UNCLASSIFIED
Report Number: I331-003R-2005
Apple Mac OS X Server v10.3.x “Panther” Security Configuration Guide
Systems and Network Attack Center (SNAC)
National Security Agency
9800 Savage Rd.
Ft. Meade, MD 20755-6704

Summary of contents (each entry is the truncated opening text of one page of the guide)

Page 1 - Security Configuration Guide

Report Number: I331-003R-2005 Apple Mac OS X Server v10.3.x “Panther” Security Configuration Guide Systems and Network

Page 2

1.2 Centralized Client Settings Management Although system preferences on Mac OS X client systems can be set individuall

Page 3

2. Network Architecture Careful planning that incorporates security concerns must precede deployment of Mac OS X Serve

Page 4

should be as restrictive as possible. Only administrative users should be able to log directly onto a directory server. Ex

Page 5

3. Basic Installation and Configuration Although secure configuration of an existing Mac OS X Server installation is possible, securely configuring

Page 6

The installation process will destroy all information on the hard drive. If any information on the system should be retained, it should be backed up

Page 7

• Erase and format the drive using either the Mac OS Extended (Journaled) or the Mac OS Extended (Case-sensitive/Journaled) option. • Quit Disk Uti

Page 8

11. For now, the “Set directory usage” setting on the Directory Usage screen should be set to Standalone Server to simplify the installation process

Page 9

Updates can be downloaded from http://www.apple.com/support/downloads using a machine designated specifically for downloading and verifying updates,

Page 10

3.5 Configuring System Preferences Basic system configuration follows the installation of the operating system and its updates. All

Page 11

3.5.3 Bluetooth The Bluetooth panel in the System Preferences program facilitates configuration of that wireless communications standard, used by de

Page 12

Warnings • Do not attempt to implement any of the settings in this guide without first testing in a non-operational env

Page 13

4. Uncheck the checkbox in front of the Wake when the modem detects a ring option to disable it. 5. Uncheck the checkbox in front of the Wake for E

Page 14

3.5.7 Network AirPort and Bluetooth wireless connectivity options should be turned off. They will only be present in the panel if supporting hardwa

Page 15

• Remote Apple Events: This service enables the machine to respond to Apple events from other computers, which may present security risks. Confi

Page 16

3.5.11 Software Update Software updates should not be performed automatically. All update downloads should be conducted on a machine other than the

Page 17

b. Uncheck the box for “Cache last user logon for offline operation” unless it is required. c. Uncheck the box for “Authenticate in multiple domain

Page 18

should be changed. Second, any necessary modifications to the root account should be performed. 3.8.1 Restricting Administrator’s Home Folder Permi

Page 19

has been set for root. (Which of these appear as the value for passwd depends upon how the root account was enabled.) 8. Type a single asterisk (“*

Page 20

3.8.3 Securing Single-User Boot On Apple systems running Mac OS X, Open Firmware is the software executed immediately after the computer is powered

Page 21

Open Firmware protection can be violated if the user has physical access to the machine; If the user changes the physical memory configuration of the

Page 22

openssl passwd -salt <xx> <password> A hash of the password will be displayed after executing the command. 4. Type or paste the passwor

Page 23

Trademark Information Apple, Macintosh, Mac OS X, and “Panther” are either registered trademarks or trademarks of the A

Page 24

To provide a logon warning banner to users logging into remote services on the system: 1. Open the file /etc/motd as an administrator. 2. Enter the

Page 25

mail.emerg /var/log/mail.log The facility and priority are separated by only a period, and these are separated from the action by one or more ta

Page 26

#Minute  Hour  DayOfMonth  Month  DayOfWeek  User  Command
15       12    *           *      2          root  periodic weekly
3.10.3 Remote Logging Using remote logging in add

Page 27

to meet site security policy. Consult operational policy to determine if this method is adequate. 1. Open the folder /System/Library/Extensions. 2.

Page 28

root access is required to do these steps, and incorrectly entering a folder name could result in removal of the Mac OS X operating system or all Mac

Page 29

placed correctly, the Applications folder could be deleted. 11. Restart the system.

Page 30

4. Securing Network Services Mac OS X Server includes software packages to provide many network services, many of which are based on

Page 31

3. Click the Settings tab. 4. Uncheck the boxes for “Zone transfers” and “Recursion.” 5. Click Save. If your site requires recursion, we recommend

Page 32

1. Open Server Admin. 2. Click the name of the server you’re configuring. 3. Click the Advanced Tab under Settings. 4. Uncheck the boxes for “Ena

Page 33

11. Click the back arrow on the top right, and repeat from step 4 for any other subnets. 12. Click Save. 4.4 Enabling the Secure Sockets Layer The

Page 34

Table of Contents Warnings...

Page 35

steps for doing this vary by vendor but are outlined in the “Setting up SSL” section of Apple’s “Mac OS X Server Web Technologies Administration” man

Page 36

sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt When prompted, enter a strong passphrase for the key, as well as these fields: Countr

Page 37

When prompted, enter a strong, unique passphrase to protect the web server key pair. Next, generate a Certificate Signing Request (CSR) for the CA:

Page 38

Now create the CSR with the mail server key: sudo openssl req -new -key mailserver.key -out mailserver.csr Fill out the following fields as complet

Page 39

Leave the challenge password and an optional company name blank. Sign the ldapserver.csr request: sudo openssl ca -in ldapserver.csr -out ldapser
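The certificate steps on the preceding pages (CA key and self-signed CA certificate, server key, CSR, signing with openssl ca) are shown here strung together as one runnable script. This is an added example written for this page, not a script from the NSA guide: the work directory, the file names, the subject names, the 2048-bit RSA keys, SHA-256 and the minimal openssl.cnf are all assumptions. openssl ca needs a CA directory layout (index.txt, serial, newcerts) and a policy section, which the guide's commands take from the system openssl.cnf; the script writes its own so it runs anywhere. Unlike the guide, which asks for a passphrase on every key, the keys here are left unencrypted so the run is non-interactive; for a real server add -aes256 to genrsa and supply -passin/-passout, or at least keep the directory mode 700. The resulting ca.crt, server certificate and server key are the three files Server Admin asks for when SSL is enabled for web, mail or LDAP.

```shell
#!/bin/sh
# Added example (not from the NSA guide): private CA plus one server certificate
# using the same openssl subcommands the guide uses (genrsa, req, ca).
# All names, paths and the minimal CA configuration below are assumptions.
set -eu

# Minimal configuration so that "openssl req" and "openssl ca" work without the
# system openssl.cnf. $1 is the CA directory, $2 the config file to write.
write_ca_config() {
    cat > "$2" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_days     = 365
default_md       = sha256
policy           = local_policy
x509_extensions  = server_cert

[ local_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# usage: make_demo_ca <work-dir> <server-fqdn>
make_demo_ca() {
    dir=$1 fqdn=$2 cnf=$1/openssl.cnf
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # openssl ca's certificate database, empty to start
    echo 1000 > "$dir/serial"     # next serial number, hex
    write_ca_config "$dir" "$cnf"

    # 1. CA key and self-signed CA certificate
    #    (the guide's "openssl req -new -x509 -days 365 -key ca.key -out ca.crt").
    #    Keys are written unencrypted here so the run needs no passphrase prompt.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -config "$cnf" \
        -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=US/O=Example Org/CN=Example Org Private CA"

    # 2. Server key and certificate signing request
    #    (the guide's ldapserver.key / ldapserver.csr step).
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$cnf" \
        -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -subj "/C=US/O=Example Org/CN=$fqdn"

    # 3. Sign the request with the CA (the guide's "openssl ca -in ... -out ...").
    #    -batch suppresses the confirmation prompts, -notext keeps the PEM file clean.
    openssl ca -batch -notext -config "$cnf" \
        -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt"

    chmod 600 "$dir/ca.key" "$dir/$fqdn.key"

    # 4. Check the chain before handing the files to Server Admin; prints "<file>: OK".
    openssl verify -CAfile "$dir/ca.crt" "$dir/$fqdn.crt"
}

# Run with: sh this.sh --demo [work-dir] [fqdn]
if [ "${1:-}" = "--demo" ]; then
    make_demo_ca "${2:-./demo-ca}" "${3:-ldap.example.com}"
fi
```

The leaf certificate carries basicConstraints CA:FALSE and extendedKeyUsage serverAuth, so a compromised server key cannot be used to mint further certificates under the CA; the guide's plain openssl ca call, taken from the system config, may or may not add those extensions, so check the issued certificate with openssl x509 -text -noout before deploying it.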

Page 40

4.5.1 Configure Role The Open Directory service can act in one of four different roles: Standalone Server, Open Directory Master, Connected to a Dir

Page 41

certificates as discussed in “Creating an SSL Certificate for LDAP Services,” this can be accomplished as follows: a. Copy the files ldapserver.crt

Page 42

not intended to be a web server. Second, secure web administration demands scrutiny of some basic configuration settings. Third, SSL encryption sho

Page 43

4.6.3 Configuring SSL Support Using SSL to offer a secure communication channel to web visitors requires three separate files: • A signed server ce

Page 44

4. Do the same thing for the server.key file and the ca.crt file, next to the Key File and CA File entries, respectively. 5. In Server Admin, click

Page 45

3.9 Logon Warning Banners ...23 3.10 Audit

Page 46

4.7.2 Configure SSL Support If any e-mail services are required, their communications should be protected by SSL. Enabling SSL for incoming (IMAP a

Page 47

Mail clients must be set up to use SSL connections. Configuring an active mail server in the manner described will cause a loss of service until the

Page 48

3. To update Postfix to use the new alias, issue the command: newaliases 4.7.5 Disable the SMTP Banner The SMTP banner provides information about

Page 49

or match a single host like this: -a 192.168.1.23/32 It is also possible to specify hostnames or domain names instead of IP addresses, but this is

Page 50

also accessible at /etc/sshd_config because /etc is a symbolic link to /private/etc). To implement recommended settings: 1. Open /private/etc/sshd_c
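The guide's recommended sshd_config settings are cut off in this summary, so the script below does not reproduce its list; it is an added example (not from the guide) of how to apply directives to /private/etc/sshd_config without ending up with duplicate or silently ignored lines. Two properties of sshd matter here and are what the functions encode: keywords are matched case-insensitively, and when a keyword appears more than once sshd uses the first active occurrence. The four directives in harden_sshd (Protocol 2, PermitRootLogin no, PermitEmptyPasswords no, X11Forwarding no) are common OpenSSH hardening choices assumed for illustration; substitute the guide's own list.

```shell
#!/bin/sh
# Added example, not from the NSA guide: apply sshd_config directives idempotently.
# The directives in harden_sshd are assumed for illustration.
set -eu

# Rewrite or append one directive. sshd uses the FIRST active occurrence of a
# keyword and compares keywords case-insensitively, so the first active line is
# rewritten in place, later active duplicates are dropped, and commented-out
# defaults such as "#PermitRootLogin yes" are left alone as documentation.
set_sshd_option() {
    # usage: set_sshd_option <config-file> <Keyword> <value>
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        tolower($1) == tolower(key) {
            if (!done) { print key " " value; done = 1 }   # first active line: rewrite
            next                                            # later duplicates: drop
        }
        { print }
        END { if (!done) print key " " value }             # no active line: append
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Report the value sshd would actually use for a keyword (first active occurrence).
get_sshd_option() {
    # usage: get_sshd_option <config-file> <Keyword>
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Assumed hardening set. Edit a copy first, diff it against the live file, then
# install it and restart the service.
harden_sshd() {
    # usage: harden_sshd [config-file]   (default is the Panther path)
    file=${1:-/private/etc/sshd_config}
    set_sshd_option "$file" Protocol 2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" X11Forwarding no
}

# Demo on a constructed sample file (run with: sh this.sh --demo). The sample
# deliberately contains a commented default, a weak Protocol line and a duplicate.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '#PermitRootLogin yes\nProtocol 2,1\nX11Forwarding yes\nX11Forwarding no\n' > "$demo"
    harden_sshd "$demo"
    cat "$demo"
    rm -f "$demo"
fi
```

On the sample file the result keeps the commented "#PermitRootLogin yes" line, rewrites "Protocol 2,1" to "Protocol 2", collapses the two X11Forwarding lines into one "X11Forwarding no", and appends PermitRootLogin and PermitEmptyPasswords, which had no active line. Without the duplicate handling, appending "X11Forwarding no" to a file that already says "X11Forwarding yes" would change nothing, because sshd would keep using the earlier line.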

Page 51

System (NFS), Microsoft Windows’ Server Message Block (SMB), and File Transfer Protocol (FTP). Each of these protocols is appropriate for certain si

Page 52

server and client is not at risk for eavesdropping. Generally, use of SMB is not recommended. NFS is a common file sharing protocol for UNIX comput

Page 53

Permissions on share points set as user home directories are particularly important. By default, users’ home directories are set to allow any other

Page 54

18. Under Error Log, select “Archive every X days.” Set the frequency according to site policy or operational need. 19. Click the Idle Users tab

Page 55

10. Change the Detail: to at least medium in order to capture authentication failures. 11. Click the Advanced tab. 12. Under Services, uncheck Wor

Page 56

4.9.2 Configure OpenSSH...47 4.10 Exporti

Page 57

13. Check the box for "Show Banner Message" and enter a banner message in accordance with site policy. Do not reveal any software informa

Page 58

4. Select the Protocols tab. 5. In the pop-up menu in the window pane, select NFS Export Settings. Given that the item is to be exported via NFS,

Page 59

4.11.1 Configure the IP Firewall Settings To configure the Firewall Service locally: 1. Open Server Admin. 2. Click Firewall in the list for the

Page 60

10. Keeping the Server Admin program open, add the following lines to /etc/ipfilter/ipfw.conf (substituting $MY_IP, $TIME_SERVER, and $DNS_SERVER ap

Page 61

5. User and Client Management Mac OS X Server’s Workgroup Manager program allows administrators to enforce system settings on a user

Page 62

days that would indicate the user no longer needs the account. Check the box for “after _ failed attempts” and enter 3 or whatever is required by si

Page 63

these preferences at all levels is recommended in case one level is accidentally left unset. Preferences must be applied to each computer list, grou

Page 64

Uncheck the box for “User may press Shift to keep items from opening” to prevent users from disabling any automatic launches. Click the Login Options

Page 65

Check the boxes for Appearance, Dock, Exposé, Security, Keyboard & Mouse, and Universal Access. Desktop & Screen Saver should remain uncheck

Page 66

6. References 1. Mac OS X Maximum Security; Ray, John, and Ray, Dr. William C.; Sams Publishing; 2003 2. Mac OS X Panther Unleashe

Page 67

Introduction The purpose of this guide is to provide an overview of Mac OS X Server v10.3 operating system security and r

Page 68

Scope of Guidance Apple’s Mac OS X operating system is very versatile and can be used not only as a client workstation, b

Page 69

1. Introduction to Mac OS X Server Security Mac OS X Server combines the GUI-based, user-friendly features of the Macint
