Updated by Richard Rathe on
August 22, 2005 using OSX 10.3.9.
Certain details may be different for System 10.4 and above.
Located at http://medinfo.ufl.edu/omi/medmac/security/
As a convenience, OSX will automatically login to your account when you start up. This means that anyone else who boots your computer will gain full access to your account. To prevent this, uncheck the auto login box in Accounts preferences. For even more protection click on Name and Password rather than presenting a list of users.
* Preference Panes are accessed through System Preferences... in the Apple menu.
This feature offers simple but powerful protection from snoops. When the computer goes into sleep or screen save mode, you must reenter your password to wake it. For this to work well, you should also make sure that the screen saver interval is relatively short (say 10 minutes). Finally, you should consider changing your passwords periodically, at least once a year.
On OSX, passwords are managed by Keychain Access (found in Applications/Utilities/). By default the Keychain password is the same as your login password. The problem is that anyone can change this by booting from an OSX CD-ROM. Then all of your passwords could be revealed. To prevent this, just set a Keychain password that is different from your login and admin accounts (Change Password... command found under the Edit menu).
One of the principal advantages of OSX over Microsoft Windows is the requirement that you enter your Admin Password before any major modifications can be made to the operating environment. This forces the human operator (you!) to actively manage the security of your system. But don't grant permission lightly! If the system asks for your Admin Password when you don't expect it, simply click Cancel and reassess the situation.
Apple releases updates for OSX (and certain core applications like Safari) several times a year. Many of these include "patches" for potential security issues. Without these updates, your system will remain vulnerable. There are several ways to update your system, but most should use the automatic Software Update service. At the time of this writing Apple supports updates for OSX versions 10.2, 10.3 and 10.4.
Users with high-speed Internet access should set Software Update to check for updates on a daily basis. Less frequent intervals may be appropriate for modem users. Please note that nothing will be installed on your computer without your permission (see #4 above). As an alternative, you may use Software Update to alert you about new updates, then download and install them manually.
This is an easy one. Go to Sharing, click Firewall, and Click Start. <smile> You might need to Allow specific services (called Ports here) if you are using them (see next item).
This is the flip side of using the firewall, making sure you have services turned off if you aren't using them. (Most are off by default under OSX.) The fewer services your computer "advertises" on the Internet, the safer you are from hackers. Even if you use some of these services from time to time, it is a good idea to turn them off in between.
Other services you should turn off when not in use are Airport (WiFi wireless) and Bluetooth (wireless for small devices, PDAs, phones, etc.). You can turn Airport off from the Internet Connect application.
You can turn off Bluetooth from the Bluetooth Preference pane.
Digital information lasts forever—or five years, whichever comes first.
Jeff Rothenberg (Scientific American article)
It doesn't matter how you backup, just do it! A good rule of thumb is to consider the number of days work/email/transactions you are willing to lose if something should go wrong. There are two kinds of backup you should plan for. The first targets short term recovery of your data. For example, making copies of critical files at the end of each business day. You might reuse the media (CD-RW for example) on a monthly cycle. The second type of backup is better referred to as archiving. The intention here is to make archival copies of data for long term storage and retention. You don't need special software to get started. If you have a CD-R or DVD-R drive you might start by copying your email and documents to a CD/DVD once a week. If you are looking for a more sophisticated or automatic approach, several options are available.
iBackup (free!)
(see recent
review)
RsyncX (free!) (MedMac
handout)
.Mac from Apple
($ subscription required)
Dantz Retrospect ($)
So what if your computer is stolen, and the thieves gain access to all your files? The last line of defense is to make sure those files are unreadable by anyone other than you. That means encryption. Starting with version 10.3, file encryption is built in to OSX! It is called FileVault and can be found under the Security Pane. My only criticism is that this is an all or nothing choice (see the warning in the screen shot below).
For a more selective approach to file encryption, you should consider the PGP Desktop product. Using the PGPdisk function, you can make as many encrypted disk volumes as you need. These act just like a hard disk or CD, but without your PGP passphrase the actual data are gibberish. This is commercial software, so it is not free. But the package including both file and email encryption is worth the cost for anyone who needs these functions.
As a footnote, it is important to point out that both OSX and PGP allow you to 'shred' files so they cannot be recovered from your hard disk. In OSX go to the Secure Empty Trash item in the Finder menu. PGP provides a Wipe function that is faster than Secure Empty for large files and directories. Both methods overwrite the disk with random ones and zeros where your files used to live, so the data cannot be recovered.
Finally, there is no substitute for physical security of your computer, disks, CDs, etc. Some common sense steps you can take: don't leave your laptop unattended; don't advertise that you have a computer in your bag; when you travel by car, put your valuables in the trunk when you leave, not when you arrive at an insecure area.
Another inexpensive measure you can take is to buy a cable lock for your laptop. These typically cost around $30 and will protect you from "grab and go" thieves.
More OSX security information can be found at:
http://www.securemac.com/
http://www.apple.com/macosx/features/security/
http://www.nsa.gov/snac/downloads_macx.cfm
http://www.princeton.edu/~psg/unix/osx/osxsecurity.html
http://www.macos.utah.edu/documentation/macosx/security/security.html
This is a somewhat controversial area because (happy to say) "Macs don't get viruses." Do you really need protection from a threat that is only hypothetical? The answer is "probably" for three reasons. (1) Just because there have been no OSX viruses yet, this does not mean some enterprising jerk won't invent one. (2) Anti-viral software also protects you from non-OS malware such as javascript and Word macro viruses. (3) If you share files with Windows users, having anti-viral software on your Mac may actually help protect them from their own insecure operating system. The Virex product is licensed by UF, so all faculty, students, and staff may download and use it for free! (To download you must be on the campus network and login with your gatorlink ID and password.)
All products discussed are copyright by their
respective owners.
The views expressed are the author's. Your mileage may vary.
This document is copyright 2005
by the University of Florida.