following command to view all current settings for currentHost.
# defaults -currentHost read
# Suggested Setting.
# Disable Sync options (0 turns syncing with the server off).
sudo defaults -currentHost write com.apple.DotMacSync ShouldSyncWithServer 0
# Disable iDisk Syncing. The key is the user's short name followed by
# _MirrorEnabled, so the variable must be braced.
sudo defaults -currentHost write com.apple.idisk "${USER}_MirrorEnabled" -bool no
# Available Settings.
# None
# Securing Accounts Preferences
# -----------------------------
# Change an account's password on a client system.
# Don't use this command if other users are also logged in.
sudo dscl /LDAPv3/127.0.0.1 passwd "/Users/$User_name" "$Oldpass" "$Newpass"
# Change an account's password on a server.
# Don't use this command if other users are also logged in.
sudo dscl . passwd "/Users/$User_name" "$Oldpass" "$Newpass"
# Make sure there is no password hint set.
sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
# Disable the Restart, Sleep, and Shut Down buttons.
sudo defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisable -bool yes
# Disable fast user switching. This command does not prevent multiple users
# from being logged in.
sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO
# Disable automatic login.
sudo defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool yes
# Securing Appearance Preferences
# -------------------------------
# Default Setting.
# MaxAmount 10
# Suggested Setting.
# Disable display of recent applications.
sudo defaults write com.apple.recentitems Applications -dict MaxAmount 0
# Available Settings.
# MaxAmount 0, 5, 10, 15, 20, 30, 50
# Securing Bluetooth Preferences
# ------------------------------
# Default Setting.
# Bluetooth is on.
# Suggested Setting.
# Turn Bluetooth off.
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
# Available Settings.
# 0 (Off) or 1 (On)
# Securing CDs & DVDs Preferences
# -------------------------------
# Default Setting.
# Preference file nonexistent: /Library/Preferences/com.apple.digihub
# Blank CD: "Ask what to do"
# Blank DVD: "Ask what to do"
# Music CD: "Open iTunes"
# Picture CD: "Open iPhoto"
# Video DVD: "Open DVD Player"
# Suggested Setting.
# Disable blank CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1
# Disable music CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1
# Disable picture CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1
# Disable blank DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1
# Disable video DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1
# Available Settings.
# action 1 = "Ignore"
# action 2 = "Ask what to do"
# action 5 = "Open other application"
# action 6 = "Run script"
# action 100 = "Open Finder"
# action 101 = "Open iTunes"
# action 102 = "Open Disk Utility"
# action 105 = "Open DVD Player"
# action 106 = "Open iDVD"
# action 107 = "Open iPhoto"
# action 109 = "Open Front Row"
# Securing Date & Time Preferences
# --------------------------------
# Default Setting.
# NTP Server: time.apple.com
# Time Zone: Set time zone automatically using current location
# Suggested Setting.
# Set the NTP server. A ">>" redirection is performed by the invoking
# user's shell, not by sudo, so append to the root-owned file through tee.
echo "server time.apple.com" | sudo tee -a /etc/ntp.conf > /dev/null
# Set the time zone.
sudo systemsetup -settimezone "$Time_Zone"
# Available Settings.
# NTP Server: Any valid NTP server
# Time Zone: any zone listed under /usr/share/zoneinfo
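Both the /etc/motd banner step and the /etc/ntp.conf step above append a line to a root-owned file, and both are typically re-run from a hardening script. The following added example (not part of Apple's guide) shows an append that writes through `tee` so the write actually happens as root, and that first checks whether the exact line is already present so repeated runs do not pile up duplicate `server` entries. The function names `ensure_line` and `count_line`, the `WRITE_AS_ROOT` switch, and the temporary files standing in for /etc/ntp.conf and /etc/motd are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Apple's code: append a configuration line to a file
# only if it is not already there. With WRITE_AS_ROOT=yes the append goes
# through "sudo tee -a", which is what "sudo echo ... >> file" fails to do
# (the shell opens the file as the unprivileged user before sudo runs).
# WRITE_AS_ROOT is an assumption of this example so the function can be
# exercised on temporary files without privileges.

# ensure_line FILE LINE
# Returns 0 if LINE was appended, 1 if it was already present (no change).
ensure_line() {
    file=$1
    line=$2
    # -x: match the whole line; -F: treat LINE literally, not as a regex.
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 1
    fi
    if [ "${WRITE_AS_ROOT:-no}" = yes ]; then
        printf '%s\n' "$line" | sudo tee -a "$file" > /dev/null
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# count_line FILE LINE
# Prints how many times LINE appears in FILE (0 if the file is missing).
count_line() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF -- "$2" "$1" || true
}

# Demonstration on constructed stand-ins for /etc/ntp.conf and /etc/motd.
ntp_conf=$(mktemp)
motd=$(mktemp)
ensure_line "$ntp_conf" "server time.apple.com" && echo "NTP server added"
ensure_line "$ntp_conf" "server time.apple.com" || echo "NTP server already present, not duplicated"
ensure_line "$motd" "Warning Text"
echo "server lines in stand-in ntp.conf: $(count_line "$ntp_conf" 'server time.apple.com')"
rm -f "$ntp_conf" "$motd"
```

On a real system run it as `WRITE_AS_ROOT=yes ensure_line /etc/ntp.conf "server time.apple.com"`; the return value lets a script report whether the file changed.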
# Securing Desktop & Screen Saver Preferences
# -------------------------------------------
# Default Setting.
# None
# Suggested Setting.
# Set idle time for screen saver. Replace XX with the idle time in seconds.
sudo defaults -currentHost write com.apple.screensaver idleTime -int XX
# Set a hot corner to activate the screen saver. Replace $corner with
# bl, br, tl, or tr (see Available Settings); action 5 starts the screen saver.
sudo defaults write /Library/Preferences/com.apple.dock "wvous-$corner-corner" -int 5
# Set the modifier key for that corner to 0 (no modifier required).
sudo defaults write /Library/Preferences/com.apple.dock "wvous-$corner-modifier" -int 0
# Available Settings.
# Corner options:
# wvous-bl-corner (bottom-left)
# wvous-br-corner (bottom-right)
# wvous-tl-corner (top-left)
# wvous-tr-corner (top-right)
# Securing Dock Preferences
# -------------------------
# Default Setting.
# None
# Suggested Setting.
# Automatically hide and show the Dock.
sudo defaults write /Library/Preferences/com.apple.dock autohide -bool YES
# Available Settings.
# autohide -bool YES
# autohide -bool NO
# Securing Energy Saver Preferences
# ---------------------------------
# Default Setting.
# None
# Suggested Setting.
# Disable computer sleep.
sudo pmset -a sleep 0
# Enable hard disk sleep.
sudo pmset -a disksleep 1
# Disable Wake for Ethernet network administrator access.
sudo pmset -a womp 0
# Disable Restart automatically after power failure.
sudo pmset -a autorestart 0
# Available Settings.
# 0 (OFF) or 1 (ON)
# Securing Exposé & Spaces Preferences
# ------------------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable Dashboard.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.dashboard.advisory.fetch.plist
# Available Settings.
# Enabled or Disabled
# Bluetooth Sharing
# -----------------
# Default Setting.
# Bluetooth Sharing: Disabled
# Suggested Setting.
# Disable Bluetooth Sharing.
sudo defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0
# Available Settings.
# Bluetooth Sharing: Disabled or Enabled
# Securing Network Preferences
# ----------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable IPv6.
sudo networksetup -setv6off "$interface"
# Available Settings.
# The interface value can be AirPort, Bluetooth, Ethernet, or FireWire.
# Securing Print & Fax Preferences
# --------------------------------
# Default Setting.
# Disabled
# Suggested Setting.
# Disable the receiving of faxes.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.efax.plist
# Disable printer sharing by making cupsd listen on localhost only.
# Edit a copy and write it back through tee: a plain ">" redirection is
# performed by the invoking user's shell, not by sudo.
sudo cp /etc/cups/cupsd.conf "$TEMP_FILE"
if /usr/bin/grep -q "^Port 631" /etc/cups/cupsd.conf
then
    /usr/bin/sed "s/^Port 631.*/Listen localhost:631/" "$TEMP_FILE" | \
        sudo tee /etc/cups/cupsd.conf > /dev/null
else
    echo "Printer Sharing not on"
fi
# Available Settings.
# Enabled or Disabled
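The cupsd.conf edit above is the one step in this appendix that rewrites a configuration file in place, so it is worth getting right: the rewrite must not run with a redirection that opens the target as an unprivileged user, it should keep a backup, and it should be safe to run twice. The following added example (not part of Apple's guide) packages that as a function that works on any cupsd.conf path, so it can be exercised on a copy before being pointed at /etc/cups/cupsd.conf as root. The function names `restrict_cups_to_localhost` and `cups_localhost_only`, the `.bak` backup name, and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Apple's code: turn "Port 631" (listen on every
# interface) into "Listen localhost:631" in a cupsd.conf, keeping a backup
# and reporting whether anything changed. The sample configuration at the
# bottom is constructed for the demonstration.

# restrict_cups_to_localhost CONF
# Returns 0 when a change was written, 3 when no "Port 631" line was
# present (nothing to do), 2 when CONF cannot be read or written.
restrict_cups_to_localhost() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if ! grep -q '^[[:space:]]*Port[[:space:]]*631' "$conf"; then
        echo "Printer Sharing not on in $conf"
        return 3
    fi
    tmp=$(mktemp) || return 2
    # Rewrite into a temp file first so a failed sed never truncates CONF.
    sed 's/^[[:space:]]*Port[[:space:]]*631.*$/Listen localhost:631/' "$conf" > "$tmp" \
        || { rm -f "$tmp"; return 2; }
    # Keep the original, then copy the edited content over CONF in place
    # (cat > preserves the file's owner and mode, unlike mv).
    cp "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# cups_localhost_only CONF
# Returns 0 if CONF has no directive that binds port 631 on all interfaces.
cups_localhost_only() {
    ! grep -Eq '^[[:space:]]*(Port[[:space:]]+631|Listen[[:space:]]+(\*|0\.0\.0\.0):631)' "$1"
}

# Demonstration on a constructed cupsd.conf.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample cupsd.conf
LogLevel warn
Port 631
Listen /private/var/run/cupsd
Browsing On
EOF
restrict_cups_to_localhost "$demo"
cups_localhost_only "$demo" && echo "cupsd now listens on localhost only"
restrict_cups_to_localhost "$demo" || echo "second run: nothing to change (rc=$?)"
rm -f "$demo" "$demo.bak"
```

On the server itself, run `sudo sh -c '. ./cups_local.sh; restrict_cups_to_localhost /etc/cups/cupsd.conf'` (or call the function from a root script) and restart cupsd afterwards; the `cups_localhost_only` check is the audit you can run on every host to confirm the setting stuck.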
# Securing Security Preferences
# -----------------------------
# Default Setting.
# Require Password on Wake: Disabled
# Automatic Login: Disabled
# Password to Unlock Preferences: Enabled
# Secure Virtual Memory is Enabled on portable computers and Disabled
# on desktop computers.
# IR remote control: Enabled
# FileVault: Disabled
# Suggested Setting.
# Enable "Require password to wake this computer from sleep or screen saver".
sudo defaults -currentHost write com.apple.screensaver askForPassword -int 1
# Disable IR remote control.
sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no
# Enable FileVault.
# To enable FileVault for new users, use this command.
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
# Enable Firewall.
# Replace $value with
# 0 = off
# 1 = on for specific services
# 2 = on for essential services
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int "$value"
# Securing Sharing Preferences
# ----------------------------
# Default Setting.
# $host_name = User's Computer
# Suggested Setting.
# Change the computer name, where $host_name is the name of the computer.
sudo systemsetup -setcomputername "$host_name"
# Change the computer's Bonjour host name.
sudo scutil --set LocalHostName "$host_name"
# Available Setting.
# The host name cannot contain spaces or other non-DNS characters.
# Securing Software Updates Preferences
# -------------------------------------
# Default Setting.
# Check for Updates: Enabled
# Check Updates: Weekly
# Suggested Setting.
# Disable "Check for updates" and "Download important updates automatically".
sudo softwareupdate --schedule off
# Available Setting.
# Check for Updates: Enabled or Disabled
# Check Updates: Daily, Weekly, Monthly
# Securing Sound Preferences
# --------------------------
# Default Setting.
# Internal microphone or line in: Enabled
# Suggested Setting.
# Disable internal microphone or line in.
# This command does not change the input volume for input devices. It
# only sets the default input device volume to zero.
sudo osascript -e "set volume input volume 0"
# Available Setting.
# Internal microphone or line in: Enabled or Disabled
# Securing Speech Preferences
# ---------------------------
# Default Setting.
# Speech Recognition: Disabled
# Text to Speech: Enabled
# Suggested Setting.
# Disable Speech Recognition.
sudo defaults write "com.apple.speech.recognition.AppleSpeechRecognition.prefs" StartSpeakableItems -bool false
# Disable Text to Speech settings.
sudo defaults write "com.apple.speech.synthesis.general.prefs" TalkingAlertsSpeakTextFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenNotificationAppActivationFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenUIUseSpeakingHotKeyFlag -bool false
sudo defaults delete "com.apple.speech.synthesis.general.prefs" TimeAnnouncementPrefs
# Available Setting.
# Each item can be set to ON or OFF.
# OFF: -bool false
# ON: -bool true
# Securing Spotlight Preferences
# ------------------------------
# Default Setting.
# ON for all volumes
# Suggested Setting.
# Disable Spotlight for a volume and erase its current metadata, where
# $volumename is the name of the volume.
sudo mdutil -E -i off "$volumename"
# Available Setting.
# Spotlight can be turned ON or OFF for each volume.
# Securing Startup Disk Preferences
# ---------------------------------
# Default Setting.
# Startup Disk = "Macintosh HD"
# Suggested Setting.
# Set the startup disk.
sudo systemsetup -setstartupdisk "$path"
# Available Setting.
# Startup Disk = Valid Boot Volume
# Securing Time Machine Preferences
# ---------------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Enable Time Machine.
sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1
# Available Setting.
# 0 (OFF) or 1 (ON)
# Securing Universal Access Preferences
# -------------------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Disable VoiceOver service.
launchctl unload -w /System/Library/LaunchAgents/com.apple.VoiceOver.plist
launchctl unload -w /System/Library/LaunchAgents/com.apple.ScreenReaderUIServer.plist
launchctl unload -w /System/Library/LaunchAgents/com.apple.scrod.plist
# Available Setting.
# None
#
# Securing System Swap and Hibernation Storage
# --------------------------------------------
# Enable secure virtual memory.
sudo defaults write /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap -bool YES
# Restart to take effect.
# sudo shutdown -r now
# ------------------------------------------------------------------
# Using Disk Utility to Securely Erase Free Space
# ------------------------------------------------------------------
# Replace /dev/device with the device node of the disk or volume.
# Overwrite a device with zeroes.
sudo diskutil zeroDisk /dev/device
# Secure erase (7-pass) free space on a volume.
sudo diskutil secureErase freespace 2 /dev/device
# Secure erase (7-pass) a volume.
sudo diskutil secureErase 2 /dev/device
# ------------------------------------------------------------------
# Using the security tool to edit trust settings
# ------------------------------------------------------------------
# Where <certificate> is the local file path to the certificate.
sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain <certificate>
# --------------------------------------------------------------------
# Setting General Protocols
# --------------------------------------------------------------------
# Disable NTP client access.
# -------------------------
sudo systemsetup -setusingnetworktime off
# Disable NTP service.
# --------------------
sudo serveradmin settings info:ntpTimeServe = no
# Disable SNMP.
# -------------
sudo serveradmin settings info:enableSNMP = no
# or alternatively:
# sudo service org.net-snmp.snmpd stop
# Enable SSH.
# -----------
sudo service ssh start
# or alternatively:
# sudo serveradmin settings info:enableSSH = yes
# Remote Management (ARD)
# -----------------------
# Limiting Remote Management Access
# Repeat for each specified user. Replace $ARD_PRIVS with one privilege
# keyword: none, all, ControlObserve, DeleteFiles, TextMessages,
# ShowObserve, OpenQuitApps, GenerateReports, RestartShutDown, SendFiles,
# ChangeSettings, or ObserveOnly.
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -activate -configure -access -on -users "$ARD_USERNAME" -privs "$ARD_PRIVS" -restart
# Specify the user.
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -allowAccessFor -specifiedUsers "$ARD_USERNAME"
#
# Disable Remote Management
# -------------------------
# To remove user access:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -activate -configure -access -off
# To stop the ARD agent:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -agent -stop
# To disable the service:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
    -deactivate -stop
# or alternatively:
# sudo serveradmin settings info:enableARD = no
#
# Remote Apple Events (RAE)
# -------------------------
# Disable Remote Apple Events.
sudo launchctl unload -w /System/Library/LaunchDaemons/eppc.plist
# Set SACL permissions for a service.
# ----------------------------------
sudo dseditgroup -o edit -a "$USER" -t user "$SACL_GROUP"
# --------------------------------------------------------------------
# Enabling IPv6
# --------------------------------------------------------------------
# Enable IPv6.
# ------------
sudo networksetup -setv6on [networkservice]
# --------------------------------------------------------------------
# Securing DHCP Service
# --------------------------------------------------------------------
# Disable DHCP Service
# --------------------
sudo serveradmin stop dhcp
# Configuring DHCP Services
# -------------------------
# Set a DHCP subnet's DNS, LDAP, and WINS parameters to no value.
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_domain_name_server:_array_index:0 = ""
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_ldap_url:_array_index:0 = -empty_array
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:WINS_node_type = "NOT SET"
# Set a DHCP client's static IP address
# -------------------------------------
# Each computer needs its own GUID within the static map array.
# Increment the array index value for each additional network interface
# of a single computer.
sudo serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:ip_address:_array_index:0 = $ASSIGNED_IP_ADDRESS
sudo serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:en_address:_array_index:0 = $COMPUTER_MAC_ADDRESS
sudo serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:name = $COMPUTER_NAME
# --------------------------------------------------------------------
# Securing DNS Service
# --------------------------------------------------------------------
# Disable DNS Service.
# --------------------
sudo serveradmin stop dns
# --------------------------------------------------------------------
# Securing NAT Service
# --------------------------------------------------------------------
# Disable NAT service.
# --------------------
sudo serveradmin stop nat
# Block Bonjour listening.
# ------------------------
# Default Setting.
# Bonjour is enabled
# Firewall is disabled
# Suggested Setting.
# Add the following line to /etc/ipfw.conf.
#   add 00001 deny udp from any to me dst-port 5353
# Reload the firewall rules.
sudo /sbin/ipfw flush
sudo /sbin/ipfw /etc/ipfw.conf
# --------------------------------------------------------------------
# Securing Firewall Service
# --------------------------------------------------------------------
# Start firewall service.
# -----------------------
sudo serveradmin start ipfilter
# Enable stealth mode.
# --------------------
sudo serveradmin settings ipfilter:blackHoleTCP = true
sudo serveradmin settings ipfilter:blackHoleUDP = true
# View the firewall service log.
# ------------------------------
sudo tail /var/log/ipfw.log
# --------------------------------------------------------------------
# Securing Collaboration Services
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# Securing iCal service
# --------------------------------------------------------------------
# Disable iCal service.
# ---------------------
sudo serveradmin stop calendar
# Choose an authentication method for iCal service.
# ------------------------------------------------
# To enable all auth methods:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# To choose Digest auth only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "no"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# For Kerberos only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "no"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# Enable secure network traffic using SSL transport.
# -------------------------------------------------
sudo serveradmin settings calendar:SSLPort = 8443
# View the iCal service log.
# --------------------------
sudo tail /var/log/caldavd/access.log
# --------------------------------------------------------------------
# Securing iChat service
# --------------------------------------------------------------------
# Disable iChat service.
# ----------------------
sudo serveradmin stop jabber
# Securely configure iChat service.
# To select an iChat server certificate:
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"
# (Or replace the path with the full path to the certificate that you want
# to select.)
# Restart the service if it is running:
sudo serveradmin stop jabber; sudo serveradmin start jabber
# To select an iChat server auth method, use one of the following:
sudo serveradmin settings jabber:authLevel = "ANYMETHOD"
sudo serveradmin settings jabber:authLevel = "KERBEROS"
sudo serveradmin settings jabber:authLevel = "STANDARD"
# Then restart the service:
sudo serveradmin stop jabber
sudo serveradmin start jabber
#
# Select a certificate.
# ---------------------
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"
# View the iChat service log.
# ---------------------------
sudo tail /var/log/server.log | grep jabberd
# --------------------------------------------------------------------
# Securing Wiki Service
# --------------------------------------------------------------------
# Disable Wiki service.
# ---------------------
sudo serveradmin stop teams
# View the wiki service log.
# --------------------------
sudo tail /Library/Logs/wikid/access.log
# --------------------------------------------------------------------
# Securing Podcast Producer Service
# --------------------------------------------------------------------
# Disable Podcast Producer service.
# ---------------------------------
sudo serveradmin stop pcast
# View the Podcast Producer service log.
# --------------------------------------
sudo tail /Library/Logs/pcastserverd/pcastserverd_out.log
# --------------------------------------------------------------------
# Securing Mail Service
# --------------------------------------------------------------------
# Disable mail service protocols.
sudo serveradmin settings mail:imap:enable_pop = no
sudo serveradmin settings mail:imap:enable_imap = no
sudo serveradmin settings mail:postfix:enable_smtp = no
# Set the POP authentication method:
sudo serveradmin settings mail:imap:pop_auth_apop = no
sudo serveradmin settings mail:imap:pop_auth_clear = no
sudo serveradmin settings mail:imap:pop_auth_gssapi = no
# Set SSL transport for POP connections:
sudo serveradmin settings mail:imap:tls_server_options = "use"
# Set secure IMAP authentication:
sudo serveradmin settings mail:imap:imap_auth_login = no
sudo serveradmin settings mail:imap:imap_auth_plain = no
sudo serveradmin settings mail:imap:imap_auth_gssapi = no
sudo serveradmin settings mail:imap:imap_auth_clear = no
sudo serveradmin settings mail:imap:imap_auth_cram_md5 = no
# Configure SSL transport for IMAP connections (same as POP):
sudo serveradmin settings mail:imap:tls_server_options = "use"
# Allow secure SMTP authentication:
sudo serveradmin settings mail:postfix:smtpd_sasl_auth_enable = yes
sudo serveradmin settings mail:postfix:smtpd_use_pw_server = "yes"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "gssapi"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "cram-md5"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "login"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "plain"
# Configure SSL transport for SMTP connections:
sudo serveradmin settings mail:postfix:smtpd_use_tls = "yes"
# Enable a user's mail access using ACLs
sudo dseditgroup -o edit -a $USER -t user com.apple.access_mail
# Restrict SMTP relay:
sudo serveradmin settings mail:postfix:mynetworks_enabled = yes
# Reject unauthorized SMTP connections:
sudo serveradmin settings mail:postfix:smtp_reject_list_enabled = yes
sudo serveradmin settings mail:postfix:smtp_reject_list:_array_index:0 =
"$NETWORK"
# Reject mail from blacklisted senders:
sudo serveradmin settings mail:postfix:black_hole_domains:_array_index:0 =
"$BLACKLIST_SERVER"
sudo serveradmin settings mail:postfix:maps_rbl_domains_enabled = yes
# Enable junk mail screening:
sudo serveradmin settings mail:postfix:spam_scan_enabled = yes
# Train the filter:
sudo sa-learn --showdots --spam $JUNK_DIRECTORY/*
sudo sa-learn --showdots --ham $NON_JUNK_DIRECTORY/*
# Automatically train the junk mail filter:
sudo /etc/mail/spamassassin/learn_junk_mail
# Allow mail by language and locale:
sudo serveradmin settings mail:postfix:spam_ok_languages = "en fr de"
sudo serveradmin settings mail:postfix:spam_ok_locales = "en"
# Enable virus screening:
sudo serveradmin settings mail:postfix:virus_scan_enabled = yes
# View a mail service log:
sudo tail /var/log/mail.log
# --------------------------------------------------------------------
# Securing Antivirus Services
# --------------------------------------------------------------------
# Enable virus screening.
sudo serveradmin settings mail:postfix:virus_scan_enabled = yes
# View a virus log:
sudo tail /var/log/amavisd.log
# --------------------------------------------------------------------
# Securing File Services
# --------------------------------------------------------------------
# Disable file sharing services.
sudo serveradmin stop afp
sudo serveradmin stop smb
sudo serveradmin stop ftp
sudo serveradmin stop nfs
# Securely configure AFP service:
sudo serveradmin settings afp:registerNSL = no
sudo serveradmin settings afp:attemptAdminAuth = no
sudo serveradmin settings afp:clientSleepOnOff = no
sudo serveradmin settings afp:idleDisconnectOnOff = yes
sudo serveradmin settings afp:authenticationMode = "kerberos"
sudo serveradmin settings afp:activityLog = yes
sudo serveradmin settings afp:guestAccess = no
# Configure FTP to provide anonymous FTP downloads. Note that this block
# deliberately permits unauthenticated (anonymous) access to the FTP root;
# leave ftp stopped (above) unless that exposure is intended.
sudo serveradmin settings ftp:logSecurity:anonymous = yes
sudo serveradmin settings ftp:logSecurity:guest = yes
sudo serveradmin settings ftp:logSecurity:real = yes
sudo serveradmin settings ftp:maxRealUsers = 1
sudo serveradmin settings ftp:enableMacBinAndDmgAutoConversion = no
sudo serveradmin settings ftp:authLevel = "KERBEROS"
sudo serveradmin settings ftp:anonymousAccessPermitted = yes
sudo serveradmin settings ftp:bannerMessage = "$BANNER"
sudo serveradmin settings ftp:maxAnonymousUsers = 500
sudo serveradmin settings ftp:administratorEmailAddress = "[email protected]"
sudo serveradmin settings ftp:logCommands:anonymous = yes
sudo serveradmin settings ftp:logCommands:guest = yes
sudo serveradmin settings ftp:logCommands:real = yes
sudo serveradmin settings ftp:loginFailuresPermitted = 1
sudo serveradmin settings ftp:welcomeMessage = "$WELCOME"
# Securely configure Windows file sharing service
sudo serveradmin settings smb:wins support = no
sudo serveradmin settings smb:domain master = no
sudo serveradmin settings smb:map to guest = "Never"
sudo serveradmin settings smb:auth methods = "odsam"
sudo serveradmin settings smb:ntlm auth = "no"
sudo serveradmin settings smb:max smbd processes = 1000
sudo serveradmin settings smb:log level = 1
sudo serveradmin settings smb:preferred master = no
sudo serveradmin settings smb:os level = 65
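Setting the AFP values above does not tell you whether they are still in force a month later. The following is an added example, not part of Apple's script appendix: a drift check that compares "key = value" lines, in the form serveradmin settings prints them, against the hardened values from the AFP block. The sample settings output is constructed for the example; on a real server the second argument would be the output of sudo serveradmin settings afp, and the same functions apply to the smb keys by swapping the baseline.

```shell
#!/bin/sh
# Added example (not from the Apple guide): compare the output of
# "serveradmin settings afp" against the hardened values above and report drift.

# Expected values, taken from the AFP block of this appendix.
AFP_BASELINE='afp:guestAccess = no
afp:authenticationMode = "kerberos"
afp:attemptAdminAuth = no
afp:idleDisconnectOnOff = yes
afp:activityLog = yes
afp:registerNSL = no'

# Constructed sample of "sudo serveradmin settings afp" output; not captured
# from a real server. Two values deviate from the baseline.
SAMPLE_AFP_SETTINGS='afp:guestAccess = yes
afp:authenticationMode = "standard_and_kerberos"
afp:attemptAdminAuth = no
afp:idleDisconnectOnOff = yes
afp:activityLog = yes
afp:registerNSL = no
afp:maxConnections = -1'

# setting_value SETTINGS KEY: print the value of KEY from serveradmin-style
# "key = value" lines. Exact string match; the key is never used as a regex.
setting_value() {
  printf '%s\n' "$1" | awk -v k="$2" '
    index($0, k " = ") == 1 { print substr($0, length(k) + 4) }'
}

# check_drift BASELINE SETTINGS: one line per key whose current value differs
# from the baseline or is missing; prints nothing when everything matches.
check_drift() {
  printf '%s\n' "$1" | while IFS= read -r want; do
    key=${want%% = *}
    expected=${want#* = }
    actual=$(setting_value "$2" "$key")
    if [ "$actual" != "$expected" ]; then
      printf '%s: expected %s, got %s\n' "$key" "$expected" "${actual:-<unset>}"
    fi
  done
}

# drift_count BASELINE SETTINGS: number of drifted keys (0 means compliant).
drift_count() {
  check_drift "$1" "$2" | grep -c . || true
}

# On a real server: check_drift "$AFP_BASELINE" "$(sudo serveradmin settings afp)"
check_drift "$AFP_BASELINE" "$SAMPLE_AFP_SETTINGS"
```

Because the comparison is an exact string match on the printed value, quoting matters: the baseline carries "kerberos" with its quotes exactly as serveradmin prints it, so a loosened authenticationMode is reported rather than silently accepted.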
# ---------------------------------------------------------------------
# Securing Web Service
# ---------------------------------------------------------------------
# Disable web service:
sudo serveradmin stop web
# Disable web options:
sudo serveradmin settings web:Modules:_array_id:authz_host_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:dav_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:dav_fs_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:apple_spotlight_module:enabled = no
sudo serveradmin settings web:Sites:_array_id:$SITE:SpotlightIndexing = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:AllowOverride = "None"
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:IfModule:_array_id:mod_dav.c:DAV = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Includes = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:ExecCGI = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Indexes = no
sudo serveradmin settings web:Sites:_array_id:default_default:SpotlightIndexing = no
#
# Configure Apache to prompt you for a passphrase when it starts.
# --------------------------------------------------------------
sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSLPassPhraseDialog = builtin
#
# View logs.
# ----------
sudo tail /var/log/apache2/access_log
#
# Disable blog service.
# --------------------
sudo serveradmin settings web:Sites:_array_id:$SITE:weblog = no
# ---------------------------------------------------------------------
# Securing Tomcat
# ---------------------------------------------------------------------
# Stop Tomcat:
sudo /Library/Tomcat/bin/startup.sh stop
# ---------------------------------------------------------------------
# Securing MySQL
# ---------------------------------------------------------------------
# Turn MySQL service off:
sudo serveradmin stop mysql
#
# Configure MySQL service settings (no network listener; local socket only).
# -------------------------------------------------------------------------
sudo serveradmin settings mysql:allowNetwork = no
#
# View MySQL service logs.
# -----------------------
sudo tail /Library/Logs/MySQL.log
# ---------------------------------------------------------------------
# Securing Client Configuration Management Services
# ---------------------------------------------------------------------
# If the intended target is a client system, the target for the dscl
# commands should be "/LDAPv3/127.0.0.1". If the management target is the
# server itself, the target should be ".".
# Disable Front Row:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.frontrow PreventActivation always -bool 1
# Setting up a list of accessible applications
# -------------------------------------------
# Allow access to applications stored on the user's local hard disk:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess OpenItemsInternalDrive always -bool 1
# Allow helper applications:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess ApprovedAppLaunchesOthers always -bool 1
# Allow UNIX tools:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess AllowUnbundledApps always -bool 1
# Managing Dock Preferences
# -------------------------
# Set Dock hiding:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide always -bool 1
# Managing Finder Preferences
# ---------------------------
# Manage Finder preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder AppleShowAllExtensions-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitBurn always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitConnectTo always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitEject always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToFolder always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToiDisk always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowHardDrivesOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowMountedServersOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowRemovableMediaOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences AppleShowAllExtensions always -bool 1
# Managing Login Preferences
# --------------------------
# Manage login preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow LoginwindowText always -string "$LOGIN_WINDOW_MESSAGE"
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow mcx_UseLoginWindowText always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow RestartDisabled always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow ShutDownDisabled always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow SHOWFULLNAME always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow DisableConsoleAccess always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences MultipleSessionEnabled always -bool 0
# Managing Network Preferences
# ----------------------------
# Manage network preferences (networksetup takes the proxy host name, not a URL):
sudo networksetup -setwebproxystate Ethernet on
sudo networksetup -setwebproxy Ethernet "$SERVER" 8008
sudo networksetup -setpassiveftp Ethernet on
# Managing Parental Control Preferences
# -------------------------------------
# Hide profanity:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.Dictionary parentalControl always -bool 1
# Managing Printing Preferences
# -----------------------------
# Manage printing preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting RequireAdminToAddPrinters always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting AllowLocalPrinters always -bool 0
# Managing Software Update Preferences
# ------------------------------------
# Manage Software Update preferences (point clients at the local catalog):
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.SoftwareUpdate CatalogURL always -string "http://$SERVER:8088/index.sucatalog"
# Managing Universal Access Preferences
# -------------------------------------
# Manage Universal Access preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKey always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyBeepOnModifier always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyShowWindow always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewDriver always -bool 0
sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewShowPreview always -bool 0
# ---------------------------------------------------------------------
# Securing NetBoot Service
# ---------------------------------------------------------------------
#
# Disable NetBoot.
sudo serveradmin stop netboot
#
# Securely configure NetBoot.
#
# View NetBoot service logs.
sudo tail /var/log/system.log | grep bootpd
# ---------------------------------------------------------------------
# Securing Software Update Service
# ---------------------------------------------------------------------
# Disable Software Update:
sudo serveradmin stop swupdate
#
# Specify which clients can access software updates.
# --------------------------------------------------
sudo serveradmin settings swupdate:autoEnable = no
#
# View Software Update service logs.
# ---------------------------------
sudo tail /var/log/swupd/swupd_*
# ---------------------------------------------------------------------
# Securing Directory Services
# ---------------------------------------------------------------------
# Configure the Open Directory role:
sudo slapconfig -createldapmasterandadmin $ADMIN $ADMIN_FULL_NAME $ADMIN_UID $SEARCH_BASE $REALM
# Start Kerberos manually on an Open Directory master:
sudo kdcsetup -a $ADMIN $REALM
#
# Change the global password policy of user accounts in the same domain.
# ----------------------------------------------------------------------
# Policy keys are key=value pairs; 131487 minutes is roughly 91 days.
sudo pwpolicy -a $ADMIN_USER -setglobalpolicy "usingHistory=3 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=131487 minChars=12 maxFailedLoginAttempts=3"
#
# Set the binding policy for an Open Directory master.
# ---------------------------------------------------
sudo slapconfig -setmacosxodpolicy -binding required
#
# Set the security policy for an Open Directory master.
# ----------------------------------------------------
sudo slapconfig -setmacosxodpolicy -cleartext blocked -encrypt yes -sign yes -man-in-the-middle blocked -clientcaching no
# ---------------------------------------------------------------------
# Securing RADIUS Service
# ---------------------------------------------------------------------
# Disable RADIUS:
sudo serveradmin stop radius
# Use a custom certificate:
sudo serveradmin settings radius:eap.conf:CA_file = "/etc/certificates/$CA_CRT"
sudo serveradmin settings radius:eap.conf:private_key_file = "/etc/certificates/$KEY"
# The key passphrase is stored in the RADIUS configuration; keep eap.conf
# readable by root only.
sudo serveradmin settings radius:eap.conf:private_key_password = "$PASS"
sudo serveradmin settings radius:eap.conf:certificate_file = "/etc/certificates/$CERT"
#
# Edit RADIUS access.
# -------------------
sudo dseditgroup -o edit -a $USER -t user com.apple.access_radius
#
# View the RADIUS log.
# -------------------
sudo tail /var/log/radius/radius.log
# ---------------------------------------------------------------------
# Securing Print Service
# ---------------------------------------------------------------------
#
# Disable print service.
# ----------------------
sudo serveradmin stop print
# Set administrator SACL permissions for print service:
sudo dseditgroup -o edit -a $USER -t user com.apple.monitor_print
#
# Configure Kerberos for print service.
# ------------------------------------
sudo serveradmin settings print:authType = KERBEROS
#
# Configure a print queue.
# -----------------------
sudo serveradmin settings print:lprQueues:_array_index:0 = $PRINTER_SHARING_NAME
sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingName = $PRINTER_SHARING_NAME
sudo serveradmin settings print:queuesArray:_array_id:example_com:quotasEnforced = yes
sudo serveradmin settings print:queuesArray:_array_id:example_com:showNameInBonjour = no
sudo serveradmin settings print:queuesArray:_array_id:example_com:defaultCoverPage = "classified"
sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:service = "IPP"
sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:sharingEnable = yes
sudo serveradmin settings print:queuesArray:_array_id:example_com:printerURI = "lpd://example.com"
sudo serveradmin settings print:queuesArray:_array_id:example_com:shareable = yes
sudo serveradmin settings print:queuesArray:_array_id:example_com:printerName = "example_com"
sudo serveradmin settings print:useRemoteQueues = yes
sudo serveradmin settings print:coverPageNames:_array_index:0 = "classified"
#
# View print service logs.
# -----------------------
sudo tail /Library/Logs/PrintService/PrintService_admin.log
# ---------------------------------------------------------------------
# Securing Multimedia Services
# ---------------------------------------------------------------------
#
# Disable QTSS.
# -------------
sudo serveradmin stop qtss
#
# Configure a streaming server.
# ----------------------------
sudo serveradmin settings qtss:server:bind_ip_addr:_array_index:0 = "$BIND_IP_ADDRESS"
# Serve QuickTime streams over HTTP port 80 (RTSP listens on 554, 80, 8000 and 8001):
sudo serveradmin settings qtss:server:rtsp_port:_array_index:0 = 554
sudo serveradmin settings qtss:server:rtsp_port:_array_index:1 = 80
sudo serveradmin settings qtss:server:rtsp_port:_array_index:2 = 8000
sudo serveradmin settings qtss:server:rtsp_port:_array_index:3 = 8001
# Change the MP3 broadcast password:
sudo serveradmin settings qtss:modules:_array_id:QTSSMP3StreamingModule:mp3_broadcast_password = "$QTMP3_PASSWORD"
#
# Create a broadcast user name and password on the streaming server.
# -----------------------------------------------------------------
sudo serveradmin settings qtss:modules:_array_id:QTSSReflectorModule:allow_broadcasts = yes
#
# Add a user account.
# ------------------
sudo qtpasswd $USER
# Adding groups (append to the qtgroups file; the write must run as root, so use tee):
echo "$GROUP_NAME: $USER1 $USER2 $USER3" | sudo tee -a /Library/QuickTimeStreaming/Config/qtgroups > /dev/null
#
# Change a user password.
# ----------------------
sudo qtpasswd $USER
# View the QTSS log:
sudo tail /Library/QuickTimeStreaming/Logs/$LOG_FILE
# ---------------------------------------------------------------------
# Xgrid Service
# ---------------------------------------------------------------------
# Disable Xgrid service by stopping the Xgrid agent on the server:
sudo /usr/sbin/xgridctl agent stop
# Configure an Xgrid controller:
sudo serveradmin settings xgrid:ControllerSettings:Enabled = yes
sudo serveradmin settings xgrid:ControllerSettings:prefs:ClientAuthentication = Password
sudo serveradmin settings xgrid:ControllerSettings:ClientPassword = $XGRID_CLIENT_PASS
# ---------------------------------------------------------------------
# Maintaining System Integrity
# ---------------------------------------------------------------------
# Validate application bundle integrity.
sudo codesign -v "$code_path"
# Verify a requirement.
sudo codesign -v -R="identifier com.apple.Mail and anchor apple" /Applications/Mail.app
# Install the common criteria tools software.
sudo installer -pkg CommonCriteriaTools.pkg -target /
# Enable auditing. The edit is written through a temporary copy and copied
# back under sudo: with "sudo sed ... > /etc/hostconfig" the redirection is
# performed by the unprivileged shell and fails.
if /usr/bin/grep -q '^AUDIT=' /etc/hostconfig
then
  /usr/bin/sed 's/^AUDIT=.*/AUDIT=-YES-/' /etc/hostconfig > /tmp/hostconfig.$$
  sudo /bin/cp /tmp/hostconfig.$$ /etc/hostconfig && /bin/rm -f /tmp/hostconfig.$$
else
  /bin/echo 'AUDIT=-YES-' | sudo /usr/bin/tee -a /etc/hostconfig > /dev/null
fi
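The hostconfig edit above handles one flag in one way and depends on the whole script running with the right privileges. The following is an added example, not part of Apple's script appendix: a small idempotent setter and reader for hostconfig-style NAME=VALUE files, exercised on a constructed temporary copy rather than on /etc/hostconfig, so the AUDIT change can be applied repeatedly and verified before auditd is restarted. Run the script itself as root when pointing it at the real file.

```shell
#!/bin/sh
# Added example (not from the Apple guide): idempotently set and read back a
# flag in a hostconfig-style file. Run the script as root for /etc/hostconfig;
# "sudo cmd > file" would perform the redirection as the unprivileged user.

# set_hostconfig_flag FILE NAME VALUE: replace an existing NAME= line or
# append one; running it twice makes no further change. The content is
# written through a temp copy and cat'ed into place so the target file
# keeps its owner and mode.
set_hostconfig_flag() {
  file=$1 name=$2 value=$3
  tmp=$(mktemp) || return 1
  if [ -f "$file" ] && grep -q "^$name=" "$file"; then
    sed "s|^$name=.*|$name=$value|" "$file" > "$tmp"
  else
    [ -f "$file" ] && cat "$file" > "$tmp"
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
  fi
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_hostconfig_flag FILE NAME: print NAME's value, or nothing if unset.
get_hostconfig_flag() {
  [ -f "$1" ] || return 0
  sed -n "s/^$2=//p" "$1"
}

# audit_enabled FILE: succeed only if AUDIT is exactly -YES-.
audit_enabled() {
  [ "$(get_hostconfig_flag "$1" AUDIT)" = "-YES-" ]
}

# Demonstration on a constructed copy, not on the real /etc/hostconfig.
demo=$(mktemp)
printf 'AFPSERVER=-NO-\nAUDIT=-NO-\n' > "$demo"
set_hostconfig_flag "$demo" AUDIT -YES-
audit_enabled "$demo" && echo "AUDIT enabled in $demo"
rm -f "$demo"
```

The verification step is the point: after the change, audit_enabled reads the file back instead of trusting that the sed expression matched, and a later run reports the same result without adding a second AUDIT line.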
# View logs in Server Admin.
# Use tail or more to view the log files.
# The audit files are individually named based on the date.
sudo /usr/bin/tail $AUDIT_FILE
Index

A
access
  ACLs 183, 240, 381
  application 284, 285, 289
  connection control 241–245
  Directory Access 320
  file 349
  media 299
  passwords 348, 351
  playlists 349
  printing 338
  QTSS 347, 348, 349, 353
  restricting NetBoot 313
  restricting Software Update 316
  SACLs 183, 228
  share point 264–268
  Universal Access 309–310
  user 30–33, 274, 348, 349, 351
  weblogs 280–281
  website 274, 302–304
  wireless users 333
  See also ACLs; IMAP; LDAP; permissions
access control lists. See ACLs
access warnings 65–69
  See also permissions
accounts
  administrator 71–72, 76–81, 319
  authentication 349
  authentication setup 84–94
  creating secure 74–81
  credential storage 88–93
  directory domains 81–84
  group 321–322, 352
  mobile 82, 299–301
  nonadministrator user 71–72
  preferences 99–101
  types 71
  user 351, 352
  See also user accounts; Workgroup Manager
ACEs (access control entries) 144
Acknowledgments 23
ACLs (access control lists)
  keychain services 88
  mail service access 240
  permissions 140, 144–145, 265
  print service access 338
  SACLs 183, 381
Active Directory 83–84, 319
activity analysis tools 376–379
Address Book 82
addresses. See email addresses; IP addresses; NAT
address translation 347
administrator
  accounts for 319
  auditing tools 370–376
  directory domain 78, 318
  passwords for 329, 387
  privileges of 361
administrator account 71–72, 76–81
administrator computer 39
adult websites, access control 302
Advanced Encryption Standard (AES-128) 122
AFP (Apple Filing Protocol) service
  authentication 256
  configuration 258–259
  share points 267
agents
  authentication 355, 356
  controllers 358
  functions of 354
  setup 358
  Xgrid 357–359
AirPort, disabling 55
AirPort Base Station
  and RADIUS 334
anonymous access, FTP 260
antivirus tools. See virus screening
any-user tag 351
APOP (authenticated POP) 235
appearance preferences 102–103
Apple Filing Protocol service. See AFP
Apple Remote Desktop. See ARD
Apple Software Restore. See ASR
AppleTalk 340
applications
  access control 31, 284, 285
  legacy access 289
  securing 30
applications, user access to
  See also specific applications
ARD (Apple Remote Desktop) 178–179
ARP (Address Resolution Protocol) spoofing 207
assistive devices 136
attributes
  ACL 267
  authentication 386
  configuration 365
audio recording devices, disabling 57
audit_class file 375
audit_control file 375
audit_event file 375
audit_user file 375
audit_warn file 375
auditing tools 370–376
auditreduce tool 373–374
audit tool 372–373
authenticated POP. See APOP 233
authentication
  Active Directory 83
  AFP 256
  attributes 386
  vs. authorization 26
  cached 382
  credential-based 381
  definition 380
  Directory Access 82–83
  directory services 318
  EAP 196, 334
  file services 258–259
  FTP 256
  iCal service 223
  IMAP 237
  Kerberos 192, 196, 235, 237, 238, 339, 385
  methods 326, 382
  NFS 256
  options 356, 358
  passwords 277, 278, 356, 359
  POP 235
  QTSS 348, 349, 351
  Server Admin 167
  SMB/CIFS-related 256
  SMTP 242, 243
  SSH 187–189
  strengthening methods 84–87
  system preferences 94
  user 380, 385–387, 388
  VPN 192
  WebDAV 275
  Workgroup Manager 318–319
  See also keychain services; passwords; RADIUS
authentication authority attributes 386
authorization 26–34, 79, 380
  See also authentication
authorization rights 366–367
AuthScheme keyword 351
automatic actions, disabling 105
Automatic Unicast 348

B
backups 161–162
BannerSample file, modifying 68
bayesian filters 246
Berkeley Software Distribution. See BSD
BIND (Berkeley Internet Name Domain) 202, 203, 206
binding 330
blacklisted servers 241, 244
blogs 280–281
blog service 280
Bluetooth preferences 55, 103–104, 117
Bonjour browsing service 210
boot image, definition 311
broadcasting, MP3 348
BSD (Berkeley Software Distribution) 25, 377
bundle IDs 284
By 139

C
CA. See certificate authority
cached authentication 382
cache poisoning
  DNS 205
cameras 58, 232
CDs 40
CDs, preferences 105
CDSA (Common Data Security Architecture) 25
CERT (Computer Emergency Response Team) 25
Certificate 167, 170
Certificate Authority (CA)
  requesting certificates from 169
certificate authority (CA)
  See also certificates
  overview 165
  requesting certificates from 235
Certificate Manager 167
certificates 163–175
  FileVault 153
  iChat server 226
  IPSec 192
  mail service 234–235
  management of 36–37
  Open Directory 327
  overview 163–167
  POP 236
  private keys 164
  public keys 164, 368–369
  requesting 170, 235
  self-signed 165, 169
  and Server Admin 167–168
  SSL 224, 228, 277
  web service 278
Certificate Signing Request. See CSR 233
CGI (Common Gateway Interface) scripts
  enabling 273
chat service 225–229
CIFS (Common Internet File System). See SMB/CIFS
ClamAV 245, 249
clients
  access control 348, 349
  authentication 356
  earlier operating systems 192
  group accounts 321–322
  groups 352
  and SSL 234
  See also client computers; users
codesign command 369–370
collaboration services
  group accounts 321–322
  See also mail service; specific file services
command 349
command-line interface
  access warnings 69
  erasing files 159–160
  options 349, 350
  security 256
  startup security setup 64
command-line tools
  erasing disks 44
  log viewing 278
  sudo 209
Common Criteria Tools 370
Common Data Security Architecture. See CDSA
Common Security Service Manager. See CSSM
Common UNIX Printing System. See CUPS
Computer Emergency Response Team. See CERT
computer groups 322
computer name 182
computers
  idle status 358
  name 182
  See also portable computers
computers, administrator 39
configuration
  access control 338
  agents 358
  controller 359
  DHCP 40
  Firewall service 216, 217
  iChat 226–227
  incoming mail 237
  Kerberos 326
  keychain services 89–91
  Mac OS X Server file changes 203
  overview 233
  RADIUS 334
  share points 264
  SSH 186–187
  VPN 193, 194
  See also Mailman setup
configuration files, SSH 187
Console application 377
contacts search policy 82–83, 320
controllers
  and agents 358
  nodes 355
  setup 359
controllers, Xgrid 359–360
CRAM-MD5 authentication 237, 238
credential-based authentication 366–367, 381
credential storage 88–93
crypt passwords
  definition 382
  encryption 320, 386
CSR (Certificate Signing Request) 163, 169, 170
CSSM (Common Security Service Manager) 28
CUPS (Common UNIX Printing System) 337
curfews on computer use 306
Cyrus mail service 233

D
Dashboard preferences 115–116, 285, 287
databases 318
data security 59–60, 137–162
data transport encryption 224
Date & Time preferences 107–108, 182
decryption. See encryption
Desktop preferences 109–110
DHCP (Dynamic Host Configuration Protocol) service 40, 200, 330
DHX authentication 382
dictionaries
  rights 363–367
Dictionary, hiding profanity in 303
digest authentication 223, 349
digest authentication, WebDAV 275
digital signatures 284, 285, 368–369
directories. See directory services; domains, directory; folders
Directory Access 82–83, 320
directory domain administrator 78, 318
directory services
  Active Directory 83–84, 319
  directory domains 81–84
  Open Directory 83
  organization of 318
  overview 324
  See also domains, directory; Open Directory
directory services, Open Directory 333
discovery, service 82
disk images
  encrypting 155–157
  installing with 41
  read/write 155
disks
  command-line management of 44
  erasing free space 43
  installation preparation 43
  partitions 41, 43
  quotas 321
  startup 133–134
Disk Utility 43, 159, 160
diskutil tool 44
display mirroring 111
Displays preferences 111
distributed computing architecture 354–360
DNS (Domain Name System) service
  BIND 202, 203, 206
  IP addresses 206
  recursion 204, 207
  securing server 205, 206
  setup 40
Dock preferences 111, 291–292
documentation 21–23
Domain Name System. See DNS
domains, directory
  Active Directory 319
  administrator for 78, 318
  binding of 330
  databases 318
  LDAP 196
  management of 318
  overview 81–84
  See also LDAP; Open Directory
DoS attack (denial of service) 206, 387
duplication of settings 319
DVDs 40, 298–299
DVDs, preferences 105
Dynamic Host Configuration Protocol (DHCP) 200

E
EAP (Extensible Authentication Protocol) 334
EAP-SecurID authentication 196
EFI (Extensible Firmware Interface) 63, 134
email. See mail service
Enabling 145
encryption
  AFP 258
  certificates 164
  crypt passwords 320, 386
  FileVault 151–157
  mail service 235
  network configuration 197
  ports 228
  secure virtual memory 137–138
  SSH 178, 197, 257–259
  SSL 276
  VPN protocols 192
  See also SSL
Energy Saver preferences 112–113
erasing data permanently 38, 158–160
error messages. See troubleshooting
Everyone permission level 141
Exposé & Spaces preferences 115–116
Extensible Authentication Protocol. See EAP
Extensible Firmware Interface. See EFI

F
Fast User Switching 75, 297
fax preferences 120
files
  access control 349
  backup of 161–162
  encryption 151–157, 197
  erasing 38, 158–160
  permissions 140–143, 146
  qtaccess 350
  qtgroups 350
  qtusers 350
  shared secret 164
  transferring 191
file services
  authentication 258–259
  disabling 256
  FTP 259–262, 268
  NFS 262
  See also AFP; FTP; NFS; share points
file sharing 254–255
file systems
  erasing data 158
  securing 38
File Transfer Protocol. See FTP
FileVault 36–37, 53, 122, 151–155, 300
FileVault master keychain 153
filters
  blacklisted mail senders 241, 244
  junk mail 245, 247
  virus 241, 249, 251
Finder preferences 293–294
fingerprints, server 189
firewalls 245, 345, 347
  See also Firewall service
Firewall service 213
  advanced rules setup 217
  introduction 213
  logs 219
  and NAT 207
  services settings 216
  settings 40
  starting 214
  stealth mode 218
FireWire 61, 133
FireWire Bridge Chip GUID 133
firmware, password 64
flags for files and folders 143–144
folders
  flags for 143–144
  group 321, 322
  home 81, 150–155, 267, 299
  permissions for 150
  website 273
free disk space, erasing 160, 161
Front Row 285, 288
FTP (File Transfer Protocol) service 256, 257, 259–262, 268

G
GID (group ID) 320
global file permissions 146
global password policy 329
grids, computational 354
grids, computer 354
group accounts 321–322, 352
  See also groups
group filename keyword 350
group folders 321, 322
group name keyword 350
groups
  blog service 280
  configuration 321–322
  permissions 141
guest accounts
  permissions 141, 255

H
hard drive 53
hardware, protection of 52
hash, password 382
help, using 20
helper applications 289
HISEC (Highly Secure) templates 83, 319
home folders 82, 150–155, 264, 267, 299
hostconfig entries 371
hostname 182
hosts. See servers
HTTP (Hypertext Transfer Protocol) 276, 345, 347

I
iCal service 222–225
iChat service 225–229
identity certificates. See certificates
IETF (Internet Engineering Task Force) standard 345
images. See disk images; NetBoot; Network Install
IMAP (Internet Message Access Protocol)
  authentication 237
  log 250, 253
incoming mail
  security 234
  setup 237
installation
  administrator computer 39
  auditing tools 370
  with disk images 41
  disk preparation 43
  from earlier OS versions 39
  from removable media 40
  installer packages 126
  interactive 44
  network services setup 40
  overview 38–51
  server software 40
  starting up for 40, 41
installer packages 126
install image, definition 311
instant messaging 225–229
Intel-based Macintosh 63
International preferences 116
Internet-based Software Update 46
Internet Message Access Protocol. See IMAP
Internet Printing Protocol. See IPP
Internet security
  MobileMe preferences 96–98
  sharing 125
  wireless connections 56
IP addresses 118
  DHCP 200
  DNS recursion 203–204
  DNS service 206
  and firewalls 40
  groups 215
  IPv6 notation 198–199
  port forwarding 208
  QTSS 346
  and recursion 204
IP Filter service. See Firewall service
IP masquerading. See NAT
IPP (Internet Printing Protocol) 337
IPSec (IP security) 192, 193
IPv6 addressing 118, 198–199
iSight, disabling 58
ISP (Internet service provider) 192

J
Jabber instant messaging project 225–229
jobs 354
junk mail screening
  connection control 241–245
  filters 245, 247
  log 250, 253
  overview 241

K
KDC (Kerberos Key Distribution Center). See Kerberos
Kerberos
  Active Directory 83
  authentication 85–86, 192, 223, 235–238, 385
  features 381, 387, 388
  Open Directory 319
  passwords 387
  print service 339
  setup 326
  users 326, 388
  WebDAV 275
  Xgrid administration 355, 356
kernel extensions, removing 62
key-based SSH connection 187–189
Keyboard preferences 116
Keychain Access 88
keychain services 28, 30, 88–93, 153

L
L2TP/IPSec (Layer Two Tunneling Protocol, Secure Internet Protocol) 34, 192, 193
LANs (local area networks) 191, 262
layered security architecture 27
Layer Two Tunneling Protocol, Secure Internet Protocol (L2TP/IPSec). See L2TP/IPSec
LDAP (Lightweight Directory Access Protocol) service
  advanced settings 324
  configuration 83
  overview 324
  security 327, 331, 380
  VPN 196
  See also attributes; mappings; object classes; trusted binding
LDAPv3 access 318, 324
Legacy preferences 285, 289
Lightweight Directory Access Protocol. See LDAP
Line Printer Remote (LPR) printing 340
local area networks (LANs) 262
local directory domains
  password types 380, 382
local installation 40
local system logging 378
local versus network home folders 264
locking folders 143
login
  access warnings 65–69
  keychain 89
  preferences 295–298
  preferences overview 295
  remote 178
  security measures 99–101
login scripts 296
logs
  audit 376
  configuration 377–379
  Firewall service 219
  iChat 229, 230, 232
  mail service 250, 253
  MySQL service 283
  NetBoot 314
  print service 342
  QTSS 353
  RADIUS 335
  Software Update service 317
  web service 278
LPR (Line Printer Remote) printing 340

M
Mach 25
Mac OS X
  installation considerations 39
  Open Directory passwords 381
Mac OS X Server
  agent setup 358
  authentications supported 388
  configuration file changes 203
  trusted binding 330
mail service
  certificates 234–235
  disabling 234
  group settings 321
  logs 250, 253
  security 234, 235
  virus filtering 251
mail transfer agent. See MTA
managed accounts 319–322
managed preferences
  Dashboard 115–116, 285, 287
  Date & Time 107–108, 182
  Desktop 109–110
  Displays 111
  Dock 111, 291–292
  Energy Saver 112–113
  Exposé & Spaces 115–116
  Finder 293–294
  Front Row 285, 288
  International 116
  Keyboard 116
  Legacy 285, 289
  Login 295–298
  Media Access 298–299
  MobileMe 96–98
  Mobility 299–301
  Mouse 116
  Network 118–119, 301–302
  overview 284
  Parental Controls 302, 303, 304
  Print & Fax 120–122
  Printing 307
  Security 122
  Sharing 125, 180
  Software Update 46–49, 126, 308
  Sound 128
  Spotlight 130–132
  Startup Disk 133–134
  System 308–309
  System Preferences 308, 309
  Time Machine 161–162
  Universal Access 136, 309–310
  See also preferences
managed user accounts 71, 319–322
mandatory access controls 30–33
man-in-the-middle attacks 190
Media Access 298–299
message keyword 350
microphones, disabling 57
Microsoft Windows compatibilities 144
mobile accounts 82, 192, 299–301, 387
MobileMe preferences 96–98
Mobility preferences 299–301
Mouse preferences 116
movies, QuickTime cache
  See also streaming media
MP3 files 348
MS-CHAPv2 authentication 195
MTA (mail transfer agent) 233
multimedia 344–353
MySQL service 282, 283
N
nameserver.SeeDNS
namingconventions,computers182
NAT(NetworkAddressTranslation)
andFirewallservice207
introduction207
NetBootservice41,311–314
NetworkAddressTranslation.SeeNAT
network-baseddirectorydomains81–84
network-basedkeychains92–93
NetworkFileSystem.SeeNFS
networkinstallimage133
Networkpreferences301–302
networks
clientconnections34
preferences302
viewstroubleshooting323
networkservices
DHCP40,200
DNS40
Index
FileVaultlimitations151,155
homefolders318
installation40
IPv6addressing198–199
keychains92
managedusers74
NTP176
preferences118–119,301–302
sharing125
sleepmodesecurity112
SoftwareUpdatecautions45
VPN191–197
wirelesspreferences103–104
SeealsoIPaddresses
networksettings
firewallconsideration347
NetworkTimeProtocol.SeeNTP
newsyslog command378
NFS(NetworkFileSystem)
filesharing255,262,268
security256
sharepoints254,257,268–269
nodes,controller355
nodes,directory.Seedomains,directory
nonadministratoruseraccounts71–72
NTDomainservices263–264,340
NTP(networktimeprotocol)176
nvramtool64
O
OpenDirectory
accesscontrol349
ActiveDirectory318
bindingpolicy330
configuration83,325–330
definition318
DNSrecursion203
andKerberos381
optionssettings330
overview324
passwordtype320,329
andRADIUS333
andSACLs183
securitypolicy331
Seealsodomains,directory
OpenDirectorymaster
authentication355
binding330
securitypolicy331
OpenDirectoryPasswordServer
accesscontrol334
authentication325,381
passwordpolicy387
opensourcemodules
Apache271
451
Jabber226
Kerberos223,275
opensourcesoftware25–27
option95,DHCP330
Othersusercategory254
outgoingmail,security235
Overview152
ownerpermission141
P
ParentalControls74–75,302,303,304
partitions,disk41–43
PasswordAssistant84–85,100
passwords
administrator329,387
Apache278
authentication356,359
authenticationset84
authenticationsetup235–237
changing99–101
command-linetools64
crypt320,386
firmware64,133–134
hash382
keychain89
masterFileVault151–155
OpenDirectory381,386
policies329,387
security384–385
vs.singlesign-on387
SSLpassphrase277
StartupDiskpreferences133–134
streamingmedia348
tokens86
types380,381,382
useraccount351
VPN192
Windowsdomain386
PasswordServer.SeeOpenDirectoryPassword
Server
PDFs,encrypting157
permissions
access25
ACLs265,338
administrator361
folders150
guest255
manipulating143
overview140–146
sharepoints265–267
types254
user274,278,320–322
viewing141
WebDAV274
physicalaccess,securing53
452
Index
physical computers
  hardware security 53
piggybacking, service 207
PKI (public key infrastructure) 163, 164
  See also certificates
playlists
  accessing 349
  QTSS 344
plist files 209
Podcast Producer service 231–232
policy database 363–367
POP (Post Office Protocol) 236, 250, 253
port 347
portable computers
  FileVault 151
  keychains 92–93
  mobile accounts 82, 192, 299–301
portable files, encrypting 155–157
portable keychains 92
port forwarding 208
ports
  encryption 228
  QTSS 345–347
  and SSL 276
  VPN 193
POSIX (Portable Operating System Interface) 141–146
Postfix transfer agent 233
Post Office Protocol. See POP
PPTP (Point-to-Point Tunneling Protocol) 192, 194
praudit tool 374–375
preferences
  accounts 99–101
  appearance 102–103
  Bluetooth wireless 103–104, 117
  CDs 105, 298–299
  DVDs 105
  fax 120–122
  login 295–298
  overview 94–95
  screen saver 109–110
  speech recognition 129
  time 107–108, 182
  See also managed preferences
presets 319
primary zone, DNS 205
Print & Fax preferences 120–122
print service
  access control 307, 338
  security 337
private key 164, 165
private key cryptography 276
privileges, administrator 361
  See also permissions
problems. See troubleshooting
profanity, hiding 303
profiling, DNS service 206
protocols
  EAP 334
  file services 257
  HTTP 276
  LDAP 196
  network service 40
  POP 236, 250, 253
  RTP 345
  RTSP 345
  TCP 216
  VPN 192, 193, 194, 196
  See also specific protocols
proxy server settings 301–302, 346
public key certificates 189
public key certificates. See certificates
public key cryptography 276, 368–369
public key infrastructure. See PKI
pwpolicy command 86
Q
qtaccess file 350
qtgroups file 350
qtpasswd tool 349
QTSS. See QuickTime Streaming Server
qtusers file 350
Quarantine 32
queues, print
  creating 340
  logs 342
QuickTime Streaming Server (QTSS) 344–353
quotas, disk space 321
R
RADIUS (Remote Authentication Dial-In User Service)
  introduction 333
read/write disk images 155
Really Simple Syndication. See RSS
realms. See Kerberos; WebDAV; websites, accessing
recent items list 102–103
recursion, DNS 203–204, 207
relays, access control 349
Remote Apple Events 181
Remote Authentication Dial-In User Service (RADIUS). See RADIUS
Remote Login 185–186
remote servers
  login 178
  system logging 378
removable media
  FileVault limitations 151, 155
  installation from 40
  preferences 298–299
removable media, accessing 299
rights dictionary 363–365
right specifications 363–365
root permissions 63, 79–80
RSA SecurIDs 196–197
RTP (Real-Time Transport Protocol) 345
RTSP (Real-Time Streaming Protocol) 345
rules 365
S
SACLs (service access control lists) 183, 228, 259, 261, 338, 381
sandboxing 31
scp tool 185
screening
  virus 251
  See also filters
screen saver preferences 109–110, 122
searching
  Spotlight 273
searching preferences 130–132
Secure Empty Trash command 160
secure notes 88
Secure Shell. See SSH
Secure Sockets Layer. See SSL
Secure Transport 27
SecurID 196–197
Securing 210
security
  ACLs 338
  authentication 223
  best practices 254
  certificates 327
  DNS 205, 206
  firewall 245
  firewalls 345, 347
  Firewall service 40
  IPSec 192, 193
  LDAP 327, 331, 380
  NetBoot service 312
  network 256
  overview 234
  passwords 235–237, 348, 351
  print service 339
  QTSS 345, 347
  server policy settings 331
  service level 183
  SSL 226–228, 234–239, 276, 327
  tools 222, 224
  VPN 192
  websites 276, 278
  wiki 229
  See also access; authentication; permissions
security architecture overview 25–28
security-mode environment variable 64
security-password environment variable 64
Security preferences 122–126
self-signed certificates 165, 169, 235
Server Admin
  access control 190, 240, 255, 338
  as administration tool 271
  authentication 167, 195
  certificates 169
  opening 167
  overview 163, 167
  server status 203
Server Message Block/Common Internet File System. See SMB/CIFS
server mining 205
servers
  binding to 330
  blacklisted 241, 244
  naming 182
  proxy 301–302, 346
  securing DNS 205, 206
  security policy 331
  SMTP 242
  startup 40, 41
  See also Apache web server; remote servers; websites
server side includes. See SSI
service access control lists. See SACLs
services, security 183
setup procedures. See configuration; installation
SFTP (Secure File Transfer Protocol) 191, 257–259
sftp tool 185, 268
SHA-1 digest 50
shadow passwords
  definition 382
  features 386
shared files. See file sharing
shared resources
  printers 120
  user accounts 72
shared secret files 192
share points
  configuration 264–268
  home folders 264
  NFS 254, 262
  setup 264
Sharing preferences 125, 180
Simple Finder 293
Simple Network Management Protocol (SNMP) 177
single sign-on (SSO) authentication 86, 355, 356, 387
single-user mode 63
sleep mode, securing 112–113, 122
sleep settings, securing 292
smart cards 36–37, 86, 91, 320, 389
SMB/CIFS (Server Message Block/Common Internet File System) protocol
  authentication 256
  enabling 263–264
  printing 340
  security overview 258
  share points 267
SMTP (Simple Mail Transfer Protocol) 242–245, 250, 253
SNMP (Simple Network Management Protocol) 177
Snow 163
Software Update service 45, 46–49
  clients 316
  configuration 308
  disabling 315
  overview 316
  preferences 126
  settings 316
  starting 315, 333
Sound preferences 128
sources 259
sparse images 155
speech recognition preferences 129
spoofing
  ARP 207
Spotlight preferences 130–132
Spotlight searching 273
srm command 159–160
SSH (secure shell host) 178, 185–191, 197, 259
sshd daemon 185
ssh tool 186
SSI (server side includes) 273
SSL 237
SSL (Secure Sockets Layer)
  certificates 164–167, 227, 228
  iCal service 224
  iChat service 226
  mail service 234–240
  Open Directory 327–329
  overview 27
  web service 276
standard user accounts 71
startup, securing 63
Startup Disk preferences 133–134
stealth mode, Firewall service 218
streaming media 344–353
sudo tool 79–82, 209, 361
su tool 80
synchronization 96–98
  mobile account data 299
  time 176
syslogd configuration file 377
system administrator (root) account 79–82
System Preferences 308–309
  See also managed preferences
T
target disk mode 134
tasks 354
TCP (Transmission Control Protocol) 213, 216, 345
The 30
third-party applications 115
ticket-based authentication 83
time limits on computer use 306
Time Machine 30–31, 134, 161
time settings 107–108
time synchronization 176, 177
time zone settings 182
TLS (Transport Layer Security) protocol
tokens, digital 86
Transmission Control Protocol (TCP) 213
Transport Layer Security protocol. See TLS
transport services 27
troubleshooting
  network views 323
  QTSS 353
trusted binding, policies 330
U
UDP (User Datagram Protocol) 345, 347
UIDs (user IDs) 73, 284
Universal Access
  overview 309
  preferences 309–310
Universal Access preferences 136
UNIX 289
UNIX and security 25
updating
  software 126, 308
updating software 45–49
USB storage devices, disabling 60
user accounts
  administrator 319
  group 321–322, 352
  in directory domains 319
  mobile 299–301
  overview 71–81
  passwords 351
  security 71
  settings 75
  See also users
user filename keyword 350
user ID. See UID
username keyword 350
users
  access control 30–33, 71–75, 190, 274, 348, 349, 351
  auditing 376
  authentication 324–325, 326, 380, 385–387, 388
  automatic actions control 105
  and blog service 280
  categories 254
  certificates 165
  Fast User Switching 297
  home folders 82, 150–153, 267, 299
  identities 284
  keychain management 91
  mobile 82, 192
  passwords 320
  permissions 141, 274, 278, 320–322
  preferences control 115
  root 63
  unregistered 255
  wireless access 333
  See also clients; computer lists; preferences; user accounts; Workgroup Manager
V
validation, system integrity 368–370
valid-user tag 351
video recording devices, disabling 58
view settings 323
virtual memory 137–138
Virtual Private Network. See VPN
virus screening 241–249, 250, 251, 253
visudo tool 361
volumes
  erasing 44
  erasing data 158
  securing 38
  startup 41
VPN (Virtual Private Network)
  authentication 192
  clients 34
  introduction 191–197
  L2TP settings 34, 193
  and LDAP 196
  PPTP settings 194
  security 192
W
WAN (wide area network) 191
Web 271
WebDAV (Web-Based Distributed Authoring and Versioning)
  authentication 275
  configuration 279
  enabling 273
  permissions 274
  realm definitions 274
  starting 273
weblog service 280–281
web modules 273
web service 272–278
websites
  access control 274
  accessing 302–304
  folders 274
  security 229, 276
wide area network. See WAN
widgets in Dashboard 285, 287
wikis 229
Windows domain
  passwords 386
Windows services 263–264, 340
wireless preferences 103–104
workflows 231
Workgroup Manager
  access control 32
  accounts 319–322
  ACL permissions 240
  authentication 349
  directory domains 318
  group account management 321–322
  overview 318–319
  See also managed preferences
workgroup preferences
  See Workgroup Manager
World permission level 254
X
Xgrid 354–360
Z
zones, DNS
  security 205
zone transfer, DNS 203