Mac Security – How The NSA Hack-Proofs Its Macs
If you’re really concerned about online security on your Mac, you can find some high-impact tips in a factsheet from the National Security Agency designed for use by administrative users of Mac OS X 10.6 Snow Leopard.
Suggestions, ranked by the NSA in order of importance, include:
Don’t Surf or Read Mail Using Admin Account
Use Software Update or, on systems not connected to the Internet, retrieve updates regularly from:
http://www.apple.com/support/downloads
Account Settings:
– Disable Automatic Login and User List
– Disable guest account and sharing
Security Pane Settings: in the General tab, ensure that the following are checked:
– Require password “5 seconds” after sleep or screen saver begins
– Disable automatic login
– Use secure virtual memory
– Disable Location Services (if present)
– Disable remote control infrared receiver (if present)
In the FileVault tab, read the warnings and consider activating FileVault.
Secure Users’ Home Folder Permissions
Set A Firmware Password That Will Prevent Unauthorized Users From Changing The Boot Device Or Making Other Changes.
Disable IPv6 and AirPort when Not Needed
Disable Unnecessary Services
Disable Setuid and Setgid Binaries
Disable Integrated iSight and Sound Input
Safari Preferences
– Safari will automatically open some files by default. This behavior could be leveraged to perform attacks. To disable, uncheck “Open safe files after downloading” in the General tab.
– Unless specifically required, Safari’s Java should be disabled to reduce the browser’s attack surface. On the Security tab, uncheck “Enable Java.”
Au Revoir, Bonjour! – from the security perspective, Bonjour! makes the computer unnecessarily visible and generates unwanted network traffic.
Configure and Use Both Firewalls
Disable Bluetooth and AirPort Devices
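A read-only audit for two of the items above (home folder permissions and setuid/setgid binaries), added here as an example and not taken from the NSA factsheet. The function names and the directories passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: these helpers only report; they never change a permission.

# Print every regular file under directory $1 that carries the setuid or
# setgid bit. -xdev keeps find on one filesystem so mounted volumes and
# network shares are not crawled.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print each directory directly under $1 (for example /Users) whose mode
# grants any permission to group or other, prefixed with those six mode bits.
# Intentionally shared folders will show up too and need a manual decision.
list_open_homes() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue      # skip plain files and an empty glob
        [ -L "$home" ] && continue      # skip symlinks to directories
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$home" | cut -c5-10)
        [ "$bits" = "------" ] || printf '%s %s\n' "$bits" "$home"
    done
}

# Stand-alone use: sh audit.sh <users-root> <directory-to-scan>
if [ "$#" -eq 2 ]; then
    echo "Home folders readable or writable by group/other under $1:"
    list_open_homes "$1"
    echo "setuid/setgid files under $2:"
    list_setid_files "$2"
fi
```

Review each reported path before changing anything; some setuid binaries are required by the services that remain enabled.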
You can download the NSA factsheet at:
http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
You can also find Apple’s official Security Guides for OS X 10.3 through 10.6 at:
http://www.apple.com/support/security/guides/