Safe and sound: securing Mountain Lion

Neal Wise | April 18, 2013
Let’s have a look at what basic steps we’d recommend to secure a Mountain Lion installation. These are similar to what we’ve done in the past with Lion, Snow Leopard and so on, but subtle changes to System Preferences may have added, removed or relocated some of the security controls we previously considered.

Next, you'll be prompted with a recovery key to be used in the event that you forget your password. Save this somewhere sensible and print out a copy.

We're not fans of providing the recovery key to Apple, but we like making up silly (but memorable!) answers to the password reset questions you get if you do send it to Apple.

Once you reboot, FileVault is active and begins encrypting your storage volume in the background. Note you'll choose from the users you authorised before.

So, other than needing to provide a FileVault user's password at boot time, it pretty much runs in the background. FileVault does use the Mac's CPU to encrypt the data so you may notice some slower disk access when writing data. Users with SSDs will probably not notice FileVault in operation.

FIREWALL

The next option in Security & Privacy is the OS X native firewall. OS X Mountain Lion's firewall is off by default. So if you've never specifically turned it on you should probably do so now. Once enabled, the firewall permits you to specify some options by selecting 'Firewall Options'.

Building blocks: Mountain Lion's firewall can be tweaked to enable or disable access to your Mac's services from other systems on the network.

'Block all incoming connections' is pretty good at reducing your Mac to basic network communication only. Any services presented from your Mac, including file sharing and media shared from iTunes or iPhoto, will not be available to others on the network if 'Block all incoming connections' is enabled. You can still connect to remote websites, file sharing, etc. If you aren't sharing data from your Mac you should consider using this setting.

Keep in mind that enabling this firewall mode disables 'Automatically allow signed software to receive incoming connections' and enables 'Enable stealth mode'.

The second setting, 'Automatically allow signed software to receive incoming connections', is enabled by default. This setting trusts incoming connections to signed software that you're running on your Mac.

Apple signs its products - like iTunes - with a digital signature. This firewall setting would permit remote devices/systems to connect to iTunes library sharing on your Mac but wouldn't permit other, unsigned software to receive network connections.

The final setting, 'Enable stealth mode', stops your Mac from responding to ICMP echo request/reply packets (i.e., ICMP ping packets). This disables easy 'presence detection' of your Mac when it is connected to a network. Devices in the same local area network as your Mac will still be able to identify the existence of your Mac using ARP information (physical address to IP address details).
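An added example, not part of the original article: a shell check that reports the three firewall settings described above from Terminal instead of System Preferences. It assumes the Application Firewall keeps them in `/Library/Preferences/com.apple.alf` under the keys `globalstate`, `stealthenabled` and `allowsignedenabled`; the function name `classify_firewall` and the OK/WARN/FAIL policy are illustrative.

```shell
#!/bin/sh
# Added example: audit the firewall settings discussed in this section.
# Assumption: settings live in this plist; globalstate is 0 (off),
# 1 (on) or 2 (on with 'Block all incoming connections').
ALF_PLIST=/Library/Preferences/com.apple.alf

# classify_firewall GLOBALSTATE STEALTHENABLED ALLOWSIGNEDENABLED
# Prints one finding per line; returns 0 when nothing needs attention.
classify_firewall() {
    fw_state=$1; fw_stealth=$2; fw_signed=$3; fw_rc=0
    case "$fw_state" in
        0) echo "FAIL firewall is off (the Mountain Lion default)"
           return 1 ;;
        2) echo "OK   firewall on, 'Block all incoming connections' set"
           # Per the article, this mode turns auto-allow for signed
           # software off and stealth mode on, so stop here.
           return 0 ;;
        1) echo "OK   firewall on" ;;
        *) echo "FAIL unrecognised globalstate '$fw_state'"
           return 1 ;;
    esac
    if [ "$fw_signed" = "1" ]; then
        echo "INFO signed software may receive incoming connections"
    fi
    if [ "$fw_stealth" != "1" ]; then
        echo "WARN stealth mode off: Mac answers ICMP echo requests"
        fw_rc=1
    fi
    return $fw_rc
}

# Read the live values only where the macOS 'defaults' tool exists.
if command -v defaults >/dev/null 2>&1; then
    classify_firewall \
        "$(defaults read "$ALF_PLIST" globalstate 2>/dev/null)" \
        "$(defaults read "$ALF_PLIST" stealthenabled 2>/dev/null)" \
        "$(defaults read "$ALF_PLIST" allowsignedenabled 2>/dev/null)" \
        || echo "Review Security & Privacy > Firewall"
fi
```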
