Networking and Services
This is part two of this series on Securing Leopard, and focuses on the configuration of networking and network services. Most Macs come with a number of networking options (eg. AirPort, Bluetooth, Firewire), and 10.6 has a number of network services available to the user. How these are set up can have a big impact on the security of your system. The settings discussed here can be found in System Preferences -> Network and System Preferences -> Sharing.
The first, and easiest, step to securing some of your network interfaces is to disable those you won’t be using – don’t worry you can easily re-enable them later. For example Mac OS X provides great functionality which allows you do networking over FireWire, but most users either won’t have used this, or even heard of it.
To disable unnecessary network interfaces simply select them on the left-hand side of the network pane, click on the gear icon at the bottom, and select ‘Make Service Inactive’. In the screenshot below I’m disabling my AirPort interface, as I’m using an iMac with an Ethernet connection.
Note: If you use the Parallels (or VMWare Fusion) software to virtualize Windows (or Linux), you may have additional interfaces as I have above. These are used by the software to share your internet connection with the virtualized guest OS. Disabling these could interrupt that functionality.
A large number of people use wifi networks on a regular, if not daily basis. There are currently numerous attacks that exist which may allow an attacker to intercept and/or manipulate your wireless traffic if you’re not careful. If you don’t use Airport, it’s best to keep it turned off, which you can do using the button provided on the Airport pane, or by clicking on the Airport icon in the menu bar and selecting ‘Turn Airport Off’.
To configure your Airport settings, click on the ‘Advanced…’ button in the bottom-right. In my opinion, the best practice configuration would be as shown in the screenshot below.
- Preventing your computer from remembering networks it has joined will help mitigate against SSID-spoofing attacks. You can still add individual ‘trusted’ networks when you want to connect to them.
- Disconnecting from wireless networks when logging means that your computer will be less susceptible to wifi-based attacks when you’re not using it.
- The last three options require an administrator password to make changes to the wifi, such as changing networks or turning it on and off. These options are best if you are the sole user of the computer, but can also be used to restrict normal users of the system from changing networks.
When setting up or connecting to wireless networks, try to use WPA2 where possible. Most routers now do this by default, but some still use WEP which is easily broken. Mac OS X’s own Internet Sharing functionality (System Preferences -> Sharing) still only supports WEP, but this is better than having an open network.
Bluetooth can also be configured in a similar fashion. If you don’t use a bluetooth keyboard or mouse, and don’t use bluetooth to interact with your phone, then you can probably disable it. There have been bluetooth-related vulnerabilities in the past, and turning bluetooth off is a good way of avoiding those.
If you do use Bluetooth (even if you keep it turned off), it’s also a good idea to uncheck the ‘Discoverable’ box. This way your computer won’t be broadcasting itself to any listening bluetooth device. If you want to pair a device, you can always initiate the pairing from this window, or make your computer temporarily discoverable.
Click on ‘Advanced’ where you can configure some additional settings:
Sharing and Network Services
Mac OS X has a number of built-in services that can be easily enabled/disabled by the user. They range from file sharing (AFP), to remote login (SSH), to internet sharing. All of these are off by default (a good thing). Best practice is to keep any unnecessary services disabled. The individual security of all these services could be a separate article, so I won’t go into much detail and only look at File Sharing, which is the most commonly used. The only global recommendation I can make is to avoid setting your ‘Computer Name’ to something too obvious/sensitive (like your full name/username), as this is often broadcast over the network.
File Sharing can be configured to allow other users access to files on your computer. By default, when File Sharing is turned on, anyone on the network can log in as a guest and view your so-called ‘Public Folder’ (in your Home folder) over Apple Filing Protocol (AFP). In general this means only other Macs, as Windows and Linux systems do not have AFP capability by default. You can use your Public Folder to share files, and guests can upload files into your Drop Box. If you feel so-inclined, you can share additional folders on your system, and make these accessible to a limited set of user accounts that you create. Note that if someone logs in to your computer using your administrator username and password, they will have access to the entire disk. Also note that the Read & Write privilege means that those users can also delete files.
The additional ‘Options’ pane, accessible by the button of the same name, is where you can enable FTP and/or SMB. If you don’t know whether you need these, it’s best to leave them turned off. The FTP is basic and unencrypted; as such the username and password will be sent over the network in the clear when logging in. SMB is the protocol needed to allow Windows and Linux clients to connect.
The last thing I wanted to discuss in this section is the importance of Software Update. Apple regularly distributes updates, many of which have an impact on security. Not updating could mean leaving your system vulnerable to attack. The relevant settings can be found in System Preferences -> Software Update.
I recommend setting it to check for updates on a daily basis, and to download any updates automatically. Not only does this ensure you’ll be made aware of relevant updates on a timely basis, most of the time these will have been downloaded in the background, so you won’t have to wait to install them.