5 Easy to Follow Tips to Enhance Your Mac’s Security

PWN to OWN. This is the name of the contest that made most Mac users worldwide seriously think about reading a security book or two to learn about securing their Macs ASAP. During the aforementioned contest a Mac running OS X Leopard was the first to give in to the intrusion attempts. It may not have been the brightest day in Apple’s history but it surely was the one when every Mac owner out there gave a second thought to the “Macs are the most secure” theory.

So, if Macs aren’t as secure as we have previously thought (I did too and even bet on the Vista computer that it would be the first to be compromised), what can we do to defend ourselves against attacks? One way would be to fire up the old integrated Mac OS X firewall and configure it to accept only incoming connections from IP addresses we know.

Although this is a good thing to do, the integrated firewall doesn’t do as good of a job as Apple would want us to believe. If you are not a very experienced user you’ll probably end up just enabling the damn thing and what protection do you think you’ll get? I’ll tell you: not very much because the machine that got “owned” at the PWN to OWN contest had the default settings and it went down pretty fast.

I know, this really is kind of hilarious, but hey, what else can you do? See, Apple really thinks about everything. It even allows you to stay online giving you a fake sense of security, kind of like walking through a black alley with a gun in your pocket (a gun filled with blanks).

So, this time for real, what can you actually do to protect the data on your Mac? To your surprise, and mine, the answer is given by the guys at Apple. Don’t know if you still remember but a while ago the company released a security configuration document for Leopard in which you can find a huge array of security tips that can help you protect your Mac more efficiently.

I have read the whole 240 pages and picked out the most important 5 tips – in my opinion – that you can use to be sure no one will ever be able to get access to your private data, or at least make their life a living hell while trying to breach into your system.

Tip 1 - Secure the network sharing services

The first and easiest way that comes to mind when dealing with securing your data is to prevent access to it from the outside. The easy way to do that would be to secure its network sharing services. How can this be done? Easy as pie: simply turn off the sharing services that you consider unnecessary and only leave running the ones that you really need.

Under this paragraph you will find the command-line commands you will have to enter to stop the following sharing services: DVD or CD sharing, screen sharing aka VNC, file sharing (trough FTP, SMB and AFP), web sharing (HTTP), remote login (SSH), remote management (ARD), Xgrid sharing, Internet sharing and Bluetooth sharing. Quite a handful if you ask me and as many opportunities for strangers to get their hands on your data.

The following commands are all available in the Leopard security configuration document published by Apple at the beginning of June 2008. To be able to use them you have to open a Terminal window, write each of them in the command-line and hit ENTER to run them. If possible use a copy/paste technique to be sure you don’t miss any characters because you will be the only one responsible in case you break your system.

## Disable DVD or CD Sharing.
service com.apple.ODSAgent stop
## Disable Screen Sharing.
srm /Library/Preferences/com.apple.ScreenSharing.launchd
## Disable FTP.
launctl unload -w /System/Library/LaunchDaemons/ftp.plist
## Disable SMB.
defaults delete /Library/Preferences/SystemConfiguration/
com.apple.smb.server EnabledServices
launctl unload -w /System/Library/LaunchDaemons/nmbd.plist
launctl unload -w /System/Library/LaunchDaemons/smbd.plist
## Disable AFP.
launctl unload -w /System/Library/LaunchDaemons/
com.apple.AppleFileServer.plist
## Disable Web Sharing service.
launctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
## Disable Remote Login.
service ssh stop
## Disable Remote Management.
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/
Resources/kickstart -deactivate -stop
## Disable Remote Apple Events.
launchctl unload -w /System/Library/LaunchDaemons/eppc.plist
## Disable Xgrid Sharing.
xgridctl controller stop
xgridctl agent stop
## Disable Internet Sharing.
defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -
dict Enabled -int 0
launctl unload -w /System/Library/LaunchDaemons/
com.apple.InternetSharing.plist
## Disable Bluetooth Sharing.
defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0

Tip 2 - Secure local access to your system

Once you have stopped the unnecessary sharing services it is time to secure local access to your system. The easiest way to do this is by managing the users that can get administrative privileges on your system. In the UNIX world, obtaining such privileges means that you are able to use the sudo command that will allow you to run any command you want as the one and only superuser aka root.

Why is it important to restrict access to this command? Because if an intruder gains access to your Mac and manages to get his/her hands on the root account (its hands if it’s some kind of super hacking robot) then he/she can do anything he/she wants on your system besides removing pieces of hardware out of the case (although they can be disabled if the intruder has the necessary skills).

To restrict access to the sudo command on certain accounts and only allow the trusted users to be able to run commands as superuser you will have to edit the /etc/sudoers file using the “sudo visudo” command (without the quotes). Next, remove the line that begins with %admin and, for each user that you want to be able to get superuser privileges, add “user ALL=(ALL) ALL” (where user is the user’s shortname). Now what remains to be done is to save and quit.

After editing the /etc/sudoers file this way you will have to repeat the same steps if you add other users to the system and want them to be able to use sudo.

Tip 3 - Encrypt your home folder

Now that you have secured the network and local access to your system and data, the time has come to further reinforce protection by encrypting your home folder. The easiest way to accomplish such a task is to use FileVault, an integrated OS X application that will help you encrypt a user’s home folder and files.

FileVault acts by moving everything you have in your home folder to a bundle disk image that can be encrypted using AES-256 encryption. The only downside to using it is that it will only act locally and will not protect and/or encrypt any data that you decide to move to a removable device or over the network.

Despite the fact that FileVault is not able to protect data outside your home folder, you can still have a bit of security enabled for the data that you temporarily store outside your home directory. When deleting such data you can make sure no one will ever get access to it by securely deleting it. Which brings us to the next tip.

Tip 4 - Securely erase data from your hard drive

I’ve mentioned above that you can securely erase data from your hard drive, which means that an ordinary deletion will not do the trick if you do not want later attempts of retrieving your data from your hard disk to be successful. When you delete something from the drive the system will not actually send it to oblivion. The only thing it actually does is remove the information related to that certain piece of data from the file system. In other words, it just causes itself a bad case of amnesia.

Albeit this will render all your attempts to recover the files using less advanced methods unsuccessful, there still are ways to retrieve it if you have the necessary software. Such a solution is called recovery software and it will be successful in its task if the hard disk space your data has been on has not been overwritten.

To make sure you will always securely erase your data from Finder go to Finder’s Preferences, click on the Advanced tab and there check the “Empty Trash securely” entry.

There are of course other ways to securely delete data on your Mac using the Disk Utility, the srm command-line command, securely emptying the Trash using Finder’s “Secure Empty Trash” option. To get a more detailed overview on how you can use them just download Apple’s document from HERE and head over to the “Securely Erasing Data” sub-chapter.

Tip 5 - Intrusion detection system

What do you call a secure system without an intrusion detection system? Well you can call it anything you want but one thing is certain: there is no system out there that can be considered 100% secure (except maybe the ones with no Internet connection but even those can be stolen).

In case of an intrusion you definitely want to know everything possible related to it. As Apple says, an intrusion detection system is the answer to this problem, because it will allow you to easily monitor everything that happens on your Mac and to examine the data that gets transferred through the network interfaces.

The exact same system will be the one that will automatically alert you in case of suspicious activity and, most of the time, it will also prevent malevolent actions before they are even performed.

The intrusion systems that you can use are of two kinds: network based and host based. From the first category I recommend you to install and use the free HenWen security application for OS X that will allow you to run and configure Snort, which will scan the network for undesirable traffic. The second category’s performer in my opinion is the also free Radmind Assistant, a solution that acts as a tripwire, being able to quickly detect and reverse changes to file system objects like folders, files, links, etc.

Share and Enjoy:

Tags:apple, Apple Events, bluetooth, document, file sharing, firewall, ftp, Internet, Library, Mac, Mac OS, Mac OS X, macs, os x firewall, os x leopard, Security, security book, security tips, SSH, Tip, X Leopard

Related posts

• 10 Steps to Safe Computing (1)
• 10 Computer Security Tips (1)
• Windows Vista: An FAQ for Nonprofits (0)
• Vista taking a nibble out of Apple in OS wars? (0)
• Seven tips for working securely from wireless hotspots (0)
• Safari 3 Public Beta (0)
• Leopard Flies Off the Shelf, But Glitches Reported (1)
• iPhone May Get Infected too (0)
• How to Secure is Your PC? (0)
• How to Move Web Applications to Your Desktop (0)
• Home Computer Networking Tips (1)
• Finding More Information On Google Search Results Page (0)
• Windows Vista and Mac OS X Share Security Threats (0)
• Windows Apps On Os X (1)
• what is google updater and why its running? (0)
• What can you learn from Apple? (1)
• Vista SP1 Solution Accelerator (1)
• Virtually Infallible Protection (1)
• Uninstalling Internet Explorer 8 (0)
• Tweak Vista with Some Usefull Rundll32 Commands For Windows vista (0)
• Troubleshoot Failed Installations of XP SP3 RTM Build 5512 (0)
• Top Security Software of 2007 (2)
• Top Free and Open Source Apps for Mac Users (0)
• Ten tips to increase your Windows security (3)
• Secret Crush to Crash Your Computer (2)

Written by Jason on August 6th, 2008 with no comments.
Read more articles on 1340 and 1354 and 1426 and 1429 and 1673 and 169 and 2065 and 2157 and 401 and 544 and Apple and Contributors and Firewall and Internet and Mac and Security and file sharing and mac os x and tip.

How to set permissions on a shared folder in Windows XP

By default, simple file sharing is enabled on a Microsoft Windows XP-based computer if the computer is not a member of a domain. With simple file sharing, you can share folders with everyone on your workgroup or network and make folders in your user profile private. However, if simple file sharing is enabled, you cannot prevent specific users and groups from accessing your shared folders. If you turn off simple file sharing, you can permit specific users and groups to access a shared folder. Those users must be logged on with the credentials of user accounts that you have granted access to your shared folder.

If simple file sharing is enabled, you see the simple file sharing user interface appears instead of the Security and Sharing tabs. By default, this new user interface is implemented in Windows XP Home Edition and in Microsoft Windows XP Professional if you are working in a workgroup. If you turn off simple file sharing, the classic Security and Sharing tabs appear, and you can specify which users and groups have access to shared folders on your computer.

Note To allow for specific users to access the share folder after the simple file sharing is disabled, you should configure both the NTFS permissions on the Security tab and the share permission on the Sharing tab of the share folder. NTFS permissions can only be set on a partition using NTFS file system. If you remove the Every Group from the NTFS permission, you cannot access the share folder over the network.

How to turn off simple file sharing

To disable simple file sharing, follow these steps:

1. Click Start, and then click My Computer.

2. On the Tools menu, click Folder Options, and then click the View tab.

3. In the Advanced Settings section, clear the Use simple file sharing (Recommended) check box.

4. Click OK.

How to share a folder or a drive with other users

To share a folder or a drive with other users, follow these steps:

1. Click Start, click My Computer, and then locate the folder or drive that you want to share.

2. Right-click the folder or drive, and then click Sharing and Security.

3. On the Sharing tab, click Share this folder.

4. To change the share name of the shared folder or drive, type a new name in the Share name box. Other users see the new name when they connect to this shared folder or drive. The actual name of the folder or drive does not change.

5. To add a comment about the shared folder or drive, type the text in the Comment box.

6. To limit the number of people who can connect to the shared folder or drive at the same time, click Allow under User limit, and then type the number of users.

7. To set share permissions on the shared folder or drive, click Permissions.

Note To share folders and drives, you must be logged on as a member of any one of the following groups:

• Administrators

• Server Operators

• Power Users

8. Click OK.

Tags:based computer, Computer, file sharing, folder, how to, Network, ntfs, ntfs permissions, permission, Security, Settings, shared folders, tools, Windows, windows xp, workgroup, XP-based

Related posts

• Enable Remote Desktop in Windows Vista (0)
• Windows XP SP3 RTM Multilingual User Interface (MUI) Pack (3)
• Windows Vista: An FAQ for Nonprofits (0)
• Windows Vista and Malware Immunity (0)
• What is WMPNSCFG.exe? and why it is running? in vista (1)
• See all Computers from your Workgroup without Windows Freezing (0)
• Optimize Windows Vista for better performance (0)
• My Recent Documents displayed in Windows XP (0)
• Make XP computers show up in Vista’s Network Map (3)
• How to Troubleshoot Hardware Problems with Device Manager (1)
• How do I know if a wireless network is secure? (0)
• Easily transfer apps from XP to Vista (0)
• Download Windows Firewall with Advanced Security (5)
• 6 Tips for Windows XP (0)
• 5 Tips For Upgrading To WPA2 Security (0)
• Windows XP Pro Gobbling Uu Your Bandwidth (0)
• Windows XP Infections Coming by Email (0)
• Windows SteadyState for Vista and XP (1)
• Windows Service Pack Blocker Tool Kit (1)
• Windows Malicious Software Removal Tool (0)
• Windows logs off automatically while login (0)
• Windows Easy Transfer Companion (1)
• Windows Automatically Restart (3)
• What is Windows Messenger Service? How to stop Windows Messenger Service? (3)
• Vista System Restore (0)

Written by Jason on July 9th, 2008 with no comments.
Read more articles on 1354 and 1426 and 1429 and 1673 and 169 and 2065 and 2157 and 401 and 544 and Contributors and Network and Security and Settings and Windows XP and computer and file sharing and folder and how to and ntfs and tools and windows.

Enabling Remote Desktop From XP to Vista

Control remotely over a network connection your Windows Vista or XP computer or the other way around. Get access to your Vista applications or data stored on a remote computer from your XP PC connected on your local network for example. Below is a quick video tutorial I created explaining how.



The steps are easy to follow, however if you prefer written instructions

1. On the Vista computer you want to connect to for example, click Start, right-click Computer, and then click Properties.

2. Make note of the Computer name if you do not know the IP address, then, under tasks, click Remote settings.

3. If all your computers are running Vista, click Allow connections only from computers running Remote Desktop with Network Level Authentication. If you have Windows XP that you want to use to connect to this computer, click Allow connections from computers running any version of Remote Desktop.

4. Click Select Users.

5. In the Select Users dialog, click the Add button. Type the name of the user you want to grant access to, and then click OK. Repeat this step to add more users.

6. Click OK twice.

Windows Vista will automatically open the necessary exception in Windows Firewall. Now, you are ready to use Remote Desktop to connect to the computer from another computer.

Watch PCWizKid's Video Tutorial

---

Other Tips Users have watched

• Speed up your Windows Search
• Free Up windows resources which are slowing you down
• Customize Windows Send To (right click menu items)
• How to Change to Owner Name in Windows
• Customize your Windows Explorer View
• Disable User Account Control Popups
• Top 10 Free Downloads to improve and tweak your Windows Vista
• Boot Up Windows Faster
• Windows Vista PowerToys - Tweaks from Microsoft TechNet
  

Written by PCWizKid on February 8th, 2008 with comments disabled.
Read more articles on Microsoft Windows Vista and file sharing and network sharing and rdp and remote desktop connection and tutorial and windows xp vista powertoys tweakui tweak service pack 3.

Moving Files from Windows to Mac

When you make the switch from a Windows box to a Mac, you are going to need to copy all of your data files over to the Mac. The quickest way to do that is over a network. Yes, you can use “old school” media such as CDs, DVDs or USB thumb drives, but this is very tedious and will take forever. Networking the Windows and Mac machines is actually not very hard. It is not quite as straightforward as networking two Windows machines together, but if I can manage to do it on my second day using OS X, it can’t be too hard. (more…)

basic networking, file sharing, folders, ip address, Mac, mac machines, mac os x, move files, networking windows, share files, share name, system preferences, Windows, windows machine

Written by Jason on November 27th, 2007 with comments disabled.
Read more articles on Mac and basic networking and file sharing and folders and ip address and mac machines and mac os x and move files and networking windows and share files and share name and system preferences and windows and windows machine.