Virus & Security Information
Security Checklist for Macintosh Computers
Required steps for all Macintosh computers
- Make sure your OSX software updates are current. You should receive alerts
about new updates every month or so. If you have disabled "Software
Update", after you register you should re-enable "Software Update" from
the Apple menu to check for new updates.
- Don't set your Mac to automatically log into your account on startup. In the “Security & Privacy” System Preferences pane, click on the "Lock" icon and then make sure “Disable automatic login” is unchecked. Also, in the “Users & Groups” System Preferences pane, click on the "Lock" icon and then click on "Login Options" (above the "Lock" icon). Make sure "Display login window as" is set to "Name and password".
- Enable your screen saver and have it set to ask for a password to wake
from sleep and from screensaver. In the "Security & Privacy" System Preferences pane, on the "General" tab, make sure that "immediately" is selected after “Require password”. Also, make sure there is a check in front of "Require password immediately after sleep or screen saver begins”. You can also set a "hot corner" in the "Desktop & Screen Saver" System Preferences pane so that you can activate your screen saver immediately by moving your cursor to one of the corners of your screen. This is useful when you have confidential information on your screen that you don't want others to see or if you're leaving your desk for a while and want your computer secured immediately.
- Sharing settings.
OSX 10.5 and 10.6 Users: In the "Sharing" System Preferences Pane make
sure that nothing is checked. Then, click on the "Security" System
Preference pane, and the "General" tab. Make sure that there's
a check in front of "Require password to wake from sleep" and
also "Disable automatic login".
OSX 10.8: In the "Sharing" System Preferences Pane make sure that nothing is checked. Then, click on the "Security & Privacy" System Preference pane, and the "General" tab. Make sure that "immediately" is selected after “Require password”. Also, make sure that there is a check in front of "Require password immediately after sleep or screen saver begins" and also "Disable automatic login".
- Make your KeyChain password different from your login account password (Applications:Utilities:KeyChain
Access/Utility). From the Edit menu, select "Change password for keychain
'login'". This may cause you to be asked for your KeyChain password more
frequently.
- You probably don't need to turn on FileVault (the "FileVault" tab
of the Security System Preferences pane),
but you might need to turn it on if you have files that require additional
securing (more information on FileVault in "Additional Steps", below).
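A command-line check of the automatic-login, login-window and screen-saver password items above, as an added example that is not part of the original checklist. It assumes these settings are stored under the `com.apple.loginwindow` and `com.apple.screensaver` preference keys named in the comments; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the login and screen-lock settings from the checklist.
# The eval_* functions take the raw output of `defaults read` as arguments,
# so the pass/fail logic can be exercised anywhere; only audit() needs a Mac.

# Assumption: autoLoginUser is absent when automatic login is disabled.
eval_autologin() {
    if [ -z "$1" ]; then echo "PASS automatic login disabled"
    else echo "FAIL automatic login enabled for user: $1"; fi
}

# Assumption: SHOWFULLNAME = 1 means "Display login window as: Name and password".
eval_loginwindow() {
    case "$1" in
        1|true|YES) echo "PASS login window asks for name and password" ;;
        *)          echo "FAIL login window not set to name and password" ;;
    esac
}

# Assumption: askForPassword = 1 with askForPasswordDelay = 0 is "immediately".
eval_screenlock() {
    ask=$1; delay=${2%%.*}          # strip a fractional part such as "0.0"
    if [ "$ask" != "1" ]; then
        echo "FAIL no password required after sleep or screen saver"
    elif [ "$delay" != "0" ]; then
        echo "FAIL password delay is '${2:-not set}', expected 0"
    else
        echo "PASS password required immediately"
    fi
}

audit() {
    lw=/Library/Preferences/com.apple.loginwindow
    ss=com.apple.screensaver
    eval_autologin   "$(defaults read "$lw" autoLoginUser 2>/dev/null)"
    eval_loginwindow "$(defaults read "$lw" SHOWFULLNAME 2>/dev/null)"
    eval_screenlock  "$(defaults read "$ss" askForPassword 2>/dev/null)" \
                     "$(defaults read "$ss" askForPasswordDelay 2>/dev/null)"
}

# Run the audit only where the `defaults` tool exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then audit; fi
```

Run it from Terminal as the user whose screen-saver setting you want to check; any line starting with FAIL points back to the matching checklist item.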
Additional steps if your computer stores or accesses private data
- In the Bluetooth System Preference pane,
click on "Turn Bluetooth Off". If you need to use
Bluetooth for wireless mice or keyboards then keep Bluetooth "On", but do
not check "Discoverable".
- Use the "Secure Empty Trash" option from the Finder's File menu to delete confidential data.
- Enter a "master password" for FileVault in the "Security" System Preferences (this is under the FileVault tab in OSX 10.5 and 10.6). This password is used to unlock any account encrypted with FileVault if the password is forgotten. Note: FileVault encrypts your home directory when you log out. We do not recommend enabling FileVault unless you have private data on your computer. FileVault can slow down your computer and creates some risk of making your data unavailable. Rather than using FileVault we recommend using Disk Utility to create a secure disk image. This is a disk image file that requires a password to mount the disk on the Desktop. ITSS can help you create secure disk images. There is no master password in 10.8; it is all set up with login info and a recovery key.
- Set a firmware password: If someone has physical access to your
Mac they can access your files by starting the Mac from a CD and can change
any of the passwords on your Mac. If you have private data on your computer
you should set a firmware password. This will prevent others from starting
your Mac from an external device and changing your passwords. Keep in mind
that even the Open Firmware password can be disabled if someone has access
to the inside of your Mac. Most Macintoshes have a locking mechanism that
would prevent someone from opening up your Macintosh computer's case. ITSS
can help you set an Open Firmware password and physically secure your Mac.
- Set a secure password for the disabled "root" account. The high-level "root" account
in OSX is disabled by default, but does not have a password set for it. You
want it to be disabled, but it's more secure if it has a password set.
OSX 10.5 users • Run Directory Utility located in Applications/Utilities. Click the lock in the Directory Utility window and enter your administrator account name and password. From the Edit menu on the menu bar, choose Enable Root User. Enter a secure (not easy to guess) password that's different from your other passwords and click OK. Choose Disable Root User from the Edit menu and quit Directory Utility.
OSX 10.6 users • Directory Utility is located in /System/Library/CoreServices.
OSX 10.8 users • In the “Users & Groups” System Preferences pane, click on the "Lock" icon and then click on "Login Options" (above the "Lock" icon). Then, click on “Join” (at the bottom after “Network Account Server”). Next, click on “Open Directory Utility” and then click on the “Lock” icon. Open the Edit menu, where either “Enable Root User” or “Disable Root User” will be listed. If “Enable Root User” is listed then choose it and enter a secure (not easy to guess) password that's different from your other passwords and click OK. Choose Disable Root User from the Edit menu and quit Directory Utility.
Security tools and utilities
Following are tools and utilities that provide additional security, depending on your computing needs.
- VPN - Secure off-campus or wireless connection.