Hardening macOS

159 points by ricardbejarano, over 6 years ago

23 comments

notafraudster, over 6 years ago

I like the title and premise of the article, but a list of tips with no description makes this feel like the standard "Tweak Ur Registry" article. I know OP is the author so I'm not trying to be a jerk, but I think adding details would improve things.

To give specific examples, it is totally unclear why the article recommends creating an unprivileged account (the default user account is already unprivileged without entering a password for anything and it is unclear how e.g. su admin -> sudo command is any more secure than sudo command). If someone has local access to the machine and the admin password, you're toast whether you are logged in as admin or as an unprivileged user. Is the risk malicious processes? Maybe there is some specific authentication procedure somewhere in MacOS where defaulting to an unprivileged user makes sense, but the site does not describe one.

Another example: The article recommends going into Gatekeeper and making it less secure. The default option, I believe, is to only allow App Store programs to launch without complaining. So "only App Store and code signed apps" is actually the more convenient, LESS secure option. I do it immediately because I don't want to be stuck with the App Store, which is useless. But turning off a security feature for convenience isn't hardening.

Later: on second boot, turn off apps that want access to Camera/Microphone/Full Disk. This seems straightforward enough and worth doing, except the first step in this list was to format your computer and if you've been following the steps thus far, no apps have access to Camera, Microphone, or Full Disk. If I remember correctly, after installing new applications, they need to do a system API prompt to gain access to those things.

And then the back half is mostly about replacing Google stuff with privacy-focused alternatives. Privacy and security aren't diametrically opposed, but they aren't the same thing either. Also, despite arguing to opt-out of Google things, the earlier "change your DNS" tip recommends using Google DNS. Also, while I use a VPN for certain use cases, recommending installing a commercial VPN places an enormous amount of trust in the VPN provider -- it's true that they probably have more incentive than Google to respect your privacy from a logging perspective, but from a security point of view, it would seem it would be way easier to compromise a small VPN provider and try to MITM some of their connections without detection than to do the same to a commercial ISP.

So overall I think the article could use a title change to reflect that much of the advice is not MacOS-specific; fleshing out to make clear how some of the changes actually prevent against security threats; and more thought given to whether this is an article about privacy, security, or both, and thus whether readers should be given information about cases when the two might be at odds with each other.

(You may have very good answers to all of these things, but adding them to the article would be more useful than replying with them here)
miles, over 6 years ago

Thanks to the author for compiling and sharing this guide.

Two of the recommendations have the potential to make your Mac less secure:

1. > …install an ad blocker (I recommend uBlock Origin)

While uBlock Origin has a great track record, it requires these permissions:

* Access your data for all websites
* Read and modify privacy settings
* Access browser tabs
* Access browser activity during navigation

That is a lot of exposure, especially if a bad actor managed to take over the extension, e.g.,

"In August 2017, the very popular and widely recommended Web Developer extension for Chrome was hijacked. The developer fell for a phishing attack, and the attacker uploaded a new version of the extension that inserted more advertisements into web pages. Over a million people who trusted the developer of this popular extension ended up getting the infected extension. As this is an extension for web developers, the attack could have been a lot worse—it doesn't appear that the infected extension functioned as a keylogger, for example." https://www.howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/

2. > Consider tunneling your traffic through a VPN when connected to untrusted networks (I recommend rolling your own VPN server, or else I really like Mullvad, see ThatOnePrivacyGuy's VPN comparison)

Again, Mullvad appears to be one of the best VPN services, but connecting to third party VPNs creates new risks and may not provide the security you expected:

Don't use VPN services. https://gist.github.com/joepie91/5a9909939e6ce7d09e29 https://news.ycombinator.com/item?id=16371030
Karunamon, over 6 years ago

There are some issues here...

2: Modifying system level settings, even with an admin account, requires re-authentication. Mac OS prompts for passwords more often than Vista-era UAC prompted for a go/nogo. What's the purpose of the second user account? An "admin" account on Mac OS is not equivalent to root.

6: Strictly lowers your security since it means now native apps outside the store can run. Store apps have the highest requirements for sandboxing and other system level protections. This might be a usability step, but it has no place in a "hardening" article.

9-10: Redundant - you'll be asked if you want to enable reporting and location services on first boot.

11: You are never supposed to use different DNS providers between your primary and secondary, this can lead to hard-to-troubleshoot intermittent errors. Given the lack of recommending Chrome over Firefox, and the anti-Google stuff in the second step 4, and given Firefox's poor security history, it is strange that they recommend using Google DNS servers. Either way - use 1.0.0.1/1.1.1.1 or 8.8.8.8/8.8.4.4, don't mix them.

13: Spotlight indexes belong to the user. There is literally no security gained by "blacklisting sensitive directories", as if your account is compromised, both your spotlight index and those 'sensitive directories' are.

17: What security is gained by denying the ability of the OS to ask me if I trust a specific cert or not?
konart, over 6 years ago

> Go to System Preferences > Security & Privacy > Firewall > Firewall Options… and check Block all incoming connections

Thanks, but no, I need this one.

The whole guide is for people feeling paranoid.

PS: I'm not trying to say you should not make your machine more secure, but blocking/locking "all the stuff" is not a sane option either.
mjlee, over 6 years ago

I'd also consider adding a firmware password if you're at all worried about unattended physical access to your Mac. It will prevent your OS/boot order from being tampered with, preventing a variety of attacks.

Less important with T2 on the latest Macs, but still worth considering.
no_wizard, over 6 years ago

Very interesting! I'm reading it quite thoroughly so I don't have any immediate thoughts but this did remind me of another similar guide in the spirit of things if you haven't seen it:

https://github.com/drduh/macOS-Security-and-Privacy-Guide

Very good also if you liked this
zakk, over 6 years ago

Thanks for the nice guide. I wouldn't use Google DNS as a default though, they don't have a good record when it comes to respecting privacy.
drtse4, over 6 years ago

For those who want more: https://github.com/drduh/macOS-Security-and-Privacy-Guide
comboy, over 6 years ago

Give me a good reason why defaults chosen by a macOS user would be more secure than those chosen by a security team working full time on developing the system.

This article isn't even that bad if you are willing to make your system less practical, but even here you are potentially making your system less secure as suggested in some other comments.
weeks, over 6 years ago

"I recommend rolling your own email server"

This is actively harmful advice. Do not roll your own email. Use a well-known provider with a solid security track record.
TazeTSchnitzel, over 6 years ago

Why disable the captive portal detection? Is macOS detecting MITMing for you bad?
opsroller, over 6 years ago

Or you know, you could just download the DOD profiles from their website.
doctorless, over 6 years ago

"Warning: if your threat model is a state-sponsored agency, you are better off without macOS, see OpenBSD."

While my excessively paranoid self is inclined to agree, I am curious as to the author's reasoning here.
ravivyas, over 6 years ago

That is a comprehensive list, which I know most normal folks could never do.

More importantly, how secure are my parents on iOS devices vs the Mac for most of the vectors described here?
chris_wot, over 6 years ago

This is great, but does anyone have a good in-depth reference for administering MacOS systems? I constantly have difficulties doing in-depth analysis and administration of MacOS systems, and that's really only because I just don't know where to go for good information.
ianlevesque, over 6 years ago

See also (slightly dated) https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-179.pdf
chmars, over 6 years ago

Interesting: If I deny System Services location access for 'Setting Time Zone', my iMac 5K changes the color temperature …

(Security & Privacy / Location Services / System Services / Details / Setting Time Zone)
teddyh, over 6 years ago

The appearance of this is significant.

For many years, I was annoyed whenever I saw one of these "hardening" or "securing" guides (for any platform), without knowing why. But I eventually figured it out: If you have to do extra steps to your system to "harden" it or otherwise secure it, it is either a toy system not meant for production use, or it is an old system which has ossified and needs hardening because of a lack of upstream updates and maintenance. And it annoyed me because you shouldn't be running any such systems in production anyway – "hardening" such systems is not tenable in the long run.

The fact that macOS has been neglected by Apple should not be news to anyone (earlier it was especially obvious for the Unix parts, but lately it has been all of it), but this is another sign of it.
winrid, over 6 years ago

Curious, what are some opinions of those "endpoint security" solutions that companies make engineers install on their laptops? Effective, intrusive? What's your experience?
mproud, over 6 years ago

Oh come on. The article suggests disabling features altogether because of their possibility of becoming insecure? Then how about these things:

• Don't use any messaging apps.
• Remove your email accounts.
• Turn off Wi-Fi.
tom4000, over 6 years ago

Recommending Google's and Cloudflare's DNS is not privacy friendly at all. Even when you use a VPN and push all your domain name requests to either or.
mvanbaak, over 6 years ago

Please provide a list of 'defaults write' commands to do this. I got tired of clicking all this after the third bullet point.
dlfharris, over 6 years ago

Is Brave browser not recommended for a reason?