Setup guide

UNCLASSIFIED
1. Introduction to Mac OS X Server Security
Mac OS X Server combines the GUI-based, user-friendly features of the Macintosh
operating system with the underlying foundation of a BSD Unix system. This
chapter provides an overview of features in Mac OS X Server that can be used to
enhance security in a networked environment.
Mac OS X Server 10.3.x has the same basic architecture as Mac OS X, but adds a
number of tools to facilitate administration of multiple machines, services, and
users. Mac OS X Server also includes additional network services. For an overview
of the security features common to both systems, see the NSA “Apple Mac OS X
v10.3.x Panther Security Configuration Guide.” For a more complete discussion of
features in Mac OS X Server, please see Apple’s “Getting Started with Mac OS X
Server 10.3.”
1.1 Centralized User Account Management
Mac OS X Server provides a way for administrators to centrally manage user
accounts and other user information. Accounts no longer have to be maintained on
individual clients, greatly simplifying account management. Storing user account
information on a physically secure server dedicated to that purpose also brings
security benefits.
Open Directory is the name of the directory service through which a server and its
clients handle this user account information. Its native store is the Open Directory
LDAP server, which provides LDAPv3 directories, but it can also authenticate users
through other methods, including protocols native to the Windows environment and
existing NetInfo directories. The Open Directory framework can additionally
communicate across platforms with Active Directory servers, BSD configuration
files, Sun Microsystems NIS files, and other LDAPv3 servers. Secure Sockets Layer
(SSL) support is available for LDAPv3 communications; without it, LDAP binds and
directory data cross the network in clear text, so SSL should be enabled whenever
directory traffic leaves a trusted network segment. Open Directory can also
enforce password policies, such as requiring a minimum password length and making
passwords expire periodically.
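The following script is an added illustration, not part of the NSA guide or of Apple's Open Directory, of the kind of policy check described above: each account record is compared against a minimum password length and a maximum password age, and accounts that fail are reported with the reason. The policy values, the `PasswordPolicy` and `AccountRecord` types, and the account records themselves are constructed for the example; a real audit would read the policy and the account data from the directory.

```python
"""Audit constructed account records against a password policy of the kind
Open Directory can enforce (minimum length, periodic expiry).
Added example; not code from the NSA guide or from Apple."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int      # minimum number of characters in a password
    max_age_days: int    # passwords older than this must be changed


@dataclass(frozen=True)
class AccountRecord:
    name: str
    password_length: int            # only the length is kept, never the password
    last_changed: Optional[date]    # None: no change recorded, treat as expired


def check_account(acct: AccountRecord, policy: PasswordPolicy,
                  today: date) -> List[str]:
    """Return the list of policy violations for one account (empty if compliant)."""
    problems: List[str] = []
    if acct.password_length < policy.min_length:
        problems.append(
            f"password shorter than {policy.min_length} characters")
    if acct.last_changed is None:
        # Edge case: an account with no recorded change date cannot be shown
        # to satisfy the age limit, so it is flagged rather than silently passed.
        problems.append("no password change date recorded; must change at next login")
    else:
        age = (today - acct.last_changed).days
        if age > policy.max_age_days:
            problems.append(
                f"password is {age} days old (limit {policy.max_age_days})")
    return problems


def audit(records: List[AccountRecord], policy: PasswordPolicy,
          today: date) -> Dict[str, List[str]]:
    """Map account name to its violations, listing only accounts that fail."""
    failures: Dict[str, List[str]] = {}
    for rec in records:
        problems = check_account(rec, policy, today)
        if problems:
            failures[rec.name] = problems
    return failures


# Constructed sample policy and records (hypothetical values, not from the guide)
POLICY = PasswordPolicy(min_length=8, max_age_days=90)
TODAY = date(2004, 6, 1)
RECORDS = [
    AccountRecord("alice", 12, date(2004, 5, 1)),    # compliant
    AccountRecord("bob", 6, date(2004, 5, 20)),      # too short
    AccountRecord("carol", 10, date(2004, 1, 15)),   # 138 days old, expired
    AccountRecord("dave", 9, None),                  # no change date recorded
]

if __name__ == "__main__":
    for name, problems in audit(RECORDS, POLICY, TODAY).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

The audit keeps only the password length, not the password itself, so the script can be run by an administrator without handling credentials; an account with no recorded change date is reported rather than treated as compliant, which is the safe default when the directory record is incomplete.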
Open Directory can be configured to perform user authentication using Kerberos v5.
This can be accomplished using a pre-existing Kerberos environment, or Mac OS X
Server can be used to establish a Key Distribution Center (KDC). Using Kerberos for
user authentication gives the user single sign-on capability when accessing services
that support Kerberos authentication. Because those services accept tickets issued
by the KDC, the user's password is never sent to them over the network.