Study after study is showing the growth of Macs in the enterprise. At its core Mac is just another flavor of Unix and the bad guys don’t care what your users are running. More over, I would propose that your Mac users tend to be among the most desirable targets at your organization – not because they use a Mac – but because critical knowledge workers and decisions makers – the folks with access to your most critical information and resources – often prefer Macs and have the organizational clout to justify a more expensive endpoint or to simply buy their own.
So it's time to pay attention to Mac OS X security – in particular least privilege. By default users run with root authority. You might as well forget everything else you do in terms of endpoint security if your end-users are running with full, uncontrolled root access.
Apple agrees. Note this excerpt from the Mac Developer Library which recommends you to “log in as an administrator only when performing the rare tasks that require admin privileges. Because the default setting for OS X is to make the computer's owner an administrator, you should encourage your users to create a separate non-admin login and to use that for their everyday work. In addition, if possible, you should not require admin privileges to install your software.”
If that sounds like déjà vu then you have probably had to deal with very similar challenge in Windows. Obviously it’s impractical to expect users to follow time consuming and intrusive least privilege procedures on their own. It just won’t happen.
The traditional way to implement least privilege on UNIX is with sudo but sudo is targeted at the command line based UNIX sysadmin not an end user of a GUI based system like a Mac. So even though OS X supports sudo its applicability to this problem is very limited at best.
In this webinar Randy Franklin Smith explores the issues and features in OS X related to least privilege. He'll show the steps Apple has taken so far to help you prevent end-users from running with root authority without breaking the “it just works” Apple experience they expect or hindering their productivity. And you'll learn what operations in OS X really require admin authority such as:
- manipulating file permissions, ownership
- creating, reading, updating, or deleting system and user files
- opening privileged ports (those with port numbers less than 1024) for TCP and UDP connections
- opening raw sockets
- managing processes
- reading the contents of virtual memory
- changing system settings
- loading kernel extensions
And you'll see what breaks when you try to run an end-user as a non-root account and what your options are to fix their experience.
Beyond just controlling root access there is the need to control what applications users can open and what areas of the system they can modify. Not to mention the need for visibility and auditing on how Mac endpoints are being used.
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations.
