Top tips for Mac OS X security - Part 1

Filed Under: Apple, Data loss, OS X, Privacy

This article is the first part of a three-part series on Mac OS X security tips. In part two I discuss user profile security, and in part three I will cover system security.

I am certainly not the first person to write an article like this, and to be honest, I surely won't be the last. So why am I bothering to write this down? Well 'repetitio est mater studiorum'...

Physical security

1. Disable automatic login

Most Mac users only have one account on their systems, so having the system log in automatically for them makes perfect sense. Doesn't it?

NO!

Think about it: if anyone gets hold of your precious Mac, all they'd have to do is switch it on, and within seconds they can be rifling through all your documents and dirty secrets.

Turning off automatic login is a simple yet effective way of adding a small amount of security to your system. To turn off automatic login, open System Preferences and go to Accounts. Find the option called "Login Options", choose this and set automatic login to off.

2. Set a firmware password

An easy way to bypass security measures on any machine is to boot the system from other media (a Live CD, for example). In the case of OS X, booting from an OS X Installation disk allows you to make changes such as resetting the administrator password or modifying partitions and disks.

By setting a firmware password you help to prevent attackers from:

  • Booting a Live CD
  • Running any applications from an OS X Installation disk
  • Booting the machine into Target Disk mode and accessing data without logging in

Rather than trying to cover all the ins and outs of setting a firmware password I'll point you to the Apple support article on the subject: http://support.apple.com/kb/ht1352.

3. Encryption is a good idea

Encrypting all of your personal and private files means that if your computer is stolen it becomes far, far harder for anyone to access your data.

Apple provides a feature called FileVault that encrypts your entire home directory. It will encrypt everything inside your home directory, but nothing outside of it. For those who only want to protect the data inside their home directory this may be a good solution.

If there is sensitive data outside of the home directories that you need to protect, then a full disk encryption solution is worth looking into. This will encrypt everything on a disk, which means that data stored in temp files and application directories is also secured.

Sophos offers a business class full disk encryption product for Mac OS X called SafeGuard Disk Encryption for Mac. An additional benefit of full disk encryption is that it prevents someone from booting the system and reading the memory through the FireWire interface.

Encrypting the virtual memory on your system is a wise choice, and something that Apple does turn on by default in 10.6 Snow Leopard.

For older versions of OS X it is strongly recommended that you turn on 'secure virtual memory' in System Preferences. This will prevent others from connecting to your physical machine and reading the data in the virtual memory.
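
The settings from tips 1 to 3 can also be checked from Terminal. The script below is an added example, not part of the original article: the `classify_*` and `audit` function names are made up for illustration, and it assumes a macOS release that ships `firmwarepasswd` and `fdesetup`, which are newer than the versions discussed here. `fdesetup` reports full disk FileVault, not the home-directory FileVault described above.

```shell
#!/bin/sh
# Added example: audit the settings covered in tips 1-3 from Terminal.
# The classify_* functions take captured command output so the logic can be
# checked offline; audit() runs the real commands and needs a Mac.

# Tip 1: the autoLoginUser key exists only while automatic login is enabled.
classify_autologin() {
    if [ -n "$1" ]; then
        echo "FAIL automatic login is enabled for user: $1"
    else
        echo "PASS automatic login is disabled"
    fi
}

# Tip 2: `firmwarepasswd -check` prints "Password Enabled: Yes" or "... No".
classify_firmware() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "PASS firmware password is set" ;;
        *"Password Enabled: No"*)  echo "FAIL no firmware password" ;;
        *) echo "UNKNOWN firmware password state (tool missing or not root)" ;;
    esac
}

# Tip 3: `fdesetup status` reports full disk FileVault; `sysctl vm.swapusage`
# ends in "(encrypted)" when secure virtual memory is on.
classify_filevault() {
    case "$1" in
        *"FileVault is On"*)  echo "PASS FileVault is on" ;;
        *"FileVault is Off"*) echo "FAIL FileVault is off" ;;
        *) echo "UNKNOWN FileVault state (fdesetup unavailable)" ;;
    esac
}
classify_swap() {
    case "$1" in
        *"(encrypted)"*)  echo "PASS swap is encrypted" ;;
        *"vm.swapusage"*) echo "FAIL swap is not encrypted" ;;
        *) echo "UNKNOWN swap state (sysctl returned nothing)" ;;
    esac
}

audit() {
    classify_autologin "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)"
    classify_firmware "$(firmwarepasswd -check 2>/dev/null)"
    classify_filevault "$(fdesetup status 2>/dev/null)"
    classify_swap "$(sysctl vm.swapusage 2>/dev/null)"
}

# Run the live audit only on a Mac; use sudo so the firmware check can run.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```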

Conclusion

Those of you who are concerned about security on your personal Macs can take advantage of free anti-virus from Sophos. If you have an iPhone/iPad/iPod Touch we also have a free application in the App Store to provide the latest security information.

6 Responses to Top tips for Mac OS X security - Part 1

  1. Ray · 1312 days ago

    Would love to use Sophos SafeGuard as the Symantec PGP product dies with every update, so can choose between staying updated or staying encrypted. But I am a home user :(, hopefully, maybe the encryption can be added to the Sophos for Mac that I run now.

  2. Well, that's easy, use Sophos with an encryption software you like best. I don't see no issue doing that.

  3. Nick · 1312 days ago

    A word of warning - the new Macbook Air EFI password cannot be reset with the tools described above. If you forget your password you will need to schedule a visit to the Genius Bar for it to be reset. Word of warning.

    • Chester Wisniewski · 1311 days ago

      Nick, Do you have a link for the Apple KB article explaining this? It may be helpful to people who Google for this information and find this article.

      Chet

      • Bob Stromberg · 1184 days ago

        The KB article is "MacBook Air: Recovering a lost EFI firmware password" at:
        http://support.apple.com/kb/TS2391

        Pertinent text: "If you cannot remember the EFI firmware password for your MacBook Air, please schedule a service appointment with either an Apple Retail Store or an Apple Authorized Service Provider."

  4. Faizan · 1185 days ago

    Thank you for composing this article. I find these tips very useful and as a new Mac user (about 6 months old) all of these features were totally new to me.
    I plan to put almost all of these recommendations into practice.

About the author

Ben Jupp is a Senior Technical Specialist for Sophos based out of their Vancouver offices. He lives and breathes all things Mac, Linux and Unix.