Mac OS X Tiger, Securing Your Mac Against Unwanted Physical Access
Although, Mac OS X’s UNIX base renders it naturally immune to most virus and spyware attacks, there are still some simple steps that need to be implemented against, human access. From unwanted snoops or nosey parkers who happen to come across your unattended Mac. Truth be told, a Mac fresh out of the box is relatively undefended against such tomfoolery and some basic steps need to be taken.
Although, this article is more cogent for Mac portable owners (owing to its greater exposure to potential snoops and nosey parkers) but the principles explained can be applied to any Macs. What follows are simple steps that a Mac user can take to secure their Mac against snoops who try to access or hack into your Mac through physical acccess.
This article details how to:
- implement a screensaver password
- secure a user account
- secure your Mac against unauthorised startup access
Implementing A Screensaver Password
This feature prevents unauthorised access when a Mac is left idle for a period of time. Implementing this feature, requires anyone attempting to access your Mac to key the username and password of the active user account before they can gain access to your system.
2 features need to be implemented before this can effect:
- a screensaver and;
- the password requirement upon active screensaver mode
Activating A Screensaver
We have to first launch the System Preferences. There are a variety of ways to do this but the easiest and fastest is by clicking the Apple logo, situated at the leftmost corner of your menu bar (top left hand corner of your screen). This will give you a drop down menu where you can click on System Preferences to gain access to your Mac’s environment setting panes.
Choose the Desktop & Screensaver pane and select the screensaver of your choice. For variety, you may check the ‘Use random screensaver’ checkbox that will guarantee a different screensaver every time. If you’re feeling adventurous, you can surf over to Apple’s Download pages and source out other screensavers available for download.
n the Screensaver pane, you can click and drag the ‘Start screen saver’ slider to set the idle time before the desired screensaver takes over the display. You may also click on the Options button, for some screensavers, to customise the manner which the screensaver reacts when in action.
‘Hot corners’ refer to the 4 corners of your screen. When set, moving your mouse pointer to the designated corner will prompt the preset action. You can also set screensaver activation to a particular Hot Corner by click on the ‘Hot Corners’ button in the Screensaver pane. This is particularly useful if you would like to be able to activate a screensaver on demand.
Activating the screensaver password
Right. Now, that you’ve implemented a screensaver and set its activation time, the last thing to do is to require a password to take the system out of its screensaver mode. To do this you need to access the Security pane in your System Preferences.
Clicking on the checkbox, “Require password to wake this computer from sleep or screen saver” will finish the process. In addition, it will also require a password to bring the computer out from sleep mode as well.
Note: requiring a password assumes that a user password exists for the affected user. If there isn’t currently a user password, you should set one for the affected accounts.
Secure a user account
The Mac OS X operating system is designed to function as a multi-user environment. That means that more than one user can access the computer, with their privileges and data protected by the operating system. Such an environment provides us the privilege of protecting user accounts from unsecure login. By default, Mac OS X is set up for easy access to cater to the general populous. This short guide explains additional features that can make unauthorised access a little more difficult to the prospective snoop.
When you first startup your Mac OS X, there’s usually only a single administrative user. In such a circumstance, Mac OS X sets up the computer to boot into the single user environment by default. Without requiring a password login.
To circumvent this, you must first disable the ‘automatic login’ feature that can be found in the Security pane of your System Preferences.
To disable automatic login, click the ‘Disable automatic login’ checkbox within the Security pane.
One of the most frequently overlooked options within the Accounts pane is the ‘Login Options’. You can access this by clicking on the ‘Login Options’ activation area within the Accounts pane.
Within the Login Options pane, you may switch on ‘Name and password’ in the Mac OS X login panel when your computer first starts up. By default, this is set to ‘List of users’ which provides prospective snoops one of the 2 elements that make up a user’s account access authorisation – the username. This leaves the prospective snoop with only the task of guessing the password. Activating the ‘Name and password’ option requires each user to key in their username and password to access the user account. Overall, providing greater security.
For greater security, other options within the Login Options can also be disabled, e.g. ‘Show password hints’ and ‘Show the Restart, Sleep and Shut Down buttons’.
For non-English speaking users, an interesting feature can also be enabled within the Login Options pane – ‘Show Input menu in login window’. Enabling this option allows the use of non-English language usernames at the login panel. This of course, has to be supplemented by creating user accounts that are also in a language other than English to begin with. Indirectly, providing an additional layer of security against only English-speaking snoops.
Fast User switching is also enabled/disabled within the Login Options pane.
Secure your Mac against unauthorised startup access
All Macs respond to modifier keys on startup. Using the combination of modifier keys allows a snoop to make your Mac behave as an external hard drive by putting it into Target Disk Mode. Which is extremely dangerous because in this mode, permission structures are disregarded, giving a snoop absolute access to all your data.
To prevent this, an Open Firmware password can be implemented on your Mac requiriing a password to be keyed in or disabled, before modifier keys can be used at startup. This is described in greater detail in our earlier article regarding Open Firmware Passwords — Power On Protection.
A point to note, improper implementation of Open Firmware passwords may render your computer unusable. Please implement with caution.
On older PowerPC-based Macs Open Firmware is applied but Extended Interface Firmware (EFI) is used in the latest Intel-based Macs. This makes accessing Open Firmware password more difficult on Intel-based Macs nevertheless, Open Firmware password protection can be accessed on both platforms, using the appropriate version of Open Firmware application from Apple.