Owners of Apple Macintosh products tend to have a — some would say false — sense of security. As Deb Shinder mentioned in an article about Black Hat 2011, the default settings for Macs are not security-optimized. The following tips list a number of preference changes that are particularly important for the business user to modify. These changes help prevent unauthorized access to your computer or data, mitigate the spread of malware, protect your identity online, and minimize the fallout from a lost or stolen computer. I recommend these preference changes to all Mac users.
Logging in and keeping people out
The first changes I recommend to anyone with a Mac are on the Login Options tab (Figure A) of the Accounts pane in System Preferences (called Users & Groups in Lion).
Change Automatic login to Off, change Display login window as to Name and password, and uncheck the box for Show password hints. Astute observers may notice my option for Automatic login is grayed out; we’ll touch on that in the next section.
The Automatic login drop-down affects the current user, while the other changes affect all users.
Now, navigate to the General tab of the Security pane in System Preferences (called Security & Privacy in Lion, Figure B).
Change the Require password drop-down to immediately so the computer will lock when the screen saver kicks on or when the computer goes to sleep (this is a per-user setting). Under For all accounts on this computer, check the box for Disable automatic login (mine is gray because I have enabled FileVault 2, which makes automatic login impossible). If you have users that are not admins and you would like to prevent them from undoing your work, check the box next to Require an administrator password to access system preferences with lock icons.
A visit to the FileVault and Firewall tabs is also in order. Another TechRepublic article, by Will Limoges, explains why it is important to use both, especially on a MacBook.
In a corporate fleet environment where you might need to make these changes to many computers at once, you can create default user preference templates to be applied at login (called Login Hooks). Also, you can make these changes to the “golden image” from which you deploy your Macs.
Next, we need to make sure the Screen Saver will actually come on to lock the computer during periods of inactivity.
Open System Preferences and click on Desktop & Screen Saver. Switch to the Screen Saver tab. Which screen saver you choose is not important; the important thing is to set the slider under Start screen saver to the appropriate time after which the screen saver will start (Figure C).
If you’re going to walk away from your computer for a few minutes, it’s not a good idea to leave it open to unauthorized access until the screen saver kicks in. If you have Fast User Switching enabled, you can click on the username or icon (depending on which you chose to show in the Menu Bar) and select the option for Login Window, which will put the computer at the login screen without logging you out of your current session (Figure D).
Alternatively you can use the key combination of Shift+Control+Eject which does the same thing. Another good trick is to set up one of the Hot Corners in the Screen Saver preferences to start the screen saver.
Antivirus: Keeping it clean
The debate continues about whether your Mac is virus-proof. This is not as important as the fact that your Mac can be a “carrier” for viruses that affect other platforms. If you don’t want to be responsible for sending an infected file to a client, I suggest using a virus-scanning application to check files before emailing (like ClamXav). While ClamXav has the option to automatically scan incoming files, an on-access scanner is an even better idea. The free Sophos Anti-Virus for Mac Home Edition is a great option for extra peace of mind and has little to no impact on the performance of your system (Figure E). For fleets of Macs, Sophos offers volume licensing that comes with a console to manage the updates, alerts, and disinfection of your monitored computers.
Safe browsing: It’s a jungle out there
I’ll avoid invoking the discussion about which browser is the safest and give you a pointer that is browser-agnostic.
Spoofing and phishing are two of the biggest threats to users browsing the Internet. One of the best ways to mitigate such attacks is to use an alternate DNS provider. Google has a public DNS that you can use, but I prefer OpenDNS. The servers at OpenDNS provide protection from spoofing and phishing by not serving up the IP for URLs that are known to be dangerous. OpenDNS will also correct misspelled URLs that often lead to malicious sites.
You don’t have to sign up for their service; just use the following IP addresses as your primary and secondary DNS: 220.127.116.11 and 18.104.22.168, as shown in Figure F. This can be configured in the Networking pane of System Preferences. Open the Networking pane, highlight the network device you’re using (Ethernet or Wi-Fi) and click the Advanced button in the bottom-right corner. Switch to the DNS tab and click the + under DNS Servers. You’ll get a field where you can enter the primary address. Click the plus sign again and enter the secondary address. Click OK, then click Apply to save the changes. If you have your browser open, quit it, and restart it to use the new DNS.
Alternatively, you can configure your Internet gateway, AirPort, or router to use these DNS IPs, which will protect every computer that uses your network for Internet access. If you do decide to sign up for OpenDNS’s service (which is free for home users), you will get a console where you can customize your protection, get reports, configure content filtering, and set up custom URL shortcuts to sites that you visit on a regular basis. Business users can sign up for the same services (and more) for a price, which is very competitive when compared to services like Websense.
There are a couple of tasty side effects from using OpenDNS. Using it can actually make surfing the web faster, because OpenDNS servers maintain a larger cache of IP addresses than your ISP, and OpenDNS works with content delivery networks to identify nodes that are physically closer to you while you browse. In addition to speed, OpenDNS can be more reliable in the case of outages since their SmartCache keeps many common sites online in the event of an outage or DoS attack.
Do you have other Mac security best practices? Let us know any tools or software solutions you’ve tried to shore up security.