Enterprise Software

Follow these best practices for securing Mac OS X

Thanks to several built-in security features, Mac OS X is pretty much secure right out of the box. Of course, there are always additional security practices you can incorporate. Mike Mullins details OS X's built-in security features and suggests three things you can do to secure your Mac even more.

With its foundation deeply buried in UNIX, the Mac OS X system is incredibly secure. Even out of the box, this system comes to you in a very secure state.

The default features included in the Mac make it an excellent choice for users worried about hackers and viruses. Let's take a look at some of OS X's built-in features that make this system so secure out of the box.

  • It has a secure default configuration: By default, OS X closes all of the communication ports, and it disables all native services, including personal file sharing, Windows file sharing, personal Web sharing, remote login, FTP access, remote Apple events, and printer sharing.
  • It includes a personal firewall: Enabling OS X's personal firewall denies all inbound connections except for those you specifically allow. Unlike other personal firewalls, you must explicitly identify the traffic you want to allow the first time you turn on the firewall. In addition, the firewall includes a Stealth Mode setting, which won't acknowledge the system's existence to would-be hackers looking for machines to attack.
  • It automatically updates the machine: This feature allows your Mac to download software updates and security patches automatically. In addition, Apple digitally signs its updates, so you can be sure they come from a trusted source.
  • It features FileVault encryption: FileVault protects the data on your machine using AES-128 encryption, rather than the weaker Data Encryption Standard X (DESX) algorithm used by the Windows Encrypting File System (EFS).
  • It offers a secure Keychain: The Keychain automatically stores all password information to use encrypted disk images and to log onto file servers, FTP servers, and Web servers. This feature enables you to create and use complex passwords without writing them down or trying to remember them.
  • It includes a permanent deletion feature: When you delete a file or folder, the Secure Erase Trash feature immediately overwrites the file with invalid information, making the file disappear completely and removing the possibility of recovering the data.

Of course, it's important to remember that even with all of these native security features, nothing is secure until you've verified it—and incorporated some security best practices. The following three best practices are the most common security recommendations within the overall UNIX community. You can accomplish all three tasks via the System Preferences dialog box.

  • Create an additional non-administrative account for daily use: Remember: Admin or root accounts are for tasks—not browsing the network and reading e-mail.
  • Use the OS X screensaver with a password: This habit ensures that your machine remains inaccessible whenever you're away from the keyboard.
  • Turn on network time synchronization: If you plan to maintain and use log files (and Macs log a lot of information), this step makes sure the timestamp in the system logs is accurate.

Final thoughts

While OS X is secure out of the box, you should still take some time and browse through its different features. Make sure to verify that the level of security is consistent with your needs.

For more information, check out the National Security Agency's Apple Mac OS X Guide and Corsaire's selection of security white papers.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Editor's Picks

Free Newsletters, In your Inbox