Mac OS X Server Hardening Checklist
This document was derived from the UT Austin Information Security Office Mac OS X Server Hardening Checklist.
The hardening checklists are based on the comprehensive checklists produced by the Center for
Internet Security (CIS). The UT Austin Information Security Office distilled the CIS lists down to the
most critical steps for your systems, with a particular focus on configuration issues that are unique to
the local computing environment.
How to use the checklist
Print the checklist and check off each item as you complete it to ensure that you cover the critical steps
for securing your server. The UTSA Office of Information Security will use this checklist during risk
assessments as part of the process to verify that servers are secure.
How to read the checklist
Step - The step number in the procedure. Further explanation (for some of the steps) can be found in
the Addendum below.
Check (√) - This is for administrators to check off when the step is complete.
To Do - Basic instructions on what to do to harden the respective system
CIS - Reference number in the Center for Internet Security Mac OS X Benchmark (PDF, requires UT EID
login). The CIS document outlines in much greater detail how to complete each step.
Cat I - For systems that include Category I data, required steps are denoted with the ! symbol; all steps
are recommended.
Cat II/III - For systems that include Category II or III data, all steps are recommended, and some are
required (denoted by the !).
Server Information
MAC Address
IP Address
Machine Name
Asset Tag #
Administrator Name
Installation and core Mac OS X
1 If new install, protect it from hostile network traffic until the OS is installed and hardened
2 Enable Open Firmware password
3 Enable automatic notification of patches and patch if necessary
4 Time synchronization / configure an NTP server
5 Enable logging / process accounting
6 Create complex passphrases for administrator accounts
7 Disable core dumps
System Services
8 If services are running, ensure the university warning banner is utilized
9 Services, applications and user accounts that are not being utilized should be disabled or uninstalled
10 Limit connections to services running on the host to authorized users of the service (utilize firewall technology)
11 Use an outbound network firewall
12 Secure Bonjour
Account Configuration
13 Create an administrator account and a standard account for each
14 Disable automatic login
15 Set a strong passphrase policy
16 Secure home folders
17 Securely erase files in Finder
18 Prevent Spotlight from searching confidential folders and backup volumes
19 Use secure virtual memory
Additional Steps
20 Integrity checking of system accounts, group memberships and their associated privileges should be enabled and tested
21 OIT will provide secure storage for Category I data as required by confidentiality, integrity and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media or any combination thereof, as deemed appropriate.
22 Services or applications running on systems manipulating Category I data should implement secure ("encrypted") communications to ensure Category I data is not transmitted in clear text.
23 If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools also may be used to accomplish this step.
24 Install and enable antivirus software
25 Configure antivirus software to update at least once a day
26 Use Firefox with the NoScript extension to protect from browser-based spyware and malware
27 Configure a screensaver to lock the console screen automatically if left unattended
28 Set a short inactivity interval for the screensaver
29 Ensure the server has been added to the domain
30 Ensure the server resides in the correct Organizational Unit (OU)
Addendum
1 If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall
between the network and the host to be protected.
2 Enable the Open Firmware password appropriate for your OS version:
- For Mac OS X 10.1 to 10.3.9, download the Open Firmware Password Application.
- For Mac OS X 10.4 or later, use the updated version, which can be copied from the software
installation disc (located at /Applications/Utilities/ on the disc).
Open Firmware exists only on PowerPC Macs; on Intel-based Macs the equivalent is the EFI firmware
password, set with the Firmware Password Utility on the installation disc.
3 Verify that Software Update is configured:
1. Open System Preferences and click Software Update.
2. Click Check for Updates and set the interval to Weekly or Daily.
* If you have Microsoft Office installed, launch /Applications/Microsoft,
click Automatically and set the interval to Weekly or Daily.
* If you have other applications that provide security updates, such as Adobe products or
Web browsers, configure them to update Weekly or Daily.
4 OIT operates <insert service here> for network time synchronization services for network
5 Turn on process accounting (run as root):
mkdir /var/account
touch /var/account/acct
accton /var/account/acct
chmod o-rx /usr/bin/lastcomm
chmod -R o-rx /var/account
Review the record with lastcomm. Accounting is switched off again at reboot unless accton is re-run at
startup (for example from a launchd job), so verify it after every restart.
6 UT System Information Resources Use and Security Policy (UTS-165), section 18, lists the
requirements for passwords.
7 Note that disabling core dumps may not be desirable on development machines, as it can make
troubleshooting application and operating system crashes more difficult.
Run the following command from a Terminal window:
launchctl limit core 0
8 The text of the university's official warning banner can be found in the Standard for Server
Hardening. You may add localized information to the banner as long as the university banner is
9 The list of available services can be found in System Preferences under the Services tab of the
Sharing icon. Be especially wary of sharing services; misconfiguring this setting could grant full
access to important files or system resources. Much more detailed information regarding services
is available in the CIS benchmark documents. For example, SSH/Remote Login is on by default
out-of-the-box. Unless it is being utilized, turn it off in the Sharing preference pane.
The freeware application Lingon may also be of use to identify and remove applications and
services that run at startup. Lingon is a graphical interface for editing launchd configuration files.
10 Administrators may find the firewall native to Mac OS X, ipfw, robust and easily managed. There
are several applications, such as WaterRoof, which provide a GUI to ipfw.
Leopard introduced a new application-based firewall intended to replace ipfw. This firewall is
simple to configure but has few options and can be trivially bypassed. While the application firewall
should be adequate for most desktop users, servers and workstations with a high need for security
should be configured to use ipfw instead.
You may also want to refer to the list of Mac OS X network service ports from Apple KB 106439.
NOTE: OS X Panther has known bugs with its implementation of ipfw. It is strongly recommended
to review the details of the related bug or use a more recent version of OS X.
11 The included firewall (ipfw) can be configured to do this. Additionally, there are commercial
products, namely Little Snitch, that act as outbound application firewalls.
12 Bonjour is an auto-discovery mechanism for TCP/IP devices. An attacker could use Bonjour's
multicast DNS feature to discover a vulnerable or poorly-configured service.
To turn off Bonjour advertisements:
For 10.6 and above, follow these steps (listed at
1. Make a backup copy of the mDNSResponder.plist file as a precaution.
2. Open the mDNSResponder.plist file in Terminal using a text editor:
sudo nano "/System/Library/LaunchDaemons/"
3. Add "<string>-NoMulticastAdvertisements</string>" to the array in the
"ProgramArguments" section.
4. Save the file, then reboot (or unload and reload the daemon) for the change to take effect.
With this flag mDNSResponder keeps running, so the host still resolves .local names; it just stops
advertising its own services.
For 10.5 and below, run this shell command in Terminal:
sudo launchctl unload -w \
Note that some applications, like Final Cut Studio and AirPort Base Station management,
may not operate properly if mDNSResponder is turned off.
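As an added example (not part of the original checklist and not Apple's code), the following Python script makes the 10.6 edit from step 12 with the standard-library plistlib instead of a text editor, so it is idempotent: running it twice does not append the flag twice. The sample plist is constructed here with only the keys that matter (the real LaunchDaemon file has more), and the path used by harden_file is an assumption for 10.6. Run harden_file as root; it writes the backup the step asks for before touching the file, after which the daemon still has to be reloaded or the machine rebooted.

```python
import plistlib

FLAG = "-NoMulticastAdvertisements"
# Assumed location of the mDNSResponder LaunchDaemon on Mac OS X 10.6.
DAEMON_PLIST = "/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"

# Constructed sample (not a copy of the real file): only Label and ProgramArguments.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
    </array>
</dict>
</plist>
"""


def program_arguments(plist_bytes):
    """Return the ProgramArguments array of a LaunchDaemon plist (empty if absent)."""
    return list(plistlib.loads(plist_bytes).get("ProgramArguments", []))


def advertises_multicast(plist_bytes):
    """True if the daemon as configured would still advertise services over mDNS."""
    return FLAG not in program_arguments(plist_bytes)


def disable_multicast_advertisements(plist_bytes):
    """Return the plist with the flag appended to ProgramArguments.

    Idempotent: if the flag is already present the content is left as it is,
    so the script is safe to run from a periodic hardening job.
    """
    conf = plistlib.loads(plist_bytes)
    args = conf.setdefault("ProgramArguments", [])
    if FLAG not in args:
        args.append(FLAG)
    return plistlib.dumps(conf)


def harden_file(path=DAEMON_PLIST, backup_suffix=".bak"):
    """Apply the edit to a real file, writing a backup copy first (needs root)."""
    with open(path, "rb") as fh:
        original = fh.read()
    with open(path + backup_suffix, "wb") as fh:
        fh.write(original)
    hardened = disable_multicast_advertisements(original)
    with open(path, "wb") as fh:
        fh.write(hardened)
    return hardened


if __name__ == "__main__":
    hardened = disable_multicast_advertisements(SAMPLE_PLIST)
    print("advertises before:", advertises_multicast(SAMPLE_PLIST))
    print("advertises after: ", advertises_multicast(hardened))
    print("arguments after:  ", program_arguments(hardened))
```

plistlib writes the file back in XML form; that is what the LaunchDaemons directory contains on 10.6, and launchd reads either XML or binary plists.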
13 No further explanation.
14 In System Preferences: Accounts, Login Options, disable Automatic Login. Automatic login also can
be disabled in System Preferences: Security.
Alternatively, run the following command:
sudo defaults write /Library/Preferences/.GlobalPreferences \ -bool yes
15 UT System Information Resources Use and Security Policy (UTS-165), section 18, lists the
requirements for passwords. If possible, use pwpolicy or a centrally-managed password policy on a
Mac OS X Server to enforce these requirements.
16 By default, every user is allowed to see into the top level of other home folders so that files can be
placed into the "Drop Box" folders of any user.
To resolve, open a Terminal window and enter:
sudo chmod 700 /Users/<username>
17 If files containing sensitive data are frequently deleted from this machine, set Finder to
automatically use the secure delete option. (Finder: Preferences: Advanced, and check "Empty
Trash Securely")
The command line tool "srm" is also available as an alternative to "rm".
Note that secure deletion of files can take significantly longer than a normal delete operation.
18 Spotlight is a built-in service that, by default, indexes every file on any local hard drive and allows
the contents of the indexed files and folders to be searched. While Spotlight enforces access
controls to limit access to files, the index itself may contain sensitive information about the files.
The Spotlight System Preference pane allows a user to exclude volumes, folders, and data types
from being indexed.
In System Preferences: Spotlight, Search Results tab, turn off any categories that should not be searchable.
In System Preferences: Spotlight, Privacy tab, add any volumes or folders that contain sensitive data.
Alternatively, you can erase the existing index and disable Spotlight indexing of a specific volume with the
following command:
sudo mdutil -E -i off <volumename>
19 In System Preferences: Security, General tab, check "Use secure virtual memory."
Alternatively, run this command:
sudo defaults write /Library/Preferences/
\UseEncryptedSwap -bool yes
A reboot is required for this change to take effect.
20 BSD Files
Check in /groups/admin to see who has admin privileges.
Check in /etc/passwd to look for blank passwords.
Use the dscl command
List all users with the nireport utility:
$ nireport . /users uid name home realname shell
To list all of the group IDs (GIDs) and group names for the local domain, use the nireport utility:
$ nireport . /groups gid name
Note that nireport and the /users and /groups paths belong to NetInfo, which Mac OS X 10.5 removed;
on 10.5 and later, use dscl to list the /Users records and to read the GroupMembership of /Groups/admin.
Utilize pwpolicy to set global or per-user password policies. Using pwpolicy, one can set expiry
date, require alpha or numeric characters, set max failed login counter and password length,
among others. Check the strength of user passwords with tools such as John the Ripper after
seeking approval from the IT Owner. When using John, consider using a simple dictionary for easily
guessed passwords.
Develop a procedure to report and remediate easily guessed passwords.
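The account checks in step 20 are easy to automate once the output of dscl and the contents of /etc/passwd are in hand. The Python script below is an added example (not from the original checklist) that runs against constructed samples embedded in the file: the GroupMembership line is in the form `dscl . -read /Groups/admin GroupMembership` prints on 10.5 and later, and the passwd excerpt is made up. The approved-administrator list is an assumption standing in for your own change records. On a live server, feed the functions the real command output and file contents; on 10.5 and later remember that /etc/passwd is only consulted in single-user mode, so list the full account set with dscl as well.

```python
# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output (10.5+).
SAMPLE_DSCL = "GroupMembership: root admin svc_backup mallory\n"

# Constructed /etc/passwd excerpt. On Mac OS X the password field is normally "*"
# (hashes live in Directory Services), so an empty field is a finding.
SAMPLE_PASSWD = """\
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
_www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
tempuser::502:20:Temp User:/Users/tempuser:/bin/bash
"""

# Assumed local policy: who is supposed to be in the admin group.
APPROVED_ADMINS = {"root", "admin"}
NOLOGIN_SHELLS = {"/usr/bin/false", "/sbin/nologin"}


def parse_group_membership(dscl_output):
    """Extract the member names from dscl's 'GroupMembership: a b c' line."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def unexpected_admins(dscl_output, approved):
    """Admin group members that are not on the approved list (privilege drift)."""
    return sorted(parse_group_membership(dscl_output) - set(approved))


def passwd_entries(passwd_text):
    """Yield the seven colon-separated fields of each real passwd line."""
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) == 7:
                yield fields


def blank_password_accounts(passwd_text):
    """Accounts whose password field is empty."""
    return [f[0] for f in passwd_entries(passwd_text) if f[1] == ""]


def extra_uid0_accounts(passwd_text):
    """Accounts other than root that carry UID 0, i.e. hidden root equivalents."""
    return [f[0] for f in passwd_entries(passwd_text) if f[2] == "0" and f[0] != "root"]


def interactive_accounts(passwd_text):
    """Accounts with a login shell; review these against step 9 and disable unused ones."""
    return [f[0] for f in passwd_entries(passwd_text) if f[6] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(SAMPLE_DSCL, APPROVED_ADMINS))
    print("blank passwords:  ", blank_password_accounts(SAMPLE_PASSWD))
    print("extra UID 0:      ", extra_uid0_accounts(SAMPLE_PASSWD))
    print("interactive:      ", interactive_accounts(SAMPLE_PASSWD))
```

Run it from cron or a launchd job and alert on any non-empty result; the point of the step is to catch drift between what the change records say and what the system says, so the approved list must be maintained outside the server.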
21 There are a variety of methods available to accomplish this goal.
Mac OS X comes with FileVault. NOTE: FileVault encrypts local home directories only, not home
directories on the server or any other kind of data. Other important data can be secured by putting it
in encrypted disk images (which is what FileVault itself uses), but this is neither automatic nor
transparent to the user.
Some other good candidates are PGP (cost), GNUPG (free), and TrueCrypt (free). None of these
options provide whole-disk encryption for Mac OS X.
Whole-disk encryption for Mac OS X is available through the WinMagic SecureDoc service provided
by OIT. SecureDoc also can be used to encrypt USB or Firewire connected external drives, such as
those used for Time Machine backups.
We strongly recommend that if encryption is being used in conjunction with Category I data, one of
the solutions listed in the Standard for Data Encryption be implemented.
22 If you decide to use Remote Login (SSH server), OIT highly recommends that you change the port
from port 22 to something else. Many of the scripts that malicious hackers run against SSH servers
only try port 22, so moving the port cuts the noise from untargeted scanning; it does not stop a
targeted attacker, so still restrict who can reach the port with the firewall (step 10) and use strong
passphrases or keys.
OIT also highly recommends that you do not allow root logins via Remote Login (SSH).
23 Available tools include:
Tripwire (the commercial version is not available for Mac OS X; there is an open source
version, however).
AIDE, a free tool available from SourceForge.
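To make concrete what the step 23 tools do, here is an added Python example (not the checklist's, Tripwire's or AIDE's code) of the core technique: hash every regular file under a directory into a baseline, store it as JSON, and later diff a fresh scan against it to report added, removed and changed files. The demo function exercises it on a scratch directory it creates and tampers with itself, so nothing on the host is touched; the directory names inside it are made up. For a real server, point build_baseline at directories such as /System, /usr and /etc, keep the baseline off the host or on read-only media (an intruder with root can otherwise rewrite it), and compare on a schedule.

```python
import hashlib
import json
import os


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its hash, mode and size.

    Symlinks are skipped so a link pointed at /dev/zero cannot stall the scan.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Report files that appeared, disappeared, or whose hash/mode/size changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Baseline a scratch tree, tamper with it, and return the diff (example use only)."""
    import shutil
    import tempfile

    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"original binary\n")
        with open(os.path.join(root, "hosts"), "wb") as fh:
            fh.write(b"127.0.0.1 localhost\n")
        before = build_baseline(root)
        # Simulated compromise: trojaned binary, new file, deleted config.
        with open(os.path.join(root, "bin", "login"), "wb") as fh:
            fh.write(b"trojaned binary\n")
        with open(os.path.join(root, "bin", "rootkit"), "wb") as fh:
            fh.write(b"new\n")
        os.remove(os.path.join(root, "hosts"))
        return compare(before, build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Modification time is deliberately not part of the record: an attacker can reset it, and a hash plus mode comparison catches a replaced binary whether or not its timestamp was restored.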
24 Download and install ClamXav. Documentation can be found on the UT Austin ITS website. ClamXav
may impact a production OS X server's performance and may not be deemed essential to ensuring
security of the system or the network. In this case, daily or weekly scheduled scans may be
25 No further explanation.
26 It is highly preferable to not allow Web browsing from any server. However, if this activity must be
permitted, we recommend you use Firefox with the NoScript and AdBlock Plus (with a subscription
to an actively maintained filter list) extensions to protect from spyware, malware and drive-by
downloads as much as possible. It is important to be aware of the fact that even well-known,
trusted sites can be compromised and used to serve malware.
27 In System Preferences: Security, General tab, check "Require a password to wake the computer
from sleep or screen saver."
Alternatively, run this command:
defaults -currentHost write askForPassword -int 1
The current user will need to log off and on for changes to take effect.
28 In System Preferences: Desktop & Screen Saver, Screen Saver Tab, make sure the Start screen saver
slider is set to a value no higher than 30 minutes.
Alternatively, run this command:
defaults -currentHost write idleTime -int [X]
Substitute the number of idle seconds until the screen saver starts for [X]. The user may be
required to log out for the new settings to take effect.
29 Ensure server has been added to the domain.
30 Ensure server resides in the correct Organizational Unit (OU).
- UT Austin ISO Mac OS X Server Hardening Checklist
- Apple's Internet security introduction
- NSA: Mac OS X Security Configuration Guide
- O'Reilly MacDevCenter: A Security Primer for Mac OS X