Mac Security Bible

Joe Kissell

Wiley Publishing, Inc.

Part I: Mac Security Basics 1

Chapter 1: Mac Security Overview 3
  Mac Security: Myth versus Fact 3
    Is it true that Macs don't get viruses? 4
    Can Macs spread viruses to Windows computers? 5
    Is web browsing safe on a Mac? 5
    Can someone eavesdrop on my network if I use a Mac? 6
    Are Mac servers more secure than Windows servers? 6
    What's the biggest threat to Mac security? 7
  Major Mac OS X Security Features 7
    Open-source infrastructure 8
    Access permissions 8
    Keychain 8
    Firewalls 8
    Encrypted disk images 8
    FileVault 9
    VPN client 9
    Firmware password protection 9
    Download tagging 9
    Application signing 9
  Privacy versus Security 10
  Weighing Convenience against Security 11
  Understanding Your Risks 14
  The Theory and Practice of Best Practices 15
  Seven Things You Should Do Right Now 16
    Update your 16
    Set up a standard user account 17
    Change your keychain password 19
    Turn off all unneeded sharing features 20
    Turn on your 22
    Switch from WEP or nothing to WPA 23
    Back up your Mac 25
  Summary 26

xix Contents

Chapter 2: Securing Your Mac against Theft 27
  Security Cables and Locks 27
  Laptop Lockers 29
  Other Theft Deterrents 29
    Laptop alarms (hardware) 29
    Laptop alarms (software) 29
    Login banners 30
  Marking a Mac for Recovery 32
    Tracking labels 32
    Operation Identification 33
  Tracking and Recovering Stolen Macs 33
    Using tracking software and services 34
    Using command-line software to track a Mac 38
    Tracking a Mac with Back to My Mac 43
  Summary 48

Chapter 3: Working with User Accounts 49
  How Accounts Affect Security 49
    The notion of accounts 49
    What a Mac OS X account is 50
    How accounts work 51
    The principle of least privilege 51
  Understanding POSIX Permissions 52
    Read, write, and execute 52
    User, group, and other 53
    Viewing file permissions 53
    Octal permissions 54
    Modifying file permissions 55
    Modifying file ownership 56
    Using the Get Info window 56
    Using the umask 58
    The other permission bits 61
  Types of Accounts 62
    Administrator accounts 62
    Standard accounts 64
    Managed accounts with parental controls 64
    Guest account 65
    Sharing Only accounts 66
    The root account 67
    System accounts 68
    Groups 68
  Configuring an Account 69
    Creating a new user 69
    Setting user options 71
    Creating groups 73
  Adjusting Login Options 75


  Using Parental Controls 77
  Using the Sudo Command 83
    How sudo works 84
    Sudo syntax 84
    Sudo limitations and risks 85
    Modifying the sudoers file 86
  Using Access Control Lists 87
    What's an access control list? 87
    Configuring access control lists 87
    Access control list options 88
  Summary 91

Chapter 4: Configuring Basic Security Settings 93
  General Settings 93
    Requiring a password to wake a computer 93
    Disabling automatic login 95
    Locking System Preferences 96
    Setting automatic logout 98
    Secure virtual memory 99
    Location Services settings 100
    Infrared receiver settings 100
  FileVault 102
    How FileVault works 102
    Setting up FileVault 103
  Firewall 105
  MobileMe Settings 108
    Account settings 109
    Sync settings 110
    iDisk settings 111
    Back to My Mac settings 112
  Energy Saver Settings 114
    Setting computer, display, and disk sleep 115
    Waking for network access 116
  Spotlight Settings 118
  AirPort Preferences 119
  Assistive Device Access 121
  Software Update 122
  Terminal 125
  Summary 125

Chapter 5: The Mac OS X Keychain 127
  How Keychains Work 127
  What Keychains Can Store 130
    Passwords 130
    Public keys, private keys, and certificates 130
    Secure notes 131


  Understanding Keychain Alerts 131
    Request to use your keychain 132
    Permission to use an existing item 132
    Alert that an application has changed 133
  and the Keychain 134
  Using Keychain Access 137
    Customizing the view 137
    Managing keychain items 139
    Managing keychains 141
    Using secure notes 144
    Working with certificates 145
    Repairing damaged keychains 149
    Resetting a keychain 151
  Summary 152

Chapter 6: Working with Passwords 153
  Understanding Passwords 153
    What makes a password secure? 154
    Exploring password threats 155
    Identification versus security 158
    Multifactor authentication 159
    Managing your passwords 160
  The Varieties of Mac OS X Passwords 161
    User account passwords 161
    FileVault master password 162
    The root password 163
    Keychain passwords 163
    Firmware passwords 163
    Wi-Fi passwords 163
    Disk image passwords 164
    Apple ID password 165
    Network passwords 165
  Creating Good Passwords 165
    Avoiding easily guessed passwords 166
    Password length and complexity 166
    Password mnemonics 167
    Using patterns safely 168
    Reusing passwords 169
    Using Password Assistant 170
  Using Third-Party Password Utilities 172
    Password generators 172
    Password managers 173
  Resetting an Administrator's Password 176
    Using the original administrator account 176
    Using a Mac OS X Install DVD 176
    Using a Firmware Password 177

  Using Smart Cards, Tokens, and Biometric Authentication Devices 180
    Smart cards and tokens 180
    One-time password tokens 181
    Biometric devices 181
  Summary 181

Chapter 7: Securely Sharing System Resources 183
  Using Shared System Resources Wisely 183
  DVD or CD Sharing 184
  Screen Sharing 186
  File Sharing 188
    Activating File Sharing 188
    Choosing file-sharing protocols 190
    Changing which items are shared 191
    Granting access to users and groups 192
  Printer Sharing 193
  Scanner Sharing 195
  Web Sharing 198
    Activating Web Sharing 198
    Publishing web pages 198
    Making your web server visible to the outside world 199
    Web-sharing negatives 201
  Remote Login 201
  Remote Management 203
  Remote Apple Events 206
  Xgrid Sharing 208
  Internet Sharing 210
  Bluetooth Sharing 213
    Sharing files via Bluetooth 214
    Setting up Bluetooth Sharing 215
    Sharing an Internet connection via Bluetooth 218
  Summary 219

Chapter 8: Backing Up Your Mac 221
  Backup Basics 221
    What to back up 222
    Which media to use 223
    How often to back up 223
    Versioned backups 224
    Bootable duplicates 224
    Offsite backups 225
  Choosing Backup Software 225
    How many computers are you backing up? 226
    What type(s) of backup do you need? 227
    What media will you use? 227
    How should data be restored? 227
    What other special features do you need? 228
    Bottom-line recommendations 229
  Using Time Machine 229
    How Time Machine works 230
    Choosing hardware for Time Machine 231
    Configuring Time Machine 232
    Managing Time Machine behavior 234
    Restoring data from Time Machine 235
  Creating Bootable Duplicates 238
    What's a bootable duplicate? 238
    Using SuperDuper! 239
    Using Carbon Copy Cloner 242
    Other options 245
    Starting up from a bootable duplicate 246
  Using Internet Backup Services 247
    Internet backup basics 247
    Choosing a provider 248
  Managing Backup Media 250
    Offsite backups 250
    Keeping media comfortable 251
    Testing and recopying media 251
  RAID and Data Redundancy 251
    Mirrored RAIDs and backup 252
    Do you need a RAID? 252
    Choosing a RAID system 253
    Configuring a RAID with Disk Utility 254
  Summary 256

Part II: Protecting Your Privacy 257

Chapter 9: Securing Email, Chat, and Voice over IP 259
  Understanding Email Security 259
    Using secure authentication 261
    Using SSL for sending and receiving email 262
    Signing email messages 262
    Encrypting email messages 263
    Encrypting data on your disk 263
  Logging In Securely 263
    Secure logins in Mail 264
    Secure logins in Entourage 265
    Secure logins in Thunderbird 266
  Using SSL for Incoming and Outgoing Mail 266
    How SSL works for email 267
    Configuring SSL for incoming mail 267
    Configuring SSL for outgoing mail 271

    Using SSL for webmail 274
      Gmail 275
      Hotmail 275
      MobileMe 275
      Yahoo! Mail 275
  Digitally Signing and Encrypting Email 276
    When and why to encrypt your email 277
    Using S/MIME in Apple Mail 278
    Using PGP or GPG for encrypted email 286
  Stopping Spam 290
    Understanding spammers 290
    Learning basic spam-filtering concepts 292
    Configuring your email client's spam filter 295
    Using third-party spam filters 301
    Other spam-filtering strategies 302
  Examining Message Headers and Source 303
    Message headers 304
    Message source 307
  iChat Security 308
    Adjusting iChat privacy settings 308
    Using encryption for iChat 310
  Securing Instant Messaging and Voice over IP with Third-Party Software 311
    Skype 312
    Zfone 312
    Adium 313
    Psi 313
  Summary 313

Chapter 10: Browsing the Web Securely 315
  The Challenges of Secure Browsing 316
    Privacy 316
    Fraud 317
    318
    Inappropriate content 318
    Annoyances 319
  Using SSL Encryption 320
    Checking a certificate 322
    Responding to certificate warnings 322
  Keeping Form Information Safe 325
    Using your browser's form-filling feature 326
    Third-party web form password tools 331
  Protecting Yourself from Harmful Downloads 334
  Protecting Yourself from Phishing Schemes 338
    Checking source URLs 338
    Using Extended Validation certificates 339


    Using a password manager to fill in data 340
    Using third-party anti-phishing software 340
  Covering Your Browsing Tracks 340
    The browsing records your Mac stores 341
    Prevention versus cleanup 342
    Managing cookies 343
    Using Safari's Private Browsing feature 351
    Using Safari's data removal features 352
    Handling private data with Firefox 354
    Using third-party web privacy software 356
    Cleaning up other browsing traces 360
  Browsing Anonymously 363
    What information you normally reveal 364
    Hiding your IP address by using anonymous proxy servers 365
    Hiding your IP address by using onion routing 369
    Masking other browser details 370
  Blocking Ads, Pop-up Windows, and Flash 371
    Using browser settings 372
    Using Hostal 374
    Using other ad-blocking software 375
  Blocking Other Undesirable Content 377
  Summary 378

Chapter 11: Securely Accessing Other Computers 379
  Transferring Files 379
    FTP, SCP, SFTP, and FTPS 380
    WebDAV 381
    Other protocols 382
    Remote file transfers in the Finder 382
    Using file-transfer software 384
  Controlling Another Computer Remotely 387
    Using Mac OS X Screen Sharing 388
    Using Apple Remote Desktop 394
    Using VNC 394
    Using Timbuktu Pro 396
  Using SSH for Remote Login 397
    Using SSH with password authentication 398
    Using key-based authentication 400
    Tunneling other services through SSH 402
  Summary 407

Chapter 12: Using Virtual Private Networks 409
  What Is a Virtual Private Network? 409
  VPN Varieties 411
    PPTP 411
    L2TP over IPsec 412


    Cisco IPsec 412
    SSL/TLS and OpenVPN 412
    Zero-configuration VPNs 413
  Choosing a VPN Provider 414
  Configuring Your Mac for VPN Access 416
    Using the Network preference pane 416
    Using other VPN tools 419
  Summary 422

Chapter 13: Encrypting and Securely Deleting Files 423
  File-Encryption Basics 424
    Encryption algorithms 424
    Passwords and keys 425
    Choosing what to encrypt 426
    Encryption pitfalls and misunderstandings 427
  Encrypting Individual Files and Folders 429
    Encrypting files on the command line 430
    Encrypting files and folders with third-party software 430
  Working with Encrypted Disk Images 433
    Encrypting disk images with Disk Utility 434
    Encrypting disk images with PGP 437
    Using other encrypted disk image products 441
  Using FileVault 442
    FileVault virtues and vices 442
    Deciding whether FileVault is for you 444
    Configuring FileVault 445
  Encrypting an Entire Disk 447
    PGP Whole Disk Encryption 448
    Full Disk Encryption 449
    WinMagic SecureDoc 450
  Using Hardware-Encrypted Drives 452
    Key-based enclosures 453
    Keypad-based enclosures 453
    Biometric enclosures 454
    Externally authenticating enclosures 454
    Self-encrypting drive mechanisms 454
  Securely Deleting Files 455
    Using the Secure Empty Trash command 456
    Erasing empty space with Disk Utility 456
    Using third-party utilities 457
  Securely Erasing Disks 457
  Recovering Deleted Files 459
  Summary 460


Part III: Network Security Fundamentals 461

Chapter 14: Guarding against Malware 463
  The Varieties of Malware 464
    Viruses 464
    Macro viruses 464
    Worms 465
    Trojan horses 465
    Zombie software 466
    Spyware 466
    Adware 466
    Keystroke loggers 466
    Rootkits 467
  Macs as Malware Carriers 467
  Assessing Your Mac's Vulnerability 469
  Common-Sense Malware Protection 469
  Choosing Anti-Malware Software 471
    Factors to consider 472
    ClamXav 472
    VirusBarrier, Barrier, and NetBarrier 473
    iAntiVirus 475
    Internet Cleanup 476
    Kaspersky Anti-Virus for Mac 477
    MacScan 477
    McAfee VirusScan 478
    Norton Antivirus for Mac 479
    Anti-Virus 481
    Smart Surfing for Mac 481
  Using Outbound Firewalls 482
    ( 483
    NetBarrier 484
    Norton Firewall for Mac 485
    Internet Cleanup 487
  What Anti-Malware Software Can't Do 487
  Securing Windows on a Mac 488
    Security risks with Boot Camp and virtualization software 488
    Protecting your Windows installation 489
    Choosing anti-malware software for Windows 492
  Summary 493

Chapter 15: Securing Your Wired Network 495
  Understanding Gateways, Modems, and Routers 496
    Gateways 496
    Modems 496
    Hubs, switches, and routers 497

    Access points 498
  Understanding NAT, DHCP, and IPv6 499
    NAT 499
    DHCP 501
    IPv6 network security 502
  Using Port Forwarding 503
  Using a DMZ 505
    Genuine DMZs 505
    DMZ hosts 506
  Using NAT-PMP or UPnP 506
  Using Proxy Servers 507
  Using 802.1X 509
    The authentication server 510
    The authenticator 510
    The supplicant 510
  Summary 512

Chapter 16: Securing Your Wireless Network 513
  Wireless Security Basics 514
    Protecting your access point 514
    Controlling wireless network visibility 514
    Controlling wireless network access 515
    Encrypting your wireless connection 516
  Configuring an AirPort Base Station 519
    Setting the base station security options 520
    Setting wireless options 522
    Setting up a guest network 539
  Configuring Third-Party Access Points 539
    Access point configuration basics 540
    2Wire 540
    Belkin 540
    D-Link 540
    Linksys 541
    Netgear 541
  Wireless Security Settings on Your Mac 541
  Using Public Wi-Fi Hotspots 543
  Using Wi-Fi Scanning Software 545
  Summary 547

Chapter 17: Using Firewalls 549
  Understanding How Firewalls Work 549
    Firewall terminology 550
    Why firewalls exist 550
    Basic firewall operation 551
    Do you need a firewall? 551


  Using Mac OS X's 552
    How the application firewall works 553
    When to use the application firewall 554
    Configuring the application firewall 554
  Using IPFW 557
    The IPFW process 558
    IPFW syntax 558
    Creating an IPFW ruleset 560
    Creating an IPFW shell script 561
    Creating an IPFW launchd item 562
    Configuring IPFW rules with third-party utilities 563
  Using Other Third-Party Firewall Software 570
    Intego NetBarrier 570
    IPNetSentryX and IPNetRouterX 571
    Norton Firewall for Mac 573
  Summary 575

Chapter 18: Web Server Security 577
  The Basics of Running a Secure Web Server 577
    General considerations 578
    Sharing settings 578
    Firewall settings 580
    Network and routing setup 580
    Apache settings 581
    File permissions 582
    Dynamic website content 584
  Using HTTP Authentication 585
  Securing a Site with SSL 588
    Creating a certificate and activating SSL 589
    Redirecting HTTP traffic to HTTPS 591
  Avoiding Injection Attacks 592
  Database Security 594
  Summary 595

Chapter 19: Using Logs 597
  Log Basics 597
    What logs can tell you about security 598
    What information is logged? 598
    Storing logs safely 599
    Log rotation 600
  Adjusting syslogd Behavior 600
  Finding Logs 602
  Understanding the Console and System Logs 602


    Viewing logs in Console 603
      Console basics 603
      Useful Console features 606
  Looking for Useful Information 608
    System log 608
    Apache logs 609
    Application firewall log 610
    FTP log 610
    Installer log 611
    Samba logs 611
    Secure log 612
    Other logs 613
  Summary 614

Part IV: Advanced Security Measures 615

Chapter 20: Network Scanning 617
  What Can Network Scanning Reveal? 618
  Network Mapping 619
    Using nmap for network mapping 620
    Using IPNetMonitorX for network mapping 623
  Port Scanning 624
    Using Network Utility for port scanning 625
    Using nmap for port scanning 626
    Using IPNetMonitorX for port scanning 631
  Protecting Your Macs from Network Scanning 632
  Summary 634

Chapter 21: Vulnerability Scanning and Testing 635
  Using Nessus 636
    Nessus overview 636
    Installing and configuring Nessus 636
    Selecting scan targets 640
    Creating a scanning policy 641
    Running a customized scan 645
    Interpreting scan results 646
  Using SAINT and SAINTexploit 647
  Using Metasploit 653
    Metasploit interfaces 654
    Installing Metasploit 654
    Basic Metasploit procedures 656
    Running an exploit in the Metasploit console 657
    Running an exploit in the Metasploit GUI 658
  Summary 663


Chapter 22: Network Monitoring 665
  The Varieties of Network Monitoring 665
  Network Intrusion Detection Systems 666
    Using Snort as a NIDS 668
    Other third-party NIDS tools 676
  Network Intrusion Prevention Systems 677
    Using Snort as a NIPS 677
    Using IPNetSentryX or IPNetRouterX as a NIPS 678
    Using Intego NetBarrier 683
  Information Leak Detection Systems 685
    Using Snort for ILDS 686
    Other ILDS options 686
  Honeypot Monitoring 688
  Summary 690

Chapter 23: Monitoring File Integrity 691
  Understanding File Integrity Monitoring 691
  Tripwire 692
    Configuring Tripwire's policy 693
    Running Tripwire 694
  Radmind 695
  Samhain 695
  Baseline 696
  Sonar 697
  Summary 698

Chapter 24: Forensics: Discovering What Went Wrong 699
  Overview of Computer Forensics 700
    Live versus deferred analysis 700
    Choosing whether to save a disk image 701
    Preventing disk changes 702
  Looking for Rogue Processes 703
    Using Activity Monitor 703
    Using lsof 705
  Looking for Rogue Software 706
  Using MacForensicsLab 710
    Installing and configuring MacForensicsLab 711
    Acquiring an image 715
    Working with an image 716
    Auditing user data 718
  Other Forensics Tools 719
    MacLockPick II 719
    MacQuisition 721
    BlackBag Forensic Suite 722


    Mac Marshal 723
    The Sleuth Kit 723
  Summary 723

Part V: Securing Mac OS X Server 725

Chapter 25: Mac OS X Server Security Overview 727
  Comparing Mac OS X and Mac OS X Server 727
  Mac OS X Server Security Fundamentals 731
  Understanding Open Directory 732
  Understanding Password Server and Kerberos 734
  Choosing Which Services to Run 736
  Configuring Local User Accounts 739
  Summary 742

Chapter 26: Using Directory Services 743
  Configuring Open Directory 743
    Activating Open Directory 744
    Choosing an Open Directory role 745
    LDAP settings 748
    Policy settings 749
    Configuring Open Directory users and groups 753
    Setting up Open Directory clients 760
  Using Windows Directory Services 762
    Using Active Directory for directory services 763
    Setting up a magic triangle 764
  Summary 764

Chapter 27: Working with SSL Certificates 765
  Certificate Overview 766
    Certificate authorities 766
    Self-signed certificates 767
  Creating a Self-Signed Certificate 768
  Requesting a Certificate from a Certificate Authority 770
  Creating and Using a Certificate Authority 772
  Managing Certificates 774
  Summary 775

Chapter 28: Securing Email Services 777
  Mac OS X Mail Server Overview 777
  Configuring Authentication Options 779
  Using SSL for Email 781
  Configuring Relay Options 782


  Configuring Spam and Virus Protection 784
  Turning On the Mail Service 787
  Summary 790

Chapter 29: Securing File Sharing 791
  About File-Sharing Protocols 791
    AFP 792
    SMB 792
    FTP 793
    NFS 793
  Configuring AFP 793
  Configuring SMB 795
  Configuring FTP 797
  Configuring NFS 798
  Configuring a Share Point 799
    Creating a share point 800
    Setting protocol options 800
    Restricting access to a share point 804
    Restricting access to file-sharing services 807
  Summary 809

Chapter 30: Securing the Web Server 811
  Configuring Web Options 811
  Configuring Web Services 814
  Controlling Site Access with Realms 816
  Enabling SSL 819
  Configuring the Forward Proxy Server 822
  Summary 823

Chapter 31: Securing Other Network Services 825
  Configuring the Mac OS X Server Firewall 825
    Basic setup 826
    Configuring standard services 827
    Advanced settings 828
    Protecting your network 831
  Using Mac OS X Server's VPN Services 833
    Choosing a transport protocol 833
    Configuring L2TP over IPsec 833
    Configuring PPTP 835
    Restricting VPN access 836
  Securing Address Book Server 837
  Securing iCal Server 839
  Securing iChat Server 841
  Securing the Mobile Access Server 843
  Securing MySQL 847


  Securing NetBoot 849
  Configuring RADIUS 850
  Summary 852

Glossary 853

Appendix: Where to Find More Information 861
  Apple Publications 861
  Take Control ebooks 862
  Other Books 863
  Online Resources 863

Index 865
