How the NSA snoop-proofs its Macs

The NSA (the National Security Agency, or, as some people prefer, No Such Agency) has found itself in the spotlight lately, owing in large part to leaks from former contractor Edward Snowden. But although the agency has been in hot water because of who it has been spying on, snooping isn’t the agency’s only job. The NSA also plays an important role in helping the rest of the government secure its computers from outside attackers.

Back in 2010 the NSA published “Hardening Tips for Mac OS X 10.6 ‘Snow Leopard’” (PDF), a terse, two-page pamphlet recommending a series of security precautions. The agency hasn’t updated that pamphlet for more recent versions of OS X—so I thought I’d do so in the agency’s stead.

Practically speaking, these precautions would seriously degrade the Mac user experience for anyone who implemented all of them. So as I was updating the NSA's advice for OS X 10.8, I decided to add a little guidance as to how much pain some of these tips might cause you. I certainly don’t use all of these tricks myself. But they are still good to know.

(I’ll be referring to the pamphlet throughout, so you should download it before you go any further. Plus, one reminder: When changing some System Preferences items, you’ll need to click the lock icon in the lower-left corner and enter an administrator password.)

Don’t surf or read mail using an admin account

Email and websites are the primary ways attackers can compromise your Mac. If you check your mail or browse the Web while using an admin account, you’re reducing the number of hoops intruders need to jump through to control your Mac fully. It’s better to create a standard user account for day-to-day use, and log in as an admin only when absolutely necessary. Doing so is easy, and doesn’t really degrade your user experience.

Use software update

The NSA explains how to update software both automatically and manually, but you should stick with the automatic method. Go to System Preferences > Software Update and check Automatically check for updates, Download newly available updates in the background, and Install system data files and security updates. (That last one updates OS X’s malware blacklist, browser blacklist, and certain other files that protect you without changing your system.)

As of 10.8, updates now appear in the Mac App Store; you will see a Notification Center banner pop up when an update is available. You can no longer control the update schedule. (It’s weekly.)

Account settings

These items are now located under System Preferences > Users & Groups.

Disable automatic login and user lists: Open the Login Options section (at the bottom of the user list) and set Automatic login to Off. Then set Display login window as to Name and password. This arrangement forces you to log in to your computer, and forces anyone doing so to know your username, not just select it from a list.

Disable password hints: Still in the Login Options pane, uncheck Show password hints.

Disable guest account and sharing: Select the guest account and uncheck both Allow guests to log in to this computer and Allow guests to connect to shared folders. If you really do want to enable guests to log in, enable the account and check Enable parental controls. From there, click the Open Parental Controls button and check Limit Applications; you can then lock the guest into using merely a few apps, even just a Web browser. If you follow the advice later in this article and enable FileVault for encryption, guests will only be able to log in and use Safari, and they’ll never be able to see any of your data.

If you decide to enable the guest account, make sure it can't do much.

Disable Apple ID password reset: Back in the main Users & Groups pane, uncheck Allow user to reset password using Apple ID for all of your accounts. If you do maintain an admin account separate from your standard day-to-day one, it’s okay to disable this option for that admin account and keep it on for your standard one. If you leave this option enabled and someone gets hold of your Apple ID, that person also gains access to your computer and potentially the ability to lock you out. And yes, if you lose your password you may be locked out of your Mac, so…don’t.

Security settings

This pane is located in System Preferences > Security & Privacy, and Apple has made a ton of changes since the release of the NSA guide. Here are recommended settings, organized by tab.

General: Check Require password after sleep or screen saver begins and set it for immediately. Then check Disable automatic login. Next, enable Gatekeeper by selecting Mac App Store and identified developers in the ‘Allow applications downloaded from’ section; for even more security, choose Mac App Store. (You can still install other downloaded applications by Command-clicking them and selecting Open.) Finally, click the Advanced button and uncheck Automatically update safe downloads list, a list of apps Apple believes are safe. (When you’re the NSA, nothing is safe.)

You don't have to be a spy to want your Mac to require a password immediately upon waking from sleep.

FileVault: FileVault 2 is far better than the original FileVault, and I recommend it with one big caveat—you must keep really good backups. To enable it, click Turn On FileVault. Then select the user accounts you want to allow to log in to the computer when the disk is locked (this should be your admin account, your standard account, and any other users who might need to boot the Mac). Then be sure to write down the displayed recovery key. This is the only way to get back into your Mac if you forget your password. If you lose both your password and the recovery key, it’s game over for you and your Mac.

On the next screen, select Do not store the recovery key with Apple for the best security. Apple can’t read your key without your providing answers to a series of questions, but an attacker could potentially figure those answers out. Finally, click Restart on the last screen. Your Mac will start encrypting itself in the background after a reboot; you can still use it while it’s doing so.

Unsurprisingly, the NSA strongly favors firewalls.

Firewall: Click Turn On Firewall. Then open Firewall Options and check Block all incoming connections and Enable stealth mode, and uncheck Automatically allow signed software to receive incoming connections. Afterward, spend the rest of your day approving all the network connection requests.

Privacy: Open Location Services and uncheck Enable Location Services. Open Diagnostics & Usage and uncheck Send diagnostic and usage data to Apple.

iCloud

iCloud synchronization itself is a minor risk (unless you’re worried about your NSA coworker subpoenaing your email). But at least disable Back to My Mac and Find My Mac, lest someone be able to access or wipe your Mac if they gain access to your iCloud account.

Home-folder permissions

The command-line item that the NSA recommends locks a folder from other standard users, but not from administrator accounts; it still works.

Firmware password

The NSA’s instructions in the pamphlet no longer work. Instead, boot your Mac into the Recovery partition by pressing Command-R as your Mac is booting. Then select Utilities > Firmware Password Utility and set the password. You will need it whenever you boot into recovery mode or from an external drive.

Disable IPv6 and AirPort when not needed

In Mountain Lion, these options are still in System Preferences > Network, but other things have moved, and a few new options are available.

Your AirPort is now simply called ‘Wi-Fi’ on screen; you disable it by clicking the gear icon on the lower-left side and selecting Make Service Inactive, or by clicking the Turn Wi-Fi Off button when the service is selected. Then, open the Advanced options and uncheck Remember networks this computer has joined so that your Mac doesn’t search for known networks and leak information. You can also require administrator authorization to manage Wi-Fi connections.

To disable IPv6 for interfaces, open the Advanced options and set Configure IPv6 to Link-local only.

Unnecessary services

Warning: Following these bits of NSA advice will seriously alter the functionality of your Mac.

iSight no longer has a LaunchDaemon, but you can disable or enable it using this AppleScript. The service called com.apple.RemoteUI.plist is no longer used. The rest should work as listed.

The iSight Disabler script means you don't have to tape over the camera.

I’d be nervous about disabling system services that don’t present known risks, so I don’t have any to add to the NSA list.

Disable setuid and setgid binaries

Altering setuid and setgid is another suggestion you need to be extremely careful about, since following this advice will break functionality. The list the NSA guide provides is a good place to start, though, and you can always reverse your changes.

To get a proper list of all setuid and setgid binaries, update the suggested command lines to:

sudo find / -perm -04000 -ls

and

sudo find / -perm -02000 -ls

Those commands will produce a long list of applications, not all of which need root, wheel, or admin permissions. (All three are admin-level.) Since you aren’t regularly running as an admin user anymore, changing these items may break applications you use, but you can change them back. (I’m still trying to figure out why my outdated Logitech Harmony Remote application needs root privileges.)
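Because that list is long and shifts whenever software is installed or updated, it helps to save it once and compare later scans against it. The script below is an added example, not something from the NSA pamphlet; the function names and the one-line-per-file baseline format ("suid PATH" or "sgid PATH") are assumptions made for illustration. It uses -print rather than -ls so that each line can be compared exactly.

```shell
#!/bin/sh
# Added example (not from the NSA guide): inventory setuid/setgid files and
# report any that are missing from a saved baseline.
# Limitation: file names containing newlines are not handled.

# list_special DIR
#   Prints "suid PATH" for each setuid file and "sgid PATH" for each setgid
#   file under DIR, sorted. -xdev keeps find on DIR's own filesystem.
list_special() {
    {
        find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sed 's/^/suid /'
        find "$1" -xdev -type f -perm -2000 -print 2>/dev/null | sed 's/^/sgid /'
    } | LC_ALL=C sort
}

# new_since_baseline DIR BASELINE
#   Prints the lines list_special reports for DIR that do not appear in the
#   BASELINE file (a saved copy of earlier list_special output).
new_since_baseline() {
    nsb_cur=$(mktemp) && nsb_base=$(mktemp) || return 1
    list_special "$1" > "$nsb_cur"
    LC_ALL=C sort "$2" > "$nsb_base"
    # comm -23 keeps lines found only in the current scan
    LC_ALL=C comm -23 "$nsb_cur" "$nsb_base"
    rm -f "$nsb_cur" "$nsb_base"
}

# Command-line use:  sh suid-audit.sh DIR BASELINE
if [ $# -eq 2 ]; then
    new_since_baseline "$1" "$2"
fi
```

Save a baseline from an admin account by sourcing the file in a root shell and running list_special / with the output redirected to a file, then rerun the script against that file after installing software. Anything it prints gained a setuid or setgid bit since the baseline was taken.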

Configure and use both firewalls

Apple still includes ipfw with OS X, but starting in 10.7 it moved to pf as the primary option when you want more than the default application firewall. Since pf has more features, you should switch to that; you can use IceFloor for a graphical front end with some recommended rules.

Disable Bluetooth and AirPort devices

Disabling Wi-Fi might be a bit more extreme than the average user would like.

The NSA obviously worries about wireless connections. The agency’s suggestions still work, but I’d recommend disabling Wi-Fi and Bluetooth in System Preferences instead. And, it goes without saying, but don’t try this step if you are using a Bluetooth keyboard and mouse.

Disable iSight and sound input

For your iSight, the best thing to do is just put some tape over it. (Plus, you already know how to disable it in software.) The NSA’s advice for audio still works, but if you follow it the NSA won’t be able to listen to your conversations, so I’m sure the NSA wouldn’t want you to do that.

Safari

Under Safari > Preferences, you can still uncheck Open safe files after downloading. Then click the Security tab and uncheck Allow Java. For extra security, you can also uncheck Allow all other plug-ins, but then more sites may not work properly.

I’d also suggest that you uninstall Adobe Flash and download the Google Chrome browser. Chrome includes its own sandboxed Flash player, so you can use Flash-enabled sites with less risk.

Au revoir, Bonjour!

This tip still works just as the NSA suggests—and if you follow it, you no longer have to worry about anyone seeing your iTunes library when you connect to a hotel network.

Most of the NSA’s Snow Leopard security tips still work in Mountain Lion, but be very careful once you make changes outside System Preferences. Seriously, you have been warned.
