S 4.374 Access protection of user accounts under Mac OS X
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
On a client under Mac OS X, the settings of the user accounts must be adapted to increase system security. For example, an unauthorised person could use the password hint to obtain information on the password. These modifications can be made in the system settings under "User".
The protection of a user account against unauthorised access depends heavily on the password used; therefore, a strong password must be used. For this purpose, the recommendations in S 4.376 Specifying password policies under Mac OS X must be implemented.

Another important prerequisite for a secure user account is the deactivation of password hints, which can give an attacker important information on the password. Since, in the worst case, the information in the hint is identical to the actual password, this function should be deactivated. If a password hint is used nevertheless, all users must be made aware of this potential threat.

In addition, the login window should not display a list of all users, since an attacker would thereby learn which user accounts exist on the system and would then only need the corresponding passwords to gain unauthorised access. In any case, logging in must not take place automatically; it should only be possible by entering the user name and password.
As an alternative, these restrictions can be implemented for the currently logged-in users by means of the command line:
# The commands write the system-wide file /Library/Preferences/com.apple.loginwindow.plist
# and therefore require administrator rights (e.g. run them via sudo)
# No password hint
defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -int 0
# Query of name and password in the login window, no display of the name list
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool yes
# Deactivation of reboot, sleep mode and shutdown
defaults write /Library/Preferences/com.apple.loginwindow PowerOffDisable -bool yes
The above settings should be checked after each system update.
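The following audit script is an added example and not part of the BSI catalogue text; it checks the settings written by the commands above and answers the review questions below from a dump of the login-window preferences. It assumes the key/value format printed by "defaults read /Library/Preferences/com.apple.loginwindow" (booleans appear as 1 or 0), that the login window records an automatically logged-in user under the key autoLoginUser, and that an absent autoLoginUser key means automatic login is off. The function and variable names are the author's own.

```shell
#!/bin/sh
# Audit helper for the login-window settings of this safeguard.
# Added example, not part of the BSI catalogue text.
# Input: a dump of /Library/Preferences/com.apple.loginwindow in the format
# printed by "defaults read" (entries of the form "Key = value;" inside braces).

# get_key KEY: print the value stored under KEY in the dump read from stdin,
# or nothing if the key is absent.
get_key() {
    sed -n "s/.*[[:space:]{]$1 = \([^;]*\);.*/\1/p"
}

# audit_loginwindow: read the dump from stdin, print one finding per setting
# and return 0 only if every setting matches the safeguard.
audit_loginwindow() {
    dump=$(cat)
    rc=0

    # Automatic login: the login window records the user to log in
    # automatically under autoLoginUser; the key must be absent
    # (assumption: an absent key means automatic login is off).
    auto=$(printf '%s\n' "$dump" | get_key autoLoginUser)
    if [ -n "$auto" ]; then
        echo "FAIL  automatic login enabled for user '$auto'"
        rc=1
    else
        echo "OK    no automatic login"
    fi

    # Password hint: RetriesUntilHint = 0 means the hint is never shown.
    hint=$(printf '%s\n' "$dump" | get_key RetriesUntilHint)
    if [ "$hint" = "0" ]; then
        echo "OK    password hint disabled"
    else
        echo "FAIL  password hint not disabled (RetriesUntilHint = ${hint:-unset})"
        rc=1
    fi

    # Login window form: SHOWFULLNAME = 1 asks for name and password
    # instead of listing all user accounts.
    show=$(printf '%s\n' "$dump" | get_key SHOWFULLNAME)
    if [ "$show" = "1" ]; then
        echo "OK    login window asks for name and password"
    else
        echo "FAIL  login window lists user accounts (SHOWFULLNAME = ${show:-unset})"
        rc=1
    fi

    # Restart, sleep and shutdown buttons: PowerOffDisable = 1 hides them.
    power=$(printf '%s\n' "$dump" | get_key PowerOffDisable)
    if [ "$power" = "1" ]; then
        echo "OK    power controls hidden on the login window"
    else
        echo "FAIL  power controls available (PowerOffDisable = ${power:-unset})"
        rc=1
    fi

    return $rc
}

# Live check on a Mac: sh audit.sh --live
# (nothing runs when the file is only sourced or started without --live).
if [ "${1:-}" = "--live" ]; then
    defaults read /Library/Preferences/com.apple.loginwindow | audit_loginwindow
fi
```

Run with --live on the client after each system update; the exit status is 0 only when all four settings are as required, so the script can be used from a scheduled job that reports deviations. A saved dump can also be piped into audit_loginwindow to check a preference file collected from another machine.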
Review questions:
- Is the automatic login deactivated under Mac OS X?
- Was a complex user account password selected under Mac OS X?
- Were the password hints under Mac OS X deactivated for the user account or the users sensitised accordingly?