S 2.478 Planning the use of Mac OS X

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator, IT Security Officer

The proper and secure implementation of Mac OS X systems requires extensive planning. This safeguard describes the technical software aspects that allow smooth project implementation. The hardware components used in a Mac system are prescribed by Apple and are therefore manageable. Regarding the processor, however, there is a major difference between the previously and the currently used Mac systems. In Snow Leopard (10.6) and higher versions, Mac OS X no longer supports PowerPC processors. Mac OS X 10.6 cannot be installed on older Apple computers without an Intel CPU. When changing from PowerPC-based Apple computers to Apple computers with Intel processors, it must be examined in advance whether "universal" applications are involved, i.e. applications which can be executed both on PowerPC processors and on Intel processors.
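The check for "universal" applications described above can be made from the first bytes of each application's executable (inside an application bundle, the file under Contents/MacOS). The following is an added example and not part of the safeguard; the function names and the sample headers are constructed for illustration.

```python
import struct

# Constants from the Mach-O headers (<mach-o/fat.h>, <mach-o/loader.h>, <mach/machine.h>)
FAT_MAGIC = 0xCAFEBABE                   # universal ("fat") binary, always big-endian
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}   # single-architecture Mach-O, 32-bit and 64-bit
CPU_ARCH_ABI64 = 0x01000000              # flag bit marking the 64-bit variant of a CPU type
CPU_FAMILIES = {7: "intel", 18: "powerpc"}
MAX_FAT_ARCHS = 20   # heuristic: Java .class files share 0xCAFEBABE but hold a version >= 45 here

def macho_cpu_families(data):
    """Return the set of CPU families in a Mach-O image (empty set if it is not Mach-O)."""
    if len(data) < 8:
        return set()
    magic_be, second_be = struct.unpack(">II", data[:8])
    if magic_be == FAT_MAGIC:
        if second_be > MAX_FAT_ARCHS or len(data) < 8 + 20 * second_be:
            return set()
        cputypes = [struct.unpack_from(">I", data, 8 + 20 * i)[0] for i in range(second_be)]
    elif magic_be in THIN_MAGICS:                           # big-endian file (PowerPC byte order)
        cputypes = [second_be]
    elif struct.unpack("<I", data[:4])[0] in THIN_MAGICS:   # little-endian file (Intel byte order)
        cputypes = [struct.unpack_from("<I", data, 4)[0]]
    else:
        return set()
    return {CPU_FAMILIES.get(c & ~CPU_ARCH_ABI64, "other") for c in cputypes}

def migration_status(data):
    """Classify one executable for a PowerPC-to-Intel migration inventory."""
    families = macho_cpu_families(data)
    if not families:
        return "not-macho"
    if {"intel", "powerpc"} <= families:
        return "universal"
    if "intel" in families:
        return "intel-only"
    if "powerpc" in families:
        return "powerpc-only"   # has no native code for an Intel Mac
    return "other"

# Constructed sample headers (not real applications); only the leading bytes matter.
SAMPLES = {
    "OldTool": struct.pack(">II", 0xFEEDFACE, 18),                  # thin PowerPC
    "NewTool": struct.pack("<II", 0xFEEDFACF, 7 | CPU_ARCH_ABI64),  # thin 64-bit Intel
    "BothTool": struct.pack(">II", FAT_MAGIC, 2)
    + struct.pack(">5I", 18, 0, 4096, 100, 12) + struct.pack(">5I", 7, 3, 8192, 100, 12),
    "Applet.class": struct.pack(">IHH", FAT_MAGIC, 0, 50),          # Java class file, not Mach-O
}
```

Applications reported as "powerpc-only" are the ones that need a replacement or an updated version before the hardware change.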

When changing the platform from another operating system to Mac OS X, it must also be examined in advance whether the same or equivalent applications are available for Mac OS X and whether they are compatible with existing systems (for example a Lotus Domino server or Microsoft Exchange server). This relates not only to applications operated directly on the client, but also to server-based applications with specific prerequisites. For example, certain web-based applications require ActiveX, which is not available under Mac OS X. Existing software which is not compatible with Mac OS X can be operated using a software virtualisation solution. However, this can only be seen as an emergency solution, since it places higher demands on the hardware and it is far more complicated to operate an application in a virtualised environment.

In general, it should be checked whether existing software licence contracts also cover Mac OS X systems. If this is not the case, future procurement should, if possible, select software that can be operated on different platforms or whose licence contracts allow use on other platforms.

When implementing Mac OS X systems, it must also be examined whether existing external hardware such as printers, plotters, card readers or other necessary devices is compatible with Mac OS X and whether corresponding device drivers are available. It must also be checked whether the network protocols used are supported by Mac OS X, so that a connection can be established between different IT systems. If, for example, the "Andrew File System" (AFS) protocol is used as a distributed network file system, a suitable client for Mac OS X must be selected.

User concept

A user concept specifies the rights with which users can perform certain tasks. When planning the user concept, a distinction must be made between local and domain-wide user accounts. For both local and domain-wide user accounts, it must be ensured that the user rights are as restrictive as possible. This limits the potential extent of damage in the event of intentional or accidental misuse of the user account. Under Mac OS X, an account with standard user rights must be set up for each user; this account should be used for routine daily work.

When the clients are integrated into a directory service under Mac OS X, M 5.15 General directory service should be considered. If it is a heterogeneous network with a Windows server used as basis of the directory service, S 5.16 Active Directory must also be taken into account.

Administration concept

Prior to the implementation of Mac OS X, an administration concept must be created if it is not yet available. There are basically two different accounts available for administration.

Mac OS X distinguishes between user and administrator accounts. A user who is logged in under a user account is not able to change any system settings, to install applications in generally accessible directories or to administer other user accounts. For administrators, however, the following options are available. If possible, the administrators should be assigned an account possessing only the privileges of a standard user to do their normal work. An account with administrative privileges should only be used when the standard privileges are inadequate. In Mac OS X, tasks requiring the extended rights of an administrator are marked with a small padlock symbol. When the padlock is clicked, the access data of the administrator is requested; afterwards, changes with administrative privileges are possible. After completing the corresponding tasks, the administrator should log out of the account with administrative privileges by clicking the symbol again and resume working with the standard user account.

In addition to this, a special feature of Mac OS X is a root account that is deactivated in the default settings. The difference between administrator and root accounts is that an administrator account does not have an authorisation to delete information in important system folders. Thus, an administrator can make many changes to the system, but cannot cause the entire operating system to become completely unusable.

However, it is possible to activate and use the root account by means of an administrator account. The deactivation of the root account is thus only an incomplete protection against the unintentional deletion of system files.

Logging concept

To be able to detect attacks or irregularities, the logging options of the individual system should be activated and used. The safeguards S 4.106 Activation of system logging and S 4.25 Use of logging in Unix systems also apply to Mac OS X, as it is based on Unix. To be able to log in a useful manner, consideration should be given in advance as to which programs play an important role on the client under Mac OS X. All business-critical applications should be assigned the highest possible log level; thus, all warnings/notifications in particular can be logged. In the event of an incident, sufficient information is available for the elimination of errors. If a client is, for example, mainly used to send emails, any information on the email program should be sent to a central location and evaluated.

Data storage, data backup, and encryption

It is necessary to specify where user data will be stored (see S 2.138 Structured data storage). If all relevant data is stored on servers, the local hard disks of the client computer do not have to be encrypted. In addition, data backups can then be performed centrally, so that local data backups can also be dispensed with. However, this depends heavily on the local conditions. If, for example, a client uses special software that can only be put back into operation after a failure with a great deal of effort, the client should be backed up at regular intervals. Additional information on the subject of data backups can be found in the safeguards S 6.146 Data backup and restoration of Mac OS X clients and S 6.32 Regular data backup as well as in the module S 1.4 Data backup policy.

If mobile computers are used, at least a temporary local data management is required. Thus, the storage of data on the client and its (cryptographic) protection must be planned accordingly (see S 4.29 Use of an encryption product for portable IT systems). If encrypting the user directory is sufficient, FileVault (see S 4.372 Use of FileVault under Mac OS X) can be used. If security-relevant data is stored outside the user drive, it should also be encrypted. Additional information on how to store or transport data securely can be found in S 4.379 Secure data management and transport under Mac OS X. In case of higher protection requirements, the protection achieved in this manner is generally not enough, so additional security applications must be used, for example, an encryption program that is able to encrypt the entire hard disk of the client.

Review questions: