Mac OS X Server Security Configuration - Apple

Published on 04-Jun-2018

Mac OS X Server Security Configuration
For Mac OS X Server Version 10.6 Snow Leopard

Apple Inc.
© 2010 Apple Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014
408-996-1010
www.apple.com

The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AirPort, Bonjour, FileVault, FireWire, iCal, iChat, iMac, iSight, iTunes, Keychain, Mac, Mac OS, QuickTime, Safari, Snow Leopard, Spotlight, Tiger, Time Machine, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

Apple Remote Desktop, Finder, and QuickTime Broadcaster are trademarks of Apple Inc.

MobileMe is a service mark of Apple Inc.

The Bluetooth word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

Intel, Intel Core, and Xeon are trademarks of Intel Corp. in the U.S. and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

UNIX is a registered trademark of The Open Group.

This product includes software developed by the University of California, Berkeley, FreeBSD, Inc., The NetBSD Foundation, Inc., and their respective contributors.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

019-1875/2010-06

Contents

Preface
About This Guide
  Audience
  What's in This Guide
  Using This Guide
  Using Onscreen Help
  Snow Leopard Server Administration Guides
  Viewing PDF Guides on Screen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information
  Acknowledgments

Chapter 1 Introduction to Snow Leopard Server Security Architecture
  Security Architectural Overview
  UNIX Infrastructure
  Access Permissions
  Security Framework
  Layered Security Defense
  Network Security
  Credential Management
  Public Key Infrastructure (PKI)
  What's New in Snow Leopard Server Security
  Existing Security Features in Snow Leopard Server
  Signed Applications
  Mandatory Access Controls
  Sandboxing
  Managed User Accounts
  Enhanced Quarantining
  Memory and Runtime Protection
  Securing Sharing and Collaborative Services
  Service Access Control Lists
  VPN Compatibility and Integration
  Improved Cryptography
  Extended Validation Certificates
  Wildcard in Identity Preferences
  Enhanced Command-Line Tools
  FileVault and Encrypted Storage
  Encrypted Disk Image Cryptography
  Smart Card Support for Unlocking Encrypted Storage
  Enhanced Safari 4.0 Security

Chapter 2 Installing Snow Leopard Server
  Installation Overview
  Preparing an Administrator Computer
  Setting Up Network Infrastructure
  Starting Up for Installation
  Starting Up from the Install DVD
  Starting Up from an Alternate Partition
  Starting Up from a NetBoot Environment
  Remote Access During Installation
  Server Admin During Installation
  SSH During Installation
  VNC During Installation
  About Default Installation Passwords
  Preparing Disks for Installing Snow Leopard Server
  Securely Erasing a Disk for Installation
  Installing Server Software
  Enabling the Firewall
  Applying Software and Security Updates
  Updating from an Internal Software Update Server
  Updating from Internet Software Update Servers
  Updating Manually from Installer Packages
  Verifying the Integrity of Software
  Setting Up Services and Users
  About Settings Established During Server Setup
  Enabling the Firmware Password

Chapter 3 Securing System Hardware
  Protecting Hardware
  Preventing Wireless Eavesdropping
  Understanding Wireless Security Challenges
  About OS Components
  Removing Wi-Fi Support Software
  Removing Bluetooth Support Software
  Removing IR Support Software
  Preventing Unauthorized Recording
  Removing Audio Support Software
  Removing Video Recording Support Software
  Preventing Data Port Access
  Removing USB Support Software
  Removing FireWire Support Software
  System Hardware Modifications

Chapter 4 Securing Global System Settings
  Securing System Startup
  Using the Firmware Password Utility
  Using Command-Line Tools for Secure Startup
  Configuring Access Warnings
  Enabling Access Warnings for the Login Window
  Understanding the AuthPlugin Architecture
  The BannerSample Project
  Enabling Access Warnings for the Command Line
  Turning On File Extensions

Chapter 5 Securing Local Server Accounts
  Types of User Accounts
  Guidelines for Creating Accounts
  Defining User IDs
  Securing the Guest Account
  Securing Nonadministrator Accounts
  Securing External Accounts
  Protecting Data on External Volumes
  Securing Directory-Based Accounts
  Avoiding Simultaneous Local Account Access
  Securing Administrator Accounts
  About Tiered Administration Permissions
  Defining Administrative Permissions
  Avoiding Shared Administrator Accounts
  Securing the Directory Domain Administrator Account
  Changing Special Authorizations for System Functions
  Securing the System Administrator Account
  Restricting sudo Usage
  Understanding Directory Domains
  Understanding Network Services, Authentication, and Contacts
  Configuring LDAPv3 Access
  Configuring Active Directory Access
  Using Strong Authentication
  Using Password Assistant to Generate or Analyze Passwords
  Using Kerberos
  Using Smart Cards
  Using Tokens
  Using Biometrics
  Setting Global Password Policies
  Storing Credentials in Keychains
  Using the Default User Keychain
  Creating Additional Keychains
  Securing Keychains and Their Items
  Using Smart Cards as Keychains
  Using Portable and Network Keychains

Chapter 6 Securing System Preferences
  System Preferences Overview
  Securing MobileMe Preferences
  Securing Accounts Preferences
  Securing Appearance Preferences
  Securing Bluetooth Preferences
  Securing CDs & DVDs Preferences
  Securing Date & Time Preferences
  Securing Desktop & Screen Saver Preferences
  Securing Display Preferences
  Securing Dock Preferences
  Securing Energy Saver Preferences
  Securing Exposé & Spaces Preferences
  Securing Language & Text Preferences
  Securing Keyboard Preferences
  Securing Mouse Preferences
  Securing Bluetooth Settings
  Restricting Access to Specified Users
  Securing Network Preferences
  Disabling Unused Hardware Devices
  Securing Print & Fax Preferences
  Securing Security Preferences
  General Security
  FileVault Security
  Securing Sharing Preferences
  Securing Software Update Preferences
  Securing Sound Preferences
  Securing Speech Preferences
  Securing Spotlight Preferences
  Securing Startup Disk Preferences
  Securing Time Machine Preferences
  Securing Universal Access Preferences

Chapter 7 Securing System Swap and Hibernation Storage
  System Swap File Overview
  Encrypting System Swap

Chapter 8 Securing Data and Using Encryption
  About Transport Encryption
  About Payload Encryption
  About File and Folder Permissions
  Setting POSIX Permissions
  Viewing POSIX Permissions
  Interpreting POSIX Permissions
  Modifying POSIX Permissions
  Setting File and Folder Flags
  Viewing Flags
  Modifying Flags
  Setting ACL Permissions
  Enabling ACL Permissions
  Modifying ACL Permissions
  Changing Global Umask for Stricter Default Permissions
  Restricting Setuid Programs
  Securing User Home Folders
  Encrypting Home Folders
  Overview of FileVault
  Managing FileVault
  Managing the FileVault Master Keychain
  Encrypting Portable Files
  Creating an Encrypted Disk Image
  Creating an Encrypted Disk Image from Existing Data
  Creating Encrypted PDFs
  Securely Erasing Data
  Configuring Finder to Always Securely Erase
  Using Disk Utility to Securely Erase a Disk or Partition
  Using Command-Line Tools to Securely Erase Files
  Using Secure Empty Trash
  Using Disk Utility to Securely Erase Free Space
  Using Command-Line Tools to Securely Erase Free Space
  Deleting Permanently from Time Machine Backups

Chapter 9 Managing Certificates
  Understanding Public Key Infrastructure
  Public and Private Keys
  Certificates
  About Certificate Authorities (CAs)
  About Identities
  Self-Signed Certificates
  About Intermediate Trust
  Certificate Manager in Server Admin
  Readying Certificates
  Creating a Self-Signed Certificate
  Storing the Private Key
  Requesting a Certificate from a CA
  Creating a CA
  Importing a Certificate Identity
  Managing Certificates
  Editing a Certificate
  Distributing a CA Public Certificate to Clients
  Deleting a Certificate
  Renewing an Expiring Certificate
  Replacing an Existing Certificate

Chapter 10 Setting General Protocols and Access to Services
  Setting General Protocols
  Disabling NTP Service
  Disabling SNMP
  Enabling SSH
  About Remote Management (ARD)
  Remote Management Best Practices
  Limiting Remote Management Access
  Disabling Remote Management Access
  Remote Apple Events (RAE)
  Restricting Access to Specific Users
  Setting the Server's Host Name
  Setting the Date and Time
  Setting Up Certificates
  Setting Service Access Control Lists (SACLs)

Chapter 11 Securing Remote Access Services
  Securing Remote SSH Login
  Configuring SSH
  Modifying the SSH Configuration File
  Generating Key Pairs for Key-Based SSH Connections
  Updating SSH Key Fingerprints
  Controlling Access to SSH
  SSH Man-in-the-Middle Attacks
  Transferring Files Using SFTP
  Securing VPN Service
  VPN and Security
  Configuring L2TP/IPSec Settings
  Configuring PPTP Settings
  VPN Authentication Method
  Using VPN Service with Users in a Third-Party LDAP Domain
  Offering SecurID Authentication with VPN Service
  Encrypting Observe and Control Network Data
  Encrypting Network Data During File Copy and Package Installations

Chapter 12 Securing Network Infrastructure Services
  Using IPv6 Protocol
  IPv6-Enabled Services
  Securing DHCP Service
  Disabling Unnecessary DHCP Services
  Configuring DHCP Services
  Assigning Static IP Addresses Using DHCP
  Securing DNS Service
  Understanding BIND
  Turning Off Zone Transfers
  Disabling Recursion
  Preventing Some DNS Attacks
  Securing NAT Service
  Configuring Port Forwarding
  Disabling NAT Port Mapping Protocol
  Securing Bonjour (mDNS)

Chapter 13 Configuring the Firewall
  About Firewall Protection
  Planning Firewall Setup
  Configuring the Firewall Using Server Admin
  Starting Firewall Service
  Creating an IP Address Group
  Creating Firewall Service Rules
  Creating Advanced Firewall Rules
  Enabling Stealth Mode
  Viewing the Firewall Service Log
  Configuring the Firewall Manually
  Understanding IPFW Rulesets

Chapter 14 Securing Collaboration Services
  Securing iCal Service
  Disabling iCal Service
  Securely Configuring iCal Service
  Viewing iCal Service Logs
  Securing iChat Service
  Disabling iChat Service
  Securely Configuring iChat Service
  Viewing iChat Service Logs
  Securing Wiki Service
  Disabling Wiki Service
  Securely Configuring Wiki Services
  Viewing Wiki Service Logs
  Securing Podcast Producer Service
  Disabling Podcast Producer Service
  Securely Configuring Podcast Producer Service
  Viewing Podcast Producer Service Logs

Chapter 15 Securing Mail Service
  Disabling Mail Service
  Configuring Mail Service for SSL
  Enabling Secure Mail Transport with SSL
  Enabling Secure POP Authentication
  Configuring SSL Transport for POP Connections
  Enabling Secure IMAP Authentication
  Configuring SSL Transport for IMAP Connections
  Enabling Secure SMTP Authentication
  Configuring SSL Transport for SMTP Connections
  Using ACLs for Mail Service Access
  Limiting Junk Mail and Viruses
  Connection Control
  Filtering SMTP Connections
  Mail Screening
  Viewing Mail Service Logs

Chapter 16 Securing Antivirus Services
  Securely Configuring and Managing Antivirus Services
  Enabling Virus Scanning
  Managing ClamAV with ClamXav
  Viewing Antivirus Services Logs

Chapter 17 Securing File Services and Sharepoints
  Security Considerations
  Restricting Access to File Services
  Restricting Access to Everyone
  Restricting Access to NFS Share Points
  Restricting Guest Access
  Restricting File Permissions
  Protocol Security Comparison
  Disabling File Sharing Services
  Choosing a File Sharing Protocol
  Configuring AFP File Sharing Service
  Configuring FTP File Sharing Service
  Configuring NFS File Sharing Service
  Configuring SMB File Sharing Service
  Configuring Share Points
  Disabling Share Points
  Restricting Access to a Share Point
  AFP Share Points
  SMB Share Points
  FTP Share Points
  NFS Share Points

Chapter 18 Securing Web Service
  Disabling Web Service
  Managing Web Modules
  Disabling Web Options
  Using Realms to Control Access
  Enabling Secure Sockets Layer (SSL)
  Using a Passphrase with SSL Certificates
  Viewing Web Service Logs
  Securing WebDAV
  Securing Blog Services
  Disabling Blog Services
  Securely Configuring Blog Services
  Securing Tomcat
  Securing MySQL
  Disabling MySQL Service
  Setting Up MySQL Service
  Viewing MySQL Service and Admin Logs

Chapter 19 Securing Client Configuration Management Services
  Managing Applications Preferences
  Controlling User Access to Applications and Folders
  Allowing Specific Dashboard Widgets
  Disabling Front Row
  Allowing Legacy Users to Open Applications and Folders
  Managing Dock Preferences
  Managing Energy Saver Preferences
  Managing Finder Preferences
  Managing Login Preferences
  Managing Media Access Preferences
  Managing Mobility Preferences
  Managing Network Preferences
  Managing Parental Controls Preferences
  Hiding Profanity in Dictionary
  Preventing Access to Adult Websites
  Allowing Access Only to Specific Websites
  Setting Time Limits and Curfews on Computer Usage
  Managing Printing Preferences
  Managing Software Update Preferences
  Managing Access to System Preferences
  Managing Universal Access Preferences
  Enforcing Policy

Chapter 20 Securing NetBoot Service
  Securing NetBoot Service
  Disabling NetBoot Service
  Limit NetBoot Service Clients
  Viewing NetBoot Service Logs

Chapter 21 Securing Software Update Service
  Disabling Software Update Service
  Limiting Automatic Update Availability
  Viewing Software Update Service Logs

Chapter 22 Securing Network Accounts
  About Open Directory and Active Directory
  Securing Directory Accounts
  Configuring Directory User Accounts
  Configuring Group Accounts
  Configuring Computer Groups
  Controlling Network Views

Chapter 23 Securing Directory Services
  Open Directory Server Roles
  Configuring the Open Directory Services Role
  Starting Kerberos After Setting Up an Open Directory Master
  Configuring Open Directory for SSL
  Configuring Open Directory Policies
  Setting the Global Password Policy
  Setting a Binding Policy for an Open Directory Master and Replicas
  Setting a Security Policy for an Open Directory Master and Replicas

Chapter 24 Securing RADIUS
  Disabling RADIUS
  Securely Configuring RADIUS Service
  Configuring RADIUS to Use Certificates
  Editing RADIUS Access
  Viewing RADIUS Service Logs

Chapter 25 Securing Print Service
  Disabling Print Service
  Securing Print Service
  Configuring Print Service Access Control Lists (SACLs)
  Configuring Kerberos
  Configuring Print Queues
  Viewing Print Service and Queue Logs

Chapter 26 Securing Multimedia Services
  Disabling QTSS
  Securely Configuring QTSS
  Configuring a Streaming Server
  Serving Streams Through Firewalls Using Port 80
  Streaming Through Firewalls or Networks with Address Translation
  Changing the Password Required to Send an MP3 Broadcast Stream
  Using Automatic Unicast (Announce) with QTSS on a Separate Computer
  Controlling Access to Streamed Media
  Viewing QTSS Logs

Chapter 27 Securing Grid and Cluster Computing Services
  Understanding Xgrid Service
  Disabling Xgrid Service
  About Authentication Methods for Xgrid
  Single Sign-On
  Password-Based Authentication
  No Authentication
  Securely Configuring Xgrid Service
  Disabling the Xgrid Agent
  Limiting the Xgrid Agent
  Configuring an Xgrid Controller

Chapter 28 Managing Who Can Obtain Administrative Privileges (sudo)
  Managing the sudoers File

Chapter 29 Managing Authorization Through Rights
  Understanding the Policy Database
  The Rights Dictionary
  Rules
  Managing Authorization Rights
  Creating an Authorization Right
  Modifying an Authorization Right
  Example Authorization Restrictions

Chapter 30 Maintaining System Integrity
  Using Digital Signatures to Validate Applications and Processes
  Validating Application Bundle Integrity
  Validating Running Processes
  Auditing System Activity
  Installing Auditing Tools
  Enabling Auditing
  Setting Audit Mechanisms
  Using Auditing Tools
  Using the audit Tool
  Using the auditreduce Tool
  Using the praudit Tool
  Deleting Audit Records
  Audit Control Files
  Managing and Analyzing Audit Log Files
  Using Activity Analysis Tools
  Validating System Logging
  Configuring syslogd
  Local System Logging
  Remote System Logging
  Viewing Logs in Server Admin

Appendix A Understanding Passwords and Authentication
  Password Types
  Authentication and Authorization
  Open Directory Passwords
  Shadow Passwords
  Crypt Passwords
  Offline Attacks on Passwords
  Password Guidelines
  Creating Complex Passwords
  Using an Algorithm to Create a Complex Password
  Safely Storing Your Password
  Password Maintenance
  Authentication Services
  Determining Which Authentication Option to Use
  Password Policies
  Single Sign-On Authentication
  Kerberos Authentication
  Smart Card Authentication

Appendix B Security Checklist
  Installation Action Items
  Hardware and Core Snow Leopard Server Action Items
  Global Settings for Snow Leopard Server Action Items
  Account Configuration Action Items
  System Software Action Items
  MobileMe Preferences Action Items
  Accounts Preferences Action Items
  Appearance Preferences Action Items
  Bluetooth Preferences Action Items
  CDs & DVDs Preferences Action Items
  Exposé & Spaces Preferences Action Items
  Date & Time Preferences Action Items
  Desktop & Screen Saver Preferences Action Items
  Display Preferences Action Items
  Dock Preferences Action Items
  Energy Saver Preferences Action Items
  Keyboard and Mouse Preferences Action Items
  Network Preferences Action Items
  Print & Fax Preferences Action Items
  QuickTime Preferences Action Items
  Security Preferences Action Items
  Sharing Preferences Action Items
  Software Update Preferences Action Items
  Sound Preferences Action Items
  Speech Preferences Action Items
  Spotlight Preferences Action Items
  Startup Disk Preferences Action Items
  Time Machine Preferences Action Items
  Data Maintenance and Encryption Action Items
  Account Policies Action Items
  Share Points Action Items
  Account Configuration Action Items
  Applications Preferences Action Items
  Dock Preferences Action Items
  Energy Saver Preferences Action Items
  Finder Preferences Action Items
  Login Preferences Action Items
  Media Access Preferences Action Items
  Mobility Preferences Action Items
  Network Preferences Action Items
  Printing Preferences Action Items
  Software Update Preferences Action Items
  Access to System Preferences Action Items
  Universal Access Preferences Action Items
  Certificates Action Items
  General Protocols and Service Access Action Items
  Remote Access Services Action Items
  Network and Host Access Services Action Items
  IPv6 Protocol Action Items
  DHCP Service Action Items
  DNS Service Action Items
  Firewall Service Action Items
  NAT Service Action Items
  Bonjour Service Action Items
  Collaboration Services Action Items
  Mail Service Action Items
  File Services Action Items
  AFP File Sharing Service Action Items
  FTP File Sharing Service Action Items
  NFS File Sharing Service Action Items
  SMB Action Items
  Web Service Action Items
  Client Configuration Management Services Action Items
  Directory Services Action Items
  Print Service Action Items
  Multimedia Services Action Items
  Grid and Cluster Computing Services Action Items
  Validating System Integrity Action Items

Appendix C Scripts

Index
Preface

About This Guide

Use this guide as an overview of Mac OS X v10.6 Snow Leopard Server security features that can enhance security on your computer.

This guide gives instructions for securing Snow Leopard Server, and for securely managing servers and clients in a networked environment. It also provides information about the many roles Snow Leopard Server can assume in a network.

Audience

Administrators of server computers running Snow Leopard Server are the intended audience for this guide.

If you're using this guide, you should be an experienced Snow Leopard Server user, be familiar with the Workgroup Manager and Server Admin applications, and have at least some experience using the Terminal application's command-line interface. You should also have experience administering a network, be familiar with basic networking concepts, and be familiar with the Snow Leopard Server administration guides.

Some instructions in this guide are complex, and deviation from them could result in serious adverse effects on the server and its security. These instructions should only be used by experienced Snow Leopard Server administrators, and should be followed by thorough testing.

What's in This Guide

This guide explains how to secure servers and securely manage server and client computers in a networked environment. It does not provide information about securing clients. For help with securing computers running Snow Leopard, see Mac OS X Security Configuration.

This guide cannot cover all possible network configurations in which Snow Leopard Server might be used. Good network security and design must be used for this information to be effective, and anyone using this guide needs to be familiar with UNIX security basics, such as setting file permissions.

This guide includes the following chapters, arranged in the order that you're likely to need them when securely configuring a server.

• Chapter 1, "Introduction to Snow Leopard Server Security Architecture," provides an overview of the security architecture and features of Snow Leopard Server. This chapter describes the security framework, access permissions, built-in security services, and directory services.
• Chapter 2, "Installing Snow Leopard Server," describes how to securely install Snow Leopard Server locally or remotely. This chapter also includes information about updating system software, repairing disk permissions, and securely erasing data.
• Chapter 3, "Securing System Hardware," describes how to physically protect your hardware from attacks.
• Chapter 4, "Securing Global System Settings," describes how to secure settings that affect all users of the computer.
• Chapter 5, "Securing Local Server Accounts," describes the types of user accounts and how to securely configure an account. This includes securing accounts using strong authentication.
• Chapter 6, "Securing System Preferences," helps you configure local server accounts securely. This includes the secure configuration of local system preferences, setting up strong authentication and credential storage, and securing data.
• Chapter 7, "Securing System Swap and Hibernation Storage," describes how to scrub your system swap and hibernation space of sensitive information.
• Chapter 8, "Securing Data and Using Encryption," describes how to encrypt data and how to use Secure Erase to ensure old data is completely removed.
• Chapter 9, "Managing Certificates," describes how to generate, request, and deploy certificates.
• Chapter 10, "Setting General Protocols and Access to Services," helps you configure general network management protocols and restrict access to other services.
• Chapter 11, "Securing Remote Access Services," tells you how to create remote connections to your server using encryption.
• Chapter 12, "Securing Network Infrastructure Services," explains how to connect client computers and configure a firewall.
• Chapter 13, "Configuring the Firewall," describes how to configure the IPFW2 firewall.
• Chapter 14, "Securing Collaboration Services," describes how to securely configure iChat, iCal, Wiki, and Podcast Producer services.
• Chapter 15, "Securing Mail Service," explains how to set up mail service to use encryption and filter for spam and viruses.
• Chapter 16, "Securing Antivirus Services," describes how to enable and manage antivirus services to protect your mail and files.
• Chapter 17, "Securing File Services and Sharepoints," explains how to configure file services to enable secure data sharing.
• Chapter 18, "Securing Web Service," describes how to set up a web server and secure web settings and components.
• Chapter 19, "Securing Client Configuration Management Services," helps you set policies and enforce them using Workgroup Manager.
• Chapter 20, "Securing NetBoot Service," tells you how to configure NetBoot securely to provide images to clients.
• Chapter 21, "Securing Software Update Service," describes how to securely configure software update services.
• Chapter 22, "Securing Network Accounts," describes security settings related to managed user and group accounts.
• Chapter 23, "Securing Directory Services," explains how to configure Open Directory service roles and password policies.
• Chapter 24, "Securing RADIUS," tells how to securely configure RADIUS.
• Chapter 25, "Securing Print Service," explains how to set up print queues and banner pages.
• Chapter 26, "Securing Multimedia Services," provides security information to configure a streaming server.
• Chapter 27, "Securing Grid and Cluster Computing Services," explains how to securely configure an Xgrid agent and controller.
• Chapter 28, "Managing Who Can Obtain Administrative Privileges (sudo)," describes how to restrict access to the sudo command.
• Chapter 29, "Managing Authorization Through Rights," explains the policy database and how to control authorization by managing rights in the policy database.
• Chapter 30, "Maintaining System Integrity," describes how to use security audits and logging to validate the integrity of your server and data.
• Appendix A, "Understanding Passwords and Authentication," describes Open Directory authentication, shadow and crypt passwords, Kerberos, LDAP bind, and single sign-on.
• Appendix B, "Security Checklist," provides a checklist that guides you through securing your server.
• Appendix C, "Scripts," provides command-line commands and scripts for securing your server.

Note: Because Apple frequently releases new versions and updates to its software, images shown in this book might be different from what you see on your screen.

Using This Guide

The following list contains suggestions for using this guide:

• Read the guide in its entirety. Subsequent sections might build on information and recommendations discussed in prior sections.
• The instructions in this guide should always be tested in a nonoperational environment before deployment. This nonoperational environment should simulate, as much as possible, the environment where the computer will be deployed.
• This information is intended for computers running Snow Leopard Server. Before securely configuring a server, determine what function that particular server will perform and apply security configurations where applicable.
• Use the security checklist in Appendix B to track and record each security task and note what settings you changed. This information can be helpful when developing a security standard within your organization.

Important: Any deviation from this guide should be evaluated to determine what security risks it might introduce. Take measures to monitor or mitigate those risks.

Using Onscreen Help

You can get task instructions onscreen in Help Viewer while you're managing Snow Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a computer running Snow Leopard Server with the server administration tools installed.)

To get help for an advanced configuration of Snow Leopard Server:
m Open Server Admin or Workgroup Manager and then:
  • Use the Help menu to search for a task you want to perform.
  • Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics.

The onscreen help contains instructions taken from the advanced administration guides described in "Snow Leopard Server Administration Guides," next.

To see the most recent server help topics:
m Make sure the server or administrator computer is connected to the Internet while you're getting help.

Help Viewer automatically retrieves and caches the most recent server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached help topics.

Snow Leopard Server Administration Guides

Getting Started covers installation and setup for standard and workgroup configurations of Snow Leopard Server. For advanced configurations, Advanced Server Administration covers planning, installation, setup, and general server administration. A suite of additional guides covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Snow Leopard Server documentation website: www.apple.com/server/macosx/resources/documentation.html

Viewing PDF Guides on Screen

While reading the PDF version of a guide onscreen:

• Show bookmarks to see the guide's outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.

Printing PDF Guides

If you want to print a guide, you can take these steps to save paper and ink:

• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you're using Mac OS X v10.4 Tiger or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.)

You may want to enlarge the printed pages even if you don't print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CD-size pages).

Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.

• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click "Latest help topics" or "Staying current" in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.com/server/resources/
• An RSS feed listing the latest updates to Mac OS X Server documentation and onscreen help is available. To view the feed, use an RSS reader application, such as Safari or Mail: feed://helposx.apple.com/rss/snowleopard/serverdocupdates.xml

Getting Additional Information

For more information, consult these resources:

• Read Me documents: get important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx): enter the gateway to extensive product and technology information.
• Snow Leopard Server Support website (www.apple.com/support/macosxserver): access hundreds of articles from Apple's support organization.
• Apple Discussions website (discussions.apple.com): share questions, knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com): subscribe to mailing lists so you can communicate with other administrators using email.
• Apple Training and Certification website (www.apple.com/training): hone your server administration skills with instructor-led or self-paced training, and differentiate yourself with certification.
• Apple Product Security Mailing Lists website (lists.apple.com/mailman/listinfo/security-announce/): mailing lists for communicating by email with other administrators about security notifications and announcements.
• Open Source website (developer.apple.com/darwin/): access to Darwin open source code, developer information, and FAQs.
• Apple Product Security website (www.apple.com/support/security/): access to security information and resources, including security updates and notifications.

For additional security-specific information, consult these resources:

• NSA security configuration guides (www.nsa.gov/snac/): The National Security Agency (NSA) provides information about securely configuring proprietary and open source software.
• NIST Security Configuration Checklists Repository (checklists.nist.gov/repository/category.html): This is the National Institute of Standards and Technology (NIST) repository for security configuration checklists.
• DISA Security Technical Implementation Guide (www.disa.mil/gs/dsn/policies.html): This is the Defense Information Systems Agency (DISA) guide for implementing secure government networks. A Department of Defense (DoD) PKI Certificate is required to access this information.
• CIS Benchmark and Scoring Tool (www.cisecurity.org/bench_osx.html): This is the Center for Internet Security (CIS) benchmark and scoring tool used to establish CIS benchmarks.

Acknowledgments

Apple would like to thank the NSA, NIST, and DISA for their assistance in contributing to the security configuration guides for Snow Leopard and Snow Leopard Server.

Chapter 1 Introduction to Snow Leopard Server Security Architecture

Use this chapter to learn about the features in Snow Leopard Server that can enhance security on your computer.

Whether you're a home user with a broadband Internet connection, a professional with a mobile computer, or an IT manager with thousands of networked systems, you need to safeguard the confidentiality of information and the integrity of your computers. With Snow Leopard Server, a security strategy is implemented that is central to the design of the operating system.

To enhance security on your computer, Snow Leopard Server provides the following features.

• Modern security architecture. Snow Leopard includes state-of-the-art, standards-based technologies that enable Apple and third-party developers to build secure software for the Mac. These technologies support all aspects of system, data, and networking security required by today's applications.
• Secure default settings. When you take your Mac out of the box, it is securely configured to meet the needs of most common environments, so you don't need to be a security expert to set up your computer. The default settings make it very difficult for malicious software to infect your computer. You can further configure security on the computer to meet organizational or user requirements.
• Innovative security applications. Snow Leopard includes features that take the worry out of using a computer. For example, FileVault protects your documents by using strong encryption, an integrated VPN client gives you secure access to networks over the Internet, and a powerful firewall secures your home network.
• Open source foundation. Open source methodology makes Snow Leopard a robust, secure operating system, because its core components have been subjected to peer review for decades. Problems can be quickly identified and fixed by Apple and the larger open source community.
• Rapid response. Because the security of your computer is important, Apple responds rapidly to provide patches and updates. Apple works with worldwide partners, including the Computer Emergency Response Team (CERT), to notify users of potential threats. If vulnerabilities are discovered, the built-in Software Update tool notifies users of security updates, which are available for easy retrieval and installation.

Security Architectural Overview
Snow Leopard Server security services are built on two open source standards:
• Berkeley Software Distribution (BSD): BSD is a form of UNIX that provides fundamental services, including the Snow Leopard Server file system and file access permissions.
• Common Data Security Architecture (CDSA): CDSA provides an array of security services, including more specific access permissions, authentication of user identities, encryption, and secure data storage.

UNIX Infrastructure
The Snow Leopard Server kernel, the heart of the operating system, is built from BSD and Mach. Among other things, BSD provides basic file system and networking services and implements a user and group identification scheme. BSD enforces access restrictions to files and system resources based on user and group IDs. Mach provides memory management, thread control, hardware abstraction, and interprocess communication. Mach enforces access by controlling which tasks can send a message to a Mach port. (A Mach port represents a task or some other resource.)

BSD security policies and Mach access permissions constitute an essential part of security in Snow Leopard Server, and are critical to enforcing local security.

Access Permissions
An important aspect of computer security is the granting or denying of access permissions (sometimes called access rights). A permission is the ability to perform a specific operation, such as gaining access to data or to execute code. Permissions are granted at the level of folders, subfolders, files, or applications. Permissions are also granted for specific data in files or application functions.

Permissions in Snow Leopard Server are controlled at many levels, from the Mach and BSD components of the kernel through higher levels of the operating system, and for networked applications through network protocols.
Authorization Versus Authentication
Authorization is the process by which an entity, such as a user or a computer, obtains the right to perform a restricted operation. Authorization can also refer to the right itself, as in "Anne has the authorization to run that program." Authorization usually involves authenticating the entity and then determining whether it has the correct permissions.

Authentication is the process by which an entity (such as the user) demonstrates that they are who they say they are. For example, the user, entering a password which only he or she could know, allows the system to authenticate that user. Authentication is normally done as a step in the authorization process. Some applications and operating system components perform their own authentication. Authentication might use authorization services when necessary.

Security Framework
The security framework in Snow Leopard is an implementation of the CDSA architecture. It contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys. It also contains libraries that allow the interpretation of X.509 certificates.

The CDSA code is used by Snow Leopard features such as Keychain and URL Access for protection of login data.

Apple built the foundation of Snow Leopard and many of its integrated services with open source software such as FreeBSD, Apache, and Kerberos, among others, that has been made secure through years of public scrutiny by developers and security experts around the world.

Strong security is a benefit of open source software because anyone can inspect the source code, identify theoretical vulnerabilities, and take steps to strengthen the software. Apple actively participates with the open source community by routinely releasing updates of Snow Leopard Server that are subject to independent developers' ongoing review and by incorporating improvements. An open source software development approach provides the transparency necessary to increase Snow Leopard Server security.
Layered Security Defense
Snow Leopard Server security is built on a layered defense for maximum protection. Security features such as the following provide solutions for securing data at all levels, from the operating system and applications to networks and the Internet.
• Secure worldwide communication: Firewall and mail filtering help prevent malicious software from compromising your computer.
• Secure applications: Encrypted Disk Images and FileVault help prevent intruders from viewing data on your computer.
• Secure network protocols: Secure Sockets Layer (SSL) is a protocol that helps prevent intruders from viewing information exchanged across a network, Kerberos secures the authentication process, and a firewall prevents unauthorized access to a computer or network.
• Security Services: Authentication using keychains, together with POSIX and ACL permissions, helps prevent intruders from using your applications and accessing your files.
• Secure boot and lockdown: The Firmware Password Utility helps prevent people who can access your hardware from gaining root-level access permissions to your computer files.

Network Security
Secure Transport is used to implement SSL and Transport Layer Security (TLS) protocols. These protocols provide secure communications over a TCP/IP connection such as the Internet by using encryption and certificate exchange. A firewall can then filter communication over a TCP/IP connection by permitting or denying access to a computer or a network.

[Figure: layered security defense. Layers shown: Secure Worldwide Communication, Secure Applications, Secure Network Protocols, Security Services, Secure Boot/Lock Down, mapped onto Internet, Applications, Network, Operating System, Hardware.]
Credential Management
A keychain is used to store passwords, keys, certificates, and other data placed in the keychain by a user. Due to the sensitive nature of this information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files.

Snow Leopard Server Keychain services enable you to create keychains and securely store keychain items. After a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes for users. A user can unlock a keychain through authentication (by using a password, digital token, or smart card) and applications can then use that keychain to store and retrieve data, such as passwords.

Public Key Infrastructure (PKI)
The Public Key Infrastructure (PKI) includes certificate, key, and trust services that provide functions to:
• Create, manage, and read certificates
• Add certificates to a keychain
• Create encryption keys
• Manage trust policies

These functions are used when the services call Common Security Service Manager (CSSM) functions. This is transparent to users.

What's New in Snow Leopard Server Security
Snow Leopard Server offers the following major security enhancements:
• Increased security for memory and protection: Snow Leopard Server running on the 64-bit chip improves support for memory and executable protection against arbitrary code execution. Technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify the software on your computer.
• Better Trojan horse protection: Snow Leopard Server maintains profiles for known malicious software, and prevents its download through many applications.
• Increased VPN compatibility: Virtual private network (VPN) support has been enhanced to support Cisco IPSec VPN connections without additional software.
• Improved cryptography technologies: Snow Leopard Server includes Elliptic Curve Cryptography (ECC) support in most of its encryption technologies.
• Support for Extended Validation Certificates: Extended Validation (EV) Certificates require the Certificate Authority to investigate the identity of the certificate holder before issuing a certificate.
• Support for wildcards in domains for Keychain Access identity preferences: This allows client certificate-authenticated connections to multiple servers or paths defined within a single ID Pref.
• Updated security command-line tools: The security and networksetup command-line tools have been enhanced.
• Enhanced Safari 4.0 security: Safari has enhanced detection of fraudulent sites. It also runs many browser plug-ins as separate processes for enhanced security and stability.

Existing Security Features in Snow Leopard Server
Snow Leopard Server continues to include the following security features and technologies to enhance the protection of your computer and your personal information.
• Application signing: This enables you to verify the integrity and identity of applications on your Mac.
• Mandatory access controls: These enforce restrictions on access to system resources.
• Quarantined applications: Mac OS X v10.6 tags and marks downloaded files with first-run warnings to help prevent users from inadvertently running malicious downloaded applications.
• Runtime protection: Technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify the software on your system.
• Meaningful security alerts: When users receive security alerts and questions too frequently, they may fall into reflexive mode when the system asks a security-related question, clicking OK without thought. Mac OS X v10.6 minimizes the number of security alerts that you see, so when you do see one, it gets your attention.

Signed Applications
By signing applications, your Mac can verify the identity and integrity of an application. Applications shipped with Snow Leopard Server are signed by Apple. In addition, third-party software developers can sign their software for the Mac.

Application signing doesn't provide intrinsic protection, but it integrates with several other features to enhance security. Features such as parental controls, managed preferences, Keychain, and the firewall use application signing to verify that the applications they are working with are the correct, unmodified versions.

With Keychain, the use of signing dramatically reduces the number of Keychain dialogs presented to users because the system can validate the integrity of an application that uses the Keychain. With parental controls and managed preferences, the system uses signatures to verify that an application runs unmodified. The application firewall uses signatures to identify and verify the integrity of applications that are granted network access. In the case of parental controls and the firewall, unsigned applications are signed by the system on an ad hoc basis to identify them and verify that they remain unmodified.

Mandatory Access Controls
Snow Leopard Server uses an access control mechanism known as mandatory access controls. Although the Mandatory Access Control technology is not visible to users, it is included in Snow Leopard Server to protect your computer.

Mandatory access controls are policies that cannot be overridden. These policies set security restrictions created by the developer. This approach is different from discretionary access controls that permit users to override security policies according to their preferences. Mandatory access controls in Snow Leopard Server aren't visible to users, but they are the underlying technology that helps enable several important new features, including sandboxing, parental controls, managed preferences, and a safety net feature for Time Machine.

Time Machine illustrates the difference between mandatory access controls and the user privilege model: it allows files within Time Machine backups to be deleted only by programs related to Time Machine. From the command line, no user, not even one logged in as root, can delete files in a Time Machine backup. Time Machine uses this strict policy because it utilizes file system features in Snow Leopard Server. The policy prevents corruption in the backup directory by preventing tools that may not recognize the new file system features from deleting files from backups.

Mandatory access controls are integrated with the exec system service to prevent the execution of unauthorized applications. This is the basis for application controls in parental controls in Snow Leopard and managed preferences in Snow Leopard Server. Mandatory access controls enable strong parental controls. In the case of the new sandboxing facility, mandatory access controls restrict access to system resources as determined by a special sandboxing profile that is provided for each sandboxed application. This means that even processes running as root can have extremely limited access to system resources.

Sandboxing
Sandboxing helps ensure that applications do only what they're intended to do by placing controls on applications that restrict what files they can access, whether the applications can talk to the network, and whether the applications can be used to launch other applications.

In Snow Leopard Server, many of the system's helper applications that normally communicate with the network, such as mDNSResponder (the software underlying Bonjour) and the Kerberos KDC, are sandboxed to guard them from abuse by attackers trying to access the system. In addition, other programs that routinely take untrusted input (for instance, arbitrary files or network connections), such as Xgrid and the Quick Look and Spotlight background daemons, are sandboxed.

Sandboxing is based on the system's mandatory access controls mechanism, which is implemented at the kernel level. Sandboxing profiles are developed for each application that runs in a sandbox, describing precisely which resources are accessible to the application.

Managed User Accounts
Parental controls provide computer administrators with the tools to enforce a reasonable level of restrictions for users of the computer. Administrator users can use features like Simple Finder to limit the launching of a set of applications or create a whitelist of websites that users can visit.

However, if an attacker has physical access to the computer ports such as USB or FireWire, parental controls can be bypassed by mounting a disk image that contains malicious software. You can secure these ports by disabling them. For information about disabling hardware, see Chapter 3, "Securing System Hardware."

This is the kind of simple UI administrators of a public use computer environment can use to restrict access to applications or sites to keep users from performing malicious activities. It is not a fool-proof security system for local users. In Snow Leopard Server, you use Workgroup Manager to manage preferences for users of Snow Leopard systems.

Enhanced Quarantining
Applications that download files from the Internet or receive files from external sources (such as mail attachments) can use the Quarantine feature to provide a first line of defense against malicious software such as Trojan horses. When an application receives an unknown file, it adds metadata (quarantine attributes) to the file using functions found in Launch Services.

Files downloaded using Safari, Mail, and iChat are tagged with metadata indicating that they are downloaded files and referring to the URL, date, and time of the download. This metadata is propagated from archive files that are downloaded (such as ZIP or DMG files) so that any file extracted from an archive is also tagged with the same information. This metadata is used by the download inspector to prevent dangerous file types from being opened unexpectedly.

The first time you try to run an application that has been downloaded, Download Inspector inspects the file, prompts you with a warning asking whether you want to run the application, and displays the information on the date, time, and location of the download. You can continue to open the application or cancel the attempt, which is appropriate if you don't recognize or trust the application. After an application is opened, this message does not appear again for that application and the quarantine attributes are lifted.

This mechanism dramatically reduces the number of warnings related to downloads that you see. Such messages appear only when you attempt to launch a downloaded application. When you do see a warning, you are given useful information about the source of the download that can help you make an informed decision about whether to proceed.

The file and its contents are also inspected for malicious software (malware). If malware is detected, a dialog appears with the name of the malware threat contained in the file. It warns the user to move the file to the Trash or eject the image and delete the source file to prevent damage to the computer. Malware patterns are continually updated through software updates.

Memory and Runtime Protection
Snow Leopard Server running on a 64-bit chip supports memory and executable protection. Memory execution prevention works to hinder specific types of malicious software, those that rely on executing arbitrary code from an area which is expected to contain data and not code.

Snow Leopard has the following 64-bit protection features: no-execute stack, no-execute data, and no-execute heap. In Snow Leopard, no-execute stack is available for 32- and 64-bit applications. For 64-bit processes, Snow Leopard provides protection from code execution in both heap and stack data areas.

Stack protection is available for both 32-bit and 64-bit processes. It detects certain cases of stack memory corruption which could lead to arbitrary code execution and terminates the process.

Snow Leopard Server also has Library Randomization. Library Randomization uses shifting memory locations for operating system processes each time the system starts up. Because an attacker cannot depend on key system processes running in known memory locations, it is harder to compromise the operating system.

Snow Leopard Server also has process sandboxing, which is a way of restricting what kinds of activities an application can perform.

Securing Sharing and Collaborative Services
In Snow Leopard Server, you can configure and secure sharing services by using service access control lists (SACLs) and a secure connection.

Service Access Control Lists
You can further secure sharing services by allowing access only to users that you specified in a service access control list (SACL). You can create user accounts for sharing based on existing user accounts on the system, and for entries in your address book. Sharing services become more secure with SACLs.

VPN Compatibility and Integration
Snow Leopard Server supports standards-based L2TP/IPSec and PPTP tunneling protocols to provide encrypted VPN connections for Mac and Windows systems and even iPhone. These VPN services use secure authentication methods, including MS-CHAPv2 and network-layer IPSec. In addition, the L2TP VPN server can authenticate users using credentials from a Kerberos server.

To use VPN service for users in a third-party LDAP domain (an Active Directory or Linux OpenLDAP domain), you must be able to use Kerberos authentication. If you need to use MS-CHAPv2 to authenticate users, you can't offer VPN service for users in a third-party LDAP domain.

Apple's VPN server can authenticate using RSA Security's SecurID. This provides strong two-factor authentication. It uses hardware and software tokens to verify user identity. However, SecurID authentication cannot be set up from Server Admin and requires additional manual setup.

Built-in VPN Client
In Snow Leopard, the VPN client built into Network Preferences includes support for Cisco Group Filtering and DHCP over PPP to dynamically acquire additional configuration options such as static routes and search domains.

You can also use digital certificates and one-time password tokens from RSA or CRYPTOCard for authentication with the VPN client. The one-time password tokens provide a randomly generated passcode number that must be entered with the VPN password, a great option for those who require extremely robust security. In addition, the L2TP VPN client can be authenticated using credentials from a Kerberos server. In either case, you can save the settings for each VPN server you routinely use as a location, so you can reconnect without reconfiguring your system each time.

Apple's L2TP VPN client can connect you to protected networks automatically by using its VPN-on-demand feature. VPN-on-demand can detect when you want to access a network that is protected by a VPN server and can start the connection process for you. This means that your security is increased because VPN connections can be closed when not in use, and you can work more efficiently.

Improved Cryptography
Snow Leopard Server includes Elliptic Curve Cryptography (ECC) support in most of its encryption technologies. ECC encryption is an additional mathematical model for generating and reading encryption keys. Snow Leopard supports Elliptic Curve Digital Signature Algorithm (ECDSA) for signing and key exchange.

ECC-based signatures have size and performance advantages. An ECC key of a given length can be cryptographically stronger than a DSA or RSA key of the same length. This means that a smaller ECC-based key (and therefore a faster key to process) can be just as strong as a very long RSA-based one.

ECC is supported in the following areas: TLS/SSL, S/MIME, Apple's Certificate Assistant, and Apple's certtool command-line tool.

Extended Validation Certificates
Extended Validation (EV) certificates are a special type of X.509 certificate that requires the Certificate Authority (CA) to investigate the identity of the certificate holder before the CA can issue the certificate. CAs who want to issue EV certificates must provide an investigation process that passes an independent audit, and also establishes the legal identity and legal claim to the domain name of the certificate applicant.

Wildcard in Identity Preferences
Wildcards can now be used in domains for Keychain Access identity preferences. This allows client certificate-authenticated connections to multiple servers or paths defined within a single ID Pref. This is often used with certificates used by Common Access Cards (CACs). For more information on smart cards, see "Smart Card Support for Unlocking Encrypted Storage" on page 36.

Enhanced Command-Line Tools
The security command-line tool has expanded functions in Snow Leopard. Additionally, networksetup has been enhanced to handle importing and exporting 802.1X profiles as well as setting a TLS identity on a user profile. For more information, see the tools' respective man pages.
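Returning to the quarantine attributes described under "Enhanced Quarantining" above: the following is an added example, not code from Apple's guide, that decodes the com.apple.quarantine extended attribute Launch Services writes on a downloaded file. It assumes the attribute's four-field layout (flags; hex download time; agent; event UUID), with the URL the guide mentions kept in the Launch Services quarantine events database under that UUID rather than in the attribute itself; the sample value is constructed.

```shell
#!/bin/sh
# Decode a com.apple.quarantine extended attribute value.
# On a Mac the raw value is read with:  xattr -p com.apple.quarantine <file>
# Assumed layout (not stated in the guide): four semicolon-separated fields,
#   flags (hex) ; download time (hex seconds since the Unix epoch) ; agent ; event UUID
# The URL, date and time shown by Download Inspector are reached through the
# UUID, which keys an entry in the Launch Services quarantine events database.

# Constructed sample of a Safari download, so the script runs offline.
SAMPLE_XATTR='0081;4b2d7e10;Safari;9F2C1B3A-0D4E-4F5A-8B6C-7D8E9FA0B1C2'

# Print field N (1 = flags, 2 = timestamp, 3 = agent, 4 = UUID) of a raw value.
quarantine_field() {
    printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# Accept only values with exactly four fields whose flags and timestamp are
# hexadecimal, so a truncated or tampered attribute is reported, not half-decoded.
quarantine_valid() {
    [ "$(printf '%s\n' "$1" | awk -F';' 'NR == 1 { print NF }')" -eq 4 ] || return 1
    for f in 1 2; do
        case "$(quarantine_field "$1" "$f")" in
            '' | *[!0-9a-fA-F]*) return 1 ;;
        esac
    done
    return 0
}

# Download time as decimal seconds since the epoch.
quarantine_epoch() {
    printf '%d\n' "0x$(quarantine_field "$1" 2)"
}

# Human-readable summary of one attribute value; fails on malformed input.
quarantine_report() {
    quarantine_valid "$1" || { echo "malformed quarantine attribute: $1" >&2; return 1; }
    secs=$(quarantine_epoch "$1")
    # GNU date first, BSD/macOS date as the fallback, raw seconds if neither works.
    when=$(date -u -d "@$secs" 2>/dev/null || date -u -r "$secs" 2>/dev/null || echo "$secs")
    printf 'flags:      0x%s (raw; bit meanings not decoded here)\n' "$(quarantine_field "$1" 1)"
    printf 'downloaded: %s\n' "$when"
    printf 'agent:      %s\n' "$(quarantine_field "$1" 3)"
    printf 'event UUID: %s (key for the URL in the quarantine events database)\n' \
        "$(quarantine_field "$1" 4)"
}

quarantine_report "$SAMPLE_XATTR"
```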
FileVault and Encrypted Storage
The Disk Utility tool included in Mac OS X enables you to create encrypted disk images, so you can safely mail valuable documents, files, and folders to friends and colleagues, save the encrypted disk image to CD or DVD, or store it on the local system or a network file server. FileVault also uses this same encrypted disk image technology to protect user folders.

Encrypted Disk Image Cryptography
A disk image is a file that appears as a volume on your hard disk. It can be copied, moved, or opened. When the disk image is encrypted, files or folders placed in it are encrypted using 128-bit or even stronger 256-bit AES encryption. To see the contents of the disk image, including metadata such as file name, date, size, or other properties, a user must enter the password or have a keychain with the correct password. The file is decrypted in real time, as it is used. For example, if you open a QuickTime movie from an encrypted disk image, Mac OS X decrypts only the portion of the movie currently playing.

Smart Card Support for Unlocking Encrypted Storage
Smart cards enable you to carry digital certificates with you. With Snow Leopard Server, you can use your smart card whenever an authentication dialog is presented. Snow Leopard Server has the following token modules to support this robust, two-factor authentication mechanism and Java Card 2.1 standards:
• Belgium National Identification Card (BELPIC)
• U.S. Department of Defense Common Access Card (CAC)
• Japanese government PKI (JPKI)
• U.S. Federal Government Personal Identity Verification, also called FIPS-201 (PIV)

Other commercial smart card vendors provide token modules to support integration of their smart card with the Snow Leopard Smart Card architecture.

Similar to an ATM card and a PIN code, two-factor authentication relies on something you have and something you know. If your smart card is lost or stolen, it cannot be used unless your PIN is also known.

Snow Leopard Server has additional functionality for smart card use, such as:
• Lock system on smart card removal. You can configure your Mac to lock the system when you remove your smart card.
• Unlock keychain. When you insert a smart card, the keychain can be unlocked and then your stored information and credentials can be used.
• Unlock FileVault. You can use a smart card to unlock your FileVault encrypted home directory. You can enable this function by using a private key on a smart card.

Enhanced Safari 4.0 Security
Safari offers several kinds of enhanced security for web browsing. It supports the built-in malware scanning function, so downloaded files are checked for specific Trojan horse attacks.

Safari also includes a fraudulent site detection feature. It works like this: Google maintains a blacklist of known and highly suspected malware-transmitting sites and phishing sites (harvesters of sensitive data). Google adds a hash of each site's URL to a database that some web browsers can use at safebrowsing.clients.google.com. When Safari launches, it downloads an abbreviated list of these sites' hashes. When you navigate to a website, Safari checks the blacklist. If the website you're accessing matches a hash, Safari contacts Google for complete URL information. If it is a positive match, Safari warns you that you may be attempting to access a malware site or phishing site.

Safari stores the data in the folder at /private/var/folders/ in folders with two-letter names. The full path is /private/var/folders/xx/yy/-Caches-/com.apple.Safari, where xx and yy are unique codes. When you find that folder, you'll see two files: Cache.db and SafeBrowsing.db.
2 Installing Snow Leopard Server

Use this chapter to customize the default installation of Snow Leopard Server for your specific network security needs.

Although the default installation of Mac OS X is highly secure, you can customize it for your network security needs. By securely configuring the stages of the installation and understanding Mac OS X permissions, you can harden your computer to match your security policy.

Important: When possible, computers should remain isolated from the operational network until they are completely and securely configured. Use an isolated test network for installation and configuration.

Installation Overview
Detailed instructions for Snow Leopard Server installation are found in the Advanced Server Administration guide. This section contains basic practices consistent with a secure installation of Snow Leopard Server.

If Snow Leopard Server was already installed on the computer, consider reinstalling it. By reformatting the volume and reinstalling Snow Leopard Server, you avoid vulnerabilities caused by previous installations or settings. Because some recoverable data might remain on the computer, securely erase the partition you're installing Snow Leopard Server on. For more information, see "Securely Erasing a Disk for Installation" on page 43.

If you decide against securely erasing the partition, securely erase free space after installing Snow Leopard Server. For more information, see "Using Disk Utility to Securely Erase Free Space" on page 160.

There are several ways to install the operating system, depending on your environment and installation strategy. In general, all installations have a few common steps:
• Prepare an administrator computer.
• Set up network infrastructure.
• Start up from a disk other than the target volume (for example, the Installation Disc).
• Prepare the target disk.
• Start the installation via Server Assistant, command line, or VNC.
• Enable the firewall, blocking all incoming connections.
• Apply software updates and security updates.
• Configure the server and set up services.
• Enable the Firmware Password.

Preparing an Administrator Computer
You can use an administrator computer to install, set up, and administer Snow Leopard Server on another computer. An administrator computer is a computer with Snow Leopard Server or Snow Leopard that you use to manage remote servers. You cannot run the server administration tools from a Leopard or Leopard Server computer.

When you install and set up Snow Leopard Server on a computer that has a display and keyboard, it's already an administrator computer. To make a computer with Snow Leopard into an administrator computer, you must install additional software.

Important: If you have administrative applications and tools from Leopard Server or earlier, do not use them with Snow Leopard Server.

To install Snow Leopard Server administration tools:
1 Make sure the computer has Snow Leopard installed.
2 Make sure the computer has at least 1 GB of RAM and 1 GB of unused disk space.
3 Insert the Mac OS X Server Install Disc.
4 Open the Other Installers folder.
5 Open ServerAdministrationSoftware.mpkg to start the Installer and then follow the onscreen instructions.

Setting Up Network Infrastructure
Before you can install, you must set up or have the following settings for your network service:
• DNS: You must have a fully qualified domain name for each server's IP address in the DNS system. The DNS zone must have the reverse-lookup record for the name and address pair. Not having a stable, functioning DNS system with reverse lookup leads to service failures and unexpected behaviors.
• Static IP Address: Make sure you already have a static IP address planned and assigned to the server.
• DHCP: Do not assign dynamic IP addresses to servers. If your server gets its IP address through DHCP, set up a static mapping in the DHCP server so your server gets (via its Ethernet address) the same IP address every time.
• Firewall or routing: In addition to any firewall running on your server, the subnet router might have specific network traffic restrictions in place. Make sure the server's IP address is available for the traffic it will handle and the services you will run.

Starting Up for Installation
The computer can't install to its own startup volume, so you must start up in some other way, such as:
• The Installation DVD
• Alternate volumes (second partitions on the hard disk or external FireWire disks)
  For information on using alternate volumes, see the Advanced Server Administration guide.
• NetBoot (if the network and NetBoot servers are trusted)
  For information on using NetBoot servers, see the System Imaging and Software Update Administration guide.

Starting Up from the Install DVD
The computer must install from the same disk or image that started up the computer. Mounting another share point with an installer won't work. The installer uses some of the files active in the booted system partition for the new installation.

The easiest and most secure way to install Snow Leopard Server is to install it physically at the computer, known as a local installation, using the DVD. When performing a local installation, it is recommended, if applicable, that the entire drive be reformatted using at least a 7-pass secure erase, rather than only reformatting the partition where Snow Leopard Server is to be installed, in case sensitive information was left on the other partitions.
If the target server is an Xserve with a built-in DVD drive, start the server using the Install DVD by following the instructions in the Xserve User's Guide for starting from a system disc.

Starting Up from an Alternate Partition
For a single-server installation, preparing to start up from an alternate partition can be more time-consuming than using the Install DVD. The time required to image, scan, and restore the image to a startup partition can exceed the time taken to install once from the DVD. However, if you are reinstalling regularly, or if you are creating an external FireWire drive-based installation to take to various computers, or if you need some other kind of mass distribution (such as clustered Xserves without DVD drives installed), this method can be very efficient.

Note: When creating a bootable external disk, use the GUID Partitioning format.

Starting Up from a NetBoot Environment
If you have an existing NetBoot infrastructure, this is the easiest way to perform mass installation and deployment. This method can be used for clusters that have no optical drive or existing system software. This method can also be used in environments where large numbers of servers must be deployed in an efficient manner.

This section won't tell you how to create the necessary NetBoot infrastructure. If you want to set up NetBoot and NetInstall options for your network, servers, and client computers, see the manuals at www.apple.com/server/resources/.

Remote Access During Installation
Snow Leopard Server has several remote access services active during installation. It provides Server Admin administration, SSH access, and VNC access when starting from the installation disk.

Important: Before you install or reinstall Snow Leopard Server, make sure the network is secure because remote access technologies can potentially give others access to the computer over the network. For example, design the network topology so you can make the server computer's subnet accessible only to trusted users.
Server Admin During Installation
A computer that started up from the installation disc broadcasts its installation availability via Bonjour to the local network. You can find servers that are awaiting install by finding the Bonjour service name _sa-rspndr._tcp. You can use the dns-sd tool to identify computers on the local subnet where you can install server software. Enter the following from a computer on the same local network as the server:

dns-sd -B _sa-rspndr._tcp.

Administrator computers running Server Admin's Server Assistant can provide a default password and complete installation remotely. Server Admin traffic is encrypted.

SSH During Installation
When you start up a computer from a server installation disc, SSH starts so that remote installations can be performed via the command line. SSH service is granted to the root user providing the default password.

VNC During Installation
VNC enables you to use a VNC viewer (like Screen Sharing or Apple Remote Desktop) to view the user interface as if you were using the remote computer's keyboard, mouse, and monitor. All the things you can do at the computer using the keyboard and mouse are available remotely, as well as locally. This excludes hardware restarts (using the power button to shut down and restart the computer), other hardware manipulation, or holding down keys during startup. VNC viewers are available for all popular computing platforms.

VNC traffic is not secure without additional precautions. Establish an SSH tunnel between the local host and the remote server to securely perform the installation by redirecting the VNC traffic through the tunnel. For example, to redirect Apple Remote Desktop traffic through an SSH tunnel, enter:

ssh -v -L 2501:localhost:5900 target_server -l target_server_username
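A small wrapper around that tunnel command, added here as an example and not taken from Apple's guide: it validates the local port, builds the forwarding specification, and backgrounds ssh only once the forward is in place, so the viewer is never pointed at an unforwarded port. The server name, account name and local port are placeholders passed as arguments; the VNC port 5900 is the one the guide's command forwards.

```shell
#!/bin/sh
# Forward a local port to the VNC service (TCP 5900) on a server that was
# started from the installation disc, so the VNC viewer talks only to
# localhost and all VNC traffic crosses the network inside SSH.

# Accept only an unprivileged TCP port number for the local end.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the -L specification. The middle element is "localhost" as seen from
# the remote server, i.e. its own loopback interface, where VNC listens.
forward_spec() {
    printf '%s:localhost:%s\n' "$1" "$2"
}

# Start the tunnel in the background.
#   -N  no remote command, the session exists only for the forward
#   -f  go to the background after authentication
#   -o ExitOnForwardFailure=yes  exit instead of silently running without the
#      forward (for example when the local port is already in use)
open_vnc_tunnel() {
    server=$1
    user=$2
    local_port=${3:-2501}
    valid_port "$local_port" || { echo "unusable local port: $local_port" >&2; return 2; }
    ssh -N -f -o ExitOnForwardFailure=yes \
        -L "$(forward_spec "$local_port" 5900)" \
        -l "$user" "$server" || return 1
    echo "Tunnel up. Point the VNC viewer at localhost:$local_port"
}

# Only open a connection when invoked with arguments, so the functions above
# can also be sourced into another script without side effects.
if [ "$#" -ge 2 ]; then
    open_vnc_tunnel "$@"
fi
```

The viewer (Screen Sharing, Apple Remote Desktop) is then connected to localhost on the chosen port rather than to the server's address.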
43AboutDefaultInstallationPasswordsServerserialnumbersareusedformorethaninventorytracking.Theserversbuilt-inhardwareserialnumberisusedasthedefaultpasswordforremoteinstallation.Thepasswordiscasesensitive.Tofindaserversserialnumber,lookforalabelontheserver.Ifyoureinstallingonanoldercomputerthathasnobuilt-inhardwareserialnumber,use12345678forthepassword.IfyoureplaceamainlogicboardonanIntelXserve,thebuilt-inhardwarepasswordisSystemS(noquotes).PreparingDisksforInstallingSnowLeopardServerBeforeperformingacleaninstallationofSnowLeopardServer,youcanpartitiontheservercomputersharddiskintomultiplevolumes,createaRAIDset,orerasethetargetdiskorpartition.IfyoureusinganinstallationdiscforSnowLeopardServerorlater,youcanperformthesetasksfromanothernetworkedcomputerusingVNCviewersoftware,suchasAppleRemoteDesktop,beforebeginningacleaninstallation.SecurelyErasingaDiskforInstallationWhenperforminganinstallation,itisrecommended,ifapplicable,thattheentiredrivebereformattedusingatleasta7-passsecureerase,ratherthanonlyreformattingthepartitionwhereSnowLeopardServeristobeinstalled,incasesensitiveinformationwasleftontheotherpartitions.Youhaveseveraloptionsforerasingadisk,dependingonyourpreferredtoolsandyourcomputingenvironment: ErasingadiskusingDiskUtility:YoucanusetheInstallertoopenDiskUtilityandthenuseittoerasethetargetvolumeoranothervolume.YoucanerasethetargetandallothervolumesusingtheMacOSExtendedformatorMacOSExtended(Journaled)format.Youcaneraseothervolumesusingthoseformats,aswellasMacOSExtendedformat(Case-Sensitive)format,orMacOSExtended(Journaled,Case-Sensitive)format.WARNING:Beforepartitioningadisk,creatingaRAIDset,orerasingadiskorpartitiononaserver,preserveuserdatayouwanttosavebycopyingittoanotherdiskorpartition.44 
Chapter2InstallingSnowLeopardServerYoucanfindinstructionsforpartitioningtheharddiskintomultiplevolumes,creatingaRAIDset,anderasingthetargetdiskorpartitionbyviewingDiskUtilityHelp.ToviewDiskUtilityHelp,openDiskUtilityonanotherMaccomputerwithMacOSXv10.6andchooseHelp>DiskUtilityHelp. Erasingadiskusingthecommandline:Youcanusethecommandlinetoerasedisksusingthetooldiskutil.Erasingadiskusingdiskutilresultsinlosingallvolumepartitions.Thecommandtoeraseacompletediskis:sudo diskutil secureErase 2 format name deviceForexample:sudo diskutil secureErase 2 JournaledHFS+ MacProHD disk0Thereisalsoanoptiontosecurelydeletedatabyoverwritingthediskwithrandomdatamultipletimes.Formoredetails,seediskutilsmanpage.Toeraseasinglevolumeonadisk,aslightlydifferentcommandisused:diskutil eraseVolume format name deviceForexample:diskutil eraseVolume JournaledHFS+ UntitledPartition /Volumes/OriginalPartitionForcompletecommandsyntaxfordiskutil,consultthetoolsmanpage.InstallingServerSoftwareWhenthetargetcomputerisstarted,youuseServerAdminsServerAssistant(locallyorremotely),VNCcontrol,ortheinstallercommand-linetooltostartinstallation.FordetailedinstructionsonusingoneofthesemethodstoinstallSnowLeopardServer,seetheAdvancedServerAdministrationguide.EnablingtheFirewallAfterconfiguration,enablethefirewalltopreventunauthorizedconnectionstotheserverwhileyoucompletesetup.Foramorecomprehensivetreatmentoffirewallconfiguration,seeChapter13,ConfiguringtheFirewall.Whenrunning,thedefaultfirewallconfigurationonSnowLeopardServerdeniesaccesstoincomingpacketsfromremotecomputersexceptthroughportsforremoteconfiguration.Thisprovidesahighlevelofsecurity.Statefulrulesareinplaceaswell,soresponsestooutgoingqueriesinitiatedbyyourcomputerarealsopermitted.Youcanthenaddrulestopermitserveraccesstoclientswhorequireaccesstoservices.Important:Usegreatcareinremotelychanginganyfirwallconfigurationbecauseoftheriskofdisablingcommunicationstotheremotehost.Chapter2InstallingSnowLeopardServer 45Toenablethefirewall:1 
OpenServerAdminandconnecttotheserver.2 Clickthetriangleattheleftoftheserver.Thelistofservicesappears.3 FromtheexpandedServerslist,selectFirewall.IfFirewallisnotlistedasanavailableservicetoconfigure,addittheserverviewbydoingthefollowing:a Intheserverlistontheleft,selecttheservername.b ClicktheSettingsbuttoninthetoolbarandthenclicktheServicestab.c SelectthecheckboxforFirewallservice.4 ClicktheStartFirewallbuttonbelowtheServerslist.Fromthecommandline:ApplyingSoftwareandSecurityUpdatesAfterinstallingSnowLeopardServer,installthelatestapprovedsecurityupdates.Beforeconnectingyourcomputertoanetworktoobtainsoftwareupdates,enablethefirewallusingServerAdmintoallowonlyessentialservices.Important:Ifyouhavenotsecuredandvalidatedsettingsfornetworkservices,donotenableyournetworkconnectiontoinstallsoftwareupdates.Forinformation,seeSecuringNetworkInfrastructureServicesonpage198.Untilyousecurelyconfigurenetworkservicessettings,limityourupdateinstallationtousingthemanualmethodofinstallingsoftwareupdates.Formoreinformation,seeUpdatingManuallyfromInstallerPackagesonpage48.# ---------------------------------------------------------------------# Securing Firewall Service# ---------------------------------------------------------------------## Add Firewall to the services view# ---------------------------------sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.ipfilter:configured = yes# Start Firewall service# ----------------------sudo serveradmin start ipfilter46 
Chapter2InstallingSnowLeopardServerSnowLeopardServerincludesSoftwareUpdate,anapplicationthatdownloadsandinstallssoftwareupdatesfromApplesSoftwareUpdateserverorfromaninternalsoftwareupdateserver.YoucanconfigureSoftwareUpdatetocheckforupdatesautomatically.YoucanalsoconfigureSoftwareUpdatetodownload,butnotinstall,updates,ifyouwanttoinstallthemlater.Beforeinstallingupdates,checkwithyourorganizationfortheirpolicyondownloadingupdates.Theymightpreferthatyouuseaninternalsoftwareupdateserver,whichreducestheamountofexternalnetworktrafficandletstheorganizationqualifysoftwareupdatesusingorganizationconfigurationsbeforeupdatingsystems.Important:SecurityupdatespublishedbyApplecontainfixesforsecurityissuesandareusuallyreleasedinresponsetoaspecificknownsecurityproblem.Applyingtheseupdatesisessential.Softwareupdatesareobtainedandinstalledinseveralways: UsingSoftwareUpdatetodownloadandinstallupdatesfromaninternalsoftwareupdateserver UsingSoftwareUpdatetodownloadandinstallupdatesfromInternet-basedsoftwareupdateservers ManuallydownloadingandinstallingupdatesasseparatesoftwarepackagesUpdatingfromanInternalSoftwareUpdateServerYourcomputercanlookforsoftwareupdatesonaninternalsoftwareupdateserver.Byusinganinternalsoftwareupdateserver,youreducetheamountofdatatransferredoutsideofthenetwork,andyourorganizationcancontrolwhichupdatescanbeinstalledonyourcomputer.IfyourunSoftwareUpdateonawirelessnetworkoruntrustednetwork,youmightdownloadmaliciousupdatesfromaroguesoftwareupdateserver.However,SoftwareUpdatewillnotinstallapackagethathasnotbeendigitallysignedbyApple.IfSoftwareUpdatedoesnotinstallapackage,deleteitfrom/Library/Updates/;thendownloadtheupdateagain.Youcanconnectyourcomputertoanetworkthatmanagesitsclientcomputers,whichenablesthenetworktorequirethatthecomputeruseaspecifiedsoftwareupdateserver.Or,youcanmodifythe/Library/Preferences/com.apple.SoftwareUpdate.plistfilebyenteringthefollowingcommandinaTerminalwindowtospecifyyoursoftwareupdateserver.Chapter2InstallingSnowLeopardServer 
47Fromthecommandline:UpdatingfromInternetSoftwareUpdateServersBeforeconnectingtotheInternet,makesureyournetworkservicesaresecurelyconfigured.Forinformation,seeSecuringNetworkInfrastructureServicesonpage198.Ifyouareanetworkadministrator,insteadofusingyouroperationalcomputertocheckforandinstallupdates,considerusingatestcomputertodownloadupdatesandverifyfileintegritybeforeinstallingupdates.Formoreinformationaboutverifyingfileintegrity,seeVerifyingtheIntegrityofSoftwareonpage50.Youcanthentransfertheupdatepackagestoyouroperationalcomputer.Forinstructionsoninstallingtheupdates,seeUpdatingManuallyfromInstallerPackagesonpage48.YoucanalsodownloadsoftwareupdatesforAppleproductsatwww.apple.com/support/downloads/.Important:Makesureupdatesareinstalledwhenthecomputercanberestartedwithoutaffectingusersaccessingtheserver.## Updating from an Internal Software Update Server# ------------------------------------------------# Default Settings.# blank# Software updates are downloaded from one of the following software update# servers hosted by Apple.# swscan.apple.com:80# swquery.apple.com:80# swcdn.apple.com:80# Suggested Settings.# Specify the software update server to use.sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index-leopard-snowleopard.merged-1.sucatalog# Available Settings.# Replace swupdate.apple.com with the fully qualified domain name (FQDN)# or IP address of your software update server.# To switch your computer back to the default Apple update server.# sudo defaults delete com.apple.SoftwareUpdate CatalogURLhttp://www.apple.com/support/downloads/http://www.apple.com/support/downloads/http://www.apple.com/support/downloads/48 Chapter2InstallingSnowLeopardServerTodownloadandinstallsoftwareupdatesusingSoftwareUpdate:1 
ChooseApple()>SoftwareUpdate.AfterSoftwareUpdatelooksforupdatestoyourinstalledsoftware,itdisplaysalistofupdates.Togetolderversionsofupdates,gotothesoftwareupdatewebsiteatwww.apple.com/support/downloads/.2 Selecttheupdatesyouwanttoinstall,andchooseUpdate>InstallandKeepPackage.Whenyoukeepthepackage,itisstoredintheusersDownloadsfolder(user_name/Downloads/).Ifyoudonotwanttoinstallupdates,clickQuit.3 Acceptthelicensingagreementstostartinstallation.Someupdatesmightrequireyourcomputertorestart.IfSoftwareUpdateasksyoutorestartthecomputer,doso.Fromthecommandline:UpdatingManuallyfromInstallerPackagesYoucanmanuallydownloadsoftwareupdatesforAppleproductsfromsupport.apple.com/downloads/,preferablyusingacomputerdesignatedfordownloadingandverifyingupdates.Performeachdownloadseparatelysofileintegritycanbeverifiedbeforeinstallingtheupdates.Youcanreviewthecontentsofeachsecurityupdatebeforeinstallingit.Toseethecontentsofasecurityupdate,gotoApplesSecuritySupportPageatwww.apple.com/support/security/andclicktheSecurityUpdatespagelink.# Updating from Internet Software Update Server# -----------------------------------# Default Settings.# The softwareupdate command checks and lists available# updates for download. 
Software Update preferences are set to the# command-line equivalent of.# sudo softwareupdate --list --schedule on# Suggested Settings.# Download and install software updates:sudo softwareupdate --download --all --install# Available Settings.# Use the following commands to view softwareupdate options.# sudo softwareupdate -h# or # man softwareupdatehttp://www.apple.com/support/downloads/http://www.apple.com/support/downloads/http://www.apple.com/support/downloads/http://support.apple.com/downloadshttp://www.apple.com/support/securityhttp://www.apple.com/support/securityChapter2InstallingSnowLeopardServer 49Tomanuallydownload,verify,andinstallsoftwareupdates:1 Gotosupport.apple.com/downloads/anddownloadthesoftwareupdatesonacomputerdesignatedforverifyingsoftwareupdates.Note:UpdatesprovidedthroughSoftwareUpdatemightsometimesappearearlierthanstandaloneupdates.2 Foreachupdatefiledownloaded,reviewtheSHA-1digest(alsoknownasachecksum),whichshouldbepostedonlinewiththeupdatepackage.3 Inspectdownloadedupdatesforviruses.4 Verifytheintegrityofeachupdate.Formoreinformation,seeVerifyingtheIntegrityofSoftwareonpage50.5 Transfertheupdatepackagesfromyourtestcomputertoyourcurrentcomputer.Thedefaultdownloadlocationforupdatepackagesis/Library/Updates/.Youcantransferupdatepackagestoanylocationonyourcomputer.6 Double-clickthepackage.Ifthepackageislocatedinadiskimage(dmg)file,double-clickthedmgfileandthendouble-clickthepackage.7 Proceedthroughtheinstallationsteps.8 Ifrequested,restartthecomputer.Installthesystemupdateandtheninstallsubsequentsecurityupdates.Installtheupdatesinorderbyreleasedate,oldesttonewest.Fromthecommandline:# Updating Manually from Installer Packages# -----------------------------------# Default Settings.# None# Suggested Settings.# Download software updates.sudo softwareupdate --download --all# Install software updates.sudo installer -pkg $Package_Path -target /Volumes/$Target_Volume# Available Settings.# Use the following commands to view installer options.# sudo 
installer -h# or # man installerhttp://support.apple.com/downloads50 Chapter2InstallingSnowLeopardServerVerifyingtheIntegrityofSoftwareSoftwareimagesandupdatescanincludeanSHA-1digest,whichisalsoknownasacryptographicchecksum.YoucanusethisSHA-1digesttoverifytheintegrityofthesoftware.SoftwareupdatesretrievedandinstalledautomaticallyfromSoftwareUpdateverifythechecksumbeforeinstallation.Fromthecommandline:Ifprovided,theSHA-1digestforeachsoftwareupdateorimageshouldmatchthedigestcreatedforthatfile.Ifnot,thefilewascorrupted.Obtainanewcopy.SettingUpServicesandUsersAfterinstallation,theserverisreadyforconfigurationandlocaladministratoraccountcreation.AnunconfiguredserverbroadcastsitsinstallationavailabilityviaBonjourtothelocalnetwork.YoucanfindserversthatareawaitinginstallbyfindingtheBonjourservicename_svr-unconfig._tcp.Theeasiestwayoffindingaserverthatneedsconfigurationisbyusingthetoolsinstalledontheadministrationcomputer:ServerAdminorServerPreferences.Thesetoolscandetectserverswaitingconfigurationonthelocalsubnet,availableviaBonjour.# Verifying the Integrity of Software# -----------------------------------# Default Settings.# None# Suggested Settings.# Use the sha1 command to display a file's SHA-1 digest.# Replace $full_path_filename with the full path filename of the update# package or image that SHA-1 digest is being checked for.sudo /usr/bin/openssl sha1 $full_path_filename# Available Settings.# Use the following command to view the version of OpenSSl installed on# your computer.# sudo openssl version# Use the following command to view openssl options.# man opensslChapter2InstallingSnowLeopardServer 51Ifyouaretryingtofindserversawaitingconfigurationusingthecommandline,youcanusethedns-sdtooltoidentifycomputersonthelocalsubnetwhereyoucaninstallserversoftware.Enterthefollowingfromacomputeronthesamelocalnetworkastheserver:dns-sd -B 
_sa-unconfig._tcp.AdministratorcomputersrunningServerAdminsServerAssistantcanprovideadefaultpasswordandcompleteinstallationremotely.ServerAdmintrafficisencrypted.Ineithercase,theloginnameandpasswordaredescribedinthesectionAboutDefaultInstallationPasswordsonpage43.AboutSettingsEstablishedDuringServerSetupDuringserversetup,thefollowingbasicserversettingsareestablished: Thelanguagetouseforserveradministrationandthecomputerkeyboardlayoutisdefined. Theserversoftwareserialnumberisset. Atimezoneisspecified,andnetworktimeserviceissetup. Aserveradministratorlocaluserisdefinedandthelocaladministratorshomefolderiscreated. ThedefaultSSHandAppleRemoteDesktopstateisenabled. Networkinterfaces(ports)areconfigured.TCP/IPandEthernetsettingsaredefinedforeachportyouwanttoactivate. Networknamesaredefined.TheprimaryDNSnameandcomputernamearedefinedbytheadministrator,andthelocalhostnameisderivedfromthecomputername. BasicDirectoryinformationissetup.(Optional)TheserverissetupasanOpenDirectoryMaster,oritissettoobtaindirectoryinformationfromanotheradirectoryservice,orthedirectorysetupcanbedeferreduntilfirstlogin. 
Someservicesarechosenandconfigured.Foralistofwhichservicesareenabledatstartup,seetheAdvancedServerAdministrationguide.EnablingtheFirmwarePasswordAfterinstallingSnowLeopardServer,enabletheExtensibleFirmwareInterface(EFI)passwordusingtheFirmwarePasswordUtility.Thispreventsunauthorizedusersfromstartinguptheservertoinstallagainorchangesettings.FormoreinformationabouttheFirmwarePasswordUtility,seeChapter4,SecuringGlobalSystemSettings.352 3 SecuringSystemHardwareUsethischaptertosecurethesystemhardwarebydisablingtheOperatingSystem(OS)componentsandkernelextensions.AfterinstallingandsettingupMacOSXServer,makesureyouprotectyoursystembydisablingspecifichardwareOScomponentsandkernelextensions.Important:Thisdocumentisintendedforusebysecurityprofessionalsinsensitiveenvironments.Implementingthetechniquesandsettingsfoundinthisdocumentimpactssystemfunctionalityandmightnotbeappropriateforeveryuserorenvironment.ProtectingHardwareThefirstlevelofsecurityisprotectionfromunwantedphysicalaccess.Ifsomeonecanphysicallyaccessacomputer,itbecomesmucheasiertocompromisethecomputerssecurity.Whensomeonehasphysicalaccesstothecomputer,theycaninstallmalicioussoftwareorevent-trackinganddata-capturingservices.Thephysicalsecurityofaserverisanoftenoverlookedaspectofcomputersecurity.Anyonewithphysicalaccesstoacomputer(forexample,toopenthecase,orpluginakeyboard,andsoforth)hasalmostfullcontroloverthecomputerandthedataonit.Forexample,someonewithphysicalaccesstoacomputercan: Restartthecomputerfromanotherexternaldisc,bypassinganyexistingloginmechanism. Removeharddisksanduseforensicdatarecoverytechniquestoretrievedata. 
Installhardware-basedkey-loggersonthelocaladministrationkeyboard.Inyourownorganizationandenvironment,youmustdecidewhichprecautionsarenecessary,effective,andcost-effectivetoprotectthevalueofyourdataandnetwork.Chapter3SecuringSystemHardware 53Forexample,inanorganizationwherefloor-to-ceilingbarriersmightbeneededtoprotectaserverroom,securingtheairductsleadingtotheroommightalsoneedtobeconsidered.Otherorganizationsmightonlyneedalockedserverrackoranfirmwarepassword.Useasmanylayersofphysicalprotectionaspossible.Restrictaccesstoroomsthatcontaincomputersthatstoreoraccesssensitiveinformation.Provideroomaccessonlytothosewhomustusethosecomputers.Ifpossible,lockthecomputerinalockedorsecurecontainerwhenitisnotinuse,andboltorfastenittoawallorpieceoffurniture.Theharddiskisthemostcriticalhardwarecomponentinyourcomputer.Takespecialcaretopreventaccesstotheharddisk.Ifsomeoneremovesyourharddiskandinstallsitinanothercomputer,theycanbypasssafeguardsyousetup.Lockorsecurethecomputersinternalhardware.Ifyoucantguaranteethephysicalsecurityoftheharddisk,considerusingFileVaultforeachhomefolder.FileVaultencryptshomefoldercontentandguardsagainstthecontentbeingcompromised.Formoreinformation,seeEncryptingHomeFoldersonpage151.FileVaultdoesnotprotectagainstthethreatofanattackertamperingwithfilesonthediskandreinstallingthedrive.Forexample,anattackercouldinstallamodifiedkernel,anduseittoobtainyourFileVaultpasswordbyloggingyourkeyboardkeystrokes.Topreventsuchanattack,lockyourcomputerwhenitisunattended.Also,ifyoushareyourcomputerwithothers,limitthosewhohavesudoerpermissions.Forinformationaboutlimitingsudoers,seeSecuringDirectoryAccountsonpage319.Ifyouhaveaportablecomputer,keepitsecure.Lockituporhideitwhenitisnotinuse.Whentransportingthecomputer,neverleaveitinaninsecurelocation.Considerbuyingacomputerbagwithalockingmechanismandlockthecomputerinthebagwhenyouarentusingit.PreventingWirelessEavesdroppingIfyouhaveinstalledSnowLeopardServeronacomputerwithwirelessnetworkaccess(forexample,ithasanAirportcardorotherw
i-ficardinstalled),considerdisablingwirelessaccesstopreventeavesdroping.Althoughwirelesstechnologygivesyournetworkmoreflexibilitywithyourusers,itcancausesecurityvulnerabilitiesyoumaybeunawareof.Whereverpossible,disablewirelessaccessforsecurityreasons.Whenusingawirelessaccesspoint,makesureyouproperlyconfigurethesecuritysettingstopreventunauthorizedusersfromattemptingtoaccessyournetwork.54 Chapter3SecuringSystemHardwareWirelessaccesspointsthathaveaccesstoyourservershouldrequireencryptionoftheconnection,userauthentication(throughtheuseofcertificatesorsmartcards),andtime-outsforconnections.IfyouneedtouseWi-Fi,seeSnowLeopardSecurityConfigurationforinformationabouthowtoleverage802.1XforsecuringyourWi-Fitraffic.UnderstandingWirelessSecurityChallengesMostMaccomputershaveabuilt-inwirelessnetworkcard.UserscanconfiguretheircomputertobeawirelessaccesspointtosharetheirInternetconnectionwithotherusers.However,suchawirelessaccesspointisntusuallysecure,therebycreatingapointofaccessforanattacker.AnyonewithinwirelessrangecangainaccesstoyournetworkbyusinganauthorizedusersinsecurelyconfiguredwirelessLAN.Thesepossiblepointsofaccesscanbeverylarge,dependingonthenumberofuserswithwirelesstechnologyontheircomputers.Thechallengeariseswhentryingtopreventusersfromcreatingaccesspointstoyournetworkortryingtoidentifywheretheaccesspointsareandwhoisattemptingtousethem.Manyorganizationsrestricttheuseofwirelesstechnologyintheirnetworkenvironment.However,mostMaccomputershavewirelesscapabilitybuiltin,soturningitoffmightnotmeetyourorganizationswirelesstechnologyrestrictions.YoumightneedtoremovecomponentsfromMacOSXtodisablethemfrombeingturnedoninSystemPreferences.AboutOSComponentsSpecialhardware,suchaswirelessnetworkingcardsandaudio/videocomponents,needdriversoftwarethatrunsatthekernellevel.Thisdriversoftwareisimplementedaskernelextensions(kexts)inMacOSXandarealsoknownasOScomponents.ThesekernelextensionscanberemovedfromMacOSXtopreventtheuseofapieceofhardware.DisablingorremovingOScomponentsorkernelextensio
nsaltersthebehaviororperformanceofthesystem.Important:MacOSXsometimeshasupdatestospecificOScomponents.Whenyourcomputerinstallstheseupdatesthecomponentisoverwrittenorreinstalledifitwaspreviouslyremoved.Thisthenreenablesthehardwareyouwanteddisabled.WhenyouinstallupdatesmakesurethattheinstallationdoesnotreenableanOScomponentyouwanteddisabled.Chapter3SecuringSystemHardware 55RemovingWi-FiSupportSoftwareUsethefollowinginstructionsforremovingAirportsupport.Thistaskrequiresyoutohaveadministratorprivileges.YoucanalsohaveanAppleAuthorizedTechnicianremoveAirporthardwarefromyourApplecomputer.Important:Repeattheseinstructionseverytimeasystemupdateisinstalled.ToremovekernelextensionsforAirporthardware:1 Openthe/System/Library/Extensionsfolder.2 DragthefollowingfiletotheTrash:IO80211Family.kext3 OpenTerminalandenterthefollowingcommand:sudo touch /System/Library/ExtensionsThetouchcommandchangesthemodifieddateofthe/System/Library/Extensionsfolder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/System/Library/)aredeletedandrebuiltbySnowLeopard.4 ChooseFinder>SecureEmptyTrashtodeletethefiles.5 Restartthesystem.Fromthecommandline:RemovingBluetoothSupportSoftwareUsethefollowinginstructionstoremoveBluetoothsupportforperipheralssuchaskeyboards,mice,orphones.Thistaskrequiresyoutohaveadministratorprivileges.YoucanalsohaveanAppleAuthorizedTechnicianremovethebuilt-inBluetoothhardwarefromyourApplecomputer.Important:Repeattheseinstructionseverytimeasystemupdateisinstalled.# -------------------------------------------------------------------# Protecting System Hardware# -------------------------------------------------------------------# Securing Wi-Fi Hardware# -----------------------# Remove AppleAirport kernel extensions.sudo srm -r /System/Library/Extensions/IO80211Family.kext# Remove Extensions cache files.sudo touch /System/Library/Extensions56 Chapter3SecuringSystemHardwareToremovekernelextensionsforBluetoothhardware:1 Openthe/System/Library/Extensionsfolder.2 
DragthefollowingfilestotheTrash:IOBluetoothFamily.kextIOBluetoothHIDDriver.kext3 OpenTerminalandenterthefollowingcommand:sudo touch /System/Library/ExtensionsThetouchcommandchangesthemodifieddateofthe/System/Library/Extensionsfolder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/System/Library/)aredeletedandrebuiltbySnowLeopardServer.4 ChooseFinder>SecureEmptyTrashtodeletethefiles.5 Restartthesystem.Fromthecommandline:RemovingIRSupportSoftwareUsethefollowinginstructionstoremoveIRhardwaresupport.Thistaskrequiresyoutohaveadministratorprivileges.YoucanalsohaveanAppleAuthorizedTechnicianremoveIRhardwarefromyourApplecomputer.Important:Repeattheseinstructionseverytimeasystemupdateisinstalled.ToremovekernelextensionsforIRhardwaresupport:1 Openthe/System/Library/Extensionsfolder.# Removing BlueTooth Support Software# -----------------------------# Default setting.# kext files are installed and loaded.# Suggested Setting.# Remove Bluetooth kernel extensions.# Remove Bluetooth kernel extensions.sudo srm -r /System/Library/Extensions/IOBluetoothFamily.kextsudo srm -r /System/Library/Extensions/IOBluetoothHIDDriver.kext# Remove Extensions cache files.sudo touch /System/Library/Extensions# Available Settings.# NoneChapter3SecuringSystemHardware 572 DragthefollowingfiletotheTrash:AppleIRController.kext3 OpenTerminalandenterthefollowingcommand:sudo touch /System/Library/ExtensionsThetouchcommandchangesthemodifieddateofthe/System/Library/Extensionsfolder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/System/Library)aredeletedandrebuiltautomaticallybyMacOSX.4 ChooseFinder>SecureEmptyTrashtodeletethefile.5 
Restartthesystem.FromtheCommandLIne:PreventingUnauthorizedRecordingYourcomputermightbeinanenvironmentwhererecordingdevicessuchascamerasormicrophonesarenotpermitted.Youcanprotectyourorganizationsprivacybydisablingthesedevices.Thistaskrequiresyoutohaveadministratorprivileges.Note:Someorganizationsinsertadummyplugintotheaudioinputandoutputportstoensurethataudiohardwareisdisabled.RemovingAudioSupportSoftwareUsethefollowinginstructionstoremovesupportforthemicrophoneandaudiosubsystem.Thismaydisableaudioplayback.YoucanalsohaveanAppleAuthorizedTechnicianremovethebuilt-inmicrophonehardwarefromyourApplecomputer.Important:Repeattheseinstructionseverytimeasystemupdateisinstalled.# Removing IR Support Software# -----------------------------# Default setting.# kext files are installed and loaded.# Suggested Setting.# Remove IR kernel extensions.sudo srm -rf /System/Library/Extensions/AppleIRController.kext# Remove Extensions cache files.sudo touch /System/Library/Extensions# Available Settings.# None58 Chapter3SecuringSystemHardwareToremovekernelextensionsforaudiohardware:1 Openthe/System/Library/Extensionsfolder.2 Toremovesupportforaudiocomponentssuchasthemicrophone,dragthefollowingfilestotheTrash:AppleUSBAudio.kextIOAudioFamily.kext3 OpenTerminalandenterthefollowingcommand:sudo touch /System/Library/ExtensionsThetouchcommandchangesthemodifieddateofthe/System/Library/Extensionsfolder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/System/Library/)aredeletedandrebuiltbySnowLeopardServer.4 ChooseFinder>SecureEmptyTrashtodeletethefile.5 
Restartthesystem.Fromthecommandline:RemovingVideoRecordingSupportSoftwareUsethefollowinginstructionstoremovesupportforanexternalorbuilt-iniSightcamera.Note:ThesupportforexternaliSightcamerasshouldberemovedonallmachines.RemovingonlysupportforinternaliSightcamerasstillleavessupportforexternalcameras.YoucanalsohaveanAppleAuthorizedTechnicianremovethebuilt-invideocamerahardwarefromyourApplecomputer.Important:Repeattheseinstructionseverytimeasystemupdateisinstalled.# Securing Audio Support Software# -----------------------------# Default setting:# kext files are installed and loaded.# Suggested Setting.# Remove Audio Recording kernel extensions.sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kextsudo srm -rf /System/Library/Extensions/IOAudioFamily.kext# Remove Extensions cache files.sudo touch /System/Library/Extensions# Available Settings.# NoneChapter3SecuringSystemHardware 59Toremovekernelextensionsforvideohardware:1 Openthe/System/Library/Extensionsfolder.2 ToremovesupportfortheexternaliSightcamera,dragthefollowingfiletotheTrash:Apple_iSight.kext3 Toremovesupportforthebuilt-iniSightcamera,Control-clickIOUSBFamily.kextandselectShowPackageContents.4 Openthe/Contents/PlugIns/folder.5 DragthefollowingfiletotheTrash:AppleUSBVideoSupport.kext6 OpenTerminalandenterthefollowingcommand:sudo touch /System/Library/ExtensionsThetouchcommandchangesthemodifieddateofthe/System/Library/Extensionsfolder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/System/Library/)aredeletedandrebuiltbySnowLeopardServer.7 ChooseFinder>SecureEmptyTrashtodeletethefile.8 Restartthesystem.Fromthecommandline:PreventingDataPortAccessComputerdataportscanbeeasilycompromisedifyourcomputerisunattendedforalongperiodoftimeorisstolen.Topreventyourcomputerfrombeingcompromised,keepitinalockedenvironmentorhiddenwhenyouarenotusingit.# Securing Video Recording Support Software# -----------------------------# Default setting.# kext files are installed and loaded.# Suggested Setting.# Remove 
Video Recording kernel extensions.# Remove external iSight camera.sudo srm -rf /System/Library/Extensions/Apple_iSight.kext# Remove internal iSight camera.sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/\ AppleUSBVideoSupport.kext# Remove Extensions cache files.sudo touch /System/Library/Extensions# Available Settings.# None60 Chapter3SecuringSystemHardwareYoucanprotectyoursystembypreventinganunauthorizeduserfromusingyourdataports.ThispreventsusersfrombootingtoadifferentvolumeusingaUSBFlashdrive,USB,orFireWireexternalharddrive.Thistaskrequiresyoutohaveadministratorprivileges.Also,bysettingafirmwarepasswordusingtheFirmwarePasswordUtility,youcanpreventaphysicalDirectMemoryAccess(DMA)attackoverFireWire.Whenthefirmwarepasswordisset,anyexternaldeviceisdenieddirectaccesstocomputermemorycontent.FormoreinformationabouttheFirmwarePasswordUtility,seeUsingtheFirmwarePasswordUtilityonpage64.RemovingUSBSupportSoftwareUsethefollowinginstructionstoremoveUSBmassstoragedeviceinput/outputsupportsuchasUSBFlashdrivesandexternalUSBharddrives.TheremovalofthiskernelextensiononlyaffectsUSBmassstoragedevices.ItdoesnotaffectotherUSBdevicessuchasaUSBprinter,mouse,orkeyboard.Thistaskrequiresyoutohaveadministratorprivileges.Important:Repeattheseinstructionseverytimeasystemupdateisinstalled.Toremovekernelextensionsforspecifichardware:1 Openthe/System/Library/Extensionsfolder.2 ToremovesupportforUSBmassstoragedevices,dragthefollowingfiletotheTrash:IOUSBMassStorageClass.kext3 OpenTerminalandenterthefollowingcommand:sudo touch /System/Library/ExtensionsThetouchcommandchangesthemodifieddateofthe/System/Library/Extensionsfolder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/System/Library/)aredeletedandrebuiltbySnowLeopardServer.4 ChooseFinder>SecureEmptyTrashtodeletethefile.5 Restartthesystem.Chapter3SecuringSystemHardware 
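As an added example (not code from Apple's guide), the script below ties together two checks the guide asks for: it verifies a downloaded update package against its published SHA-1 digest, as in "Verifying the Integrity of Software" in Chapter 2, and then audits the Extensions folder for every kernel extension this chapter removes, since a software update can silently reinstall them. The Extensions folder path is a parameter, the demonstration runs on a constructed temporary directory, and the digest shown is a standard SHA-1 test vector, not a value from Apple.

```shell
#!/bin/sh
# Added example, not from Apple's guide: verify a downloaded package's SHA-1
# digest (Chapter 2) and then check whether any kernel extension removed in
# Chapter 3 has reappeared after a software update.

# Bundles the chapter removes, as paths relative to the Extensions folder.
REMOVED_KEXTS="IO80211Family.kext
IOBluetoothFamily.kext
IOBluetoothHIDDriver.kext
AppleIRController.kext
AppleUSBAudio.kext
IOAudioFamily.kext
Apple_iSight.kext
IOUSBFamily.kext/Contents/PlugIns/AppleUSBVideoSupport.kext
IOUSBMassStorageClass.kext
IOFireWireSerialBusProtocolTransport.kext"

# Print the SHA-1 digest of $1 as lowercase hex. The guide uses openssl sha1;
# sha1sum and shasum are fallbacks so the check runs wherever it is copied.
sha1_of() {
  if command -v openssl >/dev/null 2>&1; then
    openssl sha1 "$1" | awk '{print $NF}'
  elif command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# verify_sha1 FILE PUBLISHED_DIGEST
# Returns 0 when the file's digest matches the digest posted with the package,
# 1 on mismatch (the guide's advice: discard it and obtain a new copy), and
# 2 when the file cannot be read. Case of the published digest is ignored.
verify_sha1() {
  vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$1" ] || return 2
  vs_actual=$(sha1_of "$1")
  [ "$vs_actual" = "$vs_expected" ]
}

# audit_kexts EXTENSIONS_DIR [KEXT ...]
# Prints every listed bundle that exists again under EXTENSIONS_DIR.
# Returns 0 when none is present and 1 when at least one has come back,
# which means the removal steps in this chapter must be repeated.
audit_kexts() {
  ak_dir=$1
  shift
  ak_found=0
  for ak_kext in "$@"; do
    if [ -e "$ak_dir/$ak_kext" ]; then
      echo "PRESENT: $ak_dir/$ak_kext"
      ak_found=1
    fi
  done
  return $ak_found
}

# Demonstration on a constructed directory; the real system is not touched.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/IO80211Family.kext"   # constructed: an update restored Wi-Fi support
printf 'abc' > "$demo_dir/Update.pkg"       # constructed stand-in for a downloaded package
# SHA-1 of the bytes "abc" is the well-known test vector used below.
if verify_sha1 "$demo_dir/Update.pkg" a9993e364706816aba3e25717850c26c9cd0d89d; then
  echo "digest matches: package may be installed"
else
  echo "digest mismatch: discard the package and download it again"
fi
if audit_kexts "$demo_dir" $REMOVED_KEXTS; then
  echo "no removed kernel extensions have returned"
else
  echo "repeat the removal steps, touch the Extensions folder, and restart"
fi
rm -rf "$demo_dir"
```

On a live server, call audit_kexts with /System/Library/Extensions as the first argument after each update; a non-zero exit status is the signal to repeat the removal steps.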
61Fromthecommandline:RemovingFireWireSupportSoftwareUsethefollowinginstructionstoremoveFireWireinput/outputsupportsuchasexternalFireWireharddisks.Thistaskrequiresyoutohaveadministratorprivileges.Important:Repeattheseinstructionseverytimeasystemupdateisinstalled.Toremovekernelextensionsforspecifichardware:1 Openthe/System/Library/Extensionsfolder.2 ToremovesupportforFireWiremassstoragedevices,dragthefollowingfiletotheTrash:IOFireWireSerialBusProtocolTransport.kext3 OpenTerminalandenterthefollowingcommand:sudo touch /System/Library/ExtensionsThetouchcommandchangesthemodifieddateofthe/System/Library/Extensionsfolder.Whenthefolderhasanewmodifieddate,theExtensioncachefiles(locatedin/System/Library/)aredeletedandrebuiltbySnowLeopardServer.4 ChooseFinder>SecureEmptyTrashtodeletethefile.5 Restartthesystem.# Securing USB Support Software# -----------------------------# Remove USB kernel extensions.# Default setting.# kext files are installed and loaded.# Suggested Setting:sudo srm -rf /System/Library/Extensions/IOUSBMassStorageClass.kext# Remove Extensions cache files.sudo touch /System/Library/Extensions# Available Settings.# None62 Chapter3SecuringSystemHardwareFromthecommandline:SystemHardwareModificationsRemovingkernelextensionsdoesnotpermanentlydisablecomponents.Youneedadministrativeaccesstorestoreandreloadthem.Althoughdisablinghardwareinthismannerisnotassecureasphysicallydisablinghardware,itismoresecurethandisablinghardwarethroughSystemPreferences.Thismethodofdisablinghardwarecomponentsmightnotbesufficienttomeetanorganizationssecuritypolicy.Consultyourorganizationsoperationalpolicytodetermineifthismethodisadequate.Ifyourenvironmentdoesnotpermittheuseofthefollowinghardwarecomponents,youmustphysicallydisablethem: Airport Bluetooth Microphone Camera IRPortImportant:Attemptingtoremovecomponentswillvoidyourwarranty.Note:IfyouareinagovernmentorganizationandneedaletterofvolatilityforAppleproducts,sendyourrequesttoAppleFederal@apple.com.# Securing FireWire Support Software# 
-----------------------------# Default setting.# kext files are installed and loaded.# Suggested Setting.# Remove FireWire kernel extensions.sudo srm -rf /System/Library/Extensions/\ IOFireWireSerialBusProtocolTransport.kext# Remove Extensions cache files.sudo touch /System/Library/Extensions# Available Settings.# None4 634 SecuringGlobalSystemSettingsUsethischaptertolearnhowtosecureglobalsystemsettings,securefirmwareandMacOSXstartup,andtouseaccesswarnings.AfterinstallingandsettingupSnowLeopardServer,makesureyouprotectyourhardwareandsecureglobalsystemsettings.SecuringSystemStartupWhenacomputerstartsup,itfirststartsExtensibleFirmwareInterface(EFI).EFIisthesoftwarelinkbetweenthemotherboardhardwareandthesoftwareoperatingsystem.EFIdeterminewhichpartitionordisktoloadMacOSXfrom.Italsodetermineswhethertheusercanentersingle-usermode.Single-usermodelogstheuserinasroot.Thisisdangerousbecauserootuseraccessisthemostpowerfullevelofaccess,andactionsperformedasrootareanonymous.IfyoucreateanEFIpassword,youpreventusersfromaccessingsingle-usermode.Thepasswordalsostopsusersfromloadingunapprovedpartitionsordisksandfromenablingtargetdiskmodeatstartup.AftercreatinganEFIpassword,youmustenterthispasswordwhenyoustartthecomputerfromanalternatedisk(forsituationssuchasharddiskfailureorfilesystemrepair).Tosecurestartup,performoneofthefollowingtasks: UsetheFirmwarePasswordUtilitytosettheEFIFirmwarepassword. 
• Verify and set the security mode from the command line.
WARNING: EFI settings are critical. Take great care when modifying these settings and when creating a secure Firmware password.
An EFI Firmware password provides some protection, but it can be reset if a user has physical access to the machine and changes the physical memory configuration of the machine. EFI password protection can be bypassed if the user changes the physical memory configuration of the machine and then resets the PRAM three times (by holding down the Command, Option, P, and R keys during system startup).
Using the Firmware Password Utility
The Snow Leopard Server installation disc includes Firmware Password Utility, which you can use to enable an EFI password. Mac computers with Intel processors use EFI to control low-level hardware. EFI is similar to BIOS on an x86 PC and is the hardware base layer for all computers that can run Snow Leopard Server. By protecting it from unauthorized access you can prevent attackers from gaining access to your computer.
To use the Firmware Password Utility:
1 Log in with an administrator account and open the Firmware Password Utility (located on the Mac OS X installation disc in /Applications/Utilities/).
2 Click New.
3 Select "Require password to start this computer from another source."
To disable the EFI password, deselect "Require password to start this computer from another source." You won't need to enter a password and verify it. Disabling the EFI password is only recommended for installing Mac OS X.
4 In the Password and Verify fields, enter a new EFI password and click OK.
5 Close the Firmware Password Utility.
You can test your settings by attempting to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window loads, changes made by the Firmware Password Utility were successful.
Using Command-Line Tools for Secure Startup
You can also configure EFI from the command line by using the nvram tool. However, you can only set the security-mode environment variable.
You can set the security mode to one of the following values:
• None: This is the default value of security-mode and provides no security to your computer's EFI.
• Command: This value requires a password if changes are made to EFI or if a user attempts to start up from an alternate volume or device.
• Full: This value requires a password to start up or restart your computer. It also requires a password to make changes to EFI.
For example, to set the security-mode to full you would use the following command:
sudo nvram security-mode=full
To securely set the password for EFI, use the Firmware Password Utility.

From the command line:
# Securing Global System Settings
# -------------------------------
# Configuring Firmware Settings
# -----------------------------
# Default Setting.
# security-mode is off
# Suggested Setting.
# Secure startup by setting security-mode. Replace $mode-value with
# command or full.
sudo nvram security-mode=$mode-value
# Verify security-mode setting.
sudo nvram -x -p
# Available Settings.
# security-mode.
# command
# full
# Use the following command to view the current nvram settings.
# nvram -x -p
# Use the following commands to view nvram options.
# nvram -h
# or
# man nvram

Configuring Access Warnings
You can use a login window or Terminal access warning to provide notice of a computer's ownership, to warn against unauthorized access, or to remind authorized users of their consent to monitoring.
Enabling Access Warnings for the Login Window
Before enabling an access warning, review your organization's policy for what to use as an access warning.
When a user tries to access the computer's login window (locally or through Apple Remote Desktop), the user sees the access warning you create, such as the following:
[Figure: login window with an access warning displayed]
To create a login window access warning:
1 Open Terminal and verify that your logged-in account can use sudo to perform a defaults write.
2 Change your login window access warning:
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"
Replace "Warning Text" with your access warning text. The quotes keep a multi-word warning as a single value.
3 Log out to test your changes.
Your access warning text appears below the Mac OS X subtitle.

From the command line:
# Enabling Access Warning for the Login Window
# --------------------------------------------
# Create a login window access warning.
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"
# You can also use the BannerSample project to create an access warning.

Understanding the AuthPlugin Architecture
AuthPlugins are used to control access to a service or application. Preinstalled AuthPlugins for Snow Leopard Server are located in the /System/Library/CoreServices/SecurityAgentPlugins/ folder. These plug-ins (and their associated rules and authorization rights for users) are defined in the /etc/authorization database, and are queried by the Security Server. For more information about /etc/authorization, see Chapter 29, "Managing Authorization Through Rights," on page 363.
The following graphic shows the workflow of the Security Server. When an application requests authorization rights from the security server, the security server interrogates the rights database (/etc/authorization) to determine the mechanisms to be used for authentication. If necessary, the security server requests user interaction through the security agent. The security agent then prompts the user to authenticate through the use of a password, smart card, or biometric reader. Then the security agent sends the authentication information back to the security server, which passes it back to the application.
[Figure: Security Server workflow. An application requests authorization for a right from the Security Server; the Security Server consults the Rights Database (/etc/authorization) and, if necessary, requests user interaction through the Security Agent (password, smart card, or biometric); the resulting authorization credential is returned to the application.]
The BannerSample Project
If your computer has developer tools installed, the sample code for the bannersample project is located in /Developer/examples/security/bannersample. You can modify and customize this sample banner code for your organization. After you compile the code you can place it in the /Library/Security/SecurityAgentPlugins/ folder. Then modify the key system.login.console in the /etc/authorization file using Terminal. For more information about the bannersample, see the bannersample README file.
To modify the /etc/authorization file:
1 Open Terminal.
2 Enter the following command:
sudo pico /etc/authorization
3 Locate the system.login.console key.
4 Add bannersample:test above builtin:smartcard-sniffer,privileged, as shown below (excerpt of the property list):
    <key>system.login.console</key>
    <dict>
        <key>class</key>
        <string>evaluate-mechanisms</string>
        <key>comment</key>
        <string>Login mechanism based rule. Not for general use, yet.</string>
        <key>mechanisms</key>
        <array>
            <string>bannersample:test</string>
            <string>builtin:smartcard-sniffer,privileged</string>
5 Save changes and exit the editor.
6 Restart the computer and verify that the banner appears.
For additional information or support for the BannerSample project, contact AppleFederal@apple.com.
Enabling Access Warnings for the Command Line
Before enabling an access warning, review your organization's policy for what to use as an access warning.
When a user opens Terminal locally or connects to the computer remotely, the user sees the access warning you create. The following task must be performed by an administrator user using any text editor.
To create a command-line access warning:
1 Open Terminal.
2 Enter the following command to create the /etc/motd file:
sudo touch /etc/motd
3 Enter the following command to edit the /etc/motd file:
sudo pico /etc/motd
4 Enter your access warning message.
5 Save changes and exit the text editor.
6 Open a new Terminal window to test changes.
Your access warning text appears above the prompt in the new Terminal window.

From the command line:
# Enabling Access Warning for the Command Line
# --------------------------------------------
# Create a command-line access warning.
sudo touch /etc/motd
sudo chmod 644 /etc/motd
# Append the warning as root. "sudo echo ... >> /etc/motd" does not work,
# because the redirection is opened by your (non-root) shell, not by sudo.
echo "Warning Text" | sudo tee -a /etc/motd

Turning On File Extensions
By making the file extension visible, you can determine the type of file it is and the application it is associated with.
To turn file extensions on:
1 Open Finder.
2 From the Finder menu, select Preferences.
3 Click Advanced and select the "Show all filename extensions" checkbox.
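The "Verify security-mode setting" step in "Using Command-Line Tools for Secure Startup" can be automated. The following script is an added example, not code from the Apple guide: it parses the XML property list that `sudo nvram -x -p` prints and reports whether security-mode is command or full. The embedded plist is a constructed sample, and the assumption that nvram emits security-mode as a <string> (with <data> handled as a fallback) is mine.

```python
"""Check the EFI security-mode reported by `nvram -x -p`.

Added example, not part of the Apple guide. The sample plist below is
constructed for offline use; real output carries many more variables.
"""
import plistlib

# Values the guide recommends for security-mode.
ACCEPTABLE_MODES = {"command", "full"}

# Constructed sample of `nvram -x -p` output (not captured from a real Mac).
SAMPLE_NVRAM_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>SystemAudioVolume</key>
\t<data>Ow==</data>
\t<key>security-mode</key>
\t<string>command</string>
</dict>
</plist>
"""


def _as_text(value):
    """Normalise a plist value to str.

    Assumption: nvram prints printable variables as <string>; anything else
    arrives as <data> (bytes), which we decode and strip of NUL padding.
    """
    if isinstance(value, bytes):
        return value.decode("ascii", errors="replace").rstrip("\x00")
    return str(value)


def parse_security_mode(nvram_xml):
    """Return the security-mode value (lowercased), or None when unset."""
    variables = plistlib.loads(nvram_xml)
    if "security-mode" not in variables:
        return None
    return _as_text(variables["security-mode"]).strip().lower()


def assess_security_mode(nvram_xml):
    """Return (compliant, message) for one nvram -x -p dump."""
    mode = parse_security_mode(nvram_xml)
    if mode is None:
        # The guide's "Default Setting": no firmware protection at all.
        return False, "security-mode is unset (EFI default: no protection)"
    if mode in ACCEPTABLE_MODES:
        return True, "security-mode=%s" % mode
    return False, "security-mode=%r is not 'command' or 'full'" % mode


if __name__ == "__main__":
    import subprocess
    import sys

    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # On a Mac this needs sudo, as in the guide's own command.
        raw = subprocess.check_output(["nvram", "-x", "-p"])
    else:
        raw = SAMPLE_NVRAM_XML
    ok, msg = assess_security_mode(raw)
    print(("PASS: " if ok else "FAIL: ") + msg)
```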
5 Securing Local Server Accounts
Use this chapter to learn how to secure accounts by assigning user account types, configuring directory access, using strong authentication procedures, and safely storing credentials.
Securing user accounts requires determining how accounts are used and setting the level of access for users.
When you define a user's account you specify the information to prove the user's identity, such as user name, authentication method (password, digital token, smart card, or biometric reader), and user identification number (user ID). Other information in a user's account is needed by various services to determine what the user is authorized to do and to personalize the user's environment.
Types of User Accounts
When you log in to Snow Leopard Server, you use a nonadministrator or administrator account. The main difference is that Snow Leopard Server provides safety mechanisms to prevent nonadministrator users from editing key preferences, or from performing actions critical to computer security. Administrator users are not as limited as nonadministrator users. You can further define nonadministrator and administrator accounts by specifying additional user privileges or restrictions.
The following table shows the access provided to user accounts.

User Account                     User Access
Guest nonadministrator           Restricted user access (disabled by default)
Standard nonadministrator        Nonprivileged user access
Managed nonadministrator         Restricted user access
Delegated server administrator   Administer specified service configuration
Administrator                    Full server configuration administration
Directory domain administrator   Administer the configured domains on the server
System administrator (root)      Unrestricted access to the server

Unless you need administrator access for specific system maintenance tasks that cannot be accomplished by authenticating with the administrator's account while logged in as a normal user, always log in as a nonadministrator user. Log out of the administrator account when you are not using the computer as an administrator.
Never browse the web or check email while logged in to an administrator's account.
If you are logged in as an administrator, you are granted privileges and abilities that you might not need. For example, you can potentially modify system preferences without being required to authenticate. This bypasses a security safeguard that prevents malicious or accidental modification of system preferences.
Note: This chapter describes how to secure local accounts configured on Snow Leopard Server. For more information about securing user and group network accounts using Workgroup Manager, see Chapter 22, "Securing Network Accounts."
Guidelines for Creating Accounts
When you create user accounts, follow these guidelines:
• Never create accounts that are shared by several users. Each user should have his or her own standard or managed account. Individual accounts are necessary to maintain accountability. System logs can track activities for each user account, but if several users share the same account it is difficult to track which user performed an activity. Similarly, if several administrators share a single administrator account, it becomes harder to track which administrator performed an action. If someone compromises a shared account, it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by a user sharing the account.
• Each user needing administrator access should have an administrator account in addition to a standard or managed account. Administrator users should only use their administrator accounts for administrator purposes. By requiring an administrator to have a personal account for typical use and an administrator account for administrator purposes, you reduce the risk of an administrator performing actions like accidentally reconfiguring secure system preferences.
Defining User IDs
A user ID is a number that uniquely identifies a user. Snow Leopard Server computers use the user ID to track a user's folder and file ownership. When a user creates a folder or file, the user ID is stored as the creator ID. A user with that user ID has read and write permissions to the folder or file by default.
The user ID is a unique string of digits between 500 and 2,147,483,648. New users created using the Accounts pane of System Preferences are assigned user IDs starting at 501. It is risky to assign the same user ID to different users, because two users with the same user ID have identical directory and POSIX file permissions.
However, each user has a unique GUID that is generated when the user account is created. Your GUID is associated with ACL permissions that are set on files or folders. By setting ACL permissions you can prevent users with identical user IDs from accessing files and folders.
The user ID 0 is reserved for the root user. User IDs below 100 are reserved for system use. User accounts with these user IDs should not be deleted and should not be modified except to change the password of the root user.
If you don't want the user name to appear in the login window of a client computer, assign a user ID of less than 500 and enter the following command in a Terminal window:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
User names never appear in the login window in Snow Leopard Server.
In general, after a user ID is assigned and the user starts creating files and folders, you shouldn't change the user ID. One possible scenario in which you might need to change a user ID is when merging users from different servers onto a new server or cluster of servers. The same user ID might have been associated with a different user on the previous server.
Securing the Guest Account
The guest account is used to give a user temporary access to your computer. The guest account is disabled by default because it does not require a password to log in to the computer. The guest account should remain disabled. If this account is enabled and not securely configured, malicious users can gain access to your computer without the use of a password.
In security sensitive environments the guest account should remain disabled. If you enable the guest account, enable parental controls to limit what the user can do. Enabling parental control on an account does not defend against a determined attacker and should not be used as the primary security mechanism.
Whether or not the guest account is enabled, disable guest account access to shared files and folders by deselecting the "Allow guest to connect to shared folders" checkbox. If you permit the guest account to access shared folders, an attacker can easily attempt to access shared folders without a password.
When you finish with this account, disable it by deselecting "Allow guests to log in to this computer." This prevents the guest user account from logging in to the computer.
Securing Nonadministrator Accounts
There are two types of nonadministrator user accounts: standard and managed.
• Standard user accounts, which don't have administrator privileges and don't have parental controls limiting their actions.
• Managed user accounts, which don't have administrator privileges but have active parental controls. Parental controls help deter unsophisticated users from performing malicious activities. They can also help prevent users from misusing their computer.
Note: If your computer is connected to a network, a managed user can also be a user whose preferences and account information are managed through the network.
When creating nonadministrator accounts, restrict the accounts so they can only use what is required. For example, if you plan to store sensitive data on your local computer, disable the ability to burn DVDs.
Securing External Accounts
An external account is a mobile account that has its local home folder stored on a volume in an external drive. When an external account logs in, Mac OS X only shows the external account that the user logged in with. The external user account cannot view other accounts on the computer.
External accounts require Snow Leopard or later and an external or ejectable volume that is formatted as Mac OS X Extended format (HFS Plus).
If you use an external account, use FileVault to protect the content of your home folder in case your external volume is stolen or lost.
For information about external accounts, see the User Management guide.
Protecting Data on External Volumes
By default, a user's home folder is not encrypted. If a user stores their home folder on an external volume using an external account, the user must secure the data on the external volume.
To secure the external volume:
• The volume must be able to process an external authentication, such as a PIN or smart card, before it is mounted or readable.
• The user's home folder should use FileVault or other encryption mechanisms to secure the data.
Securing Directory-Based Accounts
A directory-based account is an account located on a directory server. A directory server contains user account records and important data for authenticating users. If your computer is connected to a directory server, you can add directory users to your computer and grant them access. You can restrict a directory user account by using Parental Controls.
Access to directory servers is usually tightly restricted to protect the data on them.
Avoiding Simultaneous Local Account Access
Monitoring user accounts and activities is important to securing your computer. This enables you to determine if an account is compromised or if a user is performing malicious tasks.
Avoiding Fast User Switching
Although the use of Fast User Switching is convenient when you have multiple local users on a single computer, avoid enabling it. Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is using the computer. Also, any external volumes attached to the computer are mounted when another user logs in, granting all users access to the volume and ignoring access permissions.
Avoiding Shared User Accounts
Avoid creating accounts that are shared by several users. Individual accounts maintain accountability. Each user should have his or her own standard or managed account.
System logs can track activities for each user account, but if several users share the same account, it becomes difficult to track which user performed an activity. Similarly, if several administrators share a single administrator account, it becomes harder to track which administrator performed a specific action.
If someone compromises a shared account it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by a user sharing the account.
Securing Administrator Accounts
Each administrator should have two accounts: a standard account for daily use and an administrator account for administrator access. Remember that the nonadministrative account should be used for most daily activity, especially when accessing the network or Internet. The administrator's account should only be used when absolutely necessary to accomplish administrative tasks.
To secure administrator accounts, restrict the distribution of administrator accounts and limit the use of these accounts. A user account with administrator privileges can perform standard user and administrator tasks such as:
• Creating user accounts
• Adding users to the Admin group
• Changing the FileVault master password
• Enabling or disabling sharing
• Enabling, disabling, or changing firewall settings
• Changing other protected areas in System Preferences
• Installing system software
• Escalating privileges to root
About Tiered Administration Permissions
Mac OS X Server can use another level of access control for added security. Administrators can be assigned to services they can configure. These limitations are enacted on a server-by-server basis. This method can be used by an administrator with no restrictions to assign administrative duties to other users.
In previous releases of Mac OS X Server, there were two classes of users: admin and everyone else. Admin users can make any change to the settings of any service or change any directory data including passwords and password policies.
In Snow Leopard Server, you can now grant individuals and groups specific administrative permissions without adding them to the UNIX admin group. In other words, you can make them service administrators. There are two levels of permissions:
• Administer: This level of permission is analogous to being in the UNIX admin group. You can change any setting on the server for the designated server and service only.
• Monitor: This level of permission allows you to view Overview panes, Log panes, and other information panes in Server Admin, as well as general server status data in server status lists. You do not have access to saved service settings.
Any user or group can be given these permissions for all services or for selected services. The permissions are stored on a per-server basis. The only users that can change the tiered administration access list are users that are in the UNIX admin group.
This results in a tiered administration model, where some administrators have more privileges than others for assigned services. This results in a method of access control for individual server features and services.
For example, Alice (the lead administrator) has control over all services on a given server and can limit the ability of other admin group users (like Bob and Cathy) to change settings on the server. She can assign DNS and Firewall service administration to Bob, while leaving mail service administration to Cathy. In this scenario, Cathy can't change the firewall or any service other than mail. Likewise, Bob can't change any services outside of his assigned services.
Tiered administration controls are effective in Server Admin and the serveradmin command-line tool. They are not effective against modifying UNIX configuration files throughout the system. Protect UNIX configuration files with POSIX-type permissions or ACLs.
You can determine which services other admin group users can modify. To do this, the administrator making the determination must have full, unmodified access.
Server Admin updates to reflect what operations are possible for a user's permissions. For example, some services are hidden or the Settings pane is dimmed when you can only monitor that service.
Because the feature is enforced on the server side, the permissions also impact the usage of the serveradmin, dscl, dsimport, and pwpolicy command-line tools, because these tools are limited to the permissions configured for the administrator in use.
Defining Administrative Permissions
You can decide if a user or group can monitor or administer a server or service without giving them the full power of a UNIX administrative user. Assigning effective permissions to users creates a tiered administration, where some but not all administrative duties can be carried out by designated individuals.
To assign permissions:
1 Open Server Admin.
2 Select a server, click the Settings button in the toolbar, and then click the Access tab.
3 Click the Administrators tab.
4 Select whether to define administrative permissions for all services on the server or for select services.
5 If you define permissions by service, select the related checkbox for each service you want to turn on.
If you define permissions by service, be sure to assign administrators to all active services on the server.
6 Click the Add (+) button to add a user or group from the users and group window.
To remove administrative permissions, select a user or group and click the Remove (-) button.
7 For each user or group, select the permissions level next to the user or group name.
You can choose Monitor or Administer.
The capabilities of Server Admin to administer the server are limited by this setting when the server is added to the Server list.
Avoiding Shared Administrator Accounts
Avoid creating accounts that are shared by several administrators. Individual accounts maintain accountability. Each user should have his or her own account.
System logs can track activities for each user account, but if several users share the same account, it becomes difficult to track which user performed an activity. For example, if several administrators share a single administrator account, it becomes harder to track which administrator performed a specific action.
If someone compromises a shared administrator account, it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by an administrator sharing the account.
Securing the Directory Domain Administrator Account
A directory domain can reside on a computer running Snow Leopard Server (for example, the LDAP folder of an Open Directory master, or other read/write directory domain) or it can reside on a non-Apple server (for example, a non-Apple LDAP or Active Directory server).
Only a directory domain administrator can change the directory domain, including the managed accounts in the directory domain. When configuring a directory domain administrator account, follow the same security guidelines as you would with any other administrator account.
Changing Special Authorizations for System Functions
You can modify the /etc/authorization configuration file to change authorizations for administrators and standard users.
WARNING: Changes to this file can have unanticipated negative results. Edit with caution.
To modify authorization by changing the /etc/authorization file:
1 Edit the /etc/authorization file using the pico tool, which allows for safe editing of the file. The command must be run as root:
sudo pico /etc/authorization
2 When prompted, enter the administrator password.
This displays a property list for authorization, listing all available keys.
3 Locate the key you want to modify.
For example, to change who has access to unlock the screen saver, modify the system.login.screensaver key by changing the rule:
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
to:
    <key>rule</key>
    <string>authenticate-session-owner</string>
Doing this restricts the administrator from unlocking the screen saver.
4 Save and quit pico.
Securing the System Administrator Account
The most powerful user account in Snow Leopard is the system administrator or root account. By default, the root account on Snow Leopard Server is enabled and uses the same password as the first created admin user. You should disable it using the following command:
dsenableroot -d
Important: The system administrator or root account should only be used when absolutely necessary.
The most powerful user account in Mac OS X is the system administrator or root account. By default, the root account on Mac OS X is disabled and it is recommended you do not enable it.
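Both /etc/authorization edits in this guide, the BannerSample mechanism insertion from Chapter 4 and the screen saver rule change just above, can be made with a script instead of pico, which also makes them repeatable after a system update. This is an added example and not Apple's code: it uses Python's plistlib, the embedded plist is a constructed excerpt that contains only the two rights the guide mentions, and it should be run against a backup copy of the real file before the result is installed.

```python
"""Apply the two /etc/authorization changes described in this guide.

Added example, not Apple's code. It inserts "bannersample:test" ahead of
"builtin:smartcard-sniffer,privileged" in system.login.console (Chapter 4)
and sets the system.login.screensaver rule to "authenticate-session-owner"
(this chapter). The sample below is a constructed excerpt; the real file
holds many more rights and mechanisms.
"""
import plistlib

BANNER_MECHANISM = "bannersample:test"
ANCHOR_MECHANISM = "builtin:smartcard-sniffer,privileged"
SCREENSAVER_RULE = "authenticate-session-owner"

# Constructed excerpt in the shape of /etc/authorization (not the real file).
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>comment</key>
      <string>Login mechanism based rule. Not for general use, yet.</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:smartcard-sniffer,privileged</string>
        <string>loginwindow:login</string>
      </array>
    </dict>
    <key>system.login.screensaver</key>
    <dict>
      <key>class</key>
      <string>rule</string>
      <key>rule</key>
      <string>authenticate-session-owner-or-admin</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def insert_banner_mechanism(auth, mechanism=BANNER_MECHANISM, anchor=ANCHOR_MECHANISM):
    """Insert `mechanism` immediately before `anchor` in system.login.console.

    Idempotent: if the mechanism is already listed nothing changes. A missing
    anchor raises rather than silently appending somewhere else.
    """
    mechanisms = auth["rights"]["system.login.console"]["mechanisms"]
    if mechanism in mechanisms:
        return mechanisms
    if anchor not in mechanisms:
        raise KeyError("anchor %r not found in system.login.console" % anchor)
    mechanisms.insert(mechanisms.index(anchor), mechanism)
    return mechanisms


def restrict_screensaver_unlock(auth, new_rule=SCREENSAVER_RULE):
    """Replace the system.login.screensaver rule.

    The rule may be stored as a string or as a single-element array; the
    replacement keeps whichever form is present so the file stays valid.
    """
    right = auth["rights"]["system.login.screensaver"]
    right["rule"] = [new_rule] if isinstance(right["rule"], list) else new_rule
    return right["rule"]


def harden(plist_bytes):
    """Return the plist with both edits applied, serialised as XML."""
    auth = plistlib.loads(plist_bytes)
    insert_banner_mechanism(auth)
    restrict_screensaver_unlock(auth)
    return plistlib.dumps(auth)


def summarize(plist_bytes):
    """Read back the two settings the guide cares about."""
    auth = plistlib.loads(plist_bytes)
    return {
        "console_mechanisms": list(auth["rights"]["system.login.console"]["mechanisms"]),
        "screensaver_rule": auth["rights"]["system.login.screensaver"]["rule"],
    }


if __name__ == "__main__":
    import sys

    # Usage: python3 authz_edit.py [copy-of-/etc/authorization] > hardened.plist
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            source = fh.read()
    else:
        source = SAMPLE_AUTHORIZATION
    hardened = harden(source)
    sys.stdout.write(hardened.decode("utf-8"))
    sys.stderr.write("%r\n" % summarize(hardened))
```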
The root account is primarily used for performing UNIX commands. Generally, actions that involve critical system files require you to perform those actions as root. However, using the sudo command, it is possible to perform root-level actions on an as-needed basis.
If you are logged in as a Snow Leopard Server administrator, you perform commands as root by using the sudo command. Snow Leopard Server logs actions performed using the sudo command. This helps you track misuse of the sudo command on a computer. Keep in mind that these logs can be edited if they are stored locally, so only grant sudo privileges to trusted users.
You can use the su command to log in to the command line as another user if you have that user's password. This includes the root user, if the root account is enabled. When you are logged in as root, you can use the su command to change users without a password.
If multiple users can log in as root, you cannot track which user performed root actions. Do not allow direct root login, because the logs cannot identify which administrator logged in. Instead, log in using accounts with administrator privilege, and then use the sudo command to perform actions as root.
If the root account is enabled, you can disable it by using an administrative account and the dsenableroot command. For example, the following command disables the root account:
sudo dsenableroot -d
For instructions about how to restrict root user access in Directory Utility, open Mac Help and search for "Directory Utility."
Restricting sudo Usage
By default, sudo is enabled for administrator users. From the command line, you can disable root login or restrict the use of sudo. Limit the administrators allowed to use sudo to those who need to run commands as root.
The computer uses a file named /etc/sudoers to determine which users can use sudo. You can modify root user access by changing the /etc/sudoers file to restrict sudo access to specific accounts, and allow those accounts to perform specifically allowed commands. This gives you control over what users can do as root.
To restrict sudo usage by changing the /etc/sudoers file:
1 As the root user, use the following command to edit the /etc/sudoers file, which allows for safe editing of the file:
sudo visudo
2 When prompted, enter the administrator password.
There is a timeout value associated with sudo. This value indicates the number of minutes until sudo prompts for a password again. The default value is 5, which means that after issuing the sudo command and entering the correct password, additional sudo commands can be entered for 5 minutes without reentering the password. This value is set in the /etc/sudoers file. For more information, see the sudo and sudoers man pages.
3 In the Defaults specification section of the file, add the following lines:
Defaults timestamp_timeout=0
Defaults tty_tickets
These lines limit the use of the sudo command to a single command per authentication and also ensure that, even if a timeout is activated, later sudo commands are limited to the terminal where authentication occurred.
4 Restrict which administrators are allowed to run sudo by removing the line that begins with %admin and adding the following entry for each user, substituting the user's short name for the word user:
user ALL=(ALL) ALL
Doing this means that when an administrator is added to the computer, the administrator must be added to the /etc/sudoers file as described, if the administrator needs to use sudo.
5 Save and quit visudo.
For more information, enter man pico or man visudo in a Terminal window. For information about how to modify the /etc/sudoers file, see the sudoers man page.
Understanding Directory Domains
User accounts are stored in a directory domain. Your preferences and account attributes are set according to the information stored in the directory domain.
Local accounts are hosted in a local directory domain. When you log in to a local account, you authenticate with that local directory domain.
Users with local accounts typically have local home folders. When a user saves files in a local home folder, the files are stored locally. To save a file over the network, the user must connect to the network and upload the file.
Network accounts are hosted in a network directory domain, such as a Lightweight Directory Access Protocol (LDAP) or Network Information Service (NIS) directory. When you log in to a network account, you authenticate with the network directory domain.
Users with network accounts typically have network home folders. When they save files in their network home folders, the files are stored on the server.
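As an added example that is not part of the Apple guide, the following script audits a sudoers file for the settings in "Restricting sudo Usage": the two Defaults lines, the removed %admin grant, and the per-user "user ALL=(ALL) ALL" entries that replace it. Both sudoers texts embedded in it are constructed samples (a stock-style file and the same file after steps 3 and 4), and the parser treats #include directives as comments.

```python
"""Audit /etc/sudoers against the restrictions in "Restricting sudo Usage".

Added example, not Apple's code. Both sudoers texts are constructed samples.
"""
import re

# Constructed: the stock shape of the file before the edits in this section.
SUDOERS_DEFAULT = """\
# sudoers file.
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""

# Constructed: the same file after following steps 3 and 4 of the guide.
SUDOERS_HARDENED = """\
# sudoers file.
Defaults env_reset
Defaults timestamp_timeout=0
Defaults tty_tickets
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(ALL) ALL
"""

# The per-user entry form the guide asks for: "user ALL=(ALL) ALL".
USER_SPEC = re.compile(r"^(?P<user>[A-Za-z0-9_.-]+)\s+ALL=\(ALL\)\s+ALL\s*$")


def _effective_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines.

    Simplification: "#include" directives start with '#' and are dropped too,
    so included files are not followed.
    """
    joined = text.replace("\\\n", "")
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def audit_sudoers(text):
    """Return a report dict; 'findings' is empty when the file follows the guide."""
    defaults = set()
    group_grants = []
    user_grants = []
    for line in _effective_lines(text):
        if line.startswith("Defaults"):
            # Both "Defaults a" and "Defaults a, b" are valid sudoers syntax.
            for option in line[len("Defaults"):].split(","):
                defaults.add(option.strip())
        elif line.startswith("%"):
            # A group grant such as "%admin ALL=(ALL) ALL".
            group_grants.append(line.split()[0])
        else:
            match = USER_SPEC.match(line)
            if match and match.group("user") != "root":
                user_grants.append(match.group("user"))

    findings = []
    if "timestamp_timeout=0" not in defaults:
        findings.append("timestamp_timeout is not 0: the cached password outlives the command")
    if "tty_tickets" not in defaults:
        findings.append("tty_tickets missing: authentication in one terminal authorises others")
    for group in group_grants:
        findings.append("group grant %s still present: every member can run sudo" % group)
    if not user_grants:
        findings.append("no per-user ALL=(ALL) ALL entries: no administrator is listed by name")
    return {
        "defaults": sorted(defaults),
        "group_grants": group_grants,
        "user_grants": user_grants,
        "findings": findings,
    }


if __name__ == "__main__":
    import sys

    # /etc/sudoers is readable only by root: sudo cat /etc/sudoers | python3 sudoers_audit.py -
    if len(sys.argv) > 1:
        text = sys.stdin.read() if sys.argv[1] == "-" else open(sys.argv[1]).read()
    else:
        text = SUDOERS_DEFAULT
    report = audit_sudoers(text)
    for finding in report["findings"] or ["no findings: sudoers matches the guide"]:
        print(finding)
```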
Mobile accounts cache authentication information and managed preferences. A user's authentication information is maintained on the directory server but is cached on the local computer. With cached authentication information, a user can log in using the same user name and password (or a digital token, smart card, or biometric reader), even if the user is not connected to the network.
Users with mobile accounts have local and network home folders that combine to form portable home directories. When users save files, the files are stored in a local home folder. The portable home directory is a synchronized subset of a user's local and network home folders.
For information about protecting your home folder, see Chapter 8, "Securing Data and Using Encryption."
Understanding Network Services, Authentication, and Contacts
You can use Directory Utility to configure your computer to use a network directory domain. Directory search services that are not used should be disabled in the Services pane of Directory Utility. Directory Utility can be accessed from Account preferences by clicking Login Options, then clicking Join or Edit, and then clicking Open Directory Utility.
You can enable or disable each kind of directory service protocol in Directory Utility. Snow Leopard Server doesn't access disabled directory services, except for the local directory domain, which is always accessed.
In addition to enabling and disabling services, you can use Directory Utility to choose the directory domains you want to authenticate with.
Directory Utility defines the authentication search policy that Snow Leopard uses to locate and retrieve user authentication information and other administrative data from directory domains. The login window, Finder, and other parts of Snow Leopard use this authentication information and administrative data. File service, mail service, and other services provided by Mac OS X Server also use this information.
Directory Utility also defines the contacts search policy that Snow Leopard uses to locate and retrieve name, address, and other contact information from directory domains. Address Book can use this contact information, and other applications can be programmed to use it as well.
The authentication and contacts search policy consists of a list of directory domains (also known as directory nodes). The order of directory domains in the list defines the search policy.
Starting at the top of the list, Snow Leopard Server searches each listed directory domain in turn until it finds the information it needs or reaches the end of the list without finding the information.
For more information about using Directory Utility, see Open Directory Administration.
Configuring LDAPv3 Access
Snow Leopard Server primarily uses Open Directory as its network-based directory domain. Open Directory uses LDAPv3 as its connection protocol. LDAPv3 includes several security features that you should enable if your server supports them. Enabling every LDAPv3 security feature maximizes your LDAPv3 security. To make sure your settings match your network's required settings, contact your network administrator. Whenever possible, all LDAP connections should be configured to be encrypted using SSL.
When configuring LDAPv3, do not add DHCP-supplied LDAP servers to automatic search policies if you cannot secure the network the computer is running on. If you do, someone can create a rogue DHCP server and a rogue LDAP directory and then control your computer as the root user.
For information about changing the security policy for an LDAP connection or about protecting computers from malicious DHCP servers, see Open Directory Administration.
Configuring Active Directory Access
Leopard supports mutual authentication with Active Directory servers. Kerberos is a ticket-based system that enables mutual authentication. The server must identify itself by providing a ticket to your computer. This prevents your computer from connecting to rogue servers.
Leopard also supports digital signing and encrypted packet security settings used by Active Directory. These settings are enabled by default.
Mutual authentication occurs when you bind to Active Directory servers. If you're connecting to an Active Directory server with Highly Secure (HISEC) templates enabled, you can use third-party tools to further secure your Active Directory connection.
When you configure Active Directory access, the settings you choose are generally dictated by the Active Directory server's settings. To make sure your settings match your network's required settings, contact your network administrator.
Do not use the "Allow administration by" setting in sensitive environments. It can cause unintended privilege escalation issues because any member of the group specified will have administrator privileges on your computer. Additionally, you should only connect to trusted networks.
For more information about using Directory Utility to connect to Active Directory servers, see Open Directory Administration.
Using Strong Authentication
Authentication is the process of verifying the identity of a user. Snow Leopard Server supports local and network-based authentication to ensure that only users with valid authentication credentials can access the computer's data, applications, and network services.
You can require passwords to log in, to wake the computer from sleep or from a screen saver, to install applications, or to change system settings. Snow Leopard Server also supports authentication methods such as smart cards, digital tokens, and biometric readers.
Strong authentication is created by using combinations of the following authentication dimensions:
• What the user knows, such as a password or PIN number
• What the user has, such as a one-time password (OTP) token or smart card
• What the user is, such as a fingerprint, retina scan, or DNA sample
Using a combination of these dimensions makes authentication more reliable and user identification more certain.
Using Password Assistant to Generate or Analyze Passwords
Mac OS X includes Password Assistant, an application that analyzes the complexity of a password or generates a complex password for you. You can specify the length and type of password you'd like to generate.
You can choose from the following types of passwords:
• Manual: You enter a password and then Password Assistant gives you the quality level of your password. If the quality level is low, Password Assistant gives tips for increasing the quality level.
• Memorable: According to your password length requirements, Password Assistant generates a list of memorable passwords in the Suggestion menu.
• Letters & Numbers: According to your password length requirements, Password Assistant generates a list of passwords with a combination of letters and numbers.
• Numbers Only: According to your password length requirements, Password Assistant generates a list of passwords containing only numbers.
• Random: According to your password length requirements, Password Assistant generates a list of passwords containing random characters.
• FIPS-181 compliant: According to your password length requirements, Password Assistant generates a password that is FIPS-181 compliant (which includes mixed upper and lower case, punctuation, and numbers).
You can open Password Assistant from some applications. For example, when you create an account or change passwords in Accounts preferences, you can use Password Assistant to help you create a secure password.
Using Kerberos
Kerberos is an authentication protocol used for systemwide single sign-on, allowing users to authenticate to multiple services without reentering passwords or sending them over the network. Every system generates its own principals, allowing it to offer secure services that are fully compatible with other Kerberos-based implementations.
Note: Snow Leopard Server supports Kerberos v5 but does not support Kerberos v4.
Snow Leopard Server uses Kerberos to make it easier to share services with other computers. A key distribution center (KDC) server is not required to use Kerberos authentication between two computers running Snow Leopard Server.
When you connect to a computer that supports Kerberos, you are granted a ticket that permits you to continue to use services on that computer, without reauthentication, until your ticket expires.
For example, consider two computers running Snow Leopard Server named Mac01 and Mac02. Mac02 has screen sharing and file sharing turned on. If Mac01 connects to a shared folder on Mac02, Mac01 can subsequently connect to screen sharing on Mac02 without supplying login credentials again.
This Kerberos exchange is only attempted if you connect using Bonjour, if you navigate to the computer in Finder, or if you use the Go menu in Finder to connect to a server using the local hostname of the computer.
Normally, after your computer obtains a Kerberos ticket in this manner, it keeps that Kerberos ticket until it expires. However, if you want to manually remove your Kerberos ticket, you can do so using the Kerberos utility in Snow Leopard Server.
To manually rem
oveaKerberosticket:1 OpenKeychainAccess(in/Applications/Utilities).2 FromtheKeychainAccessmenu,chooseTicketViewer.3 IntheKerberosapplicationsTicketCachewindow,findthekeythatlookslikethis:yourusername@LKDC:SHA1...Itisfollowedbyalongstringofalphanumericcharacters.86 Chapter5SecuringLocalServerAccounts4 ClickDestroyTickettodeletethatkey.Youcanalsousethekinit,kdestroy,andkpasswdcommandstomanageKerberostickets.Formoreinformation,seethekinit,kdestroy,andkpasswdmanpages.UsingSmartCardsAsmartcardisaplasticcard(similarinsizetoacreditcard)orUSBdonglethathasmemoryandamicroprocessorembeddedinit.Thesmartcardcanstoreandprocessinformationsuchaspasswords,certificates,andkeys.Themicroprocessorinsidethesmartcardcandoauthenticationevaluationofflinebeforereleasinginformation.Beforethesmartcardprocessesinformation,youmustauthenticatewiththesmartcardbyaPINorbiometricmeasurement(suchasafingerprint),whichprovidesanadditionallayerofsecurity.SmartcardsupportisintegratedintoSnowLeopardServerandcanbeconfiguredtoworkwiththefollowingservices: Cryptographiclogin(localornetworkbasedaccounts) UnlockofFileVaultenabledaccounts Unlockkeychains Signedandencryptedemail(S/MIME) Securingwebaccess(HTTPS) VPN(L2TP,PPTP,SSL) 802.1X Screensaverunlock Systemadministration KeychainAccessUsingTokensYoucanuseadigitaltokentoidentifyauserforcommerce,communication,oraccesscontrol.Thistokencanbegeneratedbysoftwareorhardware.SomecommontokensaretheRSASecurIDandtheCRYPTOCardKT-1devices.Thesehardwaredevicesgeneratetokenstoidentifytheuser.Thegeneratedtokensarespecifictothatuser,sotwouserswithdifferentRSASecurIDsordifferentCRYPTOCardKT-1shavedifferenttokens.Youcanusetokensfortwo-factorauthentication.Two-factorreferstoauthenticatingthroughsomethingyouhave(suchasaone-time-passwordtoken)andsomethingyouknow(suchasafixedpassword).Theuseoftokensincreasesthestrengthoftheauthentication.TokensarefrequentlyusedforVPNauthentication.Chapter5SecuringLocalServerAccounts 
87UsingBiometricsMacOSXsupportsbiometricsauthenticationtechnologiessuchasthumbprintreaders.Password-protectedwebsitesandapplicationscanbeaccessedwithoutrequiringtheusertorememberalonglistofpasswords.Somebiometricdevicesallowyoutoauthenticatebyplacingyourfingeronapad.Unlikeapassword,yourfingerprintcanneverbeforgottenorstolen.Fingerprintidentificationprovidespersonalauthenticationandnetworkaccess.Theuseofbiometricscanenhanceauthenticationbyusingsomethingthatisapartofyou(suchasyourfingerprint).SettingGlobalPasswordPoliciesToconfigureapasswordpolicythatcanapplygloballyortoindividualusers,usethepwpolicycommand-linetool.GlobalpasswordpoliciesarenotimplementedinMacOSX;instead,passwordpoliciesaresetforeachuseraccount.Youcansetspecificrulesgoverningthesizeandcomplexityofacceptablepasswords.Forexample,youcanspecifyrequirementsforthefollowing: Minimumandmaximumcharacterlength Alphabeticandnumericcharacterinclusion MaximumnumberoffailedloginsbeforeaccountlockoutTorequirethatanauthenticatorspasswordbeaminimumof12charactersandhavenomorethan3failedloginattempts,enterthefollowinginaTerminalwindow:sudo pwpolicy -n /Local/Default -setglobalpolicy "minChars=12 maxFailedLoginAttempts=3Foradvancedpasswordpolicies,usePasswordServerinMacOSXServer.Youcanuseittosetglobalpasswordpoliciesthatspecifyrequirementsforthefollowing: Passwordexpirationduration Specialcharacterinclusion Mixed-casecharacterinclusion PasswordreuselimitsYoucanusepwpolicytosetapasswordpolicythatmeetsyourorganizationspasswordstandards.Formoreinformationabouthowtousepwpolicy,enterman pwpolicyinaTerminalwindow.88 
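The following is an added example, not code from Apple's guide: a local shell evaluator for the kind of rules the password policy section above describes (minimum and maximum length, alphabetic and numeric inclusion, lockout after too many failed logins), which also covers the "Letters & Numbers" style that Password Assistant produces. The rule names mirror pwpolicy's policy keys, but the checking and lockout logic here is this example's own model; it does not call pwpolicy or consult the directory, and the maxChars value of 64 is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from Apple's guide). Models the policy rules the chapter
# names so a candidate password can be checked before it is set, and shows how
# a maxFailedLoginAttempts lockout behaves. Values below are assumed examples;
# minChars=12 and maxFailedLoginAttempts=3 match the chapter's pwpolicy command.
POLICY_MIN_CHARS=12
POLICY_MAX_CHARS=64            # assumed upper bound, not from the page
POLICY_REQUIRES_ALPHA=1
POLICY_REQUIRES_NUMERIC=1
POLICY_MAX_FAILED=3

# policy_string: the policy in the "key=value ..." form the chapter passes to
# pwpolicy -setglobalpolicy, built from the values above.
policy_string() {
    printf 'minChars=%s maxChars=%s requiresAlpha=%s requiresNumeric=%s maxFailedLoginAttempts=%s\n' \
        "$POLICY_MIN_CHARS" "$POLICY_MAX_CHARS" "$POLICY_REQUIRES_ALPHA" \
        "$POLICY_REQUIRES_NUMERIC" "$POLICY_MAX_FAILED"
}

# check_password PASSWORD
# Prints the names of the violated rules (space separated, empty when the
# password is acceptable) and returns 1 on any violation, 0 otherwise.
check_password() {
    pw=$1
    violations=""
    len=${#pw}
    [ "$len" -ge "$POLICY_MIN_CHARS" ] || violations="$violations minChars"
    [ "$len" -le "$POLICY_MAX_CHARS" ] || violations="$violations maxChars"
    if [ "$POLICY_REQUIRES_ALPHA" -eq 1 ]; then
        case "$pw" in
            *[A-Za-z]*) ;;
            *) violations="$violations requiresAlpha" ;;
        esac
    fi
    if [ "$POLICY_REQUIRES_NUMERIC" -eq 1 ]; then
        case "$pw" in
            *[0-9]*) ;;
            *) violations="$violations requiresNumeric" ;;
        esac
    fi
    violations=${violations# }
    printf '%s\n' "$violations"
    [ -z "$violations" ]
}

# Per-user failed-attempt counters live as small files in a scratch directory
# (a stand-in for the directory's own bookkeeping).
FAILED_DIR=${FAILED_DIR:-$(mktemp -d)}

# record_login_result USER ok|fail
# Prints the current failure count, or "locked" once the count has reached
# maxFailedLoginAttempts. A locked account stays locked even on a correct
# password, which is why an administrator must reset it; a successful login
# before the limit resets the counter to 0. Returns 1 when locked.
record_login_result() {
    user=$1
    result=$2
    f="$FAILED_DIR/$user"
    count=0
    [ -f "$f" ] && count=$(cat "$f")
    if [ "$count" -ge "$POLICY_MAX_FAILED" ]; then
        echo locked
        return 1
    fi
    if [ "$result" = ok ]; then
        count=0
    else
        count=$((count + 1))
    fi
    printf '%s\n' "$count" > "$f"
    if [ "$count" -ge "$POLICY_MAX_FAILED" ]; then
        echo locked
        return 1
    fi
    echo "$count"
    return 0
}

# Usage: check_password 'candidate'; record_login_result alice fail
```

Because Password Assistant's quality rating is not exposed on the command line, the check above reports rule names rather than a score; feeding it the passwords Password Assistant suggests is a quick way to confirm that a chosen length and type satisfy the policy you intend to set with pwpolicy.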
Storing Credentials in Keychains

Snow Leopard Server includes Keychain Access, an application that manages collections of passwords and certificates in a single credential store called a keychain. Each keychain can hold a collection of credentials and protect them with a single password. Keychains store encrypted passwords, certificates, and other private values (called secure notes). These values are accessible only by unlocking the keychain using the keychain password and only by applications that are approved and added to the access control application list.

You can create multiple keychains, each of which appears in a keychain list in Keychain Access. Each keychain can store multiple values. Each value is called a key item. You can create a key item in any user-created keychain. When an application must store an item in a keychain, it stores it in the keychain designated as your default. The default is named login, but you can change that to any user-created keychain. The default keychain name is displayed in bold. Each item in a keychain has an Access Control List (ACL) that can be populated with applications that have authority to use that keychain item. A further restriction can be added that forces an application with access to confirm the keychain password.

The main issue with remembering passwords is that you're likely to make all passwords identical or keep a written list of passwords. By using keychains, you can greatly reduce the number of passwords you need to remember. Because you no longer need to remember passwords for multiple accounts, the passwords you choose can be very complex and can even be randomly generated. Keychains provide additional protection for passwords, passphrases, certificates, and other credentials stored on the computer. In some cases, such as using a certificate to sign a mail message, the certificate must be stored in a keychain. If a credential must be stored on the computer, store and manage it using Keychain Access. Check your organization's policy on keychain use.

Due to the sensitive nature of keychain information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files. Snow Leopard Server Keychain services enable you to create keychains and provide secure storage of keychain items. After a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes. A user can unlock a keychain with a single password, and applications can then use that keychain to store and retrieve data, such as passwords.

Note: You can use the security and systemkeychain commands to administer keychains, manipulate keys and certificates, and do just about anything the Security framework can do. For more information about these commands, see their man pages.

Using the Default User Keychain

When a user's account is created, a default keychain named login is created for that user. The password for the login keychain is initially set to the user's login password and is unlocked when the user logs in. It remains unlocked unless the user locks it, or until the user logs out. You should change the settings for the login keychain so the user must unlock it when he or she logs in, or after waking the computer from sleep.

To secure the login keychain:

1 Open Keychain Access.
2 If you do not see a list of keychains, click Show Keychains.
3 Select the login keychain.
4 Choose Edit > Change Password for Keychain "login".
5 Enter the current password, and create and verify a password for the login keychain. After you create a login keychain password that is different from the normal login password, your keychain is not unlocked at login. To help you create a more secure password, use Password Assistant. For information, see "Using Password Assistant to Generate or Analyze Passwords" on page 84.
6 Choose Edit > Change Settings for Keychain "login".
7 Select "Lock when sleeping".
8 Deselect "Synchronize this keychain using MobileMe".
9 Secure each login keychain item. For information, see "Securing Keychains and Their Items" on page 91.

Creating Additional Keychains

When a user account is created, it contains only the initial default keychain named login. A user can create additional keychains, each of which can have different settings and purposes. For example, a user might want to group credentials for mail accounts into one keychain. Because mail programs query the server frequently to check for mail, it is not practical for the user to reauthenticate when such a check is performed. The user can create a keychain and configure its settings so that he or she is required to enter the keychain password at login and whenever the computer is awakened from sleep. He or she can then move all items containing credentials for mail applications into that keychain and set each item so that only the mail application associated with that credential can automatically access it. This forces other applications to authenticate to access that credential.

Configuring a keychain's settings for use by mail applications might be unacceptable for other applications. If a user has an infrequently used web-based account, it is more appropriate to store that credential in a keychain configured to require reauthentication for every access by any application. You can also create multiple keychains to accommodate varying degrees of sensitivity. By separating keychains based on sensitivity, you prevent the exposure of sensitive credentials to less sensitive applications with credentials on the same keychain.

To create a keychain and customize its authentication settings:

1 In Keychain Access, choose File > New Keychain.
2 Enter a name, select a location for the keychain, and click Create.
3 Enter a password, verify it, and click OK.
4 If you do not see a list of keychains, click Show Keychains.
5 Select the new keychain.
6 Choose Edit > Change Settings for Keychain "keychain_name", and authenticate, if requested.
7 Change the "Lock after # minutes of inactivity" setting based on the access frequency of the security credentials included in the keychain. If the security credentials are accessed frequently, do not select "Lock after # minutes of inactivity". If the security credentials are accessed less often, select "Lock after # minutes of inactivity" and select a value, such as 15. If you use a password-protected screen saver, consider setting this value to the idle time required for your screen saver to start. If the security credentials are accessed infrequently, select "Lock after # minutes of inactivity" and specify a value, such as 1.
8 Select "Lock when sleeping".
9 Drag the security credentials from other keychains to the new keychain and authenticate, if requested. You should have keychains that only contain related certificates. For example, you can have a mail keychain that only contains mail items.
10 If you are asked to confirm access to the keychain, enter the keychain password and click Allow Once. After confirming access, Keychain Access moves the security credential to the new keychain.
11 Secure each item in the security credentials for your keychain.

Securing Keychains and Their Items

Keychains can store multiple encrypted items. You can configure items so only specific applications have access. (However, you cannot set Access Control for certificates.)

To secure a keychain item:

1 In Keychain Access, select a keychain and then select an item.
2 Click the Information (i) button.
3 Click Access Control and then authenticate if requested.
4 Select "Confirm before allowing access". After you enable this option, Snow Leopard Server prompts you before giving a security credential to an application. If you select "Allow all applications to access this item", you allow any application to access the security credential when the keychain is unlocked. When accessing the security credential, there is no user prompt, so enabling this is a security risk.
5 Select "Ask for Keychain password". After enabling this, you must provide the keychain password before applications can access security credentials. Enabling this is important for critical items, such as your personal identity (your public key certificates and the corresponding private key), which are needed when signing or decrypting information. These items can also be placed in their own keychains.
6 Remove nontrusted applications listed in "Always allow access by these applications" by selecting each application and clicking the Remove (-) button. Applications listed here require the user to enter the keychain password to access security credentials.

Using Smart Cards as Keychains

Snow Leopard Server integrates support for hardware-based smart cards as dynamic keychains, where any application using keychains can access that smart card. A smart card can be thought of as a portable protected keychain. Smart cards are seen by the operating system as dynamic keychains and are added to the top of the Keychain Access list. They are the first searched in the list. They can be treated as other keychains on the user's computer, with the limitation that users can't add other secure objects.

When you attach a supported smart card to your computer, it appears in Keychain Access. If multiple smart cards are attached to your computer, they appear at the top of the keychain list alphabetically as separate keychains. You can manually unlock and change the PIN using Keychain Access. Changing the PIN on your smart card is the same as changing the password on a regular keychain. In Keychain Access, select your smart card and unlock it by double-clicking it. If it is not unlocked, you are prompted to enter the password for the smart card, which is the same as the PIN. Enter the PIN to view the PIN-protected data on that smart card in Keychain Access.

Using Portable and Network Keychains

If you're using a portable computer, consider storing your keychains on a portable drive, such as a USB flash memory drive. You can remove the portable drive from the portable computer and store it separately when the keychains are not in use. Anyone attempting to access data on the portable computer needs the portable computer, the portable drive, and the password for the keychain stored on the portable drive. This provides an extra layer of protection if the laptop is stolen or misplaced.

To use a portable drive to store keychains, move your keychain files to the portable drive and configure Keychain Access to use the keychains on the portable drive. The default location for your keychain is ~/Library/Keychains/. However, you can store keychains in other locations. You can further protect portable keychains by storing them on biometric USB flash memory drives, or by storing portable drive contents in an encrypted file. For information, see "Encrypting Portable Files" on page 155. Check with your organization to see if they allow portable drives to store keychains.

To set up a keychain for use from a portable drive:

1 Open Keychain Access.
2 If you do not see a list of keychains, click Show Keychains.
3 Choose Edit > Keychain List.
4 Note the location of the keychain you want to set up. The default location is ~/Library/Keychains/.
5 Click Cancel.
6 Select the keychain you want to set up.
7 Choose File > Delete Keychain "keychain_name".
8 Click Delete References.
9 Copy the keychain files from the previously noted location to the portable drive.
10 Move the keychain to the Trash and use Secure Empty Trash to securely erase the keychain file stored on the computer. For information, see "Using Secure Empty Trash" on page 160.
11 Open Finder and double-click the keychain file on your portable drive to add it to your keychain search list.

6 Securing System Preferences

Use this chapter to set Snow Leopard Server system preferences to enhance system security and further protect against attacks.

System Preferences has many configurable preferences that you can use to customize system security. You can also manage these preferences using Workgroup Manager.

System Preferences Overview

Snow Leopard Server includes system preferences that you can use to customize security. When modifying settings for one account, make sure your settings are mirrored on all other accounts, unless there is an explicit need for different settings. You can view system preferences by choosing Apple > System Preferences. In the System Preferences window, click a preference to view it.

Some critical preferences require that you authenticate before you modify their settings. To authenticate, you click the lock (see the images below) and enter an administrator's name and password (or use a digital token, smart card, or biometric reader). If you log in as a user with administrator privileges, these preferences are unlocked unless you select "Require password to unlock each System Preferences pane" in Security preferences. For more information, see "Securing Security Preferences" on page 122. If you log in as a standard user, these preferences remain locked. After unlocking preferences, you can lock them again by clicking the lock.

Preferences that require authentication include the following:

- Accounts
- Date & Time
- Energy Saver
- MobileMe
- Network
- Print & Fax
- Security
- Sharing
- Startup Disk
- Time Machine

This chapter lists each set of preferences included with Snow Leopard Server and describes modifications recommended to improve security.
Securing MobileMe Preferences

MobileMe is a suite of Internet tools that help you synchronize data and other important information when you're away from the computer. In sensitive environments, don't use MobileMe. If you must store critical data, only store it on your local computer. You should only transfer data over a secure network connection to a secure internal server. If you use MobileMe, enable it only for user accounts that don't have access to critical data. Avoid enabling MobileMe for administrator or root user accounts. Leave the options disabled in the Sync pane of MobileMe preferences (shown below). Leave "Registered Computer for synchronization" blank in the Advanced settings of the Sync pane (shown below). Leave iDisk Syncing (shown below) disabled by default. If you must use a Public folder, enable password protection.

To disable MobileMe preferences:

1 Open MobileMe preferences.
2 Deselect "Synchronize with MobileMe".
3 Make sure there are no computers registered for synchronization in the Advanced settings of the Sync pane.
4 Make sure iDisk Syncing is disabled in the iDisk pane.

From the command line:

# -------------------------------------------------------------------
# Securing System Preferences
# -------------------------------------------------------------------
# Securing MobileMe Preferences
# -------------------------
# Default Setting.
# If a MobileMe account is entered during setup, MobileMe is configured
# for that account.
# Use the following command to display current MobileMe settings.
# defaults -currentHost read com.apple.
# Use the following command to view all current settings for currentHost.
# defaults -currentHost read
# Suggested Setting.
# Disable Sync options.
sudo defaults -currentHost write com.apple.DotMacSync ShouldSyncWithServer 1
# Disable iDisk Syncing. (${USER}_MirrorEnabled: the key is the login name
# followed by _MirrorEnabled; braces keep the shell from expanding a
# nonexistent $USER_MirrorEnabled variable.)
sudo defaults -currentHost write com.apple.idisk "${USER}_MirrorEnabled" -bool no
# Available Settings.
# None

Securing Accounts Preferences

Use Accounts preferences to change or reset account passwords (shown below), to enable Parental Controls, or to modify login options for each account. You should immediately change the password of the first account that was created on your computer. If you are an administrator, you can reset other user account passwords by selecting the account and clicking Reset Password.

Note: If you are an administrator, password policies are not enforced when you change your password or when you change another user's password. Therefore, when you are changing passwords as an administrator, make sure you follow the password policy you set. For more information about password policies, see "Setting Global Password Policies" on page 87.

The password change dialog and the reset dialog (shown below) provide access to Password Assistant, an application that can analyze the strength of your password and assist you in creating a more secure password. For more information, see "Using Password Assistant to Generate or Analyze Passwords" on page 84.

Consider the following login guidelines:

- Disable automatic login if enabled.
- Require that the user enter a name and a password, and that the user authenticate without the use of a password hint.
- Disable the Restart, Sleep, and Shut Down buttons so the user cannot restart the computer without pressing the power key or logging in.
- Disable fast user switching if enabled; it is a security risk because it allows multiple users to be simultaneously logged in to a computer.

Although the use of Fast User Switching is convenient when you have multiple users on a single computer, there are cases in which you may not want to enable it. Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is using the computer. Also, some external volumes attached to the computer are mounted when another user logs in, granting all users access to the volume and ignoring access permissions.

Avoid creating accounts that are shared by several users. Individual accounts maintain accountability. Each user should have his or her own standard or managed account. System logs can track activities for each user account, but if several users share the same account, it becomes difficult to track which user performed an activity. Similarly, if several administrators share a single administrator account, it becomes harder to track which administrator performed a specific action. If someone compromises a shared account, it is less likely to be noticed. Users might mistake malicious actions performed by an intruder for legitimate actions by a user sharing the account.

To securely configure Accounts preferences:

1 Open Accounts preferences.
2 Select your account and click the Password tab; then change the password by clicking the Change Password button. A dialog appears asking you to input the old password, the new password, verification of the new password, and a password hint. To reset a user's account password, select the account and click the Reset Password button. Then enter the new password and verification of the new password, and leave the password hint blank.
3 Do not enter a password hint, then click the Change Password button.
4 Click Login Options. A screen similar to the following appears:
5 Under "Display login window as", select "Name and password" and deselect all other options.
From the command line:

# Securing Accounts Preferences
# -----------------------------
# Change an account's password on a client system.
# Don't use this command if other users are also logged in.
sudo dscl /LDAPv3/127.0.0.1 passwd /Users/$User_name $Oldpass $Newpass
# Change an account's password on a server.
# Don't use this command if other users are also logged in.
sudo dscl . passwd /Users/$User_name $Oldpass $Newpass
# Make sure there is no password hint set.
sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
# Disable Show the Restart, Sleep, and Shut Down buttons.
sudo defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisable -bool yes
# Disable fast user switching. This command does not prevent multiple users
# from being logged in.
sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO
# Disable Automatic login.
sudo defaults write /Library/Preferences/.GlobalPreferences \
  com.apple.userspref.DisableAutoLogin -bool yes

Securing Appearance Preferences

One method to secure appearance preferences is to change the number of recent items displayed in the Apple menu to None. Recent items are applications, documents, and servers that you've recently used. You can access recent items by choosing Apple > Recent Items. If intruders gain access to your computer, they can use recent items to quickly view your most recently accessed files. Additionally, intruders can use recent items to access authentication mechanisms for servers if the corresponding keychains are unlocked. Removing recent items provides a minimal increase in security, but it can deter very unsophisticated intruders.

To securely configure Appearance preferences:

1 Open Appearance preferences. A screen similar to the following appears:
2 Set all "Number of Recent Items" preferences to None.

From the command line:

# Securing Appearance Preferences
# -----------------------------
# Default Setting.
# MaxAmount 10
# Suggested Setting.
# Disable display of recent applications.
sudo defaults write com.apple.recentitems Applications -dict MaxAmount 0
# Available Settings.
# MaxAmount 0,5,10,15,20,30,50

Securing Bluetooth Preferences

Bluetooth allows wireless devices, such as keyboards, mice, and mobile phones, to communicate with the computer. If the computer has Bluetooth capability, Bluetooth preferences become available. If you don't see Bluetooth preferences, you cannot use Bluetooth.

Note: Some high security areas do not allow radio frequency (RF) communication such as Bluetooth. Consult your organizational requirements for possible further disablement of the component.

When you disable Bluetooth in System Preferences, you must disable Bluetooth for every user account on the computer. This does not prevent users from reenabling Bluetooth. You can restrict a user account's privileges so the user cannot reenable Bluetooth, but to do this, you remove several important user abilities, like the user's ability to change his or her password. For more information, see "Types of User Accounts" on page 71.

Note: To remove Bluetooth support for peripherals, see "Removing Bluetooth Support Software" on page 55.

To securely configure Bluetooth preferences:

1 Open Bluetooth preferences. A screen similar to the following appears:
2 Deselect On.

From the command line:

# Securing Bluetooth Preferences
# -----------------------------
# Default Setting.
# Turn Bluetooth on.
# Suggested Setting.
# Turn Bluetooth off.
sudo defaults write /Library/Preferences/com.apple.Bluetooth \
  ControllerPowerState -int 0
# Available Settings.
# 0 (OFF) or 1 (On)

Securing CDs & DVDs Preferences

To secure CDs and DVDs, do not allow the computer to perform automatic actions when the user inserts a disc. When you disable automatic actions in System Preferences, you must disable these actions for every user account on the computer. This does not prevent users from reenabling automatic actions. To prevent the user from reenabling automatic actions, you must restrict the user's account so the user cannot open System Preferences. For more information on restricting accounts, see "Securing Nonadministrator Accounts" on page 74.

To securely configure CDs & DVDs preferences:

1 Open CDs & DVDs preferences. A screen similar to the following appears:
2 Disable automatic actions when inserting media by choosing Ignore for each pop-up menu.

From the command line:

# Securing CDs & DVDs Preferences
# -----------------------------
# Default Setting.
# Preference file non existent: /Library/Preferences/com.apple.digihub
# Blank CD: Ask what to do
# Blank DVD: Ask what to do
# Music CD: Open iTunes
# Picture CD: Open iPhoto
# Video DVD: Open DVD Player
# Suggested Setting.
# Disable blank CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1
# Disable music CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1
# Disable picture CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1
# Disable blank DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1
# Disable video DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1
# Available Settings.
# action 1 = Ignore
# action 2 = Ask what to do
# action 5 = Open other application
# action 6 = Run script
# action 100 = Open Finder
# action 101 = Open iTunes
# action 102 = Open Disk Utility
# action 105 = Open DVD Player
# action 106 = Open iDVD
# action 107 = Open iPhoto
# action 109 = Open Front Row

Securing Date & Time Preferences

Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. You can use Date & Time preferences (shown below) to set the date and time based on a Network Time Protocol (NTP) server. If you require automatic date and time, use a trusted, internal NTP server.

To securely configure Date & Time preferences:

1 Open Date & Time preferences.
2 In the Date & Time pane, select the "Set date & time automatically" checkbox and enter a secure and trusted NTP server in the "Set date & time automatically" field.
3 Click the Time Zone button. A screen similar to the following appears:
4 Choose a time zone.

From the command line:

# Securing Date & Time Preferences
# -----------------------------
# Default Setting.
# NTP Server: time.apple.com
# Time Zone: Set time zone automatically using current location
# Suggested Setting.
# Set the NTP server.
sudo cat >> /etc/ntp.conf
Securing Desktop & Screen Saver Preferences
You can use Desktop & Screen Saver preferences (shown below) to configure a password-protected screen saver to prevent unauthorized users from accessing unattended computers. You can use several authentication methods to unlock the screen saver, including digital tokens, smart cards, and biometric readers. You should also set a short inactivity interval to decrease the amount of time the unattended computer is unlocked. For information about requiring authentication for screen savers, see "Securing Security Preferences" on page 122.

You can configure Desktop & Screen Saver preferences to allow you to quickly enable or disable screen savers if you move your mouse cursor to a corner of the screen, as shown below. (You can also do this by configuring Exposé & Spaces preferences.)

By default, any admin can unlock any user's display. When you configure Desktop & Screen Saver preferences, you configure the preferences for every user account on the computer. This doesn't prevent users from reconfiguring their preferences. You can restrict a user's account privileges so the user cannot reconfigure preferences. Doing this removes several important user abilities, like the user's ability to change his or her password. For more information, see "Types of User Accounts" on page 71.

To securely configure Desktop & Screen Saver preferences:
1  Open Desktop & Screen Saver preferences.
2  Click the Screen Saver pane.
3  Set Start screen saver to a short inactivity time.
4  Click Hot Corners.
5  Set a corner to Start Screen Saver for quick enabling of the screen saver, but don't set a screen corner to Disable Screen Saver.

From the command line:
# Securing Desktop & Screen Saver Preferences
# -----------------------------
# Default Setting.
# None
# Suggested Setting.
# Set idle time for screen saver. Replace XX with the idle time in seconds.
sudo defaults -currentHost write com.apple.screensaver idleTime -int XX
# Set a hot corner to activate the screen saver. Replace corner_code with
# bl, br, tl, or tr (see Available Settings). The key is a separate argument
# after the preferences domain.
sudo defaults write /Library/Preferences/com.apple.dock wvous-corner_code-corner -int 5
# Set the modifier key for that corner to 0 (no modifier).
sudo defaults write /Library/Preferences/com.apple.dock wvous-corner_code-modifier -int 0
# Available Settings.
# Corner options.
# wvous-bl-corner (bottom-left)
# wvous-br-corner (bottom-right)
# wvous-tl-corner (top-left)
# wvous-tr-corner (top-right)

Securing Display Preferences
If you have multiple displays attached to your computer, be aware that enabling display mirroring might expose private data to others. Having this additional display provides extra opportunity for others to see private data.

Securing Dock Preferences
You can configure the Dock to be hidden when not in use. This can prevent others from seeing the applications on your computer.

To securely configure Dock preferences:
1  Open Dock preferences.
   The following screen appears:
2  Select Automatically hide and show the Dock.

From the command line:
# Securing Dock Preferences
# -----------------------------
# Default Setting.
# None
# Suggested Setting.
# Automatically hide and show Dock.
sudo defaults write /Library/Preferences/com.apple.dock autohide -bool YES
# Available Settings.
# autohide -bool YES
# autohide -bool NO

Securing Energy Saver Preferences
You can use Energy Saver Sleep preferences (shown below) to configure a period of inactivity before a computer, display, or hard disk enters sleep mode. If the computer receives directory services from a network that manages its client computers, it is unmanaged while in sleep mode and cannot be detected as being connected to the network. To allow management and network visibility, configure the display and the hard disk to sleep, but not the computer.

You can require authentication by use of a password, digital token, smart card, or biometric reader to reactivate the computer (see "Securing Security Preferences" on page 122). This is similar to using a password-protected screen saver.

You can also use the Options pane (shown below) to make settings depending on your power supply (power adapter, UPS, or battery). Configure the computer so it only wakes when you physically access the computer. Also, don't set the computer to restart after a power failure.

To securely configure Energy Saver preferences:
1  Open Energy Saver preferences.
   A screen similar to the following appears:
2  From the Sleep pane, set Put the computer to sleep when it is inactive for to Never.
3  Select Put the hard disk(s) to sleep when possible and then click the Options pane.
4  Deselect Wake for Ethernet network access and Start up automatically after a power failure.

From the command line:
# Securing Energy Saver Preferences
# -----------------------------
# Default Setting.
# None
# Suggested Setting.
# Disable computer sleep (the sleep timer is in minutes; 0 means never).
sudo pmset -a sleep 0
# Enable hard disk sleep (disksleep is also a timer in minutes; 1 spins the
# disk down after one idle minute).
sudo pmset -a disksleep 1
# Disable Wake for Ethernet network administrator access.
sudo pmset -a womp 0
# Disable Restart automatically after power failure.
sudo pmset -a autorestart 0
# Available Settings.
# 0 (OFF) or 1 (ON)

Securing Exposé & Spaces Preferences
Your computer should require authentication when waking from sleep or screen saver. You can configure Exposé & Spaces preferences (shown below) to allow you to quickly start the screen saver if you move your mouse cursor to a corner of the screen, but don't configure a corner to disable the screen saver. For information about requiring authentication for the screen saver, see "Securing Security Preferences" on page 122.

Dashboard widgets included with Snow Leopard Server can be trusted. However, be careful when you install third-party Dashboard widgets. You can install Dashboard widgets without authenticating. To prevent Dashboard from running, remove the Dashboard application from the /Applications folder.

When you configure Exposé & Spaces preferences, you must configure these preferences for every user account on the computer. This doesn't prevent users from reconfiguring their preferences. You can restrict a user account's privileges so the user cannot reconfigure preferences. To do this, you remove several important user abilities, like the user's ability to change his or her password. For more information, see "Types of User Accounts" on page 71.

If your organization does not want to use Dashboard because of its potential security risk, you can disable it. If the user has access to the Terminal application, Dashboard can be re-enabled at any time.

Dashboard uses the com.apple.dashboard.fetch service to fetch updates to widgets from the Internet. If Dashboard is disabled, this service should be disabled as well. This service must be disabled from the command line, using the command shown in the instructions below.

From the command line:
# Securing Exposé & Spaces Preferences
# -----------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable dashboard.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.dashboard.advisory.fetch.plist
# Available Settings.
# Enabled or Disabled

Securing Language & Text Preferences
No security-related configuration is necessary. However, if your computer uses more than one language, review the security risk of the language character set. Consider deselecting unused packages during Mac OS X installation.

Securing Keyboard Preferences
If you are not using a Bluetooth keyboard, turn Bluetooth off. If you are using a Bluetooth keyboard, disable allowing Bluetooth devices to wake the computer in the advanced section of Bluetooth preferences. For more information about Bluetooth, see "Securing Bluetooth Settings" on page 117.

Securing Mouse Preferences
If you are not using a Bluetooth mouse, turn Bluetooth off. If you are using a Bluetooth mouse, disable allowing Bluetooth devices to wake the computer in the advanced section of Bluetooth preferences. For more information about Bluetooth, see "Securing Bluetooth Preferences" on page 103.
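Every system-wide setting in this chapter is written with defaults write, so the same keys can be read back to verify that a server still matches the suggested configuration. The following added example is not part of Apple's guide: it is a POSIX shell audit that reads the system-wide keys recommended in this chapter (Dock autohide, the IR receiver, the application firewall state, and Time Machine) with defaults read and reports which ones deviate. DEFAULTS_CMD is a hook that belongs to this example, not to defaults; it lets you point the audit at a stub for a dry run on another system. Per-user keys written with -currentHost (screen saver idle time and askForPassword) must be read from within that user's session and are not covered here.

```shell
#!/bin/sh
# Added example: audit system-wide preferences against the settings this
# chapter recommends. Not from Apple's guide. DEFAULTS_CMD is this example's
# own hook: leave it at "defaults" on a server, or point it at a stub.
: "${DEFAULTS_CMD:=defaults}"

# read_pref DOMAIN KEY -> prints the value defaults reports, or "unset" when
# the key (or the whole plist) does not exist. defaults read prints booleans
# as 1 or 0, so the allowed values below are digits.
read_pref() {
    $DEFAULTS_CMD read "$1" "$2" 2>/dev/null || echo unset
}

# check_pref LABEL DOMAIN KEY ALLOWED... -> prints a PASS/FAIL line and
# returns 0 or 1. Several ALLOWED values may be given (firewall 1 or 2).
check_pref() {
    cp_label=$1; cp_domain=$2; cp_key=$3
    shift 3
    cp_actual=$(read_pref "$cp_domain" "$cp_key")
    for cp_ok in "$@"; do
        if [ "$cp_actual" = "$cp_ok" ]; then
            echo "PASS  $cp_label ($cp_key=$cp_actual)"
            return 0
        fi
    done
    echo "FAIL  $cp_label ($cp_key=$cp_actual, expected one of: $*)"
    return 1
}

# audit_preferences -> one line per check; the return value is the number of
# checks that failed, so a caller can branch on it.
audit_preferences() {
    ap_fails=0
    check_pref "Dock hidden when not in use" \
        /Library/Preferences/com.apple.dock autohide 1 \
        || ap_fails=$((ap_fails + 1))
    check_pref "IR receiver disabled" \
        /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled 0 \
        || ap_fails=$((ap_fails + 1))
    check_pref "Application firewall on" \
        /Library/Preferences/com.apple.alf globalstate 1 2 \
        || ap_fails=$((ap_fails + 1))
    check_pref "Time Machine enabled" \
        /Library/Preferences/com.apple.TimeMachine AutoBackup 1 \
        || ap_fails=$((ap_fails + 1))
    echo "$ap_fails check(s) failed"
    return $ap_fails
}
```

On a server, run audit_preferences as root (sudo sh) so the plists under /Library/Preferences are readable; the domain arguments are the same paths the chapter's defaults write commands use. A key that has never been written reads back as "unset", which the audit treats as a failure rather than silently assuming the default.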
Securing Bluetooth Settings
If you have a Bluetooth module installed in your computer or if you are using an external USB Bluetooth module, you can set up your computer to use Bluetooth to send and receive files with other Bluetooth-enabled computers or devices. You can control how your computer handles files that are exchanged between Bluetooth devices. You can choose to accept or refuse files sent to your computer and choose which folder other devices can browse.

By default, Bluetooth Sharing is turned off and should remain off when it is not used. This prevents unauthorized users from accessing your computer.

Restricting Access to Specified Users
If you are in an environment where you would like to share files with another computer or device, use the Bluetooth Sharing options and Bluetooth preferences to securely enable Bluetooth and avoid unauthorized access to your computer. Bluetooth options should always require pairing and be set to Ask What to Do when receiving or sharing items.

When configuring Bluetooth preferences, to secure Bluetooth sharing, use the Discoverable option only while you are setting up the Bluetooth computer or device. After the device is configured, disable the Discoverable option to prevent unauthorized users from discovering your Bluetooth connection. In the advanced section of Bluetooth preferences, make sure that Allow Bluetooth devices to wake this computer and Share my internet connection with other Bluetooth devices are not selected.

From the command line:
# Bluetooth Sharing
# -----------------------------
# Default Setting.
# Bluetooth Sharing: Disabled
# Suggested Setting.
# Disable Bluetooth Sharing.
sudo defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0
# Available Settings.
# Bluetooth Sharing.
# Disabled
# Enabled
Securing Network Preferences
To secure Network preferences, disable unused hardware devices listed in Network preferences and IPv6. You should also use a static IP address when possible. A DHCP IP address should be used only if necessary.

Disabling Unused Hardware Devices
Consider disabling unused hardware devices listed in Network preferences (shown below). Enabled, unused devices (such as AirPort and Bluetooth) are a security risk. Hardware is listed in Network preferences only if the hardware is installed in the computer.

When configuring your computer for network access, use a static IP address when possible. A DHCP IP address should be used only if necessary.

Some organizations use IPv6, a new version of the Internet protocol (IP). The primary advantage of IPv6 is that it increases the address size from 32 bits (the current IPv4 standard) to 128 bits. An address size of 128 bits is large enough to support a large number of addresses. This allows more addresses or nodes than are otherwise available. IPv6 also provides more ways to set up the address and simplifies autoconfiguration.

By default IPv6 is configured automatically, and the default settings are sufficient for most computers that use IPv6. You can also configure IPv6 manually. If your organization's network cannot use or does not require IPv6, turn it off.

To securely configure Network preferences:
1  Open Network preferences.
2  From the list of hardware devices, select the hardware device you don't use (for example, AirPort, Ethernet, or FireWire).
3  Click the Action button below the list of hardware devices and select Make Service Inactive.
4  Repeat steps 2 and 3 to deactivate the devices that you don't use.
5  From the list of hardware devices, select the hardware device you use to connect to your network (for example, AirPort or Ethernet).
6  From the Configure IPv4 pop-up menu, choose Manually. Enter your static IP address, Subnet Mask, Router, DNS Server, and Search Domain configuration settings.
7  Click Advanced.
   A screen similar to the following appears:
8  In the Configure IPv6 pop-up menu, choose Off. If you frequently switch between AirPort and Ethernet, you can disable IPv6 for AirPort and Ethernet or any hardware device that you use to connect to your network.
9  Click OK.
From the command line:
# Securing Network Preferences
# -----------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable IPv6, where $interface is the name of the network service.
sudo networksetup -setv6off $interface
# Available Settings.
# The interface value can be AirPort, Bluetooth, Ethernet, or FireWire

Securing Print & Fax Preferences
The Print & Fax preferences screen looks like this:

Use printers only in a secure location. If you print confidential material in an insecure location, the material might be viewed by unauthorized users.

Be careful when printing to a shared printer. Doing so allows other computers to capture the print job directly. Another computer can be maliciously monitoring and capturing confidential data being sent to the real printer. In addition, unauthorized users can add items to your print queue without authenticating.

Your printer can be accessed using the CUPS web interface (http://localhost:631). By default:
• The CUPS web interface cannot be accessed remotely. It can only be accessed by the localhost.
• The titles of all print jobs are available to all users of the system.
• The titles of all print jobs are available to everyone with access to the CUPS web interface.

CUPS also offers the ability to browse the network for available printers. Manually specifying available printers is more secure.

You can create policies in CUPS that restrict users from such actions as canceling jobs or deleting printers using the CUPS web interface. For more information about creating CUPS policies, see: http://localhost:631/help/policies.html

To avoid an additional avenue of attack, don't receive faxes on your computer.

To securely configure Print & Fax preferences:
1  Open Print & Fax preferences and select a fax from the equipment list.
2  Click Receive Options.
   A screen similar to the following appears:
3  Deselect Receive faxes on this computer.
4  Click OK.
5  Select a printer from the equipment list.
6  Deselect Share this printer on the network.

From the command line:
# Securing Print & Fax Preferences
# -----------------------------
# Default Setting.
# Disabled
# Suggested Setting.
# Disable the receiving of faxes.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.efax.plist
# Disable printer sharing, where $TEMP_FILE is a scratch copy of cupsd.conf.
# The edited copy is written back through "sudo tee": a plain ">" redirection
# is performed by the unprivileged shell and fails on /etc/cups/cupsd.conf.
sudo cp /etc/cups/cupsd.conf $TEMP_FILE
if /usr/bin/grep -q "Port 631" /etc/cups/cupsd.conf
then
    sudo /usr/bin/sed "/^Port 631.*/s//Listen localhost:631/g" $TEMP_FILE | \
        sudo tee /etc/cups/cupsd.conf > /dev/null
else
    echo "Printer Sharing not on"
fi
# Available Settings.
# Enabled or Disabled

Securing Security Preferences
The settings in Security preferences cover a range of Snow Leopard Server security features, including login options, FileVault, and firewall protection.

General Security
Consider the following general security guidelines:
• Wake computer: Require a password to wake this computer from sleep or screen saver. This helps prevent unauthorized access on unattended computers. Although there is a lock button for Security preferences, users don't need to be authorized as an administrator to make changes. Enable this password requirement for every user account on the computer.
• Automatic login: Disabling automatic login is necessary for any level of security. If you enable automatic login, an intruder can log in without authenticating. Even if you automatically log in with a restricted user account, it is still easier to perform malicious actions on the computer.
• Location Services: Disabling location services prevents information about the location of your computer from being provided to applications.
• Infrared receiver: If you are not using a remote control, disable the infrared receiver. This prevents unauthorized users from controlling your computer through the infrared receiver. If you use an Apple IR Remote Control, pair it to your computer by clicking Pair. When you pair it, no other IR remote can control your computer.

FileVault Security
Mac OS X includes FileVault, which encrypts information in your home folder. FileVault uses the government-approved 128-bit (AES-128) encryption standard keys, and supports the Advanced Encryption Standard with 256-bit (AES-256) keys. For more information about data encryption, see Chapter 8, "Securing Data and Using Encryption." For more information about FileVault, see "Encrypting Home Folders" on page 151.

To securely configure Security preferences:
1  Open Security preferences.
2  In the General pane, select the following:
   • Require password immediately after sleep or screen saver begins
3  Select the Disable Location Services checkbox, if available.
4  Select the Disable remote control infrared receiver checkbox.
5  In the FileVault pane, click Turn on FileVault.
6  Enter a password in the Master Password and verify fields.
7  Authenticate with your account password.
8  Select Use secure erase and click Turn on FileVault.
9  Restart the computer.

From the command line:
# Securing Security Preferences
# -----------------------------
# Default Setting.
# Required Password Wake: Disabled
# Automatic Login: Disabled
# Password Unlock Preferences: Enabled
# Secure Virtual Memory is Enabled on Portable computer and is Disabled
# on Desktop computers.
# IR remote control: Enabled
# FileVault: Disabled
# Suggested Setting.
# Enable Require password to wake this computer from sleep or screen saver.
sudo defaults -currentHost write com.apple.screensaver askForPassword -int 1
# Disable IR remote control.
sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no
# Enable FileVault.
# To enable FileVault for new users, use this command.
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/\
createmobileaccount
# Enable Firewall.
# Replace value with
# 0 = off
# 1 = on for specific services
# 2 = on for essential services
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int value

Securing Sharing Preferences
By default, every service listed in Sharing preferences is disabled except for remote login (SSH). Do not enable these services unless you use them. The following services are described in detail in Snow Leopard Security Configuration.

Service               Description
DVD or CD Sharing     Allows users of other computers to remotely use the DVD or CD drive on your computer.
Screen Sharing        Allows users of other computers to remotely view and control the computer.
Scanner Sharing       Allows other computers to access a scanner connected to this computer.
Remote Login          Allows users to access the computer remotely by using SSH. If you require the ability to perform remote login, SSH is more secure than telnet, which is disabled by default.
Remote Management     Allows the computer to be accessed using Apple Remote Desktop.
Remote Apple Events   Allows the computer to receive Apple events from other computers.
Bluetooth Sharing     Allows other Bluetooth-enabled computers and devices to share files with your computer.

By default your computer's host name is typically firstname-lastname-computer, where firstname and lastname are the system administrator's first name and last name, respectively, and computer is the type of computer or "Computer." When users use Bonjour to discover available services, your computer appears as hostname.local. To increase privacy, change your computer's host name so you are not identified as the owner of your computer.

For more information about these services and the firewall and sharing capabilities of Snow Leopard, see Snow Leopard Security Configuration.

To securely configure Sharing preferences:
1  Open Sharing preferences.
2  Change the default computer name to a name that does not identify you as the owner.

From the command line:
# Securing Sharing Preferences
# -----------------------------
# Default Setting.
# $host_name = User's Computer
# Suggested Setting.
# Change computer name where $host_name is the name of the computer.
sudo systemsetup -setcomputername $host_name
# Change computer Bonjour host name.
sudo scutil --set LocalHostName $host_name
# Available Setting.
# The host name cannot contain spaces or other non-DNS characters.

Securing Software Update Preferences
Your Software Update preferences configuration depends on your organization's policy. For example, if your computer is connected to a managed network, the management settings determine what software update server to use.

Instead of using Software Update (shown here), you can also update your computer by using installer packages. You can install and verify updates on a test computer before installing them on your operational computer. For more information about how to manually update your computer, see "Updating Manually from Installer Packages" on page 48.

After transferring installer packages to your computer, verify the authenticity of the installer packages. For more information, see "Verifying the Integrity of Software" on page 50.

When you install a software update using Software Update or an installer package, you must authenticate with an administrator's name and password. This reduces the chance of accidental or malicious installation of software updates. Software Update will not install a software package that has not been digitally signed by Apple.

To disable automated Software Updates:
1  Open Software Update preferences.
2  Click the Scheduled Check pane.
3  Deselect Download important updates automatically and Check for updates.

From the command line:
# Securing Software Update Preferences
# -----------------------------
# Default Setting.
# Check for Updates: Enabled
# Check Updates: Weekly
# Suggested Setting.
# Disable Check for updates and Download important updates automatically.
sudo softwareupdate --schedule off
# Available Setting.
# Check for Updates: Enabled or Disabled
# Check Updates: Daily, Weekly, Monthly

Securing Sound Preferences
Many Apple computers include an internal microphone. You can use Sound preferences (shown below) to disable the internal microphone and the line in port.

To securely configure Sound preferences:
1  Open Sound preferences.
   A screen similar to the following appears:
2  Select Internal microphone (if present), and set Input volume to zero.
3  Select Line In (if present), and set Input volume to zero. This ensures that Line In is the device selected rather than the internal microphone when Sound preferences is closed. This provides protection from inadvertent use of the internal microphone.

From the command line:
# Securing Sound Preferences
# -----------------------------
# Default Setting.
# Internal microphone or line in: Enabled
# Suggested Setting.
# Disable internal microphone or line in.
# This command does not change the input volume for input devices. It
# only sets the default input device volume to zero. The AppleScript must
# be passed to osascript as one quoted argument.
sudo osascript -e "set volume input volume 0"
# Available Setting.
# Internal microphone or line in: Enabled or Disabled

Securing Speech Preferences
Snow Leopard Server includes speech recognition and text-to-speech features, which are disabled by default. Enable these features only if you work in a secure environment where no one can hear you speak to the computer, or hear the computer speak to you. Also make sure no audio recording devices can record your communication with the computer.

The following shows the Speech preferences pane:

The following shows the Text to Speech pane:

If you enable text-to-speech, use headphones to keep others from overhearing your computer.

To securely configure Speech preferences:
1  Open Speech preferences.
2  Click the Speech Recognition pane and set Speakable Items On or Off. Change the setting according to your environment.
3  Click the Text to Speech pane and change the settings according to your environment.

From the command line:
# Securing Speech Preferences
# -----------------------------
# Default Setting.
# Speech Recognition: Disabled
# Text to Speech: Enabled
# Suggested Setting.
# Disable Speech Recognition.
sudo defaults write "com.apple.speech.recognition.AppleSpeechRecognition.prefs" StartSpeakableItems -bool false
# Disable Text to Speech settings.
sudo defaults write "com.apple.speech.synthesis.general.prefs" TalkingAlertsSpeakTextFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenNotificationAppActivationFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenUIUseSpeakingHotKeyFlag -bool false
sudo defaults delete "com.apple.speech.synthesis.general.prefs" TimeAnnouncementPrefs
# Available Setting.
# Each item can be set to ON or OFF.
# OFF: -bool false
# ON: -bool true

Securing Spotlight Preferences
You can use Spotlight to search your computer for files. Spotlight searches the name and meta-information associated with each file and the contents of each file. Spotlight finds files regardless of their placement in the file system. You must still properly set access permissions on folders containing confidential files. For more information about access permissions, see Chapter 8, "Securing Data and Using Encryption."

The Spotlight preferences Search Results pane appears:

By placing specific folders or disks in the Privacy pane, you can prevent Spotlight from searching them.

Disable the searching of folders that contain confidential information. Consider disabling top-level folders. For example, if you store confidential documents in subfolders of ~/Documents/, instead of disabling each folder, disable ~/Documents/. By default, the entire system is available for searching using Spotlight.

To securely configure Spotlight preferences:
1  Open Spotlight preferences.
2  In the Search Results pane, deselect categories you don't want searchable by Spotlight.
3  Click the Privacy pane.
4  Click the Add button, or drag a folder or disk into the Privacy pane. Folders and disks in the Privacy pane are not searchable by Spotlight.

Note: To prevent users from reenabling Spotlight, remove the rights to access the .Spotlight-V100 folder at the root level of your drive (/.Spotlight-V100/).

From the command line:
# Securing Spotlight Preferences
# -----------------------------
# Default Setting.
# ON for all volumes
# Suggested Setting.
# Disable Spotlight for a volume and erase its current metadata, where
# $volumename is the volume (its mount point, for example /Volumes/Data).
sudo mdutil -E -i off $volumename
# Available Setting.
# Spotlight can be turned ON or OFF for each volume.

For more information, enter man mdutil in a Terminal window.

Securing Startup Disk Preferences
You can use Startup Disk preferences (shown below) to make your computer start up from a CD, a network volume, a different disk or disk partition, or another operating system. Be careful when selecting a startup volume:
• Choosing a network install image reinstalls your operating system and might erase the contents of your hard disk.
• If you choose a FireWire volume, your computer starts up from the FireWire disk plugged into the current FireWire port for that volume. If you connect a different FireWire disk to that FireWire port, your computer starts from the first valid Snow Leopard Server volume available to the computer (if you have not enabled the firmware password).
• When you enable a firmware password, the FireWire volume you select is the only volume that can start the computer. The computer firmware locks the FireWire Bridge Chip GUID as a startup volume instead of the hard disk's GUID (as is done with internal hard disks). If the disk inside the FireWire drive enclosure is replaced by a new disk, the computer can start from the new disk without using the firmware password. To avoid this intrusion, make sure your hardware is physically secured. Firmware can also have a list of FireWire volumes that are approved for system startup. For information about physically protecting your computer, see "Protecting Hardware" on page 52.

In addition to choosing a new startup volume from Startup Disk preferences, you can restart in Target Disk Mode. When your computer is in Target Disk Mode, another computer can connect to your computer and access your computer's hard disk. The other computer has full access to all files on your computer. All file permissions for your computer are disabled in Target Disk Mode.

To enter Target Disk Mode, hold down the T key during startup. You can prevent the startup shortcut for Target Disk Mode by enabling a firmware password. If you enable a firmware password, you can still restart in Target Disk Mode using Startup Disk preferences. For more information about enabling a firmware password, see "Using the Firmware Password Utility" on page 64.

To select a startup disk:
1  Open Startup Disk preferences.
2  Select a volume to use to start up your computer.
3  Click the Restart button to restart from the selected volume.

From the command line:
# Securing Startup Disk Preferences
# -----------------------------
# Default Setting.
# Startup Disk = Macintosh HD
# Suggested Setting.
# Set startup disk, where $path is the path of the boot volume.
sudo systemsetup -setstartupdisk $path
# Available Setting.
# Startup Disk = Valid Boot Volume

Securing Time Machine Preferences
Time Machine (shown below) makes an up-to-date copy of everything on your Mac (digital photos, music, movies, downloaded TV shows, and documents) and lets you easily go back in time to recover files. Time Machine is off by default. After you enable Time Machine for the first time, no authentication is required and subsequent changes require authentication.

Information stored on your backup disk is not encrypted and can be read by other computers that are connected to your backup disk. Keep your backup disk in a physically secure location to prevent unauthorized access to your data.

To enable Time Machine:
1  Open Time Machine preferences.
2  Slide the switch to ON.
   A screen similar to the following appears:
3  Select the disk where backups will be stored, and click Use for backup.

From the command line:
# Securing Time Machine Preferences
# -----------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Enable Time Machine.
sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1
# Available Setting.
# 0 (OFF) or 1 (ON)

Securing Universal Access Preferences
Universal Access preferences are disabled by default. However, if you use an assistive device, follow these guidelines:
• To prevent possible security risks, see the device manual.
• Enabling VoiceOver configures the computer to read the contents under the cursor out loud, which might disclose confidential data.
• These devices allow access to the computer that could reveal or store user input information.

From the command line:
# Securing Universal Access Preferences
# -----------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Disable VoiceOver service (these are per-user launch agents, so run the
# commands as the user in question).
launchctl unload -w /System/Library/LaunchAgents/com.apple.VoiceOver.plist
launchctl unload -w /System/Library/LaunchAgents/com.apple.ScreenReaderUIServer.plist
launchctl unload -w /System/Library/LaunchAgents/com.apple.scrod.plist
# Available Setting.
# None

7  Securing System Swap and Hibernation Storage

Use this chapter to protect data in swap files from being readable.

The data that an application writes to random-access memory (RAM) might contain sensitive information, such as user names and passwords. Mac OS X writes the contents of RAM to your local hard disk to free memory for other applications. The RAM contents stored on the hard disk are kept in a file called a swap file. While the data is on the hard disk, it can be easily viewed or accessed if the computer is later compromised. You can protect this data by securing the system swap file in case of an attack or theft of your computer.

System Swap File Overview
When your computer is turned off, information stored in RAM is lost, but information stored by virtual memory in a swap file can remain on your hard drive in unencrypted form. The Mac OS X virtual memory system creates this swap file in order to reduce problems caused by limited memory. The virtual memory system can swap data between your hard disk and RAM.

It's possible that sensitive information in your computer's RAM will be written to your hard disk in the swap file while you are working, and remain there until overwritten. This data can be compromised if your computer is accessed by an unauthorized user, because the data is stored on the hard disk unencrypted.

When your computer goes into hibernation, it writes the content of RAM to the /var/vm/sleepimage file. The sleepimage file contains the contents of RAM unencrypted, similar to a swap file.

You can prevent your sensitive RAM information from being left unencrypted on your hard disk by enabling secure virtual memory to encrypt the swap file and the /var/vm/sleepimage file (where your hibernation files are stored).

Note: Using FileVault in combination with the Secure Virtual Memory feature provides protection from attacks on your sensitive data when it is stored on the hard disk.

Encrypting System Swap
You can prevent sensitive information from remaining on your hard disk and eliminate the security risk by using secure virtual memory. Secure virtual memory encrypts the data being written to disk. You must restart the server for the change to take effect.

To turn on secure virtual memory from the command line:
#
# Securing System Swap and Hibernation Storage
# -----------------------------
# Enable secure virtual memory.
sudo defaults write /Library/Preferences/com.apple.virtualMemory \
    UseEncryptedSwap -bool YES
# Restart to take effect.
# sudo shutdown -r now

8  Securing Data and Using Encryption

Use this chapter to learn how to set POSIX, ACL, and global file permissions, to encrypt home folders and portable files, and to securely erase data.

Your data is the most valuable part of your computer. By using encryption you can protect data in the case of an attack or theft of your mobile computer. By setting global permissions, encrypting home folders, and encrypting portable data you can be sure your data is secure. In addition, by using the secure erase feature of Snow Leopard, deleted data is completely erased from the computer.

About Transport Encryption
Any data that is transferred to or from the server can be kept secure by either encrypting the transmission, the payload, or both. Transferring data securely across a network involves encrypting the packet contents sent between computers.

Mac OS X Server can provide Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), as the cryptographic protocols that provide secure communications on the Internet for such things as web browsing, mail, and other data transfers. These encryption protocols allow client and server applications to communicate in a way that helps prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography.

These encrypted connections authenticate the server (so its identity is ensured) but the client remains unauthenticated. To have mutual authentication (where each side of the connection is assured of the identity of the other), use a public key infrastructure (PKI) for the connecting clients.

Mac OS X Server makes use of OpenSSL and has integrated transport encryption into the following tools and services:
• Server administration using Server Admin and Server Preferences
• User and group management using Workgroup Manager
• Address Book Server
• iCal Server
• iChat Server
• Mail Service
• Open Directory
• Podcast Producer
• RADIUS
• SSH
• VPN (L2TP)
• Web service

Each service requires transport encryption to be enabled individually. For more information on securing data transmission for a service, see the service's configuration details.

About Payload Encryption
Rather than encrypting the transfer of a file across the network, you can encrypt the contents of the file instead. Files with strong encryption might be captured in transit, but are still unreadable. Most transport encryption requires the participation of both parties in the transaction. Some services (such as SMTP mail service) can't reliably use such techniques, so encrypting the file itself is the only method of reliably securing the file content.

To learn more about encrypting your files, see "Encrypting Portable Files" on page 155.

About File and Folder Permissions
You protect files and folders by setting permissions that restrict or allow users to access them. Snow Leopard supports two methods of setting file and folder permissions:
• Portable Operating System Interface (POSIX) permissions: standard for UNIX operating systems.
AccessControlLists(ACLs)permissionsusedbyMacOSXandcompatiblewithMicrosoftWindowsServer2003andMicrosoftWindowsXP.ACLusesPOSIXwhenverifyingfileandfolderpermissions.TheprocessACLusestodetermineifanactionisallowedordeniedincludesspecificrulescalledaccesscontrolentries(ACEs).IfnoACEsapply,standardPOSIXpermissionsdetermineaccess.Chapter8SecuringDataandUsingEncryption 141SettingPOSIXPermissionsSnowLeopardbasesfilepermissionsonPOSIXstandardpermissionssuchasfileownershipandaccess.Eachsharepoint,file,andfolderhasread,write,andexecutepermissiondefinedforthreecategoriesofusers:owner,group,andeveryone.YoucanassignfourtypesofstandardPOSIXaccesspermissionstoasharepoint,folder,orfile:Read&Write,ReadOnly,WriteOnly,andNone.ViewingPOSIXPermissionsYoucanassignstandardPOSIXaccesspermissionstothesecategoriesofusers: OwnerThisisauserwhocreatesanitem(fileorfolder)ontheserverthatisitsownerandhasRead&Writepermissionsforthatfolder.Bydefaulttheownerofanitemandtheserveradministratorcanchangetheitemsaccessprivileges(allowagrouporeveryonetousetheitem).Theadministratorcanalsotransferownershipoftheshareditemtoanotheruser. GroupYoucanputuserswhoneedthesameaccesstofilesandfoldersintogroupaccounts.Assignaccesspermissionstoashareditemtoonegrouponly.Formoreinformationaboutcreatinggroups,seetheUserManagementguide. 
• Everyone: This is any user who can log in to the file server (registered users and guests).

Before setting or changing POSIX permissions, view the current permission settings.

To view folder or file permissions:
1 Open Terminal.
2 Run the ls command:
    ls -l
  Output similar to the following appears:
    computer:~/Documents ajohnson$ ls -l
    total 500
    drwxr-xr-x  2 ajohnson  staff     68 Apr 28  2006 NewFolder
    -rw-r--r--  1 ajohnson  staff  43008 Apr 14  2006 file.txt

Note: The ~ refers to your home folder, which in this case is /Users/ajohnson. ~/Documents/ is the current working folder.

You can also use the Finder to view POSIX permissions. In the Finder, Control-click a file and choose Get Info. Open the Ownership & Permissions disclosure triangle to view POSIX permissions.

Interpreting POSIX Permissions

To interpret POSIX permissions, read the first 10 characters of the long format output listed for a file or folder. For example:
    drwxr-xr-x  2 ajohnson  staff     68 Apr 28  2006 NewFolder
    -rw-r--r--  1 ajohnson  staff  43008 Apr 14  2006 file.txt

In this example, NewFolder has the POSIX permissions drwxr-xr-x and has an owner and group of ajohnson. Permissions are as follows:
• The d of the POSIX permissions signifies that NewFolder is a folder.
• The first three letters after the d (rwx) signify that the owner has read, write, and execute permission for that folder.
• The next three characters, r-x, signify that the group has read and execute permission.
• The last three characters, r-x, signify that all others have read and execute permission.

In this example, users who can access ajohnson's ~/Documents/ folder can open the NewFolder folder but can't modify or open the file.txt file.

Read POSIX permissions are propagated through the folder hierarchy. Although NewFolder has drwxr-xr-x privileges, only ajohnson can access the folder. This is because ajohnson's ~/Documents/ folder has drwx------ POSIX permissions.

By default, most user folders have drwx------ POSIX permissions. However, only the ~/, ~/Sites/, and ~/Public/ folders have drwxr-xr-x permissions. These permissions allow other people to view folder contents without authenticating. If you don't want other people to view the contents, change the permissions to drwx------.

In the ~/Public/ folder, the Drop Box folder has drwx-wx-wx POSIX permissions. This allows other users to add files into ajohnson's drop box but they can't view the files.

You might see a t for others' privileges on a folder used for collaboration. This t is sometimes known as the sticky bit. Enabling the sticky bit on a folder prevents people from overwriting, renaming, or otherwise modifying other people's files. This can be common if several people are granted rwx access. The sticky bit being set can appear as t or T, depending on whether the execute bit is set for others:

• If the execute bit appears as t, the sticky bit is set and has searchable and executable permissions.
• If the execute bit appears as T, the sticky bit is set but does not have searchable or executable permissions.

For more information, see the sticky man page.

Modifying POSIX Permissions

After you determine the current POSIX permission settings, you can modify them using the chmod command.

To modify POSIX permissions:
1 In Terminal, enter the following to add write permission for the group to file.txt:
    chmod g+w file.txt
2 View the permissions using the ls command.
    ls -l
3 Validate that the permissions are correct.
    computer:~/Documents ajohnson$ ls -l
    total 12346
    drwxr-xr-x  2 ajohnson  staff     68 Apr 28  2006 NewFolder
    -rw-rw-r--  1 ajohnson  staff  43008 Apr 14  2006 file.txt

For more information, see the chmod man page.

Setting File and Folder Flags

You can also protect files and folders by using flags. These flags, or permission extensions, override standard POSIX permissions. They can only be set or unset by the file's owner or an administrator using sudo. Use flags to prevent the system administrator (root) from modifying or deleting files or folders. To enable and disable flags, use the chflags command.

Viewing Flags

Before setting or changing file or folder flags, view the current flag settings.

To display flags set on a folder:
    ls -lo secret
    -rw-r--r--  1 ajohnson  staff  uchg  0 Mar  1 07:54 secret

This example displays the flag settings for a folder named secret.

Modifying Flags

After you determine the current file or folder flag settings, modify them using the chflags command.

To lock or unlock a folder using flags:
    sudo chflags uchg folderName

In this example, the folder named secret is locked. To unlock the folder, change uchg to nouchg:
    sudo chflags nouchg secret

For more information, see the chflags man page.

Setting ACL Permissions

For greater flexibility in configuring and managing file permissions, Snow Leopard Server implements ACLs. An ACL is an ordered list of rules called ACEs that control file permissions. Each ACE contains the following components:
• User: owner, group, and other
• Action: read, write, or execute
• Permission: allow or deny the action

The rules specify the permissions to be granted or denied to a group or user and control how the permissions are propagated through a folder hierarchy.

ACLs in Snow Leopard Server let you set file and folder access permissions for multiple users and groups, in addition to standard POSIX permissions. This makes it easy to set up collaborative environments for file sharing and uninterrupted workflows without compromising security. Snow Leopard Server has implemented file system ACLs that are fully compatible with Microsoft Windows Server 2003 and Windows XP.

To determine if an action is allowed or denied, ACEs are considered in order. The first ACE that applies to a user and action determines the permission and no further ACEs are evaluated. If no ACEs apply, standard POSIX permissions determine access.

WARNING: There is an schg option for the chflags command. It sets the system immutable flag. This setting can only be undone when the computer is in single-user mode. If this is done on a RAID, Xsan, or other storage device that cannot be mounted in single-user mode, the only way to undo the setting is to reformat the RAID or Xsan device.

Enabling ACL Permissions

By default, ACLs are enabled in Snow Leopard Server. If they are turned off, you must enable the volume to support ACLs. The following example uses the fsaclctl command to enable ACLs on a Snow Leopard Server startup volume:
    sudo /usr/sbin/fsaclctl -p / -e

For more information, enter fsaclctl in a Terminal window.

Modifying ACL Permissions

You can set ACL permissions for files. The chmod command enables an administrator to grant read, write, and execute privileges to specific users for a single file.

To set ACL permissions for a file:
1 Allow specific users to access specific files. For example, to allow Anne Johnson permission to read the file secret.txt, enter the following in Terminal:
    chmod +a "ajohnson allow read" secret.txt
2 Allow specific groups of users to access specific files. For example, to allow the engineers group permission to delete the file secret.txt, enter the following in Terminal:
    chmod +a "engineers allow delete" secret.txt
3 Deny access privileges to specific files. For example, to prevent Tom Clark from modifying the file secret.txt, enter the following in Terminal:
    chmod +a "tclark deny write" secret.txt
4 View and validate the ACL modifications with the ls command:
    ls -le secret.txt
    -rw-------  1 ajohnson  admin  43008 Apr 14  2006 secret.txt
     0: ajohnson allow read
     1: tclark deny write
     2: engineers allow delete

For more information, enter man chmod in a Terminal window.

Changing Global Umask for Stricter Default Permissions

Every file or folder has POSIX permissions associated with it. When you create a file or folder, the umask setting determines these POSIX permissions. The umask value is subtracted from the maximum permissions value (777) to determine the default permission value of a newly created file or folder. For example, a umask of 022 results in a default permission of 755.

The default umask setting 022 (in octal) removes group and other write permissions. Group members and other users can read and run these files or folders. Changing the umask setting to 027 enables group members to read files and folders and prevents others from accessing the files and folders. If you want to be the only user to access your files and folders, set the umask setting to 077.

To change the globally defined umask setting, change the umask setting in /etc/launchd.conf. You must be logged in as a user who can use sudo to perform these operations and you must use the decimal equivalent, not an octal number.

Note: Users and applications can override default umask settings at any time for their own files.

To change the global umask file permission:
1 Sign in as a user who can use sudo.
2 Open Terminal.
3 Change the umask setting (the append to /etc/launchd.conf must itself run with root privileges, so the line is written through sudo tee):
    echo "umask 027" | sudo tee -a /etc/launchd.conf
  This example sets the global umask setting to 027.
4 Log out. Changes to umask settings take effect at the next login.

Users can use the Finder's Get Info window or the chmod command-line tool to change permissions for files and folders.

WARNING: Many installations depend on the default umask setting. There can be unintended and possibly severe consequences to changing it. Instead, use inherited permissions, which are applied by setting permissions on a folder. All files contained in that folder will inherit the permissions of that folder.

Restricting Setuid Programs

When applied to a program, the POSIX setuid (set user ID) permission means that when the program runs, it will run at the privilege level of the file's owner. The POSIX setgid (set group ID) permission is analogous. To see an example of a file with the setuid bit, run the ls command on the ping program as follows:
    ls -l /sbin/ping
    -r-sr-xr-x  1 root  wheel  68448 Nov 28  2007 /sbin/ping

The setuid bit is represented with an s in the field of permissions, in the position that contains the file owner's execute permission. The program runs with the privilege level of the file's owner. The owner of the file is root, so when ping is executed, no matter who executes it, it runs as root. For setgid programs, an s appears in the group execute permission and the file runs with the privileges of the group owner.

The setuid bit is necessary for many programs on the system to perform the specific, privileged tasks for which they are designed. The ping program, for example, is setuid because it must be able to engage in network communication that is only possible with root privileges.

To find setuid programs on the system, use the following command:
    sudo find / -perm -04000 -ls

To find setgid programs, use -02000 instead of -04000.

Mac OS X includes approximately 75 setuid programs. Many of these programs need the setuid bit for normal system operation. However, other programs may need the setuid bit only if certain functionality is needed, or only if administrators need to use the program.

Because attackers try to influence or co-opt the execution of setuid programs to try to elevate their privileges, there is benefit in removing the setuid bit from programs that may not need it. There is also benefit in restricting to administrators the right to execute a setuid program.

If a program is needed but has had its setuid bit stripped, an administrator can run the program using sudo, which runs the program as the root user. An administrator can also temporarily enable the setuid bit while the program is needed, and then disable it again afterward.

Stripping Setuid Bits

To strip the setuid or setgid bit from a program, use the following command:
    sudo chmod -s programname

The following programs can have their setuid bit removed, unless needed for the purpose shown in the second column:

Application                                        Related Service
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
                                                   Apple Remote Desktop
/usr/bin/at                                        Job Scheduler
/usr/bin/atq                                       Job Scheduler
/usr/bin/atrm                                      Job Scheduler
/usr/bin/crontab                                   Job Scheduler
/usr/bin/postdrop                                  Postfix Mail
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum
                                                   Performing Privileged File Operations using Finder
/usr/bin/postqueue                                 Postfix Mail Queue
/usr/bin/procmail                                  Mail Processor
/usr/bin/wall                                      User Messaging
/usr/bin/write                                     User Messaging
/usr/bin/chrfn                                     Change Finger Information
/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper
                                                   Printing
/usr/sbin/traceroute                               Trace Network Path
/usr/sbin/traceroute6                              Trace Network Path
/sbin/mount_fs                                     Mounting NFS Filesystems
/usr/bin/ipcs                                      IPC Statistics
/bin/rcp                                           Remote Access (unsecure)
/usr/bin/rlogin                                    Remote Access (unsecure)
/usr/bin/rsh                                       Remote Access (unsecure)
/usr/lib/sa/sadc                                   System Activity Reporting
/usr/sbin/scselect                                 Allowing non-administrators to change Network Location

Important: The Repair Permissions feature of Disk Utility reenables the setuid bit on these programs. Software updates may also reenable the setuid bit on these programs. To achieve some persistence for the permissions change, create a shell script to strip the bits and then implement a launchd job (for the root account) to execute this script every half hour. This ensures that no more than half an hour passes from the time a system update is applied until the setuid bits are removed. For information about how to set up a launchd job, see Introduction to Command-Line Administration, available at www.apple.com/server/macosx/resources/.

Using ACLs to Restrict Usage of Setuid Programs

You can also use the ACL feature of Mac OS X to restrict the execution of setuid programs. Restricting the execution of setuid programs to administrators prevents other users from executing those programs. It should also prevent attackers who have ordinary user privileges from executing the setuid program and trying to elevate their privileges.

All users on the system are in the staff group, so the commands below allow members of the admin group to execute but deny that right to members of the staff group:
    sudo chmod +a "group:staff deny execute" programname
    sudo chmod +a# 0 "group:admin allow execute" programname

To view the ACL:
    ls -le programname

The output looks something like this:
    -r-sr-xr-x+  1 root  wheel  12345 Nov 28  2007 programname
     0: group:admin allow execute
     1: group:staff deny execute

Because the ACL is evaluated in order from top to bottom, users in the admin group are permitted to execute the program. The following rule denies that right to all users.

Important: Although the Repair Permissions feature of Disk Utility does not strip ACLs from programs, software updates might strip these ACLs. In order to achieve some persistence for the ACLs, create a shell script to set the ACLs and then implement a launchd recurring event (for the root account) to execute this script. For information about how to set up a launchd recurring event, consult Introduction to Command-Line Administration, available at www.apple.com/server/macosx/resources/. A launchd recurring event ensures that no more than a specified time period passes between a system update being applied and the ACL being reset.

Because the ACL described above uses the +a# option to place rules in a noncanonical order, its reapplication results in additional rules. The following script can successfully apply and reapply the rules:
    chmod -a "group:admin allow execute" programname
    chmod +a "group:staff deny execute" programname
    chmod +a# 0 "group:admin allow execute" programname

Securing User Home Folders

To secure user home folders, change the permissions of each user's home folder so the folder is not world-readable or world-searchable. When FileVault is not enabled, permissions on the home folder of a user account allow other users to browse the folder's contents. However, users might inadvertently save sensitive files to their home folder, instead of into the more-protected ~/Documents, ~/Library, or ~/Desktop folders.

The ~/Sites, ~/Public, and ~/Public/Drop Box folders in each home folder may require world-readable or world-writeable permissions if File Sharing or Web Sharing is enabled. If these services are not in use, the permissions on these folders can be safely changed to prevent other users from browsing or writing to their contents.

As the owner of his or her home folder, the user can alter the folder's permission settings at any time, and can change these settings back. In Snow Leopard Server all users are members of the staff group, not of a group that has the same name as their username.

Note: Changing permissions on a user's home directory from 750 to 700 will disable Apple file sharing (using the ~/Public directory) and Apple web sharing (using the ~/Sites directory).

To change home folder permissions:
• Enter the following command, replacing username with the name of the account:
    sudo chmod 700 /Users/username

Run this command immediately after someone creates an account.
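The evaluation order described under "Setting ACL Permissions" and "Using ACLs to Restrict Usage of Setuid Programs" (the first ACE that names the user or one of the user's groups for the requested action decides; if none does, the POSIX mode string decides) can be walked through with the following shell script. It is an added example, not code from Apple's guide: the two ls -le listings, the users ajohnson, tclark and bsmith, and the group memberships are constructed for the example, and the script only parses text, so it does not touch any file.

```shell
#!/bin/sh
# Added example (not from Apple's guide): decide whether a user may perform an
# action on a file the way the guide describes. The ACEs from an `ls -le`
# listing are walked in order; the first ACE naming the user (or one of the
# user's groups) together with the action decides, and if no ACE applies the
# POSIX mode string decides. Listings, users and groups below are constructed.

# Constructed listing modelled on the guide's secret.txt example (owner
# ajohnson, group admin, mode -rw-r-----, three ACEs).
LISTING='-rw-r-----+ 1 ajohnson admin 43008 Apr 14 2006 secret.txt
 0: ajohnson allow read
 1: tclark deny write
 2: group:engineers allow delete'

# Constructed listing for a setuid program restricted to administrators, as
# in the guide's "Using ACLs to Restrict Usage of Setuid Programs" section.
SETUID_LISTING='-r-sr-xr-x+ 1 root wheel 12345 Nov 28 2007 programname
 0: group:admin allow execute
 1: group:staff deny execute'

# posix_bit MODE WHO ACTION -> exit 0 if the 10-character mode string grants
# ACTION (read|write|execute) to WHO (owner|group|other). An s or t in an
# execute slot means the execute bit is set together with setuid/setgid/sticky.
posix_bit() {
    mode=$1; who=$2; action=$3
    case $who in owner) off=2 ;; group) off=5 ;; other) off=8 ;; *) return 1 ;; esac
    case $action in read) i=0 ;; write) i=1 ;; execute) i=2 ;; *) return 1 ;; esac
    c=$(printf '%s' "$mode" | cut -c "$((off + i))")
    case $c in r|w|x|s|t) return 0 ;; *) return 1 ;; esac
}

# check_access LISTING USER GROUPS ACTION -> prints "allow ..." or "deny ..."
# naming the ACE or the POSIX bits that decided. GROUPS is a space-separated
# list of the user's group names.
check_access() {
    listing=$1; user=$2; groups=$3; action=$4
    mode=$(printf '%s\n' "$listing" | awk 'NR == 1 { print $1 }')
    owner=$(printf '%s\n' "$listing" | awk 'NR == 1 { print $3 }')
    fgroup=$(printf '%s\n' "$listing" | awk 'NR == 1 { print $4 }')

    # 1. Walk the ACEs in listing order; the first match ends the search.
    verdict=$(printf '%s\n' "$listing" | awk -v user="$user" -v groups=" $groups " -v action="$action" '
        NR > 1 && $1 ~ /^[0-9]+:$/ {
            idx = $1; sub(/:$/, "", idx)
            principal = $2; effect = $3; act = $4
            hit = 0
            if (principal == user || principal == ("user:" user)) hit = 1
            else if (index(principal, "group:") == 1 &&
                     index(groups, " " substr(principal, 7) " ") > 0) hit = 1
            if (hit && act == action) { print effect " (ACE " idx ")"; exit }
        }')
    if [ -n "$verdict" ]; then
        printf '%s\n' "$verdict"
        return 0
    fi

    # 2. No ACE applied: fall back to the POSIX owner/group/other bits.
    if [ "$user" = "$owner" ]; then
        who=owner
    elif printf ' %s ' "$groups" | grep -q " $fgroup "; then
        who=group
    else
        who=other
    fi
    if posix_bit "$mode" "$who" "$action"; then
        printf 'allow (POSIX %s bits)\n' "$who"
    else
        printf 'deny (POSIX %s bits)\n' "$who"
    fi
}

# Sample run: a staff member is denied by ACE 1, while an admin who is also in
# staff is allowed because ACE 0 is evaluated first.
check_access "$SETUID_LISTING" ajohnson "admin staff" execute
check_access "$SETUID_LISTING" tclark "staff" execute
```

Only read, write and execute are mapped to POSIX bits in the fallback; an action such as delete that reaches the fallback is reported as denied, since it has no slot in the mode string. The script is a reasoning aid for the rule order, not a replacement for testing the real file with ls -le and the account in question.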
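The persistence approach in the Important note under "Stripping Setuid Bits" (a script that strips the bits, run every half hour by a launchd job for root) can be put together as follows. This is an added example and not Apple's script: the paths are a subset of the guide's table, while the job label com.example.strip-setuid and the script location /usr/local/sbin/strip-setuid.sh are assumed names. The functions take paths on standard input, so they can be exercised on temporary files before being pointed at system programs.

```shell
#!/bin/sh
# Added example (not Apple's script): strip setuid/setgid bits from a list of
# programs and write the launchd job that re-runs the strip every half hour so
# the change survives Repair Permissions and software updates, as the guide
# recommends. The label and script path below are assumed names.

# Subset of the guide's table of programs whose setuid bit may be removed.
SETUID_LIST='/usr/bin/at
/usr/bin/atq
/usr/bin/atrm
/usr/bin/crontab
/usr/bin/wall
/usr/bin/write
/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh'

# is_setuid PATH -> exit 0 when the setuid or setgid bit is set: an s (or S
# when the execute bit is clear) in the owner or group execute slot of ls -l.
is_setuid() {
    m=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case $m in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# strip_setuid_bits  (reads one path per line on stdin)
# Clears both bits only where one is set and prints each path it changed, so
# a launchd run on an already clean system stays silent. u-s,g-s is the same
# change as the guide's `chmod -s`. Run as root for system programs.
strip_setuid_bits() {
    while IFS= read -r p; do
        [ -n "$p" ] && [ -e "$p" ] || continue
        if is_setuid "$p"; then
            chmod u-s,g-s "$p" && printf 'stripped: %s\n' "$p"
        fi
    done
}

# write_launchd_job PLIST SCRIPT -> writes a LaunchDaemon property list that
# runs SCRIPT as root every 1800 seconds and once at load.
write_launchd_job() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.strip-setuid</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$2</string>
    </array>
    <key>StartInterval</key>
    <integer>1800</integer>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# When invoked as the launchd job itself, strip the guide's list.
if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SETUID_LIST" | strip_setuid_bits
fi
```

To deploy it, copy the script to the assumed location, write the property list with write_launchd_job into /Library/LaunchDaemons/com.example.strip-setuid.plist (owned by root:wheel, mode 644, with ProgramArguments ending in --run) and load it with sudo launchctl load; the printed "stripped:" lines in the job's output are the record of when an update or Repair Permissions had restored a bit.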
Encrypting Home Folders

Leopard includes FileVault, which can encrypt your home folder and its files. Use FileVault on portable computers and other computers whose physical security you can't guarantee. Enable FileVault encryption for your computer and its user accounts.

FileVault moves all content of your home folder into a bundle disk image that supports AES-128 encryption. Snow Leopard supports Tiger sparse disk images created using AES-128 encryption. The sparse format allows the image to maintain a size proportional to its contents, which can save disk space.

If you remove files from a FileVault-protected home folder it takes time to recover free space from the home folder. After the home folder is optimized, you can access files in FileVault-protected home folders without noticeable delays.

If you're working with confidential files that you plan to erase later, store those files in separate encrypted images that are not located in your home folder. You can then erase those images without needing to recover free space. For more information, see "Encrypting Portable Files" on page 155.

If you've insecurely deleted files before using FileVault, these files are recoverable after activating it. To prevent this, when you initially enable FileVault, securely erase free space. For information, see "Using Disk Utility to Securely Erase Free Space" on page 160.

Because FileVault is an encryption of a user's local home folder, FileVault does not encrypt or protect files transferred over the network or saved to removable media, so you'll need to encrypt specific files or folders. FileVault can only be enabled for local or mobile accounts and cannot be enabled for network home folders.

To protect files or folders on portable media or a network volume, create an encrypted disk image on the portable media or network volume. Then mount these encrypted disk images, which protect data transmitted over the network using AES-128 encryption. When using this method, mount the encrypted disk image from one computer at a time to prevent irreparable corruption to the image content. For information about encrypting specific files or folders for transfer from your network home folder, see "Encrypting Portable Files" on page 155.

When you set up FileVault, you create a master password. If you forget your login password, you can use your master password to recover encrypted data. If you forget your login password and your master password, you cannot recover your data. Because of this, consider sealing your master password in an envelope and storing it in a secure location.

You can use Password Assistant to help create a complex master password that cannot be easily compromised. For information, see "Using Password Assistant to Generate or Analyze Passwords" on page 84.

Enabling FileVault copies data from your home folder into an encrypted home folder. After copying, FileVault erases the unencrypted data. By default FileVault insecurely erases the unencrypted data, but if you enable secure erase, your unencrypted data is securely erased.

Overview of FileVault

Snow Leopard Server extends the unlocking of FileVault to Smart Cards, which provides the most secure practice for protecting FileVault accounts. Accounts protected by FileVault support authentication using a passphrase or a Smart Card. With Smart Card authentication, the AES-256 symmetric Data Key (DK) used to encrypt the user's data is unwrapped using a private (encryption) key on the Smart Card. The data written to or read from disk is encrypted and decrypted on the fly during access.

FileVault encrypts the Data Key (DK) using the User Key (UK1), which can be generated from your passphrase or from the public key on your Smart Card. FileVault separately encrypts the Data Key using the FileVault Master Key (MK). The architectural design of FileVault makes it possible for the MK and UK1 to encrypt and decrypt files. Providing strong encryption protects user data at rest while ensuring access management by IT staff.

The easiest method for centralized management of FileVault on a client computer is to use Snow Leopard Server and Workgroup Manager to enforce the use of FileVault and the proper identity.

Managing FileVault

You can set a FileVault master keychain to decrypt an account that uses FileVault to encrypt data. Then if users forget their FileVault account password (which they use to decrypt encrypted data) you can use the FileVault master keychain to decrypt the data.

To create the FileVault master keychain:
1 Open System Preferences > Security.
2 Click Master Password and set a master password. Select a strong password and consider splitting the password into at least two components (first half and second half). You can use Password Assistant to ensure that the quality of the password is strong. To avoid having one person know the full password, have separate security administrators keep each password component. This prevents a single person from unlocking (decrypting) a FileVault account. For more information, see "Using Password Assistant to Generate or Analyze Passwords" on page 84.
  Setting a master password creates a keychain called FileVaultMaster.keychain in /Library/Keychains/. The FileVault master keychain contains a FileVault recovery key (self-signed root certificate) and a FileVault master password key (private key).
3 Delete the certificate named FileVaultMaster.cer in the same location as the FileVaultMaster.keychain. FileVaultMaster.cer is only used for importing the certificate into the keychain. This is only a certificate and does not contain the private key, so there is no security concern about someone gaining access to this certificate.
4 Make a copy of FileVaultMaster.keychain and put it in a secure place.
5 Delete the private key from the FileVaultMaster.keychain created on the computer to modify the keychain. Deleting the key ensures that even if someone unlocks the FileVault master keychain they cannot decrypt the contents of a FileVault account, because there is no FileVault master password private key available for the decryption.

Managing the FileVault Master Keychain

The modified FileVault master keychain can now be distributed to network computers. This can be done by transferring FileVaultMaster.keychain to the computers by using Apple Remote Desktop, by using a distributed installer executed on each computer, by using various scripting techniques, or by including it in the original disk image if your organization restores systems with a default image.
The master keychain provides network management of any FileVault account created on any computer with the modified FileVaultMaster.keychain located in the /Library/Keychains/ folder. These computers indicate that the master password is set in Security preferences.

When an account is created and the modified FileVault master keychain is present, the public key from the FileVault recovery key is used to encrypt the dynamically generated AES 128-bit (default) or AES 256-bit symmetric key that is used for the encryption and decryption of the encrypted disk image (FileVault container). To decrypt access to the encrypted disk image, the FileVault master password private key is required to decrypt the original dynamically generated AES 128-bit or 256-bit symmetric key.

The user's original password continues to work as normal, but the assumption here is that the master password service is being used because the user has forgotten the password or the organization must perform data recovery from a user's computer.

To recover a network managed FileVault system account:
1 Retrieve the copy of FileVaultMaster.keychain that was stored before the private key was deleted during modification.
2 Bring together all security administrators involved in generating the master password. More than one individual is needed if the master password was split into password components.
  Note: The administrator must have root access to restore the FileVaultMaster.keychain file.
3 Restore the original keychain to the /Library/Keychains/ folder of the target computer, replacing the installed keychain.
4 Verify that the restored FileVaultMaster.keychain file has the correct ownership and permissions set, similar to the following example.
    -rw-r--r--  1 root  admin  24880 Mar  2 18:18 FileVaultMaster.keychain
5 Verify that Password Hints is enabled by logging in to the FileVault account you are attempting to recover and incorrectly entering the account password three times. If Password Hints is enabled, you are granted an additional try after the hint appears.
6 When prompted for the master password, have the security administrators combine their password components to unlock access to the account.
7 When the account is unlocked, provide a new password for the account. The password is used to encrypt the original symmetric key used to encrypt and decrypt the disk image.
  Note: This process does not reencrypt the FileVault container. It reencrypts the original symmetric key with a key derived from the new user account password you entered.
  You are now logged in to the account and given access to the user's home folder.
8 Delete the private key from FileVaultMaster.keychain again, or replace the keychain file with the original copy of FileVaultMaster.keychain that was stored before the private key was deleted.

This process does not change the password used to protect the user's original login keychain, because that password is not known or stored anywhere. Instead, this process creates a login keychain with the password entered as the user's new account password.

Encrypting Portable Files

To protect files you want to transfer over a network or save to removable media, encrypt a disk image or encrypt the files and folders. FileVault doesn't protect files transmitted over the network or saved to removable media. Using a server-based encrypted disk image provides the added benefit of encrypting network traffic between the computer and the server hosting the mounted encrypted disk image.

Creating an Encrypted Disk Image

To encrypt and securely store data, you can create a read/write image or a sparse image:
• A read/write image consumes the space that was defined when the image was created. For example, if the maximum size of a read/write image is set to 10 GB, the image consumes 10 GB of space even if it contains only 2 GB of data.
• A sparse image consumes only the amount of space the data needs. For example, if the maximum size of a sparse image is 10 GB and the data is only 2 GB, the image consumes only 2 GB of space.

If an unauthorized administrator might access your computer, creating an encrypted blank disk image is preferred to creating an encrypted disk image from existing data. Creating an encrypted image from existing data copies the data from an unprotected area to the encrypted image. If the data is sensitive, create the image before creating the documents. This creates the working copies, backups, or caches of files in encrypted storage from the start.

Note: To prevent errors when a file system inside a sparse image has more free space than the volume holding the sparse image, HFS volumes inside sparse images report an amount of free space slightly less than the amount of free space on the volume that the image resides on.

To create an encrypted disk image:
1 Open Disk Utility.
2 Choose File > New > Blank Disk Image.
3 Enter a name for the image, and choose where to store it.
4 Choose the size of the image by clicking the Size pop-up menu. Make sure the size of the image is large enough for your needs. You cannot increase the size of an image after creating it.
5 Choose an encryption method by clicking the Encryption pop-up menu. AES-128 or AES-256 is a strong encryption format.
6 Choose a format by clicking the Format pop-up menu. Although there is some overhead, the sparse format allows the image to maintain a size proportional to its contents (up to its maximum size), which can save disk space.
7 Click Create.
8 Enter a password, and verify it. You can access Password Assistant from this window. For more information, see "Using Password Assistant to Generate or Analyze Passwords" on page 84.
9 Deselect "Remember password (add to Keychain)", and click OK.

Creating an Encrypted Disk Image from Existing Data

If you must maintain data confidentiality when transferring files from your computer but you don't need to encrypt files on your computer, create a disk image from existing data. Such situations include unavoidable plain-text file transfers across a network, such as mail attachments or FTP, or copying to removable media, such as a CD or floppy disk.

If you plan to add files to this image instead of creating an image from existing data, create an encrypted disk image and add your existing data to it. For information, see "Creating an Encrypted Disk Image" on page 155.

To create an encrypted disk image from existing data:
1 Open Disk Utility.
2 Choose File > New > Disk Image from Folder.
3 Select a folder and click Image.
4 Enter a name for the image and choose where to store it.
5 Choose a format by clicking the Format pop-up menu. The compressed disk image format can help you save hard disk space by reducing your disk image size.
6 Choose an encryption method by clicking the Encryption pop-up menu. AES-128 or AES-256 provide strong encryption.
7 Click Save.
8 Enter a password and verify it. You can easily access Password Assistant from this window. For more information, see "Using Password Assistant to Generate or Analyze Passwords" on page 84.
9 Deselect "Remember password (add to Keychain)" and click OK.

You can also use the hdiutil command to create and format encrypted disk images. For more information about this command, see its man page.

Creating Encrypted PDFs

You can quickly create password-protected, read-only PDF documents of confidential or personal data. To open these files you must know the password for them.

Some applications do not support printing to PDF. In this case, create an encrypted disk image. For information, see "Creating an Encrypted Disk Image from Existing Data" on page 156.

To create an encrypted, read-only document:
1 Open the document.
2 Choose File > Print. Some applications don't allow you to print from the File menu. These applications might allow you to print from other menus.
3 Click PDF and choose Save as PDF.
4 Click Security Options and select one or more of the following options:
  • Require password to open document
  • Require password to copy text, images, and other content
  • Require password to print document
  When you require a password for the PDF, it becomes encrypted.
5 Enter a password, verify it, and click OK.
6 Enter a name for the document, choose a location, and click Save.
7 Test your document by opening it. You must enter the password before you can view the contents of your document.

Securely Erasing Data

When you erase a file, you're removing information that the file system uses to find the file. The file's location on the disk is marked as free space. If other files have not written over the free space, it is possible to retrieve the file and its contents.

Snow Leopard provides the following ways to securely erase files.
• Zero-out erase
• 7-pass erase
• 35-pass erase

A zero-out erase sets all data bits on the disk to 0, while a 7-pass erase and a 35-pass erase use algorithms to overwrite the disk. A 7-pass erase follows the Department of Defense standard for the sanitization of magnetic media. A 35-pass erase uses the extremely advanced Gutmann algorithm to help eliminate the possibility of data recovery.

The zero-out erase is the quickest. The 35-pass erase is the most secure, but it is also 35 times slower than the zero-out erase.

Each time you use a 7-pass or 35-pass secure erase, the following seven-step algorithm is used to prevent the data from being recovered:
• Overwrite file with a single character
• Overwrite file with zeroes
• Overwrite file with a single character
• Overwrite file with random characters
• Overwrite file with zeroes
• Overwrite file with a single character
• Overwrite file with random characters

Configuring Finder to Always Securely Erase

In Snow Leopard Server you can configure Finder to always securely erase items placed in the Trash. This prevents data you place in the Trash from being restored. Using secure erase takes longer than emptying the Trash.

To configure Finder to always perform a secure erase:
1 In Finder, choose Finder > Preferences.
2 Click Advanced.
3 Select the "Empty Trash securely" checkbox.
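The seven-step overwrite sequence listed above, as an added example (not Apple's srm or Finder code): a shell script that applies each of those passes to a file in place and then unlinks it, with a helper that counts non-NUL bytes so a zero pass can be checked. The file it works on is constructed in the script; the overwrite cannot be undone, so point it only at files created for the purpose. On journaled, copy-on-write or flash storage an in-place overwrite does not guarantee that the original physical blocks are rewritten, which is the reason the guide also offers the volume-level options (Erase Free Space, diskutil secureErase).

```shell
#!/bin/sh
# Added example (not Apple's srm or Finder code): apply the guide's seven
# overwrite passes to a file in place, then remove it. The demonstration file
# is constructed below; the overwrite is irreversible.

# pattern_stream KIND SIZE -> emits SIZE bytes of the requested pattern:
# char (one repeated byte), zero (NUL bytes) or random (from /dev/urandom).
pattern_stream() {
    case $1 in
        char)   head -c "$2" /dev/zero | tr '\000' 'U' ;;
        zero)   head -c "$2" /dev/zero ;;
        random) head -c "$2" /dev/urandom ;;
    esac
}

# overwrite_pass FILE KIND -> rewrites every byte of FILE with KIND.
# conv=notrunc keeps the existing allocation so the same blocks are rewritten.
overwrite_pass() {
    f=$1; kind=$2
    case $kind in char|zero|random) ;; *) return 1 ;; esac
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] || return 0
    pattern_stream "$kind" "$size" | dd of="$f" conv=notrunc 2>/dev/null
}

# secure_erase FILE -> the seven passes the guide lists, in order, then unlink.
secure_erase() {
    f=$1
    [ -f "$f" ] || return 1
    for kind in char zero char random zero char random; do
        overwrite_pass "$f" "$kind" || return 1
    done
    rm -f -- "$f"
}

# nonzero_bytes FILE -> number of bytes that are not NUL; 0 after a zero pass.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Demonstration on a constructed temporary file.
demo() {
    f=$(mktemp)
    printf 'constructed sample payroll record\n' > "$f"
    overwrite_pass "$f" zero
    printf 'non-NUL bytes after zero pass: %s\n' "$(nonzero_bytes "$f")"
    secure_erase "$f"
    if [ -e "$f" ]; then printf 'file still present\n'; else printf 'file removed\n'; fi
}
demo
```

The pass order matches the list in the text; the page's srm -m option performs the same kind of multi-pass work and additionally renames and truncates the file before unlinking it, which this example omits.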
Chapter 8 Securing Data and Using Encryption

Using Disk Utility to Securely Erase a Disk or Partition
You can use Disk Utility to securely erase a partition, using a zero-out erase, a 7-pass erase, or a 35-pass erase.

Note: If you have a partition with Snow Leopard installed and you want to securely erase an unmounted partition, you don't need to use your installation discs. In the Finder, open Disk Utility (located in /Applications/Utilities/).

WARNING: Securely erasing a partition is irreversible. Before erasing the partition, back up critical files you want to keep.

To securely erase a partition using Disk Utility:
1 Insert the first of the Snow Leopard installation discs in the optical drive.
2 Restart the computer while holding down the C key.
The computer starts up from the disc in the optical drive.
3 Proceed past the language selection step.
4 Choose Utilities > Disk Utility.
5 Select the partition you want to securely erase.
Select a partition, not a drive. Partitions are contained in drives and are indented one level in the list on the left.
6 Click Erase, choose Mac OS Extended (Journaled), and then click Security Options.
Mac OS Extended disk formatting provides enhanced multiplatform interoperability.
7 Choose an erase option and click OK.
8 Click Erase.
Securely erasing a partition can take time, depending on the size of the partition and the method you choose.

Using Command-Line Tools to Securely Erase Files
You can use the srm command in Terminal to securely erase files or folders. By using srm, you can remove each file or folder by overwriting, renaming, and truncating the file or folder before erasing it. This prevents other people from undeleting or recovering information about the file or folder.

For example, srm supports simple methods, like overwriting data with a single pass of zeros, to more complex ones, like using a 7-pass or 35-pass erase.

WARNING: Erasing files with srm is irreversible. Before securely erasing files, back up critical files you want to keep.

The srm command cannot remove a write-protected file owned by another user, regardless of the permissions of the directory containing the file.

To securely erase a folder named secret:
    sudo srm -r -s secret

The -r option removes the content of the directory, and the -s option (simple) overwrites with a single random pass. For a more secure erase, use the -m (medium) option to perform a 7-pass erase of the file. The -s option overrides the -m option, if both are present. If neither is specified, the 35-pass erase is used. For more information, see the srm man page.

Using Secure Empty Trash
Secure Empty Trash uses a 7-pass erase to securely erase files stored in the Trash. Depending on the size of the files being erased, securely emptying the Trash can take time to complete.

WARNING: Using Secure Empty Trash is irreversible. Before securely erasing files, back up critical files you want to keep.

To use Secure Empty Trash:
1 Open the Finder.
2 Choose Finder > Secure Empty Trash.
3 Click OK.

Using Disk Utility to Securely Erase Free Space
You can use Disk Utility to securely erase free space on partitions, using a zero-out erase, a 7-pass erase, or a 35-pass erase.

To securely erase free space using Disk Utility:
1 Open Disk Utility (located in /Applications/Utilities/).
2 Select the partition to securely erase free space from.
Select a partition, not a drive. Partitions are contained in drives and are indented one level in the list on the left.
3 Click Erase, and then click Erase Free Space.
4 Choose an erase option and click Erase Free Space.
Securely erasing free space can take time, depending on the amount of free space being erased and the method you choose.
5 Choose Disk Utility > Quit Disk Utility.

Using Command-Line Tools to Securely Erase Free Space
You can securely erase free space from the command line by using the diskutil command. However, ownership of the affected disk is required. This tool allows you to securely erase using one of the three levels of secure erase:
1 Zero-out secure erase (also known as single-pass)
2 7-pass secure erase
3 35-pass secure erase

To erase free space using a 7-pass secure erase (indicated by the number 2):
    sudo diskutil secureErase freespace 2 /dev/disk0s3

For more information, see the diskutil man page.

From the command line:
    # -------------------------------------------------------------------
    # Using Disk Utility to Securely Erase Free Space
    # -------------------------------------------------------------------
    # Overwrite a device with zeroes.
    sudo diskutil zeroDisk /dev/device
    # Secure erase (7-pass) free space on a volume.
    sudo diskutil secureErase freespace 2 /dev/device
    # Secure erase (7-pass) a volume.
    sudo diskutil secureErase 2 /dev/device

Deleting Permanently from Time Machine Backups
Time Machine is based on the Mac OS X HFS+ file system. It tracks file changes and detects file system permissions and user access privileges. When Time Machine performs the initial backup, it copies the contents of your computer to your backup drive. Every subsequent backup is an incremental backup, which copies only the files that have changed since the previous backup.

You can permanently delete files or folders from your computer and all Time Machine backups using Time Machine. This keeps sensitive data that you no longer need from being recovered.

To permanently delete files or folders from Time Machine backups:
1 Delete the file or folder from your computer.
2 Open Time Machine.
3 Select the file or folder you want to permanently delete from Time Machine.
4 Click the Action pop-up menu and select "Delete All Backups of [file or folder name]".
5 When the warning message appears, click OK to permanently delete the file or folder.
All backup copies of your file or folder are permanently deleted from your computer.
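The overwrite, rename, truncate and unlink sequence that the text attributes to srm, as an added example written for this page rather than Apple's srm: a POSIX shell function performs one zero or random pass in place and then renames, truncates and removes the file. It assumes a single regular file (srm's -r, -m and 35-pass modes are not reproduced) and that head -c, dd and mktemp are available.

```shell
#!/bin/sh
# Added example (not Apple's srm): overwrite, rename, truncate, unlink.
# Caveat: on journaled, copy-on-write or SSD-backed volumes an in-place
# overwrite may not reach every block that ever held the data, so treat this
# as a best-effort control and prefer volume-level secure erase or encryption.

# overwrite_in_place FILE [MODE]
#   MODE "zero" writes a single pass of zeros; "simple" (the default, what
#   srm -s does) writes a single random pass. conv=notrunc writes through the
#   existing inode so the file's current blocks are overwritten rather than
#   new ones being allocated by a truncating redirect.
overwrite_in_place() {
    f=$1; mode=${2:-simple}
    [ -f "$f" ] || { echo "overwrite_in_place: not a regular file: $f" >&2; return 1; }
    case $mode in
        zero)   src=/dev/zero ;;
        simple) src=/dev/urandom ;;
        *)      echo "overwrite_in_place: unknown mode: $mode" >&2; return 1 ;;
    esac
    size=$(wc -c < "$f")
    [ "$size" -gt 0 ] || return 0            # nothing allocated, nothing to overwrite
    head -c "$size" "$src" | dd of="$f" conv=notrunc 2>/dev/null || return 1
    sync
}

# srm_like FILE [MODE]
#   Full sequence: overwrite the data, rename so the directory no longer
#   records the original name, truncate so the inode drops its block list,
#   then unlink.
srm_like() {
    f=$1; mode=${2:-simple}
    overwrite_in_place "$f" "$mode" || return 1
    dir=$(dirname "$f")
    tmp=$(mktemp "$dir/.XXXXXX") || return 1   # random name in the same directory
    mv -f "$f" "$tmp" || return 1               # rename
    : > "$tmp"                                  # truncate
    rm -f "$tmp"                                # unlink
}
```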
9 Managing Certificates
Use this chapter to learn how Snow Leopard Server supports services that ensure encrypted data transfer through certificates.

Snow Leopard Server uses a Public Key Infrastructure (PKI) system to generate and maintain certificates of identities. Server Admin makes it easy to manage Secure Sockets Layer (SSL) certificates that can be used by web, mail, directory services, and other services that support them.

You can create a self-signed certificate and generate a Certificate Signing Request (CSR) to obtain an SSL certificate from an issuing authority and install the certificate.

For more information about how to use SSL certificates with individual services, see Chapter 10, "Setting General Protocols and Access to Services." Also, for more information about certificates using the command line, see the man page of the security command-line tool.

Understanding Public Key Infrastructure
Snow Leopard Server supports services that use SSL to ensure encrypted data transfer. It uses a PKI system to generate and maintain certificates for use with SSL-enabled services.

PKI systems allow the two parties in a data transaction to be authenticated to each other, and to use encryption keys and other information in identity certificates to encrypt and decrypt messages traveling between them.

PKI enables multiple communicating parties to establish confidentiality, message integrity, and message source authentication without exchanging secret information in advance.
SSL technology relies on a PKI system for secure data transmission and user authentication. It creates an initial secure communication channel to negotiate a faster, secret key transmission. Snow Leopard Server uses SSL to provide encrypted data transmission for Mail, Web, and Directory services.

Public and Private Keys
Within a PKI, two digital keys are created: the public key and the private key. The private key isn't distributed to anyone and is often encrypted by a passphrase. The public key is distributed to other communicating parties.

Basic key capabilities can be summed up as:

Key type   Capabilities
Public     - Can encrypt messages that can only be decrypted by the holder of the corresponding Private key.
           - Can verify the signature on a message to ensure that it is coming from a Private key.
Private    - Can digitally sign a message or certificate, claiming authenticity.
           - Can decrypt messages that were encrypted with the Public key.
           - Can encrypt messages that can only be decrypted by the Private key itself.

Web, mail, and directory services use the public key with SSL to negotiate a shared key for the duration of the connection. For example, suppose a mail server sends its public key to a connecting client and initiates negotiation for a secure connection. The connecting client uses the public key to encrypt a response to the negotiation. The mail server, because it has the private key, can decrypt the response. The negotiation continues until mail server and client have a shared secret to encrypt traffic between the two computers.

Certificates
A certificate is an electronic document that contains a public key with identification information (name, organization, email address, and so on). In a public key environment, a certificate is digitally signed by a Certificate Authority, or its own private key (the latter being a self-signed certificate).

A public key certificate is a file in a specified format (Mac OS X Server uses the x.509 format) that contains:
- The public key half of a public-private key pair
- The key user's identity information, such as a person's name and contact information
- A validity period (how long the certificate can be trusted to be accurate)
- The URL of someone with the power to revoke the certificate (its "revocation center")
- The digital signature of a CA, or the key user

About Certificate Authorities (CAs)
A CA is an entity that signs and issues digital identity certificates claiming that a party is correctly identified. In this sense, a CA is a trusted third party used by other parties when performing transactions.

In x.509 systems such as Snow Leopard Server, CAs are hierarchical, with CAs being certified by higher CAs, until you reach a root authority. A root authority is a CA that's trusted by the parties, so it doesn't need to be authenticated by another CA. The hierarchy of certificates is top-down, with the root authority's certificate at the top.

A CA can be a company that signs and issues a public key certificate. The certificate attests that the public key belongs to the owner recorded in the certificate. In a sense, a CA is a digital notary public. You request a certificate by providing the CA with your identity information, contact information, and the public key. The CA then verifies your information so users can trust certificates issued for you by the CA.

About Identities
Identities are a certificate and a private key, together. The certificate identifies the user, and the private key corresponds to the certificate. A single user can have several identities; for any given user each certificate can have a different name, email address, or issuer. These identities are used for different security contexts. For example, one can be used to sign others' certificates, one can be used to identify the user by email, and these do not need to be the same identity.

In the context of the Mac OS X Server Certificate Manager, identities include a signed certificate and both keys of a PKI key pair. The identities are used by the system keychain and are available for use by services that support SSL.

Self-Signed Certificates
Self-signed certificates are certificates that are digitally signed by the private key corresponding to the public key included in the certificate. This is done in place of a CA signing the certificate. By self-signing a certificate, you're attesting that you are who you say you are. No trusted third party is involved.

About Intermediate Trust
If you are your own CA and your certificates are not trusted by the default shipping root certificates in Mac OS X, your clients can still be configured to trust your certificates through an intermediate trust.

Trust is the ability of a client to believe the identity of a server when it connects. A trusted server is a known server that the client can transact with securely, without interference from outside and unknown parties.

Mac OS X clients follow x.509 trust validation when accepting certificates, meaning they follow the chain of certificate signers back until they find a trusted root certificate. Mac OS X lets you specify a trusted anchor (in other words, a certificate that is not a root CA certificate, but that you trust). A client can trust a certificate closer in the chain of trust, or even just the submitted certificate itself. Trusting a certificate that isn't a shipping root anchor is intermediate trust.

To accomplish this, trust needs to be bestowed on certificates instead of to keychains (as was done previously). In v10.4, trust was given to certificates in the keychain called X509Anchors. The X509Anchors keychain was deprecated starting with Mac OS X v10.5.

In Snow Leopard Server, several keychains can hold certificates:
- System Root Certificates: This keychain holds root certificates that ship with Mac OS X. The certificates already have trust given to them.
- System: This keychain holds certificates that the computer administrator can add. All users on a given client can read from this keychain. The trust settings of a certificate in this keychain can override those of a certificate in System Root Certificates.
- Any other keychain: This holds certificates for a given user and is only accessible to that user. The trust settings of a certificate in this keychain can override those of a certificate in System Root Certificates or System.

Trusted certificates can be in any of these locations, but to trust a certificate, trust settings must be given explicitly to a certificate.

To configure clients to trust a certificate:
1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.
This is preferably distributed using nonrewritable media, such as a CD-R. Using nonrewritable media prevents the certificate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate was copied onto the client computer.
3 Drag the certificate to the System keychain using Keychain Access.
Authenticate as an administrator, if requested.
4 Double-click the certificate to get the certificate details.
5 In the details window, click the Trust disclosure triangle.
6 From the pop-up menu next to "When using this certificate," select Always Trust.
You have now added trust to this certificate, regardless of who it is signed by.

From the command line
After copying the certificate to the target client computer, perform the following, replacing the final argument with the file path to the certificate:
    sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain 
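The chain walk described under "About Intermediate Trust," as an added example that is not part of Apple's documentation: a shell function follows constructed subject-to-issuer records until it reaches a certificate in an explicit anchor set, so a leaf is trusted when its intermediate is anchored even if the root is absent. The certificate names and records are constructed for this example; real validation also checks signatures, validity periods and revocation.

```shell
#!/bin/sh
# Added example (not Apple's code): walk a certificate chain to an anchor.
# CERTS holds constructed records, one per line, "subject|issuer"; a
# self-signed certificate lists itself as issuer. Only the chain-and-anchor
# logic the text describes is shown here.
CERTS='mail.example.com|Example Issuing CA
Example Issuing CA|Example Root CA
Example Root CA|Example Root CA
www.other.example|Unknown CA'

# issuer_of SUBJECT -> the issuer recorded for SUBJECT, or nothing if unknown
issuer_of() {
    printf '%s\n' "$CERTS" | awk -F'|' -v s="$1" '$1 == s { print $2; exit }'
}

# is_anchor SUBJECT ANCHORS -> true if SUBJECT is in the newline-separated
# ANCHORS list, i.e. the certificates that were given "Always Trust" in
# System Root Certificates, System, or a user keychain.
is_anchor() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# chain_trusted LEAF ANCHORS
#   Prints each certificate visited and returns 0 when an anchor is reached,
#   1 when the chain ends without one (unknown issuer, or a self-signed root
#   that nobody trusts), 2 when the issuer records form a loop.
chain_trusted() {
    cur=$1; anchors=$2; seen=""; depth=0
    while :; do
        printf '%s\n' "$cur"
        if is_anchor "$cur" "$anchors"; then
            return 0                         # trust found at this level
        fi
        case "$seen" in *"|$cur|"*) return 2 ;; esac
        seen="$seen|$cur|"
        iss=$(issuer_of "$cur")
        [ -n "$iss" ] || return 1            # issuer not on file
        [ "$iss" != "$cur" ] || return 1     # self-signed but not anchored
        cur=$iss
        depth=$((depth + 1))
        [ "$depth" -le 10 ] || return 2      # defensive bound
    done
}
```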
You can use the security tool to save and restore trust settings as well. For more information on using the security command-line tool, see the security man page.

Certificate Manager in Server Admin
Snow Leopard Server's Certificate Manager is integrated into Server Admin to help you create, use, and maintain identities for SSL-enabled services. The Server Admin interface is shown below, with the Certificate Manager selected.

Certificate Manager provides integrated management of SSL certificates in Snow Leopard Server for services that allow the use of SSL certificates.

On installation, the server creates a self-signed certificate for immediate use from information you put in during server setup.

Certificate Manager uses Mac OS X's Certificate Assistant to create self-signed certificates and certificate-signing requests (CSRs) to obtain certificates signed by a CA. The certificates, self-signed or signed by a CA, are then accessible by services that support SSL.

Certificate Manager in Server Admin doesn't allow you to sign and issue certificates as a CA, nor does it allow you to sign and issue certificates as a root authority. If you need these functions, you can use Certificate Assistant in Keychain Access (located in /Applications/Utilities/). It provides these capabilities and others for working with x.509 certificates.

Identities that were created and stored in OpenSSL files can also be imported into Certificate Manager. They are accessible to services that support SSL. Self-signed and CA-issued certificates you created in CA Assistant can be used in Certificate Manager by importing the certificate.

Certificate Manager displays the following for each certificate:
- The domain name the certificate was issued for
- The expiration date of the certificate
- When selected, the detailed contents of the certificate

When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM formatted files for every identity:
- The certificate
- The public key
- The trust chain
- The concatenated version of the certificate plus the trust chain (for use with some services)

The certificate and trust chain are owned by the root user and the wheel group, with permissions set to 644. The public key and concatenation file are owned by the root user and the certusers group, with permissions set to 640.

Each file has the following naming convention: ...pem
For example, the certificate for a web server at example.com might look like this:
    www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem

Readying Certificates
Before you can use SSL in Mac OS X Server's services, you must create or import certificates. You can create self-signed certificates, create certificates and then generate a Certificate Signing Request (CSR) to send to a CA, or import certificates previously created with OpenSSL.

If you have previously generated certificates for SSL, you can import them for use by Mac OS X Server services. The OpenSSL keys and certificates must be in PEM format.

Select a CA to sign your certificate request. If you don't have a CA to sign your request, consider becoming your own CA and then import your CA certificates into the root trust database of your managed machines.

When you set up Mac OS X Server, the Server Assistant creates a self-signed certificate based on information you provided when it's first installed. It can be used for any service that supports SSL. When your clients choose to trust the certificate, SSL connections can be used without user interaction from that point on. This initial self-signed certificate is used by Server Admin and Server Preferences to encrypt administrative functions.

Creating a Self-Signed Certificate
A self-signed certificate is generated at server setup. Although it is available for use, you may want to customize the information in the certificate, so you would create a new self-signed certificate. This is especially important if you plan on having a CA sign your certificate.

When you create a self-signed certificate, Certificate Manager creates a private-public key pair in the System keychain with the key size specified (512-2048 bits). It then creates the corresponding self-signed certificate.

If you're using a self-signed certificate, consider using an intermediate trust for it and import the certificate into the System keychain on all client computers (if you have control of the computers). For more information about using intermediate trust, see "About Intermediate Trust" on page 165.

To create a self-signed certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Click the Add (+) button and choose Create a Certificate Identity.
Certificate Assistant launches, populated with information needed to generate the certificate.
4 If you override the defaults, choose "Let me override defaults" and follow the onscreen instructions.
5 When finished, click Continue.
6 Confirm the certificate creation by clicking Continue.
The Certificate Assistant generates a key pair and certificate. Certificate Manager encrypts the files with a random passphrase, puts the passphrase in the System keychain, and puts the resulting PEM files in /etc/certificates/.

Storing the Private Key
The private key should be generated on a computer that is not connected to your internal network. For added security, you can store the keychain containing the private key on USB storage so you can keep the CA private key unavailable when connected to the network.

Requesting a Certificate from a CA
Certificate Manager helps you create a CSR to send to your designated CA. You need a certificate for the CA to sign. You can use the one that was generated at server setup, but more likely you will want to generate one that has all the details the CA requires before signing. If you need to generate a certificate before getting it signed, see "Creating a Self-Signed Certificate" on page 169.

To request a signed certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Select the certificate you want signed.
4 Click the Action button below the certificates list and choose Generate Certificate Signing Request (CSR).
5 Certificate Manager creates the signing request and shows the ASCII text version in the sheet.
6 Click Save to save the CSR to the disk.
Your CA will have instructions on how to transfer the CSR to the signer. Some CAs require you to use a web interface; others require sending the CSR in the body of a mail message. Follow the instructions given by the CA.
The CA will return a newly signed certificate, which replaces the one you generated. For instructions on what to do now with your newly signed certificate, see "Replacing an Existing Certificate" on page 175.

Creating a CA
To sign another user's certificate, you must create a CA. Sometimes a CA certificate is referred to as a root or anchor certificate. By signing a certificate with the root certificate, you become the trusted third party in that certificate's transactions, vouching for the identity of the certificate holder.

If you are a large organization, you might decide to issue or sign certificates for people in your organization to use the security benefits of certificates. However, external organizations might not trust or recognize your signing authority.

To create a CA:
1 Start Keychain Access.
Keychain Access is found in the /Applications/Utilities/ directory.
2 In the Keychain Access menu, select Certificate Assistant > Create a Certificate Authority.
The Certificate Assistant starts. It will guide you through the process of making the CA.
3 Choose to create a Self Signed Root CA.
4 Provide the Certificate Assistant with the requested information and click Continue.
You need the following information to create a CA:
- An email address
- The name of the issuing authority (you or your organization)
You also decide if you want to override the defaults and whether to make this CA the organization's default CA. If you do not have a default CA for the organization, allow the Certificate Assistant to make this CA the default. In most circumstances, do not override the defaults. If you do not override the defaults, skip to step 16.
5 If you override the defaults, provide the following information in the next few screens:
- A unique serial number for the root certificate
- The number of days the CA functions before expiring
- The type of user certificate this CA is signing
- Whether to create a CA website for users to access for CA certificate distribution
6 Click Continue.
7 Provide the Certificate Assistant with the requested information and click Continue.
You need the following information to create a CA:
- An email address of the responsible party for certificates
- The name of the issuing authority (you or your organization)
- The organization name
- The organization unit name
- The location of the issuing authority
8 Select a key size and an encryption algorithm for the CA certificate, and then click Continue.
A larger key size is more computationally intensive to use, but much more secure. The algorithm you choose depends more on your organizational needs than a technical consideration. DSA and RSA are strong encryption algorithms. DSA is a United States Federal Government standard for digital signatures.
9 Select a key size and an encryption algorithm for the certificates to be signed, and then click Continue.
10 Select the Key Usage Extensions you need for the CA certificate, and then click Continue.
At a minimum, you must select Signature and Certificate Signing.
11 Select the Key Usage Extensions you need for the certificates to be signed, and then click Continue.
Default key use selections are based on the type of key selected earlier in the Assistant.
12 Specify other extensions to add to the CA certificate and click Continue.
13 Select the keychain System to store the CA certificate.
14 Choose to trust certificates on this computer signed by the created CA.
15 Click Continue and authenticate as an administrator to create the certificate and key pair.
16 Read and follow the instructions on the last page of the Certificate Assistant.
You can now issue certificates to trusted parties.

Importing a Certificate Identity
You can import a previously generated OpenSSL certificate and private key into Certificate Manager. The items are listed as available in the list of identities and are available to SSL-enabled services. The OpenSSL keys and certificates must be in PEM format.

To import an existing OpenSSL style certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Click the Add (+) button and choose Import a Certificate Identity.
4 Drag the PEM file containing the private key to the sheet.
5 Drag the PEM file containing the public certificate to the sheet.
6 If needed, drag associated nonidentity certificates to the sheet as well.
7 Click the Import button.
If prompted, enter the private key passphrase.

Managing Certificates
After you create and sign a certificate, you won't do much more with it. Because certificates cannot be edited, you can delete, replace, or revoke certificates after they are created. You cannot change certificates after a CA signs them. If the information a certificate possesses (such as contact information) is no longer accurate, or if you believe the private key is compromised, delete the certificate.

If you have previously generated certificates for SSL, you can import them for use by services. The OpenSSL keys and certificates must be in PEM format.

If you chose custom locations for your SSL certificates with Snow Leopard Server, you must import them into Certificate Manager if you want them to be available for services. Custom file system locations for certificates cannot be managed for services using Server Admin for Snow Leopard Server. To use custom file locations, edit the configuration files directly.

When certificates and keys are imported via Certificate Manager, they are put in the /etc/certificates/ directory. The directory contains four PEM formatted files for every identity:
- The certificate
- The public key
- The trust chain
- The concatenated version of the certificate plus the trust chain (for use with some services)

Each file has the following naming convention: ...pem
For example, the certificate for a web server at example.com might look like this:
    www.example.com.C42504D03B3D70F551A3C982CFA315595831A2E3.cert.pem

After the certificates are imported, Certificate Manager encrypts the files with a random passphrase. It puts the passphrase in the System keychain, and puts the resulting PEM files in /etc/certificates/.

Editing a Certificate
After you add a certificate signature, you can't edit the certificate. You must replace it with one generated from the same private key. For instructions on how to do this, see "Replacing an Existing Certificate" on page 175.
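A check of the /etc/certificates layout described above (the naming convention plus the 644 root:wheel and 640 root:certusers rules), as an added example that is not Apple's code: it audits an ls -l style listing rather than the live directory so it can run anywhere. The type suffixes cert, key, chain and concat and the sample listing are assumptions for this example.

```shell
#!/bin/sh
# Added example (not Apple's code): audit an /etc/certificates-style listing.
# Each input line is constructed in the shape "MODE OWNER GROUP NAME", the
# columns `ls -l` prints without link count, size and date.
# Policy from the text: certificate and trust chain -> root:wheel 644;
# key and concatenation file -> root:certusers 640.
# The type suffixes cert/key/chain/concat are assumed for this example.

# mode_to_octal SYMBOLIC -> permission bits as three octal digits
# (e.g. -rw-r----- -> 640); setuid/setgid/sticky bits are ignored.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, 2); o = ""
        for (i = 0; i < 3; i++) {
            v = 0
            if (substr(s, i * 3 + 1, 1) == "r") v += 4
            if (substr(s, i * 3 + 2, 1) == "w") v += 2
            if (substr(s, i * 3 + 3, 1) != "-") v += 1
            o = o v
        }
        print o
    }'
}

# expected_for TYPE -> "OWNER GROUP MODE" for that file type
expected_for() {
    case $1 in
        cert|chain) printf 'root wheel 644\n' ;;
        key|concat) printf 'root certusers 640\n' ;;
    esac
}

# audit_cert_listing < listing
#   Prints one line per finding and returns the number of findings (0 = clean).
audit_cert_listing() {
    findings=0
    while read -r mode owner group name; do
        [ -n "$name" ] || continue
        # Naming convention: <host>.<40 hex digit fingerprint>.<type>.pem
        if ! printf '%s\n' "$name" |
             grep -Eq '^[A-Za-z0-9._-]+\.[0-9A-F]{40}\.(cert|key|chain|concat)\.pem$'; then
            echo "$name: does not follow the host.fingerprint.type.pem convention"
            findings=$((findings + 1))
            continue
        fi
        type=${name%.pem}; type=${type##*.}
        set -- $(expected_for "$type")          # $1 owner, $2 group, $3 mode
        perm=$(mode_to_octal "$mode")
        [ "$owner" = "$1" ] && [ "$group" = "$2" ] && [ "$perm" = "$3" ] || {
            echo "$name: is $owner:$group $perm, expected $1:$2 $3"
            findings=$((findings + 1))
        }
    done
    return "$findings"
}
```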
Distributing a CA Public Certificate to Clients
If you're using self-signed certificates, a warning appears in most user applications saying that the CA is not recognized. Other software, such as the LDAP client, refuses to use SSL if the server's CA is unknown. Mac OS X Server ships only with certificates from well-known commercial CAs. To prevent this warning, your CA certificate must be distributed to every client computer that connects to the secure server.

To distribute your certificate to your clients:
1 Copy the self-signed CA certificate (the file named ca.crt) onto each client computer.
Consider using nonrewritable media, such as a CD-R. Using nonrewritable media prevents the certificate from being corrupted.
2 Open the Keychain Access tool by double-clicking the ca.crt icon where the certificate was copied onto the client computer.
3 Drag the certificate to the System keychain using Keychain Access.
4 Authenticate as an administrator, if requested.
5 Double-click the certificate to get the certificate details.
6 In the details window, click the Trust disclosure triangle.
7 From the pop-up menu next to "When using this certificate," select Always Trust.
You have now added trust to this certificate, regardless of who it is signed by.

From the command line:
    # -------------------------------------------------------------------
    # Using the security tool to edit trust settings
    # -------------------------------------------------------------------
    # Where the final argument is the local file path to the certificate.
    #
    sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain 

Deleting a Certificate
When a certificate has expired or been compromised, you must delete it.

To delete a certificate:
1 In Server Admin, select the server that has services that support SSL.
2 Click Certificates.
3 Select the Certificate Identity to delete.
4 Click the Remove (-) button and select Delete.
5 Click Save.

Renewing an Expiring Certificate
Certificates have an expiration date and must be renewed periodically. Renewing a certificate is the same as replacing a certificate with a newly generated one with an updated expiration date.

To renew an expiring certificate:
1 Request a certificate from the CA.
If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to renew.
5 Click the Action button and select Replace Certificate with Signed or Renewed Certificate.
6 Drag the renewed certificate to the sheet.
7 Click Replace Certificate.

Replacing an Existing Certificate
If you change the DNS name of the server or any virtual hosts on the server, you must replace an existing certificate with an updated one.

To replace an expiring certificate:
1 Request a certificate from the CA.
If you are your own CA, create one using your own root certificate.
2 In Server Admin in the Server list, select the server that has the expiring certificate.
3 Click Certificates.
4 Select the Certificate Identity to replace.
5 Click the Action button and select Replace Certificate with Signed or Renewed Certificate.
6 Drag the replacement certificate to the sheet.
7 Click Replace Certificate.

10 Setting General Protocols and Access to Services
Use this chapter to learn how to use Server Admin to configure access to services and to set general protocols.

Server Admin helps you configure and manage servers. You can set general protocols, name or rename computers, set the date and time, manage certificates, and set user access to specific services.

Setting General Protocols
Snow Leopard Server includes basic network management protocols, including network time protocol (NTP) and simple network management protocol (SNMP). Unless these are required, they should be disabled.

Disabling NTP Service
NTP allows computers on a network to synchronize Date & Time settings. Client computers specify their NTP server in the Date & Time panel of System Preferences.

NTP client access is typically required. If so, enable it on a single, trusted server on the local network. This service should be disabled on all other servers. For more information about the open source implementation, see www.ntp.org.

To disable NTP service:
1 Open Server Admin and connect to the server.
2 Click Settings, then click Date & Time.
3 Unless NTP is not required, make sure your server is configured to "Set date & time automatically."
4 From the pop-up menu, choose the server you want to act as a time server.
5 Click General.
6 Deselect the Network Time Server (NTP) checkbox.
7 Click Save.

From the command line:
    # ---------------------------------------------------------------------
    # Setting General Protocols
    # ---------------------------------------------------------------------
    #
    # Disable NTP Client access.
    # -----------
    sudo systemsetup -setusingnetworktime off
    #
    # Disable NTP service.
    #------------
    sudo serveradmin settings info:ntpTimeServe = no

Disabling SNMP
SNMP software allows other computers to monitor and collect data on the state of a computer running Snow Leopard Server. This helps administrators identify computers that warrant attention, but use of this service is not recommended.

To disable SNMP:
1 Open Server Admin and connect to the server.
2 Click Settings.
3 Click General.
4 Deselect Network Management Server (SNMP).
5 Click Save.

From the command line:
    #
    # Disable SNMP.
    # ------------
    sudo serveradmin settings info:enableSNMP = no
    # or alternatively.
    #
    sudo service org.net-snmp.snmpd stop

Enabling SSH
Snow Leopard Server also includes secure shell (SSH). SSH allows you to log in to other computers on a network, execute commands remotely, and move files from one computer to another. It provides strong authentication and secure communication, and is therefore recommended if remote login is required. For more information, see www.openssh.org.

To enable SSH:
1 Open Server Admin and connect to the server.
2 Click Settings.
3 Click General.
4 Select Remote Login (SSH).
5 Click Save.

From the command line:
    #
    # Enable SSH.
    # ----------
    sudo service ssh start
    # or alternatively.
    # sudo serveradmin settings info:enableSSH = yes

About Remote Management (ARD)
You can use ARD to perform remote management tasks such as screen sharing. When sharing your screen, provide access only to specific users to prevent unauthorized access to your computer screen. You must also determine the privileges users will have when viewing your screen.

ARD is turned off by default and should remain off when it is not being used. This prevents unauthorized users from attempting to access your computer.

You can administer ARD using a built-in command-line tool called kickstart. You can find more information about the tool and its capabilities by using its built-in help. Access the help by entering the following command:
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help

For more information about ARD and its uses and capabilities, see the Apple Remote Desktop Administrator Guide.

Remote Management Best Practices
An ARD manager with full privileges can run these tasks as the root user. By limiting the privileges that an ARD manager has, you increase security. When setting privileges, disable or limit an administrator's access to an ARD client.

You can set a VNC password that requires authorized users to use a password to access your computer. The most secure way is to require authorized users to request permission to access your computer screen.

Remote Management can act as a standard VNC server, accepting connections from VNC clients. Enabling VNC access is not recommended. If users connect to your computer using VNC, require that they use a password by enabling "VNC viewers may control screen with password." Use Password Assistant to create a strong password for VNC users.

Limiting Remote Management Access
Users that have access to screen control and command-line code execution using Apple Remote Desktop effectively have root user access on the computer, even if their user account is a standard account. You should limit what users are allowed to do with Remote Management.

Change the default setting for remote management from "All users" to "Only these users." The default setting "All users" includes all users on your local computer and all users in the directory server you are connected to.

Any account using ARD should have limited privileges to prevent remote users from having full control of your computer. You can securely configure ARD by restricting access to specific users. You can also restrict each user's privileges by setting ARD options. Limit the user's privileges to the user's permission on the computer. For example, you might not want to give a standard user the ability to change your settings or delete items.

To limit Remote Management access:
1 On the server, open System Preferences and click Sharing.
If the preference pane is locked, click the lock and enter the user name and password of a user with administrator privileges on the computer.
2 Select Remote Management in the Sharing pane.
3 Select "Only these users," click Add (+), select users, and click Select.
4 Select a user in the list to change that user's administrator privileges.
5 Click Options.
6 Make the changes to the access privileges and then click OK.
Your changes take effect immediately. You can hold down the Option key while clicking an access privilege checkbox to automatically select all access checkboxes.
For more information about the privileges list, see "Apple Remote Desktop Administrator Access" in the Apple Remote Desktop Administrator Guide.
7 If you're changing access for several users, repeat this for each user.

From the command line:
    #
    # Remote Management (ARD)
    # -----------------------------
    # Limiting Remote Management Access
    # Repeat for each specified user.
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users $ARD_USERNAME -privs - -restart
    # Specify the user
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -allowAccessFor -specifiedUsers $ARD_USERNAME

Disabling Remote Management Access
You can disable Remote Management in several different ways. You can:
- Disable access for all users.
- Stop the ARD Agent process temporarily.
- Disable the service entirely.

You might want to keep the computer running as an ARD Task Server but not let users control it remotely. In such a case, you would disable access for the users, but leave the agent running and the service intact. If you stop the agent, it relaunches at system restart, so it doesn't remain permanently disabled.

To disable access for all users:
1 On the server, open System Preferences and click Sharing.
If the preference pane is locked, click the lock and enter the user name and password of a user with administrator privileges on the computer.
2 Select Remote Management in the Sharing pane.
3 Select a user from the "Only these users" list.
4 Click Remove (-).
5 Repeat for each user.

To stop the Agent process:
1 Open Terminal.app.
2 Enter the following command:
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop

To disable the service:
1 Open Server Admin and connect to the server.
2 Click Settings.
3 Click General.
4 Deselect Remote Management.
5 Click Save.

From the command line:
    #
    # Disable Remote Management
    # ---------------------------
    # To remove user access:
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off
    # To stop the ARD agent:
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
    # To disable the service:
    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
    # or alternatively.
    # sudo serveradmin settings info:enableARD = no

Remote Apple Events (RAE)
If you enable Remote Apple Events (RAE), you allow your computer to respond to events sent by other computers on your network. These events include AppleScript programs. A malicious AppleScript program can do things like delete your ~/Documents/ folder.

RAE is turned off by default and should remain off when it is not used. This prevents unauthorized users from accessing your computer.

From the command line:
    #
    # Remote Apple Events (RAE)
    # -----------------------------
    # Disable Remote Apple Events.
    sudo launchctl unload -w /System/Library/LaunchDaemons/eppc.plist

Restricting Access to Specific Users
Avoid enabling RAE. If you enable RAE, do so on a trusted private network and disable it immediately after disconnecting from the network.

Change the default setting for RAE from "All users" to "Only these users." The default setting "All users" includes all users on your local computer and all users in the directory server you are connected to.

When securely configuring RAE, restrict remote events to only be accepted from specific users. This prevents unauthorized users from sending malicious events to your computer. If you create a sharing user account, create a strong password using Password Assistant.

Avoid accepting events from Mac OS 9 computers. If you need to accept Mac OS 9 events, use Password Assistant to create a strong password.

Setting the Server's Host Name
You can change your computer name and local host name in Server Admin. When other users use Bonjour to discover your available services, the server is displayed as hostname.local. To increase your privacy, change the host name of your computer so your computer cannot be easily identified. The name should not indicate the purpose of the computer, and the word "server" should not be used as the name or part of the name.

Setting the Date and Time
Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues. You can use Server Admin to configure your computer to set the date and time based on an NTP server. If you require automatic date and time, use a trusted, internal NTP server.
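The recommendations of this chapter (NTP server, SNMP, Remote Management, SSH and the host name rule) as a compliance check over serveradmin settings info output, as an added example that is not Apple's code. The capture is constructed from the keys shown in the command-line boxes above; info:computerName is assumed to exist, and SSH is wanted only when remote login is required.

```shell
#!/bin/sh
# Added example (not Apple's code): check `sudo serveradmin settings info`
# output against this chapter's recommendations.
# SAMPLE is a constructed capture; on a real server feed the live output in.
# info:computerName is assumed to be present (it is not shown in the text).
SAMPLE='info:ntpTimeServe = yes
info:enableSNMP = yes
info:enableSSH = yes
info:enableARD = no
info:computerName = "files"'

# setting_value KEY < output -> the value after "KEY = ", quotes stripped
setting_value() {
    awk -v k="$1" '$1 == k && $2 == "=" {
        v = $0; sub(/^[^=]*= */, "", v); gsub(/"/, "", v); print v; exit }'
}

# check_general_protocols SSH_REQUIRED < output
#   SSH_REQUIRED is yes or no (the text recommends SSH only if remote login
#   is required). Prints one line per deviation and returns their count.
check_general_protocols() {
    ssh_required=${1:-no}
    out=$(cat)
    deviations=0
    # KEY WANTED REASON, taken from the chapter's command-line boxes.
    policy="info:ntpTimeServe no NTP service belongs on a single trusted server only
info:enableSNMP no SNMP is not recommended
info:enableARD no Remote Management should stay off when not in use
info:enableSSH $ssh_required enable SSH only if remote login is required"
    while read -r key wanted reason; do
        actual=$(printf '%s\n' "$out" | setting_value "$key")
        if [ -z "$actual" ]; then
            echo "$key: not present in output"
            deviations=$((deviations + 1))
        elif [ "$actual" != "$wanted" ]; then
            echo "$key = $actual, expected $wanted ($reason)"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$policy
EOF
    # Host name rule: the word "server" should not be part of the name.
    name=$(printf '%s\n' "$out" | setting_value info:computerName)
    case "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" in
        *server*)
            echo "info:computerName = $name: the word server should not be part of the name"
            deviations=$((deviations + 1)) ;;
    esac
    return "$deviations"
}
```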
Setting Up Certificates
Certificate Manager is integrated into Server Admin to help you create, use, and maintain identities for SSL-enabled services. Certificate Manager provides integrated management of SSL certificates in Snow Leopard Server for services that allow the use of SSL certificates. For more information about setting up certificates, see "Certificate Manager in Server Admin" on page 167.

Setting Service Access Control Lists (SACLs)
You use a Service Access Control List (SACL) to enforce who can use a specific service. It is not a means of authentication. It is a list of those who have access rights to use the service. SACLs allow you to add a layer of access control on top of standard and ACL permissions. A user or group not in a service's SACL cannot access the service. For example, to prevent users from accessing AFP share points on a server, including home folders, remove the users from the AFP service's SACL.
Server Admin in Snow Leopard Server allows you to configure SACLs. Open Directory authenticates user accounts, and SACLs authorize use of services. If Open Directory authenticates you, the SACL for the login window determines whether you can log in, the SACL for AFP service determines whether you can connect for Apple file service, and so on.
Some services also determine whether a user is authorized to access specific resources. This authorization can require retrieving additional user account information from the directory domain. For example, AFP service needs the user ID and group membership information to determine which folders and files the user is authorized to read and write.

To set SACL permissions for a service:
1 Open Server Admin and connect to the server.
2 Click Access.
3 Click Services.
4 Select "For all services" to apply one access list to every service, or deselect it to set access permissions per service.
5 If you deselect "For all services", select a service from the Service list.
6 To provide unrestricted access to services, click "Allow all users and groups". To provide access to specific users and groups:
a Select "Allow only users and groups below".
b Click the Add (+) button to open the Users & Groups drawer.
c Drag users and groups from the Users & Groups drawer to the list.
7 Click Save.

You can limit access to command-line tools that might run services by limiting the use of the sudo command. For more information, see "Managing the sudoers File" on page 361.

From the command line:
# Set SACL permissions for a service.
# $SACL_GROUP is the service's access group, for example com.apple.access_ssh for SSH.
sudo dseditgroup -o edit -a $USER -t user $SACL_GROUP

11 Securing Remote Access Services
Use this chapter to learn how to secure Remote Access services.
Many organizations have individuals who need to connect to network resources remotely. This can create additional vulnerabilities unless your remote access services are securely configured. Snow Leopard Server allows remote access using remote login and VPN services. These services should be disabled unless they are required.
Remote Access via remote login consists of two components, each using the Secure Shell (SSH) service to establish an encrypted tunnel between client and server. "Securing Remote SSH Login" on page 185 discusses securing the server component, while "Configuring SSH" on page 186 discusses securing the client component.
For additional information about configuring remote access services, see the Network Services Administration guide.

Securing Remote SSH Login
Remote Login allows users to connect to your computer through SSH. By enabling Remote Login, you activate more secure versions of commonly used insecure tools. Be aware of the following SSH tools:
• sshd: Daemon that acts as a server to all other commands
• ssh: Primary user tool for remote shell and port-forwarding sessions
• scp: Secure copy, a tool for automated file transfers
• sftp: Secure FTP, a replacement for FTP
The following table lists tools enabled with Remote Login and their insecure counterparts.

Secure Remote Login tool    Insecure tool
ssh                         telnet
slogin                      login
scp                         rcp
sftp                        ftp

SSH creates a secure encrypted channel that protects communication with your computers. Do not use older services that do not encrypt their communications, such as Telnet or RSH; they allow network eavesdroppers to intercept passwords or other data.
Unless you must remotely log in to the computer or use another program that depends on SSH, disable the remote login service. However, Server Admin requires SSH. If you disable remote login, you cannot use Server Admin to remotely administer the server.

To disable remote login:
1 Open System Preferences.
2 Click Sharing.
3 In the Service list, deselect Remote Login.

Configuring SSH
SSH lets you send secure, encrypted commands to a remote computer, as if you were sitting at the computer. Use the ssh tool in Terminal to open a command-line connection to a remote computer. While the connection is open, commands you enter are performed on the remote computer.
Note: You can use any application that supports SSH to connect to a computer running Snow Leopard or Snow Leopard Server.
SSH works by setting up encrypted tunnels using public and private keys. Here is a description of an SSH session:
1 The local and remote computers exchange their public keys. If the local computer has never encountered a given public key before, SSH prompts you whether to accept the unknown key.
2 The two computers use the public keys to negotiate a session key that is used to encrypt subsequent session data.
3 The remote computer attempts to authenticate the user with an RSA or DSA key pair. If this is not possible, the local computer is prompted for a standard user name and password combination. For information about setting up key-based authentication, see "Generating Key Pairs for Key-Based SSH Connections" on page 187.
4 After successful authentication, the session begins. A remote shell, a secure file transfer, a remote command, or similar begins through the encrypted tunnel.

Modifying the SSH Configuration File
Making changes to the SSH configuration file enables you to set options for each ssh connection. You can make these changes systemwide or for specific users. To make the change systemwide, change the options in the /etc/ssh_config file, which affects all ssh users on the computer. To make the change for a single user, change the options in that user's ~/.ssh/config file.
The ssh configuration file has connection options and other specifications for an ssh host. A host is specified by the Host declaration. By default, the Host declaration is an asterisk (*), indicating that any host you are connecting to will use the options listed below the Host declaration. You can add a specific host and options for that host by adding a new Host declaration. The new Host declaration specifies a name or address in place of the asterisk. You can then set the connection options for the host below the Host declaration. Because ssh uses the first value it finds for each option, place specific Host declarations before the general "Host *" declaration, or the general values will win.
This helps secure your ssh sessions in environments with varying security levels. For example, if you are connecting to a server using ssh through the Internet, the server might require a more secure or stricter connection. However, if you are in a more secure environment, such as your own personal network, you need not require the same strict connection options.
For more information about ssh configuration file options, see the ssh_config man page. To enable SSH, see "Enabling SSH" on page 178.

Generating Key Pairs for Key-Based SSH Connections
By default, SSH supports the use of password, key, and Kerberos authentication. The standard method of SSH authentication is to supply login credentials in the form of a user name and password. Identity key pair authentication enables you to log in to the server without supplying a password. This process works as follows:
1 A private and a public key are generated, each associated with a user name to establish that user's authenticity.
2 When you attempt to log in as that user, the user name is sent to the remote computer.
3 The remote computer looks in the user's .ssh/ folder (in the authorized_keys file) for the user's public key. This folder is created after using SSH the first time.
4 A challenge is then sent to the user based on his or her public key.
5 The user verifies his or her identity by using the private portion of the key pair to decode the challenge.
6 After the challenge is decoded, the user is logged in without the need for a password.
This is especially useful when automating remote scripts.
Key-based authentication requires possession of the private key instead of a password to log in. A private key is much harder to guess than a password. However, if the home folder where the private key is stored is compromised, and the private key is not protected by a passphrase, then this private key can be used to log in to other systems. Password authentication, by contrast, can be compromised without needing a private key file.
If the server uses FileVault to encrypt the home folder of the user you want to connect as over SSH, you must be logged in on the server to use SSH, because sshd cannot read the authorized_keys file inside a locked FileVault home. Alternatively, you can store the keys for the user in a location that is not protected by FileVault. However, this is not secure.

To generate the identity key pair:
1 Enter the following command on the local computer.
ssh-keygen -t dsa
(DSA keys are fixed at 1024 bits. For a stronger key, use ssh-keygen -t rsa -b 2048; the rest of the procedure is the same.)
2 When prompted, enter a file name to save the keys in the user's folder.
3 Enter a passphrase followed by passphrase verification (empty for no passphrase).
For example:
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/anne/.ssh/id_dsa): frog
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in frog.
Your public key has been saved in frog.pub.
The key fingerprint is:
4a:5c:6e:9f:3e:35:8b:e5:c9:5a:ac:00:e6:b8:d7:96 annejohnson1@mac.com
This creates two files. Your identification or private key is saved in one file (frog in our example) and your public key is saved in the other (frog.pub in our example). The key fingerprint, derived cryptographically from the public key value, is also displayed. Because the fingerprint is a one-way hash of the public key, two parties can compare fingerprints to confirm they hold the same key without exchanging the key again.
Note: The server's own host key pairs are stored in /etc (ssh_host_key for SSH protocol 1, and ssh_host_rsa_key and ssh_host_dsa_key for protocol 2, each with a matching .pub file). Back up these key pairs in case you need to reinstall your server software. If your server software is reinstalled, you can retain the server identity by putting the keys back in their folder, which also spares every client a changed-host-key warning.
4 Copy the resulting public key file, which contains the local computer's public key, to the remote computer and append its contents to the .ssh/authorized_keys file in the user's home folder there. The .ssh folder must be writable only by the user (mode 700) and authorized_keys likewise (mode 600); sshd ignores keys stored with looser permissions.
The next time you log in to the remote computer from the local computer, you won't need to enter a password (unless you entered a passphrase in step 3 above).
Note: If you are using an Open Directory user account and have logged in using the account, you do not need to supply a password for SSH login. On Snow Leopard Server computers, SSH uses Kerberos for single sign-on authentication with any user account that has an Open Directory password (but Kerberos must be running on the Open Directory server). For more information, see Open Directory Administration.

Updating SSH Key Fingerprints
The first time you connect to a remote computer using SSH, the local computer prompts for permission to add the remote computer's fingerprint (a hash of its public host key) to a list of known remote computers. You might see a message like this:
The authenticity of host "server1.example.com" can't be established.
RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7.
Are you sure you want to continue connecting (yes/no)?
The first time you connect, you have no way of knowing whether this is the correct host key. When you respond yes, the host key is inserted into the ~/.ssh/known_hosts file so it can be compared in later sessions. Be sure this is the correct key before accepting it. If at all possible, give users the server's host key fingerprint through a channel they already trust (for example, mail or a download from a web page served over HTTPS; not plain FTP, which this guide advises against elsewhere), so they can verify the identity of the server before accepting the key.
If you later see a warning message about a man-in-the-middle attack when you try to connect, the key on the remote computer might no longer match the key stored on the local computer. This can happen if you:
• Change your SSH configuration on the local or remote computer.
• Perform a clean installation of the server software on the computer you are attempting to log in to using SSH.
• Start up from a Snow Leopard Server CD on the computer you are attempting to log in to using SSH.
• Attempt to use SSH to log in to a computer that has the same IP address as a computer that you previously used SSH with on another network.
To connect again, delete the entries corresponding to the remote computer you are accessing (which can be stored by both name and IP address) in ~/.ssh/known_hosts.
Important: Removing an entry from the known_hosts file bypasses a security mechanism that helps you avoid imposters and man-in-the-middle attacks. Be sure you understand why the key on the remote computer has changed before you delete its entry from the known_hosts file.

Controlling Access to SSH
You can use Server Admin to control which users can open a command-line connection using the ssh tool in Terminal. Users with administrator privileges are always allowed to open a connection using SSH. The ssh tool uses the SSH service. For information about restricting user access to services, see "Setting Service Access Control Lists (SACLs)" on page 183.

SSH Man-in-the-Middle Attacks
An attacker might be able to access your network and compromise routing information, so that packets intended for a remote computer are routed to the attacker, who impersonates the remote computer to the local computer and the local computer to the remote computer.
Here's a typical scenario: A user connects to the remote computer using SSH. By means of spoofing techniques, the attacker poses as the remote computer and receives the information from the local computer. The attacker then relays the information to the intended remote computer, receives a response, and then relays the remote computer's response to the local computer. Throughout the process, the attacker sees the information that goes back and forth, and can modify it.
The following message can indicate a man-in-the-middle attack when connecting to the remote computer using SSH:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
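The three client-side checks described in the SSH sections above (which Host declaration applies to a connection, how a host key fingerprint is derived, and how to remove a host's known_hosts entries by both name and address) as an added example. This script is not part of the guide or of OpenSSH: it is a POSIX shell script that reimplements the relevant logic so the behaviour can be seen on a constructed ssh_config and known_hosts in a temporary directory. The host names, addresses and key blobs are made up for the example (the "key" material is just base64 text, not a real key), and base64 plus md5sum (md5 on Mac OS X) stand in for ssh-keygen -l.

```shell
#!/bin/sh
# Added example: client-side SSH checks (not from the guide or OpenSSH).
# Hosts, addresses and key blobs below are constructed for the example.

# --- 1. Which value does ssh use for an option when connecting to a host?
# ssh_config is read top to bottom and the FIRST value found for an option
# wins, so specific Host stanzas must precede the catch-all "Host *".
# Supports * and ? wildcards; negated (!) patterns are not handled.
ssh_effective_option() {   # usage: ssh_effective_option <config> <host> <option>
    awk -v host="$2" -v opt="$3" '
        function pat2re(p,   i, c, r) {          # Host pattern -> anchored regex
            r = "^"
            for (i = 1; i <= length(p); i++) {
                c = substr(p, i, 1)
                if (c == "*") r = r ".*"
                else if (c == "?") r = r "."
                else if (c ~ /[A-Za-z0-9_-]/) r = r c
                else r = r "\\" c                 # escape "." and other metachars
            }
            return r "$"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
        tolower($1) == "host" {                   # new stanza: does it match?
            active = 0
            for (i = 2; i <= NF; i++) if (host ~ pat2re($i)) active = 1
            next
        }
        active && tolower($1) == tolower(opt) { print $2; exit }  # first hit wins
    ' "$1"
}

# --- 2. MD5 fingerprint of a public key, in the aa:bb:cc form ssh prints.
# The fingerprint is the MD5 of the base64-decoded key blob: nothing is
# encrypted. Accepts a "ssh-rsa AAAA..." line or a known_hosts line.
ssh_md5_fingerprint() {   # usage: ssh_md5_fingerprint "<key line>"
    blob=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
                                       if ($i ~ /^(ssh-|ecdsa-)/) { print $(i+1); exit } }')
    [ -n "$blob" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        hex=$(printf '%s' "$blob" | base64 -d | md5sum | cut -c1-32)
    else
        hex=$(printf '%s' "$blob" | base64 -d | md5 | cut -c1-32)      # Mac OS X
    fi
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# --- 3. Forget a host in known_hosts, by every name and address it was
# reached by. Entries may share a line ("name,10.0.0.5 ssh-rsa ...") or be
# on separate lines, so pass every alias. The original file is kept as
# <file>.old: a deleted entry is also the evidence of a possible attack.
# Hashed entries (HashKnownHosts yes) cannot be matched by name this way.
known_hosts_forget() {   # usage: known_hosts_forget <known_hosts> <name_or_ip>...
    f="$1"; shift
    cp "$f" "$f.old"
    for target in "$@"; do
        awk -v t="$target" '{
            n = split($1, names, ","); hit = 0
            for (i = 1; i <= n; i++) if (names[i] == t) hit = 1
            if (!hit) print
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}
known_hosts_count() { awk 'END { print NR }' "$1"; }

# --- Constructed sample files (example data, not real hosts or keys).
EXAMPLE_DIR=$(mktemp -d)
cat > "$EXAMPLE_DIR/config" <<'EOF'
# Strict settings for a host reached across the Internet
Host bastion.example.com
    StrictHostKeyChecking yes
    PasswordAuthentication no

# Relaxed settings for the lab network
Host *.lab.example.com 10.0.0.*
    StrictHostKeyChecking no

# Defaults for everything else; must come last
Host *
    StrictHostKeyChecking ask
    PasswordAuthentication yes
EOF
cat > "$EXAMPLE_DIR/known_hosts" <<'EOF'
server1.example.com,10.0.0.5 ssh-rsa aGVsbG8=
10.0.0.5 ssh-rsa aGVsbG8=
other.example.com ssh-dss c2VjcmV0
EOF
```

The stock tools do the same jobs: ssh-keygen -lf key.pub prints the MD5 fingerprint on OpenSSH of this era, and ssh-keygen -R hostname -f ~/.ssh/known_hosts removes one host's entries (run it once for the name and once for the address, and it also handles hashed entries). What the script makes visible is the ordering rule for Host stanzas and the fact that a host stored under both a name and an address needs both removed.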
Protect against this type of attack by verifying that the host key sent back is the correct host key for the computer you are trying to reach. Be watchful for the warning message, and alert your users to its meaning.

Transferring Files Using SFTP
SFTP is the SSH File Transfer Protocol; it runs inside an SSH session and replaces FTP. SFTP encrypts commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. Always use SFTP instead of FTP.

To transfer a file using SFTP:
1 Open Terminal.
2 Start the SFTP session.
sftp username@hostname
Replace username with your user name and hostname with the IP address or host name of the server you are connecting to.
3 Enter your password when prompted. You are now connected securely to the server.
4 Use the SFTP commands to transfer files from the prompt.
sftp>
Use the put command to transfer a file from the local computer to the remote computer. Use the get command to transfer a file from the remote computer to the local computer.
5 Enter the following to transfer a picture file from the remote computer to the local computer.
sftp> get picture.png /Users/annejohnson/picture.png
6 To disconnect and end the SFTP session, enter exit at the prompt.

Securing VPN Service
By configuring a Virtual Private Network (VPN) on your server, you can give users a more secure way of remotely communicating with computers on your network.
A VPN consists of computers or networks (nodes) connected by a private link of encrypted data. This link simulates a local connection, as if the remote computer were attached to the LAN.
VPNs securely connect users working away from the office (for example, at home) to the LAN through a connection such as the Internet. From the user's perspective, the VPN connection appears as a dedicated private link.
VPN technology can also connect an organization to branch offices over the Internet while maintaining secure communications. The VPN connection across the Internet acts as a WAN link between the sites.
VPNs have several advantages for organizations whose computer resources are physically separated. For example, each remote user or node uses the network resources of its Internet Service Provider (ISP) rather than having a direct, wired link to the main location.

VPN and Security
VPNs increase security by requiring strong authentication of identity and encrypted data transport between the nodes for data privacy and dependability. The following sections contain information about supported transports and authentication methods.

Transport Protocols
There are two encrypted transport protocols: Layer Two Tunneling Protocol over IP Security (L2TP/IPSec) and Point to Point Tunneling Protocol (PPTP). You can enable either or both of these protocols. Each has its own strengths and requirements.

L2TP/IPSec
L2TP/IPSec uses strong IPSec encryption to tunnel data to and from network nodes. It is based on Cisco's L2F protocol. IPSec requires security certificates (self-signed or signed by a CA such as VeriSign) or a predefined shared secret between connecting nodes. The shared secret must be entered on the server and the client.
The shared secret is not a user's login password, and it is not used directly as the key that encrypts the tunnel. It is a pre-shared key that the key management systems (IKE) on the two nodes use to authenticate each other before negotiating the per-session keys that protect the tunnel. Anyone who learns it can therefore pose as a legitimate client or server, so choose a long random value and protect it like a password.
L2TP is Snow Leopard Server's preferred VPN protocol because it has superior transport encryption and can be authenticated using Kerberos.

PPTP
PPTP is a commonly used Windows standard VPN protocol. PPTP offers good encryption (if strong passwords are used) and supports a number of authentication schemes. It uses the user-provided password to produce an encryption key. By default, PPTP supports 128-bit (strong) encryption. PPTP also supports the 40-bit (weak) security encryption.
PPTP is necessary if you have Windows clients with versions earlier than Windows XP or if you have Mac OS X v10.2 clients or earlier. Because PPTP's confidentiality rests entirely on the user's password and the MS-CHAPv2 exchange, treat it as a compatibility option for those legacy clients and prefer L2TP/IPSec whenever the clients support it.
Configuring L2TP/IPSec Settings
Use Server Admin to designate L2TP as the transport protocol. If you enable this protocol, you must also configure connection settings. You must designate an IPSec shared secret (if you don't use a signed security certificate), the IP address allocation range to be given to your clients, and the group that will use the VPN service (if needed). If you use L2TP and PPTP, provide each protocol with a separate, nonoverlapping address range.
When configuring VPN, make sure the firewall allows VPN traffic on the needed ports with the following settings:
• For the "any" address group, enable GRE, ESP, VPN L2TP (UDP port 1701), and VPN ISAKMP/IKE (UDP port 500). If clients connect from behind NAT, also allow IPSec NAT traversal (UDP port 4500).
• For the 192.168-net address group, choose to allow all traffic.

To configure L2TP settings:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select VPN.
4 Click Settings, then click L2TP.
5 Select the "Enable L2TP over IPSec" checkbox.
6 In the "Starting IP address" field, set the beginning IP address of the VPN allocation range. It can't overlap the DHCP allocation range; in this example, enter 192.168.0.128.
7 In the "Ending IP address" field, set the ending IP address of the VPN allocation range. It can't overlap the DHCP allocation range; in this example, enter 192.168.0.255.
8 (Optional) To load-balance the VPN, select the "Enable Load Balancing" checkbox and enter an IP address in the "Cluster IP address" field.
9 Choose a PPP authentication type. If you choose Directory Service and your computer is bound to a Kerberos authentication server, select Kerberos from the Authentication pop-up menu. Otherwise, choose MS-CHAPv2. If you choose RADIUS, enter the following information:
Primary IP Address: Enter the IP address of the primary RADIUS server.
Shared Secret: Enter a shared secret for the primary RADIUS server.
Secondary IP Address: Enter the IP address of the secondary RADIUS server.
Shared Secret: Enter a shared secret for the secondary RADIUS server.
10 In the IPSec Authentication section, enter the shared secret or select the certificate to use. The shared secret is a common value that IPSec uses as a pre-shared key when establishing the secure tunnel between each client and the server; every client must be configured with the same value.
11 Click Save.

Configuring PPTP Settings
Use Server Admin to designate PPTP as the transport protocol. If you enable this protocol, you must also configure connection settings. You should designate an encryption key length (40-bit or 128-bit), the IP address allocation range to be given to your clients, and the group that will use the VPN service (if needed). If you use L2TP and PPTP, provide the protocols with separate, nonoverlapping address ranges (the example range below is the same as the L2TP example; in practice give PPTP its own range).
When configuring VPN, make sure the firewall allows VPN traffic on the needed ports with the following settings:
• For the "any" address group, enable GRE, ESP, VPN L2TP (UDP port 1701), and IKE (UDP port 500). PPTP itself needs its control connection on TCP port 1723 and the GRE data channel (IP protocol 47), so make sure both are allowed.
• For the 192.168-net address group, choose to allow all traffic.

To configure PPTP settings:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select VPN.
4 Click Settings, then click PPTP.
5 Select Enable PPTP.
6 If needed, select "Allow 40-bit encryption keys in addition to 128-bit" to permit 40-bit and 128-bit key encryption access to VPN.
WARNING: 40-bit encryption keys are much less secure but can be necessary for some VPN client applications.
7 In the "Starting IP address" field, set the beginning IP address of the VPN allocation range. It can't overlap the DHCP allocation range; in this example, enter 192.168.0.128.
8 In the "Ending IP address" field, set the ending IP address of the VPN allocation range. It can't overlap the DHCP allocation range; in this example, enter 192.168.0.255.
9 Choose a PPP authentication type. If you choose Directory Service and your computer is bound to a Kerberos authentication server, select Kerberos from the Authentication pop-up menu. Otherwise, choose MS-CHAPv2. If you choose RADIUS, enter the following information:
Primary IP Address: Enter the IP address of the primary RADIUS server.
Shared Secret: Enter a shared secret for the primary RADIUS server.
Secondary IP Address: Enter the IP address of the secondary RADIUS server.
Shared Secret: Enter a shared secret for the secondary RADIUS server.
10 Click Save.

VPN Authentication Method
Snow Leopard Server L2TP VPN uses Kerberos v5 or Microsoft's Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) for authentication. Snow Leopard Server PPTP VPN uses MS-CHAPv2 for authentication.
Kerberos is a secure authentication protocol that uses a Kerberos Key Distribution Center (KDC) as a trusted third party to authenticate a client to a server.
MS-CHAPv2 authentication never sends the password itself over the network: the client answers a challenge using a hash of the password, and the server stores that hash rather than the clear password. This method offers good security during network transmission. It is also the standard Windows authentication scheme for VPN.
Snow Leopard Server PPTP VPN can also use other authentication methods. Each method has its own strengths and requirements. These other authentication methods for PPTP are not available in Server Admin. To use an alternative authentication scheme (for example, RSA Security's SecurID authentication), you must edit the VPN configuration file manually. The configuration file is located at /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist. For more information, see "Offering SecurID Authentication with VPN Service" on page 196.

Using VPN Service with Users in a Third-Party LDAP Domain
To use VPN service for users in a third-party LDAP domain (an Active Directory or Linux OpenLDAP domain), you must be able to use Kerberos authentication. If you need to use MS-CHAPv2 to authenticate users, you can't offer VPN service for users in a third-party LDAP domain.

Offering SecurID Authentication with VPN Service
RSA Security provides strong authentication. It uses hardware and software tokens to verify user identity. SecurID authentication is available for L2TP and PPTP transports. For details and product offerings, see www.rsasecurity.com.
Snow Leopard Server VPN service can offer SecurID authentication, but it cannot be set up in Server Admin. You can use Server Admin to configure standard VPN services, but Server Admin does not have an interface for choosing your authentication method. If you must designate an authentication scheme (such as RSA Security SecurID) other than the default, change the VPN configuration manually. For additional information, see the RSA SecurID Ready Implementation Guide, located on the web at rsasecurity.agora.com/rsasecured/guides/imp_pdfs/MacOSX_ACE_51.pdf.

To manually configure RSA Security SecurID authentication:
1 Open Terminal.
2 Create a folder named /var/ace on your Snow Leopard Server.
sudo mkdir /var/ace
Authenticate, if requested.
3 In Finder, choose Go > Go to Folder.
4 Type /var/ace.
5 Click Go.
6 Copy the sdconf.rec file from a SecurID server to /var/ace/. You see a dialog indicating that the /var/ace/ folder cannot be modified. Click Authenticate to allow the copy.
7 Configure the VPN service (PPTP or L2TP) on your Snow Leopard Server to enable EAP-SecurID authentication for the protocols you want to use it with. Enter the following in Terminal, replacing protocol with either pptp or l2tp:
sudo serveradmin settings vpn:Servers:com.apple.ppp.protocol:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
sudo serveradmin settings vpn:Servers:com.apple.ppp.protocol:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
8 Complete the remainder of Snow Leopard Server VPN service configuration using Server Admin.

Encrypting Observe and Control Network Data
Although Apple Remote Desktop (Remote Management) sends authentication information, keystrokes, and management commands encrypted by default, you might want additional security. You can choose to encrypt all Observe and Control traffic, at a performance cost.
Encryption is done using an SSH tunnel between participating computers. To use encryption for Observe and Control tasks, the target computers must have SSH enabled (Remote Login in the computer's Sharing preference pane). Additionally, firewalls between the participating computers must be configured to pass traffic on TCP port 22 (the SSH well-known port).
If you are trying to control a VNC server that is not a Remote Desktop client, it cannot support Remote Desktop keystroke encryption. If you try to control that VNC server, you get a warning that the keystrokes aren't encrypted, which you must acknowledge before you can control the VNC server. If you chose to encrypt all network data, then you cannot control the VNC server because Remote Desktop cannot open the necessary SSH tunnel to the VNC server.

To enable Observe and Control transport encryption:
1 Choose Remote Desktop > Preferences.
2 Click the Security button.
3 In the "Controlling computers" section, select "Encrypt all network data".

Encrypting Network Data During File Copy and Package Installations
Remote Desktop can send files for Copy Items and Install Packages via encrypted transport. This option is not enabled by default, and you must enable it explicitly for each copy task, or in a global setting in Remote Desktop's preferences. Even installer package files can be intercepted, and tampered with, if not encrypted.

To encrypt individual file copying and package installation tasks:
■ In the Copy Items task or Install Packages task configuration window of Remote Desktop, select "Encrypt network data".

To set a default encryption preference for file copies:
1 In the Remote Desktop Preferences window, select the Security pane.
2 Select "Encrypt transfers when using Copy Items" or "Encrypt transfers when using Install Packages", as needed.
Alternatively, you can encrypt a file archive before copying it. The encrypted archive can be intercepted, but it would be unreadable.

12 Securing Network Infrastructure Services
Use this chapter to learn how to secure Network and Host Access services.
You can tailor network and host access services in Snow Leopard Server to protect your computer and network users. Proper configuration of services is important and helps create a hardened shell protecting your network.
Snow Leopard Server includes several network and host access services that help you manage and maintain your network. This section describes recommended configurations for securing your network services.
For additional information about configuring network and host access services, see Network Services Administration.

Using IPv6 Protocol
Internet Protocol Version 6 (IPv6) is the Internet's next-generation protocol designed to replace the current Internet Protocol, IP Version 4 (IPv4, or just IP). IPv6 improves routing and network autoconfiguration. It increases the number of network addresses to over 3 x 10^38 (2^128), and eliminates the need for Network Address Translation (NAT). IPv6 is expected to gradually replace IPv4 over a number of years, though the two will continue to coexist during this transition.
Snow Leopard Server's network services are fully IPv6 capable and ready to transition to next-generation addressing, while remaining fully able to operate with IPv4. Snow Leopard Server fully supports IPv6, which is configurable from Network preferences.
Disable the IPv6 protocol if your server and clients do not require it. An IPv6 stack that is enabled but not covered by firewall rules gives an attacker a path around IPv4-only rules, so if you do enable IPv6, extend your firewall configuration to it. For information about disabling IPv6, see "Securing Network Preferences" on page 118.

To enable IPv6:
1 Open Network preferences.
2 In the network connection services list, click the service to configure.
3 Click Advanced.
4 Click TCP/IP.
5 Choose Automatically from the Configure IPv6 pop-up menu. If you choose Manually, you must know your assigned IPv6 address, your router's IP address, and a prefix length.
6 Click OK.
7 Click Apply.

From the command line:
# Enabling IPv6
# Enable IPv6.
sudo networksetup -setv6on [networkservice]

IPv6-Enabled Services
The following services in Snow Leopard Server support IPv6 addressing:
• DNS (BIND)
• Firewall
• Mail (POP/IMAP/SMTP)
• Windows (SMB/CIFS)
• Web (Apache 2)
These services support IPv6 addresses, but not in Server Admin. IPv6 addresses fail if entered in IP address fields in Server Admin. You can configure IPv6 addresses for these services with command-line tools and by editing configuration files.
A number of command-line tools installed with Snow Leopard Server support IPv6 (for example, ping6 and traceroute6). For more information about IPv6, see www.ipv6.org.

Securing DHCP Service
Snow Leopard Server includes Dynamic Host Configuration Protocol (DHCP) service software, which allows it to provide IP addresses, LDAP server information, and DNS server information to clients.

Disabling Unnecessary DHCP Services
Using DHCP is not recommended. Assigning static IP addresses eases accountability and mitigates the risks posed by a rogue DHCP server. If DHCP use is necessary, only one system should act as the DHCP server and the service should be disabled on all other systems.

To disable the DHCP service:
1 Open Server Admin and connect to the server.
2 Select DHCP in the Computers & Services list.
3 Click Stop DHCP.
4 Click Save.

From the command line:
# Securing DHCP Service
# Disable DHCP Service
sudo serveradmin stop dhcp

Configuring DHCP Services
To use a server as a DHCP server, configure the DHCP service in Server Admin to not distribute DNS, LDAP, and WINS information. This is a security measure meant to protect client systems. When client systems accept dynamically assigned DNS, LDAP, and WINS addresses, they become vulnerable to certain forms of network-based attacks from rogue DHCP servers. Users may unknowingly be redirected to malicious websites or servers.

To configure the DHCP service:
1 Open Server Admin and connect to the server.
2 Select DHCP in the Computers & Services list.
3 Select Subnets.
4 Select a subnet.
5 Click DNS.
6 Delete any name servers listed.
7 Click LDAP.
8 Delete any server information that appears.
9 Click WINS.
10 Delete the WINS information.
11 Click Save.

From the command line:
# Configuring DHCP Services
# Set a DHCP subnet's DNS, LDAP, and WINS parameters to no value
sudo serveradmin settings dhcp:subnets:_array_id:$SUBNET_GUID:dhcp_domain_name_server:_array_index:0 = ""
sudo serveradmin settings dhcp:subnets:_array_id:$SUBNET_GUID:dhcp_ldap_url = _empty_array
sudo serveradmin settings dhcp:subnets:_array_id:$SUBNET_GUID:WINS_node_type = "NOT SET"

Assigning Static IP Addresses Using DHCP
You can use Server Admin to assign IP addresses to specific computers. This helps simplify configuration when using DHCP and lets you have some static servers or services. To avoid potential address conflicts and to make unexpected hosts stand out in the DHCP logs, use a static map to track network activity. Note that a static map does not stop an attacker from configuring an address by hand; it only controls what the DHCP server hands out.
A static map consists of a specific IP address assigned to a network device. To assign a static IP address to a device, you need the device's Ethernet address (sometimes called its MAC address or hardware address). Each network interface has its own Ethernet address. If you have a computer that moves between wired and wireless networks, it uses two Ethernet addresses: one for the wired connection, and one for the wireless connection.

To assign a static IP address:
1 Open Server Admin and connect to the server.
2 Select DHCP in the Computers & Services list.
3 Click Static Maps.
4 Click Add Computer.
5 Enter the name of the computer.
6 In the Network Interfaces list, click the column to enter the following information: the MAC address of the computer that needs a static address, and the IP address you want to assign to the computer.
IfthecomputerhasothernetworkinterfacesthatrequirestaticIPaddresses,clicktheAdd(+)buttonandentertheIPaddressforeachinterface.8 ClickOK.9 ClickSave.Fromthecommandline:SecuringDNSServiceSnowLeopardServerusesBerkeleyInternetNameDomain(BIND)v9.4.1foritsimplementationofDNSprotocols.BINDisanopensourceimplementationandisusedbymostnameserversontheInternet.IfyourserverisnotintendedtobetheauthoritativeDNSserverforyournamespace,disabletheDNSserviceinServerAdmin.TodisabletheDNSservice:1 OpenServerAdminandconnecttotheserver.2 SelectDNSintheComputers&Serviceslist.3 ClickStopDNS.4 ClickSave.# Set a DHCP client's static IP address# -------------------------------------# Each computer needs its own GUID within the static map array.# Increment the array index value for network interfaces# for a single computer.serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:ip_address:_array_index:0 = $ASSIGNED_IP_ADDRESSserveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:en_address:_array_index:0 = $COMPUTER_MAC_ADDRESSserveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:name = $COMPUTER_NAMEChapter12SecuringNetworkInfrastructureServices 203Fromthecommandline:UnderstandingBINDBINDisthesetofprogramsusedbySnowLeopardServerthatimplementsDNS.Oneofthoseprogramsisthenamedaemon,ornamed.TosetupandconfigureBIND,youmustchangetheconfigurationfileandthezonefile.Theconfigurationfileis/etc/named.conf.Thezonefilenameisbasedonthenameofthezone.Forexample,thezonefileexample.comis/var/named/example.com.zone.Ifyoueditnamed.conftoconfigureBIND,dontchangetheinetsettingsofthecontrolsstatement.Otherwise,ServerAdmincantretrievestatusinformationforDNS.Theinetsettingsshouldlooklikethiscontrols { inet 127.0.0.1 port 54 allow {any;} keys { "rndc-key"; };};UsingServerAdminaftereditingBINDconfigurationfilesmightoverwritechanges.FormoreinformationaboutDNSandBIND,seethefollowing: DNSandBIND,5thedition,byPaulAlbitzandCricketLiu(OReillyandAssociates,2006) 
• The International Software Consortium website: www.isc.org and www.isc.org/sw/bind
• The DNS Resources Directory: www.dns.net/dnsrd

# ---------------------------------------------------------------------
# Securing DNS Service
# ---------------------------------------------------------------------
# Disable DNS Service.
# -------------------
sudo serveradmin stop dns

Turning Off Zone Transfers

Unless your site requires them, use Server Admin to turn off zone transfers and recursive DNS queries.

To turn off zone transfers and recursive DNS queries:
1 Open Server Admin and connect to the server.
2 Select DNS in the Computers & Services list.
3 Click Zones.
4 Select the primary zone you want to change.
5 Click General.
6 Deselect "Allows zone transfer" to prevent hosts on the network from getting copies of the primary zone data.
If needed, set up zone transfers so they only occur between trusted servers. This requires manually editing the BIND configuration files.
7 Click Save.

Disabling Recursion

Recursion fully resolves domain names into IP addresses. Applications depend on the DNS server to perform this function. Other DNS servers that query your DNS servers don't need to perform the recursion.

To prevent malicious users from changing the primary zone's records (referred to as cache poisoning) and to prevent unauthorized use of the server for DNS service, you can restrict recursion using Server Admin. However, if you prevent your private network from using recursion, users can't use your DNS service to look up names outside of your zones.

Disable recursion only if no clients are using this DNS server for name resolution and no servers are using it for forwarding. If your site requires recursion, allow recursive queries only from trusted clients and not from external networks. If you enable recursion, consider disabling it for external IP addresses but enabling it for internal IP addresses. This requires manually editing the BIND configuration files.

To disable recursion:
1 Open Server Admin and connect to the server.
2 Select DNS in the Computers & Services list.
3 Click Settings.
4 Remove all entries except localhost from the "Accept recursive queries from the following networks" list using the Remove (-) button.
5 Click Save.

Make sure that forward and reverse zones are established and fully populated. Otherwise, any Open Directory server using the DNS service will not work correctly.

Preventing Some DNS Attacks

DNS servers are targeted by malicious computer users (hackers). DNS servers are susceptible to several kinds of attacks. By taking extra precautions, you can prevent the problems and downtime associated with hackers.

Several kinds of security attacks are associated with DNS service:
• DNS cache poisoning
• Server mining
• DNS service profiling
• Denial of service (DoS)
• Service piggybacking

DNS Cache Poisoning

DNS cache poisoning (a form of DNS spoofing) is the adding of false data to the DNS server's cache. This enables hackers to:
• Redirect real domain name queries to alternative IP addresses. For example, a falsified A record for a bank could point a computer user's browser to a different IP address that is controlled by the hacker. A duplicate website could fool users into giving their bank account numbers and passwords to the hacker. Also, a falsified mail record could enable a hacker to intercept mail sent to or from a domain. If the hacker then forwards that mail to the correct mail server after copying the mail, this can go undetected.
• Prevent proper domain name resolution and access to the Internet. This is the most benign of DNS cache poisoning attacks. It makes a DNS server appear to be malfunctioning.

The most effective method to prevent these attacks is vigilance. This includes maintaining up-to-date software. If exploits are found in the current version of BIND, the exploits are patched and a security update is made available for Snow Leopard Server. Apply all such security patches.

Server Mining

Server mining is the practice of getting a copy of a complete primary zone by requesting a zone transfer. In this case, a hacker pretends to be a secondary zone to another primary zone and requests a copy of the primary zone's records.

With a copy of your primary zone, the hacker can see what kinds of services a domain offers and the IP addresses of the servers that offer them. He or she can then try specific attacks based on those services. This is reconnaissance before another attack.

To prevent this attack, disable zone transfers. If required, specify which IP addresses have permission to request zone transfers (your secondary zone servers) and deny all others.

Zone transfers are accomplished over TCP on port 53. To limit zone transfers, block zone transfer requests from anyone but your secondary DNS servers.

To specify zone transfer IP addresses:
1 Create a firewall filter that permits only IP addresses that are inside your firewall to access TCP port 53.
2 Follow the instructions in "Creating Advanced Firewall Rules" on page 217 using the following settings:
• Packet: Allow
• Port: 53
• Protocol: TCP
• Source IP: the IP address of your secondary DNS server
• Destination IP: the IP address of your primary DNS server

DNS Service Profiling

Another common reconnaissance technique used by malicious users is to profile your DNS service. First a hacker makes a BIND version request. The server reports what version of BIND is running. Then the hacker compares the response to known exploits and vulnerabilities for that version of BIND.

To prevent this attack, configure BIND to respond with something other than what it is.

To alter BIND's version response:
1 Open a command-line text editor (for example vi, emacs, or pico).
2 Open named.conf for editing.
3 To the options brackets of the configuration file, add the following:
version "[your text, maybe we're not telling!]";
4 Save named.conf.

Denial of Service (DoS)

This kind of attack is common and easy. A hacker sends so many service requests and queries that a server uses all its processing power and network bandwidth trying to respond. The hacker prevents legitimate use of the service by overloading it.

It is difficult to prevent this type of attack before it begins. Constant monitoring of the DNS service and server load enables an administrator to catch the attack early and mitigate its damaging effect.

The easiest way to prevent this attack is to block the offending IP address with your firewall. Unfortunately, this means the attack is already underway and the hacker's queries are being answered and the activity logged.

Service Piggybacking

This attack is done not so much by malicious intruders but by common Internet users who learn the trick from other users. They might feel that the DNS response time with their own ISP is too slow, so they configure their computer to query another DNS server instead of their own ISP's DNS servers. Effectively, there are more users accessing the DNS server than were planned for.

You can prevent this type of attack by limiting or disabling DNS recursion. If you plan to offer DNS service to your LAN users, they need recursion to resolve domain names, but don't provide this service to Internet users. To prevent recursion entirely, see "Disabling Recursion" on page 204.

The most common balance is permitting recursion for requests coming from IP addresses in your own range but denying recursion to external addresses.

ARP Spoofing

This type of attack, also known as ARP poisoning, allows an attacker to take over a computer's IP address by manipulating the ARP caches of other hosts on the network. The attacker must be on the same network as the computer it is attacking or the host that the computer is communicating with.

The attacker can also use ARP spoofing for a man-in-the-middle attack, which forwards traffic from a computer to the attacker's computer. This allows the attacker to view packets and look for passwords and confidential data. ARP spoofing can also be used to create a DoS attack, stopping all network traffic.

By configuring your network with static IP addresses and monitoring your network traffic, you can keep unauthorized users from maliciously using your network.

Securing NAT Service

NAT is a protocol you use to give multiple computers access to the Internet using only one assigned public or external IP address. NAT permits you to create a private network that accesses the Internet through a NAT router or gateway. NAT is sometimes referred to as IP masquerading.

The NAT service further enhances security by limiting communication between your private network and a public network (such as the Internet):
• Communication from a computer on your private network is translated from a private IP address to a shared public IP address. Multiple private IP addresses are configured to use a single public IP address.
• Communication to your private network is translated and forwarded to an internal private IP address (IP forwarding). The external computer cannot determine the private IP address. This creates a barrier between your private network and the public network.
• Communication from a public network cannot come into your private network unless it is requested. It is only allowed in response to internal communication.

Note: If using NAT, consider combining NAT routing with other network services.

The NAT router takes all traffic from your private network and remembers internal addresses that have made requests. When the NAT router receives a response to a request, it forwards it to the originating computer. Traffic that originates from the Internet does not reach computers behind the NAT router unless port forwarding is enabled.

Important: Firewall service must be enabled for NAT to function.

If your server is not intended to be a NAT server, deactivate the NAT server software.

To disable NAT service:
1 Open Server Admin and connect to the server.
2 Select NAT in the Computers & Services list.
3 Click Stop NAT.
4 Click Save.

From the command line:

Configuring Port Forwarding

You can direct traffic coming into your NAT network to a specific IP address behind the NAT gateway. This is called port forwarding.

Port forwarding can be used to route external-facing uncommon open ports on the firewall to common internal ports, obfuscating what services are active through the NAT barrier. This practice is not reliable and should not be solely depended on to hide active services on the computer.
# ---------------------------------------------------------------------
# Securing NAT Service
# ---------------------------------------------------------------------
# Disable NAT service.
# -------------------
sudo serveradmin stop nat

Port forwarding lets you set up computers on the internal network that handle incoming connections without exposing other computers to outside connections. For example, you could set up a web server behind the NAT service and forward incoming TCP connection requests on port 80 to the designated web server. You can't forward the same port to multiple computers, but you can forward many ports to one computer.

Enabling port forwarding requires the use of the Terminal application and administrator access to root privileges through sudo. You must also create a plist file. The contents of the plist file are used to generate /etc/nat/natd.conf.apple, which is passed to the NAT daemon when it is started. Do not try to edit /etc/nat/natd.conf.apple directly.

If you use a plist editor instead of a command-line text editor, alter the following procedure to suit.

To configure port forwarding:
1 If the file /etc/nat/natd.plist doesn't exist, make a copy of the default NAT daemon plist.
sudo cp /etc/nat/natd.plist.default /etc/nat/natd.plist
2 Using a Terminal editor, add the following block of XML text to /etc/nat/natd.plist before the two lines at the end of the file (</dict> and </plist>), substituting your settings where indicated by the placeholders LAN_ip, LAN_ip_range, WAN_ip, and WAN_port_range:
<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key>
        <string>tcp or udp</string>
        <key>targetIP</key>
        <string>LAN_ip</string>
        <key>targetPortRange</key>
        <string>LAN_ip_range</string>
        <key>aliasIP</key>
        <string>WAN_ip</string>
        <key>aliasPortRange</key>
        <string>WAN_port_range</string>
    </dict>
</array>
3 Save your file changes.
4 Enter the following commands in the Terminal:
sudo serveradmin stop nat
sudo serveradmin start nat
5 Verify that your changes remain by inspecting the /etc/nat/natd.conf.apple file.
The changes made, except for comments and those settings that Server Admin can change, are used by server configuration tools (Server Admin, Gateway Setup Assistant, and sudo serveradmin).
6 Click Save.
7 Start NAT service.

Disabling NAT Port Mapping Protocol

NAT Port Mapping Protocol (NAT-PMP) allows a computer behind the NAT router to automatically configure the router to allow computers outside the private network to contact it. NAT-PMP automates the process of port forwarding, giving the internal network computers control of the forwarding. If you do not want your internal clients to change port-forwarding rules, disable NAT-PMP.

To configure NAT service:
1 Open Server Admin and connect to the server.
2 Select NAT in the Computers & Services list.
3 Click Settings.
4 Deselect "Enable NAT Port Mapping Protocol."
5 Click Save.

Securing Bonjour (mDNS)

Bonjour is a protocol for discovering file, print, chat, music sharing, and other services on IP networks. Bonjour listens for service inquiries from other computers and provides information about available services. Users and applications on your local network can use Bonjour to quickly determine which services are available on your computer, and you can use it to determine which services are available on theirs.

This easy exchange of information makes service discovery very convenient, but it also incurs a security risk. Bonjour broadcasts the services that are present and the services you have available. These risks must be weighed against the utility of running a network service such as Bonjour.

Aside from the information freely exchanged by Bonjour, network services inherently incur a security risk due to the potential for implementation errors to allow remote attackers to access your system. However, Bonjour mitigates these risks by implementing sandboxing.

To reduce the security risk of running Bonjour, connect only to secure, trusted local networks. Also verify that Network preferences enables only required networking connections. This reduces the chance of connecting to an insecure network.

Before using Bonjour to connect to a service, verify that the service is legitimate and not spoofed. If you connect to a spoofed service, you might download malicious files. If you cannot trust all services on your local network, then Bonjour should not be used.

WARNING: Carefully follow these steps to disable Bonjour. A malformed or problematic mDNSResponder.plist file can prevent your Mac from starting up. Use Time Machine to perform a full backup of your computer before proceeding.

To disable Bonjour advertising, enter the following commands:
1 Make a backup copy of the mDNSResponder.plist file.
2 Open Terminal and open the mDNSResponder.plist file using your preferred text editor. For example:
sudo vi /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
3 In the ProgramArguments key of the plist file, add the following string to the <array>...</array> section:
-NoMulticastAdvertisements
For example:
<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-NoMulticastAdvertisements</string>
</array>
4 Save the changes to the mDNSResponder.plist file.
Important: If you edited the file using emacs, remove the emacs backup file (the file with a tilde at the end of the name, /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist~) or your Mac will not start up.

You must also block Bonjour from listening for and accepting Bonjour traffic by creating a firewall rule using ipfw. This prevents your computer from receiving potentially malicious Bonjour traffic from the network. If you haven't set up IPFW to run when the computer starts up, see Chapter 13, "Configuring the Firewall."

Add the following rule to /etc/ipfw.conf in the same way that you edited /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist in the section above.

To block Bonjour listening:

# Block Bonjour listening.
# -------------------------
# Default Setting.
# Bonjour is enabled
# Firewall is disabled
# Suggested Setting.
# Add the following line to /etc/ipfw.conf.
add 00001 deny udp from any to me dst-port 5353
# Reload the firewall rules.
sudo /sbin/ipfw flush
sudo /sbin/ipfw /etc/ipfw.conf

If Bonjour is disabled, you must manually configure network printers. Disabling Bonjour can also disable functionality in other applications that rely on Bonjour or possibly make them unusable. If disabling Bonjour interferes with other applications that are needed by the user, remove the -NoMulticastAdvertisements from the mDNSResponder.plist file. Then unblock UDP port 5353 on your firewall.
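The DNS sections earlier in this chapter ("Turning Off Zone Transfers," "Disabling Recursion," "Server Mining," and "DNS Service Profiling") say that limiting zone transfers to trusted secondaries, allowing recursion only for internal addresses, and changing the version string require manually editing the BIND configuration files. The shell function below is an added example, not code from this guide or from Apple, that writes such a named.conf acl/options fragment from a list of secondary servers and internal networks and refuses wildcards that would reopen the service to the whole Internet; the acl names and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): generate the BIND 9 options block the
# DNS sections describe editing by hand. The acl names "secondaries" and
# "internal" and the addresses in the sample call at the bottom are
# constructed for this example.

# is_addr ADDR: accept a dotted-quad IPv4 address with an optional /0-32 prefix.
is_addr() {
    case $1 in
        ''|*[!0-9./]*|.*|*.|*/|/*) return 1 ;;
    esac
    echo "$1" | awk -F'[./]' '
        NF < 4 || NF > 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1
          if (NF == 5 && ($5 == "" || $5 > 32)) exit 1 }'
}

# bind_hardened_options "SECONDARY ..." "INTERNAL_NET ..."
#   First argument: addresses allowed to request zone transfers (AXFR, TCP 53).
#   Second argument: networks allowed to send recursive queries.
# Prints an acl/options fragment for /etc/named.conf on success; returns 1
# (saying why on stderr) if an address is malformed or would open the server
# to anyone.
bind_hardened_options() {
    secondaries=$1
    internal=$2
    [ -n "$secondaries" ] || { echo "no secondary servers given" >&2; return 1; }
    for a in $secondaries $internal; do
        # "any" or 0.0.0.0/0 in either list would reopen transfers or recursion
        # to the whole Internet: exactly the server mining, service
        # piggybacking, and cache poisoning exposure the sections above describe.
        case $a in
            any|0.0.0.0/0) echo "refusing wildcard address: $a" >&2; return 1 ;;
        esac
        is_addr "$a" || { echo "malformed address: $a" >&2; return 1; }
    done

    printf 'acl "secondaries" {'
    for a in $secondaries; do printf ' %s;' "$a"; done
    printf ' };\n'
    # localhost may always recurse so services on the server itself keep working.
    printf 'acl "internal" { 127.0.0.1;'
    for a in $internal; do printf ' %s;' "$a"; done
    printf ' };\n'
    cat <<'EOF'
options {
    directory "/var/named";
    // DNS service profiling: answer version queries with something other
    // than the real BIND version.
    version "not disclosed";
    // Server mining: only the listed secondaries may pull a copy of a zone.
    allow-transfer { secondaries; };
    // Service piggybacking and cache poisoning: recurse only for internal
    // clients; everyone else gets authoritative answers for our zones only.
    allow-recursion { internal; };
    allow-query { any; };
};
// Leave the existing controls statement (inet 127.0.0.1 port 54 ...)
// untouched, or Server Admin cannot retrieve DNS status.
EOF
}

# Sample call with constructed addresses: one secondary DNS server and the
# two private ranges that Server Admin's default address groups cover.
bind_hardened_options "192.168.2.53" "10.0.0.0/8 192.168.0.0/16"
```

Merge the printed acl and options statements into /etc/named.conf in place of the existing options block; the zone statements and the controls statement stay as they are.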
Chapter 13 Configuring the Firewall

Use this chapter to learn how to configure the IPFW2 firewall.

Using a firewall to filter network traffic from a host or a network of hosts prevents attackers from gaining access to your computer.

About Firewall Protection

Firewall service is software that protects network applications running on your Snow Leopard Server computer. Turning on firewall service is similar to installing a filter to limit access to your network. Firewall service scans incoming IP packets and rejects or accepts these packets based on rules you use to configure firewall service.

You can monitor activity involving your firewall by enabling firewall logging. Firewall logging creates a log file that tracks activity such as the sources and connection attempts blocked by the firewall. You can view this log in the Console utility.

You can restrict access to any IP service running on the server, and you can customize rules for incoming clients or for a range of client IP addresses.

Important: Firewall service can disrupt network communications and its configuration can be complicated to implement. Do not implement recommendations without understanding their purpose or impact.

Services such as Web and FTP services are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, firewall service scans the rule list for a matching port number.

When running, the default firewall configuration on Snow Leopard Server denies access to incoming packets from remote computers except through ports for remote configuration. This provides a high level of security. Stateful rules are in place as well, so responses to outgoing queries initiated by your computer are also permitted. You can then add rules to permit server access to those clients who require access to services.

Important: You should not perform any firewall configuration remotely because of the risk of disabling communications to the remote host.

Planning Firewall Setup

Plan your firewall service by deciding which services you want to provide access to. Mail, Web, and FTP services generally require access by computers on the Internet. File and Print services are most likely restricted to your local subnet.

After you decide which services to protect using firewall service, determine which IP addresses you want to access your server. Then create the appropriate rules.

After the firewall service is configured, network users might request that the rules be changed to allow additional services. These changes should be resisted and an approval process should be put in place to monitor these changes.

Configuring the Firewall Using Server Admin

Advanced configuration servers use ipfw2 for firewall service. The application-level firewall is available only to standard and workgroup configuration installations.

Starting Firewall Service

By default, firewall service blocks incoming TCP connections and denies UDP packets, except those received in response to outgoing requests from the server. Before you turn on firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.

If you add or change a rule after starting firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting firewall service, computers connected to your FTP server are disconnected.

To start firewall service:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click the Start Firewall button below the Servers list.
From the command line:

# ---------------------------------------------------------------------
# Securing Firewall Service
# ---------------------------------------------------------------------
# Start firewall service.
# ----------------------
sudo serveradmin start ipfilter

Creating an IP Address Group

By grouping IP addresses you can simultaneously set firewall rules for large numbers of network devices and allow for much better organization. This enhances the security of your network. These groups are used to organize and target the rules.

The "any" address group is for all addresses. Two other IP address groups are present by default, intended for the entire 10.0.0.0 range of private addresses and the entire 192.168.0.0 range of private addresses.

Addresses can be listed as individual addresses (192.168.2.2), IP address and CIDR notation (192.168.2.0/24), or IP address and netmask notation (192.168.2.0:255.255.255.0).

By default, an IP address group is created for all incoming IP addresses. Rules applied to this group affect all incoming network traffic.

To create an address group:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Address Groups.
4 Below the IP Address Groups list, click the Add (+) button.
5 In the Group name field, enter a group name.
6 Enter the addresses and subnet mask you want the rules to affect. Use the Add (+) and Delete (-) buttons. To indicate any IP address, use the word "any."
7 Click OK.
8 Click Save.

Creating Firewall Service Rules

By default, firewall service permits all UDP connections and blocks incoming TCP connections on ports that are not essential for remote administration of the server. Also, by default, stateful rules are in place that permit specific responses to outgoing requests.

Before you turn on firewall service, make sure you've set up rules permitting access from IP addresses you choose; otherwise, no one can access your server.

You can easily permit standard services through the firewall without advanced and extensive configuration. Standard services include:
• SSH access
• Web service
• Apple File service
• Windows File service
• FTP service
• Printer Sharing
• DNS/Multicast DNS
• ICMP Echo Reply (incoming pings)
• IGMP
• PPTP VPN
• L2TP VPN
• QTSS media streaming
• iTunes Music Sharing

If you add or change a rule after starting firewall service, the new rule affects connections already established with the server. For example, if you deny all access to your FTP server after starting firewall service, computers connected to your FTP server are disconnected.

To configure firewall standard services:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Services.
4 From the "Edit Services for" pop-up menu, select an address group.
5 For the address group, choose to permit all traffic from any port or to permit traffic on designated ports.
6 For each service you want the address group to use, select Allow.
If you don't see the service you need, add a port and description to the services list. To create a custom rule, see "Creating Advanced Firewall Rules" on page 217.
7 Click Save.

Creating Advanced Firewall Rules

You use the Advanced Settings pane in Server Admin to configure specific rules for firewall service. Firewall rules contain originating and destination IP addresses with subnet masks. They also specify what to do with incoming network traffic.

You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses. Addresses can be listed as individual addresses (192.168.2.2), IP address and subnet mask in CIDR notation (192.168.2.0/24), or IP address and subnet mask in netmask notation (192.168.2.0:255.255.255.0).

To set up an advanced firewall rule:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Advanced.
4 Click the Add (+) button.
Alternatively, you can select a rule similar to the one you want to create, click Duplicate, and then click Edit.
5 In the Action pop-up menu, select whether this rule permits or denies access.
If you choose Other, enter the needed action (for example, log).
6 From the Protocol pop-up menu, choose a protocol.
If you choose Other, enter the needed protocol (for example, icmp, esp, ipencap).
7 From the Service pop-up menu, choose a service.
To select a nonstandard service port, choose Other.
8 If needed, choose to log all packets that match the rule.
9 For the source of filtered traffic, choose an address group from the Address pop-up menu.
If you don't want to use an existing address group, enter the source IP address range (using CIDR notation) you want to filter. If you want it to apply to any address, choose "any" from the pop-up menu.
10 If you selected a nonstandard service port, enter the source port number.
11 For the destination of filtered traffic, choose an address group from the Source pop-up menu.
If you don't want to use an existing address group, enter the destination IP address range (using CIDR notation). If you want it to apply to any address, choose "any" from the pop-up menu.
12 If you selected a nonstandard service port, enter the destination port number.
13 From the Interface pop-up menu that this rule will apply to, choose In or Out.
"In" refers to the packets being sent to the server. "Out" refers to the packets being sent from the server.
14 If you select Other, enter the interface name (en0, en1, fw1, and so on).
15 Click OK.
16 Click Save to apply the rule immediately.

Enabling Stealth Mode

You can hide your firewall by choosing not to send a connection failure notification to any connection that is blocked by the firewall. This is called stealth mode and it effectively hides your server's closed ports.

For example, if a network intruder tries to connect to your server, even if the port is blocked, he or she knows that there is a server and can find other ways to intrude. If stealth mode is enabled, instead of being rejected, the hacker won't receive notification that an attempted connection took place.

To enable stealth mode:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Settings, then click Advanced.
4 Select "Enable for TCP," "Enable for UDP," or both, as needed.
5 Click Save.

From the command line:

# Enable stealth mode.
# -------------------
sudo serveradmin settings ipfilter:blackHoleTCP = true
sudo serveradmin settings ipfilter:blackHoleUDP = true
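As an added example (not from this guide or from Apple), the following is a hand-written /etc/ipfw.conf that expresses the elements the Server Admin panes above manage (the two default private address groups, permitted standard services, an advanced rule that logs, and the stealth-mode ICMP rule), together with a checker for the ordering mistakes that leave an IPFW ruleset open: rules are matched in ascending number order, user rules must stay below the kernel's own rule 65535 (which allows everything that reaches it), and keep-state rules want a check-state rule ahead of them. The secondary DNS address 192.168.2.53 is a constructed value.

```shell
#!/bin/sh
# Added example (not from the guide): a hand-written /etc/ipfw.conf built from
# the same elements Server Admin's Firewall panes manage, plus a checker for
# the ordering mistakes that leave an IPFW ruleset open. 192.168.2.53 is a
# constructed address standing in for a secondary DNS server.

# sample_ruleset: print a ruleset for a server that offers SSH to the two
# default private address groups, web to anyone, DNS (zone transfers only
# from the secondary), runs in stealth mode, and logs and drops the rest.
sample_ruleset() {
cat <<'EOF'
# Loopback traffic is never filtered.
add 1000 allow ip from any to any via lo0
# Stateful rules: replies to connections the server started are let back in.
add 1010 check-state
add 1020 allow tcp from me to any out setup keep-state
add 1030 allow udp from me to any out keep-state
# Standard services, per address group (10.0.0.0/8 and 192.168.0.0/16 are
# the two private groups Server Admin creates by default).
add 2000 allow tcp from 10.0.0.0/8 to me 22 in setup keep-state
add 2010 allow tcp from 192.168.0.0/16 to me 22 in setup keep-state
add 2020 allow tcp from any to me 80 in setup keep-state
# Zone transfers (TCP 53) only from the secondary DNS server; queries from anyone.
add 2030 allow tcp from 192.168.2.53 to me 53 in setup keep-state
add 2040 allow udp from any to me 53 in keep-state
# Stealth mode: drop echo requests (ICMP type 8) instead of replying.
add 33300 deny icmp from any to me in icmptypes 8
# Log and drop everything else before the kernel's default rule 65535,
# which allows all traffic.
add 65000 deny log ip from any to any in
EOF
}

# check_ruleset [FILE]: read an ipfw.conf (default: stdin) and fail, with a
# message on stderr, if it
#   - has a rule numbered outside 1-65534 (65535 is the kernel default rule),
#   - lists rules out of ascending order (rules are matched by number, so a
#     lower-numbered rule listed later is consulted earlier than it looks),
#   - uses keep-state before any check-state rule (without an explicit
#     check-state, dynamic rules are only consulted when a keep-state rule is
#     reached, so an earlier deny can block the replies), or
#   - does not end in a catch-all deny, which lets unmatched packets fall
#     through to the default "allow ip from any to any".
check_ruleset() {
    awk '
    function bad(msg) { print msg | "cat 1>&2"; errors++ }
    BEGIN { last = 0 }
    NF == 0 || $1 ~ /^#/ { next }
    $1 != "add" { bad("line " NR ": expected an add rule"); next }
    {
        if ($2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65534)
            bad("line " NR ": rule number " $2 " outside 1-65534")
        if ($2 + 0 <= last)
            bad("line " NR ": rule " $2 " is not after rule " last)
        last = $2 + 0
        if ($3 == "check-state") seen_check = 1
        if ($0 ~ /keep-state/ && !seen_check)
            bad("line " NR ": keep-state before any check-state rule")
        final = $0
    }
    END {
        if (final !~ /^add [0-9]+ deny (log )?ip from any to any/)
            bad("last rule is not a catch-all deny; packets fall through to rule 65535")
        exit errors ? 1 : 0
    }' "${1:--}"
}

# Standalone use: validate the sample, then show the rules as ipfw would load them.
sample_ruleset | check_ruleset && sample_ruleset | grep -v '^#'
```

Load a checked file the way the Bonjour section does (ipfw flush, then ipfw /etc/ipfw.conf) from the console, not over the network, since a mistake cuts off the remote session.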
Viewing the Firewall Service Log

Each rule you set up in Server Admin corresponds to rules in the underlying firewall software. Log entries show you when the rule was applied, the IP address of the client and server, and other information.

The log view shows the contents of /var/log/ipfw.log. You can refine the view using the text filter box.

To view the firewall service log:
1 Open Server Admin and connect to the server.
2 Select Firewall in the Computers & Services list.
3 Click Log.
To search for specific entries, use the Filter field above the log.

From the command line:

# View the firewall service log.
# -----------------------------
sudo tail /var/log/ipfw.log

The filters you create in Server Admin correspond to rules in the underlying filtering software. Log entries show you the rule applied, the IP address of the client and server, and other information. For more information about rules and what they mean, see "Creating Advanced Firewall Rules" on page 217.

Here are some examples of firewall log entries and how to read them.

Log Example 1
Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP 10.221.41.33:2190 192.168.12.12:80 in via en0
This entry shows that firewall service used rule 65000 to deny (unreach) the remote client at 10.221.41.33:2190 from accessing server 192.168.12.12 on web port 80 through Ethernet port 0.

Log Example 2
Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 10.221.41.33:721 192.168.12.12:515 in via en0
This entry shows that firewall service used rule 100 to permit the remote client at 10.221.41.33:721 to access the server 192.168.12.12 on the LPR printing port 515 through Ethernet port 0.

Log Example 3
Dec 12 13:33:15 smithy2 mach_kernel: ipfw: 10 Accept TCP 192.168.12.12:49152 192.168.12.12:660 out via lo0
This entry shows the NAT divert rule applied to an outbound packet. In this case it diverts the packet to service port 660, which is the port the NAT daemon uses.

Configuring the Firewall Manually

The IPFW2 firewall (also referred to here as IPFW) allows for the creation of complex and powerful packet filtering rule sets. This firewall can be difficult to configure, and can also disrupt network communications if improperly configured. It requires manually written rules, and the system must be configured to read those rules at startup.

Configuring IPFW rule sets requires a higher level of expertise than many system administration tasks. If an administrator is not mindful of the IPFW rule set on the system, confusion can arise when some network connectivity is not available that should be.

Understanding IPFW Rulesets

An IPFW configuration or rule set is a list of rules that are designed to match packets and take appropriate action. IPFW rules are numbered from 1 to 65535. The packet passed to the firewall is compared against each of the rules (in numerical order). When the packet matches a rule, the corresponding action is taken. A more complete description of the capabilities and configuration of IPFW can be found in the ipfw man page.

The IPFW rule set can be stored as a list of IPFW rules inside a text file. Traditionally, the file /etc/ipfw.conf is used to store these rules.

To view enforced IPFW rules, run the command:
sudo ipfw print

The default output should appear something like this:
65535 allow ip from any to any

This line shows that the default configuration allows all traffic through the IPFW firewall, performing no filtering. Like all IPFW rules, it consists of a rule number (65535); an action (allow); and a body (ip from any to any). In this case, the body (ip from any to any) matches all IP packets. This also happens to be a special rule, called the default rule. It is the highest-numbered rule possible and is compiled directly into the kernel.

Because no rules have actually been added to the system, all packets are passed to this default rule, which allows them all through. However, if the Stealth Mode feature is enabled on the system, then the following line appears first in the list:
33300 deny icmp from any to me in icmptypes 8

This rule shows the implementation of Stealth Mode, dropping incoming ping echo requests, which is ICMP type 8. Because it is a lower rule number (and thus appears earlier when listed), it is consulted before the default rule.

Chapter 14 Securing Collaboration Services

Use this chapter to learn how to secure collaboration services.

Collaboration services help users share information for increased productivity. Securing the access and transfer of shared information protects your data.

Collaboration services promote interactions among users, facilitating teamwork and productivity. This chapter describes how to secure iCal, iChat, Wiki, and Podcast Producer collaboration services. For information about configuring collaboration services, see iCal Server Administration, iChat Service Administration, Web Technologies Administration, and Podcast Producer Administration.

Securing iCal Service

Security for iCal service consists of two main areas:
• Securing the authentication: This means using a method of authenticating users that is secure and doesn't pass login credentials in cleartext over the network. The high-security authentication used pervasively in Snow Leopard Server is Kerberos v5. To learn how to configure secure authentication, see "Choosing and Enabling Secure Authentication for iCal Service" on page 223.
• Securing the data transport: This means encrypting the network traffic between the calendar client and the calendar server. When the transport is encrypted, no one can analyze the network traffic and reconstruct the contents of the calendar. iCal service uses SSL to encrypt the data transport. To learn how to configure and enable SSL for iCal service, see "Configuring and Enabling Secure Network Traffic for iCal Service" on page 224.

Disabling iCal Service

If your server is not intended to be an iCal server, disable the iCal server software. Disabling the service prevents potential vulnerabilities on your computer.

To disable iCal service:
1 Open Server Admin and connect to the server.
2 Select iCal in the Computers & Services list.
3 Click Stop iCal.

From the command line:

# ---------------------------------------------------------------------
# Securing Collaboration Services
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# Securing iCal service
# ---------------------------------------------------------------------
# Disable iCal service.
# -------------------------------
sudo serveradmin stop calendar

Securely Configuring iCal Service

To securely configure iCal service, you must secure authentication and data transport.

Choosing and Enabling Secure Authentication for iCal Service

Users authenticate to iCal service through one of the following methods:
• Kerberos v5: This method uses strong encryption and is used in Snow Leopard for single sign-on to services offered by Snow Leopard Server.
• Digest (RFC 2617): This method sends secure login names and encrypted passwords without the use of a trusted third party (like the Kerberos realm), and is usable without maintaining a Kerberos infrastructure.
• Any: This method includes Kerberos v5 and Digest authentication. The client can choose the most relevant method for what it can support.

You can set the required authentication method using Server Admin. To enable the highest security, choose a method other than Any.

To choose an authentication method:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 Select the method from the Authentication pop-up menu.
4 Click Save, then restart the service.

From the command line:

# Choose an authentication method for iCal service.
# ------------------------------------------------
# To enable all auth methods:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# To choose Digest auth only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "no"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# For Kerberos only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "no"
sudo serveradmin stop calendar; sudo serveradmin start calendar

Configuring and Enabling Secure Network Traffic for iCal Service

When you enable Secure Sockets Layer (SSL), you encrypt all data sent between the iCal server and the client. To enable SSL, you must select a certificate. If you use the default self-signed certificate, the clients must choose to trust the certificate before they can make a secure connection.

To enable secure network traffic using SSL transport:
1 In Server Admin, select a server and choose the iCal service.
2 Click the Settings button in the toolbar.
3 Click "Enable Secure Sockets Layer (SSL)."
4 Choose a TCP port for SSL to communicate on. The default port is 8443.
5 Choose the certificate to be used for encryption.
6 Click Save, then restart the service.

From the command line:

# Enable secure network traffic using SSL transport.
# --------------------------------------------------
sudo serveradmin settings calendar:SSLPort = 8443

Viewing iCal Service Logs

iCal service logging is important for security. With logs, you can monitor and track communication through the iCal service. You can access the iCal service log, /var/log/system.log, using Server Admin.

To view the iCal service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 Click iCal.
4 Click Logs and then choose a log from the View pop-up menu.

From the command line:

# View the iCal service log
# --------------------------
sudo tail /var/log/caldavd/access.log

Securing iChat Service

The iChat service provides a secure way for users to chat. To use iChat service on a server, users must be defined in directories the server uses to authenticate users. For more information about configuring search paths to directories, see Open Directory Administration.

Disabling iChat Service

If your server is not intended to be an iChat server, disable the iChat server software. Disabling the software prevents potential vulnerabilities on your computer.

To disable iChat service:
1 Open Server Admin and connect to the server.
2 Select iChat in the Computers & Services list.
3 Click Stop iChat.

From the command line:

# Disable iChat service.
# --------------------------
sudo serveradmin stop jabber
Securely Configuring iChat Service

If your organization requires the use of iChat service, configure it to use SSL. SSL communication certifies the identity of the server and establishes secure, encrypted data exchange.

You identify an SSL certificate for iChat service to use the first time you set up iChat service, but you can use a different certificate later. You can use a self-signed certificate or a certificate imported from a CA. For more information about defining, obtaining, and installing certificates on your server, see "Readying Certificates" on page 168.

Sending messages to multiple recipients over an internal iChat server does not require a MobileMe identity. The internal iChat server (jabberd) requires a server-side SSL certificate that is used by each client to establish an SSL session (similar to a web access session). A MobileMe certificate is required to establish encrypted sessions between two iChat clients communicating using text, audio, and video.

To securely configure iChat service:
1 Open Server Admin and connect to the server.
2 Select iChat in the Computers & Services list.
3 Click Settings, then click General.
4 Click the Add (+) button to add host domains.
The Host Domains list designates the domain names you want iChat to support. Initially, the server host name is shown. You can add or remove other names that resolve to the iChat service IP address, such as aliases defined in DNS. When starting iChat, you must specify a DNS for the service. Host domains are used to construct Jabber IDs, which identify iChat users. An example of a Jabber ID is nancy@example1.apple.com.
5 From the SSL Certificate pop-up menu, choose an SSL certificate.
The menu lists all SSL certificates that have been installed on the server. To create or add certificates, choose Manage Certificates from the SSL Certificate pop-up menu.
6 Choose the method of authentication from the Authentication pop-up menu:
Choose Standard if you want iChat to only accept password authentication.
Choose Kerberos if you want iChat to only accept Kerberos authentication.
Choose Any Method if you want iChat to accept password and Kerberos authentication.
7 To permit iChat to communicate with other XMPP-compliant chat servers, select Enable XMPP server-to-server federation.
8 If you are using a certificate with iChat, select Require secure server-to-server federation.
This option requires an SSL certificate to be installed, which is used to secure the server-to-server federation.
9 To restrict server-to-server communication to servers that are listed, select Allow federation with the following domains. You can add or remove domains using the Add (+) or Delete (–) buttons below the list.
10 Click Save, and then click Start Service.
11 Make sure the iChat server's Open Directory search path includes directories where users and group members that you want to communicate using iChat service are defined. The Open Directory Administration Guide explains how to set up search paths.
Any user or group member defined in the Open Directory search path is now authorized to use iChat service on the server, unless you deny them access to iChat service.

From the command line:

# Securely configure iChat service.
# To select an iChat server certificate:
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"
# (Or replace the path with the full path to the certificate that you want
# to select.)
# Restart the service if it is running:
sudo serveradmin stop jabber; sudo serveradmin start jabber
# To select an iChat server auth method use one of the following:
sudo serveradmin settings jabber:authLevel = "ANYMETHOD"
sudo serveradmin settings jabber:authLevel = "KERBEROS"
sudo serveradmin settings jabber:authLevel = "STANDARD"
# Then restart the service:
sudo serveradmin stop jabber
sudo serveradmin start jabber

Using Certificates to Secure S2S Communication

Using Server Admin, you can secure S2S communication with certificates. By default, iChat selects a port using a preinstalled, self-signed SSL certificate. You can select your own certificate. The selected certificate is used for client-to-server communications on ports 5222 and 5223 and for server-to-server communications.

Jabber provides the following ports:
• 5222 accepts TLS encryption
• 5223 accepts SSL encryption

SSL encrypts your chat messages over the network between client-to-server and server-to-server connections. However, if your iChat server is logging chat messages, your messages are stored in an unencrypted format that can be easily viewed by your server administrator.

To select a certificate:
1 Open Server Admin and connect to the server.
2 Select iChat in the Computers & Services list.
3 Click Settings, then click General.
4 From the SSL Certificate pop-up menu, choose an SSL certificate.
The menu lists all SSL certificates that are installed on the server. To create or add certificates, choose Manage Certificates from the SSL Certificate pop-up menu.
5 Click Save.

From the command line:

# Select a certificate.
# --------------------
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"

Additional Security Enhancements

For additional security enhancements, you can further restrict the iChat service by using SACLs and firewall rules. These are configured based on your organization's network environment.

You can configure SACLs to restrict iChat access to specific users or groups. For more information about configuring SACLs, see "Setting Service Access Control Lists (SACLs)" on page 183.

You can configure firewall rules that prevent iChat connections from unintended sources. For more information, see "Creating Firewall Service Rules" on page 216.

Viewing iChat Service Logs

iChat service logging is important for security. With logs, you can monitor and track communication through the iChat service. Access the iChat service log, /var/log/system.log, using Server Admin.

To view the iChat service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 Click iChat.
4 Click Logs and then choose a log from the View pop-up menu.

From the command line:

# View the iChat service log.
# --------------------------
sudo tail /var/log/server.log | grep jabberd

Securing Wiki Service

The level of website security determines the level of wiki security. Wiki security is established when the website that the wiki is configured on is secure.

Disabling Wiki Service

If your server does not provide wiki service, disable the wiki portion of the web service software. Disabling wiki service does not prevent potential vulnerabilities with other websites hosted on the server.

To disable wiki service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites.
4 Select the website that hosts the wiki.
5 Click Web Services.
6 Deselect Wikis.

From the command line:

# ---------------------------------------------------------------------
# Securing Wiki Service
# ---------------------------------------------------------------------
# Disable Wiki service.
# -------------------
sudo serveradmin stop teams

Securely Configuring Wiki Services

Methods you can use to help secure data moving to and from your wiki include the following:
• Set up SSL for the website your wiki is running on. SSL provides security for a site and its users by authenticating the server, encrypting information, and maintaining message integrity. For more information, see "Enabling Secure Sockets Layer (SSL)" on page 276.
• Restrict users and groups that can create wiki pages on your website by adding users and groups to the web services list. For more information, see "Securing Web Service" on page 271.

Viewing Wiki Service Logs

Wiki service logging is important for security. With logs, you can monitor and track communication through the wiki service. Access the wiki service logs, /Library/Logs/wikid/error.log and /Library/Logs/wikid/access.log, using Server Admin.

To view the wiki service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 Click Wiki.
4 Click Logs and then choose a log from the View pop-up menu.

From the command line:

# View the wiki service log.
# --------------------------
sudo tail /Library/Logs/wikid/access.log

Securing Podcast Producer Service

To secure Podcast Producer service, disable it if you don't use it. If you use the service, use Server Admin to control access to workflows and cameras.

Disabling Podcast Producer Service

If your server is not a Podcast Producer server, disable the Podcast Producer server software. Disabling the software prevents potential vulnerabilities on your computer.

To disable Podcast Producer service:
1 Open Server Admin and connect to the server.
2 Select Podcast Producer in the Computers & Services list.
3 Click Stop Podcast Producer.

From the command line:

# ---------------------------------------------------------------------
# Securing Podcast Producer Service
# ---------------------------------------------------------------------
# Disable Podcast Producer service.
# --------------------------------
sudo serveradmin stop pcast

Securely Configuring Podcast Producer Service

To protect the Podcast Producer service from being exploited, control access to workflows and cameras using Server Admin.

To control access to a workflow:
1 Open Server Admin.
2 Select Podcast Producer in the Computers & Services list.
3 Click Workflows.
4 Select a workflow in the Workflow list.
5 To restrict access to the workflow, click "Allow access to workflow name for the following users and groups."
6 Click the (+) button to add users and groups to the list of users and groups that can access the selected workflow.
In the Users and Groups window, click Users and drag users to the list.
In the Users and Groups window, click Groups and drag groups to the list.
To delete users and groups from the list, select them and click (–).
7 Click Save.

To control access to a camera:
1 Open Server Admin.
2 In the Computers and Services list, select Podcast Producer.
3 Click Cameras.
4 Select a camera in the Cameras list.
5 To restrict access to the camera, click "Allow access to camera name for the following users and groups."
6 Click the (+) button to add users and groups to the list of users and groups that can access the selected camera.
In the Users and Groups window, click Users and drag users to the list.
In the Users and Groups window, click Groups and drag groups to the list.
To delete users or groups from the list, select them and click (–).
7 Click Save.

Viewing Podcast Producer Service Logs

Podcast Producer service logging is important for security. With logs, you can monitor and track communication through the Podcast Producer service. Access the Podcast Producer service log, /Library/Logs/pcastserverd/application.log, using Server Admin.

To view the Podcast Producer service log:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 Click Podcast Producer.
4 Click Logs and then choose a log from the View pop-up menu.

From the command line:

# View the Podcast Producer service log.
# -------------------------------------
sudo tail /Library/Logs/pcastserverd/pcastserverd_out.log
15 Securing Mail Service

Use this chapter to learn how to secure mail service.

Mail service is crucial in today's dispersed work environments. Protect your mail by using encryption, adaptive junk mail filtering, and virus detection.

Mail service in Snow Leopard Server allows network users to send and receive mail over your network or across the Internet. Mail service sends and receives mail using the following standard Internet mail protocols: Internet Message Access Protocol (IMAP), Post Office Protocol (POP), and Simple Mail Transfer Protocol (SMTP). Mail service also uses a Domain Name System (DNS) service to determine the destination IP address of outgoing mail.

Snow Leopard Server uses Cyrus to provide POP and IMAP service. More information about Cyrus can be found at asg.web.cmu.edu/cyrus.

Snow Leopard Server uses Postfix as its mail transfer agent (MTA). Postfix fully supports SMTP. Your mail users will set their mail application's outgoing mail server to your Snow Leopard Server running Postfix, and access incoming mail from a Snow Leopard Server running incoming mail service. More information about Postfix can be found at www.postfix.org.

For more information about configuring mail service, see Mail Service Administration.

Disabling Mail Service

If your server is not a mail server, disable the mail service software. Disabling the service prevents potential vulnerabilities on your server. To disable mail service, turn off support for the IMAP, SMTP, and POP protocols that are not required. Mail service is enabled by default (except in Advanced mode), so verification is recommended.

To disable mail service protocols:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the General tab.
4 Make sure at least one protocol (SMTP, POP, or IMAP) is enabled.
5 Click Stop Service in the menu bar. When the service is turned on, the Stop Service button is available.

From the command line:

# ---------------------------------------------------------------------
# Securing Mail Service
# ---------------------------------------------------------------------
# Disable mail service protocols
# -------------------------------
sudo serveradmin settings mail:imap:enable_pop = no
sudo serveradmin settings mail:imap:enable_imap = no
sudo serveradmin settings mail:postfix:enable_smtp = no

Configuring Mail Service for SSL

If mail service protocols are required, protect their communications using Secure Sockets Layer (SSL). SSL connections ensure that the data sent between your mail server and your users' mail clients is encrypted. This allows secure and confidential transport of mail messages across a local network.

SSL transport doesn't provide secure authentication. It provides secure transfer from your mail server to your clients. For secure authentication information, see Open Directory Administration.

For incoming mail, mail service supports secure mail connections with mail client software that requests them. If a mail client requests an SSL connection, mail service can comply if that option is enabled. Mail service still provides non-SSL (unencrypted) connections to clients that don't request SSL. The configuration of each mail client determines whether it connects with SSL or not.

For outgoing mail, mail service supports secure mail connections between SMTP servers. If an SMTP server requests an SSL connection, mail service can comply if that option is enabled. Mail service can still allow non-SSL (unencrypted) connections to mail servers that don't request SSL.

Enabling Secure Mail Transport with SSL

Mail service requires configuration to provide SSL connections automatically. The basic steps are as follows:

Step 1: Obtain a security certificate
This can be done in the following ways:
• Get a certificate from a Certificate Authority (CA).
• Generate a Certificate Signing Request (CSR) and create a keychain.
• Use the CSR to obtain a certificate from an issuing CA or create a self-signed certificate in Server Admin's Certificate Manager.
• Locate an existing certificate from a previous installation of Snow Leopard Server. If you have already generated a security certificate in a previous version of Leopard Server, you can import it for use.

Step 2: Import the certificate into Server Admin's Certificate Manager
You can use Certificate Manager to drag and drop certificate information, or you can provide Certificate Manager with the path to an existing installed certificate.

Step 3: Configure the service to use the certificate
For instructions for allowing or requiring SSL transport, see the following sections:
• "Configuring SSL Transport for POP Connections" on page 236
• "Configuring SSL Transport for IMAP Connections" on page 237
• "Configuring SSL Transport for SMTP Connections" on page 239

Enabling Secure POP Authentication

Your POP mail service can protect user passwords by allowing Authenticated POP (APOP) or Kerberos. When a user connects with APOP or Kerberos, the user's mail client software encrypts the user's password before sending it to your POP service.

Before configuring mail service to require secure authentication, make sure that users' mail applications and user accounts support the method of authentication you choose.

Before enabling Kerberos authentication for incoming mail service, you must integrate Snow Leopard with a Kerberos server. If you're using Snow Leopard Server for Kerberos authentication, this is already done for you. For more information, see Open Directory Administration.

If you want to require either of these authentication methods, enable only one method.

To set the POP authentication method:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 Click the APOP or Kerberos checkbox in the POP3 list.
6 Click Save.

From the command line:

# Set the POP authentication method:
sudo serveradmin settings mail:imap:pop_auth_apop = no
sudo serveradmin settings mail:imap:pop_auth_clear = no
sudo serveradmin settings mail:imap:pop_auth_gssapi = no

Configuring SSL Transport for POP Connections

SSL transport enables mail transmitted over the network to be securely encrypted. You can choose Require, Use, or Don't Use SSL for POP (and IMAP) connections. Before using SSL connections, you must have a security certificate for mail use. Setting SSL transport for POP also sets it for IMAP.

To set SSL transport for POP connections:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 In the IMAP and POP SSL pop-up menus, select Require or Use to enable (or Don't Use to disable).
6 Select the certificate you want to use from the corresponding pop-up menu, if you are using or requiring SSL.
7 Click Save.

From the command line:

# Set SSL transport for POP connections:
sudo serveradmin settings mail:imap:tls_server_options = "use"

Enabling Secure IMAP Authentication

Your IMAP mail service can protect user passwords by requiring that connections use a secure method of authentication. You can choose CRAM-MD5 or Kerberos v5 authentication. When a user connects with secure authentication, the user's mail client software encrypts the user's password before sending it to your IMAP service.

Make sure that your users' mail applications and user accounts support the method of authentication you choose. If you configure mail service to require CRAM-MD5, you must set mail accounts to use a Snow Leopard Server Password Server that has CRAM-MD5 enabled. For information, see Open Directory Administration.

Before enabling Kerberos authentication for incoming mail service, you must integrate Snow Leopard Server with a Kerberos server. If you're using Snow Leopard Server for Kerberos authentication, this is done for you. For instructions, see Open Directory Administration.

If you want to require any of these authentication methods, enable only one method.

To set secure IMAP authentication:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 Select CRAM-MD5 or Kerberos (as needed) in the IMAP section.
6 Click Save.

From the command line:

# Set secure IMAP authentication:
sudo serveradmin settings mail:imap:imap_auth_login = no
sudo serveradmin settings mail:imap:imap_auth_plain = no
sudo serveradmin settings mail:imap:imap_auth_gssapi = no
sudo serveradmin settings mail:imap:imap_auth_clear = no
sudo serveradmin settings mail:imap:imap_auth_cram_md5 = no

Configuring SSL Transport for IMAP Connections

SSL transport enables mail transmitted over the network to be securely encrypted. You can choose Require, Use, or Don't Use SSL for IMAP connections. Before using SSL connections, you must have a security certificate for mail use. Setting SSL transport for IMAP also sets it for POP.

To configure SSL transport for IMAP connections:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 From the pop-up menus in the IMAP and POP SSL section, click Require or Use to enable (Don't Use to disable).
6 Select the certificate you want to use from the corresponding pop-up menu, if you are using or requiring SSL.
7 Click Save.

From the command line:

# Configure SSL transport for IMAP connections (same as POP)
sudo serveradmin settings mail:imap:tls_server_options = "use"

Enabling Secure SMTP Authentication

Your server can guard against being an open relay by allowing SMTP authentication. (An open relay indiscriminately relays mail to other mail servers.) You can configure mail service to require secure authentication using CRAM-MD5 or Kerberos. You can also allow the less secure plain and login authentication methods, which don't encrypt passwords, if some users have mail client software that doesn't support secure methods.

If you configure mail service to require CRAM-MD5, mail users' accounts must be set to use a password server that has CRAM-MD5 enabled. For information, see Open Directory Administration.

Before enabling Kerberos authentication for incoming mail service, you must integrate Snow Leopard Server with a Kerberos server. If you're using Snow Leopard Server for Kerberos authentication, this is done for you. For instructions, see Open Directory Administration.

Enabling SMTP authentication will:
• Make your users authenticate with their mail client before accepting mail to send.
• Frustrate mail server abusers trying to send mail without your consent through your system.

If you want to require any of these authentication methods, enable only one method.

To allow secure SMTP authentication:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 In the SMTP section, click the CRAM-MD5 or Kerberos checkbox.
6 Click Save.

From the command line:

# Allow secure SMTP authentication:
sudo serveradmin settings mail:postfix:smtpd_sasl_auth_enable = yes
sudo serveradmin settings mail:postfix:smtpd_use_pw_server = "yes"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "gssapi"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "cram-md5"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "login"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "plain"

Configuring SSL Transport for SMTP Connections

SSL transport enables mail transmitted over the network to be securely encrypted. You can choose Require, Use, or Don't Use SSL for SMTP connections. Before using SSL connections, you must have a security certificate for mail use.

To configure SSL transport for SMTP connections:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Advanced tab.
4 Select Security.
5 In the SMTP SSL section, click Require or Use to enable (or Don't Use to disable).
6 Select the certificate you want to use from the corresponding pop-up menu, if you are using or requiring SSL.
7 Click Save.

From the command line:

# Configure SSL transport for SMTP connections:
sudo serveradmin settings mail:postfix:smtpd_use_tls = "yes"

Using ACLs for Mail Service Access

Access Control Lists (ACLs) are a method of designating service access to specific users or groups on an individual basis. For example, you can use an ACL to allow only one user to access a file server or shell login, without allowing other users on the server to access it.

Mail services are different from services that traditionally use ACLs for determining service access. Mail service is already specified on a per-user basis. Either you have a mail account on a server or you don't. Being a user on a server doesn't automatically confer access to mail storage and retrieval.

Some administrators find it easier to designate mail access using ACLs if they are doing all their other configuration using ACLs. They also might have mixed network environments that necessitate using ACLs to assign mail access.

Snow Leopard Server allows you to enable mail access for users using the Access tab in a server's Server Admin listing. If you enabled user access via Server Admin and traditional mail access using Workgroup Manager, the settings interact in the following manner:

Access via ACL | Access via Workgroup Manager | Result
On  | On  | User has mail access granted according to the IMAP or POP settings in the General Settings Mail panel in Server Admin.
On  | Off | User has mail access granted according to the IMAP or POP settings in the General Settings Mail panel in Server Admin.
Off | On  | User has mail access granted according to his or her user record settings in Workgroup Manager. This is the default.
Off | Off | User has no mail access.

To enable a user's mail access using ACLs:
1 In Server Admin, select the server that has mail service running and then click Settings.
2 Select Access, then click Services.
3 Select Mail from the Services list.
4 Deselect "Use same access for all services."
5 Select "Allow only users and group below."
6 Click the Add (+) button to reveal a Users and Groups list.
7 Drag the user or group to the access list.
8 Click Save.

From the command line:

# Enable a user's mail access using ACLs
sudo dseditgroup -o edit -a $USER -t user com.apple.access_mail

Limiting Junk Mail and Viruses

You can configure mail service to decrease the volume of unsolicited commercial mail, also known as junk mail (or spam), and mail containing viruses. You can take steps to block junk mail or viruses that are sent to mail users.

Additionally, you can secure your server against use by mail service abusers, who try to use your resources to send junk mail to others. You can also prevent senders of junk mail from using your server as a relay point. A relay point or open relay is a server that unselectively receives and forwards mail addressed to other servers. An open relay sends mail from any domain to any domain. Junk mail senders exploit open relay servers to avoid having their SMTP servers blacklisted as sources of junk mail.

You don't want your server blacklisted as an open relay because other servers may reject mail from your users.

There are two main methods of preventing viruses and junk mail passing through or into your mail system. Using both methods will help ensure your mail system integrity. The two methods are:
• "Connection Control" on page 241
• "Mail Screening" on page 245

Connection Control

This method of prevention controls which servers can connect to your mail system and what those servers must do to send mail through your mail system. Your mail service can do any of the following to exercise connection control:
• Require SMTP authentication
• Restrict SMTP relay, allowing relay only by approved servers
• Reject SMTP connections from disapproved servers
• Reject mail from blacklisted servers
• Filter SMTP connections

These methods are explained on the following pages.
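The authentication and SSL transport sections above, and the connection-control methods just listed, come down to a handful of serveradmin settings plus an approved-host list, and it is easy to end up with a server that still accepts plaintext passwords or relays for a larger network than intended. The script below is an added example and is not part of Apple's guide: it reads a constructed dump of `key = value` lines in the form the serveradmin commands in this chapter write, flags settings that leave passwords or sessions unencrypted or leave the server relayable without authentication, and checks which client addresses fall inside an approved network/netmask pattern such as 192.168.40.0/21 (which admits 192.168.40.0 through 192.168.47.255, not just the .40 subnet). The function names `cidr_contains`, `relay_without_auth` and `audit_mail_settings`, the variables `SAMPLE_SETTINGS` and `APPROVED_HOSTS`, and the value `require` for the Require option are assumptions of this example; the chapter itself only shows the value `use`.

```shell
#!/bin/sh
# Added example (not from Apple's guide): audit a mail connection-control
# configuration offline. Input is the "key = value" form written by the
# serveradmin commands in this chapter.

# Split a dotted quad into four words (runs in a subshell so IFS is untouched).
split_quad() { ( IFS=.; set -- $1; printf '%s %s %s %s' "$1" "$2" "$3" "$4" ); }

# cidr_contains NETWORK[/PREFIX] ADDRESS -> prints yes or no.
# Compares octet by octet, so it needs no 32-bit arithmetic.
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32            # a bare address means /32
    # $1..$4 become the network octets, $5..$8 the address octets
    set -- $(split_quad "$net") $(split_quad "$2")
    for i in 1 2 3 4; do
        n=$1; a=$5; shift
        [ "$bits" -le 0 ] && break             # prefix exhausted: match
        if [ "$bits" -ge 8 ]; then
            [ "$n" -eq "$a" ] || { echo no; return 0; }
        else
            drop=$((8 - bits))                 # compare only the top bits
            [ $((n >> drop)) -eq $((a >> drop)) ] || { echo no; return 0; }
            break
        fi
        bits=$((bits - 8))
    done
    echo yes
}

# relay_without_auth "NET NET ..." ADDRESS -> yes if ADDRESS is inside an
# approved network, i.e. it may relay through the server without authenticating.
relay_without_auth() {
    for net in $1; do
        [ "$(cidr_contains "$net" "$2")" = yes ] && { echo yes; return 0; }
    done
    echo no
}

# audit_mail_settings < dump -> one WARN line per weak setting.
audit_mail_settings() {
    sasl=no; restrict=no
    while IFS= read -r line; do
        key=${line%% = *}
        value=${line#* = }
        value=${value#\"}; value=${value%\"}   # values may be quoted
        case $key in
            mail:imap:tls_server_options)
                # Assumption: Server Admin writes "require" for the Require option.
                [ "$value" = require ] ||
                    echo "WARN $key = $value: SSL is not required for POP/IMAP" ;;
            mail:imap:pop_auth_clear|mail:imap:imap_auth_plain|mail:imap:imap_auth_login)
                [ "$value" = no ] ||
                    echo "WARN $key = $value: passwords are sent unencrypted" ;;
            mail:postfix:smtpd_pw_server_security_options:*)
                case $value in
                    plain|login) echo "WARN SMTP AUTH allows $value, which does not encrypt passwords" ;;
                esac ;;
            mail:postfix:smtpd_use_tls)
                [ "$value" = yes ] || echo "WARN $key = $value: SMTP sessions are unencrypted" ;;
            mail:postfix:smtpd_sasl_auth_enable) sasl=$value ;;
            mail:postfix:mynetworks_enabled)    restrict=$value ;;
        esac
    done
    # Neither SMTP authentication nor relay restriction means an open relay.
    if [ "$sasl" != yes ] && [ "$restrict" != yes ]; then
        echo "WARN open relay: neither SMTP authentication nor relay restriction is enabled"
    fi
}

# Constructed sample dump (not from a real server), using the keys the commands
# in this chapter set. Some values are deliberately weak so the audit reports them.
SAMPLE_SETTINGS='mail:imap:tls_server_options = "use"
mail:imap:pop_auth_apop = yes
mail:imap:pop_auth_clear = yes
mail:imap:imap_auth_cram_md5 = yes
mail:imap:imap_auth_plain = yes
mail:imap:imap_auth_login = no
mail:postfix:smtpd_use_tls = "yes"
mail:postfix:smtpd_sasl_auth_enable = yes
mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "cram-md5"
mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "plain"
mail:postfix:mynetworks_enabled = yes'

# Constructed approved-relay list in the notations the Relay tab accepts
# (kept in a variable here; on a server the list lives in Server Admin).
APPROVED_HOSTS="127.0.0.1 192.168.40.0/21"

main() {
    printf '%s\n' "$SAMPLE_SETTINGS" | audit_mail_settings
    for host in 192.168.40.1 192.168.47.254 192.168.48.1 203.0.113.7; do
        echo "$host relays without auth: $(relay_without_auth "$APPROVED_HOSTS" "$host")"
    done
}

main
```

On a server, pipe the real dump in instead of the constructed one (`sudo serveradmin settings mail | audit_mail_settings`) and put the entries from the Relay tab into `APPROVED_HOSTS`. The octet-wise comparison is deliberate: it avoids the 32-bit overflow a `$(( ))` conversion of 192.x.x.x can hit in some shells, and it makes it obvious why 192.168.48.1 is outside a /21 that starts at .40.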
Requiring SMTP Authentication

If your mail service requires SMTP authentication, your server cannot be used as an open relay by anonymous users. Someone who wants to use your server as a relay point must first provide the name and password of a user account on your server.

Although SMTP authentication applies primarily to mail relay, your local mail users must also authenticate before sending mail. This means your mail users must have mail client software that supports SMTP authentication or they can't send mail to remote servers. Mail sent from external mail servers and addressed to local recipients is still accepted and delivered.

To require SMTP authentication, see "Enabling Secure SMTP Authentication" on page 238.

Restricting SMTP Relay

Your mail service can restrict SMTP relay by allowing only approved hosts to relay mail. You create the list of approved servers. Approved hosts can relay through your mail service without authenticating. Servers not on the list cannot relay mail through your mail service unless they authenticate first. All hosts, approved or not, can deliver mail to your local mail users without authenticating.

Your mail service can log connection attempts made by hosts not on your approved list.

To restrict SMTP relay:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Relay tab.
4 Click the "Accept SMTP relays only from these" checkbox.
5 Edit the list of hosts:
• Click the Add (+) button to add a host to the list.
• Click the Remove (–) button to delete a selected host from the list.
• Click the Edit (/) button to change a selected host from the list.
When adding to the list, you can use a variety of notations.
• Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
• Enter a host name, such as mail.example.com.
• Enter an Internet domain name, such as example.com.

From the command line:

# Restrict SMTP relay:
sudo serveradmin settings mail:postfix:mynetworks_enabled = yes

SMTP Authentication and Restricted SMTP Relay Combinations

The following table describes the results of using SMTP authentication and restricted SMTP relay in various combinations.

SMTP requires authentication | Restricted SMTP relay | Result
On  | Off | All mail servers must authenticate before your mail service accepts mail for relay. Your local mail users must also authenticate to send mail out.
On  | On  | Approved mail servers can relay without authentication. Servers you haven't approved can relay after authenticating with your mail service.
Off | On  | Your mail service can't be used for open relay. Approved mail servers can relay (without authenticating). Servers that you haven't approved can't relay unless they authenticate, but they can deliver to your local mail users. Your local mail users don't need to authenticate to send mail. This is the most common configuration.

Rejecting SMTP Connections from Specific Servers

Your mail service can reject unauthorized SMTP connections from hosts on a disapproved-hosts list that you create. Mail traffic from hosts on this list is denied and SMTP connections are closed after posting a 554 SMTP connection refused error.

To reject unauthorized SMTP connections from specific servers:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Relay tab.
4 Click the "Refuse all messages from these" checkbox.
5 Edit the list of servers:
• Click the Add (+) button to add a host to the list.
• Click the Remove (–) button to delete the selected host from the list.
• Click the Edit (/) button to change the selected host from the list.
When adding to the list, you can use the following notations:
• Enter a single IP address or the network/netmask pattern, such as 192.168.40.0/21.
• Enter a host name, such as mail.example.com.
• Enter an Internet domain name, such as example.com.

From the command line:

# Reject unauthorized SMTP connections:
sudo serveradmin settings mail:postfix:smtp_reject_list_enabled = yes
sudo serveradmin settings mail:postfix:smtp_reject_list:_array_index:0 = "$NETWORK"

Rejecting Mail from Blacklisted Senders

Your mail service can reject mail from SMTP servers that are blacklisted as open relays by a Real-time Blacklist (RBL) server. Your mail service uses an RBL server that you specify. RBLs are also called black-hole servers.

Blocking unsolicited mail from blacklisted senders might not be completely accurate. Sometimes it prevents valid mail from being received.

To reject mail from blacklisted senders:
1 In Server Admin, select Mail in the Computers & Services pane.
2 Click Settings.
3 Select the Relay tab.
4 Click the "Use these junk mail rejection servers" checkbox.
5 Edit the list of servers by adding the DNS name of an RBL server:
• Click the Add (+) button to add a server to the list, then enter the domain name of an RBL server, such as rbl.example.com.
• Click the Remove (–) button to delete a server from the list.
• Click the Edit (/) button to change a server.

From the command line:

# Reject mail from blacklisted senders:
sudo serveradmin settings mail:postfix:black_hole_domains:_array_index:0 = "$BLACKLIST_SERVER"
sudo serveradmin settings mail:postfix:maps_rbl_domains_enabled = yes

Filtering SMTP Connections

You can use the firewall service of Snow Leopard Server to allow or deny access to your SMTP mail service from specific IP addresses. Filtering disallows communication between an originating host and your mail server. Mail service doesn't receive the incoming connection and no SMTP error is generated or sent back to the client.

To filter SMTP connections:
1 In Server Admin, select Firewall in the Computers & Services pane.
2 Create a firewall IP filter using the instructions in Network Services Administration, using the following settings:
• Access: denied
• Port number: 25 (or your incoming SMTP port, if you use a nonstandard port)
• Protocol: TCP
• Source: the IP address or address range you want to block
• Destination: your mail server's IP address
3 If needed, log the packets to monitor the SMTP abuse.
4 Add more filters for the SMTP port to allow or deny access from other IP addresses or address ranges.

For additional information about firewall service, see Network Services Administration.

Mail Screening

After a mail delivery connection is made and the message is accepted for local delivery (relayed mail is not screened), the mail server can screen it before delivery.

Snow Leopard Server uses SpamAssassin (from spamassassin.apache.org) to analyze the text of a message, and gives it a probability rating for being junk mail. No junk mail filter is 100% accurate in identifying unwanted mail. For this reason the junk mail filter in Snow Leopard Server doesn't delete or remove junk mail from being delivered. Instead, it marks the mail as potential junk mail. The user can then decide if it's really unsolicited commercial mail and deal with it accordingly. Many mail clients use the ratings that SpamAssassin adds as a guide in classifying mail for the user.

Snow Leopard Server uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can deal with it in several ways, as described in "Enabling Junk Mail Screening (Bayesian Filters)" on page 245. Virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.

Enabling Junk Mail Screening (Bayesian Filters)

Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.
Chapter15SecuringMailServiceBayesianmailfilteringistheclassificationofmailmessagesbasedonstatistics.Eachmessageisanalyzedandwordfrequencystatisticsaresaved.Mailmessagesthathavemoreofthesamewordsasthoseinjunkmailreceiveahighermarkingofprobabilitythattheyarealsojunkmail.Whenthemessageisscreened,theserveraddsaheader(X-Spam-Level)withthejunkmailprobabilityscore.Forexample,letssayyouhave400mailmessageswhere200ofthemarejunkmailand200aregoodmail.Whenamessagearrives,itstextiscomparedtothe200junkmailandthe200goodmessages.Thefilterassignstheincomingmessageaprobabilityofbeingjunkorgood,dependingonwhatgroupitmostresembles.Bayesianfilteringhasshownitselftobeaveryeffectivemethodoffindingjunkmail,ifthefilterhasenoughdatatocompare.Oneofthestrengthsofthismethodisthemoremailyougetandclassify(aprocesscalledtraining),themoreaccuratethenextroundofclassificationis.Evenifjunkmailsendersaltertheirmailings,thefiltertakesthatintoaccountthenexttimearound.Toenablejunkmailscreening:1 InServerAdmin,selectacomputerintheServerslist,thenselectMail.2 ClickSettings.3 SelecttheFilterstab.4 SelectScanMailforJunkMail.5 Setthelevelofpermissiveness(Cautious,Moderate,Aggressive).Thepermissivenessmetersetshowmanyjunkmailflagscanbeappliedtoamessagebeforeitisprocessedasjunkmail.IfyousetittoLeastpermissive,mildlysuspiciousmailistaggedandprocessedasjunkmail.IfyousetittoMostpermissiveittakesahighscore(inotherwords,manyjunkmailcharacteristics)tomarkitasjunk.6 Decidehowtodealwithjunkmailmessages. Bounced:Sendsthemessagebacktothesender.Youcanoptionallysendamailnotificationofthebouncetoamailaccount,probablythepostmaster. Deleted:Deletesthemessagewithoutdelivery.Youcanoptionallysendamailnotificationofthebouncetoamailaccount,probablythepostmaster. Delivered:Deliversthemessageeventhoughitsprobablyjunkmail.Youcanoptionallyaddtexttothesubjectline,indicatingthatthemessageisprobablyjunkmail,orencapsulatethejunkmailasaMIMEattachment. 
• Redirected: Delivers the message to someone other than the intended recipient.
7 Choose how often to update the junk mail database, if desired.
8 Click Save.
For an explanation of other options, see Filtering Mail by Language and Locale on page 248.

Manually Training the Junk Mail Filter

It is important to teach the filter what is and is not junk mail. Initially, the filter will not be very accurate at marking junk mail, but you can train it to do better. Accurate training requires a large sample, so a minimum of 200 messages of each type is advised.

To train the filter:
1 Choose a mailbox of 200 messages made up of only junk mail.
2 Use Terminal and the filter's command-line training tool to analyze that mailbox and remember it as junk mail. Give sa-learn the path of the directory that holds the junk messages (some printings of this guide show /* here, which would feed the entire file system to the filter and must not be used):
    sudo sa-learn --showdots --spam /path/to/junk-mailbox/*
3 Choose a mailbox of 200 messages made up of only good mail.
4 Use Terminal and the training tool to analyze that mailbox and remember it as good mail:
    sudo sa-learn --showdots --ham /path/to/good-mailbox/*

If the junk mail filter fails to identify a junk mail message, train it again so it can do better next time. Use sa-learn again with the --spam argument on the mislabeled message. Likewise, if you get a false positive (a good message marked as junk mail), use sa-learn again with the --ham argument to further train the filter.

From the command line:
    # Enable junk mail screening:
    sudo serveradmin settings mail:postfix:spam_scan_enabled = yes
    # Train the filter:
    sudo sa-learn --showdots --spam $JUNK_DIRECTORY/*
    sudo sa-learn --showdots --ham $NON_JUNK_DIRECTORY/*

Automatically Training the Junk Mail Filter

The junk mail filter must be told what is and is not junk mail. Snow Leopard Server provides a method of automatically training the filter with the help of mail users. The server runs an automated command at 1 a.m. (a launchd recurring event) that scans the inboxes of two specially named mail users. It runs SpamAssassin's sa-learn tool on the contents of the inboxes and uses the results for its adaptive junk mail filter.

To automatically train the junk mail filter:
1 Enable junk mail filtering. See Enabling Junk Mail Screening (Bayesian Filters) on page 245.
2 Create two local accounts: junkmail and notjunkmail.
3 Use Workgroup Manager to enable them to receive mail.
4 Instruct your mail users to redirect junk mail messages that have not been tagged as junk mail to the junkmail account (junkmail@ followed by your mail domain).
5 Instruct your mail users to redirect real mail messages that were wrongly tagged as junk mail to the notjunkmail account (notjunkmail@ followed by your mail domain).
Each day at 1 a.m., the junk mail filter learns what is junk and what was mistaken for junk but is not.
6 Delete the messages in the junkmail and notjunkmail accounts daily.
Anything delivered to these two accounts becomes training data, so anyone who learns the addresses can skew the filter by mailing them directly. Restrict delivery to these accounts to your own users (for example, with the SMTP relay and access controls described earlier in this chapter) and review their contents before the nightly run if the filter's accuracy starts to drift.

From the command line:
    # Automatically train the junk mail filter:
    sudo /etc/mail/spamassassin/learn_junk_mail

Filtering Mail by Language and Locale

You can filter incoming mail based on locales or languages. Mail messages composed in foreign text encodings are often erroneously marked as junk mail. You can configure your mail server not to mark messages from designated originating countries or languages as junk mail.

To allow mail by language and locale:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Filters tab.
4 Select Scan Email for Junk Mail.
5 Click the Edit (/) button next to Accepted Languages to change the list, select the language encodings to allow as non-junk mail, and click OK.
6 Click the Edit (/) button next to Accepted Locales to change the list, select the country codes to allow as non-junk mail, and click OK.
7 Click Save.

From the command line:
    # Allow mail by language and locale:
    sudo serveradmin settings mail:postfix:spam_ok_languages = "en fr de"
    sudo serveradmin settings mail:postfix:spam_ok_locales = "en"

Enabling Virus Screening

Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.

Snow Leopard Server uses ClamAV (from www.clamav.net) to scan mail messages for viruses. If a suspected virus is found, you can choose to deal with it in several ways, as described below. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.

To enable virus screening:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Filters tab.
4 Select Scan Email for Viruses.
5 Decide how to deal with messages containing viruses.
• Bounced: Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account (probably the domain's postmaster) and notify the intended recipient. As with junk mail, the sender address of infected mail is usually forged, so bouncing mostly notifies the wrong party.
• Deleted: Deletes the message without delivery. You can optionally send a mail notification to some mail account, probably the postmaster, as well as the intended recipient.
• Quarantined: Delivers the message to a directory for further analysis. You can optionally send a mail notification of the quarantine to some mail account, probably the postmaster.
6 Choose whether you want to notify the intended recipient if the message was filtered.
7 Choose how often to update the virus database. A minimum of twice a day is suggested. Some administrators choose eight times a day.
8 Click Save.

From the command line:
    # Enable virus screening:
    sudo serveradmin settings mail:postfix:virus_scan_enabled = yes

Viewing Mail Service Logs

Mail service maintains the following logs that you can view in Server Admin. The file location for each log is shown beneath the Show pop-up menu.
• Mail Access: General mail service information goes into this log.
• IMAP log: IMAP-specific activity goes into this log.
• POP log: POP-specific activity goes into this log.
• SMTP log: SMTP-specific activity goes into this log.
• Mailing List logs: These logs record Mailman's activity, including service, error, delivery failures, postings, and subscriptions.
• Junk Mail and Virus logs: These show activity for mail filtering, including logs for virus definition updates (freshclam log), virus scanning (clamav log), and mail filtering (amavis log).
Logs can be refined by using the text filter box in the window.

To view a mail service log:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click the Logs button.
3 From the View pop-up menu, choose a log type.
4 Click Save.

From the command line:
    # View a mail service log:
    sudo tail /var/log/mail.log

16 Securing Antivirus Services

Use this chapter to learn how to use the antivirus services built into your system to detect and remove viruses.

Installing antivirus tools helps prevent infection of your computer by viruses, and helps prevent your computer from becoming a host for spreading viruses to other computers. These tools quickly identify suspicious content and compare it to known malicious content.

Snow Leopard Server uses ClamAV (from www.clamav.net) to scan mail messages and attachments for viruses. If a suspected virus is found, ClamAV deletes the message or quarantines it to a specified directory on the server for further analysis. The virus definitions are kept up to date (if enabled) via the Internet using a process called freshclam.

In addition to using antivirus tools, you should develop computer usage habits that prevent virus infection. For example, do not download or open content you did not specifically request, and never open a file sent to you by someone you do not know.

When you use antivirus tools, make sure you have the latest virus definition files. The protection provided by your antivirus tool depends on the quality of your virus definition files. If your antivirus tool supports it, enable automatic downloading of virus definitions.

For a list of antivirus tools, see the Macintosh Products Guide at guide.apple.com.
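The amavis log listed above is where the junk mail verdicts, SpamAssassin scores and ClamAV hits from the previous chapter end up, so it is the first place to look when tuning the permissiveness level or checking that virus screening is doing anything. The following shell script is an added example, not part of Apple's guide or of the server's tooling: it counts verdicts, lists blocked viruses with the sender that delivered them, and lists messages whose score (the "Hits:" value amavisd records, which is what the permissiveness setting compares against a threshold) reaches a score you choose. The log lines are constructed for the example in the layout amavisd-new uses for its summary lines; the hosts, addresses, message IDs and the signature name are invented.

```shell
#!/bin/sh
# Added example: summarize a Snow Leopard Server amavis log (/var/log/amavis.log).
# Not part of Apple's guide. Run it against a real log with:
#   sh amavis_summary.sh /var/log/amavis.log
# With no argument it analyzes the constructed SAMPLE_LOG below.

# Constructed sample lines in amavisd-new summary-line layout (invented hosts,
# addresses, message IDs and test-signature name; not captured from a server).
SAMPLE_LOG='Jun  4 01:02:03 mail amavis[812]: (00812-01) Passed CLEAN {RelayedInbound}, [192.0.2.10]:4401 <alice@example.net> -> <bob@example.org>, Message-ID: <a1@example.net>, mail_id: x1, Hits: -1.9, size: 2048, queued_as: 1A2B3, 250 ms
Jun  4 01:05:17 mail amavis[812]: (00812-02) Passed SPAMMY {RelayedTaggedInbound}, [198.51.100.7]:5120 <promo@example.com> -> <bob@example.org>, Message-ID: <b2@example.com>, mail_id: x2, Hits: 7.3, size: 5120, queued_as: 4C5D6, 310 ms
Jun  4 01:09:44 mail amavis[812]: (00812-03) Blocked SPAM {DiscardedInbound}, [198.51.100.7]:5188 <promo@example.com> -> <carol@example.org>, Message-ID: <c3@example.com>, mail_id: x3, Hits: 21.0, size: 6144, 290 ms
Jun  4 01:12:09 mail amavis[812]: (00812-04) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound}, [203.0.113.9]:6001 <mallory@example.com> -> <bob@example.org>, Message-ID: <d4@example.com>, mail_id: x4, Hits: -, size: 69, 120 ms
Jun  4 01:15:30 mail amavis[812]: (00812-05) Passed CLEAN {RelayedInbound}, [192.0.2.11]:4410 <dave@example.net> -> <carol@example.org>, Message-ID: <e5@example.net>, mail_id: x5, Hits: 4.8, size: 1024, queued_as: 7E8F9, 200 ms'

# count_verdict VERDICT: number of log lines (stdin) carrying that verdict.
# "SPAM[ (]" must not match "SPAMMY", hence the trailing character class.
count_verdict() {
    awk -v v="$1" '$0 ~ ("(Passed|Blocked) " v "[ (]") { n++ } END { print n + 0 }'
}

# verdict_summary: "VERDICT count" for every verdict seen, sorted by name.
verdict_summary() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "Passed" || $i == "Blocked") { c[$(i + 1)]++; break } }
         END { for (v in c) print v, c[v] }' | sort
}

# infected_report: "signature sender" for each blocked infected message.
infected_report() {
    sed -n 's/.*Blocked INFECTED (\([^)]*\)).*<\([^>]*\)> -> .*/\1 \2/p'
}

# hits_at_least SCORE: "Message-ID score" for every message whose SpamAssassin
# score reached SCORE, whatever amavisd decided. Lowering SCORE shows what a
# less permissive setting would have tagged; "Hits: -" (unscored) is skipped.
hits_at_least() {
    awk -v t="$1" '
        { mid = "?"; h = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "Message-ID:") { mid = $(i + 1); sub(/,$/, "", mid) }
              if ($i == "Hits:")       { h = $(i + 1);   sub(/,$/, "", h) }
          }
          if (h != "" && h != "-" && h + 0 >= t + 0) print mid, h }'
}

# Demo / stand-alone use: a file argument, or the constructed sample.
log_input() { if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi; }
echo "== verdicts ==";              log_input "$1" | verdict_summary
echo "== blocked viruses ==";       log_input "$1" | infected_report
echo "== scored 5.0 or higher =="; log_input "$1" | hits_at_least 5
```

On the sample, the CLEAN message from dave scores 4.8: it passed, but it would have been tagged under a less permissive level, which is the kind of borderline case to look at before tightening the setting.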
Securely Configuring and Managing Antivirus Services

This section describes how to securely configure and manage antivirus services.

Enabling Virus Scanning

Before you can benefit from mail screening, it must be enabled. While enabling screening, you configure screening parameters.

To enable virus screening:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the Filters tab.
4 Select Scan Email for Viruses.
5 Decide how to deal with messages containing viruses.
• Bounced: Sends the message back to the sender. You can optionally send a mail notification of the bounce to a mail account (probably the domain's postmaster) and notify the intended recipient.
• Deleted: Deletes the message without delivery. You can optionally send a mail notification to some mail account, probably the postmaster, as well as the intended recipient.
• Quarantined: Delivers the message to a directory for further analysis. You can optionally send a mail notification of the quarantine to some mail account, probably the postmaster.
6 Choose whether you want to notify the intended recipient if the message was filtered.
7 Choose how often to update the virus database. A minimum of twice a day is suggested. Some administrators choose eight times a day.
8 Click Save.

From the command line:
    # Securing Antivirus Services
    # Enable virus screening
    sudo serveradmin settings mail:postfix:virus_scan_enabled = yes

Managing ClamAV with ClamXav

You can use ClamXav, a free GUI front-end to the ClamAV open source virus checker. This tool allows you to:
• Update virus definitions
• Scan files and folders for viruses
ClamXav performs the following tasks:
• Logs results to a log file
• Places infected files into quarantine
• Monitors folders for changes to their contents
You can access ClamXav services through contextual pop-up menus in the Finder.

Viewing Antivirus Services Logs

Mail service maintains the following junk mail and virus logs that you can view in Server Admin. The file location for each log is shown beneath the Show pop-up menu.
• Junk Mail/Virus Scanning (/var/log/amavis.log)
• Virus (/var/log/clamav.log)
• Virus Database Updates (/var/log/freshclam.log)

To view a virus service log:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click the Logs button.
3 From the View pop-up menu, choose a log type.
4 Click Save.

From the command line:
    # View a virus log:
    sudo tail /var/log/amavis.log

17 Securing File Services and Share Points

Use this chapter to learn how to secure file services.

Securely configuring file services is an important step in protecting your private data from network attacks.

Snow Leopard Server's cross-platform file sharing services help groups work more efficiently by letting them share resources, archive projects, exchange and back up important documents, and conduct other file-related activities.

Sharing files over a network opens your computers up to a host of vulnerabilities. With file services enabled, you are allowing access to files and folders on your server (also called share points).

For more information about configuring file services, see File Services Administration.

Security Considerations

The most effective method of securing your network is to assign correct privileges for each file, folder, and share point you create.

Restricting Access to File Services

Use Service Access Control Lists (SACLs) to restrict access to AFP, FTP, and SMB services.

Restricting Access to Everyone

Be careful when creating and granting access to share points, especially if you are connected to the Internet. Granting access to Everyone, or to World (in NFS service), can expose your data to anyone on the Internet. For NFS, it is recommended that you do not export volumes to World and that you use Kerberos to provide security for NFS volumes.
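The two NFS rules just stated (no exports to World, Kerberos for NFS) can be checked mechanically against the server's exports file, and doing so catches the export somebody added by hand for a quick test. The following shell script is an added example, not from Apple's guide: it reads lines in the exports(5) syntax Mac OS X Server uses (path, then options such as -ro, -mapall=nobody, -maproot=root, -sec=krb5p and -network/-mask, then an optional list of client hosts) and reports, per export, whether it is open to World, writable, not restricted to Kerberos, mapped to something other than nobody, or maps root to root. The sample exports file is constructed; its paths, hosts and networks are invented.

```shell
#!/bin/sh
# Added example (not from Apple's guide): audit an NFS exports file for the
# mistakes this chapter warns about: exporting to World, exporting read-write
# and exporting without Kerberos. Usage:
#   sh nfs_exports_check.sh /etc/exports     (no argument: constructed sample)

# Constructed sample in exports(5) syntax; paths, hosts and networks are invented.
SAMPLE_EXPORTS='# constructed exports file for the example
/Shared/Projects -ro -mapall=nobody -sec=krb5p -network 192.0.2.0 -mask 255.255.255.0
/Shared/Public -ro
/Shared/Scratch -mapall=nobody -sec=sys host1.example.org host2.example.org
/Users -alldirs -maproot=root'

# check_exports: for each export on stdin print "PATH: OK" or "PATH: WARN reasons".
# An export is treated as World when it names neither -network nor any client host.
# Kerberos counts only when -sec= lists krb5 flavors and does not also allow sys.
check_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        {
            path = $1; world = 1; ro = 0; krb = 0; mapall = 0; rootmap = 0
            for (i = 2; i <= NF; i++) {
                if      ($i == "-ro")              ro = 1
                else if ($i ~ /^-sec=/)            { if ($i ~ /^-sec=krb5/ && $i !~ /sys/) krb = 1 }
                else if ($i == "-network")         world = 0
                else if ($i == "-mapall=nobody")   mapall = 1
                else if ($i == "-maproot=root")    rootmap = 1
                else if ($i !~ /^-/)               world = 0   # explicit client host
            }
            msg = ""
            if (world)   msg = msg " exported-to-World"
            if (!ro)     msg = msg " read-write"
            if (!krb)    msg = msg " no-Kerberos"
            if (!mapall) msg = msg " not-mapped-to-nobody"
            if (rootmap) msg = msg " root-mapped-to-root"
            if (msg == "") print path ": OK"; else print path ": WARN" msg
        }'
}

# warning_count: number of exports on stdin that drew at least one warning.
warning_count() {
    check_exports | awk '/: WARN/ { n++ } END { print n + 0 }'
}

# Demo / stand-alone use.
if [ -n "$1" ]; then check_exports < "$1"; else printf '%s\n' "$SAMPLE_EXPORTS" | check_exports; fi
```

Only the first sample export passes: it is read-only, restricted to one subnet, mapped to nobody and Kerberos-only. The Scratch export is limited to two hosts, so it is not World, but it is writable and uses sys authentication, which is exactly the IP-address-only trust this chapter tells you to avoid.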
Restricting Access to NFS Share Points

NFS share points without the use of Kerberos do not have the same level of security as AFP and SMB, which require user authentication (entering a user name and password) to gain access to a share point's contents. If you have NFS clients, consider setting up a share point to be used only by NFS users, or configure NFS with Kerberos. NFS does not support SACLs. For more information, see Protocol Security Comparison on page 256.

Restricting Guest Access

When you configure file service, you can turn on guest access. Guests are users who connect to the server anonymously without entering a user name or password. Users who connect anonymously are restricted to files and folders that have privileges set to Everyone.

To protect your information from unauthorized access, and to prevent people from introducing software that might damage your information or equipment, take the following precautions using File Sharing in Server Admin:
• Depending on the controls you want to place on guest access to a share point, consider the following options:
  • Set privileges for Everyone to None for files and folders that guest users should not access. Items with this setting can be accessed only by the item's owner or group.
  • Put files available to guests in one folder or set of folders, and then assign the Read Only privilege to the Everyone category for that folder and each file in it.
  • Assign Read & Write privileges to the Everyone category for a folder only if guests must be able to change or add items in the folder. Make sure you keep a backup copy of the information in this folder.
• Do not export NFS volumes to World. Restrict NFS exports to a subnet or a specific list of computers.
• Disable access to guests or anonymous users over AFP, FTP, and SMB using Server Admin.
• Share individual folders instead of entire volumes. The folders should contain only those items you want to share.

Restricting File Permissions

Before a folder is shared, its permissions should be restricted as much as possible. Permissions on share points set as user home folders are particularly important. By default, users' home folders are set to allow any other user to read their contents. For more information about setting file permissions, see Chapter 6, Securing System Preferences.

Protocol Security Comparison

When sharing network resources, configure your server to provide the necessary security.

AFP and SMB provide some level of encryption to secure password authentication. AFP and SMB do not encrypt data transmissions over the network, so you should only use them on a securely configured network.

FTP does not provide password or data encryption. When using FTP, make sure your network is securely configured. Instead of using FTP, consider using the scp or sftp command-line tools. These tools securely authenticate and securely transfer files.

The following table compares the protocols and their authentication and encryption capabilities.

    Protocol  Authentication                                                        Data Encryption
    AFP       Cleartext and encrypted (Kerberos) passwords.                         Not encrypted; data is visible during transmission.
    NFS       Encrypted (Kerberos) password and system authentication.              Can be configured to encrypt data transmission.
    SMB       Cleartext and encrypted (NTLMv1, NTLMv2, LAN Manager, and Kerberos)   Not encrypted; data is visible during transmission.
              passwords.
    FTP       Cleartext passwords.                                                  Not encrypted. Data is sent as cleartext.

Disabling File Sharing Services

Unless you use the server as a file server, disable file sharing services. Disabling these services prevents your computer from being used by an attacker to access other computers on your network.

To disable file sharing services:
1 Open Server Admin and connect to the server.
2 Select the file sharing protocol in the Computers & Services list. You can choose AFP, FTP, NFS, or SMB.
3 Click Stop (protocol name) below the Computers & Services list.
4 Repeat for each protocol.

From the command line:
    # Securing File Services
    # Disable file sharing services.
    sudo serveradmin stop afp
    sudo serveradmin stop smb
    sudo serveradmin stop ftp
    sudo serveradmin stop nfs

Choosing a File Sharing Protocol

If you require file sharing services, you must choose which file sharing protocols are needed before configuring the services. The protocol is configured for the folders you are sharing, called share points. The share points are created and configured using Workgroup Manager.

Most installations only need one file sharing protocol, and you should use as few protocols as possible. Limiting the number of protocols used by a server limits its exposure to vulnerabilities discovered in those protocols.

The protocol choices are:
• Apple Filing Protocol (AFP): AFP is the preferred method of file sharing for Macintosh or compatible client systems. AFP supports authentication of clients, and also supports encrypted network transport using SSH.
• File Transfer Protocol (FTP): FTP should generally not be used for file sharing. Use the SFTP feature of SSH instead. SFTP provides a secure means of authentication and data transfer, while FTP does not. The only situation where FTP is acceptable is when the server must act as a file server for anonymous users. This might be necessary over WANs, where there is no concern for the confidentiality of the data and responsibility for the integrity of the data rests with its recipient.
• Network File System (NFS): NFS is a common file sharing protocol for UNIX computers. Avoid using NFS, because it does not perform authentication of its clients; it grants access based on client IP addresses and file permissions. Using NFS may be appropriate if the client computer administration and the network are trusted.
• Microsoft Windows Server Message Block (SMB): SMB is the native file sharing protocol for Microsoft Windows. Avoid using SMB: it supports authentication but does not support encrypted network transport, and its password authentication relies on LAN Manager, NTLMv1 and NTLMv2 challenge-response hashes. LAN Manager and NTLMv1 are weak and easily cracked offline, and even NTLMv2 exchanges can be captured and brute-forced by an eavesdropper. SMB may be an appropriate protocol for Windows clients when the network between the server and client is not at risk of eavesdropping.

Each protocol is appropriate for specific situations. Deciding which protocol to use depends on the clients and networking needs. After you choose a protocol for file sharing, you must configure the file sharing protocol. If no share points are shared with a protocol, disable the service that runs that protocol using Server Admin. The NFS service stops when no share points specify its use.

Configuring AFP File Sharing Service

Apple File Service, which uses AFP, lets you share files among Macintosh clients. Because it provides authentication and encryption, AFP service is the preferred file sharing method for Macintosh or compatible clients.

Note: Encryption does not apply to automatically mounted home folders, where only authentication is provided.

To securely configure AFP service:
1 Open Server Admin and connect to the server.
2 Select AFP in the Computers & Services list.
3 Click Settings.
4 Click General.
5 Enter the login greeting according to site policy.
6 Click Access.
7 For Authentication, choose Kerberos if your system is integrated into a Kerberos system; otherwise, choose Standard.
8 Deselect "Enable administrator to masquerade as any registered user".
9 Under Maximum Connections, enter the largest expected number for Client Connections.
10 Click Logging.
11 Select Enable Access Log to enable logging.
12 Select "Archive every __ day(s)" and set the frequency to three days or according to your organization's requirements.
13 Select Login and Logout to include those events in the access log. If you need stronger accounting, select the other events.
14 Under Error Log, select "Archive every __ day(s)" and set the frequency according to your organization's requirements.
15 Click Idle Users and configure the Idle Users settings:
• Deselect "Allow clients to sleep __ hour(s) - will not show as idle".
• Select "Disconnect idle users after __ minute(s)" and enter a value in the text field to mitigate the risk from a computer accidentally being left unattended.
• Deselect Guests, Administrators, Registered Users, and "Idle Users who have open files", so that no category of user is exempt from the idle disconnect.
• Enter a Disconnect Message notice according to site policy.
16 Click Save.
17 Click Start AFP.
18 For additional security enhancements, further restrict AFP by using SACLs and firewall rules. These are configured based on your organization's network environment:
• You can configure SACLs to restrict AFP access to specific users or groups. For more information, see Setting Service Access Control Lists (SACLs) on page 183.
• You can configure firewall rules that prevent AFP connections from unintended sources. For more information, see Creating Firewall Service Rules on page 216.

From the command line:
    # Securely configure AFP service:
    sudo serveradmin settings afp:registerNSL = no
    sudo serveradmin settings afp:attemptAdminAuth = no
    sudo serveradmin settings afp:clientSleepOnOff = no
    sudo serveradmin settings afp:idleDisconnectOnOff = yes
    sudo serveradmin settings afp:authenticationMode = "kerberos"
    sudo serveradmin settings afp:activityLog = yes
    sudo serveradmin settings afp:guestAccess = no

Configuring FTP File Sharing Service

If authentication of users is possible, use the SFTP portion of SSH instead of FTP to securely transmit files to and from the server. For more information, see Transferring Files Using SFTP on page 191.

FTP is acceptable only if its anonymous access feature is required, which allows unauthenticated clients to download files. The files are transferred unencrypted over the network and no authentication is performed. Although the transfer does not guarantee confidentiality or integrity to the recipient, it is appropriate in some cases. If this capability is not specifically required, disable it.

To configure FTP to provide anonymous FTP downloads:
1 Open Server Admin and connect to the server.
2 Select FTP in the Computers & Services list.
3 Click Settings, then click General.
4 In "Disconnect client after __ login failures", enter 1. Even though authenticated connections are not accepted, logins should fail quickly if accidentally activated.
5 Enter a mail address specially set up to handle FTP administration, for example ftpadmin@hostname.com.
6 Under Access, select Kerberos for Authentication. If a Kerberos server is not set up, the authentication process is blocked.
7 In "Allow a maximum of __ authenticated users", enter 1. The GUI does not allow setting this to 0, but authenticated users are disabled in later steps.
8 Select Enable anonymous access. Because only anonymous access is permitted, no user credentials are ever sent over the network in the clear by this service.
Important: Before selecting this option, review the privileges assigned to your share points under File Privileges in the Sharing pane to make sure there are no security holes. Anonymous users can log in using the name ftp or anonymous. They do not need a password to log in, but they are prompted to enter their email address.
9 Determine a maximum number of anonymous users and enter the number in "Allow a maximum of __ anonymous users".
10 Under File conversion, deselect "Enable MacBinary and disk image auto-conversion".
11 Click Messages.
12 Select Show Welcome Message and enter a welcome message according to site policy.
13 Select Show Banner Message and enter a banner message according to site policy. Do not reveal software information, such as operating system type or version, in the banner.
14 Click Logging.
15 Select all options under Log Authenticated Users and Log Anonymous Users. Even though authenticated users are not allowed to log in, their attempts should be logged so corrective action can be taken.
16 Click Advanced.
17 Set "Authenticated users see" to FTP Root and Share Points. Authenticated users and anonymous users see the same FTP root.
18 Verify that FTP root is set to the /Library/FTPServer/FTPRoot/ folder.
19 Click Save.
20 Click Start FTP.
21 Open the /Library/FTPServer/FTPRoot/ folder and drag the contents (Users, Groups, Public) to the Trash.
22 Drag the files to share with anonymous users to the /Library/FTPServer/FTPRoot/ folder.
23 Verify that the file permissions for the /Library/FTPServer/FTPRoot/ folder do not allow public write access.
24 Open the file /Library/FTPServer/Configuration/ftpaccess for editing.
25 Delete lines that begin with upload. The following two lines are present by default:
    upload /Library/FTPServer/FTPRoot /uploads yes ftp daemon 0666 nodirs
    upload /Library/FTPServer/FTPRoot /uploads/mkdirs yes ftp daemon 0666 dirs 0777
26 Insert the following line to prevent advertisement of operating system and version information:
    greeting terse
27 Insert the following lines to prevent users from authenticating:
    deny-gid %-99 %65535
    deny-uid %-99 %65535
    allow-gid ftp
    allow-uid ftp
This forces users to access FTP anonymously, protecting their login credentials.
28 For additional security enhancements, you can further restrict the FTP service by using SACLs and firewall rules. These are configured based on your organization's network environment.
• You can configure SACLs to restrict FTP access to specific users or groups. For more information about configuring SACLs, see Setting Service Access Control Lists (SACLs) on page 183.
• You can configure firewall rules that prevent FTP connections from unintended sources. For more information, see Creating Firewall Service Rules on page 216.

From the command line:
    # Configure FTP to provide anonymous FTP downloads:
    sudo serveradmin settings ftp:logSecurity:anonymous = yes
    sudo serveradmin settings ftp:logSecurity:guest = yes
    sudo serveradmin settings ftp:logSecurity:real = yes
    sudo serveradmin settings ftp:maxRealUsers = 1
    sudo serveradmin settings ftp:enableMacBinAndDmgAutoConversion = no
    sudo serveradmin settings ftp:authLevel = "KERBEROS"
    sudo serveradmin settings ftp:anonymousAccessPermitted = yes
    sudo serveradmin settings ftp:bannerMessage = "$BANNER"
    sudo serveradmin settings ftp:maxAnonymousUsers = 500
    sudo serveradmin settings ftp:administratorEmailAddress = "user@domain.com"
    sudo serveradmin settings ftp:logCommands:anonymous = yes
    sudo serveradmin settings ftp:logCommands:guest = yes
    sudo serveradmin settings ftp:logCommands:real = yes
    sudo serveradmin settings ftp:loginFailuresPermitted = 1
    sudo serveradmin settings ftp:welcomeMessage = "$WELCOME"

Configuring NFS File Sharing Service

NFS does not support user name and password authentication. It relies on client IP addresses to authenticate users, and on client enforcement of permissions. This is not a secure approach in most networks. Therefore, use NFS only if you are on a LAN with trusted client computers, or if you are in an environment that cannot use Apple file sharing or Windows file sharing.

The NFS server included with Snow Leopard Server lets you limit access to a share point based on a client's IP address. Restrict access to a share point exported using NFS to those clients that require it. You can reshare NFS mounts using AFP, Windows, and FTP so that users can access NFS volumes in a more restricted fashion.

To configure and start NFS service, use Server Admin. For information about how to set up and restrict NFS service, see NFS Share Points on page 268.

For additional security enhancements, you can further restrict NFS service by using firewall rules. You can configure firewall rules that prevent NFS connections from unintended sources. For more information, see Creating Firewall Service Rules on page 216. Rules are configured based on your organization's network environment.

Configuring SMB File Sharing Service

If share points need to use SMB, activate Windows file service and configure it. Support for SMB is provided by the open source Samba project, which is included with Snow Leopard Server. SMB password authentication relies on LAN Manager, NTLMv1 and NTLMv2 challenge-response hashes; LAN Manager and NTLMv1 are weak enough to crack offline, and the setting below disables them. For more information about configuring the Samba software, go to www.samba.org.

To securely configure Windows file sharing service:
1 Open Server Admin and connect to the server.
2 Select SMB in the Computers & Services list.
3 Click Settings, then click General.
4 Choose the Role according to operational needs. If the server shares files but does not provide authentication services, Standalone Server is the relevant choice.
5 Fill in the text fields appropriately, leaving the Description field blank. It is helpful for the computer name to match the host name (without the domain name). The Workgroup name depends on the configuration of Windows domains on your subnet.
6 Click Access.
7 Deselect Allow Guest access.
8 For Client connections, select "__ maximum" and enter the maximum number of client connections expected. The Graphs pane shows current usage, which can help you adjust the number of connections for your network.
9 Click Logging.
10 Change Log Detail to at least medium to capture authentication failures.
11 Click Advanced.
12 Under Services, deselect Workgroup Master Browser and Domain Master Browser unless these services are required.
13 Select Off for WINS registration.
14 Click Save.
15 Click Start SMB.
16 For additional security enhancements, further restrict the Windows service by using SACLs and firewall rules. These are configured based on your organization's network environment:
• You can configure SACLs to restrict Windows access to specific users or groups. For more information about configuring SACLs, see Setting Service Access Control Lists (SACLs) on page 183.
• You can configure firewall rules that prevent Windows connections from unintended sources. For more information, see Creating Firewall Service Rules on page 216.

From the command line:
    # Securely configure Windows file sharing service
    sudo serveradmin settings smb:wins support = no
    sudo serveradmin settings smb:domain master = no
    sudo serveradmin settings smb:map to guest = "Never"
    sudo serveradmin settings smb:auth methods = "odsam"
    sudo serveradmin settings smb:ntlm auth = "no"
    sudo serveradmin settings smb:max smbd processes = 1000
    sudo serveradmin settings smb:log level = 1
    sudo serveradmin settings smb:preferred master = no
    sudo serveradmin settings smb:os level = 65

Configuring Share Points

A share point is a hard disk (or hard disk partition), disc media, or folder that contains files you want users to share. You can use share points to host home folders. You can use Server Admin to set up share points and then use the share points to host local home folders. Or you can mount the share point so it hosts network home folders.

Using network home folders stored on a share point is inherently less secure than using local home folders. An intruder can access a network home folder through an insecure network connection.

Make sure that share points on local system drives are configured to grant access only to specific users or groups, and are not open to everyone. Removing open share points prevents unwanted access to your computer and prevents your computer from being used to maliciously access additional computers on the network. Do not share files unnecessarily.
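Steps 24 through 27 of the FTP procedure above edit /Library/FTPServer/Configuration/ftpaccess by hand, and a hand edit is easy to get wrong or to lose when the file is regenerated. The following shell script is an added example, not from Apple's guide, that applies those edits to a file and verifies the result: it removes every upload directive and any existing greeting directive, appends greeting terse and the four deny/allow lines, and leaves the file unchanged when run a second time. The ftpaccess excerpt it uses for its demonstration is constructed (the two upload lines are the defaults quoted in step 25; the other directives are placeholders for the rest of the shipped file).

```shell
#!/bin/sh
# Added example (not from Apple's guide): apply the ftpaccess edits from the
# "Configuring FTP File Sharing Service" steps and verify them.
#   sh harden_ftpaccess.sh /Library/FTPServer/Configuration/ftpaccess
# With no argument it works on a temporary copy of the constructed excerpt below.

# The directives the procedure adds: a terse greeting (no OS/version banner),
# no authenticated users at all, and only the anonymous "ftp" identity allowed.
HARDENING_LINES='greeting terse
deny-gid %-99 %65535
deny-uid %-99 %65535
allow-gid ftp
allow-uid ftp'

# Constructed excerpt; the two upload lines are the defaults the guide quotes,
# the other directives are placeholders for the rest of the shipped file.
SAMPLE_FTPACCESS='# constructed ftpaccess excerpt
class   all   real,guest,anonymous  *
greeting brief
upload /Library/FTPServer/FTPRoot /uploads yes ftp daemon 0666 nodirs
upload /Library/FTPServer/FTPRoot /uploads/mkdirs yes ftp daemon 0666 dirs 0777
passwd-check rfc822 warn'

# for_each_hardening_line CMD: run CMD with each hardening line as its argument.
for_each_hardening_line() {
    old_ifs=$IFS; IFS='
'
    for line in $HARDENING_LINES; do "$1" "$line"; done
    IFS=$old_ifs
}

# harden_ftpaccess FILE: rewrite FILE in place (mode and owner are preserved
# because the content is copied back into the existing file).
harden_ftpaccess() {
    file=$1
    tmp=$(mktemp "${TMPDIR:-/tmp}/ftpaccess.XXXXXX") || return 1
    # Drop every upload directive (anonymous users must not write) and any
    # existing greeting directive (replaced by "greeting terse" below).
    # grep -v exits 1 when nothing survives, which is not an error here.
    grep -v -e '^[[:space:]]*upload[[:space:]]' -e '^[[:space:]]*greeting[[:space:]]' "$file" > "$tmp" || true
    # Append each hardening line unless an identical line is already present,
    # so running the script twice leaves the file unchanged.
    append_unless_present() { grep -qxF -- "$1" "$tmp" || printf '%s\n' "$1" >> "$tmp"; }
    for_each_hardening_line append_unless_present
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# ftpaccess_check FILE: return 0 if FILE is hardened, else report what is wrong.
ftpaccess_check() {
    file=$1; status=0
    if grep -q '^[[:space:]]*upload[[:space:]]' "$file"; then
        echo "upload directive still present"; status=1
    fi
    report_missing() { grep -qxF -- "$1" "$file" || { echo "missing: $1"; status=1; }; }
    for_each_hardening_line report_missing
    return $status
}

# Demo / stand-alone use.
target=$1
if [ -z "$target" ]; then
    target=$(mktemp "${TMPDIR:-/tmp}/ftpaccess.demo.XXXXXX")
    printf '%s\n' "$SAMPLE_FTPACCESS" > "$target"
fi
harden_ftpaccess "$target"
ftpaccess_check "$target" && echo "$target: hardened"
[ -n "$1" ] || { cat "$target"; rm -f "$target"; }
```

Run the check alone (ftpaccess_check on the live file) from a periodic job to notice when a software update or an administrator puts an upload directive back.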
Disabling Share Points

Disable unused share points and sharing protocols. Enabled share points and sharing protocols can provide an avenue of attack for intruders. If you disable all share points using a specific sharing protocol, you should also disable that protocol.

To disable a share point:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
6 Disable the following sharing options:
• Click AFP and deselect "Share this item using AFP".
• Click SMB and deselect "Share this item using SMB".
• Click FTP and deselect "Share this item using FTP".
• Click NFS and deselect "Export this item and its contents to".
7 Click OK.
8 Click Save.

Restricting Access to a Share Point

Before enabling a share point, restrict the access permissions for the folder that will act as the share point and only allow users who must use the share point to access it.

You can then use Server Admin's File Sharing pane to set POSIX and ACL permissions to restrict share points to being accessible only by specific users. You can use a combination of the two permission types to customize accessibility for your users. You can also use Workgroup Manager's effective permissions inspector to determine the permissions a user is granted.

WARNING: Carefully set access permissions. Incorrectly set access permissions can prevent legitimate users from accessing folders and files, or they can allow malicious users to access folders and files.

To restrict access to a share point:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
5 To set the owner or group of the shared item, enter names or drag names from the Users and Groups drawer to the owner or group records in the permissions table.
The owner and group records are listed under the POSIX heading. The owner record has the single user icon. The group record has the group icon. To open the drawer, click the Add (+) button. If you do not see a recently created user or group, click the Refresh button. Owner and group names can also be edited by double-clicking a permissions record and dragging into, or typing in, the User/Group field in the window that appears.
Note: To change the auto-refresh interval, choose Server Admin > Preferences and change the value of the "Auto-refresh status every" field.
Make sure you understand the implications of changing a folder's owner and group. For more information, see Setting POSIX Permissions on page 141.
6 To change the permissions for Owner, Group, and Others, use the Permission pop-up menu in the related row of the permissions table. Others is any user that logs in to the file server who is not the owner and does not belong to the group.
If you are configuring a home folder's permissions, give the owner Read & Write privileges, but reduce group and everyone privileges to None. The default for home folders is that the staff group and everyone have read privileges. All accounts are also members of the staff group. These two privileges allow everyone to view the contents of the home folder. If you want someone other than the owner to view the contents of the home folder, replace staff with that account.
7 Click Save.
The new share point is shared using AFP, SMB, and FTP, but not NFS.

To set ACL permissions on a share point or a folder:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Permissions below the list.
5 Open the Users and Groups drawer by clicking the Add (+) button.
6 Drag groups and users from the drawer into the ACL Permissions list to create ACEs. By default, each new ACE gives the user or group full read and inheritance permissions.
The first entry in the list takes precedence over the second, which takes precedence over the third, and so on. For example, if the first entry denies a user the right to edit a file, other ACEs that allow the same user editing permissions are ignored. In addition, the ACEs in the ACL take precedence over standard permissions.
7 In the Access Control List, select the ACE.
8 Click the Edit (/) button.
9 From the Permission Type pop-up menu, choose Allow or Deny.
10 In the Permissions list, select permissions.
If you chose Custom from the Permission pop-up menu, click the disclosure triangles to display specific attributes. Choose Allow or Deny from the Permission Type pop-up menu. Select specific permissions and click OK.
You can further grant or deny specific permissions that you cannot specify through POSIX permissions. For example, you can allow a user to list folder contents but disallow that user from reading file attributes.
11 Click Save.

AFP Share Points

If you supply network home folders, use AFP because it provides authentication-level access security. A user must log in with a valid user name and password to access files.

You can also enable AFP using an SSH-secured tunnel for file sharing. This tunnel prevents intruders from intercepting your communication with an AFP share point. You cannot enable SSH-secured tunnels for AFP share points that host home folders. For more information, see Configuring AFP File Sharing Service on page 258.

SMB Share Points

Do not use SMB unless you are hosting a share point specifically for Windows users. You can set up a share point for SMB access only, so that Windows users have a network location for files that cannot be used on other platforms.

Like AFP, SMB also requires authenticating with a valid user name and password to access files. However, there are well-known risks associated with SMB. For example, SMB password authentication relies on LAN Manager and NTLM challenge-response hashes, the older of which (LAN Manager and NTLMv1) are weak and readily cracked once captured. For more information, see Configuring SMB File Sharing Service on page 263.
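The two ordering rules stated under "To set ACL permissions" above (the first matching entry wins, and ACEs take precedence over the standard POSIX permissions) are easiest to see with a small evaluator. The following shell script is an added example, not code from Apple's guide or from the operating system's own ACL evaluation: it models an ACL as ordered allow/deny entries, applies the first entry that covers the requested permission for the user or one of the user's groups, and only falls back to the POSIX owner/group/other bits when no entry decides. The users, groups and ACL are constructed for the example; the model ignores inheritance and the finer-grained attribute permissions the Custom list offers.

```shell
#!/bin/sh
# Added example (not from Apple's guide): evaluate a share-point ACL the way this
# section describes: entries top to bottom, first match wins, ACEs before POSIX
# bits. All principals, users and groups below are invented.

# Constructed ACL: "allow|deny PRINCIPAL perm[,perm...]", evaluated top to bottom.
SAMPLE_ACL='# order matters: the contractors deny comes before the projects allow
deny  contractors write,delete
allow projects    read,write,delete
allow everyone    read'

# in_list NEEDLE "word word ...": true if NEEDLE is one of the words.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# principal_matches PRINCIPAL USER "GROUPS": "everyone" matches anyone;
# otherwise the user name or one of the user's groups must match.
principal_matches() {
    [ "$1" = everyone ] && return 0
    [ "$1" = "$2" ] && return 0
    in_list "$1" "$3"
}

# check_access USER "GROUPS" OWNER OWNER_GROUP MODE PERM, with the ACL on stdin.
# MODE is the POSIX string (rw-r-----); PERM is read, write, execute or delete.
# Prints "allow ..." or "deny ..." followed by the entry or bits that decided.
check_access() {
    user=$1; groups=$2; owner=$3; ogroup=$4; mode=$5; perm=$6
    while read -r kind principal perms; do
        case "$kind" in ''|'#'*) continue ;; esac        # blank or comment line
        principal_matches "$principal" "$user" "$groups" || continue
        case ",$perms," in
            *",$perm,"*) echo "$kind (ACE: $kind $principal $perms)"; return 0 ;;
        esac
    done
    # No ACE covers this permission for this user: fall back to the POSIX bits.
    if [ "$user" = "$owner" ]; then bits=$(printf '%s' "$mode" | cut -c1-3); class=owner
    elif in_list "$ogroup" "$groups"; then bits=$(printf '%s' "$mode" | cut -c4-6); class=group
    else bits=$(printf '%s' "$mode" | cut -c7-9); class=other
    fi
    case "$perm" in
        read)    bit=$(printf '%s' "$bits" | cut -c1) ;;
        write)   bit=$(printf '%s' "$bits" | cut -c2) ;;
        execute) bit=$(printf '%s' "$bits" | cut -c3) ;;
        *)       bit=- ;;           # delete and the other ACL-only rights have no POSIX bit
    esac
    if [ "$bit" != - ]; then echo "allow (POSIX $class $bits)"; else echo "deny (POSIX $class $bits)"; fi
}

# decision ...: only the allow/deny word, for use in scripts.
decision() {
    check_access "$@" | cut -d' ' -f1
}

# Demo: a folder owned by bob, group staff, mode rw-r-----.
for q in "carol:contractors projects:write" "carol:contractors projects:read" \
         "dave:staff:write" "eve:guests:read" "eve:guests:write" "bob:staff:write"; do
    u=${q%%:*}; rest=${q#*:}; g=${rest%%:*}; p=${rest#*:}
    printf '%-5s %-7s -> %s\n' "$u" "$p" \
        "$(printf '%s\n' "$SAMPLE_ACL" | check_access "$u" "$g" bob staff rw-r----- "$p")"
done
```

Two of the demo cases show the rules the section states: carol is in both contractors and projects, and the contractors deny wins over the later projects allow; eve is in no group named in the ACL and has no POSIX rights at all, yet the everyone ACE grants her read access, because the ACL is consulted before the POSIX bits.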
FTP Share Points
You cannot use FTP share points to host home folders, and you should only enable FTP share points if you require anonymous access. Files are transferred from FTP share points unencrypted over the network. Transferring files over FTP does not guarantee confidentiality or file integrity.
If you need to use FTP for file transfers, consider using the SSH service instead. The sftp command, part of the SSH suite of tools, provides an FTP-like experience for users while providing a more secure setting. For more information, see the sftp man page.
For more information about setting up FTP share points, see "Configuring FTP File Sharing Service" on page 259.

NFS Share Points
NFS file access is not based on user authentication (entering a user name and password). It is based on the user ID and the client IP address. As such, NFS share points without the use of Kerberos don't have the same level of security as AFP and SMB, which require user authentication to gain access to a share point's contents.
If you have NFS clients, consider setting up a share point to be used only by NFS users, or configure NFS with Kerberos. NFS doesn't support SACLs.
Use NFS only if you must provide home folders for a large number of users who use UNIX workstations. Use Server Admin to restrict access to an NFS share point, so that only required computers can access it.

To restrict access to an NFS share point:
1 Open Server Admin and connect to the server.
2 Click the file sharing protocol in the Computers & Services list.
3 Click Share Points and select the share point from the list.
4 Click Share Point below the list.
5 Click Protocol Options.
6 Click NFS.
7 If only a few computers need access to the share point, select "Export this item and its contents to" and choose Client List from the pop-up menu.
To add a client, click Add (+) and enter the IP address of the client computer. Add only those client computers that require access to the share point.
8 If every computer in a subnet requires access to the share point, select "Export this item and its contents to" and choose Subnet from the pop-up menu.
In the Subnet address field, enter the subnet address. In the Subnet mask field, enter the subnet mask.
9 From the Mapping pop-up menu, choose "All to nobody".
A user with nobody privileges has Others POSIX permissions.
10 From the Minimum Security pop-up menu, set the level of authentication:
• Choose Standard if you don't want to set a level of authentication.
• Choose Any if you want NFS to accept any method of authentication.
• Choose Kerberos v5 if you want NFS to only accept Kerberos authentication.
• Choose "Kerberos v5 with data integrity" if you want NFS to accept Kerberos authentication and validate the data (checksum) during transmission.
• Choose "Kerberos v5 with data integrity and privacy" to have NFS accept Kerberos authentication, to validate using the checksum, and to encrypt data during transmission.
11 Select Read-only.
12 Click Save.

18 Securing Web Service

Use this chapter to learn how to secure web service.

Web service provides an easy method of accessing data from anywhere in the world. However, this access is often attacked due to its weakness on other platforms. Snow Leopard Server provides many configuration options to protect web service.
Web service is based on Apache, an open source HTTP web server. A web server responds to requests for HTML web pages stored on your site. Open source software gives you the capability to view and change the source code to make changes and improvements. This has led to Apache's widespread use, making it one of the most popular web servers on the Internet today.
Web administrators can use Server Admin to administer web service without knowing about advanced settings or configuration files. Web administrators proficient with Apache can also administer web technologies using Apache's advanced features.
Because web service in Snow Leopard Server is based on Apache, you add advanced features with plug-in modules. Apache modules let you add support for Simple Object Access Protocol (SOAP), Java, and CGI languages such as Python. For more information about the Apache project, see www.apache.org.
The Center for Internet Security (CIS) at www.cisecurity.org provides an Apache Benchmark and Scoring tool. CIS Benchmarks enumerate security configuration settings and actions that harden your computer.
For more information about configuring web service, see Web Technologies Administration.
Disabling Web Service
If the system is not intended to be a web server, disable web server software. Secure web administration demands scrutiny of configuration settings. Use SSL encryption to encrypt sensitive web traffic.
If the system is not a web server, disable web services using the Server Admin tool. Disabling the service prevents potential vulnerabilities on your computer. Web service is disabled by default, but verification is recommended.

To disable web service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Stop Web.
4 Click Save.

From the command line:
# Securing Web Service
# Disable web service:
sudo serveradmin stop web

Managing Web Modules
If your system does not require active web modules, disable them. Web modules (sometimes called plug-ins) consist of web components that add functionality to web service. Using unnecessary modules creates potential security risks when the web service is running.
Many types of web modules are available for use with web service. Verify that each module used is required and that you understand the impact it has on security when web service is running.
Important: When disabling web modules, make sure the module is not needed by another web service you are running. If you disable a web module that another web service is dependent on, that web service might not work.

To disable web modules:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Settings, then click Modules.
4 Deselect all modules except for the modules your site requires.
5 Click Save.

Disabling Web Options
Enabled web options can be a security risk if you don't understand the impact the module has on security when a web service is running. Disable the following web modules unless they are specifically required for a web service:
• Folder Listing: Displays a list of folders when users specify the URL and no default web page (such as index.html) is present. Instead of viewing a default web page, the server shows a list of the web folder's contents. Folder listings appear only if no default document is found.
• WebDAV: Turns on Web-based Distributed Authoring and Versioning (WebDAV), which allows users to make changes to websites while the sites are running. If you enable WebDAV you must also assign access privileges for the sites and for the web folders.
• CGI Execution: Permits Common Gateway Interface (CGI) programs or scripts to run on your web server. CGI programs or scripts define how a web server interacts with external content-generating programs.
• Server Side Includes (SSI): Permits SSI directives placed in web pages to be evaluated on the server while the website is active. You can add dynamically generated content to your web pages while the files are being viewed by users.
• Allow All Overrides: Instructs web service to look for additional configuration files inside the web folder for each request.
• Spotlight Searching: Allows web browsers to search the content of your website.

To disable web options:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Click Options below the websites list.
5 Deselect Folder Listing, WebDAV, CGI Execution, Server Side Includes (SSI), and Allow All Overrides unless they are required.
From the command line:
# Disable web options:
sudo serveradmin settings web:Modules:_array_id:authz_host_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:dav_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:dav_fs_module:enabled = no
sudo serveradmin settings web:Modules:_array_id:apple_spotlight_module:enabled = no
sudo serveradmin settings web:Sites:_array_id:$SITE:SpotlightIndexing = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:AllowOverride = "None"
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:IfModule:_array_id:mod_dav.c:DAV = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Includes = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:ExecCGI = no
sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Indexes = no
sudo serveradmin settings web:Sites:_array_id:default_default:SpotlightIndexing = no

Using Realms to Control Access
You can use realms to control access and provide security to locations or folders in a website. Realms are locations at the URL or files in the folder that users can view. If WebDAV is enabled, users with authoring privileges can also change content in the realm. You set up the realms and specify the users and groups that have access to them.
When an assigned user or group possesses fewer permissions than the permissions assigned to user Everyone, that user or group is deleted upon a refresh. This happens because the access assigned to Everyone preempts the access assigned to specific users or groups with fewer permissions than those possessed by Everyone. The greater permissions always take precedence.
Consequently, the list of assigned users and groups with fewer permissions is not saved in the Realms pane upon refresh if their permissions are determined to be preempted by the permissions assigned to Everyone. After the refresh, the names are no longer listed in the list on the right in the Realms pane. Also, for a brief period of time, user Everyone will switch its displayed name to no-user.

To use a realm to control website access:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Below the websites list, click Realms.
5 Click the Add (+) button to create a realm.
The realm is the part of the website users can access.
6 In the Realm Name field, enter the realm name.
This is the name users see when they log in to the website.
7 From the Authentication pop-up menu, choose a method of authentication:
• Basic authentication is on by default. Do not use basic authentication for sensitive data. It sends your password to the server unencrypted.
• Digest authentication is more secure than basic authentication because it uses an encrypted hash of your password.
• Kerberos authentication is the most secure because it implements server certificates to authenticate. If you want Kerberos authentication for the realm, join the server to a Kerberos domain.
8 Enter the realm location or folder you are restricting access to:
a Choose Location from the pop-up menu and enter a URL to the location in the website that you want to restrict access to.
b Choose Folder from the pop-up menu and enter the path to the folder that you want to restrict access to. You can also click the Browse button to locate the folder you want to use.
9 Click OK.
10 Select the new realm and click Add (+) to open the Users & Groups panel.
To switch between the Users list and the Groups list, click Users or Groups in the panel. Use the Realms pane to delete a user or group by selecting the name and clicking the Delete (–) button.
11 To add users or groups to a realm, drag users to the list on the right in the Realms pane.
When users or members of a group you've added to the realm connect to the site, they must supply their user name and password.
12 Limit realm access to specified users and groups by setting the following permissions using the up and down arrows in the Permissions column.
• Browse Only: Permits users or groups to browse the website.
• Browse and Read WebDAV: Permits users or groups to browse the website and also read the website files using WebDAV.
• Browse and Read/Write WebDAV: Permits users or groups to browse the website and also read and write to website files using WebDAV.
• None: Prevents users or groups from using permissions.
13 Click Save.

Enabling Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) provides security for a site and its users by authenticating the server, encrypting information, and maintaining message integrity. SSL is a per-site setting that lets you send encrypted, authenticated information across the Internet. For example, if you want to permit credit card transactions through a website, you can protect the information that's passed to and from that site.
The SSL layer is below application protocols (for example, HTTP) and above TCP/IP. This means that when SSL is operating on the server and on the client computer, information is encrypted before being sent.
The Apache web server in Snow Leopard Server uses a public key/private key combination to protect information. A browser encrypts information using a public key provided by the server, and only the server has a private key that can decrypt that information.
The web server supports SSLv2, SSLv3, and TLSv1. More information about these protocol versions is available at www.modssl.org.
When SSL is implemented on a server, a browser connects to it using the https prefix in the URL, rather than http. The s indicates that the server is secure.
When a browser initiates a connection to an SSL-protected server, it connects to a specific port (443) and sends a message that describes the encryption ciphers it recognizes. The server responds with its strongest cipher, and the browser and server then continue exchanging messages until the server determines the strongest cipher that it and the browser can recognize. The server then sends its certificate (an ISO X.509 certificate) to the browser. This certificate identifies the server and uses it to create an encryption key for the browser to use. At this point a secure connection is established and the browser and server can exchange encrypted information.
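The "Disabling Web Options" list and the realm authentication choices above both come down to directives in the site's Apache configuration, so they can be checked in one pass without opening Server Admin. The script below is an added example, not part of Apple's guide or of the serveradmin tool: it reads a constructed Apache 2.2 site file and reports folder listing, CGI execution, server side includes, AllowOverride All, and DAV On wherever they are enabled, plus any Basic authentication realm on a virtual host that has no SSLEngine On, since that is where the password crosses the network unencrypted. The sample file, its host names, and the assumption that Server Admin's per-site files live under /etc/apache2/sites/ are the example's own.

```shell
#!/bin/sh
# Audit an Apache site configuration for the options the guide says to turn
# off unless required, and for Basic auth realms on a site without SSL.
# Added example; the configuration below is constructed, not a real server's.

SAMPLE_CONF="${TMPDIR:-/tmp}/sample_site_$$.conf"
cat >"$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /Library/WebServer/Documents
    <Directory /Library/WebServer/Documents>
        Options Indexes FollowSymLinks ExecCGI Includes
        AllowOverride All
        DAV On
    </Directory>
    <Location /intranet>
        AuthType Basic
        AuthName "Intranet"
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /Library/WebServer/Documents
    SSLEngine On
    <Directory /Library/WebServer/Documents>
        Options -Indexes FollowSymLinks
        AllowOverride None
    </Directory>
    <Location /intranet>
        AuthType Basic
        AuthName "Intranet"
        Require valid-user
    </Location>
</VirtualHost>
EOF

# audit_site_config FILE
# Prints one finding per line as "<vhost> <scope>: <finding>".
audit_site_config() {
    awk '
    /^[ \t]*<VirtualHost/ {
        vhost = $2; sub(/>.*/, "", vhost); ssl = 0; nbasic = 0
    }
    /^[ \t]*<(Directory|Location)[ \t]/ {
        scope = $2; sub(/>.*/, "", scope)
    }
    /^[ \t]*SSLEngine[ \t]+[Oo]n/ { ssl = 1 }
    /^[ \t]*Options[ \t]/ {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) continue        # a leading minus removes the option
            opt = $i; sub(/^\+/, "", opt)
            if (opt == "Indexes")  print vhost " " scope ": folder listing enabled (Options Indexes)"
            if (opt == "ExecCGI")  print vhost " " scope ": CGI execution enabled (Options ExecCGI)"
            if (opt == "Includes") print vhost " " scope ": server side includes enabled (Options Includes)"
        }
    }
    /^[ \t]*AllowOverride[ \t]+All/ {
        print vhost " " scope ": per-request .htaccess overrides enabled (AllowOverride All)"
    }
    /^[ \t]*DAV[ \t]+[Oo]n/ {
        print vhost " " scope ": WebDAV enabled (DAV On)"
    }
    /^[ \t]*AuthType[ \t]+Basic/ { basic[++nbasic] = scope }
    /^[ \t]*<\/VirtualHost>/ {
        # Report Basic realms only once the whole vhost is read, because
        # SSLEngine may appear after the realm in the file.
        if (!ssl)
            for (i = 1; i <= nbasic; i++)
                print vhost " " basic[i] ": Basic authentication realm without SSL (password sent unencrypted)"
    }' "$1"
}

# finding_count FILE : number of findings, 0 when the configuration is clean
finding_count() {
    audit_site_config "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed file: six findings, all on *:80.
audit_site_config "$SAMPLE_CONF"
```

On a real server you would point the function at each site file rather than the constructed one; the same realm on the *:443 host produces no finding because the credentials travel inside the SSL session.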
Before you can enable SSL protection for a website, you must obtain the proper certificates. For detailed information about certificates and their management, see Advanced Server Administration.

To set up SSL for a website:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Click Security below the websites list.
5 In the Security pane, select Enable Secure Sockets Layer (SSL).
When you turn on SSL, a message appears, noting that the port is changed to 443.
6 In the Certificate pop-up menu, choose the certificate you want.
If the certificate is protected by a passphrase, the name of the certificate must match the virtual host name. If the names don't match, web service won't restart.
7 If you choose Custom Configuration or want to edit a certificate, you might need to do the following:
a Click the Edit (/) button and supply the information in each field for the certificate.
b If you received a ca.crt file from the CA, click the Edit (/) button and paste the text from the ca.crt file in the Certificate Authority File field.
Note: The ca.crt file might be required but might not be sent directly to you. This file must be available on the website of the CA.
c In the Private Key Passphrase field, enter a passphrase and click OK.
8 In the SSL Log File field, enter the pathname for the folder where you want to keep the SSL log.
You can also use the Browse button to navigate to the folder.
9 Click Save.
10 Confirm that you want to restart web service.
Server Admin lets you enable SSL with or without saving the SSL passphrase. If you did not save the passphrase with the SSL certificate data, the server prompts you for the passphrase upon restart but won't accept manually entered passphrases. Use the Security pane for the site in Server Admin to save the passphrase with the SSL certificate data. For more information, see "Using a Passphrase with SSL Certificates" on page 278.
Using a Passphrase with SSL Certificates
If you manage SSL certificates using Server Admin and you use a passphrase for certificates, Server Admin ensures that the passphrase is stored in the system keychain. When a website is configured to use the certificate and that web server is started, the getsslpassphrase(8) utility extracts the passphrase from the system keychain and passes it to the web server, as long as the certificate name matches the virtual host name.
If you do not want to rely on this mechanism, you can have the Apache web server prompt you for the passphrase when you start or restart it. Use the sudo serveradmin command-line tool to configure this.

To configure Apache to prompt you for a passphrase when it starts:
1 Open Terminal and enter the following command:
sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSLPassPhraseDialog = "builtin"
2 Start Apache with the command:
sudo serveradmin start web
3 When prompted, enter the certificate passphrase.

From the command line:
# Configure Apache to prompt you for a passphrase when it starts
# (SSLPassPhraseDialog is the mod_ssl directive; it has no space in its name):
sudo serveradmin settings web:IfModule:_array_id:mod_ssl.c:SSLPassPhraseDialog = "builtin"

Viewing Web Service Logs
Use Server Admin to view the error and access logs for web service, if you have enabled them. Web service in Snow Leopard Server uses the standard Apache log format, so you can also use a third-party log analysis tool to interpret the log data.

To view logs:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Logs, then choose between an access or error log by selecting the log from the list of logs.
To search for specific entries, use the Filter field in the lower right.
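Because web service writes the standard Apache combined log format, the checks a third-party analysis tool would do can also be done with awk from Terminal. The following script is an added example, not from Apple's guide: over a few constructed access_log lines (documentation IP ranges, invented paths) it reports clients with repeated 401 responses, which is what failed logins against a realm look like, and lists requests using WebDAV authoring methods, which should not appear on a site where WebDAV is turned off. The log lines and the threshold value are the example's own.

```shell
#!/bin/sh
# Two detection checks over Apache access_log lines in combined format.
# Added example; the log lines below are constructed, not real traffic.

SAMPLE_LOG="${TMPDIR:-/tmp}/sample_access_$$.log"
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [10/Jun/2010:12:00:01 -0700] "GET /intranet/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2010:12:00:02 -0700] "GET /intranet/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2010:12:00:03 -0700] "GET /intranet/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.10 - alice [10/Jun/2010:12:00:05 -0700] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2010:12:01:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2010:12:01:01 -0700] "GET /intranet/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2010:12:02:00 -0700] "PROPFIND /webdav/ HTTP/1.1" 207 900 "-" "WebDAVFS/1.8"
203.0.113.5 - - [10/Jun/2010:12:02:01 -0700] "PUT /webdav/notes.txt HTTP/1.1" 201 0 "-" "WebDAVFS/1.8"
EOF

# failed_logins LOG THRESHOLD
# Prints "<client> <count>" for every client with at least THRESHOLD 401
# responses. In the combined format the status code is field 9.
failed_logins() {
    awk -v threshold="$2" '
        $9 == 401 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= threshold) print ip, n[ip] }
    ' "$1" | sort
}

# webdav_requests LOG
# Prints the lines whose request method is a WebDAV authoring method.
# The method is field 6, still carrying the opening quote of the request.
webdav_requests() {
    awk '$6 ~ /^"(PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|PUT|DELETE)$/' "$1"
}

# status_summary LOG : number of responses per status code, sorted by code
status_summary() {
    awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' "$1" | sort
}

# Stand-alone run over the constructed log.
failed_logins "$SAMPLE_LOG" 3
webdav_requests "$SAMPLE_LOG"
status_summary "$SAMPLE_LOG"
```

On the server itself the same functions would be given /var/log/apache2/access_log, which needs sudo to read; the threshold is a tuning knob, and a client that clears it and then gets a 200 for the same realm, as 192.0.2.10 does here, is exactly the sequence worth correlating with the realm's user list.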
From the command line:
# View logs.
sudo tail /var/log/apache2/access_log

Securing WebDAV
Web service includes support for Web-based Distributed Authoring and Versioning, known as WebDAV. With WebDAV capability, your users can check out web pages, make changes, and then check the pages back in while the site is running. In addition, the WebDAV command set is rich enough that client computers with Snow Leopard installed can use a WebDAV-enabled web server as if it were a file server.
Sharing files over a network opens your computers to a host of vulnerabilities. To reduce the security risk when using WebDAV, assign access privileges for the sites and for the web folders.

To securely configure WebDAV for a site:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites, then select the website in the list.
4 Click Options below the websites list.
5 Select the WebDAV checkbox.
This option turns WebDAV on, allowing users to make changes to websites while the sites are running. If you enable WebDAV, you must also assign access privileges for the sites and web folders.
Note: If you turned off the WebDAV module in the Modules pane of Server Admin, you must turn it on again before WebDAV takes effect for a site. This is true even if the WebDAV option is selected in the Options pane for the site. For more about enabling modules, see "Managing Web Modules" on page 272.
6 Click Save.
After WebDAV is turned on, you can use realms to control access to the website. For more information about configuring realms, see "Using Realms to Control Access" on page 274.

Securing Blog Services
A blog is like a diary or journal, with entries that are arranged in the order they were created in. On the other hand, a wiki contains shared content that doesn't appear in chronological order. The type of information you want to put on your site helps determine whether it appears in a wiki or in a blog.
By default, blogs are disabled when you start web service. Blogs can open your computers to a host of vulnerabilities. If blogs are not required, disable them.

Disabling Blog Services
If you do not need blog services, disable them.

To disable blog service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites.
4 In the Sites list, click the site where you want blog service disabled.
5 Click Web Services.
6 In the Services for Groups section, deselect the Wiki and blog checkbox.
7 Click Save.

From the command line:
# Disable blog service.
sudo serveradmin settings web:Sites:_array_id:$SITE:weblog = no

Securely Configuring Blog Services
You can enable user and group blog service on your website. Snow Leopard Server includes a group wiki and a group blog. These are enabled together. Group blogs let users in a group access and post entries to the same blog.
Users can also publish their own personal blog using web services associated with their server account. This gives users the ability to maintain personal blogs on their own user pages.

To set up blog service:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Sites.
4 In the Sites list, click the site where you want blog service enabled.
To maximize the security of user interactions with the server hosting blogs, have users access blogs through a site that has SSL enabled.
5 Click Web Services.
6 In the Services for Groups section, select the Wiki and blog checkbox.
7 Click Settings.
8 Click Web Services.
9 Click Blogs.
10 From the default Wiki and Blog Theme pop-up menu, choose a theme.
A theme controls the appearance of a blog. Themes determine the color, size, location, and other attributes of blog elements. Each theme is implemented using a style sheet. The default theme is used when a blog is created, but blog owners can change the theme. The default theme also controls the appearance of the blog's front page.
11 Identify a blog folder, used to store blog files.
By default, blog files are stored in /Library/Collaboration on the computer hosting blog service. You can click Choose to select a different folder, such as a folder on a RAID device or on another computer.
12 Click Save.
13 Make sure the blog server's Open Directory search path includes directories where users and group members you want to support with blog service are defined.
The Open Directory Administration guide explains how to set up search paths. Any user or group member defined in the Open Directory search path can create and access blogs on the server unless you deny them access to blog service.

Securing Tomcat
You use Server Admin or Terminal to disable Tomcat if you don't need it.

To stop Tomcat using Server Admin:
1 Open Server Admin and connect to the server.
2 Select Web in the Computers & Services list.
3 Click Settings, then click General.
4 Deselect the Enable Tomcat checkbox.
5 Click Save.

From the command line:
# Securing Tomcat
# Stop Tomcat. Tomcat's startup.sh passes its arguments to "catalina.sh start",
# so "startup.sh stop" would start the server; shutdown.sh stops it.
sudo /Library/Tomcat/bin/shutdown.sh

Securing MySQL
MySQL provides a relational database management solution for your web server. With this open source software, you can link data in tables or databases and provide the information on your website.

Disabling MySQL Service
If you do not need to run MySQL service, disable it in Server Admin.

To turn MySQL service off:
1 Open Server Admin and connect to the server.
2 Select MySQL in the Computers & Services list.
3 Click Stop MySQL.

From the command line:
# Securing MySQL
# Turn MySQL service off:
sudo serveradmin stop mysql

Setting Up MySQL Service
Use MySQL service Settings in Server Admin to specify the database location, to enable network connections, and to set the MySQL root password.

To configure MySQL service settings:
1 Open Server Admin and connect to the server.
2 Select MySQL in the Computers & Services list.
3 Click Settings.
4 To prevent users from accessing MySQL service over the network, deselect the "Allow network connections" checkbox.
This prohibits user access to database information through the web server.
5 In the Database location field, enter the path to the location of your database.
You can also click the Choose button and browse for the folder you want to use.
6 Click Save.

From the command line:
# Configure MySQL service settings.
sudo serveradmin settings mysql:allowNetwork = no

Viewing MySQL Service and Admin Logs
MySQL service keeps two types of logs, a MySQL service log and MySQL admin logs:
• The MySQL service log records the time of events such as when MySQL service is started and stopped.
• The MySQL admin log records information such as when clients connect or disconnect and each SQL statement received from clients. This log is located at /Library/Logs/MySQL.log.
You can view MySQL service logs using Server Admin.

To view MySQL service logs:
1 Open Server Admin and connect to the server.
2 Select MySQL in the Computers & Services list.
3 Click Logs.
Use the Filter field to search for specific entries.

From the command line:
# View MySQL service logs.
sudo tail /Library/Logs/MySQL.log

19 Securing Client Configuration Management Services

Use this chapter to learn how to secure Client Configuration Management services.

Securely configuring client configuration management helps standardize the clients across your network and provides a secure deployment. By managing preferences for users, workgroups, computers, and computer groups, you can customize the user's experience and restrict user access to only the applications and network resources you choose. To manage preferences, use the Preferences pane in Workgroup Manager.
Properly set managed preferences help deter users from performing malicious activities. They can also help prevent users from accidentally misusing their computer.

Managing Applications Preferences
Use Applications preferences to allow or restrict user access to applications. Computers identify applications using one of two methods: digital signatures (used in Leopard or later), and bundle IDs (used in Tiger or earlier, but can be used in Snow Leopard or later). Digital signatures are much more secure because clever users can manipulate bundle IDs.
Workgroup Manager supports both methods. Use the Applications pane to work with digital signatures. Use the Legacy pane to work with bundle IDs.
Application restrictions depend on which pane you're managing and the version of Mac OS X run by client computers:
• If you manage the Applications pane and your users run Snow Leopard or later, Applications settings take effect and Legacy settings are ignored.
• If you don't manage the Applications pane, Legacy settings take effect for any version of Mac OS X.
• If your users run Tiger or earlier, only Legacy settings take effect.
You can also use settings in Applications preferences to allow only specific widgets in Dashboard or to disable Front Row. The table below describes the settings in each Applications pane.

Applications preference pane   What you can control
Applications                   Access to specific applications and paths to applications using digital signatures (for users of Snow Leopard or later)
Widgets                        Allowed Dashboard widgets for users of Snow Leopard
Front Row                      Whether Front Row is allowed
Legacy                         Access to specific applications and paths to applications using bundle IDs (primarily for users of Tiger or earlier)

Controlling User Access to Applications and Folders
You can use Workgroup Manager to prevent users from launching unapproved applications or applications located in unapproved folders. In Tiger or earlier, applications were identified by their bundle IDs. If users have Snow Leopard or later installed, you can use digital signatures to identify applications. Digital signatures are much more difficult to circumvent than a bundle ID.
Workgroup Manager can sign applications that aren't already signed. When signing an application, you can embed a signature or you can store a detached signature separately from the application. Embedding a signature has several performance benefits over a detached signature, but with signature embedding you must make sure every computer has the same signed application. For applications run from a CD, DVD, or other read-only media, you must use detached signatures.
Workgroup Manager uses the following icons to denote the kind of signature associated with an application.

Icon                    Indicates the application has this type of signature
(no icon)               Embedded signature
(icon not reproduced)   Detached signature
(icon not reproduced)   No signature

Applications that include helper applications are denoted by a disclosure triangle. When you click the disclosure triangle, you'll see a list of helper applications. By default, these helper applications are allowed to open. You can disable individual helper applications, but the application might behave erratically if it requires the helper applications.
To allow or prevent users from launching an application, add the application or application path to one of three lists:
• Always allow these applications. Add applications that should always be allowed, regardless of their inclusion in other lists. You can sign applications added to this list. Do not add unsigned applications to this list because they allow users to disguise unapproved applications as approved applications.
• Disallow applications within these folders. Add applications and folders containing applications you want to prevent users from opening. All applications in the subfolders of a disallowed folder are also disallowed. Disallowing a folder in an application package can cause the application to behave erratically or fail to load.
• Allow applications within these folders. Add applications and folders containing applications you want to allow. All applications in the subfolders of an allowed folder are also allowed. Unlike applications in the "Always allow these applications" list, applications listed here are not allowed if they or their paths are listed in the "Disallow applications within these folders" list.
If an application or its folder doesn't appear in these lists, the user can't open the application.
Some applications don't fully support signatures. To make sure a signed application is restricted, make a copy of the application, sign it, and move it to a location in the "Disallow applications within these folders" list. When you try to open the application on a managed computer, it should open because the signature is valid. Next, void the signed application's signature by copying a file into its application package. Now when you try to open the application on a managed computer, it should not open because the signature is void and the application is in a disallowed folder.

To manage Applications preferences:
1 In Workgroup Manager, click Prefer
ences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click the Applications tab.
5 Set the management setting to Always.
6 Select "Restrict which applications are allowed to launch".
7 Click the Applications tab (in the Applications pane), click the Add (+) button, choose an application you want to always allow, and then click Add.
When you allow an application, you also allow all helper applications included with that application. You can deselect helper applications to disallow them.
8 If you're asked to sign the application, click Sign; if you're asked to authenticate, authenticate as a local administrator.
To add the application to the list as an unsigned application, click Don't Sign. When you sign the application, Workgroup Manager tries to embed the signature. If you don't have write access to the application, Workgroup Manager creates a detached signature.
9 Click the Folders tab, click the Add (+) button next to "Disallow applications within these folders", and then choose folders containing applications you want to prevent users from launching.
10 Click the Add (+) button next to the "Allow applications within these folders" field and choose folders containing applications you want to allow.
Disallowing folders takes precedence over allowing them. If you allow a folder that is a subfolder of a disallowed folder, the subfolder is still disallowed.
11 Click Apply Now.

Allowing Specific Dashboard Widgets
If your users have Snow Leopard or later installed, you can prevent them from opening unapproved Dashboard widgets by creating a list of approved widgets (which can include widgets included with Snow Leopard and third-party widgets). To approve third-party widgets, you must be able to access them from your server.
The Dashboard widgets included with Snow Leopard Server can be trusted. However, users can install third-party Dashboard widgets without authenticating. To protect systems against unauthorized use, allow users to use only trusted third-party Dashboard widgets.
Note: Because code signing is not supported, users can bypass restrictions to Dashboard widgets. Therefore, implement a mechanism to regularly check available Dashboard widgets to ensure policy compliance.

To allow specific Dashboard widgets:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click Widgets.
5 Set the management setting to Always.
6 Select "Allow only the following Dashboard widgets to run".
7 To allow specific widgets, click the Add (+) button, select the widget's .wdgt file, and then click Add.
The widgets included with Snow Leopard are in /Library/Widgets.
8 To prevent users from opening specific widgets, select the widget and click the Remove (–) button.
9 Click Apply Now.

Disabling Front Row
With Workgroup Manager, you can disable Front Row.

To disable Front Row:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click Front Row.
5 Set the management setting to Always.
6 Deselect Allow Front Row.
7 Click Apply Now.

From the command line:
# Securing Client Configuration Management Services
# If the intended target is a client system, the target for the dscl
# commands should be "/LDAPv3/127.0.0.1". If the management target is the
# server itself, the target should be ".".
# Disable Front Row:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.frontrow PreventActivation always -bool 1

Allowing Legacy Users to Open Applications and Folders
To control user access to applications in Tiger or earlier, you:
• Provide access to a set of approved applications that users can open
• Prevent users from opening a set of unapproved applications
You can also set options to further control user access to applications.
When users have access to local volumes, they can access applications on the computer's local hard disk. If you don't want to allow this, disable local volume access.
Applications use helper applications for tasks they can't complete independently. For example, if a user tries to open a web link in a mail message, the mail application might need to open a web browser to display the web page. Disallowing helper applications improves security because an application can designate any other application as a helper application. However, you might want to include common helper applications in the approved applications list. This avoids problems such as users being unable to open and view mail content or attached files.
Occasionally, applications or the operating system might require the use of UNIX tools, such as QuickTime Image Converter. These tools can't be accessed directly, and generally operate in the background without the user's knowledge. If you disallow access to UNIX tools, some applications might not work. Allowing UNIX tools enhances application compatibility and efficient operation, but can decrease security.
If you don't manage Applications settings for computers running Snow Leopard or later, Legacy settings are used.

To set up a list of accessible applications:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Applications and then click Legacy.
5 Set the management setting to Always.
6 Select "User can only open these applications" or "User can open all applications except these".
7 Add items to or remove items from the list.
To select multiple items, hold down the Command key.
8 To allow access to applications stored on the user's local hard disk, select "User can also open all applications on local volumes".
9 To allow helper applications, select "Allow approved applications to launch non-approved applications".
10 To allow use of UNIX tools, select "Allow UNIX tools to run".
11 Click Apply Now.

From the command line:
# Setting up a list of accessible applications
# Allow access to applications stored on the user's local hard disk:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess OpenItemsInternalDrive always -bool 1
# Allow helper applications:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess ApprovedAppLaunchesOthers always -bool 1
# Allow UNIX tools:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess AllowUnbundledApps always -bool 1

Managing Dock Preferences
You can customize the user's Dock to display specific applications. This helps you guide the user toward using recommended applications. You can also add documents and folders to the Dock. Adding specific, required network folders to the Dock helps prevent the user from navigating through your network hierarchy. This also helps prevent them from misusing the server.

To manage Dock preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated.
To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Dock and then click Dock Display.
5 Set the management setting to Once or Always.
6 Drag the Dock Size slider to make the Dock smaller or larger.
7 If you want items in the Dock to be magnified when a user moves the pointer over them, select Magnification and then adjust the slider.
Magnification is useful if you have many items in the Dock.
8 From the "Position on screen" radio buttons, select whether to place the Dock on the left, right, or bottom of the desktop.
9 From the "Minimize using" pop-up menu, choose a minimizing effect.
10 If you don't want to use animated icons in the Dock when an application opens, deselect "Animate opening applications".
11 If you don't want the Dock to be visible all the time, select "Automatically hide and show the Dock".
When the user moves the pointer to the edge of the screen where the Dock is located, the Dock appears.
12 Click Apply Now.

From the command line:

Managing Energy Saver Preferences
Energy Saver preference settings help you save energy and battery power by managing wake, sleep, and restart timing for servers and client computers. You can only manage Energy Saver preferences for computer lists.
When client computers go to sleep, they become unmanaged. Do not enable sleep mode for client computers.

To manage Energy Saver preferences:
1 In Workgroup Manager, click Preferences.
2
Makesurethecorrectdirectoryisselectedandyouareauthenticated.Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelockandenterthenameandpasswordofadirectorydomainadministrator.3 Selectcomputersorcomputergroups.4 ClickEnergySaverandthenclickDesktop.5 FromtheOSpop-upmenu,chooseMacOSXandsetthemanagementsettingtoAlways.6 Toadjustsleepsettings,chooseSleepfromtheSettingspop-upmenuandmovethePutthecomputertosleepwhenitisinactiveforslidertoNever.7 FromtheOSpop-upmenu,chooseSnowLeopardServerandsetthemanagementsettingtoAlways.8 FromtheSettingspop-upmenu,chooseSleepandmovethePutthecomputertosleepwhenitisinactiveforslidertoNever.9 ClickPortable.10 FromthePowerSourcepop-upmenu,chooseAdapterandsetthemanagementsettingtoAlways.11 FromtheSettingspop-upmenu,chooseSleepandmovethePutthecomputertosleepwhenitisinactiveforslidertoNever.# Managing Dock Preferences# -------------------------# Set Dock hidingsudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide-immutable always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide always -bool 1Chapter19SecuringClientConfigurationManagementServices 29312 FromthePowerSourcepop-upmenu,chooseBatteryandsetthemanagementsettingtoAlways.13 FromtheSettingspop-upmenu,chooseSleepandmovethePutthecomputertosleepwhenitisinactiveforslidertoNever.14 ClickSchedule.15 FromtheOSpop-upmenu,chooseMacOSXandsetthemanagementsettingtoAlways.16 DeselectStartupthecomputer.17 FromtheOSpop-upmenu,chooseSnowLeopardServerandsetthemanagementsettingtoAlways.18 DeselectStartupthecomputer.19 ClickApplyNow.ManagingFinderPreferencesYoucancontrolaspectsofFindermenusandwindowstoimproveorcontrolworkflow.Youcanpreventusersfromburningmediaorfromejectingdisks,andfromconnectingtoremoteservers.WhenusedwithDockpreferences,youcanguidetheuserexperience.TomanageFinderpreferences:1 InWorkgroupManager,clickPreferences.2 
Makesurethecorrectdirectoryisselectedandyouareauthenticated.Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelockandenterthenameandpasswordofadirectorydomainadministrator.3 Selectusers,groups,computers,orcomputergroups.4 ClickOverview.5 ClickFinder,clickthePreferencestab,andthenselectAlways.6 SelectUsenormalFinder.SimpleFinderisbestusedforcomputersinkiosksituations.SimpleFinderremovestheabilitytouseaFinderwindowtoaccessapplicationsormodifyfiles.ThislimitsuserstoaccessingonlywhatisintheDock.IfyouenableSimpleFinder,userscannotmountnetworkvolumes.WithSimpleFinderenabled,userscannotcreatefoldersordeletefiles.7 DeselectHarddisks,Removablemedia(suchasCDs),andConnectedservers.Bydeselectingthese,youhelppreventusersfromcasuallynavigatingthroughlocalandnetworkfilesystems.294 Chapter19SecuringClientConfigurationManagementServices8 SelectAlwaysshowfileextensions.Important:Operatingsystemsusefileextensionsasonemethodofidentifyingtypesoffilesandtheirassociatedapplications.UsingonlyfileextensionstocheckthesafetyofincomingfilesleavesyoursystemvulnerabletoattacksbyTrojans.ATrojanisamaliciousapplicationthatusescommonfileextensionsoriconstomasqueradeasadocumentormediafile(suchasaPDF,MP3,orJPEG).Forfurtherexplanationandguidanceonhandlingmailattachmentsandcontentdownloadedfromtheinternet,seeKBaseArticle108009:SafetytipsforhandlingemailattachmentsandcontentdownloadedfromtheInternetatdocs.info.apple.com/article.html?artnum=108009.9 ClickCommandsandselectAlways.10 DeselectConnecttoServer,GotoiDisk,andGotoFolder.Insteadofallowingtheusertochoosewhichserversorfolderstoload,addapprovedservers.11 DeselectEjectandBurnDisc.Disallowingexternalmediagivesyoumorecontrol.12 DeselectRestartandShutDown.Bydisallowingrestartingandshuttingdownclientcomputers,youhelpensurethatyourcomputersareavailabletootherusers.13 ClickApplyNow.http://docs.info.apple.com/article.html?artnum=108009Chapter19SecuringClientConfigurationManagementServices 
From the command line:

# Managing Finder Preferences
# ---------------------------
# Manage Finder preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder AppleShowAllExtensions-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitBurn always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitConnectTo always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitEject always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToFolder always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToiDisk always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowHardDrivesOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowMountedServersOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowRemovableMediaOnDesktop-immutable always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences AppleShowAllExtensions always -bool 1

Managing Login Preferences

Use Login preferences to set options for user login, to provide password hints, and to control the user's ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open when a user logs in.

The table below summarizes what you can do with settings in each Login pane.

Login preference pane: What you can control
Window: For computers and computer groups only. The appearance of the login window, such as the heading, the message, which users are listed if "List of users" is specified, and the ability to restart or shut down.
Options: For computers and computer groups only. Login window options such as enabling password hints, automatic login, console, fast user switching, inactivity logout, disabling of management, setting the computer name to match the computer record, and external account login.
Access: For computers and computer groups only. Who can log in, whether local users can use workgroup settings, and the combination and selection of workgroups.
Scripts: For computers and computer groups only. A script to run during login or logout, and whether to execute or disable the client computer's own LoginHook or LogoutHook scripts.
Items: Access to the group volume, which applications open automatically for the user, and whether users can add or remove login items.

By managing script settings, you can help protect your users from malicious login or logout scripts that could be used to compromise their accounts' integrity. You can manage login window settings to make it more difficult for intruders to attempt to log in as legitimate users. You can configure options to track malicious user actions.

To manage Login preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select user accounts. To perform the steps involving applying scripts and login window settings, select computers or computer groups.
4 Click Overview and click Login.
5 Click Items and select Always. Different login items settings are available depending on whether you're managing Once or Always. Like all managed preferences, you should use the Always setting to ensure that your settings stay in effect past the user's first login.
6 To load applications or to mount a group volume at startup, click Add to open a dialog where you can add an application or volume.
7 Add the applications required, including antivirus and file integrity checking applications required by your organization.
8 Deselect "Add network home share point". Instead of automatically mounting share points, the user should mount share points as required.
9 Deselect "User may add and remove additional items" and "User may press Shift to keep items from opening". Deselecting these options helps prevent the user from loading potentially malicious applications. It also helps ensure that the user cannot bypass loading applications required by your organization.
10 Click Scripts and select Always.
11 Unless your organization requires the use of specific login or logout scripts, deselect Login Script and Log-Out Script, and then deselect "Also execute the client computer's LoginHook script" and "Also execute the client computer's LogoutHook script". To run login and logout scripts, the client computer must have a level of trust with the server. This level of trust is based on how secure the client's connection is with the server. Requiring a level of trust ensures that the client computer does not run scripts from malicious servers. For more information about how to enable the use of login and logout scripts, see the User Management guide.
12 Click Window and select Always.
13 Select "Login Window message" and enter help desk contact information in the adjacent field. Do not enter information about the computer's typical usage or who its users are.
14 In "Display Login Window as", select "Name and password text fields". Requiring that users know their account names adds a layer of security and helps prevent intruders from compromising accounts with weak passwords.
15 Deselect "Show Restart button in the Login Window" and "Show Shut Down button in the Login Window". Preventing users from easily restarting or shutting down the computer helps ensure that the computer is available to all users.
16 Deselect "Show password hint after 3 attempts to enter a password". Password hints can help malicious users compromise accounts. If you enable this setting, set the password hint per user account to information for your organization's help desk.
17 Deselect "Auto Login Client Setting". Enabling this setting allows users to enable automatic login through System Preferences. Automatic login bypasses all login window-based security mechanisms.
18 Deselect "Allow users to log in using >console". Enabling this setting allows the user to bypass the login window and use the Darwin console (command-line interface).
19 Click Options and select Always.
20 Deselect "Enable Fast User Switching". Fast User Switching allows multiple users to log in simultaneously. This makes it difficult to track user actions and allows users to run malicious applications in the background while another user is actively using the computer.
21 Deselect "Log out users after # minutes of inactivity". If you select "Log out users after # minutes of inactivity", enable password-protected screen savers in case a dialog prevents logging out.
22 Click Apply Now.

From the command line:

# Managing Login Preferences
# --------------------------
# Manage login preferences:
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow LoginwindowText always -string "$LOGIN_WINDOW_MESSAGE"
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow mcx_UseLoginWindowText always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow RestartDisabled always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow ShutDownDisabled always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow SHOWFULLNAME always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow DisableConsoleAccess always -bool 1
sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences MultipleSessionEnabled always -bool 0

Managing Media Access Preferences

Media Access preferences let you control settings for, and access to, CDs, DVDs, the local hard disk, and external disks (for example, floppy disks and FireWire drives).

Disable unnecessary media. If users can access external media, it provides opportunities for performing malicious activities. For example, they can transfer malicious files from the media to the hard disk. Another example is if an intruder gains temporary access to the computer, he or she can quickly transfer confidential files to the media.

Carefully weigh the advantages and disadvantages of disabling media. For example, disabling external disks prevents you from using USB flash memory drives for storing keychains. For more information, see "Storing Credentials in Keychains" on page 88.

To manage Media Access preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Overview and click Media Access.
5 Select Always and click Disc Media.
6 Unless you must use disc media, deselect Allow for CDs & CD-ROMs, DVDs, and Recordable Discs. To enable disc media, select both Allow and Require Authentication for that disc media.
7 Click Other Media.
8 Unless you must use media, deselect Allow for Internal Disks and External Disks. If you must enable media, select Allow and Require Authentication for that media. Select Read-Only if you do not need to save files to that media.
9 Select "Eject all removable media at logout". This helps prevent users from forgetting they have media inserted in the computer.
10 Click Apply Now.

Managing Mobility Preferences

You can use Mobility preferences to enable and configure mobile accounts for users during their next login. If your computers have Snow Leopard or later, you can also encrypt the contents of the mobile account's portable home directory, restrict its size, choose its location, or set an expiration date on the account.

Mobile accounts include a network home folder and a local home folder. By having these two types of home folders, clients can take advantage of features available for local and network accounts. You can synchronize specific folders of these two home folders, creating a portable home directory.

Avoid using mobile accounts. When you access a mobile account from a client computer and create a portable home directory, you create a local home folder on that client computer. If you access the mobile account from many computers, creating portable home directories on each computer, your home folder's files are stored on several computers. This provides additional avenues of attack.

If you use mobile accounts, do not create portable home directories on computers that are physically insecure, or that you infrequently access. Enable FileVault on every computer where you create portable home directories. For more information about enabling FileVault, see "Securing Security Preferences" on page 122.

To manage Mobility preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select a user account, group account, computer, or computer group.
4 Click Overview.
5 Click Mobility, click Account Creation, and then click Creation.
6 Set the management setting to Always.
7 To disable mobile accounts, deselect "Create mobile account when user logs in to network account"; to enable mobile accounts, select this option.
8 Select "Require confirmation before creating a mobile account". If this is deselected, a portable home directory is created every time the user accesses a different computer.
9 Select "with syncing off".
10 Click Rules, click Login & Logout Sync, and select Always.
11 In the "Sync at login and logout" list, click the Add (+) button and enter the paths of folders located in the user's home folder. Alternatively, click the browse (...) button to open a dialog where you can choose folders to add to the list, and then add folders that do not contain confidential files.
12 In the "Skip items that match any of the following" list, click the Add (+) button and enter the paths of folders located in the user's home folder. Alternatively, click the browse (...) button to open a dialog where you can choose folders to add to the list, and then add folders that contain confidential files.
13 Deselect "Merge with user's settings". By deselecting this setting, the folders you synchronize replace those chosen by the user.
14 Click Background Sync. Select Always.
15 In the "Sync at login and logout" list, click the Add (+) button and enter the paths of folders located in the user's home folder. Alternatively, click the browse (...) button to open a dialog where you can choose folders to add to the list, and then add folders that do not contain confidential files.
16 In the "Skip items that match any of the following" list, click the Add (+) button and enter the paths of folders located in the user's home folder. Alternatively, click the browse (...) button to open a dialog where you can choose folders to add to the list, and then add folders that contain confidential files.
17 Deselect "Merge with user's settings". By deselecting this setting, the folders you choose to synchronize replace those chosen by the user.
18 Click Apply Now.

Managing Network Preferences

Network preferences let you select and configure proxy servers that can be used by users and groups. You can also specify hosts and domains to bypass proxy settings. Using proxy servers controlled by your organization can help improve security. You can also decrease the performance hit from using proxies if you selectively bypass trusted hosts and domains (such as local resources or trusted sites).

You can also disable Internet Sharing, AirPort, or Bluetooth. Disabling these can improve security by removing avenues for attack.

To manage Network preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Overview.
5 Click Network and then click Proxies.
6 Set the management setting to Always.
7 Select a type of proxy server and enter the network address and port of a proxy server controlled by your organization.
8 If you select Automatic Proxy Configuration, enter the URL of your automatic proxy configuration (.pac) file.
9 In the "Bypass proxy settings for these Hosts & Domains" field, enter the addresses of the hosts and domains that you want users to connect to directly. To enter multiple addresses, separate them with newlines, spaces, semicolons, or commas. There are several ways to enter addresses:
• A subdomain or fully qualified domain name (FQDN) of a target server, such as server1.apple.com or store.apple.com.
• The specific IP address of a server, such as 192.168.2.1.
• A domain name, such as apple.com. This bypasses apple.com, but not subdomains, such as store.apple.com.
• A website, including subdomains, such as *.apple.com.
• A subnet in Classless Inter-Domain Routing (CIDR) notation. For example, to add a subnet of IP addresses from 192.168.2.0 to 192.168.2.255, enter 192.168.2.0/24. For a description of subnet masks and CIDR notation, see the Network Services Administration guide.
10 Deselect "Use Passive FTP Mode (PASV)".
11 Click Apply Now.

From the command line:

# Managing Network Preferences
# ----------------------------
# Manage network preferences:
sudo networksetup -setwebproxystate Ethernet on
sudo networksetup -setwebproxy Ethernet "http://$SERVER" 8008
sudo networksetup -setpassiveftp Ethernet on

Managing Parental Controls Preferences

Parental Controls preferences allow you to hide profanity in Dictionary, limit access to websites, or set time limits or other constraints on computer usage. To manage Parental Controls preferences, computers must have Snow Leopard or later.

Note: Parental control does not apply to directory users. It applies only to local users.

The table below describes Parental Controls settings.

Parental Controls preference pane: What you can control
Content Filtering: Whether profanity is allowed in Dictionary, and limitations on which websites users can view.
Time Limits: How long and when users can log in to their accounts.
303HidingProfanityinDictionaryYoucanhideprofanetermsfromtheDictionaryapplicationincludedwithSnowLeopardorlater.Whenyouhideprofaneterms,entirelyprofanetermsareremovedfromsearchresults.Ifyousearchforaprofanetermthathasanalternatenonprofanedefinition,Dictionaryonlydisplaysthenonprofanedefinition.TohideprofanityinDictionary:1 InWorkgroupManager,clickPreferences.2 Makesurethecorrectdirectoryisselectedandyouareauthenticated.Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelockandenterthenameandpasswordofadirectorydomainadministrator.3 Selectusers,groups,computers,orcomputergroups.4 ClickParentalControlsandthenclickContentFiltering.5 SetthemanagementsettingtoAlways.6 SelectHideprofanityinDictionary.7 ClickApplyNow.Fromthecommandline:PreventingAccesstoAdultWebsitesYoucanuseWorkgroupManagertohelppreventusersfromvisitingadultwebsites.Youcanalsoblockaccesstospecificwebsiteswhileallowinguserstoaccessotherwebsites.Youcanallowordenyaccesstospecificsubfoldersinthesamewebsite.Insteadofpreventingaccesstospecificwebsites,youcanallowaccessonlytospecificwebsites.Formoreinformation,seeAllowingAccessOnlytoSpecificWebsitesonpage304.Topreventaccesstowebsites:1 InWorkgroupManager,clickPreferences.2 Makesurethecorrectdirectoryisselectedandyouareauthenticated.Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelockandenterthenameandpasswordofadirectorydomainadministrator.3 Selectusers,groups,computers,orcomputergroups.# Managing Parental Control Preferences# -------------------------------------# Hide profanity:sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.Dictionary parentalControl always -bool 1304 Chapter19SecuringClientConfigurationManagementServices4 ClickParentalControlsandthenclickContentFiltering.5 SetthemanagementsettingtoAlways.6 SelectLimitaccesstowebsitesbyandchoosetryingtolimitaccesstoadultwebsites.7 
Toallowaccesstospecificsites,clicktheAdd(+)buttonnexttotheAlwaysallowsitesattheseURLslistandthenentertheURLofthesiteyouwanttoallow.8 Toblockaccesstospecificsites,clicktheAdd(+)buttonnexttotheNeverallowsitesattheseURLslistandthenentertheURLofthesiteyouwanttoblock.Toalloworblockasite,includingallcontentstoredinitssubfolders,enterthehighestlevelURLofthesite.Forexample,allowingwww.example.comletstheuserviewallpagesinwww.example.com.However,blockingwww.example.com/banned/preventstheuserfromviewingcontentstoredinwww.example.com/banned/,includingallsubfoldersin/banned/,butitallowstheusertoviewpagesinwww.example.comthatarenotin/banned/.9 ClickApplyNow.AllowingAccessOnlytoSpecificWebsitesYoucanuseWorkgroupManagertoallowaccessonlytospecificwebsitesoncomputerswithSnowLeopardorlater.Iftheusertriestovisitawebsitethatheorsheisnotallowedtoaccess,thewebbrowserloadsawebpagethatlistsallsitestheuserisallowedtoaccess.Tohelpdirectuserstoallowedsites,theusersbookmarksarereplacedbywebsitesyouallowaccessto.Thebookmarkscreatedbyallowingaccesstowebsitesarecalledmanagedbookmarks.IftheusersyncsbookmarkswithMobileMe,thefirsttimetheusersyncsheorsheisaskedifMobileMeshouldmergeorreplaceitsbookmarkswiththemanagedbookmarks.Iftheusermergesbookmarks,theMobileMebookmarkswillincludetheoriginalMobileMebookmarksandthemanagedbookmarks.Iftheuserreplacesbookmarks,theMobileMebookmarksincludeonlythemanagedbookmarks.YoucanalsouseWorkgroupManagertoblockspecificwebsitesinsteadofblockingallwebsites.Formoreinformation,seePreventingAccesstoAdultWebsitesonpage303.Toallowaccessonlytospecificwebsites:1 InWorkgroupManager,clickPreferences.2 Makesurethecorrectdirectoryisselectedandyouareauthenticated.Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelockandenterthenameandpasswordofadirectorydomainadministrator.Chapter19SecuringClientConfigurationManagementServices 3053 Selectusers,groups,computers,orcomputergroups.4 ClickParentalControlsandthenclickContentFiltering.5 
SetthemanagementsettingtoAlways.6 SelectLimitaccesstowebsitesbyandchooseallowingaccesstothefollowingwebsitesonly.7 Useoneofthefollowingmethodstoaddwebsitesthatyouwanttoallowaccessto: InSafari,openthesiteandthendragtheiconfromtheaddressbar(ofSafari)tothelist. InSafari,chooseBookmarks>ShowAllBookmarks,thendragiconsfromthebookmarklisttothelistinWorkgroupManager. Ifyouhavea.weblocfileofthewebsiteyouwanttoallowaccessto,dragthefileintothelist. Ifyoudonthavea.weblocfileofthewebsiteyouwanttoallowaccessto,clicktheAdd(+)buttonandentertheURLofthewebsiteyouwanttoallow.IntheWebsitetitlefield,namethewebsite.IntheAddressfield,enterthehighestlevelURLofthesite.Forexample,allowingwww.example.comletstheuserviewallpagesinwww.example.com.Allowingwww.example.com/allowed/letstheuserviewcontentstoredinwww.example.com/allowed/,includingallsubfoldersin/allowed/,butnotfolderslocatedoutsideof/allowed/.8 Tocreatefolderstoorganizewebsites,clicktheNewFolder(folder)button,thendouble-clickthefoldertorenameit.ToaddURLswithinafolder,openthefoldersdisclosuretriangle,selectthefolder,andthenclicktheAdd(+)button.Tocreateasubfolder,openafoldersdisclosuretriangle,selectthefolder,andthenclicktheNewFolder(folder)button.9 TochangethenameorURLofawebsite,double-clickthewebsiteentry;then,torenameafolder,double-clickthefolderentry.10 Torearrangewebsitesorfolders,dragthewebsitesorfoldersinthelist.11 ClickApplyNow.306 
Chapter19SecuringClientConfigurationManagementServicesSettingTimeLimitsandCurfewsonComputerUsageYoucanuseWorkgroupManagertosettimelimitsandcurfewsforcomputerusageoncomputerswithSnowLeopardorlater.Ifyousetatimelimitforcomputerusage,userswhomeettheirdailytimelimitscantloginuntilthenextdaywhentheirquotaisreset.Youcansetdifferenttimelimitsforweekdays(MondaythroughFriday)andweekends(SaturdayandSunday).Thetimelimitcanrangefrom30minutesto8hours.Ifyousetacurfew,userscantloginduringthedaysandtimesyouspecify.Ifauserisloggedinwhentheircurfewstarts,theuserisimmediatelyloggedout.Youcansetdifferenttimesforweekdays(denyingaccessSundaynightsthroughThursdaynights)andweekends(FridayandSaturdaynights).Tosettimelimitsandcurfews:1 InWorkgroupManager,clickPreferences.2 Makesurethecorrectdirectoryisselectedandyouareauthenticated.Toswitchdirectories,clicktheglobeicon.Ifyouarenotauthenticated,clickthelockandenterthenameandpasswordofadirectorydomainadministrator.3 Selectusers,groups,computers,orcomputergroups.4 ClickParentalControlsandthenclickTimeLimits.5 SetthemanagementsettingtoAlwaysandthenselectEnforcelimits.6 Tosettimelimits,clickAllowances,thenunderWeekdaysorWeekendsselectLimitcomputerusetoanddragtheslidertoamountoftimeyouwanttolimituse.7 Tosetcurfews,clickCurfews,selectSundaythroughThursdayorFridayandSaturday,andthenentertherangeoftimewhenyouwanttopreventcomputeraccess.Youcanhighlightthetimeandreplaceitwithanewtime,oryoucanhighlightthetimeandclicktheupordownbuttonsnexttothetime.8 ClickApplyNow.Chapter19SecuringClientConfigurationManagementServices 307ManagingPrintingPreferencesPrinterpreferencesletyoucontrolwhichprinterstheusercanaccess.Ideally,reducetheprinterlisttoonlythoseprinterstheuserneedstoaccess.Youshouldrequirethattheuserauthenticateasanadministratorbeforeprinting.TomanagePrintingpreferences:1 InWorkgroupManager,clickPreferences.2 
Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Printing and then click Printers.
5 Set the management setting to Always.
6 Click Printer List.
7 In the Available Printers list, select a printer and click Add; then add the printers that you want the user to access.
8 To add additional printers to the user's printer list, click Open Printer Setup. For more information, see Printer Setup Utility Help.
9 Deselect "Allow user to modify the printer list".
10 Deselect "Allow printers that connect directly to user's computer". If you select this setting, select "Require an administrator password".
11 Click Access.
12 Select a printer, and select "Require an administrator password". Repeat for all printers in the User's Printer List.
13 Click Apply Now.
From the command line:

    # Managing Printing Preferences
    # -----------------------------
    # Manage printing preferences:
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting RequireAdminToAddPrinters always -bool 1
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting AllowLocalPrinters always -bool 0

Managing Software Update Preferences
With Snow Leopard Server, you can create your own Software Update server to control the updates that are applied to specific users or groups. This is helpful because it reduces external network traffic while also giving server administrators more control. By configuring a Software Update server, server administrators can choose which updates to provide.
To manage Software Update preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Software Update.
5 Set the management setting to Always.
6 Specify a URL in the form http://updateserver.example.com:8088/index.sucatalog.
7 Click Apply Now.
From the command line:

    # Managing Software Update Preferences
    # ------------------------------------
    # Manage Software Update preferences (the catalog URL must be a complete URL, including both slashes after http:):
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.SoftwareUpdate CatalogURL always -string "http://$SERVER:8088/index.sucatalog"

Managing Access to System Preferences
You can specify which preferences to show in System Preferences. If a user can see a preference, it does not mean the user can modify that preference. Some preferences, such as Startup Disk preferences, require an administrator name and password before a user can modify their settings.
The preferences that appear in Workgroup Manager are those installed on the computer you're using. If your administrator computer is missing preferences that you want to disable on client computers, install the applications related to those preferences or use Workgroup Manager on a computer that includes those preferences.
To manage System Preferences preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click System Preferences.
5 Set the management setting to Always.
6 Click Show None.
7 Select the following items to show in System Preferences:
• Select Appearance
• Select Displays
• Select Dock
• Select Exposé & Spaces
• Select Keyboard & Mouse
• Select Security
• Select Universal Access
8 Click Apply Now.
Managing Universal Access Preferences
Universal Access settings can help improve the user experience. For example, if a user has difficulty using a computer or wants to work in a different way, you can choose settings that enable the user to work more effectively. Most Universal Access settings do not negatively impact security. However, some settings allow other users to more easily see what you're doing.
To manage Universal Access preferences:
1 In Workgroup Manager, click Preferences.
2 Make sure the correct directory is selected and you are authenticated. To switch directories, click the globe icon. If you are not authenticated, click the lock and enter the name and password of a directory domain administrator.
3 Select users, groups, computers, or computer groups.
4 Click Universal Access.
5 Click Seeing and then set the management setting to Always.
6 Deselect "Turn on Zoom". Pressing and holding the Option, Command, and + keys zooms in, and pressing and holding the Option, Command, and - keys zooms out; a zoomed screen is easier for onlookers to read.
7 Click Keyboard and select Always.
8 Select "Sticky Keys Off" and deselect "Show pressed keys on screen". If Sticky Keys is on and you select "Show pressed keys on screen", modifier keys such as Control, Option, Command, and Shift are displayed on screen. Other keys are not displayed.
9 Click Apply Now.
From the command line:

    # Managing Universal Access Preferences
    # -------------------------------------
    # Manage Universal Access preferences:
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKey always -bool 0
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyBeepOnModifier always -bool 0
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyShowWindow always -bool 0
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewDriver always -bool 0
    sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewShowPreview always -bool 0

Enforcing Policy
When you implement a policy for controlling the user experience by removing files (for example, kernel extensions) or by managing user-controllable settings (for example, screen saver settings), you should also implement a mechanism for re-enforcing the policy in case the deleted files are restored or the settings are changed by users or by software updates.
Using mcx, cron, or launchd jobs, create scripts that run during startup and shutdown and after software updates to re-enforce policy in case of violations.
To protect the policy enforcement scripts, compile them into binary form so users can't read or modify them. Compiling alone does not stop a user who can write to the file from replacing it, so also make sure the scripts are owned by root and are not writable by other users.
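The following script is an added example, not part of the Apple guide, of the kind of re-enforcement job the Enforcing Policy section describes. It takes a list of paths that policy removed (one path per line, relative to a root directory) and a settings file of KEY=VALUE lines, deletes anything from the list that has reappeared, and forces a managed setting back to its required value, logging what it corrected. The list file, the KEY=VALUE settings format and the launchd label are hypothetical stand-ins; a site would substitute its own file list and whatever store its settings live in (for MCX preferences, the dscl mcxset commands shown in this chapter).

```shell
#!/bin/sh
# Added example, not from the Apple guide: a policy re-enforcement job of the
# kind the "Enforcing Policy" section asks for. Install it as a root launchd
# job (RunAtLoad) and run it again after software updates.
set -eu

# enforce_removed LISTFILE ROOT
# LISTFILE names paths (one per line, relative to ROOT) that policy removed,
# for example kernel extensions. Any that have come back are deleted again.
# Prints the number of paths removed. Absolute paths and ".." are refused so
# a tampered list cannot reach outside ROOT.
enforce_removed() {
    list="$1"; root="$2"; fixed=0
    while IFS= read -r rel || [ -n "$rel" ]; do
        [ -n "$rel" ] || continue
        case "$rel" in
            /*|*..*) printf 'refusing unsafe path: %s\n' "$rel" >&2; continue ;;
        esac
        target="$root/$rel"
        if [ -e "$target" ]; then
            rm -rf -- "$target"
            fixed=$((fixed + 1))
            logger -t enforce_policy "removed $target" 2>/dev/null || true
        fi
    done < "$list"
    echo "$fixed"
}

# enforce_setting FILE KEY VALUE
# FILE holds KEY=VALUE lines (a hypothetical settings format standing in for
# whatever store a site manages). The line for KEY is forced to VALUE; other
# lines are kept. Prints 1 if the file had to be corrected, 0 if compliant.
enforce_setting() {
    file="$1"; key="$2"; want="$3"; have=""
    if [ -f "$file" ]; then
        have=$(awk -F= -v k="$key" '$1 == k { print substr($0, length(k) + 2); exit }' "$file")
    fi
    if [ "$have" = "$want" ]; then
        echo 0
        return 0
    fi
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then awk -F= -v k="$key" '$1 != k' "$file"; fi
        printf '%s=%s\n' "$key" "$want"
    } > "$tmp"
    mv -- "$tmp" "$file"
    logger -t enforce_policy "reset $key=$want in $file" 2>/dev/null || true
    echo 1
}

# launchd_plist LABEL SCRIPT
# Prints a launchd job that runs SCRIPT as root at every startup. Save it in
# /Library/LaunchDaemons and load it with launchctl. Label and path are
# hypothetical.
launchd_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>$1</string>
    <key>ProgramArguments</key><array><string>$2</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# run_policy LISTFILE ROOT SETTINGSFILE
# One enforcement pass over both policy kinds; prints the totals.
run_policy() {
    removed=$(enforce_removed "$1" "$2")
    changed=$(enforce_setting "$3" askForPassword 1)
    printf 'policy pass: %s file(s) removed again, %s setting(s) reset\n' "$removed" "$changed"
}
```

Deploy it as something like `run_policy /etc/policy/removed.txt / /etc/policy/screensaver.conf` (hypothetical paths) from a launchd job generated by launchd_plist, with the script itself owned by root and mode 0755. The path check in enforce_removed matters because the job runs as root: a list file a user could edit would otherwise turn the enforcement job into a way to delete arbitrary files.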
Chapter 20, Securing NetBoot Service
Use this chapter to learn how to secure NetBoot service.
Securely configuring client configuration management through NetBoot helps standardize the clients across your network and provides a secure deployment. Network computers can be managed through NetBoot, which decreases maintenance time and can help prevent malicious software attacks.
Securing NetBoot Service
By using NetBoot you can have your client computers start up from a standardized Snow Leopard configuration suited to their specific tasks. Because the client computers start up from the same image, you can quickly update the operating system for an entire group by updating a single boot image.
A boot image is a file that looks and acts like a mountable disk or volume. NetBoot images contain the system software needed to act as a startup disk for client computers over the network. An installation image is an image that starts up the client computer long enough to install software from the image. The client can then start up from its own hard drive.
Boot images (NetBoot) and installation images (NetInstall) are different kinds of disk images. The main difference is that a .dmg file is a proper disk image and a .nbi folder is a bootable network volume (which contains a .dmg disk image file). Disk images are files that behave like disk volumes.
For more information about configuring NetBoot service, see the System Imaging and Software Update Administration guide.
Disabling NetBoot Service
If your server is not a NetBoot server, disable the NetBoot service. Disabling the service removes an avenue of attack on your computer. The NetBoot service is disabled by default, but verification is recommended.
The best way to prevent clients from using NetBoot on the server is to disable NetBoot service on all Ethernet ports.
To disable NetBoot:
1 Open Server Admin and connect to the server.
2 Select NetBoot in the Computers & Services list.
3 Click General.
4 Disable NetBoot on all ports.
5 Click Stop NetBoot.
From the command line:

    # ---------------------------------------------------------------------
    # Securing NetBoot Service
    # ---------------------------------------------------------------------
    #
    # Disable NetBoot.
    # ---------------------------
    sudo serveradmin stop netboot

Limit NetBoot Service Clients
If NetBoot service is required, it should be provided over a trusted network. Securely configure NetBoot service with restrictions on the ports it uses, the images available, and client access to the service.
NetBoot service uses Apple Filing Protocol (AFP), Network File System (NFS), Dynamic Host Configuration Protocol (DHCP), Web, and Trivial File Transfer Protocol (TFTP) services, depending on the types of clients you are trying to boot. You must also securely configure these services to reduce network vulnerabilities.
NetBoot service creates share points for storing NetBoot and NetInstall images in /Library/NetBoot/ on each volume you enable and names them NetBootSPn, where n is 0 for the first share point and increases by 1 for each extra share point. For example, if you decide to store images on three server disks, NetBoot service sets up three share points named NetBootSP0, NetBootSP1, and NetBootSP2.
You can restrict access to NetBoot service on a case-by-case basis by listing the hardware addresses (also known as the Ethernet or MAC addresses) of computers that you want to permit or deny access to. The hardware address of a client computer is added to the NetBoot Filtering list when the client starts up using NetBoot and is, by default, enabled to use NetBoot service. You can specify other services.
To limit NetBoot clients:
1 Open Server Admin and connect to the server.
2 Select NetBoot in the Computers & Services list.
3 Click Settings, then click Filters.
NetBoot service filtering lets you restrict access to the service based on the client's Ethernet hardware (MAC) address. A client's address is added to the filter list the first time it starts up from an image on the server and is allowed access by default.
4 Select "Enable NetBoot/DHCP filtering".
5 Select "Allow only clients listed below (deny others)" or "Deny only clients listed below (allow others)".
6 Use the Add (+) button to enter the canonical or noncanonical form of a hardware address in the filter list, or use the Delete (-) button to remove a MAC address from the filter list.
To look up a MAC address, enter the client's DNS name or IP address in the Host Name field and click Search.
To find the hardware address for a computer using Snow Leopard, look on the TCP/IP pane of the computer's Network preference or run Apple System Profiler.
7 Click OK.
8 Click Save.
Note: You can also restrict access to a NetBoot image by selecting the name of the image in the Images pane of the NetBoot service settings in Server Admin, clicking the Edit (pencil) button, and providing the required information.
Because a hardware address can be set by the client, MAC filtering keeps casual or accidental clients off the service; it is not a substitute for providing NetBoot only on a trusted network.
From the command line:

    #
    # Securely configure NetBoot.
    # ---------------------------
    sudo defaults rename /etc/bootpd allow_disabled allow

Viewing NetBoot Service Logs
NetBoot service logging is important to security. With logs, you can monitor and track client communication to the NetBoot server.
The NetBoot service log is /var/log/system.log and can be accessed using Server Admin.
To view NetBoot service logs:
1 Open Server Admin and connect to the server.
2 Select NetBoot in the Computers & Services list.
3 Click Logs to display the contents of system.log.
From the command line:

    #
    # View NetBoot service logs.
    # ---------------------------
    sudo tail /var/log/system.log | grep bootpd
    # The line above filters only the last 10 lines of the log; to see the most
    # recent bootpd entries from the whole log, filter first and then tail:
    sudo grep bootpd /var/log/system.log | tail -n 50

Chapter 21, Securing Software Update Service
Use this chapter to learn how to secure Software Update service.
You can protect against attacks by configuring an internal Software Update server. This allows you to maintain a secure network by controlling what software updates are installed on your network computers.
Disabling Software Update Service
If your server is not intended to be a software update server, disable the Software Update service. Disabling the service removes an avenue of attack on your computer. Software Update service is disabled by default, but verification is recommended.
To disable Software Update:
1 Open Server Admin and connect to the server.
2 Select Software Update in the Computers & Services list.
3 Click Settings.
4 Click Stop Software Update.
5 Click Save.
From the command line:

    # ---------------------------------------------------------------------
    # Securing Software Update Service
    # ---------------------------------------------------------------------
    # Disable Software Update:
    sudo serveradmin stop swupdate

Limiting Automatic Update Availability
Software Update service offers you ways to manage Macintosh software updates from Apple on your network. In an uncontrolled environment, users might connect to Apple Software Update servers at any time and update client computers with software that is not approved by your IT group. By using local Software Update servers, your client computers access only the software updates you permit from software lists that you control, giving you more flexibility in managing computer software updates.
You can restrict client access in a Software Update server by disabling automatic mirror-and-enable functions in the General Settings pane. You manage specific updates in the Updates pane of the Software Update server.
To specify which updates are automatically available as software updates:
1 Open Server Admin and connect to the server.
2 Select Software Update in the Computers & Services list.
3 Click Settings, then click General.
4 To immediately disable all software updates for client users, deselect "Automatically enable copied updates".
5 Click Updates.
6 In the Enable column, select the checkbox for each update you want to make available to client computers.
7 Click Save.
From the command line:

    #
    # Stop copied updates from being enabled automatically; enable them one
    # by one in the Updates pane instead.
    # ----------------------------------
    sudo serveradmin settings swupdate:autoEnable = no

Viewing Software Update Service Logs
Software Update service logging is important for security. With logs, you can monitor and track communication through the Software Update service.
The Software Update service writes its logs to /var/log/swupd/; you can access them using Server Admin.
To view Software Update service logs:
1 Open Server Admin and connect to the server.
2 Select Software Update in the Computers & Services list.
3 Click Logs and then choose a log from the View pop-up menu.
From the command line:

    #
    # View Software Update service logs.
    # ----------------------------------
    sudo tail /var/log/swupd/swupd_*
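As an added example for the NetBoot filtering and NetBoot log sections of Chapter 20 above (not code from the Apple guide), the script below pulls the hardware addresses that bootpd has logged out of system.log, puts them in canonical form, and reports any that are not on an allow list kept as a plain text file, one address per line in either the canonical or the noncanonical form the filter accepts. The allow-list file is an assumption of the example (Server Admin keeps the real filter list in the NetBoot service settings), and the sample log lines in the test are constructed to approximate bootpd's format, not copied from a real server.

```shell
#!/bin/sh
# Added example, not from the Apple guide: check the NetBoot clients that
# bootpd has logged in system.log against a MAC-address allow list.
set -eu

# One or two hex digits per octet, six octets, so both the canonical
# (00:1e:c2:aa:bb:cc) and noncanonical (0:1e:c2:aa:bb:cc) forms that the
# filter list accepts are found. Spelled out because not every awk supports
# {n} repetition. An IPv6 address in a line would also match, which bootpd
# lines do not normally carry.
HEX='[0-9A-Fa-f][0-9A-Fa-f]?'
MAC_RE="$HEX:$HEX:$HEX:$HEX:$HEX:$HEX"

# normalize_macs: addresses on stdin, each printed in canonical form
# (lower case, two digits per octet) so the two forms compare equal.
normalize_macs() {
    awk -F: '{ gsub(/[ \t\r]+/, "") }
    NF == 6 {
        out = ""
        for (i = 1; i <= NF; i++) {
            o = tolower($i)
            if (length(o) == 1) o = "0" o
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# netboot_client_macs LOGFILE
# Unique hardware addresses from bootpd entries, canonical form, sorted.
netboot_client_macs() {
    grep 'bootpd\[' "$1" 2>/dev/null \
        | awk -v re="$MAC_RE" 'match($0, re) { print substr($0, RSTART, RLENGTH) }' \
        | normalize_macs | sort -u
}

# netboot_unlisted_clients LOGFILE ALLOWFILE
# Addresses bootpd has answered that are not in ALLOWFILE. With an "Allow
# only clients listed below" filter these are clients that booted before
# filtering was enabled, or a list that has drifted; with a "Deny" filter
# they are clients nobody has reviewed yet.
netboot_unlisted_clients() {
    allowed="
$(normalize_macs < "$2")
"
    netboot_client_macs "$1" | while IFS= read -r mac; do
        case "$allowed" in
            *"
$mac
"*) ;;
            *) printf '%s\n' "$mac" ;;
        esac
    done
}
```

On the server this is `sudo sh` followed by `netboot_unlisted_clients /var/log/system.log /path/to/allowed-macs.txt`; an empty result means every client bootpd has served is on the list. Because system.log rotates, run it against the archived copies as well if the question is what has booted over a longer period.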
Chapter 22, Securing Network Accounts
Use this chapter to learn how to use Server Admin and Workgroup Manager to set up and manage home folders, accounts, and settings for clients.
Snow Leopard Server includes Server Admin and Workgroup Manager. You can use Server Admin to create and manage share points. You can use Workgroup Manager, a user management tool, to manage user, group, computer, and computer group accounts. You can define core account settings like name, password, home folder location, and group membership. You can also manage preferences, allowing you to customize the user's experience, granting or restricting access to his or her computer's settings and to network resources.
Workgroup Manager works closely with a directory domain. Directory domains are like databases, only they are specifically geared towards storing account information and handling authentication. For more information about Open Directory, see Chapter 23, Securing Directory Services. For information about using Workgroup Manager, see the User Management guide.
About Open Directory and Active Directory
Snow Leopard Server supports Open Directory and Active Directory domains for client authentication.
Open Directory uses OpenLDAP, the open source implementation of Lightweight Directory Access Protocol (LDAP), to provide directory services. It's compatible with other standards-based LDAP servers, and can be integrated with proprietary services such as Microsoft's Active Directory and Novell's eDirectory. For more information about how to configure these options, see Configuring Open Directory Policies on page 329.
The Active Directory plug-in supports packet signing and packet encryption. Both are set to "allow" by default, which means the plug-in negotiates them with the domain controller; either can be changed to "require" if needed. Also, if you connect to an Active Directory server with Highly Secure (HISEC) templates enabled, you can use third-party tools to further secure your Active Directory connection.
Users can mutually authenticate with Open Directory and Active Directory. Both use Kerberos to authenticate. Kerberos is a ticket-based system that enables mutual authentication: the server must prove its identity to the user's computer as well, which prevents the computer from connecting to rogue servers. To mutually authenticate with Open Directory or Active Directory, users must enable trusted binding.
For more information about Open Directory and Active Directory, see the Open Directory Administration guide.
Securing Directory Accounts
You can modify several account settings to improve security. Check with your organization to ensure that these settings do not conflict with network settings or organizational requirements.
In Workgroup Manager, you can use presets to save your settings as a template for future accounts. If you have settings that apply to several accounts, use presets to expedite the creation of these accounts. Using presets also ensures that you use uniform account settings and helps you avoid configuration errors. For more information, see the User Management guide.
Configuring Directory User Accounts
If you want to manage individual users or if you want those users to have unique identities on your network, create user accounts. Before creating or modifying user accounts, you should have a firm understanding of what the account will be used for and what authentication method you want to use.
To configure user accounts:
1 In Workgroup Manager, click Accounts.
2 Select the directory domain where the account resides by clicking the small globe icon, and then authenticate as the domain administrator. To authenticate, click the lock and enter the name and password of a directory domain administrator.
3 Select the user account you want to work with from the user accounts list.
4 Click Basic.
5 If you want to grant server administration privileges to the user, select "administer this server". Server administration privileges allow the user to use Server Admin and to make changes to a server's search policy using Directory Utility, so grant them only to accounts that need them.
6 Click Advanced, then deselect "Allow simultaneous login on managed computers". By disallowing simultaneous login, you reduce the chances of version conflicts when loading and saving files. This also helps remind users that they should log off computers when they are not using them.
7 Choose the most secure password type available in the User Password Type pop-up menu. If you don't use smart cards, you can choose Open Directory or crypt password. Open Directory is more secure than crypt password. If your network uses Open Directory for authentication, authenticate with it. For more information about Open Directory and crypt passwords, see the Open Directory Administration guide.
Smart cards are also a secure form of authentication. Smart cards provide two-factor authentication, which helps ensure that your accounts are not compromised.
8 If you chose the Open Directory password type, click Options and complete the following:
a In the dialog that appears, select "Disable login on specific date" and enter the date that the user no longer needs the account.
b Select "Disable login after inactive for # days", and replace # with the number of days after which the user no longer needs the account.
c Select "Disable login after user makes # failed attempts", and replace # with 3.
d Select "Allow the user to change the password".
e Select "Password must contain at least # characters", and replace # with 8.
f Select "Password must be reset every # days", and replace # with 90.
g If you want to require the user to create a password during their next login, select "Password must be changed at next login".
h Replace these suggested values with values that meet the requirements of your organization.
i Click OK.
9 Click Groups.
10 Click the Add (+) button to open a drawer listing all available groups, then drag groups from the drawer into the Primary Group ID field or the Other Groups list.
A primary group is the group a user belongs to if the user does not belong to other groups. If a user selects a different workgroup at login, the user still retains access permissions from the primary group.
The ID of the primary group is used by the file system when the user accesses a file he or she doesn't own. The file system checks the file's group permissions, and if the primary group ID of the user matches the ID of the group associated with the file, the user inherits group access permissions.
Adding a user to a group allows the user to access the group's group folder. Carefully choose which groups to add users to. For more information, see Configuring Group Accounts on page 321.
11 Click Home.
12 Select a secure location for the user's home folder in the home list and then enter an appropriate value in the Disk Quota field. By using a disk quota, you prevent a malicious user from performing a denial of service attack by filling the home volume.
13 Click Mail and select None. If you must enable mail, select POP only or IMAP only, but not both. Using fewer protocols reduces the number of possible avenues of attack.
14 Click Info.
15 Do not enter information in the user information fields provided. User information can be used by attackers when they try to compromise the user's account.
16 Click Windows and then click Save.
Configuring Group Accounts
Create groups of individuals with similar access needs. For example, if you create a separate group for each office, you can specify that only members of a certain office can log in to specific computers. When you more specifically define groups, you have greater control over who can use what.
You can grant or deny POSIX or ACL permissions to groups. If you have nested groups, you can propagate ACL permissions to child groups. Groups also have access to group folders, which provide an easy way for group members to share files with each other.
To configure group accounts:
1 In Workgroup Manager, click Accounts.
2 Select the directory domain where the group account resides by clicking the small globe icon, and then authenticate as the domain administrator. To authenticate, click the lock and enter the name and password of a directory domain administrator.
3 Select the group account you want to work with from the group accounts list.
4 In the Members pane, click the Add (+) button to open a drawer that lists the users and groups defined in the directory domain you're working with.
Make sure the group account resides in a directory domain specified in the search policy of computers that the user logs in to.
5 Click Group Folder.
6 In the Address list, select a secure location for the group folder.
7 In the Owner Name fields, enter the short name and long name of the user you want to assign as the owner of the group folder so the user can act as group folder administrator.
To choose an owner from a list of users in the current directory domain, click the browse (...) button. Click the globe icon in the drawer to choose a different directory domain.
The group folder owner is given read/write access to the group folder.
8 Click Save.
Configuring Computer Groups
A computer group comprises computers with the same preference settings. You can use Workgroup Manager to create and modify computer groups.
Every computer on your network should be a member of a computer group. If you don't assign a computer to a computer group, the computer uses the managed preferences for the Guest Computer account. By grouping computers into computer groups, you simplify the task of securing computers on your network.
To configure computer groups:
1 In Workgroup Manager, click Accounts.
2 Select the directory domain where the computer group resides by clicking the small globe icon, and then authenticate as the domain administrator. To authenticate, click the lock and enter the name and password of a directory domain administrator.
3 Select the computer group you want to work with from the computer groups list.
4 Click Members, click the Add (+) button, and then drag computers or computer groups from the drawer to the list. You can also click the browse (...) button, select a computer, and then click Add. Continue adding computers and computer groups until the list is complete.
5 Click Save.
Controlling Network Views
Snow Leopard Server doesn't support managed network views. To manage network views hosted on servers running Tiger Server, use the Workgroup Manager included with Tiger Server.
Chapter 23, Securing Directory Services
Use this chapter to learn how to secure directory service.
Directory services are the backbone of your network's security policy. The granting of access to the information and services on your network should be well planned and thought out.
A directory service provides a central repository for information about computer users and network resources in an organization. Snow Leopard Server uses Open Directory for its directory service.
The directory services provided by Snow Leopard Server use LDAPv3, as do many other servers. LDAPv3 is an open standard common in mixed networks of Macintosh, UNIX, and Windows systems. Some servers use the older version, LDAPv2, to provide directory service.
Open Directory also provides authentication service. It can securely store and validate the passwords of users who want to log in to client computers on your network or use other network resources that require authentication. Open Directory can also enforce policies such as password expiration and minimum length. For more information about passwords and authentication, see Appendix A, Understanding Passwords and Authentication, on page 380.
Open Directory must be set to the proper role and configured to use SSL to encrypt its communications to protect the confidentiality of its authentication data. Password policies can also be enforced by Open Directory.
For more information about understanding and configuring directory and authentication services, see the Open Directory Administration guide.
Open Directory Server Roles
Open Directory can be configured to one of several roles, depending on the server's place in the network and directory structure:
• Standalone Server: This role does not share information with other computers on the network. It is a local directory domain only.
• Connected to a Directory Server: This role allows the server to get directory and authentication information from another server's shared directory domain.
• Open Directory Master: This role provides an Open Directory Password Server, which supports conventional authentication methods required by Snow Leopard Server services. In addition, an Open Directory master can provide Kerberos authentication for single sign-on.
• Open Directory Replica: This role acts as a backup to the Open Directory master. It can provide the same directory and authentication information to other networks as the master. It has a read-only copy of the master's LDAP directory domain.
Configuring the Open Directory Services Role
If the server is not a directory server, make sure the LDAP server is stopped using Server Admin. To stop the LDAP server, set the Open Directory role to Standalone Server. This prevents Open Directory from engaging in unnecessary network communications. On a newly installed server, the LDAP server should be stopped by default, but verification is recommended.
To configure the Open Directory role:
1 Open Server Admin and connect to the server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click General.
4 Click Change. The Service Configuration Assistant opens.
5 Choose a role, then click Continue.
6 Confirm the Open Directory configuration settings, then click Continue.
7 If the server was an Open Directory master and you are sure that users and services no longer need access to the directory data stored in the shared directory domain that the server has been hosting, click Close.
8 Click the Open Directory Utility button to configure access to directory systems.
9 If the server you're configuring has access to a directory system that also hosts a Kerberos realm, you can join the server to the Kerberos realm. To join the Kerberos realm, you need the name and password of a Kerberos administrator or a user who has the authority to join the realm.
10 Click Save.
From the command line:

    # ---------------------------------------------------------------------
    # Securing Directory Services
    # ---------------------------------------------------------------------
    # Configure the Open Directory role (here, create a master with its directory administrator):
    sudo slapconfig -createldapmasterandadmin $ADMIN $ADMIN_FULL_NAME $ADMIN_UID $SEARCH_BASE $REALM

Starting Kerberos After Setting Up an Open Directory Master
If Kerberos doesn't start when you set up an Open Directory master, you can use Server Admin to start it manually, but first you must fix the problem that prevented Kerberos from starting. Usually the problem is that the DNS service isn't correctly configured or isn't running.
Note: After you manually start Kerberos, users whose accounts have Open Directory passwords and were created in the Open Directory master's LDAP directory while Kerberos was stopped might need to reset their passwords the next time they log in. A user account is affected only if all recoverable authentication methods for Open Directory passwords were disabled while Kerberos was stopped.
To start Kerberos manually on an Open Directory master:
1 Open Server Admin and connect to the server.
2 Select Open Directory in the Computers & Services list.
3 Click Refresh (or choose View > Refresh) and verify the status of Kerberos as reported in the Overview pane. If Kerberos is running, there's nothing more to do.
4 Verify that the DNS name and address resolve by using Network Utility (in /Applications/Utilities/) to do a DNS lookup of the Open Directory master's DNS name and a reverse lookup of the IP address. If the server's DNS name or IP address doesn't resolve correctly:
• In the Network pane of System Preferences, look at the TCP/IP settings for the server's primary network interface (usually built-in Ethernet). Make sure the first DNS server listed is the one that resolves the Open Directory server's name.
• Check the configuration of DNS service and make sure it's running.
5 In Server Admin, select Open Directory for the master server, click Settings, then click General.
6 Click Kerberize, then enter the following information:
• Administrator Name and Password: You must authenticate as an administrator of the Open Directory master's LDAP directory.
• Realm Name: This field is preset to be the same as the server's DNS name converted to capital letters. This is the convention for naming a Kerberos realm. If necessary, you can enter a different name.
From the command line:

    # Start Kerberos manually on an Open Directory master:
    sudo kdcsetup -a $ADMIN $REALM

Configuring Open Directory for SSL
Using Server Admin, you can enable Secure Sockets Layer (SSL) for encrypted communications between an Open Directory server's LDAP directory domain and the computers that access it. SSL uses a digital certificate to provide a certified identity for the server. You can use a self-signed certificate or a certificate obtained from a CA.
SSL communications for LDAP use port 636. If SSL is disabled for LDAP service, communications are sent as clear text on port 389.
To set up SSL communications for LDAP service:
1 Open Server Admin and connect to the Open Directory master or an Open Directory replica server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click LDAP.
4 From the Configure pop-up menu, choose LDAP Settings, then select Enable SSL.
5 Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use. The menu lists all SSL certificates installed on the server. To use a certificate not listed, choose Custom Configuration from the pop-up menu.
6 Click Save.
From the command line:
The following steps describe the command-line method for creating certificates. For information about defining, obtaining, and installing certificates on your server using Certificate Manager in Server Admin, see Readying Certificates on page 168.
To create an Open Directory service certificate:
1 Generate a private key for the server in the /usr/share/certs/ folder. If the /usr/share/certs folder does not exist, create it. Keep the key file readable only by root; anyone who can read it can impersonate the LDAP server.

    sudo openssl genrsa -out ldapserver.key 2048

2 Generate a CSR for the CA to sign:

    sudo openssl req -new -key ldapserver.key -out ldapserver.csr

3 Fill out the following fields as completely as possible, making certain that the Common Name field matches the DNS name of the LDAP server exactly, because that is the name clients check the certificate against:
Country Name:
State or Province Name:
Locality Name (city):
Organization Name:
Organizational Unit:
Common Name:
Email Address:
Leave the challenge password and optional company name blank.
4 Sign the ldapserver.csr request with the openssl command. This uses the CA configured in the openssl configuration file:

    sudo openssl ca -in ldapserver.csr -out ldapserver.crt

5 When prompted, enter the CA passphrase to continue and complete the process.
The certificate files needed to enable SSL on the LDAP server are now in the /usr/share/certs/ folder.
6 Open Server Admin.
7 In the Computers & Services list, select Open Directory for the server that is an Open Directory master or an Open Directory replica.
8 Click Settings.
9 Click Protocols.
10 From the Configure pop-up menu, choose LDAP Settings.
11 Select "Enable Secure Sockets Layer (SSL)".
12 Use the Certificate pop-up menu to choose an SSL certificate that you want LDAP service to use. The menu lists SSL certificates that have been installed on the server. To use a certificate not listed, choose Custom Configuration from the pop-up menu.
13 Click Save.
Configuring Open Directory Policies
You can set password, binding, and security policies for an Open Directory master and its replicas. You can also set several LDAP options for an Open Directory master or replica. For more information about configuring policies, see Configuring Directory User Accounts on page 319.
Setting the Global Password Policy
Using Server Admin, you can set a global password policy for user accounts in a Snow Leopard Server directory domain. The global password policy affects user accounts in the server's local directory domain. If the server is an Open Directory master or replica, the global password policy also affects user accounts that have an Open Directory password type in the server's LDAP directory domain.
If you change the global password policy on an Open Directory replica, the policy settings become synchronized with the master and the other replicas.
Administrator accounts are exempt from password policies. Each user can have a password policy that overrides global password policy settings. For more information, see Password Policies on page 387.
Kerberos and Open Directory Password Server maintain password policies separately. Snow Leopard Server synchronizes the Kerberos password policy rules with Open Directory Password Server password policy rules.
To change the global password policy of user accounts in the same domain:
1 Open Server Admin and connect to an Open Directory master or replica server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click Policy.
4 Click Passwords. This allows you to set the password policy options you want enforced for users who do not have individual password policies.
5 Select the following:
• After user makes 3 failed attempts.
• Differ from account name.
• Contain at least one letter.
• Contain at least one numeric character.
• Be reset on first user login.
• Contain at least 12 characters.
• Differ from last 3 passwords used.
• Be reset every 3 months.
Note: If you select an option that requires resetting the password, remember that some service protocols don't permit users to change passwords. For example, users can't change their passwords when authenticating for IMAP mail service.
6 Click Save.
Replicas of the Open Directory master automatically inherit its global password policy.
From the command line:

    #
    # Change the global password policy of user accounts in the same domain
    # (131487 minutes is the 3-month rotation chosen above).
    # ----------------------------------
    sudo pwpolicy -a $ADMIN_USER -setglobalpolicy "usingHistory=3 requiresAlpha requiresNumeric maxMinutesUntilChangePassword=131487 minChars=12 maxFailedLoginAttempts=3"

Setting a Binding Policy for an Open Directory Master and Replicas
Using Server Admin, you can configure an Open Directory master to permit or require trusted binding between the LDAP directory and the computers that access it. Replicas of an Open Directory master inherit the master's binding policy.
Trusted LDAP binding is mutually authenticated. The computer proves its identity by using an LDAP directory administrator's name and password to authenticate to the LDAP directory. The LDAP directory proves its authenticity by means of an authenticated computer record created in the directory when you set up trusted binding.
Clients can't be configured to use trusted LDAP binding and a DHCP-supplied LDAP server (also known as DHCP option 95). Trusted LDAP binding is inherently a static binding, but DHCP-supplied LDAP is a dynamic binding.
Note: To use trusted LDAP binding, clients need Tiger or Tiger Server or later. Clients using Mac OS X v10.3 or earlier can't set up trusted binding.
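As an added example for the certificate steps in Configuring Open Directory for SSL above (not code from the Apple guide), the script below does the same key and CSR generation non-interactively with a -subj string, refuses to continue if the Common Name does not match the LDAP server's DNS name, creates the key with mode 0600, and after signing checks that the certificate really belongs to the key. It signs with a CA only when you pass an openssl CA configuration file; otherwise it self-signs, which is the self-signed option the section mentions. The host name, organization and output directory are the caller's inputs; nothing about a particular server is assumed.

```shell
#!/bin/sh
# Added example, not from the Apple guide: non-interactive version of the
# OpenSSL steps for an LDAP server certificate, with the checks a deployment
# should make before the certificate is selected in Server Admin.
set -eu

# cert_subject HOST ORG COUNTRY
# Builds the -subj string for "openssl req". The CN must be the LDAP
# server's DNS name exactly; that is what LDAP clients verify.
cert_subject() {
    printf '/C=%s/O=%s/CN=%s' "$3" "$2" "$1"
}

# subject_cn SUBJECT
# Extracts the CN from either "/C=US/.../CN=host" or the
# "subject=C = US, ..., CN = host" form newer OpenSSL versions print.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cn_matches_host SUBJECT HOST: succeeds only if the CN equals HOST exactly.
cn_matches_host() {
    [ "$(subject_cn "$1")" = "$2" ]
}

# cert_cn CERTFILE: CN of a PEM certificate.
cert_cn() {
    subject_cn "$(openssl x509 -noout -subject -in "$1")"
}

# key_matches_cert KEYFILE CERTFILE: succeeds if both carry the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# make_ldap_cert HOST ORG COUNTRY DIR [CA_CONFIG]
# Writes ldapserver.key (mode 0600), ldapserver.csr and ldapserver.crt in
# DIR. With CA_CONFIG the CSR is signed by that CA in batch mode; without it
# the certificate is self-signed for 365 days.
make_ldap_cert() {
    host="$1"; org="$2"; country="$3"; dir="$4"; ca_conf="${5:-}"
    subj=$(cert_subject "$host" "$org" "$country")
    cn_matches_host "$subj" "$host" || { echo "CN does not match $host" >&2; return 1; }
    mkdir -p "$dir"
    (umask 077 && openssl genrsa -out "$dir/ldapserver.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/ldapserver.key" -subj "$subj" -out "$dir/ldapserver.csr"
    if [ -n "$ca_conf" ]; then
        openssl ca -batch -config "$ca_conf" -in "$dir/ldapserver.csr" -out "$dir/ldapserver.crt"
    else
        openssl x509 -req -days 365 -in "$dir/ldapserver.csr" \
            -signkey "$dir/ldapserver.key" -out "$dir/ldapserver.crt" 2>/dev/null
    fi
    # A certificate that does not match the key is useless to the LDAP server
    # and usually means the wrong CSR was signed.
    key_matches_cert "$dir/ldapserver.key" "$dir/ldapserver.crt"
}
```

Run as root, `make_ldap_cert ldap.example.com "Example Corp" US /usr/share/certs` produces the three files the section's steps leave in /usr/share/certs/, after which the certificate is chosen in the LDAP Settings pane as in steps 6 to 13.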
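The script below is an added example, not code from the Apple guide, for the Setting the Global Password Policy section above and for the per-user password options in step 8 of Configuring Directory User Accounts. It builds the pwpolicy strings for both (converting the 90-day and inactivity values to the minutes pwpolicy expects) and audits a policy string against the baseline the guide selects, printing each requirement that is not met. The guide's own command uses only usingHistory, requiresAlpha, requiresNumeric, maxMinutesUntilChangePassword, minChars and maxFailedLoginAttempts; the additional key names here (passwordCannotBeName, newPasswordRequired, canModifyPasswordforSelf, maxMinutesOfNonUse) and the assumption that pwpolicy -getglobalpolicy prints space-separated key=value pairs come from the pwpolicy tool, not from this page.

```shell
#!/bin/sh
# Added example, not from the Apple guide: build and audit Open Directory
# password policies as pwpolicy "key=value ..." strings.
set -eu

minutes_from_days() { echo $(( $1 * 1440 )); }

# global_policy_baseline [ROTATE_MINUTES]
# The global policy the guide selects in Server Admin. 131487 minutes is the
# value the guide's own pwpolicy command uses for "reset every 3 months".
# passwordCannotBeName and newPasswordRequired are pwpolicy key names for
# "Differ from account name" and "Be reset on first user login" (assumed).
global_policy_baseline() {
    printf 'maxFailedLoginAttempts=3 passwordCannotBeName=1 requiresAlpha=1 requiresNumeric=1 newPasswordRequired=1 minChars=12 usingHistory=3 maxMinutesUntilChangePassword=%s\n' "${1:-131487}"
}

# user_policy MAX_FAILED MIN_CHARS ROTATE_DAYS INACTIVE_DAYS
# Per-user policy matching step 8 of "Configuring Directory User Accounts"
# (the expiry-date option is left to the GUI). Key names assumed from pwpolicy.
user_policy() {
    printf 'canModifyPasswordforSelf=1 maxFailedLoginAttempts=%s minChars=%s maxMinutesUntilChangePassword=%s maxMinutesOfNonUse=%s\n' \
        "$1" "$2" "$(minutes_from_days "$3")" "$(minutes_from_days "$4")"
}

# policy_value POLICY KEY: value of KEY in a "k=v k=v ..." string, or empty.
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# audit_password_policy POLICY
# One line per baseline requirement the policy fails; nothing when compliant.
# A rotation value of 0 means "never", so it is treated as a failure.
audit_password_policy() {
    p="$1"
    _want() { # _want KEY MODE LIMIT   MODE: eq | atleast | nonzero_atmost
        v=$(policy_value "$p" "$1"); ok=0
        case "$2" in
            eq)             if [ "$v" = "$3" ]; then ok=1; fi ;;
            atleast)        if [ -n "$v" ] && [ "$v" -ge "$3" ] 2>/dev/null; then ok=1; fi ;;
            nonzero_atmost) if [ -n "$v" ] && [ "$v" -gt 0 ] 2>/dev/null && [ "$v" -le "$3" ] 2>/dev/null; then ok=1; fi ;;
        esac
        if [ "$ok" != 1 ]; then printf '%s: have "%s", want %s %s\n' "$1" "$v" "$2" "$3"; fi
    }
    _want maxFailedLoginAttempts nonzero_atmost 3
    _want passwordCannotBeName eq 1
    _want requiresAlpha eq 1
    _want requiresNumeric eq 1
    _want newPasswordRequired eq 1
    _want minChars atleast 12
    _want usingHistory atleast 3
    _want maxMinutesUntilChangePassword nonzero_atmost 131487
}

# apply_policies ADMIN USER: what an administrator runs on the server.
apply_policies() {
    sudo pwpolicy -a "$1" -setglobalpolicy "$(global_policy_baseline)"
    sudo pwpolicy -a "$1" -u "$2" -setpolicy "$(user_policy 3 8 90 30)"
}

# audit_server: audit the live global policy (assumes the space-separated
# key=value output of pwpolicy -getglobalpolicy).
audit_server() {
    audit_password_policy "$(sudo pwpolicy -getglobalpolicy)"
}
```

Running audit_server on every Open Directory master and replica from a scheduled job catches a policy that was relaxed in Server Admin or never synchronized to a replica. Remember that administrator accounts are exempt from the global policy whatever it says, so they need per-user policies or a separate review.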
To set the binding policy for an Open Directory master:
1 Open Server Admin and connect to the Open Directory master server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select Open Directory.
4 Click Settings, then click Policy.
5 Click Binding, then set the directory binding options you want:
• To permit trusted binding, select "Enable authenticated directory binding".
• To require trusted binding, also select "Require authenticated binding between directory and clients".
6 Click Save.
Important: If you enable "Encrypt all packets (requires SSL or Kerberos)" and "Enable authenticated directory binding", make sure users use only one for binding and not both.
From the command line:

    #
    # Set the binding policy for an Open Directory master.
    # ---------------------------------
    sudo slapconfig -setmacosxodpolicy -binding required

Setting a Security Policy for an Open Directory Master and Replicas
Using Server Admin, you can configure a security policy for access to the LDAP directory of an Open Directory master. Replicas of the Open Directory master inherit the master's security policy.
Note: If you change the security policy for the LDAP directory of an Open Directory master, you must disconnect and reconnect (unbind and rebind) every computer connected (bound) to this LDAP directory using Directory Utility.
To set the security policy for an Open Directory master:
1 Open Server Admin and connect to the Open Directory master server.
2 Select Open Directory in the Computers & Services list.
3 Click Settings, then click Policy.
4 Click Binding, then set the security options you want:
• "Disable clear text passwords" determines whether clients can send passwords as clear text if the passwords can't be validated using any authentication method that sends an encrypted password.
• "Digitally sign all packets (requires Kerberos)" ensures that directory data from the LDAP server can't be intercepted and modified by another computer while en route to client computers.
• "Encrypt all packets (requires SSL or Kerberos)" requires the LDAP server to encrypt directory data using SSL or Kerberos before sending it to client computers.
• "Block man-in-the-middle attacks (requires Kerberos)" protects against a rogue server posing as the LDAP server. Best if used with the "Digitally sign all packets" option.
• "Disable client-side caching" prevents client computers from caching LDAP data locally.
• "Allow users to edit their own contact information" permits users to change contact information on the LDAP server.
5 Click Save.
From the command line:

    #
    # Set the security policy for an Open Directory master.
    # ----------------------------------------
    sudo slapconfig -setmacosxodpolicy -cleartext blocked -encrypt yes -sign yes -man-in-the-middle blocked -clientcaching no

Chapter 24, Securing RADIUS
Use this chapter to learn how to secure RADIUS.
By configuring a RADIUS (Remote Authentication Dial In User Service) server with Open Directory, you can secure your wireless environment from unauthorized users.
Wireless networking gives companies greater network flexibility, seamlessly connecting laptop users to the network and giving them the freedom to move within the company while staying connected to the network. This chapter describes how to configure and use RADIUS to keep your wireless network secure and to make sure it is used only by authorized users.
Disabling RADIUS
If your server is not intended to be a RADIUS server, disable RADIUS. Disabling the service removes an avenue of attack on your computer. RADIUS is disabled by default, but verification is recommended.
To disable RADIUS:
1 Open Server Admin and connect to the server.
2 Select RADIUS in the Computers & Services list.
3 Click Stop RADIUS.
4 Click Save.
From the command line:

    # ---------------------------------------------------------------------
    # Securing RADIUS Service
    # ---------------------------------------------------------------------
    # Disable RADIUS
    sudo serveradmin stop radius
Chapter24SecuringRADIUSSecurelyConfiguringRADIUSServiceRADIUSisusedtoauthorizeOpenDirectoryusersandgroupssotheycanaccessAirportBaseStationsonanetwork.ByconfiguringRADIUSandOpenDirectoryyoucancontrolwhohasaccesstoyourwirelessnetwork.RADIUSworkswithOpenDirectoryandPasswordServertograntauthorizedusersaccesstothenetworkthroughanAirportBaseStation.WhenauserattemptstoaccessanAirportBaseStation,AirportcommunicateswiththeRADIUSserverusingExtensibleAuthenticationProtocol(EAP)toauthenticateandauthorizetheuser.UsersaregivenaccesstothenetworkiftheirusercredentialsarevalidandtheyareauthorizedtousetheAirportBaseStation.Ifauserisnotauthorized,heorshecannotaccessthenetworkthroughtheAirportBaseStation.ConfiguringRADIUStoUseCertificatesToincreasesthesecurityandmanageabilityofAirportBaseStations,useServerAdmintoconfigureRADIUStousecustomcertificates.UsingacertificateincreasesthesecurityandmanageabilityofAirportBaseStations.Touseacustomcertificate:1 OpenServerAdminandconnecttotheserver.2 SelectRADIUSintheComputers&Serviceslist.3 ClickSettings.4 FromtheRADIUSCertificatepop-upmenu,chooseacertificate.Ifyouhaveacustomcertificate,chooseCustomConfigurationfromtheCertificatepop-upmenuandenterthepathtothecertificatefile,privatekeyfile,andcertificateauthorityfile.Iftheprivatekeyisencrypted,entertheprivatekeypassphraseandclickOK.Ifyoudonthaveacertificateandwanttocreateone,clickManageCertificates.Formoreinformationaboutcreatingcertificates,seeChapter9,ManagingCertificates.5 ClickSave.Fromthecommandline:# Use a custom certificate:sudo serveradmin settings radius:eap.conf:CA_file = "/etc/certificates/$CA_CRT"sudo serveradmin settings radius:eap.conf:private_key_file = "/etc/certificates/$KEY"sudo serveradmin settings radius:eap.conf:private_key_password = "$PASS"sudo serveradmin settings radius:eap.conf:certificate_file = "/etc/certificates/$CERT"Chapter24SecuringRADIUS 
335EditingRADIUSAccessYoucanrestrictaccesstoRADIUSbycreatingagroupofusersandaddingthemtotheserviceaccesscontrollist(SACL)ofRADIUS.ToeditRADIUSaccess:1 OpenServerAdminandconnecttotheserver.2 SelectRADIUSintheComputers&Serviceslist.3 ClickSettings,thenclickEditAllowedUsers.4 SelectForselectedservicesbelow,thenselectRADIUS.5 SelectAllowonlyusersandgroupsbelow.6 ClicktheAdd(+)button.7 FromtheUsersandGroupslist,dragusersorgroupsofuserstotheAllowonlyusersandgroupsbelowlist.IfyouwanttoremoveusersfromtheAllowonlyusersandgroupsbelowlist,selecttheusersorgroupsofusersandclicktheDelete(-)button.TheusersinthislistaretheonlyoneswhocanuseRADIUS.Fromthecommandline:ViewingRADIUSServiceLogsRADIUSloggingisimportantforsecurity.Withlogs,youcanmonitorandtrackcommunicationthroughRADIUS.YoucanaccesstheRADIUSlog,/var/log/system.log,usingServerAdmin.ToviewtheRADIUSlog:1 OpenServerAdminandconnecttotheserver.2 SelectRADIUSintheComputers&Serviceslist.3 ClickLogsandthenchoosealogfromtheViewpop-upmenu.## Edit RADIUS access.# -------------------sudo dseditgroup -o edit -a $USER -t user com.apple.access_radius336 Chapter24SecuringRADIUSFromthecommandline:## View the RADIUS log# ---------------------------sudo tail /var/log/radius/radius.log25 33725 
25 Securing Print Service
Use this chapter to learn how to secure print service.
Print service is often an overlooked part of a security configuration. Important information passes into your networked printers, so it is important that your printers are not misused.
With a print server, you can share printers by setting up print queues accessible by any number of users over a network connection. When a user prints to a shared queue, the print job waits on the server until the printer is available or until established scheduling criteria are met.
Apple's printing infrastructure is built on Common UNIX Printing System (CUPS). CUPS uses open standards such as Internet Printing Protocol (IPP) and PostScript Printer Description files (PPDs).
For more information about configuring print service, see the Print Server Administration guide.

Disabling Print Service
If your server is not intended to be a print server, disable the print server software. Disabling the service prevents potential vulnerabilities on your computer. Print service is disabled by default, but verification is recommended.
To disable print service:
1 Open Server Admin and connect to the server.
2 Select Print in the Computers & Services list.
3 Click Stop Print.
From the command line:

    # Disable print service.
    sudo serveradmin stop print

Securing Print Service
To increase security of your print service, configure service access controls and Kerberos.

Configuring Print Service Access Control Lists (SACLs)
You can configure SACLs using Server Admin. SACLs enable you to specify which administrators have access to print service.
SACLs provide you with greater control over which administrators have access to monitor and manage a service. The users and groups listed in a service's SACL are the only ones who can access the service.
For example, to give administrator access to users or groups for the print service on your server, add them to the print service SACL.
To set administrator SACL permissions for print service:
1 Open Server Admin and connect to the server.
2 Select the server's name.
3 Click Access.
4 Click Administrators.
5 Select the level of restriction that you want for the services.
To restrict access to all services, select For all services.
To set access permissions for individual services, select For selected services below and then select print service from the Service list.
6 To open the Users and Groups list, click the Add (+) button.
7 Drag users and groups from Users and Groups to the list.
8 Set the user's permission.
To grant administrator access, choose Administrator from the Permission pop-up menu next to the user name.
To grant monitoring access, choose Monitor from the Permission pop-up menu next to the user name.
9 Click Save.
From the command line:

    # Set administrator SACL permissions for print service:
    sudo dseditgroup -o edit -a $USER -t user com.apple.monitor_print

Configuring Kerberos
You can configure Kerberos support for print service IPP shared queues using CUPS v1.3 online web tools. The print service then uses the local Kerberos server to authorize clients to print.
For your client computers to use Kerberos with print service, the clients must be part of the same Kerberos realm. For information on how to join your client computers to a Kerberos realm, see Open Directory Administration.
In addition to joining the Kerberos realm, client computers must also use CUPS online web tools to configure Kerberos settings. The steps for configuring CUPS are the same on the client and server computers.
To configure Kerberos for print service:
1 Open Safari browser.
2 Navigate to the CUPS online web administration tool at http://localhost:631.
3 Click the Administration tab.
4 Under Basic Server Settings, select the Use Kerberos Authentication checkbox.
5 Click Change Settings and authenticate if prompted.
Print service is restarted and Kerberos is enabled.
You can also edit the configuration file in CUPS by clicking Edit Configuration File in the Administration tab to open the /etc/cups/cupsd.conf file. Change the default authentication type from Basic to Negotiate, as shown:

    # Default authentication type, when authentication is required
    DefaultAuthType Negotiate

From the command line:

    # Configure Kerberos for print service.
    sudo serveradmin settings print:authType = KERBEROS

Configuring Print Queues
If print service is required, create a print queue for shared printers that is accessible by users over a network connection.
AppleTalk and Line Printer Remote (LPR) printer queues do not support authentication. Print service relies on the client to provide user information. Although standard Macintosh and Windows clients provide correct information, a clever user could potentially modify the client to submit false information and avoid print quotas.
SMB service supports authentication, requiring users to log in before using SMB printers. Print service uses Basic and Digest (MD5) authentication and supports the IPP print job submission method.
You can share any printer that is set up in a print queue on the server. You create print queues using Server Admin.
To create a print queue:
1 Open Server Admin and connect to the server.
2 Select Print in the Computers & Services list.
3 Click Queues.
4 Click the Add (+) button to add a print queue for a specific printer, and provide the following printer information for the printer the queue is created for:
From the pop-up menu, choose the protocol used by the printer.
For an LPR printer, enter the printer IP address or DNS name and click OK.
For an Open Directory printer, select the printer in the list and click OK.
5 Enter the Internet address or DNS name for the printer.
If you don't want to use the printer's default queue, deselect Use default queue on server, enter a queue name, and click OK.
6 Select the queue you added to the queue list.
To verify that you selected the correct queue, make sure the queue name matches the name next to Printer.
Note: Changing the Sharing Name also changes the queue name that appears in Print & Fax preferences on the server.
7 In the Sharing Name field, enter the queue name you want clients to see.
Make sure the name is compatible with naming restrictions imposed by your clients. For example, some LPR clients do not support names that contain spaces, and some Windows clients restrict names to 12 characters.
Queue names shared using LPR or SMB must not contain characters other than A-Z, a-z, 0-9, and _ (underscore).
AppleTalk queue names cannot be longer than 32 bytes. This might be fewer than 32 typed characters. The queue name is encoded according to the language used on the server and might not be readable on client computers using another language.
8 Select the printing protocols your clients use.
If you select SMB, make sure you start SMB service.
9 If you want to enforce the print quotas you establish for users in Workgroup Manager, select the Enforce quotas for this queue checkbox.
10 If you want the printer to create a cover sheet, choose the title of the cover sheet from the Cover Sheet pop-up menu; otherwise, choose None.
11 Click Save.
From the command line:

    # Configure a print queue.
    sudo serveradmin settings print:lprQueues:_array_index:0 = $PRINTER_SHARING_NAME
    sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingName = $PRINTER_SHARING_NAME
    sudo serveradmin settings print:queuesArray:_array_id:example_com:quotasEnforced = yes
    sudo serveradmin settings print:queuesArray:_array_id:example_com:showNameInBonjour = no
    sudo serveradmin settings print:queuesArray:_array_id:example_com:defaultCoverPage = "classified"
    sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:service = "IPP"
    sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:sharingEnable = yes
    sudo serveradmin settings print:queuesArray:_array_id:example_com:printerURI = "lpd://example.com"
    sudo serveradmin settings print:queuesArray:_array_id:example_com:shareable = yes
    sudo serveradmin settings print:queuesArray:_array_id:example_com:printerName = "example_com"
    sudo serveradmin settings print:useRemoteQueues = yes
    sudo serveradmin settings print:coverPageNames:_array_index:0 = "classified"

Viewing Print Service and Queue Logs
Print service keeps two types of logs: a print service log and individual print queue logs.
- The print service log records the time of events such as when print service is started and stopped and when a print queue is put on hold.
- A print queue log records information such as the name of users who submitted jobs and the size of each job.
You can view print service logs using Server Admin.
To view print service logs:
1 Open Server Admin and connect to the server.
2 Select Print in the Computers & Services list.
3 Click Logs.
Use the Filter field to search for specific entries.
From the command line:

    # View print service logs.
    sudo tail /Library/Logs/PrintService/PrintService_admin.log
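The sharing-name restrictions listed in step 7 of "Configuring Print Queues" (the LPR/SMB character set, the 12-character limit of some Windows clients, and the 32-byte encoded limit for AppleTalk) are easy to get wrong by hand. The checker below is an added example, not part of the guide; it treats the Windows limit as applying whenever SMB sharing is selected (an assumption), uses UTF-8 to stand in for the server's language encoding, and the queue names it tests are constructed.

```python
import re

# Rules taken from the "Configuring Print Queues" steps: the character set and
# the two size limits are the ones the guide states.
LPR_SMB_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # A-Z, a-z, 0-9 and _ only
WINDOWS_MAX_CHARS = 12    # "some Windows clients restrict names to 12 characters"
APPLETALK_MAX_BYTES = 32  # AppleTalk limit applies to the encoded name, not typed characters


def check_sharing_name(name, protocols, server_encoding="utf-8"):
    """Return the list of restrictions `name` violates for the sharing
    protocols in `protocols` (a set drawn from "IPP", "LPR", "SMB", "AppleTalk").
    An empty list means the name is acceptable for every protocol selected.
    Assumption: the Windows-client limit is checked whenever SMB is selected;
    `server_encoding` stands in for the language encoding used on the server."""
    problems = []
    if not name.strip():
        return ["sharing name is empty"]
    if protocols & {"LPR", "SMB"} and not LPR_SMB_NAME_RE.match(name):
        # This also catches spaces, which some LPR clients do not support.
        problems.append("LPR/SMB names may contain only A-Z, a-z, 0-9 and _")
    if "SMB" in protocols and len(name) > WINDOWS_MAX_CHARS:
        problems.append("some Windows clients restrict names to %d characters"
                        % WINDOWS_MAX_CHARS)
    if "AppleTalk" in protocols:
        encoded = name.encode(server_encoding, errors="replace")
        if len(encoded) > APPLETALK_MAX_BYTES:
            problems.append("AppleTalk names are limited to %d bytes; this one "
                            "encodes to %d" % (APPLETALK_MAX_BYTES, len(encoded)))
    return problems


def suggest_name(name, protocols):
    """Derive a name that passes check_sharing_name() for `protocols`:
    characters outside the LPR/SMB set become '_', and the result is trimmed
    to the Windows limit when SMB is selected and to 32 UTF-8 bytes for AppleTalk."""
    candidate = name
    if protocols & {"LPR", "SMB"}:
        candidate = re.sub(r"[^A-Za-z0-9_]", "_", candidate)
    if "SMB" in protocols:
        candidate = candidate[:WINDOWS_MAX_CHARS]
    if "AppleTalk" in protocols:
        while len(candidate.encode("utf-8")) > APPLETALK_MAX_BYTES:
            candidate = candidate[:-1]  # drop whole characters, never split a byte sequence
    return candidate or "queue"


# Constructed sample: 15 typed characters, but 45 bytes once UTF-8 encoded.
JAPANESE_QUEUE_NAME = "会議室プリンタ第三会議室用共有"
```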
26 Securing Multimedia Services
Use this chapter to learn how to secure multimedia services.
Protecting QuickTime multimedia streams and only allowing access to those who are authorized to view them can help keep information private. The following section helps you understand and configure QuickTime Streaming Server (QTSS) securely.
Streaming is the delivery of media, such as movies and live presentations, over a network in real time. A computer (streaming server) sends the media to another computer (client computer), which plays the media as it is delivered.
With QTSS software, you can deliver:
- Broadcasts of live events in real time
- Video on demand
- Playlists of prerecorded content
A level of security is inherent in real-time streaming, because content is delivered only as the client needs it and no files remain afterward, but you might need to address some security issues.
For more information about configuring multimedia services, see the QuickTime Streaming and Broadcasting Administration guide.

Disabling QTSS
If your server is not intended to be a QuickTime streaming server, disable the QuickTime Streaming server software. Disabling the software prevents potential vulnerabilities on your computer. QTSS is disabled by default, but verification is recommended.
To disable QTSS:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Stop QuickTime Streaming.
From the command line:

    # Disable QTSS.
    sudo serveradmin stop qtss

Securely Configuring QTSS
A level of security is inherent in real-time streaming because content is delivered only as the client needs it and no files remain afterward. However, you might need to address some security issues.
The streaming server uses the IETF standard RTSP/RTP protocols. RTSP runs on top of TCP and RTP runs on UDP. Many firewalls are configured to restrict TCP packets by port number, and are very restrictive on UDP.
There are three options for streaming through firewalls with QTSS. These options are not mutually exclusive. Typically one or more are used to provide the most flexible setup. The three configurations outlined below are for clients behind a firewall.
- Stream via port 80: This option enables the streaming server to encapsulate RTSP and RTP traffic inside TCP port 80 packets. Because this is the default port used for HTTP-based web traffic, the streamed content gets through most firewalls. However, encapsulating the streaming traffic lowers performance on the network and requires faster client connections to maintain streams. It also increases load on the server.
- Open the appropriate ports on the firewall: This option allows the streaming server to be accessed via RTSP/RTP on the default ports, and provides better use of network resources, lower speeds for client connections, and less load on the server. The ports that must be open include:
  - TCP port 80: Used for signaling and streaming RTSP/HTTP (if enabled on server).
  - TCP port 554: Used for RTSP.
  - UDP ports 6970-9999: Used for UDP streaming. A smaller range of UDP ports, typically 6970-6999, can usually be used.
  - TCP port 7070: Optionally used for RTSP. (RealServer uses this port; QTSS/Darwin can also be configured to use this port.)
  - TCP ports 8000 and 8001: Can be opened for Icecast MP3 streaming.
- Set up a streaming proxy server: The proxy server is placed in the network demilitarized zone (DMZ), an area on the network that is between an external firewall that connects to the Internet and an internal firewall between the DMZ and the internal network. Using firewall rules, packets with the ports defined above are allowed from the proxy server to clients through the internal firewall, and also between the proxy server and the Internet via the external firewall. However, clients are not allowed to make direct connections to external resources over those ports. This approach ensures that all packets bound for the internal network come through the proxy server, providing an additional layer of network security.

Configuring a Streaming Server
If you require QTSS, configure it in conjunction with your firewall and bind it to a single IP address.
To configure a streaming server:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings.
3 Click IP Binding.
By binding QTSS with an IP address, you can easily track network activity. You can also configure the firewall to restrict network access to this IP address. IP binding is also helpful when your server is multihomed (for example, if you're also hosting a web server).
4 Select the IP address from the list.
5 Click Save.
6 Click Start QuickTime Streaming.
From the command line:

    # Configure a streaming server.
    sudo serveradmin settings qtss:server:bind_ip_addr:_array_index:0 = "$BIND_IP_ADDRESS"

Serving Streams Through Firewalls Using Port 80
If you are setting up a streaming server on the Internet and some of your clients are behind firewalls that allow only web traffic, enable streaming on port 80. With this option, the streaming server accepts connections on port 80, the default port for web traffic, and QuickTime clients can connect to your streaming server even if they are behind a web-only firewall.
If you enable streaming on port 80, make sure you disable any web server with the same IP address to avoid conflicts with your streaming server.
To serve QuickTime streams over HTTP port 80:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings.
3 Click IP Bindings.
4 Select Enable streaming on port 80.
Streaming for selected addresses must be enabled.
Important: If you enable streaming on port 80, make sure your server is not also running a web server, such as Apache. Running QTSS and a web server with streaming on port 80 enabled can cause a port conflict that results in one or both servers not behaving properly.
From the command line:

    # Serve QuickTime streams over HTTP port 80.
    # With no setting on the command line, serveradmin reads the settings from standard input.
    sudo serveradmin settings << EOF
    qtss:server:rtsp_port:_array_index:0 = 554
    qtss:server:rtsp_port:_array_index:1 = 80
    qtss:server:rtsp_port:_array_index:2 = 8000
    qtss:server:rtsp_port:_array_index:3 = 8001
    EOF

Streaming Through Firewalls or Networks with Address Translation
The streaming server sends data using UDP packets. Firewalls designed to protect information on a network often block UDP packets. As a result, client computers located behind a firewall that blocks UDP packets can't receive streamed media.
However, the streaming server also allows streaming over HTTP connections, which allows streamed media to be viewed through even very tightly configured firewalls. Some client computers on networks that use address translation cannot receive UDP packets, but they can receive media that's streamed over HTTP connections.
If users have problems viewing media through a firewall or via a network that uses address translation, have them upgrade their client software to QuickTime 5 or later. If users still have problems, have their network administrators provide them with the relevant settings for the streaming proxy and streaming transport settings on their computers. Network administrators can also set firewall software to permit RTP and RTSP throughput.

Changing the Password Required to Send an MP3 Broadcast Stream
Broadcasting MP3s to another server requires authentication.
To change the MP3 broadcast password:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings, then click Access.
3 In the MP3 Broadcast Password box, enter a new password.
4 Click Save.
From the command line:

    # Change the MP3 broadcast password:
    sudo serveradmin settings qtss:modules:_array_id:QTSSMP3StreamingModule:mp3_broadcast_password = "$QTMP3_PASSWORD"

Using Automatic Unicast (Announce) with QTSS on a Separate Computer
You can broadcast from QuickTime Broadcaster to QTSS. This setting can also be used to receive Announced UDP streams from another QuickTime streaming server via a relay using the Automatic Unicast (Announce) transmission method. To do so, you must create a broadcast user name and password on the streaming server.
To create a broadcast user name and password on the streaming server:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Settings, then click Access.
3 Click the Accept incoming broadcasts checkbox.
4 Click Set Password and enter the name and password.
5 Click Save.
From the command line:

    # Create a broadcast user name and password on the streaming server.
    sudo serveradmin settings qtss:modules:_array_id:QTSSReflectorModule:allow_broadcasts = yes

Controlling Access to Streamed Media
You can set up authentication to control client access to streamed media files. You can use Workgroup Manager to specify who can access the media files, or you can use an access file.
Two schemes of authentication are supported: basic and digest. By default, the server uses the more secure digest authentication. You can also control playlist access and administrator access to your streaming server.
Authentication does not control access to media streamed from a relay server. The administrator of the relay server must set up authentication for relayed media.
The ability to manage user access is built into QTSS, so it is always enabled. For access control to work, an access file must be present in the directory you selected as your media directory. If an access file is not present in the QTSS media directory, all clients are allowed access to the media in the directory.
To control access using Open Directory:
- Authorize each user in Workgroup Manager. For more information, see Open Directory Administration.
To control access using an access file:
1 Use the sudo qtpasswd command-line utility to create user accounts with passwords.
2 Create an access file and place it in the media directory you want to protect.
3 To disable authentication for a media directory, remove the access file (named qtaccess) or rename it (for example, qtaccess.disabled).

Creating an Access File
An access file is a text file named qtaccess that contains information about users and groups who are authorized to view media in the directory where the access file is stored. The directory you use to store streamed media can contain other directories, and each directory can have its own access file.
When a user tries to view a media file, the server checks for an access file to see whether the user is authorized to view the media. The server looks first in the directory where the media file is located. If an access file is not found, it looks in the enclosing directory. The first access file that's found is used to determine whether the user is authorized to view the media file.
The access file for the streaming server works like the Apache web server access file. You can create an access file with a text editor. The file name must be qtaccess and the file can contain some or all of the following information:

    AuthName <message>
    AuthUserFile <user filename>
    AuthGroupFile <group filename>
    require user <username>
    require group <groupname>
    require valid-user
    require any-user

Terms not in angle brackets are keywords. Anything in angle brackets is information you supply. Save the access file as plain text (not .rtf or any other file format).
Here's a brief explanation of each keyword:
- message is text your users see when the login window appears. It's optional. If your message contains white space (such as a space character between terms), enclose the message in quotation marks.
- user filename is the path and file name of the user file. For Snow Leopard, the default is /Library/QuickTimeStreaming/Config/qtusers.
- group filename is the path and file name of the group file. For Snow Leopard, the default is /Library/QuickTimeStreaming/Config/qtgroups. A group file is optional. If you have many users, it might be easier to set up groups and then enter the group names, instead of listing each user.
- username is a user who is authorized to log in and view the media file. The user's name must be in the user file you specified. You can also specify valid-user, which designates any valid user.
- groupname is a group whose members are authorized to log in and view the media file. The group and its members must be listed in the group file you specified.
You can use these additional user tags:
- valid-user is any user defined in the qtusers file. The statement require valid-user specifies that any authenticated user in the qtusers file can have access to the media files. If this tag is used, the server prompts users for user name and password.
- any-user allows any user to view media without providing a name or password.
- AuthScheme is a keyword with the values basic or digest that you can add to a qtaccess file. This overrides the global authentication setting on a directory-by-directory basis.
If you make customized changes to the default qtaccess access file, be aware that making changes to broadcast user settings in Server Admin modifies the default qtaccess file at the root level of the movies directory. Therefore, customized modifications you make are not preserved.

What Clients Need When Accessing Protected Media
Users must have QuickTime 5 or later to access a media file that digest authentication is enabled for. If your streaming server is set up to use basic authentication, users need QuickTime 4.1 or later. Users must enter their user names and passwords to view the media file. Users who try to access a media file with an earlier version of QuickTime will see the error message "401: Unauthorized."

Adding User Accounts and Passwords
You can add a user account and password if you log in to the server computer.
To add a user account:
1 Log in to the server computer as root, open a terminal window, and enter the following:

    sudo qtpasswd <username>

Alternatively, use sudo to execute the command as root.
2 Enter a password for the user and reenter it when prompted.
From the command line:

    # Add a user account.
    sudo qtpasswd $USER

Adding or Deleting Groups
You can edit the /Library/QuickTimeStreaming/Config/qtgroups file with any text editor as long as the file uses this format:

    <groupname>: <username> <username> <username>
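The lookup rules in "Creating an Access File" (first qtaccess found walking up from the media file's directory wins, no file means open access, then the require directives are applied against the user and group files) and the qtgroups line format just shown are implemented below as an added example, not QTSS code. It assumes qtusers lines look like name:hash (only the names are used; password checking is out of scope), and the media tree, users and groups it builds in a temporary directory are constructed.

```python
import os
import tempfile

# Snow Leopard default user file (from the text); used when qtaccess omits AuthUserFile.
DEFAULT_USER_FILE = "/Library/QuickTimeStreaming/Config/qtusers"


def find_access_file(media_root, media_path):
    """First qtaccess in the media file's directory or an enclosing one, up to
    media_root; None means no access file, so everyone may view."""
    media_root = os.path.abspath(media_root)
    directory = os.path.dirname(os.path.abspath(media_path))
    while directory.startswith(media_root):
        candidate = os.path.join(directory, "qtaccess")
        if os.path.isfile(candidate):
            return candidate
        if directory == media_root:
            break
        directory = os.path.dirname(directory)
    return None


def parse_qtaccess(path):
    """Keyword lines as listed above; 'require' lines become (kind, names),
    e.g. ("group", ["staff"]) or ("valid-user", [])."""
    conf = {"require": []}
    with open(path) as fh:
        for raw in fh:
            parts = raw.split()
            if not parts or parts[0].startswith("#"):
                continue
            if parts[0] == "require" and len(parts) > 1:
                conf["require"].append((parts[1], parts[2:]))
            elif parts[0] in ("AuthName", "AuthUserFile", "AuthGroupFile", "AuthScheme"):
                conf[parts[0]] = raw.strip().split(None, 1)[1].strip('"')
    return conf


def load_users(path):
    """qtusers lines are assumed to be 'name:hash'; only the names are needed here."""
    with open(path) as fh:
        return {line.split(":", 1)[0].strip() for line in fh if ":" in line}


def load_groups(path):
    """qtgroups format from the text: '<groupname>: <username> <username> ...'."""
    groups = {}
    with open(path) as fh:
        for line in fh:
            if ":" in line:
                name, members = line.split(":", 1)
                groups[name.strip()] = set(members.split())
    return groups


def is_authorized(media_root, media_path, user):
    """May `user` view media_path?  `user` is the name that already passed the
    password check (not modelled here); None means no credentials presented."""
    access_file = find_access_file(media_root, media_path)
    if access_file is None:
        return True  # no access file up to the media root: all clients are allowed
    conf = parse_qtaccess(access_file)
    users = load_users(conf.get("AuthUserFile", DEFAULT_USER_FILE))
    groups = load_groups(conf["AuthGroupFile"]) if "AuthGroupFile" in conf else {}
    for kind, names in conf["require"]:
        if kind == "any-user":
            return True
        if user is None or user not in users:
            continue  # every other directive needs a user from the user file
        if kind == "valid-user" or (kind == "user" and user in names):
            return True
        if kind == "group" and any(user in groups.get(g, ()) for g in names):
            return True
    return False


def run_demo():
    """Constructed media tree: movies/ has no qtaccess (open), movies/internal/
    admits group staff, movies/internal/board/ admits only user ceo and, being
    the first qtaccess found for its own files, overrides the enclosing rule."""
    root = tempfile.mkdtemp()
    movies = os.path.join(root, "movies")
    board = os.path.join(movies, "internal", "board")
    os.makedirs(board)
    users_file = os.path.join(root, "qtusers")
    groups_file = os.path.join(root, "qtgroups")
    with open(users_file, "w") as fh:  # constructed; the hashes are placeholders
        fh.write("alice:PLACEHOLDER\nbob:PLACEHOLDER\nceo:PLACEHOLDER\n")
    with open(groups_file, "w") as fh:
        fh.write("staff: alice bob\nexecs: ceo\n")
    with open(os.path.join(movies, "internal", "qtaccess"), "w") as fh:
        fh.write('AuthName "Internal media"\nAuthUserFile %s\nAuthGroupFile %s\n'
                 "require group staff\n" % (users_file, groups_file))
    with open(os.path.join(board, "qtaccess"), "w") as fh:
        fh.write('AuthName "Board only"\nAuthScheme digest\nAuthUserFile %s\n'
                 "require user ceo\n" % users_file)
    for rel in ("clip.mov", "internal/clip.mov", "internal/board/clip.mov"):
        open(os.path.join(movies, rel), "w").close()
    cases = [("clip.mov", None), ("internal/clip.mov", None), ("internal/clip.mov", "alice"),
             ("internal/clip.mov", "ceo"), ("internal/board/clip.mov", "alice"),
             ("internal/board/clip.mov", "ceo")]
    return [is_authorized(movies, os.path.join(movies, rel), user) for rel, user in cases]
```

run_demo() returns one decision per case in the order listed: root clip open to anyone, internal clip denied to anonymous and to ceo (not in staff) but allowed for alice, and the board clip denied to alice but allowed for ceo.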
For Windows, the path is c:\Program Files\Darwin Streaming Server\qtgroups. For other supported platforms, it is /etc/streaming/qtgroups.
To add or delete a group, edit the group file you set up.
From the command line:

    # Add a group (append a line to the group file).
    echo "$GROUP_NAME: $USER1 $USER2 $USER3" | sudo tee -a /Library/QuickTimeStreaming/Config/qtgroups

Making Changes to the User or Group File
You can make changes to the user or group file if you log in to the server computer.
To delete a user from a user or group file:
1 Log in to the server computer as administrator and use a text editor to open the user or group file.
2 Delete the user name and encrypted password's line from the user file.
3 Delete the user name from the group file.
To change a user password:
1 Log in to the server computer as root, open a terminal window, and enter the following:

    sudo qtpasswd <username>

Alternatively, use sudo to execute the command as root.
2 Enter a password for the user. The password you enter replaces the password in the file.
From the command line:

    # Change a user password.
    sudo qtpasswd $USER

Viewing QTSS Logs
QTSS provides the following log files:
- Error logs. These log files record errors such as configuration problems. For example, if you bind to a specific IP address that can't be found, or if a user deletes streaming files, these items are logged.
- Access logs. When someone plays a movie streamed from your server, the log reports such information as the date, time, and IP address of the computer that played the movie.
QTSS log files are stored in /Library/QuickTimeStreaming/Logs. QTSS keeps its logs in standard W3C format, allowing you to use a number of popular log analysis tools to parse the data.
To view the QTSS log:
1 In Server Admin, click QuickTime Streaming under the server in the Servers list.
2 Click Logs and then choose a log from the View pop-up menu.
From the command line:

    # View the QTSS log:
    sudo tail /Library/QuickTimeStreaming/Logs/$LOG_FILE

27 Securing Grid and Cluster Computing Services
Use this chapter to learn how to secure Grid and Cluster Computing services.
Protecting grid and cluster services helps control your network's free CPU cycles from misuse. This chapter helps you restrict your network's CPUs to authorized users.
Xgrid, a technology in Snow Leopard Server and Snow Leopard, simplifies deployment and management of computational grids. Xgrid enables you to group computers into grids or clusters, and allows users to easily submit complex computations to groups of computers (local, remote, or both), as an ad hoc grid or a centrally managed cluster.
For more information about configuring Xgrid service, see the Xgrid Administration and High Performance Computing guide.

Understanding Xgrid Service
Xgrid service handles the transferring of computing jobs to the grid and returns the results. Xgrid does not calculate anything, does not know anything about calculating, does not have content for calculating, and does not even know that you are calculating anything.
The computing job is handled by software (such as perl) that runs on network computers, can be installed before running the computing job, or is transferred to the computers using Xgrid.
The primary components of a computational grid perform the following functions:
- An agent runs one task at a time per CPU. (A dual-processor computer can run two tasks simultaneously.)
- A controller queues tasks, distributes those tasks to agents, and handles task reassignment.
- A client submits jobs to the Xgrid controller in the form of multiple tasks. (A client can be any computer running Tiger or later or Tiger Server or later.)
In principle, the agent, controller, and client can run on the same server, but it is often more efficient to have a dedicated controller node.

Disabling Xgrid Service
If your server is not intended to be an Xgrid server, disable the Xgrid server software. Disabling the software prevents potential vulnerabilities on your computer. The Xgrid service is disabled by default, but verification is recommended.
To disable Xgrid service:
1 Select Xgrid in the Computers & Services list.
2 Click Stop Xgrid.
3 Click Save.
From the command line:

    # Disable Xgrid service.
    sudo serveradmin stop xgrid

About Authentication Methods for Xgrid
You can configure Xgrid with or without authentication. If you require authentication of controllers to mutually authenticate with clients and agents, you can choose Single Sign-On or Password-Based Authentication.
You set up an Xgrid controller using Server Admin. You can specify the type of authentication for agents and clients. The passwords entered in Server Admin for the controller must match those entered for each agent and client.
When establishing passwords for agents and clients, consider these points:
- Kerberos authentication (single sign-on). If you use Kerberos authentication for agents or clients, the server that's the Xgrid controller must be configured for Kerberos, must be in the same realm as the server running the Kerberos domain controller (KDC) system, and must be bound to the Open Directory master. The agent uses the host principal found in the /etc/krb5.keytab file. The controller uses the Xgrid service principal found in the /etc/krb5.keytab file.
- Agents. The agent determines the authentication method. The controller must conform to that method and password (if a password is used). When an agent is configured with a standard password (not single sign-on), you must use the same password for agents when you configure the controller. If the agent has specified single sign-on, the correct service principal and host principals must be available.
- Clients. If your server is the controller for a grid, be sure that Snow Leopard and Snow Leopard Server clients use the correct authentication method for the controller. A client cannot submit a job to the controller unless the user chooses the correct authentication method and enters their password correctly, or has the correct ticket-granting ticket from Kerberos.
For more information, see Xgrid Administration and High Performance Computing.

Single Sign-On
Single sign-on (SSO) is the most powerful and flexible form of authentication. It leverages the Open Directory and Kerberos infrastructures in Snow Leopard Server to manage authentication behind the scenes, without user intervention.
Each Xgrid participant must have a Kerberos principal. The clients and agents obtain ticket-granting tickets for their principal, which is used to obtain a service ticket for the controller service principal. The controller looks at the ticket granted to the client to determine the user's principal and verifies it with the relevant service access control lists (SACLs) and groups to determine privileges.
Generally, use this option if any of the following conditions are true:
- You have single sign-on in your environment.
- You have administrator control over all agents and clients in use.
- Jobs must run with special privileges (such as for local, network, or SAN file system access).

Password-Based Authentication
When you can't use single sign-on, you can require password authentication. You may not be able to use single sign-on if:
- Potential Xgrid clients are not trusted by your single sign-on domain (or you don't have one).
- You want to use agents across the Internet or that are outside your control.
- It is an ad hoc grid, without the ability to prearrange a web of trust.
In these situations, your best option is to specify a password. You have two password options: one for controller-client and one for controller-agent. For security reasons, these should be different passwords.
Note: You can also create hybrid environments, such as with client-controller authentication done using passwords but controller-agent authentication done using single sign-on (or vice versa).

No Authentication
The No Authentication method creates potential security risks, because anyone can connect or run a job, which can expose sensitive data. This option is appropriate only for testing a private network in a home or lab that is inaccessible from any untrusted computer, or when none of the jobs or the computers contain sensitive or important information.

Securely Configuring Xgrid Service
Xgrid service must be running for your server to control a grid or participate in a grid as an agent. If Xgrid service is required, configure the Xgrid agent and controller. The Xgrid controller and agent are disabled by default.
When configuring the Xgrid agent and controller, require authentication to protect your network from malicious users. Authentication requires that agent and controller use the same password or authenticate using Kerberos single sign-on. With no authentication, a malicious agent could receive tasks and potentially access sensitive data.

Disabling the Xgrid Agent
An Xgrid agent runs the computational tasks of a job. In Snow Leopard Server, the agent is turned off by default.
When an agent is turned on and becomes active at startup, it registers with a controller. (An agent can be connected to only one controller at a time.) The controller sends instructions and data to the agent for the controller's jobs. After it receives instructions from the controller, the agent executes its assigned tasks and sends the results back to the controller.
You use Server Admin to make sure your server is not acting like an Xgrid agent.
To disable an Xgrid agent on the server:
1 Select Xgrid in the Computers & Services list.
2 Click Settings.
3 Click Agent.
4 Deselect Enable agent service.
From the command line:

    # Disable the Xgrid agent on the server:
    sudo /usr/sbin/xgridctl agent stop
    sudo serveradmin settings xgrid:AgentSettings:Enabled = no

Limiting the Xgrid Agent
An Xgrid agent registers with a controller and receives instructions and data for the controller's jobs. After it receives instructions from the controller, the agent executes its assigned tasks and sends the results back to the controller.
You use Server Admin to set up your server as an Xgrid agent. In addition, you can associate the agent with a specific controller or permit it to join a grid, specify when the agent accepts tasks, and set a password that the controller must recognize.
To configure an Xgrid agent on the server:
1 Open Server Admin and connect to the server.
2 Select Xgrid in the Computers & Services list.
3 Click Settings.
4 Click Agent.
5 Click Enable agent service.
6 Specify a controller by choosing its name in the Controller pop-up menu or by entering the controller name. By default, the agent uses the first available controller.
Note: An agent can find a controller in one of three ways: a specific host name or IP address, the first available controller that advertises on Bonjour on the local subnet, or a specific Bonjour service name (a service lookup against the domain name server for _xgrid._tcp._ip).
7 Specify when the agent will accept tasks.
Tasks can be accepted when the computer is idle or always. A computer is considered idle when it has no mouse or keyboard input; CPU and network activity are ignored. If a user returns to a computer that is running a grid task, the computer continues to run the task until it is finished.
8 From the pop-up menu, choose one of the following authentication options and enter the password.
- Password requires that the agent and controller use the same password.
- Kerberos uses SSO authentication for the agent's administrator.
- None does not require a password for the agent. This option is not recommended because it provides no protection from unapproved use of your grid. With no authentication, an unapproved agent could receive tasks and potentially access sensitive data.
9 Click Save.
Important: If you require authentication, the agent and controller must use the same password or must authenticate using Kerberos single sign-on.
From the command line:

Configuring an Xgrid Controller
You use Server Admin to configure an Xgrid controller. When configuring the controller, you can also set a password for any agent using the grid and for any client that submits a job to the grid.
To configure an Xgrid controller:
1 Open Server Admin and connect to the server.
2 Select Xgrid in the Computers & Services list.
3 Click Settings.
4 Click Controller.
5 Click Enable controller service.
6 From the Client Authentication pop-up menu, choose one of the following authentication options for clients and enter the password.
- Password requires that the agent and controller use the same password.
- Kerberos uses sign-on authentication for the agent's administrator.
Nonedoesnotrequireapasswordfortheagent.Thisoptionisnotrecommendedbecauseitprovidesnoprotectionfromunapproveduseofyourgrid.Withnoauthentication,anunapprovedagentcouldreceivetasksandpotentiallyaccesssensitivedata.7 ClickSave.# Configure an Xgrid agent on the server.# ---------------------------sudo serveradmin settings xgrid:AgentSettings:prefs:Enabled = yessudo serveradmin settings xgrid:AgentSettings:prefs:ControllerAuthentication = "Kerberos"sudo serveradmin settings xgrid:AgentSettings:prefs:ControllerName = "$XGRID_CONTROLLER_HOST"sudo serveradmin settings xgrid:AgentSettings:Enabled = yes360 Chapter27SecuringGridandClusterComputingServicesImportant:Ifyourequireauthentication,theagentandcontrollermustusethesamepasswordormustauthenticateusingKerberossinglesign-on.Fromthecommandline:# Configure an Xgrid controller.sudo serveradmin settings xgrid:ControllerSettings:Enabled = yessudo serveradmin settings xgrid:ControllerSettings:prefs:ClientAuthentication = Passwordsudo serveradmin settings xgrid:ControllerSettings:ClientPassword = $XGRID_CLIENT_PASS28 36128 ManagingWhoCanObtainAdministrativePrivileges(sudo)Usethischaptertorestrictadministratoraccesstothesudocommandbyspecifyingwhocanusethiscommandinthesudoersfile.Thesudocommandgivesrootuserprivilegestousersspecifiedinthesudoersfile.Ifyoureloggedinasanadministratoruserandyourusernameisspecifiedinthe/etc/sudoersfile,youcanusethiscommand.ManagingthesudoersFileLimitthelistofadministratorsallowedtousethesudotooltothoseadministratorswhorequiretheabilitytoruncommandswithrootuserprivileges.Tochangethe/etc/sudoersfile:1 Editthe/etc/sudoersfileusingthevisudotool,whichallowsforsafeeditingofthefile,thenrunthefollowingcommandwithrootuserprivileges:sudo visudo2 Whenprompted,enteryouradministratorpassword.Thereisatimeoutvalueassociatedwiththesudotool.Thisvalueindicatesthenumberofminutesuntilsudopromptsforapasswordagain.Thedefaultvalueis5,whichmeansthatafterissuingthesudo 
command and entering the correct password, additional sudo commands can be entered for 5 minutes without reentering the password. This value is set in the /etc/sudoers file. For more information, see the sudo and sudoers man pages.
3 In the Defaults specification section of the file, add the following line:
Defaults timestamp_timeout=0
4 Restrict which administrators are allowed to run the sudo tool by removing the line that begins with %admin and adding the following entry for each user, substituting the user's short name for the word user:
user ALL=(ALL) ALL
Doing this means that when an administrator is added to a system, the administrator must be added to the /etc/sudoers file as described above if that administrator needs to use the sudo tool.
5 Save and quit visudo.
For more information, see the pico and visudo man pages.

Chapter 29 Managing Authorization Through Rights

Use this chapter to control authorization on your system by managing the policy database.

Authorization on Snow Leopard Server is controlled by a policy database. This database is stored in /etc/authorization. The database format is described in comments at the top of that file.

The SecurityAgent plug-in processes requests for authentication by gathering requirements from the policy database (/etc/authorization). Actions can be successfully performed only when the user has acquired the rights to do so.

Understanding the Policy Database

The policy database is a property list that consists of two dictionaries:
- The rights dictionary
- The rules dictionary

The Rights Dictionary

The rights dictionary contains a set of key/value pairs, called right specifications. The key is the right name and the value is information about the right, including a description of what the user must do to acquire the right.

The following is an extract from the policy database installed on your system.

<key>rights</key>
<dict>
    <key></key>
    <dict>
        <key>class</key>
        <string>rule</string>
        <key>comment</key>
        <string>Matches otherwise unmatched rights (i.e., is a default).</string>
        <key>rule</key>
        <string>default</string>
    </dict>
    <key>system.device.dvd.setregion.initial</key>
    <dict>
        <key>class</key>
        <string>user</string>
        <key>comment</key>
        <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string>
        <key>group</key>
        <string>admin</string>
        <key>shared</key>
        <true/>
    </dict>
    <key>config.add.</key>
    <dict>
        <key>class</key>
        <string>allow</string>
        <key>comment</key>
        <string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string>
    </dict>
</dict>

In this extract from the policy database, there are three rights:
- The right specification with an empty key string is known as the default right specification. To obtain this right a user must satisfy the default rule which, by default on current versions of Mac OS X, is to prove that they are an administrator.
- system.device.dvd.setregion.initial controls whether the user is allowed to set the initial region code for the DVD drive. By default, a user must prove that they are an administrator (in group admin) to set the DVD region.
- config.add. is a wildcard right specification (it ends with a dot) that matches any right whose name starts with the config.add. characters. This right controls whether a user can add a right specification to the policy database. By default, any user can add a right specification.

When a program asks for a right, Authorization Services executes the following algorithm:
1 It searches the policy database for a right specification whose key matches the right name.
2 If that fails, it searches the policy database for a wildcard right specification whose key matches the right name. If multiple rights are present, it uses the one with the longest key.
3 If that fails, it uses the default right specification.

After it has found the relevant right specification, Authorization Services evaluates the specification to decide whether to grant the right. In some cases this is easy (in the extract from the policy database above, config.add. is always granted), but in other cases it can be more complex (for example, setting the DVD region requires that you enter an administrator password).

Rules

A rule consists of a set of attributes. Rules are preconfigured when Snow Leopard Server is installed, but applications can change them at any time. The following table describes the attributes defined for rules. There are some specific rules in the policy database for Mac OS X applications. There is also a generic rule in the policy database that the Security Server uses for any right that doesn't have a specific rule.

Rule attribute   Generic rule value   Description
key              (empty)              The key is the name of a rule. A key uses the same naming conventions as a right. Security Server uses a rule's key to match the rule with a right. Wildcard keys end with a ".". The generic rule has an empty key value. Any rights that do not match a specific rule use the generic rule.
group            admin                The user must authenticate as a member of this group. This attribute can be set to any one group.
shared           true                 If this is set to true, Security Server marks the credentials used to gain this right as shared. Security Server can use any shared credentials to authorize this right. For maximum security, set sharing to false so credentials stored by Security Server for one application are not used by another application.
timeout          300                  The credential used by this rule expires in the specified number of seconds. For maximum security where the user must authenticate every time, set the timeout to 0. For minimum security, remove the timeout attribute so the user authenticates only once per session.

Managing Authorization Rights

Managing authorization rights involves creating and modifying right and rule values.

Creating an Authorization Right

To authorize a user for specific rights, you must create an authorization right in the rights dictionary. Each right consists of the following:
- The name of the right
- A value that contains optional data pertaining to the right
- The byte length of the value field
- Optional flags

The right always matches up with the generic rule unless a new rule is added to the policy database.

Modifying an Authorization Right

To modify a right, change the relevant value in /etc/authorization and save the file:
- To lock out all privileged operations not explicitly allowed, change the generic rule by setting the timeout attribute to 0.
- To allow privileged operations after the user is authorized, remove the timeout attribute from the generic rule.
- To prevent applications from sharing rights, set the shared attribute to false.
- To require users to authenticate as a member of the staff group instead of the admin group, set the group attribute to staff.

Note: There are APIs that you can use for modifying /etc/authorization. It's better to use these APIs than to manually change the values.

Example Authorization Restrictions

As an example of how the Security Server matches a right with a rule in the policy database, consider a grades-and-transcripts application. The application requests the right com.myOrganization.myProduct.transcripts.create. Security Server looks up the right in the policy database. Not finding a match, Security Server looks for a rule with a wildcard key set to com.myOrganization.myProduct.transcripts., com.myOrganization.myProduct., com.myOrganization., or com., in that order, checking for the longest match. If no wildcard key matches, Security Server uses the generic rule.

Security Server requests authentication from the user. The user provides a user name and password to authenticate as a member of the group admin. Security Server creates a credential based on the user authentication and the right requested.
The credential specifies that other applications can use it, and Security Server sets the expiration to five minutes. Three minutes later, a child process of the application starts up. The child process requests the right com.myOrganization.myProduct.transcripts.create. Security Server finds the credential, sees that it allows sharing, and uses the right. Two and a half minutes later, the same child process requests the right com.myOrganization.myProduct.transcripts.create again, but the right has expired. Security Server begins the process of creating a credential by consulting the policy database and requesting user authentication.

Chapter 30 Maintaining System Integrity

Use this chapter to learn how to monitor events and logs to help protect the integrity of your computer.

Using auditing and logging tools to monitor your computer can help you secure your computer. By reviewing these audits and log files, you can stop login attempts from unauthorized users or computers and further protect your configuration settings. This chapter also discusses antivirus tools, which detect unwanted viruses.

Using Digital Signatures to Validate Applications and Processes

A digital signature uses public key cryptography to ensure the integrity of data. Like traditional signatures written with ink on paper, they can be used to identify and authenticate the signer of the data. However, digital signatures go beyond traditional signatures in that they can also ensure that the data itself has not been altered. This is like designing a check in such a way that if someone alters the amount of the sum written on the check, an "Invalid" watermark becomes visible on the face of the check.

To create a digital signature, the signer generates a message digest of the data and then uses a private key to sign the digest. The signer must have a valid digital certificate containing the public key that corresponds to the private key. The combination of a certificate and related private key is called an identity. The signature includes the signed digest and information about the signer's digital certificate. The certificate includes the public key and the algorithm needed to verify the signature.

To verify that the signed document has not been altered, the recipient uses the algorithm to create a message digest and applies the public key to the signed digest. If the two digests prove identical, the message cannot have been altered and must have been sent by the owner of the public key.

To ensure that the person who provided the signature is not only the same person who provided the data but is also who they say they are, the certificate is also signed, in this case by the certificate authority (CA) who issued the certificate.

Signed code uses several digital signatures:
- If the code is universal, the object code for each architecture is signed separately.
- Components of the application bundle (such as the Info.plist file, if there is one) are also signed.

Validating Application Bundle Integrity

To validate the signature on a signed application bundle, use the codesign command with the -v option.

From the command line:
# Validate application bundle integrity.
sudo codesign -v $code_path

This command checks that the code binaries at code-path are signed, that the signature is valid, that sealed components are unaltered, and that the bundle passes basic consistency checks. It does not verify that the code satisfies requirements except its own designated requirement. To verify a requirement, use the -R option.

For example, to verify that the Apple Mail application is identified as Mail, signed by Apple, and secured with Apple's root signing certificate, use the following command:

From the command line:
# Verify a requirement.
sudo codesign -v -R="identifier com.apple.Mail and anchor apple" /Applications/Mail.app

Unlike the -r option, the -R option takes only a single requirement rather than a requirements collection (no => tags). Add additional -v options to get details on the validation process.
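Returning to the policy database of Chapter 29: the following Python is an added example, not Apple's code, that models the three-step right lookup (exact key, longest wildcard, default) and the shared-credential timeout behaviour of the grades-and-transcripts walkthrough. The RIGHTS and RULES dictionaries, the extra config. wildcard and the SecurityServer class are constructed for the demonstration and nothing here reads /etc/authorization.

```python
"""Added example, not Apple's code: a small model of the Chapter 29 right
lookup (exact key, longest wildcard, default) and of credential sharing
and timeout.  The dictionaries below are constructed and only imitate the
shape of /etc/authorization; nothing here reads or writes the real file."""

# Constructed rights dictionary.  The empty key is the default right
# specification and keys ending in "." are wildcards, as on the page.
# "config." is an extra wildcard added here to show longest-key matching.
RIGHTS = {
    "": {"class": "rule", "rule": "default"},
    "system.device.dvd.setregion.initial":
        {"class": "user", "group": "admin", "shared": True},
    "config.add.": {"class": "allow"},
    "config.": {"class": "user", "group": "admin", "shared": True},
}

# Constructed rules dictionary; the generic rule carries the values from
# the chapter's rule table (group admin, shared true, timeout 300 s).
RULES = {
    "default": {"class": "user", "group": "admin",
                "shared": True, "timeout": 300},
}


def find_right(rights, name):
    """Three-step lookup: exact key, then the longest matching wildcard
    key, then the default specification (the empty key)."""
    if name in rights:
        return name, rights[name]
    wildcards = [k for k in rights if k.endswith(".") and name.startswith(k)]
    if wildcards:
        best = max(wildcards, key=len)
        return best, rights[best]
    return "", rights[""]


def resolve(rights, rules, name):
    """Follow a class "rule" right through to the rule it names."""
    key, spec = find_right(rights, name)
    if spec.get("class") == "rule":
        spec = rules[spec["rule"]]
    return key, spec


class SecurityServer:
    """Toy credential cache: one credential per group, reusable by later
    requests only while the matching spec says shared and it has not
    timed out.  'prompts' counts how often the user had to authenticate."""

    def __init__(self, rights, rules):
        self.rights, self.rules = rights, rules
        self.credentials = {}   # group -> expiry time in seconds
        self.prompts = 0

    def request(self, name, now, user_groups=("admin",)):
        _key, spec = resolve(self.rights, self.rules, name)
        cls = spec.get("class")
        if cls == "allow":
            return True
        if cls != "user":
            return False
        group = spec["group"]
        expiry = self.credentials.get(group)
        if spec.get("shared") and expiry is not None and now < expiry:
            return True                      # reuse without prompting
        self.prompts += 1                    # user must authenticate
        if group not in user_groups:
            return False
        timeout = spec.get("timeout")
        # timeout 0: re-authenticate every time; no timeout: once per session
        if timeout is None:
            self.credentials[group] = float("inf")
        else:
            self.credentials[group] = now + timeout
        return True


def transcripts_scenario(generic_timeout=300):
    """Replay the grades-and-transcripts example: the parent authenticates
    at t=0, a child asks 3 minutes later, then again 2.5 minutes after
    that.  Returns how many password prompts the generic-rule timeout
    (300 s on the page, 0 or None when hardened or relaxed) produces."""
    rules = {"default": dict(RULES["default"], timeout=generic_timeout)}
    server = SecurityServer(RIGHTS, rules)
    name = "com.myOrganization.myProduct.transcripts.create"
    for now in (0, 180, 330):
        assert server.request(name, now)
    return server.prompts


if __name__ == "__main__":
    print(find_right(RIGHTS, "config.add.foo")[0])      # config.add.
    print(find_right(RIGHTS, "config.remove.foo")[0])   # config.
    print(transcripts_scenario())                       # 2
    print(transcripts_scenario(generic_timeout=0))      # 3
```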
For more information about signing and verifying application bundle signatures, see Code Signing Guide at developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide. For more information about the codesign command, see its man page.

Validating Running Processes

You can also use codesign to validate the signatures of running processes. If you pass a number rather than a path to the verify option, codesign takes the number to be the process ID (pid) of a running process, and performs dynamic validation instead.

Auditing System Activity

Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and methods used for successful and failed access attempts. The audit subsystem allows authorized administrators to create, read, and delete audit information.

The audit subsystem creates a log of auditable events and allows the administrator to read all audit information from the records in a manner suitable for interpretation. The default location for these files is the /var/audit/ folder.

The audit subsystem is controlled by the audit utility located in the /usr/sbin/ folder. This utility transitions the system in and out of audit operation. The default configuration of the audit mechanism is controlled by a set of configuration files in the /etc/security/ folder. If auditing is enabled, the /etc/rc startup script starts the audit daemon at system startup. All features of the daemon are controlled by the audit utility and audit_control file.

Installing Auditing Tools

The Common Criteria Tools disk image (.dmg) file contains the installer for auditing tools. This disk image file is available from the Common Criteria web page located at www.apple.com/support/security/commoncriteria/.

After downloading the Common Criteria Tools disk image file, copy it to a removable disk, such as a CD-R disc, FireWire disk, or USB disk.

To install the Common Criteria Tools software:
1 Insert the disk that contains the Common Criteria Tools disk image file and open the file to mount the volume containing the tools Installer.
2 Double-click the CommonCriteriaTools.pkg installer file.
3 Click Continue, then proceed through the installation by following the onscreen instructions.
4 When prompted to authenticate, enter the user name and password of the administrator account.

From the command line:
# Install the Common Criteria Tools software.
sudo installer -pkg CommonCriteriaTools.pkg -target /

Enabling Auditing

Modify the hostconfig file to enable auditing.

To turn auditing on:
1 Open Terminal.
2 Enter the following command to edit the /etc/hostconfig file.
sudo pico /etc/hostconfig
3 Add the following entry to the file.
AUDIT=-YES-
4 Save the file.
Auditing is enabled when the computer starts up.

The following table shows the possible audit settings and what they do. If the AUDIT entry is missing from the /etc/hostconfig file, auditing is turned off. A failure is any occurrence that prevents audit events from being logged.

Parameter          Description
AUDIT=-YES-        Enable auditing; ignore failure.
AUDIT=-NO-         Disable auditing.
AUDIT=-FAILSTOP-   Enable auditing; processes may stop if failure occurs.
AUDIT=-FAILHALT-   Enable auditing; the system halts if failure occurs.

The audit subsystem generates warnings when relevant events such as storage space exhaustion and errors in operation are recognized during audit startup or log rotation. These warnings are communicated to the audit_warn script, which can then communicate these events to the authorized administrator.
From the command line:
# Enable auditing.
# Work on a copy, then rewrite the AUDIT entry if one exists or append one.
# The redirections into /etc/hostconfig must run as root, so they are
# wrapped in sudo /bin/sh -c.
sudo cp /etc/hostconfig /tmp/test
if /usr/bin/grep -q '^AUDIT=' /etc/hostconfig
then
    sudo /bin/sh -c '/usr/bin/sed "s/^AUDIT=.*/AUDIT=-YES-/" /tmp/test > /etc/hostconfig'
else
    sudo /bin/sh -c '/bin/echo AUDIT=-YES- >> /etc/hostconfig'
fi

Setting Audit Mechanisms

System startup scripts attempt to configure auditing early in the system startup process. After auditing is enabled, the settings for the audit mechanism are set with the /etc/security/audit_control configuration file.

Files containing audit settings can be edited with any text editor. Terminal can be used with the pico or emacs text editor tools. For more information about using text editors with Terminal, see the pico or emacs man page.

Audit flags are defined in terms of audit classes. Audit flags can be for the whole system, or specific flags can be used for a user. Audit flags can include or exclude classes of events from the audit record stream based on the outcome of the event. For example, the outcome could be success, failure, or both.

When a user logs in, the system-wide audit flags from the audit_control file are combined with the user-specific audit flags (if any) from the audit_user file, and together establish the preselection mask for the user. The preselection mask determines which events will generate audit records for a user. If the preselection mask is changed, restart the computer to ensure that all components are producing audit events consistently.

Using Auditing Tools

This section describes how to use auditing tools.

Using the audit Tool

Auditing is managed by the audit tool. The audit tool uses this syntax:
audit [-nst] [file]

The audit tool controls the state of the auditing subsystem. The optional file operand specifies the location of the audit_control input file. The default file is /etc/security/audit_control.

You can use the following options with the audit tool. For more information, see the audit man page.

Parameter   Description
-n          Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file.
-s          Specifies that the audit system should restart and reread its configuration from the audit control file. A new log file is created.
-t          Specifies that the audit system should terminate. Log files are closed and renamed to indicate the time of the shutdown.

Using the auditreduce Tool

The auditreduce tool enables you to select events that have been logged in audit records. Matching audit records are printed to the standard output in their raw binary form. If no file name is specified, the standard input is used by default. The auditreduce tool follows this syntax:
auditreduce [-A] [-a YYYYMMDD[HH[MM[SS]]]] [-b YYYYMMDD[HH[MM[SS]]]] [-c flags] [-d YYYYMMDD] [-e euid] [-f egid] [-g rgid] [-r ruid] [-u auid] [-j id] [-m event] [-o object=value] [file ...]

For more information, see the auditreduce man pages.

Parameter                  Description
-A                         Selects all records.
-a YYYYMMDD[HH[MM[SS]]]    Selects records that occurred on or after the specified date and time.
-b YYYYMMDD[HH[MM[SS]]]    Selects records that occurred before the specified date and time.
-c flags                   Selects records matching the given audit classes, specified as a comma-separated list of audit flags.
-d YYYYMMDD                Selects records that occurred on a specified date. Cannot be used with the -a or -b option flags.
-e euid                    Selects records with the specified effective user.
-f egid                    Selects records with the specified effective group.
-g gid                     Selects records with the specified real group.
-r ruid                    Selects records with the specified real user.
-u auid                    Selects records with the specified audit ID.
-j id                      Selects records having a subject token with matching ID.
-m event                   Selects records with the specified event name or number.
-o object=value            Selects records by object, where object is one of:
   file=                   Selects records containing the specified path name. file="/usr" matches paths starting with usr. file="~/usr" matches paths not starting with usr.
   msgqid=                 Selects records containing the specified message queue ID.
   pid=                    Selects records containing the specified process ID.
   semid=                  Selects records containing the specified semaphore ID.
   shmid=                  Selects records containing the specified shared memory ID.

To select all records associated with effective user ID root from the audit log /var/audit/20031016184719.20031017122634:
auditreduce -e root /var/audit/20031016184719.20031017122634

To select all setlogin events from that log:
auditreduce -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634

Using the praudit Tool

The praudit tool prints the contents of audit records. Audit records appear in standard output (stdout). If no file name is specified, standard input (stdin) is used. The praudit tool uses this syntax:
praudit [options] audit-trail-file [...]

You can use praudit with the following options:

Parameter   Description
-l          Prints the record in the same line. If this option is not specified, every token appears in a different line.
-r          Prints records in their raw format. This option is separate from -s.
-s          Prints the tokens in their short form. Short ASCII representations for record and event type are displayed. This option is separate from -r.
-d del      Specifies the delimiter. The default delimiter is the comma.

If raw or short form are not specified, tokens are printed in their long form. Events are displayed according to their descriptions given in audit_event, UIDs and GIDs are expanded to their actual ASCII representation, date and time is displayed in standard date format, and so on.

For more information, see the praudit man page.

Deleting Audit Records

You can clear the audit trail by deleting audit files using the command line.

To delete an audit file:
sudo srm /var/audit/20031016184719.20031017122634

Audit Control Files

The audit system uses the following text files to control auditing and write audit records. The default location for these files is the /etc/security/ folder.
- audit_class: The audit_class file contains descriptions of auditable event classes on the system. Each auditable event is a member of an event class. Each line maps an audit event mask (bitmap) to a class and a description.
- audit_control: The audit_control file contains several audit system parameters. Each line of this file is of the form parameter:value. Audit flags are a comma-delimited list of audit classes as defined in the audit_class file. Event classes can be preceded by a prefix that changes their interpretation.
- audit_event: The audit_event file contains descriptions of auditable events on the system. Each line maps an audit event number to a name, a description, and a class. Each event class should have a corresponding entry in the audit_class file.
- audit_user: The audit_user file specifies which audit event classes are to be audited for specific users. If specified, these flags are combined with the system-wide audit flags in the audit_control file to determine which classes of events to audit for a user. These settings take effect when the user logs in. Each line maps a user name to a list of classes that should be audited and a list of classes that should not be audited.
- audit_warn: The audit_warn file runs when auditd generates warning messages. The default audit_warn is a script whose first parameter is the type of warning. The script appends its arguments to /etc/security/audit_messages. Administrators can replace this script with a more comprehensive one that takes different actions based on the type of warning. For example, a low-space warning could result in a mail message being sent to the administrator.

For more information about editing audit control files, see the Common Criteria Administration guide at www.apple.com/support/security.

WARNING: Do not delete the current audit log.

Managing and Analyzing Audit Log Files

If auditing is enabled, the auditing subsystem adds records of auditable events to an audit log file. The name of an audit log file consists of the date and time it was created, followed by a period, and the date and time it was terminated. For example: 20040322183133.20040322184443. This log was created on March 22, 2004 at 18:31:33 and was terminated on March 22, 2004 at 18:44:43.

The audit subsystem appends records to only one audit log file at a time. The currently active file has a suffix .not_terminated instead of a date and time.

Audit log files are stored in the folders specified in the audit_control file. The audit subsystem creates an audit log file in the first folder specified. When less than the minfree amount of disk space is available on the volume containing the audit log file, the audit subsystem:
1 Issues an audit_warn soft warning.
2 Terminates the current audit log file.
3 Creates a new audit log file in the next specified folder.

After all folders specified have exceeded this minfree limit, auditing resumes in the first folder again. However, if that folder is full, an auditing subsystem failure can occur.

You can also choose to terminate the current audit log file and create a new one manually using the audit utility. This action is commonly referred to as rotating the audit logs. Use audit -n to rotate the current log file. Use audit -s to force the audit subsystem to reload its settings from the audit_control file (which also rotates the current log file).

Using Activity Analysis Tools

Snow Leopard Server includes several command-line tools that you can use to analyze computer activity. Depending on the tools' configurations and your computer's activity, running these tools can use large amounts of disk space. Additionally, these tools are only effective when other users don't have administrator access. Users with administrator access can edit logs generated by the tool and thereby circumvent the tool.

If your computer contains sensitive data, consider using both auditing and logging tools. By using both types of tools, you can research and analyze intrusion attempts and changes in your computer's behavior. You must configure these tools to meet your organization's needs, and then change their logging settings to create relevant information for reviewing or archiving purposes.
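As an added example (not Apple's code), the Python below works with audit trail names of the form just described: it selects the trails whose lifetime overlaps an auditreduce-style YYYYMMDD[HH[MM[SS]]] window, so you know which files to hand to auditreduce, and lists terminated trails older than a cutoff for archiving, never returning the .not_terminated trail that the warning above says must not be deleted. The /var/audit listing is constructed around the page's own file names.

```python
"""Added example, not Apple's code: works with audit trail names of the
form YYYYMMDDhhmmss.YYYYMMDDhhmmss (or .not_terminated for the active
trail) as described above.  It selects the trails that overlap an
auditreduce-style time window and lists terminated trails older than a
cutoff, never returning the current trail.  The listing is constructed."""

from datetime import datetime

NOT_TERMINATED = "not_terminated"
STAMP = "%Y%m%d%H%M%S"

# Constructed /var/audit listing; the 2003 and 2004-03-22 names are the
# page's own examples, "current" is the symlink auditd keeps to the active
# trail and is not itself a trail.
SAMPLE_LISTING = [
    "20031016184719.20031017122634",
    "20040322183133.20040322184443",
    "20040322184443.20040323000512",
    "20040323000512.not_terminated",
    "current",
]


def parse_stamp(stamp):
    """Parse an auditreduce-style YYYYMMDD[HH[MM[SS]]] stamp; omitted
    hour, minute and second fields default to zero."""
    if not (stamp.isdigit() and len(stamp) in (8, 10, 12, 14)):
        raise ValueError("bad time stamp: %r" % stamp)
    return datetime.strptime(stamp.ljust(14, "0"), STAMP)


def parse_trail_name(name):
    """Return (start, end) datetimes for a trail name; end is None for the
    active trail.  Raises ValueError for anything that is not a trail."""
    start, dot, end = name.partition(".")
    if not dot or len(start) != 14:
        raise ValueError("not an audit trail name: %r" % name)
    start_dt = parse_stamp(start)
    if end == NOT_TERMINATED:
        return start_dt, None
    if len(end) != 14:
        raise ValueError("bad termination stamp: %r" % name)
    end_dt = parse_stamp(end)
    if end_dt < start_dt:
        raise ValueError("trail ends before it starts: %r" % name)
    return start_dt, end_dt


def is_trail_name(name):
    try:
        parse_trail_name(name)
        return True
    except ValueError:
        return False


def trails(listing):
    """Yield (name, start, end) for every trail in a directory listing,
    skipping entries such as the 'current' symlink."""
    for name in listing:
        if is_trail_name(name):
            start, end = parse_trail_name(name)
            yield name, start, end


def trails_covering(listing, after, before=None, now=None):
    """Names of trails whose lifetime overlaps [after, before), both given
    as YYYYMMDD[HH[MM[SS]]] strings as for auditreduce -a/-b.  The active
    trail is treated as running until 'now' (default: the current time)."""
    after_dt = parse_stamp(after)
    before_dt = parse_stamp(before) if before else datetime.max
    now_dt = parse_stamp(now) if now else datetime.now()
    return [name for name, start, end in trails(listing)
            if start < before_dt and (end or now_dt) >= after_dt]


def expired_trails(listing, cutoff):
    """Terminated trails that ended before the cutoff stamp: candidates for
    archiving or deletion.  The not_terminated trail is never listed."""
    cutoff_dt = parse_stamp(cutoff)
    return [name for name, start, end in trails(listing)
            if end is not None and end < cutoff_dt]


if __name__ == "__main__":
    print(trails_covering(SAMPLE_LISTING, "2004032218", "2004032219"))
    print(expired_trails(SAMPLE_LISTING, "20040323"))
```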
Validating System Logging

Logging is the recording of various events, including changes to service status, processes, and operating system components. Some events are security related, while others are information messages about your computer's activity. If an unexpected error occurs, you can analyze logs to help determine the cause of the error. For example, the logs might explain why a software update can't be installed, or why you can't authenticate.

Logging tools can be useful if you have multiple users who can access the sudo command. You can view logs to see what users did using the sudo command. Some sudo commands perform additional actions that are not logged. Limit the sudo commands that individual users are allowed to use. For more information, see "Managing the sudoers File" on page 361.

Use Console to view and maintain log files. Console is located in the /Applications/Utilities/ folder. Upon starting, the Console window shows the console.log file. Click Logs to display a pane that shows other log files on the system in a tree view. The tree view includes folders for services, such as web and mail server software.

In Snow Leopard Server, log files are handled by the BSD subsystem or by a specific application. The BSD subsystem handles most important system logging, while some applications handle their own logging. Like other BSD systems, Snow Leopard Server uses a background process called syslogd to handle logging.

A primary decision to make when configuring syslogd is whether to use local or remote logging. In local logging, log messages are stored on the hard disk. In remote logging, log messages are transferred over the network to a dedicated log server that stores them. Using remote logging is strongly recommended.

Configuring syslogd

The configuration file for the system logging process, syslogd, is /etc/syslog.conf. A manual for configuration of this file is available by issuing the command man syslog.conf in a Terminal window. Each line in /etc/syslog.conf consists of text containing three types of data: a facility, a priority, and an action.
- Facilities are categories of log messages. Standard facilities include mail, news, user, and kern (kernel).
- Priorities deal with the urgency of the message. In order from least to most critical, they are debug, info, notice, warning, err, crit, alert, and emerg.
The priority of the log message is set by the application sending it, not by syslogd.
- The action specifies what to do with a log message of a specific facility and priority. Messages can be sent to files, named pipes, devices, or a remote host.

The following example specifies that for log messages in the category mail with a priority of emerg or higher, the message is written to the /var/log/mail.log file:
mail.emerg	/var/log/mail.log

The facility and priority are separated by a period, and these are separated from the action by tabs. Wildcards (*) can also be used in the configuration file. The following example logs all messages of any facility or priority to the file /var/log/all.log:
*.*	/var/log/all.log

Local System Logging

The default configuration in /etc/newsyslog.conf is configured for local logging in the /var/log folder. The computer is set to rotate log files using the periodic launchd job according to time intervals specified in the /etc/newsyslog.conf file. Rotation entails compressing the current log file, incrementing the integer in the file name of compressed log files, and creating a log file for new messages. The following table describes the rotation process after two rotations.

Files before rotation   Files after first rotation   Files after second rotation
system.log              system.log                   system.log
mail.log                mail.log                     mail.log
                        mail.log.1.gz                mail.log.1.gz
                        system.log.1.gz              system.log.1.gz
                                                     mail.log.2.gz
                                                     system.log.2.gz

Log files are rotated by a launchd job, and the rotation occurs if the computer is on when the job is scheduled. By default, log rotation tasks are scheduled between midnight and 1 in the morning, to be as unobtrusive as possible to users. If the system will not be powered on at this time, adjust the settings in /etc/newsyslog.conf. For information about editing the /etc/newsyslog.conf file, issue the man 5 newsyslog.conf command in a Terminal window.

Remote System Logging

Using remote logging in addition to local logging is strongly recommended, because local logs can easily be altered if the system is compromised. Consider the following security issues when making the decision to use remote logging.
- The syslog process sends log messages in the clear, which could expose sensitive information.
- Too many log messages fill storage space on the logging system, rendering further logging impossible.
- Log files can indicate suspicious activity only if a baseline of normal activity is established, and if the files are regularly monitored for such activity.

If these security issues outweigh the security benefit of remote logging for the network being configured, do not use remote logging.

The following instructions assume a remote log server has been configured on the network.

To enable remote logging:
1 Open /etc/syslog.conf as root.
2 Add the following line to the top of the file, replacing your.log.server with the name or IP address of the log server, and making sure to keep all other lines intact:
*.*	@your.log.server
3 Exit, saving changes.
4 Send a hangup signal to syslogd to make it reload the configuration file:
sudo killall -HUP syslogd

Viewing Logs in Server Admin

Server Admin provides logging for some services enabled on your server. A filter feature allows you to search through the log for specific information.

To view logs in Server Admin:
1 Open Server Admin and connect to the server.
2 Click the triangle at the left of the server. The list of services appears.
3 From the expanded Servers list, select a service.
4 Click Logs. Some services have multiple logs associated with them.

From the command line:
# View logs from the command line.
# Use tail or more to view the log files.
# The audit files are individually named based on the date.
sudo /usr/bin/tail $AUDIT_FILE
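As an added example (not Apple's code), this Python reads the /etc/syslog.conf line format described under "Configuring syslogd" and reports where a message of a given facility and priority is delivered, which is a quick way to confirm that the *.* @your.log.server line really catches every message before you rely on remote logging. The configuration text and its mail,news.crit line are constructed; the ',' and ';' forms come from man syslog.conf rather than from this page.

```python
"""Added example, not Apple's code: a reader for the /etc/syslog.conf line
format described above (facility.priority selector, tab-separated action)
that reports where a message of a given facility and priority would be
delivered.  It understands the forms the page shows plus ',' between
facilities and ';' between selectors (see man syslog.conf); anything else
raises so a misread line cannot silently misroute.  The text is constructed."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed configuration: the remote-logging line from the steps above,
# the page's two example lines, and one extra line with a facility list.
SAMPLE_CONF = """\
# constructed sample of /etc/syslog.conf
*.*\t@your.log.server
mail.emerg\t/var/log/mail.log
mail,news.crit\t/var/log/critical.log
*.*\t/var/log/all.log
"""


def parse_syslog_conf(text):
    """Return a list of (facility, priority, action) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selectors, tab, action = line.partition("\t")   # tabs separate the action
        action = action.strip()
        if not tab or not action:
            raise ValueError("no tab-separated action on line: %r" % raw)
        for selector in selectors.split(";"):
            facilities, dot, priority = selector.strip().rpartition(".")
            if not dot or (priority != "*" and priority not in PRIORITIES):
                raise ValueError("unsupported selector: %r" % selector)
            for facility in facilities.split(","):
                rules.append((facility.strip(), priority, action))
    return rules


def actions_for(rules, facility, priority):
    """Actions that receive a message.  A rule matches when its facility is
    '*' or equal to the message's, and its priority is '*' or at or below
    the message's priority: mail.emerg catches only emerg, mail.err catches
    err, crit, alert and emerg."""
    level = PRIORITIES.index(priority)
    matched = []
    for fac, prio, action in rules:
        if fac not in ("*", facility):
            continue
        if prio != "*" and PRIORITIES.index(prio) > level:
            continue
        if action not in matched:
            matched.append(action)
    return matched


def remote_targets(rules, facility, priority):
    """The subset of actions that forward the message to a remote host."""
    return [a for a in actions_for(rules, facility, priority) if a.startswith("@")]


SAMPLE_RULES = parse_syslog_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, prio in (("mail", "emerg"), ("mail", "err"), ("kern", "debug")):
        print(fac, prio, "->", actions_for(SAMPLE_RULES, fac, prio))
```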
Appendix A: Understanding Passwords and Authentication

Use this appendix to learn about the different types of passwords and how they authenticate users.

Passwords are a common method of authentication. Several types of services use passwords to verify the identity of users.

Password Types

Each user account has a password type that determines how the user account is authenticated. In a local directory domain, the standard password type is shadow password. For user accounts in the LDAP directory of Snow Leopard Server, the standard password type is Open Directory. User accounts in the LDAP directory can also have a password type of crypt password.

Authentication and Authorization

Services such as the login window and Apple file service request user authentication from Open Directory. Authentication is part of the process by which a service determines whether it should grant a user access to a resource. Usually this process also requires authorization. Authentication proves a user's identity, and authorization determines what the authenticated user is permitted to do.

A user typically authenticates by providing a valid name and password. A service can then authorize the authenticated user to access specific resources. For example, file service authorizes full access to folders and files that an authenticated user owns.

You experience authentication and authorization when you use a credit card. The merchant authenticates you by comparing your signature on the sales slip to the signature on your credit card. Then the merchant submits your authorized credit card account number to the bank, which authorizes payment based on your account balance and credit limit.
Open Directory authenticates user accounts, and service access control lists (SACLs) authorize use of services. If Open Directory authenticates you, the SACL for the login window determines whether you can log in, the SACL for Apple Filing Protocol (AFP) service determines whether you can connect for file service, and so on.

Some services also determine whether a user can access specific resources. This authorization can require retrieving other user account information from the directory domain. For example, AFP service needs the user ID and group membership information to determine which folders and files the user can read and write to.

Open Directory Passwords

When a user's account has a password type of Open Directory, the user can be authenticated by Kerberos or by the Open Directory Password Server. Kerberos is a network authentication system that uses credentials issued by a trusted server. Open Directory Password Server supports traditional password authentication methods that some clients of network services require.

Kerberos and Open Directory Password Server do not store the password in the user's account. They store passwords in secure databases apart from the directory domain, and passwords can never be read; they can only be set and verified. Malicious users might attempt to log in over the network hoping to gain access to Kerberos and Open Directory Password Server. Open Directory logs can alert you to unsuccessful login attempts.

User accounts in the following directory domains can have Open Directory passwords:
• The LDAP directory of Snow Leopard Server
• The local directory domain of Snow Leopard Server

Note: Open Directory passwords can't be used to log in to Mac OS X v10.1 or earlier. Users who log in using the login window of Mac OS X v10.1 or earlier must be configured to use crypt passwords. The password type doesn't matter for other services. For example, a user of Mac OS X v10.1 could authenticate for Apple file service with an Open Directory password.
Shadow Passwords

Shadow passwords support the same traditional authentication methods as Open Directory Password Server. These authentication methods are used to send shadow passwords over the network in a scrambled form, or hash.

A shadow password is stored as several hashes in a file on the same computer as the directory domain where the user account resides. Because the password is not stored in the user account, it cannot be read out of the directory record, and it is not easy to capture over the network.

Each user's shadow password is stored in a separate file, named a shadow password file, and these files are protected so they can be read only by the root user account.

User accounts stored in a computer's local directory domain are the only ones that can have a shadow password. User accounts that are stored in a shared directory can't have a shadow password.

Shadow passwords also provide cached authentication for mobile user accounts. For more information about mobile user accounts, see User Management.

Crypt Passwords

A crypt password is stored as a hash in the user account record. This strategy, historically named basic authentication, is most compatible with software that needs to access user records directly. For example, Mac OS X v10.1 or earlier expects to find a crypt password stored in the user account.

Crypt authentication supports a maximum password length of eight bytes (eight ASCII characters). If a longer password is entered in a user account, only the first eight bytes are used for crypt password validation. Shadow passwords and Open Directory passwords are not subject to this length limit.

For secure transmission of passwords over a network, crypt supports the DHX authentication method.

Offline Attacks on Passwords

Because crypt passwords are stored in user accounts, they are subject to cracking. User accounts in a shared directory domain are accessible on the network. Anyone on the network who has Workgroup Manager or knows how to use command-line tools can read the contents of user accounts, including the passwords stored in them. Open Directory passwords and shadow passwords aren't stored in user accounts, so these passwords can't be read from directory domains.

A malicious attacker could use Workgroup Manager or UNIX commands to copy user records to a file. The attacker can transport this file to another system and use various techniques to decode the crypt passwords stored in the user records. After decoding a crypt password, the attacker can log in unnoticed with a legitimate user name and crypt password.

This form of attack is known as an offline attack, because it does not require successive login attempts against the system: the guessing is done against the copied hashes, so it is neither rate-limited nor logged by the server.

Shadow passwords and Open Directory passwords are far less susceptible to offline attacks because they are not stored in user records. Shadow passwords are stored in separate files that can be read only by someone who knows the password of the root user. Open Directory passwords are stored securely in the Kerberos KDC and in the Open Directory Password Server database. A user's Open Directory password can't be read by other users, not even by a user with administrator rights for Open Directory authentication. (This administrator can change only Open Directory passwords and password policies.)

Password Guidelines

Many applications and services require that you create passwords to authenticate. Snow Leopard Server includes applications that help create complex passwords (Password Assistant) and securely store your passwords (Keychain Access).

Snow Leopard Server supports passwords that contain UTF-8 characters or any NUL-terminated byte sequence.

Creating Complex Passwords

Use the following tips to create complex passwords:
• Use a mixture of alphabetic (upper and lower case), numeric, and special characters (such as ! or @).
• Don't use words or combinations of words found in a dictionary of any language. Also, don't use names or anything else that is intelligible.
• Create a password of at least twelve characters. Longer passwords are generally more secure than shorter passwords.
• Create as random a password as possible.

You can use Password Assistant to verify the complexity of your password.

Using an Algorithm to Create a Complex Password

Consider creating an algorithm to make a complex (but memorable) password. Using an algorithm can increase the randomness of your password. Additionally, instead of needing to remember a complex password, you must remember only the algorithm.

The following example shows one possible algorithm for creating a complex password. Instead of using this algorithm, create your own or modify this one.

To create an algorithm for creating a complex password:
1. Choose your favorite phrase or saying. In this example, we'll use: Four score and seven years ago our fathers brought forth. Ideally you should choose a phrase of at least eight words.
2. Reduce your favorite phrase to an acronym by keeping only the first letter of each word. The sample phrase becomes: Fsasyaofbf
3. Replace a letter with a number. If we replace F and the last f (from "four" and "forth") with 4, and s (from "seven") with 7, the sample phrase becomes: 4sa7yaofb4
4. Add special characters. If we add $ after 4, and & after 7, the sample phrase becomes: 4$sa7&yaofb4$
5. Make some letters uppercase. If we convert all vowels to uppercase, the sample phrase becomes: 4$sA7&yAOfb4$

Safely Storing Your Password

If you store your password or the algorithm used to make your password in a safe place, you can create more complex passwords without the fear of being unable to recover forgotten passwords. When storing passwords, make sure your storage location is safe, unknown, and inaccessible to intruders.

Consider storing your passwords in a sealed envelope inside a locked container. Alternatively, you can store your passwords in your wallet. By keeping your passwords in your wallet, you keep passwords in a safe location that is also convenient. It is recommended not to store your password anywhere near your computer.

When writing down your password, take the following precautions:
• Don't identify the password as being a password.
• Don't include account information on the same piece of paper.
• Add some false characters or misinformation to the written password in a way that you remember. Make the written password different from the real password.
• Never record a password online, and never send a password to another person through email.

You can use Keychain Access to store your more complex, longer passwords. You'll still need a password to unlock Keychain Access so you can view and use these passwords. Because Keychain Access requires that you authenticate to unlock keychains, it is convenient for you and inaccessible to intruders. Store the Keychain Access password in a safe location. For more information, see Storing Credentials in Keychains on page 88.

Password Maintenance

After you create a good password and store it in a safe location, do the following to make sure your password remains secure:
• Never tell anyone your password. If you tell someone your password, immediately change your password.
• Change your password frequently, and whenever you think your password has been compromised. If your account is compromised, notify authorities and close the account.
• Be aware of when trusted applications ask for your password. Malicious applications can mimic a trusted application and ask you for your password when you're not expecting it.
• Don't reuse the same password for multiple accounts. If you do, an intruder who compromises your password can use the password for all of those accounts.
• Don't enter password-related hints in password hint fields. By providing a hint, you compromise the integrity of your password.
• Don't access your account on public computers or other computers that you don't trust. Malicious computers can record your keystrokes.
• Don't enter your password in front of other people.

Authentication Services

Open Directory offers options for authenticating users whose accounts are stored in directory domains on Snow Leopard Server, including Kerberos and the traditional authentication methods that network services require.

Open Directory can authenticate users by:
• Using Kerberos authentication for single sign-on.
• Using traditional authentication methods and a password stored securely in the Open Directory Password Server database.
• Using traditional authentication methods and a shadow password stored in a secure shadow password file for each user.
• Using a crypt password stored directly in the user's account, for backward compatibility with legacy systems.
• Using a non-Apple LDAP server for LDAP bind authentication.

In addition, Open Directory lets you set up a password policy for all users as well as specific password policies for each user, such as automatic password expiration and minimum password length. (Password policies do not apply to administrators, crypt password authentication, or LDAP bind authentication.)

Determining Which Authentication Option to Use

To authenticate a user, Open Directory must determine which authentication option to use: Kerberos, Open Directory Password Server, shadow password, or crypt password. The user's account contains information that specifies which authentication option to use. This information is the authentication authority attribute.

Open Directory uses the name provided by the user to locate the user's account in the directory domain. Then Open Directory consults the authentication authority attribute in the user's account and learns which authentication option to use.

You can change a user's authentication authority attribute by changing the password type in the Advanced pane of Workgroup Manager, as shown in the following table.

    Password type     Authentication authority                        Attribute in user record
    Open Directory    Open Directory Password Server and Kerberos     Either or both:
                                                                      ;ApplePasswordServer;
                                                                      ;Kerberosv5;
    Shadow password   Password file for each user, readable only      Either:
                      by the root user account                        ;ShadowHash; (1)
                                                                      ;ShadowHash;<list of enabled authentication methods>
    Crypt password    Encoded password in user record                 Either:
                                                                      ;basic;
                                                                      no attribute at all

(1) If the attribute in the user record is ;ShadowHash; without a list of enabled authentication methods, default authentication methods are enabled. The list of default authentication methods is different for Snow Leopard Server and Snow Leopard.
The authentication authority attribute can specify multiple authentication options. For example, a user account with an Open Directory password type normally has an authentication authority attribute that specifies both Kerberos and Open Directory Password Server.

A user account doesn't need to include an authentication authority attribute. If a user's account contains no authentication authority attribute, Snow Leopard Server assumes a crypt password is stored in the user's account. For example, user accounts created using Mac OS X v10.1 or earlier contain a crypt password but not an authentication authority attribute.

Password Policies

Open Directory enforces password policies for users whose password type is Open Directory or shadow password. For example, a user's password policy can specify a password expiration interval. If the user is logging in and Open Directory determines that the user's password has expired, the user must replace the expired password. Then Open Directory can authenticate the user.

Password policies can disable a user account on a specified date, after a number of days, after a period of inactivity, or after a number of failed login attempts. Password policies can also require passwords to be a minimum length, contain at least one letter, contain at least one number, differ from the account name, differ from recent passwords, or be changed periodically.

The password policy for a mobile user account applies when the account is used while disconnected from the network and while connected to the network. A mobile user account's password policy is cached for use while offline. For more information about mobile user accounts, see User Management.

Password policies do not affect administrator accounts. Administrators are exempt from password policies because they can change the policies at will. In addition, enforcing password policies on administrators could subject them to denial-of-service attacks: a rule that disables an account after a number of failed login attempts would let anyone on the network lock an administrator out by deliberately failing to log in as that administrator.

Kerberos and Open Directory Password Server maintain password policies separately. An Open Directory server synchronizes the Kerberos password policy rules with the Open Directory Password Server password policy rules.

Single Sign-On Authentication

Snow Leopard Server uses Kerberos for single sign-on authentication, which relieves users from entering a name and password separately for every service.
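Returning to the authentication authority table and the Password Policies section above, the following Python is an added example (not Apple's code) that illustrates both: it resolves a user record's AuthenticationAuthority values to the password type Open Directory would use, treating a missing attribute as a crypt password, and then applies a policy of the kind described, with the exemptions the text gives for crypt passwords and administrators. The record layout (a dict), the PasswordPolicy class, the sample records and dates are assumptions constructed for the example; the text after each attribute prefix is a stand-in, and recent passwords are compared as plaintext here where a real server would compare hashes.

```python
"""Resolve the authentication authority attribute and apply a password policy.

Added example, not code from Apple's guide.  The record layout (a dict with
an optional AuthenticationAuthority list), the PasswordPolicy class and the
sample records and dates are assumptions constructed here.
"""
from datetime import date

# Attribute prefixes from the table above; one record may carry several.
_AUTHORITY_PREFIXES = [
    (";ApplePasswordServer;", "Open Directory Password Server"),
    (";Kerberosv5;", "Kerberos"),
    (";ShadowHash;", "shadow password"),
    (";basic;", "crypt password"),
]


def authentication_options(record):
    """Set of authentication options the record's attribute names.
    No attribute at all is taken to mean a crypt password in the record."""
    values = record.get("AuthenticationAuthority") or []
    if not values:
        return {"crypt password"}
    options = set()
    for value in values:
        for prefix, name in _AUTHORITY_PREFIXES:
            if value.startswith(prefix):
                options.add(name)
                break
        else:
            raise ValueError(f"unrecognized authentication authority {value!r}")
    return options


def password_type(record):
    """Workgroup Manager password type implied by the attribute."""
    options = authentication_options(record)
    if options & {"Kerberos", "Open Directory Password Server"}:
        return "Open Directory"
    if "shadow password" in options:
        return "shadow password"
    return "crypt password"


class PasswordPolicy:
    """Rules of the kind listed in Password Policies; 0 or None disables a rule."""

    def __init__(self, min_length=0, require_letter=False, require_number=False,
                 differ_from_account_name=False, history=0, max_age_days=None,
                 max_failed_logins=None, max_inactive_days=None):
        self.min_length = min_length
        self.require_letter = require_letter
        self.require_number = require_number
        self.differ_from_account_name = differ_from_account_name
        self.history = history
        self.max_age_days = max_age_days
        self.max_failed_logins = max_failed_logins
        self.max_inactive_days = max_inactive_days

    def applies_to(self, record):
        """Only Open Directory and shadow passwords are covered, and never an
        administrator: a lockout rule on admins is a denial-of-service handle."""
        if record.get("is_admin"):
            return False
        return password_type(record) in ("Open Directory", "shadow password")

    def check_new_password(self, record, candidate, recent_passwords=()):
        """Rules a proposed password violates (empty list means accepted).
        recent_passwords is plaintext for illustration; a server compares hashes."""
        if not self.applies_to(record):
            return []
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_letter and not any(c.isalpha() for c in candidate):
            problems.append("contains no letter")
        if self.require_number and not any(c.isdigit() for c in candidate):
            problems.append("contains no number")
        if self.differ_from_account_name and candidate.lower() == record.get("name", "").lower():
            problems.append("same as the account name")
        if self.history and candidate in list(recent_passwords)[-self.history:]:
            problems.append(f"reuses one of the last {self.history} passwords")
        return problems

    def account_state(self, record, today, failed_logins=0):
        """'ok', 'expired' (password must be replaced before authentication
        succeeds) or 'disabled' (account locked)."""
        if not self.applies_to(record):
            return "ok"
        if self.max_failed_logins is not None and failed_logins >= self.max_failed_logins:
            return "disabled"
        last_login = record.get("last_login")
        if (self.max_inactive_days is not None and last_login is not None
                and (today - last_login).days > self.max_inactive_days):
            return "disabled"
        changed = record.get("password_changed")
        if (self.max_age_days is not None and changed is not None
                and (today - changed).days >= self.max_age_days):
            return "expired"
        return "ok"


# Constructed sample data; the text after each attribute prefix is a stand-in.
OD_USER = {
    "name": "jsmith",
    "AuthenticationAuthority": [";ApplePasswordServer;0x0000,stand-in od.example.com:3659",
                                ";Kerberosv5;;jsmith@EXAMPLE.COM;EXAMPLE.COM;"],
    "password_changed": date(2010, 1, 1),
    "last_login": date(2010, 5, 20),
}
LEGACY_USER = {"name": "oldacct"}                 # no attribute: crypt password
ADMIN_USER = {"name": "admin", "is_admin": True, "AuthenticationAuthority": [";ShadowHash;"]}
SAMPLE_POLICY = PasswordPolicy(min_length=12, require_letter=True, require_number=True,
                               differ_from_account_name=True, history=3, max_age_days=90,
                               max_failed_logins=5, max_inactive_days=60)
SPRING_2010 = date(2010, 3, 1)
SUMMER_2010 = date(2010, 6, 1)

if __name__ == "__main__":
    print(password_type(OD_USER), "/", password_type(LEGACY_USER))
    print(SAMPLE_POLICY.check_new_password(OD_USER, "jsmith"))
    print(SAMPLE_POLICY.account_state(OD_USER, SUMMER_2010))
```

The exemption in applies_to is where the text's two warnings meet: a crypt-password account never sees the policy (so the "use an Open Directory password instead of a crypt password" checklist item is what actually brings an account under policy), and an administrator is skipped so that the failed-login lockout cannot be turned against the people who can fix it.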
With single sign-on, a user enters a name and password once, in the login window. Thereafter, the user does not need to en ter a name and password for Apple file service, mail service, or other services that use Kerberos authentication.

To take advantage of single sign-on, users and services must be Kerberized (configured for Kerberos authentication) and use the same Kerberos Key Distribution Center (KDC) server.

User accounts that reside in an LDAP directory of Snow Leopard Server and have a password type of Open Directory use the server's built-in KDC. These user accounts are configured for Kerberos and single sign-on. The server's Kerberized services use the server's built-in KDC and are configured for single sign-on. This Snow Leopard Server KDC can also authenticate users for services provided by other servers. Having more servers with Snow Leopard Server use the Snow Leopard Server KDC requires only minimal configuration.

Kerberos Authentication

Kerberos was developed at MIT to provide secure authentication and communication over open networks like the Internet. It's named for the three-headed dog that guarded the entrance to the underworld of Greek mythology.

Kerberos provides proof of identity for two parties. It enables you to prove who you are to network services you want to use. It also proves to your applications that network services are genuine, not spoofed. Like other authentication systems, Kerberos does not provide authorization. Each network service determines what you are permitted to do based on your proven identity.

Kerberos permits a client and a server to identify each other much more securely than typical challenge-response password authentication methods. Kerberos also provides a single sign-on environment where users authenticate only once a day, week, or other period of time, easing authentication frequency.

Snow Leopard Server offers integrated Kerberos support that virtually anyone can deploy. Kerberos deployment is so automatic that users and administrators might not realize it's deployed. Mac OS X v10.3 and later use Kerberos when someone logs in using an account set for Open Directory authentication. It is the default setting for user accounts in the Snow Leopard Server LDAP directory. Other services provided by the LDAP directory server, such as AFP and mail service, also use Kerberos.

If your network has other servers with Snow Leopard Server, joining them to the Kerberos server is easy, and most of their services use Kerberos automatically. Alternatively, if your network has a Kerberos system such as Microsoft Active Directory, you can set up your Snow Leopard Server and Snow Leopard computers to use it for authentication.

Snow Leopard Server and Snow Leopard or later support Kerberos v5. Snow Leopard Server and Snow Leopard do not support Kerberos v4.

Smart Card Authentication

Smart cards enable you to carry your digital certificates with you. Snow Leopard allows you to use your smart card when an authentication dialog is presented. This robust, two-factor authentication mechanism complies with the Department of Defense Common Access Card, U.S. PIV, Belgium National Identification Card, Japanese government PKI, and Java Card 2.1 standards.

Similar to an ATM card and a PIN code, two-factor authentication relies on something you have and something you know. If your smart card is lost or stolen, it cannot be used unless your PIN is also known.

Appendix B: Security Checklist

This appendix contains a checklist of the recommended steps required to secure Snow Leopard Server. The action item checklists are ordered by chapter. You can customize these checklists to suit your needs. For example, you can mark the completion status of action items in the Completed? column. If you deviate from a suggested action item, you can use the Notes column to justify or clarify your decision. In the checklists below, only the Action Item column is listed; the Completed? and Notes columns are blank for you to fill in.

Installation Action Items
For details, see Chapter 2, Installing Snow Leopard Server.
• Securely erase the Mac OS X install partition before installation
• Disable the firmware password before installation
• Install Snow Leopard Server using Mac OS Extended disk formatting
• Do not install unnecessary packages
• Do not transfer confidential information in Server Assistant
• Do not connect to the Internet
• Create administrator accounts with difficult-to-guess names
• Create complex passwords for administrator accounts
• Do not enter a password-related hint; instead, enter help desk contact information
• Enter correct time settings
• Use an internal Software Update server
• Update system software using verified packages
• Repair disk permissions after installing software or software updates

Hardware and Core Snow Leopard Server Action Items
For details, see Chapter 3, Securing System Hardware.
• Restrict access to rooms that have computers
• Store computers in locked or secure containers when not in use
• Use a password-protected screen saver

Global Settings for Snow Leopard Server Action Items
For details, see Chapter 4, Securing Global System Settings.
• Require a firmware password
• Create an access warning for the login window
• Create an access warning for the command line
• Disable fast user switching with non-trusted users or when multiple users access local accounts

Account Configuration Action Items
For details, see Chapter 5, Securing Local Server Accounts.
• Create an administrator account and a standard account for each administrator
• Create a standard or a managed account for each nonadministrator
• Set parental controls for managed accounts
• Restrict the distribution and use of administrator accounts
• Modify the /etc/authorization file to secure directory domain access
• Disable su
• Disable the root account
• Restrict sudo users to only the commands they require
• Set a strong password policy
• Use Password Assistant to generate complex passwords
• Authenticate using a smart card, token, or biometric device
• Secure the login keychain
• Secure keychain items
• Create specialized keychains for different purposes
• Use a portable drive to store keychains

System Software Action Items
Chapter 5, Securing Local Server Accounts, describes how to secure system preferences. Every system preference with security-related configuration settings has its own action item checklist.

MobileMe Preferences Action Items
For details, see Securing MobileMe Preferences on page 96.
• Disable all Sync options
• Disable iDisk Syncing
• Enable Public Folder password protection
• Do not register computers for synchronization

Accounts Preferences Action Items
For details, see Securing Accounts Preferences on page 99.
• Change the initial password for the system administrator account
• Disable automatic login
• Display the login window as name and password
• Disable Show password hints
• Disable Enable fast user switching
• Disable Show the Restart, Sleep, and Shut Down buttons

Appearance Preferences Action Items
For details, see Securing Appearance Preferences on page 102.
• Do not display recent applications
• Do not display recent documents
• Do not display recent servers

Bluetooth Preferences Action Items
For details, see Securing Bluetooth Preferences on page 103.
• Disable Bluetooth for each user account in System Preferences
• Remove privileges to modify Bluetooth System Preferences

CDs & DVDs Preferences Action Items
For details, see Securing CDs & DVDs Preferences on page 105.
• Disable automatic actions for blank CDs for each user account
• Disable automatic actions for blank DVDs for each user account
• Disable automatic actions for music CDs for each user account
• Disable automatic actions for picture CDs for each user account
• Disable automatic actions for video DVDs for each user account
• Remove privileges to modify CDs & DVDs System Preferences

Exposé & Spaces Preferences Action Items
For details, see Securing Exposé & Spaces Preferences on page 115.
• Disable Dashboard

Date & Time Preferences Action Items
For details, see Securing Date & Time Preferences on page 107.
• Set a correct date and time
• Use a secure internal NTP server for automatic date and time setting

Desktop & Screen Saver Preferences Action Items
For details, see Securing Desktop & Screen Saver Preferences on page 109.
• Set a short inactivity interval for the screen saver
• Set a screen corner to Start Screen Saver for each user account
• Do not set a screen corner to Disable Screen Saver for each user account
• Remove privileges to modify Dashboard and Exposé System Preferences

Display Preferences Action Items
For details, see Securing Display Preferences on page 111.
• Disable display mirroring

Dock Preferences Action Items
For details, see Securing Dock Preferences on page 111.
• Set the Dock to hide when not in use

Energy Saver Preferences Action Items
For details, see Securing Energy Saver Preferences on page 112.
• Disable sleeping the computer for all power settings
• Enable sleeping the display for all power settings
• Enable sleeping the hard disk for all power settings
• Disable Wake when the modem detects a ring for all power settings
• Disable Wake for Ethernet network administrator access for power adapter settings
• Disable Restart automatically after a power failure for all power settings
• Disable Restart automatically if the computer freezes for all power settings

Keyboard and Mouse Preferences Action Items
For details, see Securing Bluetooth Preferences on page 103.
• Turn off Bluetooth

Network Preferences Action Items
For details, see Securing Network Preferences on page 118.
• Disable unused hardware devices
• Disable IPv6

Print & Fax Preferences Action Items
For details, see Securing Print & Fax Preferences on page 120.
• Use printers in secure locations only
• Disable printer sharing
• Disable print browsing
• Disable receiving faxes
• Disable sending faxes

QuickTime Preferences Action Items
For details, see Securing Security Preferences on page 122.
• Disable Save movies in disk cache
• Do not install third-party QuickTime software

Security Preferences Action Items
For details, see Securing Security Preferences on page 122.
• Require a password to wake the computer from sleep or screen saver for each account

Sharing Preferences Action Items
For details, see Securing Sharing Preferences on page 125.
• Disable Remote Login
• Disable Apple Remote Desktop
• Disable Remote Apple Events
• Rename your computer to a name that does not indicate the purpose of the computer

Software Update Preferences Action Items
For details, see Securing Software Update Preferences on page 126.
• Set Check for updates according to policy
• Disable Download important updates in the background
• Manually update using installer packages
• Transfer installer packages from a test computer
• Verify installer packages before installing

Sound Preferences Action Items
For details, see Securing Sound Preferences on page 128.
• Minimize input volume for the internal microphone
• Minimize input volume for the audio line-in port

Speech Preferences Action Items
For details, see Securing Speech Preferences on page 129.
• Enable speech recognition in a secure environment only
• Use headphones if you enable text to speech

Spotlight Preferences Action Items
For details, see Securing Spotlight Preferences on page 130.
• Prevent Spotlight from searching confidential folders

Startup Disk Preferences Action Items
For details, see Securing Startup Disk Preferences on page 133.
• Carefully choose the startup volume

Time Machine Preferences Action Items
For details, see Securing Time Machine Preferences on page 134.
• Turn Time Machine on
• Select a safe location to store backups in

Data Maintenance and Encryption Action Items
For details, see Chapter 8, Securing Data and Using Encryption.
• Set global permissions using POSIX or ACLs
• Strip setuid bits
• Secure home directory permissions
• Enable FileVault for every user
• Encrypt portable files
• Set the global umask by changing the NSUmask settings
• Mandate secure erasing of files
• Mandate secure erasing of partitions
• Mandate secure erasing of free space

Account Policies Action Items
Chapter 22, Securing Network Accounts, describes how to set up and manage account policies and user accounts, as well as how to configure settings and preferences for clients. Each topic with security-related configuration settings has its own action item checklist.

Share Points Action Items
For details, see Chapter 17, Securing File Services and Share Points.
• Enable SSL in Workgroup Manager
• Disable unused share points
• Disable unused sharing protocols
• Restrict share point access

Account Configuration Action Items
For details, see Securing Directory Accounts on page 319.
• Disallow simultaneous login
• Use an Open Directory password instead of a crypt password
• Enter a disk quota
• Use POP or IMAP for mail, not both
• Use POSIX or ACL permissions to determine group account access
• Restrict access to specific groups by assigning computers to a list
• If accounts are stored in a network domain, disable local accounts
• Specify a time interval to update the preferences cache

Applications Preferences Action Items
For details, see Managing Applications Preferences on page 284.
• Create a list of approved applications that users can open
• Deselect User can also open all applications on local volumes
• Deselect Allow approved applications to launch non-approved applications
• Deselect Allow UNIX tools to run

Dock Preferences Action Items
For details, see Managing Dock Preferences on page 291.
• Modify the Applications list to include required applications
• Modify the Documents and Folders list to include required documents and folders
• Deselect Merge with user's Dock
• Deselect My Applications
• Deselect Documents
• Deselect Network Home
• Select Automatically hide and show the Dock

Energy Saver Preferences Action Items
For details, see Managing Energy Saver Preferences on page 292.
• Disable sleeping the computer for all power settings
• Deselect Start up the computer

Finder Preferences Action Items
For details, see Managing Finder Preferences on page 293.
• Select Use normal Finder
• Deselect Hard Disks
• Deselect Removable media (such as CDs)
• Deselect Connected Servers
• Select Always show file extensions
• Deselect Connect to Server
• Deselect Go to iDisk
• Deselect Go to Folder
• Deselect Eject
• Deselect Burn Disk
• Deselect Restart
• Deselect Shut Down

Login Preferences Action Items
For details, see Managing Login Preferences on page 295.
• Deselect Add network home share point
• Deselect User may add and remove additional items
• Deselect User may press Shift to keep items from opening
• Do not allow login or logout scripts
• Do not allow LoginHook or LogoutHook scripts
• Enter help desk information as the login message
• Display the login window as name and password text fields
• Do not allow Restart or Shut Down buttons to show in the login window
• Do not allow password hints
• Deselect Auto Login Client Setting
• Deselect Allow users to log in using console
• Deselect Enable Fast User Switching
• Deselect Log out users after # minutes of activity

Media Access Preferences Action Items
For details, see Managing Media Access Preferences on page 298.
• Disable unnecessary media
• Deselect Allow for CDs
• Deselect Allow for CD-ROMs
• Deselect Allow for DVDs
• Deselect Allow for Recordable Disks
• Deselect Allow for Internal Disks
• Deselect Allow for External Disks
• Select Eject all removable media at logout

Mobility Preferences Action Items
For details, see Managing Mobility Preferences on page 299.
• Disable mobile accounts on insecure or infrequently accessed computers
• Use FileVault on every computer with portable home folders
• Deselect Synchronize account for offline use

Network Preferences Action Items
For details, see Managing Network Preferences on page 301.
• Use your organization-controlled proxy servers
• Bypass trusted hosts and domains
• Deselect Use Passive FTP Mode (PASV)

Printing Preferences Action Items
For details, see Managing Printing Preferences on page 307.
• Reduce access to printers
• Deselect Allow user to modify the printer list
• Deselect Allow printers that connect directly to user's computer
• If selecting Allow printers that connect directly to user's computer, then select Require an administrator password
• Select a printer and select Require an administrator password

Software Update Preferences Action Items
For details, see Managing Software Update Preferences on page 308.
• Designate an internal server to control software updates

Access to System Preferences Action Items
For details, see Managing Access to System Preferences on page 308.
• Select Appearance to appear in the System Preferences preferences
• Select Dashboard & Exposé to appear in the System Preferences preferences
• Select Displays to appear in the System Preferences preferences
• Select Dock to appear in the System Preferences preferences
• Select Keyboard & Mouse to appear in the System Preferences preferences
• Select Security to appear in the System Preferences preferences
• Select Universal Access to appear in the System Preferences preferences
• Disable widgets for network managed users

Universal Access Preferences Action Items
For details, see Managing Universal Access Preferences on page 309.
• Deselect Turn on Zoom
• Set Sticky Keys to Off
• Deselect Show pressed keys on screen

Certificates Action Items
For details, see Managing Certificates on page 163.
• Obtain certificates to use with SSL-enabled services
• Create a CA to issue certificates
• Create an SSL certificate for distribution
• Create the files and folders needed by SSL
• Export certificates to client computers

General Protocols and Service Access Action Items
For details, see Setting General Protocols and Access to Services on page 176.
• Configure NTP to use an internal time server
• Disable SNMP
• Enable SSH
• Do not use "server" or your own name to identify the server
• Set a correct date and time
• Use a secure internal NTP server for automatic date and time setting
• Use Certificate Manager to create, use, and maintain identities for SSL-enabled services
• Use SACLs to restrict access to AFP, FTP, and Windows file services

Remote Access Services Action Items
For details, see Securing Remote Access Services on page 185.
• Disable root login using SSH
• Modify the /private/etc/sshd_config file to further secure SSH
• Generate identity key pairs for login authentication
• Configure access for using SSH through Server Admin using SACLs
• Use SFTP instead of FTP
• Disable VPN services
• If using VPN services, enable either or both of L2TP and PPTP
• To use SecurID authentication, edit the VPN configuration file manually
• Configure an access warning banner
• Disable Apple Remote Desktop
• Encrypt Observe and Control traffic by setting Encrypt all network data
• Encrypt network data during file copy and package installation by setting Encrypt transfers when using Install Packages
• Disable Remote Apple Events

Network and Host Access Services Action Items
Securing Network Infrastructure Services on page 198 describes configuration information to secure your network services. Several services are provided to maintain your network. Each service with security-related configuration settings has its own action item checklist.

IPv6 Protocol Action Items
For details, see Using IPv6 Protocol on page 198.
• Enable IPv6
• Configure IPv6 manually or automatically

DHCP Service Action Items
For details, see Securing DHCP Service on page 200.
• Disable the DHCP service if not required
• If using DHCP, disable DNS, LDAP, and WINS
• Assign static IP addresses

DNS Service Action Items
For details, see Securing DNS Service on page 202.
• Disable the DNS service
• Allow only one system to act as the DNS server
• Allow recursive queries and zone transfers only from trusted clients, not from external networks
• Update and audit DNS regularly
• Specify which IP addresses are allowed to request zone transfers
• Configure BIND to respond with something other than the current version
• Limit or disable DNS recursion

Firewall Service Action Items
For details, see Configuring the Firewall on page 213.
• Create IP address groups
• Configure firewall rules for groups and services
• Configure advanced rules for groups and services
• Enable stealth mode
• Set up logging

NAT Service Action Items
For details, see Securing NAT Service on page 207.
• Disable NAT service if not required
• Configure NAT service
• If necessary, forward incoming traffic to an IP address

Bonjour Service Action Items
For details, see Securing Bonjour (mDNS) on page 210.
• Disable Bonjour unless required
• Disable unused services that should not be discovered through Bonjour

Collaboration Services Action Items
For details, see Securing iCal Service on page 222 and Securing iChat Service on page 225.
• Disable iCal service
• Disable iChat service
• If using iChat service, designate domain names to use
• Designate a certificate to use
• Monitor communication using iChat service logs

Mail Service Action Items
For details, see Securing Mail Service on page 233.
• Turn off support for any protocol that is not required
• Use different systems for providing outgoing and incoming mail service
• Enable SSL for the mail server
• Create and install a signed mail certificate for outgoing and incoming mail service protocols
• Use the Require setting in the SSL support options (recommended)
• Configure SMTP authentication requirements to reduce junk mail
• Create a list of approved host servers to relay mail
• Enable junk mail filtering
• Enable virus filtering
• Update the virus database at least twice a day
• Set up a problem report account
• Disable the SMTP banner

File Services Action Items
Securing File Services and Share Points on page 254 describes configuring file sharing services. Each type of file sharing service with security-related configuration settings has its own action item checklist.
• Disable file sharing services if not required
• Use as few protocols as possible
• Use AFP
• Disable FTP
• Disable NFS
• Disable SMB

AFP File Sharing Service Action Items
For details, see Configuring AFP File Sharing Service on page 258.
• Disable Bonjour registration
• Disable browsing with AppleTalk
• Disable Guest access
• Disable administrator to masquerade as another user
• Enter 1 for Guest Connections
• Enable access log
• Set frequency of archiving
• Implement settings for idle users

FTP File Sharing Service Action Items
For details, see Configuring FTP File Sharing Service on page 259.
NotesIfauthenticationispossible,useSFTPinsteadofFTPDisconnectclientafter1loginfailureEnteramailaddresssetuptohandleFTPadministrationSelectKerberosforaccessauthenticationAllowamaximumof1authenticateduserAppendixBSecurityChecklist 411NFSFileSharingServiceActionItemsFordetails,seeConfiguringNFSFileSharingServiceonpage262.SMBActionItemsFordetails,seeConfiguringSMBFileSharingServiceonpage263.EnableanonymousaccessanddesignatethenumberofanonymoususersDisableMacBinaryanddiskimageautoconversionEnableShowWelcomeMessageEnableShowBannerMessageLogallloginattemptsSetAuthenticateduserssee:toFTProotandSharePointsDesignatefilestosharewithanonymoususersConfigurethe/Library/FTPServer/Configuration/ftpaccessActionItem Completed? NotesActionItem Completed? NotesUseNFSonlyonasecureLANorwhenAppleandWindowsfilesharingsystemsareunavailableRestrictanNFSsharepointtothosesystemsthatrequireitMakethelistofexportoptionsasrestrictiveaspossibleActionItem Completed? NotesDonotallowguestaccessEnterthemaximumnumberofclientsconnectionsexpectedSetLogDetailtoatleastmediumDeselectWorkgroupMasterBrowserandDomainMasterBrowserservicesTurnoffWINSregistration412 AppendixBSecurityChecklistWebServiceActionItemsFordetails,seeSecuringWebServiceonpage271.ClientConfigurationManagementServicesActionItemsFordetails,seeSecuringClientConfigurationManagementServicesonpage284.DirectoryServicesActionItemsFordetails,seeSecuringDirectoryServicesonpage324.ActionItem Completed? NotesDisablewebserviceifnotrequiredDisablewebmodulesifnotrequiredDisableweboptionsifnotrequiredCreateorobtainsignedcertificatesforeachdomainnameEnableSSLforwebserviceIfWebDAVisenabled,assignaccessprivilegesforthesitesandwebfoldersDonotallowwebcontentfilesandfolderstobewritablebyworldConfigurearealmtoallowuseraccesstowebsitesAllowuserstoaccessblogsthroughanSSLenabledsiteActionItem Completed? NotesDisableNetBootandNetBootdiskimagesUseServerAdmintoviewNetBootclientsandthestatusofNetBootserviceActionItem Completed? 
NotesConfigureOpenDirectoryrolesConfigureKerberosAppendixBSecurityChecklist 413PrintServiceActionItemsFordetails,seeSecuringPrintServiceonpage337.MultimediaServicesActionItemsFordetails,seeSecuringMultimediaServicesonpage344.GridandClusterComputingServicesActionItemsFordetails,seeSecuringGridandClusterComputingServicesonpage354.SetaserveroutsideofdirectorydomainsasStandaloneServerEnableSSLSetglobalpasswordpoliciesSetbindingpoliciesSetsecuritypoliciesforOpenDirectoryActionItem Completed? NotesActionItem Completed? NotesUseServerAdmintomanageprintqueuesandconfiguresettingsSpecifyadefaultLPRqueueActionItem Completed? NotesUserServerAdmintoconfigureQTSSUsesecuredigestauthenticationtoconfigureclientaccesstostreamedmediafilesActionItem Completed? NotesIfpossible,useasinglesign-onpasswordAlwaysrequireauthenticationEnableXgridagentserviceSetapasswordforXgridEnableXgridcontrollerserviceSetapasswordforXgridcontroller414 AppendixBSecurityChecklistValidatingSystemIntegrityActionItemsFordetails,seeMaintainingSystemIntegrityonpage368.SetapasswordfortheserveractingasagridagentSetapasswordforagentstojoinagridandclientstosubmitjobsActionItem Completed? NotesActionItem Completed? 
- Install and enable auditing tools
- Configure audit settings
- Configure log files
- Configure local system using syslog.conf
- Enable remote system logging
- Install file integrity tools
- Install antivirus tools

Appendix C Scripts

# ---------------------------------------------------------------------
# Securing Firewall Service
# ---------------------------------------------------------------------
#
# Add Firewall to the services view
# ---------------------------------
sudo serveradmin settings info:serviceConfig:services:com.apple.ServerAdmin.ipfilter:configured = yes
# Start Firewall service
# ----------------------
sudo serveradmin start ipfilter
#
# Updating from an Internal Software Update Server
# ------------------------------------------------
# Default Settings.
# blank
# Software updates are downloaded from one of the following software update
# servers hosted by Apple.
# swscan.apple.com:80
# swquery.apple.com:80
# swcdn.apple.com:80
# Suggested Settings.
# Specify the software update server to use.
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index-leopard-snowleopard.merged-1.sucatalog
# Available Settings.
# Replace swupdate.apple.com with the fully qualified domain name (FQDN)
# or IP address of your software update server.
# To switch your computer back to the default Apple update server:
# sudo defaults delete com.apple.SoftwareUpdate CatalogURL
# Updating from Internet Software Update Server
# -----------------------------
# Default Settings.
# The softwareupdate command checks and lists available
# updates for download. Software Update preferences are set to the
# command-line equivalent of:
# sudo softwareupdate --list --schedule on
# Suggested Settings.
# Download and install software updates:
sudo softwareupdate --download --all --install
# Available Settings.
# Use the following commands to view softwareupdate options.
# sudo softwareupdate -h
# or
# man softwareupdate
# Updating Manually from Installer Packages
# -----------------------------------
# Default Settings.
# None
# Suggested Settings.
# Download software updates.
sudo softwareupdate --download --all
# Install software updates.
sudo installer -pkg $Package_Path -target /Volumes/$Target_Volume
# Available Settings.
# Use the following commands to view installer options.
# sudo installer -h
# or
# man installer
# Verifying the Integrity of Software
# -----------------------------------
# Default Settings.
# None
# Suggested Settings.
# Use the sha1 command to display a file's SHA-1 digest.
# Replace $full_path_filename with the full path filename of the update
# package or image whose SHA-1 digest is being checked.
sudo /usr/bin/openssl sha1 $full_path_filename
# Available Settings.
# Use the following command to view the version of OpenSSL installed on
# your computer.
# sudo openssl version
# Use the following command to view openssl options.
# man openssl
# -------------------------------------------------------------------
# Protecting System Hardware
# -------------------------------------------------------------------
# Securing Wi-Fi Hardware
# -----------------------
# Remove AppleAirport kernel extensions.
sudo srm -r /System/Library/Extensions/IO80211Family.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Removing Bluetooth Support Software
# -----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Bluetooth kernel extensions.
sudo srm -r /System/Library/Extensions/IOBluetoothFamily.kext
sudo srm -r /System/Library/Extensions/IOBluetoothHIDDriver.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Removing IR Support Software
# -----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove IR kernel extensions.
sudo srm -rf /System/Library/Extensions/AppleIRController.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing Audio Support Software
# -----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Audio Recording kernel extensions.
sudo srm -rf /System/Library/Extensions/AppleUSBAudio.kext
sudo srm -rf /System/Library/Extensions/IOAudioFamily.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing Video Recording Support Software
# -----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove Video Recording kernel extensions.
# Remove external iSight camera.
sudo srm -rf /System/Library/Extensions/Apple_iSight.kext
# Remove internal iSight camera.
sudo srm -rf /System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/AppleUSBVideoSupport.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing USB Support Software
# -----------------------------
# Remove USB kernel extensions.
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
sudo srm -rf /System/Library/Extensions/IOUSBMassStorageClass.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing FireWire Support Software
# -----------------------------
# Default setting.
# kext files are installed and loaded.
# Suggested Setting.
# Remove FireWire kernel extensions.
sudo srm -rf /System/Library/Extensions/IOFireWireSerialBusProtocolTransport.kext
# Remove Extensions cache files.
sudo touch /System/Library/Extensions
# Available Settings.
# None
# Securing Global System Settings
# -------------------------------------------------------------------------
# Configuring Firmware Settings
# ----------------------------------
# Default Setting.
# security-mode is off
# Suggested Setting.
# Secure startup by setting security-mode. Replace $mode_value with
# "command" or "full".
sudo nvram security-mode="$mode_value"
# Verify security-mode setting.
sudo nvram -x -p
# Available Settings.
# security-mode.
# "command"
# "full"
# Use the following command to view the current nvram settings.
# nvram -x -p
# Use the following commands to view nvram options.
# nvram -h
# or
# man nvram
# Enabling Access Warning for the Login Window
# ----------------------------------
# Create a login window access warning.
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"
# You can also use the BannerSample project to create an access warning.
# Enabling Access Warning for the Command Line
# ----------------------------------
# Create a command-line access warning.
# (The append is done through tee so that the write to the root-owned file
# runs with root privileges; a plain ">>" redirection after sudo runs as the
# invoking user and fails.)
sudo touch /etc/motd
sudo chmod 644 /etc/motd
echo "Warning Text" | sudo tee -a /etc/motd > /dev/null
# -------------------------------------------------------------------
# Securing System Preferences
# -------------------------------------------------------------------
# Securing MobileMe Preferences
# -------------------------
# Default Setting.
# If a MobileMe account is entered during setup, MobileMe is configured
# for that account.
# Use the following command to display current MobileMe settings.
# defaults -currentHost read com.apple.
# Use the following command to view all current settings for currentHost.
# defaults -currentHost read
# Suggested Setting.
# Disable Sync options.
sudo defaults -currentHost write com.apple.DotMacSync ShouldSyncWithServer 1
# Disable iDisk Syncing. (The key is the user name followed by
# "_MirrorEnabled", so the variable must be braced.)
sudo defaults -currentHost write com.apple.idisk ${USER}_MirrorEnabled -bool no
# Available Settings.
# None
# Securing Accounts Preferences
# -----------------------------
# Change an account's password on a client system.
# Don't use this command if other users are also logged in.
sudo dscl /LDAPv3/127.0.0.1 passwd /Users/$User_name $Oldpass $Newpass
# Change an account's password on a server.
# Don't use this command if other users are also logged in.
sudo dscl . passwd /Users/$User_name $Oldpass $Newpass
# Make sure there is no password hint set.
sudo defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
# Disable Show the Restart, Sleep, and Shut Down buttons.
sudo defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisable -bool yes
# Disable fast user switching. This command does not prevent multiple users
# from being logged in.
sudo defaults write /Library/Preferences/.GlobalPreferences MultipleSessionEnabled -bool NO
# Disable Automatic login.
sudo defaults write /Library/Preferences/.GlobalPreferences com.apple.userspref.DisableAutoLogin -bool yes
# Securing Appearance Preferences
# -----------------------------
# Default Setting.
# MaxAmount 10
# Suggested Setting.
# Disable display of recent applications.
sudo defaults write com.apple.recentitems Applications -dict MaxAmount 0
# Available Settings.
# MaxAmount 0,5,10,15,20,30,50
# Securing Bluetooth Preferences
# -----------------------------
# Default Setting.
# Turn Bluetooth on.
# Suggested Setting.
# Turn Bluetooth off.
sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
# Available Settings.
# 0 (OFF) or 1 (ON)
# Securing CDs & DVDs Preferences
# -----------------------------
# Default Setting.
# Preference file non existent: /Library/Preferences/com.apple.digihub
# Blank CD: "Ask what to do"
# Blank DVD: "Ask what to do"
# Music CD: "Open iTunes"
# Picture CD: "Open iPhoto"
# Video DVD: "Open DVD Player"
# Suggested Setting.
# Disable blank CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1
# Disable music CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1
# Disable picture CD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1
# Disable blank DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1
# Disable video DVD automatic action.
sudo defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1
# Available Settings.
# action 1 = "Ignore"
# action 2 = "Ask what to do"
# action 5 = "Open other application"
# action 6 = "Run script"
# action 100 = "Open Finder"
# action 101 = "Open iTunes"
# action 102 = "Open Disk Utility"
# action 105 = "Open DVD Player"
# action 106 = "Open iDVD"
# action 107 = "Open iPhoto"
# action 109 = "Open Front Row"
# Securing Date & Time Preferences
# -----------------------------
# Default Setting.
# NTP Server: time.apple.com
# Time Zone: Set time zone automatically using current location
# Suggested Setting.
# Set the NTP server.
sudo cat >> /etc/ntp.conf
# autohide -bool YES
# autohide -bool NO
# Securing Energy Saver Preferences
# -----------------------------
# Default Setting.
# None
# Suggested Setting.
# Disable computer sleep.
sudo pmset -a sleep 0
# Enable hard disk sleep.
sudo pmset -a disksleep 1
# Disable Wake for Ethernet network administrator access.
sudo pmset -a womp 0
# Disable Restart automatically after power failure.
sudo pmset -a autorestart 0
# Available Settings.
# 0 (OFF) or 1 (ON)
# Securing Exposé & Spaces Preferences
# -----------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable dashboard.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.dashboard.advisory.fetch.plist
# Available Settings.
# Enabled or Disabled
# Bluetooth Sharing
# -----------------------------
# Default Setting.
# Bluetooth Sharing: Disabled
# Suggested Setting.
# Disable Bluetooth Sharing.
sudo defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0
# Available Settings.
# Bluetooth Sharing.
# Disabled
# Enabled
# Securing Network Preferences
# -----------------------------
# Default Setting.
# Enabled
# Suggested Setting.
# Disable IPv6.
sudo networksetup -setv6off $interface
# Available Settings.
# The interface value can be AirPort, Bluetooth, Ethernet, or FireWire
# Securing Print & Fax Preferences
# -----------------------------
# Default Setting.
# Disabled
# Suggested Setting.
# Disable the receiving of faxes.
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.efax.plist
# Disable printer sharing.
# (The rewritten configuration is written back through tee so that the
# write to the root-owned file runs with root privileges; a plain ">"
# redirection after sudo runs as the invoking user and fails.)
sudo cp /etc/cups/cupsd.conf $TEMP_FILE
if /usr/bin/grep -q "Port 631" /etc/cups/cupsd.conf
then
    sudo /usr/bin/sed "/^Port 631.*/s//Listen localhost:631/g" $TEMP_FILE | \
        sudo tee /etc/cups/cupsd.conf > /dev/null
else
    echo "Printer Sharing not on"
fi
# Available Settings.
# Enabled or Disabled
# Securing Security Preferences
# -----------------------------
# Default Setting.
# Required Password Wake: Disabled
# Automatic Login: Disabled
# Password Unlock Preferences: Enabled
# Secure Virtual Memory is Enabled on portable computers and is Disabled
# on desktop computers.
# IR remote control: Enabled
# FileVault: Disabled
# Suggested Setting.
# Enable Require password to wake this computer from sleep or screen saver.
sudo defaults -currentHost write com.apple.screensaver askForPassword -int 1
# Disable IR remote control.
sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool no
# Enable FileVault.
# To enable FileVault for new users, use this command.
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
# Enable Firewall.
# Replace $value with
# 0 = off
# 1 = on for specific services
# 2 = on for essential services
sudo defaults write /Library/Preferences/com.apple.alf globalstate -int $value
# Securing Sharing Preferences
# -----------------------------
# Default Setting.
# $host_name = User's Computer
# Suggested Setting.
# Change computer name where $host_name is the name of the computer.
sudo systemsetup -setcomputername $host_name
# Change computer Bonjour host name.
sudo scutil --set LocalHostName $host_name
# Available Setting.
# The host name cannot contain spaces or other non-DNS characters.
# Securing Software Updates Preferences
# -----------------------------
# Default Setting.
# Check for Updates: Enabled
# Check Updates: Weekly
# Suggested Setting.
# Disable check for updates and Download important updates automatically.
sudo softwareupdate --schedule off
# Available Setting.
# Check for Updates: Enabled or Disabled
# Check Updates: Daily, Weekly, Monthly
# Securing Sound Preferences
# -----------------------------
# Default Setting.
# Internal microphone or line in: Enabled
# Suggested Setting.
# Disable internal microphone or line in.
# This command does not change the input volume for input devices. It
# only sets the default input device volume to zero.
sudo osascript -e 'set volume input volume 0'
# Available Setting.
# Internal microphone or line in: Enabled or Disabled
# Securing Speech Preferences
# -----------------------------
# Default Setting.
# Speech Recognition: Disabled
# Text to Speech: Enabled
# Suggested Setting.
# Disable Speech Recognition.
sudo defaults write "com.apple.speech.recognition.AppleSpeechRecognition.prefs" StartSpeakableItems -bool false
# Disable Text to Speech settings.
sudo defaults write "com.apple.speech.synthesis.general.prefs" TalkingAlertsSpeakTextFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenNotificationAppActivationFlag -bool false
sudo defaults write "com.apple.speech.synthesis.general.prefs" SpokenUIUseSpeakingHotKeyFlag -bool false
sudo defaults delete "com.apple.speech.synthesis.general.prefs" TimeAnnouncementPrefs
# Available Setting.
# Each item can be set to ON or OFF.
# OFF: -bool false
# ON: -bool true
# Securing Spotlight Preferences
# -----------------------------
# Default Setting.
# ON for all volumes
# Suggested Setting.
# Disable Spotlight for a volume and erase its current metadata, where
# $volumename is the name of the volume.
sudo mdutil -E -i off $volumename
# Available Setting.
# Spotlight can be turned ON or OFF for each volume.
# Securing Startup Disk Preferences
# -----------------------------
# Default Setting.
# Startup Disk = Macintosh HD
# Suggested Setting.
# Set startup disk.
sudo systemsetup -setstartupdisk $path
# Available Setting.
# Startup Disk = Valid Boot Volume
# Securing Time Machine Preferences
# -----------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Enable Time Machine.
sudo defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1
# Available Setting.
# 0 (OFF) or 1 (ON)
# Securing Universal Access Preferences
# -----------------------------
# Default Setting.
# OFF
# Suggested Setting.
# Disable VoiceOver service.
launchctl unload -w /System/Library/LaunchAgents/com.apple.VoiceOver.plist
launchctl unload -w /System/Library/LaunchAgents/com.apple.ScreenReaderUIServer.plist
launchctl unload -w /System/Library/LaunchAgents/com.apple.scrod.plist
# Available Setting.
# None
#
# Securing System Swap and Hibernation Storage
# -----------------------------
# Enable secure virtual memory.
sudo defaults write /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap -bool YES
# Restart to take effect.
# sudo shutdown -r now
# -------------------------------------------------------------------
# Using Disk Utility to Securely Erase Free Space
# -------------------------------------------------------------------
# Overwrite a device with zeroes.
sudo diskutil zeroDisk /dev/device
# Secure erase (7-pass) free space on a volume.
sudo diskutil secureErase freespace 2 /dev/device
# Secure erase (7-pass) a volume.
sudo diskutil secureErase 2 /dev/device
# -------------------------------------------------------------------
# Adding the security tool edit trust settings
# -------------------------------------------------------------------
# Where is the local file path to the certificate.
#sudo /usr/bin/security add-trusted-cert -d -k /Library/Keychains/System.keychain
# ---------------------------------------------------------------------
# Setting General Protocols
# ---------------------------------------------------------------------
#
# Disable NTP Client access.
# -----------
sudo systemsetup -setusingnetworktime off
#
# Disable NTP service.
#------------
sudo serveradmin settings info:ntpTimeServe = no
#
# Disable SNMP.
# ------------
sudo serveradmin settings info:enableSNMP = no
# or alternatively:
#sudo service org.net-snmp.snmpd stop
#
# Enable SSH.
# ----------
sudo service ssh start
# or alternatively:
# sudo serveradmin settings info:enableSSH = yes
#
# Remote Management (ARD)
# -----------------------------
# Limiting Remote Management Access
# Repeat for each specified user.
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users $ARD_USERNAME -privs - -restart
# Specify the user
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -allowAccessFor -specifiedUsers $ARD_USERNAME
#
#
# Disable Remote Management
# ---------------------------
# To remove user access:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off
# To stop the ARD agent:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -agent -stop
# To disable the service:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
# or alternatively:
# sudo serveradmin settings info:enableARD = no
#
# Remote Apple Events (RAE)
# -----------------------------
# Disable Remote Apple Events.
sudo launchctl unload -w /System/Library/LaunchDaemons/eppc.plist
# Set SACL permissions for a service.
# ----------------------------------
sudo dseditgroup -o edit -a $USER -t user $SACL_GROUP
# ---------------------------------------------------------------------
# Enabling IPv6
# ---------------------------------------------------------------------
# Enable IPv6.
# -------------------------------
sudo networksetup -setv6on [networkservice]
# ---------------------------------------------------------------------
# Securing DHCP Service
# ---------------------------------------------------------------------
# Disable DHCP Service
# --------------------
sudo serveradmin stop dhcp
# Configuring DHCP Services
# -------------------------
# Set a DHCP subnet's DNS, LDAP, and WINS parameters to no value
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_domain_name_server:_array_index:0 = ""
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:dhcp_ldap_url:_array_index:0 = -empty_array
sudo serveradmin settings dhcp:configuation:subnets:_array_id:$SUBNET_GUID:WINS_node_type = "NOT SET"
# Set a DHCP client's static IP address
# -------------------------------------
# Each computer needs its own GUID within the static map array.
# Increment the array index value for network interfaces
# for a single computer.
sudo serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:ip_address:_array_index:0 = $ASSIGNED_IP_ADDRESS
sudo serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:en_address:_array_index:0 = $COMPUTER_MAC_ADDRESS
sudo serveradmin settings dhcp:static_maps:_array_id:$GUID_FOR_STATIC_CLIENT:name = $COMPUTER_NAME
# ---------------------------------------------------------------------
# Securing DNS Service
# ---------------------------------------------------------------------
# Disable DNS Service.
# -------------------
sudo serveradmin stop dns
# ---------------------------------------------------------------------
# Securing NAT Service
# ---------------------------------------------------------------------
# Disable NAT service.
# -------------------
sudo serveradmin stop nat
# Block Bonjour listening.
# -------------------------
# Default Setting.
# Bonjour is enabled
# Firewall is disabled
# Suggested Setting.
# Add the following line to /etc/ipfw.conf.
add 00001 deny udp from any to me dst-port 5353
# Reload the firewall rules.
sudo /sbin/ipfw flush
sudo /sbin/ipfw /etc/ipfw.conf
# ---------------------------------------------------------------------
# Securing Firewall Service
# ---------------------------------------------------------------------
# Start firewall service.
# ----------------------
sudo serveradmin start ipfilter
# Enable stealth mode.
# -------------------
sudo serveradmin settings ipfilter:blackHoleTCP = true
sudo serveradmin settings ipfilter:blackHoleUDP = true
# View the firewall service log.
# -----------------------------
sudo tail /var/log/ipfw.log
# ---------------------------------------------------------------------
# Securing Collaboration Services
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# Securing iCal service
# ---------------------------------------------------------------------
# Disable iCal service.
# -------------------------------
sudo serveradmin stop calendar
# Choose an authentication method for iCal service.
# ------------------------------------------------
# To enable all auth methods:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# To choose Digest auth only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "no"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "yes"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# For Kerberos only:
sudo serveradmin settings calendar:Authentication:Kerberos:Enabled = "yes"
sudo serveradmin settings calendar:Authentication:Digest:Enabled = "no"
sudo serveradmin stop calendar; sudo serveradmin start calendar
# Enable secure network traffic using SSL transport.
# --------------------------------------------------
sudo serveradmin settings calendar:SSLPort = 8443
# View the iCal service log
# --------------------------
sudo tail /var/log/caldavd/access.log
# Disable iChat service.
# --------------------------
sudo serveradmin stop jabber
# Securely configure iChat service.
# To select an iChat server certificate:
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"
# (Or replace the path with the full path to the certificate that you want
# to select.)
# Restart the service if it is running:
sudo serveradmin stop jabber; sudo serveradmin start jabber
# To select an iChat server auth method use one of the following:
sudo serveradmin settings jabber:authLevel = "ANYMETHOD"
sudo serveradmin settings jabber:authLevel = "KERBEROS"
sudo serveradmin settings jabber:authLevel = "STANDARD"
# Then restart the service:
sudo serveradmin stop jabber
sudo serveradmin start jabber
#
# Select a certificate.
# --------------------
sudo serveradmin settings jabber:sslKeyFile = "/etc/certificates/Default.crtkey"
# View the iChat service log.
# --------------------------
sudo tail /var/log/server.log | grep jabberd
# ---------------------------------------------------------------------
# Securing Wiki Service
# ---------------------------------------------------------------------
# Disable Wiki service.
# -------------------
sudo serveradmin stop teams
#
# View the wiki service log.
# --------------------------
sudo tail /Library/Logs/wikid/access.log
# ---------------------------------------------------------------------
# Securing Podcast Producer Service
# ---------------------------------------------------------------------
# Disable Podcast Producer service.
# --------------------------------
sudo serveradmin stop pcast
#
# View the Podcast Producer service log.
# -------------------------------------
sudo tail /Library/Logs/pcastserverd/pcastserverd_out.log
# ---------------------------------------------------------------------
# Securing Mail Service
# ---------------------------------------------------------------------
# Disable mail service protocols
sudo serveradmin settings mail:imap:enable_pop = no
sudo serveradmin settings mail:imap:enable_imap = no
sudo serveradmin settings mail:postfix:enable_smtp = no
# Set the POP authentication method:
sudo serveradmin settings mail:imap:pop_auth_apop = no
sudo serveradmin settings mail:imap:pop_auth_clear = no
sudo serveradmin settings mail:imap:pop_auth_gssapi = no
# Set SSL transport for POP connections:
sudo serveradmin settings mail:imap:tls_server_options = "use"
# Set secure IMAP authentication:
sudo serveradmin settings mail:imap:imap_auth_login = no
sudo serveradmin settings mail:imap:imap_auth_plain = no
sudo serveradmin settings mail:imap:imap_auth_gssapi = no
sudo serveradmin settings mail:imap:imap_auth_clear = no
sudo serveradmin settings mail:imap:imap_auth_cram_md5 = no
# Configure SSL transport for IMAP connections (same as POP)
sudo serveradmin settings mail:imap:tls_server_options = "use"
# Allow secure SMTP authentication:
sudo serveradmin settings mail:postfix:smtpd_sasl_auth_enable = yes
sudo serveradmin settings mail:postfix:smtpd_use_pw_server = "yes"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "gssapi"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "cram-md5"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "login"
sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "plain"
# Configure SSL transport for SMTP connections:
sudo serveradmin settings mail:postfix:smtpd_use_tls = "yes"
# Enable a user's mail access using ACLs
sudo dseditgroup -o edit -a $USER -t user com.apple.access_mail
# Restrict SMTP relay:
sudo serveradmin settings mail:postfix:mynetworks_enabled = yes
# Reject unauthorized SMTP connections:
sudo serveradmin settings mail:postfix:smtp_reject_list_enabled = yes
sudo serveradmin settings mail:postfix:smtp_reject_list:_array_index:0 = "$NETWORK"
# Reject mail from blacklisted senders:
sudo serveradmin settings mail:postfix:black_hole_domains:_array_index:0 = "$BLACKLIST_SERVER"
sudo serveradmin settings mail:postfix:maps_rbl_domains_enabled = yes
# Enable junk mail screening:
sudo serveradmin settings mail:postfix:spam_scan_enabled = yes
# Train the filter:
sudo sa-learn --showdots --spam $JUNK_DIRECTORY/*
sudo sa-learn --showdots --ham $NON_JUNK_DIRECTORY/*
# Automatically train the junk mail filter:
sudo /etc/mail/spamassassin/learn_junk_mail
# Allow mail by language and locale:
sudo serveradmin settings mail:postfix:spam_ok_languages = "en fr de"
sudo serveradmin settings mail:postfix:spam_ok_locales = "en"
# Enable virus screening:
sudo serveradmin settings mail:postfix:virus_scan_enabled = yes
# View a mail service log:
sudo tail /var/log/mail.log
# ---------------------------------------------------------------------
# Securing Antivirus Services
# ---------------------------------------------------------------------
# Enable virus screening
sudo serveradmin settings mail:postfix:virus_scan_enabled = yes
# View a virus log:
sudo tail /var/log/amavisd.log
# ---------------------------------------------------------------------
# Securing File Services
# ---------------------------------------------------------------------
# Disable file sharing services.
sudo serveradmin stop afp
sudo serveradmin stop smb
sudo serveradmin stop ftp
sudo serveradmin stop nfs
# Securely configure AFP service:
sudo serveradmin settings afp:registerNSL = no
sudo serveradmin settings afp:attemptAdminAuth = no
sudo serveradmin settings afp:clientSleepOnOff = no
sudo serveradmin settings afp:idleDisconnectOnOff = yes
sudo serveradmin settings afp:authenticationMode = "kerberos"
sudo serveradmin settings afp:activityLog = yes
sudo serveradmin settings afp:guestAccess = no
# Configure FTP to provide anonymous FTP downloads:
sudo serveradmin settings ftp:logSecurity:anonymous = yes
sudo serveradmin settings ftp:logSecurity:guest = yes
sudo serveradmin settings ftp:logSecurity:real = yes
sudo serveradmin settings ftp:maxRealUsers = 1
sudo serveradmin settings ftp:enableMacBinAndDmgAutoConversion = no
sudo serveradmin settings ftp:authLevel = "KERBEROS"
sudo serveradmin settings ftp:anonymousAccessPermitted = yes
sudo serveradmin settings ftp:bannerMessage = "$BANNER"
sudo serveradmin settings ftp:maxAnonymousUsers = 500
sudo serveradmin settings ftp:administratorEmailAddress = "user@domain.com"
sudo serveradmin settings ftp:logCommands:anonymous = yes
sudo serveradmin settings ftp:logCommands:guest = yes
sudo serveradmin settings ftp:logCommands:real = yes
sudo serveradmin settings ftp:loginFailuresPermitted = 1
sudo
serveradmin settings ftp:welcomeMessage = "$WELCOME"# Securely configure Windows file sharing servicesudo serveradmin settings smb:wins support = nosudo serveradmin settings smb:domain master = nosudo serveradmin settings smb:map to guest = "Never"sudo serveradmin settings smb:auth methods = "odsam"sudo serveradmin settings smb:ntlm auth = "no"sudo serveradmin settings smb:max smbd processes = 1000sudo serveradmin settings smb:log level = 1sudo serveradmin settings smb:preferred master = nosudo serveradmin settings smb:os level = 65# ---------------------------------------------------------------------# Securing Web Service# ---------------------------------------------------------------------# Disable web service:sudo serveradmin stop web# Disable web options:436 AppendixCScriptssudo serveradmin settings web:Modules:_array_id:authz_host_module:enabled = nosudo serveradmin settings web:Modules:_array_id:dav_module:enabled = nosudo serveradmin settings web:Modules:_array_id:dav_fs_module:enabled = nosudo serveradmin settings web:Modules:_array_id:apple_spotlight_module:enabled = nosudo serveradmin settings web:Sites:_array_id:$SITE:SpotlightIndexing = nosudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:AllowOverride = "None"sudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:IfModule:_array_id:mod_dav.c:DAV = nosudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Includes = nosudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:ExecCGI = nosudo serveradmin settings web:Sites:_array_id:$SITE:Directory:_array_id:/Library/WebServer/Documents:Options:Indexes = nosudo serveradmin settings web:Sites:_array_id:default_default:SpotlightIndexing = no## Configure Apache to prompt you for a passphrase when it starts.#---------------------------------sudo serveradmin 
settings web:IfModule:_array_id:mod_ssl.c:SSL PassPhraseDialog=builtin## View logs.#-----------sudo tail /var/log/apache2/access_log## Disable blog service.#---------------------sudo serveradmin settings web:Sites:_array_id:$SITE:weblog = no# ---------------------------------------------------------------------# Securing Tomcat# ---------------------------------------------------------------------# Stop Tomcat using Server Admin:sudo /Library/Tomcat/bin/startup.sh stop# ---------------------------------------------------------------------# Securing MySQL# ---------------------------------------------------------------------# Turn MySQL service offsudo serveradmin stop mysql#AppendixCScripts 437# Configure MySQL service settings.#---------------------------------sudo serveradmin settings mysql:allowNetwork = no## View MySQL service logs.# ------------------------sudo tail /Library/Logs/MySQL.log# Securing Client Configuration Management Services# =================================================# If the intended target is a client system, the target for the dscl# commands should be "/LDAPv3/127.0.0.1". 
If the management target is the# server itself, the target should be ".".# Disable Front Row:sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.frontrow PreventActivation always -bool 1# Setting up a list of accessible applications# --------------------------------------------# Allow access to applications stored on the user's local hard disk:sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess OpenItemsInternalDrive always -bool 1# Allow helper applications:sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess ApprovedAppLaunchesOthers always -bool 1# Allow UNIX tools:sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.applicationaccess AllowUnbundledApps always -bool 1# Managing Dock Preferences# -------------------------# Set Dock hidingsudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide-immutable always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.dock autohide always -bool 1# Managing Finder Preferences# ---------------------------# Manage Finder preferences:sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder AppleShowAllExtensions-immutable always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitBurn always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitConnectTo always -bool 1438 AppendixCScriptssudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitEject always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToFolder always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ProhibitGoToiDisk always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowHardDrivesOnDesktop-immutable always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowMountedServersOnDesktop-immutable 
always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.finder ShowRemovableMediaOnDesktop-immutable always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences AppleShowAllExtensions always -bool 1# Managing Login Preferences# --------------------------# Manage login preferences:sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow LoginwindowText always -string "$LOGIN_WINDOW_MESSAGE"sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow mcx_UseLoginWindowText always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow RestartDisabled always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow ShutDownDisabled always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow SHOWFULLNAME always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.loginwindow DisableConsoleAccess always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER .GlobalPreferences MultipleSessionEnabled always -bool 0# Managing Network Preferences# ----------------------------# Manage network preferences:sudo networksetup -setwebproxystate Ethernet onsudo networksetup -setwebproxy Ethernet "http://$SERVER" 8008sudo networksetup -setpassiveftp Ethernet on# Managing Parental Control Preferences# -------------------------------------# Hide profanity:sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.Dictionary parentalControl always -bool 1# Managing Printing Preferences# -----------------------------# Manage printing preferences:AppendixCScripts 439sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting RequireAdminToAddPrinters always -bool 1sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER com.apple.mcxprinting AllowLocalPrinters always -bool 0# Managing Software Update Preferences# ------------------------------------# Manage Software Update 
preferences:sudo dscl /LDAPv3/127.0.0.1 mcxset /Computers/$COMPUTER com.apple.SoftwareUpdate CatalogURL always -string "http:/$SERVER:8088/index.sucatalog"# Managing Universal Access Preferences# -------------------------------------# Manage Universal Access preferences:sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKey always -bool 0sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyBeepOnModifier always -bool 0sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess stickyKeyShowWindow always -bool 0sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewDriver always -bool 0sudo dscl /LDAPv3/127.0.0.1 mcxset /Users/$USER -v 2 com.apple.universalaccess closeViewShowPreview always -bool 0# ---------------------------------------------------------------------# Securing NetBoot Service# ---------------------------------------------------------------------## Disable NetBoot.sudo serveradmin stop netboot## Securely configure NetBoot.## View NetBoot service logs.sudo tail /var/log/system.log | grep bootpd# ---------------------------------------------------------------------# Securing Software Update Service# ---------------------------------------------------------------------# Disable Software Update:sudo serveradmin stop swupdate## Specify which client can access software updates.# ----------------------------------sudo serveradmin settings swupdate:autoEnable = no440 AppendixCScripts## View Software Update service logs.# ----------------------------------sudo tail /var/log/swupd/swupd_*# ---------------------------------------------------------------------# Securing Directory Services# ---------------------------------------------------------------------# Configure the Open Directory role:sudo slapconfig -createldapmasterandadmin $ADMIN $ADMIN_FULL_NAME $ADMIN_UID $SEARCH_BASE $REALM# Start Kerberos manually on an Open Directory 
master:sudo kdcsetup -a $ADMIN $REALM## Change the global password policy of user accounts in the same domain.# ----------------------------------sudo pwpolicy -a $ADMIN_USER -setglobalpolicy "usingHistory=3 requiresAlpha requiresNumeric maxMinutesUnilChangePassword=131487 minChars=12 maxFailedLoginAttempts=3"## Set the binding policy for an Open Directory master.# ---------------------------------sudo slapconfig -setmacosxodpolicy -binding required## Set the security policy for an Open Directory master.# ----------------------------------------sudo slapconfig -setmacosxodpolicy -cleartext blocked -encrypt yes -sign yes -man-in-the-middle blocked -clientcaching no# ---------------------------------------------------------------------# Securing RADIUS Service# ---------------------------------------------------------------------# Disable RADIUSsudo serveradmin stop radiusc# Use a custom certificate:sudo serveradmin settings radius:eap.conf:CA_file = "/etc/certificates/$CA_CRT"sudo serveradmin settings radius:eap.conf:private_key_file = "/etc/certificates/$KEY"sudo serveradmin settings radius:eap.conf:private_key_password = "$PASS"sudo serveradmin settings radius:eap.conf:certificate_file = "/etc/certificates/$CERT"AppendixCScripts 441## Edit RADIUS access.# -------------------sudo dseditgroup -o edit -a $USER -t user com.apple.access_radius## View the RADIUS log# ---------------------------sudo tail /var/log/radius/radius.log# ---------------------------------------------------------------------# Securing Print Service# ---------------------------------------------------------------------## Disable print service.# ----------------------sudo serveradmin stop print# Set administrator SACL permissions for print service:sudo dseditgroup -o edit -a $USER -t user com.apple.monitor_print## Configure Kerberos for print service.# ------------------------------------sudo serveradmin settings sudo serveradmin settings print:authType = KERBEROS## Configure a Print queue.# 
-----------------------sudo serveradmin settings print:lprQueues:_array_index:0 = $PRINTER_SHARING_NAMEsudo serveradmin settings print:queuesArray:_array_id:example_com:sharingName = $PRINTER_SHARING_NAMEsudo serveradmin settings print:queuesArray:_array_id:example_com:quotasEnforced = yessudo serveradmin settings print:queuesArray:_array_id:example_com:showNameInBonjour = nosudo serveradmin settings print:queuesArray:_array_id:example_com:defaultCoverPage = "classified"sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:service = "IPP"sudo serveradmin settings print:queuesArray:_array_id:example_com:sharingList:_array_index:0:sharingEnable = yessudo serveradmin settings print:queuesArray:_array_id:example_com:printerURI = "lpd://example.com"sudo serveradmin settings print:queuesArray:_array_id:example_com:shareable = yes442 AppendixCScriptssudo serveradmin settings print:queuesArray:_array_id:example_com:printerName = "example_com"sudo serveradmin settings print:useRemoteQueues = yessudo serveradmin settings print:coverPageNames:_array_index:0 = "classified"## View print service logs.# -----------------------sudo tail /Library/Logs/PrintService/PrintService_admin.log# ---------------------------------------------------------------------# Securing Multimedia Services# ---------------------------------------------------------------------## Disable QTSS.# -------------sudo serveradmin stop qtss## Configure a streaming server.# ----------------------------sudo serveradmin settings qtss:server:bind_ip_addr:_array_index:0 = "$BIND_IP_ADDRESS"# Serve QuickTime streams over HTTP port 80:sudo serveradmin settings qtss:server:rtsp_port:_array_index:0 = 554qtss:server:rtsp_port:_array_index:1 = 80qtss:server:rtsp_port:_array_index:2 = 8000qtss:server:rtsp_port:_array_index:3 = 8001# Change the MP3 broadcast password:sudo serveradmin settingsqtss:modules:_array_id:QTSSMP3StreamingModule:mp3_broadcast_password = "$QTMP3_PASSWORD"## 
Create a broadcast user name and password on the streaming server.# ------------------------sudo serveradmin settings qtss:modules:_array_id:QTSSReflectorModule:allow_broadcasts = yes## Add a user account.# ------------------sudo qtpasswd $USER# Adding groups:echo "$GROUP_NAME: $USER1 $USER2 $USER3" /Library/QuickTimeStreaming/Config/qtgroups#AppendixCScripts 443# Change a user password.# -----------------------sudo qtpasswd $USER# View the QTSS log:sudo tail /Library/QuickTimeStreaming/Logs/$LOG_FILE# ---------------------------------------------------------------------# Xgrid Service# ---------------------------------------------------------------------## Disable Xgrid service.# Configure an Xgrid agent on the server:sudo /usr/sbin/xgridctl agent stop# Configure an Xgrid agent on the server.# Configure an Xgrid controller.sudo serveradmin settings xgrid:ControllerSettings:Enabled = yessudo serveradmin settings xgrid:ControllerSettings:prefs:ClientAuthentication = Passwordsudo serveradmin settings xgrid:ControllerSettings:ClientPassword = $XGRID_CLIENT_PASS# ---------------------------------------------------------------------# Maintaining System Integrity# ---------------------------------------------------------------------# Validate application bundle integrity.sudo codesign -v $code_path# Verify a requirement.sudo codesign -v -R="identifier com.apple.Mail and anchor apple" /Applications/Mail.app# Install the common criteria tools software.sudo installer -pkg CommonCriteriaTools.pkg -target /# Enable auditing.sudo cp /etc/hostconfig /tmp/testif /usr/bin/grep AUDIT /etc/hostconfigthensudo /usr/bin/sed "/^AUDIT.*/s//AUDIT=-YES-/g" /tmp/test > /etc/hostconfigelse/bin/echo AUDIT=-YES- >> /etc/hostconfigfi# View logs in Server Admin.# Use tail or more to view the log files.444 AppendixCScripts# The audit files are individually named based on the date.sudo /usr/bin/tail $AUDIT_FILE 
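The mail and file-service commands above each set one key, but they give no way to confirm afterwards that a server actually holds the hardened values. The following is an added example, not part of Apple's guide, that reads a "serveradmin settings" dump in the same "key = value" form the appendix uses and reports every key whose value deviates from an expected list. The sample dump is constructed here to represent an unhardened mail service; the function names (sample_mail_settings, setting_value, audit_settings, run_mail_audit) are this example's own, and the same audit_settings function works unchanged for the afp:, ftp: and smb: keys set in the file-services section.

```shell
#!/bin/sh
# Added example, not from Apple's guide. Audits a "serveradmin settings"
# style dump ("key = value" per line) against expected hardened values.

# Constructed sample standing in for the output of
# "sudo serveradmin settings mail" on a server that has NOT been hardened
# (not captured from a real host).
sample_mail_settings() {
  cat <<'EOF'
mail:imap:enable_imap = yes
mail:imap:enable_pop = yes
mail:imap:pop_auth_clear = yes
mail:imap:pop_auth_apop = no
mail:imap:imap_auth_plain = yes
mail:imap:imap_auth_cram_md5 = no
mail:imap:tls_server_options = "none"
mail:postfix:smtpd_use_tls = "no"
mail:postfix:mynetworks_enabled = no
mail:postfix:spam_ok_languages = "en fr de"
EOF
}

# Print the value of one key from a dump read on stdin, with surrounding
# quotes removed. Returns 1 (and prints nothing) when the key is absent.
# $1 = key
setting_value() {
  awk -v k="$1" -F' = ' '
    $1 == k { v = $2; gsub(/"/, "", v); print v; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Check a dump file against "key=value" expectations. Prints one DEVIATION
# line per mismatch and returns the number of mismatches (0 = compliant).
# $1 = dump file, remaining args = expectations
audit_settings() {
  file=$1; shift
  bad=0
  for exp in "$@"; do
    key=${exp%%=*}
    want=${exp#*=}
    have=$(setting_value "$key" < "$file") || have='<unset>'
    if [ "$have" != "$want" ]; then
      echo "DEVIATION: $key is $have, expected $want"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Apply the checks that correspond to the appendix's mail hardening
# commands to the constructed sample; returns the deviation count.
run_mail_audit() {
  tmp=$(mktemp) || return 1
  sample_mail_settings > "$tmp"
  audit_settings "$tmp" \
    mail:imap:pop_auth_clear=no \
    mail:imap:imap_auth_plain=no \
    mail:imap:tls_server_options=use \
    mail:postfix:smtpd_use_tls=yes \
    mail:postfix:mynetworks_enabled=yes \
    "mail:postfix:spam_ok_languages=en fr de"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# On the sample this reports five deviations (cleartext POP auth, PLAIN
# IMAP auth, no TLS on IMAP/POP, no TLS on SMTP, unrestricted relay).
run_mail_audit || echo "$? deviation(s) found"
```

On a real server the dump would come from "sudo serveradmin settings mail > dump.txt" (run as an administrator) and the expectation list from the hardening commands the site actually applied; a non-zero return is the signal to re-run those commands and re-check.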
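The pwpolicy command in the directory-services section sets the global password policy in one string, and it is easy to drop a term when that string is copied between servers. The following added example, which is not part of Apple's guide, parses a policy string in the same "key=value flag" form pwpolicy -setglobalpolicy takes and reports every term that falls short of the values the appendix sets (minChars, usingHistory, maxFailedLoginAttempts, requiresAlpha, requiresNumeric). The function names policy_value and check_password_policy and the APPENDIX_POLICY constant are this example's own; the baseline thresholds are simply the appendix's values, not Apple's recommendation beyond that.

```shell
#!/bin/sh
# Added example, not from Apple's guide. Checks a pwpolicy global policy
# string against the values the appendix's -setglobalpolicy command uses.

# Print the value of one policy key, or "1" for a bare flag such as
# requiresAlpha; return 1 when the key is not present at all.
# $1 = policy string, $2 = key
policy_value() {
  for tok in $1; do
    case $tok in
      "$2"=*) echo "${tok#*=}"; return 0 ;;
      "$2")   echo 1; return 0 ;;
    esac
  done
  return 1
}

# Print one line per baseline violation and return the violation count
# (0 = the policy meets the baseline). Missing numeric terms count as 0,
# which is what an unset pwpolicy term effectively means.
# $1 = policy string
check_password_policy() {
  pol=$1
  fails=0
  v=$(policy_value "$pol" minChars) || v=0
  [ "$v" -ge 12 ] || { echo "minChars=$v (baseline >= 12)"; fails=$((fails + 1)); }
  v=$(policy_value "$pol" usingHistory) || v=0
  [ "$v" -ge 3 ] || { echo "usingHistory=$v (baseline >= 3)"; fails=$((fails + 1)); }
  v=$(policy_value "$pol" maxFailedLoginAttempts) || v=0
  # 0 means no lockout at all, so it is a violation even though it is "<= 3".
  { [ "$v" -gt 0 ] && [ "$v" -le 3 ]; } || {
    echo "maxFailedLoginAttempts=$v (baseline 1..3; 0 disables lockout)"
    fails=$((fails + 1))
  }
  for flag in requiresAlpha requiresNumeric; do
    policy_value "$pol" "$flag" >/dev/null || { echo "$flag not set"; fails=$((fails + 1)); }
  done
  return $fails
}

# The appendix's own policy string, kept as a constant for the demonstration.
APPENDIX_POLICY="usingHistory=3 requiresAlpha requiresNumeric maxMinutesUntilChangePassword=131487 minChars=12 maxFailedLoginAttempts=3"

check_password_policy "$APPENDIX_POLICY" && echo "policy meets baseline"
```

To check a live server the string would come from "sudo pwpolicy -a $ADMIN_USER -getglobalpolicy", whose output uses the same term syntax.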
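The audit-enabling snippet at the end of the appendix has two cases (an AUDIT line already present, or none) and a redirection that must run with root privilege. The following is an added example, not Apple's code, that wraps the same logic in a function operating on a file path so it can be exercised on a scratch copy before being pointed at /etc/hostconfig, and that stays idempotent when run twice. The function names enable_audit_flag, audit_enabled and sample_hostconfig are this example's own, and the hostconfig contents are a constructed sample.

```shell
#!/bin/sh
# Added example, not from Apple's guide. Sets AUDIT=-YES- in a
# hostconfig-style file, rewriting an existing AUDIT line or appending
# one, and leaves the file unchanged on a second run.
# $1 = path to the file (run as root, or via sudo, for /etc/hostconfig)
enable_audit_flag() {
  cfg=$1
  tmp=$(mktemp) || return 1
  if grep -q '^AUDIT=' "$cfg" 2>/dev/null; then
    # An AUDIT line exists: rewrite it whatever its current value.
    sed 's/^AUDIT=.*/AUDIT=-YES-/' "$cfg" > "$tmp"
  else
    # No AUDIT line: keep the existing content and append the flag.
    [ -f "$cfg" ] && cat "$cfg" > "$tmp"
    echo 'AUDIT=-YES-' >> "$tmp"
  fi
  cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Return 0 when the file enables auditing, 1 otherwise.
# $1 = path to the file
audit_enabled() {
  grep -q '^AUDIT=-YES-$' "$1"
}

# Constructed sample hostconfig (not copied from a real system): auditing
# is explicitly off, which is the "existing line" case.
sample_hostconfig() {
  cat <<'EOF'
# hostconfig (constructed sample)
AFPSERVER=-NO-
AUDIT=-NO-
TIMESYNC=-YES-
EOF
}

# Demonstration on a scratch copy rather than on /etc/hostconfig.
scratch=$(mktemp)
sample_hostconfig > "$scratch"
enable_audit_flag "$scratch"
audit_enabled "$scratch" && echo "auditing enabled in $scratch"
rm -f "$scratch"
```

Because the rewrite goes through a temporary file and is copied back with cat, the target keeps its original ownership and mode, which matters for a file under /etc that the startup scripts read.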
fficeProtocol.SeePOPPPTP(Point-to-PointTunnelingProtocol)192,194praudittool374375preferencesaccounts99101appearance102103Bluetoothwireless103104,117CDs105,298299DVDs105fax120122login295298overview9495screensaver109110speechrecognition129time107108,182Seealsomanagedpreferencespresets319primaryzone,DNS205Print&Faxpreferences120122printserviceaccesscontrol307,338security337privatekey164,165privatekeycryptography276privileges,administrator361Seealsopermissionsproblems.Seetroubleshootingprofanity,hiding303Index 453profiling,DNSservice206protocolsEAP334fileservices257HTTP276LDAP196networkservice40POP236,250,253RTP345RTSP345TCP216VPN192,193,194,196Seealsospecificprotocolsproxyserversettings301302,346publickeycertificates189publickeycertificates.Seecertificatespublickeycryptography276,368369publickeyinfrastructure.SeePKIpwpolicycommand86Qqtaccessfile350qtgroupsfile350qtpasswdtool349QTSS.SeeQuickTimeStreamingServerqtusersfile350Quarantine32queues,printcreating340logs342QuickTimeStreamingServer(QTSS)344353quotas,diskspace321RRADIUS(RemoteAuthenticationDial-InUserService)introduction333read/writediskimages155ReallySimpleSyndication.SeeRSSrealms.SeeKerberos;WebDAV;websites,accessingrecentitemslist102103recursion,DNS203204,207relays,accesscontrol349RemoteAppleEvents181RemoteAuthenticationDial-InUserService(RADIUS).SeeRADIUSRemoteLogin185186remoteserverslogin178systemlogging378removablemediaFileVaultlimitations151,155installationfrom40preferences298299removablemedia,accessing299rightsdictionary363365rightspecifications363365rootpermissions63,7980RSASecurIDs196197RTP(Real-TimeTransportProtocol)345RTSP(Real-TimeStreamingProtocol)345rules365SSACLs(serviceaccesscontrollists)183,228,259,261,338,381sandboxing31scptool185screeningvirus251Seealsofiltersscreensaverpreferences109110,122searchingSpotlight273searchingpreferences130132SecureEmptyTrashcommand160securenotes88SecureShell.SeeSSHSecureSocketsLayer.SeeSSLSecureTransport27SecurID196197Securing210securityACLs338authentication223bestp
ractices254certificates327DNS205,206firewall245firewalls345,347Firewallservice40IPSec192,193LDAP327,331,380NetBootservice312network256overview234passwords235237,348,351printservice339QTSS345,347serverpolicysettings331servicelevel183SSL226228,234239,276,327tools222,224VPN192websites276,278wiki229Seealsoaccess;authentication;permissionssecurityarchitectureoverview2528security-modeenvironmentvariable64security-passwordenvironmentvariable64Securitypreferences122454 IndexSecuritypreferencesIndex 455tasks354TCP(TransmissionControlProtocol)213,216,345The30third-partyapplications115ticket-basedauthentication83timelimitsoncomputeruse306TimeMachine3031,134,161timesettings107108timesynchronization176,177timezonesettings182TLS(TransportLayerSecurity)protocoltokens,digital86TransmissionControlProtocol(TCP)213TransportLayerSecurityprotocol.SeeTLStransportservices27troubleshootingnetworkviews323QTSS353trustedbinding,policies330UUDP(UserDatagramProtocol)345,347UIDs(userIDs)73,284UniversalAccessoverview309preferences309310UniversalAccesspreferences136UNIX289UNIXandsecurity25updatingsoftware126,308updatingsoftware4549USBstoragedevices,disabling60useraccountsadministrator319group321322,352indirectorydomains319mobile299301overview7181passwords351security71settings75Seealsousersuser filenamekeyword350userID.SeeUIDusernamekeyword350usersaccesscontrol3033,7175,190,274,348,349,351auditing376authentication324325,326,380,385387,388automaticactionscontrol105andblogservice280categories254certificates165FastUserSwitching297homefolders82,150153,267,299identities284keychainmanagement91mobile82,192passwords320permissions141,274,278,320322preferencescontrol115root63unregistered255wirelessaccess333Seealsoclients;computerlists;preferences;useraccounts;WorkgroupManagerVvalidation,systemintegrity368370valid-user 
tag351videorecordingdevices,disabling58viewsettings323virtualmemory137138VirtualPrivateNetwork.SeeVPNvirusscreening241249,250,251,253visudotool361volumeserasing44erasingdata158securing38startup41VPN(VirtualPrivateNetwork)authentication192clients34introduction191197L2TPsettings34,193andLDAP196PPTPsettings194security192WWAN(wideareanetwork)191Web271WebDAV(Web-BasedDistributedAuthoringandVersioning)authentication275configuration279enabling273permissions274realmdefinitions274starting273weblogservice280281webmodules273webservice272278websitesaccesscontrol274accessing302304folders274456 Indexsecurity229,276wideareanetwork.SeeWANwidgetsinDashboard285,287wikis229Windowsdomainpasswords386Windowsservices263264,340wirelesspreferences103104workflows231WorkgroupManageraccesscontrol32accounts319322ACLpermissions240authentication349directorydomains318groupaccountmanagement321322overview318319SeealsomanagedpreferencesworkgrouppreferencesSeeWorkgroupManagerWorldpermissionlevel254XXgrid354360Zzones,DNSsecurity205zonetransfer,DNS203Security ConfigurationContentsAbout This GuideAudienceWhats in This GuideUsing This GuideUsing Onscreen HelpSnowLeopardServer Administration GuidesViewing PDF Guides on ScreenPrinting PDF GuidesGetting Documentation UpdatesGetting Additional InformationAcknowledgmentsIntroduction to SnowLeopardServer Security ArchitectureSecurity Architectural OverviewUNIX InfrastructureAccess PermissionsSecurity FrameworkLayered Security DefenseNetwork SecurityCredential ManagementPublic Key Infrastructure (PKI)Whats New in SnowLeopardServer SecurityExisting Security Features in SnowLeopardServerSigned ApplicationsMandatory Access ControlsSandboxingManaged User AccountsEnhanced QuarantiningMemory and Runtime ProtectionSecuring Sharing and Collaborative ServicesService Access Control ListsVPN Compatibility and IntegrationImproved CryptographyExtended Validation CertificatesWildcard in Identity PreferencesEnhanced Command-Line ToolsFileVault and Encrypted StorageEncrypted 
Disk Image CryptographySmart Card Support for Unlocking Encrypted StorageEnhanced Safari 4.0 SecurityInstalling SnowLeopardServerInstallation OverviewPreparing an Administrator ComputerSetting Up Network InfrastructureStarting Up for InstallationStarting Up from the Install DVDStarting Up from an Alternate PartitionStarting Up from a NetBoot EnvironmentRemote Access During InstallationServer Admin During InstallationSSH During InstallationVNC During InstallationAbout Default Installation PasswordsPreparing Disks for Installing SnowLeopardServerSecurely Erasing a Disk for InstallationInstalling Server SoftwareEnabling the FirewallApplying Software and Security UpdatesUpdating from an Internal Software Update ServerUpdating from Internet Software Update ServersUpdating Manually from Installer PackagesVerifying the Integrity of SoftwareSetting Up Services and UsersAbout Settings Established During Server SetupEnabling the Firmware PasswordSecuring System HardwareProtecting HardwarePreventing Wireless EavesdroppingUnderstanding Wireless Security ChallengesAbout OS ComponentsRemoving Wi-Fi Support SoftwareRemoving Bluetooth Support SoftwareRemoving IR Support SoftwarePreventing Unauthorized RecordingRemoving Audio Support SoftwareRemoving Video Recording Support SoftwarePreventing Data Port AccessRemoving USB Support SoftwareRemoving FireWire Support SoftwareSystem Hardware ModificationsSecuring Global System SettingsSecuring System StartupUsing the Firmware Password UtilityUsing Command-Line Tools for Secure StartupConfiguring Access WarningsEnabling Access Warnings for the Login WindowUnderstanding the AuthPlugin ArchitectureThe BannerSample ProjectEnabling Access Warnings for the Command LineTurning On File ExtensionsSecuring Local Server AccountsTypes of User AccountsGuidelines for Creating AccountsDefining User IDsSecuring the Guest AccountSecuring Nonadministrator AccountsSecuring External AccountsProtecting Data on External VolumesSecuring Directory-Based 
AccountsAvoiding Simultaneous Local Account AccessSecuring Administrator AccountsAbout Tiered Administration PermissionsDefining Administrative PermissionsAvoiding Shared Administrator AccountsSecuring the Directory Domain Administrator AccountChanging Special Authorizations for System FunctionsSecuring the System Administrator AccountRestricting sudo UsageUnderstanding Directory DomainsUnderstanding Network Services, Authentication, and ContactsConfiguring LDAPv3 AccessConfiguring Active Directory AccessUsing Strong AuthenticationUsing Password Assistant to Generate or Analyze PasswordsUsing KerberosUsing Smart CardsUsing TokensUsing BiometricsSetting Global Password PoliciesStoring Credentials in KeychainsUsing the Default User KeychainCreating Additional KeychainsSecuring Keychains and Their ItemsUsing Smart Cards as KeychainsUsing Portable and Network KeychainsSecuring System PreferencesSystem Preferences OverviewSecuring MobileMe PreferencesSecuring Accounts PreferencesSecuring Appearance PreferencesSecuring Bluetooth PreferencesSecuring CDs & DVDs PreferencesSecuring Date & Time PreferencesSecuring Desktop & Screen Saver PreferencesSecuring Display PreferencesSecuring Dock PreferencesSecuring Energy Saver PreferencesSecuring Expos & Spaces PreferencesSecuring Language & Text PreferencesSecuring Keyboard PreferencesSecuring Mouse PreferencesSecuring Bluetooth SettingsRestricting Access to Specified UsersSecuring Network PreferencesDisabling Unused Hardware DevicesSecuring Print & Fax PreferencesSecuring Security PreferencesGeneral SecurityFileVault SecuritySecuring Sharing PreferencesSecuring Software Update PreferencesSecuring Sound PreferencesSecuring Speech PreferencesSecuring Spotlight PreferencesSecuring Startup Disk PreferencesSecuring Time Machine PreferencesSecuring Universal Access PreferencesSecuring System Swap and Hibernation StorageSystem Swap File OverviewEncrypting System SwapSecuring Data and Using EncryptionAbout Transport EncryptionAbout 
Payload EncryptionAbout File and Folder PermissionsSetting POSIX PermissionsViewing POSIX PermissionsInterpreting POSIX PermissionsModifying POSIX PermissionsSetting File and Folder FlagsViewing FlagsModifying FlagsSetting ACL PermissionsEnabling ACL PermissionsModifying ACL PermissionsChanging Global Umask for Stricter Default PermissionsRestricting Setuid ProgramsSecuring User Home FoldersEncrypting Home FoldersOverview of FileVaultManaging FileVaultManaging the FileVault Master KeychainEncrypting Portable FilesCreating an Encrypted Disk ImageCreating an Encrypted Disk Image from Existing DataCreating Encrypted PDFsSecurely Erasing DataConfiguring Finder to Always Securely EraseUsing Disk Utility to Securely Erase a Disk or PartitionUsing Command-Line Tools to Securely Erase FilesUsing Secure Empty TrashUsing Disk Utility to Securely Erase Free SpaceUsing Command-Line Tools to Securely Erase Free SpaceDeleting Permanently from Time Machine BackupsManaging CertificatesUnderstanding Public Key InfrastructurePublic and Private KeysCertificatesAbout Certificate Authorities (CAs)About IdentitiesSelf-Signed CertificatesAbout Intermediate TrustCertificate Manager in Server AdminReadying CertificatesCreating a Self-Signed CertificateStoring the Private KeyRequesting a Certificate from a CACreating a CAImporting a Certificate IdentityManaging CertificatesEditing a CertificateDistributing a CA Public Certificate to ClientsDeleting a CertificateRenewing an Expiring CertificateReplacing an Existing CertificateSetting General Protocols and Access to ServicesSetting General ProtocolsDisabling NTP ServiceDisabling SNMPEnabling SSHAbout Remote Management (ARD)Remote Management Best PracticesLimiting Remote Management AccessDisabling Remote Management AccessRemote Apple Events (RAE)Restricting Access to Specific UsersSetting the Servers Host NameSetting the Date and TimeSetting Up CertificatesSetting Service Access Control Lists (SACLs)Securing Remote Access ServicesSecuring 
Remote SSH LoginConfiguring SSHModifying the SSH Configuration FileGenerating Key Pairs for Key-Based SSH ConnectionsUpdating SSH Key FingerprintsControlling Access to SSHSSH Man-in-the-Middle AttacksTransferring Files Using SFTPSecuring VPN ServiceVPN and SecurityConfiguring L2TP/IPSec SettingsConfiguring PPTP SettingsVPN Authentication MethodUsing VPN Service with Users in a Third-Party LDAP DomainOffering SecurID Authentication with VPN ServiceEncrypting Observe and Control Network DataEncrypting Network Data During File Copy and Package InstallationsSecuring Network Infrastructure ServicesUsing IPv6 ProtocolIPv6-Enabled ServicesSecuring DHCP ServiceDisabling Unnecessary DHCP ServicesConfiguring DHCP ServicesAssigning Static IP Addresses Using DHCPSecuring DNS ServiceUnderstanding BINDTurning Off Zone TransfersDisabling RecursionPreventing Some DNS AttacksSecuring NAT ServiceConfiguring Port ForwardingDisabling NAT Port Mapping ProtocolSecuring Bonjour (mDNS)Configuring the FirewallAbout Firewall ProtectionPlanning Firewall SetupConfiguring the Firewall Using Server AdminStarting Firewall ServiceCreating an IP Address GroupCreating Firewall Service RulesCreating Advanced Firewall RulesEnabling Stealth ModeViewing the Firewall Service LogConfiguring the Firewall ManuallyUnderstanding IPFW RulesetsSecuring Collaboration ServicesSecuring iCal ServiceDisabling iCal ServiceSecurely Configuring iCal ServiceViewing iCal Service LogsSecuring iChat ServiceDisabling iChat ServiceSecurely Configuring iChat ServiceViewing iChat Service LogsSecuring Wiki ServiceDisabling Wiki ServiceSecurely Configuring Wiki ServicesViewing Wiki Service LogsSecuring Podcast Producer ServiceDisabling Podcast Producer ServiceSecurely Configuring Podcast Producer ServiceViewing Podcast Producer Service LogsSecuring Mail ServiceDisabling Mail ServiceConfiguring Mail Service for SSLEnabling Secure Mail Transport with SSLEnabling Secure POP AuthenticationConfiguring SSL Transport for POP 
ConnectionsEnabling Secure IMAP AuthenticationConfiguring SSL Transport for IMAP ConnectionsEnabling Secure SMTP AuthenticationConfiguring SSL Transport for SMTP ConnectionsUsing ACLs for Mail Service AccessLimiting Junk Mail and VirusesConnection ControlFiltering SMTP ConnectionsMail ScreeningViewing Mail Service LogsSecuring Antivirus ServicesSecurely Configuring and Managing Antivirus ServicesEnabling Virus ScanningManaging ClamAV with ClamXavViewing Antivirus Services LogsSecuring File Services and SharepointsSecurity ConsiderationsRestricting Access to File ServicesRestricting Access to EveryoneRestricting Access to NFS Share PointsRestricting Guest AccessRestricting File PermissionsProtocol Security ComparisonDisabling File Sharing ServicesChoosing a File Sharing ProtocolConfiguring AFP File Sharing ServiceConfiguring FTP File Sharing ServiceConfiguring NFS File Sharing ServiceConfiguring SMB File Sharing ServiceConfiguring Share PointsDisabling Share PointsRestricting Access to a Share PointAFP Share PointsSMB Share PointsFTP Share PointsNFS Share PointsSecuring Web ServiceDisabling Web ServiceManaging Web ModulesDisabling Web OptionsUsing Realms to Control AccessEnabling Secure Sockets Layer (SSL)Using a Passphrase with SSL CertificatesViewing Web Service LogsSecuring WebDAVSecuring Blog ServicesDisabling Blog ServicesSecurely Configuring Blog ServicesSecuring TomcatSecuring MySQLDisabling MySQL ServiceSetting Up MySQL ServiceViewing MySQL Service and Admin LogsSecuring Client Configuration Management ServicesManaging Applications PreferencesControlling User Access to Applications and FoldersAllowing Specific Dashboard WidgetsDisabling Front RowAllowing Legacy Users to Open Applications and FoldersManaging Dock PreferencesManaging Energy Saver PreferencesManaging Finder PreferencesManaging Login PreferencesManaging Media Access PreferencesManaging Mobility PreferencesManaging Network PreferencesManaging Parental Controls PreferencesHiding Profanity in 
DictionaryPreventing Access to Adult WebsitesAllowing Access Only to Specific WebsitesSetting Time Limits and Curfews on Computer UsageManaging Printing PreferencesManaging Software Update PreferencesManaging Access to System PreferencesManaging Universal Access PreferencesEnforcing PolicySecuring NetBoot ServiceSecuring NetBoot ServiceDisabling NetBoot ServiceLimit NetBoot Service ClientsViewing NetBoot Service LogsSecuring Software Update ServiceDisabling Software Update ServiceLimiting Automatic Update AvailabilityViewing Software Update Service LogsSecuring Network AccountsAbout Open Directory and Active DirectorySecuring Directory AccountsConfiguring Directory User AccountsConfiguring Group AccountsConfiguring Computer GroupsControlling Network ViewsSecuring Directory ServicesOpen Directory Server RolesConfiguring the Open Directory Services RoleStarting Kerberos After Setting Up an Open Directory MasterConfiguring Open Directory for SSLConfiguring Open Directory PoliciesSetting the Global Password PolicySetting a Binding Policy for an Open Directory Master and ReplicasSetting a Security Policy for an Open Directory Master and ReplicasSecuring RADIUSDisabling RADIUSSecurely Configuring RADIUS ServiceConfiguring RADIUS to Use CertificatesEditing RADIUS AccessViewing RADIUS Service LogsSecuring Print ServiceDisabling Print ServiceSecuring Print ServiceConfiguring Print Service Access Control Lists (SACLs)Configuring KerberosConfiguring Print QueuesViewing Print Service and Queue LogsSecuring Multimedia ServicesDisabling QTSSSecurely Configuring QTSSConfiguring a Streaming ServerServing Streams Through Firewalls Using Port 80Streaming Through Firewalls or Networks with Address TranslationChanging the Password Required to Send an MP3 BroadcastStreamUsing Automatic Unicast (Announce) with QTSS on a SeparateComputerControlling Access to Streamed MediaViewing QTSS LogsSecuring Grid and Cluster Computing ServicesUnderstanding Xgrid ServiceDisabling Xgrid ServiceAbout 
Authentication Methods for XgridSingle Sign-OnPassword-Based AuthenticationNo AuthenticationSecurely Configuring Xgrid ServiceDisabling the Xgrid AgentLimiting the Xgrid AgentConfiguring an Xgrid ControllerManaging Who Can Obtain Administrative Privileges (sudo)Managing the sudoers FileManaging Authorization Through RightsUnderstanding the Policy DatabaseThe Rights DictionaryRulesManaging Authorization RightsCreating an Authorization RightModifying an Authorization RightExample Authorization RestrictionsMaintaining System IntegrityUsing Digital Signatures to Validate Applications and ProcessesValidating Application Bundle IntegrityValidating Running ProcessesAuditing System ActivityInstalling Auditing ToolsEnabling AuditingSetting Audit MechanismsUsing Auditing ToolsUsing the audit ToolUsing the auditreduce ToolUsing the praudit ToolDeleting Audit RecordsAudit Control FilesManaging and Analyzing Audit Log FilesUsing Activity Analysis ToolsValidating System LoggingConfiguring syslogdLocal System LoggingRemote System LoggingViewing Logs in Server AdminUnderstanding Passwords and AuthenticationPassword TypesAuthentication and AuthorizationOpen Directory PasswordsShadow PasswordsCrypt PasswordsOffline Attacks on PasswordsPassword GuidelinesCreating Complex PasswordsUsing an Algorithm to Create a Complex PasswordSafely Storing Your PasswordPassword MaintenanceAuthentication ServicesDetermining Which Authentication Option to UsePassword PoliciesSingle Sign-On AuthenticationKerberos AuthenticationSmart Card AuthenticationSecurity ChecklistInstallation Action ItemsHardware and Core SnowLeopardServer Action ItemsGlobal Settings for SnowLeopardServer Action ItemsAccount Configuration Action ItemsSystem Software Action ItemsMobileMe Preferences Action ItemsAccounts Preferences Action ItemsAppearance Preferences Action ItemsBluetooth Preferences Action ItemsCDs & DVDs Preferences Actions ItemsExpos & Spaces Preferences Action ItemsDate & Time Preferences Action ItemsDesktop & 
Screen Saver Preferences Action ItemsDisplay Preferences Action ItemsDock Preferences Action ItemsEnergy Saver Preferences Action ItemsKeyboard and Mouse Preferences Action ItemsNetwork Preferences Action ItemsPrint & Fax Preferences Action ItemsQuickTime Preferences Action ItemsSecurity Preferences Action ItemsSharing Preferences Action ItemsSoftware Update Preferences Action ItemsSound Preferences Action ItemsSpeech Preferences Action ItemsSpotlight Preferences Action ItemsStartup Disk Preferences Action ItemsTime Machine Preferences Action ItemsData Maintenance and Encryption Action ItemsAccount Policies Action ItemsShare Points Action ItemsAccount Configuration Action ItemsApplications Preferences Action ItemsDock Preferences Action ItemsEnergy Saver Preferences Action ItemsFinder Preferences Action ItemsLogin Preferences Action ItemsMedia Access Preferences Action ItemsMobility Preferences Action ItemsNetwork Preferences Action ItemsPrinting Preferences Action ItemsSoftware Update Preferences Action ItemsAccess to System Preferences Action ItemsUniversal Access Preferences Action ItemsCertificates Action ItemsGeneral Protocols and Service Access Action ItemsRemote Access Services Action ItemsNetwork and Host Access Services Action ItemsIPv6 Protocol Action ItemsDHCP Service Action ItemsDNS Service Action ItemsFirewall Service Action ItemsNAT Service Action ItemsBonjour Service Action ItemsCollaboration Services Action ItemsMail Service Action ItemsFile Services Action ItemsAFP File Sharing Service Action ItemsFTP File Sharing Service Action ItemsNFS File Sharing Service Action ItemsSMB Action ItemsWeb Service Action ItemsClient Configuration Management Services Action ItemsDirectory Services Action ItemsPrint Service Action ItemsMultimedia Services Action ItemsGrid and Cluster Computing Services Action ItemsValidating System Integrity Action ItemsScriptsIndex