Top tips for Mac OS X security - Part 3

Filed Under: Apple, Apple Safari, OS X, Privacy

OS X Security Tips
In the third and final part of my series on OS X security, I will cover system security. If you missed out previous articles, check out part one on hardware security and part two which covers user security.

Simply using a Macintosh computer is not enough to guarantee your security. If you would like some help beyond the advice in these articles, you can download our free Sophos Anti-Virus for Mac Home Edition product to alert you of any threats.

System security

1. Properly configure your firewall

Having a modicum of control over what network traffic is allowed in and out of your machine, and over which applications are running, is essential to running a secure system. To do this, you want to run a firewall.

Apple were nice enough to include a firewall in OS X, and the version in 10.6 is certainly useful. It comprises of two main parts, the Application Firewall and ipfw, a FreeBSD packet filtering firewall that Apple has incorporated into OS X.

To view the Application Firewall settings, go to System Preferences and click on Security -> Firewall. From here, you can control the services that are allowed to accept incoming connections, as well as which applications are authorised to use specific connections.

Turn on your firewall

To begin with, make sure the firewall is switched on. Apple may have been kind enough to include the firewall, but they didn't switch it on for you by default. Sigh.

Next, click on Advanced and review the applications listed and their associated incoming connections. Decide if the permissions are appropriate for each application.

For example, I use iTunes to listen to my music, but i don't share out my library, so there is no need for iTunes to accept incoming connections to my machine. Therefore I have iTunes set to Block incoming connections.

Disable 'Allow all "Signed" Applications'

The default setting in the application firewall on 10.6 will allow all "signed" applications to accept incoming connections automatically once you have switched on the firewall.

Signed applications are application which have been built with code signing enabled. This allows an operating system to verify that the application is what it says it is.

Code signing provides some security, but it is not a flawless system by any stretch of the imagination. Just because an application is signed does not mean you should allow it to accept any incoming connection. Instead, you should manually review all of the applications you have on your system and decide whether they should be allowed to accept incoming connections or not.

Packet filtering firewall

WaterRoof logoThe second part to the firewall solution in OS X is ipfw, a packet filtering firewall, which is built into the sub-system of OS X. Ipfw is immensely powerful, but can be confusing. It is hidden away from most users unless you go looking for it in terminal.

There are a few applications available for download that provide an GUI to ipfw. A GUI makes things far easier for those who are not used to configuring a firewall from the command line. Two applications that I think are good, and free, are WaterRoof and NoobProof.

The "Ready Rule Sets" in WaterRoof provide a very quick way to add additional security to your system.

2. Secure Safari

When it comes to browsers, I actually like Safari. I tend to use it more than Firefox or Chrome on my Mac. But, there one option that I always disable as soon as I set up a new machine: Open "safe" files after downloading.

Disabling 'Open "safe" files after downloading'

This can be found on the 'General' tab on Safari Preferences window. Open "safe" files after downloading means that files deemed to be "safe" are automatically opened by Safari after they have been downloaded.

This is hideously insecure in my view, as it can lead to malicious code being run without the user having to do anything.  If you, by accident visit an website which has been infected, and that site causes your browser to download an infected zip file, Safari will *automatically* unzip that zip file, causing the malicious code to be run! I suggest strongly that you disable this option now.

Anything you download can easily be accessed using either the Finder, or by double-clicking on the item in the Safari Downloads window.

Disabling 'Autofill web forms'

Having the Safari browser (or any browser for that matter) automatically fill in forms for you can be potentially dangerous.  Vulnerabilities have been found that allow websites to grab this auto-fill data without ever showing a form on the page.  Auto-fill data is an identity thief's idea of heaven.

Either go to Safari Preferences, open the AutoFilltab, and Disable Autofill web forms or use a secure application for auto-filling sensitive or personal information like 1Password.

3. Only run the services that you really need

Mac Sharing PreferencesMany users have services running on their systems that they either rarely use, or, more often than not, don't even know are running.

Only run services that you really need. For those that you rarely use, switch them on when you need them and then switch them off as soon as you have completed the task.

Leaving a lot of rarely used services running leaves your Mac more vulnerable to attacks over the network. Only running those services that you need reduces your risk.

To review the services that are running on your system, go to System Preferences -> Sharing.


To stay current on the latest Mac threats check out the Sophos Mac Security Hub.

Until next time, stay secure.

, , , , , ,

You might like

5 Responses to Top tips for Mac OS X security - Part 3

  1. Pete Thompson · 1655 days ago

    Does OSX ignorance really run that deep?
    Even if I had a custom OS with my own kernel written by Einstein and completely locked down, I would still use basic protection of a firewall, not run unecessary services.
    dont think Apples " be safe, just run osx' attitude has helped anything to do with security... especially as they certainly refuse to take it seriously.
    Only a matter of time before a major outbreak, via appstore or other if the ignorance is worldwide and OSX gains market share.. I actually sometimes feel more at risk due to the fact there are no measures in place like my windows box

  2. Steve S. · 1654 days ago

    Norton took it serious. They came out with their antivirus for mac a long while ago to plug holes in their browser and others for it along with firewall. I love when mac users say " Mac's can't get viruses" I direct their attention to the norton box and await their expressions. :)

  3. PhilCat · 1652 days ago

    The intelligent logic of Apple made life as simple as flipping
    on the light.
    6 years with it, only 9 threats logged.
    All were Java related in the same folder of a mystery application
    that was loaded Nov 2010.
    Sophos took care of it smoothly, a brilliant application.

    1 event in over 6 years, vs thousands each year doing the same research
    on the PC.

    A simple activity of chat with Son serving this Country was under constant interruption using Norton.
    Messing with my moment, making it impossible to continue,
    I threw in the towel.

    If all one does is play games and surf, have at it.

    Hers's a perfect scene of how ridiculous it is.
    Fully flip to MacPro, and couple of matching laptops 6 years ago.
    Not one Kb of anti anything used.

    PC tower in the mean time sits off line,
    un-connected or updated for 5 years.
    Hey, I like some of the Games.
    Still, threats appear Norton says to take action immediately.
    Still interrupting even in death.

    With advanced embedded paranoia, they line up gladly paying for more.
    The perfect sales force tactic. Gotta love it. Specialize in fear.

  4. Hans · 1561 days ago

    Most important: Don't do your daily work on a user-id with administrator rights!

    Keep that aside for special tasks, like when you /need/ to install new software.

  5. I follow this steps on my macbook pro and now, I can't even access to te internet! =(

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Ben Jupp is a Senior Technical Specialist for Sophos based our of their Vancouver offices. He lives and breathes all things Mac, Linux and Unix.