Hardening Tips for Default Installation of Mac OS X 10.5 "Leopard"
Systems and Network Analysis Center, National Security Agency
9800 Savage Rd., Ft. Meade, MD 20755
http://www.nsa.gov

... default installation of Mac OS X 10.5 (Leopard). These tips may not translate gracefully for previous versions.

Important: System updates may override many of these configuration changes. Achieve their persistence using a script and a cron job or vigilant re-application.

Don't Surf or Read Mail using Admin Account

Create a non-administrator user in the Accounts pane of System Preferences and use this account for everyday tasks. Only log in with an administrator account when you need to perform system administration tasks.

Use Software Update

Regularly applying system updates is extremely important.

For Internet-connected systems: Open the Software Update pane in System Preferences. Ensure that "Check for Updates" is enabled, and set it to "Daily" (or the most frequent setting possible in your environment). There is a command line version available as well, called softwareupdate. Read its man page for more details.

For systems not connected to the Internet: Retrieve updates regularly from www.apple.com/support/downloads. Be sure to verify that the SHA-1 digest of any download matches the digest published there, using the following command:

Security Pane Settings (continued)

• Use secure virtual memory
• Disable remote control infrared receiver (if present)

In the FileVault tab, read the warnings and consider activating FileVault. FileVault is most appropriate for portable systems, since it can protect their data even if the system itself is stolen.

In the Firewall tab, select "Allow only essential services." Next, click on the "Advanced..." button and enable the "Firewall Logging" and "Stealth Mode" options.

Secure Users' Home Folder Permissions

To prevent users and guests from perusing other users' home folders, run the following command for each home folder:

sudo chmod go-rx /Users/username

Physical Security

Set a firmware password that will prevent unauthorized users from changing the boot device or making other changes.

For PowerPC-based Systems: Access the Open Firmware command interface by holding down ⌘-Option-O-F during startup. At the prompt, type password to set a password. Inexplicably, a capital "U" cannot be used in the password. Next, select a security level and set it with the following command:

setenv security-mode securitymode

... Click "Advanced." Click on the TCP/IP tab and set "Configure IPv6:" to "Off" if not needed. If it is an AirPort interface, click on the AirPort tab and enable "Disconnect from wireless networks when logging out."

Disable Unnecessary Services

The following services can be found in /System/Library/LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified:

sudo launchctl unload -w PathToPlistFile

Filename:                                        Needed for:
com.apple.mDNSResponder.plist                    Bonjour
com.apple.mDNSResponderHelper.plist              Bonjour
com.apple.dashboard.advisory.fetch.plist         Dashboard Auto-Update
com.apple.UserNotificationCenter.plist           User notifications
com.apple.RemoteDesktop.PrivilegeProxy.plist     ARD
com.apple.IIDCAssistant.plist                    iSight
com.apple.blued.plist                            Bluetooth

The following services can be found in /System/Library/LaunchAgents. Disable them in the same way.

Filename:                                        Needed for:
com.apple.RemoteUI.plist                         Remote Control

Filename:   Needed for:
... fs.kext/Contents/Resources/load_webdav   ... Services
/System/Library/Filesystems/AppleShare/afpLoad   Apple File Protocol Sharing
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp   Apple File Protocol Sharing
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/PrinterSharingTool   Printer Sharing
/System/Library/CoreServices/Expansion Slot Utility.app/Contents/Resources/PCIELaneConfigTool   Expansion Slot Utility
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum   Privileged Finder File Operations
/System/Library/Printers/Libraries/aehelper   Printer Configuration
/System/Library/Printers/Libraries/csregprinter   Printer Configuration
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/Resources/DiskManagementTool   Disk Utility
/usr/libexec/dumpemacs   Nothing
/usr/libexec/xgrid/IdleTool   XGrid
/usr/sbin/vpnd   Hosting VPN Services
/sbin/mount_nfs   NFS
/sbin/route   Network Config
/usr/bin/lppasswd   Printer Sharing
/usr/bin/ipcs   IPC statistics
/bin/rcp   Remote Access (Insecure)
/usr/bin/rlogin   Remote Access (Insecure)
/usr/bin/rsh   Remote Access (Insecure)
/usr/lib/sa/sadc   System Activity Reporting
/usr/sbin/pppd   PPP
/usr/sbin/scselect   User-selectable Network Location

Configure and Use Both Firewalls

The system includes two firewalls: the ipfw packet-filtering firewall, and the new Application Firewall. The Application Firewall limits which programs are allowed to receive incoming connections, and it should be configured as described in the earlier section Security Pane Settings. Configuring the ipfw firewall requires more technical expertise and cannot be fully described here. It requires creating a file with manually written rules (traditionally, /etc/ipfw.conf), and also adding a plist ...

For more about ipfw rules, consult the following resources:
• the ipfw man page
• IPFW section in FreeBSD manual (available online)

Disable Bluetooth and AirPort Devices

The best way to disable Bluetooth hardware is to have an Apple-certified technician remove it. If this is not possible, disable it at the software level by removing the following files from /System/Library/Extensions:

IOBluetoothFamily.kext
IOBluetoothHIDDriver.kext

The best way to disable AirPort is to have the AirPort card physically removed from the system. If this is not possible, disable it at the software level by removing the following file from /System/Library/Extensions:

IO80211Family.kext

See the note below for information about removing kext files.

Disable Integrated iSight and Sound Input

The best way to disable an integrated iSight camera is to have an Apple-certified technician remove it. Placing opaque tape over the camera is less secure but still helpful. A less persistent but still helpful method is to remove /System/Library/Quicktime/QuicktimeUSBVDCDigitizer.component, which will prevent some programs from accessing the camera.

To mute the internal microphone, open the Sound preference pane, select the Input tab, and set the microphone input volume level to zero. To disable the microphone, even if it means crippling the sound system, remove the following file from /System/Library/Extensions:

IOAudioFamily.kext

Note on removing kext files: To make the system reflect the removal of kext files, run the following command and reboot:

sudo touch /System/Library/Extensions

Safari Settings

In the Safari web browser, choose "Preferences..." from the "Safari" menu. In the General tab, de-select "Open safe files after downloading."
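The pamphlet's Important note recommends re-applying these settings from a script run by cron, since updates can undo them. The POSIX shell script below is an added example, not part of the NSA document, that re-applies two of the steps above: unloading the listed LaunchDaemons and LaunchAgents with launchctl unload -w, and applying chmod go-rx to every home folder. LAUNCHD_ROOT, USERS_ROOT and LAUNCHCTL are assumed overrides (set LAUNCHCTL=true to dry-run against a scratch tree), and skipping /Users/Shared is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the NSA pamphlet): re-applies two hardening steps
# so a cron job can restore them after a system update.
# Assumed overrides: LAUNCHD_ROOT, USERS_ROOT, LAUNCHCTL (LAUNCHCTL=true
# makes the service step a no-op for dry runs on a scratch tree).
LAUNCHD_ROOT="${LAUNCHD_ROOT:-/System/Library}"
USERS_ROOT="${USERS_ROOT:-/Users}"
LAUNCHCTL="${LAUNCHCTL:-sudo launchctl}"

# launchd jobs the pamphlet lists; remove any your site actually needs
# (for example keep the mDNSResponder entries if Bonjour is required).
DAEMONS="com.apple.mDNSResponder.plist com.apple.mDNSResponderHelper.plist
com.apple.dashboard.advisory.fetch.plist com.apple.UserNotificationCenter.plist
com.apple.RemoteDesktop.PrivilegeProxy.plist com.apple.IIDCAssistant.plist
com.apple.blued.plist"
AGENTS="com.apple.RemoteUI.plist"

# disable_services DIRNAME PLIST...  -> prints how many jobs were unloaded.
# 'unload -w' also records the job as disabled so it stays off after reboot.
disable_services() {
    dir="$LAUNCHD_ROOT/$1"; shift
    count=0
    for plist in "$@"; do
        path="$dir/$plist"
        [ -f "$path" ] || continue          # not present on this install: skip
        $LAUNCHCTL unload -w "$path" && count=$((count + 1))
    done
    echo "$count"
}

# Apply 'chmod go-rx' to every home folder under USERS_ROOT so users and
# guests cannot browse each other's files. /Users/Shared is skipped because
# it is not a home folder (assumption of this example, not from the pamphlet).
secure_home_folders() {
    for home in "$USERS_ROOT"/*/; do
        home="${home%/}"
        [ -d "$home" ] || continue
        [ "$(basename "$home")" = "Shared" ] && continue
        chmod go-rx "$home"
    done
}

# Mode string of a directory, e.g. drwx------ (works with BSD and GNU ls).
home_mode() { ls -ld "$1" | cut -c1-10; }

# Real run on the target Mac (needs sudo), e.g. from a nightly cron job:
# disable_services LaunchDaemons $DAEMONS
# disable_services LaunchAgents $AGENTS
# secure_home_folders
```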