Macintosh security concerns
Last revision July 1, 2014
These notes apply to supported versions of the Mac OS X operating system on Macintosh computers. As of the date of this note, only versions 10.6 ("Snow Leopard"), 10.7 ("Lion"), 10.8 ("Mountain Lion"), and 10.9 ("Mavericks") are supported in the School of Earth Sciences.
Networking
By default, Mac OS X functions solely as a client on the network. That is, you can initiate connections outward to other computers and network services, but your Mac ignores all outside attempts to connect to it. This default condition is very secure against hacker probes.
You can enable various network services on your Mac in the Sharing preference pane. These services allow you or others to connect to your Mac for various purposes. Before enabling any service, first select the Firewall tab in the Security preference pane and check the box labelled Set access for specific services and applications. Then, as you enable services, they will be automatically added to the authorized list. All other connection attempts will be rejected.
Also consider these recommendations and restrictions imposed by the Earth Sciences network firewall rules before enabling any service on your Mac.
Service | Recommended? | Firewall restrictions |
Internet Sharing | FORBIDDEN! Never enable this "service". This is not file sharing! "Internet Sharing" turns your Mac into a router that tries to force all other computers on the network to send their traffic through your computer! (It becomes a DHCP server and NAT bridge). | |
File Sharing |
Apple's standard AFP protocol for file sharing among Macintosh computers
is reasonably secure,
if all accounts on your Mac have strong passwords!
Best to share specific folders, not entire disk.
Make sure "No Access" is selected for "Everyone" to prevent
random guest access.
Never share using FTP (under Options tab) - it sends password over the network in clear text! Only share using SMB if you need to connect from Windows PCs - in that case, disable the Guest Account (under Options tab). SMB is inherently less secure than AFP. |
Earth Sciences firewall allows AFP connections from the entire campus network (use VPN if off-campus). Connections to FTP or SMB are only allowed from the local Earth Sciences network. |
Printer Sharing | Not recommended. Only use to share USB printers attached directly to your Mac. Never attempt to share a printer that is already connected to the network - that will force all traffic to that printer to go through your Mac! | Earth Sciences firewall allows printing connections from the entire campus network (use VPN if off-campus). |
Remote Login | This allows ssh (remote command line login) and sftp/scp (remote file transfer) connections to your Mac. Safe to use if all accounts on your Mac have strong passwords! All ssh connections are fully encrypted. To reduce hacker probes, specify which users are allowed to connect. | Earth Sciences firewall allows ssh connections from the entire campus network (use VPN if off-campus). |
Remote Management | Also called Apple Remote Desktop. This allows full remote control of your Mac from another Mac, as if you were seated in front of the monitor. Reasonably secure. You can limit actions for specific users with the Options tab. | Earth Sciences firewall allows remote desktop connections from the entire campus network (use VPN if off-campus). |
Web Sharing | Turns your Mac into a web server using the Apache system. Not recommended. Introduces numerous security issues. Use the hosting services provided by the School's professionally managed pangea web server instead. | Earth Sciences firewall will not allow web traffic to your Mac. It will only be seen by other computers on Earth Sciences network. |
Kerberos
Install and run the Kerberos Configuration Utility from the Essential Stanford Software website to properly configure the Mac's built-in kerberos authentication system to work at Stanford. This allows authenticated single-signon to many Stanford and Earth Sciences services.
Backup and file integrity
No computer is perfect and all computers will eventually fail. Additionally, malware or user error can cause deletion of important files. For that reason, we strongly recommend backing up important files on your computer such as research data, Ph.D. thesis work, or drafts of professional articles.
The Energy Resources Engineering department provides backed up file storage on its servers for all its faculty, staff, and students.
Faculty and staff in other Earth Sciences departments and programs can use the HelpSU web form to request that their primary workstation be backed up on the School's CrashPlan Pro backup server.
Students in any Earth Sciences department or program can use their home share on the sesfs.stanford.edu file server to keep copies of important work. The default 10 Gigabyte disk quota for home shares can be increased upon request of the student's faculty advisor.