Laptop Security

a5y

It's me again, and I'm back with yet more questions!

One of the unusual things I've noticed about my new Macbook (well, it seems unusual to me anyways...) happens when I log off and shut down my laptop, and later turn it back on. I am not asked for a password to get access to my user account. This seems a little strange to me; I'm not sure I'm comfortable with it.

• Is there anyway of changing it so that it's not so easy for anyone to get access to it?

As it stands, my nosy brother of mine could turn it on, open camino and (because of Keychain) get into my YouTube or Last.fm accounts. Mostly this wouldn't be a problem as I don't just leave it lying around, but it still bothers me: to date I've only been asked for the password when changing a few user settings.

Indeed, I'd even like to have the contents of my laptop's hard disk encrypted so if the worst happens and my laptop is lost or stole at least my private information isn't compromised.

• Is it possible to have a large portion of the hard disk encrypted by default to contain confidential information?
• Would I be better off keeping stuff like that on a USB memory stick in an encrypted file, or would that be pointless since those things are insanely easy to lose?

I've read enough to know that there is no fool-proof way of protecting a laptop from unauthorized access (short of encasing it in cement, burying it and building a shopping center on top of it), and that a determined and skilled enough b*stard will ultimately get access to anything, but I'd like to know what steps I can take to make them work for it.

Oirthir

System Preferences > Security .

440Hz

What I would suggest, and think this should be used by anyone with a laptop really, is set up another user with basic privileges and limited access. I have my admin user and basic user. I have enabled fast switching so that when I am using my machine in the office for example I can quickly switch between user, and also the login screen when I need to. If I am leaving my machine unattended for a while I tend to switch to login screen. I have enabled access to certain applications for my basic user as well so I can work in that user mode and save my work if I am being really careful, but I can't think of many times that I have done this.

Its good practice for troubleshooting to have another user with different privileges anyway. I would strongly recommend this.

Oriel

System Prefs -> Accounts -> Login Options.
Untick "Automatically log in as:"

You will now be asked for a password to access the machine.

440Hz, personally, I think that's a weird suggestion, complete overkill and complicated.
Simply password protect your screen saver, and set a hotspot to easily activate it when you leave your computer.

SouperComputer

Oriel wrote:

440Hz, personally, I think that's a weird suggestion, complete overkill and complicated

Actually what he (She?) says is an extremely important security issue, especially with OS X. Keep in mind most POC (Proof Of Concept) exploits for Mac OS (And indeed other OS's) have been executed because the user logged in has privileged or admistrative privlidges. The fast user switching might comlicate things a little, but from a security standpoint it is not neccacary.

From a security standpoint you should NEVER use an administrative account unless you absolutely have to. Especially if you run OS X as most security exploits will take advantage of the fact that most users of the OS incorrectly use admin accounts as their user accounts under the added false guise that OS X cannot be compromised.

My 2c

Basically, You want ONE admin account that will ONLY be used for admin purposes (Installing software, updates etc etc) and then all user accounts as standard users.

This is a minimum security step.

ZENER

Everything recommended above . . . . and tin foil for your head . . . to be sure !!!:D

ZEN

440Hz

Oriel wrote:

440Hz, personally, I think that's a weird suggestion, complete overkill and complicated.
Simply password protect your screen saver, and set a hotspot to easily activate it when you leave your computer.

Obviously never worked in a Unix environment then. This is fairly standard practice for A LOT of Mac/Linux users.

Its not something I came up with, its a standard.

So tell the expert they are "weird" then.

READ:
http://developer.apple.com/internet/security/securityintro.html
- just as a first hit link.. there are MILLIONS of more out there for every type of users, not just 'web developer' as this article deals with. Its industry standard practice.

Security practices for all Mac OS X users

1. Accounts and users

Have several accounts for special purposes on your Mac OS X system. Be in control of all access to your system by other users, and don't use Guest access without a good reason.

Recommendations:

* By default, the account created when installing OS X is an Administrator account which has the equivalent of "root" access. It's not secure or necessary to use that account for routine work. While logged in as the administrator, use the "Accounts" System Preference tool to create a non-administrator user account and give it a different password. Then, use the user account for daily tasks.

I can keep going if you like...


Now... like to call my suggestion weird again?

SouperComputer

ZENER wrote:

Everything recommended above . . . . and tin foil for your head . . . to be sure !!!:D

ZEN

You make it sound like a lot is reccomended.

just setup a non-admin user. Simple. Do this and you'll be taking a basic precaution against the growing amount of exploits and general malicious activity that OS X is being subjected to.

No tin foil hat required.

440Hz

SouperComputer wrote:

Actually what he (She?)

She! Thanks heehee

babypink

Oriel wrote:

440Hz, personally, I think that's a weird suggestion, complete overkill and complicated.
Simply password protect your screen saver, and set a hotspot to easily activate it when you leave your computer.

she's absolutely right in her suggestion actually, for the reasons Souper highlighted. Simply password protecting your screensaver is simply not enough.

It really is best practise, particularly on *nix boxes, to have multiple accounts, only using the administrator account when needed. And don't go enabling root either...

As for the encryption.....in system preferences, go to Security and enable FileVault. This will encrypt the contents of your home folder. You'll see a performance hit as it decrypts the files on-the-fly as you access them. I've no idea what the hit will be on newer machine, but this will sort out your x-files paranoid leanings!!

Narcissus

If you set up a second account, will it have its own desktop/screensaver, hard drive space etc.?

babypink

yeah own desktop etc.....

as for HD space, it doesn't get its own exclusive allocation, what it does get is its own folder in the Users folder in the HD root, just like the admin account. Every new account gets a folder like that, containing documents movies music etc. Its this folder that filevault encrypts btw.

Oriel

But the OP is talking about somebody else physically accessing the computer - not a network/OS hack.

babypink

it still applies

440Hz

babypink wrote:

she's absolutely right in her suggestion actually

Cheers!

For those who don't think im crazy - I've lost track of how many Macs I have owned and I have done this for as long as I can remember. It is particularly good for people who bring their machines into common environments such as Universities/workplaces etc.

However, its uses are more than just security, as I said in my first post this is also useful for debugging. Often if a user has a problem with their system it can be down to user preferences etc and having an extra user with different priveleges/setup is a very important step in debugging difficult problems.

Up to the individual of course. Im just sharing what the experts say/do and I know it is perhaps the first step I perform when I setup any Mac system.

Oriel

But s/he's looking... to keep the pesky brother... out of his/her computer.
Not keep the Nazis out of Poland.

440Hz

Oriel no-one is forcing you to do this. Why do you have such an issue with the fact that it is considered good practice. Fine, if you don't think it is for you, but the fact is it is standard practice.

And like I said... it does not JUST have security benefits.

Oriel

I don't have an issue with anything other than the fact that the OP simply wanted to keep his/her brother or any casual user out of the machine, (the HD encryption, I didn't touch on) and then people start telling him/her to get ready for world war 3.
Like I said, it's overkill, for what the op wanted. I'm not saying it's bad practice all at.

SouperComputer

Like I said, it's overkill, for what the op wanted.

Wrong. Again, not using an administrative account for day-to-day use is a basic measure. There is nothing overkill about it. You will login with your password just as you would before. No biggie

Why bother? Because if the brother guesses or acquires the password somehow, he is also logged in as an admin user. I don't think I need to say anymore than that, suffice to say that it is a bad thing.

Oriel

SouperComputer wrote:

if the brother guesses or acquires the password

:rolleyes:

a5y

Oriel wrote:

But s/he's looking... to keep the pesky brother... out of his/her computer.
Not keep the Nazis out of Poland.

He!

Before this thread goes on I think I should take some responsibility on some of the ambiguity on the degree of security I want to have on my laptop. (As well as perhaps clearing up some ambiguity on my username )

As Oriel states, there is a big difference between some steps to prevent some meddling brother of mine and say stopping a programmer friend of mine from college whos idea of a prank reaches a lot further than hitting (ctrl+alt+splat+8) when I turn my back.

As it stands, I want to implement a higher level of security than I may have indicated in my original post (my bad; Oriel sorry about that!).

I'm a college student and in my two years I've seen alot of poster pleading about the same sad story: a thesis on a lost memory key, I'll fail my year if I don't get it back, etc etc. I've also seen an alarming tendency for students to show no respect whatsoever for hardware they don't own, and screw around with it simply because they can.

I didn't indicate any of this in the original post, which in hindsight would have indicated all I really wanted was what Oriel suggested, a few very simple & quick steps to make it that bit harder to deter a brother from being a pest.

As it stands though, I really need something closer to the prevent of an invasion of an Eastern European country by a well armed and aggressive military neighbour.

(Perhaps combined with making daily back ups on DVD of any new work I do )

SouperComputer

Oriel wrote:

:rolleyes:

Why rolleyes? I guess next you'll be telling me that people rarely guess or acquire other's passwords?

a5y wrote:

I didn't indicate any of this in the original post, which in hindsight would have indicated all I really wanted was what Oriel suggested, a few very simple & quick steps to make it that bit harder to deter a brother from being a pest.

Granted, in any case setting up a seperate user account will limit headaches in the long run. Killing two birds with one stone to speak.

a5y

SouperComputer wrote:

Why rolleyes? I guess next you'll be telling me that people rarely guess or acquire other's passwords?

Social engineering, look it up

Alright, everyone hang on and read what I posted before this blows up!

440Hz

a5y wrote:

I didn't indicate any of this in the original post, which in hindsight would have indicated all I really wanted was what Oriel suggested, a few very simple & quick steps to make it that bit harder to deter a brother from being a pest.

Well seeing as I suggested what I suggested before Oriel posted I shall stand by saying that in my opinion EVERY Mac user should adopt this habit, for all the reasons noted above and more. Even if you just wanted to deter a pesky sibling, it is still something you should have on your system!

a5y wrote:

Alright, everyone hang on and read what I posted before this blows up!

I'm keeping an eye! A few threads have been heading in the same direction lately, which is a pity. Everyone here always got on and everyone is very helpful to each other. It would be great to get back to that. Like I said though, keeping a watchful eye, as are other users I might add! Thanks for that too guys.

440Hz

btw a5y... I love your sig!! hilarious

Oriel

SouperComputer wrote:

Granted, in any case setting up a seperate user account will limit headaches in the long run. Killing two birds with one stone to speak.

Yes. But will do nothing to help the OP in this circumstance. Which is what I've been saying all along.

440Hz

Oriel wrote:

But will do nothing to help the OP in this circumstance.

Of course it will. It is just a higher level to what you suggest. With added benefits.

Oriel

FFS I give up. I'll leave you paranoid freaks to it.
OP, glad I could help.

440Hz

Oriel - everyone here is trying to be helpful to the OP. This is not a competition but it is going to be put people off posting suggestions if they just get shot down all the time by other posters. I am not saying there is anything wrong with your suggestion, I am merely pointing out why my suggestion is valid, in response to the points you have made.

oriel wrote:

FFS I give up. I'll leave you paranoid freaks to it.

That is totally uncalled for.

Everyone on here is helpful and friendly. Please don't change that.

NullZer0

The Ultimate in Laptop security!

http://www.youtube.com/watch?v=qP_M5DAxl_w

440Hz

hehe nice one.

SouperComputer

Apologies to the OP for the digression....

Oriel wrote:

FFS I give up. I'll leave you paranoid freaks to it.
OP, glad I could help.

LOL, actually its great that you have this attitude, its one of the reasons I make a lot of money fixing problems that could be prevented with one simple step