Computerworld - Apple's Open Directory is a powerful directory services platform that supports a variety of clients, most notably Mac OS X and Windows. Open Directory is based on open-source software, including OpenLDAP and Kerberos, and includes some components specific to Mac OS X Server.
Because it is built on standard protocols, Open Directory is easy to manage on Mac-only and multiplatform networks alike. It works well as a network's sole directory service, and it can integrate with Active Directory or, for that matter, with any other LDAP-based directory service.
For administrators, employing a robust directory services application that supports all their clients is only part of the equation. Directory servers manage user authentication and maintain significant amounts of information about users, groups, servers, workstations and network configurations. This makes securing directory servers a paramount concern for any network admin.
Out of the box, Open Directory includes full support for Kerberos, plus Apple's Open Directory Password Server for clients and services that cannot use Kerberos. However, because it also carries older password mechanisms for compatibility, the configuration left behind by initial setup is not the most secure one available, and a few deliberate changes tighten it considerably.
The following methods can greatly enhance the security of a standard Open Directory installation.
Use only Open Directory passwords
When creating or modifying user accounts under Open Directory (for example in Workgroup Manager), admins choose between two password types: Open Directory and crypt. Crypt is sometimes referred to as "basic," which is the label that appears in the account's AuthenticationAuthority attribute.
Open Directory passwords are stored both in the Kerberos KDC database and in the Open Directory Password Server database, as derived keys and hashes rather than as the password itself. Both databases are separate from Open Directory's LDAP database, where the rest of the user account attributes live; the LDAP user record carries only an AuthenticationAuthority attribute that points at the Password Server and the Kerberos realm. This means that anyone who can read the directory, whether through an anonymous or authenticated LDAP bind or from a copy of the LDAP database, gets no password material from it. One caveat: this separation protects against reads of the directory, not against a compromise of the server itself. The KDC and Password Server databases normally sit on the same master (and on every replica), so file permissions on those databases and the security of replicas matter just as much.
To provide backward compatibility with early versions of Mac OS X (10.1 and earlier), however, Open Directory also supports crypt passwords. These are stored as an attribute of the user record itself, in the LDAP database. This is a significant security risk: the hash can be read out of the directory along with the rest of the account, and, despite the "crypt" name, it is not encrypted at all. It is a traditional Unix DES crypt hash, computed from only the first eight characters of the password, and an attacker who obtains it can recover the password offline with ordinary cracking tools in short order.
As a result, crypt passwords should be avoided wherever possible, and any existing accounts still using them should be converted to Open Directory passwords.
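A quick way to find the accounts that still need converting is to audit the user records for the crypt markers described above. The script below is an added example, not Apple's tooling: it parses the "Key: value" layout that dscl prints when you read user records (for example `dscl /LDAPv3/127.0.0.1 -read /Users/<name> RecordName AuthenticationAuthority Password`, one record per block separated by a blank line) and flags accounts whose AuthenticationAuthority lists `;basic;`, accounts with no AuthenticationAuthority at all, and accounts whose Password attribute shows a readable hash instead of the `********` placeholder dscl prints for Password Server accounts. The record dump, host names and hex IDs are constructed for the example.

```python
"""Flag Open Directory user records that still carry crypt ("basic") passwords.

Added example, not Apple's code. Input is a dscl-style "Key: value" dump,
one record per blank-line-separated block. SAMPLE_DUMP is constructed.
"""
from typing import Dict, List

SAMPLE_DUMP = """\
RecordName: alice
AuthenticationAuthority: ;ApplePasswordServer;0x4e1a2b3c4d5e6f701234567890abcdef,1024 35 17181920212223 od.example.com:10.0.0.5 ;Kerberosv5;0x4e1a2b3c4d5e6f701234567890abcdef;alice@OD.EXAMPLE.COM;OD.EXAMPLE.COM;
Password: ********

RecordName: legacy
AuthenticationAuthority: ;basic;
Password: abJnggxhB/yWI

RecordName: mixed
AuthenticationAuthority: ;ApplePasswordServer;0x5f2b3c4d5e6f7081234567890abcdef1,1024 35 17181920212223 od.example.com:10.0.0.5 ;basic;
Password: ********

RecordName: noauthauth
Password: KxLmN0pQr1sTu
"""

# dscl prints this placeholder for accounts whose password is not in LDAP.
PLACEHOLDER = "********"


def parse_records(dump: str) -> List[Dict[str, str]]:
    """Split the dump into one dict per record; blank lines separate records.
    Only the first ':' splits key from value, so values may contain colons."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in dump.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def password_mechanisms(record: Dict[str, str]) -> List[str]:
    """Authority tags (ApplePasswordServer, Kerberosv5, basic, ...) in the
    record. dscl prints multi-valued attributes space-separated, and every
    authority value has the form ';tag;data', so the tag follows a leading ';'."""
    tags = []
    for token in record.get("AuthenticationAuthority", "").split():
        if token.startswith(";"):
            tags.append(token.split(";")[1])
    return tags


def audit(dump: str) -> Dict[str, List[str]]:
    """Map each flagged RecordName to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for rec in parse_records(dump):
        name = rec.get("RecordName", "?")
        reasons = []
        tags = password_mechanisms(rec)
        if "basic" in tags:
            reasons.append("AuthenticationAuthority lists ;basic; (crypt)")
        if not tags:
            reasons.append("no AuthenticationAuthority: account falls back to crypt")
        if rec.get("Password", "") not in ("", PLACEHOLDER):
            reasons.append("crypt hash readable in Password attribute")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_DUMP).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run it against a dump of every record under /Users in the shared domain; anything it prints is an account whose password is at risk the moment someone can read the directory.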
Beyond being far more secure than crypt passwords, Open Directory passwords support password policies, which can be set globally for the Open Directory domain (in Server Admin or with the pwpolicy command-line tool) or for individual users (in Workgroup Manager or with pwpolicy). Available policies include minimum password length, required letters and digits, a ban on using the account name as the password, password expiration, password history and account lockout after a set number of failed login attempts. Always set a global policy: it is the only thing that limits online guessing against the Password Server.
Note: Administrator accounts are exempt from password policies, including lockout. Those accounts therefore need long passwords enforced by procedure rather than by the server, and their failed-login activity is worth watching in the password service log.
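To see what a policy string actually enforces before pushing it with pwpolicy, the following added example (not Apple's code) re-implements the relevant checks locally: it parses a policy written in pwpolicy's "key=value key=value" form, reports why a candidate password would be rejected, and applies the failed-login lockout counter with the administrator exemption noted above. The policy keys used (minChars, requiresAlpha, requiresNumeric, passwordCannotBeName, maxFailedLoginAttempts, maxMinutesUntilChangePassword) are real pwpolicy keys; the policy values, accounts and passwords are constructed for the example.

```python
"""Local model of Open Directory password-policy enforcement.

Added example, not Apple's code. GLOBAL_POLICY mirrors the string you would
pass to `pwpolicy -setglobalpolicy`; the accounts below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# 129600 minutes is 90 days.
GLOBAL_POLICY = ("minChars=8 requiresAlpha=1 requiresNumeric=1 passwordCannotBeName=1 "
                 "maxFailedLoginAttempts=5 maxMinutesUntilChangePassword=129600")


def parse_policy(policy: str) -> Dict[str, int]:
    """Parse 'minChars=8 requiresAlpha=1 ...' into an int-valued dict."""
    out: Dict[str, int] = {}
    for item in policy.split():
        key, _, value = item.partition("=")
        out[key] = int(value)
    return out


def password_violations(password: str, username: str, policy: Dict[str, int]) -> List[str]:
    """Reasons a new password would be rejected under the policy (empty list = accepted)."""
    problems = []
    if len(password) < policy.get("minChars", 0):
        problems.append(f"shorter than minChars={policy['minChars']}")
    if policy.get("requiresAlpha") and not any(c.isalpha() for c in password):
        problems.append("requiresAlpha: no letter")
    if policy.get("requiresNumeric") and not any(c.isdigit() for c in password):
        problems.append("requiresNumeric: no digit")
    if policy.get("passwordCannotBeName") and password.lower() == username.lower():
        problems.append("passwordCannotBeName: equals account name")
    return problems


@dataclass
class Account:
    name: str
    is_admin: bool = False   # administrator accounts are exempt from policy
    failed_attempts: int = 0
    disabled: bool = False


def record_failed_login(acct: Account, policy: Dict[str, int]) -> bool:
    """Count one failed login and apply maxFailedLoginAttempts.
    Returns True if the account is now locked. Admin accounts are exempt,
    so the counter still grows but never disables them."""
    acct.failed_attempts += 1
    limit = policy.get("maxFailedLoginAttempts", 0)
    if limit and not acct.is_admin and acct.failed_attempts >= limit:
        acct.disabled = True
    return acct.disabled


if __name__ == "__main__":
    policy = parse_policy(GLOBAL_POLICY)
    print("alice/'alice':", password_violations("alice", "alice", policy))
    print("alice/'Tr0ub4dor&3x':", password_violations("Tr0ub4dor&3x", "alice", policy))
    bob, diradmin = Account("bob"), Account("diradmin", is_admin=True)
    for _ in range(6):
        record_failed_login(bob, policy)
        record_failed_login(diradmin, policy)
    print("bob locked:", bob.disabled, "| diradmin locked:", diradmin.disabled)
```

The last two lines of output make the exemption concrete: after the same six failures the ordinary account is disabled and the administrator account is not, which is why the admin passwords are the ones an online guesser will go after.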