To secure a Mac workstation, remember the users

Ryan Faas   Today’s Top Stories   or  Other Macintosh OS Stories  

Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare Windows Vista® Migration: What Really Happens? A Customer's Perspective Real-time collaboration and development with IBM Rational Team Concert streamlines any project Myth of the Million Dollar Database Case Study: AISO grows its "green" business Beyond consolidation: five reasons why you should start virtualizing SaaS Solutions for Remote Systems Management Compterworld Technology Briefing: Intelligent Users Use Business Intelligence Computerworld Report- Large Enterprises Pay More for IPAM Sign up to receive Hardware Resource Alerts

September 27, 2005 (Computerworld) -- Earlier in this series on Macintosh security, I discussed how to physically secure workstations within an infrastructure (see "Workstation security: Lock down that Mac") and how to use the various Open Firmware modes in modern Macs to keep hostile users from bypassing security by booting from an alternate start-up disk (see "Open Firmware Security for Mac Workstations"). I want to continue my discussion of workstation security by describing a number of ways you can configure individual workstations to make their local resources and data (and, thus, your entire infrastructure) more secure.
Securing the data on a workstation means securing user files and folders as well as application folders and operating system components. The goal is to ensure not only that the data that users store on their workstations is safe from prying eyes, but also that any information about your network at large is safe. You also need to maintain the stability and integrity of the workstation so that it can't be hijacked for nefarious purposes.
Some of the tactics here may not be appropriate for every network or every workstation. Some may compromise functionality that you need. Some apply more to Mac OS X Server infrastructures, while others apply more to stand-alone installations. As always, a system administrator's job involves striking a balance between practical user needs and security. Your mileage may vary.
Don't show any user data
Every Mac log-in window, including those in Mac OS X, and Mac OS 9 with multiple users or Mac Manager -- offers you the option of displaying a list where users select their name and then enter their password. This approach is the default for Mac OS X installations. It's graphically attractive, and it can be a major security hole. It displays every user's name to anyone who sits at the workstation. This means that intruders know immediately which usernames are valid; they need only guess someone's password to gain access. Granted, a standard naming scheme may make it easy to guess someone's username, but every step toward security helps. Also, in Open Directory infrastructures, this list is transmitted across the network whenever the log-in Window loads (possibly in clear text), further lessening security. Don't display usernames.
On the same topic, don't use password hints. This isn't an option for directory domain user accounts anyway. But in stand-alone installations, using hints seriously compromises the integrity of passwords. It's far better to make users call the help desk for password resets than it is to take this security risk.
On a related note, don't enable fast user switching in Mac OS X (available in Versions 10.3 or higher). This applies to both stand-alone

Continued...
1 | 2 | 3 | NEXT  

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"The much-maligned Microsoft Zune apparently has the world's most powerful man as its fan. President-elect Barack Obama was seen using..." Read more... "In Thursday's..." Read more... Read more Macintosh & Apple posts or See all Blogs

Windows users indifferent to Microsoft patch alarm, says researcher Tech jobs down sharply but not out Apple yanks antivirus advice from its Web site More top stories...

Microsoft slates 8 bug updates for year's final Patch Tuesday De Beers tries to force spoof news Web site offline over fake ad Microsoft confirms Yahoo's Lu to run online services

Review: The new MacBook Air, now with extra SSD goodness Thin as ever, the latest Air offers up to twice the storage and snappy performance. Cool Stuff: Your 2008 Holiday Gift Guide We've got an array of economical, expensive, and just plain weird tech gifts for your friends and family. Massive botnet returns from the dead, starts spamming The spam-spewing 'Srizbi' botnet that was shut down two weeks ago has been resurrected and is again under criminal control, say security researchers. Elgan: Why you can't trust 'friends' on Facebook Facebook is popular and growing -- especially with criminals. Here's why they love it. Windows 7 Get the latest news, reviews and more about Microsoft's newest desktop operating system More Continuing Coverage Windows 7 Voting Technology Google's Chrome browser Economy in turmoil: Latest news and tips iPhone 3G Bill Gates moves on Windows Vista A to Z Mac A to Z 2008 Salary Survey Find wage data for 50 IT job titles. More Special Reports 2008 Premier 100 IT Leaders 2007 Premier 100 IT Leaders 2008 Best Places to Work in IT 2007 Best Places to Work in IT 2008 Salary Survey 2007 Salary Survey 2006 Salary Survey 2008 IT Forecast 2007 IT Forecast 40 Years of Computerworld Top 12 Green-IT Users The FAQs About Going Green IT Schools to Watch iPhone: One Year Later Global Mobile Your Next Data Center Management: Reinventing IT Stop Data Leaks Web 2.0 Security Surviving Disasters Managing Storage Virtualization The Lean Storage Machine Storage on Trial Can Web 2.0 Save BI? Bypass These BI Potholes All Zones Business Continuity Zone The File Data Management Zone Security Management Zone The SAS Zone Business Intelligence and Analytics Zone The Enterprise Search Zone Software as a Service Zone The Security Zone See your link here

Learn-Fast Guide: Get Up to Speed on Green IT (Source: Computerworld) Whether it's in the front office or the server room, green thinking can save energy, trees and money. From the Editorial Staff at Computerworld, here's the latest thinking on greening your operations. Download this executive briefing  Virtualization Everywhere Download this white paper, free, compliments of Citrix. (Source: Citrix) Adoption of virtualization is concentrated among large enterprises, while adoption by mid-sized companies has been much slower. For these companies, the cost and complexity of server virtualization solutions has been a barrier. In this paper, we'll discuss how Citrix XenServer" provides simple, economical server virtualization for any size company. Download now! Download this white paper  Advances in SSL and Certificate Management Advances in SSL and Certificate Management View this webcast now! Go to the webcast  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. 8 Things You Need to Handle Today's Network Traffic Next-Gen Load Balancing: 3 Keys to Successful Delivery of Advanced Web Apps Building a Reliable and Dynamic Data Center with PAN Manager by Egenera View more whitepapers

• Windows users indifferent to Microsoft patch alarm, says researcher
• Microsoft slates 8 bug updates for year's final Patch Tuesday
• Tech jobs down sharply but not out
• More top stories 

Security Directions: Strategies and Tactics for Protecting Your Enterprise in 2009 Attend the Security Directions virtual event, with sessions available live on December 16, 2008 and available on-demand from December 17 though March 17, 2009. Some topics that will be covered include: Best Practices around Data Leak Prevention (DLP). What exactly is security due diligence and why does it matter? Cloud security and privacy. End-point security - rising gas prices have caused an increase in the number of remote workers, which leads to more security issues. Register now for this event that happens on December 16, 2008, but will also available on-demand from December 17 - March 17, 2009. Register Now!

Get Into Gear! Check out our new personal technology section -- TechGear -- for the latest on those cool gadgets that you just gotta have! Host Mike Elgan provides hands-on reviews and analysis of the stuff that makes IT fun. Head to TechGear