Scribd Logo
Upload

Welcome to Scribd!

  • 218 views

    macOS Security Checklist

    Uploaded by

    nicolepetrescu
    The document discusses implementing security recommendations from the Center for Internet Security benchmark for macOS. It covers topics like software updates, system preferences, iCloud settings, logging and auditing, network configuration, user accounts, and how Jamf Pro can help organizations address these recommendations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    macOS Security Checklist

    Uploaded by

    nicolepetrescu
    218 views8 pages
    The document discusses implementing security recommendations from the Center for Internet Security benchmark for macOS. It covers topics like software updates, system preferences, iCloud settings, logging and auditing, network configuration, user accounts, and how Jamf Pro can help organizations address these recommendations.

    Original Description:

    macOS Security Checklist

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document discusses implementing security recommendations from the Center for Internet Security benchmark for macOS. It covers topics like software updates, system preferences, iCloud settings, logging and auditing, network configuration, user accounts, and how Jamf Pro can help organizations address these recommendations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    218 views8 pages

    macOS Security Checklist

    Uploaded by

    nicolepetrescu
    The document discusses implementing security recommendations from the Center for Internet Security benchmark for macOS. It covers topics like software updates, system preferences, iCloud settings, logging and auditing, network configuration, user accounts, and how Jamf Pro can help organizations address these recommendations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 8
    At a glance
    Powered by AI
    The document discusses how the Casper Suite can be used to implement the security recommendations of the Center for Internet Security (CIS) Benchmark for macOS.

    The CIS Benchmark was created through a consensus review process involving security experts. It undergoes phases of review to incorporate community feedback.

    The document covers categories like updates/patches, system preferences, user accounts, network configuration, system access, and additional considerations.

    WHITE PAPER

    macOS Security Checklist:

    implementing the Center for Internet Security Benchmark for macOS

    Recommendations for
    securing macOS

    The Center for Internet Security (CIS) benchmark for


    macOS is widely regarded as a comprehensive checklist
    for organizations to follow to secure their Macs. This white
    paper from JAMF Softwarethe Apple Management
    Expertswill show you how to implement the independent
    organizations recommendations.

    To see how Jamf Pro can facilitate


    personalized learning in your environment,
    visit: www.jamf.com
    JSS

    WHAT IS THE CASPER SUITE? WHAT IS THE JSS? WHAT IS A POLICY?

    The Casper Suite is a set of The JAMF Software Server (JSS) is the A Policy is the main tool used to
    administrative tools to help you management server component to the implement changes to
    manage your Apple devices. suite and runs on a Mac, Windows, or a client Mac. The JSS sends
    Linux server. commands to an agent on the Mac.

    WHO IS THE CIS?

    The Center for Internet Security, Inc. (CIS) is a 501c3 nonprofit organization
    focused on enhancing the cybersecurity readiness and response of public and
    private sector entities.

    HOW THE CIS BENCHMARK WAS CREATED

    The CIS Benchmark was created using a consensus review process comprised
    of subject matter experts. Consensus participants provide perspective from a
    diverse set of backgrounds including consulting, software development, audit
    and compliance, security research, operations, government, and legal.

    Each CIS benchmark undergoes two phases of consensus review. The first
    phase occurs during initial benchmark development. During this phase, subject
    matter experts convene to discuss, create, and test working drafts of the
    benchmark. This discussion occurs until consensus has been reached on
    benchmark recommendations. The second phase begins after the benchmark
    has been published. During this phase, all feedback provided by the Internet
    community is reviewed by the consensus team for incorporation in the benchmark.
    If you are interested in participating in the consensus process, please visit
    https://community.cisecurity.org.
    CATEGORIES OF SECURITY FOR macOS

    UPDATES & PATCHES SYSTEM PREFERENCES iCLOUD LOGGING & AUDITING

    NETWORK CONFIGURATION USER ACCOUNTS ACCESS & AUTHENTICATION OTHER CONSIDERATIONS

    Installing Updates, Patches, and Security Software

    The Casper Suite enables you to keep your OS and Applications up to date by packaging
    and deploying updates to your client Macs remotely. You can even report on which
    machines have been updated and which are still pending.

    CIS Recommendations:
    Verify OS and apps are up to date via a Software Update tool
    Enable Auto Update in App Store
    Enable Auto Security Updates

    Features in the Casper Suite:


    Patch Management in the Casper Suite allows you to keep Mac macOS up to date
    A custom Software Update Server lets you whitelist approved updates to your Macs
    Run a Policy to enable Auto-Update via App Store
    Run a Policy to check for updates on a client Mac
    System Preferences

    The Casper Suite helps you configure System Preferences to meet your organizations security
    needs. Common settings such as passwords and screen saver can easily be turned on remotely and
    en masse to ensure restricted physical access to Macs. Advanced settings such as disabling SSH or
    file sharing can also be set to make your Mac secure against remote attacks.

    CIS Recommendations:

    Bluetooth: Energy Saver:


    Disable Bluetooth Disable wake for network access
    Disable Bluetooth Discoverable Mode Disable sleeping the computer when
    connected to power
    Date & Time:
    Enable set time and date automatically Security & Privacy:
    Desktop & S creen Saver: Enable FileValut 2
    Set screen saver to 20 minutes or less Enable Gatekeeper
    Enable hot corner to start screen saver Enable Firewall
    Set Display Sleep to a value larger than Enable Firewall Stealth Mode
    Screen Saver Review Application Firewall rules
    (http://support.apple.com/en-us/HT201642)
    Sharing:
    Disable Remote Apple Events in Sharing Other:
    Disable Internet Sharing iCloud (see section below)
    Disable Screen Sharing Enable Secure Keyboard entry in terminal.app
    Disable Printer Sharing Java 6 is not the default Java runtime
    Disable Remote Login (SSH) Use Secure Empty Trash
    Disable DVD or CD Sharing
    Disable Bluetooth Sharing
    Disable File Sharing
    Disable Remote Management (ARD)

    Features in the Casper Suite:


    All of the above System Preferences can be set via a JSS Policy and/or Configuration Profile
    FileVault 2 can be enabled and keys escrowed in the JSSs inventory
    Screen Saver and Password Settings can be set
    Sharing Settings can be set
    Security & Privacy settings can be set
    Policy to disable Java can be deployed
    iCloud and Other Cloud Services

    The Casper Suite helps implement your organizations iCloud strategy by giving IT
    admins the ability to either block or enable the cloud-based service.

    CIS Recommendations:
    Apples iCloud is just one of many cloud based solutions being used for data
    synchronization across multiple platforms and it should be controlled consistently with other
    cloud services in your environment. Work with your employees and configure the access to
    best enable data protection for you mission.

    Features in the Casper Suite:


    iCloud can be disabled via a Configuration Profile and/or JSS Policy
    If iCloud is not allowed, iCloud Drive can be removed from Finder

    Logging and Auditing

    The Casper Suite can help IT admins keep track of the logs that macOS generates and
    centralizes them in one place. Admins can also run advanced reports on those logs
    to look for any potential security issues.

    CIS Recommendations:
    Configure asl.conf Enable security auditing

    Retain system.log for 90 or more days Configure Security Auditing Flags

    Retain appfirewall.log for 90 or more days Enable remote logging for Macs on trusted
    networks
    Retail auth.log for 90 or more days
    Retain install.log for 1yr or more

    Features in the Casper Suite:


    iCloud can be disabled via a Configuration Profile and/or JSS Policy
    If iCloud is not allowed, iCloud Drive can be removed from Finder
    Network Configurations

    The Casper Suite makes rolling out network configurations easy for IT admins by distributing Wi-Fi,
    VPN, and even DNS settings. The Casper Suite also ensures some of the legacy server components
    of macOS are disabled so users are not accidentally opening up ports they dont know about.

    CIS Recommendations:
    Ensure Wi-Fi status is in the menu bar Ensure ftp server is not running
    Ensure NFS server is not running
    Create network specific locations
    Ensure http server is not running (Apache)

    Features in the Casper Suite:


    iCloud can be disabled via a Configuration Profile and/or JSS Policy
    If iCloud is not allowed, iCloud Drive can be removed from Finder

    User Accounts and Environment

    The Casper Suite helps an organization manage local accounts on a Macallowing the creation
    of admin or standard users. The JAMF binary that lives on client machines creates a hidden
    management account that has admin rights to execute commands and create new users.
    Policies can be created to further secure the login screen and disable the guest account.

    CIS Recommendations:
    Display login window as name and password only Disable allow guests to connect to shared folders

    Disable show password hints Turn on filename extensions

    D
     isable guest account Disable the automatic run of safe files in Safari
    for different purposes

    Features in the Casper Suite:


    Login window can be configured via Configuration Profile
    Guest account can be disabled via JSS Policy
    User accounts can be created via Setup Assistant and DEP or imaging
    Accounts created can either be Standard or Admin, based on needs
    System Access, Authentication, and Authorization

    The Casper Suite helps set file permissions, manage keychain access, and set strong password
    polices for users. By creating a configuration profile or JSS policy, you can remotely enable system
    access settings to create a more secure Mac.

    CIS Recommendations: Require an admin password to access


    systemwide preferences
    Secure Home Folder (deny read permissions
    to other home folders) Disable ability to login to another users active
    and locked session
    Repair permissions regularly
    Complex passwords (contains numbers,
    Check system-wide applications for letters, and symbols)
    permissions
    Set minimum password length
    Check System folder for world writable files
    Configure account lockout threshold
    Check Library folder for world writable files
    Create a custom message for the Login Screen
    Reduce the sudo timeout period
    Create a login window banner
    Automatically lock the login keychain for
    inactivity Disable password hints
    Ensure login keychain is locked when the Disable Fast User Switching
    computer sleeps Secure individual keychain items
    Ensure OCSP & CRL certificate checking Create specialized keychains for different
    Do not enable the root account purposes
    Disable automatic login
    Require a password to wake the computer
    from sleep

    Features in the Casper Suite:


    Folder permissions can be set via a script in a JSS Policy
    Repair permissions command can be triggered via Self Service or run automatically
    Reports can be created to scan for files in System and Library for bad permissions
    Password policies enabled via Configuration Profile
    Login window and banner can be added via JSS Policy
    Additional Considerations

    The Casper Suite helps IT admins customize additional security settings by setting an EFI password,
    disabling Wi-Fi in hyper-secure environments, and more. You can also use the JSS to rename your
    Macs so inventory is easier. Additionally, the Casper Suite allows you to inventory the software assets
    your organization has and keep track of licenses.

    CIS Recommendations:
    Consider disabling Wi-Fi and only use ethernet Automatic actions for optical media
    Cover iSight cameras Disable App Store automatic downloads on
    other Macs
    Logically name your computers
    Set an EFI password
    Inventory your software
    Put a firewall in place Apple ID password resetss

    Features in the Casper Suite:


    Wi-Fi can be disabled via profile
    Computer naming can be automated via setting in the JSS
    Software inventory and license tracking in the JSS
    EFI passwords can be set via a policy and/or imaging

    Conclusion

    The Casper Suite makes it easy to implement and follow the independent
    organization Center for Internet Securitys Apple macOS benchmarks.

    www.jamf.com
    To learn more about how Jamf Pro can make an impact

    2016 Jamf, LLC. All rights reserved.


    on your Mac and iOS management, visit jamf.com.

    You might also like