Top tips for Mac OS X security – Part 3

OS X Security Tips
In the third and final part of my series on OS X security, I will cover system security. If you missed out previous articles, check out part one on hardware security and part two which covers user security.

Simply using a Macintosh computer is not enough to guarantee your security. If you would like some help beyond the advice in these articles, you can download our free Sophos Anti-Virus for Mac Home Edition product to alert you of any threats.

System security

1. Properly configure your firewall

Having a modicum of control over what network traffic is allowed in and out of your machine, and over which applications are running, is essential to running a secure system. To do this, you want to run a firewall.

Apple were nice enough to include a firewall in OS X, and the version in 10.6 is certainly useful. It comprises of two main parts, the Application Firewall and ipfw, a FreeBSD packet filtering firewall that Apple has incorporated into OS X.

To view the Application Firewall settings, go to System Preferences and click on Security -> Firewall. From here, you can control the services that are allowed to accept incoming connections, as well as which applications are authorised to use specific connections.

Turn on your firewall

To begin with, make sure the firewall is switched on. Apple may have been kind enough to include the firewall, but they didn’t switch it on for you by default. Sigh.

Next, click on Advanced and review the applications listed and their associated incoming connections. Decide if the permissions are appropriate for each application.

For example, I use iTunes to listen to my music, but i don’t share out my library, so there is no need for iTunes to accept incoming connections to my machine. Therefore I have iTunes set to Block incoming connections.

Disable ‘Allow all “Signed” Applications’

The default setting in the application firewall on 10.6 will allow all “signed” applications to accept incoming connections automatically once you have switched on the firewall.

Signed applications are application which have been built with code signing enabled. This allows an operating system to verify that the application is what it says it is.

Code signing provides some security, but it is not a flawless system by any stretch of the imagination. Just because an application is signed does not mean you should allow it to accept any incoming connection. Instead, you should manually review all of the applications you have on your system and decide whether they should be allowed to accept incoming connections or not.

Packet filtering firewall

WaterRoof logoThe second part to the firewall solution in OS X is ipfw, a packet filtering firewall, which is built into the sub-system of OS X. Ipfw is immensely powerful, but can be confusing. It is hidden away from most users unless you go looking for it in terminal.

There are a few applications available for download that provide an GUI to ipfw. A GUI makes things far easier for those who are not used to configuring a firewall from the command line. Two applications that I think are good, and free, are WaterRoof and NoobProof.

The “Ready Rule Sets” in WaterRoof provide a very quick way to add additional security to your system.

2. Secure Safari

When it comes to browsers, I actually like Safari. I tend to use it more than Firefox or Chrome on my Mac. But, there one option that I always disable as soon as I set up a new machine: Open “safe” files after downloading.

Disabling ‘Open “safe” files after downloading’

This can be found on the ‘General’ tab on Safari Preferences window. Open “safe” files after downloading means that files deemed to be “safe” are automatically opened by Safari after they have been downloaded.

This is hideously insecure in my view, as it can lead to malicious code being run without the user having to do anything.  If you, by accident visit an website which has been infected, and that site causes your browser to download an infected zip file, Safari will *automatically* unzip that zip file, causing the malicious code to be run! I suggest strongly that you disable this option now.

Anything you download can easily be accessed using either the Finder, or by double-clicking on the item in the Safari Downloads window.

Disabling ‘Autofill web forms’

Having the Safari browser (or any browser for that matter) automatically fill in forms for you can be potentially dangerous.  Vulnerabilities have been found that allow websites to grab this auto-fill data without ever showing a form on the page.  Auto-fill data is an identity thief’s idea of heaven.

Either go to Safari Preferences, open the AutoFilltab, and Disable Autofill web forms or use a secure application for auto-filling sensitive or personal information like 1Password.

3. Only run the services that you really need

Mac Sharing PreferencesMany users have services running on their systems that they either rarely use, or, more often than not, don’t even know are running.

Only run services that you really need. For those that you rarely use, switch them on when you need them and then switch them off as soon as you have completed the task.

Leaving a lot of rarely used services running leaves your Mac more vulnerable to attacks over the network. Only running those services that you need reduces your risk.

To review the services that are running on your system, go to System Preferences -> Sharing.


To stay current on the latest Mac threats check out the Sophos Mac Security Hub.

Until next time, stay secure.