Rob Buckley – Freelance Journalist and Editor

How to secure Macs in the enterprise

For many people working in IT support and security, the Mac is an 'unknown unknown'. Headlines and word-of-mouth suggest that it is more secure than Windows, yet just as insecure; that it is harder to configure, yet easier to use; and that it will not fit into enterprise deployments, but does not need to.

This article is intended to introduce someone new to Macs to the basics of their security in the enterprise.

Firewall
The Mac has a built-in firewall you can turn on by clicking Turn On Firewall in the Firewall tab of Security & Privacy.

This is relatively robust and tries to strike a balance between ease of use and security. However, Firewall Options can lock down the firewall even more.

The Enable stealth mode option will hide the Mac from some speculative hacking traffic. The Block all incoming connections option should be reserved only for the least secure of Macs, since many useful services will be disabled. However, you can disable or enable incoming connections to specific applications by clicking on the + button and selecting the application whose traffic you want to control.

Disk encryption and secure backups
It almost goes without saying that full disk encryption should be turned on, although Apple's implementation, FileVault, can occasionally be unreliable and will not work with certain types of disk configuration, such as RAID. It is available from the FileVault tab of the Security & Privacy system preferences pane by clicking Turn On FileVault.

Next, specify all the users who can unlock the disk at start-up. Each will use their own user account password to do so.

If you lose the passwords for the accounts on the Mac, you can enter the "safety net" key that OS X generates to decrypt the drive. As a final precaution, you can store this key with Apple.

Before beginning the encryption process, you should make a copy of the Mac's startup disk. The Mac has a built-in back-up system called "Time Machine", accessible from "System Preferences", that will regularly back up the main disk to any compatible network server, connected hard drive or partition that you choose.

However, this does not back up every single file on the Mac so it is worth investigating programs such as Carbon Copy Cloner for imaging drives completely.

You should ensure Time Machine back-ups are encrypted by checking the "Encrypt backups" box when you first choose the destination disk.
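In an enterprise you will want to confirm the Firewall and FileVault settings described above without opening System Preferences on every Mac. The script below is an added example, not part of the original article: it reads the status lines printed by the socketfilterfw and fdesetup command-line tools and reports each control as on, off or unknown. The function names are this example's own, and the exact wording of the tools' output is an assumption, since it varies between OS X releases.

```sh
#!/bin/sh
# Added example: report whether the firewall, stealth mode and FileVault are on.
# Assumption: status wording differs between OS X / macOS releases; the
# patterns below cover the common forms and fall back to "unknown".

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# classify_state TEXT -> prints on, off or unknown
classify_state() {
    case "$1" in
        *[Dd]isabled*|*"is Off"*|*"is off"*|*"State = 0"*) echo off ;;
        # State 1 (on) and State 2 (block all incoming) both count as on.
        *[Ee]nabled*|*"is On"*|*"is on"*|*"State = 1"*|*"State = 2"*) echo on ;;
        *) echo unknown ;;
    esac
}

# audit_report FIREWALL_TEXT STEALTH_TEXT FILEVAULT_TEXT
# Prints one line per control; the return value is the number of controls
# that are not confirmed "on" (unknown is treated as a failure).
audit_report() {
    failures=0
    for pair in "firewall:$1" "stealth-mode:$2" "filevault:$3"; do
        name=${pair%%:*}
        state=$(classify_state "${pair#*:}")
        printf '%-13s %s\n' "$name" "$state"
        [ "$state" = on ] || failures=$((failures + 1))
    done
    return "$failures"
}

if [ "$(uname -s)" = Darwin ] && [ -x "$FW" ]; then
    # On a Mac: feed in the real tool output.
    audit_report "$("$FW" --getglobalstate)" "$("$FW" --getstealthmode)" \
                 "$(fdesetup status)" || echo "$? control(s) need attention"
else
    # Elsewhere: constructed sample output, so the example still runs.
    audit_report "Firewall is enabled. (State = 1)" "Stealth mode disabled" \
                 "FileVault is On." || echo "$? control(s) need attention"
fi
```

Because unrecognised output is counted as a failure, a Mac whose tools print wording the patterns do not cover is flagged for a manual check rather than passed silently.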


Locking-down and DLP
OS X has built-in Parental Controls in System Preferences that can lock down certain aspects of OS X, such as the ability to change passwords, to use particular applications and more. Click Enable Parental Controls for the first account you want to lock down, then check the appropriate settings for the restrictions you want to apply.

Parental Controls enables a basic form of DLP, by stopping CD burning: check Limit CD and DVD burning in the Other tab.
