Hardening macOS
Summary
Quick and easy guide for securing macOS systems, for both laymen and security enthusiasts. Last updated for Monterey (12.3).
Content
The easy stuff
Everyone can do these, no technical knowledge required.
- Install a fresh copy of macOS
  Why? It’s best to start clean, to avoid previous misconfiguration.
  How? Follow this Apple Support guide. This step cannot be undone.
- Perform the initial configuration until you can use the system.
- Enable automatic software updates
  Why? So that your system has the latest software patches installed.
  How? Go to System Preferences > Software Update > Advanced, check all.
- Enable screen saver after inactivity
  Why? To avoid unauthorized third-party access.
  How? Go to System Preferences > Desktop & Screen Saver > Screen Saver, check “Show screen saver after 20 minutes”.
- Enable password-protected sleep
  Why? To avoid unauthorized third-party access.
  How? Go to System Preferences > Security & Privacy > General, check “Require password 5 seconds after sleep or screen saver begins”.
- Forbid unsigned software
  Why? To prevent potentially malicious software from running.
  How? Go to System Preferences > Security & Privacy > General, select “Allow apps downloaded from App Store and identified developers” at most.
- Disable guest user access
  Why? To avoid unauthorized third-party access.
  How? Go to System Preferences > Users & Groups > Guest User, uncheck all.
- Enable disk encryption
  Why? To prevent unauthorized third-party access to your data.
  How? Go to System Preferences > Security & Privacy > FileVault, if disabled, click “Turn On FileVault” and follow the procedure.
- Enable the inbound network firewall
  Why? To reduce the exposure to network-based attacks.
  How? Go to System Preferences > Security & Privacy > Firewall, if disabled, click “Turn On Firewall”.
- Disable network services
  Why? To reduce the exposure to network-based attacks.
  How? Go to System Preferences > Sharing, uncheck all.
- Disable unnecessary application access
  Why? To mitigate the potential impact of malicious software.
  How? Go to System Preferences > Security & Privacy > Privacy > Camera, uncheck all unnecessary access. Repeat these steps for Microphone, Input Monitoring, Full Disk Access and Screen Recording access as well.
- Require password to change system-wide preferences
  Why? To ensure only authorized users can change critical security settings.
  How? Go to System Preferences > Security & Privacy > Advanced…, check “Require an administrator password to access system-wide preferences”.
- Prevent Safari from opening downloads automatically
  Why? So that you know what you’re double-clicking on.
  How? Go to Safari > Preferences > General, uncheck “Open safe files after downloading”.
- Show all filename extensions
  Why? So that you know what you’re double-clicking on.
  How? Go to Finder > Preferences > Advanced, check “Show all filename extensions”.
- Disable radios when unused
  Why? To reduce the exposure to wireless-based attacks.
  How? When unused, disable Wi-Fi and/or Bluetooth.
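Several of the settings above can also be verified from Terminal. The following read-only audit is an added example, not part of the original guide; it assumes the command output and preference keys found on Monterey-era systems, and `classify` and `audit` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: read-only audit of settings from the checklist above.
# classify and audit are hypothetical helper names, not part of macOS.

# classify NAME OUTPUT PATTERN
# Prints "PASS NAME" if OUTPUT matches the shell PATTERN, else "FAIL NAME".
# FAIL also covers "could not be read" (missing key, tool absent).
classify() {
    case $2 in
        $3) echo "PASS $1"; return 0 ;;
        *)  echo "FAIL $1"; return 1 ;;
    esac
}

audit() {
    fails=0
    # Disk encryption: fdesetup reports "FileVault is On." when enabled.
    classify "FileVault" "$(fdesetup status 2>&1)" \
        '*FileVault is On*' || fails=$((fails + 1))
    # Inbound firewall: globalstate 1 = on, 2 = on and blocking all incoming.
    classify "Firewall" \
        "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>&1)" \
        '[12]' || fails=$((fails + 1))
    # Gatekeeper: "assessments enabled" means Gatekeeper is enforcing.
    classify "Gatekeeper" "$(spctl --status 2>&1)" \
        '*assessments enabled*' || fails=$((fails + 1))
    # Guest login: 0 means the guest account is disabled.
    classify "Guest user disabled" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>&1)" \
        '0' || fails=$((fails + 1))
    # Finder: 1 means all filename extensions are shown (per-user setting).
    classify "Filename extensions shown" \
        "$(defaults read NSGlobalDomain AppleShowAllExtensions 2>&1)" \
        '1' || fails=$((fails + 1))
    echo "$fails check(s) not confirmed"
}

# Only run the real commands on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    audit
fi
```

A FAIL line means the setting could not be confirmed, so check it in System Preferences before assuming it is off.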
The advanced stuff
For the security enthusiast, who wants to go the extra mile.
- Use a password manager
  Why? To avoid reusing passwords and to facilitate two-factor authentication.
  How? Choose one that suits your needs. I like 1Password.
- Enable Terminal secure keyboard entry
  Why? To prevent other apps from snooping on what you type.
  How? Go to Terminal.app > Menu bar > Terminal, click “Secure Keyboard Entry”.
- Reconsider the risks of browser extensions
  Why? Browser extensions such as adblockers or grammar checkers require full read-write access to everything you do on the web. Yes, this includes your passwords. This is not malicious per se, but is the reward worth the risk?
  How? Go through your browser’s installed extensions and assess their value to you, and whether the risk trade-off is worth it or not.
- Run an outbound network firewall
  Why? For visibility and control over the traffic leaving your system.
  How? Install Little Snitch (paid) or LuLu (open-source).
- Block malicious domain names
  Why? To mitigate potential DNS poisoning.
  How? Install StevenBlack’s /etc/hosts file (or mine).
- Enable binary whitelisting
  Why? To completely prevent unauthorized software from running.
  How? Install and configure Google’s Santa.
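A pre-install check for the hosts-file step above, as an added example that is not from the original guide: a hosts file can redirect names as well as block them, so this reports every entry in a downloaded list that maps a name to anything other than a sink or loopback address. The function name `hosts_redirects` and the script name in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example: review a downloaded hosts blocklist before copying it to
# /etc/hosts. hosts_redirects is a hypothetical helper name.

# hosts_redirects FILE
# Prints "LINE: entry" for every entry whose address is not a sink or
# loopback address, and returns 1 if any were found (0 if the file is clean).
hosts_redirects() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # blank line or no hostname
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" { next }
        # macOS ships this entry in its default /etc/hosts
        $1 == "255.255.255.255" && $2 == "broadcasthost" { next }
        { print NR ": " $0; bad = 1 }           # anything else needs review
        END { exit bad + 0 }
    ' "$1"
}

# Usage: sh check-hosts.sh downloaded-hosts.txt
if [ "$#" -ge 1 ]; then
    hosts_redirects "$1"
fi
```

Reported lines are not necessarily malicious, but each one should be understood before the file is installed with administrator rights.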
The serious stuff
Security specialists surely know more about macOS security than me, so I won’t make any specific recommendations.
I will instead link to trusted authorities on the subject:
- Apple macOS User Guide
- Apple Platform Security documentation
- drduh’s macOS Security and Privacy Guide
That’s it?
No.
Security is an ongoing task. You must actively look out for newly discovered vulnerabilities and educate yourself on how to protect your system from them.
Some generic (but useful) rules are:
- Keep your software up-to-date.
- Prevent unattended physical access to your devices.
- Don’t reuse passwords and enable two-factor authentication.
- Back your data up regularly.
- Stay vigilant. Most attacks these days don’t target the system, they target the user. They target you.