When you get a new computer, setting it up is rarely a breeze, but if you're privacy focused, things get even more complex. Mac security settings can be especially challenging to configure, as all kinds of activities are kept hidden behind the scenes. If you're setting up a new machine or upgrading to the latest version of OS X, it's never a bad idea to check your privacy settings.
There are many ways you can lose data, and each is a reason to regularly back up your files. Furthermore, downloading files and exchanging files with others is fraught with risks, and the number of threats targeting Macs continues to rise. Whether or not you use a personal computer or a public computer, there are plenty of actions you can take to improve your security and privacy. Here are 15 Mac-hardening security tips to lock down your Mac and your data.
Lock Down Access to Your Mac
1. Create a standard account (non-admin) for everyday activities
When setting up a new Mac, the OS X setup assistant asks you for your name, a user name and a password, and uses this information to set up your first user account. Since there has to be at least one user with administrative privileges on your Mac, that first account is an administrator account. While this is useful — you can install software, and perform other actions, after entering your password — it can also be risky.
An administrator may make mistakes, and they can change or delete any file. They can also install any software, which may be a risk, if the software is malicious. Standard users, however, have limited access rights on a Mac. They can use, change, and create files in their home folder, access folders on shared volumes if the permissions allow it, change settings to non-secure preferences in System Preferences, and install some software (if it doesn't need install items in the System or Library folders). While standard accounts are more limited, it can be useful to use for daily work, just to be safe.
Log into that second account, and use it for your everyday activities, and to store your personal files. Whenever an administrator's password is required, type the admin user name, and the appropriate password. While this will lead to more password requests than if you were working under an admin account, each of these requests should raise a red flag and make you think whether you should be entering your password.
While using a standard account is not full blown protection from malware, it does protect from some types of malware, and can provide a warning that something is going on. It can also prevent you from blundering by deleting files that you didn't mean to erase. So using two accounts is a tiny bit of hassle that is worth trying out to save you from potential disasters.
2. Disable automatic login
When you first set up a new Mac, or when you do a clean installation of a new version of OS X, you create a user account, and that account is set, by default, to log in automatically at startup. This isn't a problem when you're at home, but if you use a laptop and travel, this is a serious risk. This automatic login means that anyone who finds your Mac only need to start it up to have access to your files.
You can change this, and tell OS X to display a login screen on boot. To do this, go to the Users & Groups pane of System Preferences, and click on Login Options; you'll see a menu that lets you choose which user logs in automatically at startup, or you can choose Off from this menu to turn off automatic login. Another way to change this is in the Security & Privacy preferences. In System Preferences, click on the General tab, and you'll see an option to Disable Automatic Login.
3. Uninstall the standalone Flash Player
Lately, many security folks have been calling for the death of Flash Player — and for good reasons. Adobe Flash is riddled with vulnerabilities, and requires constant software updates to patch new flaws. If you don't need to use Flash Player, you should uninstall it. There are two ways you can do this: use the Adobe Flash Uninstaller, or remove it manually. To do this manually, follow these instructions from Adobe's uninstall guide.
4. Use a password manager to help cope with phishing attacks
We routinely recommend that all Mac users create secure passwords; it's important to create complex, unique passwords so they're more difficult to crack. Unfortunately, the more complicated your passwords, the easier they are to forget. There's a lot to love about password managers, including not having to remember so many unique passwords. Take a look at our list of 8 password manager options for Mac and iOS, and see which one works best for you.
5. Run a two-way firewall (outbound/inbound protection)
Apple's built-in firewall offers inbound network protection. But did you know inbound firewalls only protect against certain kinds of attacks? With the increasing frequency of new malware and targeted attacks, the best defense is implementing multiple layers of protection. If there is unknown malware on your machine, you want to be able to prevent it from connecting to the Internet — only firewall with outbound protection offer this security. Outbound firewall protection is arguably the most important component of two-way firewall software, at least from an anti-malware perspective. Outbound firewalls are remarkably good at alerting you about a piece of software that you know full well you downloaded, but didn't think would be connecting to the Internet. Two-way firewall like Intego NetBarrier offer real protection, because they combat inbound threats and can prevent malicious programs on your machine from calling out to the Internet; in turn, this provides locks down access to your machine while preventing data from leaking out.
Check Your OS X Settings
1. Enable full disk encryption
A sound security strategy is to encrypt important data files and folders for an additional layer of protection. This way, if your Mac is stolen, they thieves won't get access to your private data. Apple's FileVault full disk encryption has been around for some time and it's a great idea to turn this on. FileVault encrypts your entire hard drive using XTS-AES 128, a secure encryption algorithm. The reason why you should enable this feature on your Macs and MacBooks is if your hard drive isn't fully encrypted, anyone who manages to steal your computer can access any data on it. With FileVault enabled, as soon as your Mac is shut down, its entire drive is encrypted and locked up. Only when an authorized user turns the Mac on and logs in are the drive's contents unlocked. (Yet another reason why it's a good idea not to have an obvious password.) To enable FileVault, first make sure you have logged into OS X with an administrator's account, and go to System Preferences > Security & Privacy > FileVault. Once there, press Turn on FileVault.
2. Disable Spotlight Suggestions
OS X Yosemite has a revamped version of Spotlight, which can serve up suggestions from the Internet. However, if you aren't careful to change its default settings, OS X Yosemite's Spotlight can leak your private information back to Apple. And that information may not just be shared with Apple itself, but also third party providers such as Microsoft's Bing search engine. For these reasons, you may choose not to use Spotlight web search and, fortunately, if you don't like the feature — you can turn it off.
Open System Preferences and choose Spotlight. Now deselect Spotlight Suggestions, Bing web searches and anything else that doesn't suit you. Now, before you relax and pat yourself on the back, you're not quite done. You have stopped Spotlight from sharing your search queries, but you haven't stopped OS X's default browser from doing the same trick. To stop Safari sharing the same information, go to Safari > Preferences > Search, and then disable "Include Spotlight Suggestions."
What if you're an iPhone or iPad owner? Disabling this feature is a similar process. Simply go to Settings > General > Spotlight Search, and then disable Spotlight Suggestions, Bing Web Results, or anything else that you don't want or need.
3. Audit your Security & Privacy settings
How comfortable are you with sharing your physical location with different apps? Do you even know which apps are receiving details of where you are? A quick visit into OS X Yosemite's System Preferences can reveal all. To update these settings, you need to click on Security & Privacy and choose the Privacy tab. Once there, you can choose Location Services and view whether they are enabled and, if so, which apps can access your location. To make changes to these settings, you may need to unlock the padlock by entering an administrator password.
4. Check for software updates often
Regardless of whether or not you believe malware is a problem on Macs, it's not the only threat you should be concerned about. As we've explained before on The Mac Security Blog, there are multiple ways in which malicious attackers can target your Mac, and this raises the importance of employing a layered approach to security. For these reasons, it's important to keep your software up-to-date to thwart new security threats.
Mac OS X has a built-in software update tool, called — you guess it — Software Update. You can access this by clicking on the Apple menu in the menu bar. When you launch this program, it will check Apple's servers to see if any Apple software updates are available. It's a good idea to to run "Software Update" and patch your Mac promptly when security updates are available.
5. Don't leave your computer unlocked and unattended, there's a good chance it won't be there when you get back
Lock your computer when unattended to keep prying eyes from snagging your information when you are not looking. A valuable trick I learned is to set up screen saver hot corners, so whenever I step away from my Mac I can quickly lock it before I go. To do this, go to System Preferences > Desktop & Screen Saver, and choose "Hot Corners..." You can select one, two, or multiple corners that — when you hover your mouse over — it will start the screen saver, requiring your password to unlock the system.
Protect Your Mac and Your Data
1. Install a Tracker App as insurance in case your Mac or mobile device is stolen
It's a good form of device and data insurance to find and install a Tracker app to help you locate your Mac or smartphone should it ever go missing. We listed a number of Apple device tracker apps on our blog, but there a bunch of additional options you can also try. Some these apps even add functionality, so that their program is useful in instances outside of losing your gadget. Take a look and give one a try!
2. Install Mac antivirus software
Most universities recommend that their students install antivirus software, in part because of the vast number of people using their computer labs, swapping data files, and a wide range of other online activities students take part in. Downloading files and exchanging files with others is fraught with risks. Wherever there are a large number of computer users concentrated in a small area — such as in a university or large company — who feel safe exchanging files with each other, security is only as strong as the weakest link.
3. Use VPN software
If you absolutely must go shopping online and only have access to public Wi-Fi, such an at an airport, a coffee shop, or some other location on a free, public Wi-Fi network, consider using VPN software. Virtual Private Networks (VPN) encrypt all data from your computer or mobile device, protecting your Mac from people sniffing the network, attempting to grab data to look for user names, passwords, credit card numbers, and more.
4. Avoid illegal file sharing
Installing pirated software, know by the rather nerdy name of warez, is not only illegal, but it also puts personal information at risk. Warez are a popular way for malware authors to spread their wares, as many people still believe they can get something for free without realizing the potential consequences. Most people don't realize that one way to reveal the contents of a computer to others is by downloading pirated software from peer-to-peer sites. By using peer-to-peer sites, you are inadvertently exposing your information to everyone else who uses the site. Worse, you can accidentally infect your friend's computers with malware if you live in the same household (using the same network) by installing pirated software. You can maintain a level of privacy by avoiding peer-to-peer sites.
5. Establish a backup solution
By starting your Time Machine backups, you can have a very basic snapshot of your Mac to return to in case disaster strikes. The best backup is one that you have in multiple locations. Syncing can be a part of a good backup strategy, as can using Time Machine to restore your operating system to an earlier state. But it's also important to be sure you have another copy of important data (or a close of your whole system) on an external hard drive where you can store your important files. Intego Personal Backup schedules automatic backups for quick and easy recovery from unfortunate incidents life theft, data corruption, or natural disasters. You can synchronize files between two Macs, so that each machine has the latest, most updated files, as well as create a bootable backup in case you're having system problems and can't access your files.
These are all good security rules to adhere to, ensuring you don’t fall victim to the next big threat. There are no "perfect remedies" to protect your Mac and your privacy, but with these tips you will make it much more difficult for attackers to access your machine. Take heed and your Mac should be both secure and keep your information private.