S 5.167 Secure remote access under Mac OS X

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Mac OS X version Panther (10.3) and higher include the network service Apple Remote Desktop for remote maintenance. The server component is based on the Virtual Network Computing (VNC) protocol and is able to communicate with each VNC client irrespective of operating system and manufacturer.

However, the client component has only been included in the operating system, as "Screen Sharing", since Mac OS X Leopard (10.5). If screen sharing is enabled under "Sharing" in System Preferences, every person with the corresponding access rights may access the IT system under Mac OS X. To increase security, the option "VNC viewers may control screen with password" should be activated, and trivial passwords should be avoided (see S 2.11 Provisions governing the use of passwords). Furthermore, screen sharing must be made accessible only to selected user groups.

Under Mac OS X Leopard (10.5) and higher, encrypted transfer of remote control data via VNC is supported; this should also be activated. When choosing the settings for screen sharing on clients, the option "Encrypt all network data" should be selected so that not only passwords and keyboard entries but the whole data transfer is encrypted.

If the VNC software does not support encrypted data transfer or if an older Mac OS X operating system is used, it is recommended to use an SSH tunnel or a VPN for secure data transfer.
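As an added example (not part of this safeguard or of Apple's own tooling), the following POSIX shell script shows the SSH tunnel variant recommended above: the local end of the forward is bound to the loopback interface, the VNC viewer then connects to that local port, and the VNC traffic never leaves the host unencrypted. The user name, host name and local port are placeholders; it assumes Remote Login (sshd) is enabled on the remote Mac and Screen Sharing listens on its default port 5900.

```shell
#!/bin/sh
# Added example for S 5.167: tunnel a Screen Sharing (VNC) session over SSH.
# Assumptions (placeholders, not from the safeguard): remote Mac runs sshd and
# Screen Sharing on the default VNC port 5900; user/host/local port are supplied
# by the caller.

VNC_PORT=5900

# Build the ssh command that forwards a local loopback port to the remote VNC port.
# The local end is bound to 127.0.0.1 explicitly so that other hosts on the network
# cannot reuse the tunnel; -N opens no remote shell, only the port forward.
# Only unprivileged local ports (1024..65535) are accepted so the tunnel can be
# started without root rights on the client.
build_tunnel() {
    user="$1"; host="$2"; local_port="$3"
    if [ -z "$user" ] || [ -z "$host" ]; then
        echo "usage: build_tunnel USER HOST LOCAL_PORT" >&2
        return 1
    fi
    case "$local_port" in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$local_port" -lt 1024 ] || [ "$local_port" -gt 65535 ]; then
        echo "local port must be in 1024..65535" >&2; return 1
    fi
    echo "ssh -N -L 127.0.0.1:${local_port}:localhost:${VNC_PORT} ${user}@${host}"
}

# Build the viewer command: on Mac OS X, 'open vnc://...' launches Screen Sharing
# against the local end of the tunnel instead of the remote host directly.
build_viewer() {
    local_port="$1"
    echo "open vnc://127.0.0.1:${local_port}"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then
    tunnel=$(build_tunnel "$1" "$2" "$3") || exit 1
    echo "1) start the tunnel in a separate terminal:"
    echo "   $tunnel"
    echo "2) then connect the viewer to the loopback end:"
    echo "   $(build_viewer "$3")"
fi
```

Running the script as `sh vnc_over_ssh.sh admin mac-host.example 5901` prints the two commands to type; the viewer must be pointed at 127.0.0.1 and the chosen local port, not at the remote host, otherwise the session bypasses the tunnel. The same approach applies to any VNC client, since the tunnel is transparent to the VNC protocol.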

Review questions: