Neon3214

Q: Safest' secure way to configure a Mac?

What's the best way to secure/configure a Mac "without installing any additional security software" (yes, Macs don't need it, so no need to explain) using inbuilt features of El Capitan? A simple step-by-step guide would be helpful to all readers, e.g. account settings, firewall, Gatekeeper and other measures.

iMac, OS X El Capitan (10.11.4)

Posted on May 30, 2016 6:13 PM

  • by Barney-15E,

    Barney-15E May 30, 2016 6:24 PM in response to Neon3214
    Level 8 (49,737 points)
    Mac OS X

    1) Leave everything configured as default

     

    Some other things to consider.

    Use a Standard Account, but really that only protects you from yourself. If you are running as admin as your only account, create another to make the admin account, then demote your own to Standard.

     

    If you have a router between you and the internet, you don't need the application firewall in OS X. The router acts as a firewall. Now if you have your router configured to pass traffic through your router to your Mac (Port Forwarding or DMZ), then turning on the Firewall may be helpful. You don't have a notebook, but for completeness I'll add that the Firewall may be useful when you connect to a public network, and you have sharing services enabled, and you don't want to go through each one and disable it while on the public network.

     

    When downloading software, only use the developer's website or the App Store. I imagine a developer could start bundling crapware to make an extra buck, but I think they would be quickly identified on the internet and all downloads of their software would cease.

     

    Ok, that wasn't really the "safest" way. For that,

    1) Unplug the ethernet cable

    2) Disable WiFi

  • by blackdogaudio,

    blackdogaudio May 30, 2016 6:26 PM in response to Neon3214
    Level 3 (675 points)
    Mac OS X

    A supplement to Barney's excellent advice (click on Passwords, Updates and Security on the left and drill through each subsection):

     

    http://help.apple.com/machelp/mac/10.11/#/

  • by BobTheFisherman,

    BobTheFisherman May 31, 2016 7:21 AM in response to Neon3214
    Level 6 (15,252 points)
  • by JimmyCMPIT,

    JimmyCMPIT May 31, 2016 8:28 AM in response to Neon3214
    Level 5 (6,958 points)
    Mac OS X

    Apple recommends you keep your computer up-to-date with OS X patches and security updates as they become available. For Mac this is the safest secure way to configure a Mac, outside of the common sense to know the email from the UN Ambassador's nephew asking for a loan in order to split the riches of the safe deposit box should go to junk mail without reading it.

  • by Eric Root, Solved answer

    Eric Root May 31, 2016 11:01 AM in response to Neon3214
    Level 9 (69,891 points)
    iTunes

    You can also consider encrypting your data using FileVault.

     

    FileVault 2 - About

  • by appreciate,

    appreciate May 31, 2016 12:23 PM in response to Neon3214
    Level 4 (1,276 points)
    Mac OS X

    First of all, secure your network. In your service provider modem, enable a strong password and firewall, and keep the settings as automatic. Secondly, the AirPort Express settings should be absolutely correct: a strong password must be enabled, keep wireless security as WPA2 Personal AES, router mode must be Off (Bridge Mode), and all lights on the AirPort Express must always be green. Your network name should be hidden.

    Observe your base station to see if any other device hardware has been added.

     

    In System Preferences: Security & Privacy > General > Require password must always be "immediately"; lock the screen; Gatekeeper must be enabled; enable FileVault; in Firewall > block all incoming connections + enable stealth mode; in Privacy, disable Location Services.

     

    In Sharing options, if you are the single user of the system, disable all options on the LHS, i.e. Screen Sharing ...... enable access for only these users. Open the padlock and see the settings inside it. Try to disable them also.

    In Network settings: use Location as Automatic; try Google DNS servers 8.8.8.8, 8.8.4.4.

     

    Enable a firmware password (update firmware password); there is a possibility attackers attack remotely on firmware. Use private browsing, don't click on suspicious links in mails or on the internet, use command info. And also please install the updates that are appearing in the App Store.

     

    Make a habit of observing your home Library and hidden Library; if any malware is sitting there, try to remove it manually.

     

    Do not download unidentified third-party apps (they can cause the spinning multi-coloured beach ball), or any antivirus.

     

    Also in Safari preferences settings: General > Safari opens with a new private window; remove history items after one day; file download location: ask for each download; uncheck "open safe files after download".

     

    AutoFill: check all options. Passwords: can check AutoFill. Search: check all options. Security: check all options; in Allow WebGL, when visiting other websites > allow it; in plug-ins, allow the SharePoint browser plug-in. In Privacy: cookies and website data > allow from websites I visit; website use of location services > deny without prompting; website tracking > ask websites not to track me.

     

    Notifications: uncheck > allow websites to ask for permission to send push notifications.

    Extensions: keep it off always; check the box: automatically update extensions from the Safari Extensions Gallery.

    Advanced: enable > press Tab to highlight each item on a webpage; internet plug-ins > stop plug-ins to save power. All the rest of the options are unchecked.

     

    Google has formed a link to find any malware or trojans in sites. How to find out if a website is legitimate:

    Type http://google.com/safebrowsing/diagnostic?site= in the URL bar, then type the desired website link next to it; there should not be any space between the two links. If any trojan is there, Google will give a report on how many trojans are there, etc.

    Or you can directly type "google safe browsing" in the URL bar and you will find out the way. A lot of knowledgeable matter is there to be read in it.

     

    Keep your Mac healthy and clean. Try not to download third-party apps or any antivirus.

  • by babowa,

    babowa May 31, 2016 12:36 PM in response to appreciate
    Level 7 (31,893 points)
    iPad

    Your link works really well:

     

    Screen Shot 2016-05-31 at 12.35.31 PM.png

  • by JimmyCMPIT,

    JimmyCMPIT May 31, 2016 12:51 PM in response to babowa
    Level 5 (6,958 points)
    Mac OS X

    In defense of that link, it requires a domain after the "="

    http://google.com/safebrowsing/diagnostic?site=www.apple.com

    or whatever you want to check.

  • by babowa,

    babowa May 31, 2016 1:16 PM in response to JimmyCMPIT
    Level 7 (31,893 points)
    iPad

    Missed that, thanks.

  • by appreciate,

    appreciate May 31, 2016 2:55 PM in response to babowa
    Level 4 (1,276 points)
    Mac OS X

    This method is just to find out trojans in suspicious sites, not for genuine sites. In the URL bar we have to type first the safe browsing link, then type the desired website link and click on Enter.

    Note: There must not be any space between the two links.

  • by Király,

    Király May 31, 2016 4:29 PM in response to Neon3214
    Level 6 (9,807 points)

    Nobody mentioned making and keeping good backups.

     

    While we might not think of backing up as a security-related thing, it absolutely is. If, despite your best intentions, your Mac becomes compromised by ransomware or some other attack, erasing it and restoring your data from backup could be necessary.

  • by dialabrain,

    dialabrain May 31, 2016 4:37 PM in response to Barney-15E
    Level 5 (5,890 points)
    Mac App Store

    Barney-15E wrote:

     

    Ok, that wasn't really the "safest" way. For that,

    1) Unplug the ethernet cable

    2) Disable WiFi

    just to add…

    3) Don't unpack your computer at all.

     

     

  • by Neon3214,

    Neon3214 May 31, 2016 11:52 PM in response to Neon3214
    Level 1 (16 points)
    Mac OS X

    The answer I was looking for was from the start: first time starting a new Mac for a new user (sorry I didn't make that clear).

    A simple step-by-step guide and/or links for others to be able to read through.

     

    How to:

    • Creating a Standard account from the admin account
    • Turning on the firewall and in stealth mode (regardless of a router being used or not)
    • Turn on Gatekeeper
    • Turn on FileVault
    • Allow Apps to download from App store 'only'
    • Update Apps and other security features automatically in system preferences
    • Simple Changes to make in Safari
    • Explanation on what not to install on a Mac
    • How to protect oneself from social engineering (email links etc.)


    No jargon or unnecessary silly stuff, so other newbies can simply read and follow easily

     

    thanks

  • by Barney-15E,

    Barney-15E Jun 1, 2016 5:55 AM in response to Neon3214
    Level 8 (49,737 points)
    Mac OS X

    • Creating a Standard account from the admin account

    Mostly protects you from yourself, not from any threats. However, it is a good practice which may be effective against future threats.

    • Turning on the firewall and in stealth mode (regardless of a router being used or not)

    Unnecessary and may cause problems that are difficult to identify--especially for "newbies."

    • Turn on Gatekeeper

    Enabled by default.

    • Turn on FileVault

    Enabled by default on notebooks during the startup manager. Unnecessary for most people, but certainly the "safest" until you forget the password.

    • Allow Apps to download from App store 'only'

    Unnecessary. Defaults are sufficient. And, this is essentially a duplicate since it is GateKeeper. It certainly would be simpler for a certified developer to go rogue, but it isn't out of the realm of possibility that they could do it through the App Store, too. Limiting software to the App Store may be "safer," but it also restricts you from using some very good software, or provides only crippled versions.

    • Update Apps and other security features automatically in system preferences

    This may be bad advice for someone who uses their Mac for their livelihood. Updates may cause third-party applications to stop working. In that environment, updates must be screened on a non-production system to ensure they do not interfere with workflow, and to find workarounds if necessary. A "safe" system that cannot be used for production of wealth isn't particularly useful.

    • Simple Changes to make in Safari

    The defaults are sufficient. You'd have to go into specifics on individual web plug-ins, but I suppose setting them all to Block would be "safest." Not sure how useful that would be. Ask would be fairly safe, but generally when asked a lot, people just get in the habit of allowing without reading.

    As to specific Internet Plug-ins, not installing Flash Player would be "safest" and would have the additional benefit of making your browsing experience better.

    • Explanation on what not to install on a Mac
    • How to protect oneself from social engineering (email links etc.)

    In some cases, these are essentially the same, as many of the things to not install are "sold" to people using social engineering.

     

    You should install programs that help you get your work done and do the things you want to do with your computer.

    You do not need to install things that "help" your computer such as things that purport to Optimize, Protect, Clean, Monitor, Purge, Uninstall, or otherwise Maintain your Mac. They are completely unnecessary on any computer, especially a Mac. They will always cause problems, not fix or prevent anything. There are some tools that can be used on a case-by-case basis which provide some of those functions when absolutely needed.

     

    There is absolutely nothing that can "scan" your computer over the internet unless you install software that allows that functionality. So, any time you get something that claims you have an infection or problem on your computer is a scam.

     

    No company will send you an email indicating necessity to update your account or it will be locked, deleted, or otherwise impaired. Even if you are absolutely certain the email came legitimately, never use the links in the email (short of a password reset link that you specifically requested). Just go directly to the company website and log in normally. If there is an actual problem, you can resolve it from there.

     

    You will never get the Prince of Nairobi's treasure. Any offer that sounds too good to be true is false.

    Social Engineering has worked long before the internet was even considered. It's called a "con." The con-men (and women) now have better access to their "marks." Many people have been bilked out of their life savings through social engineering, mostly preying on the elderly, but anyone is susceptible.

     

    Other than that, this topic is too broad for a checklist. Here are some links (from the User Tips sections):

    Viruses, Trojans, Malware - and other aspects of Internet Security

    How to install adware

    Phony "tech support" / "ransomware" popups and web pages

    Effective defenses against malware and other threats

    Linc Davis has a very good list, but he has never created a User Tip from it, so it is not easily found.
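
A read-only way to check, from Terminal, the settings the checklist in this thread covers (Standard vs. admin account, firewall, stealth mode, Gatekeeper, FileVault). This is an added example, not part of any poster's reply; the helper names `classify`, `account_type`, `run` and `audit` are made up here, and the matched output strings are assumptions about the stock tools' wording on El Capitan.

```shell
#!/bin/sh
# Added example: read-only audit of the built-in settings listed in this thread.
# The matched strings are assumed from the tools' usual El Capitan wording;
# anything else, a missing tool, or a call that needs sudo reports "unknown".

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# classify NAME OUTPUT ON_TEXT OFF_TEXT -> prints "NAME: on|off|unknown"
classify() {
    case "$2" in
        *"$3"*) echo "$1: on" ;;
        *"$4"*) echo "$1: off" ;;
        *)      echo "$1: unknown" ;;
    esac
}

# account_type GROUP_LIST -> "admin" if the list contains the admin group
account_type() {
    case " $1 " in
        *" admin "*) echo admin ;;
        *)           echo standard ;;
    esac
}

# run CMD ARGS... -> the command's output, or nothing if the tool is absent
run() {
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || true
    fi
}

# Query each setting and print one line per item; nothing is changed.
audit() {
    echo "account: $(account_type "$(id -Gn)")"
    classify firewall   "$(run "$FW" --getglobalstate)" "Firewall is enabled" "Firewall is disabled"
    classify stealth    "$(run "$FW" --getstealthmode)" "Stealth mode enabled" "Stealth mode disabled"
    classify gatekeeper "$(run spctl --status)" "assessments enabled" "assessments disabled"
    classify filevault  "$(run fdesetup status)" "FileVault is On" "FileVault is Off"
}

audit
```

An "unknown" line means the tool was not found, needed elevated rights, or printed wording other than the assumed strings, so check that item in System Preferences instead.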
