Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Securing a Mac

E

eric.c

macrumors newbie
Original poster
Jun 29, 2009
25
0
Hey guys, I was wondering what the best way to lock down my Mac is.

Just to be clear, I don't really care if people are able to log in / view my files when I'm not here. What I don't want is for them to be able to change the admin password and make system changes.

I was wondering if my current solution is good enough:

Admin password, set to automatic log in. (so deleting system files needs a password still)
Firmware password, to prevent people from using the OS X restore disks to reset my admin password.

Is this a good enough solution? Can people somehow reset the firmware password without knowing my admin password or vise versa?
 
I don't quite understand what you are asking. You call the thread 'securing a mac' you have an account setup with a password, yet you leave auto login enabled??? If you want your mac to be secure then you better be worried about people being able to get into it!! Turn auto login off and setup a guest account, that way no one can get into your account but they can get in as guest, they can't do much as guest and any files they create get deleted when they log out. No one can do anything as long as the root account is disabled and no one knows your admin account password.
 
eric.c said:
Hey guys, I was wondering what the best way to lock down my Mac is.

Just to be clear, I don't really care if people are able to log in / view my files when I'm not here. What I don't want is for them to be able to change the admin password and make system changes.

I was wondering if my current solution is good enough:

Admin password, set to automatic log in. (so deleting system files needs a password still)
Firmware password, to prevent people from using the OS X restore disks to reset my admin password.

Is this a good enough solution? Can people somehow reset the firmware password without knowing my admin password or vise versa?
Click to expand...
Do others have physical access to your computer? If so, then that raises a red flag that it difficult to lower. People with physical access to your computer can do physical damage to it. Your physical system may be worth much more than the data stored on it.

If others do not have physical access to your computer, then your security measures are more than adequate for most users. Auto login allows the user at the keyboard to use your computer without entered the password. Remote users must still do so. Suffice it to say, you can't use a MacOS X DVD to reset your password via remote login.

BTW, you seem to believe that only the System Restore disc can reset your password. This is not true. Any compatible MacOS X distribution DVD can be used to reset the password. However, the user must have physical access to your system.
 
From Finder Help.

"If you don’t want the user to be able to change preferences or install software on the computer, don’t give the user administrator access.

To keep your computer secure, don’t share administrator names and passwords. Be sure to log out when you leave your computer, and use the Security pane of System Preferences to require a password when the computer is idle. If you leave your computer while you’re logged in, someone could sit down at your computer while you’re away and make changes using your administrator privileges.

Don’t have an administrator account automatically logged in when the computer starts up. If you do, someone could simply restart the computer to gain access with administrator privileges."

Set up a Standard user account without Admin privileges. Using an admin account for every day use is a security threat.
 
Who else has access to your Mac?

Also do they know much about Macs?

If anyone does and they want to cause problems they could change the admin password without knowing the current one easily in under 5 mins.
 
Sorry, it seems that I didn't make myself clear in my post.

I don't really care about if people can see the data that's on the computer. It's nothing confidential. What I don't what people to do is be able to modify the system at all, not even with a Mac OS X DVD or System Restore disk.

My main concern with this is theft. I want automatic login enabled so that I can turn on Undercover when they connect to the internet. What I don't want them to do is to uninstall Undercover (either by uninstalling it, which they need an admin password for) or by reinstalling the system (which I have prevented by putting up a firmware password). I was wondering if there were any other ways to wipe a drive (and thus delete undercover) or swap drives (again, removing undercover) without any password protection on the Mac (like by swapping the HDD, or resetting the firmware password, if that's possible).
 
You should follow Undercover's recommendations on using it. I use it and you should have a guest account setup so that anyone who steals the computer can log in and get connected to the Internet and UC can do it's job.

Secondly, you shouldn't be telling anyone you even have that on there, that way they likely will not look to uninstall it. You can put all the passwords on OS/X or firmware passwords you want on it but if the person who wants your data or computer knows what they're doing, they will have their way with it. But in all likelihood, anyone who does steal it will not know how to bypass UC.

You really shouldn't have an auto login set with administrative privileges; you're just inviting trouble with that.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back