Best practices for securing Mac network services

Erik Eckel offers some best practices to keep in mind as you secure Mac network services in an enterprise environment.

Macs, by virtue of being built upon the UNIX platform, are more secure than Windows systems. The numerous viruses, spyware, malware ,and network vulnerabilities that plague Windows computers are largely powerless against Macs, but that doesn't mean Macs are immune from threats. Here are some best practices for ensuring Macs remain secure within enterprise environments.

Secure file sharing

Few networking services are enabled, by default, on Macs. Those that are automatically enabled are typically required for network connectivity. That means Mac systems respond to few requests from external machines, thereby enhancing security.

When enterprise administrators deploy Macs, files should be shared from centralized servers. Tapping centralized servers enables leveraging groups, policies and other traditional methods to properly secure network file access.

In those cases in which files must be shared from individual Macs, whether using AFP, FTP or SMB, configure systems to require user authentication. Anonymous FTP is disabled by default on Macs; you should not reverse this setting. Guest access should be disabled, too, from within Account preferences.

Remember, when Mac file sharing is enabled, that administrative users can remotely mount any volume and both standard and administrative users can access their home folders remotely. Public folders are automatically shared, too, as new standard and administrative users are created.

Unless a compelling reason exists, enterprise administrators should disable these default settings within the Sharing preferences or Finder's Get Info window to increase security. Custom file sharing, accessible via the Finder window within its Sharing & Permissions area, permits additional fine-tuning of any file shares enabled on a Mac.

Secure screen sharing

Macs include screen sharing capabilities designed to aid remote engineers troubleshooting client issues. Apple screen sharing uses an encrypted form of the Virtual Network Computing (VNC) protocol. Because the feature enables remotely viewing and controlling a Mac, care must be taken to ensure network security. The service, when enabled within System Preferences Sharing console, listens for UDP and TCP traffic on port 5900.

When enabling screen sharing, or when enterprise administrators purchase optional Apple Remote Desktop (ARD) remote management licenses, the service is enabled. By default, all nonguest users are permitted access to the service. I recommend limiting screen sharing permissions, and then only on systems in which screen sharing must be enabled (consider keeping the feature disabled on systems, when possible, to further heighten security). When the service must be enabled, administrators should specify those users that should be permitted to access the screen sharing feature.

Within the Screen Sharing console, selecting the Allow Access For radio button enables limiting screen sharing access to specified users, only, that you list. List only those user accounts authorized to perform remote management or support operations.

A word on the Mac firewall

Many enterprise administrators deploy hardened firewalls at the network perimeter. Hardware-based routers that protect internal networks aren't foolproof, however. While a required first step, they do little to protect systems behind the firewall from one another, nor does a gateway firewall protect a client system when that system is taken on the road by mobile staff. That's why enterprise administrators should consider leveraging the Mac's application firewall.

The Mac OS X Snow Leopard personal application firewall leverages rules and dynamically enables/disables traffic to better secure network services. The Mac's personal application firewall permits network connections based upon application and service requirements, not just standard static ports, so it better protects mobile systems than can a hardware-based device that may not always be present. Because the firewall operates dynamically, it improves security, too.

Consider an instant messaging program. When a user is logged in and has iChat open, the personal application firewall enables the proper ports necessary for the application's operation. But when the user closes the application (or with other services, when the user logs off), the Mac's firewall closes those ports, thereby tightening security.

The Mac's firewall is enabled from within the System Preferences Security console. Clicking the Firewall tab opens the firewall console. Logging is always enabled. Logging information is stored within the /private/var/log/appfirewall.log file. Further, the firewall can be customized. Using the Advanced button, active services can be monitored and specific services can be manually adjusted.