Workstation security: Lock down that Mac

Computerworld - Security should always be on the mind of a systems administrator. It should be part of how you build workstation images, how you configure servers, the access you grant to users and the choices you make in building your physical network.
Security, however, doesn't end once everything is rolled out; sysadmins need to remain proactive by being aware of what's going on in their networks and responding quickly to potential intrusions. Equally important, you need keep all servers, workstations and other devices updated against newly discovered security threats, viruses and attacks. And you need to keep your understanding of security techniques and risks current.
With security as an ongoing concern, you can do much of the necessary work as your network is rolled out or upgraded. If things are secure from the start, the number of threats you'll need to worry about right away will be reduced, and even new threats will be easier to deal with.
In this series on Macintosh infrastructure security, I've opted to include as many ways to secure a network as possible. Some of them can be applied to every network; others may have more limited uses. As with backup strategies, security is often a balancing act between protecting your users and allowing them the access they need.
I'm going to talk initially about workstation security for two reasons. First, workstations are where a large number of security breaches are likely to be attempted (particularly in a shared-workstation situation such as a computer lab). Second, many of the security approaches you can take with Mac OS X workstations work for Mac OS X servers, too, while the reverse is rarely true. In other words, server-specific security procedures often aren't relevant to workstations.
Workstation security takes several forms. First there is physical security, which includes protecting computers against vandalism or theft -- either of the entire workstation or of individual components. Physical security is tied to security of data because if someone manages to steal the workstation, they get all of the data contained on it as well.
Next to physical security is firmware security. Apple gives you the power to password-protect access to a workstation or modification of its boot process using the firmware code on the motherboard. This allows you to enforce file permissions on the data stored on the hard drive, which could otherwise be bypassed by users booting to a disk other than the internal hard drive or specified NetBoot disk. Firmware security relies on physical security because access to the internal