-tictech message:
Hi Kirk and TicTechers,
On Wed, 8 May 2002, Kirk Godtfredsen wrote:
> -tictech message:
>
> Tony,
>
> Why are you guys so worried about the Finder?
Well, maybe for no good reason. Fortunately, being based on UNIX, OSX has
lots of security built in.
I have managed to answer your nine word question however, in just eight
paragraphs! :)
I have been in an environment for a number of years now where some
very inventive and peristent people peck away at whatever systems we have
in place. When one person finds a hole, then suddenly, a large number of
students - often the ones you don't want to know about it -know about it.
We have had massive holes in our Windows lab for years where students have
downloaded all manner of potentially threatening software: keyloggers,
port scanners, password cracking software, sysadmin tools... Dummy
accounts have been made on the NT server, and keyloggers have been used to
cheat on tests. Students routinely have had access to the command line in
the Windows lab through security holes and they use it. We have also had
grades changed over our network via Timbuktu.
In addition, some of our systems are now vulnerable from the outside as
well as from the inside. All of this has caused me to tighten up on
things considerably.
My idea about security is usually two-fold. First, only allow access to
what is necessary in order for students to accomplish the tasks you want
them to be able to do. That would mean limiting browsing through the OS.
This covers up a myriad of potential holes that one might not be aware of.
It often causes the operating system to look cobbled and locked down... oh
well, I've learned to live with it. Second, only allow applications to
run that are explicitly stated. This way, if people do manage to get to
an executable even though you tried to block access to it, it won't run.
If I don't have the latter, then I really want a good version of the
former. FoolProof for the Mac does the best job of this I've seen. It
makes the OS actually look pretty normal while stopping things from
running. Multiple Users on Mac 9x is good too.
Protecting our network is another issue. I've always blocked access to
the Network Neighborhood in Windows 9x, and am happy to have the Go menu
gone from the finder for similar reasons. Sure, everything should be
password protected... but sometimes it isn't.
I would like our prototype of OSX to have a less cobbled look and to allow
at least some browsing of the file system. We're looking at code that
will allow some browsing but will only allow explicitly stated
applications to run. For now, having file browsing blocked from the
finder seems best and safest. It's not necessary.
I know there are other philosophies of security out there that may be
equally valid... this is just the one I've moved toward over the years.
*** tony
---------------------------
Tony Hand
tghand@seattleschools.org
Computer Systems Coordinator
Nathan Hale High School
Seattle School District
---------------------------
>
> Kirk
>
> On Monday, May 6, 2002, at 11:41 PM, Anthony Hand wrote:
>
> > -tictech message:
> >
> > Dear Folks,
> >
> > There has been some concern about security issues associated with the
> > use
> > of the Mac OSX operating system in our schools. We share some of these
> > concerns at Hale and have carefully secured our machines to operate on
> > OS9
> > only, pending release of additional security measures by Apple. However,
> > only a little study was required to realize that securing OSX was within
> > the reach of personnel who possess a basic background in UNIX and some
> > understanding of security issues. Furthermore, because almost all of
> > these
> > configurations are scriptable, easily securing OSX is potentially within
> > the reach of everyone...assuming someone provides a script, disk image
> > or
> > GUI installer.
> >
> > Our prototype completely restricts the command line, prohibits all
> > browsing of the harddrive, eliminates the the Finder's capabilities,
> > removes the ability to connect to other networked machines via the "Go"
> > menu, prohibits changes to global preferences, confines launching of
> > applications to the dock, and recopies the entire user environment on
> > each
> > login. This latter function allows the user to make some changes to
> > their
> > environment during their session without compromising the system for the
> > next user. All of this was done from the command line, and required no
> > additional software.
> >
> > Some of these restrictions are rather severe in my opinion and we hope
> > to
> > safely restore some of the capabilities which we've eliminated. But our
> > configuration does allow students to safely use OSX and experience
> > something of its "look and feel", take advantage of its stability, and
> > use
> > the new OSX applications.
> >
> > If you're interested, complete documentation for how this was done is
> > located at:
> >
> > http://hale.ssd.k12.wa.us/~tonyh/osx-secure.html
> >
> > *** tony
> >
> > ---------------------------
> > Tony Hand
> > tghand@seattleschools.org
> > Technology Coordinator
> > Nathan Hale High School
> > Seattle School District
> > ---------------------------
> >
> > -end tictech message. To join, leave, or visit
> > the message archive, go to tictech on the Web:
> > http://www.earthdaybags.org/tictech/
> >
> _____________
> Kirk Godtfredsen
> kirkg@apple.com
> 206-860-0714
>
> -end tictech message. To join, leave, or visit
> the message archive, go to tictech on the Web:
> http://www.earthdaybags.org/tictech/
>
>
-end tictech message. To join, leave, or visit
the message archive, go to tictech on the Web:
http://www.earthdaybags.org/tictech/
This archive was generated by hypermail 2b29 : Wed May 08 2002 - 22:26:10 PDT