
Tip: Beef up default system security in OS X

Apple has a number of options and system settings for enhancing security, most of which are available if you browse through the system preferences, but there are also other settings and practices that can help increase security.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

For any Mac, new or current, you can do several things to easily increase the security of your system. Apple has several options and system settings for enhancing security, most of which are available if you browse through the system preferences, but there are also other settings and practices that can help increase security.

1. Use a standard account

While there are convenience benefits to running in an Administrator account, doing so also increases the chances of inadvertently changing system files and settings. There is also a small risk of malicious programs taking advantage of an open administrative account to gain access to other users' files or system files. The drawback to using a standard user account is that you will have to authenticate more often when performing some tasks, such as changing system settings.

2. Consider using FileVault

Apple has an option to encrypt user accounts in a secure disk image file that is loaded and mounted at log-in. This is a convenient way to ensure all user-related files and settings are kept secure so nobody can access them, but it does come with a small risk that disk image corruption could prevent log-in. If you regularly back up your system with Time Machine, however, you should be able to easily recover the home folder disk image in the event of a problem.

3. Enable options in the "Security" system preferences

Apple's one-stop shop for most security settings is the aptly named "Security" system preferences. Here you can set the option to prevent automatic log-in, and also change how the log-in window behaves (showing or hiding usernames), which can be useful if other people have access to your computer. The security preferences also have the option to encrypt virtual memory, which ensures the system page file does not contain any information that can easily be read by malware or hackers. Enabling this offers no difference in performance, and only increases security. Disabling location services and the remote IR receiver can also increase security; however, this may affect some applications that are dependent on your location, such as time zones and calendars (though this should only be relevant for laptops).

Lastly, in the Security preferences be sure to turn on the Firewall, and enable stealth mode. The preferred option from a security standpoint is to block all but the essential options. However, if you do not do this, then at least keep the firewall enabled so access can be managed through the program list. Do regularly check the list and remove applications that you do not use frequently. If you are unsure about a program, just remove it and the system will ask you about what to do the next time it needs to access the internet.
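The account type from tip 1 and the firewall, stealth mode and automatic log-in settings from tip 3 can also be checked from Terminal. The script below is an added example, not part of the original article; the preference file locations and key names it reads (`com.apple.alf` and `com.apple.loginwindow` under `/Library/Preferences`) are assumptions about where OS X stores these settings, and the verdict wording is made up for illustration.

```shell
#!/bin/sh
# Added example: report on the settings from tips 1 and 3.
# Assumed locations (not given in the article):
#   /Library/Preferences/com.apple.alf          globalstate, stealthenabled
#   /Library/Preferences/com.apple.loginwindow  autoLoginUser

# globalstate: 0 = off, 1 = on with a per-application list, 2 = essential services only
firewall_verdict() {
    case "$1" in
        0) echo "FAIL firewall is off" ;;
        1) echo "OK firewall on, access managed through the program list" ;;
        2) echo "OK firewall on, essential services only" ;;
        *) echo "UNKNOWN firewall state: ${1:-unreadable}" ;;
    esac
}

stealth_verdict() {
    if [ "$1" = "1" ]; then echo "OK stealth mode on"
    else echo "FAIL stealth mode off or unreadable"; fi
}

# autoLoginUser exists only while automatic log-in is enabled.
autologin_verdict() {
    if [ -n "$1" ]; then echo "FAIL automatic log-in enabled for $1"
    else echo "OK automatic log-in disabled"; fi
}

# $1 is a space-separated group list, as printed by `id -Gn`.
account_verdict() {
    for group in $1; do
        if [ "$group" = "admin" ]; then
            echo "WARN running as an administrator"; return 0
        fi
    done
    echo "OK standard account"
}

# Print a preference value, or nothing if the key or file is missing.
read_pref() { defaults read "$1" "$2" 2>/dev/null || true; }

audit() {
    alf=/Library/Preferences/com.apple.alf
    account_verdict "$(id -Gn)"
    firewall_verdict "$(read_pref "$alf" globalstate)"
    stealth_verdict "$(read_pref "$alf" stealthenabled)"
    autologin_verdict "$(read_pref /Library/Preferences/com.apple.loginwindow autoLoginUser)"
}

# Run the audit only where the OS X `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then audit; fi
```

The script only reads settings; any line marked FAIL or WARN is changed in the system preferences as described above.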

4. Disable Guest account access

By default, OS X has a guest account enabled for sharing only, which allows for public access to your "Public" folder. If you are on a network, people can copy items to your computer without logging in by accessing your "Drop Box" folder, which can be seen as a risk by some people. You can easily prevent this by going to the "Accounts" system preferences, selecting "Guest Account" (you may have to authenticate first), and then unchecking the options to allow guests to access shared folders and/or log in.

5. Set Firmware Password

While you can change passwords and set your account to use FileVault, if someone accesses your system with an OS X installation DVD they can reset the administrator password and gain access to your system. Apple provides this functionality for troubleshooting purposes; however, it can be used for malicious purposes as well. To combat this, you can set a firmware password so the system cannot be booted from the optical drive at all, or from other external sources without entering the password. This password can only be reset by changing the hardware configuration (such as removing or adding RAM), which can be prevented by locking the system down.

Read more on setting a firmware password here: http://support.apple.com/kb/HT1352

6. If you don't use it, turn it off

Apple supplies a number of connectivity and sharing options in OS X. These can be useful, but if you do not use them there is no need to keep them active. Go to the system preferences and turn off Bluetooth and your Airport Wi-Fi connection if you are not using them. They can easily be enabled by using the provided menu-extras in OS X (enabled in the respective system preferences for each setting). Additionally, turn off the computer's IR receiver in the security system preferences.

Go to the "Sharing" system preferences and uncheck the services in the list that you do not need or use. Keep in mind, though, that some of these services may be useful for troubleshooting your computer, so while you may not need them, having them enabled is another safeguard. Specifically, these are "Screen Sharing" and "Remote Login," but only have them enabled if you know how to use them.

7. Lock your keychains

Keeping your keychain open is convenient, but once open it also makes your full set of passwords available to the system. To counter this, you can easily lock your keychain using the keychain access menu-extra. This can be enabled in the "Keychain Access" program's preferences, and will display as a small lock in the menu bar where you can manage the keychains, and also lock the screen when you are away.

8. Use Encrypted Disk Images

Storing items in the user account under the various directory categories Apple has designated (documents, movies, music, etc.) is an easy way to ensure all of your items are kept secured by system permissions; however, there may be times when you will want to store items on network servers or external disks. Using Disk Utility to create an encrypted disk image in which to store your files is quite handy, but is only useful if you are planning on accessing the files from Macs. If you need to use a PC, then you will not be able to open the disk images. Additionally, this will come with a noticeable performance hit, since files will be encrypted as they are moved to the image.


