Enterprise Mac Security: Mac OS X Snow Leopard (eBook)
648 pages
Apress (publisher)
978-1-4302-2731-1 (ISBN)
A common misconception in the Mac community is that Mac's operating system is more secure than others. While this might be true in certain cases, security on the Mac is still a crucial issue. When sharing is enabled or remote control applications are installed, Mac OS X faces a variety of security threats.
Enterprise Mac Security: Mac OS X Snow Leopard is a definitive, expert-driven update of the popular, slash-dotted first edition and was written in part as a companion to the SANS Institute course for Mac OS X. It contains detailed Mac OS X security information, and walkthroughs on securing systems, including the new Snow Leopard operating system.
Using the SANS Institute course as a sister, this book caters to both the beginning home user and the seasoned security professional not accustomed to the Mac, establishing best practices for Mac OS X for a wide audience.
The authors of this book are seasoned Mac and security professionals, having built many of the largest network infrastructures for Apple and spoken at both DEFCON and Black Hat on OS X security.
Charles Edge has been working with Apple products since he was a child. Professionally, Charles started with the Mac OS and Apple server offerings in 1999 after years working with various flavors of Unix. Charles began his consulting career working with Support Technologies and Andersen Consulting. In 2000, he found a new home at 318, Inc., a consulting firm in Santa Monica, California which is now the largest Mac consultancy in the country. At 318, Charles leads a team of over 40 engineers and has worked with network architecture, security and storage for various vertical and horizontal markets. Charles has spoken at a variety of conferences including DefCon, BlackHat, LinuxWorld, MacWorld and the WorldWide Developers Conference. Charles' first book, Mac Tiger Server Little Black Book, can be purchased through Paraglyph Press. Charles recently hung up his surfboard and moved to Minneapolis, Minnesota, with his wife, Lisa. Charles can be contacted at krypted@mac.com.
Title Page 1
Copyright Page 2
Contents at a Glance 4
Table of Contents 5
About the Authors 15
About the Technical Reviewer 16
Acknowledgments 17
Introduction 18
Security Beginnings: Policies 18
A Word About Network Images 19
Risk Management 19
How This Book Is Organized 20
Part 1: The Big Picture 20
Part 2: Securing the Ecosystem 21
Part 3: Securing the Network 21
Part 4: Securely Sharing Resources 22
Part 5: Securing the Workplace 22
Appendixes 23
Part I The Big Picture 24
Chapter 1 Security Quick-Start 25
Securing the Mac OS X Defaults 25
Customizing System Preferences 26
Accounts 26
Login Options 28
Passwords 29
Administrators 30
Security Preferences 31
General 31
FileVault 33
Firewall 35
Software Update 36
Bluetooth Security 38
Printer Security 40
Sharing Services 42
Securely Erasing Disks 43
Using Secure Empty Trash 45
Using Encrypted Disk Images 46
Securing Your Keychains 47
Best Practices 49
Chapter 2 Services, Daemons, and Processes 50
Introduction to Services, Daemons, and Processes 50
Viewing What’s Currently Running 52
The Activity Monitor 52
The ps Command 56
The top Output 57
Viewing Which Daemons Are Running 59
Viewing Which Services Are Available 60
Stopping Services, Daemons, and Processes 61
Stopping Processes 62
Stopping Daemons 64
Types of launchd Services 65
GUI Tools for Managing launchd 65
Changing What Runs At Login 66
Validating the Authenticity of Applications and Services 67
Summary 68
Chapter 3 Securing User Accounts 69
Introducing Identification, Authentication, and Authorization 69
Managing User Accounts 70
Introducing the Account Types 71
Adding Users to Groups 73
Enabling the Superuser Account 74
Setting Up Parental Controls 76
Managing the Rules Put in Place 82
Advanced Settings in System Preferences 84
Working with Local Directory Services 85
Creating a Second Local Directory Node 88
External Accounts 88
Restricting Access with the Command Line: sudoers 89
Securing Mount Points 94
SUID Applications: Getting into the Nitty-Gritty 95
Creating Files with Permissions 97
Summary 98
Chapter 4 File System Permissions 99
Mac OS File Permissions: A Brief History of Time 100
POSIX Permissions 101
Modes in Detail 102
Inheritance 104
The Sticky Bit 107
The suid/sguid Bits 107
POSIX in Practice 108
Access Control Lists 111
Access Control Entries 111
Administration 111
Read Permissions 112
Write Permissions 112
Inheritance 113
Effective Permissions 114
ACLs in Practice 115
Administering Permissions 117
Using the Finder to Manage Permissions 123
Using chown and chmod to Manage Permissions 124
The Hard Link Dilemma 127
Using mtree to Audit File system Permissions 129
Summary 131
Chapter 5 Reviewing Logs and Monitoring 132
What Exactly Gets Logged? 132
Using Console 134
Viewing Logs 134
Marking Logs 135
Searching Logs 136
Finding Logs 137
Secure.log: Security Information 101 138
appfirewall.log 139
Reviewing User-Specific Logs 140
Reviewing Command-Line Logs 142
Reviewing Library Logs 143
Breaking Down Maintenance Logs 143
daily.out 145
Yasu 146
Weekly.out 147
Monthly.out 148
What to Worry About 148
Virtual Machine and Bootcamp Logs 149
Event Viewer 149
Task Manager 150
Performance Alerts 151
Review Regularly, Review Often 152
Accountability 152
Incident Response 153
Summary 154
Part II Securing the Ecosystem 155
Chapter 6 Application Signing and Sandbox 156
Application Signing 156
Application Authentication 158
Application Integrity 160
Signature Enforcement in OS X 161
Keychain Access 162
The OS X Application Firewall 164
Client Management – MCX and Parental Controls 166
Signing and Verifying Applications 170
Sandbox 173
Sandbox Profiles 175
The Anatomy of a Profile 178
Sandbox Profiles in Action 183
Using Sandbox to Secure User Shells 183
base.sb 184
shell.sb 187
sbshell 188
Carbon Copy Cloner 189
Securely Automating Remote rsync 191
BIND 194
The Seatbelt Framework 195
Summary 197
Chapter 7 Securing Web Browsers and E-mail 199
A Quick Note About Passwords 200
Securing Your Web Browser 201
Securing Safari 201
Setting the Safari Security Preferences 202
Privacy and Safari 204
Network Administrators Configuring Safari’s Security Preferences 205
Securing Firefox 205
Privacy and Firefox 206
Master Passwords in Firefox 208
Securely Configuring Mail 212
Using SSL 212
Securing Entourage 215
Fighting Spam 218
Anatomy of Spam 218
Filtering Apple Mail for Spam 219
Filtering with Entourage 220
Using White Listing in Entourage 221
Desktop Solutions for Securing E-mail 223
Using PGP to Encrypt Mail Messages 223
GPG Tools 223
Using Mail Server-Based Solutions for Spam and Viruses 223
Kerio 224
Mac OS X Server’s Antispam Tools 226
CommuniGate Pro 227
Outsourcing Your Spam and Virus Filtering 228
Summary 228
Chapter 8 Malware Security: Combating Viruses, Worms, and Root Kits 229
Classifying Threats 229
The Real Threat of Malware on the Mac 232
Script Malware Attacks 233
Socially Engineered Malware 234
Using Antivirus Software 234
Built Into Mac OS X 235
Antivirus Software Woes 235
McAfee VirusScan 236
Norton AntiVirus 236
ClamXav 237
Sophos Anti-Virus 242
Best Practices for Combating Malware 243
Other Forms of Malware 244
Adware 244
Spyware 244
MacScan 245
Root Kits 246
Summary 248
Chapter 9 Encrypting Files and Volumes 249
Using the Keychain to Secure Sensitive Data 250
The Login Keychain 250
Creating Secure Notes and Passwords 253
Managing Multiple Keychains 256
Using Disk Images as Encrypted Data Stores 259
Creating Encrypted Disk Images 261
Interfacing with Disk Images from the Command Line 267
Encrypting User Data Using FileVault 273
Enabling FileVault for a User 276
The FileVault Master Password 279
Limitations of Sparse Images and Reclaiming Space 280
Full Disk Encryption 282
Check Point 283
PGP Encryption 285
TrueCrypt 286
WinMagic SecureDoc 287
Summary 288
Part III Network Traffic 290
Chapter 10 Securing Network Traffic 291
Understanding TCP/IP 291
Types of Networks 294
Peer-to-Peer 294
Considerations when Configuring Peer-to-Peer Networks 295
Client-Server Networks 296
Understanding Routing 297
Packets 297
Gateways 297
Routers 298
Firewalls 299
Port Management 299
DMZ and Subnets 300
Spoofing 301
Stateful Packet Inspection 301
Data Packet Encryption 302
Understanding Switches and Hubs 302
Managed Switches 303
Restricting Network Services 305
Security Through 802.1x 306
Proxy Servers 307
Squid 308
Summary 311
Chapter 11 Setting Up the Mac OS X Firewall 312
Introducing Network Services 313
Controlling Services 314
Configuring the Firewall 317
Working with the Firewall in Leopard and Snow Leopard 317
Setting Advanced Features 320
Blocking Incoming Connections 320
Allowing Signed Software to Receive Incoming Connections 321
Going Stealthy 322
Testing the Firewall 323
Configuring the Application Layer Firewall from the Command Line 325
Using Mac OS X to Protect Other Computers 326
Enabling Internet Sharing 326
Configuring Clients 327
Dangers of Internet Sharing 327
Working from the Command Line 328
Getting More Granular Firewall Control 328
Using ipfw 330
Inspecting ipfw Rules 331
ipfwloggerd 333
/etc/ipfilter/ipfw.conf 333
Using Dummynet 334
Creating Pipes 334
Pipe Masks 335
Queues 336
Summary 337
Chapter 12 Securing a Wireless Network 338
Wireless Network Essentials 338
Introducing the Apple AirPort 340
Configuring Older AirPorts 341
AirPort Utility 343
Configuring the Current AirPorts 343
Limiting the DHCP Scope 346
Hardware Filtering 347
AirPort Logging 349
Hiding a Wireless Network 350
Base Station Features in the AirPort Utility 351
The AirPort Express 352
Wireless Security on Client Computers 352
Securing Computer-to-Computer Networks 353
Wireless Topologies 354
Wireless Hacking Tools 355
KisMAC 355
Detecting Rogue Access Points 356
iStumbler and Mac Stumbler 357
MacStumbler 359
Ettercap 360
EtherPeek 360
Cracking WEP Keys 360
Cracking WPA-PSK 361
General Safeguards Against Cracking Wireless Networks 362
Summary 363
Part IV Sharing 364
Chapter 13 File Services 365
The Risks in File Sharing 365
Peer-to-Peer vs. Client-Server Environments 366
File Security Fundamentals 366
LKDC 367
Using POSIX Permissions 367
Getting More out of Permissions with Access Control Lists 368
Sharing Protocols: Which One Is for You? 369
Apple Filing Protocol 369
Setting Sharing Options 371
Samba 371
The SMB.conf File 373
Using Apple AirPort to Share Files 374
Third-Party Problem Solver: DAVE 378
FTP 384
Permission Models 386
Summary 387
Chapter 14 Web Site Security 388
Securing Your Web Server 388
Introducing the httpd Daemon 389
Removing the Default Files 390
Changing the Location of Logs 390
Restricting Apache Access 391
Run on a Nonstandard Port 391
Use a Proxy Server 392
Disable CGI 392
Disable Unnecessary Services in Apache 392
PHP and Security 393
Securing PHP 393
Tightening PHP with Input Validation 394
Taming Scripts 395
Securing Your Perl Scripts 395
Securing robots.txt 397
Blocking Hosts Based on robots.txt 397
Protecting Directories 398
Customizing Error Codes 399
Using .htaccess to Control Access to a Directory 400
Tightening Security with TLS 402
Implementing Digital Certificates 402
Protecting the Privacy of Your Information 403
Protecting from Google? 404
Enumerating a Web Server 405
Securing Files on Your Web Server 406
Disabling Directory Listings 407
Uploading Files Securely 408
Code Injection Attacks 408
SQL Injection 408
Cross Site Scripting 408
Protecting from Code Injection Attacks 409
Summary 409
Chapter 15 Remote Connectivity 411
Remote Management Applications 412
Apple Remote Desktop 412
Screen Sharing 412
Enabling Screen Sharing 413
Implementing Back to My Mac 414
Configuring Remote Management 415
Enabling Remote Management 415
Using Timbuktu Pro 418
Installing Timbuktu Pro 418
Adding New Users 419
Testing the New Account 420
Using Secure Shell 422
Enabling SSH 422
Further Securing SSH 423
Using a VPN 424
Connecting to Your Office VPN 424
Setting Up L2TP 425
Setting Up PPTP 426
Connecting to a Cisco VPN 427
PPP + SSH = VPN 429
Setting Up the VPN account 429
Setting Up SSH 430
Setting Up PPP 431
Configuring Routing 432
Disconnecting 432
Summary 432
Chapter 16 Server Security 433
Limiting Access to Services 433
The Root User 435
Foundations of a Directory Service 435
Defining LDAP 435
Kerberos 436
Kerberos Deconstructed 436
Configuring and Managing Open Directory 438
Securing LDAP: Enabling SSL 441
Securing Open Directory Accounts by Enabling Password Policies 442
Securing Open Directory Using Binding Policies 445
Securing Authentication with PasswordServer 447
Securing LDAP by Preventing Anonymous Binding 449
Securely Binding Clients to Open Directory 451
Further Securing LDAP: Implementing Custom LDAP ACLs 454
Creating Open Directory Users and Groups 454
Securing Kerberos from the Command Line 458
Managed Preferences 459
Securing Managed Preferences 461
Providing Directory Services for Windows Clients 463
Active Directory Integration 464
Using the AD-Plugin 465
Setting Up Network Homes with Active Directory Clients 466
Using the AD-Plugin from the Command Line 467
Integrating Open Directory with Active Directory: Dual Directory 468
Web Server Security in Mac OS X Server 469
Using Realms 469
SSL Certs on Web Servers 471
File Sharing Security in OS X Server 473
A Word About File Size 475
Securing NFS 475
AFP 476
AFP Authentication Options 477
Kerberized AFP 478
AFP Logging 479
SMB 480
FTP 481
Wireless Security on OS X Server Using RADIUS 481
DNS Best Practices 483
SSL 484
Reimporting Certificates 485
SSH 485
Server Admin from the Command Line 487
iChat Server 487
Securing the Mail Server 488
Limiting the Protocols on Your Server 489
Proxying Services 490
Summary 491
Part V Securing the Workplace 492
Chapter 17 Network Scanning, Intrusion Detection, and Intrusion Prevention Tools 493
Scanning Techniques 493
Fingerprinting 494
Enumeration 496
Vulnerability and Port Scanning 497
nmap 497
Running a SYN/Stealth Scan 499
Other nmap Scans 500
Intrusion Detection and Prevention 500
Host Intrusion Detection System 501
Tripwire 501
Tripwire Installation 501
Network Intrusion Detection 502
Snort from the Command Line 502
Honeypots 504
Security Auditing on the Mac 505
Nessus 505
Installing Nessus 505
Running a Scan 508
Metasploit 509
SAINT 511
Installation 511
Summary 512
Chapter 18 Backup and Fault Tolerance 513
Time Machine 514
Restoring Files from Time Machine 518
Using a Network Volume for Time Machine 519
SuperDuper 520
Backing Up to MobileMe 521
Retrospect 525
Configuring a Backup 527
Grooming Scripts 533
Utility Scripts 535
Checking Your Retrospect Backups 536
Using Tape Libraries 538
Backup vs. Fault Tolerance 539
Fault-Tolerant Scenarios 539
Round-Robin DNS 540
Load-Balancing Devices 541
Cold Sites 541
Hot Sites 542
Backing up Services 542
Summary 543
Chapter 19 Forensics 545
Incident Response 546
MacForensicsLab 547
Installing MacForensicsLab 547
Using MacForensicsLab 552
Image Acquisition 554
Analysis 556
Salvage 559
Performing an Audit 562
Reviewing the Case 562
Reporting 563
Other GUI Tools for Forensic Analysis 564
Forensically Acquiring Disk Images 565
Tools for Safari 565
Command-Line Tools for Forensic Analysis 566
Summary 566
Appendix A Xsan Security 567
Metadata 568
Fibre Channel 569
Affinities 569
Permissions 569
Quotas 570
Other SAN Solutions 570
Appendix B InfoSec Acceptable Use Policy 571
1.0 Overview 571
2.0 Purpose 571
3.0 Scope 572
4.0 Policy 572
4.1 General Use and Ownership 572
4.2 Security and Proprietary Information 573
4.3 Unacceptable Use 574
System and Network Activities 574
Email and Communications Activities 575
4.4 Blogging 576
5.0 Enforcement 577
6.0 Definitions 577
Term Definition 577
7.0 Revision History 577
Appendix C CDSA 578
Appendix D Introduction to Cryptography 580
Index 584
Publication date (per publisher) | 31.12.2010 |
---|---|
Additional info | 648 p. |
Place of publication | Berkeley |
Language | English |
Subject areas | Computer Science ► Operating Systems / Servers ► Macintosh / Mac OS X |
 | Computer Science ► Networks ► Security / Firewall |
 | Mathematics / Computer Science ► Computer Science ► Software Development |
 | Mathematics / Computer Science ► Computer Science ► Theory / Studies |
Keywords | Control • Controlling • Internet • Mac OS X 10.5 (Leopard) • Mac OS X 10.6 (Snow Leopard) • security |
ISBN-10 | 1-4302-2731-1 / 1430227311 |
ISBN-13 | 978-1-4302-2731-1 / 9781430227311 |
Size: 26.2 MB
DRM: Digital watermark
This eBook contains a digital watermark and is thereby personalized for you. If the eBook is improperly passed on to third parties, it can be traced back to the source.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables, and figures. A PDF can be displayed on almost all devices but is only of limited suitability for small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is, however, not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.
Additional feature: Read online
In addition to downloading it, you can also read this eBook online in your web browser.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.