Old Dec 30, 2012, 04:43 PM   #1
RubyRoses
macrumors newbie
 
Join Date: Feb 2011
Mountain Lion - Security Configuration Guide?

Hello again to everyone on MacRumors. I love the new iMac which I bought recently, and have been having a good look round the system getting used to all its new weird and wonderful features. (The last OS I was using was Tiger, so I feel like I'm on an alien planet right now.)

I've been looking for a good guide on how to configure ML's security settings, but was only able to find some guy's, er, perhaps slightly paranoid thoughts: https://discussions.apple.com/docs/DOC-3291 and: http://mostlysecure.blogspot.co.uk/2...tain-lion.html Anyone got any other good links, or can suggest any other good guides? Or any other good tips per se?

The first thing I'm trying to wrap my head round is the AppleID's new importance. It seems to me that the AppleID is required if you want to download anything from the app store (a new feature), and the Admin password is required if you want to install anything (a good old feature)? Is that correct?

If that's the case, then would it make better security sense to create an email address which isn't given out publicly, and used only as an AppleID instead? Or is that what this whole @me thing is about (never understood that. Been under a rock for years. Apologies.)

Moving on from that point: I've read that it's wise to create a non-admin account for daily usage. How do you do that, and have many people here done this?

Also. Say you decided to switch on File Vault to encrypt your data: if you backed up said data and then transferred it to another machine, would you be able to read your data as normal, or would it be all scrambled? This is probably another one of my silly questions! ^_-

Thanks a million to anyone who gets back to me. I'm always extremely interested in everyone's views.
Old Dec 30, 2012, 04:44 PM   #2
GGJstudios
macrumors Westmere
 
Join Date: May 2008
You don't need any 3rd party antivirus app to keep a Mac malware-free, as long as you practice safe computing, as described in the following link. Read the "What security steps should I take?" section of the Mac Virus/Malware FAQ for tips on practicing safe computing.
Old Dec 31, 2012, 10:26 AM   #3
Weaselboy
macrumors G4
 
Join Date: Jan 2005
Quote:
Originally Posted by RubyRoses
Hello again to everyone on MacRumors. I love the new iMac which I bought recently, and have been having a good look round the system getting used to all its new weird and wonderful features. (The last OS I was using was Tiger, so I feel like I'm on an alien planet right now.)

I've been looking for a good guide on how to configure ML's security settings, but was only able to find some guy's, er, perhaps slightly paranoid thoughts: https://discussions.apple.com/docs/DOC-3291 and: http://mostlysecure.blogspot.co.uk/2...tain-lion.html Anyone got any other good links, or can suggest any other good guides? Or any other good tips per se?

The first thing I'm trying to wrap my head round is the AppleID's new importance. It seems to me that the AppleID is required if you want to download anything from the app store (a new feature), and the Admin password is required if you want to install anything (a good old feature)? Is that correct?
You are on target with the AppleID and admin account. As a new user what is easiest is to just create a free iCloud account and use that as your AppleID.

Quote:
If that's the case, then would it make better security sense to create an email address which isn't given out publicly, and used only as an AppleID instead? Or is that what this whole @me thing is about (never understood that. Been under a rock for years. Apologies.)
You do raise a good point. What you can do is create the iCloud account like I mentioned, then go to icloud.com and you can create up to three "alias" email addresses. Then just use the main one for your AppleID purposes and one of the aliases for outside emails. All the emails will come in the same account, so it is easy to manage.

Quote:
Moving on from that point: I've read that it's wise to create a non-admin account for daily usage. How do you do that, and have many people here done this?
That is kind of a holdover from Linux days and not really necessary on OS X. Most users just run with the one admin account. It does not create any security problems.

Quote:
Also. Say you decided to switch on File Vault to encrypt your data: if you backed up said data and then transferred it to another machine, would you be able to read your data as normal, or would it be all scrambled? This is probably another one of my silly questions! ^_-
Nope. Your data would not be encrypted or scrambled if you move it off the machine. The way Filevault2 works is it creates a giant container on the drive and that entire container is locked down. When you login with your password the "container" is unlocked and opened and any data you see or copy/move is not encrypted and looks just like any other drive. It really is very transparent.

If you are concerned about securing your data Filevault2 is a really good way to do that.

You should also turn on the EFI (firmware) password to prevent anybody who steals your machine from booting to an external drive to crack your password. Just do a command-r boot and this will take you to the recovery screen. Then look in the utilities menu for the option to set the firmware password. Make sure you remember what this password is, because if you forget it there is no way to get past it without a visit to the Apple store for a reset.
Old Jan 1, 2013, 08:21 AM   #4
RubyRoses
Thread Starter
macrumors newbie
 
Join Date: Feb 2011
Quote:
Originally Posted by GGJstudios
You don't need any 3rd party antivirus app to keep a Mac malware-free, as long as you practice safe computing, as described in the following link. Read the "What security steps should I take?" section of the Mac Virus/Malware FAQ for tips on practicing safe computing.
Thanks very much for the pointers, GGJstudios; those are some handy links. I might run ClamXav simply because I've read good things about it and there seems no harm in it. But I agree that any paid-for AV software would be overkill on an iMac which is already protected by Apple.
Old Jan 1, 2013, 09:17 AM   #5
RubyRoses
Thread Starter
macrumors newbie
 
Join Date: Feb 2011
Quote:
Originally Posted by Weaselboy
As a new user what is easiest is to just create a free iCloud account and use that as your AppleID...What you can do is create the iCloud account like I mentioned, then go to icloud.com and you can create up to three "alias" email addresses.
Thanks for the suggestion. Since I've got my own domain name, I think I'll just use that to create a new email address. Furthermore, since I don't have any other iDevices, I can't really see the point in using iCloud right now - plus I've heard it's a bit of hassle! But I imagine that one day a time will come where iCloud will become an integral part of the Apple experience.

Quote:
Originally Posted by Weaselboy
That is kind of a holdover from Linux days and not really necessary on OS X. Most users just run with the one admin account. It does not create any security problems.
That's good to know - I'll just go with the majority then! I must admit, I was dubious as to how two different accounts could make any real difference, security-wise.

Quote:
Originally Posted by Weaselboy
Nope. Your data would not be encrypted or scrambled if you move it off the machine. The way Filevault2 works is it creates a giant container on the drive and that entire container is locked down. When you login with your password the "container" is unlocked and opened and any data you see or copy/move is not encrypted and looks just like any other drive. It really is very transparent.
That's VERY interesting to know. So, if you have set up a login password, what's the difference between having Filevault2 enabled and not, since in both instances you'd be entering the same password (the admin one, I presume). Until you've logged in, all data is inaccessible to you either way, right?

Quote:
Originally Posted by Weaselboy
You should also turn on the EFI (firmware) password to prevent anybody who steals your machine from booting to an external drive to crack your password.
Wow - I didn't know about that. Just out of interest, how would someone boot to an external drive to crack a password?

Thanks ever so much for being so helpful!
Old Jan 1, 2013, 11:18 AM   #6
Weaselboy
macrumors G4
 
Join Date: Jan 2005
Quote:
Originally Posted by RubyRoses
That's VERY interesting to know. So, if you have set up a login password, what's the difference between having Filevault2 enabled and not, since in both instances you'd be entering the same password (the admin one, I presume). Until you've logged in, all data is inaccessible to you either way, right?
The regular user password is fairly easy to bypass. You can just command-r boot to the recovery partition and run a utility that resets it. Having FV2 on blocks that and encrypts the entire drive.

Quote:
Wow - I didn't know about that. Just out of interest, how would someone boot to an external drive to crack a password?
There are hacker tools and cracks that require a boot to another drive to load on your computer. Having the EFI password on blocks that.

The combination of EFI password and FV2 is at this point airtight. I have yet to see any demonstration of a way to crack this combination.
Old Jan 5, 2013, 04:41 AM   #7
Jon-PDX
macrumors regular
 
Join Date: Oct 2011
Location: Pacific NW - USA
Quote:
Originally Posted by Weaselboy
..........
The combination of EFI password and FV2 is at this point airtight. I have yet to see any demonstration of a way to crack this combination.
Question.....

I've never used an EFI password or FV2. At startup, in addition to the user password, would I also have to enter the EFI and FV2 passwords for a total of three (3) passwords before I can use the computer?

Oh, I just thought of another question......sorry.

If the computer goes to sleep will it be locked down just as tight, or only require the user password (assuming I tell it to ask for one after waking up)?

I'm thinking on my Air this would be a good way to protect it if I lost it. But having to enter that many passwords would sure be a hassle at times.

Thanks,

Jon...
__________________
MacPro 5.1 (mid 2010), MacMini 6.1 (late 2012), iPad-3, iPhone 4s, and a few PC's
Old Jan 5, 2013, 06:14 AM   #8
Weaselboy
macrumors G4
 
Join Date: Jan 2005
Quote:
Originally Posted by Jon-PDX
Question.....

I've never used an EFI password or FV2. At startup, in addition to the user password, would I also have to enter the EFI and FV2 passwords for a total of three (3) passwords before I can use the computer?

Oh, I just thought of another question......sorry.

If the computer goes to sleep will it be locked down just as tight, or only require the user password (assuming I tell it to ask for one after waking up)?

I'm thinking on my Air this would be a good way to protect it if I lost it. But having to enter that many passwords would sure be a hassle at times.

Thanks,

Jon...
The EFI password only ever needs to be reentered if you want to boot to another disk. So once you initially set it, you are done with it.

FV2 replaces the login password process you are using now with its own process that looks very much the same.

So from a cold boot you will only enter the FV2 password to login and that is it. So you still only have to type in one password.

It is not as secure when only in sleep. When logged in to the account but at the screen you get when waking from sleep, the FV2 encrypted container is open... so hypothetically a determined hacker MIGHT be able to login to your machine using one of many Internet sharing protocols. This is very very unlikely though.

What I do is just let it sleep with a PW to wake up if the computer is around the house and then logoff completely if I am taking the computer out of the house where it will be left unattended.
Old Jan 5, 2013, 06:29 AM   #9
Jon-PDX
macrumors regular
 
Join Date: Oct 2011
Location: Pacific NW - USA
Excellent......thanks for the quick reply!

I think I'll set the EFI on both my machines and give FV2 a try on my Air since I'm still a little nervous about encrypting my drives. I'm sure it's fine but the critical stuff is on the Pro and if I mess up the Air it's no big deal to start from scratch.

Jon...
__________________
MacPro 5.1 (mid 2010), MacMini 6.1 (late 2012), iPad-3, iPhone 4s, and a few PC's

All times are GMT -5.
Copyright 2002-2013, MacRumors.com, LLC