
How to Harden Your Mac

If you're a quasi-sophisticated Mac user and have been looking for advice on how to better safeguard your machine from hackers or local prying eyes, look no further: Apple has released a massive, 240-page guide that describes various methods for securing the operating system.


According to SecurityFocus.com, the manual includes an overview of Mac OS X's security architecture and advice on hardening the operating system against external attackers. It also includes information on locking down the system to protect against unauthorized access by people with physical access to the system.

Before you delve into this guide, you might want to familiarize yourself with Apple's "Terminal," the text-only command line interface for the Mac: The guide relies heavily on this tool, and Apple warns readers that only technically-adept users should use the guide.

By Brian Krebs  |  June 4, 2008; 11:15 AM ET
Categories:  Safety Tips  

Comments

Ahem, Brian. I can predict the caterwauling from Mac users now: "Why should I 'harden' my system? No one attacks it 'cuz there are so few of them, etc., etc. ad absurdum."

Posted by: Pete from Arlington | June 4, 2008 12:17 PM | Report abuse

Aww...

Poor Pete!

Posted by: umm.huh | June 4, 2008 12:36 PM | Report abuse

Hmm, and what would we have done if Microsoft had handled it this way? Apple is not a better company, nor does it have a better product it seems. It's just taken longer for the glaring issues to be noticed. The complacency days are over for Mac users.

Posted by: Dave | June 4, 2008 12:44 PM | Report abuse

What's this? The Jobs box might have security issues? I thought that only Microsoft boxes had security issues. Whuddathunk?

Posted by: Ivan Groznii | June 4, 2008 12:48 PM | Report abuse

Hm. My mom has a Mac, and she's not very tech savvy. She also doesn't want me "messing with" her computer, even if I want to do something that'll help keep it safe from harm. I don't see how this guide is going to help either her or me.

When's Apple going to come out with some simpler programs to help Mac users who aren't used to taking steps to safeguard their machines? It looks like the bad guys have saturated the PC marketplace, and are now seeking new prey.

Posted by: Heron | June 4, 2008 3:22 PM | Report abuse

In starting to read the guide, it seems that this is more for network administrators and IT personnel than single end users or consumers. It is very comprehensive in describing the security protocols built into the current Mac OS and gives good history on the security principles that the OS is built on. It is not light reading. As a certified computer security professional, a longtime Mac user, and an Apple shareholder, I am very impressed with this type of publication and commend Apple for making it available to everyone.

Posted by: Eliot | June 4, 2008 5:17 PM | Report abuse

@Ivan Groznii

This is a person who is obviously misinformed, some little kid, or someone who actually believes Apple's commercials. Or all three. Don't you belong on digg.com?

Anyways, I think this is fantastic. Although most people won't understand, it's a step forward. I've learned a few things from reading this. I actually first learned about this from Alex Eckelberry of the sunbeltblog. Props to you for posting it to the blog. Love your blog btw.

Posted by: SameStuffDifferentDay | June 4, 2008 11:39 PM | Report abuse

"Hm. My mom has a Mac, and she's not very tech savvy. She also doesn't want me "messing with" her computer, even if I want to do something that'll help keep it safe from harm. I don't see how this guide is going to help either her or me."

Heron: This is a configuration guide (as the Microsoft sycophants Pete, Dave, and Ivan apparently don't understand.)

Your mother doesn't need to do all (or perhaps any) of these things, and anyone who's actually read the guide will see that it's more aimed at business users -- and at those who have more stringent security requirements than that.

By the looks of things this is an updating of the guide that Apple, in common with some other vendors, originally produced in collaboration with the NSA. The Tiger one has been down off Apple's site for some time, although it (and the Panther one) are still available at the NSA, who also have guides for other OSes.

As I say, not everything applies to all users. You won't, for example, have to concern yourself with hiding the Dock, so that anyone passing behind your mother will know what programs she owns. Neither will you probably want to read the guide to find out how to use Apple's built-in encryption tool (FileVault) on your mother's home area, against the day her laptop falls into the wrong hands. And nor, I suspect, will you want to find out how to disable sound input, in case someone has planted a bug in your mother's sitting room.

We don't all have as stringent security requirements as the NSA.

Read it, making use of anything that seems to fit your situation, and ignoring anything that doesn't.


Posted by: Mike | June 5, 2008 4:56 AM | Report abuse

Mike:

So, when all is said and done, Apple drops a manual on your desk, says "you figure out what you need to do and good luck."

That doesn't really help the average user who has some concerns for the security of their online transactions.

Sycophant? Hardly. Merely underwhelmed by Apple's customer service in relation to what the propaganda is about PCs.

Posted by: Dave | June 5, 2008 8:19 AM | Report abuse

Seriously? A 240 page guide that requires me to go into Terminal to protect my OS? I thought my new Mac was supposed to make my life easier and safer.

Posted by: switcher | June 5, 2008 9:59 AM | Report abuse

Mike, thanks for the clarifications. I thought maybe the manual was meant for the average home user who's worried about data security threats, not a business owner. I hadn't looked at the guide because I don't own a Mac--though my next computer may very well be one.

I hope, if data thieves start targeting home Mac users, Apple will be open about it, and help that population learn about how to protect their machines by providing them with straightforward information about what they can do.

I worry less about my mom's computer because it's a Mac. I know that Apple machines aren't totally invulnerable, though--especially when the people who sit in front of them aren't tech-savvy like you are.

Posted by: Heron | June 5, 2008 10:09 AM | Report abuse

@ Mike:
Watch out or you might get my synchphanti's in a twist! It's hell when your reaction is so predictable, ain't it?

Posted by: Pete from Arlington | June 5, 2008 12:06 PM | Report abuse

@ Mike:
Watch out or you might get my synchophanti's in a twist! It's hell when your reaction is so predictable, ain't it?

Posted by: Pete from Arlington | June 5, 2008 12:07 PM | Report abuse

Brian,
Thanks for the info and the link. Found Panther, Tiger, and Leopard guides there. It will be good to have this information for the looming threat to the Mac community now that Macs are becoming more prevalent. I hope all Mac users take heed and use the information to forestall a mass infection of Macs like that that plagues PCs.

Posted by: snowbird2 | June 5, 2008 3:02 PM | Report abuse

Mike - great comments.

The rest of you are hardly worth addressing...

Posted by: Me | June 9, 2008 11:47 AM | Report abuse

re: mom using mac

set up firewall properly under sharing in system preferences and use the advanced settings button to block UDP, enable logging and stealth mode options; use grc.com shields up test to see if it's working (s/be stealth) https://www.grc.com/x/ne.dll?bh0bkyd2

make sure personal file sharing, and everything else is off, also under all three tabs in 'sharing prefs' except for the network time which goes to apple to set the correct time/clock. (assuming she is on hardwired broadband, not wifi)

make sure her modem does not have a bunch of open ports too - that's actually the best hard firewall strategy depending on the modem itself b/c apple firewall is not perfectly stealth it leaves some ports open for their outgoing calls (which is why Little Snitch is valuable).

if i were you, i'd set up her network DNS servers using DNS forwarding thru opendns; they work in conjunction with phishtank to identify / warn / block blacklisted spoof phish sites
208.67.222.222
208.67.220.220
https://www.opendns.com/start

if you do nothing else after this step, do this: non-tech user security precaution solution: set up a non-admin password protected 'user account' for every day use: email and surfing as brian and rob recommend. [after set up passwords on user and admin account, DON'T forget to write down and save the passwords somewhere for your mom + email them to yourself for backup when she forgets, cuz you'll forget too!!!]

if you can get her to use firefox (which i actually hate to use on my mac cuz it's slow)... but netcraft has a toolbar for firefox that identifies high risk websites. Most of the problems come from clicking bad sites and downloading the wrong stuff, even on macs sometimes. BUT if you set up her DNS settings going thru open dns most bad sites, phishing urls, bad redirects will already be blacklisted and she'll get a warning page saying it's not a safe site.

Get, learn, and teach her how to use Little Snitch (identifies *most* outgoing extrusions not intrusions which is what the firewall takes care of (mostly); netbarrier will also identify both but its complicated and annoying if it's not set up correctly and often requires a lot of tweaking so i'd forgo it if she's really resistant to learning this stuff) and show her how to search the Little Snitch forum at obdev.at for help on things that come up....LS has pretty good default settings.

set up some bookmarks to the apple discussion forums, macfixit.com, and macfixit forums, macworld & its forums, osxfaq.com ...show her how to search using google effectively and to bookmark the mac sites she finds that are helpful.

And, i would recommend 1Password for keeping/logging her

hope this helps.

she can learn more if she wants to, but do the first few things for sure!!!


Posted by: embarqsuks.com | June 10, 2008 5:03 AM | Report abuse

....sorry got cut off

also any mac user would benefit from using 1password for storing passwords on any/all sites that require passwords and emails (banks, forums, online groups/communities)

1password.com
there were a coupla promo links that might still work for good discount like 40 or 50% off already cheap product with lots of features -- do a search for agilewebsolutions.com/promo/
there will be several to try

and make sure your mom knows that any site that asks for a password and info should be https

and she should get a gmail account specifically for using online forums and communities + make up a birthday to use on those community type sites, chats, bbs, forums (even washington post :-) nyt, etc. never give away personally identifying info including real name, birthdate, address, phone, zip code -- that's why 1Password is so good -- it remembers most of that stuff for you [altho there are exceptions where it fails to save properly, including phbb forums and some flash password/user id forms]

anyway, create a standard 'alter ID profile, email, birthday, zip code' (maybe based on her favorite celebrity so it's easy to remember or look up and remember)-- for non-official type sites that have nothing to do with banking, credit cards, etc. find the easy to understand sites (including fbi) that teach straightforward info about phishing, spoofing why never to click links that come in emails or even other sites; she should go directly to those sites herself..... again httpS and the 'lock' icon in the upper right hand of safari, other places on other browsers ....blah blah blah... you know the drill.

camino's a pretty good browser for cookie control BTW. better than safari.

sayonara and good luck!


Posted by: embarqsuks.com | June 10, 2008 5:21 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company