Security, FileVault and Firewall
This is part three of this series on Securing Leopard, and brings us to the Security-centric settings in OSX. This includes general security settings, FileVault encryption, and the Built-in Firewall. All of these settings can be found in System Preferences -> Security.
General Security Settings
- Require password immediately after sleep or screen saver begins. This ensures that anyone who visits your computer while you leave it unattended, cannot gain access without typing in your password.
- I also recommend using one of your ‘Hot Corners’ to activate the screen saver (Desktop & Screen Saver preference pane). This makes it very easy to secure your computer when you step away for a second. Also ensure that you set a short enough inactive time period for automatic activation (5 minutes is good).
- Disable automatic login. This is the same setting that was discussed in the first part of this article. You don’t want someone to turn your computer on and be immediately logged in!
- Require a password to unlock each System Preference pane. This simply protects the settings you have configured in System Preferences, and requires an admin password before changes can be made.
- Log out after X minutes of inactivity. This one I leave up to personal preference. There can be benefits to fully logging out if you are not using your system, however this will close all your documents and quit all your applications.
- Use secure virtual memory. This setting will encrypt virtual memory files that are written to disk. Since memory is often used to store passwords, and other potentially sensitive data, it is generally a good idea to use this. It should be noted that this will have a small impact on performance, although this would probably not be noticeable to normal users.
- [NEW!] Automatically update safe downloads list (screenshot above to be updated). Mac OS X has a built-in File Quarantine feature that maintains a small internal list of undesirable files, and warns the user if this file is ever downloaded or found on the system. I recommend keeping this option checked, particularly if you don’t run a separate anti-virus on your system.
- Disable location services. More and more applications and internet services offer features that depend on your location, and these make use of OSX’s ‘Location Services’ module to obtain it. In most cases the system should request your permission to do this. If, like me, you know you’d rather avoid this, then you can disable Location Services altogether. See Apple’s KnowledgeBase article for more information.
- Disable remote control receiver (or pair it). Depending on the computer you have, you may or may not have this option. Most modern Macs come with an infrared remote control that allows you to do stuff like change music tracks, move forward in a slideshow, etc. By default, any Apple remote control can be used to control any compatible Mac – unless you disable the receiver, or pair your remote own remote to your computer.
FileVault – Home Folder Encryption
FileVault is Apple’s solution for encrypting your personal information. Note that it does not perform full disk encryption, instead it encrypts your Home folder, which is where all of your personal data is stored. That said, as the entire disk is not encrypted, the System files and Applications are not protected. If you know you require full disk encryption then you will need a third-party solution such as PGP’s Whole Disk Encryption or Check Point’s Full Disk Encryption. Encrypting your disk or home folder will prevent someone from booting your computer into Target Disk Mode, and accessing your files directly on the disk. Using FileVault does impact performance a bit, although this should not affect most normal users.
To enable FileVault, go to ‘Security’ in System Preferences, then click on the FileVault tab. You can choose to set a Master Password that can be used to unlock any account on the computer – ensure this password is strong if you set one. Click ‘Turn On FileVault’ and you will see the window below (note: this will require free space equal to the size of your Home folder):
What FileVault will do is create an encrypted disk image, and copy your entire Home folder into it. You are given the option of performing a ‘secure erase’ of the original unencrypted home folder files once the copying is complete. This is useful if you want to ensure there are no remnants of unencrypted personal data. Note that secure erase can take a long time.
Mac OS X has a simple, but effective built-in firewall. To activate it simply click the Start button on the Firewall tab. Mac OS X will then ask you which applications are allowed to accept incoming connections. For example if you want to allow others to connect to an iTunes music share, you will need to allow iTunes to accept incoming network connections. If you have network services (Sharing) turned on, OSX will automatically allow these through the firewall. Click on the Advanced button to see additional settings:
The paranoid amongst you can opt to enable the ‘Block all incoming connections’ setting. This is perfectly ok if you don’t want to use any of the Sharing services, or other network-related applications that rely on incoming connections. If you find a network-based application is not working normally, it may be due to this setting.
If you leave this setting unchecked, you can define which applications are allowed inbound connections. If you don’t think something requires inbound connections, you can block them to be safe. If you’re unsure it’s probably best to check the supplier’s website for information about networking requirements. Applications can be added or removed using the + and – buttons below the list area.
The setting immediately below automatically allows certain digitally-signed applications to receive incoming connections. Even though these may be ‘trusted’ applications (eg. signed by Apple), I’d always rather be asked so I leave this unchecked.
The final option, Enable Stealth mode, prevents certain diagnostic tools from communicating with your computer over the network. In rare occasions this can cause some issues with certain applications, although I’ve never had a problem and prefer to leave this option enabled.
Back: Networking and Services