Authors: Adam Gray cism

Services Access

The following blanket recommendation applies to any network service, including those not listed here:

• 
  Disable any network service that is not used.
  

Follow the checklists below for any services that must be enabled. If a service is enabled and there are no user access controls then it is possible to control many of the services by clicking on the servers name under the SERVERS list, clicking on the Settings icon in the toolbar and then clicking on the Access tab. Here you can configure Service Access Control Lists (SACLs) by using the Allow Only Users and Groups Below: to specify which users can access each service, by service. Services with SACLs include AFP, Blog, FTP, iCal, iChat, Login Window (similar to the log on locally option in Windows), Mail, Podcast Producer, QuickTime Streaming, RADIUS, SMB, SSH, VPN and Xgrid.

Additionally, you can granularly configure which users have access to administer or monitor each service using the Server Admin tools. This allows you to have a layered approach to administer the server services. To do so:

• 
  Open Server Admin and click on the name of the server in the SERVERS list that you would like to configure administrative access to.
  
• 
  Click on Settings in the Toolbar.
  
• 
  Click on the Access tab.
  
• 
  Click on the Administrators sub-tab.
  
• 
  Click on the For Services Selected Below radio button.
  
• 
  Click on the Service for which you would like to configure.
  
• 
  Click on the + icon below the list.
  
• 
  Drag the user or group to allow administration for (or specifically restrict administration for.
  
• 
  Select Administer or Monitor in the list to determine what level of access a user has
  

Network Services

The SERVERS pane on the left side of the Server Admin window contains an expandable list of computers with their installed network services. The remainder of the window is dedicated to information and configurable options for the selected computer or service. Items in the toolbar along the top of the screen allow you to get an Overview of the service, view Logs, list Connections, view Graphs of usage statistics, or configure service-specific Settings. Some services may not have all of these items in the toolbar, or may have other service-specific items, such as . The actions on the checklists below are made by selecting the Settings icon in the toolbar and then selecting one of the upper tabs as indicated.
There’s not room in this document to review all of the possible settings for every service, but we call attention to security-specific steps you can take. If you are running a service, then you should review the documentation for how to secure that service by the open source project for which the service is based (eg – Apache documentation for the web service or Samba documentation for the Windows service).
AFP

The Apple File Protocol (AFP) service allows clients to mount shared folders from the server. By default, file servers advertise themselves using Bonjour and AppleTalk to appear in the Finder on every other computer on the same network. The number of users accessing AFP is unlimited by default, no logging is performed, and idle users remain connected indefinitely.

These default settings are not as secure as they should be.

• 
  On the General tab, consider disabling Bonjour registration if you will be using IP or DNS for users to access the server.
  
• 
  On the Access tab, use Kerberos authentication if possible. Disable Guest access and the option to Enable administrator to masquerade as any registered user, which allows administrators to authenticate into any user account using any administrator password. Limit Client and Guest connections to a small but reasonable number for your service, say 100 or 500 according to the size of your deployment.
  
• 
  Enable the access and error logs on the Logging tab.
  
• 
  On the Idle Users tab, consider disconnecting idle users after 10 minutes, and uncheck all the exceptions when possible.
  

Note: It is also important to consider the fact that AFP does not log the paths of files accessed, only relative paths on file access. This makes file auditing difficult for directories and does not provide an administrator or forensic investigator with a very comprehensive audit trail of access. One item that helps here is that the AFP service does log access to “.” files which can help enumerate the actions of users as they traverse the shared portion of your file system and logs the IP address and user name used to login. Therefore you can triangulate who logged in and what they accessed unless you are using the Enable administrator to masquerade as any registered user.

DNS

The DNS service allows other computers to use your server to look up hostnames.

• 
  On DNS servers, limit zone transfers and limit recursion to hosts needing each under the Settings icon in the toolbar.
  

Firewall

OS X Server offers a more robust graphical interface for maintaining the firewall than client versions of OS X. As always, customizing the ipfw.conf file is available for more granular access control than what is available in the graphical interface. To configure your settings, click on Settings in the toolbar.

• 
  On the Address Groups tab, configure all the address groups you will use rather than hard-coding addresses into your ruleset. This technique will help keep your ruleset to be more easily maintainable.
  
• 
  On the Services tab, you can specify which protocols you want to allow for each of your address groups. You can also add your own services.
  
• 
  Using the Logging tab you can specify which type of events to be logged, as well as the maximum size of the ipfw log.
  
• 
  On the Advanced tab, you can add rules almost exactly as they would appear in the ipfw ruleset. You can also use the Advanced tab to enable Stealth Mode for UDP, TCP or both.
  

Here are some suggestions on building a firewall ruleset:

• 
  Use a default-deny policy. That is, only allow that which you absolutely need.
  
• 
  Apply policies in both directions. For example, block incoming TCP port 25 if you’re not running a public mail server, but also block outgoing TCP port 25 if the server doesn’t need to send mail.
  
• 
  When applying a ruleset to an existing server, test it first. Add a logging rule that allows all traffic at the end of your ruleset but before any default-deny rule. For example, on the Advanced tab, click the + button to add a rule. Set Action to Allow. Set Protocol to Other… and type all. Set Service to Other…. Check Log all packets matching this rule. Set source and destination addresses to Other… and type any. Set Interface to Other… and type any. When you enable the firewall, all your services should continue to work, but you’ll get a log of all the packets your rulesetwould have blocked if it weren’t for your logging default-allow rule. You can remove that rule once you’re sure of your ruleset.
  

Note: Dummynet can be used to throttle bandwidth for specified rules. This addition to ipfw can be a good method of mitigating the use of Denial of Service attacks against services running on your server.

FTP

In Leopard, FTP is a Kerberized service in Mac OS X or Mac OS X Server.:

• 
  Using the General tab, set the Authentication tab to Kerberos authentication. Do not enable anonymous access. Additionally, set a maximum number of authenticated users here.
  
• 
  Using the Advanced tab, set Authenticated Users See in such a way that users see only data they need to access. You can use the NFSHomeDirectory attribute for a user account to manually configure the specific folder a given user can access when you have users able to “see” Home Directory Only.
  
• 
  On the Logging tab, check all the boxes to enable complete logging.
  

Even with the addition of Kerberos, FTP is not terribly secure. When possible, use WebDAV or another alternative . If you need to use FTP then consider an alternative to the default FTP server in Mac OS X such as Wu-FTP or Rumpus, a popular FTP application which jails all users by default or implement FTP jails.

iCal

The iCal service is new in Mac OS X 10.5. iCal relies on CalDAV to provide calendars to client systems. To secure the iCal Server, open Server Admin and click on iCal for the server you are securing and then click on the Settings icon:

• 
  Limit Attachment Size to accommodate your workflow.
  
• 
  Enable User Quotas when appropriate.
  
• 
  Set the Authentication to Kerberos when available.
  
• 
  Enable SSL and use a good certificate.
  

Additionally, in Workgroup Manager, you should only enable iCal for users that need it.

iChat

The iChat service is based on the open source jabber package. iChat Server is used to allow users to chat with one another using jabber compliant software.

• 
  Set the Authentication to Kerberos when available.
  
• 
  Choose an SSL certificate.
  
• 
  Disable Server to Server Federation unless it’s being used for your environment.
  

Mail

The Mail service provides network mailbox storage (POP and IMAP) and mail transport (SMTP). Mail can be further secured by the use of the following:

• 
  On the General tab, disable any of the services (POP, IMAP, and SMTP) that are not used. If the server is only meant to send mail, uncheck Allow incoming mail.
  
• 
  On the Relay tab, restrict the hosts and networks that are allowed to relay and configure any Realtime Blacklist Servers (RBLs) if your organization uses them.
  
• 
  On the Filters tab, enable the scanning of mail for viruses and daily updates of the virus database. Also, consider enabling scanning for spam, which is performed by spamassasin.
  
• 
  Using the Quotas tab restrict the size of incoming messages.
  
• 
  On the Mailing Lists tab, leave mailing lists disabled if they are unused.
  
• 
  Configure cryptographically secure authentication methods (Kerberos or CRAM-MD5) using the Advanced tab. Disable Clear authentication. Require SSL for SMTP, IMAP, and POP if possible.
  

Note: When restricting access for hosts allowed to relay through an OS X mail server make sure not to allow the firewall to relay or you could be opening all systems outside of your environment.

MySQL

Prior to Mac OS X 10.5 MySQL was administered in a stand-alone application. In 10.5, MySQL has been moved into Server Admin. Many of the security-centric aspects of MySQL should be managed in the my.cnf file or using MySQL tools. However, there are a couple of things you can do to further secure your database deployment using Server Admin.

• 
  Disable network connections unless the database actually needs to be accessed from hosts other than the server.
  

NetBoot

NetBoot allows Mac-based devices to boot using system software off a network share.On the Filters tab, check Enable NetBoot/DHCP filtering and provide a list of allowed clients.

• 
  Set the Log Detail Level to High on the Logging tab.
  

Note: NetBoot uses the TFTP protocol by default. TFTP is a very weak protocol from a security perspective.

NFS

NFS is a file-sharing protocol. Classically, it provides no cryptographic authentication or encryption and authenticates users based on IP addresses rather than a username and password. This makes it susceptible to a variety of attacks. However, in Mac OS X 10.5 NFS is secured using Kerberos. However, in most cases you may still choose to disable NFS.

• 
  Disable NFS.
  

But if you must use NFS then consider deploying one of the following options for each sharepoint in Workgroup Manager:

• 
  Map Root User to Nobody
  

Open Directory

Open Directory allows a Mac OS X computer to receive information about users accounts and policies from a master server. This is similar to other directory services in other operating systems such as Microsoft’s Active Directory. If policies will be used to control various aspects of the desktop interface then Open Directory will be needed.
Open Directory maintains the Kerberos KDC (Key Distribution Center) for Open Directory environments. By moving into a Kerberized environment it is possible to reduce the passwords being sent over the network. This allows for more secure communication and only one password to be used in an environment. When operating in a Kerberized environment, it is possible to use many different services, such as email, websites, AFP and QuickTime after only entering the one password required to login to the environment.
Another advantage to Open Directory is the strong password policies that can be deployed when using Open Directory. This includes requiring strong passwords and password lockout policies.
To further secure Open Directory beyond the default configuration:

• 
  On an Open Directory server, limit the number of results that can be returned via LDAP on the Protocols tab. Also, enable Secure Sockets Layer (SSL) for LDAP, selecting a secure SSL certificate.
  
• 
  On the Policy tab, configure the Passwords sub-tab to match your site policy.
  
• 
  On the Bindings sub-tab of the Policy tab, check all the options under Security when possible.
  
• 
  On the Security sub-tab of the Policy tab, disable LAN Manager hashes and any other hashes you don’t use. Under Recoverable Authentication Methods, disable all the methods you don’t need.
  
• 
  Using the slapd.conf file, impose stringent Access Control Lists using standard LDAP ACL configurations.
  

QuickTime Streaming

Using QuickTime Streaming Server (QTSS) it is possible to host QuickTime content and stream it to clients. QTSS can also accept incoming MP3 broadcasts, broadcasts from QuickTime Broadcaster and perform many other functions. Some of these functions open additional network ports and should be disabled if unused. To do so:

• 
  On the General tab, set Maximum connections and Maximum throughput to appropriate values based on the abilities of your server and network connection.
  
• 
  On the Access tab, set a strong MP3 Broadcast Password. Unless you use them, disable incoming broadcasts and home directory streaming, and leave Enable web-based administration unchecked. If you choose to enable incoming broadcasts or web-based administration, set strong passphrases for each.
  
• 
  Leave both the error log and access log enabled on the Logging tab.
  

RADIUS

RADIUS (Remote Authentication Dial In User Service) is a protocol that can be used to control access to network resources. When you are using VPN or WPA2 Enterprise for your wireless environment, RADIUS should be enabled to further secure them. Additionally, RADIUS can be leveraged to provide secure sign on for other, third party services such as the CommuniGate Pro Mail Server.
VPN

The VPN service allows you to create a secure tunnel endpoint on your server. PPTP is the most common type of VPN made available in OS X Server environments. When possible it is a good idea to restrict VPN access to L2TP clients as they use a more secure tunneling method. To do so:

• 
  If possible, enable L2TP with Kerberos authentication, and disable PPTP.
  
• 
  When using L2TP, prefer certificate authentication over shared secret or use RADIUS authentication with PPP.
  
• 
  Use the Client Information tab to restrict what client systems have access to.
  
• 
  On the Logging tab, leave Verbose logging enabled.
  

Web

OS X Server comes with an Apache-based web server built in. As with any web server, it’s vital to enable it only if you need it and configure it with security in mind. Due to the feature rich nature of Apache it is vulnerable to a variety of attacks ranging from cross-site scripting attacks to getting turned into a phishing server. To secure the default Apache server using Server Admin:

• 
  Configure the General tab using values appropriate for the capabilities of your server and network connection. Apache’s Performance Notes page (http://httpd.apache.org/docs/1.3/misc/perf-tuning.html) gives some advice on setting these values.
  
• 
  Under the MIME Types tab disable any file types unused in your environment.
  
• 
  Using the Proxy tab, configure a proxy to sit between the web server and client systems when possible.
  
• 
  On the Modules tab, disable all modules that aren’t used. For maximum security, start with all modules disabled, then enable them one by one until your web site starts working again or research which are required and disable those that are not.
  
• 
  Click on the Web Services tab and set an attachment maximum.
  
• 
  Under the Sites icon in the toolbar, select each site in turn and click the edit button below (it has a pencil icon). Using the Security tab enable SSL for all sites where SSL is appropriate. On the Options tab, disable every option that isn’t needed. On the Security tab, enable SSL unless there is no consequence to an attacker eavesdropping on or modifying web transactions in either direction. Using the Realms tab, set a password for sites that should be password protected. Using the Web Services tab, disable, webmail, wiki, web calendar, mailing list web archive and blog unless you are using these.
  

Many of the Apache modules that you might use will have their own specific security concerns. Read up on the developers site for each module used in order to maximize the security of these modules.

Note: In Mac OS X Server 10.4, Server Admin had a service item specifically for Application Server services. These items have been moved to
SMB (formerly Windows)

The Windows service in Mac OS X and Mac OS X Server has been renamed to SMB in 10.5 to accurately reflect the open source software for which it is based. SMB uses Samba as the back-end engine to provide file sharing services to Windows clients. Mac OS X Server can be a member of a Windows domain using SMB to allow administrators to further leverage Mac OS X Server in their enterprise.

Configure Mac OS X systems to adhere to the same local policies you have in place for native Windows domain members. This is not to say that you would want to configure each server to have policies enforced by an Active Directory server (which could cause Active Directory binding to break). To control access to the SMB service of Mac OS X:

• 
  On the Access tab, uncheck Allow Guest access. Limit client connections to a reasonable number based on your server’s capabilities. Uncheck the insecure authentication methods NTLM and LAN Manager.
  
• 
  On the Logging tab, set Log Detail to at least Medium.
  

It is also possible to configure more granular security using the smb.conf file. For more information on configuring the Samba configuration file, please see:

Xgrid

Xgrid provides powerful mathematical processing by the use of grid-based computing. Using the Xgrid services it is possible to build large super-computer type environments. This is currently mostly used in academic environments but is gaining popularity in graphical environments as well. To maintain a high level of security when working with Xgrid:

• 
  If you are using Xgrid, consider using Kerberos authentication when possible for all aspects of Xgrid.
  

Note: Many of the default open source packages included in Mac OS X are outdated and can be updated manually. Doing so can (and probably will) break the GUI controls that can be used in Server Admin. However, this will help to make the server more secure.

Note: When configuring shares in Server Admin remember that SMB, AFP and FTP are all enabled by default. For each share that you create only the required protocols should be enabled.

Password Maintenance

Having strong passwords, and changing those passwords regularly, is paramount for having a secure system. Fortunately, OS X provides tools for system administrators to enforce strong password policies, and tools for users to help them manage strong passwords
First, let's configure the system to enforce a password policy. To do this, you would use the pwpolicy command from the Terminal application. You need to open the Terminal application and perform a

• 
  man pwpolicy
  

… to fully understand all the features of the command. This command

• 
  sudopwpolicy -a -setglobalpolicy "minChars=8 maxFailedLoginAttempts=6 maxMinutesUntilChangePassword=129600 usingHistory=5 requiresAlpha=1 requiresNumeric=1"
  

… for example, will set a minimum length for passwords to 8 characters, an account will be locked after 6 failed login attempts, passwords will have to be changed every 90 days (129,600 minutes), you can't reuse the last 5 passwords, and your passwords have to have at least 1 number and 1 letter in them. Unfortunately, you can't require upper or lower case letters, or special characters. Also, it would seem that features change, depending on whether you are running OS X server or not. Some features require a password server. You can also change settings for a specific user as well with the “-u ” and “-setpolicy” options.

A lot of users struggle with creating a password that they can remember that also meets password security requirements. OS X’ password assistant is designed to help. To get to the password assistant,

• 
  Go to System Preferences
  
• 
  Click on Accounts to get to Account Preferences
  
• 
  Select your account on the left and click the “change password” button on the right.
  
• 
  Click the key icon button to the right of the New Password field
  

From there you can choose different options to help you create a secure yet memorable password.
As a final note; a good security goal is to make passwords as long and complex as possible, without having users resort to writing them down, or taking other insecure shortcuts.

Safe Password Storage

Ideally, all passwords should be remembered. However, at times it may be better to use more secure passwords that might be difficult to remember. This can result in writing passwords down to assist in remembering them. For example, when concerned about a remote intrusion over a network, you might choose to store a physical copy of the password somewhere that you consider to be safe from a physical access standpoint. Generally speaking, it is better to create a password that can be remembered, even if it's a little bit weaker, and then changed or rotated more frequently when concerned about the strength of the password.

References

• 
  http://research.corsaire.com/whitepapers/080818-securing-mac-os-x-leopard.pdf A Corsaire White Paper: Security Mac OS X
  
• 
  http://www.apple.com/support/security/commoncriteria/ The Common Criteria Configuration and Administration Guide
  
• 
  http://images.apple.com/server/macosx/docs/Leopard_Security_Config_20080530.pdf The Official Leopard Security Guide From Apple
  
• 
  http://www.apress.com/book/view/9781590599891 Foundations of Mac OS X Leopard Security from Apress.
  

Appendix A