Mac Security Best Practices


Mac security -- you’ve probably heard the old conventional wisdom that “macOS is more secure than Windows”. We’re not going to argue that point one way or the other in this article. But there are still ways for bad guys to do bad things to Macs -- and things that you can do to protect against them.

If you’re coming from the Windows world, and you only have a handful of Macs in your organization, you might not know about some of the security features already built into macOS. Knowing how to configure these features will help keep your network secure -- Mac or Windows.

  1. Disable the Guest account

Oddly enough, on a fresh system installation, macOS enables the guest user account by default. Though Apple claims that the guest account cannot access anything important, it’s best to go ahead and disable it.

Open System Preferences > Users & Groups. Click the lock and enter an admin password. Then click Guest User, and uncheck “Allow guests to log on to this computer”.


  2. Enable FileVault Disk Encryption

If some of your users are toting MacBooks around, it’s only a matter of time until one gets misplaced or stolen -- along with any sensitive data that might be on its hard drive.

The best way to prevent any confidential information from falling into the wrong hands is to enable FileVault. FileVault is macOS’s built-in full-disk encryption solution. Once enabled, that’s it -- it automatically encrypts everything that hits the Mac’s hard drive. And it’s transparent to the user. The only thing she will notice is that she needs to enter her user account password before the computer will boot.

To enable FileVault, have the primary user log in, and then open System Preferences > Security & Privacy > FileVault. Click the padlock and enter an administrator password, and then click “Turn on FileVault”...


(If more than one user is configured on this Mac, a prompt to enter a password unlocks the disk at startup.)

Then you’ll be asked how you would like to store the recovery key. For a company-owned device, it might be better to skip iCloud, and store the recovery key somewhere safe and secure.


After you create the recovery key, the Mac will start encrypting the disk in the background, as long as it’s awake and connected to AC power. When that's done, the disk is fully protected.

  3. Don’t Use Administrator Accounts for Everyday Use

You may already be familiar with the principle of least-user access, or LUA. In short, it means don’t use a user account that has more privileges than you need right now. For client workstations, this generally involves not running as a local administrator. This makes it harder for malware to gain elevated privileges on the system and install itself.

On a Mac, most users in non-technical roles will not notice that they don’t have admin rights. And for developers or sysadmins who do need more privileges, supplying them with a secondary administrative account is just good security practice.

To configure a secondary administrative account, open System Preferences > Users & Groups, and click the lock to unlock the pane. Next, click the Plus (+) button to add a user. Change New Account: to “Administrator”, and enter the account details.


Then, log on to the computer with the new account, and open Users & Groups again. Unlock the pane, select the original user account, and uncheck “Allow this user to administer the computer”. After a reboot, log back in with the original account, using the second account’s credentials whenever prompted (for example, to unlock System Preferences panes).


  4. Understand App Security

Just like on Windows, there are plenty of applications out there for Macs that have security vulnerabilities, or even malicious code lurking in them. To curtail that, Macs now only have two options when it comes to running software: Apps from the App Store, or apps from “identified developers” -- developers who sign their code with an Apple certificate.

This doesn’t mean that you can’t run unsigned apps, but there is another hoop to jump through to confirm that you really want to run one. To run an unsigned app, right-click it in Finder and select Open. If you’re not an admin, you’ll be prompted for admin credentials to allow the app. From then on, any user will be able to open that app.
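To confirm these four settings on each Mac without clicking through System Preferences, a read-only shell audit can check them from Terminal. This is an added example, not part of the original article; it assumes the stock macOS tools `defaults`, `fdesetup`, `dseditgroup` and `spctl` (the last reports the state of Gatekeeper, the app-signing check described in step 4), and the output wording it matches is an assumption about those tools.

```shell
#!/bin/sh
# Added example: read-only audit of the four settings in this article.
# Each classify_* function takes a command's output as text, so the logic
# can be exercised with constructed samples on any system.

classify_guest() {       # defaults read .../com.apple.loginwindow GuestEnabled
  case "$1" in
    0) echo PASS ;;
    1) echo FAIL ;;
    *) echo UNKNOWN ;;   # key absent: confirm in Users & Groups
  esac
}

classify_filevault() {   # fdesetup status (output wording assumed)
  case "$1" in
    *"in progress"*)      echo WARN ;;  # not fully protected until done
    *"FileVault is On"*)  echo PASS ;;
    *"FileVault is Off"*) echo FAIL ;;
    *) echo UNKNOWN ;;
  esac
}

classify_admin() {       # dseditgroup -o checkmember -m USER admin
  case "$1" in
    yes*) echo FAIL ;;   # everyday account still has admin rights
    no*)  echo PASS ;;
    *) echo UNKNOWN ;;
  esac
}

classify_gatekeeper() {  # spctl --status
  case "$1" in
    *"assessments enabled"*)  echo PASS ;;
    *"assessments disabled"*) echo FAIL ;;
    *) echo UNKNOWN ;;
  esac
}

audit_mac() {            # $1 = everyday user's short name (default: current user)
  user="${1:-$(id -un)}"
  plist=/Library/Preferences/com.apple.loginwindow
  echo "guest disabled:   $(classify_guest "$(defaults read "$plist" GuestEnabled 2>/dev/null)")"
  echo "filevault on:     $(classify_filevault "$(fdesetup status 2>/dev/null)")"
  echo "user not admin:   $(classify_admin "$(dseditgroup -o checkmember -m "$user" admin 2>/dev/null)")"
  echo "gatekeeper on:    $(classify_gatekeeper "$(spctl --status 2>&1)")"
}

if [ "$(uname -s)" = "Darwin" ]; then audit_mac "$@"; fi
```

Run it with the everyday user's short name as the argument; any line that is not PASS points back to the matching step above.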

These are just a few tips to help Windows administrators secure and understand the Macs in their environment. Stay tuned for our next article. We’ll look into some settings that will help your Macs “play nice” in your Windows domain.