Thursday, March 22, 2007

Securing your Mac: benchmarks and guides

While Macs aren't as heavily used in the corporate world as Windows and Unix systems, they've been steadily penetrating the security world over the past few years. Where security conferences used to be dominated by IBM and Dell, these days a quick visual survey shows a high percentage of Macbooks and Macbook Pros.

For those of us who use a Mac, securing MacOS is an interesting topic. It is regularly claimed to be safer than Windows or other Unix/BSD systems, but that doesn't mean we can ignore locking down our systems. There are some good tips and tweaks out there.

As with any lockdown guide, you should review your usage and needs against the assumptions of the guide. If you are doing this for yourself, you may not need to formalize the process. If you are building a lockdown process or security benchmark for an organization, you will need to document what sections you retained and which sections you discarded, and possibly why. You will also need an exceptions process if you will allow exceptions, and a means of properly documenting alternate acceptable configurations.

So how about some lockdown guides?

Apple's guide is available at
Fair warning, this is a 167 page PDF

The CIS standards are available at: - note that unlike other popular operating systems, the CIS benchmark is only available at level 1 (a "prudent level of minimum due care"), and that there is no automated tool for benchmarking.

The NSA released an updated guide for 10.4, available at

What about NIST you ask? Their linked guides are outdated. Check out the configurations above for a more current checklist.

No comments: