Mac (insecurity): How to secure Macs in business

As Macs make their way into the enterprise, IT needs to address these six security flaws before disaster strikes

Security flaw No. 3: Everybody's an administrator (or not)

Apple has a binary attitude when it comes to modifying system settings, gaining access at the command line to its Unix underpinnings, and installing software: You're either an administrator -- or you're not.

For home users and small businesses, the distinction is probably enough. An unprivileged or normal user can be restricted via parental controls and typically can't create user accounts, enable file-sharing services, or install certain kinds of software. For that, an administrative-flagged account is needed.

But with administrator privilege set, a user can turn on features through switches in System Preferences, such as enabling Samba -- "the Mac version is typically three to six months out of date," Mogull says -- or using the Terminal application to activate any of the thousands of Unix daemons and servers that ship as part of a stock Mac OS X system.

"It's hard to enable those things on Windows," says Thomas Ptacek, a principal consultant at security firm Matasano Chargen, noting that even when such settings are available in Windows, the settings are typically obscure or complicated enough to deter average users. By contrast, a single click might be enough in Mac OS X.

Solution: Limit administrative accounts to users that require them.

Security flaw No. 4: Naive use of Back to My Mac

Mac OS X includes one special service that sounds alarming at first glance -- and can be a real security hole in unmanaged environments. Back to My Mac, a remote access system built into Mac OS X 10.5, requires both a MobileMe account (formerly .Mac) from Apple and administrator privileges. Back to My Mac operates like the GoToMyPC familiar to Windows administrators, although it's less insistent about working around intentional blockades.

While Apple uses IPv6 tunnels, IPsec encryption, and Kerberos tickets to secure connections, starting up such a connection from anywhere on the Internet requires just the password to someone's MobileMe account. With that password, all computers with Back to My Mac enabled can have their files examined or screens remotely controlled.

In a managed enterprise, security experts don't believe that Back to My Mac creates any real risk, despite its feature set. "No enterprise is going to allow something like Back to My Mac unless it's running through a VPN tunnel," Mogull says, at which point it would conform to the enterprise's policy. If users are running Back to My Mac on their own, "it would mean that [IT] royally screwed up" the firewall, he adds.

Matasano Chargen's Ptacek says that Back to My Mac will eventually fall under the category of services that businesses ban their employees from using in the office. "Enterprise users are not allowed to use Gmail or Yahoo Mail," he notes, and Back to My Mac should be treated the same.

Solution: Confirm that Back to My Mac won't work in your environment. Establish a policy that bans its use.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Glenn Fleishman

InfoWorld
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?