
Vulkan

macrumors 6502
Original poster
Apr 16, 2005
Useless, TX
hi all;

I would like to know how I could do the following:

• Rename the administrative account and hide it.
• Remove all privileges from regular user accounts
• Disable auto login
• Lock down system preferences
• Remove the ability to install software from User accounts
• Freeze the keychain
• Services and applications that will not be used must be disabled.
• Do not install the BSD subsystem
• Remove Trust relationships between systems (They are a security risk, and their use must be avoided.)
• Users must not use root when a non-privileged account will do.

If anyone could point this out or direct me somewhere where I could read about it I'll appreciate it.

=)

Kildjean
 
That made me laugh. Do you expect the computer to be usable? It won't do ANYTHING (seriously!) without the BSD subsystem.

your post made me laugh in your ignorance, well not really, it wasn't that funny. but the BSD subsystem doesn't refer to the 'system' but to the 'subsystem' common unix tools and libraries.

i don't believe it is installed anyway unless you've installed the dev tools.

as to the other questions some are easier than others, for example, i don't see how you could stop a user from executing applications they bring on say a usb stick or email... but you could make the Applications directory read-only for users...

anyway, google would answer these questions with multiple solutions
 
Take a look at Apple's Leopard Security Configuration document for answers to a number of your questions. The NSA also have a document for some configuring.

The admin account can become "hidden" when you change the login settings to only show user name and password fields, rather than a list of users. Not sure how you define "all privileges" so not sure how to answer that. Is logging in a privilege?
 
That made me laugh. Do you expect the computer to be usable? It won't do ANYTHING (seriously!) without the BSD subsystem.

Well, seriously, what that means is not removing the bsd integration.

What the windows sys admin meant was to disable the use of Terminal on osx.

understand better now?
 
About 95% of this can be done via WGM (Workgroup Manager), if you had a Mac Server running.

Other than that, I know some of it is possible.
 
your post made me laugh in your ignorance, well not really, it wasn't that funny. but the BSD subsystem doesn't refer to the 'system' but to the 'subsystem' common unix tools and libraries

Well, seriously, what that means is not removing the bsd integration.

What the windows sys admin meant was to disable the use of Terminal on osx.

understand better now?

I'm so sorry - I thought that you meant the underlying BSD operating system, not the other software. I did a quick Google search for "mac os x bsd subsystem" and I saw this:
Google Search said:
The BSD subsystem is the foundation for Darwin to run on, so it's not possible to install either Darwin or OSX without it
as one of the little preview snippets. But aren't some of those required for even the unix base to run on?

I'll offer this advice to redeem myself for being so rude - points #2 and #3 can be set in the "Security" section of System Preferences - the 2nd and 3rd options.

Also, to prevent access to the Terminal, you should be able to just delete the terminal app. But your users can always get a copy of it from one of the demo machines at the Apple store and run it anyway. Maybe Leopard's parental controls can be used to help. I don't know if you're going to be using Leopard server or not, but parental controls may or may not be the answer to many of these questions.
 
your post made me laugh in your ignorance, well not really, it wasn't that funny. but the BSD subsystem doesn't refer to the 'system' but to the 'subsystem' common unix tools and libraries.

that is correct... but don't blame him, it's not a common thing unless you are a sys admin, and besides it's something new he learned =)

i don't believe it is installed anyway unless you've installed the dev tools.

Terminal is installed as part of the basic tools...

as to the other questions some are easier than others, for example, i don't see how you could stop a user from executing applications they bring on say a usb stick or email... but you could make the Applications directory read-only for users...

But is there any way to lock down the usb ports so if you stick a USB it doesn't allow you to read it?

anyway, google would answer these questions with multiple solutions

i googled, and i didn't get the answers I needed which is why I posted here.. =)
 
I don't have the links handy, but you can find the WGM info from Apple's documentation.

gotcha... I also bought a book that talks about that as well... but wanted to hear ideas of other mac admins... =)

btw are you the jgruber from daring fireball?
 
gotcha... I also bought a book that talks about that as well... but wanted to hear ideas of other mac admins... =)

btw are you the jgruber from daring fireball?

I understand that, learning Mac OS X Server is pretty easy if you're familiar with AD and GPO in Windows Server.

And no I'm not the same person, we just share cool last names :)
 
I would strongly advise thinking about how disabling flash drives would affect the employees at your workplace. I went to school for 4 years at a place that banned them (aka they didn't work at all) and to be honest, no work got done. It may be necessary for some people's jobs, so think twice before you do that.
 