With its foundation deeply buried in UNIX, the Mac OS X
system is incredibly secure. Even out of the box, this system comes to you in a
very secure state.

The default features included in the Mac make it an
excellent choice for users worried about hackers and viruses. Let’s take a look
at some of OS X’s built-in features that make this system so secure out of the
box.

  • It has a secure default configuration:
    By default, OS X closes all of the communication
    ports, and it disables all native services, including personal file
    sharing, Windows file sharing, personal Web sharing, remote login, FTP
    access, remote Apple events, and printer sharing.
  • It includes a personal firewall:
    Enabling OS X’s personal firewall denies all inbound connections except
    for those you specifically allow. Unlike other personal firewalls, you must
    explicitly identify the traffic you want to allow the first time you turn on
    the firewall. In addition, the firewall includes a Stealth Mode setting, which
    won’t acknowledge the system’s existence to would-be hackers looking for
    machines to attack.
  • It automatically updates the machine:
    This feature allows your Mac to download software updates and security
    patches automatically. In addition, Apple digitally signs its updates, so
    you can be sure they come from a trusted source.
  • It features FileVault encryption:
    FileVault protects the data on your machine using AES-128 encryption,
    rather than the weaker Data Encryption Standard X (DESX) algorithm used by
    the Windows Encrypting File System (EFS).
  • It offers a secure Keychain:
    The Keychain automatically stores all the password information needed to
    use encrypted disk images and to log on to file servers, FTP servers, and
    Web servers. This feature enables you to create and use complex passwords
    without writing them down or trying to remember them.
  • It includes a permanent deletion feature:
    When you delete a file or folder, the Secure Erase Trash feature
    immediately overwrites the file with invalid information, making the file
    disappear completely and removing the possibility of recovering the data.

Of course, it’s important to remember that even with all of
these native security features, nothing is secure until you’ve verified it—and incorporated
some security best practices. The following three best practices are the most
common security recommendations within the overall UNIX community. You can
accomplish all three tasks via the System Preferences dialog box.

  • Create an additional non-administrative account for daily use:
    Remember: Admin or root accounts are for administrative tasks, not for
    browsing the network and reading e-mail.
  • Use the OS X screensaver with a password:
    This habit ensures that your machine remains inaccessible whenever
    you’re away from the keyboard.
  • Turn on network time synchronization:
    If you plan to maintain and use log files (and Macs log a lot of
    information), this step makes sure the timestamp in the system logs is
    accurate.
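
One way to verify the three practices above from Terminal instead of the System Preferences dialog box, as an added example that is not part of the original article. It assumes `dscl`, `defaults` and `systemsetup` print in the formats named in the comments, and that the screensaver password setting is stored under the `askForPassword` key used by older OS X releases; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): audit the three best practices.
# Each check_* function receives the text a macOS command printed and
# returns 0 = in place, 1 = not in place, 2 = could not be verified.
# $1 = user name, $2 = output of: dscl . -read /Groups/admin GroupMembership
check_not_admin() {
    [ -n "$2" ] || return 2
    for m in ${2#GroupMembership:}; do
        if [ "$m" = "$1" ]; then return 1; fi
    done
    return 0
}

# $1 = output of: defaults -currentHost read com.apple.screensaver askForPassword
check_screensaver_lock() {
    case "$1" in 1) return 0 ;; 0) return 1 ;; *) return 2 ;; esac
}

# $1 = output of: systemsetup -getusingnetworktime (may need admin rights)
check_network_time() {
    case "$1" in
        "Network Time: On")  return 0 ;;
        "Network Time: Off") return 1 ;;
        *)                   return 2 ;;
    esac
}

# $1 = label, remaining arguments = the check to run; prints one result line
report() {
    label=$1; shift
    "$@" && rc=0 || rc=$?
    case "$rc" in
        0) echo "PASS    $label" ;;
        1) echo "FAIL    $label" ;;
        *) echo "UNKNOWN $label" ;;
    esac
}

audit() {
    user=$(id -un)
    report "account '$user' is not an administrator" check_not_admin "$user" \
        "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"
    report "screensaver asks for a password" check_screensaver_lock \
        "$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null)"
    report "network time synchronization is on" check_network_time \
        "$(systemsetup -getusingnetworktime 2>/dev/null)"
}
if [ "$(uname -s)" = "Darwin" ]; then audit; fi   # live checks only on a Mac
```

An UNKNOWN line means the command produced no recognizable answer, so confirm that setting in System Preferences.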

Final thoughts

While OS X is secure out of the box, you should still take
some time and browse through its different features. Make sure to verify that the
level of security is consistent with your needs.

For more information, check out the National Security Agency’s
Apple Mac OS X Guide
and Corsaire’s selection of security white papers.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the director
of operations for the Southern Theater Network Operations and Security Center.