10 Mac OS X Server Security Suggestions

—Joel Rennich,

Updated 16 September 2002

10.2 OK!

Security Suggestions

Although Apple has upped Mac OS X‘ security in Jaguar, the suggestions listed below still make good sense.
  1. Understand what services you are enabling. Mac OS X Server comes with most every service disabled when it is first installed. Every box you check after that reduces the security of your machine, so you really need to understand the services that you enable. Be very careful when granting guest access to your machine, and after you turn on the service test permissions and connectivity from another machine before going live with the changes.
  2. Learn to use SSH. With SSH you can create VPN connections and easily administer your machine remotely. O'Reilly has a very comprehensive book on SSH, but most of what you need to know you can learn from this site or other resources on the web. To keep your server as secure as possible you should change a line in /etc/sshd_config from

         #Protocol 2,1

    to

         Protocol 2

    This removes protocol 1, a less secure version of SSH. To enable the change stop and start your SSH server.
  3. Enable your logs. Most of the services in Mac OS X Server have logging facilities. This can be turned on in the Server Admin application. Turn them on and make a habit of looking over them. Create a policy on how long to keep the logs. This won’t help you too much in preventing attacks but can be of immeasurable importance after an attack or other incident has occured.
  4. Check your permissions. Make sure that your sensitive files and most certainly your sharepoints are correctly permissioned. Create an account for every user on the system. Don’t just use one generic username and password. I know this is rather un-Mac like, but will make it easier on you when an employee leaves. Test the permissions of your files both by using the Finder or the Terminal from the local machine and also by logging in as the user from other machines. You can login as any user by using their name and an admin user’s password.
  5. Set home directories and shells with care. When setting up a new user using the Server Admin application pay attention to what shell and home directory you give each user. If they have no business ever making a terminal connection to your server then set the login shell to None. The user can still AppleShare to the server, but they can’t ssh to it. Make sure to dissallow logins by any mail aliases you have set up as users. Only give your users the abilities that they need.
  6. Get a firewall. Now. Preferably you should get a hardware firewall, even if it is just a small SOHO $100 OfficeMax special. If you are running a server on the Internet you need this. $100 is a small price to pay for a good deal of security. Regardless of whether or not you have a hardware device you should also use the Unix ipfw firewall on your machine. The easiest way to do this is through FireWalk or BrickHouse, two very good graphical applications that can help you configure your firewall in minutes.
  7. Create off-line backups. Use Retrospect, I know its only a beta but it’s better than nothing, or any of the command line utilities, like rsync or psync, to create backups of all of your files. Store these backups on removeable media like CDs or FireWire hard drives. If your system ever gets compromised this will get you back up and running quickly. If you don’t have the resources or desire to back up your entire system at least backup your sharepoints.
  8. Keep your software up to date. Run Software Update on a regular basis, either manually or automatically. Don’t blindly install every update. Do a little research on the web first, but keep on top of what updates are there. Macintouch.com and Versiontracker.com are great for checking on third-party updates for your applications. There is no excuse for being subject to a compromise that there is a patch for.
  9. Keep your brain up to date. Pay attention to the news sites and other information sources for trends. Keep on top of the problems other administrators are running into. The Internet makes information easy to find so you don’t need to put too much time into this, but you should be aware of new software and hardware products that can help make your system more secure and your job easier.
  10. Think about your passwords. Don’t make all of your passwords the same. Find cute combinations of letters, numbers and symbols that will be easy for you to remember but hard for other people and programs to guess and crack. Don’t make them too hard so that you are tempted to write them on a sticky note on the monitor, either. Change them every so often and don’t give them out to people who dont need them. Since it is fairly easy to create a new user on Mac OS X Server do it when you need to. Create a password for a specific person for as long as it is needed and then delete it when it is done.