NSA Offers Tips for Hardening Macs – But There’s a Catch

A document of tips written by the NSA for making Macs more secure is floating around, and it is being met with equal amounts of head-scratching and approval. First of all, and here’s the catch, it only contains tips for hardening Mac OS X 10.5 (Leopard), which raises the question: how concerned about security are people running a six-year-old version of the OS? If for some reason you are compelled to run an antiquated operating system, it certainly couldn’t hurt to use these tips to tighten your system up a bit. Beyond that, the document makes some salient points that can be summed up as general rules.

Principle of Least Privilege

In short, it’s good security policy to deny access or turn things off when there’s no need for them, because each extraneous moving part is another thing that could be used against you. There are several tips anyone can follow, and a few that are for the more tech-savvy. Either way, you can find more specifics in the document, though their usefulness may vary if you’re running a more recent version of OS X.

  • Put a piece of opaque tape over your webcam if you’re not using it.
  • Turn off network interfaces (e.g. Bluetooth, WiFi, Airport, IPv6) in System Preferences if or when you’re not using them.
  • Don’t use your admin account unless there’s some specific need for admin-level access.
  • Deselect “Allow guests to connect to shared folders” in System Preferences.
  • Secure Users’ Home Folder Permissions. (This is one of those advanced tips)
  • Turn off services in LaunchDaemons and LaunchAgents if you’re not using them. (Consider this an advanced tip too)

Turn Off Automatic Access

Apple does a lot of things to make your life easier, but those conveniences might also make it easier to shoot yourself in the foot security-wise (or allow someone else to!). Undoing these things is generally best left to folks who are more technically adept, but there are a couple of items that mere mortals can safely do.

  • Set your Firmware Password. (Advanced)
  • Disable Setuid and Setgid Binaries. (Advanced)
  • Disable “Open Safe Files After Downloading” in Safari’s Preference menu.
  • Disable Automatic Login in System Preferences
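
Two of the advanced items, securing users’ home folder permissions (in the previous list) and disabling setuid and setgid binaries, both start with finding out what is currently on the system. The read-only audit below is an added example, not taken from the NSA document or from this article; the function names, the baseline-file approach, and the rule that any group or other permission on a home folder deserves review are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit helpers; nothing on disk is modified
# except the constructed sample tree created by make_sample.

# List folders directly under a users root (e.g. /Users) that grant any
# read, write or execute bit to group or other (assumed review criterion).
audit_home_perms() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# List regular files under a directory that carry the setuid or setgid bit.
audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | sort
}

# Print only the setuid/setgid files that are absent from a reviewed
# baseline list (one absolute path per line; hypothetical file format).
new_setid() {
    audit_setid "$1" | while IFS= read -r f; do
        grep -Fxq -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# Build a constructed sample tree so the audit can be tried without root.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Users/alice" "$d/Users/bob" "$d/bin"
    chmod 700 "$d/Users/alice"      # private home folder
    chmod 755 "$d/Users/bob"        # readable by everyone: flagged
    : > "$d/bin/plain"; : > "$d/bin/helper"; : > "$d/bin/newtool"
    chmod 755  "$d/bin/plain"
    chmod 4755 "$d/bin/helper"      # setuid, already in the baseline
    chmod 4755 "$d/bin/newtool"     # setuid, not in the baseline
    printf '%s\n' "$d/bin/helper" > "$d/baseline.txt"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /Users /usr   (with no arguments, only defines functions)
if [ "$#" -eq 2 ]; then
    audit_home_perms "$1"
    audit_setid "$2"
fi
```

On a real Mac, `/Users/Shared` is world-writable by design and will appear in the home folder listing.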

Turn On Security Features

Okay, this one is more obvious. If your software provides a way for you to make your setup more secure, do it. These are all easy things you can do to increase your security.

  • Turn on FileVault in System Preferences
  • Turn on the Firewall in System Preferences
  • Enable Software Update in System Preferences

If you’re not too weirded out about taking security tips from a government agency that may be rifling through your digital drawers, there are some interesting tips to be had. (That said, none of the NSA’s tips are going to stop them from getting your metadata.) If you’re looking for more ways to secure your Mac, here’s our take on setting up your machine securely.

photo credit: kikuyumoja via photopin cc