Title Page ... 1
Copyright Page ... 2
Contents at a Glance ... 4
Table of Contents ... 5
About the Authors ... 15
About the Technical Reviewer ... 16
Acknowledgments ... 17
Introduction ... 18
Security Beginnings: Policies ... 18
A Word About Network Images ... 19
Risk Management ... 19
How This Book Is Organized ... 20
Part 1: The Big Picture ... 20
Part 2: Securing the Ecosystem ... 21
Part 3: Securing the Network ... 21
Part 4: Securely Sharing Resources ... 22
Part 5: Securing the Workplace ... 22
Appendixes ... 23
Part I The Big Picture ... 24
Chapter 1 Security Quick-Start ... 25
Securing the Mac OS X Defaults ... 25
Customizing System Preferences ... 26
Accounts ... 26
Login Options ... 28
Passwords ... 29
Administrators ... 30
Security Preferences ... 31
General ... 31
FileVault ... 33
Firewall ... 35
Software Update ... 36
Bluetooth Security ... 38
Printer Security ... 40
Sharing Services ... 42
Securely Erasing Disks ... 43
Using Secure Empty Trash ... 45
Using Encrypted Disk Images ... 46
Securing Your Keychains ... 47
Best Practices ... 49
Chapter 2 Services, Daemons, and Processes ... 50
Introduction to Services, Daemons, and Processes ... 50
Viewing What's Currently Running ... 52
The Activity Monitor ... 52
The ps Command ... 56
The top Output ... 57
Viewing Which Daemons Are Running ... 59
Viewing Which Services Are Available ... 60
Stopping Services, Daemons, and Processes ... 61
Stopping Processes ... 62
Stopping Daemons ... 64
Types of launchd Services ... 65
GUI Tools for Managing launchd ... 65
Changing What Runs At Login ... 66
Validating the Authenticity of Applications and Services ... 67
Summary ... 68
Chapter 3 Securing User Accounts ... 69
Introducing Identification, Authentication, and Authorization ... 69
Managing User Accounts ... 70
Introducing the Account Types ... 71
Adding Users to Groups ... 73
Enabling the Superuser Account ... 74
Setting Up Parental Controls ... 76
Managing the Rules Put in Place ... 82
Advanced Settings in System Preferences ... 84
Working with Local Directory Services ... 85
Creating a Second Local Directory Node ... 88
External Accounts ... 88
Restricting Access with the Command Line: sudoers ... 89
Securing Mount Points ... 94
SUID Applications: Getting into the Nitty-Gritty ... 95
Creating Files with Permissions ... 97
Summary ... 98
Chapter 4 File System Permissions ... 99
Mac OS File Permissions: A Brief History of Time ... 100
POSIX Permissions ... 101
Modes in Detail ... 102
Inheritance ... 104
The Sticky Bit ... 107
The suid/sguid Bits ... 107
POSIX in Practice ... 108
Access Control Lists ... 111
Access Control Entries ... 111
Administration ... 111
Read Permissions ... 112
Write Permissions ... 112
Inheritance ... 113
Effective Permissions ... 114
ACLs in Practice ... 115
Administering Permissions ... 117
Using the Finder to Manage Permissions ... 123
Using chown and chmod to Manage Permissions ... 124
The Hard Link Dilemma ... 127
Using mtree to Audit File System Permissions ... 129
Summary ... 131
Chapter 5 Reviewing Logs and Monitoring ... 132
What Exactly Gets Logged? ... 132
Using Console ... 134
Viewing Logs ... 134
Marking Logs ... 135
Searching Logs ... 136
Finding Logs ... 137
Secure.log: Security Information 101 ... 138
appfirewall.log ... 139
Reviewing User-Specific Logs ... 140
Reviewing Command-Line Logs ... 142
Reviewing Library Logs ... 143
Breaking Down Maintenance Logs ... 143
daily.out ... 145
Yasu ... 146
Weekly.out ... 147
Monthly.out ... 148
What to Worry About ... 148
Virtual Machine and Bootcamp Logs ... 149
Event Viewer ... 149
Task Manager ... 150
Performance Alerts ... 151
Review Regularly, Review Often ... 152
Accountability ... 152
Incident Response ... 153
Summary ... 154
Part II Securing the Ecosystem ... 155
Chapter 6 Application Signing and Sandbox ... 156
Application Signing ... 156
Application Authentication ... 158
Application Integrity ... 160
Signature Enforcement in OS X ... 161
Keychain Access ... 162
The OS X Application Firewall ... 164
Client Management: MCX and Parental Controls ... 166
Signing and Verifying Applications ... 170
Sandbox ... 173
Sandbox Profiles ... 175
The Anatomy of a Profile ... 178
Sandbox Profiles in Action ... 183
Using Sandbox to Secure User Shells ... 183
base.sb ... 184
shell.sb ... 187
sbshell ... 188
Carbon Copy Cloner ... 189
Securely Automating Remote rsync ... 191
BIND ... 194
The Seatbelt Framework ... 195
Summary ... 197
Chapter 7 Securing Web Browsers and E-mail ... 199
A Quick Note About Passwords ... 200
Securing Your Web Browser ... 201
Securing Safari ... 201
Setting the Safari Security Preferences ... 202
Privacy and Safari ... 204
Network Administrators Configuring Safari's Security Preferences ... 205
Securing Firefox ... 205
Privacy and Firefox ... 206
Master Passwords in Firefox ... 208
Securely Configuring Mail ... 212
Using SSL ... 212
Securing Entourage ... 215
Fighting Spam ... 218
Anatomy of Spam ... 218
Filtering Apple Mail for Spam ... 219
Filtering with Entourage ... 220
Using White Listing in Entourage ... 221
Desktop Solutions for Securing E-mail ... 223
Using PGP to Encrypt Mail Messages ... 223
GPG Tools ... 223
Using Mail Server-Based Solutions for Spam and Viruses ... 223
Kerio ... 224
Mac OS X Server's Antispam Tools ... 226
CommuniGate Pro ... 227
Outsourcing Your Spam and Virus Filtering ... 228
Summary ... 228
Chapter 8 Malware Security: Combating Viruses, Worms, and Root Kits ... 229
Classifying Threats ... 229
The Real Threat of Malware on the Mac ... 232
Script Malware Attacks ... 233
Socially Engineered Malware ... 234
Using Antivirus Software ... 234
Built Into Mac OS X ... 235
Antivirus Software Woes ... 235
McAfee VirusScan ... 236
Norton AntiVirus ... 236
ClamXav ... 237
Sophos Anti-Virus ... 242
Best Practices for Combating Malware ... 243
Other Forms of Malware ... 244
Adware ... 244
Spyware ... 244
MacScan ... 245
Root Kits ... 246
Summary ... 248
Chapter 9 Encrypting Files and Volumes ... 249
Using the Keychain to Secure Sensitive Data ... 250
The Login Keychain ... 250
Creating Secure Notes and Passwords ... 253
Managing Multiple Keychains ... 256
Using Disk Images as Encrypted Data Stores ... 259
Creating Encrypted Disk Images ... 261
Interfacing with Disk Images from the Command Line ... 267
Encrypting User Data Using FileVault ... 273
Enabling FileVault for a User ... 276
The FileVault Master Password ... 279
Limitations of Sparse Images and Reclaiming Space ... 280
Full Disk Encryption ... 282
Check Point ... 283
PGP Encryption ... 285
TrueCrypt ... 286
WinMagic SecureDoc ... 287
Summary ... 288
Part III Network Traffic ... 290
Chapter 10 Securing Network Traffic ... 291
Understanding TCP/IP ... 291
Types of Networks ... 294
Peer-to-Peer ... 294
Considerations when Configuring Peer-to-Peer Networks ... 295
Client-Server Networks ... 296
Understanding Routing ... 297
Packets ... 297
Gateways ... 297
Routers ... 298
Firewalls ... 299
Port Management ... 299
DMZ and Subnets ... 300
Spoofing ... 301
Stateful Packet Inspection ... 301
Data Packet Encryption ... 302
Understanding Switches and Hubs ... 302
Managed Switches ... 303
Restricting Network Services ... 305
Security Through 802.1x ... 306
Proxy Servers ... 307
Squid ... 308
Summary ... 311
Chapter 11 Setting Up the Mac OS X Firewall ... 312
Introducing Network Services ... 313
Controlling Services ... 314
Configuring the Firewall ... 317
Working with the Firewall in Leopard and Snow Leopard ... 317
Setting Advanced Features ... 320
Blocking Incoming Connections ... 320
Allowing Signed Software to Receive Incoming Connections ... 321
Going Stealthy ... 322
Testing the Firewall ... 323
Configuring the Application Layer Firewall from the Command Line ... 325
Using Mac OS X to Protect Other Computers ... 326
Enabling Internet Sharing ... 326
Configuring Clients ... 327
Dangers of Internet Sharing ... 327
Working from the Command Line ... 328
Getting More Granular Firewall Control ... 328
Using ipfw ... 330
Inspecting ipfw Rules ... 331
ipfwloggerd ... 333
/etc/ipfilter/ipfw.conf ... 333
Using Dummynet ... 334
Creating Pipes ... 334
Pipe Masks ... 335
Queues ... 336
Summary ... 337
Chapter 12 Securing a Wireless Network ... 338
Wireless Network Essentials ... 338
Introducing the Apple AirPort ... 340
Configuring Older AirPorts ... 341
AirPort Utility ... 343
Configuring the Current AirPorts ... 343
Limiting the DHCP Scope ... 346
Hardware Filtering ... 347
AirPort Logging ... 349
Hiding a Wireless Network ... 350
Base Station Features in the AirPort Utility ... 351
The AirPort Express ... 352
Wireless Security on Client Computers ... 352
Securing Computer-to-Computer Networks ... 353
Wireless Topologies ... 354
Wireless Hacking Tools ... 355
KisMAC ... 355
Detecting Rogue Access Points ... 356
iStumbler and Mac Stumbler ... 357
MacStumbler ... 359
Ettercap ... 360
EtherPeek ... 360
Cracking WEP Keys ... 360
Cracking WPA-PSK ... 361
General Safeguards Against Cracking Wireless Networks ... 362
Summary ... 363
Part IV Sharing ... 364
Chapter 13 File Services ... 365
The Risks in File Sharing ... 365
Peer-to-Peer vs. Client-Server Environments ... 366
File Security Fundamentals ... 366
LKDC ... 367
Using POSIX Permissions ... 367
Getting More out of Permissions with Access Control Lists ... 368
Sharing Protocols: Which One Is for You? ... 369
Apple Filing Protocol ... 369
Setting Sharing Options ... 371
Samba ... 371
The SMB.conf File ... 373
Using Apple AirPort to Share Files ... 374
Third-Party Problem Solver: DAVE ... 378
FTP ... 384
Permission Models ... 386
Summary ... 387
Chapter 14 Web Site Security ... 388
Securing Your Web Server ... 388
Introducing the httpd Daemon ... 389
Removing the Default Files ... 390
Changing the Location of Logs ... 390
Restricting Apache Access ... 391
Run on a Nonstandard Port ... 391
Use a Proxy Server ... 392
Disable CGI ... 392
Disable Unnecessary Services in Apache ... 392
PHP and Security ... 393
Securing PHP ... 393
Tightening PHP with Input Validation ... 394
Taming Scripts ... 395
Securing Your Perl Scripts ... 395
Securing robots.txt ... 397
Blocking Hosts Based on robots.txt ... 397
Protecting Directories ... 398
Customizing Error Codes ... 399
Using .htaccess to Control Access to a Directory ... 400
Tightening Security with TLS ... 402
Implementing Digital Certificates ... 402
Protecting the Privacy of Your Information ... 403
Protecting from Google? ... 404
Enumerating a Web Server ... 405
Securing Files on Your Web Server ... 406
Disabling Directory Listings ... 407
Uploading Files Securely ... 408
Code Injection Attacks ... 408
SQL Injection ... 408
Cross Site Scripting ... 408
Protecting from Code Injection Attacks ... 409
Summary ... 409
Chapter 15 Remote Connectivity ... 411
Remote Management Applications ... 412
Apple Remote Desktop ... 412
Screen Sharing ... 412
Enabling Screen Sharing ... 413
Implementing Back to My Mac ... 414
Configuring Remote Management ... 415
Enabling Remote Management ... 415
Using Timbuktu Pro ... 418
Installing Timbuktu Pro ... 418
Adding New Users ... 419
Testing the New Account ... 420
Using Secure Shell ... 422
Enabling SSH ... 422
Further Securing SSH ... 423
Using a VPN ... 424
Connecting to Your Office VPN ... 424
Setting Up L2TP ... 425
Setting Up PPTP ... 426
Connecting to a Cisco VPN ... 427
PPP + SSH = VPN ... 429
Setting Up the VPN Account ... 429
Setting Up SSH ... 430
Setting Up PPP ... 431
Configuring Routing ... 432
Disconnecting ... 432
Summary ... 432
Chapter 16 Server Security ... 433
Limiting Access to Services ... 433
The Root User ... 435
Foundations of a Directory Service ... 435
Defining LDAP ... 435
Kerberos ... 436
Kerberos Deconstructed ... 436
Configuring and Managing Open Directory ... 438
Securing LDAP: Enabling SSL ... 441
Securing Open Directory Accounts by Enabling Password Policies ... 442
Securing Open Directory Using Binding Policies ... 445
Securing Authentication with PasswordServer ... 447
Securing LDAP by Preventing Anonymous Binding ... 449
Securely Binding Clients to Open Directory ... 451
Further Securing LDAP: Implementing Custom LDAP ACLs ... 454
Creating Open Directory Users and Groups ... 454
Securing Kerberos from the Command Line ... 458
Managed Preferences ... 459
Securing Managed Preferences ... 461
Providing Directory Services for Windows Clients ... 463
Active Directory Integration ... 464
Using the AD-Plugin ... 465
Setting Up Network Homes with Active Directory Clients ... 466
Using the AD-Plugin from the Command Line ... 467
Integrating Open Directory with Active Directory: Dual Directory ... 468
Web Server Security in Mac OS X Server ... 469
Using Realms ... 469
SSL Certs on Web Servers ... 471
File Sharing Security in OS X Server ... 473
A Word About File Size ... 475
Securing NFS ... 475
AFP ... 476
AFP Authentication Options ... 477
Kerberized AFP ... 478
AFP Logging ... 479
SMB ... 480
FTP ... 481
Wireless Security on OS X Server Using RADIUS ... 481
DNS Best Practices ... 483
SSL ... 484
Reimporting Certificates ... 485
SSH ... 485
Server Admin from the Command Line ... 487
iChat Server ... 487
Securing the Mail Server ... 488
Limiting the Protocols on Your Server ... 489
Proxying Services ... 490
Summary ... 491
Part V Securing the Workplace ... 492
Chapter 17 Network Scanning, Intrusion Detection, and Intrusion Prevention Tools ... 493
Scanning Techniques ... 493
Fingerprinting ... 494
Enumeration ... 496
Vulnerability and Port Scanning ... 497
nmap ... 497
Running a SYN/Stealth Scan ... 499
Other nmap Scans ... 500
Intrusion Detection and Prevention ... 500
Host Intrusion Detection System ... 501
Tripwire ... 501
Tripwire Installation ... 501
Network Intrusion Detection ... 502
Snort from the Command Line ... 502
Honeypots ... 504
Security Auditing on the Mac ... 505
Nessus ... 505
Installing Nessus ... 505
Running a Scan ... 508
Metasploit ... 509
SAINT ... 511
Installation ... 511
Summary ... 512
Chapter 18 Backup and Fault Tolerance ... 513
Time Machine ... 514
Restoring Files from Time Machine ... 518
Using a Network Volume for Time Machine ... 519
SuperDuper ... 520
Backing Up to MobileMe ... 521
Retrospect ... 525
Configuring a Backup ... 527
Grooming Scripts ... 533
Utility Scripts ... 535
Checking Your Retrospect Backups ... 536
Using Tape Libraries ... 538
Backup vs. Fault Tolerance ... 539
Fault-Tolerant Scenarios ... 539
Round-Robin DNS ... 540
Load-Balancing Devices ... 541
Cold Sites ... 541
Hot Sites ... 542
Backing Up Services ... 542
Summary ... 543
Chapter 19 Forensics ... 545
Incident Response ... 546
MacForensicsLab ... 547
Installing MacForensicsLab ... 547
Using MacForensicsLab ... 552
Image Acquisition ... 554
Analysis ... 556
Salvage ... 559
Performing an Audit ... 562
Reviewing the Case ... 562
Reporting ... 563
Other GUI Tools for Forensic Analysis ... 564
Forensically Acquiring Disk Images ... 565
Tools for Safari ... 565
Command-Line Tools for Forensic Analysis ... 566
Summary ... 566
Appendix A Xsan Security ... 567
Metadata ... 568
Fibre Channel ... 569
Affinities ... 569
Permissions ... 569
Quotas ... 570
Other SAN Solutions ... 570
Appendix B InfoSec Acceptable Use Policy ... 571
1.0 Overview ... 571
2.0 Purpose ... 571
3.0 Scope ... 572
4.0 Policy ... 572
4.1 General Use and Ownership ... 572
4.2 Security and Proprietary Information ... 573
4.3 Unacceptable Use ... 574
System and Network Activities ... 574
Email and Communications Activities ... 575
4.4 Blogging ... 576
5.0 Enforcement ... 577
6.0 Definitions ... 577
Term Definition ... 577
7.0 Revision History ... 577
Appendix C CDSA ... 578
Appendix D Introduction to Cryptography ... 580
Index ... 584