Lion - Recommended System Preferences
These settings are based on the National Security Agency, CIS, Apple and ITCS recommendations.
System Preference | Image | Recommended Changes |
|
| ||
Desktop & ScreenSaver
|
The University highly recommends setting the screen saver to turn on within 15 minutes or less and to be password protected. If you are delayed in getting back to your workstation, your data will be protected from prying eyes. You can also set hot corners to keep someone who has unexpectedly walked in from viewing your screen. Screen saver password protection is located in the Security preference pane. | |
|
| ||
Dock
|
"Automatically hide and show the Dock" can be turned on to prevent others from seeing the applications you have on your computer. | |
|
| ||
General
|
If intruders gain access to your computer, they can use the recent items menu to quickly view what you've recently used. Setting recent items to "None" provides some security against unsophisticated intruders. | |
|
| ||
|
Recommended Settings:
• Require password immediately after sleep or screen saver begins.
• Disable automatic login = checked
• Require an administrator password to access system preferences with lock icons = checked
• Log out after 60 minutes of inactivity = unchecked
• Show a message when the screen is locked = optional
• Automatically update safe downloads list = checked
• Disable remote control infrared receiver = optional | ||
|
| ||
|
|
The settings are personal preference. The password for this CANNOT be retrieved.
• Encrypts using government-approved 128-bit (AES-128) encryption by putting your entire home folder into a bundle disk image.
• Does support 256-bit Advanced Encryption.
• Great for use on portable systems where physical security can't be guaranteed.
• Only protects data at rest, which means only when a user is not logged in. This is useful if the computer is stolen.
• If the password is lost, there is NO way to recover it.
• To use FileVault, you'll need to be able to double the size of your home directory.
• Not recommended for use with Directory accounts as the passwords don't always sync.
• Does not protect files transferred over a network. | |
|
| ||
Security > Firewall
|
Turn Firewall On | |
|
| ||
Security > Firewall > Advanced
|
BEST OPTION
NEXT BEST OPTION
| |
|
| ||
Spotlight
|
Place confidential folders in the Privacy area if you need to keep them on your hard drive. However, remember that anyone can remove them from the Privacy area. No authentication is required in this pane, so someone can remove them and then do a search. Consider adding the top-level folders that contain these folders, like your Documents folder or ~/Library/Mail for Apple Mail contents. By default, the entire system is available for searches, so use the Privacy area for protection. | |
|
| ||
CDs & DVDs
|
The default settings of the CDs & DVDs preference pane will automatically launch a program assigned within it. If the item contains any malicious actions, they will automatically be launched and the system compromised. Best practice is to set all actions to Ignore. | |
|
| ||
Displays
|
Turn on "Show displays in menu bar" so there is easy access on portables to attached second monitors or projectors. Use caution when enabling mirroring, which might expose private data to others. | |
|
| ||
Energy Saver
|
|
Configure the computer so it only wakes when you physically access it. Do not set it to restart after a power failure. |
|
| ||
MobileMe
|
Should only be used for accounts that don't have access to critical data. Avoid enabling MobileMe for administrator or root user accounts. Leave all options blank. | |
|
| ||
Network
|
|
It's recommended that you disable unused hardware devices in the list. From the list, select the device you don't use. Click the action button below the list and select "Make Service Inactive". |
|
| ||
Sharing
|
|
Turn all services off unless necessary. |
|
| ||
Bluetooth |
|
If you are not using Bluetooth, turn it off. |
|
| ||
Date & Time
|
|
Correct date and time settings are critical, especially for machines that are on the domain or use Kerberos. Incorrect dates and times can cause security issues. Make sure "Set date and time automatically" is checked. |
|
| ||
Startup Disk
|
|
Always have at least one item selected. If there is not something selected, sometimes your system will choose for you. A "?" might appear at startup while it searches for a bootable disk. |
|
| ||
Users & Groups
|
|
Turn all guest access off. |
| | ||
|
| ||
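The following shell script is an added example, not part of the original page or any University tooling: it checks a few of the recommendations above (screen saver timeout and password, firewall, automatic login, guest access) from Terminal. The preference domains and key names it reads with `defaults` are assumptions about where Lion stores these settings, and the setting names such as screensaver_idle are labels invented for this example.

```shell
#!/bin/sh
# Added example. Domains/keys in audit() are assumptions about where Lion
# stores these settings; setting names are labels invented for this script.

# evaluate NAME VALUE: print PASS or FAIL for one setting against the page's advice.
evaluate() {
  name=$1; actual=$2
  case "$name" in
    screensaver_idle)      # seconds: on (non-zero) and 15 minutes or less
      case "$actual" in ''|*[!0-9]*) echo FAIL; return 1 ;; esac
      [ "$actual" -gt 0 ] && [ "$actual" -le 900 ] ;;
    screensaver_password)  [ "$actual" = 1 ] ;;      # password required
    password_delay)        [ "$actual" = 0 ] ;;      # required immediately
    firewall_state)        [ "$actual" = 1 ] || [ "$actual" = 2 ] ;;  # 0 = off
    auto_login_user)       [ -z "$actual" ] ;;       # unset = automatic login disabled
    guest_enabled)         [ "$actual" = 0 ] ;;      # unset is FAIL: check by hand
    *) echo UNKNOWN; return 2 ;;
  esac && { echo PASS; return 0; }
  echo FAIL; return 1
}

# read_pref DOMAIN KEY [-currentHost]: print the stored value, or nothing if unset.
read_pref() {
  defaults $3 read "$1" "$2" 2>/dev/null || true
}

# audit: read each setting and report it; returns 1 if any setting fails.
audit() {
  rc=0
  while read -r name domain key host; do
    value=$(read_pref "$domain" "$key" "$host")
    result=$(evaluate "$name" "$value") || rc=1
    printf '%-22s %-7s (value: %s)\n' "$name" "$result" "${value:-unset}"
  done <<EOF
screensaver_idle com.apple.screensaver idleTime -currentHost
screensaver_password com.apple.screensaver askForPassword
password_delay com.apple.screensaver askForPasswordDelay
firewall_state /Library/Preferences/com.apple.alf globalstate
auto_login_user /Library/Preferences/com.apple.loginwindow autoLoginUser
guest_enabled /Library/Preferences/com.apple.loginwindow GuestEnabled
EOF
  return $rc
}

# Run only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
  audit || echo "One or more settings need attention."
fi
```

Run it as the user whose settings you want to check; the screen saver values are per-user, while the firewall and login window values are system-wide.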