Mac OS X Server Security Configuration - Apple OS X Server Security Configuration For Mac OS X...

Date posted: 11-May-2018

  • Mac OS X Server Security Configuration

    For Mac OS X Server Version 10.6 Snow Leopard

  • Apple Inc.

    2010 Apple Inc. All rights reserved.

    The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

    Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

    Apple, 1 Infinite Loop, Cupertino, CA 95014, 408-996-1010, www.apple.com

    The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

    Apple, the Apple logo, Airport, Bonjour, FileVault, FireWire, iCal, iChat, iMac, iSight, iTunes, Keychain, Mac, Mac OS, QuickTime, Safari, Snow Leopard, Spotlight, Tiger, Time Machine, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

    Apple Remote Desktop, Finder, and QuickTime Broadcaster are trademarks of Apple Inc.

    MobileMe is a service mark of Apple Inc.

    The Bluetooth word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

    Intel, Intel Core, and Xeon are trademarks of Intel Corp. in the U.S. and other countries.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

    UNIX is a registered trademark of The Open Group.

    This product includes software developed by the University of California, Berkeley, FreeBSD, Inc., The NetBSD Foundation, Inc., and their respective contributors.

    Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

    019-1875/2010-06

  • Contents

    Preface: About This Guide
      Audience
      What's in This Guide
      Using This Guide
      Using Onscreen Help
      Snow Leopard Server Administration Guides
      Viewing PDF Guides on Screen
      Printing PDF Guides
      Getting Documentation Updates
      Getting Additional Information
      Acknowledgments

    Chapter 1: Introduction to Snow Leopard Server Security Architecture
      Security Architectural Overview
      UNIX Infrastructure
      Access Permissions
      Security Framework
      Layered Security Defense
      Network Security
      Credential Management
      Public Key Infrastructure (PKI)
      What's New in Snow Leopard Server Security
      Existing Security Features in Snow Leopard Server
      Signed Applications
      Mandatory Access Controls
      Sandboxing
      Managed User Accounts
      Enhanced Quarantining
      Memory and Runtime Protection
      Securing Sharing and Collaborative Services
      Service Access Control Lists
      VPN Compatibility and Integration
      Improved Cryptography
      Extended Validation Certificates
      Wildcard in Identity Preferences
      Enhanced Command-Line Tools
      FileVault and Encrypted Storage
      Encrypted Disk Image Cryptography
      Smart Card Support for Unlocking Encrypted Storage
      Enhanced Safari 4.0 Security

    Chapter 2: Installing Snow Leopard Server
      Installation Overview
      Preparing an Administrator Computer
      Setting Up Network Infrastructure
      Starting Up for Installation
      Starting Up from the Install DVD
      Starting Up from an Alternate Partition
      Starting Up from a NetBoot Environment
      Remote Access During Installation
      Server Admin During Installation
      SSH During Installation
      VNC During Installation
      About Default Installation Passwords
      Preparing Disks for Installing Snow Leopard Server
      Securely Erasing a Disk for Installation
      Installing Server Software
      Enabling the Firewall
      Applying Software and Security Updates
      Updating from an Internal Software Update Server
      Updating from Internet Software Update Servers
      Updating Manually from Installer Packages
      Verifying the Integrity of Software
      Setting Up Services and Users
      About Settings Established During Server Setup
      Enabling the Firmware Password

    Chapter 3: Securing System Hardware
      Protecting Hardware
      Preventing Wireless Eavesdropping
      Understanding Wireless Security Challenges
      About OS Components
      Removing Wi-Fi Support Software
      Removing Bluetooth Support Software
      Removing IR Support Software
      Preventing Unauthorized Recording
      Removing Audio Support Software
      Removing Video Recording Support Software
      Preventing Data Port Access
      Removing USB Support Software
      Removing FireWire Support Software
      System Hardware Modifications

    Chapter 4: Securing Global System Settings
      Securing System Startup
      Using the Firmware Password Utility
      Using Command-Line Tools for Secure Startup
      Configuring Access Warnings
      Enabling Access Warnings for the Login Window
      Understanding the AuthPlugin Architecture
      The BannerSample Project
      Enabling Access Warnings for the Command Line
      Turning On File Extensions

    Chapter 5: Securing Local Server Accounts
      Types of User Accounts
      Guidelines for Creating Accounts
      Defining User IDs
      Securing the Guest Account
      Securing Nonadministrator Accounts
      Securing External Accounts
      Protecting Data on External Volumes
      Securing Directory-Based Accounts
      Avoiding Simultaneous Local Account Access
      Securing Administrator Accounts
      About Tiered Administration Permissions
      Defining Administrative Permissions
      Avoiding Shared Administrator Accounts
      Securing the Directory Domain Administrator Account
      Changing Special Authorizations for System Functions
      Securing the System Administrator Account
      Restricting sudo Usage
      Understanding Directory Domains
      Understanding Network Services, Authentication, and Contacts
      Configuring LDAPv3 Access
      Configuring Active Directory Access
      Using Strong Authentication
      Using Password Assistant to Generate or Analyze Passwords
      Using Kerberos
      Using Smart Cards
      Using Tokens
      Using Biometrics
      Setting Global Password Policies
      Storing Credentials in Keychains
      Using the Default User Keychain
      Creating Additional Keychains
      Securing Keychains and Their Items
      Using Smart Cards as Keychains
      Using Portable and Network Keychains

    Chapter 6: Securing System Preferences
      System Preferences Overview
      Securing MobileMe Preferences
      Securing Accounts Preferences
      Securing Appearance Preferences
      Securing Bluetooth Preferences
      Securing CDs & DVDs Preferences
      Securing Date & Time Preferences
      Securing Desktop & Screen Saver Preferences
      Securing Display Preferences
      Securing Dock Preferences
      Securing Energy Saver Preferences
      Securing Exposé & Spaces Preferences
      Securing Language & Text Preferences
      Securing Keyboard Preferences
      Securing Mouse Preferences
      Securing Bluetooth Settings
      Restricting Access to Specified Users
      Securing Network Preferences
      Disabling Unused Hardware Devices
      Securing Print & Fax Preferences
      Securing Security Preferences
      General Security
      FileVault Security
      Securing Sharing Preferences
      Securing Software Update Preferences
      Securing Sound Preferences
      Securing Speech Preferences
      Securing Spotlight Preferences
      Securing Startup Disk Preferences
      Securing Time Machine Preferences
      Securing Universal Access Preferences

    Chapter 7: Securing System Swap and Hibernation Storage
      System Swap File Overview
      Encrypting System Swap

    Chapter 8: Securing Data and Using Encryption
      About Transport Encryption
      About Payload Encryption
      About File and Folder Permissions
      Setting POSIX Permissions
      Viewing POSIX Permissions
      Interpreting POSIX Permissions
      Modifying POSIX Permissions
      Setting File and Folder Flags
      Viewing Flags
      Modifying Flags
      Setting ACL Permissions
      Enabling ACL Permissions
      Modifying ACL Permissions
      Changing Global Umask for Stricter Default Permissions
      Restricting Setuid Programs
      Securing User Home Folders
      Encrypting Home Folders
      Overview of FileVault
      Managing FileVault
      Managing the FileVault Master Keychain
      Encrypting Portable Files
      Creating an Encrypted Disk Image
      Creating an Encrypted Disk Image from Existing Data
      Creating Encrypted PDFs
      Securely Erasing Data
      Configuring Finder to Always Securely Erase
      Using Disk Utility to Securely Erase a Disk or Partition
      Using Command-Line Tools to Securely Erase Files
      Using Secure Empty Trash
      Using Disk Utility to Securely Erase Free Space
      Using Command-Line Tools to Securely Erase Free Space
      Deleting Permanently from Time Machine Backups

    Chapter 9: Managing Certificates
      Understanding Public Key Infrastructure
      Public and Private Keys
      Certificates
      About Certificate Authorities (CAs)
      About Identities
      Self-Signed Certificates
      About Intermed