Macintosh Security Basics - Presentation Notes

Configuring a File Sharing server

File Sharing Control Panel

• Owner Name
• Owner password (NOT BLANK!)
• Computer Name

The IP address will be filled in automatically.

Default: Computer name will be “<name’s> Macintosh.” Change it.

Open the File Sharing Control Panel. Before you can start sharing files, you have to define an Owner Name, an Owner password (DON’T LEAVE IT BLANK!), and a Computer Name. The IP address will be filled in automatically.

By default, your computer name will be “<name’s> Macintosh.” I recommend that you change this, or at least don’t use your real name in the Owner box; otherwise anyone surfing through the Chooser will be able to see the name and know it’s your Mac. Never give potential attackers more information than you must. You can name your Mac pretty much anything you want, with or without spaces, but spaces are not recommended due to potential network incompatibility.


File Sharing control panel

 


Security Through Obscurity

If computer name is revealing, then login should be different

Don’t make it easy for attackers to gather info from public information.

If your computer’s name is something revealing about you (like “Joe Smith’s House of MP3s”) then perhaps your login should NOT be “joe” or “smith” or “jsmith” etc. If attackers can enumerate likely usernames or passwords from public information, like the computer name, then you’ve significantly decreased the amount of effort it will take for them to break in. Don’t give out clues.


Owner is Omnipotent

If FS is on, Owner can already log in and get to everything

No matter what you do with specific shared items, Owner can see it all.

Protect Owner’s login info!

Keep in mind that once you turn on File Sharing, anyone who can log in as Owner will be able to do anything to your data (including most of your system files -- enough to render your Mac un-bootable). This is true EVEN IF you do not explicitly share anything. If file sharing is turned on, Owner basically has remote “god” rights. Owner is a special account, the closest thing to root on MacOS, and the rest of the sharing privileges you specify are moot for the user logging in as owner. Protect this login and password!


File Sharing over TCP

You can allow FS over TCP/IP

Faster, but more revealing
• AFPoverTCP will show up on portscan

Routers and AppleTalk
• Now, more of the Internet can see your Mac

But, AppleTalk is clear text. Pro, con, pro, con, etc.

Now that file sharing is turned on, you can start tweaking. You can choose to allow File Sharing over IP -- this means that clients can connect to your Mac by its IP address, and use TCP/IP to transfer data. This is faster than AppleTalk and has the advantage of TCP’s connection integrity maintenance, but keep in mind that it also pulls the curtain aside a little more than plain old AppleTalk. Your Mac will now have AFPoverTCP services listening on TCP ports; this will show up on a portscan, and it’s a dead giveaway that your machine is a Mac.

Furthermore, most routers do not route AppleTalk, but they pretty much all route TCP. This is a double-edged sword; a user on the other side of your network’s router could theoretically (assuming the network admins don’t specifically filter out afpovertcp at the border) connect to your Mac. This is a nice idea for legitimate use, but it also opens you up to an even bigger pool of potential bad guys. If you use AppleTalk, then your machine is only visible to users on Dartmouth’s local network.

BUT the disadvantage to using AppleTalk is that your password will be sent clear-text.

So there’s always give-and-take with this. It depends on your configuration (do you have a firewall?) and what’s most important to you. For the sake of this example, I’m going to sacrifice password security in order to minimize my overall exposure to potential bad guys. This would not be the best choice for everyone.


Apps over the net and Program Linking

You can share apps such that a remote user can launch an app on the Mac server from another Mac. It runs over the network and displays on your local screen.

Nice idea, but…not really.
• Resource/network hog
• CRASH

Program Linking is an AppleScript thing. Scary.

If you share an application (or a folder containing an application), remote users can launch the app over the network to do stuff on their client Macs. In other words, I could be working in a lab and discover that someone deleted Microsoft Word off the computer I’m using. I need to use Word to write my paper. So I simply connect to my Mac and launch MY copy of Word over the net. It opens on my screen, and I can open and save files with it on my local lab Mac. This is a cute idea, but in my experience, it’s such a huge resource hog that it typically causes one or both Macs to crash. It’s also pretty unkind to other users on the network. And good luck if two of your users try to launch the same program simultaneously.

Program Linking (now known as Remote Apple Events) allows one Mac to send AppleScript commands (“Apple Events”) to applications on another Mac via AppleTalk or TCP/IP. Normal users (with passwords) would need to log in for each Event. But if you give Guests PL privs AND you enable PL for a given app, then anyone with a Mac could send Events to that app. You might ask, why would anyone do such a thing? Well, in my experience, new users who are trying to get File Sharing to work have a tendency to think “Jeez, I just want this to work, I’m gonna check EVERY BOX until it does.” And keep in mind that the Finder is scriptable -- this means that, if PL is enabled for the Finder, remote users could send Apple Events to the remote machine’s Finder telling it to, say, delete some System files. Or shut down the computer. Remember the LoJack story and what he was able to do with AppleScripts, then realize that someone could do all that without even loading a file onto the hard disk.


Recommended initial setup

Assume recommended initial setup:

• Computer name not too revealing
• Owner name not related to computer name
• Good strong password
• File Sharing enabled but not over TCP
• Program Linking NOT enabled

Test config from another machine.

If you are the only one who’s ever going to be using your Mac, and you trust yourself to have full privileges (i.e. Owner), then you’re done. You can test your setup by using another Mac to connect to yours; you should NOT be able to log on as “Guest” (which requires no password).
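
An added example, not part of the original notes: a small Python self-check that applies the recommended initial setup above, plus the earlier point about logins derived from the computer name, to settings you copy by hand from the File Sharing control panel. The dictionary keys, finding codes and sample values are assumptions made for this example; password strength is not measured beyond "blank" or "derivable from the computer name."

```python
import re

def guessable_logins(computer_name):
    """Logins someone could derive from the name shown in the Chooser."""
    text = re.sub(r"['’]s\b", "", computer_name.lower())   # drop possessive 's
    words = [w for w in re.findall(r"[a-z0-9]+", text) if len(w) > 1]
    guesses = set(words)
    for a, b in zip(words, words[1:]):        # adjacent word pairs
        guesses |= {a + b, a[0] + b, a + b[0], b + a, a + "." + b}
    return guesses

def audit(cfg):
    """Return finding codes where cfg departs from the recommended setup."""
    findings = []
    guesses = guessable_logins(cfg["computer_name"])
    owner = cfg["owner_name"].lower()
    if re.search(r"['’]s Macintosh$", cfg["computer_name"]):
        findings.append("default-computer-name")
    if owner in guesses:
        findings.append("owner-name-derivable")
    if not cfg["owner_password"]:
        findings.append("blank-owner-password")
    elif cfg["owner_password"].lower() in guesses | {owner}:
        findings.append("password-derivable")
    if cfg["sharing_over_tcp"]:
        findings.append("sharing-over-tcp")
    if cfg["program_linking"]:
        findings.append("program-linking-enabled")
    if cfg["guest_can_connect"]:
        findings.append("guest-can-connect")
    return findings

# Constructed sample settings (hypothetical values, not from a real machine).
WEAK = {"computer_name": "Joe Smith’s Macintosh", "owner_name": "jsmith",
        "owner_password": "", "sharing_over_tcp": True,
        "program_linking": True, "guest_can_connect": True}
GOOD = {"computer_name": "Bluebird", "owner_name": "kestrel",
        "owner_password": "constructed-Passphrase-41", "sharing_over_tcp": False,
        "program_linking": False, "guest_can_connect": False}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("good", GOOD)):
        print(label, audit(cfg))
```

An empty list means the settings match the recommended initial setup; the live test from another Mac is still needed to confirm Guest cannot connect.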


Other users

If you want to have other users or guests:

• First create their accounts/enable their access
• The Guest account already exists, and cannot have a password.

So, ANYTHING you make accessible to Guest will be accessible to ANYONE.

Now, if you want to have other users or guests connecting to your Mac, you must first create their accounts (in the cases of other named/passworded users) or enable their access (in the case of the Guest user).

The Guest account already exists, and cannot have a password. So keep in mind that ANYTHING you make accessible to Guest will be accessible to ANYONE who can connect to your Mac (in our case, anyone with a Mac at Dartmouth) with no password required.


Creating accounts

File Sharing Control Panel -> Users and Groups

Later on, specify which volumes/folders/files users can connect to

Right now, you’re defining the basics (what accounts exist, whether or not they can connect at all, etc.)

In the File Sharing Control Panel, click on the Users and Groups tab. This is where you can edit the privileges of an existing user (for example, if you wanted to enable Guests to connect, then double-click the Guest user, drop down the “Sharing” menu option, and click the appropriate boxes).

Later on, you will specify which volumes/folders/files users can connect to; right now, you’re defining the basics (can Guests connect at all, what are your users’ names and passwords, can they change their passwords, what groups do they belong to, etc.)


Users and Groups

Here, I have defined two users, joeblow and joeschmoe, in addition to the built-in owner and guest accounts.

I also have a group called my-users.
 


User Identity

This is the box you see when you create a new user. You must set an initial password.

Notice that you can choose whether or not to allow your users to change their passwords.

Another note: As an administrator, you can reset a user’s password, but you can’t see the old one.
 


User Sharing

From the popup menu in this window, select “Sharing” (instead of “Identity”) and this is where you can specify whether to allow the user to connect at all, and whether that user can make use of Program Linking (only applicable if you enabled PL in the initial setup.)
 


Groups

The group my-users contains both joeblow and joeschmoe. So if I want to share a folder to the two of them, but no one else, I can use this group. (This will be made more clear in a couple slides.)
 
