Enterprise Mac Security

Transcription

1 Enterprise Mac Security Mac OS X Snow Leopard William Barker Beau Hunter Gene Sullivan Apress* TIB/UB Hannover

2 Contents Contents at a Glance... iv Contents - v About the Authors xv About the Technical Reviewer xvi Acknowledgments xvii Introduction xviii Part I: The Big Picture 1 Chapter 1: Security Quick-Start.- 3 Securing the Mac OS X Defaults 3 Customizing System Preferences 4 Accounts 4 Login Options Passwords 7 Administrators 8 Security Preferences 9 General 9 FileVault 11 Firewall 13 Software Update 14 Bluetooth Security 16 Printer Security 18 Sharing Services 20 Securely Erasing Disks 21 Using Secure Empty Trash 23 Using Encrypted Disk Images 24 Securing Your Keychains 25 Best Practices 27 Chapter 2: Services, Daemons, and Processes 29 Introduction to Services, Daemons, and Processes 29 6 V

3 mcontents Viewing What's Currently Running 31 The Activity Monitor 31 The ps Command 35 The top Output 36 Viewing Which Daemons Are Running 38 Viewing Which Services Are Available 39 Stopping Services, Daemons, and Processes 40 Stopping Processes 41 Stopping Daemons 43 Types of launchd Services 44 GUI Tools for Managing launchd 44 Changing What Runs At Login 45 Validating the Authenticity of Applications and Services 46 Summary 47 V Chapter 3: Securing User Accounts 49 Introducing Identification, Authentication, and Authorization 49 Managing User Accounts 50 Introducing the Account Types 51 Adding Users to Groups 53 Enabling the Superuser Account 54 Setting Up Parental Controls 56 Managing the Rules Put in Place 62 Advanced Settings in System Preferences 64 Working with Local Directory Services 65 Creating a Second Local Directory Node 68 External Accounts 68 Restricting Access with the Command Line: sudoers 69 Securing Mount Points 74 SUID Applications: Getting into the Nitty-Gritty 75 Creating Files with Permissions 77 Summary 78 Chapter 4: File System Permissions 79 Mac OS File Permissions: A Brief History of Time 80 POSIX Permissions 81 Modes in Detail 82 Inheritance 84 The Sticky Bit 87 The suid/sguid Bits 87 POSIX in Practice 88 Access Control Lists 91 Access Control Entries 91 Effective Permissions 94 ACLs in Practice 95 Administering Permissions 97 Using the Finder to Manage Permissions 103 Using chown and chmod to Manage Permissions 104 The Hard Link Dilemma 107 vi

4 ft CONTENTS Using mtree to Audit File system Permissions 109 Summary 111 Chapter 5: Reviewing Logs and Monitoring 113 What Exactly Gets Logged? 113 Using Console 115 Viewing Logs 115 Marking Logs 116 Searching Logs 117 Finding Logs 118 Secure.log: Security Information appfirewall.log 120 Reviewing User-Specific Logs 121 Reviewing Command-Line Logs 123 Reviewing Library Logs 124 Breaking Down Maintenance Logs 124 daily.out 126 Yasu 127 Weekly.out 128 Monthly.out 129 What to Worry About 129 Virtual Machine and Bootcamp Logs 130 Event Viewer 130 Task Manager 131 Performance Alerts 132 Review Regularly, Review Often 133 Accountability Incident Response 134 Summary 135 Part II: Securing the Ecosystem 137 Chapter 6: Application Signing and Sandbox 139 Application Signing 139 Application Authentication 141 Application Integrity Signature Enforcement in OS X 144 Signing and Verifying Applications 153 Sandbox 156 Sandbox Profiles 158 The Anatomy of a Profile 161 Sandbox Profiles in Action 166 The Seatbelt Framework 178 Summary 180 Chapter 7: Securing Web Browsers and 183 A Quick Note About Passwords 184 Securing YourWeb Browser 185 Securing Safari 185 Securing Firefox 189 Securely Configuring Mail Vll

5 * CONTENTS Using SSL 196 Securing Entourage 199 Fighting Spam 202 Anatomy of Spam 202 Desktop Solutions for Securing 207 Using PGP to Encrypt Mail Messages -207 GPG Tools 207 Using Mail Server-Based Solutions for Spam and Viruses 207 Kerio 208 Mac OS X Server's Antispam Tools 210 CommuniGate Pro 211 Outsourcing Your Spam and Virus Filtering 212 Summary 213 Chapter 8: Malware Security: Combating Viruses, Worms, and Root Kits 213 Classifying Threats 213 The Real Threat of Malware on the Mac 216 Script Malware Attacks 217 Socially Engineered Malware 218 Using Antivirus Software 218 Built Into Mac OSX 219 Antivirus Software Woes 220 McAfee VirusScan 220 Norton Antivirus 220 ClamXav 221 Sophos Anti-Virus 226 Best Practices for Combating Malware 227 Other Forms of Malware 228 Adware 228 Spyware 228 Root Kits 230 Summary 232 Chapter 9: Encrypting Files and Volumes 233 Using the Keychain to Secure Sensitive Data 234 The Login Keychain 234 Creating Secure Notes and Passwords 237 Managing Multiple Keychains 240 Using Disk Images as Encrypted Data Stores 243 Creating Encrypted Disk Images 245 Interfacing with Disk Images from the Command Line 251 Encrypting User Data Using FileVault 257 Enabling FileVault for a User 260 The FileVault Master Password 263 Limitations of Sparse Images and Reclaiming Space 264 Full Disk Encryption 266 Check Point 267 PGP Encryption 269 uiii

6 mcontents TrueCrypt 270 WinMagic SecureDoc 271 Summary 272 Part Hi: Network Traffic 275 SChapter 10: Securing Network Traffic 277 Understanding TCP/IP 277 Types of Networks 280 Peer-to-Peer 280 Considerations when Configuring Peer-to-Peer Networks 281 Client-Server Networks 282 Understanding Routing 283 Packets 283 Port Management 285 DMZ and Subnets 286 Spoofing 287 Stateful Packet Inspection 287 Data Packet Encryption 288 Understanding Switches and Hubs 288 Managed Switches 289 Restricting Network Services 291 Security Through 802.1x 292 Proxy Servers 293 Squid 295 Summary 297 Chapter 11: Setting Up the Mac OS X Firewall 299 Introducing Network Services 300 Controlling Services 301 Configuring the Firewall 304 Working with the Firewall in Leopard and Snow Leopard 304 Setting Advanced Features 307 Blocking Incoming Connections 307 Allowing Signed Software to Receive Incoming Connections 308 Going Stealthy 309 Testing the Firewall 310 Configuring the Application Layer Firewall from the Command Line 312 Using Mac OS X to Protect Other Computers 313 Enabling Internet Sharing 313 Working from the Command Line 315 Getting More Granular Firewall Control 315 Using ipfw 317 Using Dummynet 321 Summary 324 Chapter 12: Securing a Wireless Network 325 Wireless Network Essentials 325 Introducing the Apple AirPort 327 Configuring Older AirPorts 328 AirPort Utility 330 IX

7 CONTENTS Configuring the Current AirPorts 330 Limiting the DHCP Scope 333 Hardware Filtering 334 AirPort Logging 336 Hiding a Wireless Network 337 Base Station Features in the AirPort Utility 338 The AirPort Express 339 Wireless Security on Client Computers 339 Securing Computer-to-Computer Networks 340 Wireless Topologies 341 Wireless Hacking Tools 342 KisMAC 342 Detecting Rogue Access Points 343 istumbler and Mac Stumbler 344 MacStumbler 346 Ettercap 347 EtherPeek 347 Cracking WEP Keys 347 Cracking WPA-PSK 348 General Safeguards Against Cracking Wireless Networks 349 Summary 350 Part IV: Sharing 351 Chapter 13: File Services 353 The Risks in File Sharing 353 Peer-to-Peer vs. Client-Server Environments 354 File Security Fundamentals 354 LKDC 355 Using POSIX Permissions 355 Getting More out of Permissions with Access Control Lists 356 Sharing Protocols: Which One Is for You? 357 Apple Filing Protocol 357 Setting Sharing Options Samba 359 Using Apple AirPort to Share Files 362 Third-Party Problem Solver: DAVE 366 FTP 372 Permission Models 374 Summary 375 Chapter 14: Web Site Security 377 Securing Your Web Server 377 Introducing the httpd Daemon 378 Removing the Default Files 379 Changing the Location of Logs 379 Restricting Apache Access 380 Run on a Nonstandard Port 380 Use a Proxy Server 381 Disable CGI 381 X

8 CONTENTS Disable Unnecessary Services in Apache 382 PHP and Security 382 Securing PHP 383 Tightening PHP with Input Validation 383 Taming Scripts 384 Securing Your Perl Scripts 384 Securing robots.txt 386 Blocking Hosts Based on robots.txt 387 Protecting Directories 388 Customizing Error Codes 389 Using.htaccess to Control Access to a Directory 389 Tightening Security with TLS 391 Implementing Digital Certificates 392 Protecting the Privacy of Your Information 392 Protecting from Google? 394 Enumerating a Web Server 395 Securing Files on Your Web Server 396 Disabling Directory Listings 396 Uploading Files Securely 397 Code Injection Attacks 398 SQL Injection 398 Cross Site Scripting 398 Protecting from Code Injection Attacks 399 Summary 399 Chapter 15: Remote Connectivity 401 Remote Management Applications 402 Apple Remote Desktop 402 Screen Sharing 402 Implementing Back to My Mac 404 Configuring Remote Management 405 Using Timbuktu Pro 408 Installing Timbuktu Pro 408 Adding New Users 409 Testing the New Account 410 Using Secure Shell 412 Enabling SSH 412 Further Securing SSH 413 Using a VPN 414 Connecting to Your Office VPN 414 Setting UpL2TP 415 Setting Up PPTP 416 Connecting to a Cisco VPN 417 PPP + SSH = VPN 419 Summary Chapter 16: Server Security 423 Limiting Access to Services 423 The Root User 425 Xi 422

9 CONTENTS Foundations of a Directory Service 425 Defining LDAP 425 Kerberos 426 Configuring and Managing Open Directory 428 Securing LDAP: Enabling SSL 431 Securing Open Directory Accounts by Enabling Password Policies 432 Securing Open Directory Using Binding Policies 435 Securing Authentication with PasswordServer 437 Securing LDAP by Preventing Anonymous Binding 439 Securely Binding Clients to Open Directory 441 Further Securing LDAP: Implementing Custom LDAP ACLs 444 Creating Open Directory Users and Groups 444 Securing Kerberos from the Command Line 448 Managed Preferences 449 Securing Managed Preferences 451 Providing Directory Services for Windows Clients 453 Active Directory Integration 454 Web Server Security in Mac OS X Server 459 Using Realms 459 SSL Certs on Web Servers 461 File Sharing Security in OS X Server 463 A Word About File Size 465 Securing NFS 465 AFP 466 SMB 470 FTP 471 Wireless Security on OS X Server Using RADIUS 471 DNS Best Practices 473 SSL 474 Reimporting Certificates 475 SSH 475 Server Admin from the Command Line 477 ichat Server 477 Securing the Mail Server 478 Limiting the Protocols on Your Server 479 Proxying Services 480 Summary 481 Part V: Securing the Workplace 483 Chapter 17: Network Scanning, Intrusion Detection, and Intrusion Prevention Tools 485 Scanning Techniques 485 Fingerprinting 486 Enumeration 488 Vulnerability and Port Scanning 489 Intrusion Detection and Prevention 492 Host Intrusion Detection System 493 Network Intrusion Detection 494 xii

10 CONTENTS Security Auditing on the Mac 497 Nessus 497 Metasploit 501 SAINT 503 Summary 504 3Chapter 18: Backup and Fault Tolerance 505 Time Machine 506 Restoring Files from Time Machine 510 Using a Network Volume for Time Machine 511 SuperDuper 512 Backing Up to MobileMe 513 Retrospect 517 Checking Your Retrospect Backups 528 Using Tape Libraries 530 Backup vs. Fault Tolerance 531 Fault-Tolerant Scenarios 531 Round-Robin DNS 532 Load-Balancing Devices 533 Cold Sites 533 Hot Sites 534 Backing up Services 534 Summary 535 Chapter 19: Forensics 537 Incident Response 538 MacForensicsLab 539 Installing MacForensicsLab 539 Using MacForensicsLab 544 Image Acquisition 546 Analysis 548 Salvage 551 Performing an Audit 554 Reviewing the Case 554 Reporting 555 Other GUI Tools for Forensic Analysis 556 Forensically Acquiring Disk Images 557 Tools for Safari 557 Command-Line Tools for Forensic Analysis 558 Summary 558 Appendix A: Xsan Security 559 Metadata 560 Fibre Channel 561 Affinities 561 Permissions 561 Quotas 562 Other SAN Solutions 562 Appendix B: InfoSec Acceptable Use Policy Overview 563 Xlii

11 CONTENTS 2.0 Purpose Scope Policy General Use and Ownership Security and Proprietary Information Unacceptable Use Blogging Enforcement Definitions 569 Term Definition Revision History 569 I Appendix C: CDSA 571 lappendix D: Introduction to Cryptography 573!Index 577 xiv