Mac OS X Security


Out Of The Box Security and Additional Hardening Measures

The out-of-the-box security settings of OS X, in comparison to other popular operating systems, can only be described as conservative. A security technology brief from Apple explains the approach to security in OS X as “Secure from the start, easy to keep secure, and easy to make even more secure.” As advertised, the default installation of OS X, with all relevant security updates applied, is quite secure. There are several important factors that play into this.

The superuser of OS X, in the tradition of other UNIX systems, is a user called root. However, in OS X, the root user plays somewhat of a phantom role. Although it is present in all OS X systems and plays a role behind the scenes, the account itself is disabled by default. Most users of OS X will never need to enable it or even know that it exists. This is a striking departure from systems like Windows, whose default user is, in effect, root.

In addition to the root user, OS X has also inherited a fully functional multiuser operating system. OS X is designed for use by multiple people, each with their own Home Directory, complete with application preferences. All files and folders in the system have built-in permissions settings, and each user’s Home Directory is designed so that no one but that user and root has access to it. New user accounts in OS X are always set to ‘normal’ unless otherwise specified, meaning the account only has basic privileges by default. This follows the security rule commonly known as the “principle of least privilege.”

One important aspect of host security is turning off all unnecessary network services. In the past some operating systems turned on many services by default to ease initial configuration; this is now considered bad practice because each enabled service is a new attack vector. In Corporate Computer and Network Security, Raymond Panko comments that “security experts now agree that a firm should turn off all unnecessary services because a large number of exploits take advantage of vulnerabilities in obscure and little used services…” (Panko, Raymond R. Corporate Computer and Network Security, p. 228). OS X goes one step further by disabling most of these services by default.

In a default OS X installation, only four network services are enabled: automounter, syslog, sunrpc and NetInfo. These four services are essential parts of the operating system and cannot be turned off. Some of the important services included with OS X but disabled by default are SSH, FTP, file sharing over AFP and personal web sharing. These services can be easily turned on and off through a GUI dialog in the System Preferences application. By including these features but disabling them by default, Apple has taken a very important step that sacrifices neither security nor ease of use.

No matter how secure any system is at its release, there will inevitably be vulnerabilities and bugs. The reasonable approach to counteract this is to provide regular software and security updates. Similar to Windows, OS X also provides a method for automatic updating that is built into the operating system. The update application, called Software Update, checks for updates weekly by default (Apple security technology brief cited above). In addition to system-related updates, Software Update also checks for updates to all other Apple software installed on the operating system.

Lastly, OS X also includes a built-in system for logging all important system-related events. The logs can be easily viewed in the Console application or, for advanced users, at the command line. OS X logs system events, crash reports and also all security-related events, including any invocations of sudo (Apple security technology brief cited above).
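Because every sudo invocation is logged, those entries are the first place to look when reviewing privileged activity on a machine. The following script is an added example, not code from the original article, that parses a few constructed log lines in the syslog format sudo writes on OS X and other UNIX systems, separates successful invocations from failures (wrong password, user not in sudoers), and flags interactive root shells, which sudo records only as the shell command and not as whatever was run inside it. The hostname, user names and commands in the sample are invented for the example.

```python
import re
from collections import Counter

# Constructed sample of sudo's log lines (syslog format); names are invented.
SAMPLE_LOG = """\
Jan 14 09:12:01 macbook sudo[412]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l
Jan 14 09:15:44 macbook sudo[430]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jan 14 10:02:19 macbook sudo[511]:      bob : user NOT in sudoers ; TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
Jan 14 10:03:07 macbook sudo[519]:    alice : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/sh
Jan 14 10:04:55 macbook sudo[523]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/sh
"""

# A successful entry reads "user : TTY=... ; PWD=... ; USER=... ; COMMAND=...".
# A failed one inserts a reason ("3 incorrect password attempts",
# "user NOT in sudoers") between the user name and the TTY field.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[\d+\]:\s+"
    r"(?P<user>\S+) : (?:(?P<failure>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the caller an interactive root shell; sudo logs the
# shell itself, not the commands typed into it, so these deserve a closer look.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh", "/bin/tcsh", "/usr/bin/su"}


def parse_sudo_log(text):
    """Return one dict per recognised sudo line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            event = m.groupdict()
            event["ok"] = event["failure"] is None
            events.append(event)
    return events


def summarize(events):
    """Count root commands per user and collect failures and root shells."""
    summary = {"root_commands": Counter(), "failures": [], "root_shells": []}
    for e in events:
        if not e["ok"]:
            summary["failures"].append((e["user"], e["failure"]))
            continue
        if e["target"] == "root":
            summary["root_commands"][e["user"]] += 1
            program = e["cmd"].split()[0]
            if program in INTERACTIVE_SHELLS:
                summary["root_shells"].append((e["user"], program))
    return summary


if __name__ == "__main__":
    report = summarize(parse_sudo_log(SAMPLE_LOG))
    for user, count in report["root_commands"].items():
        print(f"{user}: {count} command(s) run as root")
    for user, reason in report["failures"]:
        print(f"FAILURE {user}: {reason}")
    for user, shell in report["root_shells"]:
        print(f"ROOT SHELL {user}: {shell} (commands inside it are not logged)")
```

On a live system the same functions can be fed the contents of the log file sudo writes to (on OS X of this era, secure.log under /var/log) instead of the constructed sample; the failure entries are the ones worth an alert, and the root-shell entries are the ones that leave a gap in the audit trail.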

Despite the “secure from the start” security motto for OS X, there are still some weak points in the default installation. Most of these weak points can be easily remedied, but they do require active intervention by the user and usually at least some knowledge of the features in question.

As previously mentioned, OS X is designed to be a multiuser system and each newly created user is a normal user without administrative privileges. This is true, with one notable exception: upon installing OS X for the first time you are required to create a user account, which is actually an administrative account. After successfully creating the account, the user is logged in to the system without any further notice regarding additional users.

While the admin group in OS X is not quite the equivalent of the root user, it does have the ability to escalate privileges for short periods of time in order to authenticate actions that would normally require root access. An example of this is the UNIX sudo command, which allows all users and groups listed in the sudoers file to perform root-level operations on the system. In layman’s terms, this means they can do anything, including deleting the system.

The most unfortunate aspect of this is that the normal setup routine in the OS X installation does nothing to describe the security implications of this. There is no indication that the user being created is an admin and, more importantly, no indication that this should not be the primary user of the system. This is clearly a direct violation of the “principle of least privilege.”

Moving past the unfortunate design decisions regarding this first user, it is a relatively painless process to add an additional non-admin user for everyday use. If just starting out with a fresh installation, the user can simply proceed to make an additional non-admin account and use that one regularly. The design of OS X allows a normal user to authenticate system changes (i.e. network settings and application installations) using an administrative account and password. There is no need to actually change accounts. Furthermore, there is nothing special about the first user of an OS X system. The user can always, at a later point in time, create a new admin account and then de-escalate the privileges of the first account. This avoids the frustrating and time-consuming operation of having to change user accounts.
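The practical question behind the last three paragraphs is "which accounts on this machine can actually become root?" Membership in the admin group and the rules in the sudoers file answer it together. The script below is an added example, not the article's or Apple's code: it parses a constructed /etc/group excerpt and a constructed sudoers file whose %admin rule has the same shape as the one OS X ships, works out which logins can run commands as root through sudo, and reports whether the account chosen for everyday use still holds more privilege than it needs. User names are invented, and only the simple "who HOST=(runas) [TAG:] commands" form of sudoers rules is handled.

```python
import re

# Constructed /etc/group excerpt; the admin group is gid 80 on OS X.
GROUP_FILE = """\
wheel:*:0:root
admin:*:80:root,alice
staff:*:20:root
"""

# Constructed sudoers: the %admin line mirrors the rule OS X ships with;
# the rule for bob is an invented, narrower grant for contrast.
SUDOERS = """\
# Comments and Defaults lines grant nothing and are skipped
Defaults    env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/sbin/softwareupdate
"""

# who  HOST=(runas) [NOPASSWD:] command-list
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_groups(text):
    """Map group name -> set of member logins (fourth field of /etc/group)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Extract the simple grant rules; comments, Defaults and aliases are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def root_capable(groups, rules):
    """Return {login: [command list each rule lets the login run as root]}."""
    caps = {}
    for r in rules:
        # Only rules that may run as root (or as anyone, ALL) matter here.
        if not ({"ALL", "root"} & set(r["runas"].split(","))):
            continue
        if r["who"].startswith("%"):
            members = groups.get(r["who"][1:], set())
            via = f" (via {r['who']})"
        else:
            members = {r["who"]}
            via = ""
        for login in members:
            caps.setdefault(login, []).append(r["cmds"] + via)
    return caps


def audit_daily_user(login, groups, rules):
    """Least-privilege findings for the account used day to day."""
    findings = []
    if login in groups.get("admin", set()):
        findings.append(f"{login} is in the admin group; keep a separate admin account for authenticating changes")
    for grant in root_capable(groups, rules).get(login, []):
        if grant.startswith("ALL"):
            findings.append(f"{login} can run any command as root via sudo: {grant}")
    return findings


if __name__ == "__main__":
    groups, rules = parse_groups(GROUP_FILE), parse_sudoers(SUDOERS)
    for login, grants in sorted(root_capable(groups, rules).items()):
        print(f"{login}: {grants}")
    for login in ("alice", "bob", "carol"):
        print(login, audit_daily_user(login, groups, rules) or ["ok"])
```

Run against the constructed data, alice (the first-created, admin account) is flagged twice, bob's narrow grant is reported but not flagged, and carol, a normal account, comes back clean, which is the state the article recommends for the account used every day.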

Modern security practice suggests that no operating system is complete without some sort of built-in firewall. OS X has included a firewall with the system since OS X 10.2. The interface for the firewall is somewhat primitive by design, in an attempt to encourage normal users to make use of it. FJ de Kermadec elaborates on this by stating “some users may argue that the interface provided by Apple does not allow a lot of fine-tuning: this is true, but is done on purpose to allow even newcomers to benefit from reliable security settings, without having to worry too much about settings.” Up until the release of Leopard, the built-in firewall GUI was based entirely on services. Users select which network services, such as personal file sharing, remote login and printer sharing, they would like to allow or restrict (Mac OS X Security Configuration For Version 10.4 or Later, Second Edition (PDF)). Behind the basic GUI of the OS X firewall is the ipfw command line firewall tool. This allows much more fine-grained customization for advanced OS X users.

While the simplification of the GUI interface for the OS X firewall can arguably be better or worse for security, and even perhaps both, there are some additional serious shortcomings. First and foremost is that the firewall is not enabled by default on any version of OS X. Furthermore, the interface to access it is buried deep in the System Preferences application. This is a real problem for most users; Kermadec notes, “few Mac OS X users know that their operating system of choice comes with a built-in, time-tested, industrial strength firewall that they can turn on by simply using the ‘Sharing’ preferences pane.” Looking past the issue of enabling the firewall, the technology itself has a few holes.

It was not until OS X 10.4 that the firewall enabled anything more than TCP filtering rules. Even in 10.4, UDP and ICMP filtering is only available through advanced configuration of the firewall. Apple’s Bonjour service also proves to be somewhat problematic. Bonjour is Apple’s version of a local network discovery protocol for devices such as printers and computers and is known to the system as mDNSResponder. To enable it to work properly, “mDNSResponder listens by default on UDP port 5353.” This is true regardless of whether or not UDP has been disabled through the firewall (see The Mac OS X Threat Landscape: An Overview, pages 9-10 (PDF)). Any service that listens by default on a port and cannot be disabled by the user is certainly problematic.

One last missing security detail to highlight involves the Software Update application. The application checks for system and security updates weekly by default. It can also be set to check for updates as frequently as daily and even download the updates automatically in the background. Bafflingly, it is not possible to automatically install updates. In his review of OS X Tiger, Paul Thurrott expounds upon this:

While you can check Software Update for new updates manually, you can also configure it to check for updates on a regular basis (say, daily) and download important updates in the background while you’re working [...]. However, Software Update cannot be configured to automatically install security updates, which I find somewhat confusing.

This configuration may make sense in a large firm setting; there are other methods with which IT professionals can roll out the updates, allowing them to pick and choose which to apply and when. Unfortunately, for single users and small businesses, this decision seems to leave an unnecessary burden on users to manually apply each update.

The most recent release of OS X, 10.5 (Leopard), touts many new security features. Some of the major new features include application sandboxing, address space randomization, an application-based firewall and input manager restrictions.

Both application sandboxing and address space randomization are important security additions to any operating system. Application sandboxing, also called mandatory access control, provides kernel-level control over what individual applications have access to and can do (see A Roundup Of Leopard Security Features). In the case of an exploit that might use a browser to arbitrarily execute code, a sandbox-type environment might prevent this.

Address space randomization goes a long way towards preventing buffer overflow exploits. This feature randomizes important address references in the system, making it harder for attackers to anticipate where an overflow might land. It also makes it much more difficult to write an exploit that will reliably work on a wide range of systems, since each system is randomized differently (see The Mac OS X Threat Landscape: An Overview, pages 9-10 (PDF)).

While acknowledging that each of these features is important, some security experts have leveled criticism at their implementation. In the case of sandboxing, the default profiles don’t seem to actually stop any of the most obvious threats. Important applications that have regular access to remote networks, such as Mail, Safari and iChat, aren’t actually sandboxed. Apple’s current implementation and documentation of the feature also make it difficult for responsible third-party developers to use it. Leopard’s implementation of address space randomization has been criticized for not being random enough (see A Roundup Of Leopard Security Features).

The new application-based firewall in Leopard switches from the previous service-based model to an application-based one. While this isn’t necessarily a bad thing, it also hasn’t made any inroads towards a more robust and configurable firewall. In fact, it seems to have taken a step backward. The firewall allows three basic settings: allow all incoming connections, block all incoming connections, and set access for specific services and applications. Clearly the first two options are not practical, so we are left with the third option, which seems to have a rather odd and confusing interface, as Rich Mogull explains in “Leopard Firewall Takes One Step Forward, Three Steps Back”:

The first problem [...] is that it’s difficult to tell what the Set Access option does. It starts the new application-level firewall and lists in the Sharing pane any services you’ve opened, but it doesn’t indicate if they are allowed or blocked. There’s also no option for you to add your own open services or ports anymore. Instead, you can add or remove individual applications, but not network services. Stealth mode is still available in the Advanced settings, but the UDP blocking, useful to stop port scanning and some other attacks, is gone.

Leopard has also changed the internal implementation of the firewall, replacing ipfw with an Apple-developed firewall, which is less well known and possibly harder to configure for advanced use. Most importantly, Apple still has not changed the default firewall setting from off to on.

The restrictions on input managers in Leopard are an important step in closing what was previously a major security risk in OS X. Security expert Thomas Ptacek describes input managers:

Input managers are terrifying. They’re arbitrary blobs of code that get injected into almost every Mac application. They are a “UI extension interface” in the same way that Back Orifice 2k is a “remote system administration facility”.

Leopard puts serious restrictions on what input managers can do, effectively closing this security hole.

The new security features introduced in Leopard vary in significance and quality of implementation. Considering that 10.5 is only a few months old, it is possible that they will be adjusted in future releases or updates.

The Mac OS X operating system does clearly demonstrate good out-of-the-box security, with only a few glaring weaknesses. Fortunately there are several easy steps that users can take to harden OS X. First and foremost, users should make sure to take the extra step at installation time to make an additional non-administrative account for everyday use. Users can also choose from several other options via the Security panel in System Preferences to further harden the system. Users can disable automatic login, enable automatic logout, require a password to wake the computer from sleep or screen saver, and require a password to unlock each secure system preference. The firewall can also be easily enabled, and users can refrain from enabling unnecessary network services. Installing system and security updates does require active user participation, but it is not an undue burden.

Other important, but more complex, options that the Security panel provides are secure virtual memory and FileVault encryption. Choosing to use secure virtual memory makes the system encrypt the swap file, which can contain confidential data. While this is easy to enable, it is unlikely that most users understand what it does. FileVault is Apple’s only implementation of file encryption for user data and can be easily enabled; however, because of some serious shortcomings in the implementation and the drastic consequences of losing the decryption key, most professionals do not necessarily recommend this particular option.

Taking these few simple steps goes a long way towards closing the security holes in the default OS X installation. While clearly not all attacks will be avoided using these methods, they do cut off many attack vectors. A considerable advantage of the approach taken with OS X, combining secure defaults and ease of use, is that it presents security in a way that is accessible to normal users. OS X makes implementing many fundamental security practices quite trivial.
