-tictech message:
Dear Folks,
... a rather long document discussing details of how we are securing our
OSX-enabled Macs. Read to your level of interest.
=========================================================================
It has become abundantly clear to me during our levy computer
rollout just how much the Macintosh computer has to offer schools in terms
of ease of administration, multimedia (iMovie - wow), stability and
security.
However, the new Macs coming into our schools have both OS 9.2 and OSX
installed and this can present security challenges.
I'd like to share some of our explorations at Hale in securing this new
environment. People are invited to share their experiences as well.
First, an Apple official informed me today that OSX will have a better
security profile for schools by this Spring when beta versions of
something like the Multiple Users option will be available for OSX. The
final release is scheduled for Fall.
THE RUB
While previous versions of the Mac OS can be easily secured with Multiple
Users, FoolProof, or other 3rd party apps, with OSX we have no way of
preventing users from downloading applications from the Internet or
copying them from CDs. These applications could be inappropriate games or
hacker exploits which provide privileged access to the operating system,
allowing a user to alter or destroy portions of the OS. We are also still
learning where OSX may allow users to make other unwanted changes.
Because we are uncertain of security in OSX, our current (temporary)
strategy is to secure OS 9.2 with Fool Proof and to prevent users from
accessing OSX altogether. Fortunately, this is quite easy and consists of
these three steps:
1) Secure OS 9.2
2) Password protect OSX
3) Password protect the Open Firmware
[see details below]
We are aware that if we don't set these passwords, our students may, at
which time they will administer our machines instead of us!
SOME SPECIFICS
There are several ways users can get to OSX from OS 9.2:
1) Boot from a CD (hold down c while booting the computer)
2) Change the startup disk in the control panels.
3) Hold down x while booting the computer
Setting the control panel startup disk option can be locked down via Fool
Proof. The other two methods bypass software security.
Once in OSX, users may reboot while holding down COMMAND-s to boot into
single user mode and will receive a root prompt. This gives wide ranging
access to the operating system.
Users may also boot into Open Firmware by rebooting the computer while
holding down the key combination: COMMAND-OPTION-O-F. Once at the open
firmware command prompt, users may initiate various kinds of mayhem.
Our experiments suggest that the three steps outlined above will solve all
the issues mentioned here - except that pressing x will still get users to
OSX. But if OSX is password protected they will immediately be
confronted with a password dialogue box and their fun will end abruptly.
The x key option to boot into OSX from 9.2 is apparently a "feature" of
9.2. I have heard that installing 9.1 will eliminate this option but do
not have confirmation yet.
THE DETAILS
1) SECURE OS 9.2 w FoolProof
2) PASSWORD PROTECT OSX:
* Make an account in OSX by going to System Preferences : Users. Make the
account an administrative account from the password tab.
* Go to System Preferences : Login and uncheck the "automatically
login" prompt. This will force a password at bootup.
* A good option is to make a second, backup account which can also
administer the computer.
* Do not give the passwords to anyone.
3) PASSWORD PROTECT OPEN FIRMWARE:
* From OSX, reboot the computer while holding down COMMAND-OPTION-O-F.
* You will be given a white screen with a prompt like this >
* Type:
password yourpassword
where "yourpassword" is some password of your choosing.
* Then type:
setenv security-mode command
* and then finally type:
reset-all
If you do not do these open firmware procedures in the prescribed order or
if you reset your open firmware before giving it a password, it may
corrupt your password file and lock you out of ever being able to set
an open firmware password. See
http://www.securemac.com/openfirmwarepasswordprotection.php
for disclaimer and information.
At this point, booting while holding COMMAND-S in OSX will not give a root
prompt, changing startup disks in the control panel should ask for the
open firmware password, as should booting from a CD.
SECURING OSX?
For advanced users, here are some beginning thoughts on securing OSX:
1) Set users' (not admin) shells to /dev/null in netinfo
2) Move the terminal and netinfo applications into a restricted folder in
the admin directory with execute privileges denied to ordinary users
3) Do not enable root in netinfo (not enabled by default).
4) Remove users' (not admin) execute privileges from Stuffit Expander,
gzip and any other unzipping utility on the computer (so if users download
something, they can't unpack it).
We are considering umask options (a system-wide permission-setting
command) which would deny users execute privileges for any software they
download or install, but this is potentially risky and we have not made
enough progress on this yet to report anything.
The Mac continues to inspire the loyalty and affection of many, and a
number of us at Hale are looking forward to exploring the opportunities
available from OSX.
*** tony
============================
Tony Hand
tghand@seattleschools.org
Computer Systems Coordinator
Nathan Hale High School
Seattle School District
===========================
-end tictech message. To join, leave, or visit
the message archive, go to tictech on the Web:
http://fp.seattleschools.org/fpclass/tic-tech/
This archive was generated by hypermail 2b29 : Fri Feb 08 2002 - 06:19:11 PST
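
Added example, not part of the original message: a short shell script showing what the umask option mentioned under "SECURING OSX?" does and does not control. It assumes a POSIX shell with cp, chmod, ls and mktemp; the function names and the temporary files are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original message): shows what a restrictive
# umask controls. All files are constructed in a temporary directory.

# Print the 10-character permission string of a file, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Copy $2 to $3 with umask $1 in effect, then print the new file's mode.
# cp (without -p) creates the copy with the source mode minus the umask
# bits, which is how a newly copied program would arrive on disk.
copy_under_umask() {
    ( umask "$1" && cp "$2" "$3" ) && mode_of "$3"
}

# With umask $1 still in effect, the file's owner sets the execute bit
# explicitly; prints the resulting mode.
owner_adds_exec() {
    ( umask "$1" && chmod u+x "$2" ) && mode_of "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$dir/tool"   # constructed sample file
    chmod 755 "$dir/tool"
    echo "source file:            $(mode_of "$dir/tool")"
    echo "copied under umask 133: $(copy_under_umask 133 "$dir/tool" "$dir/copy")"
    echo "after owner chmod u+x:  $(owner_adds_exec 133 "$dir/copy")"
    rm -rf "$dir"
}

demo
```

The umask only sets the default mode at the moment a file is created. The file's owner can change the bits afterwards, so when evaluating it, treat it as a default and not as an enforcement control.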