Setup guide

UNCLASSIFIED
Chapter 1 - Scope of Guidance

Apple’s Mac OS X operating system is very versatile, and can be used not only as a
client workstation, but also to manage entire networks of machines and users. Apple
offers two versions of the operating system: Mac OS X and Mac OS X Server.

The two products offer many of the same administration and configuration features.
The server version provides additional tools designed to assist the administrator in
managing networks of computers and users, including other environments such as
Windows and other UNIX-based systems. The default configuration for Mac OS X
Server is not as “locked-down” from a security standpoint as Mac OS X. This is by
design, since a server being used to administer an entire network will typically need
more services available.

The goal of this guidance is to provide instruction on securing a locally-administered
Mac OS X system, including the management of user accounts on that system. The
guidance concentrates on providing the information needed to configure and use a
single Mac OS X system in a secure manner. This does not preclude addressing
some networking issues; this guidance will address those networking issues that
would most commonly be needed by a locally-administered Mac OS X system that
will occasionally or regularly connect to either the Internet or a local area network.

This configuration guidance may not be valid if the machine is managed by other
systems, Mac OS X or otherwise. Although the guidance may be valid by itself,
implementing some of the recommendations might result in interoperability
problems between the system and any server managing it.

Guidance in this document is geared towards a locally-administered Mac OS X
system. Guidance contained here may not be applicable to Mac OS X Server or to a
Mac OS X network.

Additionally, the guidance in this document is geared towards allowing the user to
change his password. As there is currently no way in a Mac OS X standalone system
of enforcing strong passwords or of forcing the user to periodically change his
password, this could result in passwords on a system never being changed, and being
easily guessable. This is especially true for locally-administered laptops, which will
likely have little administrative oversight. If the risk from a user’s password never
being changed is greater than the difficulties and risks introduced by not allowing a
user to change his password, each user should be restricted from changing his
password. Restricting a user's ability to change his password causes the system to
require an administrator's password to change a user password. For this
solution, the administrator should regularly schedule password changes with each