15-Step Setup Checklist for Mac OS X Notebooks

Here at Urban Insight we offer developers the choice of Windows, Mac or Linux as their primary development environment. Increasingly, team members are choosing Mac notebooks. Securing a Mac notebook is a trade-off between ensuring good security, and enabling the functionality required by developers. Here's our 15-step checklist for setting up Mac OS X notebooks.

It's worth noting that the primary users of these machines are typically power users, who require administrative access to their own machines to install and manage a range of software applications. Of course, individual users will have different needs, but our goal in creating our own customized 15-Step Setup Checklist for Mac OS X notebooks -- which can typically be completed on a new machine in about 2 hours -- is to improve the default security and recoverability of a Mac Notebook used by a developer.

1. Update Mac OS X

• Install the most current version of the MacOS by running Software Update. (Apple > Software Update)
• Verify system Software Update is set to check and download updates weekly. (System Preferences > Software Update)

2. Setup an Admin Account

We setup an standard administrative user account and with administrative rights on the machine, in addition to the developer's account. This ensures that a company system administrator will always be able to access the machine for system administration. The admin account password is complex and unique for each machine, but follows a standard methodology so that a system administrator can create the customized admin password based on known information about the machine.

3. Setup User Account with a Strong Password

When creating the user's account, select a strong password that is at least eight characters and includes a combination of upper and lower case characters, numbers and special characters, such as the +, * and & characters. If it's possible to do so, assign the user the least permissions possible. For example, if the user doesn't require an administrative account, use the "standard" user setting.

4. Disable Automatic Login

This setting requires a user to login to gain access to the system. (System Preferences > Accounts > Login Options)

5. Require Password After Inactivity

This setting helps to ensure a machine will default to a secure state if a developer leaves a machine logged in. We set the machine to require a password after 15 minutes of inactivity (System Preferences > Security > General). If the user has a screen saver configured, we configure the machine to require a password 5 seconds after sleep or screen saver begins.

6. Enable Firewall

Mac OS X includes firewall software that can be used to block unwanted network connections to your computer when you are using your computer in a public location, such as a coffee shop. Verify that the Mac OSX firewall is enabled. (System Preferences > Security > Firewall)

7. Set A Firmware Password

The firware password helps to prevent starting or accessing the machine from an external disk without a password. We set all machines to use a common password for ease of administration. Instructions on setting this are provided by Apple.

8. Optional: Configure root

"root" is a special user in Unix operating systems that has complete access to all areas of the filesystem. By default, the root account is disabled in the OS X client. This is an appropriate setting: An attacker cannot guess the root password, since none exists. Mac OS X provides the sudo command to perform tasks that must be completed by root. We recommend leaving the root account disabled. However, if the root account must be enabled (usually to configure the system), we recommend disabling the account after performing the required task. Instructions on enabling and disabling the root account are provided by Apple.

9. Setup Time Machine

We setup each machine with a 2TB external drive in the office as a Time Machine backup. This ensure that we have regular backups, and empowers the developer to easily recover local working files, or recover from a failed hard drive. (System Preferences > Time Machine)

10. Setup Cloud Backup

As a secondary backup option, we use Mozy -- an online (cloud-based) backup service that enables machines to perform backups at a scheduled time over the Internet. Since team members may work remotely at times, using a cloud backup option enables us to be sure that developers are backed up at all times. We use a combination of MozyPro and Mozy Home services, depending on the needs of the user, and the machine being backed up. We use Mozy to just backup the user's home directory, and not the whole machine.

11. Install Lojack for Laptops

Computrace LoJack for Laptops is a software-based theft recovery and data security service. If a machine is stolen or lost, we can signal the machine to remotely delete any company data from the machine. LoJack claims that in the event of a theft, their service can locate, and recover stolen computers. While that would be a nice benefit, our primary goal using this software is simply to be able to delete working files from a missing notebook.

12. Set A Browser Master Password

Most modern browsers enable you to use a master password to secure the saved passwords you save in your web browser. This way, even if a malicious user gets access to your machine, it will be that much harder for the user to easily access all your saved passwords. (Firefox > Preferences > Privacy > Use a master password).

13. Configure DropBox

DropBox is online file synchronization service that uses cloud storage to enable users to store and share files and folders between each other and among multiple computers. For developers, who may work with multiple systems, both at work and at home, DropBox can be a convenient way to easily and securely share files among multiple computers that may not be on the same network and mobile devices, such as the iPhone or Android phones. Conveniently DropBox is available for Windows, MacOS and Linux. When used with a TrueCrypt encrypted partition (below), it's also a good way to transfer sensitive files between computers -- much better than entrusting them to a USB device that can be easily misplaced.

14. Create a TrueCrypt Encrypted Partition

Our company security policy requires that any confidential files be stored on our local internal office network. However, for any working files that may contain sensitive information, these files can be stored in an encrypted state. We use TrueCrypt, a free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. TrueCrypt creates a virtual encrypted disk within a file and mounts it as a real disk. We use TrueCrypt to create an encrypted 100MB - 2GB file on each user's machine that can be used to store sensitive files. We find that TrueCrypt is suitable for small encrypted volumes, but may not be efficient for large volumes. If you synchronize your encrypted volume between multiple machines, know that Dropbox is going to re-transfer the whole volume even if the actual change inside the volume is minor. Keeping the encrypted file smaller in size ensures that it can also easily be backed up by Mozy Backup and Time Machine when the contents of the file changes. If your users carry USB drives, TrueCrypt is an excellent solution for securing these devices also.

15. Optional: Install an Antivirus Client

This is a controversial recommendation. Many long-time Mac users argue that antivirus software is not necessary due to the lack of viruses distributed on the Mac. Until recently, this argument was bolstered by the lack of a reasonable antivirus client that didn't slow down Mac OSX. However, with the release of the beta version of NOD32 for Mac, we're trying out this antivirus software on a few machines. We already use NOD32 on our Windows machines.

Need More?

If you really need to secure your notebook, you'll want to do much more than these 16 steps. Here are some great additional resources if you need to go all-out:

• SANS Institute Mac OS X Security Checklist
• Apple Mac OS X Security Configuration Guides