UNCLASSIFIED
Report Number: I331-003R-2005
Apple Mac OS X Server v10.3.x “Panther” Security Configuration Guide
Systems and Network Attack Center (SNAC)
National Security Agency
9800 Savage Rd. Ft.
Warnings
• Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment.
• This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment.
• Furthermore this guide does not address site-specific configuration issues.
• Care must be taken when implementing this guide to address local operational and policy concerns.
Trademark Information
Apple, Macintosh, Mac OS X, and “Panther” are either registered trademarks or trademarks of the Apple Computer Corporation in the U.S.A. and other countries. All other names are registered trademarks or trademarks of their respective companies.
Table of Contents
Warnings ii
Trademark Information iii
Table of Contents iv
Introduction 1
Getting the Most from this Guide
3.9 Logon Warning Banners 23
3.10 Auditing and Log File Configuration 24
3.10.1 Configuring syslogd 24
3.10.2 Local Logging 25
3.10.3 Remote Logging
4.9.2 Configure OpenSSH 47
4.10 Exporting File Systems 48
4.10.1 Disable File Sharing 49
4.10.2 Choosing a File Sharing Protocol 49
4.10.3 Configuring the File Sharing Protocols
Introduction The purpose of this guide is to provide an overview of Mac OS X Server v10.3 operating system security and recommendations for configuring its security features. This guide tries to provide recommendations for many different roles a Mac OS X Server system can assume in a network. This guide is intended for administrators of Apple Mac OS X Server v10.3.
Scope of Guidance Apple’s Mac OS X operating system is very versatile and can be used not only as a client workstation, but also to manage and serve entire networks of machines and users. Apple offers two versions of the operating system: Mac OS X and Mac OS X Server. The two products offer many of the same administration and configuration features.
1. Introduction to Mac OS X Server Security Mac OS X Server combines the GUI-based, user-friendly features of the Macintosh operating system with the underlying foundation of a BSD Unix system. This chapter provides an overview of features in Mac OS X Server that can be used to enhance security in a networked environment. Mac OS X Server 10.3.x has the same basic architecture as Mac OS X, but adds a number of tools to facilitate administration of multiple machines, services, and users.
1.2 Centralized Client Settings Management Although system preferences on Mac OS X client systems can be set individually by an administrator, these settings should be centrally managed by Mac OS X Server whenever possible. Centralizing client system preferences enhances security by enforcing the most secure settings on all systems.
2. Network Architecture Careful planning that incorporates security concerns must precede deployment of Mac OS X Server in any network architecture. Apple’s Mac OS X Server Administrative guides at http://www.apple.com/server/documentation provide worksheets to assist in this process. Providing adequate isolation of the site network from the outside world and properly separating functions for the computers within the site network are basic security goals in designing a network.
should be as restrictive as possible. Only administrative users should be able to log directly onto a directory server. Examples of directory services are: Apple’s LDAP-based Open Directory Server included with Mac OS X Server, Microsoft’s Active Directory, and Sun’s NIS/NIS+. A typical network also includes servers for network services such as e-mail, file sharing, logging, and web. To the maximum extent possible, each network service should be hosted on a separate server.
3. Basic Installation and Configuration Although secure configuration of an existing Mac OS X Server installation is possible, securely configuring a fresh installation is much simpler. This may not always be practical, but it is the recommended way to configure Mac OS X Server. If this guide is being used to configure a previously installed server, the Installation section of this chapter, which discusses installing a new machine from CD, will not apply for the most part.
The installation process will destroy all information on the hard drive. If any information on the system should be retained, it should be backed up before beginning this installation. When backing up and restoring any information, the following guidelines should be used: • Only user files and data should be saved and later restored; restoring system settings or previous accounts may change the system configuration specified in this guidance.
• Erase and format the drive using either the Mac OS Extended (Journaled) or the Mac OS Extended (Case-sensitive/Journaled) option. • Quit Disk Utility when finished. 2. When the installation program asks for the destination volume, select the drive or partition where Server is to be installed. If this drive or partition was formatted in step 1 above, continue the installation.
11. For now, the “Set directory usage” setting on the Directory Usage screen should be set to Standalone Server to simplify the installation process. The type of directory usage depends on the role of the server being installed. The directory usage will be fully set up later in the guidance. 12. On the Services screen, do not enable any services yet. The services that should be enabled depend on the role of the server being installed. Each service should be configured carefully before activation.
Updates can be downloaded from http://www.apple.com/support/downloads using a machine designated specifically for downloading and verifying updates, and should be copied to a disk for installation. The download should be done separately so that file integrity can be verified before the updates are installed. Administrators should note that updates provided through the Software Update utility might sometimes appear earlier than the standalone updates.
3.5 Configuring System Preferences Basic system configuration follows the installation of the operating system and its updates. All system configuration guidance given in this chapter should be performed from an administrator’s account. The System Preferences program provides a graphical interface for controlling many of the system security features.
3.5.3 Bluetooth The Bluetooth panel in the System Preferences program facilitates configuration of that wireless communications standard, used by devices such as wireless keyboards, wireless mice, and cellular phones. This panel will not appear on machines not equipped with Bluetooth hardware support. If this icon does not appear in the System Preferences panel of the machine being configured, skip to the next section.
4. Uncheck the checkbox in front of the Wake when the modem detects a ring option to disable it. 5. Uncheck the checkbox in front of the Wake for Ethernet network administrator access option to disable it. 6. Uncheck the checkbox in front of the Allow power button to sleep the computer option to disable it. 7. Uncheck the checkbox in front of the Restart automatically if the computer “freezes” option to disable it.
3.5.7 Network AirPort and Bluetooth wireless connectivity options should be turned off. They will only be present in the panel if supporting hardware is installed on the system. To configure the network settings: 1. Open the Network panel in System Preferences. 2. Pull down the Show menu and select Network Status. 3. For each active interface in the status list, double-click the interface entry to edit it, click on “Configure IPv6…,” and make sure the selection for “Configure IPv6:” is set to “Off.”
• Remote Apple Events: This service enables the machine to respond to Apple events from other computers, which may present security risks. Configuring this capability is out of scope for this guide and it should remain disabled. 3.5.9 Accounts The Accounts option in System Preferences allows administrators to create and configure local user accounts. On a Mac OS X Server system, the only accounts configured here should be for the system administrators. To edit Accounts settings:
3.5.11 Software Update Software updates should not be performed automatically. All update downloads should be conducted on a machine other than the one being configured. The Software Update feature should be configured as follows: 1. Open System Preferences and click on the Software Update icon. 2. Uncheck the box in front of Check for updates.
b. Uncheck the box for “Cache last user logon for offline operation” unless it is required. c. Uncheck the box for “Authenticate in multiple domains” unless it is required. d. When the entry is complete, click OK to close the dialog box and return to the main window. 6. Click the Authentication tab. a. In the Search: pop-up menu, select Custom path. b. Click the Add… button to bring up a dialog box. c. Add only the directories necessary. 7. Click Apply.
should be changed. Second, any necessary modifications to the root account should be performed. 3.8.1 Restricting Administrator’s Home Folder Permissions The permissions on the home folder of the just-created administrator account allow any user who logs into the system to browse its contents. To change the permissions on the administrator’s home folder, issue the following command in a Terminal window, where is the name of the account.
has been set for root. (Which of these appear as the value for passwd depends upon how the root account was enabled.) 8. Type a single asterisk (“*”), replacing the current value of the passwd property. 9. Click the lock icon in the lower left corner of the NetInfo Manager window to re-lock the window. 10. When the Confirm Modification dialog box appears, select Update this copy. 11. Quit the NetInfo Manager application. There is a timeout value associated with the sudo command.
3.8.3 Securing Single-User Boot On Apple systems running Mac OS X, Open Firmware is the software executed immediately after the computer is powered on. This boot firmware is analogous to the BIOS on an x86-based PC. To prevent users from obtaining root access by booting into single user mode or booting from alternate disks, the Open Firmware settings should be altered. For desktop systems, the Open Firmware security mode should be set to command. To configure the Open Firmware settings: 1.
Open Firmware protection can be violated if the user has physical access to the machine; If the user changes the physical memory configuration of the machine and then resets the PRAM 3 times (holding down -option-P-R during boot,) the Open Firmware password will be disabled. An Open Firmware password will provide some protection although it can be reset if a user has physical access to the machine and can change the physical memory configuration of the machine.
openssl passwd -salt A hash of the password will be displayed after executing the command. 4. Type or paste the password hash where the asterisk was deleted in step 2. 5. Exit, saving changes. 3.9 Logon Warning Banners A logon banner can be used to provide notice of the system’s ownership, give legal warning to unauthorized users, and remind authorized users of their consent to monitoring. The text displayed in the logon banner should be determined by site policy.
To provide a logon warning banner to users logging into remote services on the system: 1. Open the file /etc/motd as an administrator. 2. Enter the warning banner that has been approved. 3. Exit, saving changes. The warning banner should appear for the next person logging into a remote service. Note that /etc/motd is displayed only after a successful login; to present the banner before the user authenticates over SSH, set the Banner directive in sshd_config to a file containing the same text (see the OpenSSH section of chapter 4). 3.10 Auditing and Log File Configuration Apple includes a graphical program, Console, to view and maintain log files. Console is found in the /Applications/Utilities folder.
mail.emerg	/var/log/mail.log
The facility and priority are separated by only a period, and these are separated from the action by one or more tabs. Wildcards (“*”) may also be used in the configuration file. The following example line logs all messages of any facility or priority to the file /var/log/all.log:
*.*	/var/log/all.log
3.10.2 Local Logging The default configuration in /etc/syslog.conf is appropriate for a Mac OS X Server system if a remote log server is not available.
#minute	hour	mday	month	wday	who	command
15	12	*	*	2	root	periodic weekly
3.10.3 Remote Logging Using remote logging in addition to local logging is strongly recommended for any server system because local logs can easily be altered if the system is compromised. Several security issues must also be considered when making the decision to use remote logging. First, the syslog process sends log messages in the clear, which could expose sensitive information.
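The selector rules described in 3.10.1 (a facility.priority pair matches that priority and everything more severe, “*” matches all, “none” excludes a facility, and a later selector on the same line overrides an earlier one for the same facility) and the remote forwarding discussed in 3.10.3 can be checked on paper before /etc/syslog.conf is edited. The following Python program is an added example, not code from this guide or from Apple: it evaluates a constructed syslog.conf (the file contents, the host name loghost.example.com and the sample messages are invented for the demonstration) and reports which actions each message reaches and which destinations forward in the clear.

```python
"""Evaluate syslog.conf selectors the way BSD syslogd does (added example)."""
import re

# Priority names in ascending severity; "fac.prio" matches prio and above.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def priority_index(name):
    """Numeric rank of a priority name, accepting the common aliases."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_syslog_conf(text):
    """Parse syslog.conf text into a list of (selectors, action) rules.

    selectors is a list of (facility, priority) pairs in the order written;
    priority is a name, '*' (everything) or 'none' (exclude the facility).
    The real file separates selector and action with tabs; any whitespace
    is accepted here. Lines starting with '#' are comments.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\s+", line, maxsplit=1)
        if len(fields) != 2:
            raise ValueError("selector without action: %r" % raw)
        selector_field, action = fields
        selectors = []
        for selector in selector_field.split(";"):
            if "." not in selector:
                raise ValueError("selector without priority: %r" % selector)
            facilities, priority = selector.rsplit(".", 1)
            for facility in facilities.split(","):
                selectors.append((facility, priority))
        rules.append((selectors, action))
    return rules


def effective_priority(selectors, facility):
    """Minimum priority that one rule line applies to `facility`.

    Selectors are applied left to right; a later selector naming the same
    facility (or '*') overrides an earlier one, which is what makes
    '*.info;mail.none' deliver everything except mail. None means the
    line does not mention the facility at all.
    """
    threshold = None
    for fac, prio in selectors:
        if fac == "*" or fac == facility:
            threshold = prio
    return threshold


def actions_for(rules, facility, priority):
    """Actions (files, '@host' forwards, '*' for all logged-in users) reached."""
    rank = priority_index(priority)
    reached = []
    for selectors, action in rules:
        threshold = effective_priority(selectors, facility)
        if threshold in (None, "none"):
            continue
        if threshold == "*" or rank >= priority_index(threshold):
            reached.append(action)
    return reached


def remote_destinations(rules):
    """Hosts named by '@host' actions; these receive copies over UDP/514 in the clear."""
    return [action[1:] for _, action in rules if action.startswith("@")]


# Constructed configuration for the demonstration (not the Panther default file).
SAMPLE_CONF = (
    "# constructed syslog.conf for the example\n"
    "*.notice;authpriv,remoteauth,ftp.none;kern.debug;mail.crit\t/var/log/system.log\n"
    "authpriv.*;remoteauth.crit\t/var/log/secure.log\n"
    "mail.*\t/var/log/mail.log\n"
    "*.emerg\t*\n"
    "*.*\t@loghost.example.com\n"
)


def demo():
    """Resolve a few sample messages against SAMPLE_CONF."""
    rules = parse_syslog_conf(SAMPLE_CONF)
    return {
        "mail.err": actions_for(rules, "mail", "err"),
        "authpriv.info": actions_for(rules, "authpriv", "info"),
        "kern.debug": actions_for(rules, "kern", "debug"),
        "daemon.info": actions_for(rules, "daemon", "info"),
        "remote": remote_destinations(rules),
    }


if __name__ == "__main__":
    for message, actions in demo().items():
        print(message, "->", actions)
```

Running the program shows that a mail.err message lands only in mail.log and on the remote host (mail.crit on the first line raises the threshold for mail above the line's *.notice), while an authpriv.info message is kept out of system.log by the authpriv.none exclusion. Any non-empty result from remote_destinations is a reminder that those copies cross the network unencrypted, which is the first issue 3.10.3 raises.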
to meet site security policy. Consult operational policy to determine if this method is adequate. 1. Open the folder /System/Library/Extensions. 2. To remove AirPort support, drag the following files to the Trash: AppleAirPort.kext AppleAirPort2.kext AppleAirPortFW.kext 3. To remove support for Bluetooth, drag the following files to the Trash: IOBluetoothFamily.kext IOBluetoothHIDDriver.kext 4.
root access is required to do these steps, and incorrectly entering a folder name could result in removal of the Mac OS X operating system or all Mac OS X applications. Note that the files listed below may not appear on all systems. Following the instructions below will disable Classic Mode and no users will be able to run Mac OS 9 applications. To remove Mac OS 9 and Mac OS 9 applications and files, do the following as an administrator: 1.
placed correctly, the Applications folder could be deleted. 11. Restart the system.
4. Securing Network Services Mac OS X Server includes software packages to provide many network services, many of which are based on open-source projects. Although Apple provides configuration tools, completely and securely configuring many of these packages demands familiarization with their project documentation. 4.1 Securing the DNS Service Mac OS X Server includes an installation of BIND 9.2 (Berkeley Internet Name Daemon) for use as domain name server software.
3. Click the Settings tab. 4. Uncheck the boxes for “Zone transfers” and “Recursion.” 5. Click Save. If your site requires recursion, we recommend allowing recursive queries only from trusted clients and not from any external networks. Zone transfers, if needed, should be set up so that they only occur between trusted servers. This requires manually editing the BIND configuration files, which is covered in the references.
1. Open Server Admin. 2. Click the name of the server you’re configuring. 3. Click the Advanced Tab under Settings. 4. Uncheck the boxes for “Enable NTP,” “Enable SNMP,” and “Enable Macintosh Manager” unless they are required. 4.3 DHCP Service Mac OS X Server includes dynamic host configuration protocol (DHCP) server software, which allows it to distribute IP addresses, LDAP server information, and DNS server information to clients. Using DHCP is not recommended.
11. Click the back arrow on the top right, and repeat from step 4 for any other subnets. 12. Click Save. 4.4 Enabling the Secure Sockets Layer The Secure Sockets Layer (SSL) is a protocol that allows encrypted network communications, providing protection to data such as e-mail and web transactions. Mac OS X includes SSL support and using SSL is recommended whenever possible. The SSL implementation shipped with Mac OS X is an open-source project called OpenSSL (http://www.openssl.org).
steps for doing this vary by vendor but are outlined in the “Setting up SSL” section of Apple’s “Mac OS X Server Web Technologies Administration” manual. Once the certificates have been obtained, configuration of the services is the same whether they were purchased from a vendor or signed by your own CA. If you are setting up an internal network and only need to encrypt local traffic, set up a CA to sign SSL certificates for the internal network. The next sections describe this process.
sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt When prompted, enter a strong passphrase for the key, as well as these fields: Country Name: Organizational Unit: State or Province Name: Common Name: Locality Name (city): Email Address: Organization Name: These fields should be filled out as accurately as possible, but those that don't apply may be left blank. At least one field must be filled in. This creates a self-signed certificate called ca.crt, using the keys in ca.
When prompted, enter a strong, unique passphrase to protect the web server key pair. Next, generate a Certificate Signing Request (CSR) for the CA: sudo openssl req -new -key webserver.key -out webserver.csr Enter the passphrase for the web server key pair and then fill out the following fields as completely as possible: Country Name: Organizational Unit: State or Province Name: Common Name: Locality Name (city): Email Address: Organization Name: The Common Name field is critically important.
Now create the CSR with the mail server key: sudo openssl req -new -key mailserver.key -out mailserver.csr Fill out the following fields as completely as possible: Country Name: Organizational Unit: State or Province Name: Common Name: Locality Name (city): Email Address: Organization Name: The Common Name field is critically important. It must match the domain name of the mail server exactly or the certificate will not work. Sign mailserver.csr as follows: openssl ca -in mailserver.
Leave the challenge password and an optional company name blank. Sign the ldapserver.csr request: sudo openssl ca -in ldapserver.csr -out ldapserver.crt When prompted, enter the CA passphrase to continue and complete the process. The certificate files needed to enable SSL on the LDAP server are now in the /usr/share/certs directory. As described in the “Securing Open Directory Service” section, some of these files will need to be moved to the LDAP server. 4.4.
4.5.1 Configure Role The Open Directory service can act in one of four different roles: Standalone Server, Open Directory Master, Connected to a Directory System, and Open Directory Replica. A Mac OS X Server system that does not participate in a directory domain (and only authenticates users using its own local directory) should have its role set to Standalone Server so that it does not engage in unnecessary network communications.
certificates as discussed in “Creating an SSL Certificate for LDAP Services,” this can be accomplished as follows: a. Copy the files ldapserver.crt, ldapserver.key, and ca.crt from the CA to the /System/Library/OpenSSL/certs directory on the LDAP server. Use a removable medium such as a CD or USB Flash memory; do not copy the files over the network. b. Enter the location for the ldapserver.crt file in the “SSL Certificate” field. c. Enter the location for the ldapserver.key file in the “SSL Key” field. d.
not intended to be a web server. Second, secure web administration demands scrutiny of some basic configuration settings. Third, SSL encryption should be used to encrypt any sensitive web traffic. Securely configuring all features of the Apache Web Server is beyond the scope of this document. Apple’s “Mac OS X Server Web Technologies Administration” manual provides an introduction to basic web services on Mac OS X and security issues involved. The Apache project web page (http://www.apache.
4.6.
4. Do the same thing for the server.key file and the ca.crt file, next to the Key File and CA File entries, respectively. 5. In Server Admin, click on the Options tab, and make sure the Performance Cache is disabled for this SSL site. The Performance Cache may cause problems with the SSL authentication. 6. Click Save. The web server should now accept SSL connections on the port specified. 4.
4.7.2 Configure SSL Support If any e-mail services are required, their communications should be protected by SSL. Enabling SSL for incoming (IMAP and POP) and outgoing (SMTP) mail service will encrypt communications between the mail server and its clients, protecting clients from eavesdroppers on the local network. 4.7.2.1 Install Mail Server Certificates If you’re running an outgoing mail service and have decided to act as your own CA as described in “Enabling Secure Sockets Layer,” copy the mailserver.
Mail clients must be set up to use SSL connections. Configuring an active mail server in the manner described will cause a loss of service until the clients are reconfigured. Setting the “Use” option for a small period of time to allow clients to switch before "Require" is set may help them avoid a denial of service. 4.7.3 Configure Authentication Support Authentication support will protect users’ passwords as they travel across the network.
3. To update Postfix to use the new alias, issue the command: newaliases 4.7.5 Disable the SMTP Banner The SMTP banner provides information about the mail server software running on the system that could be useful to an attacker. To remove this information and replace it with a warning banner: 1. Open /etc/postfix/main.cf in a text editor. 2. Make sure any lines beginning with smtpd_banner are commented out, and add the following line: smtpd_banner = “Unauthorized use is prohibited.” 4.
or match a single host like this: -a 192.168.1.23/32 It is also possible to specify hostnames or domain names instead of IP addresses, but this is not recommended. To configure Mac OS X Server as a log server that accepts log messages from other systems on the network: 1. Open /etc/rc and locate the line that reads: /usr/sbin/syslogd -s -m 0 2. Replacing the address after -a with your site’s network, change the line to: I/usr/sbin/syslogd –n -a 192.168.1.0/24 The –n option disables DNS lookups. 3.
also accessible at /etc/sshd_config because /etc is a symbolic link to /private/etc). To implement recommended settings: 1. Open /private/etc/sshd_config. 2. Locate the “Authentication” section. 3. To disable root login via SSH (forcing the administrator to use su or sudo to obtain root privileges), change the PermitRootLogin line to: PermitRootLogin no 4.
System (NFS), Microsoft Windows’ Server Message Block (SMB), and File Transfer Protocol (FTP). Each of these protocols is appropriate for certain situations. 4.10.1 Disable File Sharing File sharing services should be disabled unless it is necessary for the system to share files stored on it. To disable file sharing services: 1. Open Workgroup Manager and connect to the server you’re configuring. 2.
server and client is not at risk for eavesdropping. Generally, use of SMB is not recommended. NFS is a common file sharing protocol for UNIX computers. NFS does not perform authentication of its clients; it grants access based on client IP address and file permissions. Using NFS can be appropriate if the client computer administration and the network are trusted. Generally, use of NFS is not recommended. FTP should generally not be used for file sharing.
Permissions on share points set as user home directories are particularly important. By default, users’ home directories are set to allow any other user to read its contents. To restrict a user’s home directory to allow only that user (i.e. the owner) to read its contents, issue the command: sudo chmod 700 /Users/ If necessary, an argument of 750 would allow other members of the group owning the folder to read and search its contents.
18. Under Error Log, select “Archive every X days.” according to site policy or operational need. 19. Click the Idle Users tab at the top of the pane. The following Idle Users settings are suggested, but can be overridden by any operational need: 20. Set the frequency • Uncheck the box for “Allow clients to sleep X hours.” • Check the box “Disconnect idle users after X minutes” and enter a value into the text field to mitigate risk from a system accidentally left unattended.
10. Change the Detail: to at least medium in order to capture authentication failures. 11. Click the Advanced tab. 12. Under Services, uncheck Workgroup Master Browser and Domain Master Browser unless these services are operationally required. 13. Select Off for WINS registration. 4.10.3.5 Configuring the FTP Server If authentication of users is possible, the SFTP portion of the SSH protocol should be used instead of the FTP server to securely transmit files to and from the server.
13. Check the box for "Show Banner Message" and enter a banner message in accordance with site policy. Do not reveal any software information, such as operating system type or version, in the banner. 14. Click on the Logging tab. 15. Check all boxes on this screen. Even though authenticated users will not be allowed to log in, their attempts should be logged in order to take corrective action. 16. Click on the Advanced tab. 17. Set "Authenticated users see:" to FTP Root and Share Points.
4. Select the Protocols tab. 5. In the pop-up menu in the window pane, select NFS Export Settings. Given that the item is to be exported via NFS, “Export this item and its contents” should be checked. 6. Make sure that the Computer list is as restrictive as possible. Exporting only a particular list of clients is recommended. To do this, select “Client” from the pop-up menu and then click “Add” to add each IP addresses.
4.11.1 Configure the IP Firewall Settings To configure the Firewall Service locally: 1. Open Server Admin. 2. Click Firewall in the list for the server you’re logged into. 3. Click Settings. 4. Click on the “any” item in the IP Address Group column to show services available to any other host, which will appear in the right column.
10. Keeping the Server Admin program open, add the following lines to /etc/ipfilter/ipfw.conf (substituting $MY_IP, $TIME_SERVER, and $DNS_SERVER appropriately): add 02000 allow ip from $MY_IP to any out #this allows our system to send packets out add 03000 allow icmp from any to any #allow icmp messages (e.g.
5. User and Client Management Mac OS X Server’s Workgroup Manager program allows administrators to enforce system settings on a user, group or computer level. Apple’s “Mac OS X Server User Management for version 10.3.3 or later” manual provides detailed instructions on this process, including the important planning stages.
days that would indicate the user no longer needs the account. Check the box for “after _ failed attempts” and enter 3 or whatever is required by site policy. Check the box for Minimum password length and enter 12 in the text field. Check the box for “Allow the user to change the password.” Check the box for “Require a change at next login” to force the user to select a password at his first login to replace whatever password the administrator initially assigned.
these preferences at all levels is recommended in case one level is accidentally left unset. Preferences must be applied to each computer list, group account, and user account, although applying preference settings to multiple computers, groups, or accounts is possible. Preferences can be set for Applications, Classic, Dock, Energy Saver, Finder, Internet, Login, Media Access, Mobile Accounts, Printing, System Preferences, and Universal Access.
Uncheck the box for “User may press Shift to keep items from opening” to prevent users from disabling any automatic launches. Click the Login Options tab. Click the “Always” radio button in the “Manage these settings” list. For “Display Login Window as:” select “Name and password text fields.” Uncheck the box for “Show Restart Button in the Login Window.” Uncheck the box for “Show Shut Down Button in the Login Window.” Uncheck the box for “Show password hint after 3 attempts to enter a password.
Check the boxes for Appearance, Dock, Exposé, Security, Keyboard & Mouse, and Universal Access. Desktop & Screen Saver should remain unchecked in order to enforce automatic activation of the screen saver, although this also prevents changing the Desktop picture.
6. References 1. Mac OS X Maximum Security; Ray, John, and Ray, Dr. William C.; Sams Publishing; 2003 2. Mac OS X Panther Unleashed; Ray, John, and Ray, Dr. William C.; Sams Publishing; 2004 3. Inside Mac OS X, “System Overview,” Apple Computer, Inc., 2001-2002 4. Firewalls and Internet Security. William R. Cheswick and Steven M. Bellovin. Addison-Wesley, 1994. 5. “Apple Federal Smart Card Package Installation and Setup Guide;” Apple Computer, Inc.; 2003 6.