Security and Spam Mac/PC Compatibility: QuickStart Guide for Business 2
Security and Spam QuickStart Guide for Business
The Basics The need to protect against hackers and other threats is a fact of life. Mac OS X features a number of built-in technologies to help you fend off attacks and keep unwanted email out of your employees’ inboxes. User benefit: When users are protected from spam and other computer security threats, they can do their jobs without wasting time deleting spam messages or calling IT to fix a computer that has a virus. Business benefit: Proper computer security—including spam protection—can potentially save huge amounts of money by minimizing lost work time and emergency IT costs. It also keeps outsiders from stealing confidential business information.
Standards and Buzzwords Here are some common terms associated with security and spam.
AES 128-bit and 256 encryption. Advanced Encryption Standard—cryptography technology recommended by the U.S. government to secure sensitive documents. AES-256, the stronger of the two, is used in Mac OS X features such as FileVault (for protecting home directories) and Disk Utility (for creating encrypted disk images). Firewall. Hardware and/or software that monitors attempts to communicate with your computer over a network, and blocks dangerous traffic. Mac OS X comes with a built-in firewall that can be configured through the Security pane of System Preferences. Keychain. Software in Mac OS X that holds “keys” (passwords and other personal information) you need to access protected network services, decode encrypted disk images, and so on. When you log in to Mac OS X, the system opens your Keychain, so you don’t have to remember user names and passwords. Only users who know the login name and password for a specific Mac user account can access that account’s Keychain. 3
Phishing. Method of obtaining confidential information with fraudulent email messages. The messages appear to come from legitimate senders (such as financial institutions), but they are from cybercriminals. Commonly, the messages have links that lead to a website designed to look like a legitimate company. When you enter a credit card number or other personal information, that information is captured by the person or group that sent the fraudulent message. Port. Numerical identifier that allows a computer’s networking software to route incoming or outgoing traffic to the correct service. For example, your computer connects to one port at your ISP’s mail server address when you send email, and a different port is used at your computer’s address when you receive email. Spam. Unsolicited email. Spam can clutter inboxes, contain inappropriate text or graphics, and propagate viruses and other malicious computer programs. Fighting spam should be a multipronged effort, including choosing an Internet service provider with robust anti-spam technologies and taking advantage of spam-filtering tools in applications such as Mail. SSL/TLS. Secure Sockets Layer and Transport Layer Security. These protocols provide a secure, encrypted channel between two computers communicating over the Internet. For example, an HTTPS connection uses SSL or TLS to encrypt traffic between your computer and an online banking website. Mac OS X fully supports SSL and TLS. Spyware. Computer program that tracks a user’s activities (such as websites visited or keystrokes typed) and sends that information to another site. Spyware can be used to obtain passwords and other confidential information. Mac OS X helps block spyware by requiring user interaction before installing a program. Trojan horse. Computer program that pretends to be innocuous (such as a game) but in reality has another purpose. For example, a Trojan horse program may trick users into installing software that enables hackers to control their computers. The UNIX foundation of Mac OS X works with Apple-developed security features to provide robust protection against Trojan horses and other malicious code. VPN. Virtual private network. A VPN lets you establish a secure connection to a remote computer, for example, to access a corporate file server from home over a dial-up or broadband (cable/DSL) connection. The Network pane in System Preferences included with Mac OS X enables you to connect to both L2TP and PPTP VPNs. WEP/WPA. Wired Equivalent Privacy and Wi-Fi Protected Access. WEP and WPA are two methods of protecting wireless communications from eavesdropping. Apple’s AirPort wireless networking technology supports both protocols. You can find more explanations of networking and security terms in the Mac OS X Server Glossary (available at www.apple.com/server/documentation) and the Mac OS X Security Tech Brief (linked from www.apple.com/macosx/features/security).
How the Mac Does It Every Mac is very secure right out of the box, but can be made even more secure. Leopard is an Open Brand UNIX 03 Registered Product, and has been designed to protect your personal data and online activities. In addition, many security features built into Mac OS X are on by default. They are unobtrusive and easy to use, so you don’t have to be an expert to protect your Mac. Apple responds quickly to computer threats, providing timely software updates that are easy to install and manage. Of course, it’s always a good idea to use all available resources to protect your Mac and important information you keep on it. Both commercial and open source antivirus programs are available for Mac OS X. You also may install another level of mail-filtering software to supplement filtering provided by the Mail application. Make sure your ISP offers robust protection against viruses and spam. 4
Out-Of-The-Box Security By default, all native services— personal file sharing, remote login, etc.—are turned off. You control which ports and services to activate. If you need to open any ports, the built-in personal firewall can protect your computer from unauthorized access by monitoring all incoming network traffic. When you enable the personal firewall in Mac OS X, all inbound connections are denied except those you explicitly permit. There’s even a stealth mode, meaning your Mac won’t even acknowledge its existence to people scanning for computers to attack. Mac OS X is designed to protect you from deceptive software applications. People attempting to break into computers sometimes disguise a malicious program as a picture, movie, or other seemingly non-executable file. You might download such files from the web or get them by mail or chat. When a Mac detects that you are downloading a file that may contain a computer program you are not aware of (such as one inside a JPEG file), it will alert you and ask for your permission to proceed. One of the greatest security strengths of Mac OS X is that it is an Open Brand UNIX 03 Registered Product, conforming to SUSv3 and POSIX 1003.1 specifications. At its core is Darwin, the open source, fully conformant UNIX operating system—built on Mach 3.0 and FreeBSD 5. Because Darwin is an open source project, computer programmers and security experts all over the world continually look for ways to make it stronger and safer. Apple is an active participant in the Darwin project, and incorporates the best suggestions from the Darwin community into Mac OS X updates and new releases. Apple also works with a number of security organizations, including CERT/CC, FIRST, the FreeBSD security team, and the Department of Homeland Security in the United States. Security Updates And Tools One of the most important measures to keep any computer safe is to install operating system updates as soon as available. By default, Mac OS X checks for updates weekly. For peace of mind, you can set it to download security updates automatically. Apple digitally signs updates, so you can be sure they come from a trusted source. Security tools also are built into other Mac applications. Safari features an option called Private Browsing that allows you to surf the web without caching information about where you visit or personal information you enter; it’s as if you were never there. And Mail offers powerful protection against spammers, with outstanding accuracy in identifying spam, and versatile filters that you can customize according to your needs. You can even shield all the information in your home folder from prying eyes. FileVault, a built-in feature of Mac OS X, uses the latest government encryption standard, AES-128, to safeguard your work. FileVault encrypts and decrypts files on the fly, so it doesn’t interfere with your work. Protecting your home folder is especially important when you use a portable Mac system away from home or office. Speaking of your home folder, if you share a Mac with other users, the UNIX-based multiuser features of Mac OS X offer robust protection against other people seeing your data. Each user can have a unique user name, password, Keychain, and home directory. For added control, an administrator can designate actions each user can perform. Leopard is also protected in other ways. Sometimes hackers try to hijack an application to run malicious code. Sandboxing, built into Mac OS X Leopard, helps ensure that applications do only what they’re intended to by restricting files they can access, whether they can talk to the network, and whether they can be used to launch other applications. Helper applications in Leopard — including software that enables Bonjour and the Spotlight indexer — are sandboxed to guard against attackers. 5
Private Browsing Private Browsing is a helpful feature when you need to use a shared computer, such as one in a library, Internet café, or office. When you turn on Private Browsing from the Safari menu:
• Web pages are not added to your History file. • Items are automatically removed from the Downloads window. • Information (such as names and passwords) is not saved for AutoFill. • Searches are not added to the pop-up menu in the Google search box. Other important Mac OS X security features include: Secure Keychain. The Keychain in Mac OS X stores your user names and passwords so that you don’t need to remember them. Once you unlock your Keychain with a single password, it automatically authenticates you to file servers, websites, email accounts, your .Mac account, etc. You decide which data are and aren’t stored in your Keychain. Wireless encryption. Your Mac can use either WPA or WEP data encryption for secure communication over wireless networks. Authentication. Mac OS X supports Kerberos for secure single sign-on authentication to network resources and LDAP version 3 and Active Directory for authentication to directory services. Kerberized applications include Safari and Mail. Virtual private network (VPN). You can use either the L2TP or PPTP protocol for secure remote access to organizational networks.
Mac/Windows Compatibility Mac computers support a wide range of industry standards and proprietary Microsoft protocols, enabling the Mac to integrate smoothly into Windows-based security environments. Mac OS X users can access online resources that use Kerberos for authentication. Apple’s Open Directory architecture is based on industry-standard LDAP version 3 protocols. If your company uses Microsoft’s proprietary Active Directory system, network administrators can set a single authentication policy that will permit both Mac OS X and Windows users to log in and authenticate. Mac OS X also supports Microsoft’s NTLM version 2 authentication protocol. The built-in VPN client in Mac OS X supports both the L2TP and PPTP protocols, so it’s compatible with the most popular VPN servers, including those from Cisco and Microsoft. For wireless security, Mac users can access networks protected with either WPA or WEP, both in widespread use. 6
For spam defense, Mail in Mac OS X can leverage filtering performed by network mail security products such as Brightmail AntiSpam and Apache SpamAssassin, no matter which computer platform those solutions run on.
How Do I Get Started? Mac OS X offers many security features to users. Some of the most common are discussed below. Password Assistant Mac OS X helps you create stronger passwords through a feature called Password Assistant. You can use recommended passwords for your Mac login, secure websites, and any passwords you need. In System Preferences, click Accounts. When the Accounts window appears, select your account. If the padlock at the bottom of the screen is locked, you’ll need to enter your Mac user account password to unlock it. In your account, select Password tab, then click the Change Password button. Click the key icon next to the New Password field. The Password Assistant window appears.
Password Assistant lets you choose the type of password (such as Memorable or Random) and the length you want. Password Assistant then suggests 10 possible passwords, rated on quality. Choose Manual to try out passwords of your choice and see their quality ratings. Note that one of the Type options is “FIPS-181 compliant.” These passwords meet U.S. Department of Commerce requirements for randomly generated, pronounceable passwords. Application Download Alert Apple’s web browser Safari can tell the difference between ordinary files and those that may contain executable applications. It alerts you whenever you download the latter. If you are confident the application is one you want, click Continue. If you did not expect an executable program, click Cancel to stop the download. Software Installation Authentication On a Mac, software isn’t installed without your consent. You must enter your password when using Installer or dragging the program into the Applications folder. 7
Junk Mail Filtering Apple’s Mail application helps you keep unwanted email out of your inbox. Mail already has certain junk mail filtering enabled. You can turn off that filtering or customize its settings. To begin, choose Preferences from the Mail menu. Then click the Junk Mail icon and set options you prefer.
If your ISP uses Apache SpamAssassin, Brightmail AntiSpam, or other spam analysis tools, Mail leverages that service. If you do not wish to take advantage of your ISP’s filtering, deselect “Trust junk mail headers set by my Internet Service Provider.” Some junk mail may use HTML to embed graphics that reveal your computer’s Internet address when retrieved from the sender’s servers. If Mail detects that a message is junk, it won’t load HTML images associated with it. If you want to view images, click the Load Images button in the Junk Mail alert above the body of the message. Select “Perform custom actions” and click the Advanced button in the Junk Mail settings window. Then you can refine filtering that determines which messages are designated as unwanted and what Mail should do with them. The following screenshot shows some options in the Advanced settings window. 8
Personal Firewall By monitoring network traffic, Mac OS X can act as a firewall to protect your Mac from unauthorized access. When you enable the personal firewall, all inbound connections are denied, except those you explicitly permit. The Mac OS X firewall is based on technology that protects the most mission-critical UNIX computers on the Internet. To turn on the personal firewall in Mac OS X, first open the Security pane from System Preferences. Then click the Firewall tab.
Select either “Allow only essential services” or “Set access for specific services and applications” to activate the firewall. Stealth Mode Stealth mode protects your Mac from uninvited connections by hiding its existence. When hackers send out “pings” over the Internet to find out which computers are available to attack, your Mac won’t respond. You turn on stealth mode with the Advanced button in the Firewall window. Select the Enable Stealth Mode option to hide your Mac on the Internet. Note that in addition to activating stealth mode, you can log the activity of your personal firewall. Secure Empty Trash With Mac OS X, you can permanently delete sensitive files you no longer need. Traditional file deletion removes the filename from the disk directory but leaves the file data in place. Secure Empty Trash immediately overwrites the file with erroneous data, so the file disappears and cannot be reconstructed. To use this more secure type of file deletion, simply choose Secure Empty Trash instead of Empty Trash from the Finder menu. 9
Other Security Settings You can set additional security options on your Mac via the Security pane in System Preferences. Launch System Preferences by clicking its icon in the Dock. Then click the Security icon. From the Security pane, you can turn on FileVault encryption and activate a number of features that control access to the computer. (Note: If you are logged in to the Mac as a regular user rather than as an administrator, you may not have access to these settings.) Some settings in the Security pane are especially valuable for mobile users. For example, activating FileVault will safeguard your home folder, encrypting your data using AES 128-bit encryption, so if your laptop falls into the wrong hands, it can’t be unencrypted and accessed without your login or password. And disabling reception of infrared (IR) remote controls will prevent nearby IR devices from controlling your computer. (As an alternative to completely disabling IR reception, Mac OS X lets you pair your Mac with a specific remote control device.) You can also require a password to wake your computer from the screen saver or sleep mode. Beyond The Office Have multiple computers at your house? Apple’s AirPort Extreme Base Station and Time Capsule includes a built-in firewall that creates a barrier between your network and the Internet. With a firewall, you can create a convenient wireless network for your family while protecting all of your computers from Internet-based attacks. Find out more at www.apple.com/airportextreme/security.html Visit www.apple.com/macosx/features/security for links to PDF files containing further information on security features in Mac OS X and how to get the most from them. Other Mac OS X Security Features • Encryption of disk images for secure backups and data transfers • Secure shell (SSH) for secure logins to remote computers • Secure web (SSL and TLS) for encrypted, authenticated communications over the Internet, such as for email and chat sessions • S/MIME encryption for email • X.509 digital certificates for authentication of websites (see www.apple.com/macosx/ features/security for more information)
For More Information www.apple.com/macosx/features/security www.apple.com/getamac/viruses.html www.apple.com/macosx/features/safari www.apple.com/macosx/features/mail To learn more about Macs in business, visit www.apple.com/business
© 2008 Apple Inc. All rights reserved. Apple, the Apple logo, Keychain, Mac, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. FileVault and Leopard are trademarks of Apple Inc. AppleCare, Apple Store, and .Mac are service marks of Apple Inc., registered in the U.S. and other countries. Intel and Intel Core are trademarks of Intel Corp. in the U.S. and other countries. UNIX is a registered trademark of The Open Group in the U.S. and other countries. Mac OS X Server version 10.5 Leopard is an Open Brand UNIX 03 Registered Product. Other product and company names mentioned herein may be trademarks of their respective companies. Product specifications are subject to change without notice. This material is provided for information purposes only; Apple assumes no liability related to its use. April 2008 L369477A-US