Sophos Cloud Optix
In the first part of this series I covered OS X tips related to physical security, in part two I will focus on the user. I will cover system security in part three.
These simple steps are things every Mac user should do. They provide a large improvement in the security of your computer and data, while imposing an imperceptibly small price.
User security
1. Be smart with your passwords
Your Password is more or less the one thing that keeps your system and your data safe from others. It makes sense to invest in making it as hard to crack as possible.
Apple provides a tool to help select a secure password called Password Assistant. To use the Password Assistant open System Preferences -> System -> Accounts -> Create a user or Change Password -> Click the key icon.
The Password Assistant provides several options to help you generate a password (Memorable, Letters & Numbers, Numbers Only, Random, FIPS-181 compliant), or you can manually enter a password.
Whichever you choose Password Assistant will show you the Quality (or strength) of your password. Watch this video for advice on choosing a complex password you can remember.
2. Securing your Keychain
It is a good idea to make sure that your Keychain has a different password to that of your user account.
The Keychain stores internet passwords, SSL Certificates, notes and more in a nice convenient encrypted store. By default your Keychain has the same password as your user account, which is great as it means your Keychain automatically unlocks and allows any running application to request data from it!
Its like SSO (Single Sign On) gone bad. . . Changing your Keychain password will mean that when an application wants some data you will have to enter your Keychain password.
This is a little inconvenient but means that anyone that cracks your account password doesn’t get instant access to everything in your Keychain, and that you will know whenever an application is trying to gain access to your secured data.
To change your Keychain password open up the Keychain Access application in the Utilities directory. Then click on the Edit menu and select Change Password for Keychain “login”.
3. Never run as an administrative account
If you talk to any Linux or Unix user you will quickly find out that they rarely login as a user that has administrative privileges. The reason for this? If your account is compromised, the attacker has only gained access to your data, but hasn’t gained access to the entire system.
Running as a normal user on any operating system is a sensible thing, and OS X is no different.
Make your everyday account a Standard user, and then authenticate as an Admin account when the system requests it.
Conclusion
Combined with my physical security tips, securing your user profile is a critical part of having a happy and secure Mac. It goes without saying that you should run anti-virus on your Mac as well.
If you are a home user you can get Sophos Anti-Virus for Mac Home Edition for free! Come back to Naked Security soon for the final part in this series system security.
Regarding not running as admin. If you are running as a non-admin is there a way to switch to the admin user for just that task (without logging out as one and in as the other).
It seems that in OSX (when logged in as an admin user) some administrative tasks still require entering the admin password but installing software doesn't WTF?
Use sudo to perform administrative tasks, for instance: sudo vi /etc/hosts.
What about tasks that are done via the GUI?
When you have to perform a task via the GUI needing administrative privileges OSX will pop-up a login screen to type an administrative user name and password. This happens when you install a program, or alter any setting in system preferences.
There are only a very few programs that have faulty installer that would need you to log off and log in as admin. (I know only one, but since that is written in Java I installed it from command line copying jar files.)
So, when creating a standard user do NOT check the box "Allow user to administer this computer?" I will be asked to authenticate the user as Admin when the necessity arises??