35% off Dell's Most Popular Laptops
10 simple steps for securing your Mac
1. Inspect files with Get Info Even if an application doesn't automatically launch a potentially malicious application or script, you might still be tricked into manually launching one. The problem, in essence, is that Mac OS X allows any item to carry a custom icon. So a shell script could appear to the user as a .jpg image, a movie or any other type of file. Upon double-clicking the seemingly innocuous files, a shell script is executed, or an application launched that can delete local user files and wreak other account-constrained havoc.
As such, one of the best protective methods you can use (after turning off the option to open "safe" files automatically in Safari) is to inspect any newly obtained downloads before launching them. Click on the newly received download once to select it, then press the Command and I keys simultaneously, or go to the "File" menu in the Finder and select "Get Info."
If the file carries the icon representation of an image or some other file, but shows a different "Kind" in the Get Info window, something isn't right. Avoid launching the file and follow up by obtaining information about the authenticity of the download source.
2. Be stingy with your password Password prompts are frequent in Mac OS X, and most users are conditioned to simply enter their administrator password whenever asked.
Before doing so, however, you should consider the circumstances. For what purpose are you being asked to enter your password? Is because the system is asking permission to install an application? If so, is that application from a trusted source?
If you are asked to enter your password when opening a purported document, be suspicious. You should never be asked to enter your administrator password to open a .jpg file, for instance.
3. Do not operate under an administrator account You should avoid being logged in as an administrator whenever possible. Instead, use a standard user account for daily tasks.
Unfortunately, Mac OS X's installation process gently encourages the user to setup only a single administrator account at first.
If you haven't done so already, go to the "Accounts" pane of System Preferences and click the " " button to add a new account. Check the "Allow user to administer this computer" box.
Next, go back and select your current account (which should be set as administrator) and deselect the "Allow user to administer this computer" option.
Your formerly administrative account will now be standard, and you can switch into our newly created administrator account whenever necessary.
4. Apply the latest updates from Apple Don't let Apple's hard work patching the latest published (and unpublished) vulnerabilities go to waste -- apply the latest Security and iterative Mac OS X updates.
Also note that when you revert to an earlier version of Mac OS X, or to a system state prior to a security update in order to avoid troubleshooting issues, you are sacrificing security refinements,
5. Turn on file extension display Go to the Finder's Preferences (make the Finder the front application, then click the "Finder" menu, and select "Preferences), then click on the Advanced tab. Look for the selection box next to "Show all file extensions" and make sure it is checked.
Doing this will allow you to see if that PDF document you are launching is actually an application.
6. Make sure your virus software does more good than harm If you choose to run antivirus software, make sure you do not have it set to automatically delete files that are deemed malicious.
Recently, one virus tool generated false positives for the "OSX/Inqtana.B worm", invoking users to delete critical application and system files and causing serious issues. In addition, there was a "highly critical" flaw found in Symantec's Norton AntiVirus a few months ago.
It's also a good idea to keep your virus definitions up-to-date. Use your software's built-in update mechanism, or check for updates on our sister site, VersionTracker.
7. Turn on your Firewall Go to the "Sharing" panel of System Preferences and click on the "Firewall" tab. Make sure it is turned on.
Apple has built a tremendous out-of-the-box Firewall solution that should be in use at all times unless disallowed by organization-specific network configuration.
8. Know your source In at least one of the exploit scares discussed in recent weeks, the vector (vehicle of transmission) was a a file posted to a Mac rumors web site, claiming to be pictures of "Mac OS X Leopard" (an upcoming version of Mac OS X.
Always know where an application or document originated before manually downloading. Be wary instant messages from unknown screen names, and use a trusted download source like VersionTracker to verify application authenticity.
9. Set applications not to automatically accept incoming files Even though Apple plugged the "Zero-day exploit" vulnerability -- which implicated Safari's "Open 'Safe' files after downloading' option -- it's still a good idea to turn this option off unless you absolutely need the convenience. You can do so in the "General" pane of Safari's preferences.
The same goes for other applications that can automatically open downloaded files.
For instance, you should iChat to notify the user before accepting a file. This is accomplished by opening iChat's preferences, then clicking the "Messages" tab, and selecting "Confirm before sending files." This is the default setting for a fresh Mac OS X installation.
10. Protect your account Chances are that when you first set up your Mac (or the last time you re-installed Mac OS X), the system was set to automatically log in a user upon startup -- not a good situation from a security standpoint.
To change this setting, open System Preferences and click on the "Accounts" pane. Click "Login Options" (with the picture of a house beside it) from the bottom of the accounts list. Note that you may need to click the lock icon and enter an administrator password first.
Next, uncheck the "Automatically log in as:" box.
Though its rudimentary, you should also set up a screensaver and wake up password in the "Security" pane of System Preferences.
Like what you've found in this tutorial? Get more troubleshooting guidance (updated daily) by subscribing to MacFixIt Pro.
Resources
being logged in as an administrator whenever possible. Instead, use a
standard user account for daily tasks.
"Unfortunately, Mac OS X's installation process gently encourages the user to
setup only a single administrator account at first.
"If you haven't done so already, go to the "Accounts" pane of System
Preferences and click the "+" button to add a new account. Assign it
"standard" privileges. Use this account for your daily tasks, and switch into an
administrator account whenever necessary."
The above is a woefully inadequate explanation of how to make the
switch from daily use of an "Admin" account to using a "Standard" account on
a regular basis.
Does the MacFixIt author of this article think that users will want to abandon
their old home folder with all its documents, settings, email, bookmarks,
music, etc., etc. and start everything anew?!? If you follow the above
instructions, that is what will happen!
Here is the better way to make this switch:
a) Go to the "Accounts" pane of System Preferences and click on the "+"
button to add a new account.
b) For security, assign the new account a non-obvious name and employ a
strong password.
c) Assign administrator privileges to the new account by clicking on the
"Allow user to administer this computer" option.
d) Select your current account (the one you want to change to a "Standard"
user) and uncheck the "Allow user to administer this computer" option.
e) Use your now "Standard" current account for your daily tasks. Your home
folder and everything else associated with your account will be available to
you.
f) Switch into the newly created "Admin" user level account whenever
necessary.
Cheers,
Jim M.
Apple Certified Help Desk Specialist
Macintosh Help and Consulting, Milwaukee, WI
www.yourmacdoc.com
OK< im a little confused-the default install on X is an ADMIN account?
Ive read that you should also install a ROOT account-(which I have-this is where I store utilities [in the dock] and do housekeeping chores)
Are you saying I should then again create a a 3rd lowly 'users' account?
That is exactly the method I used about three weeks ago to remove admin
privileges from my normal account without having to copy documents to the
new account, and worse yet, to re-install applications.
Alas, this method, while sound in principle, did not work out. I had several
problem. For example, Photoshop CS2 could no longer auto-load Bridge.
Somehow the link to Bridge had been broken in the launch script. I could not
find where Photoshop CS2 stored the script that launched Bridge. Rather than
reinstalling Photoshop CS2, I decided to give my normal account back its
admin privileges.
I do agree that having admin privileges in my everyday account is not a good
idea.
If anybody can give me a hint how to fix the Photoshop CS2 Bridge-loading
script, I will try it again.
Here's the mystery about bridge:
you must verify the aliases in in the launch folder: library/application support/
adobe/launch
each app has its own alias in a separate folder, if the alias is broken, you can't
lauch automatically
It you're not sure if this works, create a new alias of the app and put in the right
folder.
I got this from the support of adobe
Bye Danny
Wonderful walk through of how to do this, Jim. I was floundering there for a while trying to figure out how to make the switch.
Please note that, without notice, since it was originally posted this
morning, MacFixIt has changed recommendation #3.
Recommendation #3 now effectively matches my recommendation.
It sure would have been nice if MacFixIt had noted that they "fixed" their
own recommendation!
Jim M.
Apple Certified Help Desk Specialist
Macintosh Help and Consulting, Milwaukee, WI
www.yourmacdoc.com
I agree with Jim M. It's nice if it says the article is updated.I was confused
because the current statement was different from the one Jim quoted but the
method sounded the same.
I still have a question on the current statement, which reads, "Next, go
back and select your current account (which should be set as administrator)
and deselect the "Allow user to administer this computer" option," but
does it mean "(which should NOT be set as administrator)"?
Also, I would like to know the security benefit of using standard account for
daily use. Isn't it the same as long as the user is not careful in using the
admin password? Or is there any advantage on the system level, perhaps?
The current statement "... (which should be set as administrator)..." still holds
true unless or until such time you "deselect the 'Allow user to
administer this computer' option."
I successfully did this, but now every time I log into my "standardized" account I
get a prompt to "enter an administrator password to make changes to MacOS." I
can click cancel and it seems fine, but it's really annoying. Any way to get rid of
it?
Just to repeat some points here that I picked up from other discussions about
this subject...
After step d) it is not a bad idea to check the Ownership and Permissions on
items that arguably "should" be owned by the -newly created- admin. The
ownership of some items may remain with the user just demoted to a
standard user.
Most importantly, any Applications in the Applications folder, that did not
come from Apple, and that were installed while the now demoted standard
user was still the -sole- admin account.
Unless ownership of such items is tranferred manually it could be argued that
the demotion from admin to standard user of that account is not very
effective.
Also - Any new Applications dowloaded by a standard user will require a
admin password as authentication if/when they are transferred to the
Applications folder but they will still be owned by the standard user who
installed them.
The reason why this should not be the case is that any modification attempts
like the ones pointed out with the Oompa/leapA situation will only require an
admin password if the user that is currently logged in is not the owner of the
item. If the user owns the Applications, modifications can be made without a
password from an admin.
Here a sort of catch 22 situation arises. If you download and install as a
standard user you defeat part of the reason why you operate as standard
user. Unless you manually change ownership and permissions of the items
you download and install.
If you download new software as admin, a malicious download will have an
admin account to start working on first. (I know, I saw step 1 in the original
article, inspect before double clicking.)
Up to each user to decide if he/she can live with that.
A third totally neutered account "for downloads only" or a different machine
maintained purely for the purpose of downloading software... ;)
Few regular people will probably be able to live with that.
the last time you re-installed Mac OS X), the system was set to automatically
log in a user upon startup -- not a good situation from a security standpoint."
I understand that such step is NOT required if you are the only person that
have physical access to a Mac. And it is much more convenient to automatically
login!
Much easier and fulfills the same purpose.
things to do with the one critical step you did not provide in your list. It is the
#1 rule of computing: MAKE A BACKUP, every day, one copy on site, the other
copy off site. I am sure you know the drill. All other security concerns are
secondary. Those who do not back up will lose data. Expect it. Every
computer fails eventually. Everyone will one day thank themselves for having
a backup.
Backups are what I call a 'wetware' security issue. These days, as your list
makes clear, it is fairly simple to provide your computer with hardware and
software security. But wetware security is the biggest issue of them all. No
computer company can write software or integrate hardware that can prevent
a user from doing something dangerous. Not making a backup is inarguably
the most dangerous.
Yeah, undoubtedly with time Mac OS X users will have to actually fend off
real, malicious malware. And when that malware wrecks your machine what is
the first thing you are going to reach for? Yesterday's backup. With a backup
on hand you can say 'malware be damned!' and get back to work after your
restore has completed.
Where to get FREE backup software:
(1) Backup: If you are a member of DotMac you are provided with this flaky
but very useful program. It backs up onto your iDisk, mounted drive or
optical disk all your changed files since the last time it was run. Schedule it to
run daily.
(2) SilverKeeper: Thank you LaCie! It's minimal, but adequate and capable. It
also allows you to schedule daily backups to any mounted drive. Grab it at:
<http://www.lacie.com/silverkeeper/>
:-D
---
:-Derek Currie
derekcurrie(at)mac.com
<http://www.insanely-great.com/>
ICQ # 69626815
connections.
"admin". I also installed MacOS X 10.4.5 on my G4 iBook at the same time. (It
already was installed on my G5 iMac.)
When I restart, I'm not given the option to login to my new Admin account.
Shouldn't that show as an option at login? Maybe not a big deal.
Bigger problem: I cannot network my two Macs as before. Instead of seeing a list
of volumes when I invoke Connect to Server (command-K) from Finder, now I get
a list of user accounts! I cannot use YouSynchronize any longer, to sync my data
files.
After rebooting the iBook twice and the iMac once, all's well again.
(which should be set as administrator) and deselect the "Allow user to
administer this computer" option," but does it mean "(which should
NOT be set as administrator)"?
It seems to be the same way that Jim M. posted, but the statement is now ? I
don't know if it's updated or not, though ? different from the one Jim M. quotes,
which makes it more complicated to understand.
Also, I would like to know the security benefit of using
standard account for daily use. Isn't it the same as long as the user is not careful
in using the admin password? Or is there any advantage on the system level,
perhaps?
Sorry, wrong place, should be in Jim M's thread, please ignore this post.
- by WhiteDog March 9, 2006 4:09 AM PST
- Regarding virus software, I decided to try the free ClanXav because, unlike
- Like this Reply to this comment
-
Showing 1 of 2 pages (28 Comments)most of the commercial products, it has garnered no negative reports on
MacFixIt as far as I can remember. It has a decent feature set and uses a
menu bar item for easy management. Unfortunately, when it starts scanning,
either my designated folders or a newly mounted disk, it gobbles up both
RAM and CPU resources on my dual 1 GHz G4. This causes a severe
performance hit on other applications, particularly in iTunes, while importing
tracks from a CD. Though I turned off the option to scan removable media,
ChanXav continued to do so, even after restarting the computer. Since my
Mac is maxed out at 1.5 GB of RAM, there is little I can do to provide ClanXav
with more headroom. So I turned it off. Unfortunately, it does not distinguish
between locked disks, like CDs and DVDs, and rewritable volumes like
external hard drives. And, when I connected a client's PowerBook in target
disk mode, it started scanning that, too, again consuming an inordinate
amount of system resources. Having it scan mounted volumes is not a bad
idea, actually, but its impact on system performance is a serious problem. I
can get around it if I remember to turn off scanning every time I mount a
volume, but this is a nuisance and rather defeats the purpose of using virus
software.
My reluctant conclusion is that there really is no viable virus protection
software solution for OS X. One can only hope that by the time viruses once
again become a problem for the Mac that these issues will have been resolved
somewhere so that we can have virus protection without hamstringing our
systems.
---
Don't anthropomorphize computers.
They hate that.