15 easy fixes for Mac security risks

How safe is your Mac? Maybe not as safe as you think. Here are some quick ways to beef up its security.

1 2 3 4 5 6 7 8 9 Page 8
Page 8 of 9

Don't share anything you don't have to

Macs offer users a lot of ways to share information. The Sharing pane in Leopard's System Preferences offers 11 different choices (though one them, Xgrid computational cluster sharing, isn't likely to be used by the majority of people).

The list ranges from general file and printer sharing to remote log-in and control of your Mac using Leopard's screen sharing, Apple Remote Desktop, and secure shell (SSH) command-line access. Even personal Web site hosting (Internet sharing) and Bluetooth sharing are supported, as are Remote Apple Events, which allow applications on one Mac to trigger actions on another.

The simple advice here is "Don't enable any type of sharing you're not actively using." Every time you enable sharing of any service, it opens up an avenue for someone to remotely access and/or manipulate your Mac. This could mean accessing shared files or taking complete control of the computer. If you need to share something, then by all means do so -- but if not, keep everything as locked down as you can.

Another danger is the Back to My Mac service offered by Apple's MobileMe, which lets your MobileMe account automatically connect you to your Mac using file, printer or screen sharing over the Internet. This is a highly convenient feature, but not only does it rely on leaving sharing services running and open; it also relies on making those services accessible from the Internet at large. If your MobileMe account is compromised, then so is your entire Mac.

If you need to enable sharing, and chances are that you will at some point, do it in as restrictive a manner as possible. Virtually every sharing service offers at least minimal controls. In the case of DVD and CD sharing, you can opt to have your Mac ask you before allowing remote access. In the case of many services that are user-based, you can choose which users are allowed to access the service remotely.

Keep sharing locked down

Keep sharing locked down.

Click to view larger image.

Most importantly, in the case of file sharing, you can designate both which folders are shared and who has access to those folders. Even though the default setting is to allow all users access to the general Shared folder and to allow everyone access to the Public folder inside each user's home folder, you can add and remove specific folders from the list of those being shared. Share only what is needed, and limit access to as few users as possible.

Also, keep in mind that anyone connecting to a remote Mac using an administrative account will be able to mount not just the explicitly shared folders, but any connected hard drive. This is another reason to disable file sharing if it isn't needed and to be sure you use good password policies for admin users. (It's also a good reason to create administrative accounts with names other than "admin" or "administrator.")

On a final note about file sharing, Mac OS X supports file sharing with three different protocols: AFP (the native file-sharing protocol for Macs), SMB (the native protocol for Windows) and FTP. You can select which ones to enable using the Options button in the Sharing pane in System Preferences.

SMB must be enabled for individual users because it stores passwords in less secure form on your Mac (though it still encrypts their transmission over the network). FTP should be avoided because it offers no encryption whatsoever. Again, limit the protocols to those you need, and leave the others disabled.

1 2 3 4 5 6 7 8 9 Page 8
Page 8 of 9
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon