Security?

Discussion in 'General Mac Discussion' started by Pablo, Jan 16, 2003.

  1. Pablo macrumors regular

    Joined:
    Jan 8, 2003
    Location:
    Texas
    #1
    I've thought up a few more questions about Macs and hope I can find some answers...

    One question is in regards to security, specifically dealing with laptops.

    1) What sort of logon/users is used? I'm familiar with the NT OS & file systems. Is there a logon screen during bootup/wakeup?

    2) What sort of security (like NTFS) does the filesystem offer?

    3) My Dell's BIOS allows me to create a password within the BIOS that prevents the laptop from booting without the password, thus not allowing someone to reformat the PC and start fresh. Is there anything like this with the Mac?

    Anything else I should know?
     
  2. Rower_CPU Moderator emeritus

    Joined:
    Oct 5, 2001
    Location:
    San Diego, CA
    #2
    I'll take a stab at your questions...

    1) By default OS X automatically logs in. As soon as you add a second account you are prompted whether or not you want to keep auto login. You can set up the login window at any time with a list of users, where you click on a user and enter the password, or simply username and password fields (similar to NT/2k/XP).

    2) OS X uses HFS+ (Mac OS extended) or UFS (Unix file system). Either file system is capable of full per directory and per file privilege settings (i.e. owner:group:world).

    3) The closest thing that I know of on Macs to a BIOS level password is Open Firmware. OF allows you to prevent the machine from being booted from a CD or different partition without entering the OF password. This should be sufficient to prevent a malicious user from being able to wipe the machine.

    Let me know if I need to clarify anything. :)
     
  3. medea macrumors 68030

    Joined:
    Aug 4, 2002
    Location:
    Madison, Wi
    #3
    Rower is pretty much on track with security, you can check out http://www.securemac.com/index.php for info on security, but so you don't have to look around everywhere here is some info on security and what rower was talking about with Open Firmware:
     
  4. medea macrumors 68030

    Joined:
    Aug 4, 2002
    Location:
    Madison, Wi
    #4
    sorry....pt II

    "Administrative users can boot from alternate locations by selecting an alternate System folder in the Startup Disk preference pane in System Preferences, by holding down the option key during startup, or by holding down the c key to boot from an installation CD. If the system is booted into Mac OS 9.x, filesystem permissions on HFS+ volumes can be circumvented, allowing the equivalent of root-level access to those volumes. Booting from alternate Mac OS X installation locations circumvents filesystem permissions for both HFS+ and UFS volumes. If an attacker has installed X on an external drive and can boot from it, he can authenticate against his own root or administrative user password hash on the external drive instead of the hashes stored in the default boot device. Installing X on a UFS volume obviously imparts no resistance to this method of attack.
    Apple has also provided a method by which a user may reset any user password on a Mac OS X system. This is accomplished by booting from a Mac OS X CD and selecting "Reset Password" from the Installer menu. Apple considers this a feature. It will certainly be useful in a home setting where an administrative user may not understand the importance of remembering passwords, but it presents a risk of which any administrator should be aware.
    "Target Disk Mode" also enables booting from an alternate volume. Mac OS X systems that have built-in FireWire ports can be started up in Target Disk Mode by holding down the t key upon startup. Connecting another Macintosh via FireWire cable to the system booted in Target Disk Mode will allow the mounting of its volumes. If the host computer is running Mac OS 9.x, it will be able to mount HFS+ volumes on the target computer. If the host computer is running Mac OS X, it will be able to mount UFS and HFS+ volumes. Either way, the host computer will potentially gain root-level access to any volumes it can mount.
    Another method of booting a Mac OS X system is single user mode. One may enter single user mode by simply holding down the command-s key sequence during system startup. The risk here is that single user mode requires no authentication by default and imparts root-level access to the system.
    The most apparent method to eliminate these risks associated with physical access to a Mac OS X system is to change the "security-mode" variable in the system's Open Firmware. This setting is supported by Apple Open Firmware 4.1.7 and later. Supported values for this setting are "none" (the default), "command," or "full." The effects of these values of the "security-mode" variable, at the Open Firmware prompt, are described clearly by CodeSamurai in a SecureMac.com article:
        The "command" mode just restricts the commands that may be executed to "go" and "boot." Additionally, under the "command" mode, the "boot" command may not have any arguments - that is, it will only boot the device specified in the boot device [sic] variable; no other command may be entered or any settings changed unless the password is supplied. Moreover, this password protection feature also applies to booting up with the option key held down (which allows you to choose from available bootable volumes...). Finally, in "full" mode, the machine is completely prohibited from booting until the password is entered (21).
    Apple provides a GUI utility called, appropriately enough, "Open Firmware Password" to set the Open Firmware security-mode variable to "command" and create an Open Firmware password. Once these settings are enabled and a password is set, (in addition to the Open Firmware command restrictions outlined above) keys that affect normal startup are disabled. An Apple Knowledge Base document provides details:

    When turned off, Open Firmware Password Protection:

    blocks the ability to use the "C" key to start up from a CD-ROM disc.

    blocks the ability to use the "N" key to start up from a NetBoot server.

    blocks the ability to use the "T" key to start up in Target Disk Mode (on computers that offer this feature).

    blocks the ability to start up in Verbose mode by pressing the Command-V key combination during startup.

    block [sic] the ability to start up a system in Single-user mode by depressing the Command-S key combination during startup.

    blocks a reset of Parameter RAM (PRAM) by pressing the Command-Option-P-R key combination during startup.

    requires the password to use the Startup Manager, accessed by pressing the Option key during startup...

    requires the password to enter commands after starting up in Open Firmware, which is done by depressing the Command-Option-O-F key combination during startup. (11)

    To enable these keys again the Open Firmware Password application must be used to reset the security-mode variable to "none." The password can be reset and changed 1) by any user of the admin group, 2) by starting up the computer from a Mac OS 9.x System Folder, or 3) if one has access to the internal hardware of the Macintosh. If the first method poses a risk, then administrators should verify that all users belonging to the admin group require such privilege and should consider using the sudo utility to allow finer-grained control of administrative privileges than the admin group scheme allows (see Authorized Root Privilege Mechanisms, below). The Open Firmware password itself will prevent all but one method (the Startup Disk preference pane) of booting Mac OS 9.x, so method two should pose no risk. If there is a threat associated with the vulnerability of physical access to the internal hardware, an administrator should lock the case of the Macintosh.

    It is important to note that Apple neither supports nor endorses the use of these Open Firmware security measures on versions of Mac OS X earlier than 10.1 or when used with third-party software utilities. Improperly changing Open Firmware settings may cause damage that only Apple can repair and these repairs may not be covered by Apple's warranty. Good examples of potential harm are reports of permanent Open Firmware corruption if the Open Firmware password is not disabled before performing a firmware update.

    The msec group has released a utility called FWsucker that will extract and decrypt the Open Firmware password. It is available at http://www.msec.net/software/FWSucker.sit . This program comes with little documentation and I have found that it worked only if my Macintosh was booted into Mac OS 9.2.2. It would not work while Mac OS X was booted. This program should pose little risk because unprivileged users will not be able to boot into Mac OS 9.x if Open Firmware is password-protected. If the Open Firmware password is set, the only way to boot into Mac OS 9.x without knowing the firmware password is to select a Mac OS 9.x system folder in the Startup Disk preference pane. This action can only be performed by users of the admin group. Note that it is a trivial procedure, then, for any administrative user to gain the Open Firmware password.

    Leaving a system unattended while logged-in as a user with administrator privileges or with an open shell that has administrator or root privileges is against recommended practices on any flavor of UNIX. All users should password-protect their screen saver and activate it when they step away from a Mac OS X system. This will prevent passersby from tampering with the system. One may enable this effect by clicking the "Use my account password" in the "Activation" tab of the Screen Saver panel in System Preferences. One should also select an appropriately short delay for screen saver activation using the slider here and create a hot-corner for immediate activation of the screen saver in the "Hot Corners" tab.
    An out-of-the-box Mac OS X install, once activated by the creation of the first administrative user, may be set up to automatically log in that user upon system startup. This behavior should be disabled by unchecking the "Automatically log in" box in the "Login Window" tab of the Login preference pane in System Preferences. A final precaution that should be taken is to prevent Mac OS X from revealing valid usernames in the login window. One may do this by clicking the "Name and password entry fields" radio button, under the "Display Login Window as:" heading on the same tab.
    To lessen the risk associated with physical access to a Mac OS X computer, administrators should make several changes to a default installation. They should create an Open Firmware password. This measure disables most methods of booting from alternate boot devices. They should carefully limit the privilege of belonging to the admin group to restrict the use of the Startup Disk preferences pane to boot from alternate locations. Administrators should disable automatic login and disable the display of usernames in the login window. They should physically lock the cases of Macintoshes. Additionally, all users should use a password-protected screen saver. The sum of these measures is a more physically secure Macintosh."
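
Added example, not part of the thread or of the quoted article: a small audit of the Open Firmware `security-mode` setting described in post #4, reporting which of the listed startup paths stay open and which residual risks remain. It assumes `nvram -p` prints one `name<TAB>value` pair per line; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `nvram -p`-style output (assumed format:
# name<TAB>value per line); not captured from a real machine.
SAMPLE_NVRAM=$(printf 'boot-device\thd:9\nsecurity-mode\tcommand\nauto-boot?\ttrue')

# Read nvram text on stdin and print the security-mode value.
# A missing variable is reported as "none", the default named in the thread.
of_security_mode() {
    mode=$(awk -F'\t' '$1 == "security-mode" { print $2; exit }')
    printf '%s\n' "${mode:-none}"
}

# Read nvram text on stdin and print findings.
# Returns 0 for command/full, 1 for none, 2 for an unrecognised value.
of_audit() {
    mode=$(of_security_mode)
    case "$mode" in
        none)
            echo "FAIL security-mode=none: no firmware password is enforced"
            for path in "C key (CD-ROM)" "N key (NetBoot)" \
                "T key (Target Disk Mode)" "Command-S (single-user mode)" \
                "Command-Option-P-R (PRAM reset)" \
                "Option key (Startup Manager, no password)" \
                "Command-Option-O-F (Open Firmware prompt, no password)"
            do
                echo "  open: $path"
            done
            return 1 ;;
        command|full)
            echo "OK security-mode=$mode: startup keys are blocked"
            if [ "$mode" = full ]; then
                echo "  note: the machine will not boot until the password is entered"
            fi
            # Residual paths the quoted text says the password does not close.
            echo "  residual: admin-group users can pick another System folder in Startup Disk"
            echo "  residual: admin-group users can reset or change the firmware password"
            echo "  residual: access to the internal hardware allows a reset; lock the case"
            return 0 ;;
        *)
            echo "WARN security-mode=$mode is not none, command or full"
            return 2 ;;
    esac
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_NVRAM" | of_audit
```

On a machine with Open Firmware the same check would be run as `nvram -p | of_audit`.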
     
  5. Rower_CPU Moderator emeritus

    Joined:
    Oct 5, 2001
    Location:
    San Diego, CA
    #5
    Now that's a plethora of information!!! :eek: :D

    Hopefully that will cover any questions you could have, Pablo...or send you running away screaming. ;)
     
  6. Pablo thread starter macrumors regular

    Joined:
    Jan 8, 2003
    Location:
    Texas
