Securing your computer: Macintosh Quick-Click Guide

“The security systems have to win every time, the attacker only has to win once.”
- Dustin Dykes

[minor updates and corrections: Monday, August 4th, 2008 03:37:58 PM PDT]

[Bonus material is available for some items. Use this link to show all “Bonus Material” { + } ]

If you have not yet had a chance to securely configure your Mac OS X system to meet the campus Cyber Safety Program policy requirements, you may find this Quick-Click Guide useful.

Another source that may provide a useful example of how to introduce your users to computer security is my podcast: Secure Your Computer Now.

Checklist
System Preferences

Date & Time
Accounts
Security
Screen Saver
Software Updates
Sharing (& Firewall)

Password Complexity
Why do I need a long password?
AntiVirus
AntiTrojan (?), e.g. OSX/Leap-A
AntiSpyware
E-mail Relay
Proxy Server
Keychain Access
Other Safe Computing Practices
Additional & Advanced Security Settings
References

This note describes Mac OS X configuration settings for Cyber Safety Program compliance. It is terse and bare-bones, but it does give you a recipe of things to click and check. (Additional detail and discussion can be viewed by clicking on the named sections in the checklist.)

Systems should remain isolated from the operational network until they are completely and securely configured whenever possible; use of an isolated test network is recommended for installation and configuration.

The U.S Computer Emergency Readiness Team (US-CERT) site contains an excellent document describing steps you should take before you connect a computer to the Internet. The page contains configuration information for both Windows XP and Mac OS X users.

   http://www.us-cert.gov/reading_room/before_you_plug_in.html/

Before you begin, the unit checklist should be downloaded from:

http://computing.geology.ucdavis.edu/security/Pauls_unit_checklist_mac.pdf

Keep the checklist handy and check things off as you complete them.

At the top of the checklist are places for serial number, and ethernet and wireless IDs. These can be viewed by opening About This Mac from the Apple menu, and then selecting More Info... The serial number is in the Hardware section. The network IDs are in the Network section, under MAC address or hardware address.

Set Up System Preferences

Date & Time
Date & Time preferences should be set to use a network time server to ensure correct time entries in the audit logs.
1. Open System Preferences and click Date & Time
2. If settings are dimmed, click the lock icon and type an administrative name and password
3. Click Date & Time
4. Select the “Set Date & Time automatically” checkbox. The server should be set to: time.apple.com
Accounts
1. Open System Preferences and click Accounts
2. If settings are dimmed, click the lock icon and type an administrative name and password
3. Ensure each account has a good password
4. Click Login Options and deselect “Automatically log in as:"
5. (recommenced) Select the “Name and password” button
Checklist: If you have done Accounts-3 and -4, you may now place a check in the Yes column for item #5, listed under I-D Authentication, on the unit checklist.
Security
1. Open System Preferences and click Security
2. If settings are dimmed, click the lock icon and type an administrative name and password
3. Select “Require password to wake this computer from sleep or screen saver” checkbox
4. Select the “Disable automatic login” checkbox
5. Select the “Require password to unlock each secure system preference” checkbox
6. (Mac OS X 10.4) Select the “Use secure virtual memory” checkbox.
Checklist: If you have done Security-5, you may now place a check in the Yes column for item #6, listed under I-D Authentication, on the unit checklist.
Screen Saver
1. Open System Preferences and click Desktop & Screen Saver
2. If settings are dimmed, click the lock icon and type an administrative name and password
3. Click the Screen Saver button
4. Select a screen saver in the list, or select the “Use Random screen saver” checkbox to see a different screen saver each time the screen saver is activated
5. Drag the “Start Screen saver” slider to choose when the screen saver starts. It's required that this be set to 20 minutes or less by campus policy
Checklist: If you have done Security-3 and Screen Saver-5, you may now place a check in the Yes column for item #12, listed under I-F Physical Security, on the unit checklist.
Software Updates
1. Open System Preferences and click Software Updates
2. If settings are dimmed, click the lock icon and type an administrative name and password
3. Click Check for Updates and set the interval to Weekly or Daily
4. If you have Microsoft Office 2004 installed, launch /Applications/Microsoft AutoUpdate.app, click Automatically and set the interval to Weekly or Daily
5. If you have other applications that provide security updates, such as Adobe products, configure them to update Weekly or Daily too.
[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]

Checklist: If you have done Software Updates-3 (and, optionally -4), you may now place a check in the Yes column for item #1, listed under I-A Software Patch Update, on the unit checklist.
Sharing (& Firewall)

Open System Preferences and click Sharing
If settings are dimmed, click the lock icon and type an administrative name and password
Click Services
Turn off (uncheck) all unneeded services in the list

Apple Remote Desktop
Remote Login

NOTE: The Remote Login service allows users to access the machine remotely. And so, it provides a means for unauthorized users to access the machine remotely. If it is operationally ncessary to run Remote Login/SSH, then altering the default settings is recommended. (See Remote Login in the advanced section below.)

Click the Firewall button
If the Firewall is off, click Start

Apple Remote Desktop
Remote Login
iChat (there may be several of these)
Retrospect
Network Time

If you are running Mac OS X 10.4 (Tiger), click the advanced button and enable firewall logging

Checklist: If you have done Sharing-4, you may now place a check in the Yes column for item #4, listed under I-C Insecure Network Services, on the unit checklist.
Checklist: If you have done Sharing-6 (and, optionally -7), you may now place a check in the Yes column for item #15, listed under I-G Firewall Services, on the unit checklist.

Password Complexity
The following only works on Mac OS X 10.4 (Tiger) and later.
1. Log into an administrator account on your computer
2. Launch Terminal (located in /Applications/Utilities)
3. Paste the following line into the Terminal window, and then press the return key
4. When prompted, enter your password (this is your local administrator password on your Mac). In typical UNIX fashion, if you get no error message, you can probably assume the command worked.
5. Type “exit” in the Terminal window and then quit Terminal
  Note: A user who gets maxFailedLoginAttempts will disappear from the login screen if you are using the icon display. They will need to be re-enabled with:
```
   pwpolicy -a `whoami` -u shortusername  -enableuser
```
  Similarly, you can disable logins for a user, leaving their files intact for later reuse, and removing their name and icon from the icon-view login window, with:
```
   pwpolicy -a `whoami` -u shortusername  -disableuser
```
  See: man pwpolicy for more details on what each option does.
Checklist: If you have done all the steps in Password Complexity, you may now place a check in the Yes column for item #7, listed under I-D Authentication, on the unit checklist.

Why do I need a long password?
Remember in my CyberSafety talk I described how, if a hacker had access to your encrypted password (called a password “hash"), that they could crack any arbitrary 8-character password (and 14-character LanManager passwords) in about a minute?
Well they've upgraded their hardware and shortened the average time to 0.08 seconds.
Here's some boasting from their website:

"Pre-computed hash tables are files that include every possible hash,
along with it's plaintext, this is much quicker than a simple brute force,
and much more thorough than a dictionary attack... We have developed a
unique solution for our customers that dramatically speeds up the
dictionary process. Your hashes are automatically checked against our
dictionary, at an average of .08 seconds per hash!"

So passwords are pointless?
No, they just need to be longer—10 characters is a start, 12 characters long is better.
Cracking a 12-character password could require as much as 260,000,000 times the resources as an 8 character password.
And here's an article about it (Thanks, Sherie):
NEW SERVICE CRACKS PASSWORDS
The Register, November 10, 2005
Entire article: http://www.theregister.co.uk/2005/11/10/password_hashes/
Summary: Three computer hackers have set up a Web site that offers access—for a fee—to so-called rainbow tables, which are said to allow cracking of most passwords. Computers use codes, or hashes, to conceal user passwords. The creators of the RainbowCrack Online Web site spent two years generating hashes for virtually all possible passwords and storing them in vast tables. With the tables, breaking a password becomes as simple as looking up the hashes and working backwards to the password. Developers of RainbowCrack said the service is not intended for malicious uses but as a tool for network administrators to improve the security of their systems. Security expert Bruce Schneier disagreed, saying he doesn't see any “legitimate business demand” for the service. Philippe Oechslin of Swiss firm Objectif Securite said that system designers can easily incorporate elements into password schemes that add sufficient complexity as to make rainbow tables ineffective in cracking passwords. Schneier said that although such changes are not difficult, very few systems are designed to use them. “A lot of systems are weak,” he said.

Anti-Virus

Before You Install Sophos AntiVirus
Before you install Sophos Anti-Virus you NEED to uninstall any existing Anti-Virus software!
- To Uninstall Symantec AV for Mac OS X, you need to run the Symantec (or Norton) uninstall utility. On your computer's hard disk, the path to the Uninstall program is:
  Applications => Symantec Solutions => Symantec Uninstaller
  The Symantec uninstall utility is also available on recent versions of the UC Davis Internet Tools CD as well as directly from Symantec's support site:
  http://service1.symantec.com/SUPPORT/num.nsf/docid/2002110814042611/Applications/Symantec Solutions/Symantec Uninstaller
  NOTE: If the Symantec Uninstaller reports that there is nothing to uninstall, but you know it is installed, e.g. can see Symantec AntiVirus in the Symantec Solutions folder, you will need to reinstall Symantec AntiVirus and then run the uninstaller again (sheesh!).
- To Uninstal Symantec AV for Windows, see this link:
  http://xbase.ucdavis.edu/itexpress/?f=art&art=1463

Install Sophos AntiVirus
1. Log into the software page at my.ucdavis.edu page
2. Select Anti-Virus from the list on the left side of the page
3. Click Sophos: Single-Machine
4. Download the appropriate software for your platform
5. Double click the “SophosAV_version.dmg” icon
6. Double click the “Sophos Anti-Virus Installer.mpkg” icon
7. Install Sophos Anti-Virus
8. Authenticate as an administrator, when prompted
9. Close the installer when finished
10. From the blue Sophos shield in the Menu Bar, select “Update Now”
11. When the update finishes, you may close the AutoUpdate Status window
12. Restart your computer
13. Log back in
14. The next, and final, step is to do a full scan of your computer.
  Select Open Sophos Anti-Virus... from the blue Sophos shield in the menu bar at the top of your screen.
  Select the drive(s) you want to scan (so that the little dot to the left of the drive name is green and bright ), and click the green start button.
15. ... go do something useful until it is done.
Checklist: If you have done all the steps in Install Sophos AntiVirus, you may now place a check in the Yes column for item #2, listed under I-B Anti-virus Software, on the unit checklist.
Trojans — OSX/Leap-A-style Trojan protection

[The Trojans material is available as Bonus Material. Use this link to show all “Bonus Material” { + } ]

Other Issues

Anti-Spyware
Few spyware programs that affect Mac OS X have yet been identified (as of Monday, August 4th, 2008). Hence, there currently are only a very small number of bona fide Macintosh products that claim to eradicate it.
One of the side-effects of a one-size-fits-all policy is the ironic result that, if you run Mac OS X, you will need to seek an exemption for checklist items #24 and #25, listed under II-F Anti-Spyware Software. If Mac OS X was the target of widespread spyware there would be a variety of solutions available for installation, as in the Windows world. Because there is no glaring vulnerability, there are few solutions to install, much less to update on a regular basis, so you will need to seek an excemption from this standard.
Checklist: If you are running Mac OS X, you may now place a note requesting an excemption in the appropriate column for items #24 and #25, listed under II-F Anti-Spyware Software
No Open Email Relays
Don’t know if you are running an Open Email Relay? If you are running a mail relay, it would be because you had set one up, and presumable you would know about it. Or a hacker could have broken into your machine and set one up. Here’s a way to check if your machine is running a mail server on the standard smtp port.
1. Launch Terminal (located in /Applications/Utilities)
2. Paste the following line into the Terminal window, and then press the return key
3. You should see something like the following “Connection refused” message right away, indicating that no service is running on port 25:
```
   Trying 38.103.63.60...
   telnet: connect to address 38.103.63.60: Connection refused
   telnet: Unable to connect to remote host
```
4. If your firewall is set to “Stealth Mode” you will get a “Trying address..." message right away, but the connection will take a while to timeout. After about a minute, instead of connection refused. you will get an “Operation timed out” message, such as:
```
   Trying 38.103.63.60...
   telnet: connect to address 38.103.63.60: Operation timed out
   telnet: Unable to connect to remote host
```
  In either case, you’re probably good. (For now.)
5. If you get a “Connected to hostname” message, you’ve got a problem, see your system administrator right away!
Checklist: If your computer is not running a mail relay, you may now place a check in the Yes column for item #16, listed under II-A No Open Email Relay
Proxy Server
Don’t know if you are running an Proxy Server? If you are running a proxy server, it would be because you had set one up, and presumable you would know about it. Or a hacker could have broken into your machine and set one up.
If you have not set one up, if your firewall is enabled, and if "Personal Web Sharing” is not enabled in the firewall (see Sharing/Firewall section above), then you are probably OK.
Checklist: If your computer is not running a proxy server, you may now place a check in the Yes column for items #17 & #18, listed under II-B Proxy Services
[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]
Keychain access

In Mac OS X 10.3 (Panther):

Launch /Applications/Utilities/Keychain Access.app
from the View menu, select the “Show Status in Menu Bar” item
Quit Keychain Access

In Mac OS X 10.4 (Tiger):

Launch /Applications/Utilities/Keychain Access.app
Select Preferences from the Keychain Acess menu
Select the “Show Status in Menu Bar” checkbox
Click Certificates
Select “Best Attempt” for both “Online Certificate Status Protocol” and “Certificate Revocation List”
Close Preferences
From the Edit menu select “Change Settings for Keychain “login&rduo; ”
(optionally) Select the “Lock after 20 minutes of inactivity” checkbox
Select the “Lock when sleeping” checkbox
Click Save
Quit Keychain Access

A padlock icon will appear in the menu bar with options to lock the scress and/or your keychain. You can use the Lock Screen option to lock your screen immediately before you step away from your computer.

Checklist: This provides an immeditate way to lock the screen, additionally meeting item #12, listed under I-F Physical Security, on the unit checklist.

The Keychain Acess application also allows individual access controls to be placed on keys in the keychain. If you have keys that grant access to particularly sensitive information, I recommend that the access control for that key be changed to "Ask for keychain password."

To configure this for a key:

Launch /Applications/Utilities/Keychain Access.app
Double-click on the key you want to change
Click “Access Control"
Select the “Ask for keychain password” checkbox
Click Save
Quit Keychain Access

Other Safe Computing Practices

Securing Your Web Browser

The U.S Computer Emergency Readiness Team (US-CERT) site contains an excellent page designed to help you configure your web browser for safer internet surfing. It is written for home computer users, students, and business workers. The page contains configuration information for both Windows and Macintosh users, with instructions for all the major web browsers.

   http://www.us-cert.gov/reading_room/securing_browser/

Safe Computing

The U.S Computer Emergency Readiness Team (US-CERT) site contains a variety of excellent publications and pages where you can learn more about computer and workplace security.

   http://www.us-cert.gov/reading_room/

Safety tips for handling email attachments and content downloaded from the Internet

   http://docs.info.apple.com/article.html?artnum=108009

Symantec Recommendations

A Symantec posting, concerning the “Mac OS X Archive Metadata Command Execution Vulnerability,” at

   http://securityresponse.symantec.com/avcenter/security/Content/16736.html

has the following recommendations:

Do not accept or execute files from untrusted or unknown sources.
Do not open files that originate from unknown or untrusted sources, even those considered to be of a safe file type. This will mitigate against this and other latent vulnerabilities.
Run all software as a non-privileged user with minimal access rights.
Always perform daily tasks as an unprivileged user with minimal access rights. This will limit the consequences of successful exploitation of this and other latent vulnerabilities.

Note:

Most of the remaining items in the checklist require inspection of
files, behavior modification, or individual policy decisions that are
beyond the scope of this “Quick-Click” Guide.
Additional information and discussion of these issues can be found at:
http://security.ucdavis.edu/cybersafety.cfm

Bonus Material: Additional & Advanced Security Settings

The following items are not specified by the Cyber Safety Program, but they involve security settings you may find useful. For some of these suggestions, you should be familliar with the UNIX command line and editing plain text configuration files. Most of these operations will require administrator access and it is strongly recommended that each file be backed up before editing it.

Disclaimer
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing these recommendations to address local operational and policy concerns.

File System default file protection (umask)

The default umask on Mac OS X systems is 022; this means that be default all users are granted read access to all newly created files. One recommendation is that this be changed to 077 so that only the creator has access to the file. In Mac OS X the umask value must be specified in decimal; the octal value 077 is decimal 63. To change the default umask value:

Log into an administrator account on your computer
Launch Terminal (located in /Applications/Utilities)
Paste the following line into the Terminal window, and then press the return key

   /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 63

When prompted, enter your password
And paste the following line into the Terminal window, and then press the return key

   /usr/bin/sudo /bin/chmod 644 /Library/Preferences/.GlobalPreferences.plist

Type “exit” in the Terminal window and then quit Terminal

To return the umask value to the default setting of 022, use the following command:

      /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 18

022

18

Remote Login - SSH Options

The Remote Login service allows users to access the machine remotely using SSH. The service should be disabled if not required because it also provides a means for unauthorized users to access the machine remotely. If it is operationally ncessary to run Remote Login/SSH, then altering the default settings is recommended.

Versions

The default installation of OpenSSH allows both SSH version 1 and version 2 connections. Version 1 suffers from security vulnerabilities. I recommend that only version 2 be used. To disable version 1 connections, edit the file /etc/sshd_config and change the line that starts with:

#Protocol 2,1

to:

Protocol 2


/usr/bin/sudo /usr/bin/vi /etc/sshd_config

Connections

By default, xinetd and ssh accept connections from all hosts. To change this behavior, add the line

   only_from =

deny

/etc/xinetd.conf

# man xinetd.conf for more information

defaults
{
        instances               = 60
        log_type                = SYSLOG daemon
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
        per_source              = 10
        only_from               = 
}

includedir /etc/xinetd.d


/usr/bin/sudo /usr/bin/vi /etc/xinetd.conf

/etc/xinetd.d/ssh

   only_from = 38.103.63.0

(using the appropriate numbers and syntax for your netowrk). For example, edit or crete the file /etc/xinetd.d/ssh so that it look like:

service ssh
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/sshd-keygen-wrapper
        server_args     = -i
        groups          = yes
        flags           = REUSE 
        session_create  = yes
        only_from       = 38.103.63.0
}


/usr/bin/sudo /usr/bin/vi /etc/xinetd.d/ssh

IPV6

flags =

only_from

Set the ownership and protection for these updated files with:

   /usr/bin/sudo /usr/sbin/chown root:wheel /etc/xinetd.conf
   /usr/bin/sudo /bin/chmod 444 /etc/xinetd.conf
   /usr/bin/sudo /usr/sbin/chown root:wheel /etc/xinetd.d/ssh
   /usr/bin/sudo /bin/chmod 444 /etc/xinetd.d/ssh

You need to restart the xinetd proccess to have the changes to the configuration files take effect. To reset the xinetd process open a terminal window, paste in the following command, and press the return key.

   /usr/bin/sudo /bin/kill -HUP `cat /var/run/xinetd.pid`

On the other hand, if for some bizarre operational requirement you need to keep SSH open to the world and you're are getting lots of these in your logs:

   myhost sshd[9987]: error: PAM: Authentication failure for admin from a.b.c.d
   myhost sshd[9987]: error: PAM: Authentication failure for guest from a.b.c.d
   myhost sshd[9987]: error: PAM: Authentication failure for root from a.b.c.d
   myhost sshd[9987]: error: PAM: Authentication failure for webmaster from a.b.c.d

Then think about the following:

Thomas Knox writes:
Date:    March 6, 2006 6:42:58 AM PST
Subject: Re: Mac OS X hacked under 30 minutes

If you do have SSH on your Mac open to the world, here's a short script I 
hacked up to at least stop script kiddies from hammering SSH with 
dictionary attacks (or other BFMI attacks) against your system:

   #!/bin/bash
   
   /usr/bin/tail -f /private/var/log/system.log | \
       /usr/bin/grep Failed\ password | /usr/bin/grep illegal\ user | \
       /usr/bin/awk '{system("/sbin/route add " $13 " 127.0.0.1")}'

Just nohup it into the background as root when you boot the system, and 
make sure that it gets re-started when your system.log file is rotated.

Tom

But as you can see, there a couple of minor flaws or considerations with this technique...

Security - Advanced

Global (computer-wide) setup to “Require password to wake this computer from sleep or screen saver"

The challenge: Apple considers this to be a user level setting. The preference is stored in the ByHost folder of the user’s ~/Library/Preferences in a plist file that is named in a machine-specific way by built-in ethernet hadrware address. For example:

   com.apple.screensaver.aa0004005364.plist

To force this setting to apply to all users of a machine, you can setup a “login hook". If you don’t know what that is, talk to your system administrator before proceding...

NOTE: The command “/usr/bin/sudo /usr/bin/defaults write...” used in the instructions below only works in Mac OS X 10.4 (Tiger) and later. For instructions for enabling a login hook in 10.2 and 10.3, and 10.4.2 and later, see: http://docs.info.apple.com/article.html?artnum=301446

You should study and understand what these files do before implementing this. Here are the commands (adapt this for your own site.)


/usr/bin/sudo /bin/mkdir /Library/GEOadmin
/usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/geo-sslock.plist -s -o /Library/GEOadmin/geo-sslock.plist
/usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/login.hook-geo -s -o /etc/login.hook
/usr/bin/sudo /bin/chmod 700 /etc/login.hook
#
# then you need to modify root's com.apple.loginwindow.plist 
# not /Library/Preferences/com.apple.loginwindow.plist
#
/usr/bin/sudo /usr/bin/defaults write /private/var/root/Library/Preferences/com.apple.loginwindow LoginHook /etc/login.hook

[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]

II-C Audit Logs

This item requires: “A policy has been developed and implemented defining the use, inspection and retention of audit logs.”

The policy is up to you. Here is a link to an article on how to set up a syslog server on a Mac OS X (Tiger) machine.

The article is by AaronAdams on the www.afp548.com web site:
Configuring Tiger’s syslogd to accept logs from external devices

Near the end of the article, AaronAdams describes setting up an /etc/daily.local script to keep the log working after the periodic daily script runs. My experience is that you also may need to create /etc/weekly.local and /etc/monthly.local scripts with the same content to keep the log working after the periodic weekly amd periodic monthly scripts run.
To get clients to send log messages to your syslog server you need to add a line to the /etc/syslog.conf configuration file on each client. The line contains two parts: what to log (in terms of facility and severity level) and the destination (where to send the message). Assuming you wanted to send messages of severity *.warning, and higher, to your logging host, biglog.example.net you would add a line similar to the following to the /etc/syslog.conf file on each client:
    *.warning	    @mybiglog.example.com
Be sure to read the man syslog.conf file for full datails about the severity level and file format. NOTE: This is one of those UN*X configuration files where the action (level and severity) and the destination fields of the configuration line must be separated by a TAB character, not just whitespace.
/usr/bin/sudo /usr/bin/vi /etc/syslog.conf
This is how you would configure other unix and unix-like systems to log to your server, too.
My experience with Mac OS X 10.4.3 is that you may need to create /etc/daily.local, /etc/weekly.local, and /etc/monthly.local scripts with the same content as describe in the article to keep the log working after the periodic daily, periodic weekly, and periodic monthly scripts run.
After making the configuration change to the on the client you will either need to reboot, or restart the syslogd daemon to get the changes to take effect. The easiest way to restart the syslog daemon, assuming you’ve created the /etc/daily.local file, is simply to invoke that file with /usr/bin/sudo. For example:
   /usr/bin/sudo /etc/daily.local
[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]

Your syslog server does not need to be a Mac OS X Server machine. Mac OS X (Tiger) client works just as well. You will need to add a firewall entry to allow UDP traffic to reach the server on port 514. You should also realize that without additional configuration your syslog server may be vulnerable to a Denial-of-Service through port 514, or from log file overflow. Plan wisely.

Much of the material in this document is derived from information in:

Apple’s Common Criteria Configuration and Administration Guide
A Corsaire White Paper: Securing Mac OS X
Apple Mac OS X v10.3.x “Panther” Security Configuration Guide by the National Security Agency.

Apple Mac OS X Server v10.3.x “Panther” Security Configuration Guide by

and my own experience and the advice of others.

Please send comments, corrections, and suggestions to: waterstraat@geology.ucdavis.edu