S 4.378 Limiting access to programmes under Mac OS X

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

The "Parental Controls" can be used to limit access to certain functions of the computer under Mac OS X. Although this function is named "Parental Controls", its can also be useful for public agencies or companies. These Parental Controls, available in the System Preferences, can be used to further limit user accounts. The access to programs can be further limited using the Parental Controls after removing all unneeded programs as described in S 4.371 Configuration of Mac OS X clients in the section "Removal of unneeded programs". This could also allow for more precise setting of limitations.

For example, access to certain user programs, websites or computer components can be limited for the users. This procedure is also suitable for blocking the "Utilities" directory as this contains programs for administration of the computer, delivering a deeper insight into the system. If only the access to certain websites or domains should be allowed, the menu item "Content" can be used to allow access to a domain such as "*.bund.de". Furthermore, it is possible to enable email communication only between partners specified in advance.

A list of authorised email and iChat communication partners can be created under the menu item "Mail & iChat". This setting prevents leaking of information via the Mail and iChat programs. However, it must be taken into account that HTTP web mailers can still be used to send emails to non-authorised persons. Currently it is not possible to modify the list of authorised communication partners using regular expressions. The login times for user accounts can be set under the menu item "Time Limits". For example, if it is assumed that the normal working hours are from 7 a.m. to 5 p.m., the authorised user login times should be similar to those working times..

Further available settings such as access to CD/DVD drive should be as restrictive as possible. However, it should be taken into account that excessive limitation may have an impairing and demotivating effect. That is why the Head of It and the IT Security Officer should identify in advance the restrictions to be implemented with certain clients. This should be well documented.

Central control of the client computers is also possible. If activating the option "Manage parental controls from another compute" under "Parental Controls" in "System Preferences", user accounts on remote computers can be limited using the Parental Controls. This requires the user name and the password of an administrator of the IT system to be controlled. These access data can be used to limit, from the administering IT system, the user rights on the controlled IT system as described above.

Review questions:

© Federal Office for Information Security. All rights reserved.