Locking down parental controls

Once set up, the parental controls and permissions restrictions for an account in OS X should be fairly secure for a booted and running system. Despite this, a number of parents are running into problems where their kids are cleverly getting around the parental restrictions. Here are the ways they are doing this, and how to best combat them.

The computer's security systems can be overcome through one built-in vulnerability: the ability to boot off of an OS X installation DVD and change the administrative password. If someone has an alternative boot device for the computer, then they can access the internal hard drive's contents will full root privileges and change settings as they please. Oddly, Apple provides the means for doing exactly this on the provided OS X installation DVD.

If a child is getting around the parental controls, they are probably booting off the installation DVD, resetting the administrative password with the "Password Reset..." utility that's in the "Utilities" menu on the DVD, and then logging in as an admin account and changing the parental controls settings.

Granted when these situations involve kids they may benefit from a stiff exercise in parenting, but from a technical standpoint the computer's security systems can be overcome by various means for locking the ability to boot from alternative devices.

Alternate boot options and preventing their use

Booting from an external device requires you to provide firmware boot arguments so the system initially looks for the specified device for a boot volume. This can be done by using the "Startup Disk" system preferences (requires administrative access), or by restarting the computer and holding one of several key combinations:

options -- the boot menu
C -- the optical drive
N -- Netboot
options-command-shift-delete -- bypass the main boot drive

Even booting into Target Disk mode (holding "T" at boot) can allow the drive to be mounted on another computer where the "reset password" utility can then be used.

Since all of these options are commands that are passed to the firmware when the system is started up, the way to prevent them from working is to lock the firmware. Apple provides a firmware password utility that will do this, which is available on the OS X installation DVD. When enabled, the password will prevent any firmware settings changes, even at bootup. This will prevent kids and others from using an install DVD to bypass parental controls; however, with it enabled you will not be able to reset the PRAM, boot into Safe Mode, or specify an alternate boot disk.

Checking for and setting the firmware password

To check if your Mac has a firmware password already set, reboot the system and hold the options key down. If you see a boot menu with available boot volumes, then you do not have a firmware password set; however, if you see a lock with a space for a password, then the firmware password is set.

To enable the firmware password, boot to the installation DVD (insert it and reboot with the "C" key held) and select your language. Then from the "Utilities" menu select "Firmware Password Utility" and follow the instructions. Once you supply a password the firmware will be locked.

Resetting the Firmware password

Once the firmware password is set, the computer should be locked; however, there are a couple of ways to reset the password. The first is to use the password utility again and either turn it off or change the password. The second is to have physical access to the system and change the hardware configuration of the system, the easiest being to remove a RAM module. Changing the hardware configuration will remove the password and require you to set it up again, and the only way to prevent this is to physically lock the computer down.

On Apple's pro desktops, the case can be locked from the back using the latch mechanism and a variety of locking devices. For other systems the locks may not be as straightforward. Recent MacBooks with bottom case latches will not allow for access to the interior while a kensington lock is attached, but other systems may not have such locking mechanisms. Regardless of how it is done, locking the case is the only way to prevent a firmware password from being reset. There are a variety of options out there, but each will depend on the specific model of Mac you own.

Questions? Comments? Post them below or email us!
Be sure to check us out on Twitter and the CNET Mac forums.