In the wake of Apple’s recent and embarrassing blunder with the macOS High Sierra root login flaw, I felt it was a good time to revisit the Apple Mac hardening guidelines that can help users and IT admins better secure Apple’s desktop OS, both macOS and the older OS X releases.
As you are probably aware by now, macOS High Sierra (10.13 and 10.13.1) shipped with an embarrassing critical flaw: anyone with physical access to the login window could take over a Mac by logging in as root with a blank password. After the discovery, Apple published a workaround instructing users to set a password on the root account, and shortly afterwards released Security Update 2017-001 to patch the bug; the fix is also included in macOS 10.13.2.
As bad as this bug was (and it was bad), users who had followed NIST’s guidelines for hardening their Mac systems, the physical access controls in particular, could have reduced their exposure to it.
In December 2016, the National Institute of Standards and Technology (NIST) released its hardening guideline for securing Apple’s OS X, and its recommendations still apply to newer versions of macOS. The guidance includes best practices and a checklist that users and IT administrators can use to secure Mac systems and reduce their attack surface.
As most security and IT pros know, the more services and components that are running or exposed, the higher the probability that one of them is misconfigured and exposed to attackers. Why make it easier for them? Hardening, commonly referred to as establishing a “baseline,” is the process of configuring an operating system or technology platform securely to minimize its attack surface.
The baseline should include security settings that are applied to each new system before it is added to the network. For example, a configuration baseline can include disabling insecure protocols (such as Telnet), configuring a time sync service, resetting default account passwords (such as root), setting security log configurations, enforcing password requirements, and much more.
The NIST guideline, “SP 800-179 Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist,” covers several areas that apply to OS X and macOS, and much of it is useful for other operating systems as well.
I’ve summarized six security areas of the document for ease of reading: cyber threats to endpoints, patching, backups, security configurations, handy configuration tools, and useful resources for Mac security.
1) Cyber threats to endpoints
If you read our previous article “Cyber Threats to Endpoints,” you already know there are many types of cyber threats that can compromise endpoints. They fall primarily into two categories, local and remote, and they are the reason it is important to harden your OS X and macOS (and other) systems.
Local threats: you want to prevent an attacker or unauthorized person from, for example, booting your system from removable media, bypassing your access controls and reading sensitive data stored on your laptop’s drive.
Mitigating controls include setting a password on the system’s firmware, known on Macs as the Extensible Firmware Interface (EFI) firmware password. Only authorized administrators should be able to change hardware configuration in the firmware, such as allowing boot from external media or changing boot parameters. Note that a firmware password protects the boot path, not the data: a drive that is removed from the machine can still be read unless it is encrypted (see FileVault below). Also ensure the screen saver is enabled and locks the screen after no more than 15 minutes of inactivity.
Don’t forget that devices also need to be physically secured, whether under lock and key or kept close to you and never out of your sight.
Remote threats: these include the exploitation of network services, such as weak remote access protocols or insecure services that allow access without any authentication. The result is often data disclosure, for example when a third party intercepts data or credentials on the network.
Malicious payloads are another common threat and come in many forms, such as “drive-by” attacks, where users browse to a malicious or compromised website and are infected by malware it hosts.
Phishing messages also often carry malicious attachments or links that redirect users to nefarious sites. Make sure your users are not logging into company systems with administrator rights; give those only to the system administrators who need them to manage your fleet.
2) Patching
I won’t spend too much time on patching in general, since you already know how important it is to keep your system and applications up to date. Most of the malware and threats described in the previous section are designed to exploit vulnerabilities for which patches already exist.
As described in a SecurityWeek news article, Office vulnerabilities more than a year old have been the most common ones used in recent cyber attacks. Unfortunately, this is a common story. Organizations need to stay vigilant about patching, because attackers know that people are lazy and the law of averages says there will be plenty of low-hanging fruit to take advantage of.
3) Backups
NIST also recommends that organizations pay close attention to their backup strategy. To ensure the availability of your systems and data, make sure your systems are backed up to a secured and approved location. Backups should be protected with a strong password and encrypted. Be mindful of unauthorized backup services (such as some consumer cloud services); restricting them should be part of your hardening baseline and documented in company policies and procedures.
4) Security Configurations
NIST provides an overview of security configuration best practices in the areas of hardware components, file system security, user accounts and groups, auditing, software restrictions, network services and application security.
I’ve summarized a number of the best practices from section six for ease of reading here (a few of which could have helped mitigate the risk of the recent macOS flaw):
- Reduce hardware interfaces
- Use EFI passwords (but restrict physical access)
- Use FileVault 2 (whole-disk encryption) to protect sensitive data at rest
- Properly sanitize storage media before disposal (e.g., use “secure erase”)
- Only use admin accounts for admin activities
- Keep the root account disabled and give each of your admins a separate admin account instead
- Periodically review user accounts (and disable after 90 days of inactivity or upon user leaving company)
- Configure login screen to hide account names
- Keep “auto login” option disabled
- Enforce strong passwords (and reset default passwords)
- Use a password-protected screen saver (active after 20 minutes of inactivity)
- Configure login banner to use your company’s policies
- Configure and monitor logs for unauthorized activity
- Configure firewalls and block undesired traffic
- Sync system clocks with accurate and approved time source
- Disable unneeded services (such as Bluetooth and Bonjour)
- Disable the auto-launch feature for CDs/DVDs
- Restrict changes to system-wide settings to your admins (not normal users)
More specifics on the above settings are provided in the supporting NIST appendices and the benchmarks noted below.
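As an added example (not from the NIST document or this article), the following POSIX shell script turns the patching and configuration items above into an audit you can run on a Mac, with an `--apply` mode that sets the system-wide baseline. The pass/fail logic is kept separate from the macOS commands so it can be read and tested on any host; the commands only run on Darwin and most need sudo. The 20-minute idle limit, the banner text, the check names and the exact output strings matched for the Apple tools are assumptions.

```shell
#!/bin/sh
# Added example, not part of NIST SP 800-179: audit and apply the baseline items
# listed above. evaluate_check holds the pass/fail logic and runs anywhere;
# observe/harden wrap the macOS tools and only run on Darwin (most need sudo).
# Assumptions: 20-minute idle limit from the list above, a sample banner text,
# and the output strings of the Apple tools as they were at the time of writing.

LW=/Library/Preferences/com.apple.loginwindow
CHECKS="firmware_password filevault screensaver_idle screensaver_askpw autologin_user
hide_usernames guest_account login_banner firewall network_time remote_login
bluetooth_power auto_update_check"

# evaluate_check NAME VALUE: 0 if VALUE meets the baseline, 1 if not, 2 if NAME is unknown.
# A missing key (empty VALUE) fails, so every item has to be set explicitly.
evaluate_check() {
    name=$1; value=$2
    case "$name" in
        firmware_password) [ "$value" = "Password Enabled: Yes" ] ;;
        filevault)         [ "$value" = "FileVault is On." ] ;;
        screensaver_idle)                        # seconds; 0 means never
            case "$value" in
                ''|*[!0-9]*) false ;;
                *) [ "$value" -gt 0 ] && [ "$value" -le 1200 ] ;;
            esac ;;
        screensaver_askpw|hide_usernames|auto_update_check) [ "$value" = 1 ] ;;
        guest_account|bluetooth_power)                      [ "$value" = 0 ] ;;
        autologin_user)    [ -z "$value" ] ;;     # key absent = auto login off
        login_banner)      [ -n "$value" ] ;;
        firewall)          case "$value" in
                               *"(State = 1)"*|*"(State = 2)"*) true ;;
                               *) false ;;
                           esac ;;
        network_time)      [ "$value" = "Network Time: On" ] ;;
        remote_login)      [ "$value" = "Remote Login: Off" ] ;;
        *)                 return 2 ;;
    esac
}

read_default() { defaults read "$1" "$2" 2>/dev/null || true; }   # empty when the key is absent

# observe NAME: print the current value exactly as the macOS tools report it.
observe() {
    case "$1" in
        firmware_password) sudo firmwarepasswd -check ;;
        filevault)         fdesetup status | head -n 1 ;;
        screensaver_idle)  defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0 ;;
        screensaver_askpw) read_default com.apple.screensaver askForPassword ;;
        autologin_user)    read_default $LW autoLoginUser ;;
        hide_usernames)    read_default $LW SHOWFULLNAME ;;
        guest_account)     read_default $LW GuestEnabled ;;
        login_banner)      read_default $LW LoginwindowText ;;
        firewall)          sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate ;;
        network_time)      sudo systemsetup -getusingnetworktime ;;
        remote_login)      sudo systemsetup -getremotelogin ;;
        bluetooth_power)   read_default /Library/Preferences/com.apple.Bluetooth ControllerPowerState ;;
        auto_update_check) read_default /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled ;;
    esac
}

# run_audit: one PASS/FAIL line per check; the return value is the number of failures.
run_audit() {
    failures=0
    for c in $CHECKS; do
        v=$(observe "$c")
        if evaluate_check "$c" "$v"; then
            echo "PASS $c"
        else
            echo "FAIL $c (got '$v')"; failures=$((failures + 1))
        fi
    done
    return $failures
}

# harden: apply the system-wide items (run with sudo). Screen saver keys are
# per user and must be set as each user or pushed by a configuration profile.
harden() {
    defaults delete $LW autoLoginUser 2>/dev/null; rm -f /etc/kcpassword   # stored auto-login credential
    defaults write $LW SHOWFULLNAME -bool true                  # name + password fields, no user list
    defaults write $LW GuestEnabled -bool false
    defaults write $LW LoginwindowText "Authorized use only. Activity may be monitored."  # assumed text
    /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
    /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
    systemsetup -setusingnetworktime on
    systemsetup -setnetworktimeserver time.apple.com
    systemsetup -f -setremotelogin off                          # SSH off unless it is needed
    defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -int 0
    defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
    defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true
    defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true
    # Per user:    defaults -currentHost write com.apple.screensaver idleTime -int 1200
    #              defaults write com.apple.screensaver askForPassword -int 1
    #              defaults write com.apple.screensaver askForPasswordDelay -int 0
    # Interactive: firmwarepasswd -setpasswd ; fdesetup enable ; dsenableroot -d
}

if [ "$(uname -s)" = Darwin ]; then
    case "${1:-}" in --apply) harden ;; *) run_audit ;; esac
fi
```

Run `sh baseline.sh` as the logged-in user for the audit (its exit status is the number of failing checks, which makes it easy to wire into a build or compliance job), or `sudo sh baseline.sh --apply` to set the system-wide items. The firmware password, FileVault and root-account items prompt for input, so they are left to the operator, and the screen saver keys live in each user’s preferences rather than in /Library, which is why they are listed rather than applied from the root context.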
5) Handy configuration tools
NIST also provides a nice summary of handy tools for configuring, managing and monitoring the security of OS X and macOS. Examples include command line tools most UNIX administrators already know: “chgrp” (change the group ownership of files or directories), “chmod” (change file permission bits such as read, write and execute on files or directories) and “chown” (change the owner, and optionally the group, of files or directories).
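As an added example that is not from the NIST document, here is how those tools are used together in practice: a POSIX shell function that locks down a directory of sensitive material (owner read/write, admin group read-only, nothing for others), followed by a `find`-based check for world-writable paths, which is the misconfiguration these tools are usually reached for to fix. The directory layout is constructed for the demo, and it uses the caller’s own primary group so it runs unprivileged; changing the owner with `chown` follows the same pattern but needs root.

```shell
#!/bin/sh
# Added example, not from NIST SP 800-179: least-privilege file permissions with
# chgrp/chmod and a world-writable audit with find. Works on both BSD/macOS and
# GNU userland (ls -ld is used instead of stat, whose flags differ between them).

# lock_down DIR GROUP: hand the tree to GROUP, then owner rwx / group rx / others
# nothing on directories and owner rw / group r / no execute on files.
lock_down() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 0750 {} +   # x is needed to traverse a directory
    find "$dir" -type f -exec chmod 0640 {} +   # drop any execute and write-for-others bits
    # chown -R root:"$group" "$dir"             # same idea for the owner; requires root
}

# find_world_writable DIR: print every path under DIR writable by "other".
# Symlinks are skipped: their own mode bits are meaningless, the target's count.
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# count_world_writable DIR: number of offending paths (0 means clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# mode_of PATH: symbolic mode string, e.g. drwxr-x--- or -rw-r-----.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo: build a throwaway tree with bad permissions (constructed input),
# audit it, lock it down, and audit again. Returns 0 only if the fix worked.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/keys"
    printf 'PRIVATE KEY MATERIAL\n' > "$tmp/keys/id_rsa"
    chmod 0666 "$tmp/keys/id_rsa"     # world-writable key file
    chmod 0777 "$tmp/keys"            # world-writable directory: anyone can swap the key
    before=$(count_world_writable "$tmp")
    lock_down "$tmp" "$(id -gn)"      # caller's primary group, so no root needed here
    after=$(count_world_writable "$tmp")
    echo "world-writable paths before=$before after=$after key=$(mode_of "$tmp/keys/id_rsa")"
    rm -rf "$tmp"
    [ "$before" -eq 2 ] && [ "$after" -eq 0 ]
}

demo
```

Run it on a real tree with `lock_down /path/to/secrets admin` and `find_world_writable /Library/LaunchDaemons` (or any directory whose contents run with privilege); a non-empty result from the second command is a finding worth acting on, because a world-writable file in a privileged location lets any local user change what runs as root.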
6) Useful security resources
Additional useful resources include the Center for Internet Security (CIS) benchmarks, which CIS describes as “vendor-agnostic, consensus-based best practices to help organizations assess and improve their security.” CIS also offers automated configuration and assessment tools to help apply hardening baselines to your Mac systems.
NIST also recommends the DISA STIGs; handy links to them are available on the Securezoo Standards web page.
Finally, NIST’s SP 800-179 OS X 10.10 security project files, including the publication, checklist and script guidance, can be found on GitHub.
We hope these six takeaways help you better secure your macOS systems, minimize the impact of vendor flaws (like the High Sierra root login debacle) and make it harder for attackers to take advantage of them.
Update: this article has been updated from its original publication on December 28, 2016 to reflect recent events related to macOS security.