Snow Leopard - Recommended System Preferences

Share MyLinks

Mac Resources

In this section

Snow Leopard - Recommended System Preferences

These settings are based on the CIS, Apple and ITCS recommendations.

System Preference	Image	Recommended Changes

Appearance Changes highlight colors, scroll bar placement and number of recent items in the Recent Items list. The settings are personal preference.		If intruders gain access to your computer, they can use the recent items menu to quickly view what you've recently used. Setting recent items to "None" provides some security against unsophisticated intruders.

Desktop & ScreenSaver Sets your desktop background, screensaver images and hot corners.		The University highly recommends the screen saver to turn on within 15 minutes or less and be password protected. If you are delayed from getting back to your workstation, your data will be protected from prying eyes. You can also set hot corners to prevent someone who has unexpectedly walked in from viewing your screen. Screensaver password protection is located in the Security preference panel.

Dock Sets size, magnifications, position on screen, and effects.		Automatically hide and show the dock can be turned on to prevent others from seeing the applications you have on your computer.

Exposé & Spaces Sets hot corners, expose and Dashboard options.		Turn off everything except for the bottom right corner which will have a password set in the Security preferences.

Language & Text Sets language order, text substitution and input sources.		The settings are personal preference.

Security > File Vault Encrypts your home folder. More from Apple....		The settings are personal preference. The password for this CANNOT be retrieved. Encrypts using government approved 128-bit (AES-128) encryption by putting your entire home folder into a bundle disk image. Does support 256-bit Advanced Encryption. Great for use on portable systems where physical security can't be guaranteed. Only protects data at rest which means only when a user is not logged in. This is useful if the computer is stolen. If the password is lost, there is NO way to recover it. To use FileVault, you'll need to be able to double the size of your home directory. Not recommended for use with Directory accounts as the passwords don't always sync. Does not protect files transferred over a network.

Security > Firewall Prevents unauthorized programs from accessing your computer.		Turn Firewall On

Security > Firewall > Advanced Fine tunes the firewall.		BEST OPTION Block all incoming connections on and select which applications are allowed in through that preference pane. NEXT BEST OPTION Automatically allow signed software to receive incoming connections = On

Spotlight Built-in search engine. It searches the name, meta-information associated with the file and the contents of that file. Location on the hard drive is not an issue. If you have confidential files, you need to properly set access permissions on folders containing those files. By default, the entire system is available for searches.		Place confidential folders in the Privacy area if you need to keep them on your hard drive. However, remember that anyone can remove them from the Privacy area. No authentication is required in this pane so someone can remove them and then do a search. Consider disabling top-level folders that contain these folders like your Documents folder or ~/Library/Mail for apple mail contents.

CDs & DVDs Tells the Finder what to do when CDs/DVDs are mounted.		The default settings of the CDs & DVDs preference pane will automatically launch a program assigned within it. If the item contains any malicious actions, they will automatically be launched and the system compromised. Best practice is to set all actions to Ignore.

Displays Monitor or laptop display settings.		Turn Show displays in menu bar on so there is easy access on portables to attached second monitors or projectors. Use caution when enabling mirroring which might expose private data to others.

Energy Saver Battery or Power Adapter settings.		Configure the computer so it only wakes when you physically access it. Do not set it to restart after a power failure.

MobileMe A suite of tools to help synchronize data when you're away from your computer.		Should only be used for accounts that don't have access to critical data. Avoid enabling MobileMe for administrator or root user accounts. Leave all options blank.

Network Ethernet, Wireless and VPN settings		Its recommended that you disable unused hardware devices in the list. From the list, select the device you don't use. Click the action button below the list and select "Make Service Inactive".

Sharing File sharing, screen sharing, etc
Bluetooth Used to set up wireless keyboards, mice etc.		If you are not using Bluetooth, turn it off.

Accounts Account password, setup, etc		Modify login options to provide as little information as possible. Disable automatic login. Require that you enter the name and password instead of clicking on a name. Don't use password hints. Disable Restart, Sleep and shut down buttons so someone can't restart the computer without pressing the power button or logging on. Disable fast user switching - it allows multiple users to be simultaneously logged in which means its difficult to track user actions and also allows users to run malicious apps in the background while another user is using the computer. When some external volumes are mounted under another user's account, they grant access to all users and ignore access permissions. Avoid accounts shared by multiple users. Individual accounts maintain accountability. If a shared account is compromised, its hard to track down the offender.

Date & Time Account password, setup, etc		Correct date and time settings are critical especially for those machines that are on the domain or user Kerberos. Incorrect date and times can cause security issues. Make sure "Set data and time automatically" is checked.

Startup Disk Sets which disk, partition or device your system boots from.		Always have at least one item selected. If there is not something selected, sometimes your system will choose for you. A "?" might appear at startup while it searches for a bootable disk.