NSA OS X Security Configuration Guide notes (continued):
***CHAPTER 4, Configuring System Settings***
- p. 22: Removing Registration Information
Mac OS X stores any registration information gathered during the installation in a
file. The system attempts to send the registration information from that file to Apple
as soon as a network connection is made. Earlier in this guide, instructions were
given to bypass entry of registration information. If, however, information was
entered into the registration screen, it should be deleted before the system is
connected to a network. The following steps will prevent this information from
1. Make sure the first administrator account is logged in. If the steps in this
guide have been followed, that account will have been logged in automatically
when the machine booted.
2. Open the home folder.
3. If an alias named Send Registration is located in the home folder, drag
it to the Trash.
4. Open the folder Library/Assistants under the home folder of the first
5. If the file Send Registration.setup exists there, drag it to the Trash.
6. Choose Secure Empty Trash from the Finder menu to delete the files.
So, if registration information is entered (which should be bypassed as per the instructions above), a message may be sent to Apple automatically by OS X (aka "calling home"). The registration information is stored in two files, the obvious one on the Desktop and one in ~/Library/Assistants. They both should be securely deleted.
Note that the Trash can be securely deleted by pulling down the "Finder" menu in the menu bar.
- pp. 23-24: Screen Saver
4. Use the slider in the panel to set the Start screen saver time to 5 minutes,
or whatever is dictated by site policy.
5. Click on the Hot Corners button at the bottom left of the Desktop &
Screen Saver panel.
6. Choose which corner is to be used as the hot corner for starting the screen
saver (Figure 4).
OK, so a locking screen saver should be used with an activation time of about 5 minutes. Hot Corners should be set up to immediately start the screen saver (in case of intrusion) or to disable it (like when watching a movie or reading).
- p. 25 FileVault
Mac OS X’s FileVault feature for encrypting home folders is strongly
recommended for systems whose physical security cannot always be
guaranteed, such as portables like the iBook and PowerBook. FileVault
encryption should be enabled for the system and for all user accounts. When
FileVault is enabled for a user account, files in the user’s home folder are
encrypted, and thereby protected from casual viewing if the system is
compromised. However, FileVault may adversely affect disk-intensive tasks
such as video editing. If delays in disk-intensive tasks interfere with
operational needs, use of FileVault may not be practical.
I have been using FileVault on OSx86 for almost a year and it works great. I only keep "sensitive information" in my home folder. All non-sensitive information is stored elsewhere. Again, the NSA's OS X guide is for Panther 10.3; Tiger 10.4 added a secure virtual memory option. I use this on my laptop as well and I might start using it on non-performance-critical desktop machines.
One more thing about FileVault: it appears to operate in such a way that it does not immediately "recycle" disk space. So, one has to log out periodically to recover this space.
DVDs and CDs can also be encrypted; I will talk about this later.
- pp. 28-29 Additional Security Settings
7. The Log out after x minutes of inactivity box should be unchecked
for three reasons. First, automatically logging out a user can become
extremely annoying to the user. Second, it can cause operational
difficulties if a user runs processes that may be killed by the automatic
logout process. Third, the automatic logout process can sometimes fail
to complete without intervention, leaving the user with a false sense of
security. If a program is hung or cannot quit properly, the logout
process may be blocked from completing.
So, the NSA recommends the obvious: require a password to unlock the screen saver, disable automatic login, and require a password to unlock secure system preferences. It is interesting to note that the NSA does not recommend automatic log-out, for some interesting reasons. Again, in Tiger one could also set the "secure virtual memory" option for a performance hit, but I use it on my laptop.
- p. 30 Bluetooth
• Bluetooth, IR ports, CD writers, and any other hardware capability that could
be dangerous in a secure environment should be physically disabled if
It is quite obvious that no wireless devices should be used in a secure environment for at least two reasons: (1) they are inherently less secure than wired devices and (2) they can be jammed. Otherwise, the NSA goes further here by stating that any such hardware threats to a secure environment should be physically disabled.
- pp. 32-34 Energy Saver
8. Uncheck the checkbox in front of the Wake when the modem detects a
ring option to disable it.
9. Uncheck the checkbox in front of the Wake for Ethernet network
administrator access option to disable it.
10. Uncheck the checkbox in front of the Restart automatically after a
power failure option to disable it.
Personally, I never use sleep on desktop hardware (laptop only). I am not concerned about wasting some power, and these features have historically been buggy, which I am sure is even more of a concern on OSx86. Otherwise, the NSA recommends that automatic wake and restart features be disabled for somewhat obvious reasons.
- pp. 34-35 Sound
The microphone setting in the Sound panel may carry security implications. This is
especially important as an internal microphone is standard on many Macintosh
computers. If the machine also has a Line In jack, then it will be possible to disable
the microphone in this panel as described below:
7. Use a dummy plug (a plug with no wires, not connected to any other devices)
to plug the Line In jack on the machine.
It is interesting that the NSA sees the audio inputs as a security threat. Although they do not explicitly indicate the nature of the threat, I can imagine two issues: (1) using the computer to electronically eavesdrop and (2) using the audio inputs as some channel to attack the computer.
- pp. 36-37 Network
AirPort and Bluetooth wireless connectivity options should be turned off.
Also, uncheck the Internal Modem box if
present and the modem is not operationally required.
Again, all wireless capability, such as AirPort and Bluetooth, should be physically
disabled in secure environments.
This is pretty obvious, but the NSA recommends that modems be disabled too.
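The p. 22 deletion steps as a shell script, so they can be run or checked before the machine is put on a network. This is an added example, not code from the NSA guide or from the post above. It assumes the two 10.3-era paths the guide names under the first administrator's home folder, uses `srm` (the tool behind Secure Empty Trash on 10.3/10.4) when it exists and otherwise a single zero-fill pass with `dd`, and takes the home directory as a parameter so it can be exercised against a scratch directory first.

```sh
#!/bin/sh
# Added example, not from the NSA guide or the forum post: the p. 22 deletion
# steps as a script. Assumes the two 10.3-era paths the guide names; the home
# directory is a parameter so the functions can be tried on a scratch dir.

# Overwrite a regular file in place, flush, then unlink it. Uses srm (the
# tool behind Secure Empty Trash on 10.3/10.4) when present, otherwise a
# single zero-fill pass with dd. Symlinks are only unlinked, never followed.
# Returns 0 when the path no longer exists.
secure_rm() {
    p=$1
    if [ -L "$p" ]; then
        rm -f "$p"
    elif [ -f "$p" ]; then
        if command -v srm >/dev/null 2>&1; then
            srm -f "$p"
        else
            size=$(wc -c < "$p" | tr -d ' ')
            # bs=1 keeps the pass exactly file-length; fine for small files
            dd if=/dev/zero of="$p" bs=1 count="$size" conv=notrunc 2>/dev/null
            sync
            rm -f "$p"
        fi
    fi
    [ ! -e "$p" ] && [ ! -L "$p" ]
}

# Remove the "Send Registration" alias and the Send Registration.setup file
# under the given home directory. Prints each path removed on its own line
# (nothing when neither exists); returns 1 if any removal failed.
remove_registration_files() {
    home=$1
    for f in "$home/Send Registration" \
             "$home/Library/Assistants/Send Registration.setup"; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            secure_rm "$f" || { echo "failed: $f" >&2; return 1; }
            echo "removed: $f"
        fi
    done
    return 0
}

# Only touch the logged-in administrator's home when asked explicitly:
#   sh remove_registration.sh --run
if [ "${1:-}" = "--run" ]; then
    remove_registration_files "$HOME"
fi
```

Overwriting in place only helps where the filesystem writes the new data back to the same blocks; Secure Empty Trash makes the same assumption, so on flash storage neither is a guarantee.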
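The Energy Saver settings from pp. 32-34 and the locking screen saver from pp. 23-24 and 28-29, checked and applied from the command line instead of System Preferences. This is an added example, not code from the NSA guide or from the post above. It assumes the 10.4-era `pmset` keys `womp` (Wake for Ethernet network administrator access), `ring` (Wake when the modem detects a ring) and `autorestart` (Restart automatically after a power failure), and the `com.apple.screensaver` keys `askForPassword` and `idleTime`; the `pmset -g` samples are constructed, not captured from a machine.

```sh
#!/bin/sh
# Added example, not from the NSA guide or the forum post: audit and apply the
# Energy Saver and screen-saver settings from the command line. Assumes the
# 10.4-era pmset keys womp, ring and autorestart and the com.apple.screensaver
# keys askForPassword and idleTime.

# Read `pmset -g` style output on stdin and print every wake/restart key that
# is still on. Returns 0 only when all three are 0 (or absent, e.g. no modem).
audit_pmset() {
    awk '
        $1 == "womp" || $1 == "ring" || $1 == "autorestart" {
            if ($2 != "0") { print $1 " is enabled (" $2 ")"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Apply the guide's values for all power sources (needs root on a real Mac).
apply_pmset() {
    command -v pmset >/dev/null 2>&1 || { echo "pmset not found" >&2; return 2; }
    pmset -a womp 0 ring 0 autorestart 0
}

# Locking screen saver: ask for a password on wake, start after 300 s.
apply_screensaver() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults not found" >&2; return 2; }
    defaults write com.apple.screensaver askForPassword -int 1
    defaults -currentHost write com.apple.screensaver idleTime -int 300
}

# Constructed samples in the shape of `pmset -g` output, not captured from a
# real machine: the weak state the guide tells you to fix, and the hardened one.
PMSET_WEAK=' womp                 1
 ring                 1
 autorestart          1
 sleep                10
 displaysleep         5'
PMSET_HARD=' womp                 0
 ring                 0
 autorestart          0
 sleep                10
 displaysleep         5'

case "${1:-}" in
    --audit) pmset -g | audit_pmset ;;          # check the live machine
    --apply) apply_pmset && apply_screensaver ;; # set the guide's values
    --demo)  printf '%s\n' "$PMSET_WEAK" | audit_pmset ;;
esac
```

`--audit` is the check to run after someone has been in the Energy Saver pane; `--demo` shows what the three findings look like using the constructed weak sample.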
Originally Posted by skeewiff