Solved

How does IT handle MACs on network?

Posted on 2010-01-06
Last Modified: 2012-05-08
Hello -

I'm an IT Manager for a medical practice and many of our doctors are convinced that MACs are 100% secure. We all know that isn't true, so I need to have proof whether MACs will or will not work securely on a business network. We invest in many layers of security and I must make sure I have a solid understanding of what other IT admins are doing in this situation.

Thanks so much!

nimdatx
Question by:Jaime Campos
15 Comments
 
LVL 10

Accepted Solution

by:
robertcerny earned 800 total points
ID: 26191817
Hello,
I think that your question is too generic to get an exact answer. 100% security is nonsense, as every professional admin knows, and you mentioned that you have already secured your network (Firewall/VPN etc.), so my answer is focused on Mac clients only.

1. Don't give your users admin rights
2. If they use Parallels Desktop/VMware to virtualize Windows, be sure to use antivirus software there
3. You and your IT colleagues should be the only ones who install/configure software on Macs
4. Set up Single Sign-On with nontrivial passwords
5. Don't forget that Mac OS X is a UNIX-based system and a lot of _hackers_ utilities exist there (nmap, ettercap, wireshark...) and a possible attack could come from the internal network
6. Disallow your Mac users from using Samba sharing on their computers

Basically, there are no Mac-based viruses at the moment. There is some discussion whether an application which asks for an admin password before doing _bad_ things is or is not a virus, but it's not so important for the answer.
0
 
LVL 9

Assisted Solution

by:cmorffew
cmorffew earned 800 total points
ID: 26191912
I currently have a Mac/PC environment. We run approx. 50 PCs and 6 G5s (Macs).

They are really good regarding viruses as there are "virtually" no viruses for the Mac - granted there are some that require a user to actually add the app to their system, but the overall system security is such that nothing can be installed without an admin password. In Windows some software etc. can be installed without being an admin; however, on the Mac I have that locked to only the machine admin so a normal user cannot install software. - I find the Macs to be better at stopping software installs than the PCs.

In the 4 years I have been managing this network I have little or no support issues with the Macs and plenty with the PCs. :-)

We did implement Active Directory with the Macs so we can keep all users on the DC and manage them from there. They have full access to all our Windows shares on the servers and have no issues printing on the network.

Hope that helps.
0
 
LVL 1

Author Comment

by:Jaime Campos
ID: 26192086
Do you know of any documents stating if MACs on the Network are secure or not (need proof) and step by step on how to configure them to harden the OS and lock them down?

Is there a document for best practices for MACs on a Medical business Network?

Any documents on how to implement within Active Directory?

Can you enforce GP on a MAC? If so, can you list a link on how-to?

What AV do you recommend and why?

Can you explain the bottom statement further? What attacks from internal network?
Don't forget that Mac OS X is a UNIX-based system and a lot of _hackers_ utilities exist there (nmap, ettercap, wireshark...) and a possible attack could come from the internal network

0
 
LVL 9

Expert Comment

by:cmorffew
ID: 26192469
I suggest you review the Mac website for security info: http://www.apple.com/macosx/security/

Article on AD and Macs:
http://images.apple.com/business/solutions/it/docs/Best_Practices_Active_Directory.pdf

Great article on security:
http://arstechnica.com/apple/news/2008/04/mac-os-x-security.ars

Point 5 in Robertcerny's response is the same for any computer - there are more hacking utils available for PCs than Macs. A properly configured Mac/UNIX machine is more secure than a PC; Mac/Unix/Linux machines' only weakness is the root password. Assuming the root password is complex enough and no services/applications/users log in as root, then there are no issues.
For your medical network, you will not be allowing non-staff to access the machines and there should be no way for someone in the waiting room to plug in to your network (you said you have multiple levels of security). This way there would be no way for a "hacker" to run these tools. PCs are more susceptible to "script kiddies" than any UNIX-based system.

I believe the only way to enforce a PC-based Group Policy is through a 3rd party add-on. I also believe that you will need a Mac Server to implement policies in that context. We don't really have any policies on our Macs, for that reason. I have just locked down each individual Mac with a local admin account.

I do not recommend any AV for the Mac, yet. :-)

Hope that helps.
0
 
LVL 10

Expert Comment

by:robertcerny
ID: 26192773
Hello,
First, Mac OS X and Mac OS X Server are certified under the internationally-approved Common Criteria security standard. For additional info please check the following link:
https://ssl.apple.com/support/security/commoncriteria/

Apple runs a web site related to Mac OS X security:
http://www.apple.com/support/security/

To integrate Mac OS X with Active Directory:
http://images.apple.com/business/solutions/it/docs/Best_Practices_Active_Directory.pdf

To implement GP on Mac OS X you need Mac OS X Server or advanced knowledge of Mac OS X and special software. I could recommend consulting somebody from the Apple Professional Network in your area:
https://i7lp.integral7.com/durango/do/pr/prSearch?ownername=apple&channel=apple

I personally stick with open-source tools if possible, so ClamAV is my option. There are Mac clients of SophosAV and others, but they of course focus on Windows-based viruses and macro viruses of MS Office on both platforms.

The last recommendation was more of a side note. It was meant to remind you that there are some experienced users out there who utilize the terminal and UNIX internals of the system and could install network tools which don't have icons and are almost invisible. These tools could portscan your servers, do dictionary-based attacks etc.
0
 
LVL 1

Author Comment

by:Jaime Campos
ID: 26193019
Last question...

If a user runs XP virtually, you mentioned to use an AV on the XP side, so if I use ClamAV will that still protect from the XP side or should I have one AV for XP and one for MAC OS?

Thanks.
0
 
LVL 10

Expert Comment

by:robertcerny
ID: 26193159
Nope,
you definitely need to install AV inside of the virtualized system.
0
 
LVL 1

Author Comment

by:Jaime Campos
ID: 26194501
Why would I do these two:
Setup Single SignOn with nontrivial passwords

Disallow your Mac users from using Samba sharing on their computers

0
 
LVL 10

Expert Comment

by:robertcerny
ID: 26194651
Set up Single Sign-On with nontrivial passwords
- It allows you to push GP at least in the passwords area (combining numbers and letters etc.) so it moves the security level higher

Disallow your Mac users from using Samba sharing on their computers
- Macs are immune to Windows viruses but they still can be saved/distributed to their shares. Disabling Samba effectively kills this issue
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 400 total points
ID: 26196156
Here's my $0.02

Handle your Macs as aggressively as you handle your Windows machines.

A lot of Mac apps don't need to be installed to run because almost every necessary component is packaged into a single file.

If you want to manage your Macs like a Windows machine, check out http://www.centrify.com. This app will allow you to manage your Macs through Active Directory group policy objects.

For passwords, you can be as complex as Windows networks.

Hope this helps and shoot any other questions you have.
You should get yourself a Mac mini server. This would be used for deployment and reinstallation a.k.a. netboot/netinstall. Think of this as RIS for Macs.

Yes, Macs do not have as many viruses as Windows, but then again, why would you try to wreak havoc on an install base that is less than 10 or 12% globally. I would still get an AV solution such as Sophos for Macs as there are more viruses that seem to be appearing for the Mac OS as this OS gains popularity.

For remote management, as Real VNC, TightVNC, Chicken of the VNC or any other iteration out there.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 26199490
I dug up this support thread here on EE.  Check it out.  I have a screenshot in there of how Centrify helps you manage your Macs via AD http://www.experts-exchange.com/Apple/Operating_Systems/OS_X/Snow_Leopard_OS_10.6/Q_24930218.html
0
 
LVL 1

Author Comment

by:Jaime Campos
ID: 26204334
nappy - Very good info. THANKS. I'm going to try Centrify for 30/60 days and see if all works out. I'm concerned about how well it uninstalls if I decide not to use it. Any ideas?

Robert - THANKS
CMORF - THANKS

I really appreciate everyone's help.
nimdatx
0
 
LVL 1

Author Comment

by:Jaime Campos
ID: 26204391
nappy - Do you have any information on your suggestion?

You should get yourself a Mac mini server. This would be used for deployment and reinstallation a.k.a. netboot/netinstall. Think of this as RIS for Macs.

What is RIS for Macs?
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 26204565
Have you ever used RIS to deploy Windows computers?

With netinstall/netboot, just like RIS, you can make a "golden" image for your computers, boot from the network, and install the machine, all in under 45 minutes.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 26204570
Open a new topic on this discussion and I can go into more detail.

0
