Complete Mac Security, Part 2

Matt Willmore Skip to comments 7 Comments (Comments Closed Closed)

In Part 1 of the Complete Mac Security series, we discussed physical security of your Mac, as well as Open Firmware and how you can utilize it to safeguard your system. Unfortunately, this is but a part of the steps everyone needs to take to completely safeguard your Mac against information (or physical) theft. This week, we'll discuss login security in all its forms, and how you can be completely sure that no one can login to your Mac except you.

Theory

Suppose you use a Mac running OS X at the office, and you step away to take a call. Obviously, you aren't going to turn off the computer for such a short period of time, just to protect your data. What if you have a server and can't turn it off at night? What if you just LIKE having the computer on when you come in every morning? What if you have a laptop and simply put it to sleep instead of shutting it down? (My PowerBook hasn't been off on months.) If you leave it like this, you have initially bypassed Open Firmware as a security level (although someone resetting the machine would encounter it again) and left them at the next level - OS X itself. What can we do at that point to keep your machines secure? By changing a couple simple settings, we can make your Mac impervious from random people looking for any tasty morsel of information on your computer. We'll use two technologies that come with OS X 10.3: the LoginWindow application, and Fast User Switching. Ready? Let's get started.

Long-Term Protection with LoginWindow

Mac OS X: Login WindowDepending on how long your Mac will be unattended, there are different methods for preventing someone from using your OS X account while you are away. The first is when you are away for an extended period of time - say, overnight. In this case, logging out is the best way to deter unauthorized access from someone sitting at your computer. All documents are saved and closed, and all applications have quit, with the exception of LoginWindow. The sole job of LoginWindow is to control access to the Finder's launch, based on user credentials. LoginWindow can authenticate against both local (NetInfo) and network (LDAP, Active Directory, etc.) user databases. Regardless of how LoginWindow authenticates, however, you still need to implement the security on your end so that the intruder doesn't have a chance to find out on his own.

LoginWindow should be enabled on every Mac, but sadly Apple has chosen to disable it by default. If autologin is enabled on your Mac (as it is by default), anyone who starts your machine (or resets it via the reset button on every Mac) will be automatically logged into your account (and have all the privileges you have on your account as well). This, obviously, is not good. Here's how to fix this problem:

  1. Select the Accounts tab in System Preferences.
  2. Below the list of users created on your Mac, you should see a picture of a house and Login Options. If it is disabled, you need to unlock the control panel by clicking the lock and entering any administrator login and password. The lock will then unlock and you can click on Login Options.
  3. Look for the checkbox marked Automatically logged in as: and uncheck it, if checked. Unchecking this will stop autologin from occuring.
  4. While we're here, find Display Login Window as: and select Name and password instead of List of users. This will show text boxes for the user's name password. Why this? If you have a list of users, there's no need to guess the username - it's right there! This forces anyone attempting entry to know both the username (either short name or long name) and password to log in to the machine.
  5. Click the lock again to secure the control panel, preventing future changes without admin authorization. Close System Preferences. You're all set!
Login Preferences

To test this, log out of the machine (try the key combo - command-shift-Q - if you like). When you start up your machine, you should see a text box for the name and password, and that's it. Looks pretty frustrating to an intruder, huh? Good - that's exactly how we want it. This isn't the only scenario that people use every day, though.

Short-Term Protection with Fast User Switching

Mac OS X: Fast User SwitchingLet's go back to that original scenario: you're at work, on your Mac, saving the world as usual, when you're called away for some reason - a phone call, another promotion, whatever. As soon as your back is to your computer, it's literally open season for anyone to pop a seat and take the scenic route through your personal account. Obviously, this doesn't work. We could log out, but that's quite a pain, considering you'll definitely be coming back in a few minutes. What to do? Enter the power of Fast User Switching.

Before we get too deep, what is Fast User Switching (FUS)? This is a technology introduced to Mac users in OS X 10.3 "Panther". In a nutshell, it allows multiple people to be logged into OS X at the same time, with one user viewing their session at a time. Users have the ability to switch back and forth between logged in users via the FUS menu extra (enabled when FUS is turned on), as well as log in to users that are not logged in yet. Users can also bring up the login screen, allowing only someone with login credentials to get to their opened (or unopened) OS X session.

How does this relate to making your Mac completely secure? The beautiful part of Fast User Switching (apart from the gorgeous Quartz Extreme-driven transitions) is that you don't need two users to apply the security tools of the feature! Even if you're the single user on that Mac, you can still benefit from FUS by turning it on when you step away from the computer. This way, only you can switch back to your account, in a matter of seconds - and your work is just as you left it! With the right settings, anyone who looks at your screen won't even know you're logged in. Ready? Here we go:

  1. The hardest part of this process (if you can consider it hard) is to enable Fast User Switching in the Accounts control panel. So, let's head back over there.
  2. Open the Accounts control panel in System Preferences.
  3. Once again, find the Login Options button below the list of user accounts and click. If the option is disabled, click the lock in the lower left corner and enter an admin login/password to unlock the control panel.
  4. Once you're in the login options, check Enable fast user switching. When you do so, a warning dialog will appear:

    This feature will allow other users to stay logged in and continue running software in the background while you're using this computer. This feature should only be enabled if you trust the other users of this computer. (Incidentally, we're enabling this feature specifically because we don't trust the other users, as they're not intended to be users in the first place.)

  5. Click OK, and Fast User Switching will be enabled. You will notice that a new menu extra will appear on the very right side of the menu bar with the name of the current user. Clicking on the menu will list the icon and name of every local user on the computer. Next to each logged in user you will see an orange circle with a checkmark. This menu extra is exactly what you'll use to enable LoginWindow when you step away.
  6. Make sure that the radio button setting for Display Login Window as: is Name and password, so as not to show the list of accounts.
  7. Click the lock to secure the settings, and close System Preferences.

Now, go ahead and test it. Click on the FUS menu and select Login Window... You will be instantly be taken to LoginWindow, requestiong a name and password. Because you selected Name and password as the LoginWindow display type, it doesn't show who's logged in, or that anyone is at all. Now enter your user name (either short name or long name will do) and your password, and you will be whisked back to your work environment, exactly as you left it, completely secure while you walked away.

Disuse of OS X Screensaver as Security Measure

Mac OS X Screen Saver

One of the things OS X brought to the Mac community was a unified, built-in screensaver engine. Apple included the ability to require a password to exit the screensaver. While this is initally a good idea, there are two major points that are often overlooked:

  1. When you activate the dialog box to enter the user name and password to exit the screensaver, the username is already in the text box! Suddenly, half the work of the intruder is done and the password is all that is required.
  2. One thing that people do not realize is that any admin password (including root) can be entered in the dialog box to exit the screensaver. Go ahead, try it some time. While this might generally be seen as "still secure", the fact that any admin password can view the contents of a user's account (including and admin or root account) is disturbing, considering the fact that otherwise, this wouldn't be possible (with the exception of root).

Now, the use of a screensaver in itself isn't a bad idea; it saves CRT monitors and looks cool. However, using Fast User Switching is just a smarter overall choice when it comes to protecting the information on your computer.

In the coming weeks, MacZealots.com will publish additional articles in the Complete Mac Security series, covering every aspect of practical OS X security, including permissions, FileVault, network ports, file/web sharing, and other topics.

Matt WillmoreMatt Willmore is a founding partner of MacZealots.com. Matt is also a Resident Assistant at Owen Hall and does Mac support at ECN, and is active in PUMUG. He can be reached at .

Reader Comments (7)

DISCLAIMER: The views expressed below are those of their authors and not necessarily endorsed or supported by MacZealots.com. In all cases, the comments provided here are offered as a courtesy and will be moderated. Any content deemed off-topic or offensive will be removed without notice. Posting a comment here boils down to two things: 1.) Think before you type 2.) Respect the thoughts of others. See our commenting guidelines and/or privacy policy for more information.

1 Jeremy Lavergne remarks:
#1) On January 30, 2004 7:06 AM

Viewing user directories is possible for all admins in a Unix environment, even one such as OS X. That’s why they are admins.

2 Matt Willmore remarks:
#2) On January 30, 2004 7:31 AM

Jeremy -

Perhaps I should have clarified. Admins (and non-admins) can see the base contents of other users’ directories, but can only view the contents of the Sites and Public directories (and any other user-created folders with appropriate permissions, such as 755). However, just because they are admins does not give them the permission to view other users’ directories in full (ie. read all folder contents) any more than a non-admin status would. The root user is the only user able to accomplish this.

3 Chris Seymour remarks:
#3) On February 3, 2004 4:07 PM

If you have only one user account on your machine (like I do), try this. Instead of enabling FUS and having it eat up valuable Menubar space, just make a simple Apple Script Application with the following script:

try
do shell script “/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend”
on error error_message
beep
end try

(NOTE: everything from ‘do’ to ‘suspend”’ should be on one line.)

Now just make an alias on your desktop, assign it to a hotkey, or stick it in your Dock. Same results. Half the price! :)

4 Matthew Davenport remarks:
#4) On February 25, 2004 7:31 PM

Question… In the LoginWindow, should the screen still go to sleep/screensaver, say if the computer is left overnight. Mine does not

5 Fletcher Thompson Penney M.D. remarks:
#5) On March 22, 2004 9:25 AM

Regarding admins vs root and access to other users information. Remember, ALL admins on OS X are capable of gaining root access via sudo. ANY admin is capable or browsing through the files and folders of any other user. It is easiest accomplished through the command line ( ‘sudo tcsh’ as an admin, and now you’re root…), but I am sure there is a way to do it through the GUI ( perhaps by quitting the finder, then running it again as root?) Tricks like this are the reason you only give administrator status to those who need it… :)

6 Paolo remarks:
#6) On January 11, 2006 1:49 PM

I find quite annoing to use FUS to lock the screen. I prefer to use the screen saver password. I know that, this way, the unlock dialog will display my username but I accept the risk. To allow fast screensaver activation, it is possible to add “Keychain Access” status icon in the macosx menu bar. This option is in the tab “General” of “Keychain Access” preferences. I have used this in both Panther and Tiger. Regards.

7 Jossue remarks:
#7) On February 7, 2006 2:04 PM

can some one helpme please?
I had a mac computer from a firend, he passaway last week and i dont know the admin password i have just a limited account that can’t add or remove programes or create account, can some one tellme how to recover tha admistrator password . i will apprecaite it