Workstation security: Lock down that Mac

Security should always be on the mind of a systems administrator. It should be part of how you build workstation images, how you configure servers, the access you grant to users and the choices you make in building your physical network.

Security, however, doesn't end once everything is rolled out; sysadmins need to remain proactive by being aware of what's going on in their networks and responding quickly to potential intrusions. Equally important, you need keep all servers, workstations and other devices updated against newly discovered security threats, viruses and attacks. And you need to keep your understanding of security techniques and risks current.

With security as an ongoing concern, you can do much of the necessary work as your network is rolled out or upgraded. If things are secure from the start, the number of threats you'll need to worry about right away will be reduced, and even new threats will be easier to deal with.

In this series on Macintosh infrastructure security, I've opted to include as many ways to secure a network as possible. Some of them can be applied to every network; others may have more limited uses. As with backup strategies, security is often a balancing act between protecting your users and allowing them the access they need.

I'm going to talk initially about workstation security for two reasons. First, workstations are where a large number of security breaches are likely to be attempted (particularly in a shared-workstation situation such as a computer lab). Second, many of the security approaches you can take with Mac OS X workstations work for Mac OS X servers, too, while the reverse is rarely true. In other words, server-specific security procedures often aren't relevant to workstations.

Workstation security takes several forms. First there is physical security, which includes protecting computers against vandalism or theft -- either of the entire workstation or of individual components. Physical security is tied to security of data because if someone manages to steal the workstation, they get all of the data contained on it as well.

Next to physical security is firmware security. Apple gives you the power to password-protect access to a workstation or modification of its boot process using the firmware code on the motherboard. This allows you to enforce file permissions on the data stored on the hard drive, which could otherwise be bypassed by users booting to a disk other than the internal hard drive or specified NetBoot disk. Firmware security relies on physical security because access to the internal components of a Macintosh computer allows a person to bypass firmware security precautions.

Finally, there is the security of data stored on the workstation. This includes preventing users from accessing sensitive data or any configuration parameters stored on the workstation. Configurations related to network and server connections are particularly important because that information could be used for other forms of server or network attacks. In addition, data security for workstations involves protecting the workstation's operating system and application files from tampering, which could result in intentional or accidental damage or misconfiguration. In the case of malicious changes, users might be redirected to external sites or servers in a way that divulges sensitive personal or professional information (including network credentials).

We'll cover physical security in this installment. In my next column, we'll talk about Open Firmware security. Next, I'll look at local data security and the large number of ways you can improve the safety of data residing on the workstations in your network. And down the road, we'll cover Mac OS X Server and general Mac network security advice.

You can physically secure Mac workstations in any number of ways. If you are in a small business or corporate environment, where everyone's computer is in an office and there is no general access, you may not need to physically tether or lock each computer in place. In an open environment, such as a school or college computer lab, however, you should make sure that each computer is physically secure. Passing aircraft cable through the handles or locking slots of computers and using Kensington locks (which many Mac models include) or other specially designed locking methods are all good ideas. Close supervision, either human or camera, can also help deter theft.

Computers aren't all that's at risk. Components have a tendency to attract thieves as well. I worked in one school where it became a common after-school activity to try to steal RAM out of Power Macs in one computer lab. People often think computer peripherals are worth a lot of money, whether they actually are or not. Some people get a thrill out of stealing them or may be out to inflict whatever damage they can to an institution. Others seem to focus on stealing data-storage devices, such as hard drives, in attempts to gain sensitive information.

The theft of peripherals and components is sometimes more rampant in office settings than the outright theft of computers. If someone feels their home computer needs more RAM -- and they don't think their office computer needs it -- what's the harm in "borrowing" some, especially after years of devoted service? Or someone may gain access to an office and assume there is sensitive or useful data stored on the external (or even internal) hard drive of a workstation. After all, a workstation in a payroll department presents a tempting target, given the possibility that it contains financial data.

Not only do companies have to spend money to replace missing components or peripherals; they also have to worry that untrained users (or trained users who simply don't care) may damage a workstation in the process of removing a component. This is particularly true in the case of some iMac models, which have components tucked away in a way that can be difficult for even trained technicians to access safely.

All recent Power Macs since 1999 include a locking tab/slot. Placing a lock (or using a cable or a chain attached to a lock) through this tab/slot can prevent the case from opening. Given that these computers are extremely easy to open, you should always lock them (even when they're being used by a trustworthy person). IMac and eMac models may be more difficult to lock down -- especially when it comes to preventing access to RAM chips and AirPort cards, which Apple Computer Inc. deliberately made easy to access. Several companies have developed locking products for them, and securing those iMacs and eMacs that have handles with a cable or chain can make it harder for a computer to be opened.

Again, supervision is a first line of defense in securing open environments. Keeping them behind locked doors can also help.

Securing external peripherals can be as easy as locking them away and requiring users to check them in and out. This is particularly true of easy-to-cary devices such as hard drives which may contain sensitive data.

You can take steps to make sure that you know when hardware has been removed or altered. Consider running a daily Apple Remote Desktop system-overview report (possibly a simple one just verifying that everything is still in the building and connected). If you don't have access to Apple Remote Desktop, you can create a shell script using Secure Shell and the command-line version of the Apple System Profiler to query workstations for their current status (in command-line form, System Profiler lets you specify system attributes such as RAM or serial number you want reported).

While such queries may not stop hardware from "walking out" of the building, they can alert you to theft and notify you if there are problems with a workstation. You may also be able to enlist in-house security personnel, lab monitors or other staff members to verify that everything is where it's supposed to be.

And of course, if the worst happens and something turns up missing, you do at least have a backup program for the data, right?

Coming up next: A look at firmware security.

Ryan Faas is the network administrator and offers consulting services specializing in Mac and cross-platform network solutions for small businesses and education institutions. He is the co-author of Troubleshooting, Maintaining, and Repairing Macs and of O'Reilly's forthcoming Essential Mac OS X Server Administration. He can be reached at

Copyright © 2005 IDG Communications, Inc.

Where does this document go — OneDrive for Business or SharePoint?
Shop Tech Products at Amazon