How to Secure a Mac

Jason WatkinsIT Project Leader
Information security is a multi-billion dollar industry. Just as lucrative is the black market industry which trades stolen identities, credit card numbers and software exploits all over the world. Nothing is hack-proof. The best one can do is make their machine a hard target. Mac OS X 10.7 "Lion" and to a lesser extent, previous versions of Mac OS X, come with many tools to this right out of the box.

1. Keep your Mac updated... Everyone has heard this about software at one point or another. If one uses Mozilla Firefox, or Microsoft Office for Mac, updates are unavoidable. Setting "Software Update" to download and prompt to install updates weekly is a great start. Checking is not enough, the updates actually have to be installed. I do this when finished using the computer for awhile as most updates from Apple require a reboot a la Microsoft Windows.

2. Use a password for all logins... Mac OS X  doesn't force this issue on it's users and single-user Macs automatically log in as the sole user by default. That feature is very convenient for everyone, including thieves. Require a password for all logins by opening the "System Preferences", clicking the "Users & Groups" applet and then clicking the "Login Options" button, under the list of local users on the Mac. The lock at the bottom left-hand side of the window may have to selected to make the Login Options available.

For the "Automatic login:" drop-down list, choose "Off ".

For the "Display login window as:" menu box, choose "Name and password". What this will do is require anyone logging-in to enter a username and a password. The default is for the right user account to be selected from a horizontal list. A thief will need to know the user's username in addition to the password. Mac OS X defaults to using a concatenated version of a user's first and last name as entered.

For example, OS X would make for me, an account named "jasonwatkins". Choosing a username that is nothing like one's proper name enhances account security.

Regarding passwords, the longer, the better. The more complex a password, the harder it would be to determine or crack. Items like spaces, punctuation symbols add "salt" to a password's security value. A pass-phrase is also a very good idea. Pass-phrases use a sequences of words and spaces to make complex and strengthen the typical password.

3. Don't run your Mac as an administrative user... Administrative accounts can access every place on the system and perform every operation. Such access is also very convenient, but hardly necessary for day to day use. Tasks like installing programs, updating programs and changing certain settings will require administrative access.

The first user account created during setup is an administrative user. It has to be in order for the user to complete setup and start using the Mac. This can and should be changed. From that same "Users & Groups" applet in the "System Preferences", select the user account used and uncheck the box titled "Allow user to administer this computer". It would also be a good idea to link the primary user account with an Apple ID. This way, if the password is forgotten the associated Apple ID and it's password can unlock the account.

~ At this point, the Mac is much more secure than the average user setup ~

4. Use an EFI password... Every computer requires an operating system to enable users to interact with and control the computer's hardware. For the Mac, the operating system is OS X (O.S. Ten). The most popular operating system for non-Apple PCs is Microsoft Windows. A small few, myself included, run the Linux operating system on their desktop computers. Servers, the world over, use Linux to provide all manner of network services.

The hardware on a computer can vary from model to model, especially between manufacturers. A common interface to represent the hardware set to the operating system is required for versatility between differing sets of hardware. On common desktop PCs, that system is called the BIOS (Basic Input Output System). Macs today are closer to their PC cousins more than ever, except when it comes to the BIOS. Macs do not use a BIOS like those found on a Dell or HP computer. A system called EFI (Extensible Firmware Interface) is what controls hardware associations with OS X on the Mac.

I can get around any operating system's passwords and access controls by booting that computer to an alternate operating system. Inserting a Linux disc into the CD/DVD-ROM and booting that computer to that disc, will allow me full access to the hard drive. Most Linux install discs are "live", which means the entire operating system runs in memory, or from a page file, before it is installed. Something Mac OS X and Windows do not do, nor ever will. I have had a Microsoft product representative tell me, directly, that there will never be a live version of Windows. Live discs are great for determining whether or not a computers hardware components will work with that version of Linux.

The EFI can use a password to stop the boot process to any device other than the internal hard drive. Macs are very versatile in the way that they can boot from any USB or FireWire drive that happens to have OS X installed. Pressing the "option" key during the Mac boot sequence (before one sees the Apple logo) will give one a choice of all bootable volumes on the Mac. I use external drives to make complete disc images of Macs and to troubleshoot numerous problems.

The Firmware Password utility is used to set an EFI password on any Mac with an Intel processor. The differences being on where the utility is located among versions of OS X. For OS X 10.7 "Lion", the EFI utility is located on a recovery partition, that is created during the OS install. One can boot to that partition by restarting their Mac and holding-down the option key before they see the Apple logo appear on the screen. If nothing else is plugged in to the Mac at that time, the user will see the recovery partition and the internal hard drive as the only boot options. Time Machine backup drives, used with Lion are also available as boot options.

The recovery partition presents a minimal UI, designed purely for fixing the Mac, on which it is installed. To set the EFI password, choose the "Utilities" menu at the top right-hand portion of the menu and select "Firmware Password". DO NOT forget this password. Recovery is possible, but not easy and should never be relied on for just in case. I would write it down and place that information in a safe place, separate from the computer.

5. Use full disk encryption… Encryption is a strong tool for protecting data from unwanted access. For Mac OS X, encryption originally was limited to a user's profile. The home directory that every user had on an OS X system could be encrypted with a tool called "FileVault". FileVault's encryption was linked to the user's Keychain, which is the service that manages security credentials for a user on OS X. The keychain password is linked to a user's login password by default. If a user's password is forcibly changed, the keychain cannot be unlocked unless the original password is provided. This goes for home directories secured with FileVault.

OS X 10.7 introduced FileVault 2, an improvement over the existing program, which introduces full disk encryption. The entire hard drive is secured inside of an encrypted envelope. Every file on the hard drive is encrypted with FileVault 2. Data integrity becomes ever-more important when full disk encryption is brought into the picture. The loss of a user's password, and/or the recovery key will render the data on the hard drive inaccessible. Many folks shy away from full disk encryption just for that reason. The recovery key is generated by FileVault before encryption takes place. Write it down and place it in that same safe place as you did for the firmware password. The importance for preserving that recovery key is absolute, if it is lost along with the user's password, all chances of getting the data back are gone as well. A valid and recent backup should always be kept for any computer, regardless of encryption.

The backup also is important because it can serve as a way to access encrypted data without ever needing to touch the encrypted Mac. OS X 10.5 introduced "Time Machine", an integrated backup program, which makes whole disk copies of OS X to an external USB or FireWire drive. If a thief were to just steal the backup drive, he/she would have all of the data on the hard drive. Apple thought of this and has give Lion's version of Time Machine the ability to encrypt the backup drive. Encryption takes time. The amount depends solely on the size of the hard drive and the speed of the computer. Enable FileVault as the last step in configuring a Mac. I often let the encryption sequence for drives run overnight.

To enable FileVault 2 encryption on OS X 10.7 "Lion" perform the following.

Log in as an administrative user and open the "System Preferences".

Go to "Security & Privacy" section and select the "FileVault" tab.

Unlock the preference pane, if necessary.

Click the "Turn On FileVault…" button. FileVault will present a list of all users on the Mac. This is to allow their accounts to "unlock" the hard drive and log in to OS X after FileVault has encrypted the drive. Each user's individual password is required for this step. If they can't unlock the drive, the only way for them to log in is to have a permitted user unlock the drive, log in first, and the use fast user switching to get the other user on the system. Fast user switching would also have to be enabled from the "Users & Groups" section of "System Preferences" for this to work. I would permit all local users on the Mac to unlock the drive out of complexity reasons alone. Ideally their should only be two users on the Mac anyway.

The Mac will restart next. After the restart, log back in as the administrative user and go back to the FileVault section in System Preferences. FileVault will start encrypting the disk at that time. Be patient! Full disk encryption will take a decent amount of time. A 320GB, 5400 rpm rotational hard drive will take around six hours to fully encrypt. Just leave the computer alone and let it finish. Make sure the A/C power supply is attached to any laptop during this process.

6. Enable OS X's built-in firewall… For some reason, the built-in firewall on OS X 10.7 is off by default. A firewall keeps incoming network traffic off of the computer. The firewall specific to OS X only filters incoming traffic, everything outgoing is not regulated. There are many settings that can be set on the firewall in addition to on or off. Going back to the "Security & Privacy" settings will show the "Firewall" tab right next to the "FileVault" tab. Simply click "Start" will turn the firewall on. The "Advanced…" button, to the bottom right, makes additional settings available.

"Block all incoming connections" does exactly what it states. This is the most secure setting and great for laptops being used on public networks. Services like file sharing and iTunes sharing will not work under this setting.

"Automatically allow signed software to receive incoming connections" will evaluate software requesting incoming connections to see if they have been underwritten by a third-party certificate. This will not "prevent" a bad connection from accessing the computer, just one that cannot be vouched-for by an external party.

"Enable stealth mode" blocks all incoming connections and masks the computer's presence to the network. Remote connection attempts, port scans, pings will all go unanswered to any device asking.

Applications requiring an incoming connection, through the firewall, will prompt for access. Once granted, an exception will be made to the firewall, allowing future access for the same program. For laptops, I enable the firewall and use stealth mode to fly under the network RADAR. If I know a Mac will not need to share any resource, or have remote access, then I will use the safest option "Block all incoming connections". Nothing gets in that way.
Jason WatkinsIT Project Leader

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.