Mac OS X Server Security Configuration
For Mac OS X Server Version 10.6
© 2010 Apple Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014
408-996-1010
www.apple.com

The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AirPort, Bonjour, FileVault, FireWire, iCal, iChat, iMac, iSight, iTunes, Keychain, Mac, Mac OS, QuickTime, Safari, Snow Leopard, Spotlight, Tiger, Time Machine, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

Apple Remote Desktop, Finder, and QuickTime Broadcaster are trademarks of Apple Inc.

MobileMe is a service mark of Apple Inc.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

Intel, Intel Core, and Xeon are trademarks of Intel Corp. in the U.S. and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

UNIX is a registered trademark of The Open Group.

This product includes software developed by the University of California, Berkeley, FreeBSD, Inc., The NetBSD Foundation, Inc., and their respective contributors.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

019-1875/2010-06
Contents

Preface: About This Guide
  Audience
  What's in This Guide
  Using This Guide
  Using Onscreen Help
  Snow Leopard Server Administration Guides
  Viewing PDF Guides on Screen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information
  Acknowledgments

Chapter 1: Introduction to Snow Leopard Server Security Architecture
  Security Architectural Overview
  UNIX Infrastructure
  Access Permissions
  Security Framework
  Layered Security Defense
  Network Security
  Credential Management
  Public Key Infrastructure (PKI)
  What's New in Snow Leopard Server Security
  Existing Security Features in Snow Leopard Server
  Signed Applications
  Mandatory Access Controls
  Sandboxing
  Managed User Accounts
  Enhanced Quarantining
  Memory and Runtime Protection
  Securing Sharing and Collaborative Services
  Service Access Control Lists
  VPN Compatibility and Integration
  Extended Validation Certificates
  Wildcard in Identity Preferences
  Enhanced Command-Line Tools
  FileVault and Encrypted Storage
  Encrypted Disk Image Cryptography
  Smart Card Support for Unlocking Encrypted Storage
  Enhanced Safari 4.0 Security

Chapter 2: Installing Snow Leopard Server
  Installation Overview
  Preparing an Administrator Computer
  Setting Up Network Infrastructure
  Starting Up for Installation
  Starting Up from the Install DVD
  Starting Up from an Alternate Partition
  Starting Up from a NetBoot Environment
  Remote Access During Installation
  Server Admin During Installation
  SSH During Installation
  VNC During Installation
  About Default Installation Passwords
  Preparing Disks for Installing Snow Leopard Server
  Securely Erasing a Disk for Installation
  Installing Server Software
  Enabling the Firewall
  Applying Software and Security Updates
  Updating from an Internal Software Update Server
  Updating from Internet Software Update Servers
  Updating Manually from Installer Packages
  Verifying the Integrity of Software
  Setting Up Services and Users
  About Settings Established During Server Setup
  Enabling the Firmware Password

Chapter 3: Securing System Hardware
  Protecting Hardware
  Preventing Wireless Eavesdropping
  Understanding Wireless Security Challenges
  About OS Components
  Removing Wi-Fi Support Software
  Removing Bluetooth Support Software
  Removing IR Support Software
  Removing Audio Support Software
  Removing Video Recording Support Software
  Preventing Data Port Access
  Removing USB Support Software
  Removing FireWire Support Software
  System Hardware Modifications

Chapter 4: Securing Global System Settings
  Securing System Startup
  Using the Firmware Password Utility
  Using Command-Line Tools for Secure Startup
  Configuring Access Warnings
  Enabling Access Warnings for the Login Window
  Understanding the AuthPlugin Architecture
  The BannerSample Project
  Enabling Access Warnings for the Command Line
  Turning On File Extensions

Chapter 5: Securing Local Server Accounts
  Types of User Accounts
  Guidelines for Creating Accounts
  Defining User IDs
  Securing the Guest Account
  Securing Nonadministrator Accounts
  Securing External Accounts
  Protecting Data on External Volumes
  Securing Directory-Based Accounts
  Avoiding Simultaneous Local Account Access
  Securing Administrator Accounts
  About Tiered Administration Permissions
  Defining Administrative Permissions
  Avoiding Shared Administrator Accounts
  Securing the Directory Domain Administrator Account
  Changing Special Authorizations for System Functions
  Securing the System Administrator Account
  Restricting sudo Usage
  Understanding Directory Domains
  Understanding Network Services, Authentication, and Contacts
  Configuring LDAPv3 Access
  Configuring Active Directory Access
  Using Strong Authentication
  Using Password Assistant to Generate or Analyze Passwords
  Using Smart Cards
  Using Tokens
  Using Biometrics
  Setting Global Password Policies
  Storing Credentials in Keychains
  Using the Default User Keychain
  Creating Additional Keychains
  Securing Keychains and Their Items
  Using Smart Cards as Keychains
  Using Portable and Network Keychains

Chapter 6: Securing System Preferences
  System Preferences Overview
  Securing MobileMe Preferences
  Securing Accounts Preferences
  Securing Appearance Preferences
  Securing Bluetooth Preferences
  Securing CDs & DVDs Preferences
  Securing Date & Time Preferences
  Securing Desktop & Screen Saver Preferences
  Securing Display Preferences
  Securing Dock Preferences
  Securing Energy Saver Preferences
  Securing Exposé & Spaces Preferences
  Securing Language & Text Preferences
  Securing Keyboard Preferences
  Securing Mouse Preferences
  Securing Bluetooth Settings
  Restricting Access to Specified Users
  Securing Network Preferences
  Disabling Unused Hardware Devices
  Securing Print & Fax Preferences
  Securing Security Preferences
  General Security
  FileVault Security
  Securing Sharing Preferences
  Securing Software Update Preferences
  Securing Sound Preferences
  Securing Speech Preferences
  Securing Spotlight Preferences
  Securing Startup Disk Preferences
  Securing Time Machine Preferences
  Securing Universal Access Preferences

Chapter 7: Securing System Swap and Hibernation Storage
  System Swap File Overview
  Encrypting System Swap

Chapter 8: Securing Data and Using Encryption
  About Transport Encryption
  About Payload Encryption
  About File and Folder Permissions
  Setting POSIX Permissions
  Viewing POSIX Permissions
  Interpreting POSIX Permissions
  Modifying POSIX Permissions
  Setting File and Folder Flags
  Viewing Flags
  Modifying Flags
  Setting ACL Permissions
  Enabling ACL Permissions
  Modifying ACL Permissions
  Changing Global Umask for Stricter Default Permissions
  Restricting Setuid Programs
  Securing User Home Folders
  Encrypting Home Folders
  Overview of FileVault
  Managing FileVault
  Managing the FileVault Master Keychain
  Encrypting Portable Files
  Creating an Encrypted Disk Image
  Creating an Encrypted Disk Image from Existing Data
  Creating Encrypted PDFs
  Securely Erasing Data
  Configuring Finder to Always Securely Erase
  Using Disk Utility to Securely Erase a Disk or Partition
  Using Command-Line Tools to Securely Erase Files
  Using Secure Empty Trash
  Using Disk Utility to Securely Erase Free Space
  Using Command-Line Tools to Securely Erase Free Space
  Deleting Permanently from Time Machine Backups

Chapter 9: Managing Certificates
  Understanding Public Key Infrastructure
  Public and Private Keys
  Certificates
  About Identities
  Self-Signed Certificates
  About Intermediate Trust
  Certificate Manager in Server Admin
  Readying Certificates
  Creating a Self-Signed Certificate
  Storing the Private Key
  Requesting a Certificate from a CA
  Creating a CA
  Importing a Certificate Identity
  Managing Certificates
  Editing a Certificate
  Distributing a CA Public Certificate to Clients
  Deleting a Certificate
  Renewing an Expiring Certificate
  Replacing an Existing Certificate

Chapter 10: Setting General Protocols and Access to Services
  Setting General Protocols
  Disabling NTP Service
  Disabling SNMP
  Enabling SSH
  About Remote Management (ARD)
  Remote Management Best Practices
  Limiting Remote Management Access
  Disabling Remote Management Access
  Remote Apple Events (RAE)
  Restricting Access to Specific Users
  Setting the Server's Host Name
  Setting the Date and Time
  Setting Up Certificates
  Setting Service Access Control Lists (SACLs)

Chapter 11: Securing Remote Access Services
  Securing Remote SSH Login
  Configuring SSH
  Modifying the SSH Configuration File
  Generating Key Pairs for Key-Based SSH Connections
  Updating SSH Key Fingerprints
  Controlling Access to SSH
  SSH Man-in-the-Middle Attacks
  Transferring Files Using SFTP
  Securing VPN Service
  VPN and Security
  Configuring L2TP/IPSec Settings
  Configuring PPTP Settings
  VPN Authentication Method
  Using VPN Service with Users in a Third-Party LDAP Domain
  Offering SecurID Authentication with VPN Service
  Encrypting Observe and Control Network Data
  Encrypting Network Data During File Copy and Package Installations

Chapter 12: Securing Network Infrastructure Services
  Using IPv6 Protocol
  IPv6-Enabled Services
  Securing DHCP Service
  Disabling Unnecessary DHCP Services
  Configuring DHCP Services
  Assigning Static IP Addresses Using DHCP
  Securing DNS Service
  Understanding BIND
  Turning Off Zone Transfers
  Disabling Recursion
  Preventing Some DNS Attacks
  Securing NAT Service
  Configuring Port Forwarding
  Disabling NAT Port Mapping Protocol
  Securing Bonjour (mDNS)

Chapter 13: Configuring the Firewall
  About Firewall Protection
  Planning Firewall Setup
  Configuring the Firewall Using Server Admin
  Starting Firewall Service
  Creating an IP Address Group
  Creating Firewall Service Rules
  Creating Advanced Firewall Rules
  Enabling Stealth Mode
  Viewing the Firewall Service Log
  Configuring the Firewall Manually
  Understanding IPFW Rulesets

Chapter 14: Securing Collaboration Services
  Securing iCal Service
  Disabling iCal Service
  Viewing iCal Service Logs
  Securing iChat Service
  Disabling iChat Service
  Securely Configuring iChat Service
  Viewing iChat Service Logs
  Securing Wiki Service
  Disabling Wiki Service
  Securely Configuring Wiki Services
  Viewing Wiki Service Logs
  Securing Podcast Producer Service
  Disabling Podcast Producer Service
  Securely Configuring Podcast Producer Service
  Viewing Podcast Producer Service Logs

Chapter 15: Securing Mail Service
  Disabling Mail Service
  Configuring Mail Service for SSL
  Enabling Secure Mail Transport with SSL
  Enabling Secure POP Authentication
  Configuring SSL Transport for POP Connections
  Enabling Secure IMAP Authentication
  Configuring SSL Transport for IMAP Connections
  Enabling Secure SMTP Authentication
  Configuring SSL Transport for SMTP Connections
  Using ACLs for Mail Service Access
  Limiting Junk Mail and Viruses
  Connection Control
  Filtering SMTP Connections
  Mail Screening
  Viewing Mail Service Logs

Chapter 16: Securing Antivirus Services
  Securely Configuring and Managing Antivirus Services
  Enabling Virus Scanning
  Managing ClamAV with ClamXav
  Viewing Antivirus Services Logs

Chapter 17: Securing File Services and Sharepoints
  Security Considerations
  Restricting Access to File Services
  Restricting Access to Everyone
  Restricting Access to NFS Share Points
  Restricting Guest Access
  Restricting File Permissions
  Protocol Security Comparison
  Disabling File Sharing Services
  Choosing a File Sharing Protocol
  Configuring AFP File Sharing Service
  Configuring FTP File Sharing Service
  Configuring NFS File Sharing Service
  Configuring SMB File Sharing Service
  Configuring Share Points
  Disabling Share Points
  Restricting Access to a Share Point
  AFP Share Points
  SMB Share Points
  FTP Share Points
  NFS Share Points

Chapter 18: Securing Web Service
  Disabling Web Service
  Managing Web Modules
  Disabling Web Options
  Using Realms to Control Access
  Enabling Secure Sockets Layer (SSL)
  Using a Passphrase with SSL Certificates
  Viewing Web Service Logs
  Securing WebDAV
  Securing Blog Services
  Disabling Blog Services
  Securely Configuring Blog Services
  Securing Tomcat
  Securing MySQL
  Disabling MySQL Service
  Setting Up MySQL Service
  Viewing MySQL Service and Admin Logs

Chapter 19: Securing Client Configuration Management Services
  Managing Applications Preferences
  Controlling User Access to Applications and Folders
  Allowing Specific Dashboard Widgets
  Disabling Front Row
  Allowing Legacy Users to Open Applications and Folders
  Managing Dock Preferences
  Managing Energy Saver Preferences
  Managing Finder Preferences
  Managing Login Preferences
  Managing Media Access Preferences
  Managing Mobility Preferences
  Managing Network Preferences
  Managing Parental Controls Preferences
  Hiding Profanity in Dictionary
  Preventing Access to Adult Websites
  Allowing Access Only to Specific Websites
  Setting Time Limits and Curfews on Computer Usage
  Managing Printing Preferences
  Managing Software Update Preferences
  Managing Access to System Preferences
  Managing Universal Access Preferences
  Enforcing Policy

Chapter 20: Securing NetBoot Service
  Securing NetBoot Service
  Disabling NetBoot Service
  Limit NetBoot Service Clients
  Viewing NetBoot Service Logs

Chapter 21: Securing Software Update Service
  Disabling Software Update Service
  Limiting Automatic Update Availability
  Viewing Software Update Service Logs

Chapter 22: Securing Network Accounts
  About Open Directory and Active Directory
  Securing Directory Accounts
  Configuring Directory User Accounts
  Configuring Group Accounts
  Configuring Computer Groups
  Controlling Network Views

Chapter 23: Securing Directory Services
  Open Directory Server Roles
  Configuring the Open Directory Services Role
  Starting Kerberos After Setting Up an Open Directory Master
  Configuring Open Directory for SSL
  Configuring Open Directory Policies
  Setting the Global Password Policy
  Setting a Binding Policy for an Open Directory Master and Replicas
  Setting a Security Policy for an Open Directory Master and Replicas

Chapter 24: Securing RADIUS
  Disabling RADIUS
  Securely Configuring RADIUS Service
  Configuring RADIUS to Use Certificates
  Editing RADIUS Access
  Viewing RADIUS Service Logs

Chapter 25: Securing Print Service
  Disabling Print Service
  Securing Print Service
  Configuring Print Service Access Control Lists (SACLs)
  Configuring Kerberos
  Configuring Print Queues
  Viewing Print Service and Queue Logs

Chapter 26: Securing Multimedia Services
  Disabling QTSS
  Securely Configuring QTSS
  Configuring a Streaming Server
  Serving Streams Through Firewalls Using Port 80
  Streaming Through Firewalls or Networks with Address Translation
  Changing the Password Required to Send an MP3 Broadcast Stream
  Using Automatic Unicast (Announce) with QTSS on a Separate Computer
  Controlling Access to Streamed Media
  Viewing QTSS Logs

Chapter 27: Securing Grid and Cluster Computing Services
  Understanding Xgrid Service
  Disabling Xgrid Service
  About Authentication Methods for Xgrid
  Single Sign-On
  Password-Based Authentication
  No Authentication
  Securely Configuring Xgrid Service
  Disabling the Xgrid Agent
  Limiting the Xgrid Agent
  Configuring an Xgrid Controller

Chapter 28: Managing Who Can Obtain Administrative Privileges (sudo)
  Managing the sudoers File

Chapter 29: Managing Authorization Through Rights
  Understanding the Policy Database
  The Rights Dictionary
  Rules
  Managing Authorization Rights
  Creating an Authorization Right
  Modifying an Authorization Right
  Example Authorization Restrictions

Chapter 30: Maintaining System Integrity
  Using Digital Signatures to Validate Applications and Processes
  Validating Application Bundle Integrity
  Validating Running Processes
  Auditing System Activity
  Installing Auditing Tools
  Enabling Auditing
  Setting Audit Mechanisms
  Using Auditing Tools
  Using the audit Tool
  Using the auditreduce Tool
  Using the praudit Tool
  Deleting Audit Records
  Audit Control Files
  Managing and Analyzing Audit Log Files
  Using Activity Analysis Tools
  Validating System Logging
  Configuring syslogd
  Local System Logging
  Remote System Logging
  Viewing Logs in Server Admin

Appendix A: Understanding Passwords and Authentication
  Password Types
  Authentication and Authorization
  Open Directory Passwords
  Shadow Passwords
  Crypt Passwords
  Offline Attacks on Passwords
  Password Guidelines
  Creating Complex Passwords
  Using an Algorithm to Create a Complex Password
  Safely Storing Your Password
  Password Maintenance
  Authentication Services
  Determining Which Authentication Option to Use
  Password Policies
  Single Sign-On Authentication
  Kerberos Authentication
  Smart Card Authentication

Appendix B: Security Checklist
  Installation Action Items
  Hardware and Core Snow Leopard Server Action Items
  Global Settings for Snow Leopard Server Action Items
  Account Configuration Action Items
  System Software Action Items
  MobileMe Preferences Action Items
  Accounts Preferences Action Items
  Appearance Preferences Action Items
  Bluetooth Preferences Action Items
  CDs & DVDs Preferences Action Items
  Exposé & Spaces Preferences Action Items
  Date & Time Preferences Action Items
  Desktop & Screen Saver Preferences Action Items
  Display Preferences Action Items
  Dock Preferences Action Items
  Energy Saver Preferences Action Items
  Keyboard and Mouse Preferences Action Items
  Network Preferences Action Items
  Print & Fax Preferences Action Items
  QuickTime Preferences Action Items
  Security Preferences Action Items
  Sharing Preferences Action Items
  Software Update Preferences Action Items
  Sound Preferences Action Items
  Speech Preferences Action Items
  Spotlight Preferences Action Items
  Startup Disk Preferences Action Items
  Time Machine Preferences Action Items
  Data Maintenance and Encryption Action Items
  Account Policies Action Items
  Share Points Action Items
  Account Configuration Action Items
  Applications Preferences Action Items
  Dock Preferences Action Items
  Energy Saver Preferences Action Items
  Finder Preferences Action Items
  Login Preferences Action Items
  Media Access Preferences Action Items
  Mobility Preferences Action Items
  Network Preferences Action Items
  Printing Preferences Action Items
  Software Update Preferences Action Items
  Access to System Preferences Action Items
  Universal Access Preferences Action Items
  Certificates Action Items
  General Protocols and Service Access Action Items
  Remote Access Services Action Items
  Network and Host Access Services Action Items
  IPv6 Protocol Action Items
  DHCP Service Action Items
  DNS Service Action Items
  Firewall Service Action Items
  NAT Service Action Items
  Bonjour Service Action Items
  Collaboration Services Action Items
  Mail Service Action Items
  File Services Action Items
  AFP File Sharing Service Action Items
  FTP File Sharing Service Action Items
  NFS File Sharing Service Action Items
  SMB Action Items
  Web Service Action Items
  Client Configuration Management Services Action Items
  Directory Services Action Items
  Print Service Action Items
  Multimedia Services Action Items
  Grid and Cluster Computing Services Action Items
  Validating System Integrity Action Items

Appendix C: Scripts
Preface
About This Guide

Use this guide as an overview of Mac OS X v10.6 Snow Leopard Server security features that can enhance security on your computer.

This guide gives instructions for securing Snow Leopard Server, and for securely managing servers and clients in a networked environment. It also provides information about the many roles Snow Leopard Server can assume in a network.
Audience

Administrators of server computers running Snow Leopard Server are the intended audience for this guide.

If you're using this guide, you should be an experienced Snow Leopard Server user, be familiar with the Workgroup Manager and Server Admin applications, and have at least some experience using the Terminal application's command-line interface.

You should also have experience administering a network, be familiar with basic networking concepts, and be familiar with the Snow Leopard Server administration guides.

Some instructions in this guide are complex, and deviation from them could result in serious adverse effects on the server and its security. These instructions should only be used by experienced Snow Leopard Server administrators, and should be followed by thorough testing.
What's in This Guide

This guide explains how to secure servers and securely manage server and client computers in a networked environment. It does not provide information about securing clients. For help with securing computers running Snow Leopard, see Mac OS X Security Configuration.

This guide cannot cover all possible network configurations in which Snow Leopard Server might be used. Good network security and design must be used for this information to be effective, and anyone using this guide needs to be familiar
This guide includes the following chapters, arranged in the order that you're likely to need them when securely configuring a server.

• Chapter 1, "Introduction to Snow Leopard Server Security Architecture," provides an overview of the security architecture and features of Snow Leopard Server. This chapter describes the security framework, access permissions, built-in security services, and directory services.
• Chapter 2, "Installing Snow Leopard Server," describes how to securely install Snow Leopard Server locally or remotely. This chapter also includes information about updating system software, verifying the integrity of software, repairing disk permissions, and securely erasing data.
• Chapter 3, "Securing System Hardware," describes how to physically protect your hardware from attacks.
• Chapter 4, "Securing Global System Settings," describes how to secure settings that affect all users of the computer.
• Chapter 5, "Securing Local Server Accounts," describes the types of user accounts and how to securely configure an account. This includes securing accounts using strong authentication.
• Chapter 6, "Securing System Preferences," helps you configure local server accounts securely. This includes the secure configuration of local system preferences, setting up strong authentication and credential storage, and securing data.
• Chapter 7, "Securing System Swap and Hibernation Storage," describes how to keep sensitive information written to system swap and hibernation space from being recovered, by encrypting system swap.
• Chapter 8, "Securing Data and Using Encryption," describes how to encrypt data and how to use Secure Erase to ensure old data is completely removed.
• Chapter 9, "Managing Certificates," describes how to generate, request, and deploy certificates.
• Chapter 10, "Setting General Protocols and Access to Services," helps you configure general network management protocols and restrict access to other services.
• Chapter 11, "Securing Remote Access Services," tells you how to create remote connections to your server using encryption.
• Chapter 12, "Securing Network Infrastructure Services," explains how to securely configure the infrastructure services that connect client computers: IPv6, DHCP, DNS, NAT, and Bonjour.
• Chapter 13, "Configuring the Firewall," describes how to configure the IPFW2 firewall.
• Chapter 14, "Securing Collaboration Services," describes how to securely configure iChat, iCal, Wiki, and Podcast Producer services.
• Chapter 15, "Securing Mail Service," explains how to set up mail service to use encryption and filter for spam and viruses.
• Chapter 16, "Securing Antivirus Services," describes how to enable and manage
• Chapter 17, "Securing File Services and Sharepoints," explains how to configure file services to enable secure data sharing.
• Chapter 18, "Securing Web Service," describes how to set up a web server and secure web settings and components.
• Chapter 19, "Securing Client Configuration Management Services," helps you set policies and enforce them using Workgroup Manager.
• Chapter 20, "Securing NetBoot Service," tells you how to configure NetBoot securely to provide images to clients.
• Chapter 21, "Securing Software Update Service," describes how to securely configure software update services.
• Chapter 22, "Securing Network Accounts," describes security settings related to managed user and group accounts.
• Chapter 23, "Securing Directory Services," explains how to configure Open Directory service roles and password policies.
• Chapter 24, "Securing RADIUS," tells how to securely configure RADIUS.
• Chapter 25, "Securing Print Service," explains how to set up print queues and banner pages.
• Chapter 26, "Securing Multimedia Services," provides security information to configure a streaming server.
• Chapter 27, "Securing Grid and Cluster Computing Services," explains how to securely configure an Xgrid agent and controller.
• Chapter 28, "Managing Who Can Obtain Administrative Privileges (sudo)," describes how to restrict access to the sudo command.
• Chapter 29, "Managing Authorization Through Rights," explains the policy database and how to control authorization by managing rights in the policy database.
• Chapter 30, "Maintaining System Integrity," describes how to use security audits and logging to validate the integrity of your server and data.
• Appendix A, "Understanding Passwords and Authentication," describes Open Directory authentication, shadow and crypt passwords, Kerberos, LDAP bind, and single sign-on.
• Appendix B, "Security Checklist," provides a checklist that guides you through securing your server.
• Appendix C, "Scripts," provides command-line commands and scripts for securing your server.

Note: Because Apple frequently releases new versions and updates to its software,
Using This Guide

The following list contains suggestions for using this guide:

• Read the guide in its entirety. Subsequent sections might build on information and recommendations discussed in prior sections.
• The instructions in this guide should always be tested in a nonoperational environment before deployment. This nonoperational environment should simulate, as much as possible, the environment where the computer will be deployed.
• This information is intended for computers running Snow Leopard Server. Before securely configuring a server, determine what function that particular server will perform and apply security configurations where applicable.
• Use the security checklist in Appendix B to track and record each security task and note what settings you changed. This information can be helpful when developing a security standard within your organization.

Important: Any deviation from this guide should be evaluated to determine what security risks it might introduce. Take measures to monitor or mitigate those risks.
Using Onscreen Help

You can get task instructions on screen in Help Viewer while you're managing Snow Leopard Server. You can view help on a server or an administrator computer. (An administrator computer is a computer running Snow Leopard Server with the server administration tools installed.)

To get help for an advanced configuration of Snow Leopard Server:
Open Server Admin or Workgroup Manager and then:
• Use the Help menu to search for a task you want to perform.
• Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse and search the help topics.

The onscreen help contains instructions taken from the advanced administration guides described in "Snow Leopard Server Administration Guides," next.

To see the most recent server help topics:
Make sure the server or administrator computer is connected to the Internet while you're getting help.

Help Viewer automatically retrieves and caches the most recent server help topics from the Internet. When not connected to the Internet, Help Viewer displays cached
Snow Leopard Server Administration Guides

Getting Started covers installation and setup for standard and workgroup configurations of Snow Leopard Server. For advanced configurations, Advanced Server Administration covers planning, installation, setup, and general server administration.

A suite of additional guides covers advanced planning, setup, and management of individual services. You can get these guides in PDF format from the Snow Leopard Server documentation website:
www.apple.com/server/macosx/resources/documentation.html
Viewing PDF Guides on Screen

While reading the PDF version of a guide on screen:

• Show bookmarks to see the guide's outline, and click a bookmark to jump to the corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.
Printing PDF Guides

If you want to print a guide, you can take these steps to save paper and ink:

• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If you're using Mac OS X v10.4 Tiger or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.)

You may want to enlarge the printed pages even if you don't print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup
Getting Documentation Updates

Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.

• To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click "Latest help topics" or "Staying current" in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server documentation website:
  www.apple.com/server/resources/
• An RSS feed listing the latest updates to Mac OS X Server documentation and onscreen help is available. To view the feed, use an RSS reader application, such as Safari or Mail:
  feed://helposx.apple.com/rss/snowleopard/serverdocupdates.xml
Getting Additional Information

For more information, consult these resources:

• Read Me documents—get important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx)—enter the gateway to extensive product and technology information.
• Snow Leopard Server Support website (www.apple.com/support/macosxserver)—access hundreds of articles from Apple's support organization.
• Apple Discussions website (discussions.apple.com)—share questions, knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com)—subscribe to mailing lists so you can communicate with other administrators using email.
• Apple Training and Certification website (www.apple.com/training)—hone your server administration skills with instructor-led or self-paced training, and differentiate yourself with certification.
• Apple Product Security Mailing Lists website (lists.apple.com/mailman/listinfo/security-announce/)—subscribe to receive Apple security notifications and announcements by email.
• Open Source website (developer.apple.com/darwin/)—access to Darwin open source code, developer information, and FAQs.
• Apple Product Security website (www.apple.com/support/security/)—access to
Foradditionalsecurity-specificinformation,consulttheseresources:
 NSAsecurityconfigurationguides(www.nsa.gov/snac/)—TheNationalSecurity
Agency(NSA)providesinformationaboutsecurelyconfiguringproprietaryandopen
sourcesoftware.
 NISTSecurityConfigurationChecklistsRepository(checklists.nist.gov/repository/
category.html)—ThisistheNationalInstituteofStandardsandTechnology(NIST)
repositoryforsecurityconfigurationchecklists.
 DISASecurityTechnicalImplementationGuide(www.disa.mil/gs/dsn/policies.html)— ThisistheDefenseInformationSystemsAgency(DISA)guideforimplementing
securegovernmentnetworks.ADepartmentofDefense(DoD)PKICertificateis
requiredtoaccessthisinformation.
 CISBenchmarkandScoringTool(www.cisecurity.org/bench_osx.html)—Thisisthe
CenterforInternetSecurity(CIS)benchmarkandscoringtoolusedtoestablishCIS
benchmarks.
Acknowledgments
Apple would like to thank the NSA, NIST, and DISA for their assistance in contributing
1 Introduction to Snow Leopard Server Security Architecture
Use this chapter to learn about the features in Snow Leopard Server that can enhance security on your computer.
Whether you’re a home user with a broadband Internet connection, a professional with a mobile computer, or an IT manager with thousands of networked systems, you need to safeguard the confidentiality of information and the integrity of your computers. Snow Leopard Server implements a security strategy that is central to the design of the operating system. To enhance security on your computer, Snow Leopard Server provides the following features.
• Modern security architecture. Snow Leopard includes state-of-the-art, standards-based technologies that enable Apple and third-party developers to build secure software for the Mac. These technologies support all aspects of system, data, and networking security required by today’s applications.
• Secure default settings. When you take your Mac out of the box, it is securely configured to meet the needs of most common environments, so you don’t need to be a security expert to set up your computer. The default settings make it very difficult for malicious software to infect your computer. You can further configure security on the computer to meet organizational or user requirements.
• Innovative security applications. Snow Leopard includes features that take the worry out of using a computer. For example, FileVault protects your documents by using strong encryption, an integrated VPN client gives you secure access to networks over the Internet, and a powerful firewall secures your home network.
• Open source foundation. Open source methodology makes Snow Leopard a robust, secure operating system, because its core components have been subjected to peer review for decades. Problems can be quickly identified and fixed by Apple and the
• Rapid response. Because the security of your computer is important, Apple responds rapidly to provide patches and updates. Apple works with worldwide partners, including the Computer Emergency Response Team (CERT), to notify users of potential threats. If vulnerabilities are discovered, the built-in Software Update tool notifies users of security updates, which are available for easy retrieval and installation.
Security Architectural Overview
Snow Leopard Server security services are built on two open source standards:
• Berkeley Software Distribution (BSD): BSD is a form of UNIX that provides fundamental services, including the Snow Leopard Server file system and file access permissions.
• Common Data Security Architecture (CDSA): CDSA provides an array of security services, including more specific access permissions, authentication of user identities, encryption, and secure data storage.
UNIX Infrastructure
The Snow Leopard Server kernel—the heart of the operating system—is built from BSD and Mach.
Among other things, BSD provides basic file system and networking services and implements a user and group identification scheme. BSD enforces access restrictions to files and system resources based on user and group IDs.
Mach provides memory management, thread control, hardware abstraction, and interprocess communication. Mach enforces access by controlling which tasks can send a message to a Mach port. (A Mach port represents a task or some other resource.) BSD security policies and Mach access permissions constitute an essential part of security in Snow Leopard Server, and are critical to enforcing local security.
Access Permissions
An important aspect of computer security is the granting or denying of access permissions (sometimes called access rights). A permission is the ability to perform a specific operation, such as gaining access to data or executing code.
Permissions are granted at the level of folders, subfolders, files, or applications. Permissions are also granted for specific data in files or application functions. Permissions in Snow Leopard Server are controlled at many levels, from the Mach and BSD components of the kernel through higher levels of the operating system,
Authorization Versus Authentication
Authorization is the process by which an entity, such as a user or a computer, obtains the right to perform a restricted operation. Authorization can also refer to the right itself, as in “Anne has the authorization to run that program.” Authorization usually involves authenticating the entity and then determining whether it has the correct permissions.
Authentication is the process by which an entity (such as the user) demonstrates that it is who it claims to be. For example, when a user enters a password that only he or she could know, the system can authenticate that user. Authentication is normally done as a step in the authorization process. Some applications and operating system components perform their own authentication. Authentication might use authorization services when necessary.
Security Framework
The security framework in Snow Leopard is an implementation of the CDSA architecture. It contains an expandable set of cryptographic algorithms to perform code signing and encryption operations while maintaining the security of the cryptographic keys. It also contains libraries that allow the interpretation of X.509 certificates.
The CDSA code is used by Snow Leopard features such as Keychain and URL Access for protection of login data.
Apple built the foundation of Snow Leopard and many of its integrated services with open source software—such as FreeBSD, Apache, and Kerberos, among others—that has been made secure through years of public scrutiny by developers and security experts around the world.
Strong security is a benefit of open source software because anyone can inspect the source code, identify theoretical vulnerabilities, and take steps to strengthen the software.
Apple actively participates with the open source community by routinely releasing updates of Snow Leopard Server that are subject to independent developers’ ongoing review—and by incorporating improvements. An open source software development approach provides the transparency necessary to increase Snow Leopard Server
Layered Security Defense
Snow Leopard Server security is built on a layered defense for maximum protection. Security features such as the following provide solutions for securing data at all levels, from the operating system and applications to networks and the Internet.
• Secure worldwide communication: Firewall and mail filtering help prevent malicious software from compromising your computer.
• Secure applications: Encrypted Disk Images and FileVault help prevent intruders from viewing data on your computer.
• Secure network protocols: Secure Sockets Layer (SSL) is a protocol that helps prevent intruders from viewing information exchanged across a network, Kerberos secures the authentication process, and a firewall prevents unauthorized access to a computer or network.
• Security Services: Authentication using keychains, together with POSIX and ACL permissions, helps prevent intruders from using your applications and accessing your files.
• Secure boot and lockdown: The Firmware Password Utility helps prevent people who can access your hardware from gaining root-level access permissions to your computer files.
Network Security
Secure Transport is used to implement the SSL and Transport Layer Security (TLS) protocols. These protocols provide secure communications over a TCP/IP connection such as the Internet by using encryption and certificate exchange. A firewall can then filter communication over a TCP/IP connection by permitting or denying access to a computer or a network.
[Figure: layered security defense. Layer labels: Secure Worldwide Communication, Secure Applications, Secure Network Protocols, Security Services, Secure Boot/“Lock Down”. Tiers: Internet, Applications, Network, Operating System.]
Credential Management
A keychain is used to store passwords, keys, certificates, and other data placed in the keychain by a user. Due to the sensitive nature of this information, keychains use cryptography to encrypt and decrypt secrets, and they safely store secrets and related data in files.
Snow Leopard Server Keychain services enable you to create keychains and securely store keychain items. After a keychain is created, you can add, delete, and edit keychain items, such as passwords, keys, certificates, and notes for users.
A user can unlock a keychain through authentication (by using a password, digital token, or smart card), and applications can then use that keychain to store and retrieve data, such as passwords.
Public Key Infrastructure (PKI)
The Public Key Infrastructure (PKI) certificate, key, and trust services include functions to:
• Create, manage, and read certificates
• Add certificates to a keychain
• Create encryption keys
• Manage trust policies
These functions are used when the services call Common Security Service Manager
What’s New in Snow Leopard Server Security
Snow Leopard Server offers the following major security enhancements:
• Increased security for memory and protection: Snow Leopard Server running on the 64-bit chip improves support for memory and executable protection against arbitrary code execution. Technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify the software on your computer.
• Better Trojan horse protection: Snow Leopard Server maintains profiles for known malicious software, and prevents its download through many applications.
• Increased VPN compatibility: Virtual private network (VPN) support has been enhanced to support Cisco IPSec VPN connections without additional software.
• Improved cryptology technologies: Snow Leopard Server includes Elliptic Curve Cryptography (ECC) support in most of its encryption technologies.
• Support for Extended Validation Certificates: Extended Validation (EV) Certificates require the Certificate Authority to investigate the identity of the certificate holder before issuing a certificate.
• Support for wildcards in domains for Keychain Access identity preferences: This allows client certificate-authenticated connections to multiple servers or paths defined within a single ID Pref.
• Updated security command-line tools: The security and networksetup command-line tools have been enhanced.
• Enhanced Safari 4.0 security: Safari has enhanced detection of fraudulent sites. It also runs many browser plug-ins as separate processes for enhanced security and stability.
Existing Security Features in Snow Leopard Server
Snow Leopard Server continues to include the following security features and technologies to enhance the protection of your computer and your personal information.
• Application signing: This enables you to verify the integrity and identity of applications on your Mac.
• Mandatory access controls: These enforce restrictions on access to system resources.
• Quarantined applications: Mac OS X v10.6 tags and marks downloaded files with first-run warnings to help prevent users from inadvertently running malicious downloaded applications.
• Runtime protection: Technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify the software on
• Meaningful security alerts: When users receive security alerts and questions too frequently, they may fall into reflexive mode when the system asks a security-related question, clicking OK without thought. Mac OS X v10.6 minimizes the number of security alerts that you see, so when you do see one, it gets your attention.
Signed Applications
When applications are signed, your Mac can verify the identity and integrity of an application. Applications shipped with Snow Leopard Server are signed by Apple. In addition, third-party software developers can sign their software for the Mac. Application signing doesn’t provide intrinsic protection, but it integrates with several other features to enhance security.
Features such as parental controls, managed preferences, Keychain, and the firewall use application signing to verify that the applications they are working with are the correct, unmodified versions.
With Keychain, the use of signing dramatically reduces the number of Keychain dialogs presented to users because the system can validate the integrity of an application that uses the Keychain. With parental controls and managed preferences, the system uses signatures to verify that an application runs unmodified.
The application firewall uses signatures to identify and verify the integrity of applications that are granted network access. In the case of parental controls and the firewall, unsigned applications are signed by the system on an ad hoc basis to identify them and verify that they remain unmodified.
Mandatory Access Controls
Snow Leopard Server uses an access control mechanism known as mandatory access controls. Although the Mandatory Access Control technology is not visible to users, it is included in Snow Leopard Server to protect your computer.
Mandatory access controls are policies that cannot be overridden. These policies set security restrictions created by the developer. This approach is different from discretionary access controls, which permit users to override security policies according to their preferences.
Mandatory access controls in Snow Leopard Server aren’t visible to users, but they are the underlying technology that helps enable several important new features, including sandboxing, parental controls, managed preferences, and a safety net
Time Machine illustrates the difference between mandatory access controls and the user privilege model—it allows files within Time Machine backups to be deleted only by programs related to Time Machine. From the command line, no user—not even one logged in as root—can delete files in a Time Machine backup.
Time Machine uses this strict policy because it utilizes file system features in Snow Leopard Server. The policy prevents corruption in the backup directory by preventing tools that may not recognize the new file system features from deleting files from backups.
Mandatory access controls are integrated with the exec system service to prevent the execution of unauthorized applications. This is the basis for application controls in parental controls in Snow Leopard and managed preferences in Snow Leopard Server. Mandatory access controls enable strong parental controls. In the case of the new sandboxing facility, mandatory access controls restrict access to system resources as determined by a special sandboxing profile that is provided for each sandboxed application. This means that even processes running as root can have extremely limited access to system resources.
Sandboxing
Sandboxing helps ensure that applications do only what they’re intended to do by placing controls on applications that restrict what files they can access, whether the applications can talk to the network, and whether the applications can be used to launch other applications.
In Snow Leopard Server, many of the system’s helper applications that normally communicate with the network—such as mDNSResponder (the software underlying Bonjour) and the Kerberos KDC—are sandboxed to guard them from abuse by attackers trying to access the system.
In addition, other programs that routinely take untrusted input (for instance, arbitrary files or network connections), such as Xgrid and the QuickLook and Spotlight background daemons, are sandboxed.
Sandboxing is based on the system’s mandatory access controls mechanism, which is implemented at the kernel level. Sandboxing profiles are developed for each application that runs in a sandbox, describing precisely which resources are accessible
Managed User Accounts
Parental controls provide computer administrators with the tools to enforce a reasonable level of restrictions for users of the computer.
Administrator users can use features like Simple Finder to limit the launching of a set of applications or create a whitelist of websites that users can visit. However, if an attacker has physical access to computer ports such as USB or FireWire, parental controls can be bypassed by mounting a disk image that contains malicious software. You can secure these ports by disabling them. For information about disabling hardware, see Chapter 3, “Securing System Hardware.”
This is the kind of simple UI that administrators of a public-use computer environment can use to restrict access to applications or sites to keep users from performing malicious activities. It is not a fool-proof security system for local users.
In Snow Leopard Server, you use Workgroup Manager to manage preferences for users of Snow Leopard systems.
Enhanced Quarantining
Applications that download files from the Internet or receive files from external sources (such as mail attachments) can use the Quarantine feature to provide a first line of defense against malicious software such as Trojan horses. When an application receives an unknown file, it adds metadata (quarantine attributes) to the file using functions found in Launch Services.
Files downloaded using Safari, Mail, and iChat are tagged with metadata indicating that they are downloaded files and referring to the URL, date, and time of the download. This metadata is propagated from archive files that are downloaded (such as ZIP or DMG files) so that any file extracted from an archive is also tagged with the same information. This metadata is used by the download inspector to prevent dangerous file types from being opened unexpectedly.
The first time you try to run an application that has been downloaded, Download Inspector inspects the file, prompts you with a warning asking whether you want to run the application, and displays the information on the date, time, and location of the download.
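As an added example (not part of Apple’s guide), the shell script below decodes the com.apple.quarantine extended attribute that Launch Services writes to a downloaded file, so an administrator can audit when and by which application a file was quarantined. The four-field layout (flags;hex timestamp;agent;identifier) is an assumption about the attribute format, and the sample value is constructed.

```shell
#!/bin/sh
# Added example: decode a com.apple.quarantine extended attribute.
# Assumed layout (not stated in this guide): four ';'-separated fields,
#   <flags-hex>;<download-time-as-hex-epoch>;<agent-name>;<identifier>
# On a Mac the raw value is read with:  xattr -p com.apple.quarantine FILE
# The download URL lives in a separate attribute
# (com.apple.metadata:kMDItemWhereFroms), which this script does not parse.

decode_quarantine() {
    raw=$1
    # Split on ';' only, so agent names containing spaces survive; disable
    # globbing so a stray '*' in the value cannot expand to file names.
    old_ifs=$IFS
    set -f
    IFS=';'
    set -- $raw
    IFS=$old_ifs
    set +f
    flags=$1 ts_hex=$2 agent=$3 ident=$4
    # A value without flags and timestamp is not a quarantine record.
    [ -n "$flags" ] && [ -n "$ts_hex" ] || return 1
    # The timestamp is seconds since the epoch, written in hexadecimal.
    epoch=$(printf '%d' "0x$ts_hex") || return 1
    printf 'flags=%s epoch=%s agent=%s ident=%s\n' \
        "$flags" "$epoch" "$agent" "$ident"
}

# Render an epoch as UTC, trying the BSD (macOS) date syntax first and the
# GNU syntax second, so the script works on both platforms.
epoch_to_utc() {
    date -u -r "$1" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null ||
        date -u -d "@$1" '+%Y-%m-%dT%H:%M:%SZ'
}

# Constructed sample (not a real download): Safari tagged the file at
# epoch 1262304000 (hex 4b3d3b00), i.e. 2010-01-01T00:00:00Z.
SAMPLE='0001;4b3d3b00;Safari;|com.apple.Safari'
decode_quarantine "$SAMPLE"
# → flags=0001 epoch=1262304000 agent=Safari ident=|com.apple.Safari
epoch_to_utc 1262304000
```

On a Mac, feed the function the output of `xattr -p com.apple.quarantine FILE`; a file extracted from a quarantined archive should decode to the same agent and timestamp as the archive itself.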
You can continue to open the application or cancel the attempt, which is appropriate if you don’t recognize or trust the application. After an application is opened, this message does not appear again for that application and the quarantine attributes