Complete Mac Security, Part 1
Protecting Yourself From Bad Guys
16 January 2004 Matt Willmore
### Physical Security
This is the first in a series on Mac OS X security. The purpose of the series is to show how to modify and create settings so that your personal data is completely protected every second of the day, and how to accomplish that with tools built into Mac OS X.
First and foremost, the security of the actual computer is vital to the protection of its data. If the Mac is a desktop, make sure to lock the computer to the desk or table with a cable lock from a company such as Kensington or Targus. Both companies sell ideal solutions for securing your desktop to a surface. There are even more laptop solutions, especially since mobile security is an essential accessory to have. Every Mac comes with a security slot directly connected to the internal frame of the computer; these security solutions are specifically built for this slot. For a long time, Apple actually called the slot the "Kensington security slot" because of Kensington's early involvement with security solutions for the Mac.
Besides securing the case itself, it's also a wise idea to prevent unauthorized users from opening the case. On all Mac towers starting with the Blue & White G3, there is a security bar that, when extended and secured with a padlock, will prevent anyone from opening the case itself. Some Power Macs prior to this model have similar features. On PowerBooks and iBooks, there is less in terms of security from the case itself, aside from the general pain of taking anything out in the first place. Because of their very mobile nature, extra care should be taken to make sure that if they are not locked up, they are never left out of sight.
Even in situations where your computer IS left out of sight at times (an office or server room, for example), precautions should be taken to ensure that there is limited access to the room. This can be accomplished with a different lockset and/or limited distribution of the door's key. Locking the door to the hardware's room will ensure that no unauthorized guests have the chance to pilfer your Mac. As an extra precaution in case theft happens, make sure that you have the model and serial number of every CPU, monitor, switch, mouse, and tablet. This will make it easier for the insurance companies and the police.
In summary, it's common sense that if someone really, really wants your Mac, they'll get it; what we're doing here is making it much, much harder to accomplish.
Open Firmware
Description
When someone finds that they can't get into the computer via normal means, Open Firmware is a popular second choice. If you haven't used it already, Open Firmware provides a wide variety of alternate means of booting and accessing your Mac. Starting with Open Firmware version 4.1.7, Apple has included the ability to enable an Open Firmware password, which locks out or restricts every feature that Open Firmware provides. While this is a powerful deterrent against unauthorized users, it's especially effective in a lab environment, where the computers are publicly accessible. Before we implement it, though, it's important to fully understand what Open Firmware is, as well as the effects of enabling the password.
It's easy to check your firmware version. Simply open Apple System Profiler (10.0-10.2) or System Profiler (10.3+), either via the Apple menu (About This Mac > More Info...) or by opening it in /Applications/Utilities. The layout of ASP changed dramatically from 10.2 to 10.3, but on both versions the version will be displayed on the opening screen.
Open Firmware can be likened to a BIOS on a PC, where a password can be required for startup or to change system settings. In some ways Open Firmware is very similar to a PC's BIOS. Open Firmware provides an interface to change low-level settings on your Mac, such as the boot volume and system-level firmware commands. Open Firmware's Startup Manager is arguably the most commonly used feature of the tool; holding down "option" while booting presents a GUI allowing you to select any available volume as the startup volume. In the wrong hands, however, this can provide a quick way for someone to access the contents of your hard drive.
Open Firmware Password
Now that we're more familiar with the purpose and job of Open Firmware, let's talk about enabling the Open Firmware password. Enabling it essentially halts or restricts every user function of Open Firmware, providing another level of security between you and unauthorized users. Since you know the password, you can disable it if you need to use any of the features that Open Firmware provides, but keeping the password enabled whenever possible will give you the greatest amount of security. Here's what enabling the Open Firmware password changes:
- Users cannot use a snag key on startup (N for NetBoot, C for a CD, and T for Target Disk Mode, where the Mac acts as a FireWire hard drive)
- Users cannot invoke verbose mode (command-V) or single-user mode (cmd-S) at startup
- Users cannot perform PRAM resets (command-option-P-R)
- Invoking the Open Firmware command prompt (command-option-O-F) requires the Open Firmware password
- Invoking the Open Firmware Startup Manager (option) requires the Open Firmware password
Open Firmware Password Caveats
Although the Open Firmware password would seem to make OS X security airtight, there are some caveats to using it.
By changing the amount of RAM in the machine, the Open Firmware settings will be reset and the password will be disabled. This comes back to the importance of physically securing the door latches and the machines themselves, so that criminals have no chance to unseat the RAM. Note that simply changing the slots the RAM is seated in will not have the same effect; you must actually change the amount of RAM installed to reset the Open Firmware password.
It would be wise to consider how limited users' access to OS 9 should be. Once in OS 9, every file in OS X is visible and can be deleted if you are not careful. Security experts recommend not allowing dual-booting, or only allowing a small, trusted group of people to boot into OS 9; this will help to reduce the chances that a critical file or folder has been deleted.
Another more serious threat is the weakness of the Open Firmware password. As secure as it may seem, the encryption for the Open Firmware password is incredibly weak, and there are multiple applications that exist that can easily extract the Open Firmware password from a running machine, using either Mac OS 9 or OS X.
Implementation
While not the easiest way, setting the Open Firmware password by booting into Open Firmware is probably the fastest and most flexible way to enable and disable it. Apple also has a software application called, appropriately, Open Firmware Password. This program gets the job done, but is not as flexible as the command line.
- Boot into Open Firmware by restarting your Mac and holding down command-option-O-F. The Open Firmware welcome text will show up and you will be presented with a text prompt.
- To enable the password, simply type password. When prompted, type the password, and then verify it. Hit enter again, and the password is now enabled and set.
- Next, you need to set the security level of Open Firmware. There are 3 levels - 0 (or "none"), 1 (or "command"), and 2 ("full"). Level 0 is the factory default - a password is never asked for, no matter what function or snag keys (N, T, C, cmd-opt-O-F, etc.) are depressed. Level 1 ("command") is the most common Open Firmware password setting. This will enforce the restrictions as stated above, but not interfere with a normal startup. Level 2 ("full") is the most involved setting. It will apply the security restrictions found in level 1, and in addition, the Open Firmware password is required every time you start up or reboot the computer. To set the security level, enter one of the three strings, depending on what level of security you desire:
  - setenv security-mode none (for level 0)
  - setenv security-mode command (for level 1)
  - setenv security-mode full (for level 2)
- After setting that, enter reset-all and hit enter to restart the computer.
NOTE: There are settings in which each level of security is appropriate. In a school lab, for example, requiring the password with every restart is ridiculous, as their reboot frequency is higher than most users. Someone's personal laptop, however, might be the perfect candidate for level 2 security. If the laptop was ever stolen and the computer was booted, nothing would be possible without that password.
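To confirm after the restart that a machine ended up at the intended level, the mode can be read back from within Mac OS X. The script below is an added example, not part of the original article; it assumes the tab-separated output of the `nvram -p` command, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Open Firmware security-mode from Mac OS X.
# Assumption: stdin is `nvram -p` output, one "name<TAB>value" per line.

# Print the security-mode value; a missing variable is treated as
# "none", the factory default the article calls level 0 (assumption).
of_security_mode() {
    awk -F'\t' '$1 == "security-mode" { print $2; found = 1; exit }
                END { if (!found) print "none" }'
}

# Map a mode string to the article's numeric level.
of_security_level() {
    case "$1" in
        none)    echo 0 ;;
        command) echo 1 ;;
        full)    echo 2 ;;
        *)       echo unknown ;;
    esac
}

# audit_of_security MIN_LEVEL  (reads nvram-style text on stdin)
# Returns 0 if MIN_LEVEL is met, 1 if weaker, 2 if unrecognised.
audit_of_security() {
    min=$1
    mode=$(of_security_mode)
    level=$(of_security_level "$mode")
    if [ "$level" = unknown ]; then
        echo "UNKNOWN security-mode '$mode'"; return 2
    fi
    if [ "$level" -lt "$min" ]; then
        echo "FAIL security-mode=$mode (level $level, need $min)"; return 1
    fi
    echo "OK security-mode=$mode (level $level)"
}

# Constructed sample of `nvram -p` output (not from a real machine).
SAMPLE_NVRAM=$(printf 'auto-boot?\ttrue\nsecurity-mode\tcommand\n')

# Lab policy from the article: level 1 ("command") is enough.
printf '%s\n' "$SAMPLE_NVRAM" | audit_of_security 1
# On a real machine: nvram -p | audit_of_security 1
```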
In future weeks we will continue to show how you can make your Mac completely secure, all with Apple's own tools. We will discuss application-level security, network security, file encryption, FileVault, and other subjects.
Matt Willmore is a founding partner of MacZealots.com. Matt is also a Resident Assistant at Owen Hall and does Mac support at ECN, and is active in PUMUG. He can be reached at .



Reader Comments (1)
#1) On June 30, 2004 1:28 PM
“Open Firmware can be likened to a BIOS password on a PC, where a password is required for startup or to change system settings. In some ways Open Firmware is very similar to a BIOS password.”
I think you meant “Open Firmware can be likened to [PC BIOS] on a PC, where a password [may] be required for startup or to change system settings.”
Open Firmware on CHRP/PR*P architectures is analogous to the PC BIOS on x86 architectures.