
Mac OS X Server Security Configuration For Version 10.5 Leopard Second Edition PDF

2009·5.4 MB·English


Mac OS X Server Security Configuration For Version 10.5 Leopard Second Edition

© 2009 Apple Inc. All rights reserved.

The owner or authorized user of a valid copy of Mac OS X software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services.

Every effort has been made to ensure that the information in this manual is accurate. Apple is not responsible for printing or clerical errors.

Apple
1 Infinite Loop
Cupertino, CA 95014
408-996-1010
www.apple.com

The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the "keyboard" Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.

Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Bonjour, Boot Camp, ColorSync, Exposé, FileVault, FireWire, iCal, iChat, iMac, iSight, iTunes, Keychain, Leopard, Mac, MacBook, Macintosh, Mac OS, QuickTime, Safari, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

Apple Remote Desktop, Finder, MacBook Air, QuickTime Broadcaster, Spotlight, and Time Machine are trademarks of Apple Inc.

MobileMe is a service mark of Apple Inc., registered in the U.S. and other countries.

Adobe and PostScript are trademarks of Adobe Systems Incorporated.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc. and any use of such marks by Apple is under license.

Intel, Intel Core, and Xeon are trademarks of Intel Corp. in the U.S. and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

PowerPC™ and the PowerPC logo™ are trademarks of International Business Machines Corporation, used under license therefrom.

UNIX is a registered trademark of The Open Group.

X Window System is a trademark of the Massachusetts Institute of Technology in the U.S. and other countries.

This product includes software developed by the University of California, Berkeley, FreeBSD, Inc., The NetBSD Foundation, Inc., and their respective contributors.

Other company and product names mentioned herein are trademarks of their respective companies. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the performance or use of these products.

019-1386/2009-10-01

Contents

Preface
18  About This Guide
18  Target Audience
18  What's New in Leopard Server
19  What's in This Guide
21  Using This Guide
22  Using Onscreen Help
22  Leopard Server Administration Guides
24  Viewing PDF Guides on Screen
24  Printing PDF Guides
24  Getting Documentation Updates
25  Getting Additional Information
25  Acknowledgments

Chapter 1
26  Introduction to Leopard Server Security Architecture
27  Security Architectural Overview
27  UNIX Infrastructure
27  Access Permissions
28  Security Framework
28  Layered Security Defense
29  Credential Management
29  Network Security
29  Public Key Infrastructure (PKI)
30  Authorization Versus Authentication
30  Security Features in Leopard Server
30  Mandatory Access Controls
31  Sandboxing
32  Managed Preferences
32  Quarantine Applications
32  Application-Based Firewall
33  Signed Applications
33  Smart Card Unlock of FileVault and Encrypted Storage
34  Sharing and Collaboration Services
34  Enhanced Encrypted Disk Image Cryptography
35  Enhanced VPN Compatibility and Integration
35  Improved Secure Connectivity

Chapter 2
36  Installing Leopard Server
36  System Installation Overview
37  Disabling the Firmware Password
37  Preparing an Administrator Computer
38  The Server Installation Disc
38  Setting Up Network Services
39  Connecting to the Directory During Installation
39  Installing Server Software on a Networked Computer
39  Starting Up for Installation
39  Before Starting Up
40  Remotely Accessing the Install DVD
41  Starting Up from the Install DVD
42  Starting Up from an Alternate Partition
46  Starting Up from a NetBoot Environment
47  Preparing Disks for Installing Leopard Server
54  Identifying Remote Servers When Installing Leopard Server
55  Installing Server Software Interactively
55  Installing Locally from the Installation Disc
57  Installing Remotely with Server Assistant
58  Installing Remotely with VNC
59  Installing Server Software from an Image
59  Using the installer Command-Line Tool to Install Server Software
62  Installing Multiple Servers
63  Upgrading a Computer from Leopard to Leopard Server
63  How to Keep Current
63  Using Interactive Server Setup
66  Setting Up a Local Server Interactively
67  Setting Up a Remote Server Interactively
68  Setting Up Multiple Remote Servers Interactively in a Batch
69  Updating System Software
70  Updating from an Internal Software Update Server
71  Updating from Internet-Based Software Update Servers
71  Updating Manually from Installer Packages
72  Verifying the Integrity of Software
72  Repairing Disk Permissions
73  Kinds of Permissions
73  POSIX Permissions Overview
73  ACL Permissions Overview
74  Using Disk Utility to Repair Disk Permissions

Chapter 3
75  Protecting System Hardware
75  Protecting Hardware
76  Preventing Wireless Eavesdropping
76  Understanding Wireless Security Challenges
77  OS Components
77  Removing Wi-Fi Hardware
78  Removing Bluetooth Support Software
79  Removing IR Support Software
80  Preventing Unauthorized Recording
80  Removing Audio Recording Support
81  Removing Video Recording Support Software
82  Preventing Data Port Access
82  Securing USB Hardware
83  Removing FireWire Support Software
84  System Hardware Modifications
84  Authorized AppleCare Certified Technicians

Chapter 4
86  Securing Global System Settings
86  Securing System Startup
87  PowerPC-Based Systems
87  Using the Firmware Password Utility
88  Configuring Open Firmware Settings
89  Using Command-Line Tools for Secure Startup
89  Intel-Based Systems
90  Configuring Access Warnings
90  Enabling Access Warnings for the Login Window
91  AuthPlugin Architecture
92  The BannerSample Project
93  Enabling Access Warnings for the Command Line

Chapter 5
94  Securing Local Server Accounts
94  Types of User Accounts
95  Guidelines for Securing Accounts
95  Defining User IDs
96  Securing the Guest Account
97  Securing Nonadministrator Accounts
97  Securing Administrator Accounts
98  Securing the Directory Domain Administrator Account
98  Securing the System Administrator Account
99  Restricting sudo Usage
100  Understanding Directory Domains
101  Understanding Network Services, Authentication, and Contacts
102  Configuring LDAPv3 Access
102  Configuring Active Directory Access
103  Using Strong Authentication
103  Using Password Assistant to Generate or Analyze Passwords
104  Using Kerberos
105  Using Smart Cards
105  Using Tokens
106  Using Biometrics
106  Setting Global Password Policies
107  Storing Credentials in Keychains
108  Using the Default User Keychain
108  Creating Additional Keychains
110  Securing Keychains and Their Items
111  Using Smart Cards as Keychains
111  Using Portable and Network Keychains

Chapter 6
112  Securing System Preferences
112  System Preferences Overview
114  Securing MobileMe Preferences
116  Securing Accounts Preferences
119  Securing Appearance Preferences
120  Securing Bluetooth Preferences
121  Securing CDs & DVDs Preferences
123  Securing Date & Time Preferences
125  Securing Desktop & Screen Saver Preferences
127  Securing Display Preferences
127  Securing Dock Preferences
128  Securing Energy Saver Preferences
130  Securing Exposé & Spaces Preferences
131  Securing International Preferences
132  Securing Keyboard & Mouse Preferences
132  Securing Network Preferences
133  Disabling Unused Hardware Devices
133  Disabling IPv6
135  Securing Print & Fax Preferences
137  Securing QuickTime Preferences
138  Securing Security Preferences
139  Securing Sharing Preferences
141  Securing Software Update Preferences
142  Securing Sound Preferences
143  Securing Speech Preferences
145  Securing Spotlight Preferences
147  Securing Startup Disk Preferences
149  Securing Time Machine Preferences
150  Securing Universal Access Preferences

Chapter 7
151  Securing Data and Using Encryption
151  Permissions
151  Setting POSIX Permissions
152  Viewing POSIX Permissions
153  Interpreting POSIX Permissions
154  Modifying POSIX Permissions
154  Setting File and Folder Flags
154  Viewing Flags
154  Modifying Flags
155  Setting ACL Permissions
156  Enabling ACL Permissions
156  Modifying ACL Permissions
157  Changing Global Umask for Stricter Default Permissions
158  Restricting Setuid Programs
161  Securing User Home Folders
162  Encrypting Home Folders
163  Overview of FileVault
164  Managing FileVault
164  Managing the FileVault Master Keychain
166  Encrypting Portable Files
166  Creating an Encrypted Disk Image
167  Creating an Encrypted Disk Image from Existing Data
168  Creating Encrypted PDFs
169  Securely Erasing Data
169  Configuring Finder to Always Securely Erase
170  Using Disk Utility to Securely Erase a Disk or Partition
170  Using Command-Line Tools to Securely Erase Files
171  Using Secure Empty Trash
171  Using Disk Utility to Securely Erase Free Space
172  Using Command-Line Tools to Securely Erase Free Space

Chapter 8
174  Securing System Swap and Hibernation Storage
174  System Swap File Overview
175  Encrypting System Swap

Chapter 9
176  Avoiding Simultaneous Local Account Access
176  Fast User Switching
176  Shared User Accounts

Chapter 10
177  Ensuring Data Integrity with Backups
177  The Time Machine Architecture
177  Deleting Permanently from Time Machine Backups
178  Storing Backups Inside Secure Storage
178  Restoring Backups from Secure Storage

Chapter 11
179  Securing Accounts and Share Points
179  Open Directory and Active Directory
180  Configuring Share Points
180  Disabling Share Points
181  Restricting Access to a Share Point
183  AFP Share Points
183  SMB Share Points
183  FTP Share Points
183  NFS Share Points
185  Controlling Network Views
185  Securing Accounts
185  Configuring User Accounts
187  Configuring Group Accounts
188  Configuring Computer Groups

Chapter 12
189  Managing Certificates
189  Understanding Public Key Infrastructure
190  Public and Private Keys
190  Certificates
191  CAs
191  Identities
191  Self-Signed Certificates
191  Obtaining Certificates
192  Using Certificate Manager
193  Requesting a Certificate from a CA
194  Creating a Self-Signed Certificate
194  Importing a Certificate
195  Managing Certificates
195  Editing a Certificate
195  Deleting a Certificate
196  Renewing an Expiring Certificate
196  Creating a CA
196  Creating a CA Using Certificate Assistant
198  Creating a CA from the Command Line
199  Create a Certificate for Someone Else
199  Storing the CA Private Key
199  Creating Folders and Files for SSL
200  Distributing a CA Public Certificate to Clients

Chapter 13
201  Setting General Protocols and Access to Services
201  Setting General Protocols
201  Configuring NTP
202  Disabling SNMP
202  Enabling SSH
203  Remote Management (ARD)
203  Restricting Access to Specific Users
204  Remote Apple Events (RAE)
204  Restricting Access to Specific Users
205  Setting the Server's Host Name
205  Setting the Date and Time
205  Setting Up Certificates
205  Setting Service Access Control Lists

Chapter 14
207  Securing Remote Access Services
207  Securing Remote Login (SSH)
208  Configuring Secure Shell
209  Modifying the SSH Configuration File
209  Generating Key Pairs for Key-Based SSH Connections
211  Updating SSH Key Fingerprints
212  Controlling Access to SSH
212  SSH Man-in-the-Middle Attacks
213  Transferring Files Using SFTP
213  Securing VPN Service
214  VPN and Security
215  Configuring L2TP/IPSec Settings
216  Configuring PPTP Settings
217  Authentication Method
218  Using VPN Service with Users in a Third-Party LDAP Domain
218  Offering SecurID Authentication with VPN Service
219  Encrypting Observe and Control Network Data
219  Encrypting Network Data During File Copy and Package Installations
220  Remote Apple Events (RAE)
220  Restricting Access to Specific Users

Chapter 15
221  Securing Network and Host Access Services
221  Using IPv6 Protocol
222  IPv6-Enabled Services
222  Securing DHCP Service
223  Disabling Unnecessary DHCP Services
223  Configuring DHCP Services
224  Assigning Static IP Addresses Using DHCP
225  Securing DNS Service
226  Understanding BIND
226  Turning Off Zone Transfers
227  Disabling Recursion
227  Understanding DNS Security
228  DNS Cache Poisoning
228  Server Mining
229  DNS Service Profiling
229  Denial of Service (DoS)
230  Service Piggybacking
230  ARP Spoofing
231  Securing Firewall Service
231  Planning Firewall Setup
232  Starting Firewall Service
232  Creating an IP Address Group
233  Creating Firewall Service Rules
234  Creating Advanced Firewall Rules
235  Enabling Stealth Mode
236  Viewing the Firewall Service Log
237  Securing NAT Service
238  Configuring NAT Service
239  Configuring Port Forwarding
240  Securing Bonjour Service

Chapter 16
242  Securing Collaboration Services
242  Securing iCal Service
243  Disabling iCal Services
243  Securely Configuring iCal Service
244  Viewing iCal Service Logs
245  Securing iChat Service
245  Disabling iChat Service
245  Securely Configuring iChat Service
249  Viewing iChat Service Logs
249  Securing Wiki Service
249  Disabling Web Service
250  Securely Configuring Wiki Services
250  Viewing Wiki Service Logs
250  Securing Podcast Producer Service
251  Disabling Podcast Producer Service
251  Securely Configuring Podcast Producer Service
252  Viewing Podcast Producer Service Logs

Chapter 17
253  Securing Mail Service
253  Disabling Mail Service
