This article is the first part of a three part series on Mac OS X security tips. In
part two I discuss user profile security and finally I will cover system security in part three.
I am certainly not the first person to write an article like this, and to be honest, I surely won't be the last. So why am I bothering to write this down? Well 'repetitio est mater studiorum'...
Physical security
1. Disable automatic login
Most Mac users only have one account on their systems, so having the system automatically login for them makes perfect sense. Doesn't it?
NO!
Think about it, if anyone gets hold of your precious Mac, all they'd have to do is switch it on, and within seconds they can be rifling through all your documents and dirty secrets.
Turning off automatic login is a simple yet effective way of adding a small amount of security to your system. To turn off automatic login open System Preferences and go to Accounts. Find the option called "Login Options", choose this and set automatic login to off.
2. Set a firmware password
An easy way to bypass security measures on any machine is to boot the system using a Live CD (for example). In the case of OS X, boot from an OS X Installation disk which allows you to make changes like reseting the administrator password, or make changes to partitions and disks.
By setting a firmware password you help to prevent attackers from:
• Booting a Live CD
• Running any applications from an OS X Installation disk
• Booting the machine into Target Disk mode and accessing data without logging in
Rather than trying to cover all the ins and outs of setting a firmware password I'll point you to the Apple support article on the subject:
http://support.apple.com/kb/ht1352.3. Encryption is a good idea
Encrypting all of your personal and private files means that if your computer is stolen it becomes far far harder for anyone to access your data.
Apple provides functionality to encrypt your entire home directory called FileVault. This will encrypt everything inside of your home directory, but will not encrypt anything outside of it. For those that only want to protect the data inside their home directory this may be a good solution.
If there is sensitive data outside of the home directories that you need to protect then a full disk encryption solution is worth looking into. This will encrypt everything on a disk, and means that data stored in temp files, and application directories are also secured.
Sophos offers a business class full disk encryption product for Mac OS X called
SafeGuard Disk Encryption for Mac. An additional benefit of full disk encryption is that it prevents someone from booting the system and reading the memory through the FireWire interface.
Encrypting the virtual memory on your system is a wise choice, and something that Apple does turn on by default in 10.6 Snow Leopard.
For older versions of OS X it is strongly recommended that you turn on 'secure virtual memory' in System Preferences. This will prevent others from connecting to your physical machine and reading the data in the virtual memory.
Conclusion
Those of you who are concerned about security on your personal Macs can take advantage of
free anti-virus from Sophos. If you have a iPhone/iPad/iPod Touch we also have a
free application in the App Store to provide the latest security information.
