E-book, English, 648 pages
Edge / Barker / Hunter, Enterprise Mac Security: Mac OS X Snow Leopard
2nd ed.
ISBN: 978-1-4302-2731-1
Publisher: Apress
Format: PDF
Copy protection: 1 - PDF Watermark
A common misconception in the Mac community is that the Mac's operating system is more secure than others. While this may be true in certain cases, security on the Mac is still a crucial issue. When sharing is enabled or remote control applications are installed, Mac OS X faces a variety of security threats. Enterprise Mac Security: Mac OS X Snow Leopard is a definitive, expert-driven update of the popular, Slashdotted first edition and was written in part as a companion to the SANS Institute course for Mac OS X. It contains detailed Mac OS X security information and walkthroughs on securing systems, including the new Snow Leopard operating system. Using the SANS Institute course as a sister text, this book caters to both the beginning home user and the seasoned security professional not accustomed to the Mac, establishing best practices for Mac OS X for a wide audience. The authors are seasoned Mac and security professionals who have built many of the largest network infrastructures for Apple and have spoken at both DEFCON and Black Hat on OS X security.
Charles Edge has been working with Apple products since he was a child. Professionally, Charles started with Mac OS and Apple's server offerings in 1999 after years of working with various flavors of Unix. He began his consulting career working with Support Technologies and Andersen Consulting. In 2000, he found a new home at 318, Inc., a consulting firm in Santa Monica, California, which is now the largest Mac consultancy in the country. At 318, Charles leads a team of over 40 engineers and has worked on network architecture, security, and storage for various vertical and horizontal markets. Charles has spoken at a variety of conferences, including DefCon, BlackHat, LinuxWorld, MacWorld, and the WorldWide Developers Conference. His first book, Mac Tiger Server Little Black Book, can be purchased through Paraglyph Press. Charles recently hung up his surfboard and moved to Minneapolis, Minnesota, with his wife, Lisa. He can be contacted at krypted@mac.com.
Further information & material

Table of contents (page numbers refer to the PDF):

1 Title Page (p. 1)
2 Copyright Page (p. 2)
3 Contents at a Glance (p. 4)
4 Table of Contents (p. 5)
5 About the Authors (p. 15)
6 About the Technical Reviewer (p. 16)
7 Acknowledgments (p. 17)
8 Introduction (p. 18)
  8.1 Security Beginnings: Policies (p. 18)
  8.2 A Word About Network Images (p. 19)
  8.3 Risk Management (p. 19)
  8.4 How This Book Is Organized (p. 20)
    8.4.1 Part 1: The Big Picture (p. 20)
    8.4.2 Part 2: Securing the Ecosystem (p. 21)
    8.4.3 Part 3: Securing the Network (p. 21)
    8.4.4 Part 4: Securely Sharing Resources (p. 22)
    8.4.5 Part 5: Securing the Workplace (p. 22)
    8.4.6 Appendixes (p. 23)
9 Part I The Big Picture (p. 24)
10 Chapter 1 Security Quick-Start (p. 25)
  10.1 Securing the Mac OS X Defaults (p. 25)
  10.2 Customizing System Preferences (p. 26)
  10.3 Accounts (p. 26)
  10.4 Login Options (p. 28)
    10.4.1 Passwords (p. 29)
    10.4.2 Administrators (p. 30)
  10.5 Security Preferences (p. 31)
  10.6 General (p. 31)
  10.7 FileVault (p. 33)
  10.8 Firewall (p. 35)
  10.9 Software Update (p. 36)
  10.10 Bluetooth Security (p. 38)
  10.11 Printer Security (p. 40)
  10.12 Sharing Services (p. 42)
  10.13 Securely Erasing Disks (p. 43)
  10.14 Using Secure Empty Trash (p. 45)
  10.15 Using Encrypted Disk Images (p. 46)
  10.16 Securing Your Keychains (p. 47)
  10.17 Best Practices (p. 49)
11 Chapter 2 Services, Daemons, and Processes (p. 50)
  11.1 Introduction to Services, Daemons, and Processes (p. 50)
  11.2 Viewing What's Currently Running (p. 52)
    11.2.1 The Activity Monitor (p. 52)
    11.2.2 The ps Command (p. 56)
    11.2.3 The top Output (p. 57)
    11.2.4 Viewing Which Daemons Are Running (p. 59)
    11.2.5 Viewing Which Services Are Available (p. 60)
  11.3 Stopping Services, Daemons, and Processes (p. 61)
    11.3.1 Stopping Processes (p. 62)
  11.4 Stopping Daemons (p. 64)
  11.5 Types of launchd Services (p. 65)
  11.6 GUI Tools for Managing launchd (p. 65)
  11.7 Changing What Runs At Login (p. 66)
  11.8 Validating the Authenticity of Applications and Services (p. 67)
  11.9 Summary (p. 68)
12 Chapter 3 Securing User Accounts (p. 69)
  12.1 Introducing Identification, Authentication, and Authorization (p. 69)
  12.2 Managing User Accounts (p. 70)
    12.2.1 Introducing the Account Types (p. 71)
    12.2.2 Adding Users to Groups (p. 73)
    12.2.3 Enabling the Superuser Account (p. 74)
    12.2.4 Setting Up Parental Controls (p. 76)
    12.2.5 Managing the Rules Put in Place (p. 82)
  12.3 Advanced Settings in System Preferences (p. 84)
  12.4 Working with Local Directory Services (p. 85)
    12.4.1 Creating a Second Local Directory Node (p. 88)
    12.4.2 External Accounts (p. 88)
  12.5 Restricting Access with the Command Line: sudoers (p. 89)
  12.6 Securing Mount Points (p. 94)
  12.7 SUID Applications: Getting into the Nitty-Gritty (p. 95)
  12.8 Creating Files with Permissions (p. 97)
  12.9 Summary (p. 98)
13 Chapter 4 File System Permissions (p. 99)
  13.1 Mac OS File Permissions: A Brief History of Time (p. 100)
  13.2 POSIX Permissions (p. 101)
    13.2.1 Modes in Detail (p. 102)
    13.2.2 Inheritance (p. 104)
    13.2.3 The Sticky Bit (p. 107)
    13.2.4 The suid/sguid Bits (p. 107)
    13.2.5 POSIX in Practice (p. 108)
  13.3 Access Control Lists (p. 111)
    13.3.1 Access Control Entries (p. 111)
      13.3.1.1 Administration (p. 111)
      13.3.1.2 Read Permissions (p. 112)
      13.3.1.3 Write Permissions (p. 112)
      13.3.1.4 Inheritance (p. 113)
    13.3.2 Effective Permissions (p. 114)
    13.3.3 ACLs in Practice (p. 115)
  13.4 Administering Permissions (p. 117)
  13.5 Using the Finder to Manage Permissions (p. 123)
  13.6 Using chown and chmod to Manage Permissions (p. 124)
  13.7 The Hard Link Dilemma (p. 127)
  13.8 Using mtree to Audit File System Permissions (p. 129)
  13.9 Summary (p. 131)
14 Chapter 5 Reviewing Logs and Monitoring (p. 132)
  14.1 What Exactly Gets Logged? (p. 132)
  14.2 Using Console (p. 134)
    14.2.1 Viewing Logs (p. 134)
    14.2.2 Marking Logs (p. 135)
    14.2.3 Searching Logs (p. 136)
  14.3 Finding Logs (p. 137)
    14.3.1 Secure.log: Security Information 101 (p. 138)
    14.3.2 appfirewall.log (p. 139)
  14.4 Reviewing User-Specific Logs (p. 140)
  14.5 Reviewing Command-Line Logs (p. 142)
  14.6 Reviewing Library Logs (p. 143)
  14.7 Breaking Down Maintenance Logs (p. 143)
    14.7.1 daily.out (p. 145)
    14.7.2 Yasu (p. 146)
    14.7.3 Weekly.out (p. 147)
    14.7.4 Monthly.out (p. 148)
  14.8 What to Worry About (p. 148)
  14.9 Virtual Machine and Bootcamp Logs (p. 149)
    14.9.1 Event Viewer (p. 149)
    14.9.2 Task Manager (p. 150)
    14.9.3 Performance Alerts (p. 151)
  14.10 Review Regularly, Review Often (p. 152)
    14.10.1 Accountability (p. 152)
    14.10.2 Incident Response (p. 153)
  14.11 Summary (p. 154)
15 Part II Securing the Ecosystem (p. 155)
16 Chapter 6 Application Signing and Sandbox (p. 156)
  16.1 Application Signing (p. 156)
    16.1.1 Application Authentication (p. 158)
    16.1.2 Application Integrity (p. 160)
    16.1.3 Signature Enforcement in OS X (p. 161)
      16.1.3.1 Keychain Access (p. 162)
      16.1.3.2 The OS X Application Firewall (p. 164)
      16.1.3.3 Client Management – MCX and Parental Controls (p. 166)
    16.1.4 Signing and Verifying Applications (p. 170)
  16.2 Sandbox (p. 173)
    16.2.1 Sandbox Profiles (p. 175)
    16.2.2 The Anatomy of a Profile (p. 178)
    16.2.3 Sandbox Profiles in Action (p. 183)
      16.2.3.1 Using Sandbox to Secure User Shells (p. 183)
        16.2.3.1.1 base.sb (p. 184)
        16.2.3.1.2 shell.sb (p. 187)
        16.2.3.1.3 sbshell (p. 188)
      16.2.3.2 Carbon Copy Cloner (p. 189)
      16.2.3.3 Securely Automating Remote rsync (p. 191)
      16.2.3.4 BIND (p. 194)
    16.2.4 The Seatbelt Framework (p. 195)
  16.3 Summary (p. 197)
17 Chapter 7 Securing Web Browsers and E-mail (p. 199)
  17.1 A Quick Note About Passwords (p. 200)
  17.2 Securing Your Web Browser (p. 201)
    17.2.1 Securing Safari (p. 201)
      17.2.1.1 Setting the Safari Security Preferences (p. 202)
      17.2.1.2 Privacy and Safari (p. 204)
      17.2.1.3 Network Administrators Configuring Safari's Security Preferences (p. 205)
    17.2.2 Securing Firefox (p. 205)
      17.2.2.1 Privacy and Firefox (p. 206)
      17.2.2.2 Master Passwords in Firefox (p. 208)
  17.3 Securely Configuring Mail (p. 212)
    17.3.1 Using SSL (p. 212)
    17.3.2 Securing Entourage (p. 215)
  17.4 Fighting Spam (p. 218)
    17.4.1 Anatomy of Spam (p. 218)
      17.4.1.1 Filtering Apple Mail for Spam (p. 219)
      17.4.1.2 Filtering with Entourage (p. 220)
      17.4.1.3 Using White Listing in Entourage (p. 221)
  17.5 Desktop Solutions for Securing E-mail (p. 223)
    17.5.1 Using PGP to Encrypt Mail Messages (p. 223)
    17.5.2 GPG Tools (p. 223)
  17.6 Using Mail Server-Based Solutions for Spam and Viruses (p. 223)
    17.6.1 Kerio (p. 224)
    17.6.2 Mac OS X Server's Antispam Tools (p. 226)
    17.6.3 CommuniGate Pro (p. 227)
  17.7 Outsourcing Your Spam and Virus Filtering (p. 228)
  17.8 Summary (p. 228)
18 Chapter 8 Malware Security: Combating Viruses, Worms, and Root Kits (p. 229)
  18.1 Classifying Threats (p. 229)
    18.1.1 The Real Threat of Malware on the Mac (p. 232)
    18.1.2 Script Malware Attacks (p. 233)
    18.1.3 Socially Engineered Malware (p. 234)
  18.2 Using Antivirus Software (p. 234)
    18.2.1 Built Into Mac OS X (p. 235)
    18.2.2 Antivirus Software Woes (p. 235)
    18.2.3 McAfee VirusScan (p. 236)
    18.2.4 Norton AntiVirus (p. 236)
    18.2.5 ClamXav (p. 237)
    18.2.6 Sophos Anti-Virus (p. 242)
    18.2.7 Best Practices for Combating Malware (p. 243)
  18.3 Other Forms of Malware (p. 244)
    18.3.1 Adware (p. 244)
    18.3.2 Spyware (p. 244)
      18.3.2.1 MacScan (p. 245)
    18.3.3 Root Kits (p. 246)
  18.4 Summary (p. 248)
19 Chapter 9 Encrypting Files and Volumes (p. 249)
  19.1 Using the Keychain to Secure Sensitive Data (p. 250)
    19.1.1 The Login Keychain (p. 250)
    19.1.2 Creating Secure Notes and Passwords (p. 253)
    19.1.3 Managing Multiple Keychains (p. 256)
  19.2 Using Disk Images as Encrypted Data Stores (p. 259)
    19.2.1 Creating Encrypted Disk Images (p. 261)
    19.2.2 Interfacing with Disk Images from the Command Line (p. 267)
  19.3 Encrypting User Data Using FileVault (p. 273)
    19.3.1 Enabling FileVault for a User (p. 276)
    19.3.2 The FileVault Master Password (p. 279)
    19.3.3 Limitations of Sparse Images and Reclaiming Space (p. 280)
  19.4 Full Disk Encryption (p. 282)
    19.4.1 Check Point (p. 283)
    19.4.2 PGP Encryption (p. 285)
    19.4.3 TrueCrypt (p. 286)
    19.4.4 WinMagic SecureDoc (p. 287)
  19.5 Summary (p. 288)
20 Part III Network Traffic (p. 290)
21 Chapter 10 Securing Network Traffic (p. 291)
  21.1 Understanding TCP/IP (p. 291)
  21.2 Types of Networks (p. 294)
    21.2.1 Peer-to-Peer (p. 294)
    21.2.2 Considerations when Configuring Peer-to-Peer Networks (p. 295)
    21.2.3 Client-Server Networks (p. 296)
  21.3 Understanding Routing (p. 297)
    21.3.1 Packets (p. 297)
      21.3.1.1 Gateways (p. 297)
      21.3.1.2 Routers (p. 298)
      21.3.1.3 Firewalls (p. 299)
  21.4 Port Management (p. 299)
  21.5 DMZ and Subnets (p. 300)
  21.6 Spoofing (p. 301)
  21.7 Stateful Packet Inspection (p. 301)
  21.8 Data Packet Encryption (p. 302)
  21.9 Understanding Switches and Hubs (p. 302)
    21.9.1 Managed Switches (p. 303)
  21.10 Restricting Network Services (p. 305)
  21.11 Security Through 802.1x (p. 306)
  21.12 Proxy Servers (p. 307)
    21.12.1 Squid (p. 308)
  21.13 Summary (p. 311)
22 Chapter 11 Setting Up the Mac OS X Firewall (p. 312)
  22.1 Introducing Network Services (p. 313)
  22.2 Controlling Services (p. 314)
  22.3 Configuring the Firewall (p. 317)
    22.3.1 Working with the Firewall in Leopard and Snow Leopard (p. 317)
  22.4 Setting Advanced Features (p. 320)
    22.4.1 Blocking Incoming Connections (p. 320)
    22.4.2 Allowing Signed Software to Receive Incoming Connections (p. 321)
    22.4.3 Going Stealthy (p. 322)
  22.5 Testing the Firewall (p. 323)
  22.6 Configuring the Application Layer Firewall from the Command Line (p. 325)
  22.7 Using Mac OS X to Protect Other Computers (p. 326)
    22.7.1 Enabling Internet Sharing (p. 326)
      22.7.1.1 Configuring Clients (p. 327)
      22.7.1.2 Dangers of Internet Sharing (p. 327)
  22.8 Working from the Command Line (p. 328)
    22.8.1 Getting More Granular Firewall Control (p. 328)
    22.8.2 Using ipfw (p. 330)
      22.8.2.1 Inspecting ipfw Rules (p. 331)
      22.8.2.2 ipfwloggerd (p. 333)
      22.8.2.3 /etc/ipfilter/ipfw.conf (p. 333)
    22.8.3 Using Dummynet (p. 334)
      22.8.3.1 Creating Pipes (p. 334)
      22.8.3.2 Pipe Masks (p. 335)
      22.8.3.3 Queues (p. 336)
  22.9 Summary (p. 337)
23 Chapter 12 Securing a Wireless Network (p. 338)
  23.1 Wireless Network Essentials (p. 338)
  23.2 Introducing the Apple AirPort (p. 340)
  23.3 Configuring Older AirPorts (p. 341)
    23.3.1 AirPort Utility (p. 343)
    23.3.2 Configuring the Current AirPorts (p. 343)
    23.3.3 Limiting the DHCP Scope (p. 346)
    23.3.4 Hardware Filtering (p. 347)
    23.3.5 AirPort Logging (p. 349)
    23.3.6 Hiding a Wireless Network (p. 350)
    23.3.7 Base Station Features in the AirPort Utility (p. 351)
    23.3.8 The AirPort Express (p. 352)
    23.3.9 Wireless Security on Client Computers (p. 352)
  23.4 Securing Computer-to-Computer Networks (p. 353)
  23.5 Wireless Topologies (p. 354)
  23.6 Wireless Hacking Tools (p. 355)
    23.6.1 KisMAC (p. 355)
    23.6.2 Detecting Rogue Access Points (p. 356)
    23.6.3 iStumbler and Mac Stumbler (p. 357)
    23.6.4 MacStumbler (p. 359)
    23.6.5 Ettercap (p. 360)
    23.6.6 EtherPeek (p. 360)
  23.7 Cracking WEP Keys (p. 360)
  23.8 Cracking WPA-PSK (p. 361)
  23.9 General Safeguards Against Cracking Wireless Networks (p. 362)
  23.10 Summary (p. 363)
24 Part IV Sharing (p. 364)
25 Chapter 13 File Services (p. 365)
  25.1 The Risks in File Sharing (p. 365)
  25.2 Peer-to-Peer vs. Client-Server Environments (p. 366)
  25.3 File Security Fundamentals (p. 366)
    25.3.1 LKDC (p. 367)
    25.3.2 Using POSIX Permissions (p. 367)
    25.3.3 Getting More out of Permissions with Access Control Lists (p. 368)
  25.4 Sharing Protocols: Which One Is for You? (p. 369)
    25.4.1 Apple Filing Protocol (p. 369)
    25.4.2 Setting Sharing Options (p. 371)
    25.4.3 Samba (p. 371)
      25.4.3.1 The SMB.conf File (p. 373)
    25.4.4 Using Apple AirPort to Share Files (p. 374)
    25.4.5 Third-Party Problem Solver: DAVE (p. 378)
    25.4.6 FTP (p. 384)
  25.5 Permission Models (p. 386)
  25.6 Summary (p. 387)
26 Chapter 14 Web Site Security (p. 388)
  26.1 Securing Your Web Server (p. 388)
    26.1.1 Introducing the httpd Daemon (p. 389)
    26.1.2 Removing the Default Files (p. 390)
    26.1.3 Changing the Location of Logs (p. 390)
    26.1.4 Restricting Apache Access (p. 391)
    26.1.5 Run on a Nonstandard Port (p. 391)
    26.1.6 Use a Proxy Server (p. 392)
    26.1.7 Disable CGI (p. 392)
    26.1.8 Disable Unnecessary Services in Apache (p. 392)
  26.2 PHP and Security (p. 393)
    26.2.1 Securing PHP (p. 393)
    26.2.2 Tightening PHP with Input Validation (p. 394)
  26.3 Taming Scripts (p. 395)
    26.3.1 Securing Your Perl Scripts (p. 395)
  26.4 Securing robots.txt (p. 397)
    26.4.1 Blocking Hosts Based on robots.txt (p. 397)
  26.5 Protecting Directories (p. 398)
    26.5.1 Customizing Error Codes (p. 399)
    26.5.2 Using .htaccess to Control Access to a Directory (p. 400)
  26.6 Tightening Security with TLS (p. 402)
  26.7 Implementing Digital Certificates (p. 402)
  26.8 Protecting the Privacy of Your Information (p. 403)
    26.8.1 Protecting from Google? (p. 404)
    26.8.2 Enumerating a Web Server (p. 405)
  26.9 Securing Files on Your Web Server (p. 406)
    26.9.1 Disabling Directory Listings (p. 407)
    26.9.2 Uploading Files Securely (p. 408)
  26.10 Code Injection Attacks (p. 408)
    26.10.1 SQL Injection (p. 408)
    26.10.2 Cross Site Scripting (p. 408)
    26.10.3 Protecting from Code Injection Attacks (p. 409)
  26.11 Summary (p. 409)
27 Chapter 15 Remote Connectivity (p. 411)
  27.1 Remote Management Applications (p. 412)
    27.1.1 Apple Remote Desktop (p. 412)
    27.1.2 Screen Sharing (p. 412)
      27.1.2.1 Enabling Screen Sharing (p. 413)
    27.1.3 Implementing Back to My Mac (p. 414)
    27.1.4 Configuring Remote Management (p. 415)
      27.1.4.1 Enabling Remote Management (p. 415)
  27.2 Using Timbuktu Pro (p. 418)
    27.2.1 Installing Timbuktu Pro (p. 418)
    27.2.2 Adding New Users (p. 419)
    27.2.3 Testing the New Account (p. 420)
  27.3 Using Secure Shell (p. 422)
    27.3.1 Enabling SSH (p. 422)
    27.3.2 Further Securing SSH (p. 423)
  27.4 Using a VPN (p. 424)
    27.4.1 Connecting to Your Office VPN (p. 424)
    27.4.2 Setting Up L2TP (p. 425)
    27.4.3 Setting Up PPTP (p. 426)
    27.4.4 Connecting to a Cisco VPN (p. 427)
    27.4.5 PPP + SSH = VPN (p. 429)
      27.4.5.1 Setting Up the VPN Account (p. 429)
      27.4.5.2 Setting Up SSH (p. 430)
      27.4.5.3 Setting Up PPP (p. 431)
      27.4.5.4 Configuring Routing (p. 432)
      27.4.5.5 Disconnecting (p. 432)
  27.5 Summary (p. 432)
28 Chapter 16 Server Security (p. 433)
  28.1 Limiting Access to Services (p. 433)
  28.2 The Root User (p. 435)
  28.3 Foundations of a Directory Service (p. 435)
    28.3.1 Defining LDAP (p. 435)
    28.3.2 Kerberos (p. 436)
      28.3.2.1 Kerberos Deconstructed (p. 436)
  28.4 Configuring and Managing Open Directory (p. 438)
    28.4.1 Securing LDAP: Enabling SSL (p. 441)
    28.4.2 Securing Open Directory Accounts by Enabling Password Policies (p. 442)
    28.4.3 Securing Open Directory Using Binding Policies (p. 445)
    28.4.4 Securing Authentication with PasswordServer (p. 447)
    28.4.5 Securing LDAP by Preventing Anonymous Binding (p. 449)
    28.4.6 Securely Binding Clients to Open Directory (p. 451)
    28.4.7 Further Securing LDAP: Implementing Custom LDAP ACLs (p. 454)
    28.4.8 Creating Open Directory Users and Groups (p. 454)
    28.4.9 Securing Kerberos from the Command Line (p. 458)
    28.4.10 Managed Preferences (p. 459)
    28.4.11 Securing Managed Preferences (p. 461)
    28.4.12 Providing Directory Services for Windows Clients (p. 463)
    28.4.13 Active Directory Integration (p. 464)
      28.4.13.1 Using the AD-Plugin (p. 465)
      28.4.13.2 Setting Up Network Homes with Active Directory Clients (p. 466)
      28.4.13.3 Using the AD-Plugin from the Command Line (p. 467)
      28.4.13.4 Integrating Open Directory with Active Directory: Dual Directory (p. 468)
  28.5 Web Server Security in Mac OS X Server (p. 469)
    28.5.1 Using Realms (p. 469)
    28.5.2 SSL Certs on Web Servers (p. 471)
  28.6 File Sharing Security in OS X Server (p. 473)
    28.6.1 A Word About File Size (p. 475)
    28.6.2 Securing NFS (p. 475)
    28.6.3 AFP (p. 476)
      28.6.3.1 AFP Authentication Options (p. 477)
      28.6.3.2 Kerberized AFP (p. 478)
      28.6.3.3 AFP Logging (p. 479)
    28.6.4 SMB (p. 480)
    28.6.5 FTP (p. 481)
  28.7 Wireless Security on OS X Server Using RADIUS (p. 481)
  28.8 DNS Best Practices (p. 483)
  28.9 SSL (p. 484)
    28.9.1 Reimporting Certificates (p. 485)
  28.10 SSH (p. 485)
  28.11 Server Admin from the Command Line (p. 487)
  28.12 iChat Server (p. 487)
  28.13 Securing the Mail Server (p. 488)
    28.13.1 Limiting the Protocols on Your Server (p. 489)
  28.14 Proxying Services (p. 490)
  28.15 Summary (p. 491)
29 Part V Securing the Workplace (p. 492)
30 Chapter 17 Network Scanning, Intrusion Detection, and Intrusion Prevention Tools (p. 493)
  30.1 Scanning Techniques (p. 493)
    30.1.1 Fingerprinting (p. 494)
    30.1.2 Enumeration (p. 496)
    30.1.3 Vulnerability and Port Scanning (p. 497)
      30.1.3.1 nmap (p. 497)
      30.1.3.2 Running a SYN/Stealth Scan (p. 499)
      30.1.3.3 Other nmap Scans (p. 500)
  30.2 Intrusion Detection and Prevention (p. 500)
    30.2.1 Host Intrusion Detection System (p. 501)
      30.2.1.1 Tripwire (p. 501)
      30.2.1.2 Tripwire Installation (p. 501)
    30.2.2 Network Intrusion Detection (p. 502)
      30.2.2.1 Snort from the Command Line (p. 502)
      30.2.2.2 Honeypots (p. 504)
  30.3 Security Auditing on the Mac (p. 505)
    30.3.1 Nessus (p. 505)
      30.3.1.1 Installing Nessus (p. 505)
      30.3.1.2 Running a Scan (p. 508)
    30.3.2 Metasploit (p. 509)
    30.3.3 SAINT (p. 511)
      30.3.3.1 Installation (p. 511)
  30.4 Summary (p. 512)
31 Chapter 18 Backup and Fault Tolerance (p. 513)
  31.1 Time Machine (p. 514)
    31.1.1 Restoring Files from Time Machine (p. 518)
    31.1.2 Using a Network Volume for Time Machine (p. 519)
  31.2 SuperDuper (p. 520)
  31.3 Backing Up to MobileMe (p. 521)
  31.4 Retrospect (p. 525)
    31.4.1 Configuring a Backup (p. 527)
    31.4.2 Grooming Scripts (p. 533)
    31.4.3 Utility Scripts (p. 535)
    31.4.4 Checking Your Retrospect Backups (p. 536)
  31.5 Using Tape Libraries (p. 538)
  31.6 Backup vs. Fault Tolerance (p. 539)
    31.6.1 Fault-Tolerant Scenarios (p. 539)
    31.6.2 Round-Robin DNS (p. 540)
    31.6.3 Load-Balancing Devices (p. 541)
    31.6.4 Cold Sites (p. 541)
    31.6.5 Hot Sites (p. 542)
  31.7 Backing Up Services (p. 542)
  31.8 Summary (p. 543)
32 Chapter 19 Forensics (p. 545)
  32.1 Incident Response (p. 546)
  32.2 MacForensicsLab (p. 547)
    32.2.1 Installing MacForensicsLab (p. 547)
    32.2.2 Using MacForensicsLab (p. 552)
    32.2.3 Image Acquisition (p. 554)
    32.2.4 Analysis (p. 556)
    32.2.5 Salvage (p. 559)
    32.2.6 Performing an Audit (p. 562)
    32.2.7 Reviewing the Case (p. 562)
    32.2.8 Reporting (p. 563)
  32.3 Other GUI Tools for Forensic Analysis (p. 564)
  32.4 Forensically Acquiring Disk Images (p. 565)
  32.5 Tools for Safari (p. 565)
  32.6 Command-Line Tools for Forensic Analysis (p. 566)
  32.7 Summary (p. 566)
33 Appendix A Xsan Security (p. 567)
  33.1 Metadata (p. 568)
  33.2 Fibre Channel (p. 569)
  33.3 Affinities (p. 569)
  33.4 Permissions (p. 569)
  33.5 Quotas (p. 570)
  33.6 Other SAN Solutions (p. 570)
34 Appendix B InfoSec Acceptable Use Policy (p. 571)
  34.1 1.0 Overview (p. 571)
  34.2 2.0 Purpose (p. 571)
  34.3 3.0 Scope (p. 572)
  34.4 4.0 Policy (p. 572)
    34.4.1 4.1 General Use and Ownership (p. 572)
    34.4.2 4.2 Security and Proprietary Information (p. 573)
    34.4.3 4.3 Unacceptable Use (p. 574)
      34.4.3.1 System and Network Activities (p. 574)
      34.4.3.2 Email and Communications Activities (p. 575)
    34.4.4 4.4 Blogging (p. 576)
  34.5 5.0 Enforcement (p. 577)
  34.6 6.0 Definitions (p. 577)
    34.6.1 Term Definition (p. 577)
  34.7 7.0 Revision History (p. 577)
35 Appendix C CDSA (p. 578)
36 Appendix D Introduction to Cryptography (p. 580)
37 Index (p. 584)