Enterprise Mac Security: Mac OS X Snow Leopard

Title Page

Copyright Page

Contents at a Glance

Table of Contents

About the Authors

About the Technical Reviewer

Acknowledgments

Introduction

Security Beginnings: Policies

A Word About Network Images

Risk Management

How This Book Is Organized

Part 1: The Big Picture

Part 2: Securing the Ecosystem

Part 3: Securing the Network

Part 4: Securely Sharing Resources

Part 5: Securing the Workplace

Appendixes

Part I The Big Picture

Chapter 1 Security Quick-Start

Securing the Mac OS X Defaults

Customizing System Preferences

Accounts

Login Options

Passwords

Administrators

Security Preferences

General

FileVault

Firewall

Software Update

Bluetooth Security

Printer Security

Sharing Services

Securely Erasing Disks

Using Secure Empty Trash

Using Encrypted Disk Images

Securing Your Keychains

Best Practices

Chapter 2 Services, Daemons, and Processes

Introduction to Services, Daemons, and Processes

Viewing What’s Currently Running

The Activity Monitor

The ps Command

The top Output

Viewing Which Daemons Are Running

Viewing Which Services Are Available

Stopping Services, Daemons, and Processes

Stopping Processes

Stopping Daemons

Types of launchd Services

GUI Tools for Managing launchd

Changing What Runs At Login

Validating the Authenticity of Applications and Services

Summary

Chapter 3 Securing User Accounts

Introducing Identification, Authentication, and Authorization

Managing User Accounts

Introducing the Account Types

Adding Users to Groups

Enabling the Superuser Account

Setting Up Parental Controls

Managing the Rules Put in Place

Advanced Settings in System Preferences

Working with Local Directory Services

Creating a Second Local Directory Node

External Accounts

Restricting Access with the Command Line: sudoers

Securing Mount Points

SUID Applications: Getting into the Nitty-Gritty

Creating Files with Permissions

Summary

Chapter 4 File System Permissions

Mac OS File Permissions: A Brief History of Time

POSIX Permissions

Modes in Detail

Inheritance

The Sticky Bit

The suid/sguid Bits

POSIX in Practice

Access Control Lists

Access Control Entries

Administration

Read Permissions

Write Permissions

Inheritance

Effective Permissions

ACLs in Practice

Administering Permissions

Using the Finder to Manage Permissions

Using chown and chmod to Manage Permissions

The Hard Link Dilemma

Using mtree to Audit File system Permissions

Summary

Chapter 5 Reviewing Logs and Monitoring

What Exactly Gets Logged?

Using Console

Viewing Logs

Marking Logs

Searching Logs

Finding Logs

Secure.log: Security Information 101

appfirewall.log

Reviewing User-Specific Logs

Reviewing Command-Line Logs

Reviewing Library Logs

Breaking Down Maintenance Logs

daily.out

Yasu

Weekly.out

Monthly.out

What to Worry About

Virtual Machine and Bootcamp Logs

Event Viewer

Task Manager

Performance Alerts

Review Regularly, Review Often

Accountability

Incident Response

Summary

Part II Securing the Ecosystem

Chapter 6 Application Signing and Sandbox

Application Signing

Application Authentication

Application Integrity

Signature Enforcement in OS X

Keychain Access

The OS X Application Firewall

Client Management – MCX and Parental Controls

Signing and Verifying Applications

Sandbox

Sandbox Profiles

The Anatomy of a Profile

Sandbox Profiles in Action

Using Sandbox to Secure User Shells

base.sb

shell.sb

sbshell

Carbon Copy Cloner

Securely Automating Remote rsync

BIND

The Seatbelt Framework

Summary

Chapter 7 Securing Web Browsers and E-mail

A Quick Note About Passwords

Securing Your Web Browser

Securing Safari

Setting the Safari Security Preferences

Privacy and Safari

Network Administrators Configuring Safari’s Security Preferences

Securing Firefox

Privacy and Firefox

Master Passwords in Firefox

Securely Configuring Mail

Using SSL

Securing Entourage

Fighting Spam

Anatomy of Spam

Filtering Apple Mail for Spam

Filtering with Entourage

Using White Listing in Entourage

Desktop Solutions for Securing E-mail

Using PGP to Encrypt Mail Messages

GPG Tools

Using Mail Server-Based Solutions for Spam and Viruses

Kerio

Mac OS X Server’s Antispam Tools

CommuniGate Pro

Outsourcing Your Spam and Virus Filtering

Summary

Chapter 8 Malware Security: Combating Viruses, Worms, and Root Kits

Classifying Threats

The Real Threat of Malware on the Mac

Script Malware Attacks

Socially Engineered Malware

Using Antivirus Software

Built Into Mac OS X

Antivirus Software Woes

McAfee VirusScan

Norton AntiVirus

ClamXav

Sophos Anti-Virus

Best Practices for Combating Malware

Other Forms of Malware

Adware

Spyware

MacScan

Root Kits

Summary

Chapter 9 Encrypting Files and Volumes

Using the Keychain to Secure Sensitive Data

The Login Keychain

Creating Secure Notes and Passwords

Managing Multiple Keychains

Using Disk Images as Encrypted Data Stores

Creating Encrypted Disk Images

Interfacing with Disk Images from the Command Line

Encrypting User Data Using FileVault

Enabling FileVault for a User

The FileVault Master Password

Limitations of Sparse Images and Reclaiming Space

Full Disk Encryption

Check Point

PGP Encryption

TrueCrypt

WinMagic SecureDoc

Summary

Part III Network Traffic

Chapter 10 Securing Network Traffic

Understanding TCP/IP

Types of Networks

Peer-to-Peer

Considerations when Configuring Peer-to-Peer Networks

Client-Server Networks

Understanding Routing

Packets

Gateways

Routers

Firewalls

Port Management

DMZ and Subnets

Spoofing

Stateful Packet Inspection

Data Packet Encryption

Understanding Switches and Hubs

Managed Switches

Restricting Network Services

Security Through 802.1x

Proxy Servers

Squid

Summary

Chapter 11 Setting Up the Mac OS X Firewall

Introducing Network Services

Controlling Services

Configuring the Firewall

Working with the Firewall in Leopard and Snow Leopard

Setting Advanced Features

Blocking Incoming Connections

Allowing Signed Software to Receive Incoming Connections

Going Stealthy

Testing the Firewall

Configuring the Application Layer Firewall from the Command Line

Using Mac OS X to Protect Other Computers

Enabling Internet Sharing

Configuring Clients

Dangers of Internet Sharing

Working from the Command Line

Getting More Granular Firewall Control

Using ipfw

Inspecting ipfw Rules

ipfwloggerd

/etc/ipfilter/ipfw.conf

Using Dummynet

Creating Pipes

Pipe Masks

Queues

Summary

Chapter 12 Securing a Wireless Network

Wireless Network Essentials

Introducing the Apple AirPort

Configuring Older AirPorts

AirPort Utility

Configuring the Current AirPorts

Limiting the DHCP Scope

Hardware Filtering

AirPort Logging

Hiding a Wireless Network

Base Station Features in the AirPort Utility

The AirPort Express

Wireless Security on Client Computers

Securing Computer-to-Computer Networks

Wireless Topologies

Wireless Hacking Tools

KisMAC

Detecting Rogue Access Points

iStumbler and Mac Stumbler

MacStumbler

Ettercap

EtherPeek

Cracking WEP Keys

Cracking WPA-PSK

General Safeguards Against Cracking Wireless Networks

Summary

Part IV Sharing

Chapter 13 File Services

The Risks in File Sharing

Peer-to-Peer vs. Client-Server Environments

File Security Fundamentals

LKDC

Using POSIX Permissions

Getting More out of Permissions with Access Control Lists

Sharing Protocols: Which One Is for You?

Apple Filing Protocol

Setting Sharing Options

Samba

The SMB.conf File

Using Apple AirPort to Share Files

Third-Party Problem Solver: DAVE

FTP

Permission Models

Summary

Chapter 14 Web Site Security

Securing Your Web Server

Introducing the httpd Daemon

Removing the Default Files

Changing the Location of Logs

Restricting Apache Access

Run on a Nonstandard Port

Use a Proxy Server

Disable CGI

Disable Unnecessary Services in Apache

PHP and Security

Securing PHP

Tightening PHP with Input Validation

Taming Scripts

Securing Your Perl Scripts

Securing robots.txt

Blocking Hosts Based on robots.txt

Protecting Directories

Customizing Error Codes

Using .htaccess to Control Access to a Directory

Tightening Security with TLS

Implementing Digital Certificates

Protecting the Privacy of Your Information

Protecting from Google?

Enumerating a Web Server

Securing Files on Your Web Server

Disabling Directory Listings

Uploading Files Securely

Code Injection Attacks

SQL Injection

Cross Site Scripting

Protecting from Code Injection Attacks

Summary

Chapter 15 Remote Connectivity

Remote Management Applications

Apple Remote Desktop

Screen Sharing

Enabling Screen Sharing

Implementing Back to My Mac

Configuring Remote Management

Enabling Remote Management

Using Timbuktu Pro

Installing Timbuktu Pro

Adding New Users

Testing the New Account

Using Secure Shell

Enabling SSH

Further Securing SSH

Using a VPN

Connecting to Your Office VPN

Setting Up L2TP

Setting Up PPTP

Connecting to a Cisco VPN

PPP + SSH = VPN

Setting Up the VPN account

Setting Up SSH

Setting Up PPP

Configuring Routing

Disconnecting

Summary

Chapter 16 Server Security

Limiting Access to Services

The Root User

Foundations of a Directory Service

Defining LDAP

Kerberos

Kerberos Deconstructed

Configuring and Managing Open Directory

Securing LDAP: Enabling SSL

Securing Open Directory Accounts by Enabling Password Policies

Securing Open Directory Using Binding Policies

Securing Authentication with PasswordServer

Securing LDAP by Preventing Anonymous Binding

Securely Binding Clients to Open Directory

Further Securing LDAP: Implementing Custom LDAP ACLs

Creating Open Directory Users and Groups

Securing Kerberos from the Command Line

Managed Preferences

Securing Managed Preferences

Providing Directory Services for Windows Clients

Active Directory Integration

Using the AD-Plugin

Setting Up Network Homes with Active Directory Clients

Using the AD-Plugin from the Command Line

Integrating Open Directory with Active Directory: Dual Directory

Web Server Security in Mac OS X Server

Using Realms

SSL Certs on Web Servers

File Sharing Security in OS X Server

A Word About File Size

Securing NFS

AFP

AFP Authentication Options

Kerberized AFP

AFP Logging

SMB

FTP

Wireless Security on OS X Server Using RADIUS

DNS Best Practices

SSL

Reimporting Certificates

SSH

Server Admin from the Command Line

iChat Server

Securing the Mail Server

Limiting the Protocols on Your Server

Proxying Services

Summary

PartV Securing the Workplace

Chapter 17 Network Scanning, Intrusion Detection, and Intrusion Prevention Tools

Scanning Techniques

Fingerprinting

Enumeration

Vulnerability and Port Scanning

nmap

Running a SYN/Stealth Scan

Other nmap Scans

Intrusion Detection and Prevention

Host Intrusion Detection System

Tripwire

Tripwire Installation

Network Intrusion Detection

Snort from the Command Line

Honeypots

Security Auditing on the Mac

Nessus

Installing Nessus

Running a Scan

Metasploit

SAINT

Installation

Summary

Chapter 18 Backup and Fault Tolerance

Time Machine

Restoring Files from Time Machine

Using a Network Volume for Time Machine

SuperDuper

Backing Up to MobileMe

Retrospect

Configuring a Backup

Grooming Scripts

Utility Scripts

Checking Your Retrospect Backups

Using Tape Libraries

Backup vs. Fault Tolerance

Fault-Tolerant Scenarios

Round-Robin DNS

Load-Balancing Devices

Cold Sites

Hot Sites

Backing up Services

Summary

Chapter 19 Forensics

Incident Response

MacForensicsLab

Installing MacForensicsLab

Using MacForensicsLab

Image Acquisition

Analysis

Salvage

Performing an Audit

Reviewing the Case

Reporting

Other GUI Tools for Forensic Analysis

Forensically Acquiring Disk Images

Tools for Safari

Command-Line Tools for Forensic Analysis

Summary

Appendix A Xsan Security

Metadata

Fibre Channel

Affinities

Permissions

Quotas

Other SAN Solutions

Appendix B InfoSec Acceptable Use Policy

1.0 Overview

2.0 Purpose

3.0 Scope

4.0 Policy

4.1 General Use and Ownership

4.2 Security and Proprietary Information

4.3 Unacceptable Use

System and Network Activities

Email and Communications Activities

4.4 Blogging

5.0 Enforcement

6.0 Definitions

Term Definition

7.0 Revision History

Appendix C CDSA

Appendix D Introduction to Cryptography

Index