Also, keep in mind that anyone connecting to a remote Mac using an administrative account will be able to mount not just the explicitly shared folders, but any connected hard drive. This is another reason to disable file sharing if it isn't needed and to be sure you use good password policies for admin users. (It's also a good reason to create administrative accounts with names other than "admin" or "administrator.")
On a final note about file sharing, Mac OS X supports file sharing with three different protocols: AFP (the native file-sharing protocol for Macs), SMB (the native protocol for Windows) and FTP. You can select which ones to enable using the Options button in the Sharing pane in System Preferences.
SMB must be enabled for individual users because it stores passwords in less secure form on your Mac (though it still encrypts their transmission over the network). FTP should be avoided because it offers no encryption whatsoever. Again, limit the protocols to those you need, and leave the others disabled.
Disable Bonjour
Bonjour is Apple's zero-configuration networking system that allows Macs ( and PCs and iPhones) to automatically broadcast resources they are sharing over a network and to discover resources shared by other devices. Bonjour can be used for file sharing, printing (many printers ship with Bonjour built in), sharing of iTunes libraries, instant messaging without the use of an IM service, and many other things.
Since Bonjour works by your Mac broadcasting its presence and its available shared resources, it can easily alert malicious users not only to its location, but also to vectors that can be used to target it for attack. Most applications that support Bonjour also allow you to disable Bonjour broadcasting, though you may need to dig around in their Preferences to find the option.
As with sharing services, if you don't need Bonjour for an application, turn it off. If you want to see which applications on your Mac are actively advertising themselves using Bonjour, check out the open-source Bonjour Browser, which lists the various Bonjour services actively running at any one time. You can use this to determine which applications to disable Bonjour support in. (One of the most common is iTunes, which uses Bonjour to share libraries, locate/sync to Apple TVs, and remotely control Apple's Remote application for the iPhone and iPod Touch.)
You can even go a step further from the command line, where you can disable Bonjour as a whole. Ali Karbassi provides instructions on his blog.
Keep your software up to date
The most important security option available to Mac users is keeping software up to date. This applies to Mac OS X itself, Apple-branded applications and any third-party apps on your system. Maintaining an up-to-date operating system and application set means that publicly known vulnerabilities are more likely to have been patched in the software on your system.
The Mac's built-in Software Update feature checks for updates to OS X and Apple applications on a weekly basis by default, and it notifies you when updates are available -- which lets you choose whether to download and install them all immediately or to wait until a later time.
You can also choose to check monthly or daily, or disable automatic checking altogether (not recommended), using the Startup Disk pane in System Preferences. Another option is to have critical updates such as security updates downloaded automatically; you'll be informed when the download has been completed and is ready for installation.
The Software Update pane also lets you check for updates at any time (which can also be done via the Apple menu) and view a list of updates that have been installed on your Mac.
Most third-party apps include an option to check for updates each time they are launched. This should be left enabled because updates often improve performance, stability and security. VersionTracker Pro ($30 for up to three Macs) and the free App Update Dashboard widget are two utilities that can help ensure that all applications on your Mac are up to date.
Additional resources
Although this article covers the most common ways in which Macs are left vulnerable, it is by no means a complete guide to Mac security. More information is available from the following sources:
- Corsaire Ltd.'s "Securing Mac OS X Leopard" white paper (download PDF)
- Apple's Mac OS X Security Configuration Guides
- Home PC Firewall Guide's Macintosh Security Guide
- Intego's Mac Security Blog
- Macworld's Mac Security SuperGuide ($9.99 for PDF)
Ryan Faasis a frequent Computerworld contributor specializing in Mac and multiplatform network issues. You can find more information about him at RyanFaas.com.
This story, "15 easy fixes for Mac security risks" was originally published by Computerworld.