Mountain Lion - Security Configuration Guide?

[RubyRoses]

Hello again to everyone on MacRumors. I love the new iMac which I brought recently, and have been having a good look round the system getting used to all its new weird and wonderful features. (The last OS I was using was Tiger, so I feel like I'm on an alien planet right now.)

I've been looking for a good guide on how to configure ML's security settings, but was only able to find some guys, er, perhaps slightly paranoid thoughts: https://discussions.apple.com/docs/DOC-3291 and: http://mostlysecure.blogspot.co.uk/2...tain-lion.html Anyone got any other good links, or can suggest any other good guides? Or any other good tips per say?

The first thing I'm trying to wrap my head round is the AppleID's new importance. It seems to me that the AppleID is required if you want to download anything from the app store (a new feature), and the Admin password is required if you want to install anything (a good old feature)? Is that correct?

If that's the case, then would it make better security sense to create an email address which isn't given out publicly, and used only as an AppleID instead? Or is that what this whole @me thing is about (never understood that. Been under a rock for years. Apologies.)

Moving on from that point: I've read that it's wise to create a non-admin account for daily usage. How do you do that, and have many people here done this?

Also. Say you decided to switch on File Vault to encrypt your data: if you backed up said data and then transferred it to another machine, would you be able to read your data as normal, or would it be all scrambled? This is probably another one of my silly questions! ^_-

Thanks a million to anyone who gets back to me. I'm always extremely interested in everyones views.

[GGJstudios]

You don't need any 3rd party antivirus app to keep a Mac malware-free, as long as you practice safe computing, as described in the following link. Read the What security steps should I take? section of the Mac Virus/Malware FAQ for tips on practicing safe computing.

[Weaselboy]

Quote:

Originally Posted by RubyRoses

Hello again to everyone on MacRumors. I love the new iMac which I brought recently, and have been having a good look round the system getting used to all its new weird and wonderful features. (The last OS I was using was Tiger, so I feel like I'm on an alien planet right now.)

I've been looking for a good guide on how to configure ML's security settings, but was only able to find some guys, er, perhaps slightly paranoid thoughts: https://discussions.apple.com/docs/DOC-3291 and: http://mostlysecure.blogspot.co.uk/2...tain-lion.html Anyone got any other good links, or can suggest any other good guides? Or any other good tips per say?

The first thing I'm trying to wrap my head round is the AppleID's new importance. It seems to me that the AppleID is required if you want to download anything from the app store (a new feature), and the Admin password is required if you want to install anything (a good old feature)? Is that correct?

You are on target with the AppleID and admin account. As a new user what is easiest is to just create a free iCloud account and use that as your AppleID.

Quote:

If that's the case, then would it make better security sense to create an email address which isn't given out publicly, and used only as an AppleID instead? Or is that what this whole @me thing is about (never understood that. Been under a rock for years. Apologies.)

You do raise a good point. What you can do is create the iCloud account like I mentioned, then go to icloud.com and you can create up to three "alias" email addresses. Then just use the main one for your AppleID purposes and one of the aliases for outside emails. All the emails will come in the same account, so it is easy to manage.

Quote:

Moving on from that point: I've read that it's wise to create a non-admin account for daily usage. How do you do that, and have many people here done this?

That is kind of a hold over from Linux days and not really necessary on OS X. Most users just run with the one admin account. It does not create any security problems.

Quote:

Also. Say you decided to switch on File Vault to encrypt your data: if you backed up said data and then transferred it to another machine, would you be able to read your data as normal, or would it be all scrambled? This is probably another one of my silly questions! ^_-

Nope. Your data would not be encrypted or scrambled if you move it off the machine. The way Filevault2 works is it creates a giant container on the drive and that entire container is locked down. When you login with your password the "container" is unlocked and opened and any data you see or copy/move is not encrypted and looks just like any other drive. It really is very transparent.

If you are concerned about securing your data Filevault2 is a really good way to do that.

You should also turn on the EFI (firmware) password to prevent anybody who steals your machine from booting to an external drive to crack your password. Just do a command-r boot and this will take you to the recovery screen. Then look in the utilities menu for the option to set the firmware password. Make sure you remember what this password is, because if you forget it there is no way to get past it without a visit to the Apple store for a reset.

[RubyRoses]

Quote:

Originally Posted by GGJstudios

You don't need any 3rd party antivirus app to keep a Mac malware-free, as long as you practice safe computing, as described in the following link. Read the What security steps should I take? section of the Mac Virus/Malware FAQ for tips on practicing safe computing.

Thanks very much for the pointers, GGJstudios; those are some handy links. I might run ClamXav simply because I've read good things about it and there seems no harm in it. But I agree that any paid-for AV software would be overkill on an iMac which is already protected by Apple.

[RubyRoses]

Quote:

Originally Posted by Weaselboy

As a new user what is easiest is to just create a free iCloud account and use that as your AppleID...What you can do is create the iCloud account like I mentioned, then go to icloud.com and you can create up to three "alias" email addresses.

Thanks for the suggestion. Since I've got my own domain name, I think I'll just use that to create a new email address. Furthermore, since I don't have any other iDevices, I can't really see the point in using iCloud right now - plus I've heard it's a bit of hassle! But I imagine that one day a time will come where iCloud will become an intergral part of the Apple experience.

Quote:

Originally Posted by Weaselboy

That is kind of a hold over from Linux days and not really necessary on OS X. Most users just run with the one admin account. It does not create any security problems.

That's good to know - I'll just go with the majority then! I must admit, I was dubious as to how two different accounts could make any real difference, security-wise.

Quote:

Originally Posted by Weaselboy

Nope. Your data would not be encrypted or scrambled if you move it off the machine. The way Filevault2 works is it creates a giant container on the drive and that entire container is locked down. When you login with your password the "container" is unlocked and opened and any data you see or copy/move is not encrypted and looks just like any other drive. It really is very transparent.

That's VERY interesting to know. So, if you have set up a login password, what's the difference between having Filevault2 enabled and not, since in both instances you'd be entering the same password (the admin one, I presume). Until you've logged in, all data is inaccessible to you either way, right?

Quote:

Originally Posted by Weaselboy

You should also turn on the EFI (firmware) password to prevent anybody who steals your machine from booting to an external drive to crack your password.

Wow - I didn't know about that. Just out of interest, how would someone boot to an external drive to crack a password?

Thanks ever so much for being so helpful!

[Weaselboy]

Quote:

Originally Posted by RubyRoses

That's VERY interesting to know. So, if you have set up a login password, what's the difference between having Filevault2 enabled and not, since in both instances you'd be entering the same password (the admin one, I presume). Until you've logged in, all data is inaccessible to you either way, right?

The regular user password is fairly easy to bypass. You can just command-r boot to the recovery partition and run a utility that resets it. Having FV2 on blocks that and encrypts the entire drive.

Quote:

Wow - I didn't know about that. Just out of interest, how would someone boot to an external drive to crack a password?

There are hacker tools and cracks that require a boot to another drive to load on your computer. Having the EFI password on blocks that.

The combination of EFI password and FV2 is at this point airtight. I have yet to see any demonstration of a way to crack this combination.

[Jon-PDX]

Quote:

Originally Posted by Weaselboy

..........
The combination of EFI password and FV2 is at this point airtight. I have yet to see any demonstration of a way to crack this combination.

Question.....

I've never used an EFI password or FV2. At startup, in addition to the user password, would I also have to enter the EFI and FV2 passwords for a total of three (3) passwords before I can use the computer?

Oh, I just thought of another question......sorry.

If the computer goes to sleep will it be locked down just as tight, or only require the user password (assuming I tell it to ask for one after waking up)?

I'm thinking on my Air this would be a good way to protect it if I lost it. But having to enter that many passwords would sure be a hassle at times.

Thanks,

Jon...

[Weaselboy]

Quote:

Originally Posted by Jon-PDX

Question.....

I've never used an EFI password or FV2. At startup, in addition to the user password, would I also have to enter the EFI and FV2 passwords for a total of three (3) passwords before I can use the computer?

Oh, I just thought of another question......sorry.

If the computer goes to sleep will it be locked down just as tight, or only require the user password (assuming I tell it to ask for one after waking up)?

I'm thinking on my Air this would be a good way to protect it if I lost it. But having to enter that many passwords would sure be a hassle at times.

Thanks,

Jon...

The EFI password only ever needs to be reentered if you want to boot to another disk. So once you initially set it, you are done with it.

FV2 replaces the login password process you are using now with its own process that looks very much the same.

So from a cold boot you will only enter the FV2 password to login and that is it. So you still only have to type in one password.

It is not as secure when only in sleep. When logged in to the account but at the screen you get when waking from sleep, the FV2 encrypted container is open... so hypothetically a determined hacker MIGHT be able to login to your machine using one of many Internet sharing protocols. This is very very unlikely though.

What I do is just let it sleep with a PW to wake up if the computer is around the house and then logoff completely if I am taking the computer out of the house where it will be left unattended.

[Jon-PDX]

Excellent......thanks for the quick reply!

I think I'll set the EFI on both my machines and give FV2 a try on my Air since I'm still a little nervous about encrypting my drives. I'm sure it's fine but the critical stuff is on the Pro and if I mess up the Air it's no big deal to start from scratch.

Jon...