Information Computing and Technology Services

Lion - Recommended System Preferences

These settings are based on National Security Agency, CIS, Apple and ITCS recommendations.

System Preference


Recommended Changes

Desktop & ScreenSaver




The University highly recommends that the screen saver turn on within 15 minutes or less and be password protected. If you are delayed in getting back to your workstation, your data will be protected from prying eyes.

You can also set hot corners to prevent someone who has unexpectedly walked in from viewing your screen.

Screensaver password protection is located in the Security preference panel.



Dock

The "Automatically hide and show the Dock" option can be turned on to prevent others from seeing the applications you have on your computer.




If intruders gain access to your computer, they can use the recent items menu to quickly view what you've recently used. Setting recent items to "None" provides some security against unsophisticated intruders.


Security > General


Recommended Settings:

• Require password immediately after sleep or screen saver begins.

• Disable automatic login = checked

• Require an administrator password to access system preferences with lock icons = checked

• Log out after 60 minutes of inactivity = unchecked

• Show a message when the screen is locked = optional

• Automatically update safe downloads list = checked

• Disable remote control infrared receiver = optional



Security > FileVault

Encrypts your home folder.


The settings are personal preference. The password for this CANNOT be retrieved.

• Encrypts using government-approved 128-bit (AES-128) encryption by putting your entire home folder into a bundle disk image.

• Does support 256-bit Advanced Encryption.

• Great for use on portable systems where physical security can't be guaranteed.

• Only protects data at rest, which means only when a user is not logged in. This is useful if the computer is stolen.

• If the password is lost, there is NO way to recover it.

• To use FileVault, you'll need to be able to double the size of your home directory. 

• Not recommended for use with Directory accounts as the passwords don't always sync.

• Does not protect files transferred over a network.


Security > Firewall

Turn Firewall On


Security > Firewall > Advanced

  • Block all incoming connections = On, and select which applications are allowed in through that preference pane.


  • Automatically allow signed software to receive incoming connections = On



Spotlight > Privacy

Place confidential folders in the Privacy area if you need to keep them on your hard drive. However, remember that anyone can remove them from the Privacy area. No authentication is required in this pane, so someone can remove them and then do a search.

Consider disabling top-level folders that contain these folders, such as your Documents folder, or ~/Library/Mail for Apple Mail contents.

By default, the entire system is available for searches, so use the Privacy area for protection.


CDs & DVDs


The default settings of the CDs & DVDs preference pane will automatically launch a program assigned within it. If the item contains any malicious actions, they will automatically be launched and the system compromised. Best practice is to set all actions to Ignore.



Displays

Turn "Show displays in menu bar" on so there is easy access on portables to attached second monitors or projectors.

Use caution when enabling mirroring, which might expose private data to others.


Energy Saver


Configure the computer so it only wakes when you physically access it. Do not set it to restart after a power failure.



MobileMe

Should only be used for accounts that don't have access to critical data. Avoid enabling MobileMe for administrator or root user accounts. 

Leave all options blank.



Network

It's recommended that you disable unused hardware devices in the list. From the list, select the device you don't use. Click the action button below the list and select "Make Service Inactive".




Sharing



Turn all services off unless necessary.




If you are not using Bluetooth, turn it off.


Date & Time




Correct date and time settings are critical, especially for those machines that are on the domain or use Kerberos. Incorrect dates and times can cause security issues. Make sure "Set date and time automatically" is checked.


Startup Disk





Always have at least one item selected. If there is not something selected, sometimes your system will choose for you. A "?" might appear at startup while it searches for a bootable disk.


Users & Groups





Turn all guest access off.
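
A read-only Terminal check for several of the settings recommended above (screen saver timeout, password on wake, automatic login, firewall, guest access), added here as an example and not part of the original ITCS page. The `defaults` domains and keys it reads are assumptions based on commonly documented OS X preference locations and can differ between releases.

```shell
#!/bin/sh
# Added example: compare current preference values with this page's
# recommendations. Nothing is changed. Domains/keys are assumptions;
# confirm them on your OS release. An unreadable key counts as FAIL
# (unverified), except autoLoginUser, which is absent when disabled.

# evaluate <setting> <value>: print PASS or FAIL for one reading.
evaluate() {
  case "$1" in
    screensaver_idle)  # seconds; page: 15 minutes or less (0 = never)
      [ "$2" -gt 0 ] 2>/dev/null && [ "$2" -le 900 ] && echo PASS || echo FAIL ;;
    ask_for_password)  # 1 = password required after sleep/screen saver
      [ "$2" = 1 ] && echo PASS || echo FAIL ;;
    ask_delay)         # seconds; page: "immediately"
      case "$2" in 0|0.0) echo PASS ;; *) echo FAIL ;; esac ;;
    auto_login_user)   # empty = automatic login disabled
      [ -z "$2" ] && echo PASS || echo FAIL ;;
    firewall_state)    # 0 = off, 1 = on, 2 = block all incoming
      case "$2" in 1|2) echo PASS ;; *) echo FAIL ;; esac ;;
    guest_enabled)     # 0 = guest account off
      [ "$2" = 0 ] && echo PASS || echo FAIL ;;
    *) echo UNKNOWN ;;
  esac
}

# report <setting> <value>: one aligned output line per setting.
report() {
  printf '%-18s %-10s %s\n' "$1" "${2:-<unset>}" "$(evaluate "$1" "$2")"
}

audit() {
  lw=/Library/Preferences/com.apple.loginwindow
  report screensaver_idle "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)"
  report ask_for_password "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)"
  report ask_delay        "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)"
  report auto_login_user  "$(defaults read "$lw" autoLoginUser 2>/dev/null)"
  report firewall_state   "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
  report guest_enabled    "$(defaults read "$lw" GuestEnabled 2>/dev/null)"
}

# Run the live audit only where the `defaults` tool exists (a Mac).
if command -v defaults >/dev/null 2>&1; then
  audit
fi
```

Run it as the logged-in user whose screen saver settings you want to check; any FAIL line points to the matching preference pane described above.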


