Securing Mac clients in a network

Discussion in 'macOS' started by kildjean, Jul 24, 2009.

  1. kildjean macrumors regular

    kildjean

    Joined:
    Apr 16, 2005
    Location:
    Useless, TX
    #1
    hi all;

    I would like to know how I could do the following:

    • Rename the administrative account and hide it.
    • Remove all privileges from regular user accounts
    • Disable auto login
    • Lock down system preferences
    • Remove the ability to install software from User accounts
    • Freeze the keychain
    • Services and applications that will not be used must be disabled.
    • Do not install the BSD subsystem
    • Remove Trust relationships between systems (They are a security risk, and their use must be avoided.)
    • Users must not use root when a non-privileged account will do.

    If anyone could point this out or direct me somewhere where I could read about it I'll appreciate it.

    =)

    Kildjean
     
  2. melchior macrumors 65816

    melchior

    Joined:
    Nov 17, 2002
    #3
    your post made me laugh in your ignorance, well not really, it wasn't that funny. but the BSD subsystem doesn't refer to the 'system' but to the 'subsystem' common unix tools and libraries.

    i don't believe it is installed anyway unless you've installed the dev tools.

    as to the other questions some are easier than others, for example, i don't see how you could stop a user from executing applications they bring on say a usb stick or email... but you could make the Applications directory read-only for users...

    anyway, google would answer these questions with multiple solutions
     
  3. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    Take a look at Apple's Leopard Security Configuration document for answers to a number of your questions. The NSA also have a document for some configuring.

    The admin account can become "hidden" when you change the login settings to only show user name and password fields, rather than a list of users. Not sure how you define "all privileges" so not sure how to answer that. Is logging in a privilege?
     
  4. kildjean thread starter macrumors regular

    kildjean

    Joined:
    Apr 16, 2005
    Location:
    Useless, TX
    #5
    Well, seriously, what that means is not removing the bsd integration.

    What the windows sys admin meant was to disable the use of Terminal on osx.

    understand better now?
     
  5. JGruber macrumors 6502

    Joined:
    Feb 13, 2006
    #6
    About 95% of this can be done via WGM, (Workgroup Manager), if you had a Mac Server running.

    Other than that, I know some of it is possible.
     
  6. mikes63737 macrumors 65816

    Joined:
    Jul 26, 2005
    #7
    I'm so sorry - I thought that you meant the underlying BSD operating system, not the other software. I did a quick Google search for "mac os x bsd subsystem" and I saw this:
    as one of the little preview snippets. But aren't some of those required for even the unix base to run on?

    I'll offer this advice to redeem myself for being so rude - points #2 and #3 can be set in the "Security" section of System Preferences - the 2nd and 3rd options.

    Also, to prevent access to the Terminal, you should be able to just delete the terminal app. But your users can always get a copy of it from one of the demo machines at the Apple store and run it anyway. Maybe Leopard's parental controls can be used to help. I don't know if you're going to be using Leopard server or not, but parental controls may or may not be the answer to many of these questions.
     
  7. kildjean thread starter macrumors regular

    kildjean

    Joined:
    Apr 16, 2005
    Location:
    Useless, TX
    #8
    do you know somewhere I can read about this?

     
  8. JGruber macrumors 6502

    Joined:
    Feb 13, 2006
    #9
    I don't have the links handy, but you can find the WGM info from Apple's documentation.
     
  9. kildjean thread starter macrumors regular

    kildjean

    Joined:
    Apr 16, 2005
    Location:
    Useless, TX
    #10
    that is correct... but don't blame him, it's not a common thing unless you are a sys admin, and besides it's something new he learned =)

    Terminal is installed as part of the basic tools...

    But is there any way to lock down the usb ports so if you stick a USB it doesn't allow you to read it?

    i googled, and i didn't get the answers I needed which is why I posted here.. =)
     
  10. kildjean thread starter macrumors regular

    kildjean

    Joined:
    Apr 16, 2005
    Location:
    Useless, TX
    #11
    gotcha... I also bought a book that talks about that as well... but wanted to hear ideas of other mac admins... =)

    btw are you the jgruber from daring fireball?
     
  11. JGruber macrumors 6502

    Joined:
    Feb 13, 2006
    #12
    I understand that, learning Mac OS X Server is pretty easy if you're familiar with AD and GPO in Windows Server.

    And no I'm not the same person, we just share cool last names :)
     
  12. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #13
    Read the links to the documents I provided earlier.
     
  13. mikes63737 macrumors 65816

    Joined:
    Jul 26, 2005
    #14
    I would strongly advise thinking how disabling flash drives would affect the employees at your workplace. I went to school for 4 years at a place that banned them (aka they didn't work at all) and to be honest, no work got done. It may be necessary for some people's jobs, so think twice before you do that.
     
