In a recent blog post titled "Hardening macOS," Ricard Bejarano offers an extensive list of settings you can tweak to make macOS as secure as possible. It's a comprehensive list of tasks — and we love it — but it's important that you understand the "why" behind his recommendations, too. Here are a few of his top tips and explanations for why you're adjusting, installing, or modifying your Mac that way.
System Preferences is your new best friend
Ricard's advice: "Keep your system up-to-date, both macOS and installed software"
Apple frequently releases security updates and is often quick to provide patches for new threats. Keeping your software updated is a critical component of your system's security, and not everyone checks System Preferences all the time for the latest updates. If you aren't running macOS Mojave, you should be looking at Software Update frequently. Make it a biweekly to-do on your calendar, even.
And if you are running Mojave, you can set Mac updates to install automatically. Go to System Preferences > Software Update and check "Automatically keep my Mac up to date." If the checkbox isn't fully selected (it has a hyphen instead of a checkmark), open Advanced and ensure that all of the boxes are selected (especially "Install system data files and security updates").
Use two accounts instead of one
"Create an administrator user account with a strong password and no hint. This user is for administration purposes only."
"Go to System Preferences > Users & Groups and create an unprivileged user account for day-to-day use, it is considered best practice by Apple itself"
It might feel a little strange to be setting up two accounts for yourself when you only use one most of the time, but it's a great way to strengthen your system's security for everyday use.
Set up an Administrator account with a strong password, which you'll use whenever you need to modify software, update keychains, etc. Then, set up a separate, non-privileged account to use as your default account, which sets some limitations when you're installing software or working with some "Power User" apps (e.g. for automation).
This limits your exposure by limiting capabilities. (And you can always use your admin account, with its super-secure password, to approve activities your user account is prevented from executing by default.)
Let identified developers' apps work, too
Ricard's advice: "Go to System Preferences > Security & Privacy > General and set Allow apps downloaded from to App Store or App Store and identified developers"
While the App Store offers the best app security (most of the time), a lot of your favourite apps might come directly from third-party developers. "Identified developers" means that the creator of the app has used code signing, a process regulated by Apple which requires developers to have accounts with Apple and provide apps that verify their own authenticity.
This isn't a foolproof security measure, as anyone can get a developer account and sign their app, though but Apple can revoke a developer's certificate if it detects malware activity or other impropriety in their apps. If you only want to run apps that Apple has inspected and approved themselves, choose "App Store" only — but we, and Ricard, think it's fine to expand to "identified developers" as well.
Protecting your privacy
Ricard's advice: "Go to System Preferences > Security & Privacy > FileVault and turn on FileVault (note: may take some time)"
FileVault is Apple's built-in method for encrypting your data, which safeguards it against other people accessing it if they have physical access to your system. There's really no good reason not to use FileVault — it won't impact your system's performance if you're running anything reasonably new (within the last few years or so).
You should also ensure that your backups (you are backing up, right?) are encrypted and password-protected, whether you're making a Time Machine backup or sending your data off to a cloud service. Fortunately, most of the popular backup services automatically encrypt the data you send their way — make sure you pick a strong password (and use two-factor authentication, if possible).
Maybe don't share your location with every app
Ricardo's advice: "Go to System Preferences > Security & Privacy > Privacy > Location and uncheck Enable Location Services"
Location Services is an area that requires you to trade convenience for privacy. Do you want Spotlight (and Siri) to offer suggestions based on wherever you are? If you type "weather" in Spotlight, do you want the local forecast? These are fairly harmless use cases, but there are other apps that might take advantage of location services for more nefarious means. And do you really want to let some random developer (or company) know where you are when you're using their apps on your system?
Stop Your Mac's suggestions
Ricardo's advice: "Go to System Preferences > Spotlight > Search Results and uncheck Spotlight Suggestions and Allow Spotlight Suggestions in Look up"
The related privacy concerns came up quickly when Spotlight Suggestions were introduced in OS X Yosemite. Spotlight queries not only send limited personal data to Apple, but also to Microsoft's Bing search engine. From Apple's privacy statement:
When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple. Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple.
Searches for common words and phrases will be forwarded from Apple to Microsoft's Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services.
If you use Safari, you'll also want to go to Preferences > Search within the browser and uncheck Include Spotlight Suggestions.
Surfing securely with a different DNS
Ricardo's advice: "Go to System Preferences > Network > Advanced > DNS, add two entries to DNS Servers for 126.96.36.199 and 188.8.131.52 and remove any other server"
There's a complete list of ways to set up your web browser for security and privacy in Ricard's list. One point worth further explanation is the use of 3rd-party DNS resolvers. Ricardo recommends
184.108.40.206 (Cloudflare's service) and
220.127.116.11 (Google's). Both Cloudflare and Google have their own secondary addresses, and there are additional options like OpenDNS as well.
A third-party DNS is a better choice than your ISP's because it's probably going to be (slightly) faster. In general, third-party DNS records are updated more often and require less bouncing around to find the domain you're looking for. You can check your ISP's performance (as well as the performance of any new DNS service you pick) using a tool like Domain Name Speed Benchmark.
More importantly, the servers listed above (Cloudflare, Google, OpenDNS) offer phishing protection and stronger security against things like DNS poisoning, spoofing and DDoS attacks. All of the listed DNS servers offer either or both DNSSEC or DNSCrypt, security features that protect your requests from being spied on, hijacked, or redirected.