Lion - Recommended System Preferences



These settings are based on the National Security Agency, CIS, Apple and ITCS recommendations.

System Preference


Recommended Changes

 


Desktop & Screen Saver


 


The University highly recommends setting the screen saver to turn on within 15 minutes or less and to be password protected. If you are delayed in getting back to your workstation, your data will be protected from prying eyes.

You can also set hot corners to prevent someone who has unexpectedly walked in from viewing your screen.

Screensaver password protection is located in the Security preference panel.

 


Dock




"Automatically hide and show the Dock" can be turned on to prevent others from seeing the applications you have on your computer.

 


General



If intruders gain access to your computer, they can use the recent items menu to quickly view what you've recently used. Setting recent items to "None" provides some security against unsophisticated intruders.

 


Security > General




Recommended Settings:

• Require password immediately after sleep or screen saver begins.

• Disable automatic login = checked

• Require an administrator password to access system preferences with lock icons = checked

• Log out after 60 minutes of inactivity = unchecked

• Show a message when the screen is locked = optional

• Automatically update safe downloads list = checked

• Disable remote control infrared receiver = optional

 

 


Security > FileVault

Encrypts your home folder.

The settings are personal preference. The password for this CANNOT be retrieved.
    

• Encrypts using government approved 128-bit (AES-128) encryption by putting your entire home folder into a bundle disk image.

• Does support 256-bit Advanced Encryption.

• Great for use on portable systems where physical security can't be guaranteed.

• Only protects data at rest, which means only when a user is not logged in. This is useful if the computer is stolen.

• If the password is lost, there is NO way to recover it.

• To use FileVault, you'll need to be able to double the size of your home directory. 

• Not recommended for use with Directory accounts as the passwords don't always sync.

• Does not protect files transferred over a network.

 


Security > Firewall


Turn Firewall On

 


Security > Firewall > Advanced


BEST OPTION
  • Block all incoming connections = On, and select which applications are allowed in through that preference pane.

NEXT BEST OPTION

  • Automatically allow signed software to receive incoming connections = On

 


Spotlight




Place confidential folders in the Privacy area if you need to keep them on your hard drive. However, remember that anyone can remove them from the Privacy area. No authentication is required in this pane, so someone can remove them and then do a search.

Consider disabling searches of top-level folders that contain these folders, such as your Documents folder or ~/Library/Mail for Apple Mail contents.

By default, the entire system is available for searches, so use the Privacy area for protection.

 


CDs & DVDs



The default settings of the CDs & DVDs preference pane will automatically launch a program assigned within it. If the item contains any malicious actions, they will automatically be launched and the system compromised. Best practice is to set all actions to Ignore.

 


Displays


Turn "Show displays in menu bar" on so that portables have easy access to attached second monitors or projectors.

Use caution when enabling mirroring, which might expose private data to others.

 


Energy Saver


 

Configure the computer so it only wakes when you physically access it. Do not set it to restart after a power failure.

 


MobileMe



Should only be used for accounts that don't have access to critical data. Avoid enabling MobileMe for administrator or root user accounts. 

Leave all options blank.

 


Network



 

 

It's recommended that you disable unused hardware devices in the list. From the list, select the device you don't use. Click the action button below the list and select "Make Service Inactive".

 


Sharing

 


 

 

Turn all services off unless necessary.

 


Bluetooth


 

If you are not using Bluetooth, turn it off.

 


Date & Time



 

 

Correct date and time settings are critical, especially for machines that are on the domain or use Kerberos. Incorrect dates and times can cause security issues. Make sure "Set date and time automatically" is checked.

 


Startup Disk

 


 

 

Always have at least one item selected. If nothing is selected, your system will sometimes choose for you. A "?" might appear at startup while it searches for a bootable disk.

 


Users & Groups

 


 

 

Turn all guest access off.
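
The screen saver, Security > General and Security > Firewall recommendations above can be checked from Terminal instead of by opening each pane. The script below is an added example, not part of the original page; the preference domains and keys it reads (com.apple.screensaver idleTime, askForPassword and askForPasswordDelay, and com.apple.alf globalstate) and the function names are assumptions, and where the defaults command is unavailable it runs on constructed sample values.

```sh
#!/bin/sh
# Added example (not from the original page). Preference domains and keys are
# assumptions about where OS X stores these settings; confirm on your version.

# is_uint VALUE: true when VALUE is a non-empty string of digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# check_screen_lock IDLE_SECONDS ASK_FOR_PASSWORD DELAY_SECONDS
# Passes when the screen saver starts within 15 minutes (900 s) and a
# password is required immediately once it begins.
check_screen_lock() {
    idle=$1 ask=$2 delay=${3%%.*}   # the delay may be stored as a float
    is_uint "$idle" && is_uint "$ask" && is_uint "$delay" ||
        { echo "FAIL screen lock: value missing or unreadable"; return 1; }
    [ "$idle" -gt 0 ] && [ "$idle" -le 900 ] ||
        { echo "FAIL screen saver idle time is $idle s (want 1-900)"; return 1; }
    [ "$ask" -eq 1 ] ||
        { echo "FAIL screen saver does not require a password"; return 1; }
    [ "$delay" -eq 0 ] ||
        { echo "FAIL password required only after $delay s (want 0)"; return 1; }
    echo "PASS screen lock"
}

# check_firewall GLOBALSTATE: 0 = off, 1 = on, 2 = block all incoming.
check_firewall() {
    case "$1" in
        2) echo "PASS firewall on, blocking all incoming connections" ;;
        1) echo "PASS firewall on" ;;
        *) echo "FAIL firewall off or state unreadable"; return 1 ;;
    esac
}

# audit IDLE ASK DELAY GLOBALSTATE: run both checks; return 1 if any fails.
audit() {
    rc=0
    check_screen_lock "$1" "$2" "$3" || rc=1
    check_firewall "$4" || rc=1
    return "$rc"
}

if command -v defaults >/dev/null 2>&1; then   # on a Mac: read live values
    audit "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" \
          "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
          "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)" \
          "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)" ||
        echo "One or more settings need attention"
else                                           # elsewhere: constructed sample
    audit 1800 1 5 0 || echo "One or more settings need attention"
fi
```

A setting that has never been changed may have no stored value, in which case the check reports it as unreadable rather than assuming a default.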


 

 
