Posted on 03/01/2008 7:16:46 PM PST by Swordmaker
A fellow Freeper purchased a brand new iMac this week and sent me some questions about how to secure his new computer. I thought that the answers are probably of use to other Freepers who have upgraded their computer experience to the Mac. I have decided to post them on Free Republic.
How do I Secure the Root password/login?
Simple solution: Just don't do ROOT.
On a Mac the default Administrator level user that is created when you first set up your computer is not a ROOT user.
There is actually one level higher access than Administrator. That is the Root user, the Super User. On the Mac, Root is turned OFF by default and you actually have to enable it and provide an additional password to use it. There is never/seldom ANYTHING an average user needs to do that requires full access to the ROOT account, so don't activate it.
The Administrator (one level below Root) accounts are permitted to access Root for specific and limited actions such as install software and modify System Wide settings... and these require the re-entering of the Administrator's password.
Drag and Drop installation of Applications generally does not require a password... but any installation that requires modification of a folder owned by the System will. These types of installation are getting rarer as they are generally not necessary.
What is the safest way to run my Mac on the Internet?
There are currently zero viruses, spyware and adware for the Mac that can self install on your Mac... but that doesn't mean that there won't be any tomorrow. But as of now, for the last seven years, Mac users have been able to surf the internet with impunity and virtual immunity from the malware that afflicts Windows users.
There are a few Trojan Horse programs that are on the Web masquerading as something they are not... such as the recent faux video codex available on some porn sites that would install a URL redirector in the Mac. However, these are rare. Nothing can stop YOU from doing stupid things like downloading a file, ignoring the warnings from the Mac OS that the file contains an application, giving the file permission to install, and then permission to run for the first time, EXCEPT YOU being smart and not downloading anything from a site you know nothing about. Mac software, freeware, shareware, and professional apps, are available from trusted sites including Apple, Version Tracker, etc.
Your Mac CAN pass on emails that may contain Windows viruses and malware even though they are not susceptible to them, by forwarding files with attachments to your Windows using friends. The easy way to protect your friends is to NOT forward emails with attachments. . . but sometimes the urge to send that cute picture to Uncle Joe is just too strong to resist. Unfortunately, that picture MIGHT contain malware that can screw up Uncle Joe's computer. Just don't do that... keep the bandwidth down. This ability of the Mac to pass on viruses and other malware to Windows machines is the ONLY reason to run any of the few anti-virus ware available for the Mac... right now. You might want to run it so you can pass on that cute picture to Uncle Joe... Otherwise, most Mac users don't bother. When something malicious to the Mac appears, this advice might change.
I suggest using the standard prudent computer users' advice... don't download anything from a site you don't trust.
OK, since the Administrator account isn't Root, is it safe to use an Administrator Account for every day use?
For greater safety, to protect your Mac, it is advisable to NOT do your daily work in your Administrator account (the default account created when you ran your Mac for the first time).
The safest way to use your Mac is to create a "Standard Account" that is one level below Administrator level. This Standard account can do anything an Administrator account can except modify the Applications Folder (Delete or install), modify the root directory of the booting hard drive (delete or install) or change any system wide preferences. These actions can be accomplished from the Standard account but will require the entry of an Administrator's name AND password for each and every change.
The way to set up a Standard account is easily done in the Apple menu/System Preferences/Accounts preference pane. If you have already set up your current Administrator account for your personal use, you need to first create a new Administrator account and then change your current account to standard.
I am going to assume you want to keep your current account with your personal email settings and internet set up, so I will step you through setting up a new Administrator account and changing your current one to a Standard account.
- Click on the Apple in the upper left corner of the screen and select "System Preferences..."
- Click on the "Accounts" icon - it's on the fourth row of preferences at the left.
- If the "Accounts" pane is locked (the pad lock in the lower left hand corner of the window is locked), click on the padlock and provide your Administrator password in the dialog box that comes up, unlocking the pane.
- Click on the + button in the box at the bottom of the list of users field. A new Dialog window will drop down from the current window bar.
- Select "Administrator" in the New Account selector.
- Enter a User name for your new Account... a single name is easier than a full name. Don't use something like "Admin" or its like.
- You can change the Short Name to anything you prefer. You don't have to accept the one generated from the Name you entered above. The short name can be used in dialogs requesting Administrator names and passwords in place of the real name.
- Enter a complex password... and don't use a word that can be found in a dictionary. Don't use something someone can learn about you as a password such as an anniversary date, etc. The Mac will generate a complex password for you if you like by clicking on the KEY button on the right of the password entry field. The routine allows you to select between "memorable, Letters & Numbers, Numbers Only, Random characters, or FIPS-181 compliant. it also allows you to select the number of characters in the password and provides a barometer bar that shows by the color of the bar how secure the password is... and also has a tip/warning box telling you what might be wrong with your selected password making it insecure. Be sure to write your password down and save this password in a safe place... several safe places... away from your computer. Mine is on the back of a picture in another room, written backwards. [Actually, mine is somewhere else... ;^)>]
- Verify the password you created in the verify field.
- Provide a hint to the password... or where you hid the written down version.
- Don't turn on FileVault protection for this account because you are not going to store any data in it. This Administrator account is just for system maintenance and software installation. You might want to turn this on for any account that will contain sensitive data.
- Click the "Create Account" button.
- Click on the "Login Options" at the bottom of the user account list.
- Select "Disabled" on the Automatic Login. If you are going to be the only user on this computer, you can set the "Automatic Login" to your current user account. I don't recommend this. This default setting will allow anyone starting the computer to automatically have access to your data.
- Change the radio buttons of the "Display Login window as" to "Name and Password." This hides the names of your users and requires anyone logging in to KNOW the name AND password. The other choice requires only that they know the password.
- Click the check box for "Show the Restart, Sleep, and Shut Down buttons." This allows you to shut down the computer or put it to sleep without logging into a user account. Shutting down or restarting while an account is active will require an Administrator name and password because current work in that account in operating applications may be lost.
- If some of your users use a language other than English, check the box for "Show Input Menu in login Window." This adds a choice selection at login for the language and keyboard layout for about 100 other languages available on the Mac.
- Click to check the box for "Show password hints."
- Unless you or one of your users are vision impaired, uncheck the "Use VoiceOver at login window." If you, or they are, then this option will provide voice prompts at login.
- Click to check the "Enable fast user switching." This puts the name of the current user on the Menu Bar at the upper right and adds a drop down menu of other users so you can quickly switch between users without logging out of any of them. Switching to another user requires that user's password to gain access.
- Select how you want to view that list. I suggest "Name."
- Click the padlock to lock the access to this preference pane for this account.
- Close the window. You now have TWO Administrator accounts.
- Log out of your current Administrator account by clicking the Apple Menu (upper right of the screen) and selecting "Log Out (your account). This will now take you to the Log In window.
- Log in to your newly created Administrator Account.
- Repeat steps 1 through 3 to access the Accounts preference pane including unlocking it.
- Click on your original Administrator Account.
- Click the check box on "Allow user to administer this computer" to uncheck it and make this account into a Standard account. The system will not allow this unless there is another Administrator account on the computer.
- Click on the padlock to lock the accounts preference pane for ALL accounts.
- Close the window. You now have one Administrator Account and one Standard Account.
- Log out of your new Administrator Account.
- Log In to your old account which is now a Standard user and continue computing more safely.
Create other user account for other members of your household that will be using this computer by logging into your Administrator account (you can do it from the Standard account by providing both Admin name and password but it's easier to do in Administrator) and repeating steps 1 through 4 and 6 through 12 plus 22 and 23.
For children, or for those you want to limit access to certain apps or websites, use the Parental Controls option. Users can change their passwords if you choose to allow it. For kids, don't let them change the password because you might want to have access to review what they are doing.
What more can I do to increase my Mac's security?
Other than never connecting your computer to the outside world, there are several things you can do to provide "Ultimate" Security to your Mac.
First, use a hardware firewall. If you have a router, that's covered.
Second, setup the Mac's internal security beyond the already pretty secure default settings. This can activated by:
- Click on the Apple in the upper left corner of the screen and select "System Preferences..."
- Click on "Security" on the first row of icons, second from the right.
- Select the "General" tab.
- If the "Security" pane is locked (the pad lock in the lower left hand corner of the window is locked), click on the padlock and provide your Administrator password in the dialog box that comes up, unlocking the pane.
- Click on the check box for "Require password to wake this computer from sleep or screen saver." This prevents people from accessing or copying your files while you are sitting in the bathroom on a quick trip... It is a user option not a system option. If you trust everyone in your house, this is not necessary and adds a bit of inconvenience. Some users may not wish to be inconvenienced by being required to provide their password to turn off the screen saver.
- Make sure the "Disable automatic login" is checked. If you followed the steps above, it should be.
- If you want to prevent the users from changing preferences, check the "Require password to unlock each System Preference pane." This locks every pane.
- Click to check the "Log out after [ ] minutes of inactivity." Set the time you are comfortable with. Do NOT set this if any applications need to run in the background for a particular user account. For example, I use a separate user account for my Fold@Home application... and logging out would shut that down. Having your system go to screen saver with the "Require password to wake this computer from sleep or screen saver" set on each account and the Preference Panes locked is sufficient for most security. But if "Ultimate Security" is important, go for it. Just don't expect long term processing to continue. Security is always a trade-off between secure and usable.
- Click the "Use secure virtual memory" check box to on.
- Click on the padlock to lock this pane.
- Quit "System Preferences" under the System Preferences menu on the menu bar.
Third, turn on FileVault. On a Mac, each account can have its user files encrypted with an industrial strength 128 bit encryption that would take years to decrypt. This can be turned on when you create a new account (See above). FileVault uses your account password for access. If you forget your password, you can forget ever retrieving your data. (The computer Administrator can set a Master Password for the computer... that, and only that, can recover your data if you forget your own password.) To turn on FileVault:
- Repeat steps 1 and 2
- Select the "FireVault" tab.
- If the master password is set for this computer, skip to step 5.
- If the the Master Password is unset for this computer, click on "Set Master Password" button. Provide the Administrator name and password. Enter and confirm a complex master password and don't use a word that can be found in a dictionary. Don't use something someone can learn about you as a password such as an anniversary date, etc. The Mac will generate a complex password for you if you like by clicking on the KEY button on the right of the password entry field. The routine allows you to select between "memorable, Letters & Numbers, Numbers Only, Random characters, or FIPS-181 compliant. it also allows you to select the number of characters in the password and provides a barometer bar that shows by the color of the bar how secure the password is... and also has a tip/warning box telling you what might be wrong with your selected password making it insecure. Be sure to write your password down and save this password in a safe place... several safe places... away from your computer. Mine is on the back of a picture in another room, written backwards. This is a good candidate to be put in a safety deposit box...
- Click the "Turn On FireVault..." button. This is a user option and does not require a password. The system will check to see if there is sufficient hard drive space to create your new encrypted user files. If so, it will do so. If not, it will suggest you delete some files. Expect the process to take a while... hours probably if you have lots of files. You can continue to use your Mac while the process runs.
- When completed, your files are protected.
- Quit "System Preferences" under the System Preferences menu on the menu bar.
What about the built in Firewall on my Mac?
Oh, you can turn on the Mac's own firewall if you want. I have been running my Mac for over a year with out the system firewall, just to see what might happen. So far? Nothing's impacted my Mac.
If you want on or off the Mac Ping List, Freepmail me.
Use a hardware firewall i.e. a NAT router
He would be proud.
Are you s****ing me?
Cheers!
Amazing what childishness Windows users will go to, isn't it?
Glad to have stumbled upon this! Will show it to dh to interpret for me, though. Thank you!
When you get your new iMac...
It is gratefully appreciated!
Thanks, Swordmaker. Bookmarked.
ping
Thanks for the info.
The keyword got pulled.
I was hoping a mod would post who wrote it.
Saw it done once before.
Very funny!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.