Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | milo-baker |
View: | 220 times |
Download: | 0 times |
November 22, 2002 3Securing a Macintosh - Richard Straka
Securing a Macintosh:What do you think?
MacOS: Inherently network secure or not? MacOS 9
Yes, few if any vulnerabilities MacOS X
Inherits many BSD-style vulnerabilities All network services turned off by default All security parameter defaults set to most conservative
values
Easy or difficult to secure? Clients relatively easy Servers need more care, of course But … Physical security is weak
November 22, 2002 4Securing a Macintosh - Richard Straka
Outline:
Macintosh History Current Hardware and OS File, Physical Security Network Security Virus Threats Administrative Practices
November 22, 2002 6Securing a Macintosh - Richard Straka
Macintosh Product History
First introduced in 1984 - 128KB RAM, 3.5" 400KB floppy only
First commercially successful GUI First modular (slotted) Mac in 1987
Real plug-and play - drivers in ROM on the card Motorola 68K family CPUs - 1984-1994 IBM/Motorola PowerPC CPU - 1995-present Recent rumors of Intel-based CPUs
Don't hold your breath. This basic rumor has been around for at least 10 years.
November 22, 2002 7Securing a Macintosh - Richard Straka
Software Compatibility
This file encoder/decoder Written in 1985 The Mac was 1 year old Originally written for an 8MHz
68000 CPU (CISC) Mac OS 1.1
still runs flawlessly today On the latest hardware and
software GHz+ dual G4 PowerPC CPU
(RISC) MacOS X 10.2
November 22, 2002 8Securing a Macintosh - Richard Straka
GUI Roots
Current GUIs are rooted in work from Xerox PARC Late 70s, early 80s Alto and Star
Alan Kay (creator of Smalltalk) went to Apple
Rob Pike went to Bell Labs working on UNIX
November 22, 2002 9Securing a Macintosh - Richard Straka
Mac Paradigm
Make the computing experience easy for users
Modularity / regularity / orthogonality Hide complexities from end users Application acting badly?
Windows - fiddle with the registry (complicated, risky). Mac - trash the application's preferences file (easy,
safe). Rebuild the OS from scratch on a Mac?
Just copy the previous preference files to the new System Folder.
No need to reinstall your applications.
November 22, 2002 10Securing a Macintosh - Richard Straka
Mac Users
Heavy use in the creative arts Publishing Music
Studio and Live Video Film
Elitists who insist on the best UI available From any profession, even computer science Roger Ebert, February, 2001:
"Actually, we have six Macs here in my office at home. Life is too short to use anything but a Mac; Windows is just not a human environment."
Common thread? Significant amounts of right-brain thinking
November 22, 2002 11Securing a Macintosh - Richard Straka
Software Timeline
Year Release Most notable feature 1984 System 1.0 1987 System 4.2 early multitasking 1991 System 7 improved multitasking 1996 MacOS 7.5.3 improved networking 1998 MacOS 8.1 extended file system 1999 MacOS 9 2001 MacOS X UNIX-based
(Runs MacOS 9 as a single process- transition period)
November 22, 2002 12Securing a Macintosh - Richard Straka
Mac OS X
MacOS X (pronounced "ten", not "ex") BSD 4.4 based Tenon's Mach 3.0 microkernel Introduced in 2001
MacOS X Server 10.0 also based on BSD 4.4 A precursor to MacOS X Introduced in 2000 (the GUI wasn't tweaked yet) 10.2 (Jaguar) now reintegrated with MacOSX - sharing
code base (2002)
November 22, 2002 13Securing a Macintosh - Richard Straka
Desktops / Towers vs. Servers
Just desktops and mini-towers … until now:
Apple recently introduced Xserve Rack-mount server platform 1U high Runs OS X and OS X Server only 1 or 2 CPUs Dual Gigabit Ethernet Up to 480 GB of hot-pluggable RAID
disk (4 spindles)
November 22, 2002 15Securing a Macintosh - Richard Straka
File Security Model -Very Similar to UNIX
User, group, other Read, Write, Sticky
Bit (drop box) No ACLs (Access
Control Lists)
November 22, 2002 16Securing a Macintosh - Richard Straka
File Security -Differences
MacOS 9 Volume level Folder level Not file level (except for applications) Network level
MacOS 10 Full UNIX permissions down to the file level
MacOS X Server 10.2.2 - supports file system journaling.
November 22, 2002 17Securing a Macintosh - Richard Straka
File System Security
Macintosh file systems (HFS+, UFS) do not provide native file encryption Unlike NTFS under Windows 2000 or Windows XP
Secure sensitive data with a data encryption utility. Disk locking, encrypting software is available from
several vendors. Disk "images" can be encrypted. (Combine with
"Keychain".) Do not require files system changes.
November 22, 2002 18Securing a Macintosh - Richard Straka
Disk Image Security
MacOS 9 introduced the "Keychain" - a local login and password storage tool for both local and external services (e.g. authentication)
You can encrypt a disk image file and manage access with the Keychain.
November 22, 2002 19Securing a Macintosh - Richard Straka
Physical Security
Since 1997, Macs support Open Firmware (IEEE 1275-1994) Controls boot functions and PCI cards Recent Apple firmware updates support a firmware
password feature like most PC BIOS Password feature not well supported by Apple, however.
November 22, 2002 21Securing a Macintosh - Richard Straka
The Upshot
MacOS 9 is innately relatively secure ASIP (AppleShare IP) - adds many services
MacOS X is also reasonably secure MacOS X Server - adds many services
Small virus target, but… Anti-virus software still important A "personal firewall" is a good idea.
MacOS9 - 3rd party software MacOS X has one built in.
November 22, 2002 22Securing a Macintosh - Richard Straka
CERT Vulnerability Note Alerts -Comparison by Platform
Notes: These numbers are not scientific These are vulnerabilities reports relevant to a well-
administered machine
Windows - 161 Linux - 51 MacOS - 8
OS - 2 3rd party software - 3 Microsoft apps - 2 UNIX (CDE) - 1
November 22, 2002 23Securing a Macintosh - Richard Straka
MacOS 9
MacOS 9 is relatively secure Because all services are turned off by default Users can turn on services which introduce potential
vulnerabilities File sharing Web services
Additional software packages introduce vulnerabilities Remote control Instant messaging Mactella, Limewire, etc. SNMP
November 22, 2002 24Securing a Macintosh - Richard Straka
Open Ports
By default, all MacOS TCP ports are turned off
A port scan on vanilla MacOS 9
One TCP port showed up.
Specific software that I had installed. :-)
November 22, 2002 25Securing a Macintosh - Richard Straka
A nice GUI integrated with BSD 4.4 and a Mach 3.0 microkernel
Many more network services available
Telnet, SSH, X, FTP, SMB/CIFS easily provided Both clients and daemons
Like OS9, all network services turned off by default
But, it still has some inherent BSD-inherited security weaknesses
MacOS X
November 22, 2002 26Securing a Macintosh - Richard Straka
Peer-to-PeerFile Sharing, Program Linking
Apple Filing Protocol (AFP)
File Sharing Moderate risk
Program Linking Higher risk (AppleScript)
On MacOS9, this is also where the owner password of the computer is entered
November 22, 2002 27Securing a Macintosh - Richard Straka
Apple Filing Protocol:via AppleTalk Protocol
AppleTalk goes back to ~1982 Used for file sharing, printing Routable, but not commonly routed Think of it as a routable NetBEUI Some badly configured cable modem ISP
do route it Naturally limits client visibility (to local LAN
segment) Note: AFP Data stream is not encrypted
November 22, 2002 28Securing a Macintosh - Richard Straka
Apple Filing Protocol:via TCP
Uses TCP port 548 Fully routable, of course Client side functionality since
MacOS 8 Server side functionality as of
MacOS 9 This presents more of a
security risk, especially Program Linking
AFP supports SLP - Service Location Protocol (RFC 2165)
November 22, 2002 29Securing a Macintosh - Richard Straka
User Administration
User logins, passwords and basic privileges are set here.
MacOS 9 passwords limited to 8 characters
MacOS X has longer ones, but many UNIX utilities only look at the first 8 characters (i.e., POSIX compliance).
November 22, 2002 30Securing a Macintosh - Richard Straka
Client Authentication
Via UAM (User Authentication Module)
Extensible UAM API Enables security upgrades orthogonal
to both client and server Early MacOS UAM was
primitive Login, password sent in clear text Limited to 8 character passwords
More recent UAMs use 2-way encryption, support longer passwords
A 3rd party UAM is also available from Microsoft
November 22, 2002 31Securing a Macintosh - Richard Straka
ASIP - AppleShare IP
Pre MacOS X Services analogous to NT Server, Win 2K
Server Authentication Directory Services File and Print Netboot (for kiosk-style or diskless clients) Email, Web, services, etc.
But sold as a software package, not a separate OS
MacOS X Server replaces ASIP
November 22, 2002 32Securing a Macintosh - Richard Straka
MacOS X Server 10.2
Adds recent security standards SSH2, IPsec, Kerberos v5
Other Open Standards IMAP, LDAPv3, DHCP, DNS, IPv6, NFS
Proprietary (Microsoft) Standards WINS, SMB/CIFS via SAMBA
NFS "republishing" Can share out remote NFS volumes over AFP
Keeps the clear text NIS authentication localized Nobody ever really adopted NIS+, right?
November 22, 2002 33Securing a Macintosh - Richard Straka
Additional Add-on (3rd party) Services
PC File Sharing (via SMB/CIFS) Database (e.g., ODBC) Remote control for desktops Remote backup daemons HTTP FTP (still a bad idea, right?) Instant Messaging Gnutella, etc.
November 22, 2002 34Securing a Macintosh - Richard Straka
And with OS X (regular and server)
Any UNIX service you activate, load, compile, etc. X NFS http (Apache) mySQL Samba ssh finger etc.
November 22, 2002 36Securing a Macintosh - Richard Straka
Network Subsystem
From MacOS 7.5.3 through MacOS 9.2, Apple used the Mentat TCP and IP stack components
Sun also bought the Mentat stack for use in Solaris
OS X is BSD-based instead
November 22, 2002 37Securing a Macintosh - Richard Straka
MacOS Network Layers -TCP
Very modular and simple interface
Layers 2 and 3 separated from and orthogonal to each other
November 22, 2002 38Securing a Macintosh - Richard Straka
Another Layer 3 Protocol
AppleTalk Notice that the
available interfaces Ethernet Modem Port Printer Port
are different from TCP's Ethernet AppleTalk (MacIP)
(interesting!) PPP
November 22, 2002 40Securing a Macintosh - Richard Straka
Viruses, Worms and Trojan Horses
Mac desktop market share is tiny - ~5% Presents a very small - and mostly ignored - target for
virus and trojan horse writers Viral, etc. activity minimal on this platform Not suspectible to MS-oriented mail viruses Certainly not susceptible to x86 .exe viruses
Commercial antiviral software available Norton, NAI (McAfee's Virex) Effective protection, auto-updaters for virus "dat" files
November 22, 2002 41Securing a Macintosh - Richard Straka
MS Office Macro Viruses
The only true multi-platform virus type so far Office:Mac is susceptible Turn off the macro options within Word,
Excel and Powerpoint.
November 22, 2002 42Securing a Macintosh - Richard Straka
AppleScript
Powerful system-level scripting language AppleScripts sent as email attachments can
be executed and can be very dangerous This is essentially unheard of, but could be
just as dangerous as executing a .exe file attachment on a PC.
AppleScripts can be run remotely - over TCP (if enabled) - much like RMI File sharing security governs authentication and
authorization of remote AppleScripts.
November 22, 2002 43Securing a Macintosh - Richard Straka
Javascript
HTML email with malicious Javascript is always a security exposure
Turn off this option in mail clients
November 22, 2002 45Securing a Macintosh - Richard Straka
Security Administration Facets
Users Protocols Ports Services Network
Most Macintosh security exposures come from simple misconfiguration and/or lack of attention to security
November 22, 2002 46Securing a Macintosh - Richard Straka
Users
Use a centralized file and authentication server where practical AppleShare IP MacOS X Server Microsoft NT, … Services For Macintosh (SFM)
Standard admin practices Ensure that guest access is turned off. Set and implement password policies Don't let users have root (admin) access
Install virus protection software Establish consistent user training on
security and virus policies
November 22, 2002 47Securing a Macintosh - Richard Straka
Protocols
AppleTalk networking more limited in scope than TCP (less exposure)
Shareway IP Pro can republish AppleTalk-only accessible volumes over TCP - handy, but decreases security
MacOS X can republish an NFS volume - actually improving security.
November 22, 2002 48Securing a Macintosh - Richard Straka
Ports
Scan for open well-known Mac ports on user machines
Install a personal firewall and scan the "attacked" logs.
November 22, 2002 49Securing a Macintosh - Richard Straka
Services
Set proper passwords on all services - used or not. Don't leave the default passwords.
Turn on only the services you really need Turn on file sharing only where needed
Better to have a central file server than peer-peer Use IP address filters on the server
Don't support FTP FTP is said to have negative security Better to just have anonymous FTP for download. Consider using WebDAV instead.
November 22, 2002 50Securing a Macintosh - Richard Straka
Network
Several personal firewalls are available Norton, DoorStop, etc.
NAT/NAPT ("broadband") routers are a good first line of defense - and cheap.
Apple supports 802.11b very well. But 802.11 has some holes:
WEP and MAC cloning. Use maximum key length (128 bit) WEP. Combine MAC registration and WEP. Better approach to secure any important wireless
network: VPN client on each wireless device VPN gateway to the rest of the network
November 22, 2002 51Securing a Macintosh - Richard Straka
General, Security Patches
MacOS 9 is very stable. (9.2.2)Strictly maintenance mode now. Will be around for many years. No security patches at this time. Apple never released security-specific patches before
MacOS X. MacOS X is new.
All new Macs can boot MacOS X or MacOS 9. Macs introduced after 2002 will not boot MacOS 9.
MacOS X Security Patches Keep on top of security patches from Apple.
November 22, 2002 52Securing a Macintosh - Richard Straka
Macintosh Security Products, Vendors
Anti-virus Software Symantec (Norton) NAI (Virex) Intego (VirusBarrier)
Access Control Intego (DiskGuard) Hi-Resolution (MacAdministrator) PowerOnSoftware (DiskLock)
Low-Level Disk Encryption Intego (FileGuard)
November 22, 2002 53Securing a Macintosh - Richard Straka
A Few References:
Book: Internet Security for Your Macintosh http://www.opendoor.com/books.html
MacOS Security Sites http://www.securemac.com/ http://www.macintoshsecurity.com/
MacOS X Security http://www.apple.com/macosx/technologies/security.html http://developer.apple.com/internet/macosx/securityintro.html http://www.stanford.edu/group/itss-crc/osx/final-report/
Well-Known Mac Port List: http://www.opendoor.com/doorstop/ports.html