Keeping Your Mac Safe: Local Access

As I mentioned earlier in the chapter, an effective firewall can't stop someone from walking up to your Mac and trying to access it. In order to truly have a secure computer, you also need to secure it from local access. You can take several approaches to local security, including preventing startup, enabling auto-logout, and locking the screen when you step away from the computer. I'll talk about each of these approaches here.

Note 

Although home computers aren't as susceptible to local "hacking" as those used in office environments, you may still find some of these techniques useful, especially if you keep sensitive data on your home computer, or if you have children that you don't want using the computer unsupervised.

Securing Startup: Open Firmware Password Protection

You may recall that I talked about Open Firmware in Chapter 3. As part of your Mac's BootROM, it loads at the beginning of the startup process, which means that Open Firmware controls all access to your Mac. By enabling Open Firmware Password Protection, your Mac can only be booted (this includes a startup after a restart) by someone who knows the Open Firmware password, or can be restricted to only boot using the startup volume selected by an admin user the last time it was booted (i.e., someone can't reboot your Mac and change startup volumes to circumvent security). In addition, all other startup options listed in Chapter 3 (single-user mode, booting from a CD, safe boot, target disk mode, etc.) are disabled to prevent a malicious user from using them to gain access to your computer.

Warning 

Before enabling Open Firmware Password Protection, make sure your Mac is compatible with this feature and has the latest version of Open Firmware installed. You can find a list of compatible Macs and firmware updates at http://docs.info.apple.com/article.html?artnum=106482. In addition, DO NOT update your Mac's firmware with Open Firmware Password Protection enabled, or you risk not being able to boot your computer! If you need to update firmware, disable Password Protection first.

Enabling Open Firmware Password Protection

User Level:

admin

Affects:

computer

Terminal:

no

There are actually two ways to enable Open Firmware Password Protection. The easiest way is to download Apple's Open Firmware Password utility, available at http://docs.info.apple.com/article.html?artnum=120095. After you launch the utility, click Change. Check the box next to "Require password to change Open Firmware settings", and click OK. You'll be asked to authenticate using an admin username and password, and then you'll be told that your settings were successfully saved. Enabling Password Protection this way provides the "command" level of Open Firmware protection, which means it only disallows startup commands. It still allows users to restart the computer and boot up again.

For an additional level of security not provided via Apple's utility, you can enable "full" Open Firmware protection, which not only disallows startup commands, but also disallows startup itself unless you provide the correct Open Firmware password. However, to enable full protection, you need to restart your Mac and invoke Open Firmware at startup:

  1. Restart or start your Mac, holding down command+option+O+F. This will bring up the Open Firmware prompt.

  2. At the prompt, type password <RETURN>.

  3. When prompted, enter the password you wish to use and then press return. Enter it again for verification, and press return again.

  4. At the next prompt, type setenv security-mode full <RETURN>. This enables "full" Open Firmware protection.

  5. Type reset-all <RETURN> to restart your Mac. As your computer restarts, you'll of course be required to provide your Open Firmware password.

Tip 

If Open Firmware Password Protection is active and you need to temporarily use a different startup disk at startup, hold down the option key as if you were invoking the Startup Manager. Enter your Open Firmware password, and the Startup Manager will appear.

Disabling Open Firmware Password Protection

User Level:

admin

Affects:

computer

Terminal:

no

If you want to disable Open Firmware Password Protection permanently, or if you just need to disable it temporarily in order to reset your Mac's PRAM, use single-user mode, or access other startup options, you have two options. The first is to launch the Open Firmware Password utility, uncheck the "Require password" box, and then click OK. Once you provide an admin username and password, the Open Firmware password will be removed.

You can also disable protection by booting into Open Firmware:

  1. Restart your Mac and hold down command+option+O+F until you see the Open Firmware prompt.

  2. Type setenv security-mode none <RETURN>.

  3. Type the existing password and press return.

  4. Type reset-all <RETURN> to restart.

Password protection will now be disabled. To enable it again, use the procedure described in the previous section.

Recovering from a Forgotten Open Firmware Password

User Level:

anyone with hardware access

Affects:

computer

Terminal:

no

Open Firmware Password Protection is the most secure method of local protection you can use on your Mac without buying third-party security software (and it's even better than some of those). The downside to this is that if you lose your Open Firmware password, you could be in trouble! However, in the event this ever happens, there is a "back door" to gain access to your Mac.

  1. Open your computer's case to expose the RAM slots.

  2. Add or remove some of your RAM—you basically need to change the total amount of RAM in your computer—and then close your computer up again. (If you only have one DIMM (RAM module), you'll need to add RAM, since you won't be able to remove any.)

  3. Boot your computer holding down command+option+P+R until you hear three (3) chimes. This resets your computer's PRAM three times.

  4. Release the keys and allow your computer to start up normally.

The Open Firmware password is now disabled. You can shut down your computer and restore its RAM to the previous amount. Of course, you'll notice that the above procedure does not require any password or admin account. Anyone with access to your Mac's RAM slots can do it, which is why if you have a desktop Mac, you should use the lock slot to keep others from opening it up (especially if your Mac is in a public location). If you have a PowerBook or iBook, you're especially susceptible to this trick, since you can't lock the RAM slots.

Note 

There was also a Classic application called FWSucker (http://www.securemac.com/openfirmwarepasswordprotection.php#fwsucker) that could extract your Open Firmware password from NVRAM (a bit of low-level memory where the Open Firmware password is stored). However, this utility does not appear to work in the Classic Environment.

Auto-Logout: Log Users Out Automatically

User Level:

admin or normal

Affects:

computer or individual user

Terminal:

no

If your biggest security problem is that you (or others) forget to log out after using the computer, you can take advantage of one of OS X's built-in features—the screen saver—to automatically log users out. The freeware screen saver module LogOut (http://homepage.mac.com/swannman/FileSharing1.html) works just like any other screen saver module, but instead of dimming the display or filling the screen with interesting graphics after a period of inactivity, it (ungracefully) logs the current user out and returns the Mac to the login screen. This may not be the best solution for a computer used by only one or two people (see the next section for another approach), but in a lab setting, LogOut can be extremely valuable.

To install LogOut, drop the LogOut.saver screen saver module into /Library/Screen Savers (for all users) or ~/Library/Screen Savers (for a specific user). Open the Screen Effects pane of System Preferences, choose LogOut as your screen effect, and then in the Activation tab choose the amount of inactivity until the screen effect starts. For example, if you set the Screen Effects preferences to start effects after 20 minutes, LogOut will automatically log the current user out after 20 minutes of inactivity. (Be sure you make it long enough to allow for normal pauses in work, otherwise you or other users will probably be extremely frustrated by premature logouts!) I recommend against assigning any Hot Corners when using this module, as a stray mouse movement might log users out accidentally.

Warning 

Be aware that LogOut performs an ungraceful logout, meaning that applications are quit immediately without prompting the user to save open documents. However, if your main concern is security, this is probably less of an issue than leaving an account logged in.

Locking the Screen Temporarily

If you want to prevent access to your account, but don't want to log out (e.g., if you're just stepping away from your computer), your best bet is to lock the screen. OS X includes a screen lock, accessible via Screen Effects and the Keychain menu extra.

Locking the Screen via Screen Effects

User Level:

any

Affects:

individual user

Terminal:

no

I covered Screen Effects' password feature in Chapter 2, but here's a recap. In the Activation tab of Screen Effects preferences, if you select "Use my user account password," you'll be required to provide your account password when exiting the screen saver. This is a good feature for keeping your computer somewhat secure when you step away—after a set amount of inactivity (also set in the Activation tab), the screen saver will kick in, providing password protection with it.

To make this feature a bit more effective, you should choose a Hot Corner (in the corresponding tab of Screen Effects preferences). With a Hot Corner active, when you are about to step away from your computer, just drag the cursor into that corner and the screen saver/password protection will immediately activate.

Locking the Screen via the Keychain Menu Extra

User Level:

any

Affects:

individual user

Terminal:

no

The problem with using Screen Effects to lock your screen is that if you don't set a Hot Corner, there is a delay (set by you in Screen Effect preferences) between when you stop working and when the screen saver starts; on the other hand, if you enable a Hot Corner, it's easy to hit that corner with the mouse unintentionally, locking your screen. A better solution, in my opinion, is to use the Keychain menu extra. The Keychain menu extra's main purpose is to allow you to access your Keychain, but it also allows you to lock the screen immediately. (I'll talk about OS X's Keychain, and the Keychain Access application, in a bit.)

You can enable the Keychain menu extra by launching the Keychain Access application, located in /Applications/Utilities. Choose View > Show Status in Menu Bar and the menu extra will be added to the menu bar (it will look like a small padlock); it will remain there even after you quit Keychain Access. To lock your screen, simply choose Lock Screen from the new menu; whatever screen effect you've chosen in Screen Effects preferences will be started, but to stop the screen effect and get back to work you need to enter your account password—even if your Screen Effects settings do not have a password enabled.

Tip 

Although locking the screen via the Keychain menu extra functions just like enabling a Screen Effects password, the two are actually independent; you can use Screen Effects as a screen saver without the lock, but you can still gain the benefit of the lock when you want it.
