The U.S. Government loves Microsoft Windows. During my so far 25-year career as a security (ahem) professional, I have spent roughly 18 of those years working in one form or another for Uncle Sam. Of those 18 years, about 12 of them have been in front of a computer of some kind. As a tech, I was given a WANG terminal (connected to some big mainframe) that was only really good for receiving and sending email and making badly formatted documents.
In 1995 I got fed up with the bureaucracy of the particular office I was working for and accepted a position with a security integration company outside of government. My first job with this independent company? Designing, implementing, programming, and integrating the various Intrusion detection, Access control, and CCTV assets of a large government agency. Almost every job I had with this company involved US Government Agencies, with the exception of what was then called the MCI Sports Arena in downtown Washington D.C., and a chip plant in Northern Virginia.
In 1998, my former co-worker (Also a tech, but was a Navy Seabee as well) who had moved up to management offered me job back at the same office I had worked at before, but as an Engineer. I no longer had to deal with the idiots I had worked with before. I now had a whole NEW bunch of idiots to deal with. Also, the WANG terminals I had dealt with previously were gone. I had something that resembled a real computer at my desk. Of course it running Windows NT and Office 97. OK, I can work with this. It wasn’t too bad and I never had to deal with most of the headaches of managing a large PC network. I kept duplicates of all my files not only on the network, but also on my local drive as well. This meant when the network went down (which happened frequently), I could continue to work off my files on my computer’s hard drive.
Flash forward about 4 years and now they have me on an XP based computer that loads from the central server and cannot boot on its own. The local drive is locked down to the point that I can only make rudimentary changes and I can’t even save documents to my computer’s drive. Kind of makes me miss those old WANG terminals. But perhaps I’m going off on a tangent.
Now for something completely different.
The U.S. Government almost exclusively uses Microsoft Windows in one form or another. However, they do acknowledge the existence of other operating systems and that not everyone is as enamored of Windows as they seem to be. Case in point; the National Security Agency. They have created a document that explains in words and pictures (for the benefit of people like me I’m sure) how to secure an Apple Macintosh computer running OS/X 10.3.x. This is a PDF file of roughly 109 pages. Its awe-inspiring name? The “Apple Mac OS X v10.3.x “Panther” Security Configuration Guide”! It was compiled by the Systems and Network Attack Center otherwise known as (I’m not kidding) SNAC.
I did not know about this document until I saw it listed in another web site, but once I knew of its genuineness (don’t you love thesauruses?), I just had to have it. You can find it for yourself at “http://www.nsa.gov/snac/os/applemac/osx_client_final_v.1.pdf “. It goes into great detail on how to completely secure OS X. It explains OS X’s default security as well as its UNIX roots. How to use smart cards for log-in. Well, that’s not completely true. They refer back to Apple for a study guide.
They also talk about what applications to allow for installation. Apparently the boys over at NSA don’t see the value of fun apps like iTunes, iMovie, and iPhoto. These are not recommended for installation since they have Internet connectivity features that introduce additional security risk. That’s right out of the book. Not surprisingly, they also do not recommend installing Microsoft’s Internet Explorer. Gee, no security risk there ya think? Other no-nos include iSync (external devices), Additional Speech Voices, most of the Font’s packages, Language Translation, and X-11. After this, it seems you are left with AppleWorks, Safari, and the Tony Hawk demo (Nanosaur is also to not be installed since it promotes the evolution theory).
Downloading updates as well is more complicated. While they seem to trust Apple for providing the updates, they don’t recommend doing it directly to the computer to be updated. The NSA says to use a specifically designated computer to upload the updates, have them verified, place them on some external media, and then use that to update the various machines as needed.
They also go into how to configure your Mac safely. This includes removing registration information, and system preferences (to include network and Internet settings and FileVault). The NSA is apparently not fond of wireless. They list as aberrations both Airport and Bluetooth as big doom-laden mistakes.
Besides disabling wireless features, the built-in microphones should be turned off as well. I understand this completely. After all if anyone is going to bug your house, it should be done by the pros at the NSA!
I must admit that I don’t know a lot about networking large systems. I don’t know I.T. from Cousin Itt
While I think the NSA has overdone it slightly from the home user’s point of view, there is a lot of good info here and I recommend that anyone interested in making their Mac more secure, download and read this. Besides paying me, it’s the best use of your tax dollars I’ve seen in a long time.