THE EXPERT’S VOICE ® IN MAC OS X

Foundations of

Mac OS X

Leopard Security
Mac OS X client and server security,
from the home to the enterprise

Charles S. Edge, Jr.,
William Barker, and Zack Smith

Foundations of Mac OS X
Leopard Security

■■■

Charles S. Edge, Jr., William Barker,
and Zack Smith

FOUNDATIONS OF MAC OS X LEOPARD SECURITY
Copyright © 2008 by Charles S. Edge, Jr., William Barker
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
ISBN-13 (pbk): 978-1-59059-989-1
ISBN-10 (pbk): 1-59059-989-6
ISBN-13 (electronic): 978-1-4302-0646-0
ISBN-10 (electronic): 1-4302-0646-2
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence
of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark
owner, with no intention of infringement of the trademark.
Lead Editor: Jeffrey Pepper
Technical Reviewers: Mike Lee, Frank Pohlmann
Editorial Board: Clay Andres, Steve Anglin, Ewan Buckingham, Tony Campbell, Gary Cornell, Jonathan
Gennick, Matthew Moodie, Joseph Ottinger, Jeffrey Pepper, Frank Pohlmann, Ben Renow-Clarke,
Dominic Shakeshaft, Matt Wade, Tom Welsh
Project Manager: Candace English
Copy Editor: Kim Wimpsett

Associate Production Director: Kari Brooks-Copony
Senior Production Editor: Laura Cheu
Compositor: Susan Glinert Stevens
Proofreader: Nancy Bell
Indexer: Julie Grady
Cover Designer: Kurt Krames
Manufacturing Director: Tom Debolski
Distributed to the book trade worldwide by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor,
New York, NY 10013. Phone 1-800-SPRINGER, fax 201-348-4505, e-mail orders-ny@springer-sbm.com, or
visit http://www.springeronline.com.
For information on translations, please contact Apress directly at 2855 Telegraph Avenue, Suite 600,
Berkeley, CA 94705. Phone 510-549-5930, fax 510-549-5939, e-mail info@apress.com, or visit http://
www.apress.com.
Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use.
eBook versions and licenses are also available for most titles. For more information, reference our Special
Bulk Sales–eBook Licensing web page at http://www.apress.com/info/bulksales.
The information in this book is distributed on an “as is” basis, without warranty. Although every precaution
has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to
any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly
by the information contained in this work.

This book is dedicated to my loving wife, Lisa.
—Charles
To my family and friends, who incessantly inspire me to follow my dreams.
—William

Contents at a Glance
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

PART 1

The Big Picture

■CHAPTER 1

Security Quick-Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

■CHAPTER 2

Security Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

■CHAPTER 3

Securing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

PART 2

■■■

Security Essentials

■CHAPTER 4

Malware Security: Combating Viruses, Worms, and Root Kits . . . 75

■CHAPTER 5

Securing Web Browsers and E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . 93

■CHAPTER 6

Reviewing Logs and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

PART 3

■■■

Network Security

■CHAPTER 7

Securing Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

■CHAPTER 8

Setting Up the Mac OS X Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

■CHAPTER 9

Securing a Wireless Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

PART 4

iv

■■■

■■■

Sharing

■CHAPTER 10

File Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

■CHAPTER 11

Web Site Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

■CHAPTER 12

Remote Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

■CHAPTER 13

Server Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

PART 5

■■■

Workplace Security

■CHAPTER 14

Network Scanning, Intrusion Detection, and
Intrusion Prevention Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

■CHAPTER 15

Backup and Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

■CHAPTER 16

Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

■APPENDIX A

Xsan Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415

■APPENDIX B

Acceptable Use Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

■APPENDIX C

Secure Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

■APPENDIX D

Introduction to Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

■INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

v

Contents
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

PART 1

■■■

■CHAPTER 1

The Big Picture

Security Quick-Start

.......................................3

Securing the Mac OS X Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Customizing System Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Accounts Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Login Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Security Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
FileVault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Infrared Controls in Security Preferences . . . . . . . . . . . . . . . . . . . . . 12
Other System Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Software Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Bluetooth Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Printer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Sharing Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Securely Erasing Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Using the Secure Empty Trash Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Using Encrypted Disk Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Securing Your Keychains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

■CHAPTER 2

Security Fundamentals

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

What Can Be Targeted? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
The Accidental Mac Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Kinds of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
OS 9 vs. OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Darwin vs. Aqua . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
vii

viii

■C O N T E N T S

Unix Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
In the Beginning…the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Equipment Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Physical Devices and Optical Media . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Firmware and Firmware Password Protection . . . . . . . . . . . . . . . . . . . . . 38
Open Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
EFI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Firmware Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Multifactor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Keeping Current: The Cat-and-Mouse Game . . . . . . . . . . . . . . . . . . . . . . 45
The NSA and the Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
A Word About Parallels and Boot Camp . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

■CHAPTER 3

Securing User Accounts

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Introducing Authentication, Authorization, and Identification . . . . . . . . . 47
Managing User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Introducing the Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Adding Users to Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Enabling the Superuser Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting Up Parental Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Managing the Rules Put in Place . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Restricting Access with the Command Line: sudoers . . . . . . . . . . . . . . . 62
Securing Mount Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
SUID Applications: Getting into the Nitty-Gritty . . . . . . . . . . . . . . . . . . . . . 69
Creating Files with Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

PART 2

■■■

■CHAPTER 4

Security Essentials

Malware Security: Combating Viruses,
Worms, and Root Kits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Classifying Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
The Real Threat of Malware on the Mac . . . . . . . . . . . . . . . . . . . . . . 77
Script Virus Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Socially Engineered Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

■C O N T E N T S

Using Antivirus Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Antivirus Software Woes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Norton AntiVirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
ClamXav . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Sophos Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
McAfee VirusScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Best Practices for Combating Viruses . . . . . . . . . . . . . . . . . . . . . . . . 86
Other Forms of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Adware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Root Kits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

■CHAPTER 5

Securing Web Browsers and E-mail . . . . . . . . . . . . . . . . . . . . . . 93
A Quick Note About Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Securing Your Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Securing Safari . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Securing Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring Mail Securely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Securing Entourage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Fighting Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Filtering Mail for Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Filtering with Entourage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Using White Listing in Entourage . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Using PGP to Encrypt Mail Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring PGP Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
GPG Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Using Mail Server–Based Solutions for Spam and Viruses . . . . . . . . . . 119
Kerio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Mac OS X Server’s Antispam Tools . . . . . . . . . . . . . . . . . . . . . . . . . 122
CommuniGate Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Outsourcing Your Spam and Virus Filtering . . . . . . . . . . . . . . . . . . . . . . . 124

■CHAPTER 6

Reviewing Logs and Monitoring

. . . . . . . . . . . . . . . . . . . . . . . . . . 125

What Exactly Gets Logged? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Using Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Marking Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Finding Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

ix

x

■C O N T E N T S

Reviewing User-Specific Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Reviewing Library Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
secure.log: Security Information 101 . . . . . . . . . . . . . . . . . . . . . . . . 133
ipfw.log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Breaking Down Maintenance Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
daily.out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Yasu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
weekly.out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
monthly.out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
What to Worry About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Parallels and Bootcamp Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Task Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Performance Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Review Regularly, Review Often . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

PART 3

■■■

■CHAPTER 7

Network Security

Securing Network Traffic

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Understanding TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Types of Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Peer-to-Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Configuring Peer-to-Peer Networks . . . . . . . . . . . . . . . . . . . . . . . . . 152
Client-Server Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Understanding Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Port Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
DMZ and Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Stateful Packet Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Data Packet Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Understanding Switches and Hubs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Restricting Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Security Through 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Squid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
A Layered Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

■C O N T E N T S

■CHAPTER 8

Setting Up the Mac OS X Firewall

. . . . . . . . . . . . . . . . . . . . . . . 171

Introducing Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Controlling Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Configuring the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Working with the Firewall in Leopard . . . . . . . . . . . . . . . . . . . . . . . . 175
Working with Default Services in Tiger . . . . . . . . . . . . . . . . . . . . . . 177
Allowing Non-Apple Services in Tiger . . . . . . . . . . . . . . . . . . . . . . . 178
Setting Advanced Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Testing the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Using Mac OS X to Protect Other Computers . . . . . . . . . . . . . . . . . . . . . 183
Using Third-Party Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Doorstop X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Flying Buttress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Working from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Getting More Granular Firewall Control . . . . . . . . . . . . . . . . . . . . . . 187
Using ipfw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Using dummynet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

■CHAPTER 9

Securing a Wireless Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Wireless Network Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Introducing Apple AirPort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Configuring Older AirPorts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
AirPort Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Configuring Current AirPorts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Limiting the DHCP Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Hardware Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
AirPort Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Hiding a Wireless Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Base Station Features in the AirPort Utility . . . . . . . . . . . . . . . . . . . 211
The AirPort Express . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Wireless Security on Client Computers . . . . . . . . . . . . . . . . . . . . . . 212
Securing Computer-to-Computer Networks . . . . . . . . . . . . . . . . . . . . . . 213
Wireless Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Wireless Hacking Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
KisMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Detecting Rogue Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
iStumbler and Mac Stumbler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
MacStumbler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Ettercap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
EtherPeek . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

xi

xii

■C O N T E N T S

Cracking WEP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Cracking WPA-PSK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
General Safeguards Against Cracking Wireless Networks . . . . . . . . . . . 222

PART 4

■■■

Sharing

■CHAPTER 10 File Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
The Risks in File Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Peer-to-Peer vs. Client-Server Environments . . . . . . . . . . . . . . . . . . . . . 227
Using POSIX Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Getting More Out of Permissions with Access Control Lists . . . . . . . . . 229
Sharing Protocols: Which One Is for You? . . . . . . . . . . . . . . . . . . . . . . . . 230
Apple Filing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Using Apple AirPort to Share Files . . . . . . . . . . . . . . . . . . . . . . . . . . 235
DAVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Permission Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

■CHAPTER 11 Web Site Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Securing Your Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Introducing the httpd Daemon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Removing the Default Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Changing the Location of Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Managing httpd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Using ModSecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Restricting Apache Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Running on a Nonstandard Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Use a Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Using CGI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Disabling Unnecessary Services in Apache . . . . . . . . . . . . . . . . . . . 254
PHP and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Securing PHP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Tightening PHP with Input Validation . . . . . . . . . . . . . . . . . . . . . . . . 255

■C O N T E N T S

Taming Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Securing Your Perl Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Securing robots.txt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Blocking Hosts Based on robots.txt . . . . . . . . . . . . . . . . . . . . . . . . . 259
Protecting Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Using the .htaccess File to Customize Error Codes . . . . . . . . . . . . 261
Using .htaccess to Control Access to a Directory . . . . . . . . . . . . . . 262
Tightening Security with SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Implementing Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Protecting the Privacy of Your Information . . . . . . . . . . . . . . . . . . . . . . . 264
Protecting from Google? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Enumerating a Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Securing Files on Your Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Securing Directory Listings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Uploading Files Securely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Cross-Site Scripting Attacks (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

■CHAPTER 12 Remote Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Built-in Remote Management Applications . . . . . . . . . . . . . . . . . . . . . . . 272
Screen Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Back to My Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Timbuktu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Using Secure Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Further Securing SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Using a VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Connecting to Your Office VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Setting Up PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Setting Up L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
PPP + SSH = VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

■CHAPTER 13 Server Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Limiting Access to Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
The Root User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Foundations of a Directory Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Defining LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Defining Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

xiii

xiv

■C O N T E N T S

Configuring and Managing Open Directory . . . . . . . . . . . . . . . . . . . . . . . 297
Securing LDAP: Enabling SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Securing Open Directory Accounts by Enabling
Password Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Securing Open Directory Using Binding Policies . . . . . . . . . . . . . . . 303
Securing Authentication with PasswordServer . . . . . . . . . . . . . . . . 305
Securing LDAP by Preventing Anonymous Binding . . . . . . . . . . . . . 307
Securely Binding Clients to Open Directory . . . . . . . . . . . . . . . . . . 309
Further Securing LDAP: Implementing Custom LDAP ACLs . . . . . 311
Creating Open Directory Users and Groups . . . . . . . . . . . . . . . . . . 311
Securing Kerberos from the Command Line . . . . . . . . . . . . . . . . . . 314
Managed Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Enhanced Security for Managed Preferences in Leopard . . . . . . . 317
Providing Directory Services for Windows Clients . . . . . . . . . . . . . 319
Active Directory Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Web Server Security in OS X Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Using Realms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
SSL Certs on Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
File Sharing Security in OS X Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
A Word About File Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
AFP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
SMB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Wireless Security on OS X Server Using RADIUS . . . . . . . . . . . . . . . . . . 333
DNS Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Reimporting Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
SSHD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Server Admin from the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . 338
iChat Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Securing the Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Limiting the Protocols on Your Server . . . . . . . . . . . . . . . . . . . . . . . 340

97a7b91d187e1703ee1e25f687516049

■C O N T E N T S

PART 5

■■■

Workplace Security

■CHAPTER 14 Network Scanning, Intrusion Detection, and Intrusion

Prevention Tools

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Scanning Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Firewalk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Vulnerability and Port Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Other Scanning Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Intrusion Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Host Intrusion Detection System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Using Checkmate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Network Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Security Auditing on the Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
SAINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Nessus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

■CHAPTER 15 Backup and Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Time Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Restoring Files from Time Machine . . . . . . . . . . . . . . . . . . . . . . . . . 377
Using a Network Volume for Time Machine . . . . . . . . . . . . . . . . . . . 378
SuperDuper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Backing Up to .Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Retrospect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Configuring Retrospect to Backup to Tape . . . . . . . . . . . . . . . . . . . 384
Installing the Retrospect Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Checking Your Retrospect Backups . . . . . . . . . . . . . . . . . . . . . . . . . 389
Using Tape Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Backup vs. Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Fault-Tolerant Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Round-Robin DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Load-Balancing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Cold Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Hot Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

xv

xvi

■C O N T E N T S

■CHAPTER 16 Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
MacForensicsLab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Installing MacForensicsLab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Using MacForensicsLab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Image Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Salvage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Performing an Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Reviewing the Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Other GUI Tools for Forensic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Command-Line Tools for Forensic Analysis . . . . . . . . . . . . . . . . . . . . . . 413

■APPENDIX A

Xsan Security

■APPENDIX B

Acceptable Use Policy

■APPENDIX C

Secure Development

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

■APPENDIX D Introduction to Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
■INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

About the Authors

■CHARLES EDGE has been working with Apple products since he was a child. Professionally,
Charles started with the Mac OS and Apple server offerings in 1999 after years of working with
various flavors of Unix. Charles began his consulting career working with Support Technologies
and Andersen Consulting. In 2000, he found a new home at 318, a consulting firm in Santa
Monica, California, which is now the largest Mac consultancy in the country. At 318, Charles
leads a team of more than 40 engineers and has worked with network architecture, security,
and storage for various vertical and horizontal markets. Charles has spoken at a variety of
conferences including DefCon, Black Hat, LinuxWorld, Macworld, and the WorldWide Developers
Conference. Charles’ first book, Mac Tiger Server Little Black Book, can be purchased through
Paraglyph Press. Charles recently hung up his surfboard and moved to Minneapolis, Minnesota, with his wife, Lisa. Charles can be contacted at krypted@mac.com.

■WILLIAM BARKER is a technical consultant at 318 and a freelance writer. He has a penchant for
all things Web 2.0 related and is eagerly anticipating the day he can wash his dishes and take out
the trash online. His web site, techiestravel.com, is a hobby haven for two of his passions,
technology and travel. He also wears a musician hat from time to time, making music: DJing,
playing guitar, playing piano, and mixing CDs for friends. He lives in Venice, California, with his
trusty automobile, Lucille.

■ZACK SMITH has been working as an IT consultant his entire adult life. He has consulted for
insurance companies, entertainment companies, medical organizations, and governmental
agencies. Zack is an Apple Certified Trainer and has taught at Apple and various market centers
in Boston, Virginia, Los Angeles, and Cupertino. As a certified instructor, Zack has taught Apple’s
Security Best Practices class, as well as many other system administrator–level classes (such as
Mac OS X Deployment and Mac OS X Directory Services). Zack has been a speaker at Macworld
San Francisco as well as many other smaller venues such as IT user groups. Zack is also the
author of a set of open source IT administration software and scripts and has long-term plans
of being a full-time Objective C developer. When not attending IT and security conferences or
traveling for work at 318, Zack can be found in Portland, Oregon, with his partner in crime,
Anna, and dog, Watson.

xvii

About the Technical Reviewer

■MIKE LEE, the world’s toughest programmer, has been bending computers to his will since the
mid-90s. Having recently retired as majordomo of Delicious Monster Software, he’s now working
at United Lemur, a charity-driven software company dedicated to raising money and awareness for Madagascar and the world’s few remaining lemurs. Mike and his wife are originally
from Honolulu but currently live in Seattle, where they are raising two cats. Mike’s hobbies
include weightlifting, single malts, and fire. Mike can be contacted at mike@unitedlemur.org.

xix

Acknowledgments
I

’d like to thank all the folks at Apple for the hard work they have put into the various flavors of
OS X and into educating the Mac community on their fantastic product, in particular, Joel Rennich,
Schoun Regan, Josh Wisenbaker, Greg Smith, JD Mankovsky, David Winter, Stale Bjorndal,
Eric Senf, Cawan Starks, Martin Libich, and a short list of others who have helped me through
the years! This includes the late Michael Bartosh, who is sorely missed on many fronts.
Thanks are also in order to the crew at 318 for their hard work, especially Kevin Klein.
Without you guys I never would have been able to take the time to complete this book: David,
Tim, Thomas, Beau, Zack, Kevin, Kevin, William, Joel, Robert, Jordan, Susie, Dan, Phil, Max,
Daniel, Adrian, John, John, Jon, Marc, Monica, Karl, Chris, Cade, Christian, Eli, Drake, Erin,
Ehren, Kennon, Theresa, Tony, and everyone else.
Also thanks to the fine staff at Apress for turning this book into something to be proud of:
Jeffrey Pepper, Candace English, Kim Wimpsett, Tina Nielsen, Steve Anglin, and the myriad of
others whose hard work went into this title. Thanks also to the technical reviewer, Mike Lee,
and to my coauthors, Zack and William.
I also have to thank the organizers of SANS, DefCon, BlackHat, LayerOne, and the other
security conferences and those in the white/gray hat and InfoSec communities for bringing to
light many vulnerabilities before they are discovered by others with a flair for exploitation.
Finally, a huge thanks goes out to the open source community. It is on the shoulders of these
giants that we all sit!
Charles S. Edge, Jr.
Many thanks are in order for making this dream a reality. I’d be remiss if I didn’t thank my
coauthor Charles Edge who brought me into this crazy experience in the first place. Thank you
to everyone at Apress (Candace, Laura, Mike, Kim, and all the others) for their tireless work and
dedication to this book. The development team at Apple should be acknowledged for their
constant desire to improve and reinvent a product that continues to amaze novices and experts
alike. My parents deserve a huge thank you for introducing me to the wonders of reading and
computer technology at a very early age. A heartfelt thanks goes to my good friend Adam, who
took a chance at giving me my first paid writing job and is a constant inspiration to my craft.
Last but certainly not least, this book is inspired by the technical writers of the world. It is an
unsung art to write technically, and the attention to detail that those who write books covering
technical materials must provide is truly staggering. Because of their experimentation, we learn
how to make our lives easier and more enjoyable.
William Barker

xxi

Introduction
A

common misconception in the Mac community is that the Mac is more secure than any
other operating system on the market. Although this might be true in most side-by-side analyses of security features right out of the box, what this isn’t taking into account is that security
tends to get overlooked once the machine starts to be configured for its true purposes. For
example, when sharing is enabled or remote control applications are installed, then a variety of
security threats are often established—no matter what the platform is.
In the security sector, the principle of least privilege is a philosophy that security professionals
abide by when determining security policies. This principle states that if you want to be secure,
you need to give every component of your network the absolute minimum permissions required
to do its job. But what are those permissions? What are the factors that need to be determined
when making that decision? No two networks are the same; therefore, it’s certainly not a decision that can be made for you. It’s something you will need to decide for yourself based on what
kinds of policies are implemented to deal with information technology security.

Security Beginnings: Policies
Security in a larger organization starts with a security policy. When looking to develop security
policies, it is important that the higher-level decision makers in the organization work hand in
hand with the IT team to develop their policies and security policy frameworks. A security policy, at
a minimum, should define the tools used on a network for security, the appropriate behavior of
employees and network users, the procedures for dealing with incidents, and the trust levels
within the network.
The reason policies become such an integral part of establishing security in a larger environment is that you must be secure but also be practical about how you approach security in an
organization. Security can be an impediment to productivity, both for support and for nonsupport
personnel. People may have different views about levels of security and how to enforce it. A
comprehensive security policy makes sure everyone is on the same page and that the cost
vs. protection paradigm that IT departments follow are in line with the business logic of the
organization.
On small networks, such as your network at home, you may have a loose security policy
that states you will occasionally run security updates and follow a few of the safeguards outlined in
this book. The smaller a network environment, the less likely security is going to be taken seriously.
However, for larger environments with much more valuable data to protect, the concern for
security should not be so flippant. For example, the Health Insurance Portability and Accountability
Act (HIPAA) authorizes criminal penalties of up to $250,000 and/or 10 years imprisonment
per violation of security standards for patient health information. The Gramm-Leach-Bliley Act
establishes financial institution standards for safeguarding customer information and imposes
penalties of up to $100,000 per violation.
xxiii

xxiv

■I N T R O D U C T I O N

Everyone in an organization should be concerned about security policies because
everyone is affected to some extent. Users are often affected the most, because policies often
consist of a set of rules that regulate their behavior, sometimes making it more difficult for
them to accomplish their tasks throughout their day. The IT staff should also be consulted and
brought into the decision-making process since they will be required to implement and comply
with these policies, while making sure that the policies are realistic given the budget available.
In addition, you must notify people in advance of the development of the policy. You should
contact members of the IT, management, and legal departments as well as a random sampling
of users in your environment. The size of your policy development will be determined by the
scope of the policy and the size of your organization. Larger policies may require many people
to be involved in the policy development. Smaller policies may require participation by only
one or two people within the organization.
As an example, a restrictive policy that requires all wireless users to use a RADIUS server
would incur IT costs not only from the initial install but also with the installs and configurations
necessary to set up the RADIUS clients on each of the workstations. A more secure RADIUS
server would also cause additional labor over other less secure protocols such as WEP. You also
need to consider IT budgeting and staffing downtime.
When developing your actual policy, keep the scope limited to what is technically enforceable and easy to understand, while protecting the productivity of your users. Policies should
also contain the reasons a policy is needed and cover the contacts and responsibilities of each
user. When writing your policy, discuss how policy violations will be handled and why each
item in the policy is required. All