Apple Security Checklist Companion - Jamf


Apple Security Checklist Companion
A practical guide for automating security standards in the Apple Enterprise with the Casper Suite
June 2010

JAMF Software, LLC
2010 JAMF Software, LLC. All Rights Reserved.
JAMF Software has made all efforts to ensure that this guide is accurate.

JAMF Software, 301 4th Ave S, Suite 1075, Minneapolis, MN 55415-1039, (612) 605-6625

JAMF Software, the JAMF Software logo, the Casper Suite, Casper Admin, Casper Imaging, Casper Remote, Casper VNC, Composer, the JAMF Software Server (JSS), JSS Mobile, JSS Set Up Utility, JAMFVNC, Recon and Recon for PC are all trademarks of JAMF Software, LLC registered in the US.

Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Bonjour, Boot Camp, ColorSync, Exposé, FileVault, FireWire, iCal, iChat, iMac, iSight, iTunes, Keychain, Leopard, Mac, MacBook, Macintosh, Mac OS, QuickTime, Safari, Xgrid, Xsan, and Xserve are trademarks of Apple Inc., registered in the U.S. and other countries.

Contents

Introduction
- Target Audience
- How to Use This Guide
- Acknowledgements
- Regulatory Compliance Frameworks
- Useful Links on Security Concerns

ASC Guide
- Installing Mac OS X
- Protecting System Hardware
- Securing Global System Settings
- Securing System Preferences
- Securing Accounts
- Securing Data Using Encryption
- Information Assurance with Applications
- Information Assurance with Services
- Advanced Security Management

Appendix A
- Meeting Sarbanes-Oxley Objectives
- Role Based Administrator Access
- Software Restriction
- Casper VNC Security
- Change Local Administrator Account Password
- Enforce Screen Saver Settings
- Protocol Security

Introduction

Target Audience

The Apple Security Checklist Companion (ASCC) is intended for IT practitioners engaged in governance, compliance and security related to Macintosh OS X computers.

How to Use This Guide

The ASCC is a companion document to be used in conjunction with the Mac OS X Security Configuration Guide for Version 10.6 (Snow Leopard), published by Apple in May 2010. Download a copy from the link below and become familiar with the security guidelines set forth by Apple, with contributions from the NSA, NIST and DISA. Using Apple's guidelines as the authoritative source for security standards on Mac OS X, the ASCC provides an index of how to automate compliance with those standards using the Casper Suite.

Acknowledgements

JAMF Software would like to thank Apple for not only publishing the security guide, but for the guidance they have provided regarding security on the platform. Additionally, we would like to thank the security experts from our customer community for the insights they have lent us as we have grown our understanding of this increasingly critical area for the Mac OS.

Regulatory Compliance Frameworks

The increased need for security automation is driven by organizations looking to provide a more secure computing environment, and by regulatory mandates.

For government institutions, the current iteration of the Federal Desktop Core Configuration (FDCC) does not include Mac OS computers. For publicly traded companies, Sarbanes-Oxley requirements are not clearly articulated for Apple hardware, leaving the responsible system administrator at a loss for how to comply specifically when administering Apple hardware.

This companion document follows the Apple guide, supplying the "how to automate" for the "what" and the "why" that Apple provides. As standards continue to emerge, this document will be updated to reflect the evolving landscape of security on the Mac OS platform. Appendix A looks more in depth at Sarbanes-Oxley controls and supersedes the document titled "Security and Casper."

Useful Links on Security Concerns

Mac OS X Security Configuration

Mac OS X v10.6 (Snow Leopard)
- Mac OS X Security Configuration Guide
- Mac OS X Server Security Configuration Guide

Mac OS X v10.5 (Leopard)
- Mac OS X Security Configuration Guide
- Mac OS X Server Security Configuration Guide

Mac OS X v10.4 (Tiger)
- Mac OS X Security Configuration Guide
- Mac OS X Server Security Configuration Guide

Mac OS X v10.3 (Panther)
- Client Security Configuration Guide
- Server Security Configuration Guide

* There are additional links within each of these guides. As a matter of practicality, this document is based on the Mac OS X v10.6 (Snow Leopard) security guide; the links found on pages 15 and 16 of that guide provide a wealth of information from Apple and US Government agencies and should be pursued as part of any inquiry into securing Mac OS client machines.

Installing Mac OS X

For hardening Mac OS X systems and maintaining that security, Apple provides the Mac OS X Security Configuration Guide as a source of instructions and recommendations. By using the Casper Suite, your chosen security configuration can be implemented and maintained throughout the life cycle of your managed Macs. This document, which is based on the Apple Security Checklist (ASC) included in the Mac OS X Security Configuration Guide, details the deployable objects and the Casper Suite deployment mechanisms that can be used to implement Apple's recommended security actions.

Each action item table in this guide has four columns: the Action Item as worded in the checklist; the ASC Page on which Apple explains what to do and why; the Deployable Object (script, DMG, OS image, package, Managed Preference, JSS setting, and so on) that carries the configuration; and the Deployment Mechanism in the Casper Suite that delivers it. An asterisk (*) marks a Managed Preference that is available as a template in the JSS.

Installation Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Securely erase the Mac OS X partition before installation | 31 | Script | Casper Imaging |
| Install Mac OS X using Mac OS Extended disk formatting | 32 | OS Image | Casper Imaging |
| Do not install unnecessary packages | 31 | OS Image | Casper Imaging |
| Do not transfer confidential information in Setup Assistant | 33 | OS Image | Casper Imaging |
| Do not connect to the Internet | 31 | OS Image, stand-alone JSS | Casper Imaging and JSS on a secure network or FireWire drive |
| Create administrator accounts with difficult-to-guess names | 34 | Script, DMG | Casper Imaging, Casper Remote, Policy |
| Create complex passwords for administrator accounts | 34 | N/A | All Casper Suite products support complex passwords |
| Do not enter a password-related hint; instead, enter help desk contact information | 34 | Script, Managed Preference | Casper Remote, Policy |
| (action item text not legible in the source) | 33, 91 | Script, DMG | Casper Imaging, Casper Remote, Policy |
| Enter correct time settings and set NTP time server | 35, 75 | Script, DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy, JSS |
| Turn off Auto-login | 35 | OS Image, *Managed Preference | Casper Imaging, JSS |
| Use an internal Software Update server | 36 | Setting, *Managed Preference | JSS |
| Update system software using verified packages | 38 | Software Update Server, PKG, DMG, HTTP downloads | Casper Imaging, Casper Remote, Policy |
| Repair disk permissions after installing software or software updates | 40 | Setting | Casper Imaging, Casper Remote, Policy |

* Available as a template in the JSS.

Protecting System Hardware

When hardening Mac OS X desktop systems after installation, protect your system hardware with the following. The physical items have no deployable object; the remaining items disable the software support for each interface.

Hardware Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Restrict access to rooms that have computers | 43 | N/A | N/A |
| Store computers in locked or secure containers when not in use | 43 | N/A | N/A |
| Disable Wi-Fi Support Software | 45 | Script (complete removal), *Managed Preference (disable only) | Casper Imaging, Casper Remote, Policy, Resource Kit |
| Disable Bluetooth Support Software | 46 | Script, *Managed Preference (disable only) | Casper Imaging, Casper Remote, Policy, Resource Kit |
| Disable Audio Recording Support Software | 48 | Script | Casper Imaging, Casper Remote, Policy |
| Disable Video Recording Support Software | 49 | Script | Casper Imaging, Casper Remote, Policy |
| Disable USB Support Software | 51 | Script | Casper Imaging, Casper Remote, Policy, Resource Kit |
| Disable FireWire Support Software | 52 | Script | Casper Imaging, Casper Remote, Policy |

* Available as a template in the JSS.

Securing Global System Settings

When hardening Mac OS X desktop systems during installation, initialization or updating, reference the following.

Global System Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Require an EFI password | 54 | DMG, OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Create an access warning for the login window | 57 | DMG, OS Image, Script, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Create an access warning for the command line | 60 | DMG, OS Image, Script | Casper Imaging, Casper Remote, Policy |

* Available as a template in the JSS.
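Several items in the installation, hardware and global settings tables above (turning off auto-login, suppressing password hints, disabling Bluetooth, setting a login window access warning) reduce to a few keys in system-wide preference files, so compliance can be checked by a script run from a policy or reported through a JSS Extension Attribute rather than by opening System Preferences on each Mac. The audit below is an added example for this guide, not JAMF or Apple code. It reads the same plists that `defaults write` edits; the fixture builder writes constructed sample plists so the audit also runs on any machine with Python 3. The key names (autoLoginUser, LoginwindowText, RetriesUntilHint, ControllerPowerState) and the /etc/kcpassword check follow Snow Leopard-era conventions and should be confirmed against the OS version you manage.

```python
"""Audit Apple Security Checklist items stored in login-window and Bluetooth plists.

Added example for the Apple Security Checklist Companion (not JAMF or Apple code).
Run with no arguments as root on a Mac to audit the live system; run with --demo
anywhere to audit constructed sample plists.
"""
import os
import plistlib
import sys
import tempfile

# Real paths on Mac OS X; overridable so the audit can be pointed at fixtures.
LOGINWINDOW = "/Library/Preferences/com.apple.loginwindow.plist"
BLUETOOTH = "/Library/Preferences/com.apple.Bluetooth.plist"
KCPASSWORD = "/etc/kcpassword"  # obfuscated auto-login password; exists only while auto-login is on


def load_plist(path):
    """Return the plist contents as a dict; a missing file reads as empty (every key unset)."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except FileNotFoundError:
        return {}


def checklist_audit(loginwindow=LOGINWINDOW, bluetooth=BLUETOOTH, kcpassword=KCPASSWORD):
    """Evaluate four ASC action items and return [(item, passed, detail), ...] in checklist order."""
    lw = load_plist(loginwindow)
    bt = load_plist(bluetooth)
    results = []

    # ASC p.35 "Turn off Auto-login": the preference key must be absent AND the stored
    # credential file must be gone; deleting only the key leaves /etc/kcpassword behind.
    auto_user = lw.get("autoLoginUser")
    kc_present = os.path.exists(kcpassword)
    results.append(("Turn off Auto-login", auto_user is None and not kc_present,
                    "autoLoginUser=%r kcpassword_present=%r" % (auto_user, kc_present)))

    # ASC p.57 "Create an access warning for the login window": whitespace-only text is not a banner.
    banner = (lw.get("LoginwindowText") or "").strip()
    results.append(("Create an access warning for the login window", bool(banner),
                    "LoginwindowText=%r" % banner))

    # ASC p.34 "Do not enter a password-related hint": RetriesUntilHint=0 suppresses hints.
    # An unset key means the default behaviour (the hint is shown after failed attempts).
    retries = lw.get("RetriesUntilHint")
    results.append(("Do not show password hints", retries == 0, "RetriesUntilHint=%r" % retries))

    # ASC p.46 "Disable Bluetooth": ControllerPowerState 0 keeps the radio off.
    power = bt.get("ControllerPowerState")
    results.append(("Disable Bluetooth", power == 0, "ControllerPowerState=%r" % power))
    return results


def failed_items(results):
    """Names of the action items that did not pass, in checklist order."""
    return [item for item, passed, _ in results if not passed]


def build_fixture(compliant):
    """Write constructed sample plists to a temp dir and return kwargs for checklist_audit()."""
    d = tempfile.mkdtemp(prefix="asc-audit-")
    if compliant:
        lw = {"LoginwindowText": "Authorized use only. Help desk: x5555", "RetriesUntilHint": 0}
        bt = {"ControllerPowerState": 0}
    else:  # typical out-of-the-box state with auto-login turned on for an admin account
        lw = {"autoLoginUser": "admin", "LoginwindowText": "  "}
        bt = {"ControllerPowerState": 1}
        with open(os.path.join(d, "kcpassword"), "wb") as fh:
            fh.write(b"\x00" * 12)  # placeholder bytes; the real file holds an obfuscated password
    paths = {"loginwindow": os.path.join(d, "com.apple.loginwindow.plist"),
             "bluetooth": os.path.join(d, "com.apple.Bluetooth.plist"),
             "kcpassword": os.path.join(d, "kcpassword")}
    with open(paths["loginwindow"], "wb") as fh:
        plistlib.dump(lw, fh)
    with open(paths["bluetooth"], "wb") as fh:
        plistlib.dump(bt, fh)
    return paths


if __name__ == "__main__":
    findings = checklist_audit(**build_fixture(False)) if "--demo" in sys.argv else checklist_audit()
    for item, passed, detail in findings:
        print("%-4s %s (%s)" % ("PASS" if passed else "FAIL", item, detail))
    # A non-zero exit status lets the policy log record the computer as non-compliant.
    sys.exit(1 if failed_items(findings) else 0)
```

Run from a policy the script's exit status and output land in the policy log; the same (item, passed) list can be returned by an Extension Attribute so a smart group collects the machines that still need remediation.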

Securing System Preferences

When hardening Mac OS X desktop systems during installation, initialization or updating, reference the following. The ASC chapter on System Preferences (pages 63 to 115) is split across this table and the one that follows.

System Preferences Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Log in with administrator privileges | 63 | N/A | N/A |
| Enable MobileMe only for user accounts without access to critical data | 64 | Script, DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure MobileMe preferences | 64 | Script, DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Accounts preferences | 67 | Script, DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Appearance preferences | 70 | Script, DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Change the number of recent items displayed | 71 | Script, DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Appearance preferences | 72 | Script, DMG | Casper Imaging, Casper Remote, Policy |
| Securely configure CD & DVD preferences | 73 | Script, DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Date & Time preferences | 75 | Script, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Desktop & Screen Saver preferences | 77 | Script, User Environment Package, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Display preferences | 79 | Script, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Dock preferences | 79 | Script, User Environment Package, Unix Command, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Energy Saver preferences | 80 | Script, Resource Kit, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Configure Exposé & Spaces preferences | 83 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |

* Available as a template in the JSS.

Securing System Preferences (continued)

System Preferences Action Items (continued)

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Securely configure Keyboard preferences | 84 | Script, Unix Command, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Mouse preferences | 84 | Script, Unix Command, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Print & Fax preferences | 96 | Script, User Environment Package | Casper Imaging, Casper Remote, Policy |
| Securely configure Network preferences | 85 | Script, User Environment Package, Unix Command | Casper Imaging, Casper Remote, Policy |
| Securely configure Parental Control preferences | 93 | DMG, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Security preferences | 99 | Script, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Sharing preferences | 105 | Script, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Software Update preferences | 107 | Script, Policy, JSS Setting, User Environment Package, Unix Command | Casper Imaging, Casper Remote, Policy, JSS Setting |
| Securely configure Sound preferences | 109 | Script, User Environment Package | Casper Imaging, Casper Remote, Policy |
| Securely configure Speech preferences | 110 | Script, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Securely configure Spotlight preferences | 111 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |
| Securely configure Startup Disk preferences | 114 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |
| Securely configure Time Machine preferences | 115 | Script, Unix Command, *Managed Preference | Casper Imaging, Casper Remote, Policy |

* Available as a template in the JSS.

Securing Accounts

When hardening Mac OS X desktop systems during installation, initialization or updating, reference the following.

Account Configuration Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Create an administrator account and a standard account for each administrator | 124 | JSS Setting, QuickAdd, Script | Casper Imaging, Casper Remote |
| Create a standard or managed account for each nonadministrator | 124 | QuickAdd, Script | Casper Imaging, Casper Remote, Policy |
| Set parental controls for managed accounts | 121 | Script, DMG, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Restrict sudo users to access required commands | 126 | Script, DMG | Casper Imaging, Casper Remote, Policy |
| Securely configure LDAPv3 access | 129 | Script, DMG | Casper Imaging, Casper Remote, Policy |
| Securely configure Active Directory access | 129 | Script, DMG | Casper Imaging, Casper Remote, Policy |
| Use Password Assistant to generate complex passwords | 130 | Setting | Casper Remote, Policy |
| Authenticate using a smart card, token, or biometric device | 132 | DMG | Casper Imaging, Casper Remote, Policy |
| Set a strong password policy | 134 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |
| Secure the login keychain | 135 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |
| Secure keychain items | 137 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |
| Create keychains for specialized purposes | 136 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |
| Use a portable drive to store keychains | 139 | DMG | Casper Imaging, Casper Remote, Policy |

Securing Data Using Encryption

When hardening Mac OS X desktop systems during installation, initialization or updating, reference the following.

Encryption (Data at Rest) Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Assign POSIX access permissions based on user categories | 144 | Script, Unix Command, Composer Setting | Casper Imaging, Casper Remote, Policy |
| Review and modify folder flags | 146 | Script, Unix Command, Composer Setting | Casper Imaging, Casper Remote, Policy |
| Restrict permissions on User Home Folders | 152 | Script, Unix Command | Casper Imaging, Casper Remote, Policy |
| Strip setuid bits from some programs | 149 | Script, Unix Command, Composer Setting | Casper Imaging, Casper Remote, Policy |

Information Assurance with Applications

When hardening Mac OS X desktop systems during installation, initialization or updating, reference the following.

Application Configuration Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Configure Mail using SSL | 166 | Script, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Disable the Preview Pane for Mail messages | 168 | Script | Apple recommends moving the separator bar to minimize the preview pane; whether this setting can be managed through MCX was an open question at publication |
| Disable Auto-Fill | 175 | DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Block Pop-ups | 176 | DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Only allow cookies from visited sites | 177 | DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Disable opening "safe" files in Safari | 177 | DMG, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Verify certificate validity | 171 | Script | Casper Imaging, Casper Remote, Policy |
| Request MobileMe identity certificate | 180 | Script | Casper Imaging, Casper Remote, Policy |
| Secure iChat communications | 178 | Script, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Create a strong password for iTunes | 181 | N/A | N/A |
| Secure remote access using VPN | 192 | DMG, Script, *Managed Preference | Casper Imaging, Casper Remote, Policy |
| Turn firewall protection on | 183 | Script, Resource Kit, Managed Preference | Casper Imaging, Casper Remote, Policy |

* Available as a template in the JSS.

Information Assurance with Services

When hardening Mac OS X desktop systems during installation, initialization or updating, reference the following.

Services Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Configure IPFW2 firewall | 187 | OS Image, Package, Script | Casper Imaging, Casper Remote, Policy |
| Implement IPFW ruleset | 189 | OS Image, Package, Script | Casper Imaging, Casper Remote, Policy |
| Enable firewall logging | 188, 103 | OS Image, Package, Script | Casper Imaging, Casper Remote, Policy |
| Implement inclusive ruleset | 189 | OS Image, Package, Script | Casper Imaging, Casper Remote, Policy |
| Set ruleset to permit services | 190 | OS Image, Package, Script | Casper Imaging, Casper Remote, Policy |
| Set more restrictive ruleset | 190 | OS Image, Package, Script | Casper Imaging, Casper Remote, Policy |
| Configure system to load IPFW ruleset | 192 | OS Image, Package, Script | Casper Imaging, Casper Remote, Policy |
| Bonjour | 194 | Script | Casper Imaging, Casper Remote, Policy |
| Secure Back To My Mac (BTMM) access through Security preferences | 198 | Script, User Environment Package, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Set up screen sharing through VNC with password protection | 200 | Script, DMG | Casper Imaging, Casper Remote, Policy |
| Disable Screen Sharing when possible | 200 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable File Sharing when possible | 201 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Printer Sharing when possible | 204 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Scanner Sharing when possible | 204 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Web Sharing when possible | 204 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Remote Login when possible | 205 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Establish key-based SSH connections | 207 | Script | Casper Imaging, Casper Remote, Policy |

Services Action Items (continued)

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Configure ARD to manage remote tasks | 215 | Script, Built-in Feature | Casper Imaging, Casper Remote, Policy |
| Disable Remote Management when possible | 216 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Remote Apple Events when possible | 216 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Xgrid Sharing when possible | 217 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Internet Sharing when possible | 219 | OS Image, Script | Casper Imaging, Casper Remote, Policy |
| Disable Bluetooth Sharing when possible | 220 | OS Image, Script | Casper Imaging, Casper Remote, Policy |

Advanced Security Management

When hardening Mac OS X desktop systems during installation, initialization or updating, reference the following.

Advanced Management Action Items

| Action Item | ASC Page | Deployable Object | Deployment Mechanism |
|---|---|---|---|
| Create an authorization right in the dictionary to authorize users | 225 | Script, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Create a digital signature | 232 | Script | Casper Imaging, Casper Remote, Policy |
| Enable security auditing | 237 | Script | Casper Imaging, Casper Remote, Policy |
| Configure security auditing | 222, 238 | Script | Casper Imaging, Casper Remote, Policy |
| Generate auditing reports | 222, 237 | Script | Casper Imaging, Casper Remote, Policy |
| Enable local logging | 235 | Script, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Enable remote logging | 220, 236 | Script, Managed Preference | Casper Imaging, Casper Remote, Policy |
| Install a file integrity checking tool | 216, 232 | DMG | Casper Imaging, Casper Remote, Policy |
| Create a baseline configuration for file integrity checking | 216, 231 | OS Image | N/A |
| Install an antivirus tool | 222, 239 | DMG | Casper Imaging, Casper Remote, Policy |
| Configure the antivirus tool to automatically download virus definition files | 222, 239 | DMG, Managed Preference | Casper Imaging, Casper Remote, Policy |

* Available as a template in the JSS.

Appendix A - Meeting Sarbanes-Oxley Objectives

There are seven Control Objectives relating to desktop management under Sarbanes-Oxley requirements that are met through the Casper Suite. They are:

- Grant the appropriate level of access in order to provide administrators functionality appropriate to their role.
- Log the actions of each individual administrator.
- Ensure that no illegal or unauthorized software can be run on corporate assets by excluding applications from execution.
- Allow remote administrators to observe or control a computer in a way that is secure and audited.
- Rapidly change access credentials for remote computers.
- Ensure that desktop screen savers activate after a set amount of time and require a password to unlock.
- Ensure that data transmission is encrypted.

While most system administrators governed by Sarbanes-Oxley are fluent in the terminology of the framework, a brief explanation of the control types used in this appendix is provided here.

- Automated Controls are performed by computers and are binary in nature: they either run as designed or do not run at all, and they are not subject to the intermittent error or intervention that affects manual, human-performed controls.
- Access Controls define the appropriate access for different users and grant them rights and privileges to sensitive information.
- Control Objectives define the desired state and are used to measure the success or failure of a policy or procedure.
- Corrective Controls are aimed at restoring the system to its expected state.
- Detective Controls detect when an unwanted event occurs, whether as a result of human factors or of environmental and security issues; they are needed to alert us when an unwanted event transpires.
- Preventative Controls are aimed at avoiding unwanted situations.

Role Based Administrator Access

Control Objectives:
- Grant the appropriate level of access in order to provide administrators functionality appropriate to their role.
- Log the actions of each individual administrator.

Within the Casper Suite, individuals can be added to the system to perform the tasks for which they are responsible (see fig. 1).

fig. 1

These users can be added via LDAP and assigned appropriate privileges (see fig. 2). The privileges shown in fig. 2 are grouped by application and JSS tab:

- Grant All Privileges / Revoke All Privileges
- JSS - Home Tab Privileges: Change Password
- JSS - Inventory Tab Privileges: View Inventory Tab; Perform Advanced Searches; Save Advanced Searches; View Saved Searches; Manage Custom Reports; Manage Saved Searches; Manage Suppressed Inventory Items; View Details on Inventory Items; View License Serial Numbers; Download Files Attached to Inventory Items; View Computer Logs; Edit Inventory Items; Edit Autorun Data; Delete Inventory Items
- JSS - Management Tab Privileges: View Management Tab; Manage Policies; Manage PreStages; Manage Restricted Software; Manage Smart Computer Groups; Manage Static Computer Groups; Manage Management Preferences; Manage Self Service Preferences; Manage Scheduled Tasks; Manage Directory Bindings; Manage Distribution Points; Manage Software Update Servers; Manage NetBoot Servers
- JSS - Logs Tab Privileges: View Logs Tab; Flush Policy Histories
- JSS - Settings Tab Privileges: View Settings Tab; Manage JSS Accounts; Manage LDAP Servers; Manage Buildings and Departments; Manage Network Segments; Manage General JSS Settings; View Database/Web Application Health; Flush Database Logs; Mass Edit Locations/Servers; Mass Edit Warranties; Mass Edit Autorun Data; Mass Add SSH Accounts; Mass Edit SSH Accounts
- JSS - Settings Tab Inventory Privileges: Manage Inventory Preferences; Manage Peripheral Types; Manage Removable MAC Address; Manage Licensed Software
- Recon Privileges: Add Computers Manually; Add Hardware; Add Computers Remotely; QuickAdd Packages
- Casper Admin Privileges: Use Casper Admin; Save with Casper Admin
- Casper Imaging Privileges: Use Casper Imaging; Customize a Configuration; Store Autorun Data; Create Local Accounts; Bind to Active Directory Locally; Set Open Firmware Locally; Modify Network Settings Locally; Set ARD Fields Locally; Use Advanced Options Locally
- Casper Remote Privileges: Use Casper Remote; Install/Uninstall Software Remotely; Run Scripts Remotely; Map Printers Remotely; Add Dock Items Remotely; Manage Local User Accounts Remotely; Change Casper's SSH Accounts Remotely; Bind to Active Directory Remotely; Set Open Firmware/EFI Passwords Remotely; Reboot Computers Remotely; Perform Maintenance Tasks Remotely; Search for Files/Processes Remotely
- VNC Privileges: Observe Remote Computers; Observe Remote Computers Without Asking at Login Window; Observe Remote Computers Without Asking; Control Remote Computers; Control Remote Computers Without Asking at Login Window; Control Remote Computers Without Asking

The "Without Asking" variants bypass the end user's consent prompt and should be limited to the few administrators whose role requires unattended access; everyone else should receive only the privileges their tasks need.

fig. 2

When an individual administrator logs into any of the Casper Suite applications, his or her actions are logged in the database. The example below shows a sample log listing which users controlled a particular desktop computer (see fig. 3). Creating users and assigning their rights falls under Access Control; logging the events provides the procedure by which the effectiveness of that control is audited.

fig. 3

Software Restriction

Control Objective: Ensure that no illegal or unauthorized software can be run on corporate assets by blacklisting applications.

Ensuring that software that violates computer usage policies, such as peer-to-peer file sharing applications, is controlled requires identifying and removing software that is out of scope, and notifying the end user and management about these activities.

In the case of software restriction (see fig. 4), the Casper Suite offers the following:
- Detection of restricted software by the name of its process as it is loaded into memory, which is a Detective Control.
- Quitting and removing the offending application, which restores the expected state (a Corrective Control) and, because the restriction stays in force, prevents further use (a Preventative Control).
- Notification to the end user and system administrators, which allows for a procedure that enforces the control.

fig. 4
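The three steps above (detect the process, quit and remove it, notify) are what the JSS Restricted Software feature performs for you. The script below is an added example for this guide, not JAMF's implementation, that lays the same logic out in the open so each control can be tested and extended. The restricted process names and the `ps` output are constructed samples; on Mac OS X, `ps -axo pid=,comm=` reports the full executable path, which is what bundle_path() relies on to locate the .app bundle to remove.

```python
"""Detect, stop and optionally remove restricted applications by process name.

Added example for the Apple Security Checklist Companion; not the JSS Restricted
Software feature itself. Detection parses `ps` output, enforcement kills the process
and deletes its bundle, and the returned action list feeds the notification step.
"""
import os
import shutil
import signal
import subprocess
import sys

# Process names (as `ps -o comm` reports them) that violate the usage policy. Constructed sample.
RESTRICTED = {"Transmission", "LimeWire", "uTorrent"}

# Constructed sample of `ps -axo pid=,comm=` output as seen on Mac OS X (full executable paths).
SAMPLE_PS = """\
    1 /sbin/launchd
  245 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  812 /Applications/Transmission.app/Contents/MacOS/Transmission
  899 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
  931 /Users/jdoe/Downloads/uTorrent.app/Contents/MacOS/uTorrent
"""


def parse_ps(text):
    """Turn `ps -axo pid=,comm=` output into (pid, path) pairs; paths may contain spaces."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, _, path = line.partition(" ")
        procs.append((int(pid), path.strip()))
    return procs


def bundle_path(exe_path):
    """Return the enclosing .app bundle for an executable path, or None for a non-bundled binary."""
    parts = exe_path.split("/")
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return "/".join(parts[: i + 1])
    return None


def find_restricted(procs, restricted=RESTRICTED):
    """Detective control: running processes whose name is on the restricted list (case-insensitive)."""
    wanted = {name.lower() for name in restricted}
    hits = []
    for pid, path in procs:
        name = os.path.basename(path)
        if name.lower() in wanted:
            hits.append({"pid": pid, "name": name, "bundle": bundle_path(path)})
    return hits


def enforce(hits, remove=False):
    """Corrective control: kill each offending process and, if asked, delete its bundle.

    SIGKILL is used because file-sharing clients often ignore SIGTERM. The returned
    action list is what the policy prints so the user and the JSS log are notified.
    """
    actions = []
    for h in hits:
        try:
            os.kill(h["pid"], signal.SIGKILL)
            actions.append("killed %s (pid %d)" % (h["name"], h["pid"]))
        except ProcessLookupError:
            actions.append("%s (pid %d) already exited" % (h["name"], h["pid"]))
        if remove and h["bundle"] and os.path.isdir(h["bundle"]):
            shutil.rmtree(h["bundle"])
            actions.append("removed %s" % h["bundle"])
    return actions


if __name__ == "__main__":
    # Without --live the constructed sample is used, so the script is safe to try anywhere.
    if "--live" in sys.argv:
        ps_out = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True,
                                text=True, check=True).stdout
        hits = find_restricted(parse_ps(ps_out))
        for line in enforce(hits, remove="--remove" in sys.argv):
            print(line)
    else:
        hits = find_restricted(parse_ps(SAMPLE_PS))
        for h in hits:
            print("would stop %s (pid %d) and remove %s" % (h["name"], h["pid"], h["bundle"]))
    sys.exit(1 if hits else 0)
```

Matching on the process name alone is the same trade-off the built-in feature makes: a renamed binary evades it, so pair this Detective Control with the inventory reports that list installed applications by bundle identifier rather than by name.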

Casper VNC Security

Control Objective: Allow remote administrators to observe or control a computer in a way that is secure and audited.

Casper VNC tunnels connections through SSL, which is an Access Control on data transmission from source to host. The VNC server is launched on demand when an administrator controls or observes a remote client, and quits when the administrator quits the application. This Preventative Control ensures that only authorized administrators can access machines, and only during an active session; because no VNC service listens between sessions, there is no standing service for an intruder to connect to.

Every connection and every remote control action, including VNC, is logged centrally in the database, as illustrated in fig. 3 above.

With Version 6 of the Casper Suite, all administrator actions can additionally be sent to a CMDB/syslog server by specifying the directory, hostname and port of the server (see fig. 5).

fig. 5

Change Local Administrator Account Password

Control Objective: Rapidly change administrator account access on all computers.

Using the remote features of the Casper Remote application (see fig. 6) or a policy (see figs. 7, 8 and 9), the password used to access the remote computers can be updated immediately on the computers that are online; a policy also remains in effect for the computers that are offline and runs on each of them the next time it checks in. This Access Control ensures that a security breach involving a compromised administrator credential can be contained within minutes.

fig. 6

To change local administrator account passwords via a policy, first determine the trigger (startup, login, logout, shutdown, time of day, timed frequency, etc.), the activation date and the execution frequency (see fig. 7).

fig. 7

Next, assign the computers or groups in scope; in this case the policy is applied to all computers (see fig. 8).

fig. 8

Finally, set the command that resets the admin password. In this case both the local admin account and the account used by the Casper Suite are reset (see fig. 9).

fig. 9

Enforce Screen Saver Settings

Control Objective: Ensure that desktop screen savers activate after a set amount of time and require a password to unlock.

The Composer application is used to extract the system settings (plist entries) from a machine that already has the required activation time and password settings (see fig. 10); these settings enforce Access Control at the operating system level.

fig. 10

The captured settings can be distributed remotely to target machines (see fig. 11) and then re-applied on any system event or custom schedule via a Policy or a Managed Preference (see fig. 12). The Policy or Managed Preference ensures that the Access Control is enforced persistently rather than only at deployment time: a user or application that changes the values is brought back into compliance at the next trigger.

fig. 11
fig. 12
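Composer works by snapshotting a machine before and after the administrator makes a change and packaging the difference. The example below is an added illustration for this guide, not Composer or JAMF code: it diffs two constructed snapshots of a user's com.apple.screensaver preferences, turns the changed keys into a deployable plist payload, and shows the drift check a policy would run at each trigger to decide whether to re-apply the settings. The values assumed are a 15-minute idle time (idleTime 900 seconds) with a password required immediately (askForPassword 1, askForPasswordDelay 0).

```python
"""Snapshot, package and re-enforce screen saver settings, Composer-style.

Added example for the Apple Security Checklist Companion; not Composer or JAMF code.
BEFORE and AFTER are constructed snapshots of ~/Library/Preferences/com.apple.screensaver.plist
taken before and after an administrator sets the recommended values in System Preferences.
"""
import plistlib

# Constructed "before" snapshot: factory defaults, no password required on wake.
BEFORE = plistlib.dumps({"askForPassword": 0, "idleTime": 1200, "moduleName": "Flurry"})
# Constructed "after" snapshot: password required immediately, idle time shortened to 15 minutes.
AFTER = plistlib.dumps({"askForPassword": 1, "askForPasswordDelay": 0, "idleTime": 900,
                        "moduleName": "Flurry"})


def snapshot_diff(before_bytes, after_bytes):
    """Return {key: (old, new)} for keys added or changed between two plist snapshots.

    Keys that did not change (moduleName above) are left out, so the package only
    carries the settings the administrator deliberately set.
    """
    before = plistlib.loads(before_bytes)
    after = plistlib.loads(after_bytes)
    return {k: (before.get(k), v) for k, v in after.items() if before.get(k) != v}


def payload_from_diff(diff):
    """The deployable object: just the new values, serialised as an XML plist."""
    return plistlib.dumps({k: new for k, (_old, new) in diff.items()}, fmt=plistlib.FMT_XML)


def drift(target_bytes, payload_bytes):
    """Keys on a target machine whose value differs from the enforced payload.

    Run at the policy trigger (login, check-in, etc.): an empty result means compliant,
    otherwise the payload is re-applied. A key missing from the target counts as drift.
    """
    target = plistlib.loads(target_bytes)
    wanted = plistlib.loads(payload_bytes)
    return sorted(k for k, v in wanted.items() if target.get(k) != v)


def apply_payload(target_bytes, payload_bytes):
    """Merge the enforced keys into the target plist; the user's other keys are preserved."""
    merged = plistlib.loads(target_bytes)
    merged.update(plistlib.loads(payload_bytes))
    return plistlib.dumps(merged)


if __name__ == "__main__":
    payload = payload_from_diff(snapshot_diff(BEFORE, AFTER))
    print(payload.decode())
    # A user later turned the password requirement back off; the policy detects and reverts it.
    tampered = plistlib.dumps({"askForPassword": 0, "idleTime": 900, "moduleName": "Flurry"})
    print("drift before re-apply:", drift(tampered, payload))
    print("drift after re-apply: ", drift(apply_payload(tampered, payload), payload))
```

Some screen saver keys (the idle time in particular) may live in the ByHost copy of the domain rather than in the user's main plist on 10.6, so snapshot both locations before packaging. A Managed Preference set to "always" achieves the same persistence without a re-apply step; the drift check is still useful as the Detective Control that proves the setting held.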

Protocol Security

Control Objective: Ensure that data transmission is encrypted.

The central component of the Casper Suite, the JAMF Software Server (JSS), communicates with the other applications using industry-standard SSL encryption, which allows for a single point of management.

While this list addresses many of the primary controls that Sarbanes-Oxley governs concerning desktop management, it is by no means exhaustive. In the absence of clear definitions or standards of conduct, the above solutions meet specific objectives that demonstrate a company's willingness to abide by the spirit of the law.
