Mac OS X Security Checklist:


Mac OS X Security Checklist: Implementing the Center for Internet Security Benchmark for OS X

Recommendations for securing Mac OS X

The Center for Internet Security (CIS) benchmark for OS X is widely regarded as a comprehensive checklist for organizations to follow to secure their Macs. This white paper from JAMF Software, the Apple Management Experts, will show you how to implement the independent organization's recommendations.

What is the Casper Suite?
The Casper Suite is a set of administrative tools to help you manage your Apple devices.

What is the JSS?
The JAMF Software Server (JSS) is the management server component of the suite and runs on a Mac, Windows, or Linux server.

What is a Policy?
A Policy is the main tool used to implement changes on a client Mac. The JSS sends commands to an agent on the Mac.

Who is the CIS?
The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities.

How the CIS benchmark was created
"The CIS Benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org."
- CIS Apple OS X 10.10 Benchmark

Categories of security for OS X
- Updates & Patches
- System Preferences
- iCloud
- Logging & Auditing
- Network Configuration
- User Accounts
- Access & Authentication
- Other Considerations

Installing Updates, Patches, and Security Software

The Casper Suite enables you to keep your OS and applications up to date by packaging and deploying updates to your client Macs remotely. You can even report on which machines have been updated and which are still pending.

CIS Recommendations:
- Verify OS and apps are up to date via a Software Update tool
- Enable Auto Update in App Store
- Enable Auto Security Updates

Casper Suite implementation:
- Patch Management in the Casper Suite allows you to keep Mac OS X up to date
- A custom Software Update Server lets you whitelist approved updates to your Macs
- Run a Policy to enable Auto-Update via App Store
- Run a Policy to check for updates on a client Mac
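The "report on which machines are still pending" part of this section is usually done with a JSS Extension Attribute: a script whose output between result tags the JSS stores in inventory, so a smart group can scope an update policy to machines that are not current. The script below is an added example written for this page, not JAMF's or Apple's code. It assumes the `softwareupdate -l` output format of the OS X 10.9/10.10 era (each update introduced by a "   * identifier" line); the sample output it carries is constructed, and it is only used when the script runs on a non-Mac host.

```shell
#!/bin/sh
# Added example (not JAMF's or Apple's code): a JSS Extension Attribute
# script that reports how many Apple software updates a Mac still has
# pending, so a smart group can scope an "install updates" policy to
# machines that are not current. The JSS reads the value between the
# <result></result> tags that the script prints.

# Constructed sample of `softwareupdate -l` output in the OS X 10.9/10.10
# format: each update is introduced by a "   * <identifier>" line, followed
# by a description line carrying [recommended] and, where applicable,
# [restart]. Used only when the script runs on a non-Mac host.
SAMPLE_OUTPUT='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Safari8.0.4MavericksAndMountainLion-8.0.4
	Safari (8.0.4), 53420K [recommended]
   * OSXUpd10.10.3-10.10.3
	OS X Update (10.10.3), 1450000K [recommended] [restart]
'

# Number of updates listed; 0 when the tool prints "No new software available."
count_pending() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*\* ' || true
}

# Number of listed updates whose installation requires a restart.
count_restart_required() {
    printf '%s\n' "$1" | grep -c '\[restart\]' || true
}

# Identifiers of the pending updates, one per line (the names that
# `softwareupdate -i <identifier>` accepts).
pending_names() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\* //p'
}

# Collect live output on a Mac; fall back to the constructed sample elsewhere.
# softwareupdate writes its progress lines to stderr, hence 2>&1.
gather_output() {
    if command -v softwareupdate >/dev/null 2>&1; then
        softwareupdate -l 2>&1
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

# Extension attribute body: an integer the JSS can compare in a smart group
# (for example "Pending Updates" more than 0). Restart-requiring updates are
# logged separately so the policy log shows which Macs will need a reboot.
report() {
    out=$(gather_output)
    printf '<result>%s</result>\n' "$(count_pending "$out")"
    printf 'restart required by %s of the pending updates\n' \
        "$(count_restart_required "$out")" >&2
}

# Runs with no arguments as an Extension Attribute on a Mac; on other hosts
# pass --report to exercise the parser against the constructed sample.
if [ "$(uname)" = "Darwin" ] || [ "${1:-}" = "--report" ]; then
    report
fi
```

Once the attribute exists, a smart group with the criterion "Pending Updates is greater than 0" gives the policy that runs `softwareupdate -i -a` (or the Patch Management workflow) its scope, and the same number in inventory is the "which machines are still pending" report.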

System Preferences

The Casper Suite helps you configure System Preferences to meet your organization's security needs. Common settings such as passwords and screen saver can easily be turned on remotely and en masse to ensure restricted physical access to Macs. Advanced settings such as disabling SSH or file sharing can also be set to make your Mac secure against remote attacks.

CIS Recommendations:

Bluetooth:
- Disable Bluetooth
- Disable Bluetooth Discoverable Mode

Date & Time:
- Enable set time and date automatically

Desktop & Screen Saver:
- Set screen saver to 20 minutes or less
- Enable hot corner to start screen saver
- Set Display Sleep to a value larger than Screen Saver

Sharing:
- Disable Remote Apple Events in Sharing
- Disable Internet Sharing
- Disable Screen Sharing
- Disable Printer Sharing
- Disable Remote Login (SSH)
- Disable DVD or CD Sharing
- Disable Bluetooth Sharing
- Disable File Sharing
- Disable Remote Management (ARD)

Energy Saver:
- Disable wake for network access
- Disable sleeping the computer when connected to power

Security & Privacy:
- Enable FileVault 2
- Enable Gatekeeper
- Enable Firewall
- Enable Firewall Stealth Mode
- Review Application Firewall rules (http://support.apple.com/en-us/ht201642)

Other:
- iCloud (see section below)
- Enable Secure Keyboard Entry in Terminal.app
- Java 6 is not the default Java runtime
- Use Secure Empty Trash

Casper Suite implementation:
- All of the above System Preferences can be set via a JSS Policy and/or Configuration Profile
- FileVault 2 can be enabled and keys escrowed in the JSS's inventory
- Screen Saver and Password settings can be set
- Sharing settings can be set
- Security & Privacy settings can be set
- Policy to disable Java can be deployed

iCloud and Other Cloud Services

The Casper Suite helps implement your organization's iCloud strategy by giving IT admins the ability to either block or enable the cloud-based service. Apple's iCloud is just one of many cloud-based solutions being used for data synchronization across multiple platforms, and it should be controlled consistently with other cloud services in your environment. Work with your employees and configure the access to best enable data protection for your mission.

Casper Suite implementation:
- iCloud can be disabled via a Configuration Profile and/or JSS Policy
- If iCloud is not allowed, iCloud Drive can be removed from Finder

Logging and Auditing

The Casper Suite helps IT admins keep track of the logs that OS X generates and centralizes them in one place. Admins can also run advanced reports on those logs to look for potential security issues.

CIS Recommendations:
- Configure asl.conf
- Retain system.log for 90 or more days
- Retain appfirewall.log for 90 or more days
- Retain auth.log for 90 or more days
- Enable security auditing
- Configure Security Auditing Flags
- Enable remote logging for Macs on trusted networks
- Retain install.log for 1 year or more

Casper Suite implementation:
- Config files can be modified via a script
- Log files can be sent to the JSS and stored as long as needed
- Additional logs can be cached by the JSS

Network Configurations

The Casper Suite makes rolling out network configurations easy for IT admins by distributing Wi-Fi, VPN, and even DNS settings. The Casper Suite also ensures some of the legacy server components of OS X are disabled so users are not accidentally opening up ports they don't know about.

CIS Recommendations:
- Ensure Wi-Fi status is in the menu bar
- Create network-specific locations
- Ensure HTTP server is not running (Apache)
- Ensure FTP server is not running
- Ensure NFS server is not running

Casper Suite implementation:
- Network settings can be built into a Configuration Profile
- Apache, FTP, and NFS can all be disabled via a script in a JSS Policy

User Accounts and Environment

The Casper Suite helps an organization manage local accounts on a Mac, allowing the creation of admin or standard users. The JAMF binary that lives on client machines creates a hidden management account that has admin rights to execute commands and create new users. Policies can be created to further secure the login screen and disable the guest account.

CIS Recommendations:
- Display login window as name and password only
- Disable show password hints
- Disable guest account
- Disable allow guests to connect to shared folders
- Turn on filename extensions
- Disable the automatic run of safe files in Safari

Casper Suite implementation:
- Login window can be configured via Configuration Profile
- Guest account can be disabled via JSS Policy
- User accounts can be created via Setup Assistant and DEP or imaging
- Accounts created can either be Standard or Admin, based on needs
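The Sharing items under System Preferences above and the Apache, FTP and NFS items here are all "a script in a JSS Policy" in practice, and the same script can audit its own result by checking which jobs launchd still has loaded. The script below is an added example for this page, not JAMF's or Apple's code. The launchd labels, LaunchDaemon plist paths and commands it uses are assumptions about OS X 10.9/10.10 and should be checked against the version being managed; the `launchctl list` output it embeds is a constructed sample used only on a non-Mac host.

```shell
#!/bin/sh
# Added example (not JAMF's or Apple's code): a JSS Policy script that turns
# off the Sharing services from the System Preferences items and the Apache,
# FTP and NFS servers from the Network Configurations items, then audits
# `launchctl list` so the result can be reported back to the JSS.
# Labels, plist paths and commands are assumptions about OS X 10.9/10.10.

# launchd jobs that must not be loaded once the CIS items are applied.
FORBIDDEN_LABELS="com.openssh.sshd com.apple.screensharing com.apple.AppleFileServer com.apple.smbd com.apple.ODSAgent org.apache.httpd com.apple.ftpd com.apple.nfsd"

# Constructed sample of `launchctl list` output (PID, last exit status,
# label). A "-" PID means loaded but idle, which still counts: launchd
# starts the job as soon as something connects to its socket.
SAMPLE_LAUNCHCTL='PID	Status	Label
-	0	com.apple.smbd
231	0	com.openssh.sshd
-	0	com.apple.mDNSResponder
88	0	com.apple.securityd
'

# Labels of every loaded job: skip the header and print the third column.
loaded_labels() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $3 }'
}

# Forbidden labels that are loaded, one per line, in FORBIDDEN_LABELS order.
violations() {
    labels=$(loaded_labels "$1")
    for l in $FORBIDDEN_LABELS; do
        if printf '%s\n' "$labels" | grep -qx "$l"; then printf '%s\n' "$l"; fi
    done
}

count_violations() {
    violations "$1" | grep -c . || true
}

# Remediation; needs root on a Mac. -f on systemsetup skips its
# confirmation prompt, and unloading an already-unloaded job is harmless.
disable_services() {
    systemsetup -f -setremotelogin off                 # Remote Login (SSH)
    systemsetup -f -setremoteappleevents off           # Remote Apple Events
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
        -deactivate -stop                              # Remote Management (ARD)
    nfsd disable                                       # NFS server
    cupsctl --no-share-printers                        # Printer Sharing
    defaults write /Library/Preferences/SystemConfiguration/com.apple.nat \
        NAT -dict Enabled -int 0                       # Internet Sharing
    pmset -a womp 0                                    # Energy Saver: no wake for network access
    # Screen Sharing, File Sharing (AFP and SMB), DVD/CD Sharing, Apache, FTP
    for job in com.apple.screensharing com.apple.AppleFileServer com.apple.smbd \
               com.apple.ODSAgent org.apache.httpd ftp; do
        launchctl unload -w "/System/Library/LaunchDaemons/$job.plist" 2>/dev/null || true
    done
}

# Audit: the number the JSS sees; 0 means none of the forbidden jobs is loaded.
report() {
    if command -v launchctl >/dev/null 2>&1; then
        out=$(launchctl list)          # run as root to see system daemons
    else
        out=$SAMPLE_LAUNCHCTL          # non-Mac host: the constructed sample
    fi
    printf '<result>%s</result>\n' "$(count_violations "$out")"
    violations "$out" >&2              # the offending labels, for the policy log
}

# The JSS passes mount point, computer name and username in $1-$3; policy
# parameter 4 is the first admin-defined one. "apply" changes the Mac and
# reports, "report" only reports, anything else does nothing.
case "${4:-}" in
    apply)  [ "$(uname)" = "Darwin" ] && disable_services; report ;;
    report) report ;;
esac
```

Running the audit half on its own as an Extension Attribute, and the remediation half as a policy scoped to a smart group where the attribute is greater than 0, keeps the remediation from re-running on Macs that are already compliant.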

System Access, Authentication, and Authorization

The Casper Suite helps set file permissions, manage keychain access, and set strong password policies for users. By creating a Configuration Profile or JSS Policy, you can remotely enable system access settings to create a more secure Mac.

CIS Recommendations:
- Secure Home Folder (deny read permissions to other home folders)
- Repair permissions regularly
- Check system-wide applications for permissions
- Check System folder for world-writable files
- Check Library folder for world-writable files
- Reduce the sudo timeout period
- Automatically lock the login keychain for inactivity
- Ensure login keychain is locked when the computer sleeps
- Ensure OCSP & CRL certificate checking
- Do not enable the root account
- Disable automatic login
- Require a password to wake the computer from sleep
- Require an admin password to access system-wide preferences
- Disable ability to log in to another user's active and locked session
- Complex passwords (contains numbers, letters, and symbols)
- Set minimum password length
- Configure account lockout threshold
- Create a custom message for the Login Screen
- Create a login window banner
- Disable password hints
- Disable Fast User Switching
- Secure individual keychain items
- Create specialized keychains for different purposes

Casper Suite implementation:
- Folder permissions can be set via a script in a JSS Policy
- Repair permissions command can be triggered via Self Service or run automatically
- Reports can be created to scan for files in System and Library for bad permissions
- Password policies enabled via Configuration Profile
- Login window and banner can be added via JSS Policy
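"Reports can be created to scan for files in System and Library for bad permissions" is again an Extension Attribute job. The script below is an added example for this page, not JAMF's or Apple's code: it counts world-writable files under /System and /Library, checks the sudo timeout in sudoers text, and carries the per-user keychain lock command for the two keychain items. The 5-minute sudo default and the `security set-keychain-settings` flags are assumptions about OS X 10.9/10.10; the scratch directory and sudoers line it uses on a non-Mac host are constructed.

```shell
#!/bin/sh
# Added example (not JAMF's or Apple's code): an Extension Attribute-style
# audit for "Check System folder for world writable files", "Check Library
# folder for world writable files" and "Reduce the sudo timeout period",
# plus the per-user keychain lock settings. The sudo default of 5 minutes
# and the `security set-keychain-settings` flags are assumptions about
# OS X 10.9/10.10, not statements from the white paper.

# World-writable regular files under a tree. -perm -002 matches any mode
# with the "other" write bit; symlinks are skipped because their own mode is
# always 0777 and says nothing about the target.
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# World-writable directories without the sticky bit. A sticky one (like
# /tmp) only lets users delete their own files; one without it lets any
# user replace anything inside.
world_writable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null
}

count_lines() {
    grep -c . || true
}

# Effective sudo credential cache lifetime in minutes, parsed from sudoers
# text: the last timestamp_timeout=N on a Defaults line wins, options may be
# comma-separated, comments are ignored, and sudo's compiled-in default is 5.
sudo_timeout_minutes() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Defaults/ {
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, ",")
                for (j = 1; j <= n; j++)
                    if (parts[j] ~ /^timestamp_timeout=-?[0-9]+$/) v = substr(parts[j], 19)
            }
        }
        END { print (v == "" ? "5" : v) }'
}

# "Reduce the sudo timeout period": accept 0 up to (not including) the
# 5-minute default; -1 (credentials never expire) fails.
sudo_timeout_ok() {
    v=$(sudo_timeout_minutes "$1")
    [ "$v" -ge 0 ] && [ "$v" -lt 5 ]
}

# Lock the login keychain after 6 hours idle (-u/-t) and whenever the Mac
# sleeps (-l). `security` works on the calling user's keychain, so a JSS
# policy runs this as the console user (for example via su), not as root.
lock_login_keychain() {
    security set-keychain-settings -l -u -t 21600 "$HOME/Library/Keychains/login.keychain"
}

report() {
    if [ "$(uname)" = "Darwin" ]; then
        sys=$(world_writable_files /System | count_lines)
        lib=$(world_writable_files /Library | count_lines)
        sudoers=$(cat /etc/sudoers 2>/dev/null)   # readable as root only
    else
        # Non-Mac host: a constructed scratch tree and sudoers line stand in.
        d=$(mktemp -d); touch "$d/ok" "$d/bad"; chmod 644 "$d/ok"; chmod 666 "$d/bad"
        sys=$(world_writable_files "$d" | count_lines); lib=0; rm -r "$d"
        sudoers='Defaults env_reset,timestamp_timeout=0'
    fi
    status=FAIL; sudo_timeout_ok "$sudoers" && status=OK
    printf '<result>System:%s Library:%s sudo_timeout:%s</result>\n' "$sys" "$lib" "$status"
}

# Runs as an Extension Attribute on a Mac (no arguments); elsewhere pass
# --report to see the sample run.
if [ "$(uname)" = "Darwin" ] || [ "${1:-}" = "--report" ]; then
    report
fi
```

The paths that `world_writable_files /System` prints belong in the policy log rather than in the attribute value, so the JSS stores a small comparable number and the detail stays available when a Mac is flagged.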

Additional Considerations

The Casper Suite helps IT admins customize additional security settings by setting an EFI password, disabling Wi-Fi in hyper-secure environments, and more. You can also use the JSS to rename your Macs so inventory is easier. Additionally, the Casper Suite allows you to inventory the software assets your organization has and keep track of licenses.

CIS Recommendations:
- Consider disabling Wi-Fi and only use Ethernet
- Cover iSight cameras
- Logically name your computers
- Inventory your software
- Put a firewall in place
- Automatic actions for optical media
- Disable App Store automatic downloads on other Macs
- Set an EFI password
- Apple ID password resets

Casper Suite implementation:
- Wi-Fi can be disabled via profile
- Computer naming can be automated via a setting in the JSS
- Software inventory and license tracking in the JSS
- EFI passwords can be set via a policy and/or imaging

Conclusion

The Casper Suite makes it easy to implement and follow the independent organization Center for Internet Security's Apple OS X benchmarks. To learn more about how to secure your Macs with the Casper Suite, visit http://www.jamfsoftware.com/securing-apple

info@jamfsoftware.com 612.605.6625 www.jamfsoftware.com 2015 JAMF Software, LLC. All rights reserved.