Wednesday, July 21, 2004

GeekStuff: Fully Leveraging Security Built-In OS X

In a related development on this blog entry about various layers of operating system security, it would appear net-security.org saved me the extra work of outlining ways to further secure a Mac running OS X. I'm glad 'cuz they obviously know their stuff, and I don't. heh.

I would invite Windows users of all flavors to post similar pointers to their favorite geek forums, or as replies to this post.

One thing the PDF doesn't appear to mention is Mac OS X's very interesting user access restrictions: Apple Menu --> System Preferences --> Accounts. From there you can either create an account to play around with, or select an existing account you're not logged into. Select Account --> Limitations Tab --> Check "This user can only use these applications:" box. We're talking here about defining a list of applications the user may launch. Combine that with making the user a non-administrator user who can only write to their home directory, and you have yourself a very powerful way to further limit the amount of damage that can be inflicted upon your Mac. If I was in charge of a School Computer Lab, or, say, Corporate IT in an industry where computer usage is very much restricted to a set of a few basic apps, I so would leverage the crap out of this feature. It is truly cool.

I'm all about use cases, so I created "user DZ", set those restrictions and set myself to do what an average luser would do: download and install LimeWire. Here's a screenshot of what happened 8).

Update: fixed the screenshot link.

3 comments:

Anonymous said...

Dude, your screen cap .pdf is inaccessible. But this is a good enough ending anyways:

"so I created "user DZ", set those restrictions and set myself to do what an average luser would do: download and install LimeWire."

LOLOLOLOLOL

-megabob

Anonymous said...

But you can run applications from anywhere. They don't have to be necessarily in the applications folder. So it would still be usable.

Chris Holland said...

"applications from anywhere. They don't have to be necessarily in the applications folder. So it would still be usable."

Yup, you sure can run applications from anywhere, but this "whitelisting" feature really acts at the "process" level. It doesn't matter where the app lives, if it is not whitelisted, you won't be allowed to run it.