While requiring a slightly different mindset, security is as important for Mac systems as it is for Windows desktops and servers. Just as with Windows, protecting the Mac operating system and the data it holds -- whether from internal audiences, outside hackers and/or random attacks -- requires a well-thought-out strategy and careful execution.
Although Windows administrators often begin security efforts by developing standard user groups, assigning rights and implementing strong password policies (as should also be done for Mac users), the very next step typically involves investing an organization's resources -- both time and money -- in antivirus and antispyware programs. Although viruses pose much less of a threat to the Mac platform, organizations shouldn't forgo protecting Mac systems with a quality antivirus application. While blogs and other media celebrate the relative lack of self-replicating Mac viruses, especially compared to the number of such infections impacting Windows users, a best business practice is to ensure Mac systems are adequately protected.
Antivirus and antispyware options
Several antivirus options serve to protect the Mac platform: Norton AntiVirus 10.0 For Macintosh, McAfee VirusScan For Mac, Intego Virus Barrier X4, Sophos Anti-Virus For Macintosh, and ClamXav.
Spyware on the Mac platform, however, is essentially a non-issue. Unlike the Windows OS, which in many organizations is sometimes crippled by the never-ending onslaught of malware, adware, and spyware, Macs are relatively immune to the threat. That said, a very small number of utilities exist to protect Macs from unwanted software and malware. Such offerings include SmithMicro Software's Internet Cleanup and SecureMac.com Inc.'s MacScan.
Security efforts on the Mac, therefore, quickly turn to user account security (as with Windows) and then to maintenance and administration best practices. Once user accounts have been implemented and separate, complex passwords assigned to both user and local administrator accounts, typical Windows administrators can take several steps to help ensure Mac OS X systems remain locked down.
Software update
Keeping systems current with the latest security updates and patches is a necessity. The Mac's Software Update feature is the equivalent of Windows Update. By configuring Software Update to automatically download and apply security updates, administrators can keep systems current and help protect Mac OS X from unwanted breaches and compromise.
To configure Software Update, administrators should follow these steps on Mac OS X version 10.4 systems:
- Open System Preferences.
- Double-click Software Update within the System section.
- Press the Update Software tab.
- Select the Check For Updates box.
- Specify how often the Mac system should check for updates (options include Daily, Weekly, and Monthly), as shown in Figure A. Weekly updates should suffice in most organizations, although particularly security-conscious organizations can opt to check daily.
- Administrators wishing to review downloads before they install should check the Download Important Updates In The Background box. When the box is checked, the Mac will notify users that important software updates have been downloaded and are awaiting installation.
Figure A: Software Update assists administrators in keeping Mac OS X current with the latest security patches.
Administrators wishing to review which software updates have been installed can check Software Update's Installed Updates tab. A window similar to the one in Figure B will appear, listing the installed updates along with their version numbers.
Figure B: Software Update's Installed Updates tab lists when updates were applied, the update name and the version number. All of the Installed Updates information can also be viewed as a log file.
Meanwhile, administrators can check for new updates at any time by pressing Software Update's Check Now button.
Application updates
In addition to ensuring Mac OS X remains up-to-date with the latest security patches and fixes, administrators should strive to ensure installed applications remain current. For example, numerous Mac programs connect to networks, the Internet and other resources. Those programs, too, must remain secure with the latest security patches. By regularly updating Web browsers, office productivity applications, utilities, antivirus programs, and other software, administrators can help prevent common causes of system breaches.
IP Firewall
Another element with which Windows administrators must familiarize themselves is the Mac OS X IP Firewall, known as IPFW. The built-in firewall offers a powerful utility for protecting against unwanted network access.
To enable Mac's IP Firewall and reduce network threats, administrators can follow these steps:
- Open System Preferences.
- Double-click the Sharing option within the Internet & Network section.
- Select the Firewall tab.
- Press the padlock icon and enter an account username and password possessing administrator rights and press OK. You'll then see the screen shown in Figure C.
- Ensure the firewall is enabled (press the Start button if the firewall is stopped).
- Disable as many of the incoming network services as is practical within the organization's operating environment. To disable services (for which default options include Personal File Sharing, Windows Sharing, Personal Web Sharing, Remote Login -- SSH, FTP Access, Apple Remote Desktop, Remote Apple Events, Printer Sharing, iChat Bonjour, iTunes Music Sharing, iPhoto Bonjour Sharing, Network Time and CVS), simply uncheck the respective checkbox.
Figure C: Apple's built-in firewall provides a simple interface for configuring powerful service-blocking features.
Administrators can add new services using the supplied New button. When enabling new incoming services, administrators must specify a port name (options include ICQ, IRC, Timbuktu, VNC, and Other), TCP port number, UDP port number, and a description.
Under Advanced Options, administrators can elect to block all UDP traffic, enable firewall logging and trigger Stealth Mode. In Stealth Mode, uninvited traffic receives no response from the Mac system, thereby increasing security by preventing the Mac from automatically responding to even simple attempts to learn whether it is online.
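An added example (not part of the original article): a shell audit for the step above that disables unneeded incoming services. It parses `ipfw list` output and names each inbound port still allowed; the port numbers, the rule layout in the sample and the function names are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example: list inbound services that IPFW rules still allow.
# Port-to-service names are assumptions based on standard port assignments.

# Constructed sample of `sudo ipfw list` output (not captured from a real Mac).
sample_rules() {
cat <<'EOF'
02000 allow ip from any to any via lo*
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any dst-port 22 in
02080 allow tcp from any to any dst-port 548 in
02090 allow tcp from any to any dst-port 3689 in
12190 deny tcp from any to any
65535 allow ip from any to any
EOF
}

# Read ipfw rules on stdin; print "port service" for each inbound allow rule.
open_services() {
  awk '
    BEGIN {
      name[21] = "FTP Access";             name[22] = "Remote Login (SSH)"
      name[80] = "Personal Web Sharing";   name[139] = "Windows Sharing"
      name[548] = "Personal File Sharing"; name[631] = "Printer Sharing"
      name[2401] = "CVS";                  name[3031] = "Remote Apple Events"
      name[3283] = "Apple Remote Desktop"; name[3689] = "iTunes Music Sharing"
    }
    $2 == "allow" && $NF == "in" {
      for (i = 3; i < NF; i++) if ($i == "dst-port") {
        n = split($(i + 1), ports, ",")   # a rule may list several ports
        for (p = 1; p <= n; p++) {
          svc = (ports[p] in name) ? name[ports[p]] : "unlisted service"
          print ports[p], svc
        }
      }
    }'
}

# Exit 0 only if a catch-all "deny tcp" rule is present in the rule set.
has_default_deny() {
  grep -Eq '^[0-9]+ deny tcp from any to any$'
}

# On a Mac, replace sample_rules with: sudo ipfw list
sample_rules | open_services
sample_rules | has_default_deny || echo "WARNING: no catch-all TCP deny rule"
```

Each line of output is a service to justify or uncheck on the Firewall tab.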
FileVault
Administrators wishing to ensure Mac data remains secure can leverage Apple's FileVault feature, which is particularly important on laptops used by mobile employees. FileVault automatically encrypts all the data within each user's Home folder. The 128-bit encryption makes it exponentially more difficult for another user or hacker who does not know the user's password to access that user's files. Thus, if a laptop with sensitive data is accidentally left in an airport or hotel, the laptop's data is that much more secure.
To enable FileVault, administrators need to follow these steps:
- Open System Preferences.
- Double-click the Security icon within the Personal section.
- Select Turn On FileVault (you'll be prompted to set a Master Password for the system if one hasn't already been assigned).
- The Mac will present a warning message stating that files will be encrypted. Administrators must enter the administrative password to proceed. Upon supplying the password, the Mac begins encrypting the user's Home Folder; the process can take some time depending upon the number and size of files stored within the Home Folder.
- When complete, the Mac will present the login window. Users can then log back in to the Mac system (they'll find the Home Folder contents are now encrypted, as noted by a FileVault icon on the user's login window).
Secure virtual memory
Particularly security-conscious organizations can also choose to encrypt the Mac's virtual memory. Virtual memory, of course, is the data the Mac stores on the hard drive when operations exceed available RAM.
By enabling Secure Virtual Memory, administrators can prevent talented hackers from accessing information (including passwords and domain logons) from a user's live swap file. While the scenario sounds unlikely, the prevalence of unencrypted Wi-Fi hotspots and go-anywhere computing only increases the likelihood of such a breach.
To enable Secure Virtual Memory, administrators can follow these steps:
- Open System Preferences.
- Double-click the Security icon from within the Personal section.
- Press the padlock to enable changes.
- Supply a username and password possessing administrator rights.
- Check the box for Use Secure Virtual Memory.
Other recommendations
Administrators can also take several other steps to help secure Macs. In addition to disabling automatic login (the checkbox is accessed using the Security applet within System Preferences), administrators should disable fast user switching (accessed from the Accounts applet within System Preferences). Further, when deploying new Macs, care should be taken to leave the UNIX-powered machine's root account off.
To disable the root user account (if enabled), follow these steps:
- Open the Mac's Finder application.
- Navigate to the Applications folder.
- Open the Utilities folder.
- Open NetInfo Manager.
- Select Security from the top menu bar and select Authenticate.
- Enter a username and password possessing administrator rights and press OK.
- Highlight Security from the menu bar.
- Select Disable Root User.
Summary
Out of the box, Macs are inherently more secure than Windows systems. In addition to having most unnecessary services and daemons disabled by default, Macs face little threat from viruses, spyware, adware, and other malware. That doesn't mean Macs are immune from security threats, though.
In fact, Apple computers require sound security strategies to remain secure just as Windows systems do. By configuring user accounts, assigning proper permissions, requiring complex passwords, regularly updating Mac OS X and installed applications, ensuring the Mac's built-in firewall is properly configured, and by following other steps reviewed here, administrators can help ensure they've taken appropriate steps to protect Apple systems from unwanted breaches.



