Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
MacOSXServer SecurityConfiguration ForMacOSXServerVersion10.6 SnowLeopard KAppleInc. ©2010AppleInc.Allrightsreserved. Theownerorauthorizeduserofavalidcopyof MacOSXsoftwaremayreproducethispublicationfor thepurposeoflearningtousesuchsoftware.Nopartof thispublicationmaybereproducedortransmittedfor commercialpurposes,suchassellingcopiesofthis publicationorforprovidingpaid-forsupportservices. Everyefforthasbeenmadetoensurethatthe informationinthismanualisaccurate.Appleisnot responsibleforprintingorclericalerrors. Apple 1InfiniteLoop Cupertino,CA95014 408-996-1010 www.apple.com TheApplelogoisatrademarkofAppleInc.,registered intheU.S.andothercountries.Useofthe“keyboard” Applelogo(Option-Shift-K)forcommercialpurposes withoutthepriorwrittenconsentofApplemay constitutetrademarkinfringementandunfair competitioninviolationoffederalandstatelaws. Apple,theApplelogo,Airport,Bonjour,FileVault, FireWire,iCal,iChat,iMac,iSight,iTunes,Keychain,Mac, MacOS,QuickTime,Safari,SnowLeopard,Spotlight, Tiger,TimeMachine,Xgrid,Xsan,andXserveare trademarksofAppleInc.,registeredintheU.S.andother countries. AppleRemoteDesktop,Finder,andQuickTime BroadcasteraretrademarksofAppleInc. MobileMeisaservicemarkofAppleInc. TheBluetooth®wordmarkandlogosareregistered trademarksownedbyBluetoothSIG,Inc.andanyuseof suchmarksbyAppleisunderlicense. Intel,IntelCore,andXeonaretrademarksofIntelCorp. intheU.S.andothercountries. Java™andallJava-basedtrademarksandlogosare trademarksorregisteredtrademarksofSun Microsystems,Inc.intheU.S.andothercountries. UNIXisaregisteredtrademarkofTheOpenGroup. Thisproductincludessoftwaredevelopedbythe UniversityofCalifornia,Berkeley,FreeBSD,Inc.,The NetBSDFoundation,Inc.,andtheirrespective contributors. Othercompanyandproductnamesmentionedherein aretrademarksoftheirrespectivecompanies.Mention ofthird-partyproductsisforinformationalpurposes onlyandconstitutesneitheranendorsementnora recommendation.Appleassumesnoresponsibilitywith regardtotheperformanceoruseoftheseproducts. 019-1875/2010-06 2 Contents Preface 17 17 17 20 20 21 21 21 22 22 23 AboutThisGuide Audience What’sinThisGuide UsingThisGuide UsingOnscreenHelp SnowLeopardServerAdministrationGuides ViewingPDFGuidesonScreen PrintingPDFGuides GettingDocumentationUpdates GettingAdditionalInformation Acknowledgments Chapter1 24 25 25 25 26 27 27 28 28 29 29 30 30 31 32 32 33 33 33 34 35 IntroductiontoSnowLeopardServerSecurityArchitecture SecurityArchitecturalOverview UNIXInfrastructure AccessPermissions SecurityFramework LayeredSecurityDefense NetworkSecurity CredentialManagement PublicKeyInfrastructure(PKI) What’sNewinSnowLeopardServerSecurity ExistingSecurityFeaturesinSnowLeopardServer SignedApplications MandatoryAccessControls Sandboxing ManagedUserAccounts EnhancedQuarantining MemoryandRuntimeProtection SecuringSharingandCollaborativeServices ServiceAccessControlLists VPNCompatibilityandIntegration ImprovedCryptography 3 4 35 35 35 36 36 36 37 ExtendedValidationCertificates WildcardinIdentityPreferences EnhancedCommand-LineTools FileVaultandEncryptedStorage EncryptedDiskImageCryptography SmartCardSupportforUnlockingEncryptedStorage EnhancedSafari4.0Security Chapter2 38 38 39 40 40 40 41 41 41 42 42 42 43 43 43 44 44 45 46 47 48 50 50 51 51 InstallingSnowLeopardServer InstallationOverview PreparinganAdministratorComputer SettingUpNetworkInfrastructure StartingUpforInstallation StartingUpfromtheInstallDVD StartingUpfromanAlternatePartition StartingUpfromaNetBootEnvironment RemoteAccessDuringInstallation ServerAdminDuringInstallation SSHDuringInstallation VNCDuringInstallation AboutDefaultInstallationPasswords PreparingDisksforInstallingSnowLeopardServer SecurelyErasingaDiskforInstallation InstallingServerSoftware EnablingtheFirewall ApplyingSoftwareandSecurityUpdates UpdatingfromanInternalSoftwareUpdateServer UpdatingfromInternetSoftwareUpdateServers UpdatingManuallyfromInstallerPackages VerifyingtheIntegrityofSoftware SettingUpServicesandUsers AboutSettingsEstablishedDuringServerSetup EnablingtheFirmwarePassword Chapter3 52 52 53 54 54 55 55 56 57 SecuringSystemHardware ProtectingHardware PreventingWirelessEavesdropping UnderstandingWirelessSecurityChallenges AboutOSComponents RemovingWi-FiSupportSoftware RemovingBluetoothSupportSoftware RemovingIRSupportSoftware PreventingUnauthorizedRecording Contents 57 58 59 60 61 62 RemovingAudioSupportSoftware RemovingVideoRecordingSupportSoftware PreventingDataPortAccess RemovingUSBSupportSoftware RemovingFireWireSupportSoftware SystemHardwareModifications Chapter4 63 63 64 64 65 66 67 68 69 70 SecuringGlobalSystemSettings SecuringSystemStartup UsingtheFirmwarePasswordUtility UsingCommand-LineToolsforSecureStartup ConfiguringAccessWarnings EnablingAccessWarningsfortheLoginWindow UnderstandingtheAuthPluginArchitecture TheBannerSampleProject EnablingAccessWarningsfortheCommandLine TurningOnFileExtensions Chapter5 71 71 72 73 73 74 74 75 75 75 76 76 77 78 78 79 79 80 81 82 83 83 84 84 85 SecuringLocalServerAccounts TypesofUserAccounts GuidelinesforCreatingAccounts DefiningUserIDs SecuringtheGuestAccount SecuringNonadministratorAccounts SecuringExternalAccounts ProtectingDataonExternalVolumes SecuringDirectory-BasedAccounts AvoidingSimultaneousLocalAccountAccess SecuringAdministratorAccounts AboutTieredAdministrationPermissions DefiningAdministrativePermissions AvoidingSharedAdministratorAccounts SecuringtheDirectoryDomainAdministratorAccount ChangingSpecialAuthorizationsforSystemFunctions SecuringtheSystemAdministratorAccount RestrictingsudoUsage UnderstandingDirectoryDomains UnderstandingNetworkServices,Authentication,andContacts ConfiguringLDAPv3Access ConfiguringActiveDirectoryAccess UsingStrongAuthentication UsingPasswordAssistanttoGenerateorAnalyzePasswords UsingKerberos Contents 5 86 86 87 87 88 89 89 91 91 92 Chapter6 6 94 94 96 99 102 103 105 107 109 111 111 112 115 116 116 116 117 117 118 118 120 122 122 123 125 126 128 129 130 133 134 136 UsingSmartCards UsingTokens UsingBiometrics SettingGlobalPasswordPolicies StoringCredentialsinKeychains UsingtheDefaultUserKeychain CreatingAdditionalKeychains SecuringKeychainsandTheirItems UsingSmartCardsasKeychains UsingPortableandNetworkKeychains SecuringSystemPreferences SystemPreferencesOverview SecuringMobileMePreferences SecuringAccountsPreferences SecuringAppearancePreferences SecuringBluetoothPreferences SecuringCDs&DVDsPreferences SecuringDate&TimePreferences SecuringDesktop&ScreenSaverPreferences SecuringDisplayPreferences SecuringDockPreferences SecuringEnergySaverPreferences SecuringExposé&SpacesPreferences SecuringLanguage&TextPreferences SecuringKeyboardPreferences SecuringMousePreferences SecuringBluetoothSettings RestrictingAccesstoSpecifiedUsers SecuringNetworkPreferences DisablingUnusedHardwareDevices SecuringPrint&FaxPreferences SecuringSecurityPreferences GeneralSecurity FileVaultSecurity SecuringSharingPreferences SecuringSoftwareUpdatePreferences SecuringSoundPreferences SecuringSpeechPreferences SecuringSpotlightPreferences SecuringStartupDiskPreferences SecuringTimeMachinePreferences SecuringUniversalAccessPreferences Contents Chapter7 137 137 138 SecuringSystemSwapandHibernationStorage SystemSwapFileOverview EncryptingSystemSwap Chapter8 139 139 140 140 141 141 142 143 143 143 143 144 145 145 146 147 150 151 152 153 153 155 155 156 157 158 158 159 159 160 160 161 161 SecuringDataandUsingEncryption AboutTransportEncryption AboutPayloadEncryption AboutFileandFolderPermissions SettingPOSIXPermissions ViewingPOSIXPermissions InterpretingPOSIXPermissions ModifyingPOSIXPermissions SettingFileandFolderFlags ViewingFlags ModifyingFlags SettingACLPermissions EnablingACLPermissions ModifyingACLPermissions ChangingGlobalUmaskforStricterDefaultPermissions RestrictingSetuidPrograms SecuringUserHomeFolders EncryptingHomeFolders OverviewofFileVault ManagingFileVault ManagingtheFileVaultMasterKeychain EncryptingPortableFiles CreatinganEncryptedDiskImage CreatinganEncryptedDiskImagefromExistingData CreatingEncryptedPDFs SecurelyErasingData ConfiguringFindertoAlwaysSecurelyErase UsingDiskUtilitytoSecurelyEraseaDiskorPartition UsingCommand-LineToolstoSecurelyEraseFiles UsingSecureEmptyTrash UsingDiskUtilitytoSecurelyEraseFreeSpace UsingCommand-LineToolstoSecurelyEraseFreeSpace DeletingPermanentlyfromTimeMachineBackups Chapter9 163 163 164 164 165 ManagingCertificates UnderstandingPublicKeyInfrastructure PublicandPrivateKeys Certificates AboutCertificateAuthorities(CAs) Contents 7 8 165 165 165 167 168 169 170 170 170 172 173 173 174 174 175 175 AboutIdentities Self-SignedCertificates AboutIntermediateTrust CertificateManagerinServerAdmin ReadyingCertificates CreatingaSelf-SignedCertificate StoringthePrivateKey RequestingaCertificatefromaCA CreatingaCA ImportingaCertificateIdentity ManagingCertificates EditingaCertificate DistributingaCAPublicCertificatetoClients DeletingaCertificate RenewinganExpiringCertificate ReplacinganExistingCertificate Chapter10 176 176 176 177 178 178 179 179 180 181 182 182 182 183 183 SettingGeneralProtocolsandAccesstoServices SettingGeneralProtocols DisablingNTPService DisablingSNMP EnablingSSH AboutRemoteManagement(ARD) RemoteManagementBestPractices LimitingRemoteManagementAccess DisablingRemoteManagementAccess RemoteAppleEvents(RAE) RestrictingAccesstoSpecificUsers SettingtheServer’sHostName SettingtheDateandTime SettingUpCertificates SettingServiceAccessControlLists(SACLs) Chapter11 185 185 186 187 187 189 190 190 191 191 SecuringRemoteAccessServices SecuringRemoteSSHLogin ConfiguringSSH ModifyingtheSSHConfigurationFile GeneratingKeyPairsforKey-BasedSSHConnections UpdatingSSHKeyFingerprints ControllingAccesstoSSH SSHMan-in-the-MiddleAttacks TransferringFilesUsingSFTP SecuringVPNService Contents 192 193 194 195 196 196 197 197 VPNandSecurity ConfiguringL2TP/IPSecSettings ConfiguringPPTPSettings VPNAuthenticationMethod UsingVPNServicewithUsersinaThird-PartyLDAPDomain OfferingSecurIDAuthenticationwithVPNService EncryptingObserveandControlNetworkData EncryptingNetworkDataDuringFileCopyandPackageInstallations Chapter12 198 198 199 200 200 200 201 202 203 203 204 205 207 208 210 210 SecuringNetworkInfrastructureServices UsingIPv6Protocol IPv6-EnabledServices SecuringDHCPService DisablingUnnecessaryDHCPServices ConfiguringDHCPServices AssigningStaticIPAddressesUsingDHCP SecuringDNSService UnderstandingBIND TurningOffZoneTransfers DisablingRecursion PreventingSomeDNSAttacks SecuringNATService ConfiguringPortForwarding DisablingNATPortMappingProtocol SecuringBonjour(mDNS) Chapter13 213 213 214 214 214 215 216 217 218 219 220 220 ConfiguringtheFirewall AboutFirewallProtection PlanningFirewallSetup ConfiguringtheFirewallUsingServerAdmin StartingFirewallService CreatinganIPAddressGroup CreatingFirewallServiceRules CreatingAdvancedFirewallRules EnablingStealthMode ViewingtheFirewallServiceLog ConfiguringtheFirewallManually UnderstandingIPFWRulesets Chapter14 222 222 223 223 SecuringCollaborationServices SecuringiCalService DisablingiCalService SecurelyConfiguringiCalService Contents 9 10 225 225 225 226 229 229 229 230 230 231 231 231 232 ViewingiCalServiceLogs SecuringiChatService DisablingiChatService SecurelyConfiguringiChatService ViewingiChatServiceLogs SecuringWikiService DisablingWikiService SecurelyConfiguringWikiServices ViewingWikiServiceLogs SecuringPodcastProducerService DisablingPodcastProducerService SecurelyConfiguringPodcastProducerService ViewingPodcastProducerServiceLogs Chapter15 233 234 234 235 235 236 237 237 238 239 240 241 241 245 245 250 SecuringMailService DisablingMailService ConfiguringMailServiceforSSL EnablingSecureMailTransportwithSSL EnablingSecurePOPAuthentication ConfiguringSSLTransportforPOPConnections EnablingSecureIMAPAuthentication ConfiguringSSLTransportforIMAPConnections EnablingSecureSMTPAuthentication ConfiguringSSLTransportforSMTPConnections UsingACLsforMailServiceAccess LimitingJunkMailandViruses ConnectionControl FilteringSMTPConnections MailScreening ViewingMailServiceLogs Chapter16 251 252 252 253 253 SecuringAntivirusServices SecurelyConfiguringandManagingAntivirusServices EnablingVirusScanning ManagingClamAVwithClamXav ViewingAntivirusServicesLogs Chapter17 254 254 254 254 255 255 SecuringFileServicesandSharepoints SecurityConsiderations RestrictingAccesstoFileServices RestrictingAccesstoEveryone RestrictingAccesstoNFSSharePoints RestrictingGuestAccess Contents 255 256 256 257 258 259 262 263 264 265 265 267 267 268 268 RestrictingFilePermissions ProtocolSecurityComparison DisablingFileSharingServices ChoosingaFileSharingProtocol ConfiguringAFPFileSharingService ConfiguringFTPFileSharingService ConfiguringNFSFileSharingService ConfiguringSMBFileSharingService ConfiguringSharePoints DisablingSharePoints RestrictingAccesstoaSharePoint AFPSharePoints SMBSharePoints FTPSharePoints NFSSharePoints Chapter18 271 272 272 273 274 276 278 278 279 280 280 280 281 282 282 282 283 SecuringWebService DisablingWebService ManagingWebModules DisablingWebOptions UsingRealmstoControlAccess EnablingSecureSocketsLayer(SSL) UsingaPassphrasewithSSLCertificates ViewingWebServiceLogs SecuringWebDAV SecuringBlogServices DisablingBlogServices SecurelyConfiguringBlogServices SecuringTomcat SecuringMySQL DisablingMySQLService SettingUpMySQLService ViewingMySQLServiceandAdminLogs Chapter19 284 284 285 287 288 289 291 292 293 SecuringClientConfigurationManagementServices ManagingApplicationsPreferences ControllingUserAccesstoApplicationsandFolders AllowingSpecificDashboardWidgets DisablingFrontRow AllowingLegacyUserstoOpenApplicationsandFolders ManagingDockPreferences ManagingEnergySaverPreferences ManagingFinderPreferences Contents 11 12 295 298 299 301 302 303 303 304 306 307 308 308 309 310 ManagingLoginPreferences ManagingMediaAccessPreferences ManagingMobilityPreferences ManagingNetworkPreferences ManagingParentalControlsPreferences HidingProfanityinDictionary PreventingAccesstoAdultWebsites AllowingAccessOnlytoSpecificWebsites SettingTimeLimitsandCurfewsonComputerUsage ManagingPrintingPreferences ManagingSoftwareUpdatePreferences ManagingAccesstoSystemPreferences ManagingUniversalAccessPreferences EnforcingPolicy Chapter20 311 311 311 312 314 SecuringNetBootService SecuringNetBootService DisablingNetBootService LimitNetBootServiceClients ViewingNetBootServiceLogs Chapter21 315 315 316 317 SecuringSoftwareUpdateService DisablingSoftwareUpdateService LimitingAutomaticUpdateAvailability ViewingSoftwareUpdateServiceLogs Chapter22 318 318 319 319 321 322 323 SecuringNetworkAccounts AboutOpenDirectoryandActiveDirectory SecuringDirectoryAccounts ConfiguringDirectoryUserAccounts ConfiguringGroupAccounts ConfiguringComputerGroups ControllingNetworkViews Chapter23 324 325 325 326 327 329 329 330 331 SecuringDirectoryServices OpenDirectoryServerRoles ConfiguringtheOpenDirectoryServicesRole StartingKerberosAfterSettingUpanOpenDirectoryMaster ConfiguringOpenDirectoryforSSL ConfiguringOpenDirectoryPolicies SettingtheGlobalPasswordPolicy SettingaBindingPolicyforanOpenDirectoryMasterandReplicas SettingaSecurityPolicyforanOpenDirectoryMasterandReplicas Contents Chapter24 333 333 334 334 335 335 SecuringRADIUS DisablingRADIUS SecurelyConfiguringRADIUSService ConfiguringRADIUStoUseCertificates EditingRADIUSAccess ViewingRADIUSServiceLogs Chapter25 337 337 338 338 339 340 342 SecuringPrintService DisablingPrintService SecuringPrintService ConfiguringPrintServiceAccessControlLists(SACLs) ConfiguringKerberos ConfiguringPrintQueues ViewingPrintServiceandQueueLogs Chapter26 344 344 345 346 347 347 348 348 349 353 SecuringMultimediaServices DisablingQTSS SecurelyConfiguringQTSS ConfiguringaStreamingServer ServingStreamsThroughFirewallsUsingPort80 StreamingThroughFirewallsorNetworkswithAddressTranslation ChangingthePasswordRequiredtoSendanMP3BroadcastStream UsingAutomaticUnicast(Announce)withQTSSonaSeparateComputer ControllingAccesstoStreamedMedia ViewingQTSSLogs Chapter27 354 354 355 355 356 356 357 357 357 358 359 SecuringGridandClusterComputingServices UnderstandingXgridService DisablingXgridService AboutAuthenticationMethodsforXgrid SingleSign-On Password-BasedAuthentication NoAuthentication SecurelyConfiguringXgridService DisablingtheXgridAgent LimitingtheXgridAgent ConfiguringanXgridController Chapter28 361 361 ManagingWhoCanObtainAdministrativePrivileges(sudo) ManagingthesudoersFile Chapter29 363 363 363 ManagingAuthorizationThroughRights UnderstandingthePolicyDatabase TheRightsDictionary Contents 13 14 365 366 366 366 366 Rules ManagingAuthorizationRights CreatinganAuthorizationRight ModifyinganAuthorizationRight ExampleAuthorizationRestrictions Chapter30 368 368 369 370 370 370 371 372 372 372 373 374 375 375 376 376 377 377 378 378 379 MaintainingSystemIntegrity UsingDigitalSignaturestoValidateApplicationsandProcesses ValidatingApplicationBundleIntegrity ValidatingRunningProcesses AuditingSystemActivity InstallingAuditingTools EnablingAuditing SettingAuditMechanisms UsingAuditingTools UsingtheauditTool UsingtheauditreduceTool UsingtheprauditTool DeletingAuditRecords AuditControlFiles ManagingandAnalyzingAuditLogFiles UsingActivityAnalysisTools ValidatingSystemLogging Configuringsyslogd LocalSystemLogging RemoteSystemLogging ViewingLogsinServerAdmin AppendixA 380 380 380 381 382 382 382 383 383 383 384 385 385 386 387 UnderstandingPasswordsandAuthentication PasswordTypes AuthenticationandAuthorization OpenDirectoryPasswords ShadowPasswords CryptPasswords OfflineAttacksonPasswords PasswordGuidelines CreatingComplexPasswords UsinganAlgorithmtoCreateaComplexPassword SafelyStoringYourPassword PasswordMaintenance AuthenticationServices DeterminingWhichAuthenticationOptiontoUse PasswordPolicies Contents 387 388 389 AppendixB 390 390 391 391 392 393 393 393 393 394 394 394 394 395 395 395 395 396 396 396 396 397 397 397 397 398 398 398 398 398 399 399 399 400 400 401 401 401 402 SingleSign-OnAuthentication KerberosAuthentication SmartCardAuthentication SecurityChecklist InstallationActionItems HardwareandCoreSnowLeopardServerActionItems GlobalSettingsforSnowLeopardServerActionItems AccountConfigurationActionItems SystemSoftwareActionItems MobileMePreferencesActionItems AccountsPreferencesActionItems AppearancePreferencesActionItems BluetoothPreferencesActionItems CDs&DVDsPreferencesActionsItems Exposé&SpacesPreferencesActionItems Date&TimePreferencesActionItems Desktop&ScreenSaverPreferencesActionItems DisplayPreferencesActionItems DockPreferencesActionItems EnergySaverPreferencesActionItems KeyboardandMousePreferencesActionItems NetworkPreferencesActionItems Print&FaxPreferencesActionItems QuickTimePreferencesActionItems SecurityPreferencesActionItems SharingPreferencesActionItems SoftwareUpdatePreferencesActionItems SoundPreferencesActionItems SpeechPreferencesActionItems SpotlightPreferencesActionItems StartupDiskPreferencesActionItems TimeMachinePreferencesActionItems DataMaintenanceandEncryptionActionItems AccountPoliciesActionItems SharePointsActionItems AccountConfigurationActionItems ApplicationsPreferencesActionItems DockPreferencesActionItems EnergySaverPreferencesActionItems FinderPreferencesActionItems LoginPreferencesActionItems MediaAccessPreferencesActionItems Contents 15 16 403 403 403 404 404 404 405 405 405 407 407 407 407 408 408 408 408 409 410 410 410 411 411 412 412 412 413 413 413 414 MobilityPreferencesActionItems NetworkPreferencesActionItems PrintingPreferencesActionItems SoftwareUpdatePreferencesActionItems AccesstoSystemPreferencesActionItems UniversalAccessPreferencesActionItems CertificatesActionItems GeneralProtocolsandServiceAccessActionItems RemoteAccessServicesActionItems NetworkandHostAccessServicesActionItems IPv6ProtocolActionItems DHCPServiceActionItems DNSServiceActionItems FirewallServiceActionItems NATServiceActionItems BonjourServiceActionItems CollaborationServicesActionItems MailServiceActionItems FileServicesActionItems AFPFileSharingServiceActionItems FTPFileSharingServiceActionItems NFSFileSharingServiceActionItems SMBActionItems WebServiceActionItems ClientConfigurationManagementServicesActionItems DirectoryServicesActionItems PrintServiceActionItems MultimediaServicesActionItems GridandClusterComputingServicesActionItems ValidatingSystemIntegrityActionItems AppendixC 415 Scripts Index 445 Contents AboutThisGuide UsethisguideasanoverviewofMacOSXv10.6 SnowLeopardServersecurityfeaturesthatcanenhance securityonyourcomputer. ThisguidegivesinstructionsforsecuringSnowLeopardServer,andforsecurely managingserversandclientsinanetworkedenvironment.Italsoprovidesinformation aboutthemanyrolesSnowLeopardServercanassumeinanetwork. Audience AdministratorsofservercomputersrunningSnowLeopardServeraretheintended audienceforthisguide. Ifyou’reusingthisguide,youshouldbeanexperiencedSnowLeopardServeruser,be familiarwiththeWorkgroupManagerandServerAdminapplications,andhaveatleast someexperienceusingtheTerminalapplication’scommand-lineinterface. Youshouldalsohaveexperienceadministeringanetwork,befamiliarwithbasic networkingconcepts,andbefamiliarwiththeSnowLeopardServeradministration guides. Someinstructionsinthisguidearecomplex,anddeviationfromthemcouldresultin seriousadverseeffectsontheserveranditssecurity.Theseinstructionsshouldonlybe usedbyexperiencedSnowLeopardServeradministrators,andshouldbefollowedby thoroughtesting. What’sinThisGuide Thisguideexplainshowtosecureserversandsecurelymanageserverandclient computersinanetworkedenvironment.Itdoesnotprovideinformationabout securingclients.ForhelpwithsecuringcomputersrunningSnowLeopard,see MacOSXSecurityConfiguration. Thisguidecannotcoverallpossiblenetworkconfigurationsinwhich SnowLeopardServermightbeused.Goodnetworksecurityanddesignmustbeused forthisinformationtobeeffective,andanyoneusingthisguideneedstobefamiliar withUNIXsecuritybasics,suchassettingfilepermissions. PrefaceAboutThisGuide 17 Thisguideincludesthefollowingchapters,arrangedintheorderthatyou’relikelyto needthemwhensecurelyconfiguringaserver.  Chapter1,“IntroductiontoSnowLeopardServerSecurityArchitecture,”provides anoverviewofthesecurityarchitectureandfeaturesofSnowLeopardServer.This chapterdescribesthesecurityframework,accesspermissions,built-insecurity services,anddirectoryservices.  Chapter2,“InstallingSnowLeopardServer,”describeshowtosecurelyinstall SnowLeopardServerlocallyorremotely.Thischapteralsoincludesinformation aboutupdatingsystemsoftware,repairingdiskpermissions,andsecurelyerasing data.  Chapter3,“SecuringSystemHardware,”describeshowtophysicallyprotectyour hardwarefromattacks.  Chapter4,“SecuringGlobalSystemSettings,”describeshowtosecuresettingsthat affectallusersofthecomputer.  Chapter5,“SecuringLocalServerAccounts,”describesthetypesofuseraccountsand howtosecurelyconfigureanaccount.Thisincludessecuringaccountsusingstrong authentication.  Chapter6,“SecuringSystemPreferences,”helpsyouconfigurelocalserveraccounts securely.Thisincludesthesecureconfigurationoflocalsystempreferences,setting upstrongauthenticationandcredentialstorage,andsecuringdata.  Chapter7,“SecuringSystemSwapandHibernationStorage,”describeshowtoscrub yoursystemswapandhibernationspaceofsensitiveinformation.  Chapter8,“SecuringDataandUsingEncryption,”describeshowtoencryptdataand howtouseSecureErasetoensureolddataiscompletelyremoved.  Chapter9,“ManagingCertificates,”describeshowtogenerate,request,anddeploy certificates.  Chapter10,“SettingGeneralProtocolsandAccesstoServices,”helpsyouconfigure generalnetworkmanagementprotocolsandrestrictaccesstootherservices.  Chapter11,“SecuringRemoteAccessServices,”tellsyouhowtocreateremote connectionstoyourserverusingencryption.  Chapter12,“SecuringNetworkInfrastructureServices,”explainshowtoconnect clientcomputersandconfigureafirewall.  Chapter13,“ConfiguringtheFirewall,”describeshowtoconfiguretheIPFW2firewall.  Chapter14,“SecuringCollaborationServices,”describeshowtosecurelyconfigure iChat,iCal,Wiki,andPodcastProducerservices.  Chapter15,“SecuringMailService,”explainshowtosetupmailservicetouse encryptionandfilterforspamandviruses.  Chapter16,“SecuringAntivirusServices,”describeshowtoenableandmanage antivirusservicestoprotectyourmailandfiles. 18 PrefaceAboutThisGuide  Chapter17,“SecuringFileServicesandSharepoints,”explainshowtoconfigurefile servicestoenablesecuredatasharing.  Chapter18,“SecuringWebService,”describeshowtosetupawebserverandsecure websettingsandcomponents.  Chapter19,“SecuringClientConfigurationManagementServices,”helpsyouset policiesandenforcethemusingWorkgroupManager.  Chapter20,“SecuringNetBootService,”tellsyouhowtoconfigureNetBootsecurely toprovideimagestoclients.  Chapter21,“SecuringSoftwareUpdateService,”describeshowtosecurelyconfigure softwareupdateservices.  Chapter22,“SecuringNetworkAccounts,”describessecuritysettingsrelatedto manageduserandgroupaccounts.  Chapter23,“SecuringDirectoryServices,”explainshowtoconfigureOpenDirectory servicerolesandpasswordpolicies.  Chapter24,“SecuringRADIUS,”tellshowtosecurelyconfigureRADIUS.  Chapter25,“SecuringPrintService,”explainshowtosetupprintqueuesandbanner pages.  Chapter26,“SecuringMultimediaServices,”providessecurityinformationto configureastreamingserver.  Chapter27,“SecuringGridandClusterComputingServices,”explainshowtosecurely configureanXgridagentandcontroller.  Chapter28,“ManagingWhoCanObtainAdministrativePrivileges(sudo),”describes howtorestrictaccesstothesudocommand.  Chapter29,“ManagingAuthorizationThroughRights,”explainsthepolicydatabase andhowtocontrolauthorizationbymanagingrightsinthepolicydatabase.  Chapter30,“MaintainingSystemIntegrity,”describeshowtousesecurityauditsand loggingtovalidatetheintegrityofyourserveranddata.  AppendixA,“UnderstandingPasswordsandAuthentication,”describesOpen Directoryauthentication,shadowandcryptpasswords,Kerberos,LDAPbind,and singlesign-on.  AppendixB,“SecurityChecklist,”providesachecklistthatguidesyouthrough securingyourserver.  AppendixC,“Scripts,”providescommand-linecommandsandscriptsforsecuring yourserver. Note:BecauseApplefrequentlyreleasesnewversionsandupdatestoitssoftware, imagesshowninthisbookmightbedifferentfromwhatyouseeonyourscreen. PrefaceAboutThisGuide 19 UsingThisGuide Thefollowinglistcontainssuggestionsforusingthisguide:  Readtheguideinitsentirety.Subsequentsectionsmightbuildoninformationand recommendationsdiscussedinpriorsections.  Theinstructionsinthisguideshouldalwaysbetestedinanonoperational environmentbeforedeployment.Thisnonoperationalenvironmentshouldsimulate, asmuchaspossible,theenvironmentwherethecomputerwillbedeployed.  ThisinformationisintendedforcomputersrunningSnowLeopardServer.Before securelyconfiguringaserver,determinewhatfunctionthatparticularserverwill performandapplysecurityconfigurationswhereapplicable.  UsethesecuritychecklistinAppendixBtotrackandrecordeachsecuritytaskand notewhatsettingsyouchanged.Thisinformationcanbehelpfulwhendeveloping asecuritystandardwithinyourorganization. Important:Anydeviationfromthisguideshouldbeevaluatedtodeterminewhat securityrisksitmightintroduce.Takemeasurestomonitorormitigatethoserisks. UsingOnscreenHelp YoucangettaskinstructionsonscreeninHelpViewerwhileyou’remanaging SnowLeopardServer.Youcanviewhelponaserveroranadministratorcomputer. (AnadministratorcomputerisacomputerrunningSnowLeopardServerwiththe serveradministrationtoolsinstalled) TogethelpforanadvancedconfigurationofSnowLeopardServer: m OpenServerAdminorWorkgroupManagerandthen:  UsetheHelpmenutosearchforataskyouwanttoperform.  ChooseHelp>ServerAdminHelporHelp>WorkgroupManagerHelptobrowse andsearchthehelptopics. Theonscreenhelpcontainsinstructionstakenfromtheadvancedadministration guidesdescribedin“SnowLeopardServerAdministrationGuides,”next. Toseethemostrecentserverhelptopics: m MakesuretheserveroradministratorcomputerisconnectedtotheInternetwhile you’regettinghelp. HelpViewerautomaticallyretrievesandcachesthemostrecentserverhelptopics fromtheInternet.WhennotconnectedtotheInternet,HelpViewerdisplayscached helptopics. 20 PrefaceAboutThisGuide SnowLeopardServerAdministrationGuides GettingStartedcoversinstallationandsetupforstandardandworkgroupconfigurations ofSnowLeopardServer.Foradvancedconfigurations,AdvancedServerAdministration coversplanning,installation,setup,andgeneralserveradministration. Asuiteofadditionalguidescoversadvancedplanning,setup,andmanagement ofindividualservices.YoucangettheseguidesinPDFformatfromthe SnowLeopardServerdocumentationwebsite: www.apple.com/server/macosx/resources/documentation.html ViewingPDFGuidesonScreen WhilereadingthePDFversionofaguideonscreen:  Showbookmarkstoseetheguide’soutline,andclickabookmarktojumptothe correspondingsection.  Searchforawordorphrasetoseealistofplaceswhereitappearsinthedocument. Clickalistedplacetoseethepagewhereitoccurs.  Clickacross-referencetojumptothereferencedsection.Clickaweblinktovisitthe websiteinyourbrowser. PrintingPDFGuides Ifyouwanttoprintaguide,youcantakethesestepstosavepaperandink:  Saveinkortonerbynotprintingthecoverpage.  SavecolorinkonacolorprinterbylookinginthepanesofthePrintdialogforan optiontoprintingraysorblackandwhite.  Reducethebulkoftheprinteddocumentandsavepaperbyprintingmorethan onepagepersheetofpaper.InthePrintdialog,changeScaleto115%(155%for GettingStarted).ThenchooseLayoutfromtheuntitledpop-upmenu.Ifyourprinter supportstwo-sided(duplex)printing,selectoneoftheTwo-Sidedoptions. Otherwise,choose2fromthePagesperSheetpop-upmenu,andoptionallychoose SingleHairlinefromtheBordermenu.(Ifyou’reusingMacOSXv10.4Tigeror earlier,theScalesettingisinthePageSetupdialogandtheLayoutsettingsarein thePrintdialog.) Youmaywanttoenlargetheprintedpagesevenifyoudon’tprintdoublesided,because thePDFpagesizeissmallerthanstandardprinterpaper.InthePrintdialogorPageSetup dialog,trychangingScaleto115%(155%forGettingStarted,whichhasCD-sizepages). PrefaceAboutThisGuide 21 GettingDocumentationUpdates Periodically,Applepostsrevisedhelppagesandneweditionsofguides.Somerevised helppagesupdatethelatesteditionsoftheguides.  Toviewnewonscreenhelptopicsforaserverapplication,makesureyourserveror administratorcomputerisconnectedtotheInternetandclick“Latesthelptopics”or “Stayingcurrent”inthemainhelppagefortheapplication.  TodownloadthelatestguidesinPDFformat,gototheMacOSXServer documentationwebsite: www.apple.com/server/resources/  AnRSSfeedlistingthelatestupdatestoMacOSXServerdocumentationand onscreenhelpisavailable.ToviewthefeeduseanRSSreaderapplication,suchas SafariorMail: feed://helposx.apple.com/rss/snowleopard/serverdocupdates.xml GettingAdditionalInformation Formoreinformation,consulttheseresources:  ReadMedocuments—getimportantupdatesandspecialinformation.Lookforthem ontheserverdiscs.  MacOSXServerwebsite(www.apple.com/server/macosx)—enterthegatewayto extensiveproductandtechnologyinformation.  SnowLeopardServerSupportwebsite(www.apple.com/support/macosxserver)— accesshundredsofarticlesfromApple’ssupportorganization.  AppleDiscussionswebsite(discussions.apple.com)—sharequestions,knowledge,and advicewithotheradministrators.  AppleMailingListswebsite(www.lists.apple.com)—subscribetomailinglistssoyou cancommunicatewithotheradministratorsusingemail.  AppleTrainingandCertificationwebsite(www.apple.com/training)—honeyourserver administrationskillswithinstructor-ledorself-pacedtraining,anddifferentiate yourselfwithcertification.  AppleProductSecurityMailingListswebsite(lists.apple.com/mailman/listinfo/securityannounce/)—Mailinglistsforcommunicatingbyemailwithotheradministrators aboutsecuritynotificationsandannouncements.  OpenSourcewebsite(developer.apple.com/darwin/)—AccesstoDarwinopensource code,developerinformation,andFAQs.  AppleProductSecuritywebsite(www.apple.com/support/security/)—Accessto securityinformationandresources,includingsecurityupdatesandnotifications. 22 PrefaceAboutThisGuide Foradditionalsecurity-specificinformation,consulttheseresources:  NSAsecurityconfigurationguides(www.nsa.gov/snac/)—TheNationalSecurity Agency(NSA)providesinformationaboutsecurelyconfiguringproprietaryandopen sourcesoftware.  NISTSecurityConfigurationChecklistsRepository(checklists.nist.gov/repository/ category.html)—ThisistheNationalInstituteofStandardsandTechnology(NIST) repositoryforsecurityconfigurationchecklists.  DISASecurityTechnicalImplementationGuide(www.disa.mil/gs/dsn/policies.html)— ThisistheDefenseInformationSystemsAgency(DISA)guideforimplementing securegovernmentnetworks.ADepartmentofDefense(DoD)PKICertificateis requiredtoaccessthisinformation.  CISBenchmarkandScoringTool(www.cisecurity.org/bench_osx.html)—Thisisthe CenterforInternetSecurity(CIS)benchmarkandscoringtoolusedtoestablishCIS benchmarks. Acknowledgments ApplewouldliketothanktheNSA,NIST,andDISAfortheirassistanceincontributing tothesecurityconfigurationguidesforSnowLeopardandSnowLeopardServer. PrefaceAboutThisGuide 23 1 Introductionto SnowLeopardServerSecurity Architecture 1 Usethischaptertolearnaboutthefeaturesin SnowLeopardServerthatcanenhancesecurityon yourcomputer Whetheryou’reahomeuserwithabroadbandInternetconnection,aprofessionalwith amobilecomputer,oranITmanagerwiththousandsofnetworkedsystems,youneed tosafeguardtheconfidentialityofinformationandtheintegrityofyourcomputers. WithSnowLeopardServer,asecuritystrategyisimplementedthatiscentraltothe designoftheoperatingsystem.Toenhancesecurityonyourcomputer, SnowLeopardServerprovidesthefollowingfeatures.  Modernsecurityarchitecture.SnowLeopardincludesstate-of-the-art,standardsbasedtechnologiesthatenableAppleandthird-partydeveloperstobuildsecure softwarefortheMac.Thesetechnologiessupportallaspectsofsystem,data,and networkingsecurityrequiredbytoday’sapplications.  Securedefaultsettings.WhenyoutakeyourMacoutofthebox,itissecurely configuredtomeettheneedsofmostcommonenvironments,soyoudon’tneed tobeasecurityexperttosetupyourcomputer.Thedefaultsettingsmakeitvery difficultformalicioussoftwaretoinfectyourcomputer.Youcanfurtherconfigure securityonthecomputertomeetorganizationaloruserrequirements.  Innovativesecurityapplications.SnowLeopardincludesfeaturesthattakethe worryoutofusingacomputer.Forexample,FileVaultprotectsyourdocuments byusingstrongencryption,anintegratedVPNclientgivesyousecureaccessto networksovertheInternet,andapowerfulfirewallsecuresyourhomenetwork.  Opensourcefoundation.OpensourcemethodologymakesSnowLeopardarobust, secureoperatingsystem,becauseitscorecomponentshavebeensubjectedtopeer reviewfordecades.ProblemscanbequicklyidentifiedandfixedbyAppleandthe largeropensourcecommunity. 24  Rapidresponse.Becausethesecurityofyourcomputerisimportant,Apple respondsrapidlytoprovidepatchesandupdates.Appleworkswithworldwide partners,includingtheComputerEmergencyResponseTeam(CERT),tonotify usersofpotentialthreats.Ifvulnerabilitiesarediscovered,thebuilt-inSoftware Updatetoolnotifiesusersofsecurityupdates,whichareavailableforeasy retrievalandinstallation. SecurityArchitecturalOverview SnowLeopardServersecurityservicesarebuiltontwoopensourcestandards:  BerkeleySoftwareDistribution(BSD):BSDisaformofUNIXthatprovides fundamentalservices,includingtheSnowLeopardServerfilesystemandfile accesspermissions.  CommonDataSecurityArchitecture(CDSA):CDSAprovidesanarrayofsecurity services,includingmorespecificaccesspermissions,authenticationofuseridentities, encryption,andsecuredatastorage. UNIXInfrastructure TheSnowLeopardServerkernel—theheartoftheoperatingsystem—isbuiltfrom BSDandMach. Amongotherthings,BSDprovidesbasicfilesystemandnetworkingservicesand implementsauserandgroupidentificationscheme.BSDenforcesaccessrestrictions tofilesandsystemresourcesbasedonuserandgroupIDs. Machprovidesmemorymanagement,threadcontrol,hardwareabstraction,and interprocesscommunication.Machenforcesaccessbycontrollingwhichtaskscan sendamessagetoaMachport.(AMachportrepresentsataskorsomeother resource.)BSDsecuritypoliciesandMachaccesspermissionsconstituteanessential partofsecurityinSnowLeopardServer,andarecriticaltoenforcinglocalsecurity. AccessPermissions Animportantaspectofcomputersecurityisthegrantingordenyingofaccess permissions(sometimescalledaccessrights).Apermissionistheabilitytoperform aspecificoperation,suchasgainingaccesstodataortoexecutecode. Permissionsaregrantedattheleveloffolders,subfolders,files,orapplications. Permissionsarealsograntedforspecificdatainfilesorapplicationfunctions. PermissionsinSnowLeopardServerarecontrolledatmanylevels,fromtheMach andBSDcomponentsofthekernelthroughhigherlevelsoftheoperatingsystem, and—fornetworkedapplications—throughnetworkprotocols. Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture 25 AuthorizationVersusAuthentication Authorizationistheprocessbywhichanentity,suchasauseroracomputer,obtains therighttoperformarestrictedoperation.Authorizationcanalsorefertotheright itself,asin“Annehastheauthorizationtorunthatprogram.”Authorizationusually involvesauthenticatingtheentityandthendeterminingwhetherithasthecorrect permissions. Authenticationistheprocessbywhichanentity(suchastheuser)demonstratesthat theyarewhotheysaytheyare.Forexample,theuser,enteringapasswordwhichonly heorshecouldknow,allowsthesystemtoauthenticatethatuser.Authenticationis normallydoneasastepintheauthorizationprocess.Someapplicationsandoperating systemcomponentsperformtheirownauthentication.Authenticationmightuse authorizationserviceswhennecessary. SecurityFramework ThesecurityframeworkinSnowLeopardisanimplementationoftheCDSA architecture.Itcontainsanexpandablesetofcryptographicalgorithmstoperform codesigningandencryptionoperationswhilemaintainingthesecurityofthe cryptographickeys.ItalsocontainslibrariesthatallowtheinterpretationofX.509 certificates. TheCDSAcodeisusedbySnowLeopardfeaturessuchasKeychainandURLAccess forprotectionoflogindata. ApplebuiltthefoundationofSnowLeopardandmanyofitsintegratedserviceswith opensourcesoftware—suchasFreeBSD,Apache,andKerberos,amongothers—that hasbeenmadesecurethroughyearsofpublicscrutinybydevelopersandsecurity expertsaroundtheworld. Strongsecurityisabenefitofopensourcesoftwarebecauseanyonecaninspect thesourcecode,identifytheoreticalvulnerabilities,andtakestepstostrengthen thesoftware. Appleactivelyparticipateswiththeopensourcecommunitybyroutinelyreleasing updatesofSnowLeopardServerthataresubjecttoindependentdevelopers’ongoing review—andbyincorporatingimprovements.Anopensourcesoftwaredevelopment approachprovidesthetransparencynecessarytoincreaseSnowLeopardServer security. 26 Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture LayeredSecurityDefense SnowLeopardServersecurityisbuiltonalayereddefenseformaximumprotection. Securityfeaturessuchasthefollowingprovidesolutionsforsecuringdataatalllevels, fromtheoperatingsystemandapplicationstonetworksandtheInternet. Secure Worldwide Communication Secure Applications Secure Network Protocols Security Services Secure Boot/”Lock Down” Internet Applications Network Operating System Hardware  Secureworldwidecommunication:Firewallandmailfilteringhelpprevent malicioussoftwarefromcompromisingyourcomputer.  Secureapplications:EncryptedDiskImagesandFileVaulthelppreventintruders fromviewingdataonyourcomputer.  Securenetworkprotocols:SecureSocketsLayer(SSL)isaprotocolthat helpspreventintrudersfromviewinginformationexchangeacrossanetwork, andKerberossecurestheauthenticationprocess,andafirewallprevents unauthorizedaccesstoacomputerornetwork.  SecurityServices:Authenticationusingkeychains,togetherwithPOSIXandACL permissions,helpspreventintrudersfromusingyourapplicationsandaccessing yourfiles.  Securebootandlockdown:TheFirmwarePasswordUtilityhelpspreventpeople whocanaccessyourhardwarefromgainingroot-levelaccesspermissionstoyour computerfiles. NetworkSecurity SecureTransportisusedtoimplementSSLandTransportLayerSecurity(TLS)protocols. TheseprotocolsprovidesecurecommunicationsoveraTCP/IPconnectionsuchas theInternetbyusingencryptionandcertificateexchange.Afirewallcanthen filtercommunicationoveraTCP/IPconnectionbypermittingordenyingaccessto acomputeroranetwork. Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture 27 CredentialManagement Akeychainisusedtostorepasswords,keys,certificates,andotherdataplacedinthe keychainbyauser.Duetothesensitivenatureofthisinformation,keychainsuse cryptographytoencryptanddecryptsecrets,andtheysafelystoresecretsandrelated datainfiles. SnowLeopardServerKeychainservicesenableyoutocreatekeychainsandsecurely storekeychainitems.Afterakeychainiscreated,youcanadd,delete,andeditkeychain items,suchaspasswords,keys,certificates,andnotesforusers. Ausercanunlockakeychainthroughauthentication(byusingapassword,digital token,smartcard)andapplicationscanthenusethatkeychaintostoreandretrieve data,suchaspasswords. PublicKeyInfrastructure(PKI) ThePublicKeyInfrastructure(PKI)includescertificate,key,andtrustservicesinclude functionsto:  Create,manage,andreadcertificates  Addcertificatestoakeychain  Createencryptionkeys  Managetrustpolicies ThesefunctionsareusedwhentheservicescallCommonSecurityServiceManager (CSSM)functions.Thisistransparenttousers. 28 Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture What’sNewinSnowLeopardServerSecurity SnowLeopardServeroffersthefollowingmajorsecurityenhancements:  Increasedsecurityformemoryandprotection:SnowLeopardServerrunning onthe64-bitchipimprovessupportformemoryandexecutableprotection againstarbitrarycodeexecution.Technologiessuchasexecutedisable,library randomization,andsandboxinghelppreventattacksthattrytohijackormodify thesoftwareonyourcomputer.  BetterTrojanhorseprotection:SnowLeopardServermaintainsprofilesforknown malicioussoftware,andpreventsitsdownloadthroughmanyapplications.  IncreasedVPNcompatibility:Virtualprivatenetwork(VPN)supporthasbeen enhancedtosupportCiscoIPSecVPNconnectionswithoutadditionalsoftware.  ImprovedCryptologytechnologies:SnowLeopardServerincludesEllipticalCurve Cryptography(ECC)supportinmostofitsencryptiontechnologies.  SupportforExtendedValidationCertificates:ExtendedValidation(EV)Certificates requirestheCertificateAuthoritytoinvestigatetheidentityofthecertificateholder beforeissuingacertificate.  SupportforwildcardsindomainsforKeychainAccessidentitypreferences:This allowsaclientcertificate-authenticatedconnectionstomultipleserversorpaths definedwithinasingleIDPref.  Updatedsecuritycommand-linetools:Thesecurityandnetworksetupcommandlinetoolshavebeenenhanced.  EnhancedSafari4.0security:Safarihasenhanceddetectionoffraudulentsites.It alsorunsmanybrowserplug-insasseparateprocessesforenhancedsecurityand stability. ExistingSecurityFeaturesinSnowLeopardServer SnowLeopardServercontinuestoincludethefollowingsecurityfeaturesand technologiestoenhancetheprotectionofyourcomputerandyourpersonal information.  Applicationsigning:Thisenablesyoutoverifytheintegrityandidentityof applicationsonyourMac.  Mandatoryaccesscontrol:Theseenforcerestrictionsonaccesstosystemresources.  Quarantinedapplications:MacOSXv10.6tagsandmarksdownloadedfileswith first-runwarningstohelppreventusersfrominadvertentlyrunningmalicious downloadedapplications.  Runtimeprotection:Technologiessuchasexecutedisable,libraryrandomization, andsandboxinghelppreventattacksthattrytohijackormodifythesoftwareon yoursystem. Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture 29  Meaningfulsecurityalerts:Whenusersreceivesecurityalertsandquestionstoo frequently,theymayfallintoreflexivemodewhenthesystemasksasecurity-related question,clickingOKwithoutthought.MacOSXv10.6minimizesthenumberof securityalertsthatyousee,sowhenyoudoseeone,itgetsyourattention. SignedApplications Bysigningapplications,yourMaccanverifytheidentityandintegrityofanapplication. ApplicationsshippedwithSnowLeopardServeraresignedbyApple.Inaddition, third-partysoftwaredeveloperscansigntheirsoftwarefortheMac.Applicationsigning doesn’tprovideintrinsicprotection,butitintegrateswithseveralotherfeaturesto enhancesecurity. Featuressuchasparentalcontrols,managedpreferences,Keychain,andthefirewalluse applicationsigningtoverifythattheapplicationstheyareworkingwitharethecorrect, unmodifiedversions. WithKeychain,theuseofsigningdramaticallyreducesthenumberofKeychaindialogs presentedtousersbecausethesystemcanvalidatetheintegrityofanapplicationthat usestheKeychain.Withparentalcontrolsandmanagedpreferences,thesystemuses signaturestoverifythatanapplicationrunsunmodified. Theapplicationfirewallusessignaturestoidentifyandverifytheintegrityof applicationsthataregrantednetworkaccess.Inthecaseofparentalcontrolsand thefirewall,unsignedapplicationsaresignedbythesystemonanadhocbasis toidentifythemandverifythattheyremainunmodified. MandatoryAccessControls SnowLeopardServerusesanaccesscontrolmechanismknownasmandatoryaccess controls.AlthoughtheMandatoryAccessControltechnologyisnotvisibletousers,itis includedinSnowLeopardServertoprotectyourcomputer. Mandatoryaccesscontrolsarepoliciesthatcannotbeoverridden.Thesepoliciesset securityrestrictionscreatedbythedeveloper.Thisapproachisdifferentfrom discretionaryaccesscontrolsthatpermituserstooverridesecuritypoliciesaccording totheirpreferences. MandatoryaccesscontrolsinSnowLeopardServeraren’tvisibletousers,butthey aretheunderlyingtechnologythathelpsenableseveralimportantnewfeatures, includingsandboxing,parentalcontrols,managedpreferences,andasafetynet featureforTimeMachine. 30 Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture TimeMachineillustratesthedifferencebetweenmandatoryaccesscontrolsandthe userprivilegemodel—itallowsfileswithinTimeMachinebackupstobedeletedonly byprogramsrelatedtoTimeMachine.Fromthecommandline,nouser—noteven oneloggedinasroot—candeletefilesinaTimeMachinebackup. TimeMachineusesthisstrictpolicybecauseitutilizesfilesystemfeaturesin SnowLeopardServer.Thepolicypreventscorruptioninthebackupdirectoryby preventingtoolsfromdeletingfilesfrombackupsthatmaynotrecognizethenewfile systemfeatures. Mandatoryaccesscontrolsareintegratedwiththeexecsystemservicetopreventthe executionofunauthorizedapplications.Thisisthebasisforapplicationcontrolsin parentalcontrolsinSnowLeopardandmanagedpreferencesinSnowLeopardServer. Mandatoryaccesscontrolsenablestrongparentalcontrols.Inthecaseofthenew sandboxingfacility,mandatoryaccesscontrolsrestrictaccesstosystemresources asdeterminedbyaspecialsandboxingprofilethatisprovidedforeachsandboxed application.Thismeansthatevenprocessesrunningasrootcanhaveextremely limitedaccesstosystemresources. Sandboxing Sandboxinghelpsensurethatapplicationsdoonlywhatthey’reintendedtodoby placingcontrolsonapplicationsthatrestrictwhatfilestheycanaccess,whetherthe applicationscantalktothenetwork,andwhethertheapplicationscanbeusedto launchotherapplications. InSnowLeopardServer,manyofthesystem’shelperapplicationsthatnormally communicatewiththenetwork—suchasmDNSResponder(thesoftwareunderlying Bonjour)andtheKerberosKDC—aresandboxedtoguardthemfromabuseby attackerstryingtoaccessthesystem. Inaddition,otherprogramsthatroutinelytakeuntrustedinput(forinstance,arbitrary filesornetworkconnections),suchasXgridandtheQuickLookandSpotlight backgrounddaemons,aresandboxed. Sandboxingisbasedonthesystem’smandatoryaccesscontrolsmechanism,which isimplementedatthekernellevel.Sandboxingprofilesaredevelopedforeach applicationthatrunsinasandbox,describingpreciselywhichresourcesareaccessible totheapplication. Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture 31 ManagedUserAccounts Parentalcontrolsprovidecomputeradministratorswiththetoolstoenforcea reasonablelevelofrestrictionsforusersofthecomputer. AdministratoruserscanusefeatureslikeSimpleFindertolimitthelaunchingofaset ofapplicationsorcreateawhitelistofwebsitesthatuserscanvisit.However,ifan attackerhasphysicalaccesstothecomputerportssuchasUSBorFireWire,Parental controlscanbebypassedbymountingadiskimagethatcontainmalicioussoftware. Youcansecuretheseportsbydisablingthem.Forinformationaboutdisabling hardware,seeChapter3,“SecuringSystemHardware.” ThisisthekindofsimpleUIadministratorsofapublicusecomputerenvironmentcan usetorestrictaccesstoapplicationsorsitestokeepusersfromperformingmalicious activities.Itisnotafool-proofsecuritysystemforlocalusers. InSnowLeopardServer,youuseWorkgroupManagertomanagepreferencesforusers ofSnowLeopardsystems. EnhancedQuarantining ApplicationsthatdownloadfilesfromtheInternetorreceivefilesfromexternalsources (suchasmailattachments)canusetheQuarantinefeaturetoprovideafirstlineof defenseagainstmalicioussoftwaresuchasTrojanhorses.Whenanapplicationreceives anunknownfile,itaddsmetadata(quarantineattributes)tothefileusingfunctions foundinLaunchServices. FilesdownloadedusingSafari,Mail,andiChataretaggedwithmetadataindicating thattheyaredownloadedfilesandreferringtotheURL,date,andtimeofthe download.Thismetadataispropagatedfromarchivefilesthataredownloaded(such asZIPorDMGfiles)sothatanyfileextractedfromanarchiveisalsotaggedwith thesameinformation.Thismetadataisusedbythedownloadinspectortoprevent dangerousfiletypesfrombeingopenedunexpectedly. Thefirsttimeyoutrytorunanapplicationthathasbeendownloaded,Download Inspectorinspectsthefile,promptsyouwithawarningaskingwhetheryouwant toruntheapplication,anddisplaystheinformationonthedate,time,andlocation ofthedownload. Youcancontinuetoopentheapplicationorcanceltheattempt,whichisappropriate ifyoudon’trecognizeortrusttheapplication.Afteranapplicationisopened,this messagedoesnotappearagainforthatapplicationandthequarantineattributes arelifted. 32 Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture Thismechanismdramaticallyreducesthenumberofwarningsrelatedtodownloads thatyousee.Suchmessagesappearonlywhenyouattempttolaunchadownloaded application.Whenyoudoseeawarning,youaregivenusefulinformationaboutthe sourceofthedownloadthatcanhelpyoumakeaninformeddecisionaboutwhether toproceed. Thefileanditscontentsarealsoinspectedformalicioussoftware(malware).Ifmalware isdetected,adialogappearswiththenameofthemalwarethreatcontainedinthefile. ItwarnstheusertomovethefiletotheTrashorejecttheimageanddeletethesource filetopreventdamagetothecomputer.Malwarepatternsarecontinuallyupdated throughsoftwareupdates. MemoryandRuntimeProtection SnowLeopardServerrunningona64-bitchipsupportsmemoryandexecutable protection.Memoryexecutionpreventionworkstohinderspecifictypesofmalicious software,thosethatrelyonexecutingarbitrarycodefromanareawhichexpectedto containdataandnotcode. SnowLeopardhasthefollowing64-bitprotectionfeatures:no-executestack, noexecutedata,andno-executeheap.InSnowLeopard,no-executestackisavailable for32-and64-bitapplications.For64-bitprocesses,SnowLeopardprovidesprotection fromcodeexecutioninbothheapandstackdataareas.Stackprotectionisavailablefor both32-bitand64-bitprocesses.Itdetectscertaincasesofstackmemorycorruption whichcouldleadtoarbitrarycodeexecutionandterminatestheprocess. SnowLeopardServeralsohasLibraryRandomization.LibraryRandomizationuses shiftingmemorylocationsforoperatingsystemprocesseseachtimethesystemstarts up.Becauseanattackercannotdependonkeysystemprocessesrunninginknown memorylocations,itishardertocompromisetheoperatingsystem. SnowLeopardServeralsohasprocesssandboxing,whichisawayofrestrictingwhat kindsofactivitiesanapplicationcanperform. SecuringSharingandCollaborativeServices InSnowLeopardServer,youcanconfigureandsecuresharingservicesbyusingservice accesscontrollists(SACLs)andasecureconnection. ServiceAccessControlLists Youcanfurthersecuresharingservicesbyallowingaccessonlytousersthatyou specifiedinaserviceaccesscontrollists(SACLs).Youcancreateuseraccountsfor sharingbasedonexistinguseraccountsonthesystem,andforentriesinyouraddress book.SharingservicesbecomemoresecurewithSACLs. Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture 33 VPNCompatibilityandIntegration SnowLeopardServersupportsstandards-basedL2TP/IPSecandPPTPtunneling protocolstoprovideencryptedVPNconnectionsforMacandWindowssystems —andeveniPhone.TheseVPNservicesusesecureauthenticationmethods, includingMS-CHAPv2andnetwork-layerIPSec.Inaddition,theL2TPVPNserver canauthenticatedusersusingcredentialsfromaKerberosserver. TouseVPNserviceforusersinathird-partyLDAPdomain(anActiveDirectoryor LinuxOpenLDAPdomain),youmustbeabletouseKerberosauthentication.Ifyou needtouseMSCHAPv2toauthenticateusers,youcan’tofferVPNserviceforusers inathird-partyLDAPdomain. Apple’sVPNservercanauthenticateusingRSASecurity’sSecureID.Thisprovidesstrong two-factorauthentication.Ituseshardwareandsoftwaretokenstoverifyuseridentity. However,SecurIDauthenticationcannotbesetupfromServerAdminandrequires additionalmanualsetup. Built-inVPNClient InSnowLeopard,theVPNclientbuiltintoNetworkPreferencesincludessupport forCiscoGroupFilteringandDHCPoverPPPtodynamicallyacquireadditional configurationoptionssuchasstaticroutesandsearchdomains. Youcanalsousedigitalcertificatesandone-timepasswordtokensfromRSAor CRYPTOcardforauthenticationwiththeVPNclient.Theone-timepasswordtokens providearandomlygeneratedpasscodenumberthatmustbeenteredwiththe VPNpassword—agreatoptionforthosewhorequireextremelyrobustsecurity. Inaddition,theL2TPVPNclientcanbeauthenticatedusingcredentialsfromaKerberos server.Ineithercase,youcansavethesettingsforeachVPNserveryouroutinelyuseas alocation,soyoucanreconnectwithoutreconfiguringyoursystemeachtime. Apple’sL2TPVPNclientcanconnectyoutoprotectednetworksautomaticallybyusing itsVPN-on-demandfeature.VPN-on-demandcandetectwhenyouwanttoaccessa networkthatisprotectedbyaVPNserverandcanstarttheconnectionprocessforyou. ThismeansthatyoursecurityisincreasedbecauseVPNconnectionscanbeclosed whennotinuse,andyoucanworkmoreefficiently. InSnowLeopard,theVPNclientincludessupportforCiscoGroupFiltering.Italso supportsDHCPoverPPPtodynamicallyacquireadditionalconfigurationoptionssuch asStaticRoutesandSearchDomains. 34 Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture ImprovedCryptography SnowLeopardServerincludesEllipticalCurveCryptography(ECC)supportinmostof itsencryptiontechnologies.ECCencryptionisanadditionalmathematicalmodelfor generatingandreadingencryptionkeys.SnowLeopardsupportsEllipticCurveDigital SignatureAlgorithm(ECDSA)forsigningandkeyexchange. ECC-basedsignatureshavesizeandperformanceadvantages.AnECCkeyofagiven lengthcanbecryptographicallystrongerthanaDSAorRSAkeyofthesamelength. ThismeansthatasmallerECC-basedkey(andthereforeafasterkeytoprocess)canbe justasstrongasaverylongRSA-basedone. ECCissupportedinthefollowingareas:TLS/SSL,S/MIME,Apple'sCertificateAssistant, andApple'scerttool command-linetool. ExtendedValidationCertificates ExtendedValidation(EV)certificatesareaspecialtypeofX.509certificatethatrequires theCertificateAuthority(CA)toinvestigatetheidentityofthecertificateholderbefore theCAcanissuethecertificate. CAswhowanttoissueEVcertificatesmustprovideaninvestigationprocessthatpasses anindependentaudit,andalsoestablishesthelegalidentityandlegalclaimtothe domainnameofthecertificateapplicant. WildcardinIdentityPreferences WildcardscannowbeusedindomainsforKeychainAccessidentitypreferences.This allowsclientcertificate-authenticatedconnectionstomultipleserversorpathsdefined withinasingleIDPref. ThisisoftenusedwithcertificatesusedbyCommonAccessCards(CACs).Formore informationonSmartCards,see“SmartCardSupportforUnlockingEncryptedStorage” onpage36. EnhancedCommand-LineTools Thesecuritycommand-linetoolhasexpandedfunctionsinSnowLeopard. Additionally,networksetuphasbeenenhancedtohandleimportingandexporting 802.1XprofilesaswellassetaTLSidentityonauserprofile. Formoreinformation,seethetools’respectivemanpages. Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture 35 FileVaultandEncryptedStorage TheDiskUtilitytoolincludedinMacOSXenablesyoutocreateencrypteddisk images,soyoucansafelymailvaluabledocuments,files,andfolderstofriendsand colleagues,savetheencrypteddiskimagetoCDorDVD,orstoreitonthelocal systemoranetworkfileserver. FileVaultalsousesthissameencrypteddiskimagetechnologytoprotectuserfolders. EncryptedDiskImageCryptography Adiskimageisafilethatappearsasavolumeonyourharddisk.Itcanbecopied, moved,oropened.Whenthediskimageisencrypted,filesorfoldersplacedinitare encryptedusing128-bitorevenstronger256-bitAESencryption. Toseethecontentsofthediskimage,includingmetadatasuchasfilename,date, size,orotherproperties,ausermustenterthepasswordorhaveakeychainwiththe correctpassword. Thefileisdecryptedinrealtime,asitisused.Forexample,ifyouopenaQuickTime moviefromanencrypteddiskimage,MacOSXdecryptsonlytheportionofthemovie currentlyplaying. SmartCardSupportforUnlockingEncryptedStorage Smartcardsenableyoutocarrydigitalcertificateswithyou.WithSnowLeopardServer, youcanuseyoursmartcardwheneveranauthenticationdialogispresented. SnowLeopardServerhasthefollowingtokenmodulestosupportthisrobust, two-factorauthenticationmechanismandJavaCard2.1standards:     BelgiumNationalIdentificationCard(BELPIC) U.S.DepartmentofDefenseCommonAccessCard(CAC) JapanesegovernmentPKI(JPKI) U.S.FederalGovernment“PersonalIdentityVerification,alsocalledFIPS-201(PIV) Othercommercialsmartcardvendorsprovidetokenmodulestosupportintegrationof theirsmartcardwiththeSnowLeopardSmartCardarchitecture. SimilartoanATMcardandaPINcode,two-factorauthenticationreliesonsomething youhaveandsomethingyouknow.Ifyoursmartcardislostorstolen,itcannotbe usedunlessyourPINisalsoknown. 36 Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture SnowLeopardServerhasadditionalfunctionalityforsmartcarduse,suchas:  Locksystemonsmartcardremoval.YoucanconfigureyourMactolockthesystem whenyouremoveyoursmartcard.  Unlockkeychain.Whenyouinsertasmartcard,thekeychaincanbeunlockedand thenyourstoredinformationandcredentialscanbeused.  UnlockFileVault.YoucanuseasmartcardtounlockyourFileVaultencryptedhome directory.Youcanenablethisfunctionbyusingaprivatekeyonasmartcard. EnhancedSafari4.0Security Safarioffersseveralkindsofenhancedsecurityforwebbrowsing.Itsupportsthe built-inmalwarescanningfunction,sodownloadedfilesarecheckedforspecific TrojanHorseattacks. Safarialsoincludesafraudulentsitedetectionfeature.Itworkslikethis: Googlemaintainsablacklistofknownandhighly-suspectedmalware-transmittingsites andand“phishing”sites(harvestersofsensitivedata).Googleaddsahashofeachsite’s URLtoadatabasethatsomewebbrowserscanuseatsafebrowsing.clients.google.com. WhenSafarilaunches,itdownloadsanabbreviatedlistofthesesites’hashes.When younavigatetoawebsite,Safaricheckstheblacklist.Ifthewebsiteyou’reaccessing matchesahash,SafaricontactsGoogleforcompleteURLinformation.Ifitisapositive match,Safariwarnsyouthatyoumaybeattemptingtoaccessamalwaresiteor phishingsite. Safaristoresthedatainthefolderat/private/var/folders/infolderswithtwo-letter names.Thefullpathis/private/var/folders/xx/yy/-Caches-/com.apple.Safari,where“xx” and“yy”areuniquecodes.Whenyoufindthatfolder,you’llseetwofiles:Cache.db andSafeBrowsing.db. Chapter1IntroductiontoSnowLeopardServerSecurityArchitecture 37 2 InstallingSnowLeopardServer 2 Usethischaptertocustomizethedefaultinstallation ofSnowLeopardServerforyourspecificnetwork securityneeds. AlthoughthedefaultinstallationofMacOSXishighlysecure,youcancustomizeitfor yournetworksecurityneeds.Bysecurelyconfiguringthestagesoftheinstallationand understandingMacOSXpermissions,youcanhardenyourcomputertomatchyour securitypolicy. Important:Whenpossible,computersshouldremainisolatedfromtheoperational networkuntiltheyarecompletelyandsecurelyconfigured.Useanisolatedtest networkforinstallationandconfiguration. InstallationOverview DetailedinstructionsforSnowLeopardServerInstallationarefoundintheAdvanced ServerAdministrationguide.Thissectioncontainsbasicpracticesconsistantwith asecureinstallationofSnowLeopardServer. IfSnowLeopardServerwasalreadyinstalledonthecomputer,considerreinstallingit. ByreformattingthevolumeandreinstallingSnowLeopardServer,youavoid vulnerabilitiescausedbypreviousinstallationsorsettings. Becausesomerecoverabledatamightremainonthecomputer,securelyerasethe partitionyou’reinstallingSnowLeopardServeron.Formoreinformation,see“Securely ErasingaDiskforInstallation”onpage43. Ifyoudecideagainstsecurelyerasingthepartition,securelyerasefreespaceafter installingSnowLeopardServer.Formoreinformation,see“UsingDiskUtilityto SecurelyEraseFreeSpace”onpage160. 38 Thereareseveralwaystoinstalltheoperatingsystem,dependingonyourenvironment andinstallationstrategy.Ingeneral,allinstallationshaveafewcommonsteps:  Prepareanadministratorcomputer.  Setupnetworkinfrastructure.  Startupfromadiskotherthanthetargetvolume(forexample,theInstalltionDisc).  Preparethetargetdisk.  StarttheinstallationviaServerAssistant,commandline,orVNC.  Enablethefirewall,blockingallincomingconnections.  Applysoftwareupdatesandsecurityupdates.  Configuretheserverandsetupservices.  EnabletheFirmwarePassword. PreparinganAdministratorComputer Youcanuseanadministratorcomputertoinstall,setup,andadminister SnowLeopardServeronanothercomputer.Anadministratorcomputerisacomputer withSnowLeopardServerorSnowLeopardthatyouusetomanageremoteservers. YoucannotruntheserveradministrationtoolsfromaLeopardorLeopardServer computer. WhenyouinstallandsetupSnowLeopardServeronacomputerthathasadisplay andkeyboard,it’salreadyanadministratorcomputer.Tomakeacomputerwith SnowLeopardintoanadministratorcomputer,youmustinstalladditionalsoftware. Important:IfyouhaveadministrativeapplicationsandtoolsfromLeopardServeror earlier,donotusethemwithSnowLeopardServer. ToinstallSnowLeopardServeradministrationtools: 1 MakesurethecomputerhasSnowLeopardinstalled. 2 Makesurethecomputerhasatleast1GBofRAMand1GBofunuseddiskspace. 3 InserttheMacOSXServerInstallDisc. 4 OpentheOtherInstallersfolder. 5 OpenserveradministrationSoftware.mpkgtostarttheInstallerandthenfollowthe onscreeninstructions. Chapter2InstallingSnowLeopardServer 39 SettingUpNetworkInfrastructure Beforeyoucaninstall,youmustsetuporhavethefollowingsettingsforyour networkservice:  DNS:Youmusthaveafullyqualifieddomainnameforeachserver’sIPaddessinthe DNSsystem.TheDNSzonemusthavethereverse-lookuprecordforthenameand addresspair.Nothavingastable,functioningDNSsystemwithreverselookupleads toservicefailuresandunexpectedbehaviors.  StaticIPAddress:MakesureyoualreadyhaveastaticIPaddressplannedand assignedtotheserver.  DHCP:DonotassigndynamicIPaddressestoservers.IfyourservergetsitsIP addressthroughDHCP,setupastaticmappingintheDHCPserversoyourserver gets(viaitsEthernetaddress)thesameIPaddresseverytime.  Firewallorrouting:Inadditiontoanyfirewallrunningonyourserver,thesubnet routermighthavespecificnetworktrafficrestrictionsinplace.Makesuretheserver’s IPaddressisavailableforthetrafficitwillhandleandtheservicesyouwillrun. StartingUpforInstallation Thecomputercan’tinstalltoitsownstartupvolume,soyoumuststartupinsome otherway,suchas:  TheInstallationDVD  Alternatevolumes(secondpartitionsontheharddiskorexternalFireWiredisks) Forinformationonusingalternatevolumes,seetheAdvancedServerAdministration guide.  NetBoot(ifthenetworkandNetBootserversaretrusted) ForinformationonusingNetBootservers,seetheSystemImagingandSoftware UpdateAdministrationguide. StartingUpfromtheInstallDVD Thecomputermustinstallfromthesamediskorimagethatstartedupthecomputer. Mountinganothersharepointwithaninstallerwon’twork.Theinstallerusessomeof thefilesactiveinthebootedsystempartitionforthenewinstallation. TheeasiestandmostsecurewaytoinstallSnowLeopardServeristoinstallitphysically atthecomputer,knownasalocalinstallation,usingtheDVD.Whenperformingalocal installation,itisrecommended,ifapplicable,thattheentiredrivebereformattedusing atleasta7-passsecureerase,ratherthanonlyreformattingthepartitionwhere SnowLeopardServeristobeinstalled,incasesensitiveinformationwasleftonthe otherpartitions. 40 Chapter2InstallingSnowLeopardServer IfthetargetserverisanXservewithabuilt-inDVDdrive,starttheserverusingthe InstallDVDbyfollowingtheinstructionsintheXserveUser’sGuideforstartingfrom asystemdisc. StartingUpfromanAlternatePartition Forasingle-serverinstallation,preparingtostartupfromanalternatepartitioncanbe moretime-consumingthanusingtheInstallDVD.Thetimerequiredtoimage,scan, andrestoretheimagetoastartuppartitioncanexceedthetimetakentoinstallonce fromtheDVD. However,ifyouarereinstallingregularly,orifyouarecreatinganexternalFireWire drive-basedinstallationtotaketovariouscomputers,orifyouneedsomeotherkind ofmassdistribution(suchasclusteredXserveswithoutDVDdrivesinstalled),this methodcanbeveryefficient. Note:Whencreatingabootableexternaldisk,usetheGUIDPartitioningformat. StartingUpfromaNetBootEnvironment IfyouhaveanexistingNetBootinfrastructure,thisistheeasiestwaytoperformmass installationanddeployment.Thismethodcanbeusedforclustersthathavenooptical driveorexistingsystemsoftware. Thismethodcanalsobeusedinenvironmentswherelargenumbersofserversmust bedeployedinanefficientmanner. Thissectionwon’ttellyouhowtocreatethenecessaryNetBootinfrastructure.Ifyou wanttosetupNetBootandNetInstalloptionsforyournetwork,servers,andclient computers,seethemanualsatwww.apple.com/server/resources/. RemoteAccessDuringInstallation SnowLeopardServerhasseveralremoteaccessservicesactiveduringinstallation.It providesServerAdminadministration,SSHaccessandVNCaccesswhenstartingfrom theinstallationdisk. Important:BeforeyouinstallorreinstallSnowLeopardServer,makesurethenetwork issecurebecauseremoteaccesstechnologiescanpotentiallygiveothersaccesstothe computeroverthenetwork.Forexample,designthenetworktopologysoyoucan maketheservercomputer’ssubnetaccessibleonlytotrustedusers. Chapter2InstallingSnowLeopardServer 41 ServerAdminDuringInstallation Acomputerthatstartedupfromtheinstallationdiscbroadcastsitsinstallation availabilityviaBonjourtothelocalnetwork.Youcanfindserversthatareawaiting installbyfindingtheBonjourservicename“_sa-rspndr._tcp.” Youcanusethedns-sdtooltoidentifycomputersonthelocalsubnetwhereyoucan installserversoftware.Enterthefollowingfromacomputeronthesamelocalnetwork astheserver: dns-sd -B _sa-rspndr._tcp. AdministratorcomputersrunningServerAdmin’sServerAssistantcanprovideadefault passwordandcompleteinstallationremotely.ServerAdmintrafficisencrypted. SSHDuringInstallation Whenyoustartupacomputerfromaserverinstallationdisc,SSHstartssothatremote installationscanbeperformedviathecommandline.SSHserviceisgrantedtotheroot userprovidingthedefaultpassword. VNCDuringInstallation VNCenablesyoutouseaVNCviewer(likeScreenSharingorAppleRemoteDesktop)to viewtheuserinterfaceasifyouwereusingtheremotecomputer’skeyboard,mouse, andmonitor. Allthethingsyoucandoatthecomputerusingthekeyboardandmouseareavailable remotely,aswellaslocally.Thisexcludeshardwarerestarts(usingthepowerbuttonto shutdownandrestartthecomputer),otherhardwaremanipulation,orholdingdown keysduringstartup.VNCviewersareavailableforallpopularcomputingplatforms. VNCtrafficisnotsecurewithoutadditionalprecautions.EstablishanSSHtunnel betweenthelocalhostandtheremoteservertosecurelyperformtheinstallationby redirectingtheVNCtrafficthroughthetunnel. Forexample,toredirectAppleRemoteDesktoptrafficthroughanSSHtunnel,enter: ssh -v -L 2501:local_host:5900 target_server -l target_server_username 42 Chapter2InstallingSnowLeopardServer AboutDefaultInstallationPasswords Serverserialnumbersareusedformorethaninventorytracking.Theserver’sbuilt-in hardwareserialnumberisusedasthedefaultpasswordforremoteinstallation. Thepasswordiscasesensitive. Tofindaserver’sserialnumber,lookforalabelontheserver.Ifyou’reinstalling onanoldercomputerthathasnobuilt-inhardwareserialnumber,use12345678 forthepassword. IfyoureplaceamainlogicboardonanIntelXserve,thebuilt-inhardwarepassword is“SystemS”(noquotes). PreparingDisksforInstallingSnowLeopardServer BeforeperformingacleaninstallationofSnowLeopardServer,youcanpartitionthe servercomputer’sharddiskintomultiplevolumes,createaRAIDset,orerasethe targetdiskorpartition. Ifyou’reusinganinstallationdiscforSnowLeopardServerorlater,youcanperform thesetasksfromanothernetworkedcomputerusingVNCviewersoftware,suchas AppleRemoteDesktop,beforebeginningacleaninstallation. WARNING:Beforepartitioningadisk,creatingaRAIDset,orerasingadiskor partitiononaserver,preserveuserdatayouwanttosavebycopyingittoanother diskorpartition. SecurelyErasingaDiskforInstallation Whenperforminganinstallation,itisrecommended,ifapplicable,thattheentiredrive bereformattedusingatleasta7-passsecureerase,ratherthanonlyreformattingthe partitionwhereSnowLeopardServeristobeinstalled,incasesensitiveinformation wasleftontheotherpartitions. Youhaveseveraloptionsforerasingadisk,dependingonyourpreferredtoolsandyour computingenvironment:  ErasingadiskusingDiskUtility:YoucanusetheInstallertoopenDiskUtilityand thenuseittoerasethetargetvolumeoranothervolume.Youcanerasethetarget andallothervolumesusingtheMacOSExtendedformatorMacOSExtended (Journaled)format.Youcaneraseothervolumesusingthoseformats,aswellas MacOSExtendedformat(Case-Sensitive)format,orMacOSExtended(Journaled, Case-Sensitive)format. Chapter2InstallingSnowLeopardServer 43 Youcanfindinstructionsforpartitioningtheharddiskintomultiplevolumes, creatingaRAIDset,anderasingthetargetdiskorpartitionbyviewingDiskUtility Help.ToviewDiskUtilityHelp,openDiskUtilityonanotherMaccomputerwith MacOSXv10.6andchooseHelp>DiskUtilityHelp.  Erasingadiskusingthecommandline:Youcanusethecommandlinetoerase disksusingthetooldiskutil.Erasingadiskusingdiskutilresultsinlosingallvolume partitions.Thecommandtoeraseacompletediskis: sudo diskutil secureErase 2 format name device Forexample: sudo diskutil secureErase 2 JournaledHFS+ MacProHD disk0 Thereisalsoanoptiontosecurelydeletedatabyoverwritingthediskwithrandom datamultipletimes.Formoredetails,seediskutil’smanpage. Toeraseasinglevolumeonadisk,aslightlydifferentcommandisused: diskutil eraseVolume format name device Forexample: diskutil eraseVolume JournaledHFS+ UntitledPartition /Volumes/ OriginalPartition Forcompletecommandsyntaxfordiskutil,consultthetool’smanpage. InstallingServerSoftware Whenthetargetcomputerisstarted,youuseServerAdmin’sServerAssistant(locally orremotely),VNCcontrol,ortheinstallercommand-linetooltostartinstallation. FordetailedinstructionsonusingoneofthesemethodstoinstallSnowLeopardServer, seetheAdvancedServerAdministrationguide. EnablingtheFirewall Afterconfiguration,enablethefirewalltopreventunauthorizedconnectionstothe serverwhileyoucompletesetup.Foramorecomprehensivetreatmentoffirewall configuration,seeChapter13,“ConfiguringtheFirewall.” Whenrunning,thedefaultfirewallconfigurationonSnowLeopardServerdeniesaccess toincomingpacketsfromremotecomputersexceptthroughportsforremote configuration.Thisprovidesahighlevelofsecurity. Statefulrulesareinplaceaswell,soresponsestooutgoingqueriesinitiatedbyyour computerarealsopermitted.Youcanthenaddrulestopermitserveraccesstoclients whorequireaccesstoservices. Important:Usegreatcareinremotelychanginganyfirwallconfigurationbecauseof theriskofdisablingcommunicationstotheremotehost. 44 Chapter2InstallingSnowLeopardServer Toenablethefirewall: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofservicesappears. 3 FromtheexpandedServerslist,selectFirewall. IfFirewallisnotlistedasanavailableservicetoconfigure,addittheserverviewby doingthefollowing: a Intheserverlistontheleft,selecttheservername. b ClicktheSettingsbuttoninthetoolbarandthenclicktheServicestab. c SelectthecheckboxforFirewallservice. 4 ClicktheStartFirewallbuttonbelowtheServerslist. Fromthecommandline: # --------------------------------------------------------------------# Securing Firewall Service # --------------------------------------------------------------------# # Add Firewall to the services view # --------------------------------sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.ipfilter:configured = yes # Start Firewall service # ---------------------sudo serveradmin start ipfilter ApplyingSoftwareandSecurityUpdates AfterinstallingSnowLeopardServer,installthelatestapprovedsecurityupdates. Beforeconnectingyourcomputertoanetworktoobtainsoftwareupdates,enable thefirewallusingServerAdmintoallowonlyessentialservices. Important:Ifyouhavenotsecuredandvalidatedsettingsfornetworkservices,donot enableyournetworkconnectiontoinstallsoftwareupdates.Forinformation,see “SecuringNetworkInfrastructureServices”onpage198. Untilyousecurelyconfigurenetworkservicessettings,limityourupdateinstallationto usingthemanualmethodofinstallingsoftwareupdates.Formoreinformation,see “UpdatingManuallyfromInstallerPackages”onpage48. Chapter2InstallingSnowLeopardServer 45 SnowLeopardServerincludesSoftwareUpdate,anapplicationthatdownloadsand installssoftwareupdatesfromApple’sSoftwareUpdateserverorfromaninternal softwareupdateserver. YoucanconfigureSoftwareUpdatetocheckforupdatesautomatically.Youcanalso configureSoftwareUpdatetodownload,butnotinstall,updates,ifyouwanttoinstall themlater. Beforeinstallingupdates,checkwithyourorganizationfortheirpolicyondownloading updates.Theymightpreferthatyouuseaninternalsoftwareupdateserver,which reducestheamountofexternalnetworktrafficandletstheorganizationqualify softwareupdatesusingorganizationconfigurationsbeforeupdatingsystems. Important:SecurityupdatespublishedbyApplecontainfixesforsecurityissuesand areusuallyreleasedinresponsetoaspecificknownsecurityproblem.Applyingthese updatesisessential. Softwareupdatesareobtainedandinstalledinseveralways:  UsingSoftwareUpdatetodownloadandinstallupdatesfromaninternalsoftware updateserver  UsingSoftwareUpdatetodownloadandinstallupdatesfromInternet-based softwareupdateservers  Manuallydownloadingandinstallingupdatesasseparatesoftwarepackages UpdatingfromanInternalSoftwareUpdateServer Yourcomputercanlookforsoftwareupdatesonaninternalsoftwareupdateserver. Byusinganinternalsoftwareupdateserver,youreducetheamountofdatatransferred outsideofthenetwork,andyourorganizationcancontrolwhichupdatescanbe installedonyourcomputer. IfyourunSoftwareUpdateonawirelessnetworkoruntrustednetwork,youmight downloadmaliciousupdatesfromaroguesoftwareupdateserver.However,Software UpdatewillnotinstallapackagethathasnotbeendigitallysignedbyApple.If SoftwareUpdatedoesnotinstallapackage,deleteitfrom/Library/Updates/;then downloadtheupdateagain. Youcanconnectyourcomputertoanetworkthatmanagesitsclientcomputers,which enablesthenetworktorequirethatthecomputeruseaspecifiedsoftwareupdate server.Or,youcanmodifythe/Library/Preferences/com.apple.SoftwareUpdate.plistfile byenteringthefollowingcommandinaTerminalwindowtospecifyyoursoftware updateserver. 46 Chapter2InstallingSnowLeopardServer Fromthecommandline: # # # # # # # # # # Updating from an Internal Software Update Server -----------------------------------------------Default Settings. blank Software updates are downloaded from one of the following software update servers hosted by Apple. swscan.apple.com:80 swquery.apple.com:80 swcdn.apple.com:80 # Suggested Settings. # Specify the software update server to use. sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index-leopardsnowleopard.merged-1.sucatalog # Available Settings. # Replace swupdate.apple.com with the fully qualified domain name (FQDN) # or IP address of your software update server. # To switch your computer back to the default Apple update server. # sudo defaults delete com.apple.SoftwareUpdate CatalogURL UpdatingfromInternetSoftwareUpdateServers BeforeconnectingtotheInternet,makesureyournetworkservicesaresecurely configured.Forinformation,see“SecuringNetworkInfrastructureServices”on page198. Ifyouareanetworkadministrator,insteadofusingyouroperationalcomputerto checkforandinstallupdates,considerusingatestcomputertodownloadupdates andverifyfileintegritybeforeinstallingupdates.Formoreinformationaboutverifying fileintegrity,see“VerifyingtheIntegrityofSoftware”onpage50. Youcanthentransfertheupdatepackagestoyouroperationalcomputer.For instructionsoninstallingtheupdates,see“UpdatingManuallyfromInstallerPackages” onpage48. YoucanalsodownloadsoftwareupdatesforAppleproductsat www.apple.com/support/downloads/. Important:Makesureupdatesareinstalledwhenthecomputercanberestarted withoutaffectingusersaccessingtheserver. Chapter2InstallingSnowLeopardServer 47 TodownloadandinstallsoftwareupdatesusingSoftwareUpdate: 1 ChooseApple()>SoftwareUpdate. AfterSoftwareUpdatelooksforupdatestoyourinstalledsoftware,itdisplaysalistof updates.Togetolderversionsofupdates,gotothesoftwareupdatewebsiteat www.apple.com/support/downloads/. 2 Selecttheupdatesyouwanttoinstall,andchooseUpdate>InstallandKeepPackage. Whenyoukeepthepackage,itisstoredintheuser’sDownloadsfolder(user_name/ Downloads/). Ifyoudonotwanttoinstallupdates,clickQuit. 3 Acceptthelicensingagreementstostartinstallation. Someupdatesmightrequireyourcomputertorestart.IfSoftwareUpdateasksyou torestartthecomputer,doso. Fromthecommandline: # # # # # # # Updating from Internet Software Update Server ----------------------------------Default Settings. The softwareupdate command checks and lists available updates for download. Software Update preferences are set to the command-line equivalent of. sudo softwareupdate --list --schedule on # Suggested Settings. # Download and install software updates: sudo softwareupdate --download --all --install # # # # # Available Settings. Use the following commands to view softwareupdate options. sudo softwareupdate -h or man softwareupdate UpdatingManuallyfromInstallerPackages YoucanmanuallydownloadsoftwareupdatesforAppleproductsfrom support.apple.com/downloads/,preferablyusingacomputerdesignatedfor downloadingandverifyingupdates.Performeachdownloadseparatelyso fileintegritycanbeverifiedbeforeinstallingtheupdates. Youcanreviewthecontentsofeachsecurityupdatebeforeinstallingit.To seethecontentsofasecurityupdate,gotoApple’sSecuritySupportPageat www.apple.com/support/security/andclicktheSecurityUpdatespagelink. 48 Chapter2InstallingSnowLeopardServer Tomanuallydownload,verify,andinstallsoftwareupdates: 1 Gotosupport.apple.com/downloads/anddownloadthesoftwareupdateson acomputerdesignatedforverifyingsoftwareupdates. Note:UpdatesprovidedthroughSoftwareUpdatemightsometimesappearearlier thanstandaloneupdates. 2 Foreachupdatefiledownloaded,reviewtheSHA-1digest(alsoknownasachecksum), whichshouldbepostedonlinewiththeupdatepackage. 3 Inspectdownloadedupdatesforviruses. 4 Verifytheintegrityofeachupdate. Formoreinformation,see“VerifyingtheIntegrityofSoftware”onpage50. 5 Transfertheupdatepackagesfromyourtestcomputertoyourcurrentcomputer. Thedefaultdownloadlocationforupdatepackagesis/Library/Updates/.Youcan transferupdatepackagestoanylocationonyourcomputer. 6 Double-clickthepackage. Ifthepackageislocatedinadiskimage(dmg)file,double-clickthedmgfileandthen double-clickthepackage. 7 Proceedthroughtheinstallationsteps. 8 Ifrequested,restartthecomputer. Installthesystemupdateandtheninstallsubsequentsecurityupdates.Installthe updatesinorderbyreleasedate,oldesttonewest. Fromthecommandline: # # # # Updating Manually from Installer Packages ----------------------------------Default Settings. None # Suggested Settings. # Download software updates. sudo softwareupdate --download --all # Install software updates. sudo installer -pkg $Package_Path -target /Volumes/$Target_Volume # # # # # Available Settings. Use the following commands to view installer options. sudo installer -h or man installer Chapter2InstallingSnowLeopardServer 49 VerifyingtheIntegrityofSoftware SoftwareimagesandupdatescanincludeanSHA-1digest,whichisalsoknownasa cryptographicchecksum.YoucanusethisSHA-1digesttoverifytheintegrityofthe software.SoftwareupdatesretrievedandinstalledautomaticallyfromSoftwareUpdate verifythechecksumbeforeinstallation. Fromthecommandline: # # # # Verifying the Integrity of Software ----------------------------------Default Settings. None # Suggested Settings. # Use the sha1 command to display a file's SHA-1 digest. # Replace $full_path_filename with the full path filename of the update # package or image that SHA-1 digest is being checked for. sudo /usr/bin/openssl sha1 $full_path_filename # # # # # # Available Settings. Use the following command to view the version of OpenSSl installed on your computer. sudo openssl version Use the following command to view openssl options. man openssl Ifprovided,theSHA-1digestforeachsoftwareupdateorimageshouldmatchthe digestcreatedforthatfile.Ifnot,thefilewascorrupted.Obtainanewcopy. SettingUpServicesandUsers Afterinstallation,theserverisreadyforconfigurationandlocaladministrator accountcreation. AnunconfiguredserverbroadcastsitsinstallationavailabilityviaBonjourtothelocal network.YoucanfindserversthatareawaitinginstallbyfindingtheBonjourservice name“_svr-unconfig._tcp.” Theeasiestwayoffindingaserverthatneedsconfigurationisbyusingthetools installedontheadministrationcomputer:ServerAdminorServerPreferences. Thesetoolscandetectserverswaitingconfigurationonthelocalsubnet,available viaBonjour. 50 Chapter2InstallingSnowLeopardServer Ifyouaretryingtofindserversawaitingconfigurationusingthecommandline,you canusethedns-sdtooltoidentifycomputersonthelocalsubnetwhereyoucaninstall serversoftware.Enterthefollowingfromacomputeronthesamelocalnetworkas theserver: dns-sd -B _sa-unconfig._tcp. AdministratorcomputersrunningServerAdmin’sServerAssistantcanprovideadefault passwordandcompleteinstallationremotely.ServerAdmintrafficisencrypted. Ineithercase,theloginnameandpasswordaredescribedinthesection“About DefaultInstallationPasswords”onpage43. AboutSettingsEstablishedDuringServerSetup Duringserversetup,thefollowingbasicserversettingsareestablished:  Thelanguagetouseforserveradministrationandthecomputerkeyboardlayout isdefined.  Theserversoftwareserialnumberisset.  Atimezoneisspecified,andnetworktimeserviceissetup.  Aserveradministratorlocaluserisdefinedandthelocaladministrator’shomefolder iscreated.  ThedefaultSSHandAppleRemoteDesktopstateisenabled.  Networkinterfaces(ports)areconfigured. TCP/IPandEthernetsettingsaredefinedforeachportyouwanttoactivate.  Networknamesaredefined. TheprimaryDNSnameandcomputernamearedefinedbytheadministrator,and thelocalhostnameisderivedfromthecomputername.  BasicDirectoryinformationissetup.(Optional) TheserverissetupasanOpenDirectoryMaster,oritissettoobtaindirectory informationfromanotheradirectoryservice,orthedirectorysetupcanbedeferred untilfirstlogin.  Someservicesarechosenandconfigured. Foralistofwhichservicesareenabledatstartup,seetheAdvancedServer Administrationguide. EnablingtheFirmwarePassword AfterinstallingSnowLeopardServer,enabletheExtensibleFirmwareInterface(EFI) passwordusingtheFirmwarePasswordUtility.Thispreventsunauthorizedusersfrom startinguptheservertoinstallagainorchangesettings. FormoreinformationabouttheFirmwarePasswordUtility,seeChapter4,“Securing GlobalSystemSettings.” Chapter2InstallingSnowLeopardServer 51 3 SecuringSystemHardware 3 Usethischaptertosecurethesystemhardwarebydisabling theOperatingSystem(OS)componentsandkernel extensions. AfterinstallingandsettingupMacOSXServer,makesureyouprotectyoursystemby disablingspecifichardwareOScomponentsandkernelextensions. Important:Thisdocumentisintendedforusebysecurityprofessionalsinsensitive environments.Implementingthetechniquesandsettingsfoundinthisdocument impactssystemfunctionalityandmightnotbeappropriateforeveryuseror environment. ProtectingHardware Thefirstlevelofsecurityisprotectionfromunwantedphysicalaccess.Ifsomeonecan physicallyaccessacomputer,itbecomesmucheasiertocompromisethecomputer’s security.Whensomeonehasphysicalaccesstothecomputer,theycaninstallmalicious softwareorevent-trackinganddata-capturingservices. Thephysicalsecurityofaserverisanoftenoverlookedaspectofcomputersecurity. Anyonewithphysicalaccesstoacomputer(forexample,toopenthecase,orplugina keyboard,andsoforth)hasalmostfullcontroloverthecomputerandthedataonit. Forexample,someonewithphysicalaccesstoacomputercan:  Restartthecomputerfromanotherexternaldisc,bypassinganyexistinglogin mechanism.  Removeharddisksanduseforensicdatarecoverytechniquestoretrievedata.  Installhardware-basedkey-loggersonthelocaladministrationkeyboard. Inyourownorganizationandenvironment,youmustdecidewhichprecautionsare necessary,effective,andcost-effectivetoprotectthevalueofyourdataandnetwork. 52 Forexample,inanorganizationwherefloor-to-ceilingbarriersmightbeneededto protectaserverroom,securingtheairductsleadingtotheroommightalsoneedto beconsidered.Otherorganizationsmightonlyneedalockedserverrackoran firmwarepassword. Useasmanylayersofphysicalprotectionaspossible.Restrictaccesstoroomsthat containcomputersthatstoreoraccesssensitiveinformation.Provideroomaccessonly tothosewhomustusethosecomputers.Ifpossible,lockthecomputerinalockedor securecontainerwhenitisnotinuse,andboltorfastenittoawallorpieceof furniture. Theharddiskisthemostcriticalhardwarecomponentinyourcomputer.Takespecial caretopreventaccesstotheharddisk.Ifsomeoneremovesyourharddiskandinstalls itinanothercomputer,theycanbypasssafeguardsyousetup.Lockorsecurethe computer’sinternalhardware. Ifyoucan’tguaranteethephysicalsecurityoftheharddisk,considerusingFileVaultfor eachhomefolder.FileVaultencryptshomefoldercontentandguardsagainstthe contentbeingcompromised.Formoreinformation,see“EncryptingHomeFolders”on page151. FileVaultdoesnotprotectagainstthethreatofanattackertamperingwithfilesonthe diskandreinstallingthedrive.Forexample,anattackercouldinstallamodifiedkernel, anduseittoobtainyourFileVaultpasswordbyloggingyourkeyboardkeystrokes. Topreventsuchanattack,lockyourcomputerwhenitisunattended.Also,ifyoushare yourcomputerwithothers,limitthosewhohavesudoerpermissions.Forinformation aboutlimitingsudoers,see“SecuringDirectoryAccounts”onpage319. Ifyouhaveaportablecomputer,keepitsecure.Lockituporhideitwhenitisnotin use.Whentransportingthecomputer,neverleaveitinaninsecurelocation.Consider buyingacomputerbagwithalockingmechanismandlockthecomputerinthebag whenyouaren’tusingit. PreventingWirelessEavesdropping IfyouhaveinstalledSnowLeopardServeronacomputerwithwirelessnetworkaccess (forexample,ithasanAirportcardorotherwi-ficardinstalled),considerdisabling wirelessaccesstopreventeavesdroping. Althoughwirelesstechnologygivesyournetworkmoreflexibilitywithyourusers,it cancausesecurityvulnerabilitiesyoumaybeunawareof.Whereverpossible,disable wirelessaccessforsecurityreasons.Whenusingawirelessaccesspoint,makesureyou properlyconfigurethesecuritysettingstopreventunauthorizedusersfromattempting toaccessyournetwork. Chapter3SecuringSystemHardware 53 Wirelessaccesspointsthathaveaccesstoyourservershouldrequireencryptionofthe connection,userauthentication(throughtheuseofcertificatesorsmartcards),and time-outsforconnections. IfyouneedtouseWi-Fi,seeSnowLeopardSecurityConfigurationforinformationabout howtoleverage802.1XforsecuringyourWi-Fitraffic. UnderstandingWirelessSecurityChallenges MostMaccomputershaveabuilt-inwirelessnetworkcard.Userscanconfiguretheir computertobeawirelessaccesspointtosharetheirInternetconnectionwithother users.However,suchawirelessaccesspointisn’tusuallysecure,therebycreatinga pointofaccessforanattacker. Anyonewithinwirelessrangecangainaccesstoyournetworkbyusinganauthorized user’sinsecurelyconfiguredwirelessLAN.Thesepossiblepointsofaccesscanbevery large,dependingonthenumberofuserswithwirelesstechnologyontheircomputers. Thechallengeariseswhentryingtopreventusersfromcreatingaccesspointstoyour networkortryingtoidentifywheretheaccesspointsareandwhoisattemptingtouse them. Manyorganizationsrestricttheuseofwirelesstechnologyintheirnetwork environment.However,mostMaccomputershavewirelesscapabilitybuiltin,so turningitoffmightnotmeetyourorganization’swirelesstechnologyrestrictions.You mightneedtoremovecomponentsfromMacOSXtodisablethemfrombeingturned oninSystemPreferences. AboutOSComponents Specialhardware,suchaswirelessnetworkingcardsandaudio/videocomponents, needdriversoftwarethatrunsatthekernellevel.Thisdriversoftwareisimplemented askernelextensions(“kexts”)inMacOSXandarealsoknownasOScomponents. ThesekernelextensionscanberemovedfromMacOSXtopreventtheuseofapiece ofhardware. DisablingorremovingOScomponentsorkernelextensionsaltersthebehavioror performanceofthesystem. Important:MacOSXsometimeshasupdatestospecificOScomponents.Whenyour computerinstallstheseupdatesthecomponentisoverwrittenorreinstalledifitwas previouslyremoved.Thisthenreenablesthehardwareyouwanteddisabled.Whenyou installupdatesmakesurethattheinstallationdoesnotreenableanOScomponentyou wanteddisabled. 54 Chapter3SecuringSystemHardware RemovingWi-FiSupportSoftware UsethefollowinginstructionsforremovingAirportsupport.Thistaskrequiresyouto haveadministratorprivileges. YoucanalsohaveanAppleAuthorizedTechnicianremoveAirporthardwarefromyour Applecomputer. Important:Repeattheseinstructionseverytimeasystemupdateisinstalled. ToremovekernelextensionsforAirporthardware: 1 Openthe/System/Library/Extensionsfolder. 2 DragthefollowingfiletotheTrash: IO80211Family.kext 3 OpenTerminalandenterthefollowingcommand: sudo touch /System/Library/Extensions Thetouchcommandchangesthemodifieddateofthe/System/Library/Extensions folder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/ System/Library/)aredeletedandrebuiltbySnowLeopard. 4 ChooseFinder>SecureEmptyTrashtodeletethefiles. 5 Restartthesystem. Fromthecommandline: # ------------------------------------------------------------------# Protecting System Hardware # ------------------------------------------------------------------# Securing Wi-Fi Hardware # ----------------------# Remove AppleAirport kernel extensions. sudo srm -r /System/Library/Extensions/IO80211Family.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions RemovingBluetoothSupportSoftware UsethefollowinginstructionstoremoveBluetoothsupportforperipheralssuchas keyboards,mice,orphones.Thistaskrequiresyoutohaveadministratorprivileges. YoucanalsohaveanAppleAuthorizedTechnicianremovethebuilt-inBluetooth hardwarefromyourApplecomputer. Important:Repeattheseinstructionseverytimeasystemupdateisinstalled. Chapter3SecuringSystemHardware 55 ToremovekernelextensionsforBluetoothhardware: 1 Openthe/System/Library/Extensionsfolder. 2 DragthefollowingfilestotheTrash: IOBluetoothFamily.kext IOBluetoothHIDDriver.kext 3 OpenTerminalandenterthefollowingcommand: sudo touch /System/Library/Extensions Thetouchcommandchangesthemodifieddateofthe/System/Library/Extensions folder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/ System/Library/)aredeletedandrebuiltbySnowLeopardServer. 4 ChooseFinder>SecureEmptyTrashtodeletethefiles. 5 Restartthesystem. Fromthecommandline: # # # # Removing BlueTooth Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove Bluetooth kernel extensions. # Remove Bluetooth kernel extensions. sudo srm -r /System/Library/Extensions/IOBluetoothFamily.kext sudo srm -r /System/Library/Extensions/IOBluetoothHIDDriver.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None RemovingIRSupportSoftware UsethefollowinginstructionstoremoveIRhardwaresupport.Thistaskrequiresyouto haveadministratorprivileges. YoucanalsohaveanAppleAuthorizedTechnicianremoveIRhardwarefromyour Applecomputer. Important:Repeattheseinstructionseverytimeasystemupdateisinstalled. ToremovekernelextensionsforIRhardwaresupport: 1 Openthe/System/Library/Extensionsfolder. 56 Chapter3SecuringSystemHardware 2 DragthefollowingfiletotheTrash: AppleIRController.kext 3 OpenTerminalandenterthefollowingcommand: sudo touch /System/Library/Extensions Thetouchcommandchangesthemodifieddateofthe/System/Library/Extensions folder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/ System/Library)aredeletedandrebuiltautomaticallybyMacOSX. 4 ChooseFinder>SecureEmptyTrashtodeletethefile. 5 Restartthesystem. FromtheCommandLIne: # # # # Removing IR Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove IR kernel extensions. sudo srm -rf /System/Library/Extensions/AppleIRController.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None PreventingUnauthorizedRecording Yourcomputermightbeinanenvironmentwhererecordingdevicessuchascameras ormicrophonesarenotpermitted.Youcanprotectyourorganization’sprivacyby disablingthesedevices.Thistaskrequiresyoutohaveadministratorprivileges. Note:Someorganizationsinsertadummyplugintotheaudioinputandoutputports toensurethataudiohardwareisdisabled. RemovingAudioSupportSoftware Usethefollowinginstructionstoremovesupportforthemicrophoneandaudio subsystem.Thismaydisableaudioplayback. YoucanalsohaveanAppleAuthorizedTechnicianremovethebuilt-inmicrophone hardwarefromyourApplecomputer. Important:Repeattheseinstructionseverytimeasystemupdateisinstalled. Chapter3SecuringSystemHardware 57 Toremovekernelextensionsforaudiohardware: 1 Openthe/System/Library/Extensionsfolder. 2 Toremovesupportforaudiocomponentssuchasthemicrophone,dragthefollowing filestotheTrash: AppleUSBAudio.kext IOAudioFamily.kext 3 OpenTerminalandenterthefollowingcommand: sudo touch /System/Library/Extensions Thetouchcommandchangesthemodifieddateofthe/System/Library/Extensions folder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/ System/Library/)aredeletedandrebuiltbySnowLeopardServer. 4 ChooseFinder>SecureEmptyTrashtodeletethefile. 5 Restartthesystem. Fromthecommandline: # # # # Securing Audio Support Software ----------------------------Default setting: kext files are installed and loaded. # Suggested Setting. # Remove Audio Recording kernel extensions. sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kext sudo srm -rf /System/Library/Extensions/IOAudioFamily.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None RemovingVideoRecordingSupportSoftware Usethefollowinginstructionstoremovesupportforanexternalorbuilt-iniSight camera. Note:ThesupportforexternaliSightcamerasshouldberemovedonallmachines. RemovingonlysupportforinternaliSightcamerasstillleavessupportforexternal cameras. YoucanalsohaveanAppleAuthorizedTechnicianremovethebuilt-invideocamera hardwarefromyourApplecomputer. Important:Repeattheseinstructionseverytimeasystemupdateisinstalled. 58 Chapter3SecuringSystemHardware Toremovekernelextensionsforvideohardware: 1 Openthe/System/Library/Extensionsfolder. 2 ToremovesupportfortheexternaliSightcamera,dragthefollowingfiletotheTrash: Apple_iSight.kext 3 Toremovesupportforthebuilt-iniSightcamera,Control-clickIOUSBFamily.kextand selectShowPackageContents. 4 Openthe/Contents/PlugIns/folder. 5 DragthefollowingfiletotheTrash: AppleUSBVideoSupport.kext 6 OpenTerminalandenterthefollowingcommand: sudo touch /System/Library/Extensions Thetouchcommandchangesthemodifieddateofthe/System/Library/Extensions folder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/ System/Library/)aredeletedandrebuiltbySnowLeopardServer. 7 ChooseFinder>SecureEmptyTrashtodeletethefile. 8 Restartthesystem. Fromthecommandline: # # # # Securing Video Recording Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove Video Recording kernel extensions. # Remove external iSight camera. sudo srm -rf /System/Library/Extensions/Apple_iSight.kext # Remove internal iSight camera. sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/\ AppleUSBVideoSupport.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None PreventingDataPortAccess Computerdataportscanbeeasilycompromisedifyourcomputerisunattendedfor alongperiodoftimeorisstolen.Topreventyourcomputerfrombeingcompromised, keepitinalockedenvironmentorhiddenwhenyouarenotusingit. Chapter3SecuringSystemHardware 59 Youcanprotectyoursystembypreventinganunauthorizeduserfromusingyour dataports.ThispreventsusersfrombootingtoadifferentvolumeusingaUSB Flashdrive,USB,orFireWireexternalharddrive.Thistaskrequiresyoutohave administratorprivileges. Also,bysettingafirmwarepasswordusingtheFirmwarePasswordUtility,youcan preventaphysicalDirectMemoryAccess(DMA)attackoverFireWire.Whenthe firmwarepasswordisset,anyexternaldeviceisdenieddirectaccesstocomputer memorycontent.FormoreinformationabouttheFirmwarePasswordUtility,see “UsingtheFirmwarePasswordUtility”onpage64. RemovingUSBSupportSoftware UsethefollowinginstructionstoremoveUSBmassstoragedeviceinput/output supportsuchasUSBFlashdrivesandexternalUSBharddrives. TheremovalofthiskernelextensiononlyaffectsUSBmassstoragedevices.Itdoes notaffectotherUSBdevicessuchasaUSBprinter,mouse,orkeyboard.Thistask requiresyoutohaveadministratorprivileges. Important:Repeattheseinstructionseverytimeasystemupdateisinstalled. Toremovekernelextensionsforspecifichardware: 1 Openthe/System/Library/Extensionsfolder. 2 ToremovesupportforUSBmassstoragedevices,dragthefollowingfiletotheTrash: IOUSBMassStorageClass.kext 3 OpenTerminalandenterthefollowingcommand: sudo touch /System/Library/Extensions Thetouchcommandchangesthemodifieddateofthe/System/Library/Extensions folder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(located in/System/Library/)aredeletedandrebuiltbySnowLeopardServer. 4 ChooseFinder>SecureEmptyTrashtodeletethefile. 5 Restartthesystem. 60 Chapter3SecuringSystemHardware Fromthecommandline: # # # # # Securing USB Support Software ----------------------------Remove USB kernel extensions. Default setting. kext files are installed and loaded. # Suggested Setting: sudo srm -rf /System/Library/Extensions/IOUSBMassStorageClass.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None RemovingFireWireSupportSoftware UsethefollowinginstructionstoremoveFireWireinput/outputsupportsuchas externalFireWireharddisks.Thistaskrequiresyoutohaveadministratorprivileges. Important:Repeattheseinstructionseverytimeasystemupdateisinstalled. Toremovekernelextensionsforspecifichardware: 1 Openthe/System/Library/Extensionsfolder. 2 ToremovesupportforFireWiremassstoragedevices,dragthefollowingfileto theTrash: IOFireWireSerialBusProtocolTransport.kext 3 OpenTerminalandenterthefollowingcommand: sudo touch /System/Library/Extensions Thetouchcommandchangesthemodifieddateofthe/System/Library/Extensions folder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/ System/Library/)aredeletedandrebuiltbySnowLeopardServer. 4 ChooseFinder>SecureEmptyTrashtodeletethefile. 5 Restartthesystem. Chapter3SecuringSystemHardware 61 Fromthecommandline: # # # # Securing FireWire Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove FireWire kernel extensions. sudo srm -rf /System/Library/Extensions/\ IOFireWireSerialBusProtocolTransport.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None SystemHardwareModifications Removingkernelextensionsdoesnotpermanentlydisablecomponents.Youneed administrativeaccesstorestoreandreloadthem. Althoughdisablinghardwareinthismannerisnotassecureasphysicallydisabling hardware,itismoresecurethandisablinghardwarethroughSystemPreferences. Thismethodofdisablinghardwarecomponentsmightnotbesufficienttomeet anorganization’ssecuritypolicy.Consultyourorganization’soperationalpolicyto determineifthismethodisadequate. Ifyourenvironmentdoesnotpermittheuseofthefollowinghardwarecomponents, youmustphysicallydisablethem:  Airport  Bluetooth  Microphone  Camera  IRPort Important:Attemptingtoremovecomponentswillvoidyourwarranty. Note:Ifyouareinagovernmentorganizationandneedaletterofvolatilityfor Appleproducts,[email protected]. 62 Chapter3SecuringSystemHardware 4 SecuringGlobalSystemSettings 4 Usethischaptertolearnhowtosecureglobalsystem settings,securefirmwareandMacOSXstartup,andtouse accesswarnings. AfterinstallingandsettingupSnowLeopardServer,makesureyouprotectyour hardwareandsecureglobalsystemsettings. SecuringSystemStartup Whenacomputerstartsup,itfirststartsExtensibleFirmwareInterface(EFI).EFIisthe softwarelinkbetweenthemotherboardhardwareandthesoftwareoperatingsystem. EFIdeterminewhichpartitionordisktoloadMacOSXfrom.Italsodetermines whethertheusercanentersingle-usermode. Single-usermodelogstheuserinasroot.Thisisdangerousbecauserootuseraccessis themostpowerfullevelofaccess,andactionsperformedasrootareanonymous. IfyoucreateanEFIpassword,youpreventusersfromaccessingsingle-usermode. Thepasswordalsostopsusersfromloadingunapprovedpartitionsordisksandfrom enablingtargetdiskmodeatstartup. AftercreatinganEFIpassword,youmustenterthispasswordwhenyoustartthe computerfromanalternatedisk(forsituationssuchasharddiskfailureorfilesystem repair). Tosecurestartup,performoneofthefollowingtasks:  UsetheFirmwarePasswordUtilitytosettheEFIFirmwarepassword.  Verifyandsetthesecuritymodefromthecommandline. WARNING:EFIsettingsarecritical.Takegreatcarewhenmodifyingthesesettingsand whencreatingasecureFirmwarepassword. 63 AnEFIFirmwarepasswordprovidessomeprotection,butitcanberesetifauser hasphysicalaccesstothemachineandchangesthephysicalmemoryconfiguration ofthemachine. EFIpasswordprotectioncanbebypassediftheuserchangesthephysicalmemory configurationofthemachineandthenresetsthePRAMthreetimes(byholdingdown Command,Option,P,andRkeysduringsystemstartup). UsingtheFirmwarePasswordUtility TheSnowLeopardServerinstallationdiscincludesFirmwarePasswordUtility,which youcanusetoenableanEFIpassword. MaccomputerswithIntelprocessorsuseEFItocontrollow-levelhardware.EFIis similartoBIOSonanx86PCandisthehardwarebaselayerforallcomputersthat canrunSnowLeopardServer.Byprotectingitfromunauthorizedaccessyoucan preventattackersfromgainingaccesstoyourcomputer. TousetheFirmwarePasswordUtility: 1 LoginwithanadministratoraccountandopentheFirmwarePasswordUtility(located ontheMacOSXinstallationdiscin/Applications/Utilities/). 2 ClickNew. 3 Select“Requirepasswordtostartthiscomputerfromanothersource.” TodisabletheEFIpassword,deselect“Requirepasswordtostartthiscomputerfrom anothersource.”Youwon’tneedtoenterapasswordandverifyit.DisablingtheEFI passwordisonlyrecommendedforinstallingMacOSX. 4 InthePasswordandVerifyfields,enteranewEFIpasswordandclickOK. 5 ClosetheFirmwarePasswordUtility. Youcantestyoursettingsbyattemptingtostartupinsingle-usermode.Restartthe computerwhileholdingdowntheCommandandSkeys.Iftheloginwindowloads, changesmadebytheFirmwarePasswordUtilityweresuccessful. UsingCommand-LineToolsforSecureStartup YoucanalsoconfigureEFIfromthecommandlinebyusingthenvramtool.However, youcanonlysetthesecurity-modeenvironmentvariable. Youcansetthesecuritymodetooneofthefollowingvalues:  None:Thisisthedefaultvalueofsecurity-modeandprovidesnosecuritytoyour computer’sEFI.  Command:ThisvaluerequiresapasswordifchangesaremadetoEFIorifauser attemptstostartupfromanalternatevolumeordevice.  Full:Thisvaluerequiresapasswordtostartuporrestartyourcomputer.Italso requiresapasswordtomakechangestoEFI. 64 Chapter4SecuringGlobalSystemSettings Forexample,tosetthesecurity-modetofullyouwouldusethefollowingcommand: sudo nvram security-mode=full TosecurelysetthepasswordforEFI,usetheFirmwarePasswordUtility. Fromthecommandline: # # # # # # Securing Global System Settings ------------------------------------------------------------------------Configuring Firmware Settings ---------------------------------Default Setting. security-mode is off # Suggested Setting. # Secure startup by setting security-mode. Replace $mode-value with # “command” or “full.” sudo nvram security-mode=”$mode-value” # Verify security-mode setting. sudo nvram -x -p # # # # # # # # # # Available Settings. security-mode. “command” “full” Use the following command to view the current nvram settings. nvram -x -p Use the following commands to view nvram options. nvram -h or man nvram ConfiguringAccessWarnings YoucanusealoginwindoworTerminalaccesswarningtoprovidenoticeof acomputer’sownership,towarnagainstunauthorizedaccess,ortoremind authorizedusersoftheirconsenttomonitoring. Chapter4SecuringGlobalSystemSettings 65 EnablingAccessWarningsfortheLoginWindow Beforeenablinganaccesswarning,reviewyourorganization’spolicyforwhatto useasanaccesswarning. Whenausertriestoaccessthecomputer’sloginwindow(locallyorthrough AppleRemoteDesktop),theuserseestheaccesswarningyoucreate,suchas thefollowing: Tocreatealoginwindowaccesswarning: 1 OpenTerminalandverifythatyourlogged-inaccountcanusesudotoperforma defaultswrite. 2 Changeyourloginwindowaccesswarning: sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText “Warning Text” ReplaceWarning Textwithyouraccesswarningtext. 3 Logouttotestyourchanges. YouraccesswarningtextappearsbelowtheMacOSXsubtitle. Fromthecommandline: # Enabling Access Warning for the Login Window # ---------------------------------# Create a login window access warning. sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText “Warning Text” # You can also used the BannerSample project to create an access warning. 66 Chapter4SecuringGlobalSystemSettings UnderstandingtheAuthPluginArchitecture AuthPluginsareusedtocontrolaccesstoaserviceorapplication.Preinstalled AuthPluginsforSnowLeopardServerarelocatedinthe/System/Library/CoreServices/ SecurtiyAgentPlugins/folder.Theseplug-ins(andtheirassociatedrulesand authorizationrightsforusers)aredefinedinthe/etc/authorizationdatabase,and arequeriedbytheSecurityServer. Formoreinformationabout/etc/authorization,seeChapter29,“Managing AuthorizationThroughRights,”onpage363. ThefollowinggraphicshowstheworkflowoftheSecurityServer. Security Agent Applications 1 5 Authorization Credentail Biometric 4 3 Juan Chavez Security Server Request authorization for right Request user interaction if necessary Password : Password 2 Smart Card Rights Database /etc/authorization Whenanapplicationrequestsauthorizationrightsfromthesecurityserverthe securityserverinterrogatestherightsdatabase(/etc/authorization)todetermine themechanismstobeusedforauthentication. Ifnecessary,thesecurityserverrequestsuserinteractionthroughthesecurity agent.Thesecurityagentthenpromptstheusertoauthenticatethroughtheuse ofapassword,smartcard,orbiometricreader. Thenthesecurityagentsendstheauthenticationinformationbacktothesecurity server,whichpassesitbacktotheapplication. Chapter4SecuringGlobalSystemSettings 67 TheBannerSampleProject Ifyourcomputerhasdevelopertoolsinstalled,thesamplecodeforthebannersample projectislocatedin/Developer/examples/security/bannersample.Youcanmodifyand customizethissamplebannercodeforyourorganization. Afteryoucompilethecodeyoucanplaceitinthe/Library/Security/ SecurityAgentPlugins/folder.Thenmodifythekeysystem.login.consoleinthe/etc/ authorizationfileusingTerminal. Formoreinformationaboutthebannersample,seethebannersampleREADMEfile. Tomodifythe/etc/authorizationfile: 1 OpenTerminal. 2 Enterthefollowingcommand: sudo pico /etc/authorization 3 Locatethesystem.login.consolekey. 4 Add<string>bannersample:test</string>above<string> siffer,privileged</string>,asshowninboldbelow: builtin:smartcard- <key>system.login.console</key> <dict> <key>class</key> <string>evaluate-mechanisms</string> <key>comment</key> <string>Login mechanism based rule. Not for general use, yet.</string> <key>mechanisms</key> <array> <string>bannersample:test</string> <string>builtin:smartcard-sniffer,privileged</string> 5 Savechangesandexittheeditor. 6 Restartthecomputerandverifythatthebannerappears. ForadditionalinformationorsupportfortheBannerSampleprojectcontact [email protected]. 68 Chapter4SecuringGlobalSystemSettings EnablingAccessWarningsfortheCommandLine Beforeenablinganaccesswarning,reviewyourorganization’spolicyforwhattouseas anaccesswarning. WhenauseropensTerminallocallyorconnectstothecomputerremotely,theuser seestheaccesswarningyoucreate. Thefollowingtaskmustbeperformedbyanadministratoruserusinganytexteditor. Tocreateacommand-lineaccesswarning: 1 OpenTerminal. 2 Enterthefollowingcommandtocreatethe/etc/motdfile: sudo touch /etc/motd 3 Enterthefollowingcommandtoeditthe/etc/motdfile: sudo pico /etc/motd 4 Enteryouraccesswarningmessage. 5 Savechangesandexitthetexteditor. 6 OpenanewTerminalwindowtotestchanges. YouraccesswarningtextappearsabovethepromptinthenewTerminalwindow. Fromthecommandline: # Enabling Access Warning for the Command Line # ---------------------------------# Create a command-line access warning. sudo touch /etc/motd sudo chmod 644 /etc/motd sudo echo “Warning Text” >> /etc/motd Chapter4SecuringGlobalSystemSettings 69 TurningOnFileExtensions Bymakingthefileextensionvisible,youcandeterminethetypeoffileitisandthe applicationitisassociatedwith. Toturnfileextensionson: 1 OpenFinder. 2 FromtheFindermenu,selectPreferences. 3 ClickAdvancedandselectthe“Showallfilenameextensions”checkbox. 70 Chapter4SecuringGlobalSystemSettings 5 SecuringLocalServerAccounts 5 Usethischaptertolearnhowtosecureaccountsbyassigning useraccounttypes,configuringdirectoryaccess,usingstrong authenticationprocedures,andsafelystoringcredentials. Securinguseraccountsrequiresdetermininghowaccountsareusedandsettingthe levelofaccessforusers. Whenyoudefineauser’saccountyouspecifytheinformationtoprovetheuser’s identity,suchasusername,authenticationmethod(password,digitaltoken, smartcard,orbiometricreader),anduseridentificationnumber(userID).Other informationinauser’saccountisneededbyvariousservicestodeterminewhat theuserisauthorizedtodoandtopersonalizetheuser’senvironment. TypesofUserAccounts WhenyoulogintoSnowLeopardServer,youuseanonadministratororadministrator account.ThemaindifferenceisthatSnowLeopardServerprovidessafetymechanisms topreventnonadministratorusersfromeditingkeypreferences,orfromperforming actionscriticaltocomputersecurity.Administratorusersarenotaslimitedas nonadministratorusers. Youcanfurtherdefinenonadministratorandadministratoraccountsbyspecifying additionaluserprivilegesorrestrictions. Thefollowingtableshowstheaccessprovidedtouseraccounts. UserAccount UserAccess Guestnonadministrator Restricteduseraccess(disabledbydefault) Standardnonadministrator Nonprivilegeduseraccess Managednonadministrator Restricteduseraccess Delegatedserveradministrator Administerspecifiedserviceconfiguration Administrator Fullserverconfigurationadministration 71 UserAccount UserAccess Directorydomainadministrator Administertheconfigureddomainsontheserver Systemadministrator(root) Unrestrictedaccesstotheserver Unlessyouneedadministratoraccessforspecificsystemmaintenancetasksthat cannotbeaccomplishedbyauthenticatingwiththeadministrator’saccountwhile loggedinasanormaluser,alwaysloginasanonadministratoruser.Logoutof theadministratoraccountwhenyouarenotusingthecomputerasanadministrator. Neverbrowsetheweborcheckemailwhileloggedintoanadministrator’saccount. Ifyouareloggedinasanadministrator,youaregrantedprivilegesandabilitiesthat youmightnotneed.Forexample,youcanpotentiallymodifysystempreferences withoutbeingrequiredtoauthenticate.Thisauthenticationbypassesasecurity safeguardthatpreventsmaliciousoraccidentalmodificationofsystempreferences. Note:Thischapterdescribeshowtosecurelocalaccountsconfiguredon SnowLeopardServer.Formoreinformationaboutsecuringuserandgroupnetwork accountsusingWorkgroupManager,seeChapter22,“SecuringNetworkAccounts.” GuidelinesforCreatingAccounts Whenyoucreateuseraccounts,followtheseguidelines:  Nevercreateaccountsthataresharedbyseveralusers.Eachusershouldhavehisor herownstandardormanagedaccount. Individualaccountsarenecessarytomaintainaccountability.Systemlogscantrack activitiesforeachuseraccount,butifseveraluserssharethesameaccountitis difficulttotrackwhichuserperformedanactivity.Similarly,ifseveraladministrators shareasingleadministratoraccount,itbecomeshardertotrackwhichadministrator performedanaction. Ifsomeonecompromisesasharedaccount,itislesslikelytobenoticed.Usersmight mistakemaliciousactionsperformedbyanintruderforlegitimateactionsbyauser sharingtheaccount.  Eachuserneedingadministratoraccessshouldhaveanadministratoraccountin additiontoastandardormanagedaccount. Administratorusersshouldonlyusetheiradministratoraccountsforadministrator purposes.Byrequiringanadministratortohaveapersonalaccountfortypicaluse andanadministratoraccountforadministratorpurposes,youreducetheriskofan administratorperformingactionslikeaccidentallyreconfiguringsecuresystem preferences. 72 Chapter5SecuringLocalServerAccounts DefiningUserIDs AuserIDisanumberthatuniquelyidentifiesauser.SnowLeopardServercomputers usetheuserIDtotrackauser’sfolderandfileownership.Whenausercreatesafolder orfile,theuserIDisstoredasthecreatorID.AuserwiththatuserIDhasreadandwrite permissionstothefolderorfilebydefault. TheuserIDisauniquestringofdigitsbetween500and2,147,483,648.Newusers createdusingtheAccountspaneofSystemPreferencesareassigneduserIDsstarting at501. ItisriskytoassignthesameuserIDtodifferentusers,becausetwouserswiththe sameuserIDhaveidenticaldirectoryandPOSIXfilepermissions.However,each userhasauniqueGUIDthatisgeneratedwhentheuseraccountiscreated.Your GUIDisassociatedwithACLpermissionsthataresetonfilesorfolders.Bysetting ACLpermissionsyoucanpreventuserswithidenticaluserIDsfromaccessingfiles andfolders. TheuserID0isreservedfortherootuser.UserIDsbelow100arereservedfor systemuse.UseraccountswiththeseuserIDsshouldnotbedeletedandshould notbemodifiedexcepttochangethepasswordoftherootuser. Ifyoudon’twanttheusernametoappearintheloginwindowofaclientcomputer, assignauserIDoflessthan500andenterthefollowingcommandinaTerminal window: sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES UsernamesneverappearintheloginwindowinSnowLeopardServer. Ingeneral,afterauserIDisassignedandtheuserstartscreatingfilesandfolders, youshouldn’tchangetheuserID. OnepossiblescenarioinwhichyoumightneedtochangeauserIDiswhenmerging usersfromdifferentserversontoanewserverorclusterofservers.ThesameuserID mighthavebeenassociatedwithadifferentuseronthepreviousserver. SecuringtheGuestAccount Theguestaccountisusedtogiveausertemporaryaccesstoyourcomputer.Theguest accountisdisabledbydefaultbecauseitdoesnotrequireapasswordtologintothe computer.Theguestaccountshouldremaindisabled.Ifthisaccountisenabledandnot securelyconfigured,malicioususerscangainaccesstoyourcomputerwithouttheuse ofapassword. Chapter5SecuringLocalServerAccounts 73 Insecuritysensitiveenvironmentstheguestaccountshouldremaindisabled.Ifyou enabletheguestaccount,enableparentalcontrolstolimitwhattheusercando. Enablingparentalcontrolonanaccountdoesnotdefendagainstadetermined attackerandshouldnotbeusedastheprimarysecuritymechanism. Whetherornottheguestaccountisenabled,disableguestaccountaccessto sharedfilesandfoldersbydeselectingthe“Allowguesttoconnecttosharedfolders” checkbox.Ifyoupermittheguestaccounttoaccesssharedfolders,anattackercan easilyattempttoaccesssharedfolderswithoutapassword. Whenyoufinishwiththisaccount,disableitbydeselectingthe“Allowgueststo logintothiscomputer.”Thispreventstheguestuseraccountfromlogginginto thecomputer. SecuringNonadministratorAccounts Therearetwotypesofnonadministratoruseraccounts:standardandmanaged.  Standarduseraccounts,whichdon’thaveadministratorprivilegesanddon’thave parentalcontrolslimitingtheiractions.  Manageduseraccounts,whichdon’thaveadministratorprivilegesbuthaveactive parentalcontrols.Parentalcontrolshelpdeterunsophisticatedusersfromperforming maliciousactivities.Theycanalsohelppreventusersfrommisusingtheircomputer. Note:Ifyourcomputerisconnectedtoanetwork,amanagedusercanalsobeauser whosepreferencesandaccountinformationaremanagedthroughthenetwork. Whencreatingnonadministratoraccounts,restricttheaccountssotheycanonly usewhatisrequired.Forexample,ifyouplantostoresensitivedataonyourlocal computer,disabletheabilitytoburnDVDs. SecuringExternalAccounts Anexternalaccountisamobileaccountthathasitslocalhomefolderstoredon avolumeinanexternaldrive.Whenanexternalaccountlogsin,MacOSXonly showstheexternalaccountthattheuserloggedinwith.Theexternaluseraccount cannotviewotheraccountsonthecomputer. ExternalaccountsrequireSnowLeopardorlaterandanexternalorejectable volumethatisformattedasMacOSXExtendedformat(HFSPlus).Ifyouusean externalaccount,useFileVaulttoprotectthecontentofyourhomefolderin caseyourexternalvolumeisstolenorlost. Forinformationaboutexternalaccounts,seetheUserManagementguide. 74 Chapter5SecuringLocalServerAccounts ProtectingDataonExternalVolumes Bydefault,auser’shomefolderisnotencrypted.Ifauserstorestheirhomefolderon anexternalvolumeusinganexternalaccount,theusermustsecurethedataonthe externalvolume.Tosecuretheexternalvolume:  Thevolumemustbeabletoprocessanexternalauthentication,suchasaPINor smartcardbeforeitismountedorreadable.  Theuser’shomefoldershoulduseFileVaultorotherencryptionmechanismsto securethedata. SecuringDirectory-BasedAccounts Adirectory-basedaccountisanaccountlocatedonadirectoryserver.Adirectory servercontainsuseraccountrecordsandimportantdataforauthenticatingusers. Ifyourcomputerisconnectedtoadirectoryserver,youcanadddirectoryusersto yourcomputerandgrantthemaccess.Youcanrestrictadirectoryuseraccountby usingParentalControls. Accesstodirectoryserversisusuallytightlyrestrictedtoprotectthedataonthem. AvoidingSimultaneousLocalAccountAccess Monitoringuseraccountsandactivitiesisimportanttosecuringyourcomputer. Thisenablesyoutodetermineifanaccountiscompromisedorifauserisperforming malicioustasks. AvoidingFastUserSwitching AlthoughtheuseofFastUserSwitchingisconvenientwhenyouhavemultiplelocal usersonasinglecomputer,avoidenablingit. FastUserSwitchingallowsmultipleuserstologinsimultaneously.Thismakesitdifficult totrackuseractionsandallowsuserstorunmaliciousapplicationsinthebackground whileanotheruserisusingthecomputer. Also,anyexternalvolumesattachedtothecomputeraremountedwhenanotheruser logsin,grantingallusersaccesstothevolumeandignoringaccesspermissions. AvoidingSharedUserAccounts Avoidcreatingaccountsthataresharedbyseveralusers.Individualaccountsmaintain accountability.Eachusershouldhavehisorherownstandardormanagedaccount. Systemlogscantrackactivitiesforeachuseraccount,butifseveraluserssharethe sameaccount,itbecomesdifficulttotrackwhichuserperformedanactivity.Similarly, ifseveraladministratorsshareasingleadministratoraccount,itbecomesharderto trackwhichadministratorperformedaspecificaction. Chapter5SecuringLocalServerAccounts 75 Ifsomeonecompromisesasharedaccountitislesslikelytobenoticed.Usersmight mistakemaliciousactionsperformedbyanintruderforlegitimateactionsbyauser sharingtheaccount. SecuringAdministratorAccounts Eachadministratorshouldhavetwoaccounts:astandardaccountfordailyuseandan administratoraccountforadministratoraccess.Rememberthatthenonadministrative accountshouldbeusedformostdailyactivity,especiallywhenaccessingthenetwork orInternet. Theadministrator’saccountshouldonlybeusedwhenabsolutelynecessaryto accomplishadministrativetasks.Tosecureadministratoraccounts,restrictthe distributionofadministratoraccountsandlimittheuseoftheseaccounts. Auseraccountwithadministratorprivilegescanperformstandarduserand administratortaskssuchas:         Creatinguseraccounts AddinguserstotheAdmingroup ChangingtheFileVaultmasterpassword Enablingordisablingsharing Enabling,disabling,orchangingfirewallsettings ChangingotherprotectedareasinSystemPreferences Installingsystemsoftware Escalatingprivilegestoroot AboutTieredAdministrationPermissions MacOSXServercanuseanotherlevelofaccesscontrolforaddedsecurity. Administratorscanbeassignedtoservicestheycanconfigure.Theselimitationsare enactedonaserver-by-serverbasis.Thismethodcanbeusedbyanadministratorwith norestrictionstoassignadministrativedutiestootherusers. InpreviousreleasesofMacOSXServer,thereweretwoclassesofusers:adminand everyoneelse.Adminuserscanmakeanychangetothesettingsofanyserviceor changeanydirectorydataincludingpasswordsandpasswordpolicies. InSnowLeopardServer,youcannowgrantindividualsandgroupsspecific administrativepermissionswithoutaddingthemtotheUNIX“admin”group.Inother words,youcanmakethemserviceadministrators. Therearetwolevelsofpermissions:  Administer:ThislevelofpermissionisanalogoustobeingintheUNIXadmingroup. Youcanchangeanysettingontheserverforthedesignatedserverandserviceonly. 76 Chapter5SecuringLocalServerAccounts  Monitor:ThislevelofpermissionallowsyoutoviewOverviewpanes,Logpanes, andotherinformationpanesinServerAdmin,aswellasgeneralserverstatusdatain serverstatuslists.Youdonothaveaccesstosavedservicesettings. Anyuserorgroupcanbegiventhesepermissionsforallservicesorforselected services.Thepermissionsarestoredonaper-serverbasis. Theonlyusersthatcanchangethetieredadministrationaccesslistareusersthatarein theUNIXadmingroup. Thisresultsinatieredadministrationmodel,wheresomeadministratorshavemore privilegesthanothersforassignedservices.Thisresultsinamethodofaccesscontrol forindividualserverfeaturesandservices. Forexample,Alice(theleadadministrator)hascontroloverallservicesonagiven serverandcanlimittheabilityofotheradmingroupusers(likeBobandCathy)to changesettingsontheserver.ShecanassignDNSandFirewallserviceadministration toBob,whileleavingmailserviceadministrationtoCathy. Inthisscenario,Cathycan’tchangethefirewalloranyserviceotherthanmail.Likewise, Bobcan’tchangeanyservicesoutsideofhisassignedservices. TieredadministrationcontrolsareeffectiveinServerAdminandtheserveradmin command-linetool.TheyarenoteffectiveagainstmodifyingUNIXconfigurationfiles throughoutthesystem.ProtectUNIXconfigurationfileswithPOSIX-typepermissionsor ACLs. Youcandeterminewhichservicesotheradmingroupuserscanmodify.Todothis,the administratormakingthedeterminationmusthavefull,unmodifiedaccess. ServerAdminupdatestoreflectwhatoperationsarepossibleforauser’spermissions. Forexample,someservicesarehiddenortheSettingspaneisdimmedwhenyoucan onlymonitorthatservice. Becausethefeatureisenforcedontheserverside,thepermissionsalsoimpactthe usageofserveradmin,dscl,dsimport,andpwpolicycommand-linetoolsbecausethese toolsarelimitedtothepermissionsconfiguredfortheadministratorinuse. DefiningAdministrativePermissions Youcandecideifauserorgroupcanmonitororadministeraserverorservicewithout givingthemthefullpowerofaUNIXadministrativeuser.Assigningeffective permissionstouserscreatesatieredadministration,wheresomebutnotall administrativedutiescanbecarriedoutbydesignatedindividuals. Chapter5SecuringLocalServerAccounts 77 Toassignpermissions: 1 OpenServerAdmin. 2 Selectaserver,clicktheSettingsbuttoninthetoolbar,andthenclicktheAccesstab. 3 ClicktheAdministratorstab. 4 Selectwhethertodefineadministrativepermissionsforallservicesontheserverorfor selectservices. 5 Ifyoudefinepermissionsbyservice,selecttherelatedcheckboxforeachserviceyou wanttoturnon. Ifyoudefinepermissionsbyservice,besuretoassignadministratorstoallactive servicesontheserver. 6 ClicktheAdd(+)buttontoaddauserorgroupfromtheusersandgroupwindow. Toremoveadministrativepermissions,selectauserorgroupandclicktheRemove(-) button. 7 Foreachuserorgroup,selectthepermissionslevelnexttotheuserorgroupname. YoucanchooseMonitororAdminister. ThecapabilitiesofServerAdmintoadministertheserverarelimitedbythissetting whentheserverisaddedtotheServerlist. AvoidingSharedAdministratorAccounts Avoidcreatingaccountsthataresharedbyseveraladministrators.Individualaccounts maintainaccountability.Eachusershouldhavehisorherownaccount. Systemlogscantrackactivitiesforeachuseraccount,butifseveraluserssharethe sameaccount,itbecomesdifficulttotrackwhichuserperformedanactivity.For example,ifseveraladministratorsshareasingleadministratoraccount,itbecomes hardertotrackwhichadministratorperformedaspecificaction. Ifsomeonecompromisesasharedadministratoraccount,itislesslikelytobenoticed. Usersmightmistakemaliciousactionsperformedbyanintruderforlegitimateactions byanadministratorsharingtheaccount. SecuringtheDirectoryDomainAdministratorAccount AdirectorydomaincanresideonacomputerrunningSnowLeopardServer(for example,theLDAPfolderofanOpenDirectorymaster,orotherread/writedirectory domain)oritcanresideonanon-Appleserver(forexample,anon-AppleLDAPor ActiveDirectoryserver).Onlyadirectorydomainadministratorcanchangethe directorydomain,includingthemanagedaccountsinthedirectorydomain. Whenconfiguringadirectorydomainadministratoraccount,followthesamesecurity guidelinesasyouwouldwithanyotheradministratoraccount. 78 Chapter5SecuringLocalServerAccounts ChangingSpecialAuthorizationsforSystemFunctions Youcanmodifythe/etc/authorizationconfigurationfiletochangeauthorizationsfor administratorsandstandardusers. WARNING:Changestothisfilecanhaveunanticipatednegativeresults.Editwith caution. Tomodifyauthorizationbychangingthe/etc/authorizationfile: 1 Editthe/etc/authorizationfileusingthepicotool,whichallowsforsafeediting ofthefile. Thecommandmustberunasroot: sudo pico /etc/authorization 2 Whenprompted,entertheadministratorpassword. Thisdisplaysapropertylistforauthorization,listingallavailablekeys. 3 Locatethekeyyouwanttomodify. Forexample,tochangewhohasaccesstounlockthescreensaver,modifythe system.login.screensaverkeybychangingtherule: <key>rule</key> <string>authenticate-session-owner-or-admin</string> to <key>rule</key> <string>authenticate-session-owner</string> Doingthisrestrictstheadministratorfromunlockingthescreensaver. 4 Saveandquitpico. SecuringtheSystemAdministratorAccount ThemostpowerfuluseraccountinSnowLeopardisthesystemadministratoror rootaccount.Bydefault,therootaccountonSnowLeopardServerisenabledand usesthesamepasswordasthefirstcreatedadminuser.Youshoulddisableit usingthefollowingcommand: dsenableroot -d Important:Thesystemadministratororrootaccountshouldonlybeusedwhen absolutelynecessary. ThemostpowerfuluseraccountinMacOSXisthesystemadministratororroot account.Bydefault,therootaccountonMacOSXisdisabledanditisrecommended youdonotenableit. Chapter5SecuringLocalServerAccounts 79 TherootaccountisprimarilyusedforperformingUNIXcommands.Generally, actionsthatinvolvecriticalsystemfilesrequireyoutoperformthoseactionsasroot. However,usingthesudocommand,itispossibletoperformroot-levelactionson anas-neededbasis. IfyouareloggedinasaSnowLeopardServeradministrator,youperformcommands asrootbyusingthesudocommand.SnowLeopardServerlogsactionsperformed usingthesudocommand.Thishelpsyoutrackmisuseofthesudocommandon acomputer.Keepinmindthattheselogscanbeeditediftheyarestoredlocally,so onlygrantsudoprivilegestotrustedusers. Youcanusethesucommandtologintothecommandlineasanotheruserifyou havethatuser’spassword.Thisincludestherootuser,iftherootaccountisenabled. Whenyouareloggedinasroot,youcanusethesucommandtochangeusers withoutapassword. Ifmultipleuserscanloginasroot,youcannottrackwhichuserperformedrootactions. Donotallowdirectrootlogin,becausethelogscannotidentifywhichadministrator loggedin.Instead,loginusingaccountswithadministratorprivilege,andthenusethe sudocommandtoperformactionsasroot. Iftherootaccountisenabled,youcandisableitbyusinganadministrativeaccount andthedsenablerootcommand.Forexample,thefollowingcommanddisablesthe rootaccount. sudo dsenableroot -d ForinstructionsabouthowtorestrictrootuseraccessinDirectoryUtility,open MacHelpandsearchfor“DirectoryUtility.” RestrictingsudoUsage Bydefault,sudoisenabledforadministratorusers.Fromthecommandline,youcan disablerootloginorrestricttheuseofsudo.Limittheadministratorsallowedtouse sudotothosewhoneedtoruncommandsasroot. Thecomputerusesafilenamed/etc/sudoerstodeterminewhichuserscanusesudo. Youcanmodifyrootuseraccessbychangingthe/etc/sudoersfiletorestrictsudo accesstospecificaccounts,andallowthoseaccountstoperformspecificallyallowed commands.Thisgivesyoucontroloverwhatuserscandoasroot. Torestrictsudousagebychangingthe/etc/sudoersfile: 1 Astherootuser,usethefollowingcommandtoeditthe/etc/sudoersfile,whichallows forsafeeditingofthefile. sudo visudo 80 Chapter5SecuringLocalServerAccounts 2 Whenprompted,entertheadministratorpassword. Thereisatimeoutvalueassociatedwithsudo.Thisvalueindicatesthenumberof minutesuntilsudopromptsforapasswordagain.Thedefaultvalueis5,whichmeans thatafterissuingthesudocommandandenteringthecorrectpassword,additional sudocommandscanbeenteredfor5minuteswithoutreenteringthepassword. Thisvalueissetinthe/etc/sudoersfile.Formoreinformation,seethesudoandsudoers manpages. 3 IntheDefaultsspecificationsectionofthefile,addthefollowinglines. Defaults timestamp_timeout=0 Defaults tty_tickets Theselineslimittheuseofthesudocommandtoasinglecommandper authenticationandalsoensurethat,evenifatimeoutisactivated,latersudo commandsarelimitedtotheterminalwhereauthenticationoccurred. 4 Restrictwhichadministratorsareallowedtorunsudobyremovingthelinethatbegins with%adminandaddthefollowingentryforeachuser,substitutingtheuser’sshort namefortheworduser: user ALL=(ALL) ALL Doingthismeansthatwhenanadministratorisaddedtothecomputer,the administratormustbeaddedtothe/etc/sudoersfileasdescribed,iftheadministrator needstousesudo. 5 Saveandquitvisudo. Formoreinformation,entermanpicoormanvisudoinaTerminalwindow.For informationabouthowtomodifythe/etc/sudoersfile,seethesudoersmanpage. UnderstandingDirectoryDomains Useraccountsarestoredinadirectorydomain.Yourpreferencesandaccount attributesaresetaccordingtotheinformationstoredinthedirectorydomain. Localaccountsarehostedinalocaldirectorydomain.Whenyoulogintoalocal account,youauthenticatewiththatlocaldirectorydomain.Userswithlocalaccounts typicallyhavelocalhomefolders.Whenausersavesfilesinalocalhomefolder,the filesarestoredlocally.Tosaveafileoverthenetwork,theusermustconnecttothe networkanduploadthefile. Networkaccountsarehostedinanetworkdirectorydomain,suchasaLightweight DirectoryAccessProtocol(LDAP)orNetworkInformationService(NIS)directory.When youlogintoanetworkaccount,youauthenticatewiththenetworkdirectorydomain. Userswithnetworkaccountstypicallyhavenetworkhomefolders.Whentheysavefiles intheirnetworkhomefolders,thefilesarestoredontheserver. Chapter5SecuringLocalServerAccounts 81 Mobileaccountscacheauthenticationinformationandmanagedpreferences.Auser’s authenticationinformationismaintainedonthedirectoryserverbutiscachedonthe localcomputer.Withcachedauthenticationinformation,ausercanloginusingthe sameusernameandpassword(oradigitaltoken,smartcard,orbiometricreader), eveniftheuserisnotconnectedtothenetwork. Userswithmobileaccountshavelocalandnetworkhomefoldersthatcombinetoform portablehomedirectories.Whenuserssavefiles,thefilesarestoredinalocalhome folder.Theportablehomedirectoryisasynchronizedsubsetofauser’slocaland networkhomefolders.Forinformationaboutprotectingyourhomefolder,see Chapter8,“SecuringDataandUsingEncryption.” UnderstandingNetworkServices,Authentication,andContacts YoucanuseDirectoryUtilitytoconfigureyourcomputertouseanetworkdirectory domain.DirectorysearchservicesthatarenotusedshouldbedisabledintheServices paneofDirectoryUtility. DirectoryUtilitycanbeaccessedfromAccountpreferencesbyclickingLoginOptions andthenclickingJoinorEditandthenclickingOpenDirectoryUtility. YoucanenableordisableeachkindofdirectoryserviceprotocolinDirectoryUtility. SnowLeopardServerdoesn’taccessdisableddirectoryservices,exceptforthelocal directorydomain,whichisalwaysaccessed.Inadditiontoenablinganddisabling services,youcanuseDirectoryUtilitytochoosethedirectorydomainsyouwantto authenticatewith. DirectoryUtilitydefinestheauthenticationsearchpolicythatSnowLeopardusesto locateandretrieveuserauthenticationinformationandotheradministrativedatafrom directorydomains. Theloginwindow,Finder,andotherpartsofSnowLeopardusethisauthentication informationandadministrativedata.Fileservice,mailservice,andotherservices providedbyMacOSXServeralsousethisinformation. DirectoryUtilityalsodefinesthecontactssearchpolicythatSnowLeopardusesto locateandretrievename,address,andothercontactinformationfromdirectory domains.AddressBookcanusethiscontactinformation,andotherapplicationscanbe programmedtouseitaswell. Theauthenticationandcontactssearchpolicyconsistsofalistofdirectorydomains (alsoknownasdirectorynodes).Theorderofdirectorydomainsinthelistdefinesthe searchpolicy. 82 Chapter5SecuringLocalServerAccounts Startingatthetopofthelist,SnowLeopardServersearcheseachlisteddirectory domaininturnuntilitfindstheinformationitneedsorreachestheendofthelist withoutfindingtheinformation. FormoreinformationaboutusingDirectoryUtility,seeOpenDirectoryAdministration. ConfiguringLDAPv3Access SnowLeopardServerprimarilyusesOpenDirectoryasitsnetwork-baseddirectory domain.OpenDirectoryusesLDAPv3asitsconnectionprotocol.LDAPv3includes severalsecurityfeaturesthatyoushouldenableifyourserversupportsthem.Enabling everyLDAPv3securityfeaturemaximizesyourLDAPv3security. Tomakesureyoursettingsmatchyournetwork’srequiredsettings,contactyour networkadministrator.Wheneverpossible,allLDAPconnectionsshouldbeconfigured tobeencryptedusingSSL. WhenconfiguringLDAPv3,donotaddDHCP-suppliedLDAPserverstoautomatic searchpoliciesifyoucannotsecurethenetworkthecomputerisrunningon.Ifyoudo, someonecancreatearogueDHCPserverandarogueLDAPdirectoryandthencontrol yourcomputerastherootuser. ForinformationaboutchangingthesecuritypolicyforanLDAPconnectionorabout protectingcomputersfrommaliciousDHCPservers,seeOpenDirectoryAdministration. ConfiguringActiveDirectoryAccess LeopardsupportsmutualauthenticationwithActiveDirectoryservers.Kerberosisa ticket-basedsystemthatenablesmutualauthentication.Theservermustidentifyitself byprovidingatickettoyourcomputer.Thispreventsyourcomputerfromconnecting torogueservers. Leopardalsosupportsdigitalsigningandencryptedpacketsecuritysettingsusedby ActiveDirectory.Thesesettingareenabledbydefault. MutualauthenticationoccurswhenyoubindtoActiveDirectoryservers. Ifyou’reconnectingtoanActiveDirectoryserverwithHighlySecure(HISEC)templates enabled,youcanusethird-partytoolstofurthersecureyourActiveDirectory connection. WhenyouconfigureActiveDirectoryaccess,thesettingsyouchoosearegenerally dictatedbytheActiveDirectoryserver’ssettings.Tomakesureyoursettingsmatch yournetwork’srequiredsettings,contactyournetworkadministrator. Chapter5SecuringLocalServerAccounts 83 Donotuse“Allowadministrationby”settinginsensitiveenvironments.Itcancause untendedprivilegeescalationissuesbecauseanymemberofthegroupspecifiedwill haveadministratorprivilegesonyourcomputer.Additionally,youshouldonlyconnect totrustednetworks. FormoreinformationaboutusingDirectoryUtilitytoconnecttoActiveDirectory servers,seeOpenDirectoryAdministration. UsingStrongAuthentication Authenticationistheprocessofverifyingtheidentityofauser.SnowLeopardServer supportslocalandnetwork-basedauthenticationtoensurethatonlyuserswithvalid authenticationcredentialscanaccessthecomputer’sdata,applications,andnetwork services. Youcanrequirepasswordstologin,towakethecomputerfromsleeporfromascreen saver,toinstallapplications,ortochangesystemsettings.SnowLeopardServeralso supportsauthenticationmethodssuchassmartcards,digitaltokens,andbiometric readers. Strongauthenticationiscreatedbyusingcombinationsofthefollowingauthentication dimensions:  Whattheuserknows,suchasapasswordorPINnumber  Whattheuserhas,suchasaonetimepassword(OTP)tokenorsmartcard,  Whattheuseris,suchasafingerprint,retinascan,orDNAsample Usingacombinationofthesedimensionsmakesauthenticationmorereliableanduser identificationmorecertain. UsingPasswordAssistanttoGenerateorAnalyzePasswords MacOSXincludesPasswordAssistant,anapplicationthatanalyzesthecomplexityofa passwordorgeneratesacomplexpasswordforyou.Youcanspecifythelengthand typeofpasswordyou’dliketogenerate. Youcanchoosefromthefollowingtypesofpasswords:  Manual:YouenterapasswordandthenPasswordAssistantgivesyouthequality levelofyourpassword.Ifthequalitylevelislow,PasswordAssistantgivestipsfor increasingthequalitylevel.  Memorable:Accordingtoyourpasswordlengthrequirements,PasswordAssistant generatesalistofmemorablepasswordsintheSuggestionmenu.  Letters&Numbers:Accordingtoyourpasswordlengthrequirements,Password Assistantgeneratesalistofpasswordswithacombinationoflettersandnumbers.  NumbersOnly:Accordingtoyourpasswordlengthrequirements,Password Assistantgeneratesalistofpasswordscontainingonlynumbers. 84 Chapter5SecuringLocalServerAccounts  Random:Accordingtoyourpasswordlengthrequirements,PasswordAssistant generatesalistofpasswordscontainingrandomcharacters.  FIPS-181compliant:Accordingtoyourpasswordlengthrequirements,Password AssistantgeneratesapasswordthatisFIPS-181compliant(whichincludesmixed upperandlowercase,punctuation,andnumbers). YoucanopenPasswordAssistantfromsomeapplications.Forexample,whenyou createanaccountorchangepasswordsinAccountspreferences,youcanusePassword Assistanttohelpyoucreateasecurepassword. UsingKerberos Kerberosisanauthenticationprotocolusedforsystemwidesinglesign-on,allowing userstoauthenticatetomultipleserviceswithoutreenteringpasswordsorsending themoverthenetwork.Everysystemgeneratesitsownprincipals,allowingittooffer secureservicesthatarefullycompatiblewithotherKerberos-basedimplementations. Note:SnowLeopardServersupportsKerberosv5butdoesnotsupportKerberosv4. SnowLeopardServerusesKerberostomakeiteasiertoshareserviceswithother computers.Akeydistributioncenter(KDC)serverisnotrequiredtouseKerberos authenticationbetweentwocomputersrunningSnowLeopardServer. WhenyouconnecttoacomputerthatsupportsKerberos,youaregrantedaticketthat permitsyoutocontinuetouseservicesonthatcomputer,withoutreauthentication, untilyourticketexpires. Forexample,considertwocomputersrunningSnowLeopardServernamed“Mac01” and“Mac02.”Mac02hasscreensharingandfilesharingturnedon.IfMac01connectsto asharedfolderonMac02,Mac01cansubsequentlyconnecttoscreensharingon Mac02withoutsupplyinglogincredentialsagain. ThisKerberosexchangeisonlyattemptedifyouconnectusingBonjourifyounavigate tothecomputerinFinder,oryouusetheGomenuinFindertoconnecttoaserver usingthelocalhostnameofthecomputername. Normally,afteryourcomputerobtainsaKerberosticketinthismanner,keepthat Kerberosticketuntilitexpires.However,ifyouwanttomanuallyremoveyourKerberos ticket,youcandosousingtheKerberosutilityinSnowLeopardServer. TomanuallyremoveaKerberosticket: 1 OpenKeychainAccess(in/Applications/Utilities). 2 FromtheKeychainAccessmenu,chooseTicketViewer. 3 IntheKerberosapplication’sTicketCachewindow,findthekeythatlookslikethis: yourusername@LKDC:SHA1... Itisfollowedbyalongstringofalphanumericcharacters. Chapter5SecuringLocalServerAccounts 85 4 Click“DestroyTicket”todeletethatkey. Youcanalsousethekinit,kdestroy,andkpasswdcommandstomanageKerberos tickets.Formoreinformation,seethekinit,kdestroy,andkpasswdmanpages. UsingSmartCards Asmartcardisaplasticcard(similarinsizetoacreditcard)orUSBdonglethathas memoryandamicroprocessorembeddedinit.Thesmartcardcanstoreandprocess informationsuchaspasswords,certificates,andkeys. Themicroprocessorinsidethesmartcardcandoauthenticationevaluationoffline beforereleasinginformation. Beforethesmartcardprocessesinformation,youmustauthenticatewiththesmart cardbyaPINorbiometricmeasurement(suchasafingerprint),whichprovidesan additionallayerofsecurity. SmartcardsupportisintegratedintoSnowLeopardServerandcanbeconfiguredto workwiththefollowingservices:           Cryptographiclogin(localornetworkbasedaccounts) UnlockofFileVaultenabledaccounts Unlockkeychains Signedandencryptedemail(S/MIME) Securingwebaccess(HTTPS) VPN(L2TP,PPTP,SSL) 802.1X Screensaverunlock Systemadministration KeychainAccess UsingTokens Youcanuseadigitaltokentoidentifyauserforcommerce,communication,oraccess control.Thistokencanbegeneratedbysoftwareorhardware. SomecommontokensaretheRSASecurIDandtheCRYPTOCardKT-1devices.These hardwaredevicesgeneratetokenstoidentifytheuser.Thegeneratedtokensare specifictothatuser,sotwouserswithdifferentRSASecurIDsordifferentCRYPTOCard KT-1shavedifferenttokens. Youcanusetokensfortwo-factorauthentication.Two-factorreferstoauthenticating throughsomethingyouhave(suchasaone-time-passwordtoken)andsomethingyou know(suchasafixedpassword).Theuseoftokensincreasesthestrengthofthe authentication.TokensarefrequentlyusedforVPNauthentication. 86 Chapter5SecuringLocalServerAccounts UsingBiometrics MacOSXsupportsbiometricsauthenticationtechnologiessuchasthumbprintreaders. Password-protectedwebsitesandapplicationscanbeaccessedwithoutrequiringthe usertorememberalonglistofpasswords. Somebiometricdevicesallowyoutoauthenticatebyplacingyourfingeronapad. Unlikeapassword,yourfingerprintcanneverbeforgottenorstolen.Fingerprint identificationprovidespersonalauthenticationandnetworkaccess. Theuseofbiometricscanenhanceauthenticationbyusingsomethingthatisapartof you(suchasyourfingerprint). SettingGlobalPasswordPolicies Toconfigureapasswordpolicythatcanapplygloballyortoindividualusers,usethe pwpolicycommand-linetool. GlobalpasswordpoliciesarenotimplementedinMacOSX;instead,passwordpolicies aresetforeachuseraccount. Youcansetspecificrulesgoverningthesizeandcomplexityofacceptablepasswords. Forexample,youcanspecifyrequirementsforthefollowing:  Minimumandmaximumcharacterlength  Alphabeticandnumericcharacterinclusion  Maximumnumberoffailedloginsbeforeaccountlockout Torequirethatanauthenticator’spasswordbeaminimumof12charactersandhave nomorethan3failedloginattempts,enterthefollowinginaTerminalwindow: sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=12 maxFailedLoginAttempts=3” Foradvancedpasswordpolicies,usePasswordServerinMacOSXServer.Youcanuseit tosetglobalpasswordpoliciesthatspecifyrequirementsforthefollowing:  Passwordexpirationduration  Specialcharacterinclusion  Mixed-casecharacterinclusion  Passwordreuselimits Youcanusepwpolicytosetapasswordpolicythatmeetsyourorganization’spassword standards.Formoreinformationabouthowtousepwpolicy,enterman pwpolicyina Terminalwindow. Chapter5SecuringLocalServerAccounts 87 StoringCredentialsinKeychains SnowLeopardServerincludesKeychainAccess,anapplicationthatmanages collectionsofpasswordsandcertificatesinasinglecredentialstorecalledakeychain. Eachkeychaincanholdacollectionofcredentialsandprotectthemwithasingle password. Keychainsstoreencryptedpasswords,certificates,andotherprivatevalues(called securenotes).Thesevaluesareaccessibleonlybyunlockingthekeychainusingthe keychainpasswordandonlybyapplicationsthatareapprovedandaddedtotheaccess controlapplicationlist. Youcancreatemultiplekeychains,eachofwhichappearsinakeychainlistinKeychain Access.Eachkeychaincanstoremultiplevalues.Eachvalueiscalledakeyitem.Youcan createakeyiteminanyuser-createdkeychain. Whenanapplicationmuststoreaniteminakeychain,itstoresitinthekeychain designatedasyourdefault.Thedefaultisnamed“login,”butyoucanchangethatto anyuser-createdkeychain.Thedefaultkeychainnameisdisplayedinbold. EachiteminakeychainhasanAccessControlList(ACL)thatcanbepopulatedwith applicationsthathaveauthoritytousethatkeychainitem.Afurtherrestrictioncanbe addedthatforcesanapplicationwithaccesstoconfirmthekeychainpassword. Themainissuewithrememberingpasswordsisthatyou’relikelytomakeallpasswords identicalorkeepawrittenlistofpasswords.Byusingkeychains,youcangreatlyreduce thenumberofpasswordsyouneedtoremember.Becauseyounolongerneedto rememberpasswordsformultipleaccounts,thepasswordsyouchoosecanbevery complexandcanevenberandomlygenerated. Keychainsprovideadditionalprotectionforpasswords,passphrases,certificates,and othercredentialsstoredonthecomputer.Insomecases,suchasusingacertificateto signamailmessage,thecertificatemustbestoredinakeychain. Ifacredentialmustbestoredonthecomputer,storeandmanageitusingKeychain Access.Checkyourorganization’spolicyonkeychainuse. Duetothesensitivenatureofkeychaininformation,keychainsusecryptographyto encryptanddecryptsecrets,andtheysafelystoresecretsandrelateddatainfiles. SnowLeopardServerKeychainservicesenableyoutocreatekeychainsandprovide securestorageofkeychainitems.Afterakeychainiscreated,youcanadd,delete,and editkeychainitems,suchaspasswords,keys,certificates,andnotes.Ausercanunlock akeychainwithasinglepasswordandapplicationscanthenusethatkeychaintostore andretrievedata,suchaspasswords. 88 Chapter5SecuringLocalServerAccounts Note:Youcanusethesecurityandsystemkeychaincommandstoadminister keychains,manipulatekeysandcertificates,anddojustaboutanythingtheSecurity frameworkcando.Formoreinformationaboutthiscommand,seeitsmanpage. UsingtheDefaultUserKeychain Whenauser’saccountiscreated,adefaultkeychainnamed“login”iscreatedforthat user.Thepasswordfortheloginkeychainisinitiallysettotheuser’sloginpassword andisunlockedwhentheuserlogsin.Itremainsunlockedunlesstheuserlocksit,or untiltheuserlogsout. Youshouldchangethesettingsfortheloginkeychainsotheusermustunlockitwhen heorshelogsin,orafterwakingthecomputerfromsleep. Tosecuretheloginkeychain: 1 OpenKeychainAccess. 2 Ifyoudonotseealistofkeychains,clickShowKeychains. 3 Selecttheloginkeychain. 4 ChooseEdit>ChangePasswordforKeychain“login.” 5 Enterthecurrentpassword,andcreateandverifyapasswordfortheloginkeychain. Afteryoucreatealoginkeychainpasswordthatisdifferentfromthenormallogin password,yourkeychainisnotunlockedatlogin. Tohelpyoucreateamoresecurepassword,usePasswordAssistant.Forinformation, see“UsingPasswordAssistanttoGenerateorAnalyzePasswords”onpage84. 6 ChooseEdit>ChangeSettingsforKeychain“login.” 7 Select“Lockwhensleeping.” 8 Deselect“SynchronizethiskeychainusingMobileMe.” 9 Secureeachloginkeychainitem. Forinformation,see“SecuringKeychainsandTheirItems”onpage91. CreatingAdditionalKeychains Whenauseraccountiscreated,itcontainsonlytheinitialdefaultkeychainnamed “login.”Ausercancreateadditionalkeychains,eachofwhichcanhavedifferent settingsandpurposes. Forexample,ausermightwanttogroupcredentialsformailaccountsintoone keychain.Becausemailprogramsquerytheserverfrequentlytocheckformail,it isnotpracticalfortheusertoreauthenticatewhensuchacheckisperformed. Theusercancreateakeychainandconfigureitssettings,sothatheorsheisrequired toenterthekeychainpasswordatloginandwheneverthecomputerisawakened fromsleep. Chapter5SecuringLocalServerAccounts 89 Heorshecanthenmoveallitemscontainingcredentialsformailapplicationsinto thatkeychainandseteachitemsothatonlythemailapplicationassociatedwiththat credentialcanautomaticallyaccessit.Thisforcesotherapplicationstoauthenticate toaccessthatcredential. Configuringakeychain’ssettingsforusebymailapplicationsmightbeunacceptable forotherapplications.Ifauserhasaninfrequentlyusedweb-basedaccount,it ismoreappropriatetostorekeychainsettingsinakeychainconfiguredtorequire reauthenticationforeveryaccessbyanyapplication. Youcanalsocreatemultiplekeychainstoaccommodatevaryingdegreesofsensitivity. Byseparatingkeychainsbasedonsensitivity,youpreventtheexposureofsensitive credentialstolesssensitiveapplicationswithcredentialsonthesamekeychain. Tocreateakeychainandcustomizeitsauthenticationsettings: 1 InKeychainAccess,chooseFile>NewKeychain. 2 Enteraname,selectalocationforthekeychain,andclickCreate. 3 Enterapassword,verifyit,andclickOK. 4 Ifyoudonotseealistofkeychains,clickShowKeychains. 5 Selectthenewkeychain. 6 ChooseEdit>ChangeSettingsforkeychain“keychain_name,”andauthenticate,if requested. 7 Changethe“Lockafter#minutesofinactivity”settingbasedontheaccessfrequency ofthesecuritycredentialsincludedinthekeychain. Ifthesecuritycredentialsareaccessedfrequently,donotselect“Lockafter#minutesof inactivity.” Ifthesecuritycredentialsareaccessedfrequently,select“Lockafter#minutesof inactivity”andselectavalue,suchas15.Ifyouuseapassword-protectedscreensaver, considersettingthisvaluetotheidletimerequiredforyourscreensavertostart. Ifthesecuritycredentialsareaccessedinfrequently,select“Lockafter#minutesof inactivity”andspecifyavalue,suchas1. 8 Select“Lockwhensleeping.” 9 Dragthesecuritycredentialsfromotherkeychainstothenewkeychainand authenticate,ifrequested. Youshouldhavekeychainsthatonlycontainrelatedcertificates.Forexample,you canhaveamailkeychainthatonlycontainsmailitems. 90 Chapter5SecuringLocalServerAccounts 10 Ifyouareaskedtoconfirmaccesstothekeychain,enterthekeychainpasswordand clickAllowOnce. Afterconfirmingaccess,KeychainAccessmovesthesecuritycredentialtothe newkeychain. 11 Secureeachiteminthesecuritycredentialsforyourkeychain. SecuringKeychainsandTheirItems Keychainscanstoremultipleencrypteditems.Youcanconfigureitemssoonlyspecific applicationshaveaccess.(However,youcannotsetAccessControlforcertificates.) Tosecureakeychainitem: 1 InKeychainAccess,selectakeychainandthenselectanitem. 2 ClicktheInformation(i)button. 3 ClickAccessControlandthenauthenticateifrequested. 4 Select“Confirmbeforeallowingaccess.” Afteryouenablethisoption,SnowLeopardServerpromptsyoubeforegivinga securitycredentialtoanapplication. Ifyouselect“Allowallapplicationstoaccessthisitem,”youallowanyapplicationto accessthesecuritycredentialwhenthekeychainisunlocked.Whenaccessingthe securitycredential,thereisnouserprompt,soenablingthisisasecurityrisk. 5 Select“AskforKeychainpassword.” Afterenablingthis,youmustprovidethekeychainpasswordbeforeapplicationscan accesssecuritycredentials. Enablingthisisimportantforcriticalitems,suchasyourpersonalidentity(yourpublic keycertificatesandthecorrespondingprivatekey),whichareneededwhensigningor decryptinginformation.Theseitemscanalsobeplacedintheirownkeychains. 6 Removenontrustedapplicationslistedin“Alwaysallowaccessbytheseapplications” byselectingeachapplicationandclickingtheRemove(–)button. Applicationslistedhererequiretheusertoenterthekeychainpasswordtoaccess securitycredentials. UsingSmartCardsasKeychains SnowLeopardServerintegratessupportforhardware-basedsmartcardsasdynamic keychainswhereanyapplicationusingkeychainscanaccessthatsmartcard.Asmart cardcanbethoughtofasaportableprotectedkeychain. Smartcardsareseenbytheoperatingsystemasdynamickeychainsandareaddedto thetopoftheKeychainAccesslist.Theyarethefirstsearchedinthelist.Theycanbe treatedasotherkeychainsontheuser’scomputer,withthelimitationthatuserscan’t addothersecureobjects. Chapter5SecuringLocalServerAccounts 91 Whenyouattachasupportedsmartcardtoyourcomputer,itappearsinKeychain Access.Ifmultiplesmartcardsareattachedtoyourcomputer,theyappearatthetopof thekeychainlistalphabeticallyasseparatekeychains. YoucanmanuallyunlockandchangethePINusingKeychainAccess.Whenchanging thePINonyoursmartcarditisthesameaschangingthepasswordonaregular keychain. InKeychainAccess,selectyoursmartcardandunlockitbydouble-clickingit.Ifitisnot unlocked,youarepromptedtoenterthepasswordforthesmartcard,whichisthe sameasthePIN.EnterthePINandKeychainAccesstoviewthePIN-protecteddataon thatsmartcard. UsingPortableandNetworkKeychains Ifyou’reusingaportablecomputer,considerstoringyourkeychainsonaportable drive,suchasaUSBflashmemorydrive.Youcanremovetheportabledrivefromthe portablecomputerandstoreitseparatelywhenthekeychainsarenotinuse. Anyoneattemptingtoaccessdataontheportablecomputerneedstheportable computer,portabledrive,andpasswordforthekeychainstoredontheportabledrive. Thisprovidesanextralayerofprotectionifthelaptopisstolenormisplaced. Touseaportabledrivetostorekeychains,moveyourkeychainfilestotheportable driveandconfigureKeychainAccesstousethekeychainsontheportabledrive. Thedefaultlocationforyourkeychainis~/Library/Keychains/.However,youcanstore keychainsinotherlocations. YoucanfurtherprotectportablekeychainsbystoringthemonbiometricUSBflash memorydrives,orbystoringportabledrivecontentsinanencryptedfile.For information,see“EncryptingPortableFiles”onpage155. Checkwithyourorganizationtoseeiftheyallowportabledrivestostorekeychains. Tosetupakeychainforusefromaportabledrive: 1 OpenKeychainAccess. 2 Ifyoudonotseealistofkeychains,clickShowKeychains. 3 ChooseEdit>KeychainList. 4 Notethelocationofthekeychainyouwanttosetup. Thedefaultlocationis~/Library/Keychains/. 5 ClickCancel. 6 Selectthekeychainyouwantsetup. 7 ChooseFile>DeleteKeychain“keychain_name.” 92 Chapter5SecuringLocalServerAccounts 8 ClickDeleteReferences. 9 Copythekeychainfilesfromthepreviouslynotedlocationtotheportabledrive. 10 MovethekeychaintotheTrashanduseSecureEmptyTrashtosecurelyerasethe keychainfilestoredonthecomputer. Forinformation,see“UsingSecureEmptyTrash”onpage160. 11 OpenFinderanddouble-clickthekeychainfileonyourportabledrivetoaddittoyour keychainsearchlist. Chapter5SecuringLocalServerAccounts 93 6 SecuringSystemPreferences 6 UsethischaptertosetSnowLeopardServersystem preferencestoenhancesystemsecurityandfurtherprotect againstattacks. SystemPreferenceshasmanyconfigurablepreferencesthatyoucanusetocustomize systemsecurity.YoucanalsomanagethesepreferencesusingWorkgroupManager. SystemPreferencesOverview SnowLeopardServerincludessystempreferencesthatyoucanusetocustomize security.Whenmodifyingsettingsforoneaccount,makesureyoursettingsare mirroredonallotheraccounts,unlessthereisanexplicitneedfordifferentsettings. YoucanviewsystempreferencesbychoosingApple>SystemPreferences.Inthe SystemPreferenceswindow,clickapreferencetoviewit. Somecriticalpreferencesrequirethatyouauthenticatebeforeyoumodifytheir settings.Toauthenticate,youclickthelock(seetheimagesbelow)andenter anadministrator’snameandpassword(oruseadigitaltoken,smartcard,or biometricreader). Ifyouloginasauserwithadministratorprivileges,thesepreferencesareunlocked unlessyouselect“RequirepasswordtounlockeachSystemPreferencespane”in Securitypreferences.Formoreinformation,see“SecuringSecurityPreferences”on page122. 94 Ifyouloginasastandarduser,thesepreferencesremainlocked.Afterunlocking preferences,youcanlockthemagainbyclickingthelock. Preferencesthatrequireauthenticationincludethefollowing:  Accounts  Date&Time  EnergySaver  MobileMe  Network  Print&Fax  Security  Sharing  StartupDisk  TimeMachine ThischapterlistseachsetofpreferencesincludedwithSnowLeopardServerand describesmodificationsrecommendedtoimprovesecurity. Chapter6SecuringSystemPreferences 95 SecuringMobileMePreferences MobileMeisasuiteofInternettoolsthathelpyousynchronizedataandother importantinformationwhenyou’reawayfromthecomputer. Insensitiveenvironmentsdon’tuseMobileMe.Ifyoumuststorecriticaldata,onlystore itonyourlocalcomputer.Youshouldonlytransferdataoverasecurenetwork connectiontoasecureinternalserver. IfyouuseMobileMe,enableitonlyforuseraccountsthatdon’thaveaccesstocritical data.AvoidenablingMobileMeforadministratororrootuseraccounts. LeavetheoptionsdisabledintheSyncpaneofMobileMepreferences(shownbelow). 96 Chapter6SecuringSystemPreferences LeaveRegisteredComputerforsynchronizationblankintheAdvancedsettingsofthe Syncpane(shownbelow). LeaveiDiskSyncing(shownbelow)disabledbydefault.IfyoumustuseaPublicfolder, enablepasswordprotection. Chapter6SecuringSystemPreferences 97 TodisableMobileMepreferences: 1 OpenMobileMepreferences. 2 Deselect“SynchronizewithMobileMe.” 3 MakesuretherearenocomputersregisteredforsynchronizationintheAdvanced settingsoftheSyncpane. 4 MakesureiDiskSyncingisdisabledintheiDiskpane. Fromthecommandline: # # # # # # # # # # # # ------------------------------------------------------------------Securing System Preferences ------------------------------------------------------------------Securing MobileMe Preferences ------------------------Default Setting. If a MobileMe account is entered during setup, MobileMe is configured for that account. Use the following command to display current MobileMe settings. efaults -currentHost read com.apple.<Preferenceidentifier> Use the following command to view all current settings for currenHost. defaults -currentHost read # Suggested Setting. #Disable Sync options. sudo defaults -currentHost write com.apple.DotMacSync ShouldSyncWithServer 1 # Disable iDisk Syncing. sudo defaults -currentHost write com.apple.idisk $USER_MirrorEnabled -bool no # Available Settings. # None 98 Chapter6SecuringSystemPreferences SecuringAccountsPreferences UseAccountspreferencestochangeorresetaccountpasswords(shownbelow), toenableParentalControls,ortomodifyloginoptionsforeachaccount. Youshouldimmediatelychangethepasswordofthefirstaccountthatwascreatedon yourcomputer.Ifyouareanadministrator,youcanresetotheruseraccountpasswords byselectingtheaccountandclickingResetPassword. Note:Ifyouareanadministrator,passwordpoliciesarenotenforcedwhenyouchange yourpasswordorwhenyouchangeanotheruser’spassword.Therefore,whenyouare changingpasswordsasanadministrator,makesureyoufollowthepasswordpolicyyou set.Formoreinformationaboutpasswordpolicies,see“SettingGlobalPassword Policies”onpage87. Chapter6SecuringSystemPreferences 99 Thepasswordchangedialogandtheresetdialog(shownbelow)provideaccessto PasswordAssistant,anapplicationthatcananalyzethestrengthofyourpasswordand assistyouincreatingamoresecurepassword.Formoreinformation,see“Using PasswordAssistanttoGenerateorAnalyzePasswords”onpage84. Considerthefollowingloginguidelines:  Disableautomaticloginifenabled.  Requirethattheuserenteranameandapassword,andthattheuserauthenticate withouttheuseofapasswordhint.  DisableRestart,Sleep,andShutDownbuttons—theusercannotrestartthe computerwithoutpressingthepowerkeyorloggingin.  Disablefastuserswitchingifenabled—itisasecurityriskbecauseitallowsmultiple userstobesimultaneouslyloggedintoacomputer. AlthoughtheuseofFastUserSwitchingisconvenientwhenyouhavemultipleusers onasinglecomputer,therearecasesinwhichyoumaynotwanttoenableit. FastUserSwitchingallowsmultipleuserstologinsimultaneously.Thismakesitdifficult totrackuseractionsandallowsuserstorunmaliciousapplicationsinthebackground whileanotheruserisusingthecomputer. Also,someexternalvolumesattachedtothecomputeraremountedwhenanother userlogsin,grantingallusersaccesstothevolumeandignoringaccesspermissions. Avoidcreatingaccountsthataresharedbyseveralusers.Individualaccountsmaintain accountability.Eachusershouldhavehisorherownstandardormanagedaccount. 100 Chapter6SecuringSystemPreferences Systemlogscantrackactivitiesforeachuseraccount,butifseveraluserssharethe sameaccount,itbecomesdifficulttotrackwhichuserperformedanactivity.Similarly,if severaladministratorsshareasingleadministratoraccount,itbecomeshardertotrack whichadministratorperformedaspecificaction. Ifsomeonecompromisesasharedaccountitislesslikelytobenoticed.Usersmight mistakemaliciousactionsperformedbyanintruderforlegitimateactionsbyauser sharingtheaccount. TosecurelyconfigureAccountspreferences: 1 OpenAccountspreferences. 2 SelectyouraccountandclickthePasswordtab;thenchangethepasswordbyclicking theChangePasswordbutton. Amenuappearsaskingyoutoinputtheoldpassword,newpassword,verificationof thenewpassword,andapasswordhint. Toresetauser’saccountpassword,selecttheaccountandclickRestPasswordbutton. Thenenterthenewpasswordandverificationofthenewpassword,andleavethe passwordhintblank. 3 Donotenterapasswordhint,thenclicktheChangePasswordbutton. 4 ClickLoginOptions. Ascreensimilartothefollowingappears: 5 Under“Displayloginwindowas,”select“Nameandpassword”anddeselectallother options. Chapter6SecuringSystemPreferences 101 Fromthecommandline: # Securing Accounts Preferences # ----------------------------# Change an account's password on a client system. # Don’t use this command if other users are also logged in. sudo dscl /LDAPv3/127.0.0.1 passwd /Users/$User_name $Oldpass $Newpass # Change an account's password on a server. # Don't use this command if other users are also logged in. sudo dscl . passwd /Users/$User_name $Oldpass $Newpass # Make sure there is no password hint set. sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 # Disable Show the Restart, Sleep, and ShutDown Buttons. sudo defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisable -bool yes # Disable fast user switching. This command does not prevent multiple users # from being logged in. sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO # Disable Automatic login. sudo defaults write /Library/Preferences/.GlobalPreferences\ com.apple.userspref.DisableAutoLogin -bool yes SecuringAppearancePreferences Onemethodtosecureappearancepreferencesistochangethenumberofrecent itemsdisplayedintheApplemenutoNone. Recentitemsareapplications,documents,andserversthatyou’verecentlyused.You canaccessrecentitemsbychoosingApple>RecentItems. Ifintrudersgainaccesstoyourcomputer,theycanuserecentitemstoquicklyview yourmostrecentlyaccessedfiles.Additionally,intruderscanuserecentitemstoaccess authenticationmechanismsforserversifthecorrespondingkeychainsareunlocked. Removingrecentitemsprovidesaminimalincreaseinsecurity,butitcandetervery unsophisticatedintruders. 102 Chapter6SecuringSystemPreferences TosecurelyconfigureAppearancepreferences: 1 OpenAppearancepreferences. Ascreensimilartothefollowingappears: 2 Setall“NumberofRecentItems”preferencestoNone. Fromthecommandline: # # # # Securing Appearance Preferences ----------------------------Default Setting. MaxAmount 10 # Suggested Setting. # Disable display of recent applications. sudo defaults write com.apple.recentitems Applications -dict MaxAmount 0 # Available Settings. # MaxAmount 0,5,10,15,20,30,50 SecuringBluetoothPreferences Bluetoothallowswirelessdevices,suchaskeyboards,mice,andmobilephones,to communicatewiththecomputer.IfthecomputerhasBluetoothcapability,Bluetooth preferencesbecomeavailable.Ifyoudon’tseeBluetoothpreferences,youcannotuse Bluetooth. Chapter6SecuringSystemPreferences 103 Note:Somehighsecurityareasdonotallowradiofrequency(RF)communicationsuch asBluetooth.Consultyourorganizationalrequirementsforpossiblefurther disablementofthecomponent. WhenyoudisableBluetoothinSystemPreferences,youmustdisableBluetoothfor everyuseraccountonthecomputer. ThisdoesnotpreventusersfromreenablingBluetooth.Youcanrestrictauseraccount’s privilegessotheusercannotreenableBluetooth,buttodothis,youremoveseveral importantuserabilities,liketheuser’sabilitytochangehisorherpassword.Formore information,see“TypesofUserAccounts”onpage71. Note:ToremoveBluetoothsupportforperipherals,see“RemovingBluetoothSupport Software”onpage55. TosecurelyconfigureBluetoothpreferences: 1 OpenBluetoothpreferences. Ascreensimilartothefollowingappears: 2 Deselect“On.” 104 Chapter6SecuringSystemPreferences Fromthecommandline: # # # # Securing Bluetooth Preferences ----------------------------Default Setting. Turn Bluetooth on. # Suggested Setting. # Turn Bluetooth off. sudo defaults write /Library/Preferences/com.apple.Bluetooth\ ControllerPowerState -int 0 # Available Settings. # 0 (OFF) or 1 (On) SecuringCDs&DVDsPreferences TosecureCDsandDVDs,donotallowthecomputertoperformautomaticactions whentheuserinsertsadisc. WhenyoudisableautomaticactionsinSystemPreferences,youmustdisablethese actionsforeveryuseraccountonthecomputer. Thisdoesnotpreventusersfromreenablingautomaticactions.Topreventtheuser fromreenablingautomaticactions,youmustrestricttheuser’saccountsotheuser cannotopenSystemPreferences.Formoreinformationonrestrictingaccounts,see “SecuringNonadministratorAccounts”onpage74. TosecurelyconfigureCDs&DVDspreferences: 1 OpenCDs&DVDspreferences. Ascreensimilartothefollowingappears: Chapter6SecuringSystemPreferences 105 2 DisableautomaticactionswheninsertingmediabychoosingIgnoreforeach pop-upmenu. Fromthecommandline: # # # # # # # # # Securing CDs & DVDs Preferences ----------------------------Default Setting. Preference file non existent: /Library/Preferences/com.apple.digihub Blank CD: “Ask what to do” Blank DVD: “Ask what to do” Music CD: “Open iTunes” Picture CD: “Open iPhoto” Video DVD: “Open DVD Player” # Suggested Setting. # Disable blank CD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1 # Disable music CD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1 # Disable picture CD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1 # Disable blank DVD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1 # Disable video DVD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1 # # # # # # # # # # # # 106 Available Settings. action 1 = “Ignore” action 2 = “Ask what to do” action 5 = “Open other application” action 6 = “Run script” action 100 = “Open Finder” action 101 = “Open itunes” action 102 = “Open Disk Utility” action 105 = “Open DVD Player” action 106 = “Open iDVD” action 107 = “Open iPhoto action 109 = “Open Front Row” Chapter6SecuringSystemPreferences SecuringDate&TimePreferences Correctdateandtimesettingsarerequiredforauthenticationprotocols,likeKerberos. Incorrectdateandtimesettingscancausesecurityissues. YoucanuseDate&Timepreferences(shownbelow)tosetthedateandtimebasedon aNetworkTimeProtocol(NTP)server. Ifyourequireautomaticdateandtime,useatrusted,internalNTPserver. TosecurelyconfigureDate&Timepreferences: 1 OpenDate&Timepreferences. 2 IntheDate&Timepane,selectthe“Setdata&timeautomatically”checkboxandenter asecureandtrustedNTPserverinthe“Setdate&timeautomatically”field. 3 ClicktheTimeZonebutton. Chapter6SecuringSystemPreferences 107 Ascreensimilartothefollowingappears: 4 Chooseatimezone. Fromthecommandline: # # # # # Securing Date & Time Preferences ----------------------------Default Setting. NTP Server: time.apple.com Time Zone: Set time zone automatically using current location # Suggested Setting. # Set the NTP server. sudo cat >> /etc/ntp.conf << END server time.apple.com END # Set the date and time. sudo systemsetup -settimezone $Time_Zone # Available Settings. # NTP Server: Any valid NTP server # Time Zone: /usr/share/zoneinfo 108 Chapter6SecuringSystemPreferences SecuringDesktop&ScreenSaverPreferences YoucanuseDesktop&ScreenSaverpreferences(shownbelow)toconfigurea password-protectedscreensavertopreventunauthorizedusersfromaccessing unattendedcomputers. Youcanuseseveralauthenticationmethodstounlockthescreensaver,including digitaltokens,smartcards,andbiometricreaders. Youshouldalsosetashortinactivityintervaltodecreasetheamountoftimethe unattendedcomputerisunlocked.Forinformationaboutrequiringauthentication forscreensavers,see“SecuringSecurityPreferences”onpage122. YoucanconfigureDesktop&ScreenSaverpreferencestoallowyoutoquicklyenable ordisablescreensaversifyoumoveyourmousecursortoacornerofthescreen,as shownbelow.(YoucanalsodothisbyconfiguringExposé&Spacespreferences.) Chapter6SecuringSystemPreferences 109 Bydefault,anyadmincanunlockanyuser’sdisplay. WhenyouconfigureDesktop&ScreenSaverpreferences,youconfigurethe preferencesforeveryuseraccountonthecomputer. Thisdoesn’tpreventusersfromreconfiguringtheirpreferences.Youcanrestrict auser’saccountprivilegessotheusercannotreconfigurepreferences.Doingthis removesseveralimportantuserabilities,liketheuser’sabilitytochangehisorher password.Formoreinformation,see“TypesofUserAccounts”onpage71. TosecurelyconfigureDesktop&ScreenSaverpreferences: 1 OpenDesktop&ScreenSaverpreferences. 2 ClicktheScreenSaverpane. 3 Set“Startscreensaver”toashortinactivitytime. 4 ClickHotCorners. 5 SetacornertoStartScreenSaverforquickenablingofthescreensaver,butdon’tset ascreencornertoDisableScreenSaver. 110 Chapter6SecuringSystemPreferences Fromthecommandline: # # # # Securing Desktop & Screen Saver Preferences ----------------------------Default Setting. None # Suggested Setting. # Set idle time for screen saver. Replace XX with the idle time in seconds. sudo defaults -currentHost write com.apple.screensaver idleTime -int XX # Set host corner to activate screen saver. sudo defaults write /Library/Preferences/com.apple.dock.wvous-corner_codecorner -int 5 # Set modifier key to 0 wvous-corner_code-modifier sudo defaults write /Library/Preferences/com.apple.dock.wvous-corner_codemodifier -int 0 # # # # # # Available Settings. Corner options. wvous-bl-corner (bottom-left) wvous-br-corner(bottom-right) wvous-tl-corner (top-left) wvous-tr-corner (top-right) SecuringDisplayPreferences Ifyouhavemultipledisplaysattachedtoyourcomputer,beawarethatenabling displaymirroringmightexposeprivatedatatoothers.Havingthisadditionaldisplay providesextraopportunityforotherstoseeprivatedata. SecuringDockPreferences YoucanconfiguretheDocktobehiddenwhennotinuse.Thiscanpreventothers fromseeingtheapplicationsonyourcomputer. TosecurelyconfigureDockpreferences: 1 OpenDockpreferences. Chapter6SecuringSystemPreferences 111 Thefollowingscreenappears: 2 Select“AutomaticallyhideandshowtheDock.” Fromthecommandline: # # # # Securing Dock Preferences ----------------------------Default Setting. None # Suggested Setting. # Automatically hide and show Dock. sudo defaults write /Library/Preferences/com.apple.dock autohide -bool YES # Available Settings. # autohide -bool YES # autohide -bool NO SecuringEnergySaverPreferences YoucanuseEnergySaverSleeppreferences(shownbelow)toconfigureaperiodof inactivitybeforeacomputer,display,orharddiskenterssleepmode. Ifthecomputerreceivesdirectoryservicesfromanetworkthatmanagesitsclient computers,whenthecomputerisinsleepmode,itisunmanagedandcannotbe detectedasbeingconnectedtothenetwork.Toallowmanagementandnetwork visibility,configurethedisplayandtheharddisktosleep,butnotthecomputer. Youcanrequireauthenticationbyuseofapassword,digitaltoken,smartcard,or biometricreadertoreactivatethecomputer(see“SecuringSecurityPreferences”on page122).Thisissimilartousingapassword-protectedscreensaver. 112 Chapter6SecuringSystemPreferences YoucanalsousetheOptionspane(shownbelow)tomakesettingsdependingonyour powersupply(poweradapter,UPS,orbattery).Configurethecomputersoitonly wakeswhenyouphysicallyaccessthecomputer.Also,don’tsetthecomputertorestart afterapowerfailure. TosecurelyconfigureEnergySaverpreferences: 1 OpenEnergySaverpreferences. Ascreensimilartothefollowingappears: 2 FromtheSleeppane,set“Putthecomputertosleepwhenitisinactivefor”toNever. 3 Select“Puttheharddisk(s)tosleepwhenpossible”andthenclickthe“Options”pane. 4 Deselect“WakeforEthernetnetworkaccess”and“Startupautomaticallyafterapower failure.” Chapter6SecuringSystemPreferences 113 Fromthecommandline: # # # # Securing Energy Saver Preferences ----------------------------Default Setting. None # Suggested Setting. # Disable computer sleep. sudo pmset -a sleep 0 # Enable hard disk sleep. sudo pmset -a disksleep 1 # Disable Wake for Ethernet network administrator access. sudo pmset -a womp 0 # Disable Restart automatically after power failure. sudo pmset -a autorestart 0 # Available Settings. # 0 (OFF) or 1 (ON) 114 Chapter6SecuringSystemPreferences SecuringExposé&SpacesPreferences Yourcomputershouldrequireauthenticationwhenwakingfromsleeporscreensaver. YoucanconfigureExposé&Spacespreferences(shownbelow)toallowyoutoquickly startthescreensaverifyoumoveyourmousecursortoacornerofthescreen,but don’tconfigureacornertodisablethescreensaver. Forinformationaboutrequiringauthenticationforthescreensaver,see“Securing SecurityPreferences”onpage122. DashboardwidgetsincludedwithSnowLeopardServercanbetrusted.However,be carefulwhenyouinstallthird-partyDashboardwidgets.YoucaninstallDashboard widgetswithoutauthenticating.TopreventDashboardfromrunning,removethe Dashboardapplicationfromthe/Applicationsfolder. WhenyouconfigureExposé&Spacespreferences,youmustconfigurethese preferencesforeveryuseraccountonthecomputer. Thisdoesn’tpreventusersfromreconfiguringtheirpreferences.Youcanrestrictauser account’sprivilegessotheusercannotreconfigurepreferences.Todothis,youremove severalimportantuserabilities,liketheuser’sabilitytochangehisorherpassword.For moreinformation,see“TypesofUserAccounts”onpage71. IfyourorganizationdoesnotwanttouseDashboardbecauseofitspotentialsecurity risk,youcandisableit.IftheuserhasaccesstotheTerminalapplication,Dashboard canbere-enabledatanytime. Chapter6SecuringSystemPreferences 115 Dashboardusesthecom.apple.dashboard.fetchservicetofetchupdatestowidgets fromtheInternet.IfDashboardisdisabled,thisserviceshouldbedisabledaswell.This servicemustbedisabledfromthecommandline,usingthecommandshowninthe instructionsbelow. Fromthecommandline: # # # # Securing Exposé & Spaces Preferences ----------------------------Default Setting. Enabled # Suggested Setting. # Disable dashboard. sudo launchctl unload -w /System/Library/LaunchDaemons/ com.apple.dashboard.advisory.fetch.plist # Available Settings. # Enabled or Disabled SecuringLanguage&TextPreferences Nosecurity-relatedconfigurationisnecessary.However,ifyourcomputerusesmore thanonelanguage,reviewthesecurityriskofthelanguagecharacterset.Consider deselectingunusedpackagesduringMacOSXinstallation. SecuringKeyboardPreferences IfyouarenotusingaBluetoothkeyboard,turnBluetoothoff.Ifyouareusing aBluetoothkeyboard,disableallowingBluetoothdevicestoawakethecomputer intheadvancedsectionofBluetoothpreferences.Formoreinformationabout Bluetooth,see“SecuringBluetoothSettings”onpage117. SecuringMousePreferences IfyouarenotusingaBluetoothmouse,turnBluetoothoff.IfyouareusingaBluetooth mouse,disableallowingBluetoothdevicestoawakethecomputerintheadvanced sectionofBluetoothpreferences.FormoreinformationaboutBluetooth,see“Securing BluetoothPreferences”onpage103. 116 Chapter6SecuringSystemPreferences SecuringBluetoothSettings IfyouhaveaBluetoothmoduleinstalledinyourcomputerorifyouareusingan externalUSBBluetoothmodule,youcansetupyourcomputertouseBluetooth tosendandreceivefileswithotherBluetooth-enabledcomputersordevices. Youcancontrolhowyourcomputerhandlesfilesthatareexchangedbetween Bluetoothdevices.Youcanchoosetoacceptorrefusefilessenttoyourcomputer andchoosewhichfolderotherdevicescanbrowse. Bydefault,BluetoothSharingisturnedoffandshouldremainoffwhenitisnotused. Thispreventsunauthorizedusersfromaccessingyourcomputer. RestrictingAccesstoSpecifiedUsers Ifyouareinanenvironmentwhereyouwouldliketosharefileswithanothercomputer ordevice,usetheBluetoothSharingoptionsandBluetoothpreferencestosecurely enableBluetoothandavoidunauthorizedaccesstoyourcomputer. Bluetoothoptionsshouldalwaysrequirepairingandbesetto“AskWhattoDo”when receivingorsharingitems. WhenconfiguringBluetoothpreferences,tosecureBluetoothsharing,usethe DiscoverableoptiononlywhileyouaresettinguptheBluetoothcomputeror device.Afterthedeviceisconfigured,disabletheDiscoverableoptiontoprevent unauthorizedusersfromdiscoveringyourBluetoothconnection. IntheadvancedsectionofBluetoothpreferences,makesurethat“AllowBluetooth devicestowakethiscomputer”and“Sharemyinternetconnectionwithother Bluetoothdevices”arenotselected. Fromthecommandline: # # # # Bluetooth Sharing ----------------------------Default Setting. Bluetooth Sharing: Disabled # Suggested Setting. # Disable Bluetooth Sharing. sudo defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0 # # # # Available Settings. Bluetooth Sharing. Disabled Enabled Chapter6SecuringSystemPreferences 117 SecuringNetworkPreferences TosecureNetworkpreferences,disableunusedhardwaredeviceslistedinNetwork preferencesandIPv6.YoushouldalsouseastaticIPaddresswhenpossible.ADHCPIP addressshouldbeusedonlyifnecessary. DisablingUnusedHardwareDevices ConsiderdisablingunusedhardwaredeviceslistedinNetworkpreferences(shown below).Enabled,unuseddevices(suchasAirPortandBluetooth)areasecurityrisk. HardwareislistedinNetworkpreferencesonlyifthehardwareisinstalledinthe computer. Whenconfiguringyourcomputerfornetworkaccess,useastaticIPaddresswhen possible.ADHCPIPaddressshouldbeusedonlyifnecessary. SomeorganizationsuseIPv6,anewversionoftheInternetprotocol(IP).Theprimary advantageofIPv6isthatitincreasestheaddresssizefrom32bits(thecurrentIPv4 standard)to128bits. Anaddresssizeof128bitsislargeenoughtosupportalargenumberofaddresses.This allowsmoreaddressesornodesthanareotherwiseavailable.IPv6alsoprovidesmore waystosetuptheaddressandsimplifiesautoconfiguration. BydefaultIPv6isconfiguredautomatically,andthedefaultsettingsaresufficient formostcomputersthatuseIPv6.YoucanalsoconfigureIPv6manually.Ifyour organization’snetworkcannotuseordoesnotrequireIPv6,turnitoff. 118 Chapter6SecuringSystemPreferences TosecurelyconfigureNetworkpreferences: 1 OpenNetworkpreferences. 2 Fromthelistofhardwaredevices,selectthehardwaredeviceyoudon’tuse(for example,Airport,Ethernet,orFireWire). 3 ClicktheActionbuttonbelowthelistofhardwaredevicesandselect“MakeService Inactive.” 4 Repeatsteps2and3todeactivatethedevicesthatyoudon’tuse. 5 Fromthelistofhardwaredevices,selectthehardwaredeviceyouusetoconnectto yournetwork(forexample,AirportorEthernet). 6 FromtheConfigureIPv4pop-upmenu,chooseManually. EnteryourstaticIPaddress,SubnetMask,Router,DNSServer,andSearchDomain configurationsettings. 7 ClickAdvanced. Ascreensimilartothefollowingappears: 8 IntheConfigureIPv6pop-upmenu,chooseOff. IfyoufrequentlyswitchbetweenAirPortandEthernet,youcandisableIPv6forAirPort andEthernetoranyhardwaredevicethatyouusetoconnecttoyournetwork. 9 ClickOK. Chapter6SecuringSystemPreferences 119 Fromthecommandline: # # # # Securing Network Preferences ----------------------------Default Setting. Enabled # Suggested Setting. # Disable IPv6. sudo networksetup -setv6off $interface # Available Settings. # The interface value can be AirPort, Bluetooth, Ethernet, or FireWire SecuringPrint&FaxPreferences ThePrint&Faxpreferencesscreenlookslikethis: Useprintersonlyinasecurelocation.Ifyouprintconfidentialmaterialinaninsecure location,thematerialmightbeviewedbyunauthorizedusers. Becarefulwhenprintingtoasharedprinter.Doingsoallowsothercomputersto capturetheprintjobdirectly.Anothercomputercanbemaliciouslymonitoringand capturingconfidentialdatabeingsenttotherealprinter.Inaddition,unauthorized userscanadditemstoyourprintqueuewithoutauthenticating. 120 Chapter6SecuringSystemPreferences YourprintercanbeaccessedusingtheCUPSwebinterface(http://localhost:631).By default:  TheCUPSwebinterfacecannotbeaccessedremotely.Itcanonlybeaccessedbythe localhost.  Thetitlesofallprintjobsareavailabletoallusersofthesystem.  ThetitlesofallprintjobsareavailabletoeveryonewithaccesstotheCUPSweb interface. CUPSalsoofferstheabilitytobrowsethenetworkforavailableprinters.Manually specifyingavailableprintersismoresecure.YoucancreatepoliciesinCUPSthatrestrict usersfromsuchactionsascancelingjobsordeletingprintersusingtheCUPSweb interface.FormoreinformationaboutcreatingCUPSpolicies,see: http://localhost:631/help/policies.html Toavoidanadditionalavenueofattack,don’treceivefaxesonyourcomputer. TosecurelyconfigurePrint&Faxpreferences: 1 OpenPrint&Faxpreferencesandselectafaxfromtheequipmentlist. 2 ClickReceiveOptions. Ascreensimilartothefollowingappears: 3 Deselect“Receivefaxesonthiscomputer.” 4 ClickOK. 5 Selectaprinterfromtheequipmentlist. 6 Deselect“Sharethisprinteronthenetwork.” Chapter6SecuringSystemPreferences 121 Fromthecommandline: # # # # Securing Print & Fax Preferences ----------------------------Default Setting. Disabled # Suggested Setting. # Disable the receiving of faxes. sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.efax.plist # Disable printer sharing. sudo cp /etc/cups/cupsd.conf $TEMP_FILE if /usr/bin/grep "Port 631" /etc/cups/cupsd.conf then sudo /usr/bin/sed "/^Port 631.*/s//Listen localhost:631/g" $TEMP_FILE >\ /etc/cups/cupsd.conf else echo "Printer Sharing not on" fi # Available Settings. # Enabled or Disabled SecuringSecurityPreferences ThesettingsinSecuritypreferencescoverarangeofSnowLeopardServersecurity features,includingloginoptions,FileVault,andfirewallprotection. GeneralSecurity Considerthefollowinggeneralsecurityguidelines:  Wakecomputer:Requireapasswordtowakethiscomputerfromsleeporscreen saver.Thishelpspreventunauthorizedaccessonunattendedcomputers.Although thereisalockbuttonforSecuritypreferences,usersdon’tneedtobeauthorized asanadministratortomakechanges.Enablethispasswordrequirementforevery useraccountonthecomputer.  Automaticlogin:Disablingautomaticloginisnecessaryforanylevelofsecurity. Ifyouenableautomaticlogin,anintrudercanloginwithoutauthenticating.Evenif youautomaticallyloginwitharestricteduseraccount,itisstilleasiertoperform maliciousactionsonthecomputer.  LocationServices:Disablinglocationservicespreventsinformationaboutthe locationofyourcomputerfrombeingprovidedtoapplications. 122 Chapter6SecuringSystemPreferences  Infraredreceiver:Ifyouarenotusingaremotecontrol,disabletheinfraredreceiver. Thispreventsunauthorizedusersfromcontrollingyourcomputerthroughthe infraredreceiver.IfyouuseanAppleIRRemoteControl,pairittoyourcomputer byclickingPair.Whenyoupairit,nootherIRremotecancontrolyourcomputer. FileVaultSecurity MacOSXincludesFileVault,whichencryptsinformationinyourhomefolder. FileVaultusesthegovernment-approved128-bit(AES-128)encryptionstandardkeys, andsupportstheAdvancedEncryptionStandardwith256-bit(AES-256)keys.For moreinformationaboutdataencryption,seeChapter8,“SecuringDataandUsing Encryption.” FormoreinformationaboutFileVault,see“EncryptingHomeFolders”onpage151. Chapter6SecuringSystemPreferences 123 TosecurelyconfigureSecuritypreferences: 1 OpenSecuritypreferences. 2 IntheGeneralpane,selectthefollowing:  “Requirepasswordimmediatelyaftersleeporscreensaverbegins” 3 Selectthe“DisableLocationServices”checkbox,ifavailable. 4 Selectthe“Disableremotecontrolinfraredreceiver”checkbox. 5 IntheFileVaultpane,click“TurnonFileVault.” 6 EnterapasswordintheMasterPasswordandverifyfields. 7 Authenticatewithyouraccountpassword. 8 Select“Usesecureerase”andclick“TurnonFileVault.” 9 Restartthecomputer. Fromthecommandline: # # # # # # # # # # Securing Security Preferences ----------------------------Default Setting. Required Password Wake: Disabled Automatic Login: Disabled Password Unlock Preferences: Enabled Secure Virtual Memory is Enabled on Portable computer and is Disabled on Desktop computers. IR remote control: Enabled FileVault: Disabled # Suggested Setting. # Enable Require password to wake this computer from sleep or screen saver. sudo defaults -currentHost write com.apple.screensaver askForPassword -int 1 # Disable IR remote control. sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no # Enable FileVault. # To enable FileVault for new users, use this command. sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/\ createmobileaccount # Enable Firewall. # Replace value with # 0 = off # 1 = on for specific services # 2 = on for essential services sudo defaults write /Library/Preferences/com.apple.alf globalstate -int value 124 Chapter6SecuringSystemPreferences SecuringSharingPreferences Bydefault,everyservicelistedinSharingpreferencesisdisabledexceptforremote login(SSH).Donotenabletheseservicesunlessyouusethem.Thefollowingservices aredescribedindetailinSnowLeopardSecurityConfiguration. Service Description DVDorCDSharing AllowsusersofothercomputerstoremotelyusetheDVDorCDdriveon yourcomputer. ScreenSharing Allowsusersofothercomputerstoremotelyviewandcontrolthe computer. ScannerSharing Allowsothercomputerstoaccessascannerconnectedtothiscomputer. RemoteLogin AllowsuserstoaccessthecomputerremotelybyusingSSH.Ifyourequire theabilitytoperformremotelogin,SSHismoresecurethantelnet,which isdisabledbydefault. RemoteManagement AllowsthecomputertobeaccessedusingAppleRemoteDesktop. RemoteAppleEvents AllowsthecomputertoreceiveAppleeventsfromothercomputers. BluetoothSharing AllowsotherBluetooth-enabledcomputersanddevicestosharefiles withyourcomputer. Bydefaultyourcomputer’shostnameistypicallyfirstname-lastname-computer,where firstnameandlastnamearethesystemadministrator’sfirstnameandlastname, respectively,andcomputeristhetypeofcomputeror“Computer.” WhenusersuseBonjourtodiscoveravailableservices,yourcomputerappearsas hostname.local.Toincreaseprivacy,changeyourcomputer’shostnamesoyouarenot identifiedastheownerofyourcomputer. Formoreinformationabouttheseservicesandthefirewallandsharingcapabilitiesof SnowLeopard,seeSnowLeopardSecurityConfiguration. TosecurelyconfigureSharingpreferences: 1 OpenSharingpreferences. 2 Changethedefaultcomputernametoanamethatdoesnotidentifyyouastheowner. Chapter6SecuringSystemPreferences 125 Fromthecommandline: # # # # Securing Sharing Preferences ----------------------------Default Setting. $host_name = User's Computer # Suggested Setting. # Change computer name where $host_name is the name of the computer. sudo systemsetup -setcomputername $host_name # Change computer Bonjour host name. sudo scutil --set LocalHostName $host_name # Available Setting. # The host name cannot contain spaces or other non-DNS characters. SecuringSoftwareUpdatePreferences YourSoftwareUpdatepreferencesconfigurationdependsonyourorganization’spolicy. Forexample,ifyourcomputerisconnectedtoamanagednetwork,themanagement settingsdeterminewhatsoftwareupdateservertouse. InsteadofusingSoftwareUpdate(shownhere),youcanalsoupdateyourcomputerby usinginstallerpackages. Youcaninstallandverifyupdatesonatestcomputerbeforeinstallingthemon youroperationalcomputer.Formoreinformationabouthowtomanuallyupdate yourcomputer,see“UpdatingManuallyfromInstallerPackages”onpage48. 126 Chapter6SecuringSystemPreferences Aftertransferringinstallerpackagestoyourcomputer,verifytheauthenticityof theinstallerpackages.Formoreinformation,see“VerifyingtheIntegrityofSoftware” onpage50. WhenyouinstallasoftwareupdateusingSoftwareUpdateoraninstallerpackage,you mustauthenticatewithanadministrator’snameandpassword.Thisreducesthechance ofaccidentalormaliciousinstallationofsoftwareupdates. SoftwareUpdatewillnotinstallasoftwarepackagethathasnotbeendigitallysigned byApple. TodisableautomatedSoftwareUpdates: 1 OpenSoftwareUpdatepreferences. 2 ClicktheScheduledCheckpane. 3 Deselect“Downloadimportantupdatesautomatically”and“Checkforupdates.” Fromthecommandline: # # # # # Securing Software Updates Preferences ----------------------------Default Setting. Check for Updates: Enabled Check Updates: Weekly # Suggested Setting. # Disable check for updates and Download important updates automatically. sudo softwareupdate --schedule off # Available Setting. # Check for Updates: Enabled or Disabled # Check Updates: Daily, Weekly, Monthly Chapter6SecuringSystemPreferences 127 SecuringSoundPreferences ManyApplecomputersincludeaninternalmicrophone.YoucanuseSound preferences(shownbelow)todisabletheinternalmicrophoneandthelineinport. TosecurelyconfigureSoundpreferences: 1 OpenSoundpreferences. Ascreensimilartothefollowingappears: 2 SelectInternalmicrophone(ifpresent),andset“Inputvolume”tozero. 3 SelectLineIn(ifpresent),andset“Inputvolume”tozero. Thisensuresthat“LineIn”isthedeviceselectedratherthantheinternalmicrophone whenSoundpreferencesisclosed.Thisprovidesprotectionfrominadvertentuseofthe internalmicrophone. Fromthecommandline: # # # # Securing Sound Preferences ----------------------------Default Setting. Internal microphone or line in: Enabled # Suggested Setting. # Disable internal microphone or line in. # This command does not change the input volume for input devices. It # only sets the default input device volume to zero. sudo osascript -e “set volume input volume 0” # Available Setting. # Internal microphone or line in: 128 Chapter6SecuringSystemPreferences Enabled or Disabled SecuringSpeechPreferences SnowLeopardServerincludesspeechrecognitionandtext-to-speechfeatures,which aredisabledbydefault. Enablethesefeaturesonlyifyouworkinasecureenvironmentwherenoonecan hearyouspeaktothecomputer,orhearthecomputerspeaktoyou.Alsomakesure noaudiorecordingdevicescanrecordyourcommunicationwiththecomputer. ThefollowingshowstheSpeechpreferencespane: ThefollowingshowstheTexttoSpeechpane: Ifyouenabletext-to-speech,useheadphonestokeepothersfromoverhearing yourcomputer. Chapter6SecuringSystemPreferences 129 TosecurelyconfigureSpeechpreferences: 1 OpenSpeechpreferences. 2 ClicktheSpeechRecognitionpaneandsetSpeakableItemsOnorOff. Changethesettingaccordingtoyourenvironment. 3 ClicktheTexttoSpeechpaneandchangethesettingsaccordingtoyourenvironment. Fromthecommandline: # # # # # Securing Speech Preferences ----------------------------Default Setting. Speech Recognition: Disabled Text to Speech: Enabled # Suggested Setting. # Disable Speech Recognition. sudo defaults write "com.apple.speech.recognition.AppleSpeechRecognition.prefs" StartSpeakableItems -bool false # Disable Text to Speech settings. sudo defaults write "com.apple.speech.synthesis.general.prefs" TalkingAlertsSpeakTextFlag -bool false sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenNotificationAppActivationFlag -bool false sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenUIUseSpeakingHotKeyFlag -bool false sudo defaults delete "com.apple.speech.synthesis.general.prefs" TimeAnnouncementPrefs # # # # Available Setting. Each item can be set to ON or OFF. OFF: -bool false ON: -bool true SecuringSpotlightPreferences YoucanuseSpotlighttosearchyourcomputerforfiles.Spotlightsearchesthename andmeta-informationassociatedwitheachfileandthecontentsofeachfile. Spotlightfindsfilesregardlessoftheirplacementinthefilesystem.Youmuststill properlysetaccesspermissionsonfolderscontainingconfidentialfiles.Formore informationaboutaccesspermissions,seeChapter8,“SecuringDataandUsing Encryption.” 130 Chapter6SecuringSystemPreferences TheSpotlightPreferencesSearchResultspaneappears: ByplacingspecificfoldersordisksinthePrivacypane,youcanpreventSpotlightfrom searchingthem. Chapter6SecuringSystemPreferences 131 Disablethesearchingoffoldersthatcontainconfidentialinformation.Consider disablingtop-levelfolders.Forexample,ifyoustoreconfidentialdocumentsin subfoldersof~/Documents/,insteadofdisablingeachfolder,disable~/Documents/. Bydefault,theentiresystemisavailableforsearchingusingSpotlight. TosecurelyconfigureSpotlightpreferences: 1 OpenSpotlightpreferences. 2 IntheSearchResultspane,deselectcategoriesyoudon’twantsearchablebySpotlight. 3 ClickthePrivacypane. 4 ClicktheAddbutton,ordragafolderordiskintothePrivacypane. FoldersanddisksinthePrivacypanearenotsearchablebySpotlight. Note:TopreventusersfromreenablingSpotlight,removetherightstoaccessthe .Spotlight-V100folderattherootlevelofyourdrive(/.Spotlight-V100/). Fromthecommandline: # # # # Securing Spotlight Preferences ----------------------------Default Setting. ON for all volumes # Suggested Setting. # Disable Spotlight for a volume and erase its current meta data, where # $volumename is the name of the volume. sudo mdutil -E -i off $volumename # Available Setting. # Spotlight can be turned ON or OFF for each volume. Formoreinformation,enterman 132 mdutilinaTerminalwindow. Chapter6SecuringSystemPreferences SecuringStartupDiskPreferences YoucanuseStartupDiskpreferences(shownbelow)tomakeyourcomputer startupfromaCD,anetworkvolume,adifferentdiskordiskpartition,oranother operatingsystem. Becarefulwhenselectingastartupvolume:  Choosinganetworkinstallimagereinstallsyouroperatingsystemandmighterase thecontentsofyourharddisk.  IfyouchooseaFireWirevolume,yourcomputerstartsupfromtheFireWiredisk pluggedintothecurrentFireWireportforthatvolume.Ifyouconnectadifferent FireWiredisktothatFireWireport,yourcomputerstartsfromthefirstvalid SnowLeopardServervolumeavailabletothecomputer(ifyouhavenotenabled thefirmwarepassword).  Whenyouenableafirmwarepassword,theFireWirevolumeyouselectistheonly volumethatcanstartthecomputer.ThecomputerfirmwarelockstheFireWire BridgeChipGUIDasastartupvolumeinsteadoftheharddisk’sGUID(asisdone withinternalharddisks).IfthediskinsidetheFireWiredriveenclosureisreplaced byanewdisk,thecomputercanstartfromthenewdiskwithoutusingthefirmware password.Toavoidthisintrusionmakesureyourhardwareisphysicallysecured. firmwarecanalsohavealistofFireWirevolumesthatareapprovedforsystem startup.Forinformationaboutphysicallyprotectingyourcomputer,see“Protecting Hardware”onpage52. InadditiontochoosinganewstartupvolumefromStartupDiskpreferences,you canrestartinTargetDiskMode.WhenyourcomputerisinTargetDiskMode,another computercanconnecttoyourcomputerandaccessyourcomputer’sharddisk.The othercomputerhasfullaccesstoallfilesonyourcomputer.Allfilepermissionsfor yourcomputeraredisabledinTargetDiskMode. Chapter6SecuringSystemPreferences 133 ToenterTargetDiskMode,holddowntheTkeyduringstartup.Youcanprevent thestartupshortcutforTargetDiskModebyenablingafirmwarepassword.Ifyou enableafirmwarepassword,youcanstillrestartinTargetDiskModeusingStartup Diskpreferences. Formoreinformationaboutenablingafirmwarepassword,see“UsingtheFirmware PasswordUtility”onpage64. Toselectastartupdisk: 1 OpenStartupDiskpreferences. 2 Selectavolumetousetostartupyourcomputer. 3 Clickthe“Restart”buttontorestartfromtheselectedvolume. Fromthecommandline: # # # # Securing Startup Disk Preferences ----------------------------Default Setting. Startup Disk = “Macintosh HD” # Suggested Setting. # Set startup disk. sudo systemsetup -setstartupdisk $path # Available Setting. # Startup Disk = Valid Boot Volume SecuringTimeMachinePreferences TimeMachine(shownbelow)makesanup-to-datecopyofeverythingonyour Mac—digitalphotos,music,movies,downloadedTVshows,anddocuments—and letsyoueasilygobackintimetorecoverfiles. TimeMachineisoffbydefault.AfteryouenableTimeMachineforthefirsttime,no authenticationisrequiredandsubsequentchangesrequireauthentication. 134 Chapter6SecuringSystemPreferences Informationstoredonyourbackupdiskisnotencryptedandcanbereadby othercomputersthatareconnectedtoyourbackupdisk.Keepyourbackupdisk inaphysicallysecurelocationtopreventunauthorizedaccesstoyourdata. ToenableTimeMachine: 1 OpenTimeMachinepreferences. 2 Slidetheswitchto“ON.” Ascreensimilartothefollowingappears: 3 Selectthediskwherebackupswillbestored,andclick“Useforbackup.” Chapter6SecuringSystemPreferences 135 Fromthecommandline: # # # # Securing Time Machine Preferences ----------------------------Default Setting. OFF # Suggested Setting. # Enable Time Machine. sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1 # Available Setting. # 0 (OFF) or 1 (ON) SecuringUniversalAccessPreferences UniversalAccesspreferencesaredisabledbydefault.However,ifyouuseanassistive device,followtheseguidelines:  Topreventpossiblesecurityrisks,seethedevicemanual.  EnablingVoiceOverconfiguresthecomputertoreadthecontentsunderthecursor outloud,whichmightdiscloseconfidentialdata.  Thesedevicesallowaccesstothecomputerthatcouldrevealorstoreuserinput information. Fromthecommandline: # # # # Securing Universal Access Preferences ----------------------------Default Setting. OFF # Suggested Setting. # Disable VoiceOver service. launchctl unload -w /System/Library/LaunchAgents/com.apple.VoiceOver.plist launchctl unload -w /System/Library/LaunchAgents/\ com.apple.ScreenReaderUIServer.plist launchctl unload -w /System/Library/LaunchAgents/com.apple.scrod.plist # Available Setting. # None 136 Chapter6SecuringSystemPreferences 7 SecuringSystemSwapand HibernationStorage 7 Usethischaptertoprotectdatainswapfilesfrombeing readable. Thedatathatanapplicationwritestorandom-accessmemory(RAM)mightcontain sensitiveinformation,suchasusernamesandpasswords.MacOSXwritesthecontents ofRAMtoyourlocalharddisktofreememoryforotherapplications.TheRAMcontents storedontheharddiskarekeptinafilecalledaswapfile. Whilethedataisontheharddisk,itcanbeeasilyviewedoraccessedifthecomputeris latercompromised.Youcanprotectthisdatabysecuringthesystemswapfileincase ofanattackortheftofyourcomputer. SystemSwapFileOverview Whenyourcomputeristurnedoff,informationstoredinRAMislost,butinformation storedbyvirtualmemoryinaswapfilecanremainonyourharddriveinunencrypted form.TheMacOSXvirtualmemorysystemcreatesthisswapfileinordertoreduce problemscausedbylimitedmemory. ThevirtualmemorysystemcanswapdatabetweenyourharddiskandRAM.It’s possiblethatsensitiveinformationinyourcomputer’sRAMwillbewrittentoyour harddiskintheswapfilewhileyouareworking,andremainthereuntiloverwritten. Thisdatacanbecompromisedifyourcomputerisaccessedbyanunauthorized user,becausethedataisstoredontheharddiskunencrypted. Whenyourcomputergoesintohibernation,itwritesthecontentofRAMtothe /var/vm/sleepimagefile.ThesleepimagefilecontainsthecontentsofRAM unencrypted,similartoaswapfile. YoucanpreventyoursensitiveRAMinformationfrombeingleftunencryptedon yourharddiskbyenablingsecurevirtualmemorytoencrypttheswapfileandthe /var/vm/sleepimagefile(whereyourhibernationfilesarestored). 137 Note:UsingFileVaultincombinationwiththe“SecureVirtualMemory”featureprovides protectionfromattacksonyoursensitivedatawhenitisstoredontheharddisk. EncryptingSystemSwap Youcanpreventsensitiveinformationfromremainingonyourharddiskandeliminate thesecurityriskbyusingsecurevirtualmemory.Securevirtualmemoryencryptsthe databeingwrittentodisk. Youmustrestarttheserverforthechangetotakeeffect. Toturnonsecurevirtualmemoryfromthecommandline: # # Securing System Swap and Hibernation Storage # ----------------------------# Enable secure virtual memory. sudo defaults write /Library/Preferences/com.apple.virtualMemory \ UseEncryptedSwap -bool YES # Restart to take effect. # sudo shutdown -r now 138 Chapter7SecuringSystemSwapandHibernationStorage 8 SecuringDataandUsing Encryption 8 UsethischaptertolearnhowtosetPOSIX,ACL,andglobal filepermissions,toencrypthomefoldersandportablefiles, andtosecurelyerasedata. Yourdataisthemostvaluablepartofyourcomputer.Byusingencryptionyoucan protectdatainthecaseofanattackortheftofyourmobilecomputer. Bysettingglobalpermissions,encryptinghomefolders,andencryptingportabledata youcanbesureyourdataissecure.Inaddition,byusingthesecureerasefeatureof SnowLeopard,deleteddataiscompletelyerasedfromthecomputer. AboutTransportEncryption Anydatathatistransferredtoorfromtheservercanbekeptsecurebyeither encryptingthetransmission,thepayload,orboth. Transferringdatasecurelyacrossanetworkinvolvesencryptingthepacketcontents sentbetweencomputers.MacOSXServercanprovideTransportLayerSecurity(TLS) anditspredecessor,SecureSocketsLayer(SSL)asthecryptographicprotocolsthat providesecurecommunicationsontheInternetforsuchthingsaswebbrowsing, mail,andotherdatatransfers. Theseencryptionprotocolsallowclientandserverapplicationstocommunicatein awaythathelpspreventeavesdropping,tampering,andmessageforgery. TLSprovidesendpointauthenticationandcommunicationsprivacyovertheInternet usingcryptography.Theseencryptedconnectionsauthenticatetheserver(soits identityisensured)buttheclientremainsunauthenticated. Tohavemutualauthentication(whereeachsideoftheconnectionisassuredofthe identityoftheother),useapublickeyinfrastructure(PKI)fortheconnectingclients. MacOSXServermakesuseofOpenSSLandhasintegratedtransportencryptioninto thefollowingtoolsandservices: 139             ServeradministrationusingServerAdminandServerPreferences UserandgroupmanagementusingWorkgroupManager AddressBookServer iCalServer iChatServer MailService OpenDirectory PodcastProducer RADIUS SSH VPN(L2TP) Webservice Eachservicerequirestransportencryptiontobeenabledindividually.For moreinformationonsecuringdatatransmissionforaservice,seetheservice’s configurationdetails. AboutPayloadEncryption Ratherthanencryptingthetransferofafileacrossthenetwork,youcanencryptthe contentsofthefileinstead.Fileswithstrongencryptionmightbecapturedintransit, butarestillunreadable. Mosttransportencryptionrequirestheparticipationofbothpartiesinthetransaction. Someservices(suchasSMTPmailservice)can’treliablyusesuchtechniques,so encryptingthefileitselfistheonlymethodofreliablysecuringthefilecontent. Tolearnmoreaboutencryptingyourfiles,see“EncryptingPortableFiles”onpage155. AboutFileandFolderPermissions Youprotectfilesandfoldersbysettingpermissionsthatrestrictorallowuserstoaccess them.SnowLeopardsupportstwomethodsofsettingfileandfolderpermissions:  PortableOperatingSystemInterface(POSIX)permissions—standardforUNIX operatingsystems.  AccessControlLists(ACLs)permissions—usedbyMacOSXandcompatiblewith MicrosoftWindowsServer2003andMicrosoftWindowsXP. ACLusesPOSIXwhenverifyingfileandfolderpermissions.TheprocessACLusesto determineifanactionisallowedordeniedincludesspecificrulescalledaccesscontrol entries(ACEs).IfnoACEsapply,standardPOSIXpermissionsdetermineaccess. 140 Chapter8SecuringDataandUsingEncryption SettingPOSIXPermissions SnowLeopardbasesfilepermissionsonPOSIXstandardpermissionssuchasfile ownershipandaccess.Eachsharepoint,file,andfolderhasread,write,andexecute permissiondefinedforthreecategoriesofusers:owner,group,andeveryone. YoucanassignfourtypesofstandardPOSIXaccesspermissionstoasharepoint, folder,orfile:Read&Write,ReadOnly,WriteOnly,andNone. ViewingPOSIXPermissions YoucanassignstandardPOSIXaccesspermissionstothesecategoriesofusers:  Owner—Thisisauserwhocreatesanitem(fileorfolder)ontheserverthatisits ownerandhasRead&Writepermissionsforthatfolder.Bydefaulttheowner ofanitemandtheserveradministratorcanchangetheitem’saccessprivileges (allowagrouporeveryonetousetheitem).Theadministratorcanalsotransfer ownershipoftheshareditemtoanotheruser.  Group—Youcanputuserswhoneedthesameaccesstofilesandfoldersinto groupaccounts.Assignaccesspermissionstoashareditemtoonegrouponly. Formoreinformationaboutcreatinggroups,seetheUserManagementguide.  Everyone—Thisisanyuserwhocanlogintothefileserver(registeredusers andguests). BeforesettingorchangingPOSIXpermissions,viewthecurrentpermissionsettings. Toviewfolderorfilepermissions: 1 OpenTerminal. 2 Runthelscommand: ls -l Outputsimilartothefollowingappears: computer:~/Documents ajohnson$ ls -l total 500 drwxr-xr-x 2 ajohnson staff 68 Apr 28 2006 NewFolder -rw-r--r-- 1 ajohnson staff 43008 Apr 14 2006 file.txt Note:The“~”referstoyourhomefolder,whichinthiscaseis/Users/ajohnson. ~/Documents/isthecurrentworkingfolder. YoucanalsousetheFindertoviewPOSIXpermissions.IntheFinder,Control-click afileandchooseGetInfo.OpentheOwnership&Permissionsdisclosuretriangleto viewPOSIXpermissions. Chapter8SecuringDataandUsingEncryption 141 InterpretingPOSIXPermissions TointerpretPOSIXpermissions,readthefirst10bitsofthelongformatoutputlistedfor afileorfolder.Forexample: drwxr-xr-x 2 ajohnson staff 68 Apr 28 2006 NewFolder -rw-r--r-- 1 ajohnson staff 43008 Apr 14 2006 file.txt Inthisexample,NewFolderhasthePOSIXpermissionsdrwxr-xr-xandhasanowner andgroupofajohnson.Permissionsareasfollows:  The dofthePOSIXpermissionssignifiesthatnewfolderisafolder.  Thefirstthreelettersafterthed(rwx)signifythattheownerhasread,write,and executepermissionforthatfolder.  Thenextthreecharacters,r-x,signifythatthegrouphasreadandexecute permission.  Thelastthreecharacters,r-x,signifythatallothershavereadandexecute permission. Inthisexample,userswhocanaccessajohnson’s~/Documents/foldercanopenthe NewFolderfolderbutcan’tmodifyoropenthefile.txtfile.ReadPOSIXpermissionsare propagatedthroughthefolderhierarchy. AlthoughNewFolderhasdrwxr-xr-x privileges,onlyajohnsoncanaccessthefolder. Thisisbecauseajohnson‘s~/Documents/folderhasdrwx------POSIXpermissions. Bydefault,mostuserfoldershavedrwx------ POSIXpermissions.However,onlythe ~/,~/Sites/,and~/Public/foldershavedrwxr-xr-xpermissions.Thesepermissions allowotherpeopletoviewfoldercontentswithoutauthenticating.Ifyoudon’twant otherpeopletoviewthecontents,changethepermissionstodrwx------. Inthe~/Public/folder,theDropBoxfolderhasdrwx-wx-wxPOSIXpermissions.This allowsotheruserstoaddfilesintoajohnson‘sdropboxbuttheycan’tviewthefiles. Youmightseeatforothers’privilegesonafolderusedforcollaboration.Thistis sometimesknownasthestickybit.Enablingthestickybitonafolderpreventspeople fromoverwriting,renaming,orotherwisemodifyingotherpeople’sfiles.Thiscanbe commonifseveralpeoplearegrantedrwxaccess. ThestickybitbeingsetcanappearastorT,dependingonwhethertheexecutebitis setforothers:  Iftheexecutebitappearsast,thestickybitissetandhassearchableandexecutable permissions.  IftheexecutebitappearsasT,thestickybitissetbutdoesnothavesearchableor executablepermissions. Formoreinformation,seethestickymanpage. 142 Chapter8SecuringDataandUsingEncryption ModifyingPOSIXPermissions AfteryourdeterminecurrentPOSIXpermissionsettings,youcanmodifythemusing thechmodcommand. TomodifyPOSIXpermissions: 1 InTerminal,enterthefollowingtoaddwritepermissionforthegrouptofile.txt: chmod g+w file.txt 2 Viewthepermissionsusingthelscommand. ls -l 3 Validatethatthepermissionsarecorrect. computer:~/Documents ajohnsonls -l total 12346 drwxr-xr-x 2 ajohnson staff 68 Apr 28 2006 NewFolder -rw-rw-r-- 1 ajohnson staff 43008 Apr 14 2006 file.txt Formoreinformation,seethechmodmanpage. SettingFileandFolderFlags Youcanalsoprotectfilesandfoldersbyusingflags.Theseflags,orpermission extensions,overridestandardPOSIXpermissions.Theycanonlybesetorunset bythefile’sowneroranadministratorusingsudo.Useflagstopreventthesystem administrator(root)frommodifyingordeletingfilesorfolders. Toenableanddisableflags,usethechflagscommand. ViewingFlags Beforesettingorchangingfileorfolderflags,viewthecurrentflagsettings. Todisplayflagssetonafolder: ls -lo secret -rw-r--r-- 1 ajohnson staff uchg 0 Mar 1 07:54 secret Thisexampledisplaystheflagsettingsforafoldernamedsecret. ModifyingFlags Afteryourdeterminecurrentfileorfolderflagsettings,modifythemusingthechflags command. Tolockorunlockafolderusingflags: sudo chflags uchg folderName Chapter8SecuringDataandUsingEncryption 143 Inthisexample,thefoldernamedsecretislocked. Tounlockthefolder,changeuchgtonouchg: sudo chflags nouchg secret WARNING:Thereisanschgoptionforthechflagscommand.Itsetsthesystem immutableflag.Thissettingcanonlybeundonewhenthecomputerisinsingle-user mode.IfthisisdoneonaRAID,XSan,orotherstoragedevicethatcannotbe mountedinsingle-usermode,theonlywaytoundothesettingistoreformatthe RAIDorXSandevice. Formoreinformation,seethechflagsmanpage. SettingACLPermissions Forgreaterflexibilityinconfiguringandmanagingfilepermissions, SnowLeopardServerimplementsACLs.AnACLisanorderedlistofrulescalledACEs thatcontrolfilepermissions.EachACEcontainsthefollowingcomponents:  User—owner,group,andother  Action—read,write,orexecute  Permission—allowordenytheaction Therulesspecifythepermissionstobegrantedordeniedtoagrouporuserand controlshowthepermissionsarepropagatedthroughafolderhierarchy. ACLsinSnowLeopardServerletyousetfileandfolderaccesspermissionsformultiple usersandgroups,inadditiontostandardPOSIXpermissions.Thismakesiteasytoset upcollaborativeenvironmentsforfilesharinganduninterruptedworkflowswithout compromisingsecurity. SnowLeopardServerhasimplementedfilesystemACLsthatarefullycompatiblewith MicrosoftWindowsServer2003andWindowsXP. Todetermineifanactionisallowedordenied,ACEsareconsideredinorder.Thefirst ACEthatappliestoauserandactiondeterminesthepermissionandnofurtherACEs areevaluated.IfnoACEsapply,standardPOSIXpermissionsdetermineaccess. 144 Chapter8SecuringDataandUsingEncryption EnablingACLPermissions Bydefault,ACLsareenabledinSnowLeopardServer.Iftheyareturnedoff,youmust enablethevolumetosupportACLs. ThefollowingexampleusesthefsaclctlcommandtoenableACLsona SnowLeopardServerstartupvolume: sudo /usr/sbin/fsaclctl -p / -e Formoreinformation,enterfsaclctlinaTerminalwindow. ModifyingACLPermissions YoucansetACLpermissionsforfiles.Thechmod commandenablesanadministratorto grantread,write,andexecuteprivilegestospecificusersforasinglefile. TosetACLpermissionsforafile: 1 Allowspecificuserstoaccessspecificfiles. Forexample,toallowAnneJohnsonpermissiontoreadthefilesecret.txt,enterthe followinginTerminal: chmod +a “ajohnson allow read” secret.txt 2 Allowspecificgroupsofuserstoaccessspecificfiles. Forexample,toallowtheengineersgrouppermissiontodeletethefilesecret.txt,enter thefollowinginTerminal: chmod +a “engineers allow delete” secret.txt 3 Denyaccessprivilegestospecificfiles. Forexample,topreventTomClarkfrommodifyingthefilesecret.txt,enterthe followinginTerminal: chmod +a “tclark deny write” secret.txt 4 ViewandvalidatetheACLmodificationswiththelscommand: ls -le secret.txt -rw------- 1 ajohnson admin 43008 Apr 14 2006 secret.txt 0: ajohnson allow read 1: tclark deny write 2: engineers allow delete Formoreinformation,entermanchmod inaTerminalwindow. Chapter8SecuringDataandUsingEncryption 145 ChangingGlobalUmaskforStricterDefaultPermissions EveryfileorfolderhasPOSIXpermissionsassociatedwithit.Whenyoucreateafileor folder,theumasksettingdeterminesthesePOSIXpermissions. Theumaskvalueissubtractedfromthemaximumpermissionsvalue(777)to determinethedefaultpermissionvalueofanewlycreatedfileorfolder.Forexample,a umaskof022resultsinadefaultpermissionof755. Thedefaultumasksetting022(inoctal)removesgroupandotherwritepermissions. Groupmembersandotheruserscanreadandrunthesefilesorfolders.Changingthe umasksettingto027enablesgroupmemberstoreadfilesandfoldersandprevents othersfromaccessingthefilesandfolders.Ifyouwanttobetheonlyusertoaccess yourfilesandfolders,settheumasksettingto077. Tochangethegloballydefinedumasksetting,changetheumasksettingin/etc/ launchd.conf. Youmustbeloggedinasauserwhocanusesudotoperformtheseoperationsand youmustusethedecimalequivalent,notanoctalnumber. Note:Usersandapplicationscanoverridedefaultumasksettingsatanytimefortheir ownfiles. WARNING:Manyinstallationsdependonthedefaultumasksetting.Therecanbe unintendedandpossiblysevereconsequencestochangingit.Instead,useinherited permissions,whichareappliedbysettingpermissionsonafolder.Allfilescontained inthatfolderwillinheritthepermissionsofthatfolder. Tochangetheglobalumaskfilepermission: 1 Signinasauserwhocanusesudo. 2 OpenTerminal. 3 Changetheumasksetting: sudo echo “umask 027” >> /etc/launchd.conf Thisexamplesetstheglobalumasksettingto027. 4 Logout. Changestoumasksettingstakeeffectatthenextlogin. UserscanusetheFinder’sGetInfowindoworthechmodcommand-linetooltochange permissionsforfilesandfolders. 146 Chapter8SecuringDataandUsingEncryption RestrictingSetuidPrograms Whenappliedtoaprogram,thePOSIXsetuid(setuserID)permissionmeansthatwhen theprogramruns,itwillrunattheprivilegelevelofthefile’sowner.ThePOSIXsetgid (setgroupID)permissionisanalogous.Toseeanexampleofafilewiththesetuidbit, runthelscommandonthepingprogramasfollows: ls -l /sbin/ping -r-sr-xr-x 1 root wheel 68448 Nov 28 2007 /sbin/ping Thesetuidbitisrepresentedwithan“s”inthefieldofpermissions,inthepositionthat containsthefileowner’sexecutepermission.Theprogramrunswiththeprivilege levelofthefile’sowner.Theownerofthefileisroot,sowhenpingisexecuted—no matterwhoexecutesit—itrunsasroot.Forsetgidprograms,an“s”appearsinthe groupexecutepermissionandthefilerunswiththeprivilegesofthegroupowner. Thesetuidbitisnecessaryformanyprogramsonthesystemtoperformthespecific, privilegedtasksforwhichtheyaredesignedfor.Thepingprogram,forexample,is setuidbecauseitmustbeabletoengageinnetworkcommunicationthatisonly possiblewithrootprivileges. Tofindsetuidprogramsonthesystem,usethefollowingcommand: sudo find / -perm -04000 -ls Tofindsetgidprograms,use-02000insteadof-04000. MacOSXincludesapproximately75setuidprograms.Manyoftheseprogramsneed thesetuidbitfornormalsystemoperation.However,otherprogramsmayneedthe setuidbitonlyifcertainfunctionalityisneeded,oronlyifadministratorsneedtouse theprogram. Becauseattackerstrytoinfluenceorco-opttheexecutionofsetuidprogramstotry toelevatetheirprivileges,thereisbenefitinremovingthesetuidbitfromprograms thatmaynotneedit.Thereisalsobenefitinrestrictingtoadministratorstherightto executeasetuidprogram. Ifaprogramisneededbuthashaditssetuidbitstripped,anadministratorcanrunthe programusingsudo,whichrunstheprogramastherootuser.Anadministratorcan alsotemporarilyenablethesetuidbitwhiletheprogramisneeded,andthendisableit againafterward. Chapter8SecuringDataandUsingEncryption 147 StrippingSetuidBits Tostripthesetuidorsetgidbitfromaprogram,usethefollowingcommand: sudo chmod -s programname Thefollowingprogramscanhavetheirsetuidbitremoved,unlessneededforthe purposeshowninthesecondcolumn:: Application RelatedService /System/Library/CoreServices/ AppleRemoteDesktop RemoteManagement/ARDAgent.app/Contents/ MacOS/ARDAgent /usr/bin/at 148 JobScheduler /usr/bin/atq JobScheduler /usr/bin/atrm JobScheduler /usr/bin/crontab JobScheduler /usr/bin/postdrop PostfixMail /System/Library/PrivateFrameworks/ DesktopServicesPriv.framework/ Versions/A/Resources/Locum PerformingPrivilegedFileOperationsusingFinder /usr/bin/postqueue PostfixMailQueue /usr/bin/procmail MailProcessor /usr/bin/wall UserMessaging /usr/bin/write UserMessaging /usr/bin/chrfn ChangeFingerInformation /System/Library/Printers/IOMs/LPRIOM.plugin/ Contents/MacOS/LPRIOMHelper Printing /usr/sbin/traceroute TraceNetworkPath /usr/sbin/traceroute6 TraceNetworkPath /sbin/mount_fs MountingNFSFilesystems /usr/bin/ipcs IPCStatistics /bin/rcp RemoteAccess(unsecure) /usr/bin/rlogin RemoteAccess(unsecure) /usr/bin/rsh RemoteAccess(unsecure) /usr/lib/sa/sadc SystemActivityReporting /usr/sbin/scselect Allowingnon-administratorstochangeNetwork Location Chapter8SecuringDataandUsingEncryption Important:TheRepairPermissionsfeatureofDiskUtilityreenablesthesetuidbiton theseprograms.Softwareupdatesmayalsoreenablethesetuidbitontheseprograms. Toachievesomepersistenceforthepermissionschange,createashellscripttostrip thebitsandthenimplementalaunchdjob(fortherootaccount)toexecutethis scripteveryhalfhour.Thisensuresthatnomorethanhalfanhourpassesfromthe timeasystemupdateisapplieduntilthesetuidbitsareremoved. Forinformationabouthowtosetupalaunchdjob,seeIntroductiontoCommand-Line Administration,availableatwww.apple.com/server/macosx/resources/. UsingACLstoRestrictUsageofSetuidPrograms YoucanalsousetheACLfeatureofMacOSXtorestricttheexecutionofsetuid programs. Restrictingtheexecutionofsetuidprogramstoadministratorspreventsotherusers fromexecutingthoseprograms.Itshouldalsopreventattackerswhohaveordinary userprivilegesfromexecutingthesetuidprogramandtryingtoelevatetheirprivileges. Allusersonthesystemareinthe“staff”group,sothecommandsbelowallow membersoftheadmingrouptoexecute<programname>butdenythatrightto membersofthestaffgroup: sudo chmod +a “group:staff deny execute” <program name> sudo chmod +a# 0 “group:admin allow execute” <program name> ToviewtheACL: ls -le <program name> Theoutputlookssomethinglikethis: -r-sr-xr-x+ 1 root wheel 12345 Nov 28 2007 <program name> 0: group:admin allow execute 1: group:staff deny execute BecausetheACLisevaluatedinorderfromtoptobottom,usersintheadmingroup arepermittedtoexecutetheprogram.Thefollowingruledeniesthatrighttoallusers. Important:Althoughthe“RepairPermissions”featureofDiskUtilitydoesnotstrip ACLsfromprograms,softwareupdatesmightstriptheseACLs.Inordertoachieve somepersistencefortheACLs,createashellscripttosettheACLsandthenimplement alaunchdrecurringevent(fortherootaccount)toexecutethisscript. Forinformationabouthowtosetupalaunchdrecurringevent,consultIntroductionto CommandLineAdministration,availableatwww.apple.com/server/macosx/resources/. Chapter8SecuringDataandUsingEncryption 149 Alaunchdrecurringeventshouldensurethataspecifiedtimeperiod(orless)should passfromthetimeasystemupdateisappliedandtheACLisreset.Becausethe ACLdescribedaboveusesthe+a#optiontoplacerulesinanoncanonicalorder,its reapplicationresultsinadditionalrules.Thefollowingscriptcansuccessfullyapply –andreapply–therules: chmod –a “group:admin allow execute” <program name> chmod +a “group:staff deny execute” <program name> chmod +a# 0 “group:admin allow execute” <program name> SecuringUserHomeFolders Tosecureuserhomefolders,changethepermissionsofeachuser’shomefoldersothe folderisnotworld-readableorworld-searchable. WhenFileVaultisnotenabled,permissionsonthehomefolderofauseraccountallow otheruserstobrowsethefolder’scontents.However,usersmightinadvertentlysave sensitivefilestotheirhomefolder,insteadofintothemore-protected~/Documents, ~/Library,or~/Desktopfolders. The~/Sites,~/Public,and~/Public/DropBoxfoldersineachhomefoldermayrequire world-readableorworld-writeablepermissionsifFileSharingorWebSharingis enabled.Iftheseservicesarenotinuse,thepermissionsonthesefolderscanbe safelychangedtopreventotherusersfrombrowsingorwritingtotheircontents. Astheownerofhisorherhomefolder,theusercanalterthefolder’spermission settingsatanytime,andcanchangethesesettingsback. InSnowLeopardServerallusersareamemberofthe“staff”group,notofagroupthat hasthesamenameastheirusername. Note:Changingpermissionsonauser’shomedirectoryfrom750to700willdisable Applefilesharing(usingthe~/Publicdirectory)andApplewebsharing(usingthe~/ Sitesdirectory). Tochangehomefolderpermissions: m Enterthefollowingcommand,replacingusernamewiththenameoftheaccount: sudo chmod 700 /Users/username Runthiscommandimmediatelyaftersomeonecreatesanaccount. 150 Chapter8SecuringDataandUsingEncryption EncryptingHomeFolders LeopardincludesFileVault,whichcanencryptyourhomefolderanditsfiles.Use FileVaultonportablecomputersandothercomputerswhosephysicalsecurityyou can’tguarantee.EnableFileVaultencryptionforyourcomputeranditsuseraccounts. FileVaultmovesallcontentofyourhomefolderintoabundlediskimagethatsupports AES-128encryption.SnowLeopardsupportsTigersparsediskimagecreatedusing AES-128encryption.Thesparseformatallowstheimagetomaintainasizeproportional toitscontents,whichcansavediskspace. IfyouremovefilesfromaFileVault-protectedhomefolderittakestimetorecoverfree spacefromthehomefolder.Afterthehomefolderisoptimized,youcanaccessfilesin FileVault-protectedhomefolderswithoutnoticeabledelays. Ifyou’reworkingwithconfidentialfilesthatyouplantoeraselater,storethosefilesin separateencryptedimagesthatarenotlocatedinyourhomefolder.Youcanthen erasethoseimageswithoutneedingtorecoverfreespace.Formoreinformation,see “EncryptingPortableFiles”onpage155. Ifyou’veinsecurelydeletedfilesbeforeusingFileVault,thesefilesarerecoverable afteractivatingit.Topreventthis,whenyouinitiallyenableFileVault,securelyerase freespace.Forinformation,see“UsingDiskUtilitytoSecurelyEraseFreeSpace”on page160. BecauseFileVaultisanencryptionofauser’slocalhomefolder,FileVaultdoesnot encryptorprotectfilestransferredoverthenetworkorsavedtoremovablemedia, soyou’llneedtoencryptspecificfilesorfolders.FileVaultcanonlybeenabledfor localormobileaccountsandcannotbeenabledfornetworkhomefolders. Toprotectfilesorfoldersonportablemediaoranetworkvolume,createanencrypted diskimageontheportablemediaornetworkvolume.Thenmounttheseencrypted diskimages,whichprotectdatatransmittedoverthenetworkusingAES-128 encryption.Whenusingthismethod,mounttheencrypteddiskimagefromone computeratatimetopreventirreparablecorruptiontotheimagecontent. Forinformationaboutencryptingspecificfilesorfoldersfortransferfromyournetwork homefolder,see“EncryptingPortableFiles”onpage155. WhenyousetupFileVault,youcreateamasterpassword.Ifyouforgetyourlogin password,youcanuseyourmasterpasswordtorecoverencrypteddata.Ifyou forgetyourloginpasswordandyourmasterpassword,youcannotrecoveryourdata. Becauseofthis,considersealingyourmasterpasswordinanenvelopeandstoring itinasecurelocation. Chapter8SecuringDataandUsingEncryption 151 YoucanusePasswordAssistanttohelpcreateacomplexmasterpasswordthatcannot beeasilycompromised.Forinformation,see“UsingPasswordAssistanttoGenerateor AnalyzePasswords”onpage84. EnablingFileVaultcopiesdatafromyourhomefolderintoanencryptedhomefolder. Aftercopying,FileVaulterasestheunencrypteddata. BydefaultFileVaultinsecurelyerasestheunencrypteddata,butifyouenablesecure erase,yourunencrypteddataissecurelyerased. OverviewofFileVault SnowLeopardServerextendstheunlockingofFileVaulttoSmartCards,whichprovides themostsecurepracticeforprotectingFileVaultaccounts. AccountsprotectedbyFileVaultsupportauthenticationusingapassphraseor aSmartCard.WithSmartCardauthentication,theAES-256symmetricDataKey(DK) usedtoencrypttheuser’sdataisunwrappedusingaprivate(encryption)keyon theSmartCard.Thedatawrittentoorreadfromdiskisencryptedanddecrypted ontheflyduringaccess. FileVaultencryptstheDataKey(DK)usingtheUserKey(UK1),whichcanbegenerated fromyourpassphraseorfromthepublickeyonyourSmartCard.FileVaultseparately encryptstheDataKeyusingtheFileVaultMasterKey(MK). ThearchitecturaldesignofFileVaultmakesitpossiblefortheMKandUK1toencrypt anddecryptfiles.Providingstrongencryptionprotectsuserdataatrestwhileensuring accessmanagementbyITstaff. TheeasiestmethodforcentralizedmanagementofFileVaultonaclientcomputeristo useSnowLeopardServerandWorkGroupManagertoenforcetheuseofFileVaultand theproperidentity. 152 Chapter8SecuringDataandUsingEncryption ManagingFileVault YoucansetaFileVaultmasterkeychaintodecryptanaccountthatusesFileVault toencryptdata.ThenifusersforgettheirFileVaultaccountpassword(whichthey usetodecryptencrypteddata)youcanusetheFileVaultmasterkeychaintodecrypt thedata. TocreatetheFileVaultmasterkeychain: 1 OpenSystemPreferences>Security. 2 ClickMasterPasswordandsetamasterpassword. Selectastrongpasswordandconsidersplittingthepasswordintoatleasttwo components(firsthalfandsecondhalf ).YoucanusePasswordAssistanttoensure thatthequalityofthepasswordisstrong. Toavoidhavingonepersonknowthefullpassword,haveseparatesecurity administratorskeepeachpasswordcomponent.Thispreventsasinglepersonfrom unlocking(decrypting)aFileVaultaccount.Formoreinformation,see“UsingPassword AssistanttoGenerateorAnalyzePasswords”onpage84. SettingamasterpasswordcreatesakeychaincalledFileVaultMaster.keychainin/ Library/Keychains/.TheFileVaultmasterkeychaincontainsaFileVaultrecoverykey (self-signedrootcertificate)andaFileVaultmasterpasswordkey(privatekey). 3 DeletethecertificatenamedFileVaultMaster.cerinthesamelocationasthe FileVaultMaster.keychain. FileVaultMaster.cerisonlyusedforimportingthecertificateintothekeychain.Thisis onlyacertificateanddoesnotcontaintheprivatekey,sothereisnosecurityconcern aboutsomeonewithgainingaccesstothiscertificate. 4 MakeacopyofFileVaultMaster.keychainandputitinasecureplace. 5 DeletetheprivatekeyfromFileVaultMaster.keychaincreatedonthecomputerto modifythekeychain. DeletingthekeyensuresthatevenifsomeoneunlockstheFileVaultmasterkeychain theycannotdecryptthecontentsofaFileVaultaccountbecausethereisnoFileVault masterpasswordprivatekeyavailableforthedecryption. ManagingtheFileVaultMasterKeychain ThemodifiedFileVaultmasterkeychaincannowbedistributedtonetworkcomputers. ThiscanbedonebytransferringFileVaultMaster.keychaintothecomputersbyusing AppleRemoteDesktop,byusingadistributedinstallerexecutedoneachcomputer,by usingvariousscriptingtechniques,orbyincludingitintheoriginaldiskimageifyour organizationrestoressystemswithadefaultimage. Chapter8SecuringDataandUsingEncryption 153 ThemasterkeychainprovidesnetworkmanagementofanyFileVaultaccountcreated onanycomputerwiththemodifiedFileVaultMaster.keychainlocatedinthe/Library/ Keychains/folder.ThesecomputersindicatethatthemasterpasswordissetinSecurity preferences. WhenanaccountiscreatedandthemodifiedFileVaultmasterkeychainispresent,the publickeyfromtheFileVaultrecoverykeyisusedtoencryptthedynamicallygenerated AES128-bit(default)orAES256-bitsymmetrickeythatisusedfortheencryptionand decryptionoftheencrypteddiskimage(FileVaultcontainer). Todecryptaccesstotheencrypteddiskimage,theFileVaultmasterpasswordprivate keyisrequiredtodecrypttheoriginaldynamicallygeneratedAES128-bitor256-bit symmetrickey. Theuser’soriginalpasswordcontinuestoworkasnormal,buttheassumptionhereis thatthemasterpasswordserviceisbeingusedbecausetheuserhasforgottenthe passwordortheorganizationmustperformdatarecoveryfromauser’scomputer. TorecoveranetworkmanagedFileVaultsystemaccount: 1 RetrievethecopyofFileVaultMaster.keychainthatwasstoredbeforetheprivatekey wasdeletingduringmodification. 2 Bringtogetherallsecurityadministratorsinvolvedingeneratingthemasterpassword. Morethanoneindividualisneededifthemasterpasswordwassplitintopassword components. Note:TheadministratormusthaverootaccesstorestoretheFileVaultMaster.keychain file. 3 Restoretheoriginalkeychaintothe/Library/Keychains/folderofthetargetcomputer, replacingtheinstalledkeychain. 4 VerifythattherestoredFileVaultMaster.keychainfilehasthecorrectownershipand permissionsset,similartothefollowingexample. -rw-r--r-- 1 root admin 24880 Mar 2 18:18 FileVaultMaster.keychain 5 Verifythat“PasswordHints”isenabledbyloggingintotheFileVaultaccountyouare attemptingtorecoverandincorrectlyentertheaccountpasswordthreetimes. If“PasswordHints”isenabled,youaregrantedanadditionaltryafterthehintappeals. 6 Whenpromptedforthemasterpassword,havethesecurityadministratorscombine theirpasswordcomponentstounlockaccesstotheaccount. 7 Whentheaccountisunlocked,provideanewpasswordfortheaccount. Thepasswordisusedtoencrypttheoriginalsymmetrickeyusedtoencryptand decryptthediskimage. 154 Chapter8SecuringDataandUsingEncryption Note:ThisprocessdoesnotreencrypttheFileVaultcontainer.Itreencryptstheoriginal symmetrickeywithakeyderivedfromthenewuseraccountpasswordyouentered. Youarenowloggedintotheaccountandgivenaccesstotheuser’shomefolder. 8 DeletetheprivatekeyfromFileVaultMaster.keychainagain,orreplacethekeychainfile withtheoriginalcopyofFileVaultMaster.keychainthatwasstoredbeforetheprivate keywasdeleted. Thisprocessdoesnotchangethepasswordusedtoprotecttheuser’soriginallogin keychain,becausethatpasswordisnotknownorstoredanywhere.Instead,this processcreatesaloginkeychainwiththepasswordenteredastheuser’snewaccount password. EncryptingPortableFiles Toprotectfilesyouwanttotransferoveranetworkorsavetoremovablemedia, encryptadiskimageorencryptthefilesandfolders.FileVaultdoesn’tprotectfiles transmittedoverthenetworkorsavedtoremovablemedia. Usingaserver-basedencrypteddiskimageprovidestheaddedbenefitofencrypting networktrafficbetweenthecomputerandtheserverhostingthemountedencrypted diskimage. CreatinganEncryptedDiskImage Toencryptandsecurelystoredata,youcancreatearead/writeimageorasparse image:  Aread/writeimageconsumesthespacethatwasdefinedwhentheimagewas created.Forexample,ifthemaximumsizeofaread/writeimageissetto10GB,the imageconsumes10GBofspaceevenifitcontainsonly2GBofdata.  Asparseimageconsumesonlytheamountofspacethedataneeds.Forexample, ifthemaximumsizeofasparseimageis10GBandthedataisonly2GB,theimage consumesonly2GBofspace. Ifanunauthorizedadministratormightaccessyourcomputer,creatinganencrypted blankdiskimageispreferredtocreatinganencrypteddiskimagefromexistingdata. Creatinganencryptedimagefromexistingdatacopiesthedatafromanunprotected areatotheencryptedimage.Ifthedataissensitive,createtheimagebeforecreating thedocuments.Thiscreatestheworkingcopies,backups,orcachesoffilesin encryptedstoragefromthestart. Note:Topreventerrorswhenafilesysteminsideasparseimagehasmorefreespace thanthevolumeholdingthesparseimage,HFSvolumesinsidesparseimagesreport anamountoffreespaceslightlylessthantheamountoffreespaceonthevolumethat theimageresideson. Chapter8SecuringDataandUsingEncryption 155 Tocreateanencrypteddiskimage: 1 OpenDiskUtility. 2 ChooseFile>New>BlankDiskImage. 3 Enteranamefortheimage,andchoosewheretostoreit. 4 ChoosethesizeoftheimagebyclickingtheSizepop-upmenu. Makesurethesizeoftheimageislargeenoughforyourneeds.Youcannotincrease thesizeofanimageaftercreatingit. 5 ChooseanencryptionmethodbyclickingtheEncryptionpop-upmenu. AES-128orAES-256isastrongencryptionformat. 6 ChooseaformatbyclickingtheFormatpop-upmenu. Althoughthereissomeoverhead,thesparseformatallowstheimagetomaintaina sizeproportionaltoitscontents(uptoitsmaximumsize),whichcansavediskspace. 7 ClickCreate. 8 Enterapassword,andverifyit. YoucanaccessPasswordAssistantfromthiswindow.Formoreinformation,see“Using PasswordAssistanttoGenerateorAnalyzePasswords”onpage84. 9 Deselect“Rememberpassword(addtoKeychain),”andclickOK. CreatinganEncryptedDiskImagefromExistingData Ifyoumustmaintaindataconfidentialitywhentransferringfilesfromyour computerbutyoudon’tneedtoencryptfilesonyourcomputer,createadisk imagefromexistingdata. Suchsituationsincludeunavoidableplain-textfiletransfersacrossanetwork,suchas mailattachmentsorFTP,orcopyingtoremovablemedia,suchasaCDorfloppydisk. Ifyouplantoaddfilestothisimageinsteadofcreatinganimagefromexistingdata, createanencrypteddiskimageandaddyourexistingdatatoit.Forinformation,see “CreatinganEncryptedDiskImage”onpage155. Tocreateanencrypteddiskimagefromexistingdata: 1 OpenDiskUtility. 2 ChooseFile>New>DiskImagefromFolder. 3 SelectafolderandclickImage. 4 Enteranamefortheimageandchoosewheretostoreit. 5 ChooseaformatbyclickingtheFormatpop-upmenu. Thecompresseddiskimageformatcanhelpyousaveharddiskspacebyreducingyour diskimagesize. 156 Chapter8SecuringDataandUsingEncryption 6 ChooseanencryptionmethodbyclickingtheEncryptionpop-upmenu. AES-128orAES-256providestrongencryption. 7 ClickSave. 8 Enterapasswordandverifyit. YoucaneasilyaccessPasswordAssistantfromthiswindow.Formoreinformation,see “UsingPasswordAssistanttoGenerateorAnalyzePasswords”onpage84. 9 Deselect“Rememberpassword(addtoKeychain)”andclickOK. Youcanalsousethehdiutilcommandtocreateandformatencrypteddiskimages. Formoreinformationaboutthiscommand,seeitsmanpage. CreatingEncryptedPDFs Youcanquicklycreatepassword-protected,read-onlyPDFdocumentsofconfidential orpersonaldata.Toopenthesefilesyoumustknowthepasswordforthem. SomeapplicationsdonotsupportprintingtoPDF.Inthiscase,createanencrypteddisc image.Forinformation,see“CreatinganEncryptedDiskImagefromExistingData”on page156. Tocreateanencrypted,read-onlydocument: 1 Openthedocument. 2 ChooseFile>Print. Someapplicationsdon’tallowyoutoprintfromtheFilemenu.Theseapplications mightallowyoutoprintfromothermenus. 3 ClickPDFandchooseSaveasPDF. 4 ClickSecurityOptionsandselectoneormoreofthefollowingoptions:  Requirepasswordtoopendocument  Requirepasswordtocopytextimagesandothercontent  Requirepasswordtoprintdocument WhenyourequireapasswordforthePDF,itbecomesencrypted. 5 Enterapassword,verifyit,andclickOK. 6 Enteranameforthedocument,choosealocation,andclickSave. 7 Testyourdocumentbyopeningit. Youmustenterthepasswordbeforeyoucanviewthecontentsofyourdocument. Chapter8SecuringDataandUsingEncryption 157 SecurelyErasingData Whenyoueraseafile,you’reremovinginformationthatthefilesystemusestofindthe file.Thefile’slocationonthediskismarkedasfreespace.Ifotherfileshavenotwritten overthefreespace,itispossibletoretrievethefileanditscontents. SnowLeopardprovidesthefollowingwaystosecurelyerasefiles.  Zero-outerase  7-passerase  35-passerase Azero-outerasesetsalldatabitsonthediskto0,whilea7-passeraseanda35-pass eraseusealgorithmstooverwritethedisk.A7-passerasefollowstheDepartmentof Defensestandardforthesanitizationofmagneticmedia.A35-passeraseusesthe extremelyadvancedGutmannalgorithmtohelpeliminatethepossibilityofdata recovery. Thezero-outeraseisthequickest.The35-passeraseisthemostsecure,butitisalso35 timesslowerthanthezero-outerase. Eachtimeyouusea7-passor35-passsecureerase,thefollowingseven-stepalgorithm isusedtopreventthedatafrombeingrecovered:  Overwritefilewithasinglecharacter  Overwritefilewithzeroes  Overwritefilewithasinglecharacter  Overwritefilewithrandomcharacters  Overwritefilewithzeroes  Overwritefilewithasinglecharacter  Overwritefilewithrandomcharacters ConfiguringFindertoAlwaysSecurelyErase InSnowLeopardServeryoucanconfigureFindertoalwayssecurelyeraseitemsplaced intheTrash.ThispreventsdatayouplaceintheTrashfrombeingrestored.Usingsecure erasetakelongerthanemptyingtheTrash. ToconfigureFindertoalwaysperformasecureerase: 1 InFinder,chooseFinder>Preferences. 2 ClickAdvanced. 3 Selectthe“EmptyTrashsecurely”checkbox. 158 Chapter8SecuringDataandUsingEncryption UsingDiskUtilitytoSecurelyEraseaDiskorPartition YoucanuseDiskUtilitytosecurelyeraseapartition,usingazero-outerase,a7-pass erase,ora35-passerase. Note:IfyouhaveapartitionwithSnowLeopardinstalledandyouwanttosecurely eraseanunmountedpartition,youdon’tneedtouseyourinstallationdiscs.Inthe Finder,openDiskUtility(locatedin/Applications/Utilities/). WARNING:Securelyerasingapartitionisirreversible.Beforeerasingthepartition, backupcriticalfilesyouwanttokeep. TosecurelyeraseapartitionusingDiskUtility: 1 InsertthefirstoftheSnowLeopardinstallationdiscsintheopticaldrive. 2 RestartthecomputerwhileholdingdowntheCkey. Thecomputerstartsupfromthediscintheopticaldrive. 3 Proceedpastthelanguageselectionstep. 4 ChooseUtilities>DiskUtility. 5 Selectthepartitionyouwanttosecurelyerase. Selectapartition,notadrive.Partitionsarecontainedindrivesandareindentedone levelinthelistontheleft. 6 ClickErase,choose“MacOSExtendedJournaled,”andthenclickSecurityOptions. MacOSExtendeddiskformattingprovidesenhancedmultiplatforminteroperability. 7 ChooseaneraseoptionandclickOK. 8 ClickErase. Securelyerasingapartitioncantaketime,dependingonthesizeofthepartitionand themethodyouchoose. UsingCommand-LineToolstoSecurelyEraseFiles YoucanusethesrmcommandinTerminaltosecurelyerasefilesorfolders.Byusing srm,youcanremoveeachfileorfolderbyoverwriting,renaming,andtruncatingthe fileorfolderbeforeerasingit.Thispreventsotherpeoplefromundeletingorrecovering informationaboutthefileorfolder. Forexample,srmsupportssimplemethods,likeoverwritingdatawithasinglepassof zeros,tomorecomplexones,likeusinga7-passor35-passerase. Chapter8SecuringDataandUsingEncryption 159 Thesrmcommandcannotremoveawrite-protectedfileownedbyanotheruser, regardlessofthepermissionsofthedirectorycontainingthefile. WARNING:Erasingfileswithsrmisirreversible.Beforesecurelyerasingfiles,backup criticalfilesyouwanttokeep. Tosecurelyeraseafoldernamedsecret: sudo srm -r -s secret The-roptionremovesthecontentofthedirectory,andthe-soption(simple) overwriteswithasinglerandompass. Foramoresecureerase,usethe-m(medium)optiontoperforma7-passeraseofthe file.The-soptionoverridesthe-moption,ifbotharepresent.Ifneitherisspecified, the35-passisused. Formoreinformation,seethesrm manpage. UsingSecureEmptyTrash SecureEmptyTrashusesa7-passerasetosecurelyerasefilesstoredintheTrash. Dependingonthesizeofthefilesbeingerased,securelyemptyingtheTrashcan taketimetocomplete. WARNING:UsingSecureEmptyTrashisirreversible.Beforesecurelyerasingfiles,back upcriticalfilesyouwanttokeep. TouseSecureEmptyTrash: 1 OpentheFinder. 2 ChooseFinder>SecureEmptyTrash. 3 ClickOK. UsingDiskUtilitytoSecurelyEraseFreeSpace YoucanuseDiskUtilitytosecurelyerasefreespaceonpartitions,usingazero-out erase,a7-passerase,ora35-passerase. TosecurelyerasefreespaceusingDiskUtility: 1 OpenDiskUtility(locatedin/Applications/Utilities/). 2 Selectthepartitiontosecurelyerasefreespacefrom. Selectapartition,notadrive.Partitionsarecontainedindrivesandareindentedone levelinthelistontheleft. 3 ClickErase,andthenclickEraseFreeSpace. 160 Chapter8SecuringDataandUsingEncryption 4 ChooseaneraseoptionandclickEraseFreeSpace. Securelyerasingfreespacecantaketime,dependingontheamountoffreespace beingerasedandthemethodyouchoose. 5 ChooseDiskUtility>QuitDiskUtility. UsingCommand-LineToolstoSecurelyEraseFreeSpace Youcansecurelyerasefreespacefromthecommandlinebyusingthediskutil command.However,ownershipoftheaffecteddiskisrequired.Thistoolallowsyouto securelyeraseusingoneofthethreelevelsofsecureerase:  1—Zero-outsecureerase(alsoknownassingle-pass)  2—7-passsecureerase  3—35-passsecureerase Toerasefreespaceusinga7-passsecureerase(indicatedbythenumber2): sudo diskutil secureErase freespace 2 /dev/disk0s3 Formoreinformation,seethediskutilmanpage. Fromthecommandline: # ------------------------------------------------------------------# Using Disk Utility to Securely Erase Free Space # ------------------------------------------------------------------# Overwrite a device with zeroes. sudo diskutil zeroDisk /dev/device # Secure erase (7-pass) free space on a volume. sudo diskutil secureErase freespace 2 /dev/device # Secure erase (7-pass) a volume. sudo diskutil secureErase 2 /dev/device DeletingPermanentlyfromTimeMachineBackups TimeMachineisbasedontheMacOSXHFS+filesystem.Ittracksfilechangesand detectsfilesystempermissionsanduseraccessprivileges. WhenTimeMachineperformstheinitialbackup,itcopiesthecontentsofyour computertoyourbackupdrive.Everysubsequentbackupisanincrementalbackup, whichcopiesonlythefilesthathavechangedsincethepreviousbackup. YoucanpermanentlydeletefilesorfoldersfromyourcomputerandallTimeMachine backupsusingTimeMachine.Thiskeepssensitivedatathatyounolongerneedfrom beingrecovered. Chapter8SecuringDataandUsingEncryption 161 TopermanentlydeletefilesorfoldersfromTimeMachinebackups: 1 Deletethefileorfolderfromyourcomputer. 2 OpenTimeMachine. 3 SelectthefileforfolderyouwanttopermanentlydeletefromTimeMachine. 4 ClicktheActionpop-upmenuandselect“DeleteAllBackupsof“FileorFoldername.” 5 Whenthewarningmessageappears,clickOKtopermanentlydeletethefileorfolder. Allbackupcopiesofyourfileorfolderarepermanentlydeletedfromyourcomputer. 162 Chapter8SecuringDataandUsingEncryption 9 ManagingCertificates 9 UsethischaptertolearnhowSnowLeopardServersupports servicesthatensureencrypteddatatransferthrough certificates. SnowLeopardServerusesaPublicKeyInfrastructure(PKI)systemtogenerateand maintaincertificatesofidentities.ServerAdminmakesiteasytomanageSecure SocketsLayer(SSL)certificatesthatcanbeusedbyweb,mail,directoryservices, andotherservicesthatsupportthem. Youcancreateaself-signedcertificateandgenerateaCertificateSigningRequest(CSR) toobtainanSSLcertificatefromanissuingauthorityandinstallthecertificate. FormoreinformationabouthowtouseSSLcertificateswithindividualservices, seeChapter10,“SettingGeneralProtocolsandAccesstoServices.”Also,formore informationaboutcertificatesusingthecommandline,seethemanpageofthe securitycommand-linetool. UnderstandingPublicKeyInfrastructure SnowLeopardServersupportsservicesthatuseSSLtoensureencrypteddata transfer.ItusesaPKIsystemtogenerateandmaintaincertificatesforusewith SSL-enabledservices. PKIsystemsallowthetwopartiesinadatatransactiontobeauthenticatedtoeach other,andtouseencryptionkeysandotherinformationinidentitycertificatesto encryptanddecryptmessagestravelingbetweenthem. PKIenablesmultiplecommunicatingpartiestoestablishconfidentiality,message integrity,andmessagesourceauthenticationwithoutexchangingsecretinformation inadvance. 163 SSLtechnologyreliesonaPKIsystemforsecuredatatransmissionanduser authentication.Itcreatesaninitialsecurecommunicationchanneltonegotiate afaster,secretkeytransmission.SnowLeopardServerusesSSLtoprovide encrypteddatatransmissionforMail,Web,andDirectoryservices. PublicandPrivateKeys WithinaPKI,twodigitalkeysarecreated:thepublickeyandtheprivatekey. Theprivatekeyisn’tdistributedtoanyoneandisoftenencryptedbyapassphrase. Thepublickeyisdistributedtoothercommunicatingparties. Basickeycapabilitiescanbesummedupas: Keytype Capabilities Public  Canencryptmessagesthatcanonlybydecryptedbytheholderofthecorresponding Privatekey.  CanverifythesignatureonamessagetoensurethatitiscomingfromaPrivatekey. Private  Candigitallysignamessageorcertificate,claimingauthenticity.  CandecryptmessagesthatwereencryptedwiththePublickey.  CanencryptmessagesthatcanonlybedecryptedbythePrivatekeyitself. Web,mail,anddirectoryservicesusethepublickeywithSSLtonegotiateasharedkey forthedurationoftheconnection. Forexample,supposeamailserversendsitspublickeytoaconnectingclientand initiatesnegotiationforasecureconnection.Theconnectingclientusesthepublickey toencryptaresponsetothenegotiation.Themailserver,becauseithastheprivate key,candecrypttheresponse.Thenegotiationcontinuesuntilmailserverandclient haveasharedsecrettoencrypttrafficbetweenthetwocomputers. Certificates Acertificateisanelectronicdocumentthatcontainsapublickeywithidentification information(name,organzation,emailaddress,andsoon).Inapublickey environment,acertificateisdigitallysignedbyaCertificateAuthority,oritsown privatekey(thelatterbeingaself-signedcertificate). Apublickeycertificateisafileinaspecifiedformat(MacOSXServerusesthex.509 format)thatcontains:  Thepublickeyhalfofapublic-privatekeypair  Thekeyuser’sidentityinformation,suchasaperson’snameandcontactinformation  Avalidityperiod(howlongthecertificatecanbetrustedtobeaccurate)  TheURLofsomeonewiththepowertorevokethecertificate(itsrevocationcenter)  ThedigitalsignatureofaCA,orthekeyuser 164 Chapter9ManagingCertificates AboutCertificateAuthorities(CAs) ACAisanentitythatsignsandissuesdigitalidentitycertificatesclaimingthataparty iscorrectlyidentified.Inthissense,aCAisatrustedthirdpartyusedbyotherparties whenperformingtransactions. Inx.509systemssuchasSnowLeopardServer,CAsarehierarchical,withCAsbeing certifiedbyhigherCAs,untilyoureacharootauthority.ArootauthorityisaCAthat’s trustedbytheparties,soitdoesn’tneedtobeauthenticatedbyanotherCA.The hierarchyofcertificatesistop-down,withtherootauthority’scertificateatthetop. ACAcanbeacompanythatsignsandissuesapublickeycertificate.Thecertificate atteststhatthepublickeybelongstotheownerrecordedinthecertificate. Inasense,aCAisadigitalnotarypublic.YourequestacertificatebyprovidingtheCA withyouridentityinformation,contactinformation,andthepublickey.TheCAthen verifiesyourinformationsouserscantrustcertificatesissuedforyoubytheCA. AboutIdentities Identitiesareacertificateandaprivatekey,together.Thecertificateidentifiestheuser, andtheprivatekeycorrespondstothecertificate.Asingleusercanhaveseveral identities;foranygivenusereachcertificatecanhaveadifferentname,emailaddress, orissuer. Theseidentitiesareusedfordifferentsecuritycontexts.Forexample,onecanbeused tosignothers’certificates,onecanbeusedtoidentifytheuserbyemail,andthesedo notneedtobethesameidentity. InthecontextoftheMacOSXServerCertificateManager,identitiesinclude asignedcertificateandbothkeysofaPKIkeypair.Theidentitiesareusedbythe systemkeychainandareavailableforusebyservicesthatsupportSSL. Self-SignedCertificates Self-signedcertificatesarecertificatesthataredigitallysignedbytheprivatekey correspondingtothepublickeyincludedinthecertificate.Thisisdoneinplaceof aCAsigningthecertificate.Byself-signingacertificate,you’reattestingthatyouare whoyousayyouare.Notrustedthirdpartyisinvolved. AboutIntermediateTrust IfyouareyourownCAandyourcertificatesarenottrustedbythedefaultshipping rootcertificatesinMacOSX,yourclientscanstillbeconfiguredtotrustyour certificatesthroughanintermediatetrust. Trustistheabilityofaclienttobelievetheidentityofaserverwhenitconnects. Atrustedserverisaknownserverthattheclientcantransactwithsecurely,without interferencefromoutsideandunknownparties. Chapter9ManagingCertificates 165 MacOSXclientsfollowx.509trustvalidationwhenacceptingcertificates,meaning theyfollowthechainofcertificatesignersbackuntiltheyfindatrustedrootcertificate. MacOSXletsyouspecifyatrustedanchor(inotherwords,acertificatethatisnot arootCAcertificate,butthatyoutrust).Aclientcantrustacertificatecloserinthe chainoftrust,orevenjustthesubmittedcertificateitself. Trustingacertificatethatisn’tashippingrootanchorisintermediatetrust.To accomplishthis,trustneedstobebestowedoncertificatesinsteadoftokeychains (aswasdonepreviously).Inv10.4,trustwasgiventocertificatesinthekeychain called“X509Anchors.”TheX509Anchorskeychainwasdeprecatedstartingwith MacOSXv10.5. InSnowLeopardServer,severalkeychainscanholdcertificates:  SystemRootCertificates:Thiskeychainholdsrootcertificatesthatshipwith MacOSX.Thecertificatesalreadyhavetrustgiventothem.  System:Thiskeychainholdscertificatesthatthecomputeradministratorcanadd.All usersonagivenclientcanreadfromthiskeychain.Thetrustsettingsofacertificate inthiskeychaincanoverridethoseofacertificateinSystemRootCertificates.  Anyotherkeychain:Thisholdscertificatesforagivenuserandisonlyaccessible tothatuser.Thetrustsettingsofacertificateinthiskeychaincanoverridethoseof acertificateinSystemRootCertificatesorSystem. Trustedcertificatescanbeinanyoftheselocations,buttotrustacertificate,trust settingsmustbegivenexplicitlytoacertificate. Toconfigureclientstotrustacertificate: 1 Copytheself-signedCAcertificate(thefilenamedca.crt)ontoeachclientcomputer. Thisispreferablydistributedusingnonrewritablemedia,suchasaCD-R.Using nonrewritablemediapreventsthecertificatefrombeingcorrupted. 2 OpentheKeychainAccesstoolbydouble-clickingtheca.crticonwherethecertificate wascopiedontotheclientcomputer. 3 DragthecertificatetotheSystemkeychainusingKeychainAccess. Authenticateasanadministrator,ifrequested. 4 Double-clickthecertificatetogetthecertificatedetails. 5 Inthedetailswindow,clicktheTrustdisclosuretriangle. 6 Fromthepop-upmenunextto“Whenusingthiscertificate,”select“AlwaysTrust” Youhavenowaddedtrusttothiscertificate,regardlessofwhoitissignedby. 166 Chapter9ManagingCertificates Fromthecommandline Aftercopyingthecertificatetothetargetclientcomputer,performthefollowing, replacing<certificate>withthefilepathtothecertificate: sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/ System.keychain <certificate> Youcanusethesecuritytooltosaveandrestoretrustsettingsaswell.Formore informationonusingthesecuritycommand-linetool,seethesecuritymanpage. CertificateManagerinServerAdmin SnowLeopardServer’sCertificateManagerisintegratedintoServerAdmintohelpyou create,use,andmaintainidentitiesforSSL-enabledservices. TheServerAdmininterfaceisshownbelow,withtheCertificateManagerselected. CertificateManagerprovidesintegratedmanagementofSSLcertificatesin SnowLeopardServerforservicesthatallowtheuseofSSLcertificates.On installation,theservercreatesaself-signedcertificateforimmediateusefrom informationyouputinduringserversetup. CertificateManagerusesMacOSX’sCertificateAssistanttocreateself-signed certificatesandcertificate-signingrequests(CSRs)toobtaincertificatessigned byaCA.Thecertificates,self-signedorsignedbyaCA,arethenaccessibleby servicesthatsupportSSL. Chapter9ManagingCertificates 167 CertificateManagerinServerAdmindoesn’tallowyoutosignandissuecertificates asaCA,nordoesitallowyoutosignandissuecertificatesasarootauthority.Ifyou needthesefunctions,youcanuseCertificateAssistantinKeychainAccess(locatedin /Applications/Utilities/).Itprovidesthesecapabilitiesandothersforworkingwithx.509 certificates. IdentitiesthatwerecreatedandstoredinOpenSSLfilescanalsobeimportedinto CertificateManager.TheyareaccessibletoservicesthatsupportSSL.Self-signedand CA-issuedcertificatesyoucreatedinCAAssistantcanbeusedinCertificateManager byimportingthecertificate. CertificateManagerdisplaysthefollowingforeachcertificate:  Thedomainnamethecertificatewasissuedfor  Theexpirationdateofthecertificate  Whenselected,thedetailedcontentsofthecertificate WhencertificatesandkeysareimportedviaCertificateManager,theyareputin the/etc/certificates/directory.ThedirectorycontainsfourPEMformattedfilesfor everyidentity:     Thecertificate Thepublickey Thetrustchain Theconcatenatedversionofthecertificateplusthetrustchain(forusewith someservices) Thecertificateandtrustchainareownedbytherootuserandthewheelgroup,with permissionssetto644.Thepublickeyandconcatenationfileareownedbytheroot userandthecertusersgroup,withpermissionssetto640. Eachfilehasthefollowingnamingconvention: <commonname>.<SHA1hashofthecertificate>.<cert|chain|concat|key>.pem Forexample,thecertificateforawebserveratexample.commightlooklikethis: www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem ReadyingCertificates BeforeyoucanuseSSLinMacOSXServer’sservices,youmustcreateorimport certificates.Youcancreateself-signedcertificates,createcertificatesandthengenerate aCertificateSigningRequest(CSR)tosendtoaCA,orimportcertificatespreviously createdwithOpenSSL. 168 Chapter9ManagingCertificates IfyouhavepreviouslygeneratedcertificatesforSSL,youcanimportthemforuseby MacOSXServerservices.TheOpenSSLkeysandcertificatesmustbeinPEMformat. SelectaCAtosignyourcertificaterequest.Ifyoudon’thaveaCAtosignyourrequest, considerbecomingyourownCAandthenimportyourCAcertificatesintotheroot trustdatabaseofyourmanagedmachines. WhenyousetupMacOSXServer,theServerAssistantcreatesaself-signed certificatebasedoninformationyouprovidedwhenit’sfirstinstalled.Itcanbeused foranyservicethatsupportsSSL.Whenyourclientschoosetotrustthecertificate, SSLconnectionscanbeusedwithoutuserinteractionfromthatpointon. Thisinitialself-signedcertificateisusedbyServerAdminandServerPreferencesto encryptadministrativefunctions. CreatingaSelf-SignedCertificate Aself-signedcertificateisgeneratedatserversetup.Althoughitisavailableforuse, youmaywanttocustomizetheinformationinthecertificate,soyouwouldcreate anewself-signedcertificate.ThisisespeciallyimportantifyouplanonhavingaCA signyourcertificate. Whenyoucreateaself-signedcertificate,CertificateManagercreatesaprivate–public keypairintheSystemkeychainwiththekeysizespecified(512-2048bits).Itthen createsthecorrespondingself-signedcertificate. Ifyou’reusingaself-signedcertificate,considerusinganintermediatetrustforitand importthecertificateintotheSystemkeychainonallclientcomputers(ifyouhave controlofthecomputers).Formoreinformationaboutusingintermediatetrust,see “AboutIntermediateTrust”onpage165. Tocreateaself-signedcertificate: 1 InServerAdmin,selecttheserverthathasservicesthatsupportSSL. 2 ClickCertificates. 3 ClicktheAdd(+)buttonandchooseCreateaCertificateIdentity. CertificateAssistantlaunches,populatedwithinformationneededtogeneratethe certificate. 4 Ifyouoverridethedefaults,choose“Letmeoverridedefaults”andfollowtheonscreen instructions. 5 Whenfinished,clickContinue. 6 ConfirmthecertificatecreationbyclickingContinue. TheCertificateAssistantgeneratesakeypairandcertificate.CertificateManager encryptsthefileswitharandompassphrase,putsthepassphraseintheSystem keychain,andputstheresultingPEMfilesin/etc/certificates/. Chapter9ManagingCertificates 169 StoringthePrivateKey Theprivatekeyshouldbegeneratedonacomputerthatisnotconnectedtoyour internalnetwork.Foraddedsecurity,youcanstorethekeychaincontainingtheprivate keyonUSBstoragesoyoucankeeptheCAprivatekeyunavailablewhenconnectedto thenetwork. RequestingaCertificatefromaCA CertificateManagerhelpsyoucreateaCSRtosendtoyourdesignatedCA. YouneedacertificatefortheCAtosign.Youcanusetheonethatwasgeneratedat serversetup,butmorelikelyyouwillwanttogenerateonethathasallthedetails theCArequiresbeforesigning.Ifyouneedtogenerateacertificatebeforegettingit signed,see“CreatingaSelf-SignedCertificate”onpage169. Torequestasignedcertificate: 1 InServerAdmin,selecttheserverthathasservicesthatsupportSSL. 2 ClickCertificates. 3 Selectthecertificateyouwantsigned. 4 ClicktheActionbuttonbelowthecertificateslistandchoose“GenerateCertificate SigningRequest(CSR).” 5 CertificatemanagercreatesthesigningrequestandshowstheASCIItextversionin thesheet. 6 ClickSavetosavetheCSRtothedisk. YourCAwillhaveinstructionsonhowtotransfertheCSRtothesigner.SomeCAs requireyoutouseawebinterface;othersrequiresendingtheCSRinthebodyof amailmessage.FollowtheinstructionsgivenbytheCA. TheCAwillreturnanewlysignedcertificate,whichreplacestheoneyougenerated. Forinstructionsonwhattodonowwithyournewlysignedcertificate,see“Replacing anExistingCertificate”onpage175. CreatingaCA Tosignanotheruser’scertificate,youmustcreateaCA.SometimesaCAcertificate isreferredtoasarootoranchorcertificate.Bysigningacertificatewiththeroot certificate,youbecomethetrustedthirdpartyinthatcertificate’stransactions, vouchingfortheidentityofthecertificateholder. Ifyouarealargeorganization,youmightdecidetoissueorsigncertificatesfor peopleinyourorganizationtousethesecuritybenefitsofcertificates.However, externalorganizationsmightnottrustorrecognizeyoursigningauthority. 170 Chapter9ManagingCertificates TocreateaCA: 1 StartKeychainAccess. KeychainAccessisfoundinthe/Applications/Utilities/directory. 2 IntheKeychainAccessmenu,selectCertificateAssistant>CreateaCertificate Authority. TheCertificateAssistantstarts.ItwillguideyouthroughtheprocessofmakingtheCA. 3 ChoosetocreateaSelfSignedRootCA. 4 ProvidetheCertificateAssistantwiththerequestedinformationandclickContinue. YouneedthefollowinginformationtocreateaCA:  Anemailaddress  Thenameoftheissuingauthority(youoryourorganization) YoualsodecideifyouwanttooverridethedefaultsandwhethertomakethisCAthe organization’sdefaultCA.IfyoudonothaveadefaultCAfortheorganization,allow theCertificateAssistanttomakethisCAthedefault. Inmostcircumstances,donotoverridethedefaults.Ifyoudonotoverridethedefaults, skiptostep16. 5 Ifyouoverridethedefaults,providethefollowinginformationinthenextfewscreens:     Auniqueserialnumberfortherootcertificate ThenumberofdaystheCAfunctionsbeforeexpiring ThetypeofusercertificatethisCAissigning WhethertocreateaCAwebsiteforuserstoaccessforCAcertificatedistribution 6 ClickContinue. 7 ProvidetheCertificateAssistantwiththerequestedinformationandclickContinue. YouneedthefollowinginformationtocreateaCA:      Anemailaddressoftheresponsiblepartyforcertificates Thenameoftheissuingauthority(youoryourorganization) Theorganizationname Theorganizationunitname Thelocationoftheissuingauthority 8 SelectakeysizeandanencryptionalgorithmfortheCAcertificate,andthenclick Continue. Alargerkeysizeismorecomputationallyintensivetouse,butmuchmoresecure.The algorithmyouchoosedependsmoreonyourorganizationalneedsthanatechnical consideration. DSAandRSAarestrongencryptionalgorithms.DSAisaUnitedStatesFederal Governmentstandardfordigitalsignatures. Chapter9ManagingCertificates 171 9 Selectakeysizeandanencryptionalgorithmforthecertificatestobesigned,and thenclickContinue. 10 SelecttheKeyUsageExtensionsyouneedfortheCAcertificate,andthenclick Continue. Ataminimum,youmustselectSignatureandCertificateSigning. 11 SelecttheKeyUsageExtensionsyouneedforthecertificatestobesigned,andthen clickContinue. DefaultkeyuseselectionsarebasedonthetypeofkeyselectedearlierintheAssistant. 12 SpecifyotherextensionstoaddtheCAcertificateandclickContinue. 13 Selectthekeychain“System”tostoretheCAcertificate. 14 ChoosetotrustcertificatesonthiscomputersignedbythecreatedCA. 15 ClickContinueandauthenticateasanadministratortocreatethecertificateand keypair. 16 ReadandfollowtheinstructionsonthelastpageoftheCertificateAssistant. Youcannowissuecertificatestotrustedparties. ImportingaCertificateIdentity YoucanimportapreviouslygeneratedOpenSSLcertificateandprivatekeyinto CertificateManager.Theitemsarelistedasavailableinthelistofidentitiesandare availabletoSSL-enabledservices. TheOpenSSLkeysandcertificatesmustbeinPEMformat. ToimportanexistingOpenSSLstylecertificate: 1 InServerAdmin,selecttheserverthathasservicesthatsupportSSL. 2 ClickCertificates. 3 ClicktheAdd(+)buttonandchooseImportaCertificateIdentity. 4 DragthePEMfilecontainingtheprivatekeytothesheet. 5 DragthePEMfilecontainingthepubliccertificatetothesheet. 6 Ifneeded,dragassociatednonidentitycertificatestothesheetaswell. 7 ClicktheImportbutton. Ifprompted,entertheprivatekeypassphrase. 172 Chapter9ManagingCertificates ManagingCertificates Afteryoucreateandsignacertificate,youwon’tdomuchmorewithit.Because certificatescannotbeedited,youcandelete,replace,orrevokecertificatesafterthey arecreated.YoucannotchangecertificatesafteraCAsignsthem. Iftheinformationacertificatepossesses(suchascontactinformation)isnolonger accurate,orifyoubelievetheprivatekeyiscompromised,deletethecertificate. IfyouhavepreviouslygeneratedcertificatesforSSL,youcanimportthemforuseby services.TheOpenSSLkeysandcertificatesmustbeinPEMformat. IfyouchosecustomlocationsforyourSSLcertificateswithSnowLeopardServer,you mustimportthemintoCertificateManagerifyouwantthemtobeavailablefor services. Customfilesystemlocationsforcertificatescannotbemanagedforservicesusing ServerAdminforSnowLeopardServer.Tousecustomfilelocations,editthe configurationfilesdirectly. WhencertificatesandkeysareimportedviaCertificateManager,theyareputinthe/ etc/certificates/directory.ThedirectorycontainsfourPEMformattedfilesforevery identity:     Thecertificate Thepublickey Thetrustchain Theconcatenatedversionofthecertificateplusthetrustchain(forusewithsome services) Eachfilehasthefollowingnamingconvention: <commonname>.<SHA1hashofthecertificate>.<cert|chain|concat|key>.pem Forexample,thecertificateforawebserveratexample.commightlooklikethis: www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem Afterthecertificatesareimported,CertificateManagerencryptsthefileswitharandom passphrase.ItputsthepassphraseintheSystemkeychain,andputstheresultingPEM filesin/etc/certificates/. EditingaCertificate Afteryouaddacertificatesignature,youcan’teditthecertificate.Youmustreplaceit withonegeneratedfromthesameprivatekey. Forinstructionsonhowtodothis,see“ReplacinganExistingCertificate”onpage175. Chapter9ManagingCertificates 173 DistributingaCAPublicCertificatetoClients Ifyou’reusingself-signedcertificates,awarningappearsinmostuserapplications sayingthattheCAisnotrecognized.Othersoftware,suchastheLDAPclient,refuses touseSSLiftheserver’sCAisunknown. MacOSXServershipsonlywithcertificatesfromwell-knowncommercialCAs.To preventthiswarning,yourCAcertificatemustbedistributedtoeveryclientcomputer thatconnectstothesecureserver. Todistributeyourcertificatetoyourclients: 1 Copytheself-signedCAcertificate(thefilenamedca.crt)ontoeachclientcomputer. Considerusingnonrewritablemedia,suchasaCD-R.Usingnonrewritablemedia preventsthecertificatefrombeingcorrupted. 2 OpentheKeychainAccesstoolbydouble-clickingtheca.crticonwherethecertificate wascopiedontotheclientcomputer. 3 DragthecertificatetotheSystemkeychainusingKeychainAccess. 4 Authenticateasanadministrator,ifrequested. 5 Double-clickthecertificatetogetthecertificatedetails. 6 Inthedetailswindow,clicktheTrustdisclosuretriangle. 7 Fromthepop-upmenunextto“Whenusingthiscertificate,”select“AlwaysTrust.” Youhavenowaddedtrusttothiscertificate,regardlessofwhoitissignedby. Fromthecommandline: # ------------------------------------------------------------------# Adding the security tool edit trust settings # ------------------------------------------------------------------# Where <certificate> is the local file path to the certificate. # sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/ System.keychain <certificate> DeletingaCertificate Whenacertificatehasexpiredorbeencompromised,youmustdeleteit. Todeleteacertificate: 1 InServerAdmin,selecttheserverthathasservicesthatsupportSSL. 2 ClickCertificates. 3 SelecttheCertificateIdentitytodelete. 4 ClicktheRemove(-)buttonandselectDelete. 174 Chapter9ManagingCertificates 5 ClickSave. RenewinganExpiringCertificate Certificateshaveanexpirationdateandmustberenewedperiodically.Renewinga certificateisthesameasreplacingacertificatewithanewlygeneratedonewithan updatedexpirationdate. Torenewanexpiringcertificate: 1 RequestacertificatefromtheCA. IfyouareyourownCA,createoneusingyourownrootcertificate. 2 InServerAdminintheServerlist,selecttheserverthathastheexpiringcertificate. 3 ClickCertificates. 4 SelecttheCertificateIdentitytorenew. 5 ClicktheActionbuttonandselect“ReplaceCertificatewithSignedorRenewed Certificate.” 6 Dragtherenewedcertificatetothesheet. 7 ClickReplaceCertificate. ReplacinganExistingCertificate IfyouchangetheDNSnameoftheserveroranyvirtualhostsontheserver,youmust replaceanexistingcertificatewithanupdatedone. Toreplaceanexpiringcertificate: 1 RequestacertificatefromtheCA. IfyouareyourownCA,createoneusingyourownrootcertificate. 2 InServerAdminintheServerlist,selecttheserverthathastheexpiringcertificate. 3 ClickCertificates. 4 SelecttheCertificateIdentitytoreplace. 5 ClicktheActionbuttonandselect“ReplaceCertificatewithSignedorRenewed Certificate.” 6 Dragthereplacementcertificatetothesheet. 7 ClickReplaceCertificate. Chapter9ManagingCertificates 175 10 SettingGeneralProtocolsand AccesstoServices 10 UsethischaptertolearnhowtouseServerAdminto configureaccesstoservicesandtosetgeneralprotocols. ServerAdminhelpsyouconfigureandmanageservers.Youcansetgeneralprotocols, nameorrenamecomputers,setthedateandtime,managecertificates,andsetuser accesstospecificservices. SettingGeneralProtocols SnowLeopardServerincludesbasicnetworkmanagementprotocols,including networktimeprotocol(NTP)andsimplenetworkmanagementprotocol(SNMP). Unlessthesearerequired,theyshouldbedisabled. DisablingNTPService NTPallowscomputersonanetworktosynchronizeDate&Timesettings.Client computersspecifytheirNTPserverintheDate&TimepanelofSystemPreferences. NTPclientaccessistypicallyrequired.Ifso,enableitonasingle,trustedserveronthe localnetwork.Thisserviceshouldbedisabledonallotherservers. Formoreinformationabouttheopensourceimplementation,seewww.ntp.org. TodisableNTPservice: 1 OpenServerAdminandconnecttotheserver. 2 ClickSettings,thenclickDate&Time. 3 UnlessNTPisnotrequired,makesureyourserverisconfiguredto“Setdate&time automatically.” 4 Fromthepop-upmenu,choosetheserveryouwanttoactasatimeserver. 5 ClickGeneral. 6 Deselectthe“NetworkTimeServer(NTP)”checkbox. 7 ClickSave. 176 Fromthecommandline: # --------------------------------------------------------------------# Setting General Protocols # --------------------------------------------------------------------# # Disable NTP Client access. # ----------sudo systemsetup -setusingnetworktime off # # Disable NTP service. #-----------sudo serveradmin settings info:ntpTimeServe = no DisablingSNMP SNMPsoftwareallowsothercomputerstomonitorandcollectdataonthestate ofacomputerrunningSnowLeopardServer.Thishelpsadministratorsidentify computersthatwarrantattention,butuseofthisserviceisnotrecommended. TodisableSNMP: 1 OpenServerAdminandconnecttotheserver. 2 ClickSettings. 3 ClickGeneral. 4 Deselect“NetworkManagementServer(SNMP).” 5 ClickSave. Fromthecommandline: # # Disable SNMP. # -----------sudo serveradmin settings info:enableSNMP = no # or alternatively. #sudo service org.net-snmp.snmpd stop Chapter10SettingGeneralProtocolsandAccesstoServices 177 EnablingSSH SnowLeopardServeralsoincludessecureshell(SSH).SSHallowsyoutologinto othercomputersonanetwork,executecommandsremotely,andmovefilesfromone computertoanother.Itprovidesstrongauthenticationandsecurecommunication, andisthereforerecommendedifremoteloginisrequired.Formoreinformation,see www.openssh.org. ToenableSSH: 1 OpenServerAdminandconnecttotheserver. 2 ClickSettings. 3 ClickGeneral. 4 Select“RemoteLogin(SSH).” 5 ClickSave. Fromthecommandline: # # Enable SSH. # ---------sudo service ssh start # or alternatively. # sudo serveradmin settings info:enableSSH = yes AboutRemoteManagement(ARD) YoucanuseARDtoperformremotemanagementtaskssuchasscreensharing.When sharingyourscreenprovideaccessonlytospecificuserstopreventunauthorized accesstoyourcomputerscreen.Youmustalsodeterminetheprivilegesuserswillhave whenviewingyourscreen. ARDisturnedoffbydefaultandshouldremainoffwhenitisnotbeingused.This preventsunauthorizedusersfromattemptingtoaccessyourcomputer. YoucanadministerARDusingabuilt-incommand-linetoolcalledkickstart.Youcan findmoreinformationaboutthetoolanditscapabilitiesbyusingitsbuilt-inhelp. Accessthehelpbyenteringthefollowingcommand: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -help FormoreinformationaboutARDanditsusesandcapabilities,seeAppleRemote DesktopAdministratorGuide. 178 Chapter10SettingGeneralProtocolsandAccesstoServices RemoteManagementBestPractices AnARDmanagerwithfullprivilegescanrunthesetasksastherootuser.Bylimiting theprivilegesthatanARDmanagerhas,youincreasesecurity.Whensettingprivileges, disableorlimitanadministrator’saccesstoanARDclient. YoucansetaVNCpasswordthatrequiresauthorizeduserstouseapasswordto accessyourcomputer.Themostsecurewayistorequireauthorizeduserstorequest permissiontoaccessyourcomputerscreen. RemoteManagmentcanactasastandardVNCserver,acceptingconnectionsfrom VNCclients.EnablingVNCaccessisnotrecommended. IfusersconnecttoyourcomputerusingVNC,requirethattheyuseapasswordby enabling“VNCviewermaycontrolscreenwithpassword.”UsePasswordAssistantto createastrongpasswordforVNCusers. LimitingRemoteManagementAccess Usersthathaveaccesstoscreencontrolandcommand-linecodeexecutionusing AppleRemoteDesktopeffectivelyhaverootuseraccessonthecomputer,eveniftheir useraccountisastandardaccount.Youshouldlimitwhatusersareallowedtodowith RemoteManagement. Changethedefaultsettingforremotemanagementfrom“Allusers”to“Onlythese users.”Thedefaultsetting“Allusers”includesallusersonyourlocalcomputerandall usersinthedirectoryserveryouareconnectedto. AnyaccountusingARDshouldhavelimitedprivilegestopreventremoteusersfrom havingfullcontrolofyourcomputer. YoucansecurelyconfigureARDbyrestrictingaccesstospecificusers.Youcanalso restricteachuser’sprivilegesbysettingARDoptions.Limittheuser’sprivilegesto theuser’spermissiononthecomputer.Forexample,youmightnotwanttogive astandardusertheabilitytochangeyoursettingsordeleteitems. ToLimitRemoteManagementAccess: 1 Ontheserver,openSystemPreferencesandclickSharing. Ifthepreferencepaneislocked,clickthelockandentertheusernameandpassword ofauserwithadministratorprivilegesonthecomputer. 2 SelectRemoteManagementintheSharingpane. 3 Select“Onlytheseusers,”clickAdd(+),selectusers,andclickSelect. 4 Selectauserinthelisttochangethatuser’sadministratorprivileges. 5 ClickOptions. 6 MakethechangestotheaccessprivilegesandthenclickOK. Chapter10SettingGeneralProtocolsandAccesstoServices 179 Yourchangestakeeffectimmediately. YoucanholddowntheOptionkeywhileclickinganaccessprivilegecheckbox toautomaticallyselectallaccesscheckboxes. Formoreinformationabouttheprivilegeslist,see“AppleRemoteDesktop AdministratorAccess”intheseeAppleRemoteDesktopAdministratorGuide. 7 Ifyou’rechangingaccessforseveralusers,repeatthisforeachuser. Fromthecommandline: # # Remote Management (ARD) # ----------------------------# Limiting Remote Management Access # Repeat for each specified user. sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -activate -configure -access -on -users $ARD_USERNAME -privs <none|all|ControlObserve|DeleteFiles|ControlObserve|TextMessages|ShowO bserve|OpenQuitApps|GenerateReports|RestartShutDown|SendFiles|ChangeSe ttings|ObserveOnly> -restart # Specify the user sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -allowAccessFor -specifiedUsers $ARD_USERNAME DisablingRemoteManagementAccess YoucandisableRemoteManagementinseveraldifferentways.Youcan:  Disableaccessforallusers.  StoptheARDAgentprocesstemporarily.  Disabletheserviceentirely. YoumightwanttokeepthecomputerrunningasanARDTaskServerbutnotletusers controlitremotely.Insuchacase,youwoulddisableaccessfortheusers,butleavethe agentrunningandtheserviceintact. Ifyoustoptheagent,itrelaunchesatsystemrestart,soitdoesn’tremainpermanently disabled. Todisableaccessforallusers: 1 Ontheserver,openSystemPreferencesandclickSharing. Ifthepreferencepaneislocked,clickthelockandentertheusernameandpassword ofauserwithadministratorprivilegesonthecomputer. 2 SelectRemoteManagementintheSharingpane. 3 Selectauserfromthe“Onlytheseusers”list. 180 Chapter10SettingGeneralProtocolsandAccesstoServices 4 ClickRemove(-). 5 Repeatforeachuser. TostoptheAgentprocess: 1 OpenTerminal.app. 2 Enterthefollowingcommand: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -agent -stop Todisabletheservice: 1 OpenServerAdminandconnecttotheserver. 2 ClickSettings. 3 ClickGeneral. 4 Deselect“RemoteManagement.” 5 ClickSave. Fromthecommandline: # ## Disable Remote Management # --------------------------# To remove user access: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -activate -configure -access -off # To stop the ARD agent: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -agent -stop # To disable the service: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/\ Resources/kickstart -deactivate -stop #or alternatively. # sudo serveradmin settings info:enableARD = no RemoteAppleEvents(RAE) IfyouenableRemoteAppleEvents(RAE),youallowyourcomputertorespondto eventssentbyothercomputersonyournetwork.TheseeventsincludeAppleScript programs.AmaliciousAppleScriptprogramcandothingslikedeleteyour ~/Documents/folder. RAEisturnedoffbydefaultandshouldremainoffwhenitisnotused.Thisprevents unauthorizedusersfromaccessingyourcomputer. Chapter10SettingGeneralProtocolsandAccesstoServices 181 Fromthecommandline: # # Remote Apple Events (RAE) # ----------------------------# Disable Remote Apple Events. sudo launchctl unload -w /System/Library/LaunchDaemons/eppc.plist RestrictingAccesstoSpecificUsers AvoidenablingRAE.IfyouenableRAE,dosoonatrustedprivatenetworkanddisable itimmediatelyafterdisconnectingfromthenetwork.Changethedefaultsettingfor RAEfrom“Allusers”to“Onlytheseusers.”Thedefaultsetting“Allusers”includesall usersonyourlocalcomputerandallusersinthedirectoryserveryouareconnectedto. WhensecurelyconfiguringRAE,restrictremoteeventstoonlybeacceptedfrom specificusers.Thispreventsunauthorizedusersfromsendingmaliciouseventsto yourcomputer.Ifyoucreateasharinguseraccount,createastrongpasswordusing PasswordAssistant.AvoidacceptingeventsfromMacOS9computers.Ifyouneed toacceptMacOS9events,usePasswordAssistanttocreateastrongpassword. SettingtheServer’sHostName YoucanchangeyourcomputernameandlocalhostnameinServerAdmin.When otherusersuseBonjourtodiscoveryouravailableservices,theserverisdisplayedas hostname.local. Toincreaseyourprivacy,changethehostnameofyourcomputersoyourcomputer cannotbeeasilyidentified.Thenameshouldnotindicatethepurposeofthecomputer, andtheword“server”shouldnotbeusedasthenameorpartofthename. SettingtheDateandTime Correctdateandtimesettingsarerequiredforauthenticationprotocols,likeKerberos. Incorrectdateandtimesettingscancausesecurityissues.YoucanuseServerAdmin toconfigureyourcomputertosetthedateandtimebasedonanNTPserver.Ifyou requireautomaticdateandtime,useatrusted,internalNTPserver. 182 Chapter10SettingGeneralProtocolsandAccesstoServices SettingUpCertificates CertificateManagerisintegratedintoServerAdmintohelpyoucreate,use,and maintainidentitiesforSSL-enabledservices.CertificateManagerprovidesintegrated managementofSSLcertificatesinSnowLeopardServerforservicesthatallowthe useofSSLcertificates. Formoreinformationaboutsettingupcertificates,see“CertificateManagerinServer Admin”onpage167. SettingServiceAccessControlLists(SACLs) YouuseaServiceAccessControlList(SACL)toenforcewhocanuseaspecificservice. Itisnotameansofauthentication.Itisalistofthosewhohaveaccessrightstouse theservice. SACLsallowyoutoaddalayerofaccesscontrolontopofstandardandACL permissions. Auserorgroupnotinaservice’sSACLcannotaccesstheservice.Forexample,to preventusersfromaccessingAFPsharepointsonaserver,includinghomefolders, removetheusersfromtheAFPservice’sSACL. ServerAdmininSnowLeopardServerallowsyoutoconfigureSACLs.OpenDirectory authenticatesuseraccounts,andSACLsauthorizeuseofservices.IfOpenDirectory authenticatesyou,theSACLfortheloginwindowdetermineswhetheryoucanlogin, theSACLforAFPservicedetermineswhetheryoucanconnectforApplefileservice, andsoon. Someservicesalsodeterminewhetherauserisauthorizedtoaccessspecificresources. Thisauthorizationcanrequireretrievingadditionaluseraccountinformationfromthe directorydomain.Forexample,AFPserviceneedstheuserIDandgroupmembership informationtodeterminewhichfoldersandfilestheuserisauthorizedtoreadand writeto. TosetSACLpermissionsforaservice: 1 OpenServerAdminandconnecttotheserver. 2 ClickAccess. 3 ClickServices 4 Torestrictaccesstoallservicesortodeselectthisoptiontosetaccesspermissionsper service,select“Forallservices.” 5 Ifyoudeselect“Forallservices,”selectaservicefromtheServicelist. 6 Toprovideunrestrictedaccesstoservices,click“Allowallusersandgroups.” Toprovideaccesstospecificusersandgroups: Chapter10SettingGeneralProtocolsandAccesstoServices 183 a Select“Allowonlyusersandgroupsbelow.” b ClicktheAdd(+)buttontoopentheUsers&Groupsdrawer. c DragusersandgroupsfromtheUsers&Groupsdrawertothelist. 7 ClickSave. Youcanlimitaccesstocommand-linetoolsthatmightrunservicesbylimitingthe useofthesudocommand.Formoreinformation,see“ManagingthesudoersFile”on page361. Fromthecommandline: # Set SACL permissions for a service. # ---------------------------------sudo dseditgroup -o edit -a $USER -t user $SACL_GROUP 184 Chapter10SettingGeneralProtocolsandAccesstoServices 11 SecuringRemoteAccessServices 11 UsethischaptertolearnhowtosecureRemoteAccess services. Manyorganizationshaveindividualswhoneedtoconnecttonetworkresources remotely.Thiscancreateadditionalvulnerabilitiesunlessyourremoteaccessservices aresecurelyconfigured. SnowLeopardServerallowsremoteaccessusingremoteloginandVPNservices. Theseservicesshouldbedisabledunlesstheyarerequired. RemoteAccessservicesviaremoteloginconsistsoftwocomponentseachusingthe SecureShell(SSH)servicetoestablishanencryptedtunnelbetweenclientandserver. “SecuringRemoteSSHLogin”onpage185discussessecuringtheservercomponent, while“ConfiguringSSH”onpage186discussessecuringtheclientcomponent. Foradditionalinformationaboutconfiguringremoteaccessservices,seetheNetwork ServicesAdministrationguide. SecuringRemoteSSHLogin RemoteLoginallowsuserstoconnecttoyourcomputerthroughSSH.Byenabling RemoteLogin,youactivatemoresecureversionsofcommonlyusedinsecuretools. BeawareofthefollowingSSHtools:  sshd:Daemonthatactsasaservertoallothercommands  ssh:Primaryusertoolforremoteshellandport-forwardingsessions  scp:Securecopy,atoolforautomatedfiletransfers  sftp:SecureFTP,areplacementforFTP 185 ThefollowingtableliststoolsenabledwithRemoteLoginandtheirinsecure counterparts. SecureRemoteLoginTool InsecureTool ssh telnet slogin login scp rcp sftp ftp SSHcreatesasecureencryptedchannelthatprotectscommunicationwithyour computers.Donotuseolderservicesthatdonotencrypttheircommunications, suchasTelnetorRSH—theyallownetworkeavesdropperstointerceptpasswords orotherdata. Unlessyoumustremotelylogintothecomputeroruseanotherprogramthat dependsonSSH,disabletheremoteloginservice.However,ServerAdminrequires SSH.Ifyoudisableremotelogin,youcannotuseServerAdmintoremotelyadminister theserver. Todisableremotelogin: 1 OpenSystemPreferences. 2 ClickSharing. 3 IntheServicelist,deselectRemoteLogin. ConfiguringSSH SSHletsyousendsecure,encryptedcommandstoaremotecomputer,asifyou weresittingatthecomputer.UsethesshtoolinTerminaltoopenacommand-line connectiontoaremotecomputer.Whiletheconnectionisopen,commandsyou enterareperformedontheremotecomputer. Note:YoucanuseanyapplicationthatsupportsSSHtoconnecttoacomputerrunning SnowLeopardorSnowLeopardServer. SSHworksbysettingupencryptedtunnelsusingpublicandprivatekeys.Hereis adescriptionofanSSHsession: 1 Thelocalandremotecomputersexchangetheirpublickeys. Ifthelocalcomputerhasneverencounteredagivenpublickeybefore,SSHprompts youwhethertoaccepttheunknownkey. 2 Thetwocomputersusethepublickeystonegotiateasessionkeythatisusedto encryptsubsequentsessiondata. 186 Chapter11SecuringRemoteAccessServices 3 TheremotecomputerattemptstoauthenticatethelocalcomputerusingRSAorDSA certificates.Ifthisisnotpossible,thelocalcomputerispromptedforastandardusername/passwordcombination. Forinformationaboutsettingupcertificateauthentication,see“GeneratingKeyPairs forKey-BasedSSHConnections”onpage187. 4 Aftersuccessfulauthentication,thesessionbegins.Eitheraremoteshell,asecurefile transfer,aremotecommand,orsoon,beginsthroughtheencryptedtunnel. ModifyingtheSSHConfigurationFile MakingchangestotheSSHconfigurationfileenablesyoutosetoptionsforeachssh connection.Youcanmakethesechangessystemwideorforspecificusers.Tomakethe changesystemwide,changetheoptionsinthe/etc/ssh_configfile,whichaffectsssh usersonthecomputer.Tomakethechangeforasingleuser,changetheoptionsinthe username/.ssh/configfile. Thesshconfigurationfilehasconnectionoptionsandotherspecificationsforanssh host.AhostisspecifiedbytheHostdeclaration.Bydefault,theHostdeclarationisan asterisk(*),indicatingthatanyhostyouareconnectingtowillusetheoptionslisted belowtheHostdeclaration. YoucanaddaspecifichostandoptionsforthathostbyaddinganewHostdeclaration. ThenewHostdeclarationwillspecifyanameoraddressinplaceoftheasterisk.You canthensettheconnectionoptionforthehostbelowtheHostdeclaration.Thishelps secureyursshsessionsinenvironmentswithvaryingsecuritylevels. Forexample,ifyouareconnectingtoaserverusingsshthroughtheInternet,the servermightrequireamoresecureorstricterconnection.However,ifyouarein amoresecureenvironment,suchasyourownpersonalnetwork,youcannotrequire thesamestrictconnectionoptions. Formoreinformationaboutsshconfigurationfileoptions,seethesshmanpages. ToenableSSH,see“EnablingSSH”onpage178. GeneratingKeyPairsforKey-BasedSSHConnections Bydefault,SSHsupportstheuseofpassword,key,andKerberosauthentication.The standardmethodofSSHauthenticationistosupplylogincredentialsintheformof ausernameandpassword.Identitykeypairauthenticationenablesyoutologinto theserverwithoutsupplyingapassword. Thisprocessworksasfollows: 1 Aprivateandapublickeyaregenerated,eachassociatedwithausernametoestablish thatuser’sauthenticity. 2 Whenyouattempttologinasthatuser,theusernameissenttotheremotecomputer. Chapter11SecuringRemoteAccessServices 187 3 Theremotecomputerlooksintheuser’s.ssh/folderfortheuser’spublickey. ThisfolderiscreatedafterusingSSHthefirsttime. 4 Achallengeisthensenttotheuserbasedonhisorherpublickey. 5 Theuserverifieshisorheridentitybyusingtheprivateportionofthekeypairto decodethechallenge. 6 Afterthechallengeisdecoded,theuserisloggedinwithouttheneedforapassword. Thisisespeciallyusefulwhenautomatingremotescripts. Key-basedauthenticationrequirespossessionoftheprivatekeyinsteadofapassword tologin.Aprivatekeyismuchhardertoguessthanapassword.However,ifthehome folderwheretheprivatekeyisstorediscompromised—assumingtheprivatekeyisnot protectedbyapassword—thenthisprivatekeycanbeusedtologintoothersystems. Passwordauthenticationcanbecompromisedwithoutneedingaprivatekeyfile. IftheserverusesFileVaulttoencryptthehomefolderoftheuseryouwanttouseSSH toconnectas,youmustbeloggedinontheservertouseSSH.Alternatively,youcan storethekeysfortheuserinalocationthatisnotprotectedbyFileVault.However,this isnotsecure. Togeneratetheidentitykeypair: 1 Enterthefollowingcommandonthelocalcomputer. ssh-keygen -t dsa 2 Whenprompted,enterafilenametosavethekeysintheuser’sfolder. 3 Enterapasswordfollowedbypasswordverification(emptyfornopassword). Forexample: Generating public/private dsa key pair. Enter file in which to save the key (/Users/anne/.ssh/id_dsa): frog Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in frog. Your public key has been saved in frog.pub. The key fingerprint is: 4a:5c:6e:9f:3e:35:8b:e5:c9:5a:ac:00:e6:b8:d7:96 [email protected] Thiscreatestwofiles.Youridentificationorprivatekeyissavedinonefile(froginour example)andyourpublickeyissavedintheother(frog.pubinourexample).Thekey fingerprint,derivedcryptographicallyfromthepublickeyvalue,isalsodisplayed.This securesthepublickey,makingitcomputationallyinfeasibleforduplication. Note:ThelocationoftheserverSSHkeyis/etc/ssh_host_key.pub.Backupyourkeyin caseyouneedtoreinstallyourserversoftware.Ifyourserversoftwareisreinstalled,you canretaintheserveridentitybyputtingthekeybackinitsfolder. 188 Chapter11SecuringRemoteAccessServices 4 Copytheresultantpublicfile,whichcontainsthelocalcomputer’spublickey,tothe .ssh/folderintheuser’shomefolderontheremotecomputer. Thenexttimeyoulogintotheremotecomputerfromthelocalcomputer,youwon’t needtoenterapassword(unlessyouenteredoneinStep3above). Note:IfyouareusinganOpenDirectoryuseraccountandhaveloggedinusingthe account,youdonotneedtosupplyapasswordforSSHlogin.OnSnowLeopardServer computers,SSHusesKerberosforsinglesign-onauthenticationwithanyuseraccount thathasanOpenDirectorypassword(butKerberosmustberunningontheOpen Directoryserver).FormoreinformationseetheOpenDirectoryAdministration. UpdatingSSHKeyFingerprints ThefirsttimeyouconnecttoaremotecomputerusingSSH,thelocalcomputer promptsforpermissiontoaddtheremotecomputer’sfingerprint(orencrypted publickey)toalistofknownremotecomputers.Youmightseeamessagelikethis: The authenticity of host "server1.example.com" can’t be established. RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7. Are you sure you want to continue connecting (yes/no)? Thefirsttimeyouconnect,youhavenowayofknowingwhetherthisisthecorrect hostkey.Whenyourespond“yes,”thehostkeyistheninsertedintothe~/.ssh/ known_hostsfilesoitcanbecomparedinlatersessions.Besurethisisthecorrect keybeforeacceptingit.Ifatallpossible,provideuserswiththeencryptionkey throughFTP,mail,oradownloadfromtheweb,sotheycanverifytheidentityof theserver. Ifyoulaterseeawarningmessageaboutaman-in-the-middleattackwhenyoutryto connect,thekeyontheremotecomputermightnolongermatchthekeystoredon thelocalcomputer.Thiscanhappenifyou:  ChangeyourSSHconfigurationonthelocalorremotecomputer.  Performacleaninstallationoftheserversoftwareonthecomputeryouare attemptingtologintousingSSH.  StartupfromaSnowLeopardServerCDonthecomputeryouareattemptingtolog intousingSSH.  AttempttouseSSHtologintoacomputerthathasthesameIPaddressasa computerthatyoupreviouslyusedSSHwithonanothernetwork. Toconnectagain,deletetheentriescorrespondingtotheremotecomputeryouare accessing(whichcanbestoredbybothnameandIPaddress)in~/.ssh/known_hosts. Important:Removinganentryfromtheknown_hostsfilebypassesasecurity mechanismthathelpsyouavoidimpostersandman-in-the-middleattacks.Besureyou understandwhythekeyontheremotecomputerhaschangedbeforeyoudeleteits entryfromtheknown_hostsfile. Chapter11SecuringRemoteAccessServices 189 ControllingAccesstoSSH YoucanuseServerAdmintocontrolwhichuserscanopenacommand-line connectionusingthesshtoolinTerminal.Userswithadministratorprivileges arealwaysallowedtoopenaconnectionusingSSH.Thesshtoolusesthe SSHservice. Forinformationaboutrestrictinguseraccesstoservices,see“SettingServiceAccess ControlLists(SACLs)”onpage183. SSHMan-in-the-MiddleAttacks Anattackermightbeabletoaccessyournetworkandcompromiserouting information,sothatpacketsintendedforaremotecomputerareroutedtothe attackerwhoimpersonatestheremotecomputertothelocalcomputerand thelocalcomputertotheremotecomputer. Here’satypicalscenario:AuserconnectstotheremotecomputerusingSSH.Bymeans ofspoofingtechniques,theattackerposesastheremotecomputerandreceivesthe informationfromthelocalcomputer.Theattackerthenrelaystheinformationtothe intendedremotecomputer,receivesaresponse,andthenrelaystheremotecomputer’s responsetothelocalcomputer.Throughouttheprocess,theattackerisawareof informationthatgoesbackandforth,andcanmodifyit. Thefollowingmessagecanindicateaman-in-the-middleattackwhenconnectingto theremotecomputerusingSSH. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Protectagainstthistypeofattackbyverifyingthatthehostkeysentbackisthe correcthostkeyforthecomputeryouaretryingtoreach.Bewatchfulforthewarning message,andalertyouruserstoitsmeaning. 190 Chapter11SecuringRemoteAccessServices TransferringFilesUsingSFTP SFTPisasecureFTPprotocolthatusesSSHtotransferfiles.SFTPencryptscommands anddata,preventingpasswordsandsensitiveinformationfrombeingtransmittedover thenetwork.AlwaysuseSFTPinsteadofFTP. TotransferafileusingSFTP: 1 OpenTerminal. 2 StarttheSFTPsession. sftp username@hostname ReplaceusernamewithyourusernameandhostnamewiththeIPaddressorhostname oftheserveryouareconnectingto. 3 Enteryourpasswordwhenprompted. Youarenowconnectedsecurelytotheserver. 4 UsetheSFTPcommandstotransferfilesfromtheprompt. sftp> Usetheputcommandtotransferafilefromthelocalcomputertotheremote computer.Usethegetcommandtotransferafilefromtheremotecomputerto thelocalcomputer. 5 Enterthefollowingtotransferapicturefilefromtheremotecomputertothelocal computer. sftp> get picture.png /users/annejohnson picture.png 6 TodisconnectandendtheSFTPsession,enterexitattheprompt. SecuringVPNService ByconfiguringaVirtualPrivateNetwork(VPN)onyourserver,youcangiveusers amoresecurewayofremotelycommunicatingwithcomputersonyournetwork. AVPNconsistsofcomputersornetworks(nodes)connectedbyaprivatelinkof encrypteddata.Thislinksimulatesalocalconnection,asiftheremotecomputerwere attachedtotheLAN. VPNssecurelyconnectusersworkingawayfromtheoffice(forexample,athome)to theLANthroughaconnectionsuchastheInternet.Fromtheuser’sperspective,the VPNconnectionappearsasadedicatedprivatelink. VPNtechnologycanalsoconnectanorganizationtobranchofficesovertheInternet whilemaintainingsecurecommunications.TheVPNconnectionacrosstheInternetacts asaWANlinkbetweenthesites. Chapter11SecuringRemoteAccessServices 191 VPNshaveseveraladvantagesfororganizationswhosecomputerresourcesare physicallyseparated.Forexample,eachremoteuserornodeusesthenetwork resourcesofitsInternetServiceProvider(ISP)ratherthanhavingadirect,wiredlink tothemainlocation. VPNandSecurity VPNsincreasesecuritybyrequiringstrongauthenticationofidentityandencrypted datatransportbetweenthenodesfordataprivacyanddependability.Thefollowing sectionscontaininformationaboutsupportedtransportsandauthenticationmethods. TransportProtocols Therearetwoencryptedtransportprotocols:LayerTwoTunnelingProtocol,Secure InternetProtocol(L2TP/IPSec)andPoint–to–PointTunnelingProtocol(PPTP).Youcan enableeitherorbothoftheseprotocols.Eachhasitsownstrengthsandrequirements. L2TP/IPSec L2TP/IPSecusesstrongIPSecencryptiontotunneldatatoandfromnetworknodes. ItisbasedonCisco’sL2Fprotocol. IPSecrequiressecuritycertificates(self-signedorsignedbyaCAsuchasVerisign)or apredefinedsharedsecretbetweenconnectingnodes. Thesharedsecretmustbeenteredontheserverandtheclient. Thesharedsecretisnotapasswordforauthentication,nordoesitgenerateencryption keystoestablishsecuretunnelsbetweennodes.Itisatokenthatthekeymanagement systemsusetotrusteachother. L2TPisSnowLeopardServer’spreferredVPNprotocolbecauseithassuperiortransport encryptionandcanbeauthenticatedusingKerberos. PPTP PPTPisacommonlyusedWindowsstandardVPNprotocol.PPTPoffersgood encryption(ifstrongpasswordsareused)andsupportsanumberofauthentication schemes.Itusestheuser-providedpasswordtoproduceanencryptionkey. Bydefault,PPTPsupports128-bit(strong)encryption.PPTPalsosupportsthe40-bit (weak)securityencryption. PPTPisnecessaryifyouhaveWindowsclientswithversionsearlierthanWindowsXP orifyouhaveMacOSXv10.2clientsorearlier. 192 Chapter11SecuringRemoteAccessServices ConfiguringL2TP/IPSecSettings UseServerAdmintodesignateL2TPasthetransportprotocol.Ifyouenablethis protocol,youmustalsoconfigureconnectionsettings.Youmustdesignatean IPSecsharedsecret(ifyoudon’tuseasignedsecuritycertificate),theIPaddress allocationrangetobegiventoyourclients,andthegroupthatwillusetheVPN service(ifneeded).IfyouuseL2TPandPPTP,provideeachprotocolwithaseparate, nonoverlappingaddressrange. WhenconfiguringVPN,makesurethefirewallallowsVPNtrafficonneededportswith thefollowingsettings:  Forthe“any”addressgroup,enableGRE,ESP,VPNL2TP(port1701),andVPNISAKMP/ IKE(port500).  Forthe“192.168-net”addressgroup,choosetoallowalltraffic. ToconfigureL2TPsettings: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofserversappears. 3 FromtheexpandedServerslist,selectVPN. 4 ClickSettings,thenclickL2TP. 5 Selectthe“EnableL2TPoverIPSec”checkbox. 6 Inthe“StartingIPaddress”field,setthebeginningIPaddressoftheVPNallocation range. Itcan’toverlaptheDHCPallocationrange,soenter192.168.0.128. 7 Inthe“EndingIPaddress”field,settheendingIPaddressoftheVPNallocationrange. Itcan’toverlaptheDHCPallocationrange,soenter192.168.0.255. 8 (Optional)Toload-balancetheVPN,selecttheEnableLoadBalancingcheckboxand enteranIPaddressintheClusterIPaddressfield. 9 ChooseaPPPauthenticationtype. IfyouchooseDirectoryServiceandyourcomputerisboundtoaKerberos authenticationserver,fromtheAuthenticationpop-upmenuselectKerberos. Otherwise,chooseMS-CHAPv2. IfyouchooseRADIUS,enterthefollowinginformation: PrimaryIPAddress:EntertheIPaddressoftheprimaryRADIUSserver. SharedSecret:EnterasharedsecretfortheprimaryRADIUSserver. SecondaryIPAddress:EntertheIPaddressofthesecondaryRADIUSserver. SharedSecret:EnterasharedsecretforthesecondaryRADIUSserver. Chapter11SecuringRemoteAccessServices 193 10 IntheIPSecAuthenticationsection,enterthesharedsecretorselectthecertificate touse. Thesharedsecretisacommonpasswordthatauthenticatesmembersofthecluster. IPSecusesthesharedsecretasapresharedkeytoestablishsecuretunnelsbetween clusternodes. 11 ClickSave. ConfiguringPPTPSettings UseServerAdmintodesignatePPTPasthetransportprotocol. Ifyouenablethisprotocol,youmustalsoconfigureconnectionsettings.Youshould designateanencryptionkeylength(40-bitor128-bit),theIPaddressallocationrange tobegiventoyourclients,andthegroupthatwillusetheVPNservice(ifneeded). IfyouuseL2TPandPPTP,providetheprotocolswithaseparate,nonoverlapping addressrange. WhenconfiguringVPN,makesurethefirewallallowsVPNtrafficonneededportswith thefollowingsettings:  Forthe“any”addressgroup,enableGRE,ESP,VPNL2TP(port1701),andIKE(port 500).  Forthe“192.168-net”addressgroup,choosetoallowalltraffic. ToconfigurePPTPsettings: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofserversappears. 3 FromtheexpandedServerslist,selectVPN. 4 ClickSettings,thenclickPPTP. 5 Select“EnablePPTP.” 6 Ifneeded,select“Allow40-bitencryptionkeysinadditionto128-bit”topermit40-bit and128-bitkeyencryptionaccesstoVPN. WARNING:40-bitencryptionkeysaremuchlesssecurebutcanbenecessaryfor someVPNclientapplications. 7 Inthe“StartingIPaddress”field,setthebeginningIPaddressoftheVPNallocation range. Itcan’toverlaptheDHCPallocationrange,soenter192.168.0.128. 194 Chapter11SecuringRemoteAccessServices 8 Inthe“EndingIPaddress”field,settheendingIPaddressoftheVPNallocationrange. Itcan’toverlaptheDHCPallocationrange,soenter192.168.0.255. 9 ChooseaPPPauthenticationtype. IfyouchooseDirectoryServiceandyourcomputerisboundtoaKerberos authenticationserver,fromtheAuthenticationpop-upmenuselectKerberos. Otherwise,chooseMS-CHAPv2. IfyouchooseRADIUS,enterthefollowinginformation: PrimaryIPAddress:EntertheIPaddressoftheprimaryRADIUSserver. SharedSecret:EnterasharedsecretfortheprimaryRADIUSserver. SecondaryIPAddress:EntertheIPaddressofthesecondaryRADIUSserver. SharedSecret:EnterasharedsecretforthesecondaryRADIUSserver. 10 ClickSave. VPNAuthenticationMethod SnowLeopardServerL2TPVPNusesKerberosv5orMicrosoft’sChallengeHandshake AuthenticationProtocolversion2(MS-CHAPv2)forauthentication.SnowLeopard ServerPPTPVPNusesMS-CHAPv2forauthentication. KerberosisasecureauthenticationprotocolthatusesaKerberosKeyDistribution Serverasatrustedthirdpartytoauthenticateaclienttoaserver. MS-CHAPv2authenticationencodespasswordswhenthey’resentoverthenetwork, andstorestheminascrambledformontheserver.Thismethodoffersgoodsecurity duringnetworktransmission.ItisalsothestandardWindowsauthenticationscheme forVPN. SnowLeopardServerPPTPVPNcanalsouseotherauthenticationmethods.Each methodhasitsownstrengthsandrequirements.Theseotherauthenticationmethods forPPTParenotavailableinServerAdmin. Touseanalternativeauthenticationscheme(forexample,touseRSASecurity’s SecurIDauthentication),youmustedittheVPNconfigurationfilemanually.The configurationfileislocatedat/Library/Preferences/SystemConfiguration/ com.apple.RemoteAccessServers.plist. Formoreinformation,see“OfferingSecurIDAuthenticationwithVPNService”on page196. Chapter11SecuringRemoteAccessServices 195 UsingVPNServicewithUsersinaThird-PartyLDAPDomain TouseVPNserviceforusersinathird-partyLDAPdomain(anActiveDirectoryor LinuxOpenLDAPdomain),youmustbeabletouseKerberosauthentication.Ifyou needtouseMSCHAPv2toauthenticateusers,youcan’tofferVPNserviceforusers inathird-partyLDAPdomain. OfferingSecurIDAuthenticationwithVPNService RSASecurityprovidesstrongauthentication.Ituseshardwareandsoftwaretokensto verifyuseridentity.SecurIDauthenticationisavailableforL2TPandPPTPtransports. Fordetailsandproductofferings,seewww.rsasecurity.com. SnowLeopardServerVPNservicecanofferSecurIDauthentication,butitcannotbeset upinServerAdmin.YoucanuseServerAdmintoconfigurestandardVPNservices,but ServerAdmindoesnothaveaninterfaceforchoosingyourauthenticationmethod. Ifyoumustdesignateanauthenticationscheme(suchasRSASecuritySecurID)other thanthedefault,changetheVPNconfigurationmanually. Foradditionalinformation,seetheRSASecurIDReadyImplementationGuide,locatedon thewebatrsasecurity.agora.com/rsasecured/guides/imp_pdfs/MacOSX_ACE_51.pdf. TomanuallyconfigureRSASecuritySecurIDauthentication: 1 OpenTerminal. 2 Createafoldernamed/var/aceonyourSnowLeopardServer. sudo mkdir /var/ace Authenticate,ifrequested. 3 InFinder,chooseGo>GotoFolder. 4 Type/var/ace. 5 ClickGo. 6 Copythesdconf.recfilefromaSecurIDserverto/var/ace/. Youseeadialogindicatingthatthe/var/ace/foldercannotbemodified.Click Authenticatetoallowthecopy. 7 ConfiguretheVPNservice(PPTPorL2TP)onyourSnowLeopardServertoenable EAP-SecurIDauthenticationfortheprotocolsyouwanttouseitwith. EnterthefollowinginTerminal,replacingprotocolwitheitherpptporl2tp: sudo serveradmin settings vpn:Servers:com.apple.ppp.protocol:PPP:AuthenticatorEAPPlugins:\ _array_index:0 = "EAP-RSA" sudo serveradmin settings vpn:Servers:com.apple.ppp.protocol:PPP:AuthenticatorProtocol:\ _array_index: = "EAP" 196 Chapter11SecuringRemoteAccessServices 8 CompletetheremainderofSnowLeopardServerVPNserviceconfigurationusingthe ServerAdmin. EncryptingObserveandControlNetworkData AlthoughAppleRemoteDesktop(“RemoteManagement”)sendsauthentication information,keystrokes,andmanagementcommandsencryptedbydefault,youmight wantadditionalsecurity.YoucanchoosetoencryptallObserveandControltraffic, ataperformancecost. EncryptionisdoneusinganSSHtunnelbetweenparticipatingcomputers.Touse encryptionforObserveandControltasks,thetargetcomputersmusthaveSSHenabled (“RemoteLogin”inthecomputer’sSharingPreferencepane).Additionally,firewalls betweentheparticipatingcomputersmustbeconfiguredtopasstrafficonTCPport22 (SSHwellknownport). IfyouaretryingtocontrolaVNCserverthatisnotaremotedesktop,itcannotsupport RemoteDesktopkeystrokeencryption.IfyoutrytocontrolthatVNCserver,youget awarningthatthekeystrokesaren’tencrypted,whichyoumustacknowledgebefore youcancontroltheVNCserver.Ifyouchosetoencryptallnetworkdata,thenyou cannotcontroltheVNCserverbecauseRemoteDesktopcannotopenthenecessary SSHtunneltotheVNCserver. ToenableObserveandControltransportencryption: 1 ChooseRemoteDesktop>Preferences. 2 ClicktheSecuritybutton. 3 Inthe“Controllingcomputers”section,select“Encryptallnetworkdata.” EncryptingNetworkDataDuringFileCopyandPackageInstallations RemoteDesktopcansendfilesforCopyItemsandInstallPackagesviaencrypted transport.Thisoptionisnotenabledbydefault,andyoumustenableitexplicitlyfor eachcopytask,orinaglobalsettinginRemoteDesktop’spreferences.Eveninstaller packagefilescanbeinterceptedifnotencrypted. Toencryptindividualfilecopyingandpackageinstallationtasks: m IntheCopyItemstaskorInstallPackagestaskconfigurationwindowofRemote Desktop,select“Encryptnetworkdata.” Tosetadefaultencryptionpreferenceforfilecopies: 1 IntheRemoteDesktopPreferenceswindow,selecttheSecuritypane. 2 Select“EncrypttransferswhenusingCopyItems,”or“Encrypttransferswhenusing InstallPackages”asneeded. Alternatively,youcanencryptafilearchivebeforecopyingit.Theencryptedarchive canbeintercepted,butitwouldbeunreadable. Chapter11SecuringRemoteAccessServices 197 12 SecuringNetworkInfrastructure Services 12 UsethischaptertolearnhowtosecureNetworkandHost Accessservices. YoucantailornetworkandhostaccessservicesinSnowLeopardServertoprotect yourcomputerandnetworkusers.Properconfigurationofservicesisimportantand helpscreateahardenedshellprotectingyournetwork. SnowLeopardServerincludesseveralnetworkandhostaccessservicesthathelp youmanageandmaintainyournetwork.Thissectiondescribesrecommended configurationsforsecuringyournetworkservices. Foradditionalinformationaboutconfiguringnetworkandhostaccessservices,see NetworkServicesAdministration. UsingIPv6Protocol InternetProtocolVersion6(IPv6)istheInternet’snext-generationprotocoldesignedto replacethecurrentInternetProtocol,IPVersion4(IPv4,orjustIP). IPv6improvesroutingandnetworkautoconfiguration.Itincreasesthenumberof networkaddressestoover3x1038,andeliminatestheneedforNetworkAddress Translation(NAT).IPv6isexpectedtograduallyreplaceIPv4overanumberofyears, thoughthetwowillcontinuetocoexistduringthistransition. SnowLeopardServer’snetworkservicesarefullyIPv6capableandreadytotransition tothenextgenerationaddressing,aswellasbeingfullyabletooperatewithIPv4. SnowLeopardServerfullysupportsIPv6,whichisconfigurablefromNetwork preferences.DisabletheIPv6protocolifyourserverandclientsdonotrequireit. Disablingtheprotocolpreventspotentialvulnerabilitiesonyourcomputer.For informationaboutdisablingIPv6,see“SecuringNetworkPreferences”onpage118. 198 ToenableIPv6: 1 OpenNetworkpreferences. 2 Inthenetworkconnectionsserviceslist,clicktheservicetoconfigure. 3 ClickAdvanced. 4 ClickTCP/IP. 5 ChooseAutomaticallyfromtheConfigureIPv6pop-upmenu. IfyouchooseManually,youmustknowyourassignedIPv6address,yourrouter’s IPaddress,andaprefixlength. 6 ClickOK. 7 ClickApply. Fromthecommandline: # --------------------------------------------------------------------# Enabling IPv6 # --------------------------------------------------------------------# Enable IPv6. # ------------------------------sudo networksetup -setv6on [networkservice] IPv6-EnabledServices ThefollowingservicesinSnowLeopardServersupportIPv6addressing:  DNS(BIND)  Firewall  Mail(POP/IMAP/SMTP)  Windows(SMB/CIFS)  Web(Apache2) TheseservicessupportIPv6addresses,butnotinServerAdmin.IPv6addressesfailif enteredinIPaddressfieldsinServerAdmin.YoucanconfigureIPv6addressesforthese serviceswithcommand-linetoolsandbyeditingconfigurationfiles. Anumberofcommand-linetoolsinstalledwithSnowLeopardServersupportIPv6 (forexample,ping6andtraceroute6). FormoreinformationaboutIPv6,seewww.ipv6.org. Chapter12SecuringNetworkInfrastructureServices 199 SecuringDHCPService SnowLeopardServerincludesdynamichostconfigurationprotocol(DHCP)service software,whichallowsittoprovideIPaddresses,LDAPserverinformation,andDNS serverinformationtoclients. DisablingUnnecessaryDHCPServices UsingDHCPisnotrecommended.AssigningstaticIPaddresseseasesaccountability andmitigatestherisksposedbyarogueDHCPserver.IfDHCPuseisnecessary,only onesystemshouldactastheDHCPserverandtheserviceshouldbedisabledonall othersystems. TodisabletheDHCPservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectDHCPintheComputers&Serviceslist. 3 ClickStopDHCP. 4 ClickSave. Fromthecommandline: # --------------------------------------------------------------------# Securing DHCP Service # --------------------------------------------------------------------# Disable DHCP Service # -------------------sudo serveradmin stop dhcp ConfiguringDHCPServices TouseaserverasaDHCPserver,configuretheDHCPserviceinServerAdmintonot distributeDNS,LDAP,andWINSinformation.Thisisasecuritymeasuremeantto protectclientsystems. WhenclientsystemsacceptdynamicallyassignedDNS,LDAP,andWINSaddresses, theybecomevulnerabletocertainformsofnetworkbasedattacksfromrogueDHCP servers.Usersmayunknowinglyberedirectedtomaliciouswebsitesorservers. ToconfiguretheDHCPservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectDHCPintheComputers&Serviceslist. 3 SelectSubnets. 4 Selectasubnet. 5 ClickDNS. 200 Chapter12SecuringNetworkInfrastructureServices 6 Deleteanynameserverslisted. 7 ClickLDAP. 8 Deleteanyserverinformationthatappears. 9 ClickWINS. 10 DeletetheWINSinformation. 11 ClickSave. Fromthecommandline: # Configuring DHCP Services # ------------------------# Set a DHCP subnet's DNS, LDAP, and WINS parameters to no value sudo serveradmin set dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_domain_name_serv er:_array_index:0 = "" sudo serveradmin set dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_ldap_url:_array_ index:0 = -empty_array sudo serveradmin set dhcp:configuation:subnets:_array_id:$SUBNET_GUID:WINS_node_type =" NOT SET" AssigningStaticIPAddressesUsingDHCP YoucanuseServerAdmintoassignIPaddressestospecificcomputers.Thishelps simplifyconfigurationwhenusingDHCPandletsyouhavesomestaticserversor services. ToavoidpotentialaddressconflictsandpreventhackersfromeasilyobtainingvalidIP addresses,useastaticmaptotracknetworkactivity.Astaticmapconsistsofaspecific IPaddressassignedtoanetworkdevice. ToassignastaticIPaddresstoadevice,youneedthedevice’sEthernetaddress (sometimescalleditsMACaddressorhardwareaddress).Eachnetworkinterfacehas itsownEthernetaddress. Ifyouhaveacomputerthatmovesbetweenwiredandwirelessnetworks,itusestwo Ethernetaddresses:oneforthewiredconnection,andoneforthewirelessconnection. ToassignastaticIPaddress: 1 OpenServerAdminandconnecttotheserver. 2 SelectDHCPintheComputers&Serviceslist. 3 ClickStaticMaps. 4 ClickAddComputer. Chapter12SecuringNetworkInfrastructureServices 201 5 Enterthenameofthecomputer. 6 IntheNetworkInterfaceslist,clickthecolumntoenterthefollowinginformation: MACAddressofthecomputerthatneedsastaticaddress. IPaddressyouwanttoassigntothecomputer. 7 IfthecomputerhasothernetworkinterfacesthatrequirestaticIPaddresses,clickthe Add(+)buttonandentertheIPaddressforeachinterface. 8 ClickOK. 9 ClickSave. Fromthecommandline: # Set a DHCP client's static IP address # ------------------------------------# Each computer needs its own GUID within the static map array. # Increment the array index value for network interfaces # for a single computer. serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:ip_address:_array_i ndex:0 = $ASSIGNED_IP_ADDRESS serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:en_address:_array_i ndex:0 = $COMPUTER_MAC_ADDRESS serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:name = $COMPUTER_NAME SecuringDNSService SnowLeopardServerusesBerkeleyInternetNameDomain(BIND)v9.4.1forits implementationofDNSprotocols.BINDisanopensourceimplementationandis usedbymostnameserversontheInternet. IfyourserverisnotintendedtobetheauthoritativeDNSserverforyournamespace, disabletheDNSserviceinServerAdmin. TodisabletheDNSservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectDNSintheComputers&Serviceslist. 3 ClickStopDNS. 4 ClickSave. 202 Chapter12SecuringNetworkInfrastructureServices Fromthecommandline: # --------------------------------------------------------------------# Securing DNS Service # --------------------------------------------------------------------# Disable DNS Service. # ------------------sudo serveradmin stop dns UnderstandingBIND BINDisthesetofprogramsusedbySnowLeopardServerthatimplementsDNS.One ofthoseprogramsisthenamedaemon,ornamed.TosetupandconfigureBIND,you mustchangetheconfigurationfileandthezonefile.Theconfigurationfileis /etc/named.conf. Thezonefilenameisbasedonthenameofthezone.Forexample,thezonefile example.comis/var/named/example.com.zone. Ifyoueditnamed.conftoconfigureBIND,don’tchangetheinetsettingsofthe controlsstatement.Otherwise,ServerAdmincan’tretrievestatusinformationforDNS. Theinetsettingsshouldlooklikethis controls { inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; }; }; UsingServerAdminaftereditingBINDconfigurationfilesmightoverwritechanges. FormoreinformationaboutDNSandBIND,seethefollowing:  DNSandBIND,5thedition,byPaulAlbitzandCricketLiu(O’ReillyandAssociates, 2006)  TheInternationalSoftwareConsortiumwebsite:www.isc.organdwww.isc.org/sw/ bind  TheDNSResourcesDirectory:www.dns.net/dnsrd TurningOffZoneTransfers Unlessyoursiterequiresthem,useServerAdmintoturnoffzonetransfersand recursiveDNSqueries. ToturnoffzonetransfersandrecursiveDNSqueries: 1 OpenServerAdminandconnecttotheserver. 2 SelectDNSintheComputers&Serviceslist. Chapter12SecuringNetworkInfrastructureServices 203 3 ClickZones. 4 Selecttheprimaryzoneyouwanttochange. 5 ClickGeneral. 6 Deselect“Allowszonetransfer”topreventhostsonthenetworkfromgettingcopiesof theprimaryzonedata. Ifneeded,setupzonetransferssotheyonlyoccurbetweentrustedservers.This requiresmanuallyeditingtheBINDconfigurationfiles. 7 ClickSave. DisablingRecursion RecursionfullyresolvesdomainnamesintoIPaddresses.Applicationsdependonthe DNSservertoperformthisfunction.OtherDNSserversthatqueryyourDNSservers don’tneedtoperformtherecursion. Topreventmalicioususersfromchangingtheprimaryzone’srecords(referredtoas cachepoisoning)andtopreventunauthorizeduseoftheserverforDNSservice,you canrestrictrecursionusingServerAdmin.However,ifyoupreventyourprivatenetwork fromusingrecursion,userscan’tuseyourDNSservicetolookupnamesoutsideof yourzones. DisablerecursiononlyifnoclientsareusingthisDNSserverfornameresolutionand noserversareusingitforforwarding. Ifyoursiterequiresrecursion,allowrecursivequeriesonlyfromtrustedclientsandnot fromexternalnetworks. Ifyouenablerecursion,considerdisablingitforexternalIPaddressesbutenablingit forinternalIPaddresses.ThisrequiresmanuallyeditingtheBINDconfigurationfiles. Todisablerecursion: 1 OpenServerAdminandconnecttotheserver. 2 SelectDNSintheComputers&Serviceslist. 3 ClickSettings. 4 Removeallentriesexcept“localhost”fromthe“Acceptrecursivequeriesfromthe followingnetworks”listusingtheRemove(–)button. 5 ClickSave. Makesurethatforwardandreversezonesareestablishedandfullypopulated. Otherwise,anyOpenDirectoryserverusingtheDNSservicewillnotworkcorrectly. 204 Chapter12SecuringNetworkInfrastructureServices PreventingSomeDNSAttacks DNSserversaretargetedbymaliciouscomputerusers(hackers).DNSserversare susceptibletoseveralkindsofattacks.Bytakingextraprecautions,youcanprevent theproblemsanddowntimeassociatedwithhackers. SeveralkindsofsecurityattacksareassociatedwithDNSservice:      DNScachepoisoning Servermining DNSserviceprofiling Denialofservice(DoS) Servicepiggybacking DNSCachePoisoning DNScachepoisoning(aformofDNSspoofing)istheaddingoffalsedatatotheDNS server’scache.Thisenableshackersto:  RedirectrealdomainnamequeriestoalternativeIPaddresses. Forexample,afalsifiedArecordforabankcouldpointacomputeruser’sbrowserto adifferentIPaddressthatiscontrolledbythehacker.Aduplicatewebsitecouldfool usersintogivingtheirbankaccountnumbersandpasswordstothehacker. Also,afalsifiedmailrecordcouldenableahackertointerceptmailsenttoorfroma domain.Ifthehackerthenforwardsthatmailtothecorrectmailserveraftercopying themail,thiscangoundetected.  PreventproperdomainnameresolutionandaccesstotheInternet. ThisisthemostbenignofDNScachepoisoningattacks.ItmakesaDNSserver appeartobemalfunctioning. Themosteffectivemethodtopreventtheseattacksisvigilance.Thisincludes maintainingup-to-datesoftware. IfexploitsarefoundinthecurrentversionofBIND,theexploitsarepatchedanda securityupdateismadeavailableforSnowLeopardServer.Applyallsuchsecurity patches. ServerMining Serverminingisthepracticeofgettingacopyofacompleteprimaryzoneby requestingazonetransfer.Inthiscase,ahackerpretendstobeasecondaryzoneto anotherprimaryzoneandrequestsacopyoftheprimaryzone’srecords. Withacopyofyourprimaryzone,thehackercanseewhatkindsofservicesadomain offersandtheIPaddressesoftheserversthatofferthem.Heorshecanthentry specificattacksbasedonthoseservices.Thisisreconnaissancebeforeanotherattack. Chapter12SecuringNetworkInfrastructureServices 205 Topreventthisattack,disablezonetransfers.Ifrequired,specifywhichIPaddresses havepermissiontorequestzonetransfers(yoursecondaryzoneservers)anddeny allothers. ZonetransfersareaccomplishedoverTCPonport53.Tolimitzonetransfers,blockzone transferrequestsfromanyonebutyoursecondaryDNSservers. TospecifyzonetransferIPaddresses: 1 CreateafirewallfilterthatpermitsonlyIPaddressesthatareinsideyourfirewallto accessTCPport53. 2 Followtheinstructionsin“CreatingAdvancedFirewallRules”onpage217usingthe followingsettings:      Packet:Allow Port:53 Protocol:TCP SourceIP:theIPaddressofyoursecondaryDNSserver DestinationIP:theIPaddressofyourprimaryDNSserver DNSServiceProfiling Anothercommonreconnaissancetechniqueusedbymalicioususersistoprofileyour DNSservice.FirstahackermakesaBINDversionrequest.Theserverreportswhat versionofBINDisrunning.Thenthehackercomparestheresponsetoknownexploits andvulnerabilitiesforthatversionofBIND. Topreventthisattack,configureBINDtorespondwithsomethingotherthanwhatitis. ToalterBIND’sversionresponse: 1 Openacommand-linetexteditor(forexamplevi,emacs,orpico). 2 Opennamed.confforediting. 3 Totheoptionsbracketsoftheconfigurationfile,addthefollowing: version "[your text, maybe ‘we're not telling!’]"; 4 Savenamed.conf. DenialofService(DoS) Thiskindofattackiscommonandeasy.Ahackersendssomanyservicerequestsand queriesthataserverusesallitsprocessingpowerandnetworkbandwidthtryingto respond.Thehackerpreventslegitimateuseoftheservicebyoverloadingit. Itisdifficulttopreventthistypeofattackbeforeitbegins.Constantmonitoringofthe DNSserviceandserverloadenablesanadministratortocatchtheattackearlyand mitigateitsdamagingeffect. 206 Chapter12SecuringNetworkInfrastructureServices TheeasiestwaytopreventthisattackistoblocktheoffendingIPaddresswithyour firewall.Unfortunately,thismeanstheattackisalreadyunderwayandthehacker’s queriesarebeingansweredandtheactivitylogged. ServicePiggybacking ThisattackisdonenotsomuchbymaliciousintrudersbutbycommonInternetusers wholearnthetrickfromotherusers.TheymightfeelthattheDNSresponsetimewith theirownISPistooslow,sotheyconfiguretheircomputertoqueryanotherDNS serverinsteadoftheirownISP’sDNSservers.Effectively,therearemoreusersaccessing theDNSserverthanwereplannedfor. YoucanpreventthistypeofattackbylimitingordisablingDNSrecursion.Ifyouplanto offerDNSservicetoyourLANusers,theyneedrecursiontoresolvedomainnames,but don’tprovidethisservicetoInternetusers. Topreventrecursionentirely,see“DisablingRecursion”onpage204. ThemostcommonbalanceispermittingrecursionforrequestscomingfromIP addressesinyourownrangebutdenyingrecursiontoexternaladdresses. ARPSpoofing Thistypeofattack,alsoknownasARPpoisoning,allowsanattackertotakeover acomputer’sIPaddressbymanipulatingtheARPcachesofotherhostsonthenetwork. Theattackermustbeonthesamenetworkasthecomputeritisattackingorthehost thatthecomputeriscommunicatingwith. TheattackercanalsouseARPspoofingforaman-in-the-middleattack,whichforwards trafficfromacomputertotheattacker’scomputer.Thisallowstheattackertoview packetsandlookforpasswordsandconfidentialdata.ARPspoofingcanalsobeused tocreateaDoSattack,stoppingallnetworktraffic. ByconfiguringyournetworkwithstaticIPaddressesandmonitoringyournetwork traffic,youcankeepunauthorizedusersfrommaliciouslyusingyournetwork. SecuringNATService NATisaprotocolyouusetogivemultiplecomputersaccesstotheInternetusingonly oneassignedpublicorexternalIPaddress.NATpermitsyoutocreateaprivatenetwork thataccessestheInternetthroughaNATrouterorgateway.NATissometimesreferred toasIPmasquerading. TheNATservicefurtherenhancessecuritybylimitingcommunicationbetweenyour privatenetworkandapublicnetwork(suchastheInternet):  Communicationfromacomputeronyourprivatenetworkistranslatedfrom aprivateIPaddresstoasharedpublicIPaddress.MultipleprivateIPaddresses areconfiguredtouseasinglepublicIPaddress. Chapter12SecuringNetworkInfrastructureServices 207  Communicationtoyourprivatenetworkistranslatedandforwardedtoaninternal privateIPaddress(IPforwarding).Theexternalcomputercannotdeterminethe privateIPaddress.Thiscreatesabarrierbetweenyourprivatenetworkandthepublic network.  Communicationfromapublicnetworkcannotcomeintoyourprivatenetwork unlessitisrequested.Itisonlyallowedinresponsetointernalcommunication. Note:IfusingNAT,considercombiningNATroutingwithothernetworkservices. TheNATroutertakesalltrafficfromyourprivatenetworkandremembersinternal addressesthathavemaderequests.WhentheNATrouterreceivesaresponseto arequest,itforwardsittotheoriginatingcomputer.Trafficthatoriginatesfromthe InternetdoesnotreachcomputersbehindtheNATrouterunlessportforwarding isenabled. Important:FirewallservicemustbeenabledforNATtofunction. IfyourserverisnotintendedtobeaNATserver,deactivatetheNATserversoftware. TodisableNATservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectNATintheComputers&Serviceslist. 3 ClickStopNAT. 4 ClickSave. Fromthecommandline: # --------------------------------------------------------------------# Securing NAT Service # --------------------------------------------------------------------# Disable NAT service. # ------------------sudo serveradmin stop nat ConfiguringPortForwarding YoucandirecttrafficcomingintoyourNATnetworktoaspecificIPaddressbehindthe NATgateway.Thisiscalledportforwarding. Portforwardingcanbeusedtorouteexternal-facinguncommonopenportsonthe firewalltocommoninternalports,obsfucatingwhatservicesareactivethroughthe NATbarrier.Thispracticeisnotreliableandshouldnotbesolelydependedontohide activeservicesonthecomputer. 208 Chapter12SecuringNetworkInfrastructureServices Portforwardingletsyousetupcomputersontheinternalnetworkthathandle incomingconnectionswithoutexposingothercomputerstooutsideconnections.For example,youcouldsetupawebserverbehindtheNATserviceandforwardincoming TCPconnectionrequestsonport80tothedesignatedwebserver. Youcan’tforwardthesameporttomultiplecomputers,butyoucanforwardmany portstoonecomputer.EnablingportforwardingrequirestheuseoftheTerminal applicationandadministratoraccesstorootprivilegesthroughsudo. Youmustalsocreateaplistfile.Thecontentsoftheplistfileareusedtogenerate /etc/nat/natd.conf.apple,whichispassedtotheNATdaemonwhenitisstarted. Donottrytoedit/etc/nat/natd.conf.appledirectly.Ifyouuseaplisteditorinsteadofa command-linetexteditor,alterthefollowingproceduretosuit. Toconfigureportforwarding: 1 Ifthefile/etc/nat/natd.plistdoesn’texist,makeacopyofthedefaultNATdaemonplist. sudo cp /etc/nat/natd.plist.default /etc/nat/natd.plist 2 UsingaTerminaleditor,addthefollowingblockofXMLtextto/etc/nat/natd.plist beforethetwolinesattheendofthefile(</dict>and</plist>),substitutingyour settingswhereindicatedbyitalics: <key>redirect_port</key> <array> <dict> <key>proto</key> <string>tcp or udp</string> <key>targetIP</key> <string>LAN_ip</string> <key>targetPortRange</key> <string>LAN_ip_range</string> <key>aliasIP</key> <string>WAN_ip</string> <key>aliasPortRange</key> <string>WAN_port_range</string> </dict> </array> 3 Saveyourfilechanges. 4 EnterthefollowingcommandsintheTerminal: sudo serveradmin stop nat sudo serveradmin start nat 5 Verifythatyourchangesremainbyinspectingthe/etc/nat/natd.conf.applefile. Chapter12SecuringNetworkInfrastructureServices 209 Thechangesmade,exceptforcommentsandthosesettingsthatServerAdmincan change,areusedbyserverconfigurationtools(ServerAdmin,GatewaySetupAssistant, andsudoserveradmin). 6 ClickSave. 7 StartNATservice. DisablingNATPortMappingProtocol NATPortMappingProtocol(NAT-PMP)allowsacomputerbehindtheNATrouterto automaticallyconfiguretheroutertoallowcomputersoutsidetheprivatenetwork tocontactitself.NAT-PMPautomatestheprocessofportforwarding,allowingthe internalnetworkcomputerscontroltheforwarding. Ifyoudonotwantyourinternalclientstochangeport-forwardingrulesdisable NAT-PMP. ToconfigureNATservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectNATintheComputers&Serviceslist. 3 ClickSettings. 4 Deselect“EnableNATPortMappingProtocol.” 5 ClickSave. SecuringBonjour(mDNS) Bonjourisaprotocolfordiscoveringfile,print,chat,musicsharing,andotherservices onIPnetworks.Bonjourlistensforserviceinquiriesfromothercomputersandprovides informationaboutavailableservices.Usersandapplicationsonyourlocalnetworkcan useBonjourtoquicklydeterminewhichservicesareavailableonyourcomputer,and youcanuseittodeterminewhichservicesareavailableontheirs. Thiseasyexchangeofinformationmakesservicediscoveryveryconvenient,butit alsoincursasecurityrisk.Bonjourbroadcaststheservicesthatarepresentandthe servicesyouhaveavailable.Theserisksmustbeweighedagainsttheutilityofrunning anetworkservicesuchasBonjour. AsidefromtheinformationfreelyexchangedbyBonjour,networkservicesinherently incurasecurityriskduetothepotentialforimplementationerrorstoallowremote attackerstoaccessyoursystem.However,Bonjourmitigatestheserisksby implementingsandboxing. ToreducethesecurityriskofrunningBonjour,connectonlytosecure,trustedlocal networks.AlsoverifythatNetworkpreferencesenablesonlyrequirednetworking connections.Thisreducesthechanceofconnectingtoaninsecurenetwork. 210 Chapter12SecuringNetworkInfrastructureServices BeforeusingBonjourtoconnecttoaservice,verifythattheserviceislegitimateand notspoofed.Ifyouconnecttoaspoofedservice,youmightdownloadmaliciousfiles. Ifyoucannottrustallservicesonyourlocalnetwork,thenBonjourshouldnotbeused. WARNING:CarefullyfollowthesestepstodisableBonjour.Amalformedor problematicmDNSResponder.plistfilecanpreventyourMacfromstartingup.Use TimeMachinetoperformafullbackupofyourcomputerbeforeproceeding. TodisableBonjouradvertising,enterthefollowingcommands: 1 MakeabackupcopyofthemDNSResponder.plistfile. 2 OpenTerminalandopenthemDNSResponder.plistfileusingyourpreferredtexteditor. Forexample: sudo vi “/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist” 3 IntheProgramArgumentskeyoftheplistfile,addthefollowingstringtothe <array>...</array>section. <string>-NoMulticastAdvertisements</string> Forexample: <key>ProgramArguments</key> <array> <string>/usr/sbin/mDNSResponder</string> <string>-launchd</string> <string>-NoMulticastAdvertisements</string> </array> 4 SavethechangestothemDNSResponder.plistfile. Important:Ifyoueditedthefileusingemacs,removetheemacsbackupfile(the filewithatildeattheendofthename,“/System/Library/LaunchDaemons/ com.apple.mDNSResponder.plist~”)oryourMacwillnotstartup. YoumustalsoblockBonjourfromlisteningforandacceptingBonjourtrafficby creatingafirewallruleusingipfw.Thispreventsyourcomputerfromreceiving potentiallymaliciousBonjourtrafficfromthenetwork.Ifyouhaven’tsetupIPFW torunwhenthecomputerstartsup,seeChapter13,“ConfiguringtheFirewall.” Addthefollowingruletothe/etc/ipfw.confinthesamewaythatyouedited/System/ Library/LaunchDaemons/com.apple.mDNSResponder.plistinthesectionabove. Chapter12SecuringNetworkInfrastructureServices 211 ToblockBonjourlistening: # # # # # Block Bonjour listening. ------------------------Default Setting. Bonjour is enabled Firewall is disabled # Suggested Setting. # Add the following line to /etc/ipfw.conf. add 00001 deny udp from any to me dst-port 5353 # Reload the firewall rules. sudo /sbin/ipfw flush sudo /sbin/ipfw /etc/ipfw.conf IfBonjourisdisabled,youmustmanuallyconfigurenetworkprinters.DisablingBonjour canalsodisablefunctionalityinotherapplicationsthatrelyonBonjourorpossibly makethemunusable. IfdisablingBonjourinterfereswithotherapplicationsthatareneededbytheuser, removethe<string>-NoMulticastAdvertisements</string>fromthe mDNSResponder.plistfile.ThenunblockUDPport5353onyourfirewall. 212 Chapter12SecuringNetworkInfrastructureServices 13 ConfiguringtheFirewall 13 UsethischaptertolearnhowconfiguretheIPFW2firewall. Usingafirewalltofilternetworktrafficfromahostoranetworkofhostsprevents attackersfromgainingaccesstoyourcomputer. AboutFirewallProtection Firewallserviceissoftwarethatprotectsnetworkapplicationsrunningonyour SnowLeopardServercomputer. Turningonfirewallserviceissimilartoinstallingafiltertolimitaccesstoyournetwork. firewallservicescansincomingIPpacketsandrejectsoracceptsthesepacketsbased onrulesyouusetoconfigurefirewallservice. Youcanmonitoractivityinvolvingyourfirewallbyenablingfirewalllogging.Firewall loggingcreatesalogfilethattracksactivitysuchasthesourcesandconnection attemptsblockedbythefirewall.YoucanviewthislogintheConsoleutility. YoucanrestrictaccesstoanyIPservicerunningontheserver,andyoucancustomize rulesforincomingclientsorforarangeofclientIPaddresses. Important:Firewallservicecandisruptnetworkcommunicationsanditsconfiguration canbecomplicatedtoimplement.Donotimplementrecommendationswithout understandingtheirpurposeorimpact. ServicessuchasWebandFTPservicesareidentifiedonyourserverbyaTransmission ControlProtocol(TCP)orUserDatagramProtocol(UDP)portnumber.Whena computertriestoconnecttoaservice,firewallservicescanstherulelistforamatching portnumber. Whenrunning,thedefaultfirewallconfigurationonSnowLeopardServerdenies accesstoincomingpacketsfromremotecomputersexceptthroughportsforremote configuration.Thisprovidesahighlevelofsecurity. 213 Statefulrulesareinplaceaswell,soresponsestooutgoingqueriesinitiatedbyyour computerarealsopermitted.Youcanthenaddrulestopermitserveraccesstothose clientswhorequireaccesstoservices. Important:Youshouldnotperformanyfirwallconfigurationremotelybecauseofthe riskofdisablingcommunicationstotheremotehost. PlanningFirewallSetup Planyourfirewallservicebydecidingwhichservicesyouwanttoprovideaccessto. Mail,Web,andFTPservicesgenerallyrequireaccessbycomputersontheInternet. FileandPrintservicesaremostlikelyrestrictedtoyourlocalsubnet. Afteryoudecidewhichservicestoprotectusingfirewallservice,determinewhich IPaddressesyouwanttoaccessyourserver.Thencreatetheappropriaterules. Afterthefirewallserviceisconfigured,networkusersmightrequestthattherules bechangedtoallowadditionalservices.Thesechangesshouldberesistedandan approvalprocessshouldbeputinplacetomonitorthesechanges. ConfiguringtheFirewallUsingServerAdmin Advancedconfigurationserversuseipfw2forfirewallservice.Theapplication-level firewallisavailableonlytostandardandworkgroupconfigurationinstallations. StartingFirewallService Bydefault,firewallserviceblocksincomingTCPconnectionsanddeniesUDPpackets, exceptthosereceivedinresponsetooutgoingrequestsfromtheserver. Beforeyouturnonfirewallservice,makesureyou’vesetuprulespermittingaccess fromIPaddressesyouchoose;otherwise,noonecanaccessyourserver. Ifyouaddorchangearuleafterstartingfirewallservice,thenewruleaffects connectionsalreadyestablishedwiththeserver.Forexample,ifyoudenyall accesstoyourFTPserverafterstartingfirewallservice,computersconnected toyourFTPserveraredisconnected. Tostartfirewallservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectFirewallintheComputers&Serviceslist. 3 ClicktheStartFirewallbuttonbelowtheServerslist. 214 Chapter13ConfiguringtheFirewall Fromthecommandline: # --------------------------------------------------------------------# Securing Firewall Service # --------------------------------------------------------------------# Start firewall service. # ---------------------sudo serveradmin start ipfilter CreatinganIPAddressGroup BygroupingIPaddressesyoucansimultaneouslysetfirewallrulesforlargenumbers ofnetworkdevicesandallowformuchbetterorganization.Thisenhancesthesecurity ofyournetwork. Thesegroupsareusedtoorganizeandtargettherules.The“any”addressgroupisfor alladdresses.TwootherIPaddressgroupsarepresentbydefault,intendedforthe entire“10.0.0.0”rangeofprivateaddressesandtheentire“192.168.0.0”rangeofprivate addresses. Addressescanbelistedasindividualaddresses(192.168.2.2),IPaddressandCIDR notation(192.168.2.0/24),orIPaddressandnetmasknotation(192.168.2.0:255.255.255.0). Bydefault,anIPaddressgroupiscreatedforallincomingIPaddresses.Rulesapplied tothisgroupaffectallincomingnetworktraffic. Tocreateanaddressgroup: 1 OpenServerAdminandconnecttotheserver. 2 SelectFirewallintheComputers&Serviceslist. 3 ClickSettings,thenclickAddressGroups. 4 BelowtheIPAddressGroupslist,clicktheAdd(+)button. 5 IntheGroupnamefield,enteragroupname. 6 Entertheaddressesandsubnetmaskyouwanttherulestoaffect. UsetheAdd(+)andDelete(–)buttons. ToindicateanyIPaddress,usetheword“any.” 7 ClickOK. 8 ClickSave. Chapter13ConfiguringtheFirewall 215 CreatingFirewallServiceRules Bydefault,firewallservicepermitsallUDPconnectionsandblocksincomingTCP connectionsonportsthatarenotessentialforremoteadministrationoftheserver. Also,bydefault,statefulrulesareinplacethatpermitspecificresponsestooutgoing requests. Beforeyouturnonfirewallservice,makesureyou’vesetuprulespermittingaccess fromIPaddressesyouchoose;otherwise,noonecanaccessyourserver. Youcaneasilypermitstandardservicesthroughthefirewallwithoutadvancedand extensiveconfiguration.Standardservicesinclude:  SSHaccess  Webservice  AppleFileservice  WindowsFileservice  FTPservice  PrinterSharing  DNS/MulticastDNS  ICMPEchoReply(incomingpings)  IGMP  PPTPVPN  L2TPVPN  QTSSmediastreaming  iTunesMusicSharing Ifyouaddorchangearuleafterstartingfirewallservice,thenewruleaffects connectionsalreadyestablishedwiththeserver.Forexample,ifyoudenyallaccessto yourFTPserverafterstartingfirewallservice,computersconnectedtoyourFTPserver aredisconnected. Toconfigurefirewallstandardservices: 1 OpenServerAdminandconnecttotheserver. 2 SelectFirewallintheComputers&Serviceslist. 3 ClickSettings,thenclickServices. 4 FromtheEditServicesforpop-upmenu,selectanaddressgroup. 5 Fortheaddressgroup,choosetopermitalltrafficfromanyportortopermittrafficon designatedports. 216 Chapter13ConfiguringtheFirewall 6 Foreachserviceyouwanttheaddressgrouptouse,selectAllow. Ifyoudon’tseetheserviceyouneed,addaportanddescriptiontotheserviceslist. Tocreateacustomrule,see“CreatingAdvancedFirewallRules”onpage217. 7 ClickSave. CreatingAdvancedFirewallRules YouusetheAdvancedSettingspaneinServerAdmintoconfigurespecificrulesfor firewallservice.FirewallrulescontainoriginatinganddestinationIPaddresseswith subnetmasks.Theyalsospecifywhattodowithincomingnetworktraffic.Youcan applyaruletoallIPaddresses,aspecificIPaddress,orarangeofIPaddresses. Addressescanbelistedasindividualaddresses(192.168.2.2),IPaddressandsubnet maskinCIDRnotation(192.168.2.0/24),orIPaddressandsubnetmaskinnetmask notation(192.168.2.0:255.255.255.0). Tosetupanadvancedfirewallrule: 1 OpenServerAdminandconnecttotheserver. 2 SelectFirewallintheComputers&Serviceslist. 3 ClickSettings,thenclickAdvanced. 4 ClicktheAdd(+)button. Alternatively,youcanselectarulesimilartotheoneyouwanttocreate,clickDuplicate, andthenclickEdit. 5 IntheActionpop-upmenu,selectwhetherthisrulepermitsordeniesaccess. IfyouchooseOther,entertheneededaction(forexample,log). 6 FromtheProtocolpop-upmenu,chooseaprotocol. IfyouchooseOther,entertheneededprotocol(forexample,icmp,esp,ipencap). 7 FromtheServicepop-upmenu,chooseaservice. Toselectanonstandardserviceport,chooseOther. 8 Ifneeded,choosetologallpacketsthatmatchtherule. 9 Forthesourceoffilteredtraffic,chooseanaddressgroupfromtheAddresspop-up menu. Ifyoudon’twanttouseanexistingaddressgroup,enterthesourceIPaddressrange (usingCIDRnotation)youwanttofilter. Ifyouwantittoapplytoanyaddress,choose“any”fromthepop-upmenu. 10 Ifyouselectedanonstandardserviceport,enterthesourceportnumber. 11 Forthedestinationoffilteredtraffic,chooseanaddressgroupfromtheSourcepop-up menu. Chapter13ConfiguringtheFirewall 217 Ifyoudon’twanttouseanexistingaddressgroup,enterthedestinationIPaddress range(usingCIDRnotation). Ifyouwantittoapplytoanyaddress,choose“any”fromthepop-upmenu. 12 Ifyouselectedanonstandardserviceport,enterthedestinationportnumber. 13 FromtheInterfacepop-upmenuthatthisrulewillapplyto,chooseInorOut. Inreferstothepacketsbeingsenttotheserver. Outreferstothepacketsbeingsentfromtheserver. 14 IfyouselectOther,entertheinterfacename(en0,en1,fw1,andsoon). 15 ClickOK. 16 ClickSavetoapplytheruleimmediately. EnablingStealthMode Youcanhideyourfirewallbychoosingnottosendaconnectionfailurenotificationto anyconnectionthatisblockedbythefirewall.Thisiscalledstealthmodeandit effectivelyhidesyourserver’sclosedports. Forexample,ifanetworkintrudertriestoconnecttoyourserver,eveniftheportis blocked,heorsheknowsthatthereisaserverandcanfindotherwaystointrude. Ifstealthmodeisenabled,insteadofbeingrejected,thehackerwon’treceive notificationthatanattemptedconnectiontookplace. Toenablestealthmode: 1 OpenServerAdminandconnecttotheserver. 2 SelectFirewallintheComputers&Serviceslist. 3 ClickSettings,thenclickAdvanced. 4 Select“EnableforTCP,”“EnableforUDP,”orboth,asneeded. 5 ClickSave. Fromthecommandline: # Enable stealth mode. # ------------------sudo serveradmin settings ipfilter:blackHoleTCP = true sudo serveradmin settings ipfilter:blackHoleUDP = true 218 Chapter13ConfiguringtheFirewall ViewingtheFirewallServiceLog EachruleyousetupinServerAdmincorrespondstorulesintheunderlyingfirewall software.Logentriesshowyouwhentherulewasapplied,theIPaddressoftheclient andserver,andotherinformation. Thelogviewshowsthecontentsof/var/log/ipfw.log.Youcanrefinetheviewusingthe textfilterbox. Toviewthefirewallservicelog: 1 OpenServerAdminandconnecttotheserver. 2 SelectFirewallintheComputers&Serviceslist. 3 ClickLog. Tosearchforspecificentries,usetheFilterfieldabovethelog. Fromthecommandline: # View the firewall service log. # ----------------------------sudo tail /var/log/ipfw.log ThefiltersyoucreateinServerAdmincorrespondtorulesintheunderlyingfiltering software.Logentriesshowyoutheruleapplied,theIPaddressoftheclientandserver, andotherinformation.Formoreinformationaboutrulesandwhattheymean,see “CreatingAdvancedFirewallRules”onpage217. Herearesomeexamplesoffirewalllogentriesandhowtoreadthem. LogExample1 Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0 Thisentryshowsthatfirewallserviceusedrule65000todeny(unreach)theremote clientat10.221.41.33:2190fromaccessingserver192.168.12.12onwebport80through Ethernetport0. LogExample2 Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0 Thisentryshowsthatfirewallserviceusedrule100topermittheremoteclientat 10.221.41.33:721toaccesstheserver192.168.12.12ontheLPRprintingport515through Ethernetport0. Chapter13ConfiguringtheFirewall 219 LogExample3 Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0 ThisentryshowstheNATdivertruleappliedtoanoutboundpacket.Inthiscaseit divertstheruletoserviceport660,whichistheporttheNATdaemonuses. ConfiguringtheFirewallManually TheIPFW2firewall(alsoreferredtohereasIPFW)allowsforthecreationofcomplex andpowerfulpacketfilteringrulesets.Thisfirewallcanbedifficulttoconfigure,andcan alsodisruptnetworkcommunicationsifimproperlyconfigured.Itrequiresmanually writtenrules,andthesystemmustbeconfiguredtoreadthoserulesatstartup. ConfiguringIPFWrulesetsrequiresahigherlevelofexpertisethanmanysystem administrationtasks.IfanadministratorisnotmindfuloftheIPFWrulesetonthe system,confusioncanarisewhensomenetworkconnectivityisnotavailablethat shouldbe. UnderstandingIPFWRulesets AnIPFWconfigurationorrulesetisalistofrulesthataredesignedtomatchpackets andtakeappropriateaction.IPFWrulesarenumberedfrom1to65535.Thepacket passedtothefirewalliscomparedagainsteachoftherules(innumericalorder).When thepacketmatchesarule,thecorrespondingactionistaken. AmorecompletedescriptionofthecapabilitiesandconfigurationofIPFWcanbe foundintheipfwmanpage. TheIPFWrulesetcanbestoredasalistofIPFWrulesinsideatextfile.Traditionally,the file/etc/ipfw.confisusedtostoretheserules. ToviewenforcedIPFWrules,runthecommand: sudo ipfw print Thedefaultoutputshouldappearsomethinglikethis: 65535 allow ip from any to any ThislineshowsthatthedefaultconfigurationallowsalltrafficthroughtheIPFW firewall,performingnofiltering.LikeallIPFWrules,itconsistsofarulenumber(65535); anaction(allow);andbody(ipfromanytoany). Inthiscase,thebody(ipfromanytoany)matchesallIPpackets.Thisalsohappensto beaspecialrule,calledthedefaultrule.Itisthehighest-numberedrulepossibleandis compileddirectlyintothekernel. 220 Chapter13ConfiguringtheFirewall Becausenoruleshaveactuallybeenaddedtothesystem,allpacketsarepassedto thisdefaultrule,whichallowsthemallthrough.However,iftheStealthModefeature isenabledonthesystem,thenthefollowinglineappearsfirstinthelist: 33300 deny icmp from any to me in icmptypes 8 ThisruleshowstheimplementationofStealthMode,droppingincomingpingecho requests,whichisICMPtype8.Becauseitisalowerrulenumber(andthusappears earlierwhenlisted),itisconsultedbeforethedefaultrule. Chapter13ConfiguringtheFirewall 221 14 SecuringCollaborationServices 14 Usethischaptertolearnhowtosecurecollaborationservices. Collaborationserviceshelpusersshareinformationforincreasedproductivity.Securing theaccessandtransferofsharedinformationprotectsyourdata. Collaborationservicespromoteinteractionsamongusers,facilitatingteamworkand productivity.ThischapterdescribeshowtosecureiCal,iChat,Wiki,andPodcast Producercollaborationservices. Forinformationaboutconfiguringcollaborationservices,seeiCalServerAdministration, iChatServiceAdministration,WebTechnologiesAdministration,andPodcastProducer Administration. SecuringiCalService SecurityforiCalserviceconsistsoftwomainareas:  Securingtheauthentication:Thismeansusingamethodofauthenticatingusers thatissecureanddoesn’tpasslogincredentialsincleartextoverthenetwork.The high-securityauthenticationusedpervasivelyinSnowLeopardServerisKerberosv5. Tolearnhowtoconfiguresecureauthentication,see“ChoosingandEnablingSecure AuthenticationforiCalService”onpage223.  Securingthedatatransport:Thismeansencryptingthenetworktrafficbetween thecalendarclientandthecalendarserver.Whenthetransportisencrypted,noone cananalyzethenetworktrafficandreconstructthecontentsofthecalendar.iCal serviceusesSSLtoencryptthedatatransport. TolearnhowtoconfigureandenableSSLforiCalservice,see“Configuringand EnablingSecureNetworkTrafficforiCalService”onpage224. 222 DisablingiCalService IfyourserverisnotintendedtobeaniCalserver,disabletheiCalserversoftware. Disablingtheservicepreventspotentialvulnerabilitiesonyourcomputer. TodisableiCalservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectiCalintheComputers&Serviceslist. 3 ClickStopiCal. Fromthecommandline: # --------------------------------------------------------------------# Securing Collaboration Services # --------------------------------------------------------------------# --------------------------------------------------------------------# Securing iCal service # --------------------------------------------------------------------# Disable iCal service. # ------------------------------sudo serveradmin stop calendar SecurelyConfiguringiCalService TosecurelyconfigureiCalservice,youmustsecureauthenticationanddatatransport. ChoosingandEnablingSecureAuthenticationforiCalService UsersauthenticatetoiCalservicethroughoneofthefollowingmethods:  Kerberosv5:ThismethodusesstrongencryptionandisusedinSnowLeopardfor singlesign-ontoservicesofferedbySnowLeopardServer.  Digest:(RFC2617)Thismethodsendssecureloginnamesandencryptedpasswords withouttheuseofatrustedthird-party(liketheKerberosrealm),andisusable withoutmaintainingaKerberosinfrastructure.  Any:ThismethodincludesKerberosv5andDigestauthentication.Theclientcan choosethemostrelevantmethodforwhatitcansupport. YoucansettherequiredauthenticationmethodusingServerAdmin.Toenablethe highestsecurity,chooseamethodotherthan“Any.” Tochooseanauthenticationmethod: 1 InServerAdmin,selectaserverandchoosetheiCalservice. 2 ClicktheSettingsbuttoninthetoolbar. 3 SelectthemethodfromtheAuthenticationpop-upmenu. Chapter14SecuringCollaborationServices 223 4 ClickSave,thenrestarttheservice. Fromthecommandline: # Choose an authentication method for iCal service. # -----------------------------------------------# To enable all auth methods: sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes" sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes" sudo serveradmin stop calendar; sudo serveradmin start calendar # To sudo sudo sudo choose Digest auth only: serveradmin settings calendar:Authentication:Kerberos:Enabled = "no" serveradmin settings calendar:Authentication:Digest:Enabled = "yes" serveradmin stop calendar; sudo serveradmin start calendar # For Kerberos only: sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes" sudo serveradmin settings calendar:Authentication:Digest:Enabled = "no" sudo serveradmin stop calendar; sudo serveradmin start calendar ConfiguringandEnablingSecureNetworkTrafficforiCalService WhenyouenableSecureSocketsLayer(SSL),youencryptalldatasentbetweenthe iCalserverandtheclient.ToenableSSL,youmustselectacertificate.Ifyouusethe defaultself-signedcertificate,theclientsmustchoosetotrustthecertificatebefore theycanmakeasecureconnection. ToenablesecurenetworktrafficusingSSLtransport: 1 InServerAdmin,selectaserverandchoosetheiCalservice. 2 ClicktheSettingsbuttoninthetoolbar. 3 ClickEnableSecureSocketsLayer(SSL). 4 ChooseaTCPportforSSLtocommunicateon. Thedefaultportis8443. 5 Choosethecertificatetobeusedforencryption. 6 ClickSave,thenrestarttheservice. Fromthecommandline: # Enable secure network traffic using SSL transport. # -------------------------------------------------sudo serveradmin settings calendar:SSLPort = 8443 224 Chapter14SecuringCollaborationServices ViewingiCalServiceLogs iCalserviceloggingisimportantforsecurity.Withlogs,youcanmonitorandtrack communicationthroughtheiCalservice.YoucanaccesstheiCalservicelog,/var/log/ system.logusingServerAdmin. ToviewtheiCalservicelog: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofservicesappears. 3 ClickiCal. 4 ClickLogsandthenchoosealogfromtheViewpop-upmenu. Fromthecommandline: # View the iCal service log # -------------------------sudo tail /var/log/caldavd/access.log SecuringiChatService TheiChatserviceprovidesasecurewayforuserstochat.TouseiChatserviceon aserver,usersmustbedefinedindirectoriestheserverusestoauthenticateusers. Formoreinformationaboutconfiguringsearchpathstodirectories,seetheOpen DirectoryAdministration. DisablingiChatService IfyourserverisnotintendedtobeaniChatserver,disabletheiChatserversoftware. Disablingthesoftwarepreventspotentialvulnerabilitiesonyourcomputer. TodisableiChatservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectiChatintheComputers&Serviceslist. 3 ClickStopiChat. Fromthecommandline: # Disable iChat service. # -------------------------sudo serveradmin stop jabber Chapter14SecuringCollaborationServices 225 SecurelyConfiguringiChatService IfyourorganizationrequirestheuseofiChatservice,configureittouseSSL.SSL communicationcertifiestheidentityoftheserverandestablishessecure,encrypted dataexchange. YouidentifyanSSLcertificateforiChatservicetousethefirsttimeyousetupiChat service,butyoucanuseadifferentcertificatelater.Youcanuseaself-signedcertificate oracertificateimportedfromaCA.Formoreinformationaboutdefining,obtaining, andinstallingcertificatesonyourserver,see“ReadyingCertificates”onpage168. SendingmessagestomultiplerecipientsoveraninternaliChatseverdoesnotrequire aMobileMeidentity.TheinternaliChatserver(jabberd)requiresaserver-sideSSL certificatethatisusedbyeachclienttoestablishanSSLsession(similartoawebaccess session).AMobileMecertificateisrequiredtoestablishencryptedsessionsbetween twoiChatclientscommunicatingusingtext,audio,andvideo. TosecurelyconfigureiChatservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectiChatintheComputers&Serviceslist. 3 ClickSettings,thenclickGeneral. 4 ClicktheAdd(+)buttontoaddhostdomains. TheHostDomainslistdesignatesthedomainnamesyouwantiChattosupport. Initially,theserverhostnameisshown.Youcanaddorremoveothernamesthat resolvetotheiChatserviceIPaddresssuchasaliasesdefinedinDNS.Whenstarting iChat,youmustspecifyaDNSfortheservice. HostdomainsareusedtoconstructJabberIDs,whichidentifyiChatusers.Anexample [email protected]. 5 FromtheSSLCertificatepop-upmenu,chooseanSSLcertificate. ThemenulistsallSSLcertificatesthathavebeeninstalledontheserver. Tocreateoraddcertificates,chooseManageCertificatesfromtheSSLCertificate pop-upmenu. 6 ChoosethemethodofauthenticationfromtheAuthenticationpop-upmenu: ChooseStandardifyouwantiChattoonlyacceptpasswordauthentication. ChooseKerberosifyouwantiChattoonlyacceptKerberosauthentication. ChooseAnyMethodifyouwantiChattoacceptpasswordandKerberosauthentication. 7 TopermitiChattocommunicatewithotherXMPP-compliantchatservers,select “EnableXMPPserver-to-serverfederation.” 8 IfyouareusingacertificatewithiChat,select“Requiresecureserver-to-server federation.” 226 Chapter14SecuringCollaborationServices ThisoptionrequiresanSSLcertificatetobeinstalled,whichisusedtosecurethe server-to-serverfederation. 9 Torestrictserver-to-servercommunicationtoserversthatarelisted,select“Allow federationwiththefollowingdomains.” YoucanaddorremovedomainsusingtheAdd(+)orDelete(–)buttonsbelowthelist. 10 ClickSave,andthenclickStartService. 11 MakesuretheiChatserver’sOpenDirectorysearchpathincludesdirectorieswhere usersandgroupmembersthatyouwanttocommunicateusingiChatserviceare defined. TheOpenDirectoryAdministrationGuideexplainshowtosetupsearchpaths. AnyuserorgroupmemberdefinedintheOpenDirectorysearchpathisnow authorizedtouseiChatserviceontheserver,unlessyoudenythemaccessto iChatservice. Fromthecommandline: # Securely configure iChat service. # To select an iChat server certificate: sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/ Default.crtkey" # (Or replace the path with the full path to the certificate that you want # to select.) # Restart the service if it is running: sudo serveradmin stop jabber; sudo serveradmin start jabber # To sudo sudo sudo select an iChat server auth method use one of the following: serveradmin settings jabber:authLevel = "ANYMETHOD" serveradmin settings jabber:authLevel = "KERBEROS" serveradmin settings jabber:authLevel = "STANDARD" # Then restart the service: sudo serveradmin stop jabber sudo serveradmin start jabber UsingCertificatestoSecureS2SCommunication UsingServerAdmin,youcansecureS2Scommunicationwithcertificates. Bydefault,iChatselectsaportusingapreinstalled,self-signedSSLcertificate.Youcan selectyourowncertificate.Theselectedcertificateisusedforclient-to-server communicationsonports5222and5223andforserver-to-servercommunications. Chapter14SecuringCollaborationServices 227 Jabberprovidesthefollowingports:  5222acceptsTLSencryption  5223acceptsSSLencryption SSLencryptsyourchatmessageoverthenetworkbetweenclient-to-serverandserverto-serverconnections.However,ifyouriChatserverisloggingchatmessages,your messagesarestoredinaunencryptedformatthatcanbeeasilyviewedbyyourserver administrator. Toselectacertificate: 1 OpenServerAdminandconnecttotheserver. 2 SelectiChatintheComputers&Serviceslist. 3 ClickSettings,thenclickGeneral. 4 FromtheSSLCertificatepop-upmenu,chooseanSSLcertificate. ThemenulistsallSSLcertificatesthatareinstalledontheserver. Tocreateoraddcertificates,chooseManageCertificatesfromtheSSLCertificate pop-upmenu. 5 ClickSave. Fromthecommandline: # # Select a certificate. # -------------------sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/ Default.crtkey" AdditionalSecurityEnhancements Foradditionalsecurityenhancements,youcanfurtherrestricttheiChatserviceby usingSACLsandfirewallrules.Theseareconfiguredbasedonyourorganization’s networkenvironment. YoucanconfigureSACLstorestrictiChataccesstospecificusersorgroups.Formore informationaboutconfiguringSACLs,see“SettingServiceAccessControlLists(SACLs)” onpage183. YoucanconfigurefirewallrulesthatpreventiChatconnectionsfromunintended sources.Formoreinformation,see“CreatingFirewallServiceRules”onpage216. 228 Chapter14SecuringCollaborationServices ViewingiChatServiceLogs iChatserviceloggingisimportantforsecurity.Withlogs,youcanmonitorandtrack communicationthroughtheiChatservice.AccesstheiChatservicelog,/var/log/ system.log,usingServerAdmin. ToviewtheiChatservicelog: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofservicesappears. 3 ClickiChat. 4 ClickLogsandthenchoosealogfromtheViewpop-upmenu. Fromthecommandline: # View the iChat service log. # -------------------------sudo tail /var/log/server.log | grep jabberd SecuringWikiService Thelevelofwebsitesecuritydeterminesthelevelofwikisecurity.Wikisecurityis establishedwhenthewebsitethatthewikiisconfiguredonissecure. DisablingWikiService Ifyourserverdoesnotprovidewikiservice,disablethewikiportionofthewebservice software.Disablingwikiservicedoesnotpreventpotentialvulnerabilitieswithother websiteshostedontheserver. Todisablewikiservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSites. 4 Selectthewebsitethathoststhewiki. 5 ClickWebServices. 6 DeselectWikis. Chapter14SecuringCollaborationServices 229 Fromthecommandline: # --------------------------------------------------------------------# Securing Wiki Service # --------------------------------------------------------------------# Disable Wiki service. # ------------------sudo serveradmin stop teams SecurelyConfiguringWikiServices Methodsyoucanusetohelpsecuredatamovingtoandfromyourwikiincludethe following:  SetupSSLforthewebsiteyourwikiisrunningon.SSLprovidessecurityforasite anditsusersbyauthenticatingtheserver,encryptinginformation,andmaintaining messageintegrity.Formoreinformation,see“EnablingSecureSocketsLayer(SSL)” onpage276.  Restrictusersandgroupsthatcancreatewikipagesonyourwebsitebyaddingusers andgroupstothewebserviceslist.Formoreinformation,see“SecuringWeb Service”onpage271. ViewingWikiServiceLogs Wikiserviceloggingisimportantforsecurity.Withlogs,youcanmonitorandtrack communicationthroughthewikiservice.Accessthewikiservicelogs,/Library/Logs/ wikid/error.logand/Library/Logs/wikid/access.log,usingServerAdmin. Toviewthewikiservicelog: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofservicesappears. 3 ClickWiki. 4 ClickLogsandthenchoosealogfromtheViewpop-upmenu. Fromthecommandline: # # View the wiki service log. # -------------------------sudo tail /Library/Logs/wikid/access.log 230 Chapter14SecuringCollaborationServices SecuringPodcastProducerService TosecurePodcastProducerservice,disableitifyoudon’tuseit.Ifyouusetheservice, useServerAdmintocontrolaccesstoworkflowsandcameras. DisablingPodcastProducerService IfyourserverisnotaPodcastProducerserver,disablethePodcastProducerserver software.Disablingthesoftwarepreventspotentialvulnerabilitiesonyourcomputer. TodisablePodcastProducerservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectPodcastProducerintheComputers&Serviceslist. 3 ClickStopPodcastProducer. Fromthecommandline: # --------------------------------------------------------------------# Securing Podcast Producer Service # --------------------------------------------------------------------# Disable Podcast Producer service. # -------------------------------sudo serveradmin stop pcast SecurelyConfiguringPodcastProducerService ToprotectthePodcastProducerservicefrombeingexploited,controlaccessto workflowsandcamerasusingServerAdmin. Tocontrolaccesstoaworkflow: 1 OpenServerAdmin. 2 SelectPodcastProducerintheComputers&Serviceslist. 3 ClickWorkflows. 4 SelectaworkflowintheWorkflowlist. 5 Torestrictaccesstotheworkflow,click“Allowaccesstoworkflownameforthefollowing usersandgroups.” 6 Clickthe(+)buttontoaddusersandgroupstothelistofusersandgroupsthatcan accesstheselectedworkflow. IntheUsersandGroupswindow,clickUsersanddraguserstothelist. IntheUsersandGroupswindow,clickGroupsanddraggroupstothelist. Todeleteusersandgroupsfromthelist,selectthemandclick(-). 7 ClickSave. Chapter14SecuringCollaborationServices 231 Tocontrolaccesstoacamera: 1 OpenServerAdmin. 2 IntheComputersandServiceslist,selectPodcastProducer. 3 ClickCameras. 4 SelectacameraintheCameraslist. 5 Torestrictaccesstothecamera,click“Allowaccesstocameranameforthefollowing usersandgroups.” 6 Clickthe(+)buttontoaddusersandgroupstothelistofusersandgroupsthatcan accesstheselectedcamera. IntheUsersandGroupswindow,clickUsersanddraguserstothelist. IntheUsersandGroupswindow,clickGroupsanddraggroupstothelist. Todeleteusersorgroupsfromthelist,selectthemandclick(-). 7 ClickSave. ViewingPodcastProducerServiceLogs PodcastProducerserviceloggingisimportantforsecurity.Withlogs,youcanmonitor andtrackcommunicationthroughthePodcastProducerservice.AccessthePodcast Producerservicelog,/Library/Logs/pcastserverd/application.log,usingServerAdmin. ToviewthePodcastProducerservicelog: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofservicesappears. 3 ClickPodcastProducer. 4 ClickLogsandthenchoosealogfromtheViewpop-upmenu. Fromthecommandline: # # View the Podcast Producer service log. # ------------------------------------sudo tail /Library/Logs/pcastserverd/pcastserverd_out.log 232 Chapter14SecuringCollaborationServices 15 SecuringMailService 15 Usethischaptertolearnhowtosecuremailservice. Mailserviceiscrucialintoday’sdispersedworkenvironments.Protectyourmailby usingencryption,adaptivejunkmailfiltering,andvirusdetection. MailserviceinSnowLeopardServerallowsnetworkuserstosendandreceivemailover yournetworkoracrosstheInternet. MailservicesendsandreceivesmailusingthefollowingstandardInternetmail protocols:InternetMessageAccessProtocol(IMAP),PostOfficeProtocol(POP),and SimpleMailTransferProtocol(SMTP). MailservicealsousesaDomainNameSystem(DNS)servicetodeterminethe destinationIPaddressofoutgoingmail. SnowLeopardServerusesCyrustoprovidePOPandIMAPservice.Moreinformation aboutCyruscanbefoundatasg.web.cmu.edu/cyrus. SnowLeopardServerusesPostfixasitsmailtransferagent(MTA).Postfixfullysupports SMTP.Yourmailuserswillsettheirmailapplication’soutgoingmailservertoyour SnowLeopardServerrunningPostfix,andaccessincomingmailfroma SnowLeopardServerrunningincomingmailservice.MoreinformationaboutPostfix canbefoundatwww.postfix.org. Formoreinformationaboutconfiguringmailservice,seeMailServiceAdministration. 233 DisablingMailService Ifyourserverisnottomailserver,disablethemailservicesoftware.Disablingthe servicepreventspotentialvulnerabilitiesonyourserver.Todisablemailservice,turn offsupportfortheIMAP,SMTP,andPOPprotocolsthatarenotrequired.mailservice isenabledbydefault(exceptinAdvancedmode),soverificationisrecommended. Todisablemailserviceprotocols: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheGeneraltab. 4 Makesureatleastoneprotocol(SMTP,POP,orIMAP)isenabled. 5 ClickStopServiceinthemenubar. Whentheserviceisturnedon,theStopServicebuttonisavailable. Fromthecommandline: # --------------------------------------------------------------------# Securing Mail Service # --------------------------------------------------------------------# Disable mail service protocols # ------------------------------sudo serveradmin settings mail:imap:enable_pop = no sudo serveradmin settings mail:imap:enable_imap = no sudo serveradmin settings mail:postfix:enable_smtp = no ConfiguringMailServiceforSSL Ifmailserviceprotocolsarerequired,protecttheircommunicationsusingSecure SocketsLayer(SSL).SSLconnectionsensurethatthedatasentbetweenyourmail serverandyourusers’mailclientsisencrypted.Thisallowssecureandconfidential transportofmailmessagesacrossalocalnetwork. SSLtransportdoesn’tprovidesecureauthentication.Itprovidessecuretransferfrom yourmailservertoyourclients.Forsecureauthenticationinformation,seeOpen DirectoryAdministration. Forincomingmail,mailservicesupportssecuremailconnectionswithmailclient softwarethatrequeststhem.IfamailclientrequestsanSSLconnection,mailservice cancomplyifthatoptionisenabled.mailservicestillprovidesnon-SSL(unencrypted) connectionstoclientsthatdon’trequestSSL.Theconfigurationofeachmailclient determineswhetheritconnectswithSSLornot. 234 Chapter15SecuringMailService Foroutgoingmail,mailservicesupportssecuremailconnectionsbetweenSMTP servers.IfanSMTPserverrequestsanSSLconnection,mailservicecancomplyifthat optionisenabled.mailservicecanstillallownon-SSL(unencrypted)connectionsto mailserversthatdon’trequestSSL. EnablingSecureMailTransportwithSSL MailservicerequiresconfigurationtoprovideSSLconnectionsautomatically.Thebasic stepsareasfollows: Step1:Obtainasecuritycertificate Thiscanbedoneinthefollowingways:  GetacertificatefromaCertificateAuthority(CA).  GenerateaCertificateSigningRequest(CSR)andcreateakeychain.  UsetheCSRtoobtainacertificatefromanissuingCAorcreateaself-signed certificateinServerAdmin’sCertificateManager.  LocateanexistingcertificatefromapreviousinstallationofSnowLeopardServer. Ifyouhavealreadygeneratedasecuritycertificateinapreviousversionof Leopard_Server,youcanimportitforuse. Step2:ImportthecertificateintoServerAdmin’sCertificateManager YoucanuseCertificateManagertodraganddropcertificateinformationoryoucan provideCertificateManagerwiththepathtoanexistinginstalledcertificate. Step3:Configuretheservicetousethecertificate ForinstructionsforallowingorrequiringSSLtransport,seethefollowingsections:  “ConfiguringSSLTransportforPOPConnections”onpage236  “ConfiguringSSLTransportforIMAPConnections”onpage237  “ConfiguringSSLTransportforSMTPConnections”onpage239 EnablingSecurePOPAuthentication YourPOPmailservicecanprotectuserpasswordsbyallowingAuthenticatedPOP (APOP)orKerberos.WhenauserconnectswithAPOPorKerberos,theuser’smailclient softwareencryptstheuser’spasswordbeforesendingittoyourPOPservice. Beforeconfiguringmailservicetorequiresecureauthentication,makesurethatusers’ mailapplicationsanduseraccountssupportthemethodofauthenticationyouchoose. BeforeenablingKerberosauthenticationforincomingmailservice,youmustintegrate SnowLeopardwithaKerberosserver.Ifyou’reusingSnowLeopardServerforKerberos authentication,thisisalreadydoneforyou.Formoreinformation,seeOpenDirectory Administration. Ifyouwanttorequireeitheroftheseauthenticationmethods,enableonlyonemethod. Chapter15SecuringMailService 235 TosetthePOPauthenticationmethod: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheAdvancedtab. 4 SelectSecurity. 5 ClicktheAPOPorKerberoscheckboxinthePOP3list. 6 ClickSave. Fromthecommandline: # Set the POP authentication method: sudo serveradmin settings mail:imap:pop_auth_apop = no sudo serveradmin settings mail:imap:pop_auth_clear = no sudo serveradmin settings mail:imap:pop_auth_gssapi = no ConfiguringSSLTransportforPOPConnections SSLtransportenablesmailtransmittedoverthenetworktobesecurelyencrypted. YoucanchooseRequire,Use,orDon’tUseSSLforPOP(andIMAP)connections.Before usingSSLconnections,youmusthaveasecuritycertificateformailuse. SettingSSLtransportforPOPalsosetsitforIMAP. TosetSSLtransportforPOPconnections: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheAdvancedtab. 4 SelectSecurity. 5 IntheIMAPandPOPSSLpop-upmenus,selectRequireorUsetoenable(orDon’tUse todisable). 6 Selectthecertificateyouwanttousefromthecorrespondingpop-upmenu,ifyouare usingorrequiringSSL. 7 ClickSave. Fromthecommandline: # Set SSL transport for POP connections: sudo serveradmin settings mail:imap:tls_server_options = "use" 236 Chapter15SecuringMailService EnablingSecureIMAPAuthentication YourIMAPmailservicecanprotectuserpasswordsbyrequiringthatconnections useasecuremethodofauthentication.YoucanchooseCRAM-MD5orKerberosv5 authentication. Whenauserconnectswithsecureauthentication,theuser’smailclientsoftware encryptstheuser’spasswordbeforesendingittoyourIMAPservice.Makesurethat yourusers’mailapplicationsanduseraccountssupportthemethodofauthentication youchoose. IfyouconfiguremailservicetorequireCRAM-MD5,youmustsetmailaccountstouse aSnowLeopardServerPasswordServerthathasCRAM-MD5enabled.Forinformation, seeOpenDirectoryAdministration. BeforeenablingKerberosauthenticationforincomingmailservice,youmustintegrate SnowLeopardServerwithaKerberosserver.Ifyou’reusingSnowLeopardServerfor Kerberosauthentication,thisisdoneforyou.Forinstructions,seeOpenDirectory Administration. Ifyouwanttorequireanyoftheseauthenticationmethods,enableonlyonemethod. TosetsecureIMAPauthentication: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheAdvancedtab. 4 SelectSecurity. 5 SelectCRAMMD-5orKerberos(asneeded)intheIMAPsection. 6 ClickSave. Fromthecommandline: # Set secure IMAP authentication: sudo serveradmin settings mail:imap:imap_auth_login = no sudo serveradmin settings mail:imap:imap_auth_plain = no sudo serveradmin settings mail:imap:imap_auth_gssapi = no sudo serveradmin settings mail:imap:imap_auth_clear = no sudo serveradmin settings mail:imap:imap_auth_cram_md5 = no ConfiguringSSLTransportforIMAPConnections SSLtransportenablesmailtransmittedoverthenetworktobesecurelyencrypted. YoucanchooseRequire,Use,orDon’tUseSSLforIMAPconnections.BeforeusingSSL connections,youmusthaveasecuritycertificateformailuse. SettingSSLtransportforIMAPalsosetsitforPOP. Chapter15SecuringMailService 237 ToconfigureSSLtransportforIMAPconnections: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheAdvancedtab. 4 SelectSecurity. 5 Fromthepop-upmenusintheIMAPandPOPSSLsectionclickRequireorUseto enable(Don’tUsetodisable). 6 SelecttheCertificateyouwanttousefromthecorrespondingpop-upmenu,ifyouare usingorrequiringSSL. 7 ClickSave. Fromthecommandline: # Configure SSL transport for IMAP connections (same as POP) sudo serveradmin settings mail:imap:tls_server_options = "use" EnablingSecureSMTPAuthentication YourservercanguardagainstbeinganopenrelaybyallowingSMTPauthentication. (Anopenrelayindiscriminatelyrelaysmailtoothermailservers.)Youcanconfigure mailservicetorequiresecureauthenticationusingCRAM-MD5orKerberos. Youcanalsoallowthelesssecureplainandloginauthenticationmethods,whichdon’t encryptpasswords,ifsomeusershavemailclientsoftwarethatdoesn’tsupportsecure methods. IfyouconfiguremailservicetorequireCRAM-MD5,mailusers’accountsmustbesetto useapasswordserverthathasCRAM-MD5enabled.Forinformation,seeOpenDirectory Administration. BeforeenablingKerberosauthenticationforincomingmailservice,youmustintegrate SnowLeopardServerwithaKerberosserver.Ifyou’reusingSnowLeopardServerfor Kerberosauthentication,thisisdoneforyou.Forinstructions,seeOpenDirectory Administration. EnablingSMTPauthenticationwill:  Makeyourusersauthenticatewiththeirmailclientbeforeacceptingmailtosend.  Frustratemailserverabuserstryingtosendmailwithoutyourconsentthrough yoursystem. Ifyouwanttorequireanyoftheseauthenticationmethods,enableonlyonemethod. 238 Chapter15SecuringMailService ToallowsecureSMTPauthentication: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheAdvancedtab. 4 SelectSecurity. 5 IntheSMTPsection,clicktheCRAMMD-5orKerberoscheckbox. 6 ClickSave. Fromthecommandline: # Allow secure SMTP authentication: sudo serveradmin settings mail:postfix:smtpd_sasl_auth_enable = yes sudo serveradmin settings mail:postfix:smtpd_use_pw_server = "yes" sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "gssapi" sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "crammd5" sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "login" sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "plain" ConfiguringSSLTransportforSMTPConnections SSLtransportenablesmailtransmittedoverthenetworktobesecurelyencrypted.You canchooseRequire,Use,orDon’tUseSSLforIMAPconnections.BeforeusingSSL connections,youmusthaveasecuritycertificateformailuse. ToconfigureSSLtransportforSMTPconnections: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheAdvancedtab. 4 SelectSecurity. 5 IntheSMTPSSLsection,clickRequireorUsetoenable(orDon’tUsetodisable). 6 Selectthecertificateyouwanttousefromthecorrespondingpop-upmenu,ifyouare usingorrequiringSSL. 7 ClickSave. Chapter15SecuringMailService 239 Fromthecommandline: # Configure SSL transport for SMTP connections: sudo serveradmin settings mail:postfix:smtpd_use_tls = "yes" UsingACLsforMailServiceAccess AccessControlLists(ACLs)areamethodofdesignatingserviceaccesstospecificusers orgroupsonanindividualbasis.Forexample,youcanuseanACLtoallowonlyone usertoaccessafileserverorshelllogin,withoutallowingotherusersontheserverto accessit. MailservicesaredifferentfromservicesthattraditionallyuseACLsfordetermining serviceaccess.mailserviceisalreadyspecifiedonaper-userbasis.Eitheryouhavea mailaccountonaserveroryoudon’t.Beingauseronaserverdoesn’tautomatically conferaccesstomailstorageandretrieval. SomeadministratorsfinditeasiertodesignatemailaccessusingACLsiftheyaredoing alltheirotherconfigurationusingACLs.Theyalsomighthavemixednetwork environmentsthatnecessitateusingACLstoassignmailaccess. SnowLeopardServerallowsyoutoenablemailaccessforusersusingtheAccesstabin aserver’sServerAdminlisting.IfyouenableduseraccessviaServerAdminand traditionalmailaccessusingWorkgroupManager,thesettingsinteractinthefollowing manner: Accessvia Accessvia Workgroup ACL Manager Result On On UserhasmailaccessgrantedaccordingtotheIMAPorPOPsettings intheGeneralSettingsMailpanelinServerAdmin. On Off UserhasmailaccessgrantedaccordingtotheIMAPorPOPsettings intheGeneralSettingsMailpanelinServerAdmin. Off On Userhasmailaccessgrantedaccordingtohisorheruserrecord settingsinWorkgroupManager.Thisisthedefault. Off Off Userhasnomailaccess. Toenableauser’smailaccessusingACLs: 1 InServerAdmin,selecttheserverthathasmailservicerunningandthenclickSettings. 2 SelectAccess,thenclickServices. 3 SelectMailfromtheServiceslist. 4 Deselect“Usesameaccessforallservices.” 5 Select“Allowonlyusersandgroupbelow.” 240 Chapter15SecuringMailService 6 ClicktheAdd(+)buttontorevealaUsersandGroupslist. 7 Dragtheuserorgrouptotheaccesslist. 8 ClickSave. Fromthecommandline: # Enable a user’s mail access using ACLs sudo dseditgroup -o edit -a $USER -t user com.apple.access_mail LimitingJunkMailandViruses Youcanconfiguremailservicetodecreasethevolumeofunsolicitedcommercialmail, alsoknownasjunkmail(orspam),andmailcontainingviruses.Youcantakestepsto blockjunkmailorvirusesthataresenttomailusers.Additionally,youcansecureyour serveragainstusebymailserviceabusers,whotrytouseyourresourcestosendjunk mailtoothers. Youcanalsopreventsendersofjunkmailfromusingyourserverasarelaypoint. Arelaypointoropenrelayisaserverthatunselectivelyreceivesandforwardsmail addressedtootherservers.Anopenrelaysendsmailfromanydomaintoanydomain. JunkmailsendersexploitopenrelayserverstoavoidhavingtheirSMTPservers blacklistedassourcesofjunkmail.Youdon’twantyourserverblacklistedasanopen relaybecauseotherserversmayrejectmailfromyourusers. Therearetwomainmethodsofpreventingvirusesandjunkmailpassingthroughor intoyourmailsystem.Usingbothmethodswillhelpensureyourmailsystemintegrity. Thetwomethodsare:  “ConnectionControl”onpage241  “MailScreening”onpage245 ConnectionControl Thismethodofpreventioncontrolswhichserverscanconnecttoyourmailsystemand whatthoseserversmustdotosendmailthroughyourmailsystem.Yourmailservice candoanyofthefollowingtoexerciseconnectioncontrol:  RequireSMTPauthentication  RestrictSMTPrelay,allowingrelayonlybyapprovedservers  RejectSMTPconnectionsfromdisapprovedservers  Rejectmailfromblacklistedservers  FilterSMTPconnections Thesemethodsareexplainedonthefollowingpages. Chapter15SecuringMailService 241 RequiringSMTPAuthentication IfyourmailservicerequiresSMTPauthentication,yourservercannotbeusedasan openrelaybyanonymoususers.Someonewhowantstouseyourserverasarelay pointmustfirstprovidethenameandpasswordofauseraccountonyourserver. AlthoughSMTPauthenticationappliesprimarilytomailrelay,yourlocalmailusers mustalsoauthenticatebeforesendingmail.Thismeansyourmailusersmusthave mailclientsoftwarethatsupportsSMTPauthenticationortheycan’tsendmailto remoteservers.Mailsentfromexternalmailserversandaddressedtolocalrecipients isstillacceptedanddelivered. TorequireSMTPauthentication,see“EnablingSecureSMTPAuthentication”on page238. RestrictingSMTPRelay YourmailservicecanrestrictSMTPrelaybyallowingonlyapprovedhoststorelaymail. Youcreatethelistofapprovedservers. Approvedhostscanrelaythroughyourmailservicewithoutauthenticating.Serversnot onthelistcannotrelaymailthroughyourmailserviceunlesstheyauthenticatefirst.All hosts,approvedornot,candelivermailtoyourlocalmailuserswithoutauthenticating. Yourmailservicecanlogconnectionattemptsmadebyhostsnotonyourapproved list. TorestrictSMTPrelay: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheRelaytab. 4 Clickthe“AcceptSMTPrelaysonlyfromthese”checkbox. 5 Editthelistofhosts:  ClicktheAdd(+)buttontoaddahosttothelist.  ClicktheRemove(–)buttontodeleteaselectedhostfromthelist.  ClicktheEdit(/)buttontochangeaselectedhostfromthelist. Whenaddingtothelist,youcanuseavarietyofnotations.  EnterasingleIPaddressorthenetwork/netmaskpattern,suchas192.168.40.0/21.  Enterahostname,suchasmail.example.com.  EnteranInternetdomainname,suchasexample.com. 242 Chapter15SecuringMailService Fromthecommandline: # Restrict SMTP relay: sudo serveradmin settings mail:postfix:mynetworks_enabled = yes SMTPAuthenticationandRestrictedSMTPRelayCombinations ThefollowingtabledescribestheresultsofusingSMTPauthenticationandrestricted SMTPrelayinvariouscombinations. SMTPrequires Restricted authentication SMTPrelay Result On Off Allmailserversmustauthenticatebeforeyourmailserviceaccepts mailforrelay.Yourlocalmailusersmustalsoauthenticatetosend mailout. On On Approvedmailserverscanrelaywithoutauthentication.Servers youhaven’tapprovedcanrelayafterauthenticatingwithyourmail service. Off On Yourmailservicecan’tbeusedforopenrelay.Approvedmail serverscanrelay(withoutauthenticating).Serversthatyouhaven’t approvedcan’trelayunlesstheyauthenticate,buttheycandeliver toyourlocalmailusers.Yourlocalmailusersdon’tneedto authenticatetosendmail. Thisisthemostcommonconfiguration. RejectingSMTPConnectionsfromSpecificServers YourmailservicecanrejectunauthorizedSMTPconnectionsfromhostson adisapproved-hostslistthatyoucreate.Mailtrafficfromhostsonthislistis deniedandSMTPconnectionsareclosedafterpostinga554SMTPconnection refusederror. TorejectunauthorizedSMTPconnectionsfromspecificservers: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheRelaytab. 4 Clickthe“Refuseallmessagesfromthese”checkbox. 5 Editthelistofservers:  ClicktheAdd(+)buttontoaddahosttothelist.  ClicktheRemove(–)buttontodeletetheselectedhostfromthelist.  ClicktheEdit(/)buttontochangetheselectedhostfromthelist. Chapter15SecuringMailService 243 Whenaddingtothelist,youcanusethefollowingnotations:  EnterasingleIPaddressorthenetwork/netmaskpattern,suchas192.168.40.0/21.  Enterahostname,suchasmail.example.com.  EnteranInternetdomainname,suchasexample.com. Fromthecommandline: # Reject unauthorized SMTP connections: sudo serveradmin settings mail:postfix:smtp_reject_list_enabled = yes sudo serveradmin settings mail:postfix:smtp_reject_list:_array_index:0 = "$NETWORK" RejectingMailfromBlacklistedSenders YourmailservicecanrejectmailfromSMTPserversthatareblacklistedasopenrelays byaReal-timeBlacklist(RBL)server.YourmailserviceusesanRBLserverthatyou specify.RBLsarealsocalledblack-holeservers. Blockingunsolicitedmailfromblacklistedsendersmightnotbecompletelyaccurate. Sometimesitpreventsvalidmailfrombeingreceived. Torejectmailfromblacklistedsenders: 1 InServerAdmin,selectMailintheComputers&Servicespane. 2 ClickSettings. 3 SelecttheRelaytab. 4 Clickthe“Usethesejunkmailrejectionservers”checkbox. 5 EditthelistofserversbyaddingtheDNSnameofanRBLserver:  ClicktheAdd(+)buttontoaddaservertothelist,thenenterthedomainname ofaRBLserver,suchasrbl.example.com.  ClicktheRemove(–)buttontodeleteaserverfromthelist.  ClicktheEdit(/)buttontochangeaserver. Fromthecommandline: # Reject mail from blacklisted senders: sudo serveradmin settings mail:postfix:black_hole_domains:_array_index:0 = "$BLACKLIST_SERVER" sudo serveradmin settings mail:postfix:maps_rbl_domains_enabled = yes 244 Chapter15SecuringMailService FilteringSMTPConnections YoucanusefirewallserviceofSnowLeopardServertoallowordenyaccesstoyour SMTPmailservicefromspecificIPaddresses.Filteringdisallowscommunication betweenanoriginatinghostandyourmailserver.mailservicedoesn’treceivethe incomingconnectionandnoSMTPerrorisgeneratedorsentbacktotheclient. TofilterSMTPconnections: 1 InServerAdmin,selectFirewallintheComputers&Servicespane. 2 CreateafirewallIPfilterusingtheinstructionsinNetworkServicesAdministration,using thefollowingsettings:      Access:denied Portnumber:25(oryourincomingSMTPport,ifyouuseanonstandardport) Protocol:TCP Source:theIPaddressoraddressrangeyouwanttoblock Destination:yourmailserver’sIPaddress 3 Ifneeded,logthepacketstomonitortheSMTPabuse. 4 AddmorefiltersfortheSMTPporttoallowordenyaccessfromotherIPaddressesor addressranges. Foradditionalinformationaboutfirewallservice,seeNetworkServicesAdministration. MailScreening Afteramaildeliveryconnectionismadeandthemessageisacceptedforlocaldelivery (relayedmailisnotscreened),themailservercanscreenitbeforedelivery. SnowLeopardServerusesSpamAssassin(fromspamassassin.apache.org)toanalyze thetextofamessage,andgivesitaprobabilityratingforbeingjunkmail. Nojunkmailfilteris100%accurateinidentifyingunwantedmail.Forthisreasonthe junkmailfilterinSnowLeopardServerdoesn’tdeleteorremovejunkmailfrombeing delivered.Instead,itmarksthemailaspotentialjunkmail. Theusercanthendecideifit’sreallyunsolicitedcommercialmailanddealwithit accordingly.ManymailclientsusetheratingsthatSpamAssassinaddsasaguidein classifyingmailfortheuser. SnowLeopardServerusesClamAV(fromwww.clamav.net)toscanmailmessagesfor viruses.Ifasuspectedvirusisfound,youcandealwithitinseveralways,asdescribed in“EnablingJunkMailScreening(BayesianFilters)”onpage245.Virusdefinitionsare keptuptodate(ifenabled)viatheInternetusingaprocesscalledfreshclam. EnablingJunkMailScreening(BayesianFilters) Beforeyoucanbenefitfrommailscreening,itmustbeenabled.Whileenabling screening,youconfigurescreeningparameters. Chapter15SecuringMailService 245 Bayesianmailfilteringistheclassificationofmailmessagesbasedonstatistics.Each messageisanalyzedandwordfrequencystatisticsaresaved.Mailmessagesthathave moreofthesamewordsasthoseinjunkmailreceiveahighermarkingofprobability thattheyarealsojunkmail.Whenthemessageisscreened,theserveraddsaheader (“X-Spam-Level”)withthejunkmailprobabilityscore. Forexample,let’ssayyouhave400mailmessageswhere200ofthemarejunkmailand 200aregoodmail.Whenamessagearrives,itstextiscomparedtothe200junkmail andthe200goodmessages.Thefilterassignstheincomingmessageaprobabilityof beingjunkorgood,dependingonwhatgroupitmostresembles. Bayesianfilteringhasshownitselftobeaveryeffectivemethodoffindingjunkmail,if thefilterhasenoughdatatocompare.Oneofthestrengthsofthismethodisthemore mailyougetandclassify(aprocesscalledtraining),themoreaccuratethenextround ofclassificationis.Evenifjunkmailsendersaltertheirmailings,thefiltertakesthatinto accountthenexttimearound. Toenablejunkmailscreening: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheFilterstab. 4 SelectScanMailforJunkMail. 5 Setthelevelofpermissiveness(Cautious,Moderate,Aggressive). Thepermissivenessmetersetshowmanyjunkmailflagscanbeappliedtoamessage beforeitisprocessedasjunkmail.Ifyousetitto“Leastpermissive,”mildlysuspicious mailistaggedandprocessedasjunkmail.Ifyousetitto“Mostpermissive”ittakesa highscore(inotherwords,manyjunkmailcharacteristics)tomarkitasjunk. 6 Decidehowtodealwithjunkmailmessages.  Bounced:Sendsthemessagebacktothesender.Youcanoptionallysendamail notificationofthebouncetoamailaccount,probablythepostmaster.  Deleted:Deletesthemessagewithoutdelivery.Youcanoptionallysendamail notificationofthebouncetoamailaccount,probablythepostmaster.  Delivered:Deliversthemessageeventhoughit’sprobablyjunkmail.Youcan optionallyaddtexttothesubjectline,indicatingthatthemessageisprobablyjunk mail,orencapsulatethejunkmailasaMIMEattachment.  Redirected:Deliversthemessagetosomeoneotherthantheintendedrecipient. 7 Choosehowoftentoupdatethejunkmaildatabaseupdated,ifdesired. 8 ClickSave. Foranexplanationofotheroptions,see“FilteringMailbyLanguageandLocale”on page248. 246 Chapter15SecuringMailService Fromthecommandline: # Enable junk mail screening: sudo serveradmin settings mail:postfix:spam_scan_enabled = yes ManuallyTrainingtheJunkMailFilter It’simportanttoteachthefilterwhatisandisn’tjunkmail.Initially,thefilterwon’tbe veryaccurateatmarkingjunkmail,butyoucantrainittodobetter.Accuratetraining requiresalargesample,soaminimumof200messagesofeachtypeisadvised. Totrainthefilter: 1 Chooseamailboxof200messagesmadeofonlyjunkmail. 2 UseTerminalandthefilter’scommand-linetrainingtooltoanalyzeitandrememberit asjunkmailusingthefollowingcommand: sudo sa-learn --showdots --spam <junk mail directory>/* 3 Chooseamailboxof200messagesmadeofonlygoodmail. 4 UseTerminalandthefilter’scommand-linetrainingtooltoanalyzeitandrememberit asgoodmailusingthefollowingcommand: sudo sa-learn --showdots --ham <junk mail directory>/* Ifthejunkmailfilterfailstoidentifyajunkmailmessage,trainitagainsoitcando betternexttime.Usesa-learnagainwiththe--spamargumentonthemislabeled message.Likewise,ifyougetafalsepositive(agoodmessagemarkedasjunkmail), usesa-learnagainwiththe--hamargumenttofurthertrainthefilter. Fromthecommandline: # Train the filter: sudo sa-learn --showdots --spam $JUNK_DIRECTORY/* sudo sa-learn --showdots --ham $NON_JUNK_DIRECTORY/* Chapter15SecuringMailService 247 AutomaticallyTrainingtheJunkMailFilter Thejunkmailfiltermustbetoldwhatisandisn’tjunkmail.SnowLeopardServer providesamethodofautomaticallytrainingthefilterwiththehelpofmailusers. Theserverrunsanautomatedcommandat1am(alaunchdrecurringevent)thatscans twospeciallynamedmailusers’inboxes.ItrunsSpamAssassin’ssa-learntoolonthe contentsoftheinboxesandusestheresultsforitsadaptivejunkmailfilter. Toautomaticallytrainthejunkmailfilter: 1 Enablejunkmailfiltering. See“EnablingJunkMailScreening(BayesianFilters)”onpage245. 2 Createtwolocalaccounts:junkmailandnotjunkmail. 3 UseWorkgroupManagertoenablethemtoreceivemail. 4 Instructyourmailuserstoredirectjunkmailmessagesthathavenotbeentaggedas junkmailtojunkmail@<yourdomain>. 5 Instructyourmailuserstoredirectrealmailmessagesthatwerewronglytaggedas junkmailtonotjunkmail@<yourdomain>. Eachdayat1am,thejunkmailfilterwilllearnwhatisjunkandwhatwasmistakenfor junk,butisnot. 6 Deletethemessagesinthejunkmailandnotjunkmailaccountsdaily. Fromthecommandline: # Automatically train the junk mail filter: sudo /etc/mail/spamassassin/learn_junk_mail FilteringMailbyLanguageandLocale Youcanfilterincomingmailbasedonlocalesorlanguages.Mailmessagescomposed inforeigntextencodingsareoftenerroneouslymarkedasjunkmail.Youcanconfigure yourmailservertonotmarkmessagesfromdesignatedoriginatingcountriesor languagesasjunkmail. Toallowmailbylanguageandlocale: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheFilterstab. 4 SelectScanEmailforJunkMail. 5 ClicktheEdit(/)buttonnexttoAcceptedLanguagestochangethelist,selectthe languageencodingstoallowasnon-junkmail,andclickOK. 248 Chapter15SecuringMailService 6 ClicktheEdit(/)buttonnexttoAcceptedLocalestochangethelist,selectthecountry codestoallowasnon-junkmail,andclickOK. 7 ClickSave. Fromthecommandline: # Allow mail by language and locale: sudo serveradmin settings mail:postfix:spam_ok_languages = "en fr de" sudo serveradmin settings mail:postfix:spam_ok_locales = "en" EnablingVirusScreening Beforeyoucanbenefitfrommailscreening,itmustbeenabled.Whileenabling screening,youconfigurescreeningparameters. SnowLeopardServerusesClamAV(fromwww.clamav.net)toscanmailmessagesfor viruses.Ifasuspectedvirusisfound,youcanchoosetodealwithitseveralways,as describedbelow.Thevirusdefinitionsarekeptuptodate(ifenabled)viatheInternet usingaprocesscalledfreshclam. Toenablevirusscreening: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheFilterstab. 4 SelectScanEmailforViruses. 5 Decidehowtodealwithmessagescontainingviruses. Bounced:Sendsthemessagebacktothesender.Youcanoptionallysendamail notificationofthebouncetoamailaccount(probablythedomain’spostmaster)and notifytheintendedrecipient. Deleted:Deletesthemessagewithoutdelivery.Youcanoptionallysendamail notificationtosomemailaccount,probablythepostmaster,aswellastheintended recipient. Quarantined:Deliversthemessagetoadirectoryforfurtheranalysis.Youcan optionallysendamailnotificationofthequarantinetosomemailaccount,probably thepostmaster. 6 Chooseifyouwanttonotifytheintendedrecipientifthemessagewasfiltered. 7 Choosehowoftentoupdatethevirusdatabase. Aminimumoftwiceadayissuggested.Someadministratorschooseeighttimesaday. 8 ClickSave. Chapter15SecuringMailService 249 Fromthecommandline: # Enable virus screening: sudo serveradmin settings mail:postfix:virus_scan_enabled = yes ViewingMailServiceLogs MailservicemaintainsthefollowinglogsthatyoucanviewinServerAdmin.Thefile locationforeachlogisshownbeneaththeShowpop-upmenu.  MailAccess:Generalmailserviceinformationgoesintothislog.  IMAPlog:IMAP-specificactivitygoesintothislog.  POPlog:POPspecificactivitygoesintothislog.  SMTPlog:SMTPspecificactivitygoesintothislog.  MailingListlogs:ThelogsrecordMailmain’sactivity,includingservice,error,delivery failures,postings,andsubscriptions.  JunkMailandViruslogs:Theseshowactivityformailfiltering,includinglogsforvirus definitionupdates(freshclamlog),virusscanning(clamavlog),andmailfiltering (amavislog). Logscanberefinedbyusingthetextfilterboxinthewindow. Toviewamailservicelog: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClicktheLogsbutton. 3 FromtheViewpop-upmenuchoosealogtype. 4 ClickSave. Fromthecommandline: # View a mail service log: sudo tail /var/log/mail.log 250 Chapter15SecuringMailService 16 SecuringAntivirusServices 16 Usethischaptertolearnhowtousetheantivirusservices builtintoyoursystemtodetectandremoveviruses. Installingantivirustoolshelpspreventinfectionofyourcomputerbyviruses,and helpspreventyourcomputerfrombecomingahostforspreadingvirusestoother computers.Thesetoolsquicklyidentifysuspiciouscontentandcomparethemto knownmaliciouscontent. SnowLeopardServerusesClamAV(fromwww.clamav.net)toscanmailmessagesand attachmentsforviruses.Ifasuspectedvirusisfound,ClamAVdeletesthemessageor quarantinesittoaspecifieddirectoryontheserverforfurtheranalysis. Thevirusdefinitionsarekeptuptodate(ifenabled)viatheInternetusingaprocess calledfreshclam. Inadditiontousingantivirustools,youshoulddevelopcomputerusagehabitsthat preventvirusinfection.Forexample,don’tdownloadoropencontentyoudidn’t specificallyrequest,andneveropenafilesenttoyoubysomeoneyoudon’tknow. Whenyouuseantivirustools,makesureyouhavethelatestvirusdefinitionfiles. Theprotectionprovidedbyyourantivirustooldependsonthequalityofyourvirus definitionfiles.Ifyourantivirustoolsupportsit,enableautomaticdownloadingof virusdefinitions. Foralistofantivirustools,seetheMacintoshProductsGuideatguide.apple.com. 251 SecurelyConfiguringandManagingAntivirusServices Thissectiondescribeshowtosecurelyconfigureandmanageantivirusservices. EnablingVirusScanning Beforeyoucanbenefitfrommailscreening,itmustbeenabled.Whileenabling screening,youconfigurescreeningparameters. Toenablevirusscreening: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClickSettings. 3 SelecttheFilterstab. 4 SelectScanEmailforViruses. 5 Decidehowtodealwithjunkmailmessages. Bounced:Sendsthemessagebacktothesender.Youcanoptionallysendamail notificationofthebouncetoamailaccount(probablythedomain’spostmaster) andnotifytheintendedrecipient. Deleted:Deletesthemessagewithoutdelivery.Youcanoptionallysendamail notificationtosomemailaccount,probablythepostmaster,aswellastheintended recipient. Quarantined:Deliversthemessagetoadirectoryforfurtheranalysis.Youcan optionallysendamailnotificationofthequarantinetosomemailaccount, probablythepostmaster. 6 Chooseifyouwanttonotifytheintendedrecipientifthemessagewasfiltered. 7 Choosehowoftentoupdatethevirusdatabase. Aminimumoftwiceadayissuggested.Someadministratorschooseeighttimesaday. 8 ClickSave. Fromthecommandline: # --------------------------------------------------------------------# Securing Antivirus Services # --------------------------------------------------------------------# Enable virus screening sudo serveradmin settings mail:postfix:virus_scan_enabled = yes 252 Chapter16SecuringAntivirusServices ManagingClamAVwithClamXav YoucanuseClamXav,afreeGUIfront-endtotheClamAVopensourceviruschecker. Thistoolallowsyouto:  Updatevirusdefinitions  Scanfilesandfoldersforviruses ClamXavperformsthefollowingtasks:  Logsresultstoalogfile  Placesinfectedfilesintoquarantine  Monitorsfoldersforchangestotheircontents YoucanaccessClamXavservicesthroughcontextualpop-upmenusintheFinder. ViewingAntivirusServicesLogs Mailservicemaintainsthefollowingjunkmailandviruslogsthatyoucanviewin ServerAdmin.ThefilelocationforeachlogisshownbeneaththeShowpop-upmenu.  JunkMail/VirusScanning(/var/log/amavis.log)  Virus(/var/log/clamav.log)  VirusDatabaseUpdates(/var/log/freshclamlog) Toviewavirusservicelog: 1 InServerAdmin,selectacomputerintheServerslist,thenselectMail. 2 ClicktheLogsbutton. 3 FromtheViewpop-upmenuchoosealogtype. 4 ClickSave. Fromthecommandline: # View a virus log: sudo tail /var/log/amavisd.log Chapter16SecuringAntivirusServices 253 17 SecuringFileServicesand Sharepoints 17 Usethischaptertolearnhowtosecurefileservices. Securelyconfiguringfileservicesisanimportantstepintheprocessofprotectingyour privatedatafromnetworkattacks. SnowLeopardServer’scross-platformfilesharingserviceshelpgroupsworkmore efficiently bylettingthemshareresources,archiveprojects,exchangeandbackupimportant documents,andconductotherfile-relatedactivities. Sharingfilesoveranetworkopensyourcomputersuptoahostofvulnerabilities.With fileservicesenabled,youareallowingaccesstofilesandfoldersonyourserver(also calledsharepoints). Formoreinformationaboutconfiguringfileservices,seeFileServicesAdministration. SecurityConsiderations Themosteffectivemethodofsecuringyournetworkistoassigncorrectprivilegesfor eachfile,folder,andsharepointyoucreate. RestrictingAccesstoFileServices UseServiceAccessControlLists(SACLs)torestrictaccesstoAFP,FTP,andSMBservices. RestrictingAccesstoEveryone Becarefulwhencreatingandgrantingaccesstosharepoints,especiallyifyou’re connectedtotheInternet.GrantingaccesstoEveryoneortoWorld(inNFSservice) canexposeyourdatatoanyoneontheInternet.ForNFS,itisrecommendedthat youdonotexportvolumestoWorldandthatyouuseKerberostoprovidesecurity forNFSvolumes. 254 RestrictingAccesstoNFSSharePoints NFSsharepointswithouttheuseofKerberosdon’thavethesamelevelofsecurityas AFPandSMB,whichrequireuserauthentication(enteringausernameandpassword) togainaccesstoasharepoint’scontents. IfyouhaveNFSclients,considersettingupasharepointtobeusedonlybyNFSusers, orconfigureNFSwithKerberos.NFSdoesn’tsupportSACLs.Formoreinformation,see “ProtocolSecurityComparison”onpage256. RestrictingGuestAccess Whenyouconfigurefileservice,youcanturnonguestaccess.Guestsareuserswho connecttotheserveranonymouslywithoutenteringausernameorpassword.Users whoconnectanonymouslyarerestrictedtofilesandfoldersthathaveprivilegesset toEveryone. Toprotectyourinformationfromunauthorizedaccess,andtopreventpeoplefrom introducingsoftwarethatmightdamageyourinformationorequipment,takethe followingprecautionsbyusingFileSharinginServerAdmin:  Dependingonthecontrolsyouwanttoplaceonguestaccesstoasharepoint, considerthefollowingoptions:  SetprivilegesforEveryonetoNoneforfilesandfoldersthatguestusersshouldn’t access.Itemswiththissettingcanbeaccessedonlybytheitem’sownerorgroup.  PutfilesavailabletoguestsinonefolderorsetoffoldersandthenassigntheRead OnlyprivilegetotheEveryonecategoryforthatfolderandeachfileinit.  AssignRead&WriteprivilegestotheEveryonecategoryforafolderonlyifguests mustbeabletochangeoradditemsinthefolder.Makesureyoukeepabackup copyofinformationinthisfolder.  Don’texportNFSvolumestoWorld.RestrictNFSexportstoasubnetoraspecificlist ofcomputers.  DisableaccesstoguestsoranonymoususersoverAFP,FTP,andSMBusingServer Admin.  Shareindividualfoldersinsteadofentirevolumes.Thefoldersshouldcontainonly thoseitemsyouwanttoshare. RestrictingFilePermissions Beforeafolderisshared,itspermissionsshouldberestrictedasmuchaspossible. Permissionsonsharepointssetasuserhomefoldersareparticularlyimportant.By default,users’homefoldersaresettoallowanyotherusertoreadtheircontents. Formoreinformationaboutsettingfilepermissions,seeChapter6,“SecuringSystem Preferences.” Chapter17SecuringFileServicesandSharepoints 255 ProtocolSecurityComparison Whensharingnetworkresources,configureyourservertoprovidethenecessary security. AFPandSMBprovidesomelevelofencryptiontosecurepasswordauthentication. AFPandSMBdonotencryptdatatransmissionsoverthenetworksoyoushouldonly usethemonasecurelyconfigurednetwork. FTPdoesnotprovidepasswordordataencryption.WhenusingFTP,makesureyour networkissecurelyconfigured.InsteadofusingFTP,considerusingthescporsftp command-linetools.Thesetoolssecurelyauthenticateandsecurelytransferfiles. Thefollowingtableprovidesacomparisonoftheprotocolsandtheirauthentication andencryptioncapabilities. Protocol Authentication AFP Cleartextandencrypted(Kerberos) Notencryptedanddataisvisibleduring passwords. transmission. DataEncryption NFS Encrypted(Kerberos)passwordand Canbeconfiguredtoencryptdatatransmission. systemauthentication. SMB Cleartextandencrypted(NTLMv1, Notencryptedanddataisvisibleduring transmission. NTLMv2,LANManager,and Kerberos)passwords. FTP Cleartextpasswords. Notencrypted.Dataissentascleartext. DisablingFileSharingServices Unlessyouusetheserverasafileserver,disablefilesharingservices.Disablingthese servicespreventsyourcomputerfrombeingusedbyanattackertoaccessother computersonyournetwork. Todisablefilesharingservices: 1 OpenServerAdminandconnecttotheserver. 2 SelectthefilesharingprotocolintheComputers&Serviceslist. YoucanchooseAFP,FTP,NFS,orSMB. 3 Click“Stop(protocolname)”belowtheComputers&Serviceslist. 4 Repeatforeachprotocol. 256 Chapter17SecuringFileServicesandSharepoints Fromthecommandline: # --------------------------------------------------------------------# Securing File Services # --------------------------------------------------------------------# Disable file sharing services. sudo serveradmin stop afp sudo serveradmin stop smb sudo serveradmin stop ftp sudo serveradmin stop nfs ChoosingaFileSharingProtocol Ifyourequirefilesharingservices,youmustchoosewhichfilesharingprotocolsare neededbeforeconfiguringtheservices.Theprotocolisconfiguredforthefoldersyou aresharing,calledsharepoints.Thesharepointsarecreatedandconfiguredusing WorkgroupManager. Mostinstallationsonlyneedonefilesharingprotocol,andyoushoulduseasfew protocolsaspossible.Limitingthenumberofprotocolsusedbyaserverlimitsits exposuretovulnerabilitiesdiscoveredinthoseprotocols.Theprotocolchoicesare:  AppleFilingProtocol(AFP):AFPisthepreferredmethodoffilesharingfor Macintoshorcompatibleclientsystems.AFPsupportsauthenticationofclients, andalsosupportsencryptednetworktransportusingSSH.  FileTransferProtocol(FTP):FTPshouldgenerallynotbeusedforfilesharing. UsetheSFTPfeatureofSSHinstead.SFTPprovidesasecuremeansofauthentication anddatatransfer,whileFTPdoesnot. TheonlysituationwhereFTPisacceptableiswhentheservermustactasafileserver foranonymoususers.ThismightbenecessaryoverWANs,wherethereisnoconcern fortheconfidentialityofdataandresponsibilityfortheintegrityofthedatarests withitsrecipient.  NetworkFileSystem(NFS):NFSisacommonfilesharingprotocolforUNIX computers.AvoidusingNFS,becauseitdoesnotperformauthenticationofits clients—itgrantsaccessbasedonclientIPaddressesandfilepermissions.Using NFSmaybeappropriateiftheclientcomputeradministrationandthenetwork aretrusted. Chapter17SecuringFileServicesandSharepoints 257  MicrosoftWindowsServerMessageBlock(SMB):SMBisthenativefilesharing protocolforMicrosoftWindows.AvoidusingSMB—itsupportsauthenticationbut doesnotsupportencryptednetworktransport,anditusesNTLMv1andNTLMv2 encryption,bothofwhichareweakpasswordhashingschemes.SMBmaybean appropriateprotocolforWindowsclientswhenthenetworkbetweentheserver andclientisnotatriskforeavesdropping. Eachprotocolisappropriateforspecificsituations.Decidingwhichprotocoltouse dependsontheclientsandnetworkingneeds.Afteryouchooseaprotocolforfile sharing,youmustconfigurethefilesharingprotocol. Ifnosharepointsaresharedwithaprotocol,disabletheservicethatrunsthatprotocol usingServerAdmin.TheNFSservicestopswhennosharepointsspecifyitsuse. ConfiguringAFPFileSharingService AppleFileService,whichusesAFP,letsyousharefilesamongMacintoshclients. Becauseitprovidesauthenticationandencryption,AFPserviceisthepreferredfile sharingmethodforMacintoshorcompatibleclients. Note:Encryptiondoesnotapplytoautomaticallymountedhomefolders,whereonly authenticationisprovided. TosecurelyconfigureAFPService: 1 OpenServerAdminandconnecttotheserver. 2 SelectAFPintheComputers&Serviceslist. 3 ClickSettings. 4 ClickGeneral. 5 Enterthelogingreetingaccordingtositepolicy. 6 ClickAccess. 7 ForAuthentication,choose“Kerberos”ifyoursystemisintegratedintoaKerberos system;otherwise,choose“Standard.” 8 Deselect“Enableadministratortomasqueradeasanyregistereduser.” 9 UnderMaximumConnections,enterthelargestexpectednumberforClient Connections. 10 ClickLogging. 11 Select“EnableaccessLog”toenablelogging. 12 Select“Archiveevery__day(s)”andsetthefrequencytothreedaysoraccordingto yourorganization’srequirements. 258 Chapter17SecuringFileServicesandSharepoints 13 Select“Login”and“Logout”toincludeeventsintheaccesslog. Ifyouneedstrongeraccounting,selecttheotherevents. 14 UnderErrorLog,select“Archiveevery__day(s)”andsetthefrequencyaccordingto yourorganization’srequirements. 15 ClickIdleUsersandconfigureIdleUserssettings:  Deselect“Allowclientstosleep__hour(s)-willnotshowasidle.”  Select“Disconnectidleusersafter__minute(s)”andenteravalueinthetextfield tomitigateriskfromacomputeraccidentallybeingleftunattended.  DeselectGuests,Administrators,RegisteredUsers,andIdleUserswhohave openfiles.  Entera“DisconnectMessage”noticeaccordingtositepolicy. 16 ClickSave. 17 ClickStartAFP. 18 Foradditionalsecurityenhancements,furtherrestrictAFPbyusingSACLsand firewallrules. Theseareconfiguredbasedonyourorganization’snetworkenvironment:  YoucanconfigureSACLstorestrictAFPaccesstospecificusersorgroups.Formore information,see“SettingServiceAccessControlLists(SACLs)”onpage183.  YoucanconfigurefirewallrulesthatpreventAFPconnectionsfromunintended sources.Formoreinformation,see“CreatingFirewallServiceRules”onpage216. Fromthecommandline: # Securely configure AFP service: sudo serveradmin settings afp:registerNSL = no sudo serveradmin settings afp:attemptAdminAuth = no sudo serveradmin settings afp:clientSleepOnOff = no sudo serveradmin settings afp:idleDisconnectOnOff = yes sudo serveradmin settings afp:authenticationMode = "kerberos" sudo serveradmin settings afp:activityLog = yes sudo serveradmin settings afp:guestAccess = no ConfiguringFTPFileSharingService Ifauthenticationofusersispossible,usetheSFTPportionofSSHinsteadofFTPto securelytransmitfilestoandfromtheserver.Formoreinformation,see“Transferring FilesUsingSFTP”onpage191. Chapter17SecuringFileServicesandSharepoints 259 FTPisacceptableonlyifitsanonymousaccessfeatureisrequired,whichallows unauthenticatedclientstodownloadfiles.Thefilesaretransferredunencryptedover thenetworkandnoauthenticationisperformed. Althoughthetransferdoesnotguaranteeconfidentialityorintegritytotherecipient,it isappropriateinsomecases.Ifthiscapabilityisnotspecificallyrequired,disableit. ToconfigureFTPtoprovideanonymousFTPdownloads: 1 OpenServerAdminandconnecttotheserver. 2 SelectFTPintheComputers&Serviceslist. 3 ClickSettings,thenclickGeneral. 4 In“Disconnectclientafter__loginfailures,”enter1. Eventhoughauthenticatedconnectionsarenotaccepted,loginsshouldfailquicklyif accidentallyactivated. 5 EnteramailaddressspeciallysetuptohandleFTPadministration—forexample, [email protected]. 6 UnderAccess,select“Kerberos”forAuthentication. IfaKerberosserverisnotsetup,theauthenticationprocessisblocked. 7 In“Allowamaximumof__authenticatedusers,”enter1. TheGUIdoesnotallowsettingthisto0,butauthenticatedusersaredisabledinlater steps. 8 Select“Enableanonymousaccess.” Anonymousaccesspreventsusercredentialsfrombeingsentopenlyoverthenetwork. Important:Beforeselectingthisoption,reviewtheprivilegesassignedtoyourshare pointsunderFilePrivilegesintheSharingpanetomakesuretherearenosecurity holes. Anonymoususerscanloginusingthename“ftp”or“anonymous.”Theydonotneed apasswordtologin,buttheyarepromptedtoentertheiremailaddress. 9 Determineamaximumnumberofanonymoususersandenterthenumberin“Allow amaximumof__anonymoususers.” 10 UnderFileconversion,deselect“EnableMacBinaryanddiskimageauto-conversion.” 11 ClickMessages. 12 Select“ShowWelcomeMessage”andenterawelcomemessageaccordingtosite policy. 13 Select“ShowBannerMessage”andenterabannermessageaccordingtositepolicy. Donotrevealsoftwareinformation,suchasoperatingsystemtypeorversion,in thebanner. 260 Chapter17SecuringFileServicesandSharepoints 14 ClickLogging. 15 Selectalloptionsunder“LogAuthenticatedUsers”and“LogAnonymousUsers.” Eventhoughauthenticatedusersarenotallowedtologin,theirattemptsshouldbe loggedsocorrectiveactioncanbetaken. 16 ClickAdvanced. 17 Set“Authenticateduserssee”toFTPRootandSharePoints. AuthenticatedusersandanonymoususersseethesameFTProot. 18 Verifythat“FTProot”issettothe/Library/FTPServer/FTPRoot/folder. 19 ClickSave. 20 ClickStartFTP. 21 Openthe/Library/FTPServer/FTPRoot/folderanddragthecontents(Users,Groups, Public)tothetrash. 22 Dragthefilestosharewithanonymoususerstothe/Library/FTPServer/FTPRoot/folder. 23 Verifythatthefilepermissionsforthe/Library/FTPServer/FTPRoot/folderdonotallow publicwriteaccess. 24 Openthefile/Library/FTPServer/Configuration/ftpaccessforediting. 25 Deletelinesthatbeginwith“upload.” Thefollowingtwolinearepresentbydefault: upload /Library/FTPServer/FTPRoot /uploads yes ftp daemon 0666 nodirs upload /Library/FTPServer/FTPRoot /uploads/mkdirs yes ftp daemon 0666 dirs 0777 26 Insertthefollowinglinetopreventadvertisementofoperatingsystemandversion information: greeting terse 27 Insertthefollowinglinestopreventusersfromauthenticating. deny-gid %-99 %65535 deny-uid %-99 %65535 allow-gid ftp allow-uid ftp ThisforcesuserstoaccessFTPanonymously,protectingtheirlogincredentials. 28 Foradditionalsecurityenhancements,youcanfurtherrestricttheFTPservicebyusing SACLsandfirewallrules. Theseareconfiguredbasedonyourorganization’snetworkenvironment.  YoucanconfigureSACLstorestrictFTPaccesstospecificusersorgroups.Formore informationaboutconfiguringSACLs,see“SettingServiceAccessControlLists (SACLs)”onpage183. Chapter17SecuringFileServicesandSharepoints 261  YoucanconfigurefirewallrulesthatpreventFTPconnectionsfromunintended sources.Formoreinformation,see“CreatingFirewallServiceRules”onpage216. Fromthecommandline: # Configure FTP to provide anonymous FTP downloads: sudo serveradmin settings ftp:logSecurity:anonymous = yes sudo serveradmin settings ftp:logSecurity:guest = yes sudo serveradmin settings ftp:logSecurity:real = yes sudo serveradmin settings ftp:maxRealUsers = 1 sudo serveradmin settings ftp:enableMacBinAndDmgAutoConversion = no sudo serveradmin settings ftp:authLevel = "KERBEROS" sudo serveradmin settings ftp:anonymousAccessPermitted = yes sudo serveradmin settings ftp:bannerMessage = "$BANNER" sudo serveradmin settings ftp:maxAnonymousUsers = 500 sudo serveradmin settings ftp:administratorEmailAddress = "[email protected]" sudo serveradmin settings ftp:logCommands:anonymous = yes sudo serveradmin settings ftp:logCommands:guest = yes sudo serveradmin settings ftp:logCommands:real = yes sudo serveradmin settings ftp:loginFailuresPermitted = 1 sudo serveradmin settings ftp:welcomeMessage = "$WELCOME" ConfiguringNFSFileSharingService NFSdoesnotsupportusernameandpasswordauthentication.ItreliesonclientIP addressestoauthenticateusers,andonclientenforcementofpermissions.Thisisnota secureapproachinmostnetworks.Therefore,useNFSonlyifyouareonaLANwith trustedclientcomputers,orifyouareinanenvironmentthatcan’tuseApplefile sharingorWindowsfilesharing. TheNFSserverincludedwithSnowLeopardServerletsyoulimitaccesstoashare pointbasedonaclient’sIPaddress.RestrictaccesstoasharepointexportedusingNFS tothoseclientsthatrequireit.YoucanreshareNFSmountsusingAFP,Windows,and FTPsothatuserscanaccessNFSvolumesinamorerestrictedfashion. ToconfigureandstartNFSservice,useServerAdmin.Forinformationabouthowto setupandrestrictNFSservice,see“NFSSharePoints”onpage268. Foradditionalsecurityenhancements,youcanfurtherrestrictNFSservicebyusing firewallrules.YoucanconfigurefirewallrulesthatpreventAFPconnectionsfrom unintendedsources. Formoreinformation,see“CreatingFirewallServiceRules”onpage216.Rulesare configuredbasedonyourorganization’snetworkenvironment. 262 Chapter17SecuringFileServicesandSharepoints ConfiguringSMBFileSharingService IfsharepointsneedtouseSMB,activateWindowsfileserviceandconfigureit.Support forSMBisprovidedbytheopensourceSambaproject,whichisincludedwith SnowLeopardServer. SMBusesNTLMv1andNTLMv2encryption,whichareveryweakpasswordhashing schemes.FormoreinformationaboutconfiguringtheSambasoftware,goto www.samba.org. TosecurelyconfigureWindowsfilesharingservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectSMBintheComputers&Serviceslist. 3 ClickSettings,thenclickGeneral. 4 ChoosetheRoleaccordingtooperationalneeds. Iftheserversharesfilesbutdoesnotprovideauthenticationservices,“Standalone Server”istherelevantchoice. 5 Fillinthetextfieldsappropriately,leavingtheDescriptionfieldblank. Itishelpfulforthecomputernametomatchthehostname(withoutthedomain name).TheWorkgroupnamedependsontheconfigurationofWindowsdomainson yoursubnet. 6 ClickAccess. 7 Deselect“AllowGuestaccess.” 8 For“Clientconnections,”select“__maximum”andenterthemaximumnumberof clientconnectionsexpected. TheGraphspaneshowscurrentusage,whichcanhelpyouadjustthenumberof connectionsforyournetwork. 9 ClickLogging. 10 Change“LogDetail”toatleast“medium”tocaptureauthenticationfailures. 11 ClickAdvanced. 12 UnderServices,deselect“WorkgroupMasterBrowser”and“DomainMasterBrowser” unlesstheseservicesarerequired. 13 SelectOffforWINSregistration. 14 ClickSave. 15 ClickStartSMB. 16 Foradditionalsecurityenhancements,furtherrestricttheWindowsservicebyusing SACLsandfirewallrules. Theseareconfiguredbasedonyourorganization’snetworkenvironment: Chapter17SecuringFileServicesandSharepoints 263  YoucanconfigureSACLstorestrictWindowsaccesstospecificusersorgroups.For moreinformationaboutconfiguringSACLs,see“SettingServiceAccessControlLists (SACLs)”onpage183.  YoucanconfigurefirewallrulesthatpreventWindowsconnectionsfromunintended sources.Formoreinformation,see“CreatingFirewallServiceRules”onpage216. Fromthecommandline: # Securely configure Windows file sharing service sudo serveradmin settings smb:wins support = no sudo serveradmin settings smb:domain master = no sudo serveradmin settings smb:map to guest = "Never" sudo serveradmin settings smb:auth methods = "odsam" sudo serveradmin settings smb:ntlm auth = "no" sudo serveradmin settings smb:max smbd processes = 1000 sudo serveradmin settings smb:log level = 1 sudo serveradmin settings smb:preferred master = no sudo serveradmin settings smb:os level = 65 ConfiguringSharePoints Asharepointisaharddisk(orharddiskpartition),discmedia,orfolderthatcontains filesyouwantuserstoshare.Youcanusesharepointstohosthomefolders. YoucanuseServerAdmintosetupsharepointsandthenusethesharepointstohost localhomefolders.Oryoucanmountthesharepointsoithostsnetworkhomefolders. Usingnetworkhomefoldersstoredonasharepointisinherentlylesssecurethanusing localhomefolders.Anintrudercanaccessyournetworkhomefolderthroughan insecurenetworkconnection. Makesurethatsharepointsonlocalsystemdrivesareconfiguredtograntaccessto onlyspecificusersorgroups,andarenotopentoeveryone.Removingopenshare pointspreventsunwantedaccesstoyourcomputerandpreventsyourcomputerfrom beingusedtomaliciouslyaccessadditionalcomputersonthenetwork.Donotshare filesunnecessarily. 264 Chapter17SecuringFileServicesandSharepoints DisablingSharePoints Disableunusedsharepointsandsharingprotocols.Enabledsharepointsandsharing protocolscanprovideanavenueofattackforintruders. Ifyoudisableallsharepointsusingaspecificsharingprotocol,youshouldalsodisable thatprotocol. Todisableasharepoint: 1 OpenServerAdminandconnecttotheserver. 2 ClickthefilesharingprotocolintheComputers&Serviceslist. 3 ClickSharePointsandselectthesharepointfromthelist. 4 ClickSharePointbelowthelist. 5 ClickProtocolOptions. 6 Disablethefollowingsharingoptions: ClickAFPanddeselect“SharethisitemusingAFP.” ClickSMBanddeselect“SharethisitemusingSMB.” ClickFTPanddeselect“SharethisitemusingFTP.” ClickNFSanddeselect“Exportthisitemanditscontentsto”. 7 ClickOK. 8 ClickSave. RestrictingAccesstoaSharePoint Beforeenablingasharepoint,restricttheaccesspermissionsforthefolderthatwillact asthesharepointandonlyallowuserswhomustusethesharepointtoaccessit. YoucanthenuseServerAdmin’sFileSharingpanetosetPOSIXandACLpermissions torestrictsharepointstoonlybeingaccessiblebyspecificusers.Youcanusea combinationofthetwopermissiontypestocustomizeaccessibilityforyourusers. YoucanalsouseWorkgroupManager’seffectivepermissionsinspectortodetermine thepermissionsauserisgranted. WARNING:Carefullysetaccesspermissions.Incorrectlysetaccesspermissionscan preventlegitimateusersfromaccessingfoldersandfiles,ortheycanallowmalicious userstoaccessfoldersandfiles. Torestrictaccesstoasharepoint: 1 OpenServerAdminandconnecttotheserver. 2 ClickthefilesharingprotocolintheComputers&Serviceslist. 3 ClickSharePointsandselectthesharepointfromthelist. Chapter17SecuringFileServicesandSharepoints 265 4 ClickPermissionsbelowthelist. 5 Tosettheownerorgroupoftheshareditem,enternamesordragnamesfromthe UsersandGroupsdrawertotheownerorgrouprecordsinthepermissionstable. TheownerandgrouprecordsarelistedunderthePOSIXheading.Theownerrecord hasthesingleusericon.Thegrouprecordhasthegroupicon. Toopenthedrawer,clicktheAdd(+)button.Ifyoudon’tseearecentlycreateduseror group,clicktheRefreshbutton. Ownerandgroupnamescanalsobeeditedbydouble-clickingapermissionsrecord anddraggingintoortypingintheUser/Groupfieldinthewindowthatappears. Note:Tochangetheautorefreshinterval,chooseServerAdmin>Preferencesand changethevalueofthe“Auto-refreshstatusevery”field. Makesureyouunderstandtheimplicationsofchangingafolder’sownerandgroup. Formoreinformation,see“SettingPOSIXPermissions”onpage141. 6 TochangethepermissionsforOwner,Group,andOthers,usethePermissionpop-up menuintherelatedrowofthepermissionstable. Othersisanyuserthatlogsintothefileserverwhoisnottheowneranddoesnot belongtothegroup. Ifyou’reconfiguringahomefolder’spermissions,givetheownerRead&Write privileges,butreducegroupandeveryoneprivilegestoNone. Thedefaultforhomefoldersisthatthestaffgroupandeveryonehavereadprivileges. Allaccountsarealsomembersofthestaffgroup.Thesetwoprivilegesalloweveryone toviewthecontentsofthehomefolder.Ifyouwantsomeoneotherthantheownerto viewthecontentsofthehomefolder,replacestaffwiththataccount. 7 ClickSave. ThenewsharepointissharedusingAFP,SMB,andFTP,butnotNFS. TosetACLpermissionsonasharepointorafolder: 1 OpenServerAdminandconnecttotheserver. 2 ClickthefilesharingprotocolintheComputers&Serviceslist. 3 ClickSharePointsandselectthesharepointfromthelist. 4 ClickPermissionsbelowthelist. 5 OpentheUsersandGroupsdrawerbyclickingtheAdd(+)button. 6 DraggroupsandusersfromthedrawerintotheACLPermissionslisttocreateACEs. Bydefault,eachnewACEgivestheuserorgroupfullreadandinheritancepermissions. 266 Chapter17SecuringFileServicesandSharepoints Thefirstentryinthelisttakesprecedenceoverthesecond,whichtakesprecedence overthethird,andsoon.Forexample,ifthefirstentrydeniesausertherighttoedita file,otherACEsthatallowthesameusereditingpermissionsareignored.Inaddition, theACEsintheACLtakeprecedenceoverstandardpermissions. 7 IntheAccessControlList,selecttheACE. 8 ClicktheEdit(/)button. 9 FromthePermissionTypepop-upmenu,choose“Allow”or“Deny.” 10 InthePermissionslist,selectpermissions. IfyouchoseCustomfromthePermissionpop-upmenu,clickthedisclosuretrianglesto displayspecificattributes.ChooseAlloworDenyfromthePermissionTypepop-up menu.SelectspecificpermissionsandclickOK. Youcanfurthergrantordenyspecificpermissionsthatyoucannotspecifythrough POSIXpermissions.Forexample,youcanallowausertolistfoldercontentsbut disallowthatuserfromreadingfileattributes. 11 ClickSave. AFPSharePoints Ifyousupplynetworkhomefolders,useAFPbecauseitprovidesauthentication-level accesssecurity.Ausermustloginwithavalidusernameandpasswordtoaccessfiles. YoucanalsoenableAFPusinganSSH-securedtunnelforfilesharing.Thistunnel preventsintrudersfrominterceptingyourcommunicationwithanAFPsharepoint. YoucannotenableSSH-securedtunnelsforAFPsharepointsthathosthomefolders. Formoreinformation,see“ConfiguringAFPFileSharingService”onpage258. SMBSharePoints DonotuseSMBunlessyou’rehostingasharepointspecificallyforWindowsusers. YoucansetupasharepointforSMBaccessonly,sothatWindowsusershavea networklocationforfilesthatcan’tbeusedonotherplatforms. LikeAFP,SMBalsorequiresauthenticatingwithavalidusernameandpasswordto accessfiles.However,therearewell-knownrisksassociatedwithSMB.Forexample, SMBusesNTLMv1andNTLMv2encryption,whichareweakpasswordhashing schemes. Formoreinformation,see“ConfiguringSMBFileSharingService”onpage263. Chapter17SecuringFileServicesandSharepoints 267 FTPSharePoints YoucannotuseFTPsharepointstohosthomefoldersandyoushouldonlyenableFTP sharepointsifyourequireanonymousaccess. FilesaretransferredfromFTPsharepointsunencryptedoverthenetwork.Transferring filesoverFTPdoesnotguaranteeconfidentialityorfileintegrity. IfyouneedtouseFTPforfiletransfers,considerusingtheSSHserviceinstead.Thesftp command,partoftheSSHsuiteoftools,providesanFTP-likeexperienceforuserswhile providingamoresecuresetting.Formoreinformation,seethesftpmanpage. FormoreinformationaboutsettingupFTPsharepoints,see“ConfiguringFTPFile SharingService”onpage259. NFSSharePoints NFSfileaccessisnotbasedonuserauthentication(enteringausernameand password).ItisbasedontheuserIDandtheclientIPaddress.Assuch,NFSshare pointswithouttheuseofKerberosdon’thavethesamelevelofsecurityasAFPand SMB,whichrequireuserauthenticationtogainaccesstoasharepoint’scontents. IfyouhaveNFSclients,considersettingupasharepointtobeusedonlybyNFSusers, orconfigureNFSwithKerberos.NFSdoesn’tsupportSACLs. UseNFSonlyifyoumustprovidehomefoldersforalargenumberofuserswhouse UNIXworkstations.UseServerAdmintorestrictaccesstoanNFSsharepoint,sothat onlyrequiredcomputerscanaccessit. TorestrictaccesstoanNFSsharepoint: 1 OpenServerAdminandconnecttotheserver. 2 ClickthefilesharingprotocolintheComputers&Serviceslist. 3 ClickSharePointsandselectthesharepointfromthelist. 4 ClickSharePointbelowthelist. 5 ClickProtocolOptions. 6 ClickNFS. 7 Ifonlyafewcomputersneedaccesstothesharepoint,select“Exportthisitemandits contentsto”andchooseClientListfromthepop-upmenu. Toaddaclient,clickAdd(+)andentertheIPaddressoftheclientcomputer. Addonlythoseclientcomputersthatrequireaccesstothesharepoint. 8 Ifeverycomputerinasubnetrequiresaccesstothesharepoint,select“Exportthisitem anditscontentsto”andchooseSubnetfromthepop-upmenu. IntheSubnetaddressfield,enterthesubnetaddress.IntheSubnetmaskfield,enter thesubnetmask. 268 Chapter17SecuringFileServicesandSharepoints 9 FromtheMappingpop-upmenu,choose“Alltonobody.” Auserwith“nobody”privilegeshas“Others”POSIXpermissions. 10 FromtheMinimumSecuritypop-upmenu,setthelevelofauthentication: Choose“Standard”ifyoudon’twanttosetalevelofauthentication. Choose“Any”ifyouwantNFStoacceptanymethodauthentication. Choose“Kerberosv5”ifyouwantNFStoonlyacceptKerberosauthentication. Choose“Kerberosv5withdataintegrity”ifyouwantNFStoacceptKerberos authenticationandvalidatethedata(checksum)duringtransmission. Choose“Kerberosv5withdataintegrityandprivacy”tohaveNFSacceptKerberos authentication,tovalidateusingthechecksum,andtoencryptdataduring transmission. 11 Select“Read-only.” 12 ClickSave. Chapter17SecuringFileServicesandSharepoints 269 270 Chapter17SecuringFileServicesandSharepoints 18 SecuringWebService 18 Usethischaptertolearnhowtosecurewebservice. Webserviceprovidesaneasymethodofaccessingdatafromanywhereintheworld. However,thisaccessisoftenattackedduetoitsweaknessonotherplatforms. SnowLeopardServerprovidesmanyconfigurationoptionstoprotectwebservice. WebserviceisbasedonApache,anopensourceHTTPwebserver.Awebserver respondstorequestsforHTMLwebpagesstoredonyoursite.Opensourcesoftware givesyouthecapabilitytoviewandchangethesourcecodetomakechangesand improvements.ThishasledtoApache’swidespreaduse,makingitoneofthemost popularwebserversontheInternettoday. WebadministratorscanuseServerAdmintoadministerwebservicewithoutknowing aboutadvancedsettingsorconfigurationfiles.Webadministratorsproficientwith ApachecanalsoadministerwebtechnologiesusingApache’sadvancedfeatures. BecausewebserviceinSnowLeopardServerisbasedonApache,youaddadvanced featureswithplug-inmodules.ApachemodulesletyouaddsupportforSimpleObject AccessProtocol(SOAP),Java,andCGIlanguagessuchasPython. ForemoreinformationabouttheApacheproject,seewww.apache.org.TheCenterfor InternetSecurity(CIS)atwww.cisecurity.orgprovidesanApacheBenchmarkand Scoringtool.CISBenchmarksenumeratesecurityconfigurationsettingsandactions thathardenyourcomputer. Formoreinformationaboutconfiguringwebservice,seeWebTechnologies Administration. 271 DisablingWebService Ifthesystemisnotintendedtobeawebserver,disablewebserversoftware. Securewebadministrationdemandsscrutinyofconfigurationsettings.UseSSL encryptiontoencryptsensitivewebtraffic. Ifthesystemisnotawebserver,disablewebservicesusingtheServerAdmintool. Disablingtheservicepreventspotentialvulnerabilitiesonyourcomputer.Webservice isdisabledbydefault,butverificationisrecommended. Todisablewebservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickStopWeb. 4 ClickSave. Fromthecommandline: # --------------------------------------------------------------------# Securing Web Service # --------------------------------------------------------------------# Disable web service: sudo serveradmin stop web ManagingWebModules Ifyoursystemdoesnotrequireactivewebmodules,disablethem.Webmodules (sometimescalledplug-ins)consistofwebcomponentsthataddfunctionalitytoweb service.Usingunnecessarymodulescreatespotentialsecurityriskswhentheweb serviceisrunning. Manytypesofwebmodulesareavailableforusewithwebservice.Verifythateach moduleusedisrequiredandthatyouunderstandtheimpactithastosecuritywhen webserviceisrunning. Important:Whendisablingwebmodules,makesurethemoduleisnotneededby anotherwebserviceyouarerunning.Ifyoudisableawebmodulethatanotherweb serviceisdependenton,thatwebservicemightnotwork. 272 Chapter18SecuringWebService Todisablewebmodules: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSettings,thenclickModules. 4 Deselectallmodulesexceptforthemodulesyoursiterequires. 5 ClickSave. DisablingWebOptions Enabledweboptionscanbeasecurityriskifyoudon’tunderstandtheimpactthe modulehastosecuritywhenawebserviceisrunning. Disablethefollowingwebmodulesunlesstheyarespecificallyrequiredforaweb service:  FolderListing:DisplaysalistoffolderswhenusersspecifytheURLandnodefault webpage(suchasindex.html)ispresent.Insteadofviewingadefaultwebpage,the servershowsalistofthewebfolder’scontents.Folderlistingsappearonlyifno defaultdocumentisfound.  WebDAV:TurnsonWeb-basedDistributedAuthoringandVersioning(WebDAV), whichallowsuserstomakechangestowebsiteswhilethesitesarerunning.Ifyou enableWebDAVyoumustalsoassignaccessprivilegesforthesitesandfortheweb folders.  CGIExecution:PermitsCommonGatewayInterface(CGI)programsorscriptstorun onyourwebserver.CGIprogramsorscriptsdefinehowawebserverinteractswith externalcontent-generatingprograms.  ServerSideIncludes(SSI):PermitsSSIdirectivesplacedinwebpagestobe evaluatedontheserverwhilethewebsiteisactive.Youcanadddynamically generatedcontenttoyourwebpageswhilethefilesarebeingviewedbyusers.  AllowAllOverrides:Instructswebservicetolookforadditionalconfigurationfiles insidethewebfolderforeachrequest.  SpotlightSearching:Allowswebbrowserstosearchthecontentofyourwebsite. Todisableweboptions: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslists. 3 ClickSites,thenselectthewebsiteinthelist. 4 ClickOptionsbelowthewebsiteslist. 5 DeselectFolderListing,WebDAV,CGIExecution,ServerSideIncludes(SSI),andAllow AllOverridesunlesstheyarerequired. Chapter18SecuringWebService 273 Fromthecommandline: # Disable web options: sudo serveradmin settings web:Modules:_array_id:authz_host_module:enabled = no sudo serveradmin settings web:Modules:_array_id:dav_module:enabled = no sudo serveradmin settings web:Modules:_array_id:dav_fs_module:enabled = no sudo serveradmin settings web:Modules:_array_id:apple_spotlight_module:enabled = no sudo serveradmin settings web:Sites:_array_id:$SITE:SpotlightIndexing = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:AllowOverride = "None" sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:IfModule:_array_id:mod_dav.c:DAV = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:Options:Includes = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:Options:ExecCGI = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:Options:Indexes = no sudo serveradmin settings web:Sites:_array_id:default_default:SpotlightIndexing = no UsingRealmstoControlAccess Youcanuserealmstocontrolaccessandprovidesecuritytolocationsorfoldersin awebsite.RealmsarelocationsattheURLorfilesinthefolderthatuserscanview. IfWebDAVisenabled,userswithauthoringprivilegescanalsochangecontentin therealm.Yousetuptherealmsandspecifytheusersandgroupsthathaveaccess tothem. Whenanassigneduserorgrouppossessesfewerpermissionsthanthepermissions assignedtouserEveryone,thatuserorgroupisdeleteduponarefresh.Thishappens becausetheaccessassignedtoEveryonepreemptstheaccessassignedtospecific usersorgroupswithfewerpermissionsthanthosepossessedbyEveryone.Thegreater permissionsalwaystakeprecedence. Consequently,thelistofassignedusersandgroupswithfewerpermissionsarenot savedintheRealmspaneuponrefreshiftheirpermissionsaredeterminedtobe preemptedbythepermissionsassignedtoEveryone.Aftertherefresh,thenames arenolongerlistedinthelistontherightintheRealmspane.Also,forabriefperiod oftime,userEveryonewillswitchitsdisplayednameto“no-user.” 274 Chapter18SecuringWebService Tousearealmtocontrolwebsiteaccess: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSites,thenselectthewebsiteinthelist. 4 Belowthewebsiteslist,clickRealms. 5 ClicktheAdd(+)buttontocreatearealm. Therealmisthepartofthewebsiteuserscanaccess. 6 IntheRealmNamefield,entertherealmname. Thisisthenameusersseewhentheylogintothewebsite. 7 FromtheAuthenticationpop-upmenu,chooseamethodofauthentication:  Basicauthenticationisonbydefault.Donottousebasicauthenticationforsensitive data.Itsendsyourpasswordtotheserverunencrypted.  Digestauthenticationismoresecurethanbasicauthenticationbecauseitusesan encryptedhashofyourpassword.  Kerberosauthenticationisthemostsecurebecauseitimplementsservercertificates toauthenticate.IfyouwantKerberosauthenticationfortherealm,jointheserverto aKerberosdomain. 8 Entertherealmlocationorfolderyouarerestrictingaccessto: a ChooseLocationfromthepop-upmenuandenteraURLtothelocationinthe websitethatyouwanttorestrictaccessto. b ChooseFolderfromthepop-upmenuandenterthepathtothefolderthatyou wanttorestrictaccessto. YoucanalsoclicktheBrowsebuttontolocatethefolderyouwanttouse. 9 ClickOK. 10 SelectthenewrealmandclickAdd(+)toopentheUsers&Groupspanel. ToswitchbetweentheUserslistandtheGroupslist,clickUsersorGroupsinthepanel. UsetheRealmspanetodeleteauserorgroupbyselectingthenameandclickingthe Delete(–)button. 11 Toaddusersorgroupstoarealm,draguserstothelistontherightintheRealms pane. Whenusersormembersofagroupyou’veaddedtotherealmconnecttothesite,they mustsupplytheirusernameandpassword. Chapter18SecuringWebService 275 12 Limitrealmaccesstospecifiedusersandgroupsbysettingthefollowingpermissions usingtheupanddownarrowsinthePermissionscolumn.  BrowseOnly:Permitsusersorgroupstobrowsethewebsite.  BrowseandReadWebDAV:Permitsusersorgroupstobrowsethewebsiteandalso readthewebsitefilesusingWebDAV.  BrowseandRead/WriteWebDAV:Permitsusersorgroupstobrowsethewebsite andalsoreadandwritetowebsitefilesusingWebDAV.  None:Preventsusersorgroupsfromusingpermissions. 13 ClickSave. EnablingSecureSocketsLayer(SSL) SecureSocketsLayer(SSL)providessecurityforasiteanditsusersbyauthenticating theserver,encryptinginformation,andmaintainingmessageintegrity. SSLisaper-sitesettingthatletsyousendencrypted,authenticatedinformation acrosstheInternet.Forexample,ifyouwanttopermitcreditcardtransactions throughawebsite,youcanprotecttheinformationthat’spassedtoandfrom thatsite. TheSSLlayerisbelowapplicationprotocols(forexample,HTTP)andaboveTCP/IP.This meansthatwhenSSLisoperatingontheserverandontheclientcomputer, informationisencryptedbeforebeingsent. TheApachewebserverinSnowLeopardServerusesapublickey-privatekey combinationtoprotectinformation.Abrowserencryptsinformationusingapublic keyprovidedbytheserverandonlytheserverhasaprivatekeythatcandecrypt thatinformation. ThewebserversupportsSSLv2,SSLv3,andTLSv1.Moreinformationaboutthese protocolversionsisavailableatwww.modssl.org. WhenSSLisimplementedonaserver,abrowserconnectstoitusingthehttpsprefix intheURL,ratherthanhttp.The“s”indicatesthattheserverissecure. WhenabrowserinitiatesaconnectiontoanSSL-protectedserver,itconnectsto aspecificport(443)andsendsamessagethatdescribestheencryptionciphersit recognizes.Theserverrespondswithitsstrongestcipher,andthebrowserandserver thencontinueexchangingmessagesuntiltheserverdeterminesthestrongestcipher thatitandthebrowsercanrecognize. Theserverthensendsitscertificate(anISOX.509certificate)tothebrowser.This certificateidentifiestheserverandusesittocreateanencryptionkeyforthebrowser touse.Atthispointasecureconnectionisestablishedandthebrowserandserver canexchangeencryptedinformation. 276 Chapter18SecuringWebService BeforeyoucanenableSSLprotectionforawebsite,youmustobtaintheproper certificates.Fordetailedinformationaboutcertificatesandtheirmanagement,see AdvancedServerAdministration. TosetupSSLforawebsite: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSites,thenselectthewebsiteinthelist. 4 ClickSecuritybelowthewebsiteslist. 5 IntheSecuritypane,selectEnableSecureSocketsLayer(SSL). WhenyouturnonSSL,amessageappears,notingthattheportischangedto443. 6 IntheCertificatepop-upmenu,choosethecertificateyouwant. Ifthecertificateisprotectedbyapassphrase,thenameofthecertificatemustmatch thevirtualhostname.Ifthenamesdon’tmatch,webservicewon’trestart. 7 IfyouchooseCustomConfigurationorwanttoeditacertificate,youmightneedtodo thefollowing: a ClicktheEdit(/)buttonandsupplytheinformationineachfieldforthecertificate. b Ifyoureceivedaca.crtfilefromtheCA,clicktheEdit(/)buttonandpastethetext fromtheca.crtfileintheCertificateAuthorityFilefield. Note:Theca.crtfilemightberequiredbutmightnotbesentdirectlytoyou.Thisfile mustbeavailableonthewebsiteoftheCA. c InthePrivateKeyPassphrasefield,enterapassphraseandclickOK. 8 Inthe“SSLLogFile”field,enterthepathnameforthefolderwhereyouwanttokeep theSSLlog. YoucanalsousetheBrowsebuttontonavigatetothefolder. 9 ClickSave. 10 Confirmthatyouwanttorestartwebservice. ServerAdminletsyouenableSSLwithorwithoutsavingtheSSLpassphrase.Ifyoudid notsavethepassphrasewiththeSSLcertificatedata,theserverpromptsyouforthe passphraseuponrestartbutwon’tacceptmanuallyenteredpassphrases. UsetheSecuritypaneforthesiteinServerAdmintosavethepassphrasewiththeSSL certificatedata.Formoreinformation,see“UsingaPassphrasewithSSLCertificates”on page278. Chapter18SecuringWebService 277 UsingaPassphrasewithSSLCertificates IfyoumanageSSLcertificatesusingServerAdminandyouuseapassphrasefor certificates,ServerAdminensuresthatthepassphraseisstoredinthesystemkeychain. Whenawebsiteisconfiguredtousethecertificateandthatwebserverisstarted,the getsslpassphrase(8)utilityextractsthepassphrasefromthesystemkeychainand passesittothewebserver,aslongasthecertificatenamematchesthevirtualhost name. Ifyoudonotwanttorelyonthismechanism,youcanhavetheApachewebserver promptyouforthepassphrasewhenyoustartorrestartit.Usethesudo serveradmin command-linetooltoconfigurethis. ToconfigureApachetopromptyouforapassphrasewhenitstarts: 1 OpenTerminalandenterthefollowingcommand. sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSL PassPhraseDialog=builtin 2 StartApachewiththecommand: sudo serveradmin start web 3 Whenprompted,enterthecertificatepassphrase. Fromthecommandline: # # Configure Apache to prompt you for a passphrase when it starts. #--------------------------------sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSL PassPhraseDialog=builtin ViewingWebServiceLogs UseServerAdmintoviewtheerrorandaccesslogsforwebservice,ifyouhave enabledthem.webserviceinSnowLeopardServerusesthestandardApachelog format,soyoucanalsouseathird-partyloganalysistooltointerpretthelogdata. Toviewlogs: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickLogs,thenchoosebetweenanaccessorerrorlogbyselectingthelogfromthe listoflogs. Tosearchforspecificentries,usetheFilterfieldinthelowerright. 278 Chapter18SecuringWebService Fromthecommandline: # # View logs. #----------sudo tail /var/log/apache2/access_log SecuringWebDAV WebserviceincludessupportforWeb-basedDistributedAuthoringandVersioning, knownasWebDAV.WithWebDAVcapability,youruserscancheckoutwebpages,make changes,andthencheckthepagesbackinwhilethesiteisrunning.Inaddition,the WebDAVcommandsetisrichenoughthatclientcomputerswithSnowLeopard installedcanuseaWebDAV-enabledwebserverasifitwereafileserver. Sharingfilesoveranetworkopensyourcomputerstoahostofvulnerabilities.To reducethesecurityriskwhenusingWebDAV,assignaccessprivilegesforthesitesand forthewebfolders. TosecurelyconfigureWebDAVforasite: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSites,thenselectthewebsiteinthelist. 4 ClickOptionsbelowthewebsiteslist. 5 SelecttheWebDAVcheckbox. ThisoptionturnsWebDAVon,allowinguserstomakechangestowebsiteswhilethe sitesarerunning.IfyouenableWebDAV,youmustalsoassignaccessprivilegesforthe sitesandwebfolders. Note:IfyouturnedofftheWebDAVmoduleintheModulespaneofServerAdmin,you mustturnitonagainbeforeWebDAVtakeseffectforasite.Thisistrueevenifthe WebDAVoptionisselectedintheOptionspaneforthesite.Formoreaboutenabling modules,see“ManagingWebModules”onpage272. 6 ClickSave. AfterWebDAVisturnedon,youcanuserealmstocontrolaccesstothewebsite.For moreinformationaboutconfiguringrealms,see“UsingRealmstoControlAccess”on page274. Chapter18SecuringWebService 279 SecuringBlogServices Ablogislikeadiaryorjournal,withentriesthatarearrangedintheordertheywere createdin.Ontheotherhand,awikicontainssharedcontentthatdoesn’tappearin chronologicalorder.Thetypeofinformationyouwanttoputonyoursitehelps determinewhetheritappearsinawikiorinablog. Bydefault,blogsaredisabledwhenyoustartwebservice.Blogscanopenyour computerstoahostofvulnerabilities.Ifblogsarenotrequired,disablethem. DisablingBlogServices Ifyoudonotneedblogservices,disablethem. Todisableblogservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSites. 4 IntheSiteslist,clickthesitewhereyouwantblogservicedisabled. 5 ClickWebServices. 6 IntheServicesforGroupssection,deselectthe“Wikiandblog”checkbox. 7 ClickSave. Fromthecommandline: # # Disable blog service. #--------------------sudo serveradmin settings web:Sites:_array_id:$SITE:weblog = no SecurelyConfiguringBlogServices Youcanenableuserandgroupblogserviceonyourwebsite.SnowLeopardServer includesagroupwikiandagroupblog.Theseareenabledtogether.Groupblogslet usersinagroupaccessandpostentriestothesameblog. Userscanalsopublishtheirownpersonalblogusingwebservicesassociatedwiththeir serveraccount.Thisgivesuserstheabilitytomaintainpersonalblogsontheirownuser pages. Tosetupblogservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSites. 280 Chapter18SecuringWebService 4 IntheSiteslist,clickthesitewhereyouwantblogserviceenabled. Tomaximizethesecurityofuserinteractionswiththeserverhostingblogs,haveusers accessblogsthroughasitethathasSSLenabled. 5 ClickWebServices. 6 IntheServicesforGroupssection,selectthe“Wikiandblog”checkbox. 7 ClickSettings. 8 ClickWebServices. 9 Clickblogs. 10 FromthedefaultWikiandBlogThemepop-upmenu,chooseatheme. Athemecontrolstheappearanceofablog.Themesdeterminethecolor,size,location, andotherattributesofblogelements.Eachthemeisimplementedusingastylesheet. Thedefaultthemeisusedwhenablogiscreated,butblogownerscanchangethe theme.Thedefaultthemealsocontrolstheappearanceoftheblog’sfrontpage. 11 Identifyablogfolder,usedtostoreblogfiles. Bydefault,blogfilesarestoredin/Library/Collaborationonthecomputerhostingblog service.YoucanclickChoosetoselectadifferentfolder,suchasafolderonaRAID deviceoronanothercomputer. 12 ClickSave. 13 Makesuretheblogserver’sOpenDirectorysearchpathincludesdirectorieswhere usersandgroupmembersyouwanttosupportwithblogservicearedefined. TheOpenDirectoryAdministrationguideexplainshowtosetupsearchpaths.Anyuser orgroupmemberdefinedintheOpenDirectorysearchpathcancreateandaccess blogsontheserverunlessyoudenythemaccesstoblogservice. SecuringTomcat YouuseServerAdminorTerminaltodisableTomcatifyoudon’tneedit. TostopTomcatusingServerAdmin: 1 OpenServerAdminandconnecttotheserver. 2 SelectWebintheComputers&Serviceslist. 3 ClickSettings,thenclickGeneral. 4 DeselecttheEnableTomcatcheckbox. 5 ClickSave. Chapter18SecuringWebService 281 Fromthecommandline: # --------------------------------------------------------------------# Securing Tomcat # --------------------------------------------------------------------# Stop Tomcat using Server Admin: sudo /Library/Tomcat/bin/startup.sh stop SecuringMySQL MySQLprovidesarelationaldatabasemanagementsolutionforyourwebserver.With thisopensourcesoftware,youcanlinkdataintablesordatabasesandprovidethe informationonyourwebsite. DisablingMySQLService IfyoudonotneedtorunMySQLservice,disableitinServerAdmin. ToturnMySQLserviceon: 1 OpenServerAdminandconnecttotheserver. 2 SelectMySQLintheComputers&Serviceslist. 3 ClickStopMySQL. Fromthecommandline: # --------------------------------------------------------------------# Securing MySQL # --------------------------------------------------------------------# Turn MySQL service off sudo serveradmin stop mysql SettingUpMySQLService UseMySQLserviceSettingsinServerAdmintospecifythedatabaselocation,toenable networkconnections,andtosettheMySQLrootpassword. ToconfigureMySQLservicesettings: 1 OpenServerAdminandconnecttotheserver. 2 SelectMySQLintheComputers&Serviceslist. 3 ClickSettings. 282 Chapter18SecuringWebService 4 TopreventusertoaccessMySQLservicedeselectthe“Allownetworkconnections” checkbox. Thisprohibitsuseraccesstodatabaseinformationthroughthewebserver. 5 IntheDatabaselocationfieldenterthepathtothelocationofyourdatabase. YoucanalsoclicktheChoosebuttonandbrowseforthefolderyouwanttouse. 6 ClickSave. Fromthecommandline: # # Configure MySQL service settings. #--------------------------------sudo serveradmin settings mysql:allowNetwork = no ViewingMySQLServiceandAdminLogs MySQLservicekeepstwotypesoflogs,aMySQLservicelogandMySQLadminlogs:  TheMySQLservicelogrecordsthetimeofeventssuchaswhenMySQLserviceis startedandstopped.  TheMySQLadminlogrecordsinformationsuchaswhenclientsconnector disconnectandeachSQLstatementreceivedfromclients.Thislogislocatedat/ Library/Logs/MySQL.log. YoucanviewMySQLservicelogsusingServerAdmin. ToviewMySQLservicelogs: 1 OpenServerAdminandconnecttotheserver. 2 SelectMySQLintheComputers&Serviceslist. 3 ClickLogs. UsetheFilterfieldtosearchforspecificentries. Fromthecommandline: # # View MySQL service logs. # -----------------------sudo tail /Library/Logs/MySQL.log Chapter18SecuringWebService 283 19 SecuringClientConfiguration ManagementServices 19 UsethischaptertolearnhowtosecureClientConfiguration Managementservices. Securelyconfiguringclientconfigurationmanagementhelpsstandardizetheclients acrossyournetworkandprovidesasecuredeployment. Bymanagingpreferencesforusers,workgroups,computers,andcomputergroups,you cancustomizetheuser’sexperienceandrestrictuseraccesstoonlytheapplications andnetworkresourcesyouchoose. Tomanagepreferences,usethePreferencespaneinWorkgroupManager. Properlysetmanagedpreferenceshelpdeterusersfromperformingmalicious activities.Theycanalsohelppreventusersfromaccidentallymisusingtheircomputer. ManagingApplicationsPreferences UseApplicationspreferencestoalloworrestrictuseraccesstoapplications. Computersidentifyapplicationsusingoneoftwomethods:digitalsignatures(used inLeopardorlater),andbundleIDs(usedinTigerorearlier,butcanbeusedin SnowLeopardorlater). Digitalsignaturesaremuchmoresecurebecausecleveruserscanmanipulatebundle IDs.WorkgroupManagersupportsbothmethods. UsetheApplicationspanetoworkwithdigitalsignatures.UsetheLegacypanetowork withbundleIDs. 284 Applicationrestrictionsdependonwhichpaneyou’remanagingandtheversionof MacOSXrunbyclientcomputers:  IfyoumanagetheApplicationspaneandyourusersrunSnowLeopardorlater, ApplicationssettingstakeeffectandLegacysettingsareignored.  Ifyoudon’tmanagetheApplicationspane,Legacysettingstakeeffectforany versionofMacOSX.  IfyourusersrunTigerorearlier,onlyLegacysettingstakeeffect. YoucanalsousesettingsinApplicationspreferencestoallowonlyspecificwidgetsin DashboardortodisableFrontRow. ThetablebelowdescribesthesettingsineachApplicationspane. Applicationspreferencepane Whatyoucancontrol Applications Accesstospecificapplicationsandpathstoapplicationsusing digitalsignatures(forusersofSnowLeopardorlater) Widgets AllowedDashboardwidgetsforusersofSnowLeopard FrontRow WhetherFrontRowisallowed Legacy Accesstospecificapplicationsandpathstoapplicationsusing bundleIDs(primarilyforusersofTigerorearlier) ControllingUserAccesstoApplicationsandFolders YoucanuseWorkgroupManagertopreventusersfromlaunchingunapproved applicationsorapplicationslocatedinunapprovedfolders. InTigerorearlier,applicationswereidentifiedbytheirbundleIDs.Ifusershave SnowLeopardorlaterinstalled,youcanusedigitalsignaturestoidentifyapplications. DigitalsignaturesaremuchmoredifficulttocircumventthanabundleID. WorkgroupManagercansignapplicationsthataren’talreadysigned.Whensigning anapplication,youcanembedasignatureoryoucanstoreadetachedsignature separatelyfromtheapplication. Embeddingasignaturehasseveralperformancebenefitsoveradetachedsignature, butwithsignatureembeddingyoumustmakesureeverycomputerhasthesame signedapplication.ForapplicationsrunfromaCD,DVD,orotherread-onlymedia, youmustusedetachedsignatures. Chapter19SecuringClientConfigurationManagementServices 285 WorkgroupManagerusesthefollowingiconstodenotethekindofsignature associatedwithanapplication. Icon Indicatestheapplicationhasthistypeofsignature (noicon) Embeddedsignature Detachedsignature Nosignature Applicationsthatincludehelperapplicationsaredenotedbyadisclosuretriangle. Whenyouclickthedisclosuretriangle,you’llseealistofhelperapplications.Bydefault, thesehelperapplicationsareallowedtoopen. Youcandisableindividualhelperapplications,buttheapplicationmightbehave erraticallyifitrequiresthehelperapplications. Toalloworpreventusersfromlaunchinganapplication,addtheapplicationor applicationpathtooneofthreelists:  Alwaysallowtheseapplications.Addapplicationsthatshouldalwaysbeallowed, regardlessoftheirinclusioninotherlists.Youcansignapplicationsaddedtothislist. Donotaddunsignedapplicationstothislistbecausetheyallowuserstodisguise unapprovedapplicationsasapprovedapplications.  Disallowapplicationswithinthesefolders.Addapplicationsandfolderscontaining applicationsyouwanttopreventusersfromopening.Allapplicationsinthe subfoldersofadisallowedfolderarealsodisallowed.Disallowingafolderinan applicationpackagecancausetheapplicationtobehaveerraticallyorfailtoload.  Allowapplicationswithinthesefolders.Addapplicationsandfolderscontaining applicationsyouwanttoallow.Allapplicationsinthesubfoldersofanallowedfolder arealsoallowed.Unlikeapplicationsinthe“Alwaysallowtheseapplications”list, applicationslistedherearenotallowediftheyortheirpathsarelistedinthe “Disallowapplicationswithinthesefolders”list. Ifanapplicationoritsfolderdoesn’tappearintheselists,theusercan’topenthe application. Someapplicationsdon’tfullysupportsignatures.Tomakesureasignedapplication isrestricted,makeacopyoftheapplication,signit,andmoveittoalocationinthe “Disallowapplicationswithinthesefolders”list.Whenyoutrytoopentheapplication onamanagedcomputer,itshouldopenbecausethesignatureisvalid. Next,voidthesignedapplication’ssignaturebycopyingafileintoitsapplication package.Nowwhenyoutrytoopentheapplicationonamanagedcomputer,itshould notopenbecausethesignatureisvoidandtheapplicationisinadisallowedfolder. 286 Chapter19SecuringClientConfigurationManagementServices TomanageApplicationspreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickApplicationsandthenclicktheApplicationstab. 5 SetthemanagementsettingtoAlways. 6 Select“Restrictwhichapplicationsareallowedtolaunch.” 7 ClicktheApplicationstab(intheApplicationspane),clicktheAdd(+)button,choose anapplicationyouwanttoalwaysallow,andthenclickAdd. Whenyouallowanapplication,youalsoallowallhelperapplicationsincludedwith thatapplication.Youcandeselecthelperapplicationstodisallowthem. 8 Ifyou’reaskedtosigntheapplication,clickSign;ifyou’reaskedtoauthenticate, authenticateasalocaladministrator. Toaddtheapplicationtothelistasanunsignedapplication,clickDon’tSign. Whenyousigntheapplication,WorkgroupManagertriestoembedthesignature. Ifyoudon’thavewriteaccesstotheapplication,WorkgroupManagercreatesa detachedsignature. 9 ClicktheFolderstab,clicktheAdd(+)buttonnextto“Disallowapplicationswithin thesefolders,”andthenchoosefolderscontainingapplicationsyouwanttoprevent usersfromlaunching. 10 ClicktheAdd(+)buttonnexttothe“Allowapplicationswithinthesefolders”fieldand choosefolderscontainingapplicationsyouwanttoallow. Disallowingfolderstakesprecedenceoverallowingthem.Ifyouallowafolderthat isasubfolderofadisallowedfolder,thesubfolderisstilldisallowed. 11 ClickApplyNow. AllowingSpecificDashboardWidgets IfyourusershaveSnowLeopardorlaterinstalled,youcanpreventthemfromopening unapprovedDashboardwidgetsbycreatingalistofapprovedwidgets(whichcan includewidgetsincludedwithSnowLeopardandthird-partywidgets).Toapprove third-partywidgets,youmustbeabletoaccessthemfromyourserver. TheDashboardwidgetsincludedwithSnowLeopardServercanbetrusted.However, userscaninstallthird-partyDashboardwidgetswithoutauthenticating.Toprotect systemsagainstunauthorizeduse,allowuserstouseonlytrustedthird-party Dashboardwidgets. Chapter19SecuringClientConfigurationManagementServices 287 Note:Becausecodesigningisnotsupported,userscanbypassrestrictionsto Dashboardwidgets.Therefore,implementamechanismtoregularlycheckavailable Dashboardwidgetstoensurepolicycompliance. ToallowspecificDashboardwidgets: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickApplicationsandthenclickWidgets. 5 SetthemanagementsettingtoAlways. 6 Select“AllowonlythefollowingDashboardwidgetstorun.” 7 Toallowspecificwidgets,clicktheAdd(+)button,selectthewidget’s.wdgtfile,and thenclickAdd. ThewidgetsincludedwithSnowLeopardarein/Library/Widgets. 8 Topreventusersfromopeningspecificwidgets,selectthewidgetandclickthe Remove(–)button. 9 ClickApplyNow. DisablingFrontRow WithWorkgroupManager,youcandisableFrontRow. TodisableFrontRow: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickApplicationsandthenclickFrontRow. 5 SetthemanagementsettingtoAlways. 6 DeselectAllowFrontRow. 7 ClickApplyNow. 288 Chapter19SecuringClientConfigurationManagementServices Fromthecommandline: # # # # # Securing Client Configuration Management Services ================================================= If the intended target is a client system, the target for the dscl commands should be "/LDAPv3/127.0.0.1". If the management target is the server itself, the target should be ".". # Disable Front Row: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.frontrow PreventActivation always -bool 1 AllowingLegacyUserstoOpenApplicationsandFolders TocontroluseraccesstoapplicationsinTigerorearlier,you:  Provideaccesstoasetofapprovedapplicationsthatuserscanopen  Preventusersfromopeningasetofunapprovedapplications Youcanalsosetoptionstofurthercontroluseraccesstoapplications. Whenusershaveaccesstolocalvolumes,theycanaccessapplicationsonthe computer’slocalharddisk.Ifyoudon’twanttoallowthis,disablelocalvolumeaccess. Applicationsusehelperapplicationsfortaskstheycan’tcompleteindependently.For example,ifausertriestoopenaweblinkinamailmessage,themailapplicationmight needtoopenawebbrowsertodisplaythewebpage. Disallowinghelperapplicationsimprovessecuritybecauseanapplicationcan designateanyotherapplicationasahelperapplication.However,youmightwantto includecommonhelperapplicationsintheapprovedapplicationslist.Thisavoids problemssuchasusersbeingunabletoopenandviewmailcontentorattachedfiles. Occasionally,applicationsortheoperatingsystemmightrequiretheuseofUNIXtools, suchasQuickTimeImageConverter.Thesetoolscan’tbeaccesseddirectly,and generallyoperateinthebackgroundwithouttheuser’sknowledge.Ifyoudisallow accesstoUNIXtools,someapplicationsmightnotwork. AllowingUNIXtoolsenhancesapplicationcompatibilityandefficientoperation,but candecreasesecurity. Ifyoudon’tmanageApplicationssettingsforcomputersrunningSnowLeopardor later,Legacysettingsareused. Chapter19SecuringClientConfigurationManagementServices 289 Tosetupalistofaccessibleapplications: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickApplicationsandthenclickLegacy. 5 SetthemanagementsettingtoAlways. 6 Select“Usercanonlyopentheseapplications”or“Usercanopenallapplications exceptthese.” 7 Additemstoorremoveitemsfromthelist. Toselectmultipleitems,holddowntheCommandkey. 8 Toallowaccesstoapplicationsstoredontheuser’slocalharddisk,select“Usercanalso openallapplicationsonlocalvolumes.” 9 Toallowhelperapplications,select“Allowapprovedapplicationstolaunchnonapprovedapplications.” 10 ToallowuseofUNIXtools,select“AllowUNIXtoolstorun.” 11 ClickApplyNow. Fromthecommandline: # Setting up a list of accessible applications # -------------------------------------------# Allow access to applications stored on the user’s local hard disk: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess OpenItemsInternalDrive always -bool 1 # Allow helper applications: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess ApprovedAppLaunchesOthers always -bool 1 # Allow UNIX tools: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess AllowUnbundledApps always -bool 1 290 Chapter19SecuringClientConfigurationManagementServices ManagingDockPreferences Youcancustomizetheuser’sDocktodisplayspecificapplications.Thishelpsyouguide theusertowardusingrecommendedapplications. YoucanalsoadddocumentsandfolderstotheDock.Addingspecific,required networkfolderstotheDockhelpspreventtheuserfromnavigatingthroughyour networkhierarchy.Thisalsohelpspreventthemfrommisusingtheserver. TomanageDockpreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickDockandthenclickDockDisplay. 5 SetthemanagementsettingtoOnceorAlways. 6 DragtheDockSizeslidertomaketheDocksmallerorlarger. 7 IfyouwantitemsintheDocktobemagnifiedwhenausermovesthepointerover them,selectMagnificationandthenadjusttheslider. MagnificationisusefulifyouhavemanyitemsintheDock. 8 Fromthe“Positiononscreen”radiobuttons,selectwhethertoplacetheDockonthe left,right,orbottomofthedesktop. 9 Fromthe“Minimizeusing”pop-upmenu,chooseaminimizingeffect. 10 Ifyoudon’twanttouseanimatediconsintheDockwhenanapplicationopens, deselect“Animateopeningapplications.” 11 Ifyoudon’twanttheDocktobevisibleallthetime,select“Automaticallyhideand showtheDock.” WhentheusermovesthepointertotheedgeofthescreenwheretheDockislocated, theDockappears. 12 ClickApplyNow. Chapter19SecuringClientConfigurationManagementServices 291 Fromthecommandline: # Managing Dock Preferences # ------------------------# Set Dock hiding sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohideimmutable always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide always -bool 1 ManagingEnergySaverPreferences EnergySaverpreferencesettingshelpyousaveenergyandbatterypowerbymanaging wake,sleep,andrestarttimingforserversandclientcomputers.Youcanonlymanage EnergySaverpreferencesforcomputerlists. Whenclientcomputersgotosleep,theybecomeunmanaged.Donotenablesleep modeforclientcomputers. TomanageEnergySaverpreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectcomputersorcomputergroups. 4 ClickEnergySaverandthenclickDesktop. 5 FromtheOSpop-upmenu,chooseMacOSXandsetthemanagementsetting toAlways. 6 Toadjustsleepsettings,chooseSleepfromtheSettingspop-upmenuandmovethe “Putthecomputertosleepwhenitisinactivefor”slidertoNever. 7 FromtheOSpop-upmenu,chooseSnowLeopardServerandsetthemanagement settingtoAlways. 8 FromtheSettingspop-upmenu,chooseSleepandmovethe“Putthecomputerto sleepwhenitisinactivefor”slidertoNever. 9 ClickPortable. 10 FromthePowerSourcepop-upmenu,chooseAdapterandsetthemanagement settingtoAlways. 11 FromtheSettingspop-upmenu,chooseSleepandmovethe“Putthecomputerto sleepwhenitisinactivefor”slidertoNever. 292 Chapter19SecuringClientConfigurationManagementServices 12 FromthePowerSourcepop-upmenu,chooseBatteryandsetthemanagement settingtoAlways. 13 FromtheSettingspop-upmenu,chooseSleepandmovethe“Putthecomputer tosleepwhenitisinactivefor”slidertoNever. 14 ClickSchedule. 15 FromtheOSpop-upmenu,chooseMacOSXandsetthemanagementsetting toAlways. 16 Deselect“Startupthecomputer.” 17 FromtheOSpop-upmenu,chooseSnowLeopardServerandsetthemanagement settingtoAlways. 18 Deselect“Startupthecomputer.” 19 ClickApplyNow. ManagingFinderPreferences YoucancontrolaspectsofFindermenusandwindowstoimproveorcontrolworkflow. Youcanpreventusersfromburningmediaorfromejectingdisks,andfromconnecting toremoteservers.WhenusedwithDockpreferences,youcanguidetheuser experience. TomanageFinderpreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickOverview. 5 ClickFinder,clickthePreferencestab,andthenselectAlways. 6 Select“UsenormalFinder.” SimpleFinderisbestusedforcomputersinkiosksituations. SimpleFinderremovestheabilitytouseaFinderwindowtoaccessapplicationsor modifyfiles.ThislimitsuserstoaccessingonlywhatisintheDock.IfyouenableSimple Finder,userscannotmountnetworkvolumes.WithSimpleFinderenabled,users cannotcreatefoldersordeletefiles. 7 Deselect“Harddisks,”“Removablemedia(suchasCDs),”and“Connectedservers.” Bydeselectingthese,youhelppreventusersfromcasuallynavigatingthroughlocal andnetworkfilesystems. Chapter19SecuringClientConfigurationManagementServices 293 8 Select“Alwaysshowfileextensions.” Important:Operatingsystemsusefileextensionsasonemethodofidentifyingtypes offilesandtheirassociatedapplications.Usingonlyfileextensionstocheckthesafety ofincomingfilesleavesyoursystemvulnerabletoattacksbyTrojans.ATrojanisa maliciousapplicationthatusescommonfileextensionsoriconstomasqueradeas adocumentormediafile(suchasaPDF,MP3,orJPEG). Forfurtherexplanationandguidanceonhandlingmailattachmentsandcontent downloadedfromtheinternet,seeKBaseArticle108009:Safetytipsforhandlingemail attachmentsandcontentdownloadedfromtheInternetatdocs.info.apple.com/ article.html?artnum=108009. 9 ClickCommandsandselectAlways. 10 DeselectConnecttoServer,GotoiDisk,andGotoFolder. Insteadofallowingtheusertochoosewhichserversorfolderstoload,addapproved servers. 11 DeselectEjectandBurnDisc. Disallowingexternalmediagivesyoumorecontrol. 12 DeselectRestartandShutDown. Bydisallowingrestartingandshuttingdownclientcomputers,youhelpensurethat yourcomputersareavailabletootherusers. 13 ClickApplyNow. 294 Chapter19SecuringClientConfigurationManagementServices Fromthecommandline: # Managing Finder Preferences # --------------------------# Manage Finder preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER AppleShowAllExtensions-immutable always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitBurn always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitConnectTo always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitEject always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitGoToFolder always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitGoToiDisk always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ShowHardDrivesOnDesktop-immutable always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ShowMountedServersOnDesktop-immutable always -bool sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ShowRemovableMediaOnDesktop-immutable always -bool sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER AppleShowAllExtensions always -bool 1 com.apple.finder com.apple.finder com.apple.finder com.apple.finder com.apple.finder com.apple.finder com.apple.finder com.apple.finder 1 com.apple.finder 1 .GlobalPreferences ManagingLoginPreferences UseLoginpreferencestosetoptionsforuserlogin,toprovidepasswordhints,and tocontroltheuser’sabilitytorestartandshutdownthecomputerfromthelogin window.Youcanalsomountagroupvolumeorsetapplicationstoopenwhenauser logsin. ThetablebelowsummarizeswhatyoucandowithsettingsineachLoginpane. Loginpreferencepane Whatyoucancontrol Window Forcomputersandcomputergroupsonly:Theappearanceofthelogin windowsuchastheheading,message,whichusersarelistedifthe“Listof users”isspecified,andtheabilitytorestartorshutdown Options Forcomputersandcomputergroupsonly:Loginwindowoptionslike enablingpasswordhints,automaticlogin,console,fastuserswitching, inactivitylogout,disablingofmanagement,settingthecomputername tomatchthecomputerrecord,andexternalaccountlogin Access Forcomputersandcomputergroupsonly:Whocanlogin,iflocaluserscan useworkgroupsettings,andthecombinationandselectionof workgroups Chapter19SecuringClientConfigurationManagementServices 295 Loginpreferencepane Whatyoucancontrol Scripts Forcomputersandcomputergroupsonly:Ascripttorunduringloginor logoutandwhethertoexecuteordisabletheclientcomputer’sown LoginHookorLogoutHookscripts Items Accesstothegroupvolume,whichapplicationsopenautomaticallyfor theuser,andifuserscanaddorremoveloginitems Bymanagingscriptsettings,youcanhelpprotectyourusersfrommaliciousloginor logoutscriptsthatcouldbeusedtocompromisetheiraccountsintegrity. Youcanmanageloginwindowsettingstomakeitmoredifficultforintrudersto attempttologinaslegitimateusers. Youcanconfigureoptionstotrackmalicioususeractions. TomanageLoginpreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectuseraccounts. Toperformthestepsinvolvingapplyingscriptsandloginwindowsettings,select computersorcomputergroups. 4 ClickOverviewandclickLogin. 5 ClickItemsandselectAlways. Differentloginitemssettingsareavailabledependingonwhetheryou’remanaging OnceorAlways.Likeallmanagedpreferences,youshouldusetheAlwayssettingto ensurethatyoursettingsstayineffectpasttheuser’sfirstlogin. 6 Toloadapplicationsortomountagroupvolumeatstartup,clickAddtoopenadialog whereyoucanaddanapplicationorvolume. 7 Addtheapplicationsrequired,includingantivirusandfileintegritychecking applicationsrequiredbyyourorganization. 8 Deselect“Addnetworkhomesharepoint.” Insteadofautomaticallymountingsharepoints,theusershouldmountsharepoints asrequired. 9 Deselect“Usermayaddandremoveadditionalitems”and“UsermaypressShifttokeep itemsfromopening.” Deselectingtheseoptionshelpspreventtheuserfromloadingpotentiallymalicious applications.Italsohelpsensurethattheusercannotbypassloadingapplications requiredbyyourorganization. 296 Chapter19SecuringClientConfigurationManagementServices 10 ClickScriptsandselectAlways. 11 Unlessyourorganizationrequirestheuseofspecificloginorlogoutscripts,deselect LoginScriptandLog-OutScript,andthendeselect“Alsoexecutetheclientcomputer’s LoginHookscript,”and“Alsoexecutetheclientcomputer’sLogoutHookscript.” Torunloginandlogoutscripts,theclient’scomputermusthavealeveloftrustwiththe server.Thisleveloftrustisbasedonhowsecuretheclient’sconnectioniswiththe server.Byrequiringaleveloftrust,thisensuresthattheclientcomputerdoesnotrun scriptsfrommaliciousservers. Formoreinformationabouthowtoenabletheuseofloginandlogoutscripts,seethe UserManagementguide. 12 ClickWindowandselectAlways. 13 Select“LoginWindowmessage”andenterhelpdeskcontactinformationinthe adjacentfield. Donotenterinformationaboutthecomputer’stypicalusageorwhoitsusersare. 14 In“DisplayLoginWindowas,”select“Nameandpasswordtextfields.” Requiringthatusersknowtheiraccountnamesaddsalayerofsecurityandhelps preventintrudersfromcompromisingaccountswithweakpasswords. 15 Deselect“ShowRestartbuttonintheLoginWindow”and“ShowShutDownbuttonin theLoginWindow.” Preventingusersfromeasilyrestartingorshuttingdownthecomputerhelpsensure thatthecomputerisavailabletoallusers. 16 Deselect“Showpasswordhintafter3attemptstoenterapassword.” Passwordhintscanhelpmalicioususerscompromiseaccounts.Ifyouenablethis setting,setthepasswordhintperuseraccounttoinformationforyourorganization’s helpdesk. 17 Deselect“AutoLoginClientSetting.” EnablingthissettingallowsuserstoenableautomaticloginthroughSystem Preferences.Automaticloginbypassesallloginwindow-basedsecuritymechanisms. 18 Deselect“Allowuserstologinusing‘>console.’” EnablingthissettingallowstheusertobypasstheloginwindowandusetheDarwin console(command-lineinterface). 19 ClickOptionsandselectAlways. 20 DeselectEnableFastUserSwitching. FastUserSwitchingallowsmultipleuserstologinsimultaneously.Thismakesitdifficult totrackuseractionsandallowsuserstorunmaliciousapplicationsinthebackground whileanotheruserisactivelyusingthecomputer. Chapter19SecuringClientConfigurationManagementServices 297 21 Deselect“Logoutusersafter#minutesofinactivity.” Ifyouselect“Logoutusersafter#minutesofinactivity,”enablepassword-protected screensaversincaseadialogpreventsloggingout. 22 ClickApplyNow. Fromthecommandline: # Managing Login Preferences # -------------------------# Manage login preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow LoginwindowText always -string "$LOGIN_WINDOW_MESSAGE" sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow mcx_UseLoginWindowText always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow RestartDisabled always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow ShutDownDisabled always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow SHOWFULLNAME always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow DisableConsoleAccess always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences MultipleSessionEnabled always -bool 0 ManagingMediaAccessPreferences MediaAccesspreferencesletyoucontrolsettingsfor,andaccessto,CDs,DVDs,the localharddisk,andexternaldisks(forexample,floppydisksandFireWiredrives). Disableunnecessarymedia.Ifuserscanaccessexternalmedia,itprovides opportunitiesforperformingmaliciousactivities.Forexample,theycantransfer maliciousfilesfromthemediatotheharddisk.Anotherexampleisifanintruder gainstemporaryaccesstothecomputer,heorshecanquicklytransferconfidential filestothemedia. Carefullyweightheadvantagesanddisadvantagesofdisablingmedia.Forexample, disablingexternaldiskspreventsyoufromusingUSBflashmemorydrivesforstoring keychains.Formoreinformation,see“StoringCredentialsinKeychains”onpage88. 298 Chapter19SecuringClientConfigurationManagementServices TomanageMediaAccesspreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickOverviewandclickMediaAccess. 5 SelectAlwaysandclickDiscMedia. 6 Unlessyoumustusediscmedia,deselectAllowforCDs&CD-ROMs,DVDs,and RecordableDiscs. Toenablediscmedia,selectbothAllowandRequireAuthenticationforthatdiscmedia. 7 ClickOtherMedia. 8 Unlessyoumustusemedia,deselectAllowforInternalDisksandExternalDisks. Ifyoumustenablemedia,selectAllowandRequireAuthenticationforthatdiscmedia. SelectRead-Onlyifyoudonotneedtosavefilestothatmedia. 9 Select“Ejectallremovablemediaatlogout.” Thishelpspreventusersfromforgettingtheyhavemediainsertedinthecomputer. 10 ClickApplyNow. ManagingMobilityPreferences YoucanuseMobilitypreferencestoenableandconfiguremobileaccountsforusers duringtheirnextlogin. IfyourcomputershaveSnowLeopardorlater,youcanalsoencryptthecontentsofthe mobileaccount’sportablehomedirectory,restrictitssize,chooseitslocation,orsetan expirationdateontheaccount. Mobileaccountsincludeanetworkhomefolderandalocalhomefolder.Byhaving thesetwotypesofhomefolders,clientscantakeadvantageoffeaturesavailablefor localandnetworkaccounts.Youcansynchronizespecificfoldersofthesetwohome folders,creatingaportablehomedirectory. Avoidusingmobileaccounts.Whenyouaccessamobileaccountfromaclient computerandcreateaportablehomedirectory,youcreatealocalhomefolder onthatclientcomputer.Ifyouaccessthemobileaccountfrommanycomputers, creatingportablehomedirectoriesoneachcomputer,yourhomefolder’sfiles arestoredonseveralcomputers.Thisprovidesadditionalavenuesofattack. Chapter19SecuringClientConfigurationManagementServices 299 Ifyouusemobileaccounts,donotcreateportablehomedirectoriesoncomputers thatarephysicallyinsecure,orthatyouinfrequentlyaccess.EnableFileVaultonevery computerwhereyoucreateportablehomedirectories.Formoreinformationabout enablingFileVault,see“SecuringSecurityPreferences”onpage122. TomanageMobilitypreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectauseraccount,groupaccount,computer,orcomputergroup. 4 ClickOverview. 5 ClickMobility,clickAccountCreation,andthenclickCreation. 6 SetthemanagementsettingtoAlways. 7 Todisablemobileaccounts,deselect“Createmobileaccountwhenuserlogsinto networkaccount”;toenablemobileaccounts,selectthisoption. 8 Select“Requireconfirmationbeforecreatingamobileaccount.” Ifthisisdeselected,aportablehomedirectoryiscreatedeverytimetheuseraccesses adifferentcomputer. 9 Select“withsyncingoff.” 10 ClickRules,clickLogin&LogoutSync,andselectAlways. 11 Inthe“Syncatloginandlogout”list,clicktheAdd(+)buttonandenterthepathsof folderslocatedintheuser’shomefolder. Alternatively,clickthebrowse(…)buttontoopenadialogwhereyoucanchoose folderstoaddtothelistandthenaddfoldersthatdonotcontainconfidentialfiles. 12 Inthe“Skipitemsthatmatchanyofthefollowing”list,clicktheAdd(+)buttonand enterthepathsoffolderslocatedintheuser’shomefolder. Alternatively,clickthebrowse(…)buttontoopenadialogwhereyoucanchoose folderstoaddtothelistandthenaddfoldersthatcontainconfidentialfiles. 13 Deselect“Mergewithuser’ssettings.” Bydeselectingthissetting,thefoldersyousynchronizereplacethosechosenby theuser. 14 ClickBackgroundSync.SelectAlways. 15 Inthe“Syncatloginandlogout”list,clicktheAdd(+)buttonandenterthepathsof folderslocatedintheuser’shomefolder. Alternatively,clickthebrowse(…)buttontoopenadialogwhereyoucanchoose folderstoaddtothelistandthenaddfoldersthatdonotcontainconfidentialfiles. 300 Chapter19SecuringClientConfigurationManagementServices 16 Inthe“Skipitemsthatmatchanyofthefollowing”list,clicktheAdd(+)buttonand enterthepathsoffolderslocatedintheuser’shomefolder. Alternatively,clickthebrowse(…)buttontoopenadialogwhereyoucanchoose folderstoaddtothelistandthenaddfoldersthatcontainconfidentialfiles. 17 Deselect“Mergewithuser’ssettings.” Bydeselectingthissetting,thefoldersyouchoosetosynchronizereplacethosechosen bytheuser. 18 ClickApplyNow. ManagingNetworkPreferences Networkpreferencesletyouselectandconfigureproxyserversthatcanbeusedby usersandgroups.Youcanalsospecifyhostsanddomainstobypassproxysettings. Usingproxyserverscontrolledbyyourorganizationcanhelpimprovesecurity.Youcan alsodecreasetheperformancehitfromusingproxiesifyouselectivelybypasstrusted hostsanddomains(likechoosinglocalresourcesortrustedsites). YoucanalsodisableInternetSharing,Airport,orBluetooth.Disablingthesecan improvesecuritybyremovingavenuesforattack. TomanageNetworkpreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickOverview. 5 ClickNetworkandthenclickProxies. 6 SetthemanagementsettingtoAlways. 7 Selectatypeofproxyserverandenterthenetworkaddressandportofaproxyserver controlledbyyourorganization. 8 IfyouselectAutomaticProxyConfiguration,entertheURLofyourautomaticproxy configuration(.pac)file. Chapter19SecuringClientConfigurationManagementServices 301 9 Inthe“BypassproxysettingsfortheseHosts&Domains”field,entertheaddresses ofthehostsanddomainsthatyouwantuserstoconnecttodirectly. Toentermultipleaddress,separatethesubnetmaskswithnewlines,spaces, semicolons,orcommas.Thereareseveralwaystoenteraddresses:  Asubdomainorfullyqualifieddomainname(FQDN)ofatargetserver,suchas server1.apple.comorstore.apple.com.  ThespecificIPaddressofaserver,suchas192.168.2.1.  Adomainname,suchasapple.com.Thisbypassesapple.com,butnotsubdomains, suchasstore.apple.com.  Anwebsite,includingsubdomains,suchas*.apple.com.  AsubnetinClasslessInter-DomainRouting(CIDR)notation.Forexample,toadda subnetofIPaddressesfrom192.168.2.0to192.168.2.255,namethatview192.168.2.0/ 24.ForadescriptionofsubnetmasksandCIDRnotation,seetheNetworkServices Administrationguide. 10 DeselectUsePassiveFTPMode(PASV). 11 ClickApplyNow. Fromthecommandline: # Managing Network Preferences # ---------------------------# Manage network preferences: sudo networksetup -setwebproxystate Ethernet on sudo networksetup -setwebproxy Ethernet "http://$SERVER" 8008 sudo networksetup -setpassiveftp Ethernet on ManagingParentalControlsPreferences ParentalControlspreferencesallowyoutohideprofanityinDictionary,limitaccess towebsites,orsettimelimitsorotherconstraintsoncomputerusage.Tomanage ParentalControlspreferences,computersmusthaveSnowLeopardorlater. Note:Parentalcontroldoesnotapplytodirectoryusers.Itappliestoonlylocalusers. ThetablebelowdescribesParentalControlssettings. ParentalControlspreference pane 302 Whatyoucancontrol ContentFiltering WhetherprofanityisallowedinDictionary,andlimitationson whichwebsitesuserscanview TimeLimits Howlongandwhenuserscanlogintotheiraccounts Chapter19SecuringClientConfigurationManagementServices HidingProfanityinDictionary YoucanhideprofanetermsfromtheDictionaryapplicationincludedwith SnowLeopardorlater.Whenyouhideprofaneterms,entirelyprofanetermsare removedfromsearchresults.Ifyousearchforaprofanetermthathasanalternate nonprofanedefinition,Dictionaryonlydisplaysthenonprofanedefinition. TohideprofanityinDictionary: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickParentalControlsandthenclickContentFiltering. 5 SetthemanagementsettingtoAlways. 6 Select“HideprofanityinDictionary.” 7 ClickApplyNow. Fromthecommandline: # Managing Parental Control Preferences # ------------------------------------# Hide profanity: sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.Dictionary parentalControl always -bool 1 PreventingAccesstoAdultWebsites YoucanuseWorkgroupManagertohelppreventusersfromvisitingadultwebsites. Youcanalsoblockaccesstospecificwebsiteswhileallowinguserstoaccessother websites.Youcanallowordenyaccesstospecificsubfoldersinthesamewebsite. Insteadofpreventingaccesstospecificwebsites,youcanallowaccessonlytospecific websites.Formoreinformation,see“AllowingAccessOnlytoSpecificWebsites”on page304. Topreventaccesstowebsites: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. Chapter19SecuringClientConfigurationManagementServices 303 4 ClickParentalControlsandthenclickContentFiltering. 5 SetthemanagementsettingtoAlways. 6 Select“Limitaccesstowebsitesby”andchoose“tryingtolimitaccesstoadult websites.” 7 Toallowaccesstospecificsites,clicktheAdd(+)buttonnexttothe“Alwaysallowsites attheseURLs”listandthenentertheURLofthesiteyouwanttoallow. 8 Toblockaccesstospecificsites,clicktheAdd(+)buttonnexttothe“Neverallowsites attheseURLs”listandthenentertheURLofthesiteyouwanttoblock. Toalloworblockasite,includingallcontentstoredinitssubfolders,enterthehighest levelURLofthesite. Forexample,allowing“www.example.com“letstheuserviewallpagesin www.example.com.However,blocking“www.example.com/banned/“preventstheuser fromviewingcontentstoredinwww.example.com/banned/,includingallsubfoldersin /banned/,butitallowstheusertoviewpagesinwww.example.comthatarenotin /banned/. 9 ClickApplyNow. AllowingAccessOnlytoSpecificWebsites YoucanuseWorkgroupManagertoallowaccessonlytospecificwebsiteson computerswithSnowLeopardorlater. Iftheusertriestovisitawebsitethatheorsheisnotallowedtoaccess,theweb browserloadsawebpagethatlistsallsitestheuserisallowedtoaccess. Tohelpdirectuserstoallowedsites,theuser’sbookmarksarereplacedbywebsitesyou allowaccessto.Thebookmarkscreatedbyallowingaccesstowebsitesarecalled managedbookmarks. IftheusersyncsbookmarkswithMobileMe,thefirsttimetheusersyncsheorsheis askedifMobileMeshouldmergeorreplaceitsbookmarkswiththemanaged bookmarks.Iftheusermergesbookmarks,theMobileMebookmarkswillincludethe originalMobileMebookmarksandthemanagedbookmarks.Iftheuserreplaces bookmarks,theMobileMebookmarksincludeonlythemanagedbookmarks. YoucanalsouseWorkgroupManagertoblockspecificwebsitesinsteadofblockingall websites.Formoreinformation,see“PreventingAccesstoAdultWebsites”onpage303. Toallowaccessonlytospecificwebsites: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 304 Chapter19SecuringClientConfigurationManagementServices 3 Selectusers,groups,computers,orcomputergroups. 4 ClickParentalControlsandthenclickContentFiltering. 5 SetthemanagementsettingtoAlways. 6 Select“Limitaccesstowebsitesby”andchoose“allowingaccesstothefollowing websitesonly.” 7 Useoneofthefollowingmethodstoaddwebsitesthatyouwanttoallowaccessto:  InSafari,openthesiteandthendragtheiconfromtheaddressbar(ofSafari)tothe list.  InSafari,chooseBookmarks>ShowAllBookmarks,thendragiconsfromthe bookmarklisttothelistinWorkgroupManager.  Ifyouhavea.weblocfileofthewebsiteyouwanttoallowaccessto,dragthefileinto thelist.  Ifyoudon’thavea.weblocfileofthewebsiteyouwanttoallowaccessto,clickthe Add(+)buttonandentertheURLofthewebsiteyouwanttoallow. Inthe“Websitetitle”field,namethewebsite.IntheAddressfield,enterthehighest levelURLofthesite. Forexample,allowing“www.example.com“letstheuserviewallpagesin www.example.com.Allowing“www.example.com/allowed/“letstheuserview contentstoredinwww.example.com/allowed/,includingallsubfoldersin/allowed/, butnotfolderslocatedoutsideof/allowed/. 8 Tocreatefolderstoorganizewebsites,clicktheNewFolder(folder)button,then double-clickthefoldertorenameit. ToaddURLswithinafolder,openthefolder’sdisclosuretriangle,selectthefolder,and thenclicktheAdd(+)button. Tocreateasubfolder,openafolder’sdisclosuretriangle,selectthefolder,andthenclick theNewFolder(folder)button. 9 TochangethenameorURLofawebsite,double-clickthewebsiteentry;then,to renameafolder,double-clickthefolderentry. 10 Torearrangewebsitesorfolders,dragthewebsitesorfoldersinthelist. 11 ClickApplyNow. Chapter19SecuringClientConfigurationManagementServices 305 SettingTimeLimitsandCurfewsonComputerUsage YoucanuseWorkgroupManagertosettimelimitsandcurfewsforcomputerusageon computerswithSnowLeopardorlater. Ifyousetatimelimitforcomputerusage,userswhomeettheirdailytimelimitscan’t loginuntilthenextdaywhentheirquotaisreset.Youcansetdifferenttimelimitsfor weekdays(MondaythroughFriday)andweekends(SaturdayandSunday).Thetime limitcanrangefrom30minutesto8hours. Ifyousetacurfew,userscan’tloginduringthedaysandtimesyouspecify.Ifauseris loggedinwhentheircurfewstarts,theuserisimmediatelyloggedout.Youcanset differenttimesforweekdays(denyingaccessSundaynightsthroughThursdaynights) andweekends(FridayandSaturdaynights). Tosettimelimitsandcurfews: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickParentalControlsandthenclickTimeLimits. 5 SetthemanagementsettingtoAlwaysandthenselect“Enforcelimits.” 6 Tosettimelimits,clickAllowances,thenunderWeekdaysorWeekendsselect“Limit computeruseto”anddragtheslidertoamountoftimeyouwanttolimituse. 7 Tosetcurfews,clickCurfews,select“SundaythroughThursday”or“Fridayand Saturday,”andthenentertherangeoftimewhenyouwanttopreventcomputer access. Youcanhighlightthetimeandreplaceitwithanewtime,oryoucanhighlightthe timeandclicktheupordownbuttonsnexttothetime. 8 ClickApplyNow. 306 Chapter19SecuringClientConfigurationManagementServices ManagingPrintingPreferences Printerpreferencesletyoucontrolwhichprinterstheusercanaccess.Ideally,reduce theprinterlisttoonlythoseprinterstheuserneedstoaccess. Youshouldrequirethattheuserauthenticateasanadministratorbeforeprinting. TomanagePrintingpreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickPrintingandthenclickPrinters. 5 SetthemanagementsettingtoAlways. 6 ClickPrinterList. 7 IntheAvailablePrinterslist,selectaprinterandclickAdd;thenaddprintersthatyou wanttheusertoaccess. 8 Toaddadditionalprinterstotheuser’sprinterlist,clickOpenPrinterSetup. Formoreinformation,seePrinterSetupUtilityHelp. 9 Deselect“Allowusertomodifytheprinterlist.” 10 Deselect“Allowprintersthatconnectdirectlytouser’scomputer.” Ifyouselectthissetting,select“Requireanadministratorpassword.” 11 ClickAccess. 12 Selectaprinter,andselect“Requireanadministratorpassword.” RepeatforallprintersintheUser’sPrinterList. 13 ClickApplyNow. Fromthecommandline: # Managing Printing Preferences # ----------------------------# Manage printing preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting RequireAdminToAddPrinters always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting AllowLocalPrinters always -bool 0 Chapter19SecuringClientConfigurationManagementServices 307 ManagingSoftwareUpdatePreferences WithSnowLeopardServer,youcancreateyourownSoftwareUpdateservertocontrol updatesthatareappliedtospecificusersorgroups.Thisishelpfulbecauseitreduces externalnetworktrafficwhilealsoprovidingmorecontroltoserveradministrators. ByconfiguringaSoftwareUpdateserver,serveradministratorscanchoosewhich updatestoprovide. TomanageSoftwareUpdatepreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickSoftwareUpdate. 5 SetthemanagementsettingtoAlways. 6 SpecifyaURLintheformhttp://updateserver.example.com:8088/index.sucatalog. 7 ClickApplyNow. Fromthecommandline: # Managing Software Update Preferences # -----------------------------------# Manage Software Update preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.SoftwareUpdate CatalogURL always -string "http:/ $SERVER:8088/index.sucatalog" ManagingAccesstoSystemPreferences YoucanspecifywhichpreferencestoshowinSystemPreferences.Ifausercansee apreference,itdoesnotmeantheusercanmodifythatpreference.Somepreferences, suchasStartupDiskpreferences,requireanadministratornameandpasswordbefore ausercanmodifyitssettings. ThepreferencesthatappearinWorkgroupManagerarethoseinstalledonthe computeryou’reusing.Ifyouradministratorcomputerismissingpreferencesthat youwanttodisableonclientcomputers,installtheapplicationsrelatedtothose preferencesoruseWorkgroupManageronacomputerthatincludesthosepreferences. 308 Chapter19SecuringClientConfigurationManagementServices TomanageSystemPreferencespreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickSystemPreferences. 5 SetthemanagementsettingtoAlways. 6 ClickShowNone. 7 SelectthefollowingitemstoshowinSystemPreferences:        Appearance SelectDisplays SelectDock SelectExpose&Spaces SelectKeyboard&Mouse SelectSecurity SelectUniversalAccess 8 ClickApplyNow. ManagingUniversalAccessPreferences UniversalAccesssettingscanhelpimprovetheuserexperience.Forexample,ifauser hasdifficultyusingacomputerorwantstoworkinadifferentway,youcanchoose settingsthatenabletheusertoworkmoreeffectively. MostUniversalAccesssettingsdonotnegativelyimpactsecurity.However,some settingsallowotheruserstomoreeasilyseewhatyou’redoing. TomanageUniversalAccesspreferences: 1 InWorkgroupManager,clickPreferences. 2 Makesurethecorrectdirectoryisselectedandyouareauthenticated. Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelock andenterthenameandpasswordofadirectorydomainadministrator. 3 Selectusers,groups,computers,orcomputergroups. 4 ClickUniversalAccess. 5 ClickSeeingandthensetthemanagementsettingtoAlways. Chapter19SecuringClientConfigurationManagementServices 309 6 DeselectTurnonZoom. PressingandholdingtheOption,Command,and+keyswillzoomin,whilepressing andholdingtheOption,Command,and-keyswillzoomout. 7 ClickKeyboardandselectAlways. 8 SelectStickyKeysOffanddeselect“Showpressedkeysonscreen.” IfStickyKeysareonandyouselect“Showpressedkeysonscreen,”modifierkeyssuch asControl,Option,Command,andShiftaredisplayedonscreen.Otherkeysarenot displayed. 9 ClickApplyNow. Fromthecommandline: # Managing Universal Access Preferences # ------------------------------------# Manage Universal Access preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKey always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyBeepOnModifier always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyShowWindow always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewDriver always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewShowPreview always -bool 0 EnforcingPolicy Whenyouimplementapolicyforcontrollingtheuserexperiencebyremovingfiles (fromexample,Kernelextensions)orbymanaginguser-controllablesettings(for example,screensaversettings),youshouldalsoimplementamechanismfor reenforcingthepolicyincasethedeletedfilesarerestoredorthesettingsare changedbyusersorbysoftwareupdates. Usingmcx,cron,orlaunchdjobs,createscriptsthatrunduringstartupandshutdown andaftersoftwareupdatestoreenforcepolicyincaseofviolations. Toprotectthepolicyenforcementsscripts,compilethemintobinaryformatsousers can’tmodifythem. 310 Chapter19SecuringClientConfigurationManagementServices 20 SecuringNetBootService 20 UsethischaptertolearnhowtosecureNetBootservice. SecurelyconfiguringclientconfigurationmanagementthroughNetBoothelps standardizetheclientsacrossyournetworkandprovidesasecuredeployment. NetworkcomputerscanbemanagedthroughNetBoot,whichdecreasesmaintenance timeandcanhelppreventmalicioussoftwareattacks. SecuringNetBootService ByusingNetBootyoucanhaveyourclientcomputersstartupfromastandardized SnowLeopardconfigurationsuitedtotheirspecifictasks.Becausetheclientcomputers startupfromthesameimage,youcanquicklyupdatetheoperatingsystemforan entiregroupbyupdatingasinglebootimage. Abootimageisafilethatlooksandactslikeamountablediskorvolume.NetBoot imagescontainthesystemsoftwareneededtoactasastartupdiskforclient computersoverthenetwork. Aninstallationimageisanimagethatstartsuptheclientcomputerlongenoughto installsoftwarefromtheimage.Theclientcanthenstartupfromitsownharddrive. Bootimages(NetBoot)andinstallationimages(NetInstall)aredifferentkindsofdisk images.Themaindifferenceisthata.dmgfileisaproperdiskimageanda.nbifolderis abootablenetworkvolume(whichcontainsa.dmgdiskimagefile).Diskimagesare filesthatbehavelikediskvolumes. FormoreinformationaboutconfiguringNetBootservice,seetheSystemImagingand SoftwareUpdateAdministrationguide. DisablingNetBootService IfyourserverisnotaNetBootserver,disabletheNetBootservice.Disablingtheservice preventspotentialvulnerabilitiesonyourcomputer.TheNetBootserviceisdisabledby default,butverificationisrecommended. 311 ThebestwaytopreventclientsfromusingNetBootontheserveristodisableNetBoot serviceonallEthernetports. TodisableNetBoot: 1 OpenServerAdminandconnecttotheserver. 2 SelectNetBootintheComputers&Serviceslist. 3 ClickGeneral. 4 DisableNetBootonallports. 5 ClickStopNetBoot. Fromthecommandline: # # # # # --------------------------------------------------------------------Securing NetBoot Service --------------------------------------------------------------------Disable NetBoot. # --------------------------sudo serveradmin stop netboot LimitNetBootServiceClients IfNetBootserviceisrequired,itshouldbeprovidedoveratrustednetwork. SecurelyconfigureNetBootservicewithrestrictionsontheportsituses,theimages available,andclientaccesstotheservice.NetBootserviceusesAppleFilingProtocol (AFP),NetworkFileSystem(NFS),DynamicHostConfigurationProtocol(DHCP),Web, andTrivialFileTransferProtocol(TFTP)services,dependingonthetypesofclientsyour aretryingtoboot.Youmustalsosecurelyconfigureservicestoreducenetwork vulnerabilities. NetBootservicecreatessharepointsforstoringNetBootandNetInstallimagesin/ Library/NetBoot/oneachvolumeyouenableandnamesthemNetBootSPn,wherenis 0forthefirstsharepointandincreasesby1foreachextrasharepoint. Forexample,ifyoudecidetostoreimagesonthreeserverdisks,NetBootservicesets upthreesharepointsnamedNetBootSP0,NetBootSP1,andNetBootSP2. YoucanrestrictaccesstoNetBootserviceonacase-by-casebasisbylistingthe hardwareaddresses(alsoknownastheEthernetorMACaddresses)ofcomputersthat youwanttopermitordenyaccessto. ThehardwareaddressofaclientcomputerisaddedtotheNetBootFilteringlistwhen theclientstartsupusingNetBootandis,bydefault,enabledtouseNetBootservice. Youcanspecifyotherservices. 312 Chapter20SecuringNetBootService TolimitNetBootclients: 1 OpenServerAdminandconnecttotheserver. 2 SelectNetBootintheComputers&Serviceslist. 3 ClickSettings,thenclickFilters. NetBootservicefilteringletsyourestrictaccesstotheservicebasedontheclient’s Ethernethardware(MAC)address.Aclient’saddressisaddedtothefilterlistthefirst timeitstartsupfromanimageontheserverandisallowedaccessbydefault. 4 Select“EnableNetBoot/DHCPfiltering.” 5 Select“Allowonlyclientslistedbelow(denyothers)”or“Denyonlyclientslistedbelow (allowothers).” 6 UsetheAdd(+)buttontoenterthecanonicalornoncanonicalformofahardware addresstothefilterlist,orusetheDelete(–)buttontoremoveaMACaddressfromthe filterlist. TolookupaMACaddress,entertheclient’sDNSnameorIPaddressintheHostName fieldandclickSearch. TofindthehardwareaddressforacomputerusingSnowLeopard,lookontheTCP/IP paneofthecomputer’sNetworkpreferenceorrunAppleSystemProfiler. 7 ClickOK. 8 ClickSave. Note:YoucanalsorestrictaccesstoaNetBootimagebyselectingthenameofthe imageintheImagespaneoftheNetBootservicesettingsinServerAdmin,clickingthe Edit(/)button,andprovidingtherequiredinformation. Fromthecommandline: # # Securely configure NetBoot. # --------------------------sudo defaults rename /etc/bootpd allow_disabled allow Chapter20SecuringNetBootService 313 ViewingNetBootServiceLogs NetBootserviceloggingisimportanttosecurity.Withlogs,youcanmonitorandtrack clientcommunicationtotheNetBootserver.TheNetBootservicelogis/var/log/ system.logandcanbeaccessedusingServerAdmin. ToviewNetBootservicelogs: 1 OpenServerAdminandconnecttotheserver. 2 SelectNetBootintheComputers&Serviceslist. 3 ClickLogstodisplaythecontentsofsystem.log. Fromthecommandline: # # View NetBoot service logs. # --------------------------sudo tail /var/log/system.log | grep bootpd 314 Chapter20SecuringNetBootService 21 SecuringSoftwareUpdateService 21 UsethischaptertolearnhowtosecureSoftwareUpdate service. YoucanprotectagainstattacksbyconfiguringaninternalSoftwareUpdateserver.This allowsyoutomaintainasecurenetworkbycontrollingwhatsoftwareupdatesare installedonyournetworkcomputers. DisablingSoftwareUpdateService Ifyourserverisnotintendedtobeasoftwareupdateserver,disabletheSoftware Updateservice.Disablingtheservicepreventspotentialvulnerabilitiesonyour computer.SoftwareUpdateserviceisdisabledbydefault,butverificationis recommended. TodisableSoftwareUpdate: 1 OpenServerAdminandconnecttotheserver. 2 SelectSoftwareUpdateintheComputers&Serviceslist. 3 ClickSettings. 4 ClickStopSoftwareUpdate. 5 ClickSave. Fromthecommandline: # --------------------------------------------------------------------# Securing Software Update Service # --------------------------------------------------------------------# Disable Software Update: sudo serveradmin stop swupdate 315 LimitingAutomaticUpdateAvailability SoftwareUpdateserviceoffersyouwaystomanageMacintoshsoftwareupdatesfrom Appleonyournetwork.Inanuncontrolledenvironment,usersmightconnecttoApple SoftwareUpdateserversatanytimeandupdateclientcomputerswithsoftwarethatis notapprovedbyyourITgroup. ByusinglocalSoftwareUpdateservers,yourclientcomputersaccessonlythesoftware updatesyoupermitfromsoftwareliststhatyoucontrol,givingyoumoreflexibilityin managingcomputersoftwareupdates. YoucanrestrictclientaccessinaSoftwareUpdateserverbydisablingautomatic mirror-and-enablefunctionsintheGeneralSettingspane.Youmanagespecificupdates intheUpdatespaneoftheSoftwareUpdateserver. Tospecifywhichupdatesareautomaticallyavailableassoftwareupdates: 1 OpenServerAdminandconnecttotheserver. 2 SelectSoftwareUpdateintheComputers&Serviceslist. 3 ClickSettings,thenclickGeneral. 4 Toimmediatelydisableallsoftwareupdatesforclientusers,deselect“Automatically enablecopiedupdates.” 5 ClickUpdates. 6 IntheEnablecolumn,selectthecheckboxforeachupdateyouwanttomakeavailable toclientcomputers. 7 ClickSave. Fromthecommandline: # # Specify which client can access software updates. # ---------------------------------sudo serveradmin settings swupdate:autoEnable = no 316 Chapter21SecuringSoftwareUpdateService ViewingSoftwareUpdateServiceLogs SoftwareUpdateserviceloggingisimportantforsecurity.Withlogs,youcanmonitor andtrackcommunicationthroughtheSoftwareUpdateservice.AccesstheSoftware Updateservicelog,/var/log/system.log,usingServerAdmin. ToviewSoftwareUpdateservicelogs: 1 OpenServerAdminandconnecttotheserver. 2 SelectSoftwareUpdateintheComputers&Serviceslist. 3 ClickLogsandthenchoosealogfromtheViewpop-upmenu. Fromthecommandline: # # View Software Update service logs. # ---------------------------------sudo tail /var/log/swupd/swupd_* Chapter21SecuringSoftwareUpdateService 317 22 SecuringNetworkAccounts 22 UsethischaptertolearnhowtouseServerAdminand WorkgroupManagertosetupandmanagehomefolders, accounts,andsettingsforclients. SnowLeopardServerincludesServerAdminandWorkgroupManager. YoucanuseServerAdmintocreateandmanagesharepoints. YoucanuseWorkgroupManager,ausermanagementtool,tomanageuser,group, computer,andcomputergroupaccounts.Youcandefinecoreaccountsettingslike name,password,homefolderlocation,andgroupmembership.Youcanalsomanage preferences,allowingyoutocustomizetheuser’sexperience,grantingorrestricting accesstohisorhercomputer’ssettingsandtonetworkresources. WorkgroupManagerworkscloselywithadirectorydomain.Directorydomainsarelike databases,onlytheyarespecificallygearedtowardsstoringaccountinformationand handlingauthentication.FormoreinformationaboutOpenDirectory,seeChapter23, “SecuringDirectoryServices.” ForinformationaboutusingWorkgroupManager,seetheUserManagementguide. AboutOpenDirectoryandActiveDirectory SnowLeopardServersupportsOpenDirectoryandActiveDirectorydomainsforclient authentication. OpenDirectoryusesOpenLDAP,theopensourceimplementationofLightweight DirectoryAccessProtocol(LDAP),toprovidedirectoryservices.It’scompatiblewith otherstandards-basedLDAPservers,andcanbeintegratedwithproprietaryservices suchasMicrosoft’sActiveDirectoryandNovell’seDirectory.Formoreinformation abouthowtoconfiguretheseoptions,see“ConfiguringOpenDirectoryPolicies”on page329. 318 TheActiveDirectoryplug-insupportspacketsigningandpacketencryptionandisset to“allow,”whichmeansitnegotiatestheconnectionbydefaultandcanbechangedto “require”ifneeded.Also,ifyouconnecttoanActiveDirectoryserverwithHighly Secure(HISEC)templatesenabled,youcanusethird-partytoolstofurthersecureyour ActiveDirectoryconnection. UserscanmutuallyauthenticatewithOpenDirectoryandActiveDirectory.Bothuse Kerberostoauthenticate.Kerberosisaticket-basedsystemthatenablesmutual authentication. Theservermustidentifyitselfbyprovidingatickettoausers’computer.Thisprevents yourcomputerfromconnectingtorogueservers.Usersmustenabletrustedbindingto mutuallyauthenticatewithOpenDirectoryorActiveDirectory. FormoreinformationaboutOpenDirectoryandActiveDirectory,seetheOpen DirectoryAdministrationguide. SecuringDirectoryAccounts Youcanmodifyseveralaccountsettingstoimprovesecurity.Checkwithyour organizationtoensurethatthesesettingsdonotconflictwithnetworksettingsor organizationalrequirements. InWorkgroupManager,youcanusepresetstosaveyoursettingsasatemplatefor futureaccounts.Ifyouhavesettingsthatapplytoseveralaccounts,usepresetsto expeditethecreationoftheseaccounts.Usingpresetsalsoensuresthatyouuse uniformaccountsettingsandhelpsyouavoidconfigurationerrors.Formore information,seetheUserManagementguide. ConfiguringDirectoryUserAccounts Ifyouwanttomanageindividualusersorifyouwantthoseuserstohaveunique identitiesonyournetwork,createuseraccounts. Beforecreatingormodifyinguseraccounts,youshouldhaveafirmunderstandingof whattheaccountwillbeusedforandwhatauthenticationmethodyouwanttouse. Toconfigureuseraccounts: 1 InWorkgroupManager,clickAccounts. 2 Selectthedirectorydomainwheretheaccountresidesbyclickingthesmallglobeicon, andthenauthenticateasthedomainadministrator. Toauthenticate,clickthelockandenterthenameandpasswordofadirectorydomain administrator. 3 Selecttheuseraccountyouwanttoworkwithfromtheuseraccountslist. 4 ClickBasic. Chapter22SecuringNetworkAccounts 319 5 Ifyouwanttograntserveradministrationprivilegestotheuser,select“administer thisserver.” ServeradministrationprivilegesallowstheusertouseServerAdminandmakechanges toaserver’ssearchpolicyusingDirectoryUtility. 6 ClickAdvanced,thendeselect“Allowsimultaneousloginonmanagedcomputers.” Bydisallowingsimultaneouslogin,youreducethechancesofversionconflictswhen loadingandsavingfiles.Thishelpsremindusersthattheyshouldlogoffofcomputers whentheyarenotusingthem. 7 ChoosethemostsecurepasswordtypeavailableintheUserPasswordTypepop-up menu. Ifyoudon’tusesmartcards,youcanchooseOpenDirectoryorcryptpassword.Open Directoryismoresecurethancryptpassword.IfyournetworkusesOpenDirectoryfor authentication,authenticatewithit.FormoreinformationaboutOpenDirectoryand cryptpasswords,seetheOpenDirectoryAdministrationguide. Smartcardsarealsoasecureformofauthentication.Smartcardsusetwo-factor authentication,whichhelpsensurethatyouraccountsarenotcompromised. 8 IfyouchosetheOpenDirectorypasswordtype,clickOptionsandcompletethe following: a Inthedialogthatappears,select“Disableloginonspecificdate”andenterthedate thattheusernolongerneedstheaccount. b Select“Disableloginafterinactivefor#days,”andreplace#withthenumberofdays whentheusernolongerneedstheaccount. c Select“Disableloginafterusermakes#failedattempts,”andreplace#with3. d Select“Allowtheusertochangethepassword.” e Select“Passwordmustcontainatleast#characters,”andreplace#with8. f Select“Passwordmustberesetevery#days,”andreplace#with90. g Ifyouwanttorequiretheusertocreateapasswordduringtheirnextlogin,select “Passwordmustbechangedatnextlogin.” h Replacethesesuggestedvalueswithvaluesthatmeettherequirementsofyour organization. i ClickOK. 9 ClickGroups. 10 ClicktheAdd(+)buttontoopenadrawerlistingallavailablegroups,thendraggroups fromthedrawerintothePrimaryGroupIDfieldortheOtherGroupslist. Aprimarygroupisthegroupauserbelongstoiftheuserdoesnotbelongtoother groups.Ifauserselectsadifferentworkgroupatlogin,theuserstillretainsaccess permissionsfromtheprimarygroup. 320 Chapter22SecuringNetworkAccounts TheIDoftheprimarygroupisusedbythefilesystemwhentheuseraccessesafile heorshedoesn’town.Thefilesystemchecksthefile’sgrouppermissions,andifthe primarygroupIDoftheusermatchestheIDofthegroupassociatedwiththefile,the userinheritsgroupaccesspermissions. Addingausertoagroupallowstheusertoaccessthegroup’sgroupfolder.Carefully choosewhichgroupstoaddusersto.Formoreinformation,see“ConfiguringGroup Accounts”onpage321. 11 ClickHome. 12 Selectasecurelocationfortheuser’shomefolderinthehomelistandthenenteran appropriatevalueintheDiskQuotafield. Byusingadiskquota,youpreventmalicioususersfromperformingadenialofservice attackwheretheyfillthehomevolume. 13 ClickMailandselectNone. Ifyoumustenablemail,selectPOPonlyorIMAPonly,butnotboth.Usingfewer protocolsreducesthenumberofpossibleavenuesofattack. 14 ClickInfo. 15 Donotenterinformationintheuserinformationfieldsprovided. Userinformationcanbeusedbymaliciousattackerswhentheytrytocompromisethe user’saccount. 16 ClickWindowsandthenclickSave. ConfiguringGroupAccounts Creategroupsofindividualswithsimilaraccessneeds.Forexample,ifyoucreatea separategroupforeachoffice,youcanspecifythatonlymembersofacertainoffice canlogintospecificcomputers.Whenyoumorespecificallydefinegroups,youhave greatercontroloverwhocanusewhat. YoucangrantordenyPOSIXorACLpermissionstogroups.Ifyouhavenestedgroups, youcanpropagateACLpermissionstochildgroups. Groupsalsohaveaccesstogroupfolders,whichprovideaneasywayforgroup memberstosharefileswitheachother. Toconfiguregroupaccounts: 1 InWorkgroupManager,clickAccounts. 2 Selectthedirectorydomainwherethegroupaccountresidesbyclickingthesmall globeicon,andthenauthenticateasthedomainadministrator. Toauthenticate,clickthelockandenterthenameandpasswordofadirectorydomain administrator. 3 Selectthegroupaccountyouwanttoworkwithfromthegroupaccountslist. Chapter22SecuringNetworkAccounts 321 4 IntheMemberspane,clicktheAdd(+)buttontoopenadrawerthatliststheusers andgroupsdefinedinthedirectorydomainyou’reworkingwith. Makesurethegroupaccountresidesinadirectorydomainspecifiedinthesearch policyofcomputersthattheuserlogsinto. 5 ClickGroupFolder. 6 IntheAddresslistselectasecurelocationforthegroupfolder. 7 IntheOwnerNamefields,entertheshortnameandlongnameoftheuseryou wanttoassignastheownerofthegroupfoldersotheusercanactasgroupfolder administrator. Tochooseanownerfromalistofusersinthecurrentdirectorydomain,clickthe browse(…)button.Clicktheglobeiconinthedrawertochooseadifferentdirectory domain. Thegroupfolderownerisgivenread/writeaccesstothegroupfolder. 8 ClickSave. ConfiguringComputerGroups Acomputergroupcomprisescomputerswiththesamepreferencesettings.Youcan useWorkgroupManagertocreateandmodifycomputergroups. Everycomputeronyournetworkshouldbeamemberofacomputergroup.Ifyou don’tassignacomputertoacomputergroup,thecomputerusesthemanaged preferencesfortheGuestComputeraccount. Bygroupingcomputersintocomputergroups,yousimplifythetaskofsecuring computersonyournetwork. Toconfigurecomputergroups: 1 InWorkgroupManager,clickAccounts. 2 Selectthedirectorydomainwherethecomputergroupresidesbyclickingthesmall globeicon,andthenauthenticateasthedomainadministrator. Toauthenticate,clickthelockandenterthenameandpasswordofadirectorydomain administrator. 3 Selectthecomputegroupyouwanttoworkwithfromtheuseraccountslist. 4 ClickMembers,clicktheAdd(+)button,andthendragcomputersorcomputergroups fromthedrawertothelist. Youcanalsoclickthebrowse(…)button,selectacomputer,andthenclickAdd. Continueaddingcomputersandcomputergroupsuntilthelistiscomplete. 5 ClickSave. 322 Chapter22SecuringNetworkAccounts ControllingNetworkViews SnowLeopardServerdoesn’tsupportmanagednetworkviews. TomanagenetworkviewshostedonserversrunningTigerServer,usetheWorkgroup ManagerincludedwithTigerServer. Chapter22SecuringNetworkAccounts 323 23 SecuringDirectoryServices 23 UsethischaptertolearnhowtosecureDirectoryservice. Directoryservicesarethebackboneofyournetwork’ssecuritypolicy.Thegrantingof accesstotheinformationandservicesonyournetworkshouldbewell-plannedand thoughtout. Adirectoryserviceprovidesacentralrepositoryforinformationaboutcomputerusers andnetworkresourcesinanorganization.SnowLeopardServerusesOpenDirectory foritsdirectoryservice. ThedirectoryservicesprovidedbySnowLeopardServeruseLDAPv3,asdomanyother servers.LDAPv3isanopenstandardcommoninmixednetworksofMacintosh,UNIX, andWindowssystems.Someserversusetheolderversion,LDAPv2,toprovide directoryservice. OpenDirectoryalsoprovidesauthenticationservice.Itcansecurelystoreandvalidate thepasswordsofuserswhowanttologintoclientcomputersonyournetworkoruse othernetworkresourcesthatrequireauthentication.OpenDirectorycanalsoenforce policiessuchaspasswordexpirationandminimumlength. Formoreinformationaboutpasswordsandauthentication,seeAppendixA, “UnderstandingPasswordsandAuthentication,”onpage380. OpenDirectorymustbesettotheproperroleandconfiguredtouseSSLtoencryptits communicationstoprotecttheconfidentialityofitsimportantauthenticationdata. PasswordpoliciescanalsobeenforcedbyOpenDirectory. Formoreinformationaboutunderstandingandconfiguringdirectoryand authenticationservices,seetheOpenDirectoryAdministrationguide. 324 OpenDirectoryServerRoles OpenDirectorycanbeconfiguredtooneofseveralroles,dependingontheserver’s placeinthenetworkanddirectorystructure:  StandaloneServer—Thisroledoesnotshareinformationwithothercomputerson thenetwork.Itisalocaldirectorydomainonly.  ConnectedtoaDirectoryServer—Thisroleallowstheservertogetdirectoryand authenticationinformationfromanotherserver’sshareddirectorydomain.  OpenDirectoryMaster—ThisroleprovidesanOpenDirectoryPasswordServer, whichsupportsconventionalauthenticationmethodsrequiredby SnowLeopardServerservices.Inaddition,anOpenDirectoryMastercanprovide Kerberosauthenticationforsinglesign-on.  OpenDirectoryReplica—ThisroleactsasabackuptotheOpenDirectorymaster.It canprovidethesamedirectoryandauthenticationinformationtoothernetworksas themaster.Ithasaread-onlycopyofthemaster’sLDAPdirectorydomain. ConfiguringtheOpenDirectoryServicesRole Iftheserverisnotadirectoryserver,makesuretheLDAPserverisstoppedusing ServerAdmin.TostopLDAPserver,settheOpenDirectoryroletoStandaloneServer. ThispreventsOpenDirectoryfromengaginginunnecessarynetworkcommunications. Onanewlyinstalledserver,theLDAPservershouldbestoppedbydefault,but verificationisrecommended. ToconfiguretheOpenDirectoryrole: 1 OpenServerAdminandconnecttotheserver. 2 SelectOpenDirectoryintheComputers&Serviceslist. 3 ClickSettings,thenclickGeneral. 4 ClickChange. TheServiceConfigurationAssistantopens. 5 Choosearole,thenclickContinue. 6 ConfirmtheOpenDirectoryconfigurationsettings,thenclickContinue. 7 IftheserverwasanOpenDirectorymasterandyouaresurethatusersandservicesno longerneedaccesstothedirectorydatastoredintheshareddirectorydomainthatthe serverhasbeenhosting,clickClose. Chapter23SecuringDirectoryServices 325 8 ClicktheOpenDirectoryUtilitybuttontoconfigureaccesstodirectorysystems. 9 Iftheserveryou’reconfiguringhasaccesstoadirectorysystemthatalsohosts aKerberosrealm,youcanjointheservertotheKerberosrealm. TojointheKerberosrealm,youneedthenameandpasswordofaKerberos administratororauserwhohastheauthoritytojointherealm. 10 ClickSave. Fromthecommandline: # --------------------------------------------------------------------# Securing Directory Services # --------------------------------------------------------------------# Configure the Open Directory role: sudo slapconfig -createldapmasterandadmin $ADMIN $ADMIN_FULL_NAME $ADMIN_UID $SEARCH_BASE $REALM StartingKerberosAfterSettingUpanOpenDirectoryMaster IfKerberosdoesn’tstartwhenyousetupanOpenDirectorymaster,youcanuseServer Admintostartitmanually,butfirstyoumustfixtheproblemthatpreventedKerberos fromstarting.UsuallytheproblemisthattheDNSserviceisn’tcorrectlyconfiguredor isn’trunning. Note:AfteryoumanuallystartKerberos,userswhoseaccountshaveOpenDirectory passwordsandwerecreatedintheOpenDirectorymaster’sLDAPdirectorywhile Kerberoswasstoppedmightneedtoresettheirpasswordsthenexttimetheylogin. Auseraccountisthereforeaffectedonlyifallrecoverableauthenticationmethodsfor OpenDirectorypasswordsweredisabledwhileKerberoswasstopped. TostartKerberosmanuallyonanOpenDirectorymaster: 1 OpenServerAdminandconnecttotheserver. 2 SelectOpenDirectoryintheComputers&Serviceslist. 3 ClickRefresh(orchooseView>Refresh)andverifythestatusofKerberosasreported intheOverviewpane. IfKerberosisrunning,there’snothingmoretodo. 4 VerifythattheDNSnameandaddressresolvebyusingNetworkUtility(in/ Applications/Utilities/)todoaDNSlookupoftheOpenDirectorymaster’sDNS nameandareverselookupoftheIPaddress. Iftheserver’sDNSnameorIPaddressdoesn’tresolvecorrectly: 326 Chapter23SecuringDirectoryServices  IntheNetworkpaneofSystemPreferences,lookattheTCP/IPsettingsforthe server’sprimarynetworkinterface(usuallybuilt-inEthernet).Makesurethefirst DNSserverlistedistheonethatresolvestheOpenDirectoryserver’sname.  ChecktheconfigurationofDNSserviceandmakesureit’srunning. 5 InServerAdmin,selectOpenDirectoryforthemasterserver,clickSettings,then clickGeneral. 6 ClickKerberize,thenenterthefollowinginformation:  AdministratorNameandPassword:Youmustauthenticateasanadministratorofthe OpenDirectorymaster’sLDAPdirectory.  RealmName:Thisfieldispresettobethesameastheserver’sDNSnameconverted tocapitalletters.ThisistheconventionfornamingaKerberosrealm.Ifnecessary,you canenteradifferentname. Fromthecommandline: # Start Kerberos manually on an Open Directory master: sudo kdcsetup -a $ADMIN $REALM ConfiguringOpenDirectoryforSSL UsingServerAdmin,youcanenableSecureSocketsLayer(SSL)forencrypted communicationsbetweenanOpenDirectoryserver’sLDAPdirectorydomainand computersthataccessit. SSLusesadigitalcertificatetoprovideacertifiedidentityfortheserver.Youcanuse aself-signedcertificateoracertificateobtainedfromaCA. SSLcommunicationsforLDAPuseport636.IfSSLisdisabledforLDAPservice, communicationsaresentascleartextonport389. TosetupSSLcommunicationsforLDAPservice: 1 OpenServerAdminandconnecttotheOpenDirectorymasteroranOpenDirectory replicaserver. 2 SelectOpenDirectoryintheComputers&Serviceslist. 3 ClickSettings,thenclickLDAP. 4 FromtheConfigurepop-upmenu,chooseLDAPSettings,thenselectEnableSSL. 5 UsetheCertificatepop-upmenutochooseanSSLcertificatethatyouwantLDAP servicetouse. ThemenulistsallSSLcertificatesinstalledontheserver.Touseacertificatenotlisted, chooseCustomConfigurationfromthepop-upmenu. Chapter23SecuringDirectoryServices 327 6 ClickSave. Fromthecommandline: Thefollowingstepsdescribethecommand-linemethodforcreatingcertificates.For informationaboutdefining,obtaining,andinstallingcertificatesonyourserverusing CertificateManagerinServerAdmin,see“ReadyingCertificates”onpage168. TocreateanOpenDirectoryservicecertificate: 1 Generateaprivatekeyfortheserverinthe/usr/share/certs/folder: Ifthe/usr/share/certsfolderdoesnotexistcreateit. sudo openssl genrsa -out ldapserver.key 2048 2 GenerateaCSRfortheCAtosign: sudo openssl req -new -key ldapserver.key -out ldapserver.csr 3 Filloutthefollowingfieldsascompletelyaspossible,makingcertainthattheCommon NamefieldmatchesthedomainnameoftheLDAPserverexactly: Country Name: Organizational Unit: State or Province Name: Common Name: Locality Name (city): Email Address: Organization Name: Leavethechallengepasswordandoptionalcompanynameblank. 4 Signtheldapserver.csrrequestwiththeopensslcommand. sudo openssl ca -in ldapserver.csr -out ldapserver.crt 5 Whenprompted,entertheCApassphrasetocontinueandcompletetheprocess. ThecertificatefilesneededtoenableSSLontheLDAPserverarenowinthe/usr/share/ certs/folder. 6 OpenServerAdmin. 7 IntheComputers&Serviceslist,selectOpenDirectoryfortheserverthatisanOpen DirectorymasteroranOpenDirectoryreplica. 8 ClickSettings. 9 ClickProtocols. 10 FromtheConfigurepop-upmenu,choose“LDAPSettings.” 11 SelectEnableSecureSocketsLayer(SSL). 328 Chapter23SecuringDirectoryServices 12 UsetheCertificatepop-upmenutochooseanSSLcertificatethatyouwantLDAP servicetouse. ThemenulistsSSLcertificatesthathavebeeninstalledontheserver.Tousea certificatenotlisted,chooseCustomConfigurationfromthepop-upmenu. 13 ClickSave. ConfiguringOpenDirectoryPolicies Youcansetpassword,binding,andsecuritypoliciesforanOpenDirectorymaster anditsreplicas.YoucanalsocansetseveralLDAPoptionsforanOpenDirectory masterorreplica. Formoreinformationaboutconfiguringpolicies,see“ConfiguringDirectoryUser Accounts”onpage319. SettingtheGlobalPasswordPolicy UsingServerAdmin,youcansetaglobalpasswordpolicyforuseraccountsin aSnowLeopardServerdirectorydomain. Theglobalpasswordpolicyaffectsuseraccountsintheserver’slocaldirectorydomain. IftheserverisanOpenDirectorymasterorreplica,theglobalpasswordpolicyalso affectsuseraccountsthathaveanOpenDirectorypasswordtypeintheserver’sLDAP directorydomain. IfyouchangetheglobalpasswordpolicyonanOpenDirectoryreplica,thepolicy settingsbecomesynchronizedwiththemasterandreplicas. Administratoraccountsareexemptfrompasswordpolicies.Eachusercanhavea passwordpolicythatoverridesglobalpasswordpolicysettings.Formoreinformation, see“PasswordPolicies”onpage387. KerberosandOpenDirectoryPasswordServermaintainpasswordpoliciesseparately. SnowLeopardServersynchronizestheKerberospasswordpolicyruleswithOpen DirectoryPasswordServerpasswordpolicyrules. Tochangetheglobalpasswordpolicyofuseraccountsinthesamedomain: 1 OpenServerAdminandconnecttoanOpenDirectorymasterorreplicaserver. 2 SelectOpenDirectoryintheComputers&Serviceslist. 3 ClickSettings,thenclickPolicy. 4 ClickPasswords. Thisallowsyoutosetpasswordpolicyoptionsyouwantenforcedforuserswhodonot haveindividualpasswordpolicies. Chapter23SecuringDirectoryServices 329 5 Selectthefollowing:         “Afterusermakes3failedattempts.” “Differfromaccountname.” “Containatleastoneletter.” “Containatleastonenumericcharacter.” “Beresetonfirstuserlogin.” “Containatleast12characters.” ”Differfromlast3passwordsused.” “Beresetevery3months.” Note:Ifyouselectanoptionthatrequiresresettingthepassword,rememberthat someserviceprotocolsdon’tpermituserstochangepasswords.Forexample,users can’tchangetheirpasswordswhenauthenticatingforIMAPmailservice. 6 ClickSave. ReplicasoftheOpenDirectorymasterautomaticallyinherititsglobalpasswordpolicy. Fromthecommandline: # # Change the global password policy of user accounts in the same domain. # ---------------------------------sudo pwpolicy -a $ADMIN_USER -setglobalpolicy "usingHistory=3 requiresAlpha requiresNumeric maxMinutesUnilChangePassword=131487 minChars=12 maxFailedLoginAttempts=3" SettingaBindingPolicyforanOpenDirectoryMasterandReplicas UsingServerAdmin,youcanconfigureanOpenDirectorymastertopermitorrequire trustedbindingbetweentheLDAPdirectoryandthecomputersthataccessit.Replicas ofanOpenDirectorymasterinheritthemaster’sbindingpolicy. TrustedLDAPbindingismutuallyauthenticated.Thecomputerprovesitsidentity byusinganLDAPdirectoryadministrator’snameandpasswordtoauthenticate totheLDAPdirectory.TheLDAPdirectoryprovesitsauthenticitybymeansofan authenticatedcomputerrecordcreatedinthedirectorywhenyousetuptrusted binding. Clientscan’tbeconfiguredtousetrustedLDAPbindingandaDHCP-suppliedLDAP server(alsoknownasDHCPoption95).TrustedLDAPbindingisinherentlyastatic binding,butDHCP-suppliedLDAPisadynamicbinding. Note:TousetrustedLDAPbinding,clientsneedTigerorTigerServerorlater.Clients usingMacOSXv10.3orearliercan’tsetuptrustedbinding. 330 Chapter23SecuringDirectoryServices TosetthebindingpolicyforanOpenDirectorymaster: 1 OpenServerAdminandconnecttotheOpenDirectorymasterserver. 2 Clickthetriangleattheleftoftheserver. Thelistofservicesappears. 3 FromtheexpandedServerslist,selectOpenDirectory. 4 ClickSettings,thenclickPolicy. 5 ClickBinding,thensetthedirectorybindingoptionsyouwant:  Topermittrustedbinding,select“Enableauthenticateddirectorybinding.”  Torequiretrustedbinding,alsoselect“Requireauthenticatedbindingbetween directoryandclients.” 6 ClickSave. Important:Ifyouenable“Encryptallpackets(requiresSSLorKerberos)”and“Enable authenticateddirectorybinding,”makesureusersuseonlyoneforbindingandnot both. Fromthecommandline: # # Set the binding policy for an Open Directory master. # --------------------------------sudo slapconfig -setmacosxodpolicy -binding required SettingaSecurityPolicyforanOpenDirectoryMasterandReplicas UsingServerAdmin,youcanconfigureasecuritypolicyforaccesstotheLDAP directoryofanOpenDirectorymaster. ReplicasoftheOpenDirectorymasterinheritthemaster’ssecuritypolicy. Note:IfyouchangethesecuritypolicyfortheLDAPdirectoryofanOpenDirectory master,youmustdisconnectandreconnect(unbindandrebind)everycomputer connected(bound)tothisLDAPdirectoryusingDirectoryUtility. TosetthesecuritypolicyforanOpenDirectorymaster: 1 OpenServerAdminandconnecttotheOpenDirectorymasterserver. 2 SelectOpenDirectoryintheComputers&Serviceslist. 3 ClickSettings,thenclickPolicy. Chapter23SecuringDirectoryServices 331 4 ClickBinding,thensetthesecurityoptionsyouwant:  “Disablecleartextpasswords”determineswhetherclientscansendpasswordsas cleartextifthepasswordscan’tbevalidatedusinganyauthenticationmethodthat sendsanencryptedpassword.  “Digitallysignallpackets(requiresKerberos)”certifiesthatdirectorydatafromthe LDAPserverwon’tbeinterceptedandmodifiedbyanothercomputerwhileenroute toclientcomputers.  “Encryptallpackets(requiresSSLorKerberos)”requirestheLDAPservertoencrypt directorydatausingSSLorKerberosbeforesendingittoclientcomputers.  “Blockman-in-the-middleattacks(requiresKerberos)”protectsagainstarogue serverposingastheLDAPserver.Bestifusedwiththe“Digitallysignallpackets” option.  “Disableclient-sidecaching”preventsclientcomputersfromcachingLDAPdata locally.  “Allowuserstoedittheirowncontactinformation”permitsuserstochangecontact informationontheLDAPserver. 5 ClickSave. Fromthecommandline: # # Set the security policy for an Open Directory master. # ---------------------------------------sudo slapconfig -setmacosxodpolicy -cleartext blocked -encrypt yes -sign yes -man-in-the-middle blocked -clientcaching no 332 Chapter23SecuringDirectoryServices 24 SecuringRADIUS 24 UsethischaptertolearnhowtosecureRADIUS. ByconfiguringaRADIUS(RemoteAuthenticationDialInUserService)serverwithOpen Directory,youcansecureyourwirelessenvironmentfromunauthorizedusers. Wirelessnetworkinggivescompaniesgreaternetworkflexibility,seamlesslyconnecting laptopuserstothenetworkandgivingthemthefreedomtomovewithinthecompany whilestayingconnectedtothenetwork. ThischapterdescribeshowtoconfigureanduseRADIUStokeepyourwirelessnetwork secureandtomakesureitisusedonlybyauthorizedusers. DisablingRADIUS IfyourserverisnotintendedtobeaRADIUSserver,disableRADIUS.Disablingthe servicepreventspotentialvulnerabilitiesonyourcomputer.RADIUSisdisabledby default,butverificationisrecommended. TodisableRADIUS: 1 OpenServerAdminandconnecttotheserver. 2 SelectRADIUSintheComputers&Serviceslist. 3 ClickStopRADIUS. 4 ClickSave. Fromthecommandline: # --------------------------------------------------------------------# Securing RADIUS Service # --------------------------------------------------------------------# Disable RADIUS sudo serveradmin stop radiusc 333 SecurelyConfiguringRADIUSService RADIUSisusedtoauthorizeOpenDirectoryusersandgroupssotheycanaccess AirportBaseStationsonanetwork.ByconfiguringRADIUSandOpenDirectoryyou cancontrolwhohasaccesstoyourwirelessnetwork. RADIUSworkswithOpenDirectoryandPasswordServertograntauthorizedusers accesstothenetworkthroughanAirportBaseStation.Whenauserattemptstoaccess anAirportBaseStation,AirportcommunicateswiththeRADIUSserverusingExtensible AuthenticationProtocol(EAP)toauthenticateandauthorizetheuser. Usersaregivenaccesstothenetworkiftheirusercredentialsarevalidandtheyare authorizedtousetheAirportBaseStation.Ifauserisnotauthorized,heorshecannot accessthenetworkthroughtheAirportBaseStation. ConfiguringRADIUStoUseCertificates ToincreasesthesecurityandmanageabilityofAirportBaseStations,useServerAdmin toconfigureRADIUStousecustomcertificates.Usingacertificateincreasesthesecurity andmanageabilityofAirportBaseStations. Touseacustomcertificate: 1 OpenServerAdminandconnecttotheserver. 2 SelectRADIUSintheComputers&Serviceslist. 3 ClickSettings. 4 FromtheRADIUSCertificatepop-upmenu,chooseacertificate. Ifyouhaveacustomcertificate,chooseCustomConfigurationfromtheCertificate pop-upmenuandenterthepathtothecertificatefile,privatekeyfile,andcertificate authorityfile.Iftheprivatekeyisencrypted,entertheprivatekeypassphraseandclick OK. Ifyoudon’thaveacertificateandwanttocreateone,clickManageCertificates.For moreinformationaboutcreatingcertificates,seeChapter9,“ManagingCertificates.” 5 ClickSave. Fromthecommandline: # Use a custom certificate: sudo serveradmin settings radius:eap.conf:CA_file = "/etc/certificates/ $CA_CRT" sudo serveradmin settings radius:eap.conf:private_key_file = "/etc/ certificates/$KEY" sudo serveradmin settings radius:eap.conf:private_key_password = "$PASS" sudo serveradmin settings radius:eap.conf:certificate_file = "/etc/ certificates/$CERT" 334 Chapter24SecuringRADIUS EditingRADIUSAccess YoucanrestrictaccesstoRADIUSbycreatingagroupofusersandaddingthemtothe serviceaccesscontrollist(SACL)ofRADIUS. ToeditRADIUSaccess: 1 OpenServerAdminandconnecttotheserver. 2 SelectRADIUSintheComputers&Serviceslist. 3 ClickSettings,thenclickEditAllowedUsers. 4 Select“Forselectedservicesbelow,”thenselectRADIUS. 5 Select“Allowonlyusersandgroupsbelow.” 6 ClicktheAdd(+)button. 7 FromtheUsersandGroupslist,dragusersorgroupsofuserstothe“Allowonlyusers andgroupsbelow”list. Ifyouwanttoremoveusersfromthe“Allowonlyusersandgroupsbelow”list,select theusersorgroupsofusersandclicktheDelete(-)button.Theuser’sinthislistare theonlyoneswhocanuseRADIUS. Fromthecommandline: # # Edit RADIUS access. # ------------------sudo dseditgroup -o edit -a $USER -t user com.apple.access_radius ViewingRADIUSServiceLogs RADIUSloggingisimportantforsecurity.Withlogs,youcanmonitorandtrack communicationthroughRADIUS.YoucanaccesstheRADIUSlog,/var/log/system.log, usingServerAdmin. ToviewtheRADIUSlog: 1 OpenServerAdminandconnecttotheserver. 2 SelectRADIUSintheComputers&Serviceslist. 3 ClickLogsandthenchoosealogfromtheViewpop-upmenu. Chapter24SecuringRADIUS 335 Fromthecommandline: # # View the RADIUS log # --------------------------sudo tail /var/log/radius/radius.log 336 Chapter24SecuringRADIUS 25 SecuringPrintService 25 Usethischaptertolearnhowtosecureprintservice. Printserviceisoftenanoverlookedpartofasecurityconfiguration.Important informationpassesintoyournetworkedprinterssoitisimportantthatyourprinters arenotmisused. Withaprintserver,youcanshareprintersbysettingupprintqueuesaccessiblebyany numberofusersoveranetworkconnection.Whenauserprintstoasharedqueue,the printjobwaitsontheserveruntiltheprinterisavailableoruntilestablishedscheduling criteriaaremet. Apple’sprintinginfrastructureisbuiltonCommonUNIXPrintingSystem(CUPS).CUPS usesopenstandardssuchasInternetPrintingProtocol(IPP)andPostScriptPrinter Descriptionfiles(PPDs). Formoreinformationaboutconfiguringprintservice,seethePrintServerAdministration guide. DisablingPrintService Ifyourserverisnotintendedtobeaprintserver,disabletheprintserversoftware. Disablingtheservicepreventspotentialvulnerabilitiesonyourcomputer.Printservice isdisabledbydefault,butverificationisrecommended. Todisableprintservice: 1 OpenServerAdminandconnecttotheserver. 2 SelectPrintintheComputers&Serviceslist. 3 ClickStopPrint. 337 Fromthecommandline: # --------------------------------------------------------------------# Securing Print Service # --------------------------------------------------------------------# # Disable print service. # ---------------------sudo serveradmin stop print SecuringPrintService Toincreasesecurityofyourprintservice,configureserviceaccesscontrolsand Kerberos. ConfiguringPrintServiceAccessControlLists(SACLs) YoucanconfigureSACLsusingServerAdmin.SACLsenableyoutospecifywhich administratorshaveaccesstoprintservice. SACLsprovideyouwithgreatercontroloverwhichadministratorshaveaccessto monitorandmanageaservice.Theusersandgroupslistedinaservice’sSACLarethe onlyoneswhocanaccesstheservice.Forexample,togiveadministratoraccessto usersorgroupsfortheprintserviceonyourserver,addthemtotheprintserviceSACL. TosetadministratorSACLpermissionsforprintservice: 1 OpenServerAdminandconnecttotheserver. 2 Selecttheserver’sname. 3 ClickAccess. 4 ClickAdministrators. 5 Selectthelevelofrestrictionthatyouwantfortheservices. Torestrictaccesstoallservices,select“Forallservices.” Tosetaccesspermissionsforindividualservices,select“Forselectedservicesbelow” andthenselectprintservicefromtheServicelist. 6 ToopentheUsersandGroupslist,clicktheAdd(+)button. 7 DragusersandgroupsfromUsersandGroupstothelist. 8 Settheuser’spermission. Tograntadministratoraccess,chooseAdministratorfromthePermissionpop-upmenu nexttotheusername. Tograntmonitoringaccess,chooseMonitorfromthePermissionpop-upmenunextto theusername. 338 Chapter25SecuringPrintService 9 ClickSave. Fromthecommandline: # Set administrator SACL permissions for print service: sudo dseditgroup -o edit -a $USER -t user com.apple.monitor_print ConfiguringKerberos YoucanconfigureKerberossupportforprintserviceIPPsharedqueuesusingCUPSv1.3 onlinewebtools.TheprintservicethenusesthelocalKerberosservertoauthorize clientstoprint. ForyourclientcomputerstouseKerberoswithprintservice,theclientsmustbepart ofthesameKerberosrealm.Forinformationonhowtojoinyourclientcomputersto aKerberosrealm,seeOpenDirectoryAdministration. InadditiontojoiningtheKerberosrealm,clientcomputersmustalsouseCUPSonline webtoolstoconfigureKerberossettings.ThestepsforconfiguringCUPSarethesame ontheclientandservercomputers. ToconfigureKerberosforprintservice: 1 OpenSafaribrowser. 2 NavigatetotheCUPSonlinewebadministrationtoolathttp://localhost:631. 3 ClicktheAdministrationtab. 4 UnderBasicServerSettings,selectthe“UseKerberosAuthentication”checkbox. 5 ClickChangeSettingsandauthenticateifprompted. PrintserviceisrestartedandKerberosisenabled. YoucanalsoedittheconfigurationfileinCUPSbyclickingEditConfigurationFile intheAdministrationtabtoopenthe/etc/cups/cupsd.conffile.Changethedefault authenticationtypefromBasictoNegotiate,asshown: # Default authentication type, when authentication is required… DefaultAuthType Negotiate Fromthecommandline: # # Configure Kerberos for print service. # -----------------------------------sudo serveradmin settings sudo serveradmin settings print:authType = KERBEROS Chapter25SecuringPrintService 339 ConfiguringPrintQueues Ifprintserviceisrequired,createaprintqueueforsharedprintersthatisaccessibleby usersoveranetworkconnection. AppleTalkandLinePrinterRemote(LPR)printerqueuesdonotsupportauthentication. Printservicereliesontheclienttoprovideuserinformation.Althoughstandard MacintoshandWindowsclientsprovidecorrectinformation,acleverusercould potentiallymodifytheclienttosubmitfalseinformationandavoidprintquotas. SMBservicesupportsauthentication,requiringuserstologinbeforeusingSMB printers.PrintserviceusesBasicandDigest(MD5)authenticationandsupportsthe IPPprintjobsubmissionmethod. Youcanshareanyprinterthatissetupinaprintqueueontheserver.Youcreateprint queuesusingServerAdmin. Tocreateaprintqueue: 1 OpenServerAdminandconnecttotheserver. 2 SelectPrintintheComputers&Serviceslist. 3 ClickQueues. 4 ClicktheAdd(+)buttontoaddaprintqueueforaspecificprinter,andprovidethe followingprinterinformationfortheprinterthequeueiscreatedfor: Fromthepop-upmenu,choosetheprotocolusedbytheprinter. ForanLPRprinter,entertheprinterIPaddressorDNSnameandclickOK. ForanOpenDirectoryprinter,selecttheprinterinthelistandclickOK. 5 EntertheInternetaddressorDNSnamefortheprinter. Ifyoudon’twanttousetheprinter’sdefaultqueue,deselect“Usedefaultqueueon server,”enteraqueuename,andclickOK. 6 Selectthequeueyouaddedtothequeuelist. Toverifythatyouselectedthecorrectqueue,makesurethequeuenamematchesthe namenexttoPrinter. Note:ChangingtheSharingNamealsochangesthequeuenamethatappearsinPrint &Faxpreferencesontheserver. 340 Chapter25SecuringPrintService 7 IntheSharingNamefield,enterthequeuenameyouwantclientstosee. Makesurethenameiscompatiblewithnamingrestrictionsimposedbyyourclients. Forexample,someLPRclientsdonotsupportnamesthatcontainspaces,andsome Windowsclientsrestrictnamesto12characters.QueuenamessharedusingLPRorSMB mustnotcontaincharactersotherthanA–Z,a–z,0–9,and_(underscore). AppleTalkqueuenamescannotbelongerthan32bytes.Thismightbefewerthan32 typedcharacters.Thequeuenameisencodedaccordingtothelanguageusedonthe serverandmightnotbereadableonclientcomputersusinganotherlanguage. 8 Selecttheprintingprotocolsyourclientsuse. Ifyouselect“SMB,”makesureyoustartSMBservice. 9 IfyouwanttoenforcetheprintquotasyouestablishforusersinWorkgroupManager, selectthe“Enforcequotasforthisqueue”checkbox. 10 Ifyouwanttheprintertocreateacoversheet,choosethetitleofthecoversheetfrom theCoverSheetpop-upmenu;otherwise,choose“None.” 11 ClickSave. Chapter25SecuringPrintService 341 Fromthecommandline: # # Configure a Print queue. # ----------------------sudo serveradmin settings print:lprQueues:_array_index:0 = $PRINTER_SHARING_NAME sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingName = $PRINTER_SHARING_NAME sudo serveradmin settings print:queuesArray:_array_id:example_com:quotasEnforced = yes sudo serveradmin settings print:queuesArray:_array_id:example_com:showNameInBonjour = no sudo serveradmin settings print:queuesArray:_array_id:example_com:defaultCoverPage = "classified" sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:ser vice = "IPP" sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:sha ringEnable = yes sudo serveradmin settings print:queuesArray:_array_id:example_com:printerURI = "lpd:// example.com" sudo serveradmin settings print:queuesArray:_array_id:example_com:shareable = yes sudo serveradmin settings print:queuesArray:_array_id:example_com:printerName = "example_com" sudo serveradmin settings print:useRemoteQueues = yes sudo serveradmin settings print:coverPageNames:_array_index:0 = "classified" ViewingPrintServiceandQueueLogs Printservicekeepstwotypesoflogs:aprintservicelogandindividualprintqueue logs.  Theprintservicelogrecordsthetimeofeventssuchaswhenprintserviceisstarted andstoppedandwhenaprintqueueisputonhold.  Aprintqueuelogrecordsinformationsuchasthenameofuserswhosubmittedjobs andthesizeofeachjob. YoucanviewprintservicelogsusingServerAdmin. 342 Chapter25SecuringPrintService Toviewprintservicelogs: 1 OpenServerAdminandconnecttotheserver. 2 SelectPrintintheComputers&Serviceslist. 3 ClickLogs. UsetheFilterfieldtosearchforspecificentries. Fromthecommandline: # # View print service logs. # ----------------------sudo tail /Library/Logs/PrintService/PrintService_admin.log Chapter25SecuringPrintService 343 26 SecuringMultimediaServices 26 UsethischaptertolearnhowtosecureMultimediaservices. ProtectingQuickTimemultimediastreamsandonlyallowingaccesstothosewhoare authorizedtoviewthemcanhelpkeepinformationprivate.Thefollowingsectionhelps youunderstandandconfigureQuickTimeStreamingServer(QTSS)securely. Streamingisthedeliveryofmedia,suchasmoviesandlivepresentations,overa networkinrealtime.Acomputer(streamingserver)sendsthemediatoanother computer(clientcomputer),whichplaysthemediaasitisdelivered. WithQTSSsoftware,youcandeliver:  Broadcastsofliveeventsinrealtime  Videoondemand  Playlistsofprerecordedcontent Alevelofsecurityisinherentinreal-timestreaming,becausecontentisdeliveredonly astheclientneedsitandnofilesremainafterward,butyoumightneedtoaddress somesecurityissues. Formoreinformationaboutconfiguringmultimediaservices,seetheQuickTime StreamingandBroadcastingAdministrationguide. DisablingQTSS IfyourserverisnotintendedtobeaQuickTimestreamingserver,disablethe QuickTimeStreamingserversoftware.Disablingthesoftwarepreventspotential vulnerabilitiesonyourcomputer.QTSSisdisabledbydefault,butverificationis recommended. TodisableQTSS: 1 InServerAdmin,clickQuickTimeStreamingundertheserverintheServerslist. 2 ClickStopQuickTimeStreaming. 344 Fromthecommandline: # --------------------------------------------------------------------# Securing Multimedia Services # --------------------------------------------------------------------# # Disable QTSS. # ------------sudo serveradmin stop qtss SecurelyConfiguringQTSS Alevelofsecurityisinherentinreal-timestreamingbecausecontentisdeliveredonly astheclientneedsitandnofilesremainafterward.However,youmightneedto addresssomesecurityissues. ThestreamingserverusestheIETFstandardRTSP/RTPprotocols.RTSPrunsontopof TCPandRTPrunsonUDP.ManyfirewallsareconfiguredtorestrictTCPpacketsbyport number,andareveryrestrictiveonUDP. TherearethreeoptionsforstreamingthroughfirewallswithQTSS.Theseoptionsare notmutuallyexclusive.Typicallyoneormoreareusedtoprovidethemostflexible setup.Thethreeconfigurationsoutlinedbelowareforclientsbehindafirewall.  Streamviaport80:ThisoptionenablesthestreamingservertoencapsulateRTSP andRTPtrafficinsideTCPport80packets.Becausethisisthedefaultportusedfor HTTP-basedwebtraffic,thestreamedcontentgetsthroughmostfirewalls.However, encapsulatingthestreamingtrafficlowersperformanceonthenetworkandrequires fasterclientconnectionstomaintainstreams.Italsoincreasesloadontheserver.  Opentheappropriateportsonthefirewall:Thisoptionallowsthestreamingserver tobeaccessedviaRTSP/RTPonthedefaultports,andprovidesbetteruseofnetwork resources,lowerspeedsforclientconnections,andlessloadontheserver.Theports thatmustbeopeninclude:  TCPport80:UsedforsignalingandstreamingRTSP/HTTP(ifenabledonserver).  TCPport554:UsedforRTSP.  UDPports6970–9999:UsedforUDPstreaming.AsmallerrangeofUDPports, typically6970-6999,canusuallybeused.  TCPport7070:OptionallyusedforRTSP.(RealServerusesthisport;QTSS/Darwin canalsobeconfiguredtousethisport.)  TCPports8000and8001:CanbeopenedforIcecastMP3streaming. Chapter26SecuringMultimediaServices 345  Setupastreamingproxyserver:Theproxyserverisplacedinthenetwork demilitarizedzone(DMZ)—anareaonthenetworkthatisbetweenanexternal firewallthatconnectstotheInternetandaninternalfirewallbetweentheDMZand theinternalnetwork. Usingfirewallrules,packetswiththeportsdefinedaboveareallowedfromtheproxy servertoclientsthroughtheinternalfirewall,andalsobetweentheproxyserverand theInternetviatheexternalfirewall.However,clientsarenotallowedtomakedirect connectionstoexternalresourcesoverthoseports. Thisapproachensuresthatallpacketsboundfortheinternalnetworkcomethrough theproxyserver,providinganadditionallayerofnetworksecurity. ConfiguringaStreamingServer IfyourequireQTSS,configureitinconjunctionwithyourfirewallandbindittoasingle IPaddress. Toconfigureastreamingserver: 1 InServerAdmin,clickQuickTimeStreamingundertheserverintheServerslist. 2 ClickSettings. 3 ClickIPBinding. BybindingQTSSwithanIPaddress,youcaneasilytracknetworkactivity.Youcanalso configurethefirewalltorestrictnetworkaccesstothisIPaddress.IPbindingisalso helpfulwhenyourserverismultihomed(forexample,ifyou’realsohostingaweb server). 4 SelecttheIPaddressfromthelist. 5 ClickSave. 6 ClickStartQuickTimeStreaming. Fromthecommandline: # # Configure a streaming server. # ---------------------------sudo serveradmin settings qtss:server:bind_ip_addr:_array_index:0 = "$BIND_IP_ADDRESS" 346 Chapter26SecuringMultimediaServices ServingStreamsThroughFirewallsUsingPort80 IfyouaresettingupastreamingserverontheInternetandsomeofyourclientsare behindfirewallsthatallowonlywebtraffic,enablestreamingonport80. Withthisoption,thestreamingserveracceptsconnectionsonport80,thedefaultport forwebtraffic,andQuickTimeclientscanconnecttoyourstreamingserverevenifthey arebehindaweb-onlyfirewall. Ifyouenablestreamingonport80,makesureyoudisableanywebserverwiththe sameIPaddresstoavoidconflictswithyourstreamingserver. ToserveQuickTimestreamsoverHTTPport80: 1 InServerAdmin,clickQuickTimeStreamingundertheserverintheServerslist. 2 ClickSettings. 3 ClickIPBindings. 4 Select“Enablestreamingonport80.” Streamingforselectedaddressesmustbeenabled. Important:Ifyouenablestreamingonport80,makesureyourserverisnotalso runningawebserver,suchasApache.RunningQTSSandawebserverwithstreaming onport80enabledcancauseaportconflictthatresultsinoneorbothserversnot behavingproperly. Fromthecommandline: # Serve QuickTime streams over HTTP port 80: sudo serveradmin settings qtss:server:rtsp_port:_array_index:0 = 554qtss:server:rtsp_port:_array_index:1 = 80qtss:server:rtsp_port:_array_index:2 = 8000qtss:server:rtsp_port:_array_index:3 = 8001 StreamingThroughFirewallsorNetworkswithAddressTranslation ThestreamingserversendsdatausingUDPpackets.Firewallsdesignedtoprotect informationonanetworkoftenblockUDPpackets.Asaresult,clientcomputers locatedbehindafirewallthatblocksUDPpacketscan’treceivestreamedmedia. However,thestreamingserveralsoallowsstreamingoverHTTPconnections,which allowsstreamedmediatobeviewedthroughevenverytightlyconfiguredfirewalls. SomeclientcomputersonnetworksthatuseaddresstranslationcannotreceiveUDP packets,buttheycanreceivemediathat’sstreamedoverHTTPconnections. Chapter26SecuringMultimediaServices 347 Ifusershaveproblemsviewingmediathroughafirewallorviaanetworkthatuses addresstranslation,havethemupgradetheirclientsoftwaretoQuickTime5orlater. Ifusersstillhaveproblems,havetheirnetworkadministratorsprovidethemwiththe relevantsettingsforthestreamingproxyandstreamingtransportsettingsontheir computers. NetworkadministratorscanalsosetfirewallsoftwaretopermitRTPandRTSP throughput. ChangingthePasswordRequiredtoSendanMP3BroadcastStream BroadcastingMP3stoanotherserverrequiresauthentication. TochangetheMP3broadcastpassword: 1 InServerAdmin,clickQuickTimeStreamingundertheserverintheServerslist. 2 ClickSettings,thenclickAccess. 3 IntheMP3BroadcastPasswordbox,enteranewpassword. 4 ClickSave. Fromthecommandline: # Change the MP3 broadcast password: sudo serveradmin settings qtss:modules:_array_id:QTSSMP3StreamingModule:mp3_broadcast_password = "$QTMP3_PASSWORD" UsingAutomaticUnicast(Announce)withQTSSona SeparateComputer YoucanbroadcastfromQuickTimeBroadcastertoQTSS.Thissettingcanalsobeused toreceiveAnnouncedUDPstreamsfromanotherQuickTimestreamingservervia arelayusingtheAutomaticUnicast(Announce)transmissionmethod.Todoso,you mustcreateabroadcastusernameandpasswordonthestreamingserver. Tocreateabroadcastusernameandpasswordonthestreamingserver: 1 InServerAdmin,clickQuickTimeStreamingundertheserverintheServerslist. 2 ClickSettings,thenclickAccess. 3 Clickthe“Acceptincomingbroadcasts”checkbox. 4 ClickSetPasswordandenterthenameandpassword. 5 ClickSave. 348 Chapter26SecuringMultimediaServices Fromthecommandline: # # Create a broadcast user name and password on the streaming server. # -----------------------sudo serveradmin settings qtss:modules:_array_id:QTSSReflectorModule:allow_broadcasts = yes ControllingAccesstoStreamedMedia Youcansetupauthenticationtocontrolclientaccesstostreamedmediafiles.Youcan useWorkgroupManagertospecifywhocanaccessthemediafiles,oryoucanusean accessfile. Twoschemesofauthenticationaresupported:basicanddigest.Bydefault,theserver usesthemoresecuredigestauthentication. Youcanalsocontrolplaylistaccessandadministratoraccesstoyourstreamingserver. Authenticationdoesnotcontrolaccesstomediastreamedfromarelayserver.The administratoroftherelayservermustsetupauthenticationforrelayedmedia. TheabilitytomanageuseraccessisbuiltintoQTSS,soitisalwaysenabled. Foraccesscontroltowork,anaccessfilemustbepresentinthedirectoryyouselected asyourmediadirectory.IfanaccessfileisnotpresentintheQTSSmediadirectory,all clientsareallowedaccesstothemediainthedirectory. TocontrolaccessusingOpenDirectory: m AuthorizeeachuserinWorkgroupManager. Formoreinformation,seeOpenDirectoryAdministration. Tocontrolaccessusinganaccessfile: 1 Usethesudoqtpasswdcommand-lineutilitytocreateuseraccountswithpasswords. 2 Createanaccessfileandplaceitinthemediadirectoryyouwanttoprotect. 3 Todisableauthenticationforamediadirectory,removetheaccessfile(named qtaccess)orrenameit(forexample,qtaccess.disabled). CreatinganAccessFile Anaccessfileisatextfilenamedqtaccessthatcontainsinformationaboutusers andgroupswhoareauthorizedtoviewmediainthedirectorywheretheaccessfile isstored. Thedirectoryyouusetostorestreamedmediacancontainotherdirectories,andeach directorycanhaveitsownaccessfile. Chapter26SecuringMultimediaServices 349 Whenausertriestoviewamediafile,theserverchecksforanaccessfiletosee whethertheuserisauthorizedtoviewthemedia.Theserverlooksfirstinthedirectory wherethemediafileislocated.Ifanaccessfileisnotfound,itlooksintheenclosing directory. Thefirstaccessfilethat’sfoundisusedtodeterminewhethertheuserisauthorizedto viewthemediafile. TheaccessfileforthestreamingserverworksliketheApachewebserveraccessfile. Youcancreateanaccessfilewithatexteditor.Thefilenamemustbeqtaccessandthe filecancontainsomeorallofthefollowinginformation: AuthName <message> AuthUserFile <user filename> AuthGroupFile <group filename> require user <username1> <username2> require group <groupname1> <groupname2> require valid-user require any-user Termsnotinanglebracketsarekeywords.Anythinginanglebracketsisinformation yousupply. Savetheaccessfileasplaintext(not.rtforanyotherfileformat). Here’sabriefexplanationofeachkeyword:  messageistextyourusersseewhentheloginwindowappears.It’soptional.Ifyour messagecontainswhitespace(suchasaspacecharacterbetweenterms),enclose themessageinquotationmarks.  user filenameisthepathandfilenameoftheuserfile.ForSnowLeopard,the defaultis/Library/QuickTimeStreaming/Config/qtusers.  group filenameisthepathandfilenameofthegroupfile.ForSnowLeopard,the defaultis/Library/QuickTimeStreaming/Config/qtgroups.Agroupfileisoptional.If youhavemanyusers,itmightbeeasiertosetupgroupsandthenenterthegroup names,insteadoflistingeachuser.  usernameisauserwhoisauthorizedtologinandviewthemediafile.Theuser’s namemustbeintheuserfileyouspecified.Youcanalsospecifyvalid-user,which designatesanyvaliduser.  groupnameisagroupwhosemembersareauthorizedtologinandviewthemedia file.Thegroupanditsmembersmustbelistedinthegroupfileyouspecified. 350 Chapter26SecuringMultimediaServices Youcanusetheseadditionalusertags:  valid-userisanyuserdefinedintheqtusersfile.Thestatement“requirevalid-user” specifiesthatanyauthenticateduserintheqtusersfilecanhaveaccesstothemedia files.Ifthistagisused,theserverpromptsusersforusernameandpassword.  any-userallowsanyusertoviewmediawithoutprovidinganameorpassword.  AuthSchemeisakeywordwiththevalues“basic”or“digest”toaqtaccessfile.This overridestheglobalauthenticationsettingonadirectory-by-directorybasis. Ifyoumakecustomizedchangestothedefaultqtaccessaccessfile,beawarethat makingchangestobroadcastusersettingsinServerAdminmodifiesthedefault qtaccessfileattherootlevelofthemoviesdirectory.Therefore,customized modificationsyoumakearenotpreserved. WhatClientsNeedWhenAccessingProtectedMedia UsersmusthaveQuickTime5orlatertoaccessamediafilethatdigestauthenticationis enabledfor.Ifyourstreamingserverissetuptousebasicauthentication,usersneed QuickTime4.1orlater. Usersmustentertheirusernamesandpasswordstoviewthemediafile.Userswhotry toaccessamediafilewithanearlierversionofQuickTimewillseetheerrormessage “401:Unauthorized.” AddingUserAccountsandPasswords Youcanaddauseraccountandpasswordifyoulogintotheservercomputer. Toaddauseraccount: 1 Logintotheservercomputerasroot,openaterminalwindow,andenterthe following: sudo qtpasswd <user-name> Alternatively,usesudotoexecutethecommandasroot. 2 Enterapasswordfortheuserandreenteritwhenprompted. Fromthecommandline: # # Add a user account. # -----------------sudo qtpasswd $USER Chapter26SecuringMultimediaServices 351 AddingorDeletingGroups Youcaneditthe/Library/QuickTimeStreaming/Config/qtgroupsfilewithanytexteditor aslongthefileusesthisformat: <groupname>: <user-name1> <user-name2> <user-name3> ForWindows,thepathisc:\ProgramFiles\DarwinStreamingServer\qtgroups.Forother supportedplatforms,itis/etc/streaming/qtgroups. Toaddordeleteagroup,editthegroupfileyousetup. Fromthecommandline: # Adding groups: echo "$GROUP_NAME: $USER1 $USER2 $USER3" /Library/QuickTimeStreaming/ Config/qtgroups MakingChangestotheUserorGroupFile Youcanmakechangestotheuserorgroupfileifyoulogintotheservercomputer. Todeleteauserfromauserorgroupfile: 1 Logintotheservercomputerasadministratoranduseatexteditortoopentheuser orgroupfile. 2 Deletetheusernameandencryptedpasswordslinefromtheuserfile. 3 Deletetheusernamefromthegroupfile. Tochangeauserpassword: 1 Logintotheservercomputerasroot,openaterminalwindow,andenterthe following: sudo qtpasswd <user-name> Alternatively,usesudotoexecutethecommandasroot. 2 Enterapasswordfortheuser. Thepasswordyouenterreplacesthepasswordinthefile. Fromthecommandline: # # Change a user password. # ----------------------sudo qtpasswd $USER 352 Chapter26SecuringMultimediaServices ViewingQTSSLogs QTSSprovidesthefollowinglogfiles:  Errorlogs.Theselogfilesrecorderrorssuchasconfigurationproblems.Forexample, ifyoubindtoaspecificIPaddressthatcan’tbefound,oraifuserdeletesstreaming files,theseitemsarelogged.  Accesslogs.Whensomeoneplaysamoviestreamedfromyourserver,thelog reportssuchinformationasthedate,time,andIPaddressofthecomputerthat playedthemovie. QTSSlogfilesarestoredin/Library/QuickTimeStreaming/Logs. QTSSkeepsitslogsinstandardW3Cformat,allowingyoutouseanumberofpopular loganalysistoolstoparsethedata. ToviewtheQTSSlog: 1 InServerAdmin,clickQuickTimeStreamingundertheserverintheServerslist. 2 ClickLogsandthenchoosealogfromtheViewpop-upmenu. Fromthecommandline: # View the QTSS log: sudo tail /Library/QuickTimeStreaming/Logs/$LOG_FILE Chapter26SecuringMultimediaServices 353 27 SecuringGridandCluster ComputingServices 27 UsethischaptertolearnhowtosecureGridandCluster Computingservices. Protectinggridandclusterserviceshelpscontrolyournetwork’sfreeCPUcyclesfrom misuse.Thischapterhelpsyourestrictyournetwork’sCPUstoauthorizedusers. Xgrid,atechnologyinSnowLeopardServerandSnowLeopard,simplifiesdeployment andmanagementofcomputationalgrids.Xgridenablesyoutogroupcomputersinto gridsorclusters,andallowsuserstoeasilysubmitcomplexcomputationstogroupsof computers(local,remote,orboth),asanadhocgridoracentrallymanagedcluster. Formoreinformationaboutconfiguringmultimediaservices,seetheXgrid AdministrationandHighPerformanceComputingguide. UnderstandingXgridService Xgridservicehandlesthetransferringofcomputingjobstothegridandreturnsthe results.Xgriddoesnotcalculateanything,doesnotknowanythingaboutcalculating, doesnothavecontentforcalculating,anddoesnotevenknowthatyouarecalculating anything. Thecomputingjobishandledbysoftware(suchasperl)thatrunsonnetwork computers,canbeinstalledbeforerunningthecomputingjob,oristransferredto thecomputersusingXgrid. Theprimarycomponentsofacomputationalgridperformthefollowingfunctions:  AnagentrunsonetaskatatimeperCPU.(Adual-processorcomputercanruntwo taskssimultaneously.)  Acontrollerqueuestasks,distributesthosetaskstoagents,andhandlestask reassignment.  AclientsubmitsjobstotheXgridcontrollerintheformofmultipletasks.(Aclient canbeanycomputerrunningTigerorlaterorTigerServerorlater.) 354 Inprinciple,theagent,controller,andclientcanrunonthesameserver,butitisoften moreefficienttohaveadedicatedcontrollernode. DisablingXgridService IfyourserverisnotintendedtobeanXgridserver,disabletheXgridserversoftware. Disablingthesoftwarepreventspotentialvulnerabilitiesonyourcomputer. TheXgridserviceisdisabledbydefault,butverificationisrecommended. TodisableXgridservice: 1 SelectXgridintheComputers&Serviceslist. 2 ClckStopXgrid. 3 ClickSave. Fromthecommandline: # # # # # --------------------------------------------------------------------Xgrid Service --------------------------------------------------------------------Disable Xgrid service. # ---------------------sudo serveradmin stop xgrid AboutAuthenticationMethodsforXgrid YoucanconfigureXgridwithorwithoutauthentication.Ifyourequireauthenticationof controllerstomutuallyauthenticatewithclientsandagents,youcanchooseSingle Sign-OnorPassword-BasedAuthentication. YousetupanXgridcontrollerusingServerAdmin.Youcanspecifythetypeof authenticationforagentsandclients.ThepasswordsenteredinServerAdminforthe controllermustmatchthoseenteredforeachagentandclient. Whenestablishingpasswordsforagentsandclients,considerthesepoints:  Kerberosauthentication(singlesign-on).IfyouuseKerberosauthenticationfor agentsorclients,theserverthat’stheXgridcontrollermustbeconfiguredfor Kerberos,mustbeinthesamerealmastheserverrunningtheKerberosdomain controller(KDC)system,andmustbeboundtotheOpenDirectorymaster. Theagentusesthehostprincipalfoundinthe/etc/krb5.keytabfile.Thecontroller usestheXgridserviceprincipalfoundinthe/etc/krb5.keytabfile. Chapter27SecuringGridandClusterComputingServices 355  Agents.Theagentdeterminestheauthenticationmethod.Thecontrollermust conformtothatmethodandpassword(ifapasswordisused).Whenanagentis configuredwithastandardpassword(notsinglesign-on),youmustusethesame passwordforagentswhenyouconfigurethecontroller.Iftheagenthasspecified singlesign-on,thecorrectserviceprincipalandhostprincipalsmustbeavailable.  Clients.Ifyourserveristhecontrollerforagrid,besurethatSnowLeopardand SnowLeopardServerclientsusethecorrectauthenticationmethodforthe controller. Aclientcannotsubmitajobtothecontrollerunlesstheuserchoosesthecorrect authenticationmethodandenterstheirpasswordcorrectly,orhasthecorrect ticket-grantingticketfromKerberos. Formoreinformation,seeXgridAdministrationandHighPerformanceComputing. SingleSign-On Singlesign-on(SSO)isthemostpowerfulandflexibleformofauthentication.It leveragestheOpenDirectoryandKerberosinfrastructuresinSnowLeopardServerto manageauthenticationbehindthescenes,withoutuserintervention. EachXgridparticipantmusthaveaKerberosprincipal.Theclientsandagentsobtain ticket-grantingticketsfortheirprincipal,whichisusedtoobtainaserviceticketforthe controllerserviceprincipal.Thecontrollerlooksattheticketgrantedtotheclientto determinetheuser’sprincipalandverifiesitwiththerelevantserviceaccesscontrol lists(SACLs)andgroupstodetermineprivileges. Generally,usethisoptionifanyofthefollowingconditionsaretrue:  Youhavesinglesign-oninyourenvironment.  Youhaveadministratorcontroloverallagentsandclientsinuse.  Jobsmustrunwithspecialprivileges(suchasforlocal,network,orSANfilesystem access). Password-BasedAuthentication Whenyoucan’tusesinglesign-on,youcanrequirepasswordauthentication.Youmay notbeabletousesinglesign-onif:  PotentialXgridclientsarenottrustedbyyoursinglesign-ondomain(oryoudon’t haveone).  YouwanttouseagentsacrosstheInternetorthatareoutsideyourcontrol.  Itisanadhocgrid,withouttheabilitytoprearrangeaweboftrust. Inthesesituations,yourbestoptionistospecifyapassword.Youhavetwopassword options:oneforcontroller-clientandoneforcontroller-agent.Forsecurityreasons, theseshouldbedifferentpasswords. 356 Chapter27SecuringGridandClusterComputingServices Note:Youcanalsocreatehybridenvironments,suchaswithclient-controller authenticationdoneusingpasswordsbutcontroller-agentauthenticationdoneusing singlesign-on(orviceversa). NoAuthentication TheNoAuthenticationmethodcreatespotentialsecurityrisks,becauseanyonecan connectorrunajob,whichcanexposesensitivedata.Thisoptionisappropriateonly fortestingaprivatenetworkinahomeorlabthatisinaccessiblefromanyuntrusted computer,orwhennoneofthejobsorthecomputerscontainsensitiveorimportant information. SecurelyConfiguringXgridService Xgridservicemustberunningforyourservertocontrolagridorparticipateinagrid asanagent.IfXgridserviceisrequired,configuretheXgridagentandcontroller.The Xgridcontrollerandagentaredisabledbydefault. WhenconfiguringtheXgridagentandcontroller,requireauthenticationtoprotect yournetworkfrommalicioususers.Authenticationrequiresthatagentandcontroller usethesamepasswordorauthenticateusingKerberossinglesign-on.Withno authentication,amaliciousagentcouldreceivetasksandpotentiallyaccesssensitive data. DisablingtheXgridAgent AnXgridagentrunsthecomputationaltasksofajob.InSnowLeopardServer,the agentisturnedoffbydefault.Whenanagentisturnedonandbecomesactiveat startup,itregisterswithacontroller.(Anagentcanbeconnectedtoonlyonecontroller atatime.)Thecontrollersendsinstructionsanddatatotheagentforthecontroller’s jobs.Afteritreceivesinstructionsfromthecontroller,theagentexecutesitsassigned tasksandsendstheresultsbacktothecontroller. YouuseServerAdmintomakesureyourserverisnotactinglikeanXgridagent. TodisableanXgridagentontheserver: 1 SelectXgridintheComputers&Serviceslist. 2 ClickSettings. 3 ClickAgent. 4 Deselect“Enableagentservice.” Chapter27SecuringGridandClusterComputingServices 357 Fromthecommandline: # Configure an Xgrid agent on the server: sudo /usr/sbin/xgridctl agent stop sudo serveradmin settings xgrid:AgentSettings:Enabled = no LimitingtheXgridAgent AnXgridagentregisterswithacontrollerandreceivesinstructionsanddataforthe controller’sjobs.Afteritreceivesinstructionsfromthecontroller,theagentexecutesits assignedtasksandsendstheresultsbacktothecontroller. YouuseServerAdmintosetupyourserverasanXgridagent.Inaddition,youcan associatetheagentwithaspecificcontrollerorpermitittojoinagrid,specifywhen theagentacceptstasks,andsetapasswordthatthecontrollermustrecognize. ToconfigureanXgridagentontheserver: 1 OpenServerAdminandconnecttotheserver. 2 SelectXgridintheComputers&Serviceslist. 3 ClickSettings. 4 ClickAgent. 5 Click“Enableagentservice.” 6 SpecifyacontrollerbychoosingitsnameintheControllerpop-upmenuorbyentering thecontrollername. Bydefault,theagentusesthefirstavailablecontroller. Note:Anagentcanfindacontrollerinoneofthreeways:aspecifichostnameorIP address,thefirstavailablecontrollerthatadvertisesonBonjouronthelocalsubnet,or byaspecificBonjourservicename.servicelookupagainstthedomainnameserverfor _xgrid._tcp._ip. 7 Specifywhentheagentwillaccepttasks. Taskscanbeacceptedwhenthecomputerisidleoralways. Acomputerisconsideredidlewhenithasnomouseorkeyboardinputandignores CPUandnetworkactivity.Ifauserreturnstoacomputerthatisrunningagridtask,the computercontinuestorunthetaskuntilitisfinished. 8 Fromthepop-upmenu,chooseoneofthefollowingauthenticationoptionsandenter thepassword.  Passwordrequiresthattheagentandcontrollerusethesamepassword.  KerberosusesSSOauthenticationfortheagent’sadministrator. 358 Chapter27SecuringGridandClusterComputingServices  Nonedoesnotrequireapasswordfortheagent.Thisoptionisnotrecommended becauseitprovidesnoprotectionfromunapproveduseofyourgrid.Withno authentication,anunapprovedagentcouldreceivetasksandpotentiallyaccess sensitivedata. 9 ClickSave. Important:Ifyourequireauthentication,theagentandcontrollermustusethesame passwordormustauthenticateusingKerberossinglesign-on. Fromthecommandline: # Configure an Xgrid agent on the server. # --------------------------sudo serveradmin settings xgrid:AgentSettings:prefs:Enabled = yes sudo serveradmin settings xgrid:AgentSettings:prefs:ControllerAuthentication = "Kerberos" sudo serveradmin settings xgrid:AgentSettings:prefs:ControllerName = "$XGRID_CONTROLLER_HOST" sudo serveradmin settings xgrid:AgentSettings:Enabled = yes ConfiguringanXgridController YouuseServerAdmintoconfigureanXgridcontroller.Whenconfiguringthecontroller, youcanalsosetapasswordforanyagentusingthegridandforanyclientthatsubmits ajobtothegrid. ToconfigureanXgridcontroller: 1 OpenServerAdminandconnecttotheserver. 2 SelectXgridintheComputers&Serviceslist. 3 ClickSettings. 4 ClickController. 5 Click“Enablecontrollerservice.” 6 FromtheClientAuthenticationpop-upmenu,chooseoneofthefollowing authenticationoptionsforclientsandenterthepassword.  Passwordrequiresthattheagentandcontrollerusethesamepassword.  Kerberosusessign-onauthenticationfortheagent’sadministrator.  Nonedoesnotrequireapasswordfortheagent.Thisoptionisnotrecommended becauseitprovidesnoprotectionfromunapproveduseofyourgrid.Withno authentication,anunapprovedagentcouldreceivetasksandpotentiallyaccess sensitivedata. 7 ClickSave. Chapter27SecuringGridandClusterComputingServices 359 Important:Ifyourequireauthentication,theagentandcontrollermustusethesame passwordormustauthenticateusingKerberossinglesign-on. Fromthecommandline: # Configure an Xgrid controller. sudo serveradmin settings xgrid:ControllerSettings:Enabled = yes sudo serveradmin settings xgrid:ControllerSettings:prefs:ClientAuthentication = Password sudo serveradmin settings xgrid:ControllerSettings:ClientPassword = $XGRID_CLIENT_PASS 360 Chapter27SecuringGridandClusterComputingServices 28 ManagingWhoCanObtain AdministrativePrivileges(sudo) 28 Usethischaptertorestrictadministratoraccesstothesudo commandbyspecifyingwhocanusethiscommandinthe sudoersfile. Thesudocommandgivesrootuserprivilegestousersspecifiedinthesudoersfile.If you’reloggedinasanadministratoruserandyourusernameisspecifiedinthe/etc/ sudoersfile,youcanusethiscommand. ManagingthesudoersFile Limitthelistofadministratorsallowedtousethesudotooltothoseadministratorswho requiretheabilitytoruncommandswithrootuserprivileges. Tochangethe/etc/sudoersfile: 1 Editthe/etc/sudoersfileusingthevisudotool,whichallowsforsafeeditingofthefile, thenrunthefollowingcommandwithrootuserprivileges: sudo visudo 2 Whenprompted,enteryouradministratorpassword. Thereisatimeoutvalueassociatedwiththesudotool.Thisvalueindicatesthenumber ofminutesuntilsudopromptsforapasswordagain. Thedefaultvalueis5,whichmeansthatafterissuingthesudo commandandentering thecorrectpassword,additionalsudocommandscanbeenteredfor5minuteswithout reenteringthepassword.Thisvalueissetinthe/etc/sudoersfile. Formoreinformation,seethesudoandsudoersmanpages. 3 IntheDefaultsspecificationsectionofthefile,addthefollowingline: Defaults timestamp_timeout=0 361 4 Restrictwhichadministratorsareallowedtorunthesudotoolbyremovingthelinethat beginswith%adminandaddingthefollowingentryforeachuser,substitutingtheuser’s shortnamefortheworduser: user ALL=(ALL) ALL Doingthismeansthatwhenanadministratorisaddedtoasystem,theadministrator mustbeaddedtothe/etc/sudoersfileasdescribedaboveifthatadministratorneeds tousethesudotool. 5 Saveandquitvisudo. Formoreinformation,seethepicoandvisudomanpages. 362 Chapter28ManagingWhoCanObtainAdministrativePrivileges(sudo) 29 ManagingAuthorizationThrough Rights 29 Usethischaptertocontrolauthorizationonyoursystemby managingthepolicydatabase. AuthorizationonSnowLeopardServeriscontrolledbyapolicydatabase.Thisdatabase isstoredin/etc/authorization.Thedatabaseformatisdescribedincommentsatthe topofthatfile. TheSecurityAgentplug-inprocessesrequestsforauthenticationbygathering requirementsfromthepolicydatabase(/etc/authorization). Actionscanbesuccessfullyperformedonlywhentheuserhasacquiredtherightsto doso. UnderstandingthePolicyDatabase Thepolicydatabaseisapropertylistthatconsistsoftwodictionaries:  Therightsdictionary  Therulesdictionary TheRightsDictionary Therightsdictionarycontainsasetofkey/valuepairs,calledrightspecifications.Thekey istherightnameandthevalueisinformationabouttheright,includingadescription ofwhattheusermustdotoacquiretheright. Thefollowingisanextractfromthepolicydatabaseinstalledonyoursystem. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC …> <plist version="1.0"> <dict> … <key>rights</key> <dict> <key></key> <dict> 363 <key>class</key> <string>rule</string> <key>comment</key> <string>Matches otherwise unmatched rights (i.e., is a default).</ string> <key>rule</key> <string>default</string> </dict> <key>system.device.dvd.setregion.initial</key> <dict> <key>class</key> <string>user</string> <key>comment</key> <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string> <key>group</key> <string>admin</string> <key>shared</key> <true/> </dict> … <key>config.add.</key> <dict> <key>class</key> <string>allow</string> <key>comment</key> <string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string> </dict> … Inthisextractfromthepolicydatabase,therearethreerights:  Therightspecificationwithanemptykeystringisknownasthedefaultright specification.Toobtainthisrightausermustsatisfythedefaultrulewhich,by defaultoncurrentversionsofMacOSX,istoprovethattheyareanadministrator.  system.device.dvd.setregion.initialcontrolswhethertheuserisallowedtoset theinitialregioncodefortheDVDdrive.Bydefault,ausermustprovethattheyare anadministrator(ingroupadmin)tosettheDVDregion.  config.add.isawildcardrightspecification(itendswithadot)thatmatchesany rightwhosenamestartswiththeconfig.add.characters.Thisrightcontrolswhether ausercanaddarightspecificationtothepolicydatabase.Bydefault,anyusercan addarightspecification. Whenaprogramasksforaright,AuthorizationServicesexecutesthefollowing algorithm: 364 Chapter29ManagingAuthorizationThroughRights 1 Itsearchesthepolicydatabaseforarightspecificationwhosekeymatchestheright name. 2 Ifthatfails,itsearchesthepolicydatabaseforawildcardrightspecificationwhose keymatchestherightname.Ifmultiplerightsarepresent,itusestheonewiththe longestkey. 3 Ifthatfails,itusesthedefaultrightspecification. Afterithasfoundtherelevantrightspecification,AuthorizationServicesevaluatesthe specificationtodecidewhethertogranttheright.Insomecasesthisiseasy(inthe extractfromthepolicydatabaseabove,config.add.isalwaysgranted),butinother casesitcanbemorecomplex(forexample,settingtheDVDregionrequiresthatyou enteranadministratorpassword). Rules Aruleconsistsofasetofattributes.Rulesarepreconfiguredwhen SnowLeopardServerisinstalled,butapplicationscanchangethematanytime. Thefollowingtabledescribestheattributesdefinedforrules. Ruleattribute Genericrulevalue key Description Thekeyisthenameofarule.Akeyusesthesame namingconventionsasaright.SecurityServerusesa rule’skeytomatchtherulewitharight. Wildcardkeysendwitha“.”Thegenericrulehasan emptykeyvalue.Anyrightsthatdonotmatchaspecific ruleusethegenericrule. group admin Theusermustauthenticateasamemberofthisgroup. Thisattributecanbesettoanyonegroup. shared true Ifthisissettotrue,SecurityServermarksthecredentials usedtogainthisrightasshared.SecurityServercanuse anysharedcredentialstoauthorizethisright. Formaximumsecurity,setsharingtofalsesocredentials storedbySecurityServerforoneapplicationarenotused byanotherapplication. timeout 300 Thecredentialusedbythisruleexpiresinthespecified numberofseconds. Formaximumsecuritywheretheusermustauthenticate everytime,setthetimeoutto0.Forminimumsecurity, removethetimeoutattributesotheuserauthenticates onlyoncepersession. TherearesomespecificrulesinthepolicydatabaseforMacOSXapplications.Thereis alsoagenericruleinthepolicydatabasethattheSecurityServerusesforanyrightthat doesn’thaveaspecificrule. Chapter29ManagingAuthorizationThroughRights 365 ManagingAuthorizationRights Managingauthorizationrightsinvolvescreatingandmodifyingrightandrulevalues. CreatinganAuthorizationRight Toauthorizeauserforspecificrights,youmustcreateanauthorizationrightinthe rightsdictionary.Eachrightconsistsofthefollowing:  Thenameoftheright  Avaluethatcontainsoptionaldatapertainingtotheright  Thebytelengthofthevaluefield  Optionalflags Therightalwaysmatchesupwiththegenericruleunlessanewruleisaddedtothe policydatabase. ModifyinganAuthorizationRight Tomodifyaright,changetherelevantvaluein/etc/authorizationandsavethefile:  Tolockoutallprivilegedoperationsnotexplicitlyallowed,changethegenericrule bysettingthetimeoutattributeto0.  Toallowprivilegedoperationsaftertheuserisauthorized,removethetimeout attributefromthegenericrule.  Topreventapplicationsfromsharingrights,setthesharedattributetofalse.  Torequireuserstoauthenticateasamemberofthestaffgroupinsteadoftheadmin group,setthegroupattributetostaff. Note:ThereareAPIsthatyoucanuseformodifying/etc/authorization.It’sbettertouse theseAPIsthantomanuallychangethevalues. ExampleAuthorizationRestrictions AsanexampleofhowtheSecurityServermatchesarightwitharuleinthepolicy database,consideragrades-and-transcriptsapplication. Theapplicationrequeststherightcom.myOrganization.myProduct.transcripts.create. SecurityServerlooksuptherightinthepolicydatabase.Notfindingamatch,Security Serverlooksforarulewithawildcardkeysetto com.myOrganization.myProduct.transcripts.,com.myOrganization.myProduct., com.myOrganization.,orcom.—inthatorder—checkingforthelongestmatch. Ifnowildcardkeymatches,SecurityServerusesthegenericrule. SecurityServerrequestsauthenticationfromtheuser.Theuserprovidesausername andpasswordtoauthenticateasamemberofthegroupadmin.SecurityServercreates acredentialbasedontheuserauthenticationandtherightrequested. 366 Chapter29ManagingAuthorizationThroughRights Thecredentialspecifiesthatotherapplicationscanuseit,andSecurityServersetsthe expirationtofiveminutes. Threeminuteslater,achildprocessoftheapplicationstartsup.Thechildprocess requeststherightcom.myOrganization.myProduct.transcripts.create. SecurityServerfindsthecredential,seesthatitallowssharing,andusesthe right.Twoandahalfminuteslater,thesamechildprocessrequeststheright com.myOrganization.myProduct.transcripts.createagain,buttherighthasexpired. SecurityServerbeginstheprocessofcreatingacredentialbyconsultingthepolicy databaseandrequestinguserauthentication. Chapter29ManagingAuthorizationThroughRights 367 30 MaintainingSystemIntegrity 30 Usethischaptertolearnhowtomonitoreventsandlogsto helpprotecttheintegrityofyourcomputer. Usingauditingandloggingtoolstomonitoryourcomputercanhelpyousecureyour computer.Byreviewingtheseauditsandlogfiles,youcanstoploginattemptsfrom unauthorizedusersorcomputersandfurtherprotectyourconfigurationsettings.This chapteralsodiscussesantivirustools,whichdetectunwantedviruses. UsingDigitalSignaturestoValidateApplicationsand Processes Adigitalsignatureusespublickeycryptographytoensuretheintegrityofdata.Like traditionalsignatureswrittenwithinkonpaper,theycanbeusedtoidentifyand authenticatethesignerofthedata. However,digitalsignaturesgobeyondtraditionalsignaturesinthattheycanalso ensurethatthedataitselfhasnotbeenaltered.Thisislikedesigningacheckinsuch awaythatifsomeonealterstheamountofthesumwrittenonthecheck,an“Invalid” watermarkbecomesvisibleonthefaceofthecheck. Tocreateadigitalsignature,thesignergeneratesamessagedigestofthedata andthenusesaprivatekeytosignthedigest.Thesignermusthaveavalid digitalcertificatecontainingthepublickeythatcorrespondstotheprivatekey. Thecombinationofacertificateandrelatedprivatekeyiscalledanidentity. Thesignatureincludesthesigneddigestandinformationaboutthesigner’sdigital certificate.Thecertificateincludesthepublickeyandthealgorithmneededtoverify thesignature. Toverifythatthesigneddocumenthasnotbeenaltered,therecipientusesthe algorithmtocreateamessagedigestandappliesthepublickeytothesigneddigest. Ifthetwodigestsproveidentical,themessagecannothavebeenalteredandmust havebeensentbytheownerofthepublickey. 368 Toensurethatthepersonwhoprovidedthesignatureisnotonlythesameperson whoprovidedthedatabutisalsowhotheysaytheyare,thecertificateisalsosigned —inthiscasebythecertificateauthority(CA)whoissuedthecertificate. Signedcodeusesseveraldigitalsignatures:  Ifthecodeisuniversal,theobjectcodeforeacharchitectureissignedseparately.  Componentsoftheapplicationbundle(suchastheInfo.plistfile,ifthereisone)are alsosigned. ValidatingApplicationBundleIntegrity Tovalidatethesignatureonasignedapplicationbundle,usethecodesigncommand withthe-voption. Fromthecommandline: # --------------------------------------------------------------------# Maintaining System Integrity # --------------------------------------------------------------------# Validate application bundle integrity. sudo codesign -v $code_path Thiscommandchecksthatthecodebinariesatcode-patharesigned,thatthe signatureisvalid,thatsealedcomponentsareunaltered,andthatthebundlepasses basicconsistencychecks.Itdoesnotverifythatthecodesatisfiesrequirementsexcept itsowndesignatedrequirement. Toverifyarequirement,usethe-Roption.Forexample,toverifythattheAppleMail applicationisidentifiedasMail,signedbyApple,andsecuredwithApple’srootsigning certificate,usethefollowingcommand: Fromthecommandline: # Verify a requirement. sudo codesign -v -R="identifier com.apple.Mail and anchor apple" / Applications/Mail.app Unlikethe-roption,the-Roptiontakesonlyasinglerequirementratherthan arequirementscollection(no=>tags).Addadditional-voptionstogetdetailson thevalidationprocess. Chapter30MaintainingSystemIntegrity 369 Formoreinformationaboutsigningandverifyingapplicationbundlesignatures, seeCodeSigningGuideatdeveloper.apple.com/documentation/Security/Conceptual/ CodeSigningGuide.Formoreinformationaboutthecodesigncommand,seeits manpage. ValidatingRunningProcesses Youcanalsousecodesigntovalidatethesignaturesofrunningprocesses. Ifyoupassanumberratherthanapathtotheverifyoption,codesigntakesthe numbertobetheprocessID(pid)ofarunningprocess,andperformsdynamic validationinstead. AuditingSystemActivity Auditingisthecaptureandmaintenanceofinformationaboutsecurity-relatedevents. Auditinghelpsdeterminethecausesandmethodsusedforsuccessfulandfailedaccess attempts. Theauditsubsystemallowsauthorizedadministratorstocreate,read,anddeleteaudit information.Theauditsubsystemcreatesalogofauditableeventsandallowsthe administratortoreadallauditinformationfromtherecordsinamannersuitablefor interpretation.Thedefaultlocationforthesefilesisthe/var/audit/folder. Theauditsubsystemiscontrolledbytheauditutilitylocatedinthe/usr/sbin/folder. Thisutilitytransitionsthesysteminandoutofauditoperation. Thedefaultconfigurationoftheauditmechanismiscontrolledbyasetof configurationfilesinthe/etc/security/folder. Ifauditingisenabled,the/etc/rcstartupscriptstartstheauditdaemonat systemstartup.Allfeaturesofthedaemonarecontrolledbytheauditutilityand audit_controlfile. InstallingAuditingTools TheCommonCriteriaToolsdiskimage(.dmg)filecontainstheinstallerforauditing tools.ThisdiskimagefileisavailablefromtheCommonCriteriawebpagelocatedat www.apple.com/support/security/commoncriteria/. AfterdownloadingtheCommonCriteriaToolsdiskimagefile,copyittoaremovable disk,suchasaCD-Rdisc,FireWiredisk,orUSBdisk. 370 Chapter30MaintainingSystemIntegrity ToinstalltheCommonCriteriaToolssoftware: 1 InsertthediskthatcontainstheCommonCriteriaToolsdiskimagefileandopenthe filetomountthevolumecontainingthetoolsInstaller. 2 Double-clicktheCommonCriteriaTools.pkginstallerfile. 3 ClickContinue,thenproceedthroughtheinstallationbyfollowingtheonscreen instructions. 4 Whenpromptedtoauthenticate,entertheusernameandpasswordofthe administratoraccount. Fromthecommandline: # Install the common criteria tools software. sudo installer -pkg CommonCriteriaTools.pkg -target / EnablingAuditing Modifythehostconfigfiletoenableauditing. Toturnauditingon: 1 OpenTerminal. 2 Enterthefollowingcommandtoeditthe/etc/hostconfigfile. sudo pico /etc/hostconfig 3 Addthefollowingentrytothefile. AUDIT=-YES- 4 Savethefile. Auditingisenabledwhenthecomputerstartsup. Thefollowingtableshowsthepossibleauditsettingsandwhattheydo. Parameter Description AUDIT=-YES- Enableauditing;ignorefailure. AUDIT=-NO- Disableauditing. AUDIT=-FAILSTOP- Enableauditing;processesmaystopiffailureoccurs. AUDIT=-FAILHALT- Enableauditing;thesystemhaltsiffailureoccurs. IftheAUDITentryismissingfromthe/etc/hostconfigfile,auditingisturnedoff. Afailureisanyoccurrencethatpreventsauditeventsfrombeinglogged. Theauditsubsystemgenerateswarningswhenrelevanteventssuchasstoragespace exhaustionanderrorsinoperationarerecognizedduringauditstartuporlogrotation. Thesewarningsarecommunicatedtotheaudit_warnscript,whichcanthen communicatetheseeventstotheauthorizedadministrator. Chapter30MaintainingSystemIntegrity 371 Fromthecommandline: # Enable auditing. sudo cp /etc/hostconfig /tmp/test if /usr/bin/grep AUDIT /etc/hostconfig then sudo /usr/bin/sed "/^AUDIT.*/s//AUDIT=-YES-/g" /tmp/test > /etc/ hostconfig else /bin/echo AUDIT=-YES- >> /etc/hostconfig fi SettingAuditMechanisms Systemstartupscriptsattempttoconfigureauditingearlyinthesystemstartup process.Afterauditingisenabled,thesettingsfortheauditmechanismaresetwith the/etc/security/audit_controlconfigurationfile. Filescontainingauditsettingscanbeeditedwithanytexteditor.Terminalcanbeused withpicooremacstexteditortools.Formoreinformationaboutusingtexteditorswith Terminal,seethepicooremacsmanpage. Auditflagsaredefinedintermsofauditclasses.Auditflagscanbeforthewhole system,orspecificflagscanbeusedforauser.Auditflagscanincludeorexclude classesofeventsfromtheauditrecordstreambasedontheoutcomeoftheevent. Forexample,theoutcomecouldbesuccess,failure,orboth. Whenauserlogsin,thesystem-wideauditflagsfromtheaudit_controlfileare combinedwiththeuser-specificauditflags(ifany)fromtheaudit_userfile,and togetherestablishthepreselectionmaskfortheuser. Thepreselectionmaskdetermineswhicheventswillgenerateauditrecordsfor auser.Ifthepreselectionmaskischanged,restartthecomputertoensurethatall componentsareproducingauditeventsconsistently. UsingAuditingTools Thissectiondescribeshowtouseauditingtools. UsingtheauditTool Auditingismanagedbytheaudittool.Theaudittoolusesthissyntax: audit [-nst] [file] Theaudittoolcontrolsthestateoftheauditingsubsystem.Theoptionalfileoperand specifiesthelocationoftheaudit_controlinputfile.Thedefaultfileis/etc/security/ audit_control. 372 Chapter30MaintainingSystemIntegrity Youcanusethefollowingoptionswiththeaudittool. Parameter Description -n Forcestheauditsystemtoclosetheexistingauditlogfileandrotatetoanewlog fileinalocationspecifiedintheauditcontrolfile. -s Specifiesthattheauditsystemshouldrestartandrereaditsconfigurationfromthe auditcontrolfile.Anewlogfileiscreated. -t Specifiesthattheauditsystemshouldterminate.Logfilesareclosedandrenamed toindicatethetimeoftheshutdown. Formoreinformation,seetheauditmanpage. UsingtheauditreduceTool Theauditreducetoolenablesyoutoselecteventsthathavebeenloggedinaudit records.Matchingauditrecordsareprintedtothestandardoutputintheirrawbinary form.Ifnofilenameisspecified,thestandardinputisusedbydefault. Theauditreducetoolfollowsthissyntax: auditreduce [-A] [-a YYYYMMDD[HH[MM[SS]]]] [-b YYYYMMDD[HH[MM[SS]]]] [-c flags] [-d YYYYMMDD] [-e euid] [-f egid] [-g rgid] [-r ruid] [-u auid] [-j id] [-m event] [-o object=value] [file …] Formoreinformation,seetheauditreducemanpages. Parameter Description -A Selectsallrecords. -a YYYYMMDD [HH[MM[SS]]] Selectsrecordsthatoccurredonorafterthespecifieddateandtime. -b YYYYMMDD [HH[MM[SS]]] Selectsrecordsthatoccurredbeforethespecifieddateandtime. -c flags Selectsrecordsmatchingthegivenauditclasses,specifiedasa comma-separatedlistofauditflags. -d YYYYMMDD Selectsrecordsthatoccurredonaspecifieddate.Cannotbeusedwith-aor-b optionflags. -e euid Selectsrecordswiththespecifiedeffectiveuser. -f egid Selectsrecordswiththespecifiedeffectivegroup. -g gid Selectsrecordswiththespecifiedrealgroup. -r ruid Selectsrecordswiththespecifiedrealuser. Chapter30MaintainingSystemIntegrity 373 Parameter Description -u auid SelectsrecordswiththespecifiedauditID. -j id SelectsrecordshavingasubjecttokenwithmatchingID. -m event Selectsrecordswiththespecifiedeventnameornumber. -o object =value file=Selectsrecordscontainingthespecifiedpathname. file="/usr"matchespathsstartingwithusr. file="~/usr"matchespathsnotstartingwithusr. msgqid=SelectsrecordscontainingthespecifiedmessagequeueID. pid=SelectsrecordscontainingthespecifiedprocessID. semid=SelectsrecordscontainingthespecifiedsemaphoreID. shmid=SelectsrecordscontainingthespecifiedsharedmemoryID. ToselectallrecordsassociatedwitheffectiveuserIDrootfromtheauditlog/var/audit/ 20031016184719.20031017122634: auditreduce -e root /var/audit/20031016184719.20031017122634 Toselectallsetlogineventsfromthatlog: auditreduce -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634: UsingtheprauditTool Thepraudittoolprintsthecontentsofauditrecords.Auditrecordsappearinstandard output(stdout).Ifnofilenameisspecified,standardinput(stdin)isused. Thepraudittoolusesthissyntax: praudit [options] audit-trail-file […] Youcanuseprauditwiththefollowingoptions: Parameter Description -l Printstherecordinthesameline.Ifthisoptionisnotspecified,everytokenappears inadifferentline. -r Printsrecordsintheirrawformat.Thisoptionisseparatefrom-s. -s Printsthetokensintheirshortform.ShortASCIIrepresentationsforrecordandevent typearedisplayed.Thisoptionisseparatefrom-r. del Specifiesthedelimiter.Thedefaultdelimiteristhecomma. Ifraworshortformarenotspecified,tokensareprintedintheirlongform.Eventsare displayedaccordingtotheirdescriptionsgiveninaudit_event,UIDsandGIDsare expandedtotheiractualASCIIrepresentation,dateandtimeisdisplayedinstandard dateformat,andsoon. 374 Chapter30MaintainingSystemIntegrity Formoreinformation,seetheprauditmanpage. DeletingAuditRecords Youcancleartheaudittrailbydeletingauditfilesusingthecommandline. WARNING:Donotdeletethecurrentauditlog. Todeleteanauditfile: sudo srm /var/audit/20031016184719.20031017122634 AuditControlFiles Theauditsystemusesthefollowingtextfilestocontrolauditingandwriteaudit records.Thedefaultlocationforthesefilesisthe/etc/security/folder.  audit_class—Theaudit_classfilecontainsdescriptionsofauditableeventclasseson thesystem.Eachauditableeventisamemberofaneventclass.Eachlinemapsan auditeventmask(bitmap)toaclassandadescription.  audit_control—Theaudit_controlfilecontainsseveralauditsystemparameters.Each lineofthisfileisoftheformparameter:value.Auditflagsareacomma-delimitedlist ofauditclassesasdefinedintheaudit_classfile.Eventclassescanbeprecededby aprefixthatchangestheirinterpretation.  audit_event—Theaudit_eventfilecontainsdescriptionsofauditableeventsonthe system.Eachlinemapsanauditeventnumbertoaname,adescription,andaclass. Eacheventclassshouldhaveacorrespondingentryintheaudit_classfile.  audit_user—Theaudit_userfilespecifieswhichauditeventclassesaretobeaudited forspecificusers.Ifspecified,theseflagsarecombinedwithsystemwideauditflags intheaudit_controlfiletodeterminewhichclassesofeventstoauditforauser. Thesesettingstakeeffectwhentheuserlogsin.Eachlinemapsausernametoalist ofclassesthatshouldbeauditedandalistofclassesthatshouldnotbeaudited.  audit_warn—Theaudit_warnfilerunswhenauditdgenerateswarningmessages. Thedefaultaudit_warnisascriptwhosefirstparameteristhetypeofwarning.The scriptappendsitsargumentsto/etc/security/audit_messages.Administratorscan replacethisscriptwithamorecomprehensiveonethattakesdifferentactionsbased onthetypeofwarning.Forexample,alow-spacewarningcouldresultinamail messagebeingsenttotheadministrator. Formoreinformationabouteditingauditcontrolfiles,seetheCommonCriteria Administrationguideatwww.apple.com/support/security. Chapter30MaintainingSystemIntegrity 375 ManagingandAnalyzingAuditLogFiles Ifauditingisenabled,theauditingsubsystemaddsrecordsofauditableeventstoan auditlogfile.Thenameofanauditlogfileconsistsofthedateandtimeitwascreated, followedbyaperiod,andthedateandtimeitwasterminated.Forexample: 20040322183133.20040322184443. ThislogwascreatedonMarch22,2004at18:31:33andwasterminatedonMarch22, 2004at18:44:43. Theauditsubsystemappendsrecordstoonlyoneauditlogfileatatime.Thecurrently activefilehasasuffix“.not_terminated”insteadofadateandtime.Auditlogfilesare storedinthefoldersspecifiedintheaudit_controlfile.Theauditsubsystemcreatesan auditlogfileinthefirstfolderspecified. Whenlessthantheminfreeamountofdiskspaceisavailableonthevolumecontaining theauditlogfile,theauditsubsystem: 1 Issuesanaudit_warnsoftwarning. 2 Terminatesthecurrentauditlogfile. 3 Createsanewauditlogfileinthenextspecifiedfolder. Afterallfoldersspecifiedhaveexceededthisminfreelimit,auditingresumesinthefirst folderagain.However,ifthatfolderisfull,anauditingsubsystemfailurecanoccur. Youcanalsochoosetoterminatethecurrentauditlogfileandcreateanewone manuallyusingtheauditutility.Thisactioniscommonlyreferredtoas“rotatingthe auditlogs.” Useaudit -ntorotatethecurrentlogfile.Useaudit -stoforcetheauditsubsystem toreloaditssettingsfromtheaudit_controlfile(whichalsorotatesthecurrentlogfile). UsingActivityAnalysisTools SnowLeopardServerincludesseveralcommand-linetoolsthatyoucanusetoanalyze computeractivity. Dependingonthetools’configurationsandyourcomputer’sactivity,runningthese toolscanuselargeamountsofdiskspace.Additionally,thesetoolsareonlyeffective whenotherusersdon’thaveadministratoraccess.Userswithadministratoraccesscan editlogsgeneratedbythetoolandtherebycircumventthetool. Ifyourcomputercontainssensitivedata,considerusingbothauditingandlogging tools.Byusingbothtypesoftools,youcanresearchandanalyzeintrusionattempts andchangesinyourcomputer’sbehavior.Youmustconfigurethesetoolstomeetyour organization’sneeds,andthenchangetheirloggingsettingstocreaterelevant informationforreviewingorarchivingpurposes. 376 Chapter30MaintainingSystemIntegrity ValidatingSystemLogging Loggingistherecordingofvariousevents,includingchangestoservicestatus, processes,andoperatingsystemcomponents.Someeventsaresecurityrelated,while othersareinformationmessagesaboutyourcomputer’sactivity. Ifanunexpectederroroccurs,youcananalyzelogstohelpdeterminethecauseofthe error.Forexample,thelogsmightexplainwhyasoftwareupdatecan’tbeinstalled,or whyyoucan’tauthenticate. Loggingtoolscanbeusefulifyouhavemultipleuserswhocanaccessthesudo command.Youcanviewlogstoseewhatusersdidusingthesudocommand.Some sudocommandsperformadditionalactionsthatarenotlogged.Limitthesudo commandsthatindividualusersareallowedtouse.Formoreinformation,see “ManagingthesudoersFile”onpage361. UseConsoletoviewandmaintainlogfiles.Consoleislocatedinthe/Applications/ Utilities/folder.Uponstarting,theConsolewindowshowstheconsole.logfile.Click Logstodisplayapanethatshowsotherlogfilesonthesysteminatreeview.Thetree viewincludesfoldersforservices,suchaswebandmailserversoftware. InSnowLeopardServer,logfilesarehandledbytheBSDsubsystemorbyaspecific application.TheBSDsubsystemhandlesmostimportantsystemlogging,whilesome applicationshandletheirownlogging.LikeotherBSDsystems,SnowLeopardServer usesabackgroundprocesscalledsyslogdtohandlelogging. Aprimarydecisiontomakewhenconfiguringsyslogdiswhethertouselocalor remotelogging.Inlocallogging,logmessagesarestoredontheharddisk.Inremote logging,logmessagesaretransferredoverthenetworktoadedicatedlogserverthat storesthem.Usingremoteloggingisstronglyrecommended. Configuringsyslogd Theconfigurationfileforthesystemloggingprocess,syslogd,is/etc/syslog.conf. Amanualforconfigurationofthisfileisavailablebyissuingthecommandman syslog.confinaTerminalwindow. Eachlinein/etc/syslog.confconsistsoftextcontainingthreetypesofdata:afacility, apriority,andanaction.  Facilitiesarecategoriesoflogmessages.Standardfacilitiesincludemail,news,user, andkern(kernel).Prioritiesdealwiththeurgencyofthemessage.Inorderfromleast tomostcritical,theyaredebug,info,notice,warning,err,crit,alert,andemerg.  Thepriorityofthelogmessageissetbytheapplicationsendingit,notbysyslogd.  Theactionspecifieswhattodowithalogmessageofaspecificfacilityandpriority. Messagescanbesenttofiles,namedpipes,devices,oraremotehost. Chapter30MaintainingSystemIntegrity 377 Thefollowingexamplespecifiesthatforlogmessagesinthecategory“mail”with apriorityof“emerg”orhigher,themessageiswrittentothe/var/log/mail.logfile: mail.emerg /var/log/mail.log Thefacilityandpriorityareseparatedbyaperiod,andtheseareseparatedfromthe actionbytabs.Wildcards(“*”)canalsobeusedintheconfigurationfile. Thefollowingexamplelogsallmessagesofanyfacilityorprioritytothefile/var/log/ all.log: *.* /var/log/all.log LocalSystemLogging Thedefaultconfigurationin/etc/newsyslog.confisconfiguredforlocallogginginthe /var/logfolder.Thecomputerissettorotatelogfilesusingtheperiodiclaunchdjob accordingtotimeintervalsspecifiedinthe/etc/newsyslog.conffile. Rotationentailscompressingthecurrentlogfile,incrementingtheintegerinthe filenameofcompressedlogfiles,andcreatingalogfilefornewmessages. Thefollowingtabledescribestherotationprocessaftertworotations. Filesbeforerotation Filesafterfirstrotation Fileaftersecondrotation system.log system.log system.log mail.log mail.log mail.log mail.log.1.gz mail.log.1.gz system.log.1.gz system.log.1.gz mail.log.2.gz system.log.2.gz Logfilesarerotatedbyalaunchdjob,andtherotationoccursifthecomputerison whenthejobisscheduled.Bydefault,logrotationtasksarescheduledbetween midnightand1inthemorning,tobeasunobtrusiveaspossibletousers.Ifthesystem willnotbepoweredonatthistime,adjustthesettingsin/etc/newsyslog.conf. Forinformationabouteditingthe/etc/newsyslog.conffile,issuetheman commandinaTerminalwindow. 5 newsyslog.conf RemoteSystemLogging Usingremotelogginginadditiontolocalloggingisstronglyrecommended,because locallogscaneasilybealteredifthesystemiscompromised.Considerthefollowing securityissueswhenmakingthedecisiontouseremotelogging.  Thesyslogprocesssendslogmessagesintheclear,whichcouldexposesensitive information. 378 Chapter30MaintainingSystemIntegrity  Toomanylogmessagesfillstoragespaceontheloggingsystem,renderingfurther loggingimpossible.  Logfilescanindicatesuspiciousactivityonlyifabaselineofnormalactivityis established,andifthefilesareregularlymonitoredforsuchactivity. Ifthesesecurityissuesoutweighthesecuritybenefitofremoteloggingforthenetwork beingconfigured,donotuseremotelogging. Thefollowinginstructionsassumearemotelogserverhasbeenconfiguredonthe network. Toenableremotelogging: 1 Open/etc/syslog.confasroot. 2 Addthefollowinglinetothetopofthefile,replacingyour.log.serverwiththename orIPaddressofthelogserver,andmakingsuretokeepallotherlinesintact: *.* @your.log.server 3 Exit,savingchanges. 4 Sendahangupsignaltosyslogdtomakeitreloadtheconfigurationfile: sudo killall -HUP syslogd ViewingLogsinServerAdmin ServerAdminprovidesloggingforsomeservicesenabledonyourserver.Afilter featureallowsyoutosearchthroughthelogforspecificinformation. ToviewlogsinServerAdmin: 1 OpenServerAdminandconnecttotheserver. 2 Clickthetriangleattheleftoftheserver. Thelistofservicesappears. 3 FromtheexpandedServerslist,selectaservice. 4 ClickLogs. Someserviceshavemultiplelogsassociatedwiththem. Fromthecommandline: # View logs in Server Admin. # Use tail or more to view the log files. # The audit files are individually named based on the date. sudo /usr/bin/tail $AUDIT_FILE Chapter30MaintainingSystemIntegrity 379 UnderstandingPasswordsand Authentication A Usethisappendixtolearnthedifferenttypesofpasswords andhowtheyauthenticateusers. Passwordsareacommonmethodforauthenticating.Thereareseveraltypesofservices thatusepasswordstoverifytheidentityofusers. PasswordTypes Eachuseraccounthasapasswordtypethatdetermineshowtheuseraccountis authenticated.Inalocaldirectorydomain,thestandardpasswordtypeisshadow password. ForuseraccountsintheLDAPdirectoryofSnowLeopardServer,thestandard passwordtypeisOpenDirectory.UseraccountsintheLDAPdirectorycanalsohave apasswordtypeofcryptpassword. AuthenticationandAuthorization ServicessuchastheloginwindowandApplefileservicerequestuserauthentication fromOpenDirectory.Authenticationispartoftheprocessbywhichaservice determineswhetheritshouldgrantauseraccesstoaresource.Usuallythisprocess alsorequiresauthorization. Authenticationprovesauser’sidentity,andauthorizationdetermineswhatthe authenticateduserispermittedtodo.Ausertypicallyauthenticatesbyproviding avalidnameandpassword.Aservicecanthenauthorizetheauthenticateduser toaccessspecificresources.Forexample,fileserviceauthorizesfullaccessto foldersandfilesthatanauthenticateduserowns. Youexperienceauthenticationandauthorizationwhenyouuseacreditcard.The merchantauthenticatesyoubycomparingyoursignatureonthesalessliptothe signatureonyourcreditcard.Thenthemerchantsubmitsyourauthorizedcredit cardaccountnumbertothebank,whichauthorizespaymentbasedonyouraccount balanceandcreditlimit. 380 Appendix A OpenDirectoryauthenticatesuseraccounts,andserviceaccesscontrollists(SACLs) authorizeuseofservices.IfOpenDirectoryauthenticatesyou,theSACLforlogin windowdetermineswhetheryoucanlogin,theSACLforAppleFilingProtocol(AFP) servicedetermineswhetheryoucanconnectforfileservice,andsoon. Someservicesalsodeterminewhetherausercanaccessspecificresources.This authorizationcanrequireretrievingotheruseraccountinformationfromthe directorydomain.Forexample,AFPserviceneedstheuserIDandgroupmembership informationtodeterminewhichfoldersandfilestheusercanreadandwriteto. OpenDirectoryPasswords Whenauser’saccounthasapasswordtypeofOpenDirectory,theusercanbe authenticatedbyKerberosortheOpenDirectoryPasswordServer.Kerberosisa networkauthenticationsystemthatusescredentialsissuedbyatrustedserver. OpenDirectoryPasswordServersupportstraditionalpasswordauthenticationmethods thatsomeclientsofnetworkservicesrequire. KerberosandOpenDirectoryPasswordServerdonotstorethepasswordinthe user’saccount.KerberosandOpenDirectoryPasswordServerstorepasswordsin securedatabasesapartfromthedirectorydomain,andpasswordscanneverberead. Passwordscanonlybesetandverified. Malicioususersmightattempttologinoverthenetworkhopingtogainaccessto KerberosandOpenDirectoryPasswordServer.OpenDirectorylogscanalertyouto unsuccessfulloginattempts. UseraccountsinthefollowingdirectorydomainscanhaveOpenDirectorypasswords:  TheLDAPdirectoryofSnowLeopardServer  ThelocaldirectorydomainofSnowLeopardServer Note:OpenDirectorypasswordscan’tbeusedtologintoMacOSXv10.1orearlier. UserswhologinusingtheloginwindowofMacOSXv10.1orearliermustbe configuredtousecryptpasswords.Thepasswordtypedoesn’tmatterforother services.Forexample,auserofMacOSXv10.1couldauthenticateforApplefileservice withanOpenDirectorypassword. AppendixAUnderstandingPasswordsandAuthentication 381 ShadowPasswords ShadowpasswordssupportthesametraditionalauthenticationmethodsasOpen DirectoryPasswordServer.Theseauthenticationmethodsareusedtosendshadow passwordsoverthenetworkinascrambledform,orhash. Ashadowpasswordisstoredasseveralhashesinafileonthesamecomputerasthe directorydomainwheretheuseraccountresides.Becausethepasswordisnotstored intheuseraccount,thepasswordisnoteasytocaptureoverthenetwork.Eachuser’s shadowpasswordisstoredinaseparatefile,namedashadowpasswordfile,andthese filesareprotectedsotheycanbereadonlybytherootuseraccount. Useraccountsstoredinacomputer’slocaldirectorydomainaretheonlyonesthatcan haveashadowpassword.Useraccountsthatarestoredinashareddirectorycan’thave ashadowpassword. Shadowpasswordsalsoprovidecachedauthenticationformobileuseraccounts.For moreinformationaboutmobileuseraccounts,seeUserManagement. CryptPasswords Acryptpasswordisstoredinahashintheuseraccountrecord.Thisstrategy, historicallynamedbasicauthentication,ismostcompatiblewithsoftwarethatneedsto accessuserrecordsdirectly.Forexample,MacOSXv10.1orearlierexpecttofinda cryptpasswordstoredintheuseraccount. Cryptauthenticationsupportsamaximumpasswordlengthofeightbytes(eightASCII characters).Ifalongerpasswordisenteredinauseraccount,onlythefirsteightbytes areusedforcryptpasswordvalidation.ShadowpasswordsandOpenDirectory passwordsarenotsubjecttothislengthlimit. Forsecuretransmissionofpasswordsoveranetwork,cryptsupportstheDHX authenticationmethod. OfflineAttacksonPasswords Becausecryptpasswordsarestoredinuseraccounts,theyaresubjecttocracking. Useraccountsinashareddirectorydomainareaccessibleonthenetwork.Anyoneon thenetworkwhohasWorkgroupManagerorknowshowtousecommand-linetools canreadthecontentsofuseraccounts,includingthepasswordsstoredinthem. OpenDirectorypasswordsandshadowpasswordsaren’tstoredinuseraccounts,so thesepasswordscan’tbereadfromdirectorydomains. AmaliciousattackercoulduseWorkgroupManagerorUNIXcommandstocopy userrecordstoafile.Theattackercantransportthisfiletoasystemandusevarious techniquestodecodecryptpasswordsstoredinuserrecords.Afterdecodingacrypt password,theattackercanloginunnoticedwithalegitimateusernameandcrypt password. 382 AppendixAUnderstandingPasswordsandAuthentication Thisformofattackisknownasanofflineattack,becauseitdoesnotrequiresuccessive loginattemptstogainaccesstoasystem. ShadowpasswordsandOpenDirectorypasswordsarefarlesssusceptibletooffline attacksbecausetheyarenotstoredinuserrecords.Shadowpasswordsarestored inseparatefilesthatcanbereadonlybysomeonewhoknowsthepasswordofthe rootuser. OpenDirectorypasswordsarestoredsecurelyintheKerberosKDCandintheOpen DirectoryPasswordServerdatabase.Auser’sOpenDirectorypasswordcan’tberead byotherusers,notevenbyauserwithadministratorrightsforOpenDirectory authentication.(ThisadministratorcanchangeonlyOpenDirectorypasswordsand passwordpolicies.) PasswordGuidelines Manyapplicationsandservicesrequirethatyoucreatepasswordstoauthenticate. SnowLeopardServerincludesapplicationsthathelpcreatecomplexpasswords (PasswordAssistant),andsecurelystoreyourpasswords(KeychainAccess). SnowLeopardServersupportspasswordsthatcontainUTF-8charactersoranyNULterminatedbytesequence. CreatingComplexPasswords Usethefollowingtipstocreatecomplexpasswords:  Useamixtureofalphabetic(upperandlowercase),numeric,andspecialcharacters (suchas!or@).  Don’tusewordsorcombinationsofwordsfoundinadictionaryofanylanguage. Also,don’tusenamesoranythingelsethatisintelligible.  Createapasswordofatleasttwelvecharacters.Longerpasswordsaregenerallymore securethanshorterpasswords.  Createasrandomapasswordaspossible. YoucanusePasswordAssistanttoverifythecomplexityofyourpassword. UsinganAlgorithmtoCreateaComplexPassword Considercreatinganalgorithmtomakeacomplex(butmemorable)password.Using analgorithmcanincreasetherandomnessofyourpassword.Additionally,insteadof needingtorememberacomplexpassword,youmustrememberonlythealgorithm. Thefollowingexampleshowsonepossiblealgorithmforcreatingacomplexpassword. Insteadofusingthisalgorithm,createyourownormodifythisone. AppendixAUnderstandingPasswordsandAuthentication 383 Tocreateanalgorithmforcreatingacomplexpassword: 1 Chooseyourfavoritephraseorsaying. Inthisexample,we’lluse: Fourscoreandsevenyearsagoourfathersbroughtforth Ideallyyoushouldchooseaphraseofatleasteightwords. 2 Reduceyourfavoritephrasetoanacronymbykeepingonlythefirstletterof eachword. Thesamplephrasebecomes: Fsasyaofbf 3 Replacealetterwithanumber. Ifwereplace“F”andthelast“f”(from“four”and“forth”)with“4”,and“s”(from“seven”) with“7,”thesamplephrasebecomes: 4sa7yaofb4 4 Addspecialcharacters. Ifweadd“$”after“4,”and“&”after“7,”thesamplephrasebecomes: 4$sa7&yaofb4$ 5 Makesomelettersuppercase. Ifweconvertallvowelstouppercase,thesamplephrasebecomes: 4$sA7&yAOfb4$ SafelyStoringYourPassword Ifyoustoreyourpasswordorthealgorithmusedtomakeyourpasswordinasafe place,youcancreatemorecomplexpasswordswithoutthefearofbeingunableto recoverforgottenpasswords. Whenstoringpasswords,makesureyourstoragelocationissafe,unknown,and inaccessibletointruders.Considerstoringyourpasswordsinasealedenvelopeinside alockedcontainer.Alternatively,youcanstoreyourpasswordsinyourwallet.By keepingyourpasswordsinyourwallet,youkeeppasswordsinasafelocationthatis alsoconvenient. Itisrecommendednottostoreyourpasswordanywherenearyourcomputer. 384 AppendixAUnderstandingPasswordsandAuthentication Whenwritingdownyourpassword,takethefollowingprecautions:  Don’tidentifythepasswordasbeingapassword.  Don’tincludeaccountinformationonthesamepieceofpaper.  Addsomefalsecharactersormisinformationtothewrittenpasswordinawaythat youremember.Makethewrittenpassworddifferentfromtherealpassword.  Neverrecordapasswordonline,andneversendapasswordtoanotherperson throughemail. YoucanuseKeychainAccesstostoreyourmorecomplex,longerpasswords.You’llstill needapasswordtounlockKeychainAccesssoyoucanviewandusethesepasswords. BecauseKeychainAccessrequiresthatyouauthenticatetounlockkeychains,itis convenientforyouandinaccessibletointruders.StoretheKeychainAccesspassword inasafelocation.Formoreinformation,see“StoringCredentialsinKeychains”on page88. PasswordMaintenance Afteryoucreateagoodpasswordandstoreitinasafelocation,dothefollowingto makesureyourpasswordremainssecure:  Nevertellanyoneyourpassword.Ifyoutellsomeoneyourpassword,immediately changeyourpassword.  Changeyourpasswordfrequently,andwhenyouthinkyourpasswordhasbeen compromised.Ifyouraccountiscompromised,notifyauthoritiesandclosethe account.  Beawareofwhentrustedapplicationsaskforyourpassword.Maliciousapplications canmimicatrustedapplicationandaskyouforyourpasswordwhenyou’renot expectingit.  Don’treusethesamepasswordformultipleaccounts.Ifyoudo,anintruderwho compromisesyourpasswordcanusethepasswordforallofthoseaccounts.  Don’tenterpassword-relatedhintsin“passwordhint”fields.Byprovidingahint,you compromisetheintegrityofyourpassword.  Don’taccessyouraccountonpubliccomputersorothercomputersthatyoudon’t trust.Maliciouscomputerscanrecordyourkeystrokes.  Don’tenteryourpasswordinfrontofotherpeople. AuthenticationServices OpenDirectoryoffersoptionsforauthenticatinguserswhoseaccountsarestoredin directorydomainsonSnowLeopardServer,includingKerberosandtraditional authenticationmethodsthatnetworkservicesrequire. AppendixAUnderstandingPasswordsandAuthentication 385 OpenDirectorycanauthenticateusersby:  UsingKerberosauthenticationforsinglesign-on.  Usingtraditionalauthenticationmethodsandapasswordstoredsecurelyinthe OpenDirectoryPasswordServerdatabase.  Usingtraditionalauthenticationmethodsandashadowpasswordstoredinasecure shadowpasswordfileforeachuser.  Usingacryptpasswordstoreddirectlyintheuser’saccount,forbackward compatibilitywithlegacysystems.  Usinganon-AppleLDAPserverforLDAPbindauthentication. Inaddition,OpenDirectoryletsyousetupapasswordpolicyforallusersaswellas specificpasswordpoliciesforeachuser,suchasautomaticpasswordexpirationand minimumpasswordlength.(Passwordpoliciesdonotapplytoadministrators,crypt passwordauthentication,orLDAPbindauthentication.) DeterminingWhichAuthenticationOptiontoUse Toauthenticateauser,OpenDirectorymustdeterminewhichauthenticationoptionto use—Kerberos,OpenDirectoryPasswordServer,shadowpassword,orcryptpassword. Theuser’saccountcontainsinformationthatspecifieswhichauthenticationoptionto use.Thisinformationistheauthenticationauthorityattribute. OpenDirectoryusesthenameprovidedbytheusertolocatetheuser’saccountinthe directorydomain.ThenOpenDirectoryconsultstheauthenticationauthorityattribute intheuser’saccountandlearnswhichauthenticationoptiontouse. Youcanchangeauser’sauthenticationauthorityattributebychangingthepassword typeintheAdvancedpaneofWorkgroupManager,asshowninthefollowingtable. Passwordtype Authenticationauthority Attributeinuserrecord OpenDirectory OpenDirectoryPasswordServerand Kerberos Eitherorboth:  ;ApplePasswordServer;  ;Kerberosv5; Shadowpassword Passwordfileforeachuser,readable onlybytherootuseraccount Either:  ;ShadowHash;1  ;ShadowHash;<listofenabled authenticationmethods> Cryptpassword Encodedpasswordinuserrecord Either:  ;basic;  noattributeatall 1 Iftheattributeintheuserrecordis;ShadowHash;withoutalistofenabledauthenticationmethods,default authenticationmethodsareenabled.Thelistofdefaultauthenticationmethodsisdifferentfor SnowLeopardServerandSnowLeopard. 386 AppendixAUnderstandingPasswordsandAuthentication Theauthenticationauthorityattributecanspecifymultipleauthenticationoptions. Forexample,auseraccountwithanOpenDirectorypasswordtypenormallyhasan authenticationauthorityattributethatspecifiesKerberosandOpenDirectoryPassword Server. Auseraccountdoesn’tneedtoincludeanauthenticationauthorityattribute.Ifauser’s accountcontainsnoauthenticationauthorityattribute,SnowLeopardServerassumes acryptpasswordisstoredintheuser’saccount.Forexample,useraccountscreated usingMacOSXv10.1orearliercontainacryptpasswordbutnotanauthentication authorityattribute. PasswordPolicies OpenDirectoryenforcespasswordpoliciesforuserswhosepasswordtypeisOpen Directoryorshadowpassword.Forexample,auser’spasswordpolicycanspecify apasswordexpirationinterval.IftheuserislogginginandOpenDirectorydetermines thattheuser’spasswordhasexpired,theusermustreplacetheexpiredpassword. ThenOpenDirectorycanauthenticatetheuser. Passwordpoliciescandisableauseraccountonaspecifieddate,afteranumberof days,afteraperiodofinactivity,orafteranumberoffailedloginattempts.Password policiescanalsorequirepasswordstobeaminimumlength,containatleastone letter,containatleastonenumber,differfromtheaccountname,differfromrecent passwords,orbechangedperiodically. Thepasswordpolicyforamobileuseraccountapplieswhentheaccountisusedwhile disconnectedfromthenetworkandwhileconnectedtothenetwork.Amobileuser account’spasswordpolicyiscachedforusewhileoffline.Formoreinformationabout mobileuseraccounts,seeUserManagement. Passwordpoliciesdonotaffectadministratoraccounts.Administratorsareexemptfrom passwordpoliciesbecausetheycanchangethepoliciesatwill.Inaddition,enforcing passwordpoliciesonadministratorscouldsubjectthemtodenial-of-serviceattacks. KerberosandOpenDirectoryPasswordServermaintainpasswordpoliciesseparately. AnOpenDirectoryserversynchronizestheKerberospasswordpolicyruleswithOpen DirectoryPasswordServerpasswordpolicyrules. SingleSign-OnAuthentication SnowLeopardServerusesKerberosforsinglesign-onauthentication,whichrelieves usersfromenteringanameandpasswordseparatelyforeveryservice.Withsingle sign-on,auseralwaysentersanameandpasswordintheloginwindow.Thereafter, theuserdoesnotneedtoenteranameandpasswordforApplefileservice,mail service,orotherservicesthatuseKerberosauthentication. AppendixAUnderstandingPasswordsandAuthentication 387 Totakeadvantageofsinglesign-on,usersandservicesmustbeKerberized— configuredforKerberosauthentication—andusethesameKerberosKeyDistribution Center(KDC)server. UseraccountsthatresideinanLDAPdirectoryofSnowLeopardServerandhave apasswordtypeofOpenDirectoryusetheserver’sbuilt-inKDC.Theseuseraccounts areconfiguredforKerberosandsinglesign-on.Theserver’sKerberizedservicesuse theserver’sbuilt-inKDCandareconfiguredforsinglesign-on. ThisSnowLeopardServerKDCcanalsoauthenticateusersforservicesprovided byotherservers.HavingmoreserverswithSnowLeopardServerusethe SnowLeopardServerKDCrequiresonlyminimalconfiguration. KerberosAuthentication KerberoswasdevelopedatMITtoprovidesecureauthenticationandcommunication overopennetworksliketheInternet.It’snamedforthethree-headeddogthatguarded theentrancetotheunderworldofGreekmythology. Kerberosprovidesproofofidentityfortwoparties.Itenablesyoutoprovewhoyouare tonetworkservicesyouwanttouse.Italsoprovestoyourapplicationsthatnetwork servicesaregenuine,notspoofed. Likeotherauthenticationsystems,Kerberosdoesnotprovideauthorization.Each networkservicedetermineswhatyouarepermittedtodobasedonyourproven identity. Kerberospermitsaclientandaservertoidentifyeachothermuchmoresecurelythan typicalchallenge-responsepasswordauthenticationmethods.Kerberosalsoprovidesa singlesign-onenvironmentwhereusersauthenticateonlyonceaday,week,orother periodoftime,easingauthenticationfrequency. SnowLeopardServeroffersintegratedKerberossupportthatvirtuallyanyonecan deploy.Kerberosdeploymentissoautomaticthatusersandadministratorsmightnot realizeit’sdeployed. MacOSXv10.3andlateruseKerberoswhensomeonelogsinusinganaccountsetfor OpenDirectoryauthentication.Itisthedefaultsettingforuseraccountsinthe SnowLeopardServerLDAPdirectory.OtherservicesprovidedbytheLDAPdirectory server,suchasAFPandmailservice,alsouseKerberos. IfyournetworkhasotherserverswithSnowLeopardServer,joiningthemtothe Kerberosserveriseasy,andmostoftheirservicesuseKerberosautomatically. Alternatively,ifyournetworkhasaKerberossystemsuchasMicrosoftActiveDirectory, youcansetupyourSnowLeopardServerandSnowLeopardcomputerstouseitfor authentication. 388 AppendixAUnderstandingPasswordsandAuthentication SnowLeopardServerandSnowLeopardorlatersupportKerberosv5. SnowLeopardServerandSnowLeoparddonotsupportKerberosv4. SmartCardAuthentication Smartcardsenableyoutocarryyourdigitalcertificateswithyou.SnowLeopardallows youtouseyoursmartcardwhenanauthenticationdialogispresented. Thisrobust,two-factorauthenticationmechanismcomplieswithDepartmentof DefenseCommonAccessCard,U.S.PIV,BelgiumNationalIdentificationCard,Japanese governmentPKI,andJavaCard2.1standards.SimilartoanATMcardandaPINcode, two-factorauthenticationreliesonsomethingyouhaveandsomethingyouknow.If yoursmartcardislostorstolen,itcannotbeusedunlessyourPINisalsoknown. AppendixAUnderstandingPasswordsandAuthentication 389 B SecurityChecklist Thisappendixcontainsachecklistofrecommendedsteps requiredtosecureSnowLeopardServer. Thisappendixcontainsactionitemchecklistsorderedbychapter. Youcancustomizethesecheckliststosuityourneeds.Forexample,youcanmarkthe completionstatusofactionitemsinthe“Completed?”column.Ifyoudeviatefromthe suggestedactionitem,youcanusethe“Notes”columntojustifyorclarifyyour decision. InstallationActionItems Fordetails,seeChapter2,“InstallingSnowLeopardServer.” ActionItem SecurelyerasetheMacOSX installpartitionbefore installation Disablethefirmwarepassword beforeinstallation InstallSnowLeopardServer usingMacOSExtendeddisk formatting Donotinstallunnecessary packages Donottransferconfidential informationinServerAssistant DonotconnecttotheInternet Createadministratoraccounts withdifficult-to-guessnames Createcomplexpasswordsfor administratoraccounts 390 Completed? Notes Appendix B ActionItem Completed? Notes Donotenterapassword-related hint;instead,enterhelpdesk contactinformation Entercorrecttimesettings UseaninternalSoftwareUpdate server Updatesystemsoftwareusing verifiedpackages Repairdiskpermissionsafter installingsoftwareorsoftware updates HardwareandCoreSnowLeopardServerActionItems Fordetails,seeChapter3,“SecuringSystemHardware.” ActionItem Completed? Notes Restrictaccesstoroomsthat havecomputers Storecomputersinlockedor securecontainerswhennotin use Useapasswordprotected screensaver GlobalSettingsforSnowLeopardServerActionItems Fordetails,seeChapter4,“SecuringGlobalSystemSettings.” ActionItem Completed? Notes Requireafirmwarepassword Createanaccesswarningforthe loginwindow Createanaccesswarningforthe commandline Disablefastuserswitchingwith non-trustedusersorwhen multipleusersaccesslocal accounts AppendixBSecurityChecklist 391 AccountConfigurationActionItems Fordetails,seeChapter5,“SecuringLocalServerAccounts.” ActionItem Createanadministratoraccount andastandardaccountforeach administrator Createastandardoramanaged accountforeach nonadministrator Setparentalcontrolsfor managedaccounts Restrictthedistributionanduse ofadministratoraccounts Modifythe/etc/authorization filetosecuredirectorydomain access Disablesu Disablerootaccount Restrictsudouserstoonly beingabletoaccessrequired commands Setastrongpasswordpolicy UsePasswordAssistantto generatecomplexpasswords Authenticateusingasmartcard, token,orbiometricdevice Securetheloginkeychain Securekeychainitems Createspecializedkeychainsfor differentpurposes Useaportabledrivetostore keychains 392 AppendixBSecurityChecklist Completed? Notes SystemSoftwareActionItems Chapter5,“SecuringLocalServerAccounts,”describeshowtosecuresystem preferences.Everysystempreferencewithsecurity-relatedconfigurationsettingshasits ownactionitemchecklist. MobileMePreferencesActionItems Fordetails,see“SecuringMobileMePreferences”onpage96. ActionItem Completed? Notes DisableallSyncoptions DisableiDiskSyncing EnablePublicFolderpassword protection Donotregistercomputersfor synchronization AccountsPreferencesActionItems Fordetails,see“SecuringAccountsPreferences”onpage99. ActionItem Completed? Notes Changetheinitialpasswordfor thesystemadministrator account Disableautomaticlogin Displaytheloginwindowas nameandpassword Disable“Showpasswordhints” Disable“Enablefastuser switching” Disable“ShowtheRestart,Sleep, andShutDownbuttons” AppearancePreferencesActionItems Fordetails,see“SecuringAppearancePreferences”onpage102. ActionItem Completed? Notes Donotdisplayrecent applications Donotdisplayrecent documents Donotdisplayrecentservers AppendixBSecurityChecklist 393 BluetoothPreferencesActionItems Fordetails,see“SecuringBluetoothPreferences”onpage103. ActionItem Completed? Notes DisableBluetoothforeachuser accountinSystemPreferences Removeprivilegestomodify BluetoothSystemPreferences CDs&DVDsPreferencesActionsItems Fordetails,see“SecuringCDs&DVDsPreferences”onpage105. ActionItem Completed? Notes Disableautomaticactionsfor blankCDsforeachuseraccount Disableautomaticactionsfor blankDVDsforeachuser account Disableautomaticactionsfor musicCDsforeachuseraccount Disableautomaticactionsfor pictureCDsforeachuser account Disableautomaticactionsfor videoDVDsforeachuser account Removeprivilegestomodify CDs&DVDsSystemPreferences Exposé&SpacesPreferencesActionItems Fordetails,see“SecuringExposé&SpacesPreferences”onpage115 ActionItem Completed? Notes DisableDashboard Date&TimePreferencesActionItems Fordetails,see“SecuringDate&TimePreferences”onpage107. ActionItem Setacorrectdateandtime UseasecureinternalNTPserver forautomaticdateandtime setting 394 AppendixBSecurityChecklist Completed? Notes Desktop&ScreenSaverPreferencesActionItems Fordetails,see“SecuringDesktop&ScreenSaverPreferences”onpage109. ActionItem Completed? Notes Setashortinactivityintervalfor thescreensaver SetascreencornertoStart ScreenSaverforeachuser account Donotsetascreencornerto DisableScreenSaverforeach useraccount Removeprivilegestomodify DashboardandExposéSystem Preferences DisplayPreferencesActionItems Fordetails,see“SecuringDisplayPreferences”onpage111. ActionItem Completed? Notes Disabledisplaymirroring DockPreferencesActionItems Fordetails,see“SecuringDockPreferences”onpage111. ActionItem Completed? Notes Setthedocktohidewhennot inuse EnergySaverPreferencesActionItems Fordetails,see“SecuringEnergySaverPreferences”onpage112. ActionItem Completed? Notes Disablesleepingthecomputer forallpowersettings Enablesleepingthedisplayfor allpowersettings Enablesleepingtheharddiskfor allpowersettings Disable“Wakewhenthemodem detectsaring”forallpower settings Disable“WakeforEthernet networkadministratoraccess” forpoweradaptersettings AppendixBSecurityChecklist 395 ActionItem Completed? Notes Disable“Restartautomatically afterapowerfailure”forpower settings Disable“Restartautomaticallyif thecomputerfreezes”forpower settings KeyboardandMousePreferencesActionItems Fordetails,see“SecuringBluetoothPreferences”onpage103. ActionItem Completed? Notes TurnoffBluetooth NetworkPreferencesActionItems Fordetails,see“SecuringNetworkPreferences”onpage118. ActionItem Completed? Notes Disableunusedhardware devices DisableIPv6 Print&FaxPreferencesActionItems Fordetails,see“SecuringPrint&FaxPreferences”onpage120. ActionItem Completed? Notes Useprintersinsecurelocations only Disableprintersharing Disableprintbrowsing Disablereceivingfaxes Disablesendingfaxes QuickTimePreferencesActionItems Fordetails,see“SecuringSecurityPreferences”onpage122. ActionItem Disable“Savemoviesindisk cache” Donotinstallthird-party QuickTimesoftware 396 AppendixBSecurityChecklist Completed? Notes SecurityPreferencesActionItems Fordetails,see“SecuringSecurityPreferences”onpage122. ActionItem Completed? Notes Requireapasswordtowakethe computerfromsleeporscreen saverforeachaccount SharingPreferencesActionItems Fordetails,see“SecuringSharingPreferences”onpage125. ActionItem Completed? Notes DisableRemoteLogin DisableAppleRemoteDesktop DisableRemoteAppleEvents Renameyourcomputertoa namethatdoesnotindicatethe purposeofthecomputer SoftwareUpdatePreferencesActionItems Fordetails,see“SecuringSoftwareUpdatePreferences”onpage126. ActionItem Completed? Notes Set“Checkforupdates” accordingtopolicy Disable“Downloadimportant updatesinthebackground” Manuallyupdateusinginstaller packages Transferinstallerpackagesfrom atestcomputer Verifyinstallerpackagesbefore installing SoundPreferencesActionItems Fordetails,see“SecuringSoundPreferences”onpage128. ActionItem Completed? Notes Minimizeinputvolumeforthe internalmicrophone Minimizeinputvolumeforthe audiolineinport AppendixBSecurityChecklist 397 SpeechPreferencesActionItems Fordetails,see“SecuringSpeechPreferences”onpage129. ActionItem Completed? Notes Enablespeechrecognition inasecureenvironmentonly Useheadphonesifyouenable texttospeech SpotlightPreferencesActionItems Fordetails,see“SecuringSpotlightPreferences”onpage130. ActionItem Completed? Notes PreventSpotlightfrom searchingconfidentialfolders StartupDiskPreferencesActionItems Fordetails,see“SecuringStartupDiskPreferences”onpage133. ActionItem Completed? Notes Carefullychoosethestartup volume TimeMachinePreferencesActionItems Fordetails,see“SecuringTimeMachinePreferences”onpage134. ActionItem Completed? Notes TurnTimeMachineon Selectasafelocationtostore backupsin DataMaintenanceandEncryptionActionItems Fordetails,seeChapter8,“SecuringDataandUsingEncryption.” ActionItem Setglobalpermissionsusing POSIXorACLs Stripsetuidbits Securehomedirectory permissions EnableFileVaultforeveryuser Encryptportablefiles 398 AppendixBSecurityChecklist Completed? Notes ActionItem Completed? Notes Setglobalumaskbychanging NSUmasksettings Mandatesecureerasingoffiles Mandatesecreterasingof partitions Mandatesecurelyerasingfree space AccountPoliciesActionItems Chapter22,“SecuringNetworkAccounts,”describeshowtosetupandmanage accountpoliciesanduseraccounts,aswellashowtoconfiguresettingsand preferencesforclients.Eachtopicwithsecurity-relatedconfigurationsettingshasits ownactionitemchecklist. SharePointsActionItems Fordetails,seeChapter17,“SecuringFileServicesandSharepoints.” ActionItem Completed? Notes EnableSSLinWorkgroup Manager Disableunusedsharepoints Disableunusedsharing protocols Restrictsharepointaccess AccountConfigurationActionItems Fordetails,see“SecuringDirectoryAccounts”onpage319. ActionItem Completed? Notes Disallowsimultaneouslogin UseanOpenDirectory passwordinsteadofacrypt password Enteradiskquota UsePOPorIMAPformail,not both UsePOSIXorACLpermissionsto determinegroupaccountaccess Restrictaccesstospecificgroups byassigningcomputerstoalist AppendixBSecurityChecklist 399 ActionItem Completed? Notes Ifaccountsarestoredina networkdomain,disablelocal accounts Specifyatimeintervaltoupdate thepreferencescache ApplicationsPreferencesActionItems Fordetails,see“ManagingApplicationsPreferences”onpage284. ActionItem Completed? Notes Createalistofapproved applicationsthatuserscanopen Deselect“Usercanalsoopenall applicationsonlocalvolumes” Deselect“Allowapproved applicationstolaunchnonapprovedapplications” Deselect“AllowUNIXtoolsto run” DockPreferencesActionItems Fordetails,see“ManagingDockPreferences”onpage291. ActionItem ModifytheApplicationslistto includerequiredapplications ModifytheDocumentsand Folderslisttoincluderequired documentsandfolders Deselect‘”Mergewithuser’s Dock” Deselect“MyApplications” Deselect“Documents” Deselect“NetworkHome” Select“Automaticallyhideand showtheDock” 400 AppendixBSecurityChecklist Completed? Notes EnergySaverPreferencesActionItems Fordetails,see“ManagingEnergySaverPreferences”onpage292. ActionItem Completed? Notes Disablesleepingthecomputer forallpowersettings Deselect“Startupthe computer” FinderPreferencesActionItems Fordetails,see“ManagingFinderPreferences”onpage293. ActionItem Completed? Notes Select“Usenormalfinder” Deselect“HardDisks” Deselect“Removablemedia (suchasCDs)” Deselect“ConnectedServers” Select“Alwaysshowfile extensions” Deselect“ConnecttoServer” Deselect“GotoiDisk” Deselect“GotoFolder” Deselect“Eject” Deselect“BurnDisk” Deselect“Restart” Deselect“ShutDown” LoginPreferencesActionItems Fordetails,see“ManagingLoginPreferences”onpage295. ActionItem Completed? Notes Deselect“Addnetworkhome sharepoint” Deselect“Usermayaddand removeadditionalitems” Deselect“UsermaypressShiftto keepitemsfromopening” Donotallowloginorlogout scripts DonotallowLoginHookor LogoutHookscripts AppendixBSecurityChecklist 401 ActionItem Completed? Notes Enterhelpdeskinformationas theloginmessage Displaytheloginwindowas nameandpasswordtextfields DonotallowRestartorShut Downbuttonstoshowinthe LoginWindow Donotallowpasswordhints Deselect“AutoLoginClient Setting” Deselect“Allowuserstologin using‘console.’” Deselect“EnableFastUser Switching” Deselect“Logoutusersafter #minutesofactivity” MediaAccessPreferencesActionItems Fordetails,see“ManagingMediaAccessPreferences”onpage298. ActionItem Disableunnecessarymedia Deselect“AllowforCDs” Deselect“AllowforCD-ROMs” Deselect“AllowforDVDs” Deselect“AllowforRecordable Disks” Deselect“AllowforInternal Disks” Deselect“AllowforExternal Disks” Select“Ejectallremovable mediaatlogout” 402 AppendixBSecurityChecklist Completed? Notes MobilityPreferencesActionItems Fordetails,see“ManagingMobilityPreferences”onpage299. ActionItem Completed? Notes Disablemobileaccounton insecureorinfrequently accessedcomputers UseFileVaultoneverycomputer withportablehomefolders Deselect“Synchronizeaccount forofflineuse” NetworkPreferencesActionItems Fordetails,see“ManagingNetworkPreferences”onpage301. ActionItem Completed? Notes Useyourorganization-controlled proxyservers Bypasstrustedhostsand domains Deselect“UsePassiveFTPMode (PASV)” PrintingPreferencesActionItems Fordetails,see“ManagingPrintingPreferences”onpage307. ActionItem Completed? Notes Reduceaccesstoprinters Deselect“Allowusertomodify theprinterlist” Deselect“Allowprintersthat connectdirectlytouser’s computer” Ifselecting“Allowprintersthat connectdirectlytouser’s computer”,thenselect“Require anadministratorpassword” Selectaprinterandselect “Requireanadministrator password” AppendixBSecurityChecklist 403 SoftwareUpdatePreferencesActionItems Fordetails,see“ManagingSoftwareUpdatePreferences”onpage308. ActionItem Completed? Notes Designateaninternalserverto controlsoftwareupdates AccesstoSystemPreferencesActionItems Fordetails,see“ManagingAccesstoSystemPreferences”onpage308. ActionItem Completed? Notes Select“Appearance”toappearin theSystemPreferences preferences Select“Dashboard&Exposé”to appearintheSystem Preferencespreferences Select“Displays”toappearinthe SystemPreferencespreferences Select“Dock”toappearinthe SystemPreferencespreferences Select“Keyboard&Mouse”to appearintheSystem Preferencespreferences Select“Security”toappearinthe SystemPreferencespreferences Select“Universal”toappearin theSystemPreferences preferences Disablewidgetsfornetwork managedusers UniversalAccessPreferencesActionItems Fordetails,see“ManagingUniversalAccessPreferences”onpage309. ActionItem Deselect“TurnonZoom” SetStickyKeystoOff Deselect“Showpressedkeyson screen” 404 AppendixBSecurityChecklist Completed? Notes CertificatesActionItems Fordetails,see“ManagingCertificates”onpage163. ActionItem Completed? Notes Obtaincertificatestousewith SSL-enabledservices CreateaCAtoissuecertificates CreateanSSLcertificatefor distribution Createthefilesandfolders neededbySSL Exportcertificatetoclient computers GeneralProtocolsandServiceAccessActionItems Fordetails,see“SettingGeneralProtocolsandAccesstoServices”onpage176. ActionItem Completed? Notes ConfigureNTPtouseaninternal timeserver DisableSNMP EnableSSH Donotuse“server”oryour nametoidentifytheserver Setacorrectdateandtime UseasecureinternalNTPserver forautomaticdateandtime setting UseCertificateManagerto create,use,andmaintain identitiesforSSL-enabled services UseSACLtorestrictaccessto AFP,FTP,andWindowsfile services RemoteAccessServicesActionItems Fordetails,see“SecuringRemoteAccessServices”onpage185. AppendixBSecurityChecklist 405 ActionItem DisablerootloginusingSSH Modifythe/private/etc/ sshd_configfiletofurther secureSSH Generateidentitykeypairsfor loginauthentication ConfigureaccessforusingSSH throughServerAdminusing SACLs UseSFTPinsteadofFTP DisableVPNservices IfusingVPNservices,enable eitherorbothL2TPandPPTP TouseSecurIDauthentication, edittheVPNconfigurationfile manually Configureanaccesswarning banner DisableAppleRemoteDesktop EncryptObserveandControl trafficbysetting“Encryptall networkdata” Encryptnetworkdataduringfile copyandpackageinstallation bysetting“Encrypttransfers whenusingInstallPackages” DisableRemoteAppleEvents 406 AppendixBSecurityChecklist Completed? Notes NetworkandHostAccessServicesActionItems “SecuringNetworkInfrastructureServices”onpage198describesconfiguration informationtosecureyournetworkservices.Severalservicesareprovidedtomaintain yournetwork.Eachservicewithsecurity-relatedconfigurationsettingshasitsown actionitemchecklist. IPv6ProtocolActionItems Fordetails,see“UsingIPv6Protocol”onpage198. ActionItem Completed? Notes EnableIPv6 ConfigureIPv6manuallyor automatically DHCPServiceActionItems Fordetails,see“SecuringDHCPService”onpage200. ActionItem Completed? Notes DisabletheDHCPserviceifnot required IfusingDHCP,disableDNS, LDAP,andWINS AssignstaticIPaddresses DNSServiceActionItems Fordetails,see“SecuringDNSService”onpage202. ActionItem Completed? Notes DisabletheDNSservice Allowonlyonesystemtoactas theDNSserver Allowrecursivequeriesand zonetransfersonlyfromtrusted clients,notfromexternal networks. UpdateandauditDNSregularly SpecifywhichIPaddressesare allowedtorequestzone transfers ConfigureBINDtorespondwith somethingotherthanthe currentversion LimitordisableDNSrecursion AppendixBSecurityChecklist 407 FirewallServiceActionItems Fordetails,see“ConfiguringtheFirewall”onpage213. ActionItem Completed? Notes CreateIPaddressgroups Configurefirewallrulesfor groupsandservices Configureadvancedrulesfor groupsandservices Enablestealthmode Setuplogging NATServiceActionItems Fordetails,see“SecuringNATService”onpage207. ActionItem Completed? Notes DisableNATserviceifnot required ConfigureNATservice Ifnecessary,forwardincoming traffictoanIPaddress BonjourServiceActionItems Fordetails,see“SecuringBonjour(mDNS)”onpage210. ActionItem Completed? Notes DisableBonjourunlessrequired Disableunusedservicesthat shouldnotbediscovered throughBonjour CollaborationServicesActionItems Fordetails,see“SecuringiCalService”onpage222and“SecuringiChatService”on page225. ActionItem DisableiCalservice DisableiChatservice IfusingiChatservice,designate domainnamestouse 408 AppendixBSecurityChecklist Completed? Notes ActionItem Completed? Notes Designateacertificatetouse Monitorcommunicationusing iChatservicelogs MailServiceActionItems Fordetails,see“SecuringMailService”onpage233. ActionItem Completed? Notes Turnoffsupportforanyprotocol thatisnotrequired Usedifferentsystemsfor providingoutgoingand incomingmailservice EnableSSLforthemailserver Createandinstallasignedmail certificateforoutgoingand incomingmailserviceprotocols Usethe“require”settinginthe SSLsupportoptions (recommended) ConfigureSMTPauthentication requirementstoreducejunk mail Createalistofapprovedhost serverstorelaymail Enablejunkmailfiltering Enablevirusfiltering Updatethevirusdatabaseat leasttwiceaday Setupaproblemreportaccount DisabletheSMTPbanner AppendixBSecurityChecklist 409 FileServicesActionItems “SecuringFileServicesandSharepoints”onpage254describesconfiguringfilesharing services.Eachtypeoffilesharingservicewithsecurity-relatedconfigurationsettings hasitsownactionitemchecklist. ActionItem Completed? Notes Disablefilesharingservicesif notrequired Useasfewprotocolsaspossible UseAFP DisableFTP DisableNFS DisableSMB AFPFileSharingServiceActionItems Fordetails,see“ConfiguringAFPFileSharingService”onpage258. ActionItem Completed? Notes DisableBonjourregistration DisablebrowsingwithAppleTalk DisableGuestaccess Disableadministratorto masqueradeasanotheruser Enter“1”forGuestConnections Enableaccesslog Setfrequencyofarchiving Implementsettingsforidleuser FTPFileSharingServiceActionItems Fordetails,see“ConfiguringFTPFileSharingService”onpage259. ActionItem Ifauthenticationispossible,use SFTPinsteadofFTP Disconnectclientafter1login failure Enteramailaddresssetupto handleFTPadministration SelectKerberosforaccess authentication Allowamaximumof1 authenticateduser 410 AppendixBSecurityChecklist Completed? Notes ActionItem Completed? Notes Enableanonymousaccessand designatethenumberof anonymoususers DisableMacBinaryanddisk imageautoconversion Enable“ShowWelcome Message” Enable“ShowBannerMessage” Logallloginattempts Set“Authenticateduserssee:”to FTProotandSharePoints Designatefilestosharewith anonymoususers Configurethe/Library/ FTPServer/Configuration/ ftpaccess NFSFileSharingServiceActionItems Fordetails,see“ConfiguringNFSFileSharingService”onpage262. ActionItem Completed? Notes UseNFSonlyonasecureLANor whenAppleandWindowsfile sharingsystemsareunavailable RestrictanNFSsharepointto thosesystemsthatrequireit Makethelistofexportoptions asrestrictiveaspossible SMBActionItems Fordetails,see“ConfiguringSMBFileSharingService”onpage263. ActionItem Completed? Notes Donotallowguestaccess Enterthemaximumnumberof clientsconnectionsexpected Set“LogDetail”toatleast medium DeselectWorkgroupMaster BrowserandDomainMaster Browserservices TurnoffWINSregistration AppendixBSecurityChecklist 411 WebServiceActionItems Fordetails,see“SecuringWebService”onpage271. ActionItem Completed? Notes Disablewebserviceifnot required Disablewebmodulesifnot required Disableweboptionsifnot required Createorobtainsigned certificatesforeachdomain name EnableSSLforwebservice IfWebDAVisenabled,assign accessprivilegesforthesites andwebfolders Donotallowwebcontentfiles andfolderstobewritableby world Configurearealmtoallowuser accesstowebsites Allowuserstoaccessblogs throughanSSLenabledsite ClientConfigurationManagementServicesActionItems Fordetails,see“SecuringClientConfigurationManagementServices”onpage284. ActionItem Completed? Notes DisableNetBootandNetBoot diskimages UseServerAdmintoview NetBootclientsandthestatusof NetBootservice DirectoryServicesActionItems Fordetails,see“SecuringDirectoryServices”onpage324. ActionItem ConfigureOpenDirectoryroles ConfigureKerberos 412 AppendixBSecurityChecklist Completed? Notes ActionItem Completed? Notes Setaserveroutsideofdirectory domainsasStandaloneServer EnableSSL Setglobalpasswordpolicies Setbindingpolicies SetsecuritypoliciesforOpen Directory PrintServiceActionItems Fordetails,see“SecuringPrintService”onpage337. ActionItem Completed? Notes UseServerAdmintomanage printqueuesandconfigure settings SpecifyadefaultLPRqueue MultimediaServicesActionItems Fordetails,see“SecuringMultimediaServices”onpage344. ActionItem Completed? Notes UserServerAdmintoconfigure QTSS Usesecuredigestauthentication toconfigureclientaccessto streamedmediafiles GridandClusterComputingServicesActionItems Fordetails,see“SecuringGridandClusterComputingServices”onpage354. ActionItem Completed? Notes Ifpossible,useasinglesign-on password Alwaysrequireauthentication EnableXgridagentservice SetapasswordforXgrid EnableXgridcontrollerservice SetapasswordforXgrid controller AppendixBSecurityChecklist 413 ActionItem Completed? Notes Setapasswordfortheserver actingasagridagent Setapasswordforagentstojoin agridandclientstosubmitjobs ValidatingSystemIntegrityActionItems Fordetails,see“MaintainingSystemIntegrity”onpage368. ActionItem Installandenableauditingtools Configureauditsettings Configurelogfiles Configurelocalsystemusing syslog.conf Enableremotesystemlogging Installfileintegritytools Installantivirustools 414 AppendixBSecurityChecklist Completed? Notes Scripts C Appendix C # --------------------------------------------------------------------# Securing Firewall Service # --------------------------------------------------------------------# # Add Firewall to the services view # --------------------------------sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.ipfilter:configured = yes # Start Firewall service # ---------------------sudo serveradmin start ipfilter # # # # # # # # # # Updating from an Internal Software Update Server -----------------------------------------------Default Settings. blank Software updates are downloaded from one of the following software update servers hosted by Apple. swscan.apple.com:80 swquery.apple.com:80 swcdn.apple.com:80 # Suggested Settings. # Specify the software update server to use. sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index-leopard-snowleopard.merged1.sucatalog # Available Settings. # Replace swupdate.apple.com with the fully qualified domain name (FQDN) # or IP address of your software update server. # To switch your computer back to the default Apple update server. # sudo defaults delete com.apple.SoftwareUpdate CatalogURL # Updating from Internet Software Update Server # ----------------------------------- 415 # # # # # Default Settings. The softwareupdate command checks and lists available updates for download. Software Update preferences are set to the command-line equivalent of. sudo softwareupdate --list --schedule on # Suggested Settings. # Download and install software updates: sudo softwareupdate --download --all --install # # # # # Available Settings. Use the following commands to view softwareupdate options. sudo softwareupdate -h or man softwareupdate # # # # Updating Manually from Installer Packages ----------------------------------Default Settings. None # Suggested Settings. # Download software updates. sudo softwareupdate --download --all # Install software updates. sudo installer -pkg $Package_Path -target /Volumes/$Target_Volume # # # # # Available Settings. Use the following commands to view installer options. sudo installer -h or man installer # # # # Verifying the Integrity of Software ----------------------------------Default Settings. None # Suggested Settings. # Use the sha1 command to display a file's SHA-1 digest. # Replace $full_path_filename with the full path filename of the update # package or image that SHA-1 digest is being checked for. sudo /usr/bin/openssl sha1 $full_path_filename # # # # # # 416 Available Settings. Use the following command to view the version of OpenSSl installed on your computer. sudo openssl version Use the following command to view openssl options. man openssl AppendixCScripts # ------------------------------------------------------------------# Protecting System Hardware # ------------------------------------------------------------------# Securing Wi-Fi Hardware # ----------------------# Remove AppleAirport kernel extensions. sudo srm -r /System/Library/Extensions/IO80211Family.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # # # # Removing BlueTooth Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove Bluetooth kernel extensions. # Remove Bluetooth kernel extensions. sudo srm -r /System/Library/Extensions/IOBluetoothFamily.kext sudo srm -r /System/Library/Extensions/IOBluetoothHIDDriver.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None # # # # Removing IR Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove IR kernel extensions. sudo srm -rf /System/Library/Extensions/AppleIRController.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None # # # # Securing Audio Support Software ----------------------------Default setting: kext files are installed and loaded. # Suggested Setting. # Remove Audio Recording kernel extensions. sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kext AppendixCScripts 417 sudo srm -rf /System/Library/Extensions/IOAudioFamily.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None # # # # Securing Video Recording Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove Video Recording kernel extensions. # Remove external iSight camera. sudo srm -rf /System/Library/Extensions/Apple_iSight.kext # Remove internal iSight camera. sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/\ AppleUSBVideoSupport.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None # # # # # Securing USB Support Software ----------------------------Remove USB kernel extensions. Default setting. kext files are installed and loaded. # Suggested Setting: sudo srm -rf /System/Library/Extensions/IOUSBMassStorageClass.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions # Available Settings. # None # # # # Securing FireWire Support Software ----------------------------Default setting. kext files are installed and loaded. # Suggested Setting. # Remove FireWire kernel extensions. sudo srm -rf /System/Library/Extensions/\ IOFireWireSerialBusProtocolTransport.kext # Remove Extensions cache files. sudo touch /System/Library/Extensions 418 AppendixCScripts # Available Settings. # None # # # # # # Securing Global System Settings ------------------------------------------------------------------------Configuring Firmware Settings ---------------------------------Default Setting. security-mode is off # Suggested Setting. # Secure startup by setting security-mode. Replace $mode-value with # "command" or "full." sudo nvram security-mode="$mode-value" # Verify security-mode setting. sudo nvram -x -p # # # # # # # # # # Available Settings. security-mode. "command" "full" Use the following command to view the current nvram settings. nvram -x -p Use the following commands to view nvram options. nvram -h or man nvram # Enabling Access Warning for the Login Window # ---------------------------------# Create a login window access warning. sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText “Warning Text” # You can also used the BannerSample project to create an access warning. # Enabling Access Warning for the Command Line # ---------------------------------# Create a command-line access warning. sudo touch /etc/motd sudo chmod 644 /etc/motd sudo echo "Warning Text" >> /etc/motd # # # # # # # # # ------------------------------------------------------------------Securing System Preferences ------------------------------------------------------------------Securing MobileMe Preferences ------------------------Default Setting. If a MobileMe account is entered during setup, MobileMe is configured for that account. Use the following command to display current MobileMe settings. AppendixCScripts 419 # defaults -currentHost read com.apple.<Preferenceidentifier> # Use the following command to view all current settings for currenHost. # defaults -currentHost read # Suggested Setting. #Disable Sync options. sudo defaults -currentHost write com.apple.DotMacSync ShouldSyncWithServer 1 # Disable iDisk Syncing. sudo defaults -currentHost write com.apple.idisk $USER_MirrorEnabled -bool no # Available Settings. # None # Securing Accounts Preferences # ----------------------------# Change an account's password on a client system. # Don't use this command if other users are also logged in. sudo dscl /LDAPv3/127.0.0.1 passwd /Users/$User_name $Oldpass $Newpass # Change an account's password on a server. # Don't use this command if other users are also logged in. sudo dscl . passwd /Users/$User_name $Oldpass $Newpass # Make sure there is no password hint set. sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0 # Disable Show the Restart, Sleep, and ShutDown Buttons. sudo defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisable -bool yes # Disable fast user switching. This command does not prevent multiple users # from being logged in. sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO # Disable Automatic login. sudo defaults write /Library/Preferences/.GlobalPreferences\ com.apple.userspref.DisableAutoLogin -bool yes # # # # Securing Appearance Preferences ----------------------------Default Setting. MaxAmount 10 # Suggested Setting. # Disable display of recent applications. sudo defaults write com.apple.recentitems Applications -dict MaxAmount 0 # Available Settings. # MaxAmount 0,5,10,15,20,30,50 420 AppendixCScripts # # # # Securing Bluetooth Preferences ----------------------------Default Setting. Turn Bluetooth on. # Suggested Setting. # Turn Bluetooth off. sudo defaults write /Library/Preferences/com.apple.Bluetooth\ ControllerPowerState -int 0 # Available Settings. # 0 (OFF) or 1 (On) # # # # # # # # # Securing CDs & DVDs Preferences ----------------------------Default Setting. Preference file non existent: /Library/Preferences/com.apple.digihub Blank CD: "Ask what to do" Blank DVD: "Ask what to do" Music CD: "Open iTunes" Picture CD: "Open iPhoto" Video DVD: "Open DVD Player" # Suggested Setting. # Disable blank CD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1 # Disable music CD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1 # Disable picture CD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1 # Disable blank DVD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1 # Disable video DVD automatic action. sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1 # # # # # # # # # # Available Settings. action 1 = "Ignore" action 2 = "Ask what to do" action 5 = "Open other application" action 6 = "Run script” action 100 = "Open Finder" action 101 = "Open itunes" action 102 = "Open Disk Utility" action 105 = "Open DVD Player" action 106 = "Open iDVD" AppendixCScripts 421 # action 107 = "Open iPhoto" # action 109 = "Open Front Row" # # # # # Securing Date & Time Preferences ----------------------------Default Setting. NTP Server: time.apple.com Time Zone: Set time zone automatically using current location # Suggested Setting. # Set the NTP server. sudo cat >> /etc/ntp.conf << END server time.apple.com END # Set the date and time. sudo systemsetup -settimezone $Time_Zone # Available Settings. # NTP Server: Any valid NTP server # Time Zone: /usr/share/zoneinfo # # # # Securing Desktop & Screen Saver Preferences ----------------------------Default Setting. None # Suggested Setting. # Set idle time for screen saver. Replace XX with the idle time in seconds. sudo defaults -currentHost write com.apple.screensaver idleTime -int XX # Set host corner to activate screen saver. sudo defaults write /Library/Preferences/com.apple.dock.wvous-corner_codecorner -int 5 # Set modifier key to 0 wvous-corner_code-modifier sudo defaults write /Library/Preferences/com.apple.dock.wvous-corner_codemodifier -int 0 # # # # # # Available Settings. Corner options. wvous-bl-corner (bottom-left) wvous-br-corner(bottom-right) wvous-tl-corner (top-left) wvous-tr-corner (top-right) # # # # Securing Dock Preferences ----------------------------Default Setting. None # Suggested Setting. # Automatically hide and show Dock. sudo defaults write /Library/Preferences/com.apple.dock autohide -bool YES # Available Settings. 422 AppendixCScripts # autohide -bool YES # autohide -bool NO # # # # Securing Energy Saver Preferences ----------------------------Default Setting. None # Suggested Setting. # Disable computer sleep. sudo pmset -a sleep 0 # Enable hard disk sleep. sudo pmset -a disksleep 1 # Disable Wake for Ethernet network administrator access. sudo pmset -a womp 0 # Disable Restart automatically after power failure. sudo pmset -a autorestart 0 # Available Settings. # 0 (OFF) or 1 (ON) # # # # Securing Exposé & Spaces Preferences ----------------------------Default Setting. Enabled # Suggested Setting. # Disable dashboard. sudo launchctl unload -w /System/Library/LaunchDaemons/ com.apple.dashboard.advisory.fetch.plist # Available Settings. # Enabled or Disabled # # # # Bluetooth Sharing ----------------------------Default Setting. Bluetooth Sharing: Disabled # Suggested Setting. # Disable Bluetooth Sharing. sudo defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0 # # # # Available Settings. Bluetooth Sharing. Disabled Enabled # Securing Network Preferences # ----------------------------- AppendixCScripts 423 # Default Setting. # Enabled # Suggested Setting. # Disable IPv6. sudo networksetup -setv6off $interface # Available Settings. # The interface value can be AirPort, Bluetooth, Ethernet, or FireWire # # # # Securing Print & Fax Preferences ----------------------------Default Setting. Disabled # Suggested Setting. # Disable the receiving of faxes. sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.efax.plist # Disable printer sharing. sudo cp /etc/cups/cupsd.conf $TEMP_FILE if /usr/bin/grep "Port 631" /etc/cups/cupsd.conf then sudo /usr/bin/sed "/^Port 631.*/s//Listen localhost:631/g" $TEMP_FILE > \ /etc/cups/cupsd.conf else echo "Printer Sharing not on" fi # Available Settings. # Enabled or Disabled # # # # # # # # # # Securing Security Preferences ----------------------------Default Setting. Required Password Wake: Disabled Automatic Login: Disabled Password Unlock Preferences: Enabled Secure Virtual Memory is Enabled on Portable computer and is Disabled on Desktop computers. IR remote control: Enabled FileVault: Disabled # Suggested Setting. # Enable Require password to wake this computer from sleep or screen saver. sudo defaults -currentHost write com.apple.screensaver askForPassword -int 1 # Disable IR remote control. sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no # Enable FileVault. # To enable FileVault for new users, use this command. sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/\ 424 AppendixCScripts createmobileaccount # Enable Firewall. # Replace value with # 0 = off # 1 = on for specific services # 2 = on for essential services sudo defaults write /Library/Preferences/com.apple.alf globalstate -int value # # # # Securing Sharing Preferences ----------------------------Default Setting. $host_name = User's Computer # Suggested Setting. # Change computer name where $host_name is the name of the computer. sudo systemsetup -setcomputername $host_name # Change computer Bonjour host name. sudo scutil --set LocalHostName $host_name # Available Setting. # The host name cannot contain spaces or other non-DNS characters. # # # # # Securing Software Updates Preferences ----------------------------Default Setting. Check for Updates: Enabled Check Updates: Weekly # Suggested Setting. # Disable check for updates and Download important updates automatically. sudo softwareupdate --schedule off # Available Setting. # Check for Updates: Enabled or Disabled # Check Updates: Daily, Weekly, Monthly # # # # Securing Sound Preferences ----------------------------Default Setting. Internal microphone or line in: Enabled # Suggested Setting. # Disable internal microphone or line in. # This command does not change the input volume for input devices. It # only sets the default input device volume to zero. sudo osascript -e “set volume input volume 0” # Available Setting. # Internal microphone or line in: AppendixCScripts Enabled or Disabled 425 # # # # # Securing Speech Preferences ----------------------------Default Setting. Speech Recognition: Disabled Text to Speech: Enabled # Suggested Setting. # Disable Speech Recognition. sudo defaults write "com.apple.speech.recognition.AppleSpeechRecognition.prefs" StartSpeakableItems -bool false # Disable Text to Speech settings. sudo defaults write "com.apple.speech.synthesis.general.prefs" TalkingAlertsSpeakTextFlag -bool false sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenNotificationAppActivationFlag -bool false sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenUIUseSpeakingHotKeyFlag -bool false sudo defaults delete "com.apple.speech.synthesis.general.prefs" TimeAnnouncementPrefs # # # # Available Setting. Each item can be set to ON or OFF. OFF: -bool false ON: -bool true # # # # Securing Spotlight Preferences ----------------------------Default Setting. ON for all volumes # Suggested Setting. # Disable Spotlight for a volume and erase its current meta data, where # $volumename is the name of the volume. sudo mdutil -E -i off $volumename # Available Setting. # Spotlight can be turned ON or OFF for each volume. # # # # Securing Startup Disk Preferences ----------------------------Default Setting. Startup Disk = “Macintosh HD” # Suggested Setting. # Set startup disk. sudo systemsetup -setstartupdisk $path # Available Setting. # Startup Disk = Valid Boot Volume 426 AppendixCScripts # # # # Securing Time Machine Preferences ----------------------------Default Setting. OFF # Suggested Setting. # Enable Time Machine. sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1 # Available Setting. # 0 (OFF) or 1 (ON) # # # # Securing Universal Access Preferences ----------------------------Default Setting. OFF # Suggested Setting. # Disable VoiceOver service. launchctl unload -w /System/Library/LaunchAgents/com.apple.VoiceOver.plist launchctl unload -w /System/Library/LaunchAgents/\ com.apple.ScreenReaderUIServer.plist launchctl unload -w /System/Library/LaunchAgents/com.apple.scrod.plist # Available Setting. # None # # Securing System Swap and Hibernation Storage # ----------------------------# Enable secure virtual memory. sudo defaults write /Library/Preferences/com.apple.virtualMemory \ UseEncryptedSwap -bool YES # Restart to take effect. # sudo shutdown -r now # ------------------------------------------------------------------# Using Disk Utility to Securely Erase Free Space # ------------------------------------------------------------------# Overwrite a device with zeroes. sudo diskutil zeroDisk /dev/device # Secure erase (7-pass) free space on a volume. sudo diskutil secureErase freespace 2 /dev/device # Secure erase (7-pass) a volume. sudo diskutil secureErase 2 /dev/device # ------------------------------------------------------------------# Adding the security tool edit trust settings AppendixCScripts 427 # ------------------------------------------------------------------# Where <certificate> is the local file path to the certificate. # sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/ System.keychain <certificate> # --------------------------------------------------------------------# Setting General Protocols # --------------------------------------------------------------------# # Disable NTP Client access. # ----------sudo systemsetup -setusingnetworktime off # # Disable NTP service. #-----------sudo serveradmin settings info:ntpTimeServe = no # # Disable SNMP. # -----------sudo serveradmin settings info:enableSNMP = no # or alternatively. #sudo service org.net-snmp.snmpd stop # # Enable SSH. # ---------sudo service ssh start # or alternatively. # sudo serveradmin settings info:enableSSH = yes # # Remote Management (ARD) # ----------------------------# Limiting Remote Management Access # Repeat for each specified user. sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -activate -configure -access -on -users $ARD_USERNAME -privs <none|all|ControlObserve|DeleteFiles|ControlObserve|TextMessages|ShowOb serve|OpenQuitApps|GenerateReports|RestartShutDown|SendFiles|ChangeSett ings|ObserveOnly> -restart # Specify the user sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -allowAccessFor -specifiedUsers $ARD_USERNAME 428 AppendixCScripts # ## Disable Remote Management # --------------------------# To remove user access: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -activate -configure -access -off # To stop the ARD agent: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/ Resources/kickstart -agent -stop # To disable the service: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/\ Resources/kickstart -deactivate -stop #or alternatively. # sudo serveradmin settings info:enableARD = no # # Remote Apple Events (RAE) # ----------------------------# Disable Remote Apple Events. sudo launchctl unload -w /System/Library/LaunchDaemons/eppc.plist # Set SACL permissions for a service. # ---------------------------------sudo dseditgroup -o edit -a $USER -t user $SACL_GROUP # --------------------------------------------------------------------# Enabling IPv6 # --------------------------------------------------------------------# Enable IPv6. # ------------------------------sudo networksetup -setv6on [networkservice] # --------------------------------------------------------------------# Securing DHCP Service # --------------------------------------------------------------------# Disable DHCP Service # -------------------sudo serveradmin stop dhcp # Configuring DHCP Services # ------------------------# Set a DHCP subnet's DNS, LDAP, and WINS parameters to no value sudo serveradmin set dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_domain_name_serve r:_array_index:0 = "" AppendixCScripts 429 sudo serveradmin set dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_ldap_url:_array_i ndex:0 = -empty_array sudo serveradmin set dhcp:configuation:subnets:_array_id:$SUBNET_GUID:WINS_node_type =" NOT SET" # Set a DHCP client's static IP address # ------------------------------------# Each computer needs its own GUID within the static map array. # Increment the array index value for network interfaces # for a single computer. serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:ip_address:_array_in dex:0 = $ASSIGNED_IP_ADDRESS serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:en_address:_array_in dex:0 = $COMPUTER_MAC_ADDRESS serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:name = $COMPUTER_NAME # --------------------------------------------------------------------# Securing DNS Service # --------------------------------------------------------------------# Disable DNS Service. # ------------------sudo serveradmin stop dns # --------------------------------------------------------------------# Securing NAT Service # --------------------------------------------------------------------# Disable NAT service. # ------------------sudo serveradmin stop nat # # # # # Block Bonjour listening. ------------------------Default Setting. Bonjour is enabled Firewall is disabled # Suggested Setting. # Add the following line to /etc/ipfw.conf. add 00001 deny udp from any to me dst-port 5353 # Reload the firewall rules. sudo /sbin/ipfw flush sudo /sbin/ipfw /etc/ipfw.conf # --------------------------------------------------------------------# Securing Firewall Service 430 AppendixCScripts # --------------------------------------------------------------------# Start firewall service. # ---------------------sudo serveradmin start ipfilter # Enable stealth mode. # ------------------sudo serveradmin settings ipfilter:blackHoleTCP = true sudo serveradmin settings ipfilter:blackHoleUDP = true # View the firewall service log. # ----------------------------sudo tail /var/log/ipfw.log # --------------------------------------------------------------------# Securing Collaboration Services # --------------------------------------------------------------------# --------------------------------------------------------------------# Securing iCal service # --------------------------------------------------------------------# Disable iCal service. # ------------------------------sudo serveradmin stop calendar # Choose an authentication method for iCal service. # -----------------------------------------------# To enable all auth methods: sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes" sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes" sudo serveradmin stop calendar; sudo serveradmin start calendar # To sudo sudo sudo choose Digest auth only: serveradmin settings calendar:Authentication:Kerberos:Enabled = "no" serveradmin settings calendar:Authentication:Digest:Enabled = "yes" serveradmin stop calendar; sudo serveradmin start calendar # For Kerberos only: sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes" sudo serveradmin settings calendar:Authentication:Digest:Enabled = "no" sudo serveradmin stop calendar; sudo serveradmin start calendar # Enable secure network traffic using SSL transport. # -------------------------------------------------sudo serveradmin settings calendar:SSLPort = 8443 # View the iCal service log # -------------------------sudo tail /var/log/caldavd/access.log AppendixCScripts 431 # Disable iChat service. # -------------------------sudo serveradmin stop jabber # Securely configure iChat service. # To select an iChat server certificate: sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/ Default.crtkey" # (Or replace the path with the full path to the certificate that you want # to select.) # Restart the service if it is running: sudo serveradmin stop jabber; sudo serveradmin start jabber # To sudo sudo sudo select an iChat server auth method use one of the following: serveradmin settings jabber:authLevel = "ANYMETHOD" serveradmin settings jabber:authLevel = "KERBEROS" serveradmin settings jabber:authLevel = "STANDARD" # Then restart the service: sudo serveradmin stop jabber sudo serveradmin start jabber # # Select a certificate. # -------------------sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/ Default.crtkey" # View the iChat service log. # -------------------------sudo tail /var/log/server.log | grep jabberd # --------------------------------------------------------------------# Securing Wiki Service # --------------------------------------------------------------------# Disable Wiki service. # ------------------sudo serveradmin stop teams # # View the wiki service log. # -------------------------sudo tail /Library/Logs/wikid/access.log # --------------------------------------------------------------------# Securing Podcast Producer Service # --------------------------------------------------------------------- 432 AppendixCScripts # Disable Podcast Producer service. # -------------------------------sudo serveradmin stop pcast # # View the Podcast Producer service log. # ------------------------------------sudo tail /Library/Logs/pcastserverd/pcastserverd_out.log # --------------------------------------------------------------------# Securing Mail Service # --------------------------------------------------------------------# Disable mail service protocols sudo serveradmin settings mail:imap:enable_pop = no sudo serveradmin settings mail:imap:enable_imap = no sudo serveradmin settings mail:postfix:enable_smtp = no # Set the POP authentication method: sudo serveradmin settings mail:imap:pop_auth_apop = no sudo serveradmin settings mail:imap:pop_auth_clear = no sudo serveradmin settings mail:imap:pop_auth_gssapi = no # Set SSL transport for POP connections: sudo serveradmin settings mail:imap:tls_server_options = "use" # Set secure IMAP authentication: sudo serveradmin settings mail:imap:imap_auth_login = no sudo serveradmin settings mail:imap:imap_auth_plain = no sudo serveradmin settings mail:imap:imap_auth_gssapi = no sudo serveradmin settings mail:imap:imap_auth_clear = no sudo serveradmin settings mail:imap:imap_auth_cram_md5 = no # Configure SSL transport for IMAP connections (same as POP) sudo serveradmin settings mail:imap:tls_server_options = "use" # Allow secure SMTP authentication: sudo serveradmin settings mail:postfix:smtpd_sasl_auth_enable = yes sudo serveradmin settings mail:postfix:smtpd_use_pw_server = "yes" sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:0 = sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:1 = md5" sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "gssapi" "cram- "login" "plain" # Configure SSL transport for SMTP connections: sudo serveradmin settings mail:postfix:smtpd_use_tls = "yes" AppendixCScripts 433 # Enable a user's mail access using ACLs sudo dseditgroup -o edit -a $USER -t user com.apple.access_mail # Restrict SMTP relay: sudo serveradmin settings mail:postfix:mynetworks_enabled = yes # Reject unauthorized SMTP connections: sudo serveradmin settings mail:postfix:smtp_reject_list_enabled = yes sudo serveradmin settings mail:postfix:smtp_reject_list:_array_index:0 = "$NETWORK" # Reject mail from blacklisted senders: sudo serveradmin settings mail:postfix:black_hole_domains:_array_index:0 = "$BLACKLIST_SERVER" sudo serveradmin settings mail:postfix:maps_rbl_domains_enabled = yes # Enable junk mail screening: sudo serveradmin settings mail:postfix:spam_scan_enabled = yes # Train the filter: sudo sa-learn --showdots --spam $JUNK_DIRECTORY/* sudo sa-learn --showdots --ham $NON_JUNK_DIRECTORY/* # Automatically train the junk mail filter: sudo /etc/mail/spamassassin/learn_junk_mail # Allow mail by language and locale: sudo serveradmin settings mail:postfix:spam_ok_languages = "en fr de" sudo serveradmin settings mail:postfix:spam_ok_locales = "en" # Enable virus screening: sudo serveradmin settings mail:postfix:virus_scan_enabled = yes # View a mail service log: sudo tail /var/log/mail.log # --------------------------------------------------------------------# Securing Antivirus Services # --------------------------------------------------------------------# Enable virus screening sudo serveradmin settings mail:postfix:virus_scan_enabled = yes # View a virus log: sudo tail /var/log/amavisd.log # --------------------------------------------------------------------# Securing File Services # --------------------------------------------------------------------- 434 AppendixCScripts # Disable file sharing services. sudo serveradmin stop afp sudo serveradmin stop smb sudo serveradmin stop ftp sudo serveradmin stop nfs # Securely configure AFP service: sudo serveradmin settings afp:registerNSL = no sudo serveradmin settings afp:attemptAdminAuth = no sudo serveradmin settings afp:clientSleepOnOff = no sudo serveradmin settings afp:idleDisconnectOnOff = yes sudo serveradmin settings afp:authenticationMode = "kerberos" sudo serveradmin settings afp:activityLog = yes sudo serveradmin settings afp:guestAccess = no # Configure FTP to provide anonymous FTP downloads: sudo serveradmin settings ftp:logSecurity:anonymous = yes sudo serveradmin settings ftp:logSecurity:guest = yes sudo serveradmin settings ftp:logSecurity:real = yes sudo serveradmin settings ftp:maxRealUsers = 1 sudo serveradmin settings ftp:enableMacBinAndDmgAutoConversion = no sudo serveradmin settings ftp:authLevel = "KERBEROS" sudo serveradmin settings ftp:anonymousAccessPermitted = yes sudo serveradmin settings ftp:bannerMessage = "$BANNER" sudo serveradmin settings ftp:maxAnonymousUsers = 500 sudo serveradmin settings ftp:administratorEmailAddress = "[email protected]" sudo serveradmin settings ftp:logCommands:anonymous = yes sudo serveradmin settings ftp:logCommands:guest = yes sudo serveradmin settings ftp:logCommands:real = yes sudo serveradmin settings ftp:loginFailuresPermitted = 1 sudo serveradmin settings ftp:welcomeMessage = "$WELCOME" # Securely configure Windows file sharing service sudo serveradmin settings smb:wins support = no sudo serveradmin settings smb:domain master = no sudo serveradmin settings smb:map to guest = "Never" sudo serveradmin settings smb:auth methods = "odsam" sudo serveradmin settings smb:ntlm auth = "no" sudo serveradmin settings smb:max smbd processes = 1000 sudo serveradmin settings smb:log level = 1 sudo serveradmin settings smb:preferred master = no sudo serveradmin settings smb:os level = 65 # --------------------------------------------------------------------# Securing Web Service # --------------------------------------------------------------------# Disable web service: sudo serveradmin stop web # Disable web options: AppendixCScripts 435 sudo serveradmin settings web:Modules:_array_id:authz_host_module:enabled = no sudo serveradmin settings web:Modules:_array_id:dav_module:enabled = no sudo serveradmin settings web:Modules:_array_id:dav_fs_module:enabled = no sudo serveradmin settings web:Modules:_array_id:apple_spotlight_module:enabled = no sudo serveradmin settings web:Sites:_array_id:$SITE:SpotlightIndexing = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:AllowOverride = "None" sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:IfModule:_array_id:mod_dav.c:DAV = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:Options:Includes = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:Options:ExecCGI = no sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/ Library/WebServer/Documents:Options:Indexes = no sudo serveradmin settings web:Sites:_array_id:default_default:SpotlightIndexing = no # # Configure Apache to prompt you for a passphrase when it starts. #--------------------------------sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSL PassPhraseDialog=builtin # # View logs. #----------sudo tail /var/log/apache2/access_log # # Disable blog service. #--------------------sudo serveradmin settings web:Sites:_array_id:$SITE:weblog = no # --------------------------------------------------------------------# Securing Tomcat # --------------------------------------------------------------------# Stop Tomcat using Server Admin: sudo /Library/Tomcat/bin/startup.sh stop # --------------------------------------------------------------------# Securing MySQL # --------------------------------------------------------------------# Turn MySQL service off sudo serveradmin stop mysql # 436 AppendixCScripts # Configure MySQL service settings. #--------------------------------sudo serveradmin settings mysql:allowNetwork = no # # View MySQL service logs. # -----------------------sudo tail /Library/Logs/MySQL.log # # # # # Securing Client Configuration Management Services ================================================= If the intended target is a client system, the target for the dscl commands should be "/LDAPv3/127.0.0.1". If the management target is the server itself, the target should be ".". # Disable Front Row: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.frontrow PreventActivation always -bool 1 # Setting up a list of accessible applications # -------------------------------------------# Allow access to applications stored on the user's local hard disk: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess OpenItemsInternalDrive always -bool 1 # Allow helper applications: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess ApprovedAppLaunchesOthers always -bool 1 # Allow UNIX tools: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess AllowUnbundledApps always -bool 1 # Managing Dock Preferences # ------------------------# Set Dock hiding sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohideimmutable always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide always -bool 1 # Managing Finder Preferences # --------------------------# Manage Finder preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder AppleShowAllExtensions-immutable always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitBurn always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitConnectTo always -bool 1 AppendixCScripts 437 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitEject always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitGoToFolder always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ProhibitGoToiDisk always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ShowHardDrivesOnDesktop-immutable always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ShowMountedServersOnDesktop-immutable always -bool sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER ShowRemovableMediaOnDesktop-immutable always -bool sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER AppleShowAllExtensions always -bool 1 com.apple.finder com.apple.finder com.apple.finder com.apple.finder com.apple.finder 1 com.apple.finder 1 .GlobalPreferences # Managing Login Preferences # -------------------------# Manage login preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow LoginwindowText always -string "$LOGIN_WINDOW_MESSAGE" sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow mcx_UseLoginWindowText always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow RestartDisabled always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow ShutDownDisabled always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow SHOWFULLNAME always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow DisableConsoleAccess always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences MultipleSessionEnabled always -bool 0 # Managing Network Preferences # ---------------------------# Manage network preferences: sudo networksetup -setwebproxystate Ethernet on sudo networksetup -setwebproxy Ethernet "http://$SERVER" 8008 sudo networksetup -setpassiveftp Ethernet on # Managing Parental Control Preferences # ------------------------------------# Hide profanity: sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.Dictionary parentalControl always -bool 1 # Managing Printing Preferences # ----------------------------# Manage printing preferences: 438 AppendixCScripts sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting RequireAdminToAddPrinters always -bool 1 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting AllowLocalPrinters always -bool 0 # Managing Software Update Preferences # -----------------------------------# Manage Software Update preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.SoftwareUpdate CatalogURL always -string "http:/$SERVER:8088/ index.sucatalog" # Managing Universal Access Preferences # ------------------------------------# Manage Universal Access preferences: sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKey always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyBeepOnModifier always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyShowWindow always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewDriver always -bool 0 sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewShowPreview always -bool 0 # --------------------------------------------------------------------# Securing NetBoot Service # --------------------------------------------------------------------# # Disable NetBoot. sudo serveradmin stop netboot # # Securely configure NetBoot. # # View NetBoot service logs. sudo tail /var/log/system.log | grep bootpd # --------------------------------------------------------------------# Securing Software Update Service # --------------------------------------------------------------------# Disable Software Update: sudo serveradmin stop swupdate # # Specify which client can access software updates. # ---------------------------------sudo serveradmin settings swupdate:autoEnable = no AppendixCScripts 439 # # View Software Update service logs. # ---------------------------------sudo tail /var/log/swupd/swupd_* # --------------------------------------------------------------------# Securing Directory Services # --------------------------------------------------------------------# Configure the Open Directory role: sudo slapconfig -createldapmasterandadmin $ADMIN $ADMIN_FULL_NAME $ADMIN_UID $SEARCH_BASE $REALM # Start Kerberos manually on an Open Directory master: sudo kdcsetup -a $ADMIN $REALM # # Change the global password policy of user accounts in the same domain. # ---------------------------------sudo pwpolicy -a $ADMIN_USER -setglobalpolicy "usingHistory=3 requiresAlpha requiresNumeric maxMinutesUnilChangePassword=131487 minChars=12 maxFailedLoginAttempts=3" # # Set the binding policy for an Open Directory master. # --------------------------------sudo slapconfig -setmacosxodpolicy -binding required # # Set the security policy for an Open Directory master. # ---------------------------------------sudo slapconfig -setmacosxodpolicy -cleartext blocked -encrypt yes -sign yes -man-in-the-middle blocked -clientcaching no # --------------------------------------------------------------------# Securing RADIUS Service # --------------------------------------------------------------------# Disable RADIUS sudo serveradmin stop radiusc # Use a custom certificate: sudo serveradmin settings radius:eap.conf:CA_file = "/etc/certificates/ $CA_CRT" sudo serveradmin settings radius:eap.conf:private_key_file = "/etc/ certificates/$KEY" sudo serveradmin settings radius:eap.conf:private_key_password = "$PASS" sudo serveradmin settings radius:eap.conf:certificate_file = "/etc/ certificates/$CERT" 440 AppendixCScripts # # Edit RADIUS access. # ------------------sudo dseditgroup -o edit -a $USER -t user com.apple.access_radius # # View the RADIUS log # --------------------------sudo tail /var/log/radius/radius.log # --------------------------------------------------------------------# Securing Print Service # --------------------------------------------------------------------# # Disable print service. # ---------------------sudo serveradmin stop print # Set administrator SACL permissions for print service: sudo dseditgroup -o edit -a $USER -t user com.apple.monitor_print # # Configure Kerberos for print service. # -----------------------------------sudo serveradmin settings sudo serveradmin settings print:authType = KERBEROS # # Configure a Print queue. # ----------------------sudo serveradmin settings print:lprQueues:_array_index:0 = $PRINTER_SHARING_NAME sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingName = $PRINTER_SHARING_NAME sudo serveradmin settings print:queuesArray:_array_id:example_com:quotasEnforced = yes sudo serveradmin settings print:queuesArray:_array_id:example_com:showNameInBonjour = no sudo serveradmin settings print:queuesArray:_array_id:example_com:defaultCoverPage = "classified" sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:serv ice = "IPP" sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:shar ingEnable = yes sudo serveradmin settings print:queuesArray:_array_id:example_com:printerURI = "lpd://example.com" sudo serveradmin settings print:queuesArray:_array_id:example_com:shareable = yes AppendixCScripts 441 sudo serveradmin settings print:queuesArray:_array_id:example_com:printerName = "example_com" sudo serveradmin settings print:useRemoteQueues = yes sudo serveradmin settings print:coverPageNames:_array_index:0 = "classified" # # View print service logs. # ----------------------sudo tail /Library/Logs/PrintService/PrintService_admin.log # --------------------------------------------------------------------# Securing Multimedia Services # --------------------------------------------------------------------# # Disable QTSS. # ------------sudo serveradmin stop qtss # # Configure a streaming server. # ---------------------------sudo serveradmin settings qtss:server:bind_ip_addr:_array_index:0 = "$BIND_IP_ADDRESS" # Serve QuickTime streams over HTTP port 80: sudo serveradmin settings qtss:server:rtsp_port:_array_index:0 = 554qtss:server:rtsp_port:_array_index:1 = 80qtss:server:rtsp_port:_array_index:2 = 8000qtss:server:rtsp_port:_array_index:3 = 8001 # Change the MP3 broadcast password: sudo serveradmin settings qtss:modules:_array_id:QTSSMP3StreamingModule:mp3_broadcast_password = "$QTMP3_PASSWORD" # # Create a broadcast user name and password on the streaming server. # -----------------------sudo serveradmin settings qtss:modules:_array_id:QTSSReflectorModule:allow_broadcasts = yes # # Add a user account. # -----------------sudo qtpasswd $USER # Adding groups: echo "$GROUP_NAME: $USER1 $USER2 $USER3" /Library/QuickTimeStreaming/Config/ qtgroups # 442 AppendixCScripts # Change a user password. # ----------------------sudo qtpasswd $USER # View the QTSS log: sudo tail /Library/QuickTimeStreaming/Logs/$LOG_FILE # # # # # --------------------------------------------------------------------Xgrid Service --------------------------------------------------------------------Disable Xgrid service. # Configure an Xgrid agent on the server: sudo /usr/sbin/xgridctl agent stop # Configure an Xgrid agent on the server. # Configure an Xgrid controller. sudo serveradmin settings xgrid:ControllerSettings:Enabled = yes sudo serveradmin settings xgrid:ControllerSettings:prefs:ClientAuthentication = Password sudo serveradmin settings xgrid:ControllerSettings:ClientPassword = $XGRID_CLIENT_PASS # --------------------------------------------------------------------# Maintaining System Integrity # --------------------------------------------------------------------# Validate application bundle integrity. sudo codesign -v $code_path # Verify a requirement. sudo codesign -v -R="identifier com.apple.Mail and anchor apple" / Applications/Mail.app # Install the common criteria tools software. sudo installer -pkg CommonCriteriaTools.pkg -target / # Enable auditing. sudo cp /etc/hostconfig /tmp/test if /usr/bin/grep AUDIT /etc/hostconfig then sudo /usr/bin/sed "/^AUDIT.*/s//AUDIT=-YES-/g" /tmp/test > /etc/hostconfig else /bin/echo AUDIT=-YES- >> /etc/hostconfig fi # View logs in Server Admin. # Use tail or more to view the log files. AppendixCScripts 443 # The audit files are individually named based on the date. sudo /usr/bin/tail $AUDIT_FILE 444 AppendixCScripts A access ACLs183,240,381 application284,285,289 connectioncontrol241–245 DirectoryAccess320 file349 media299 passwords348,351 playlists349 printing338 QTSS347,348,349,353 restrictingNetBoot313 restrictingSoftwareUpdate316 SACLs183,228 sharepoint264–268 UniversalAccess309–310 user30–33,274,348,349,351 weblogs280–281 website274,302–304 wirelessusers333 SeealsoACLs;IMAP;LDAP;permissions accesscontrollists.SeeACLs accesswarnings65–69 Seealsopermissions accounts administrator71–72,76–81,319 authentication349 authenticationsetup84–94 creatingsecure74–81 credentialstorage88–93 directorydomains81–84 group321–322,352 mobile82,299–301 nonadministratoruser71–72 preferences99–101 types71 user351,352 Seealsouseraccounts;WorkgroupManager ACEs(accesscontrolentries)144 Acknowledgments23 Index Index ACLs(accesscontrollists) keychainservices88 mailserviceaccess240 permissions140,144–145,265 printserviceaccess338 SACLs183,381 ActiveDirectory83–84,319 activityanalysistools376–379 AddressBook82 addresses.Seeemailaddresses;IPaddresses;NAT addresstranslation347 administrator accountsfor319 auditingtools370–376 directorydomain78,318 passwordsfor329,387 privilegesof361 administratoraccount71–72,76–81 administratorcomputer39 adultwebsites,accesscontrol302 AdvancedEncryptionStandard(AES-128)122 AFP(AppleFilingProtocol)service authentication256 configuration258–259 sharepoints267 agents authentication355,356 controllers358 functionsof354 setup358 Xgrid357–359 AirPort,disabling55 AirPortBaseStation andRADIUS334 anonymousaccess,FTP260 antivirustools.Seevirusscreening any-user tag351 APOP(authenticatedPOP)235 appearancepreferences102–103 AppleFilingProtocolservice.SeeAFP AppleRemoteDesktop.SeeARD AppleSoftwareRestore.SeeASR AppleTalk340 445 applications accesscontrol31,284,285 legacyaccess289 securing30 applications,useraccessto Seealsospecificapplications ARD(AppleRemoteDesktop)178–179 ARP(AddressResolutionProtocol)spoofing207 assistivedevices136 attributes ACL267 authentication386 configuration365 audiorecordingdevices,disabling57 audit_classfile375 audit_controlfile375 audit_eventfile375 audit_userfile375 audit_warnfile375 auditingtools370–376 auditreducetool373–374 audittool372–373 authenticatedPOP.SeeAPOP233 authentication ActiveDirectory83 AFP256 attributes386 vs.authorization26 cached382 credential-based381 definition380 DirectoryAccess82–83 directoryservices318 EAP196,334 fileservices258–259 FTP256 iCalservice223 IMAP237 Kerberos192,196,235,237,238,339,385 methods326,382 NFS256 options356,358 passwords277,278,356,359 POP235 QTSS348,349,351 ServerAdmin167 SMB/CIFS-related256 SMTP242,243 SSH187–189 strengtheningmethods84–87 systempreferences94 user380,385–387,388 VPN192 WebDAV275 WorkgroupManager318–319 Seealsokeychainservices;passwords;RADIUS 446 Index authenticationauthorityattributes386 authorization26–34,79,380 Seealsoauthentication authorizationrights366–367 AuthSchemekeyword351 automaticactions,disabling105 AutomaticUnicast348 B backups161–162 BannerSamplefile,modifying68 bayesianfilters246 BerkeleySoftwareDistribution.SeeBSD BIND(BerkeleyInternetNameDomain)202,203, 206 binding330 blacklistedservers241,244 blogs280–281 blogservice280 Bluetoothpreferences55,103–104,117 Bonjourbrowsingservice210 bootimage,definition311 broadcasting,MP3348 BSD(BerkeleySoftwareDistribution)25,377 bundleIDs284 By139 C CA.Seecertificateauthority cachedauthentication382 cachepoisoning DNS205 cameras58,232 CDs40 CDs,preferences105 CDSA(CommonDataSecurityArchitecture)25 CERT(ComputerEmergencyResponseTeam)25 Certificate167,170 CertificateAuthority(CA) requestingcertificatesfrom169 certificateauthority(CA) Seealsocertificates overview165 requestingcertificatesfrom235 CertificateManager167 certificates163–175 FileVault153 iChatserver226 IPSec192 mailservice234–235 managementof36–37 OpenDirectory327 overview163–167 POP236 privatekeys164 publickeys164,368–369 requesting170,235 self-signed165,169 andServerAdmin167–168 SSL224,228,277 webservice278 CertificateSigningRequest.SeeCSR233 CGI(CommonGatewayInterface)scripts enabling273 chatservice225–229 CIFS(CommonInternetFileSystem).SeeSMB/CIFS ClamAV245,249 clients accesscontrol348,349 authentication356 earlieroperatingsystems192 groupaccounts321–322 groups352 andSSL234 Seealsoclientcomputers;users codesigncommand369–370 collaborationservices groupaccounts321–322 Seealsomailservice;specificfileservices command349 command-lineinterface accesswarnings69 erasingfiles159–160 options349,350 security256 startupsecuritysetup64 command-linetools erasingdisks44 logviewing278 sudo209 CommonCriteriaTools370 CommonDataSecurityArchitecture.SeeCDSA CommonSecurityServiceManager.SeeCSSM CommonUNIXPrintingSystem.SeeCUPS ComputerEmergencyResponseTeam.SeeCERT computergroups322 computername182 computers idlestatus358 name182 Seealsoportablecomputers computers,administrator39 configuration accesscontrol338 agents358 controller359 DHCP40 Firewallservice216,217 iChat226–227 incomingmail237 Kerberos326 Index keychainservices89–91 MacOSXServerfilechanges203 overview233 RADIUS334 sharepoints264 SSH186–187 VPN193,194 SeealsoMailmansetup configurationfiles,SSH187 Consoleapplication377 contactssearchpolicy82–83,320 controllers andagents358 nodes355 setup359 controllers,Xgrid359–360 CRAM-MD5authentication237,238 credential-basedauthentication366–367,381 credentialstorage88–93 cryptpasswords definition382 encryption320,386 CSR(CertificateSigningRequest)163,169,170 CSSM(CommonSecurityServiceManager)28 CUPS(CommonUNIXPrintingSystem)337 curfewsoncomputeruse306 Cyrusmailservice233 D Dashboardpreferences115–116,285,287 databases318 datasecurity59–60,137–162 datatransportencryption224 Date&Timepreferences107–108,182 decryption.Seeencryption Desktoppreferences109–110 DHCP(DynamicHostConfigurationProtocol) service40,200,330 DHXauthentication382 dictionaries rights363–367 Dictionary,hidingprofanityin303 digestauthentication223,349 digestauthentication,WebDAV275 digitalsignatures284,285,368–369 directories.Seedirectoryservices;domains,directory; folders DirectoryAccess82–83,320 directorydomainadministrator78,318 directoryservices ActiveDirectory83–84,319 directorydomains81–84 OpenDirectory83 organizationof318 overview324 447 Seealsodomains,directory;OpenDirectory directoryservices,OpenDirectory333 discovery,service82 diskimages encrypting155–157 installingwith41 read/write155 disks command-linemanagementof44 erasingfreespace43 installationpreparation43 partitions41,43 quotas321 startup133–134 DiskUtility43,159,160 diskutiltool44 displaymirroring111 Displayspreferences111 distributedcomputingarchitecture354–360 DNS(DomainNameSystem)service BIND202,203,206 IPaddresses206 recursion204,207 securingserver205,206 setup40 Dockpreferences111,291–292 documentation21–23 DomainNameSystem.SeeDNS domains,directory ActiveDirectory319 administratorfor78,318 bindingof330 databases318 LDAP196 managementof318 overview81–84 SeealsoLDAP;OpenDirectory DoSattack(denialofservice)206,387 duplicationofsettings319 DVDs40,298–299 DVDs,preferences105 DynamicHostConfigurationProtocol(DHCP)200 E EAP(ExtensibleAuthenticationProtocol)334 EAP-SecurIDauthentication196 EFI(ExtensibleFirmwareInterface)63,134 email.Seemailservice Enabling145 encryption AFP258 certificates164 cryptpasswords320,386 FileVault151–157 mailservice235 448 Index networkconfiguration197 ports228 securevirtualmemory137–138 SSH178,197,257–259 SSL276 VPNprotocols192 SeealsoSSL EnergySaverpreferences112–113 erasingdatapermanently38,158–160 errormessages.Seetroubleshooting Everyonepermissionlevel141 Exposé&Spacespreferences115–116 ExtensibleAuthenticationProtocol.SeeEAP ExtensibleFirmwareInterface.SeeEFI F FastUserSwitching75,297 faxpreferences120 files accesscontrol349 backupof161–162 encryption151–157,197 erasing38,158–160 permissions140–143,146 qtaccess350 qtgroups350 qtusers350 sharedsecret164 transferring191 fileservices authentication258–259 disabling256 FTP259–262,268 NFS262 SeealsoAFP;FTP;NFS;sharepoints filesharing254–255 filesystems erasingdata158 securing38 FileTransferProtocol.SeeFTP FileVault36–37,53,122,151–155,300 FileVaultmasterkeychain153 filters blacklistedmailsenders241,244 junkmail245,247 virus241,249,251 Finderpreferences293–294 fingerprints,server189 firewalls245,345,347 SeealsoFirewallservice Firewallservice213 advancedrulessetup217 introduction213 logs219 andNAT207 harddrive53 hardware,protectionof52 hash,password382 help,using20 helperapplications289 HISEC(HighlySecure)templates83,319 homefolders82,150–155,264,267,299 hostconfigentries371 hostname182 hosts.Seeservers HTTP(HypertextTransferProtocol)276,345,347 images.Seediskimages;NetBoot;NetworkInstall IMAP(InternetMessageAccessProtocol) authentication237 log250,253 incomingmail security234 setup237 installation administratorcomputer39 auditingtools370 withdiskimages41 diskpreparation43 fromearlierOSversions39 fromremovablemedia40 installerpackages126 interactive44 networkservicessetup40 overview38–51 serversoftware40 startingupfor40,41 installerpackages126 installimage,definition311 instantmessaging225–229 Intel-basedMacintosh63 Internationalpreferences116 Internet-basedSoftwareUpdate46 InternetMessageAccessProtocol.SeeIMAP InternetPrintingProtocol.SeeIPP Internetsecurity MobileMepreferences96–98 sharing125 wirelessconnections56 IPaddresses118 DHCP200 DNSrecursion203–204 DNSservice206 andfirewalls40 groups215 IPv6notation198–199 portforwarding208 QTSS346 andrecursion204 IPFilterservice.SeeFirewallservice IPmasquerading.SeeNAT IPP(InternetPrintingProtocol)337 IPSec(IPsecurity)192,193 IPv6addressing118,198–199 iSight,disabling58 ISP(Internetserviceprovider)192 I J servicessettings216 settings40 starting214 stealthmode218 FireWire61,133 FireWireBridgeChipGUID133 firmware,password64 flagsforfilesandfolders143–144 folders flagsfor143–144 group321,322 home81,150–155,267,299 permissionsfor150 website273 freediskspace,erasing160,161 FrontRow285,288 FTP(FileTransferProtocol)service256,257,259– 262,268 G GID(groupID)320 globalfilepermissions146 globalpasswordpolicy329 grids,computational354 grids,computer354 groupaccounts321–322,352 Seealsogroups group filenamekeyword350 groupfolders321,322 groupnamekeyword350 groups blogservice280 configuration321–322 permissions141 guestaccounts permissions141,255 H iCalservice222–225 iChatservice225–229 identitycertificates.Seecertificates IETF(InternetEngineeringTaskForce)standard345 Index Jabberinstantmessagingproject225–229 jobs354 junkmailscreening connectioncontrol241–245 449 filters245,247 log250,253 overview241 K KDC(KerberosKeyDistributionCenter).SeeKerberos Kerberos ActiveDirectory83 authentication85–86,192,223,235–238,385 features381,387,388 OpenDirectory319 passwords387 printservice339 setup326 users326,388 WebDAV275 Xgridadministration355,356 kernelextensions,removing62 key-basedSSHconnection187–189 Keyboardpreferences116 KeychainAccess88 keychainservices28,30,88–93,153 L L2TP/IPSec(LayerTwoTunnelingProtocol,Secure InternetProtocol)34,192,193 LANs(localareanetworks)191,262 layeredsecurityarchitecture27 LayerTwoTunnelingProtocol,SecureInternet protocol(L2TP/IPSec).SeeL2TP/IPSec LDAP(LightweightDirectoryAccessProtocol) service advancedsettings324 configuration83 overview324 security327,331,380 VPN196 Seealsoattributes;mappings;objectclasses; trustedbinding LDAPv3access318,324 Legacypreferences285,289 LightweightDirectoryAccessProtocol.SeeLDAP LinePrinterRemote(LPR)printing340 localareanetworks(LANs)262 localdirectorydomains passwordtypes380,382 localinstallation40 localsystemlogging378 localversusnetworkhomefolders264 lockingfolders143 login accesswarnings65–69 keychain89 preferences295–298 preferencesoverview295 450 Index remote178 securitymeasures99–101 loginscripts296 logs audit376 configuration377–379 Firewallservice219 iChat229,230,232 mailservice250,253 MySQLservice283 NetBoot314 printservice342 QTSS353 RADIUS335 SoftwareUpdateservice317 webservice278 LPR(LinePrinterRemote)printing340 M Mach25 MacOSX installationconsiderations39 OpenDirectorypasswords381 MacOSXServer agentsetup358 authenticationssupported388 configurationfilechanges203 trustedbinding330 mailservice certificates234–235 disabling234 groupsettings321 logs250,253 security234,235 virusfiltering251 mailtransferagent.SeeMTA managedaccounts319–322 managedpreferences Dashboard115–116,285,287 Date&Time107–108,182 Desktop109–110 Displays111 Dock111,291–292 EnergySaver112–113 Exposé&Spaces115–116 Finder293–294 FrontRow285,288 International116 Keyboard116 Legacy285,289 Login295–298 MediaAccess298–299 MobileMe96–98 Mobility299–301 Mouse116 Network118–119,301–302 overview284 ParentalControls302,303,304 Print&Fax120–122 Printing307 Security122 Sharing125,180 SoftwareUpdate46–49,126,308 Sound128 Spotlight130–132 StartupDisk133–134 System308–309 SystemPreferences308,309 TimeMachine161–162 UniversalAccess136,309–310 Seealsopreferences manageduseraccounts71,319–322 mandatoryaccesscontrols30–33 man-in-the-middleattacks190 MediaAccess298–299 messagekeyword350 microphones,disabling57 MicrosoftWindowscompatibilities144 mobileaccounts82,192,299–301,387 MobileMepreferences96–98 Mobilitypreferences299–301 Mousepreferences116 movies,QuickTimecache Seealsostreamingmedia MP3files348 MS-CHAPv2authentication195 MTA(mailtransferagent)233 multimedia344–353 MySQLservice282,283 N nameserver.SeeDNS namingconventions,computers182 NAT(NetworkAddressTranslation) andFirewallservice207 introduction207 NetBootservice41,311–314 NetworkAddressTranslation.SeeNAT network-baseddirectorydomains81–84 network-basedkeychains92–93 NetworkFileSystem.SeeNFS networkinstallimage133 Networkpreferences301–302 networks clientconnections34 preferences302 viewstroubleshooting323 networkservices DHCP40,200 DNS40 Index FileVaultlimitations151,155 homefolders318 installation40 IPv6addressing198–199 keychains92 managedusers74 NTP176 preferences118–119,301–302 sharing125 sleepmodesecurity112 SoftwareUpdatecautions45 VPN191–197 wirelesspreferences103–104 SeealsoIPaddresses networksettings firewallconsideration347 NetworkTimeProtocol.SeeNTP newsyslog command378 NFS(NetworkFileSystem) filesharing255,262,268 security256 sharepoints254,257,268–269 nodes,controller355 nodes,directory.Seedomains,directory nonadministratoruseraccounts71–72 NTDomainservices263–264,340 NTP(networktimeprotocol)176 nvramtool64 O OpenDirectory accesscontrol349 ActiveDirectory318 bindingpolicy330 configuration83,325–330 definition318 DNSrecursion203 andKerberos381 optionssettings330 overview324 passwordtype320,329 andRADIUS333 andSACLs183 securitypolicy331 Seealsodomains,directory OpenDirectorymaster authentication355 binding330 securitypolicy331 OpenDirectoryPasswordServer accesscontrol334 authentication325,381 passwordpolicy387 opensourcemodules Apache271 451 Jabber226 Kerberos223,275 opensourcesoftware25–27 option95,DHCP330 Othersusercategory254 outgoingmail,security235 Overview152 ownerpermission141 P ParentalControls74–75,302,303,304 partitions,disk41–43 PasswordAssistant84–85,100 passwords administrator329,387 Apache278 authentication356,359 authenticationset84 authenticationsetup235–237 changing99–101 command-linetools64 crypt320,386 firmware64,133–134 hash382 keychain89 masterFileVault151–155 OpenDirectory381,386 policies329,387 security384–385 vs.singlesign-on387 SSLpassphrase277 StartupDiskpreferences133–134 streamingmedia348 tokens86 types380,381,382 useraccount351 VPN192 Windowsdomain386 PasswordServer.SeeOpenDirectoryPassword Server PDFs,encrypting157 permissions access25 ACLs265,338 administrator361 folders150 guest255 manipulating143 overview140–146 sharepoints265–267 types254 user274,278,320–322 viewing141 WebDAV274 physicalaccess,securing53 452 Index physicalcomputers hardwaresecurity53 piggybacking,service207 PKI(publickeyinfrastructure)163,164 Seealsocertificates playlists accessing349 QTSS344 plistfiles209 PodcastProducerservice231–232 policydatabase363–367 POP(PostOfficeProtocol)236,250,253 port347 portablecomputers FileVault151 keychains92–93 mobileaccounts82,192,299–301 portablefiles,encrypting155–157 portablekeychains92 portforwarding208 ports encryption228 QTSS345–347 andSSL276 VPN193 POSIX(PortableOperatingSystemInterface)141– 146 Postfixtransferagent233 PostOfficeProtocol.SeePOP PPTP(Point-to-PointTunnelingProtocol)192,194 praudittool374–375 preferences accounts99–101 appearance102–103 Bluetoothwireless103–104,117 CDs105,298–299 DVDs105 fax120–122 login295–298 overview94–95 screensaver109–110 speechrecognition129 time107–108,182 Seealsomanagedpreferences presets319 primaryzone,DNS205 Print&Faxpreferences120–122 printservice accesscontrol307,338 security337 privatekey164,165 privatekeycryptography276 privileges,administrator361 Seealsopermissions problems.Seetroubleshooting profanity,hiding303 profiling,DNSservice206 protocols EAP334 fileservices257 HTTP276 LDAP196 networkservice40 POP236,250,253 RTP345 RTSP345 TCP216 VPN192,193,194,196 Seealsospecificprotocols proxyserversettings301–302,346 publickeycertificates189 publickeycertificates.Seecertificates publickeycryptography276,368–369 publickeyinfrastructure.SeePKI pwpolicycommand86 Q qtaccessfile350 qtgroupsfile350 qtpasswdtool349 QTSS.SeeQuickTimeStreamingServer qtusersfile350 Quarantine32 queues,print creating340 logs342 QuickTimeStreamingServer(QTSS)344–353 quotas,diskspace321 R RADIUS(RemoteAuthenticationDial-InUserService) introduction333 read/writediskimages155 ReallySimpleSyndication.SeeRSS realms.SeeKerberos;WebDAV;websites,accessing recentitemslist102–103 recursion,DNS203–204,207 relays,accesscontrol349 RemoteAppleEvents181 RemoteAuthenticationDial-InUserService (RADIUS).SeeRADIUS RemoteLogin185–186 remoteservers login178 systemlogging378 removablemedia FileVaultlimitations151,155 installationfrom40 preferences298–299 removablemedia,accessing299 rightsdictionary363–365 Index rightspecifications363–365 rootpermissions63,79–80 RSASecurIDs196–197 RTP(Real-TimeTransportProtocol)345 RTSP(Real-TimeStreamingProtocol)345 rules365 S SACLs(serviceaccesscontrollists)183,228,259, 261,338,381 sandboxing31 scptool185 screening virus251 Seealsofilters screensaverpreferences109–110,122 searching Spotlight273 searchingpreferences130–132 SecureEmptyTrashcommand160 securenotes88 SecureShell.SeeSSH SecureSocketsLayer.SeeSSL SecureTransport27 SecurID196–197 Securing210 security ACLs338 authentication223 bestpractices254 certificates327 DNS205,206 firewall245 firewalls345,347 Firewallservice40 IPSec192,193 LDAP327,331,380 NetBootservice312 network256 overview234 passwords235–237,348,351 printservice339 QTSS345,347 serverpolicysettings331 servicelevel183 SSL226–228,234–239,276,327 tools222,224 VPN192 websites276,278 wiki229 Seealsoaccess;authentication;permissions securityarchitectureoverview25–28 security-modeenvironmentvariable64 security-passwordenvironmentvariable64 Securitypreferences122 453 Securitypreferences<$endtrange126 self-signedcertificates165,169,235 ServerAdmin accesscontrol190,240,255,338 asadministrationtool271 authentication167,195 certificates169 opening167 overview163,167 serverstatus203 ServerMessageBlock/CommonInternetFileSystem. SeeSMB/CIFS servermining205 servers bindingto330 blacklisted241,244 naming182 proxy301–302,346 securingDNS205,206 securitypolicy331 SMTP242 startup40,41 SeealsoApachewebserver;remoteservers; websites serversideincludes.SeeSSI serviceaccesscontrollists.SeeSACLs services,security183 setupprocedures.Seeconfiguration;installation SFTP(SecureFileTransferProtocol)191,257–259 sftptool185,268 SHA-1digest50 shadowpasswords definition382 features386 sharedfiles.Seefilesharing sharedresources printers120 useraccounts72 sharedsecretfiles192 sharepoints configuration264–268 homefolders264 NFS254,262 setup264 Sharingpreferences125,180 SimpleFinder293 SimpleNetworkManagementProtocol(SNMP)177 singlesign-on(SSO)authentication86,355,356, 387 single-usermode63 sleepmode,securing112–113,122 sleepsettings,securing292 smartcards36–37,86,91,320,389 SMB/CIFS(ServerMessageBlock/CommonInternet FileSystem)protocol authentication256 454 Index enabling263–264 printing340 securityoverview258 sharepoints267 SMTP(SimpleMailTransferProtocol)242–245,250, 253 SNMP(SimpleNetworkManagementProtocol)177 Snow163 SoftwareUpdateservice45,46–49 clients316 configuration308 disabling315 overview316 preferences126 settings316 starting315,333 Soundpreferences128 sources259 sparseimages155 speechrecognitionpreferences129 spoofing ARP207 Spotlightpreferences130–132 Spotlightsearching273 srmcommand159–160 SSH(secureshellhost)178,185–191,197,259 sshddaemon185 sshtool186 SSI(serversideincludes)273 SSL237 SSL(SecureSocketsLayer) certificates164–167,227,228 iCalservice224 iChatservice226 mailservice234–240 OpenDirectory327–329 overview27 webservice276 standarduseraccounts71 startup,securing63 StartupDiskpreferences133–134 stealthmode,Firewallservice218 streamingmedia344–353 sudotool79–82,209,361 sutool80 synchronization96–98 mobileaccountdata299 time176 syslogdconfigurationfile377 systemadministrator(root)account79–82 SystemPreferences308–309 Seealsomanagedpreferences T targetdiskmode134 tasks354 TCP(TransmissionControlProtocol)213,216,345 The30 third-partyapplications115 ticket-basedauthentication83 timelimitsoncomputeruse306 TimeMachine30–31,134,161 timesettings107–108 timesynchronization176,177 timezonesettings182 TLS(TransportLayerSecurity)protocol tokens,digital86 TransmissionControlProtocol(TCP)213 TransportLayerSecurityprotocol.SeeTLS transportservices27 troubleshooting networkviews323 QTSS353 trustedbinding,policies330 U UDP(UserDatagramProtocol)345,347 UIDs(userIDs)73,284 UniversalAccess overview309 preferences309–310 UniversalAccesspreferences136 UNIX289 UNIXandsecurity25 updating software126,308 updatingsoftware45–49 USBstoragedevices,disabling60 useraccounts administrator319 group321–322,352 indirectorydomains319 mobile299–301 overview71–81 passwords351 security71 settings75 Seealsousers user filenamekeyword350 userID.SeeUID usernamekeyword350 users accesscontrol30–33,71–75,190,274,348,349, 351 auditing376 authentication324–325,326,380,385–387,388 automaticactionscontrol105 andblogservice280 categories254 certificates165 Index FastUserSwitching297 homefolders82,150–153,267,299 identities284 keychainmanagement91 mobile82,192 passwords320 permissions141,274,278,320–322 preferencescontrol115 root63 unregistered255 wirelessaccess333 Seealsoclients;computerlists;preferences;user accounts;WorkgroupManager V validation,systemintegrity368–370 valid-user tag351 videorecordingdevices,disabling58 viewsettings323 virtualmemory137–138 VirtualPrivateNetwork.SeeVPN virusscreening241–249,250,251,253 visudotool361 volumes erasing44 erasingdata158 securing38 startup41 VPN(VirtualPrivateNetwork) authentication192 clients34 introduction191–197 L2TPsettings34,193 andLDAP196 PPTPsettings194 security192 W WAN(wideareanetwork)191 Web271 WebDAV(Web-BasedDistributedAuthoringand Versioning) authentication275 configuration279 enabling273 permissions274 realmdefinitions274 starting273 weblogservice280–281 webmodules273 webservice272–278 websites accesscontrol274 accessing302–304 folders274 455 security229,276 wideareanetwork.SeeWAN widgetsinDashboard285,287 wikis229 Windowsdomain passwords386 Windowsservices263–264,340 wirelesspreferences103–104 workflows231 WorkgroupManager accesscontrol32 accounts319–322 ACLpermissions240 authentication349 directorydomains318 456 Index groupaccountmanagement321–322 overview318–319 Seealsomanagedpreferences workgrouppreferences SeeWorkgroupManager Worldpermissionlevel254 X Xgrid354–360 Z zones,DNS security205 zonetransfer,DNS203