Mac Security (7.26.05)

For assistance with any of these settings, contact the Help Desk at 617-726-5085 and ask that your call be placed in the “research queue.”


1. Go to Apple Menu->System Preferences->Security


- Check "Require password to wake this computer from sleep or screen saver."
- Check "Disable automatic login."

2. Ensure that the user has set a strong password.

- Go to System Preferences->Accounts
- Select the account the user typically uses (there may only be one account)
- Use the Info Sec. password assistant to create a password: https://www.infosec.partners.org/pwgen.php
- Or, have the user enter their Partners logon and password as the password

3. Go to System Preferences->Desktop and Screensaver

- Under the Screen Saver tab, drag the "Start screen saver" slider to 10 minutes.

4. Go to System Preferences->Energy Saver

- Check "Put the display to sleep..." and move the slider to thirty minutes.

5. Go to System Preferences->Sharing

- In the Services tab, ensure that no extraneous services are enabled:
  - Personal File Sharing: Necessary to allow other Macs to connect to the computer and access it as a share.
  - Windows Sharing: Provides the same service for Windows-based computers.
  - Personal Web Sharing: Allows the user to host a website. This is rarely necessary.
  - Remote Login: Disable this service. If the user uses and understands it, they may re-enable it.
  - FTP Access: Disable this service in favor of Personal/Windows File Sharing, unless the user has another computer that must access the Macintosh and cannot use AFS or SMB (unlikely).
  - Remote Apple Events: Disable this service. If the user uses and understands it, they may re-enable it.
  - Printer Sharing: Disable this service unless the user is sharing a printer.

- The Firewall tab offers potentially excessive protection. If the user has applications which use the network on ports that cannot be opened in the Apple firewall, do not enable it. For example, AIM-based file transfer is occasionally used in lieu of AFS/SMB file sharing. If the user can be migrated to "orthodox" methods, enable the firewall, but know that it may cause unforeseen difficulty, and, given the low-risk environment for Macs in general, and within the Partners network, it is probably not necessary.

- In the Internet tab, "Stop" internet sharing. If the user is acting as a wireless base station, instruct the user that ad-hoc wireless of this type is not allowed, as the signal cannot be properly secured without a particular type of base station. If the user is acting as a wired router, explain that the policy on non-Partners hubs and routers is that they are not allowed, and must be reported to Network Security.
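
The script below is an added example, not part of the original checklist: it audits the settings from steps 3, 4 and 5 from the command line instead of clicking through System Preferences. It assumes the stock `defaults`, `pmset` and `systemsetup` tools and their usual output format, treats the 10-minute and 30-minute values as maximums, and must run as an administrator for the Remote Login check.

```sh
#!/bin/sh
# Added example (not from the original checklist). Function names are
# hypothetical; thresholds are the checklist's 10 and 30 minutes, read here
# as "no longer than" (an assumption).

# Step 3: screen saver idle time is stored in seconds; 0 means "never".
idle_ok() {
    [ "$1" -gt 0 ] 2>/dev/null && [ "$1" -le 600 ]
}

# Step 4: extract the display-sleep minutes from `pmset -g` output on stdin.
displaysleep_minutes() {
    awk '$1 == "displaysleep" { print $2; exit }'
}

# Step 4: display must sleep within 30 minutes; 0 means "never".
displaysleep_ok() {
    [ "$1" -gt 0 ] 2>/dev/null && [ "$1" -le 30 ]
}

# Step 5: Remote Login should be off. Argument is the text printed by
# `systemsetup -getremotelogin` (assumed form: "Remote Login: Off").
remote_login_off() {
    case "$1" in
        *"Remote Login: Off"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report LABEL COMMAND [ARGS...]: run the check and print PASS or FAIL.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

audit() {
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    report "screen saver starts within 10 minutes" idle_ok "${idle:-0}"
    mins=$(pmset -g | displaysleep_minutes)
    report "display sleeps within 30 minutes" displaysleep_ok "${mins:-0}"
    rl=$(systemsetup -getremotelogin 2>/dev/null)   # needs administrator rights
    report "Remote Login disabled" remote_login_off "$rl"
}

# Run the live audit only on a Mac; elsewhere the checks can still be sourced.
if [ "$(uname)" = "Darwin" ]; then audit; fi
```

A missing or unreadable setting is reported as FAIL rather than skipped, so a machine where the value was never set is flagged for a manual look.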