How?
Install a fresh copy of macOS
Note: this step is optional, but highly recommended, it's best to start off with a clean system to avoid possible misconfiguration.
Boot into Recovery Mode (hold
command
+R
during boot)(Optional) Go to the Utilities > Firmware Password Utility and consider setting up a firmware password to protect your data should it be lost or stolen
Format the boot drive and install macOS from scratch (Warning: this step will permanently delete the contents of the boot drive)
First boot
Clear the NVRAM (hold
command
+P
+R
during boot) (skip if you set up a Firmware Password previously)Create an administrator user account with a strong password and no hint. This user is for administration purposes only.
Go to System Preferences > Users & Groups and create an unprivileged user account for day-to-day use, it is considered best practice by Apple itself
Go to System Preferences > Users & Groups > Guest User and uncheck Allow guests to log in to this computer
Go to System Preferences > Software Update and consider enabling automatic updates (if you are not comfortable enabling this, consider at least turning on security updates by going into Advanced… and checking Install system data files and security updates)
Go to System Preferences > Security & Privacy > General and set Require password after sleep to immediately or 5 seconds
Go to System Preferences > Security & Privacy > General and set Allow apps downloaded from to App Store or App Store and identified developers
Go to System Preferences > Security & Privacy > Firewall and turn on the firewall
Go to System Preferences > Security & Privacy > Firewall > Firewall Options… and check Block all incoming connections
Go to System Preferences > Security & Privacy > Privacy > Location and uncheck Enable Location Services
Go to System Preferences > Security & Privacy > Privacy > Analytics and uncheck Share Mac Analytics
Go to System Preferences > Sharing and anonymize the computer's name, this name can be see by those connected to the same network as yours
Go to System Preferences > Sharing and turn off every service (turn on only when using it and disable afterwards)
Go to System Preferences > Network > Advanced > DNS, add two entries to DNS Servers for
1.1.1.1
and1.0.0.1
and remove any other serverGo to System Preferences > Spotlight > Search Results and uncheck Spotlight Suggestions and Allow Spotlight Suggestions in Look up
Go to System Preferences > General and uncheck Allow Handoff between this Mac and your iCloud devices
Go to System Preferences > Bluetooth and turn off Bluetooth (turn on only when using it and disable afterwards)
Go to Finder > Preferences > Advanced and check Show all filename extensions
Disable Captive Portal (use your browser instead):
Disable Crash Reporter:
Block malicious domain names using the
/etc/hosts
file (see StevenBlack/hosts)Consider running an outbound firewall such as Little Snitch (proprietary, full-featured) or LuLu (open-source, very basic)
Consider doing binary whitelisting with google/santa
Go to System Preferences > Security & Privacy > FileVault and turn on FileVault (note: may take some time)
Secure FileVault when on sleep:
If you plan on using ssh with ssh-agent, add a safe timeout parameter to ssh-agent to protect your credentials:
Edit
/etc/auto_master
asroot
and comment the line beginning with/net
(note: this is a workaround to an unpatched vulnerability)Reboot and log back in as the unprivileged user
Second boot (user)
Go to System Preferences > Security & Privacy > Privacy > Contacts/Calendars/Reminders/Photos and remove any apps that shouldn't have access to any of those folders, if any
Go to System Preferences > Security & Privacy > Privacy > Camera/Microphoneand remove any app you don't want to have access to the camera or microphone, if any
Go to System Preferences > Security & Privacy > Privacy > Full Disk Access and remove any app you don't want to have full-disk access, if any
Go to System Preferences > Security & Privacy > Privacy > Advertising, check Limit Ad Tracking and click Reset Advertising Identifier
Carefully assess and install a web browser. Regardless of your browser…
- …block third-party cookies
- …disable DNS preloading
- …disable Flash support
- …install an ad blocker
- …enable Do Not Track
- …opt-out of telemetry
- …consider using a privacy-respecting search engine in lieu of Google
- …consider a whitelist approach to JavaScript execution
Note: if using Safari, go to Safari > Preferences > Search and uncheck "Include Safari Suggestions" and to Safari > Preferences > General and uncheck "Open"safe" files after downloading"
Consider tunneling your traffic through a VPN when connected to untrusted networks (see ThatOnePrivacyGuy's VPN comparison or roll your own)
Consider using a privacy-respecting email service provider (see ThatOnePrivacyGuy's email comparison or roll your own)
Consider setting up PGP/GPG encryption for email regardless of your email service provider
That's it?
No.
Again, you don't have a "100% secure system", you are just a lot harder to screw with than everyone else in the city.
Keep in mind that securing a system is not a one-time job, you must actively backup your data, patch your system, look out for new vulnerabilities… Some general best practices are:
Keep your system up-to-date, both macOS and installed software
Prevent unattended physical access to the device from anyone but yourself
Encrypt sensitive data on rest and on transit
Backup your data, multiple, encrypted (of course) copies of your data in different physical locations
Keep your guard up, you are your system's last line of defense
Thursday, May 06, 2021
Hardening macOS - Ricard Bejarano
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment