To secure a Mac workstation, remember the users
Computerworld -
Earlier in this series on Macintosh security, I discussed how to physically secure workstations within an infrastructure (see "Workstation security: Lock down that Mac") and how to use the various Open Firmware modes in modern Macs to keep hostile users from bypassing security by booting from an alternate start-up disk (see "Open Firmware Security for Mac Workstations"). I want to continue my discussion of workstation security by describing a number of ways you can configure individual workstations to make their local resources and data (and, thus, your entire infrastructure) more secure.
Securing the data on a workstation means securing user files and folders as well as application folders and operating system components. The goal is to ensure not only that the data that users store on their workstations is safe from prying eyes, but also that any information about your network at large is safe. You also need to maintain the stability and integrity of the workstation so that it can't be hijacked for nefarious purposes.
Some of the tactics here may not be appropriate for every network or every workstation. Some may compromise functionality that you need. Some apply more to Mac OS X Server infrastructures, while others apply more to stand-alone installations. As always, a system administrator's job involves striking a balance between practical user needs and security. Your mileage may vary.
Don't show any user data
Every Mac log-in window, including those in Mac OS X, and Mac OS 9 with multiple users or Mac Manager -- offers you the option of displaying a list where users select their name and then enter their password. This approach is the default for Mac OS X installations. It's graphically attractive, and it can be a major security hole. It displays every user's name to anyone who sits at the workstation. This means that intruders know immediately which usernames are valid; they need only guess someone's password to gain access. Granted, a standard naming scheme may make it easy to guess someone's username, but every step toward security helps. Also, in Open Directory infrastructures, this list is transmitted across the network whenever the log-in Window loads (possibly in clear text), further lessening security. Don't display usernames.
On the same topic, don't use password hints. This isn't an option for directory domain user accounts anyway. But in stand-alone installations, using hints seriously compromises the integrity of passwords. It's far better to make users call the help desk for password resets than it is to take this security risk.
On a related
Macintosh
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
