Mac OS X security / hardening best practices

[Avery1]

Today, I found that I can see the entire contents of my boot disk, when plugged into another machine, as a secondary disk. I did not expect encryption, but did expect some level of PW protection.

I am much more familiar with UNIX and Windows security.

What are the best practices for securing/hardening Snow Leopard?

(I have seen the NSA document, Apple Document, and cisecurity.org benchmarks)

 

[hakuryuu]

If you want to protect your machine from being used as a target disk or booting from a disc, netboot, etc. you should set a Firmware password.

http://support.apple.com/kb/HT1352

 

[Sedulous]

Or enable file vault.

 

[John Kotches]

Today, I found that I can see the entire contents of my boot disk, when plugged into another machine, as a secondary disk. I did not expect encryption, but did expect some level of PW protection.

I am much more familiar with UNIX and Windows security.

And OS X is essentially a *nix underneath.

When you attach a drive to another flavor of unix machine do you need to have a password to see the contents? Nope. Just the appropriate R/W permissions.

What are the best practices for securing/hardening Snow Leopard?

Shutoff all non-essential services. The fewer paths there are into the machine, the harder it is to be hacked. Try a portscanner against the machine to see what TCP and UDP ports are listening as an additional step.

There's obviously much more than that, but just by starting there you're ahead of the game.

(I have seen the NSA document, Apple Document, and cisecurity.org benchmarks)

Then you are armed with more informatation than most.

 

[mac2x]

Could you recommend a portscanner? I would like to try that. PM if you wish.

 

[John Kotches]

Could you recommend a portscanner? I would like to try that. PM if you wish.

I usually use nmap for this type of stuff, http://www.nmap.org

 

[mac2x]

Thanks!

 

[Avery1]

Thanks, folks. Keep 'em coming!

 

[satcomer]

Today, I found that I can see the entire contents of my boot disk, when plugged into another machine, as a secondary disk. I did not expect encryption, but did expect some level of PW protection.

I am much more familiar with UNIX and Windows security.

What are the best practices for securing/hardening Snow Leopard?

(I have seen the NSA document, Apple Document, and cisecurity.org benchmarks)

I would say do NOT use the OS X built-in firewall, it IMHO is for stupid users wo don't know about real firewalls. If you want real firewall protection and use the UNIX built-in command line IPFW without command line then look at WaterRoof. If that is to much for needs then look at NoobProof. For a comparison between the two look at this.