Lock Down Your Mac
Posted by Adam Pash at 5:00 AM on April 18, 2008
Apple often boasts about the security of OS X, but tech web site Ars Technica suggests that your Mac is no more secure than you make it, and rounds up a handful of security features you should enable to bolster it. Off the bat, for example, the article recommends setting a firmware password for your Mac that prevents anyone from booting your Mac at all without entering the password. Why?
If someone can get to your computer, the chances of them acquiring your data just skyrocketed. Physical security is the critical first step in keeping your Mac safe. A firmware password prevents a user with physical access to the computer from starting up from an optical disk, a network boot volume, a separate drive connected in Target Disk Mode, or into single-user mode.
The article also examines several other OS X security features that aren't enabled by default that can do a lot to enhance your Mac's security. Got a favourite Mac security tweak of your own? Let's hear about it in the comments.

Comments
Allie
Posted May 2, 2008 6:33 PM
Hey,
I have had a firmware password, to protect my MB against roommate pranks, but the stupid thing is that the safe sleep feature does not work.
I tried it several times (by taking the battery out and then putting it in), and when you turn the machine on, it just doesn't work...a gray screen.
Also, when it boots up, there is a short window of time after the chimes that I have to press "ALT" or nothing gets done... Am I way off? GUIDE ME.
TinyApps.Org
Posted 5:40 AM 18/4/08
The Open Firmware Password "protection" is generally overrated. Encryption (like OS X's FileVault, which the article mentions) is a far better method to keep your data safe from those who have gained physical access to a machine. Just be sure to *shut down* your Mac (rather than using Sleep or Safe Sleep) to prevent the recently discussed Cold Boot Attacks on Encryption Keys.
TinyApps.Org
tecnobabble
Posted 5:33 AM 18/4/08
I personally like locking Single User Mode:
[tech.tedthepenguin.com]
tecnobabble
EchoD
Posted 5:22 AM 18/4/08
I rely on the most simple security method ever...
Most people don't use Macs. So, while they figure out how to use it in order to steal my information, they'll get distracted by all of the great features and software.
EchoD
conigs
Posted 5:22 AM 18/4/08
I definitely recommend the OpenFirmware/EFI password (though I don't recall it requiring a password to boot off the normal boot disk, could be wrong though). Just keep in mind that someone can still remove that password fairly easily...
conigs
Joseph
Posted 5:19 AM 18/4/08
I really don't like when people try to make an operating system seem more secure than another one. If you're jacked into the net, looking at this page, someone could be jacked into your box looking at your files.
Joseph
spicedham
Posted 6:08 AM 18/4/08
Don't make your main user an administrator. If you need to change something that requires that authority, you can enter an admin username/password to complete the action.
spicedham
CapitalC
Posted 8:01 AM 18/4/08
I have my account password protected and my files aren't shared but I intentionally leave my guest account enabled specifically because I run Undercover, which works with the computer running in order to be recovered (in case of theft).
For 99.9% of people who would try to access my data, they're not smart enough to get through my password... the other 0.01% would just steal my laptop first, remove the hard drive and try to get in that way. :p
CapitalC
balls187++
Posted 7:55 AM 18/4/08
Laughable.
Once someone has physical access to your Mac, you're SOL.
balls187++
phoenix
Posted 9:14 AM 18/4/08
I'm with the author of the original post here - it's all about physical security as well as data security. If you really do keep a lot of information on your Mac that you need to keep locked down, it's worth looking into these kinds of things, but it's also important not to overstep the basics, like password protecting your Mac and telling it not to automatically log you in when you boot it up. Remember, the biggest security risk at any organization or in any office is most likely the users themselves, regardless of their technical prowess.
phoenix
discounteggroll
Posted 8:42 AM 18/4/08
Is your stuff really that sensitive/private that you need to activate file vault or something similar in order to protect it? I ask this seriously because if you run into bad sectors on your HD or just have bad luck with hardware, good luck trying to get it back. File Vault is a great feature to have if the data you keep on your computer is truly sensitive. Your term paper isn't sensitive - spend your time and paranoia elsewhere. If data privacy is really that important, make an encrypted disk image with Disk Utility and go wild.
discounteggroll
dhlt25
Posted 10:48 AM 18/4/08
Do any of these tricks prevent people from creating a new admin account with applesetupdone? I've tried on Mac OS X from 10.3 to 10.5 and was able to create a new admin account on all of them.
dhlt25
Myles
Posted 10:30 AM 18/4/08
Going to college in September so I think I should actually try and secure my Mac now. Generally don't have to worry about "hackers" in small town Nova Scotia.
Myles
BugMeNot
Posted 12:00 PM 18/4/08
Corsaire has also published some good security guides for Mac OS X 10.4 Tiger and Securing Mac OS X 10.3 Panther. Available at:
[research.corsaire.com]
BugMeNot
derelk
Posted 2:01 PM 18/4/08
Setting an Open Firmware password is a total waste of your time. All it will ever do is inconvenience you. As mentioned above, it's ridiculously easy to bypass. More importantly, if someone has physical access to your machine, booting to another device is the LEAST of your worries. Why wouldn't they just take your hard drive if they really want the data on it? Or the whole machine? Encrypting sensitive data is your only real protection - don't bother with a firmware password.
derelk
tamoko
Posted 11:14 PM 18/4/08
Most of your "average" computer thieves don't give a damn what's on your computer... it's just something to sell or pawn, and the harddrive is someone else's problem. Protecting your data is important, but so might be physically securing your desktop or laptop with a laptop lock and mounting plates...
tamoko
JediSthlm
Posted 5:23 PM 18/4/08
I use Truecrypt for Mac. Does the trick.
[www.truecrypt.org]
JediSthlm
mrosedal
Posted 10:47 AM 19/4/08
Just face it: if someone gets physical access to your machine, you are just fucked! Setting a firmware password will only serve to piss the person off, but it certainly won't stop him if he wants your data. Encrypting your hard drive is the only way to come close to true security, but even that has its limitations. The Ars article was ok, but I think the guy is giving false hope on things that really don't secure the machine, particularly if someone steals your machine.
mrosedal