-tictech message:
Dear Folks,
Last year I posted a concern to Tic-Tech regarding security problems we
found with the first versions of OSX. We did a very extensive re-working of
the normal OSX environment to produce a secure kiosk version of OSX. (
http://hale.ssd.k12.wa.us/~tonyh/osx-secure.html ). This has proven to be
very successful in terms of functionality and security. However it is no
longer necessary.
A formatted version of the rest of this letter is available on our website
for those who have html capability at:
http://hale.ssd.k12.wa.us/~tonyh/secure_jag.htm
The following in plain text:
With OS 10.2 (Jaguar), Apple has introduced over 150 new changes to its OS
including much easier browsing of Windows networks.
http://www.apple.com/macosx/ In addition, they have addressed all of our
security concerns and provided an environment that is simple, pleasing, and
very secure. I wish the other computers I use could be made as secure as the
resulting system Apple has provided. The reason I like this so much is that
it offers what I always consider to be the "brass ring" of desktop security:
disallowing execution of all applications except those that are explicitly
allowed. This is accomplished using a "multiple users" type application as
is found in OS9. It is also a bit like a simplified version of FoolProof for
people familiar with that application.
In addition, all OSX systems provide the kind of admin vs user permissions
to administer the machine (or not!) that one finds in other multiple user
operating systems such as Windows 2K, UNIX, Linux etc.
We secure our Jaguar Macs by doing these two simple processes:
1) Secure the OS using the CAPABILITIES button as described below.
2) Secure the openfirmware password as described below.
Securing the OS:
Open the System Preferences and choose Accounts in the lower left corner
Select the user by name
Click on the CAPABILITIES button
At the very top of the resulting dialog box, notice the option to use the
SIMPLIFIED FINDER. This results in an "At Ease" kind of environment where
all file browsing is prohibited and only applications explicitly allowed
below are available to launch in a series of windows. The hard drive does
not appear on the desktop. Going to the full finder is allowed only by
entering the administrator's password.
Under find the section entitled: THIS USER CAN
Uncheck these boxes:
REMOVE ITEMS FROM DOCK
OPEN ALL SYSTEM PREFERENCES
then check:
USE ONLY THESE APPLICATIONS.
In the area below this, carefully check only those items that you wish to
have students run. Be sure that console and terminal applications are not
checked.
Securing the Openfirmware:
* From OSX, reboot the computer while holding down COMMAND-OPTION-O-F.
* You will be given a white screen with a prompt like this >
* Type:
password yourpassword
where "yourpassword" is some password of your choosing.
* Then type:
setenv security-mode command
* and then finally type:
reset-all
If you do not do these open firmware procedures in the prescribed order or
if you reset your open firmware before giving it a password, it may
corrupt your password file and lock yourself out of ever being able to set
an open firmware password. See
http://www.securemac.com/openfirmwarepasswordprotection.php
for disclaimer and information.
Tony Hand
tghand@seattleschools.org
Technology Coordinator
Nathan Hale High School
Seattle School District
-end tictech message. To join, leave, or visit
the message archive, go to tictech on the Web:
http://www.earthdaybags.org/tictech/
This archive was generated by hypermail 2b29 : Wed Oct 23 2002 - 06:43:40 PDT