How To Harden Up Your Mac, Courtesy of the NSA



Amid all the talk of malware scares for Mac users recently, here’s a useful guide to Mac security basics, from the NSA of all people.

A PDF titled “Hardening tips for OS X Snow Leopard”, the file is free for anyone to grab. Here it is (direct PDF link).

It spells out a lot of simple steps you can take to “harden up” your Mac from security threats. Following them all won’t guarantee that your Mac is safe from every threat out there, but it will make life harder for the malware merchants.

Some of it is good old-fashioned common sense. Stuff like keeping your Mac’s software up-to-date, disabling automatic login, and unchecking Safari’s “Open ‘safe’ files after downloading” preference.

Other tips in the PDF might seem a little over-the-top, especially for ordinary folk. Stuff like disabling Bluetooth and Airport, for example. That’s going to make it tricky to reach Facebook. Remember, though, this is an NSA document for NSA people. You can’t blame them for being more paranoid than most of us.

The recent scares have been about “trojan horse” attacks, and the deal with trojans is that they rely on people’s weaknesses. They’re not taking advantage of holes in OS X, but of people just not thinking before they click.

If anything, that’s the lesson for everyone, not just Mac users: think before you click. Be wary of weird, unexpected, or too-good-to-be-true things that get waved under your nose by the internet. Don’t enter your password if asked for it unexpectedly, don’t enter personal info like passwords or credit card details anywhere unless you’re certain that you’re at the right place.

  • prof_peabody

    I would argue that the NSA is a bigger threat than any nefarious types out there.  Also, nothing you can do to your Mac will stop them reading your email and bugging your phone 24/7 regardless.  

  • martinberoiz

    Disabling Wifi and bluetooth? What about never turn it on? That surely will make your mac very secure… as well as useless.

  • AlterThending

    Perfect time to put it out too just when another OS X is about to release. Duh!

  • Diego

    I can confidently state that is untrue. If you refer to potential as opposed to intent then you might have a point but there are dozens of safeguards in place that make nefarious types much more dangerous. It’s possible you are either misguided or paranoid.

    And usually I agree with your posts on the various sites.

  • Ta

    Wow, this PDF seems unexpected and too-good-to-be-true!

  • ryu wink

    this is so freaking stupid. they treat os x users like morons. we know about this kind of things, because we are coming from windows. and the ones that installed that mac defender deserve it. how can one be that stupid?

    and i’m very inclined to think that this mac defender was developed by the antivirus companies, because they want us to buy a piece of software that does nothing on our macs.
    just like any bad news about the apple world, this is over-hiped.

    i’ve been using os x since 2007, without an antivirus on it, just the buid-in firewall, and never had a problem.

    there is only one solution for the stupid mac users: before installing an app that requires your password do this: give it a search on google and check the company.
    if that app is a maleware google will show it as one, and if the company is unknown and doesn’t have an official website, don’t install it. that’s it.

    don’t forget, malewares can’t do sh#t on our macs without our password, unlike windows.

  • tim71

    Some things are not practical to implement for “normal use” – if suid is removed from chpass, then non-root user cannot change user passwords, if it is removed from traceroute, then traceroute command will not work etc. OTOH some things can be good if additional security is needed, like disabling bonjour multicast advwerisements – although they can be blocked by firewall if needed. Safari-related things are good to be done before MacDefender or something alike has made its’ way through to your machine. Disabling unnecessary services – maybe too – I have no idea, what would I need postfix ot be running etc…

  • OS2toMAC

    My iMac is nowhere near useless, and I have neither Bluetooth, nor WiFi, enabled on it.  I have a wired keyboard/mouse and wired network connection.