NSA Security Recommendations Part 1

securityThe United States National Security Agency has published a pamphlet titled Hardening Tips for the Default Installation of Mac OS X 10.5 “Leopard” (title links to document).  I consider many of these tips to be no-brainers, some to be best practices, and the rest have variable value depending on your organization’s requirements.  This article is the first of a series in which I’ll examine each of these tips, how to automate their implementation, and discuss any caveats for each.

Note: The NSA document, and therefore this series of articles, refer specifically to Mac OS X version 10.5 (Leopard). The ideas and techniques should transfer to 10.6 (Snow Leopard), but be sure to test carefully before putting into production. I will discuss any changes required to implement each recommendation in 10.6.

 

Don’t Surf or Read Mail using Admin Account

This falls into the “no-brainer” category.  I firmly believe that in an organization where the end user does not own his or her computer, there is no reason for that user to have administrative rights on the system.  For every so-called valid reason to grant administrative permission that I have encountered, there is a workaround that can give the user the ability to do their job without granting admin rights.  If you find yourself fighting against an organizational culture that wants admin rights for end users, you can counter with this statement:

 

“If end users have administrative rights, no IT group can make any guarantees or reliably satisfy any SLA regarding the performance, security or continued operability of the systems in question.”

 

Put simply, if unqualified people can mess with the works, then all bets are off.

 

Not being a technical procedure, this concept holds true for Snow Leopard, all other versions of Mac OS X and for any other OS as well.
If you believe you have a valid reason to grant administrative privileges to end users or your organization is forcing you to grant those privileges for a particular reason or reasons, please leave a comment. I’ll do my best to describe a solution to the given problem without granting administrative rights.

One thought on “NSA Security Recommendations Part 1”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s