Q: Safest' secure way to configure a Mac?

1) Leave everything configured as default

Some other things to consider.

Use a Standard Account, but really that only protects you from yourself. If you are running as admin as your only account, create another to make the admin account, then demote your own to Standard.

If you have a router between you and the internet, you don't need the application firewall in OS X. The router acts as a firewall. Now if you have your router configured to pass traffic through your router to your Mac (Port Forwarding or DMZ), then turning on the Firewall may be helpful. You don't have a notebook, but for completeness I'll add that the Firewall may be useful when you connect to a public network, and you have sharing services enabled, and you don't want to go through each one and disable it while on the public network.

When downloading software, only use the developer's website or the App Store. I imagine a developer could start bundling crapware to make an extra buck, but I think they would be quickly identified on the internet and all downloads of their software would cease.

Ok, that wasn't really the "safest" way. For that,

1) Unplug the ethernet cable

2) Disable WiFi

A supplement to Barney's excellent advise (Click on Passwords, Updates and Security on the left and drill through each subsection):

http://help.apple.com/machelp/mac/10.11/#/

Effective defenses against malware and other threats

Apple recommends you keep your computer up-to-date with OS X patches and securities updates as they become available. For Mac this is the safest secure way to configure a mac outside of the common sense to know the email from the UN Ambassador nephew asking for a loan in order to split the riches of the safe deposit box should go to junk mail without reading it.

You can also consider encrypting your data using FileVault.

FileVault 2 - About

First of all secure your network .In your service provider modem enable a strong password , and firewall and keep the settings as automatic , secondly the air port express settings should be absolutely correct that a strong password must be enabled, keep wireless security as WPA2 personal AES , router mode must be off bridge mode , all lights in air port express must be always green .Your network name should be hidden .

observe your base station if any other device hardware added .

In system preferences : security and privacy > general > require password must be always immediately , lock the screen , gatekeeper must be enabled , enable file vault , in firewall > block all incoming connection + enable stealth mode , in privacy disable location services.

In sharing options if you are the single user of system disable all options on LHS i.e. screen sharing ...... enable access for only these users . open the padlock and see the settings inside it . try to disable them also .

In network settings : use location as automatic , try google DNS servers 8.8.8.8 , 8.8.4.4

Enable firmware password ( update firmware password ) there is possibility attackers  attack remotely on firmware  , use private browsing , don't click on suspicious links in mails or on internet use command info . and also please update that are appearing in app store .

Make a habit of observing your home library , hidden library if any malware is sitting there try to remove it manually .

Do not download unidentified third party app - can cause spinning multi coloured  beach ball  , any anti virus .

Also in safari preferences settings : general > safari opens with a new private window , remove history items after one day , file download location : ask for each download , uncheck open safe files after download .

Autofill : check all options , passwords : can check auto fill , search : check all options , security : check all options in allow WEBGL when visiting other web sites > allow it , in plugins allow share point browser  plugin .  in privacy : cookies and website data > allow from websites i visit  , website use of location services > deny without prompting  , website tracking > ask websites not to track me .

Notifications : uncheck > allow websites to ask permissions to send push notifications ,

Extensions : keep it off always , check the box : automatically update extensions from the safari extensions gallery .

advanced : enable > press tab to highlight each item on webpage , internet plug - ins > stop plug ins to save power . rest all options are unchecked .

Google has formed a link to find any malware,  trojans in sites .how to find out if a website is legitimate .

type http://google.com/safebrowsing/diagnostic?site=    in url bar then type the desired website link next to it , there should not be any space between two links . if any trojan is there google will give an report how many trojans are there etc .

or can directly type google safe browsing in url you will find out the way . lot of knowledgable matter is  there to be read in it .

Keep your mac healthy and clean . try not to download third party app , any antivirus .

Your link works really well:

in defense of that link it requires a domain after the "="

http://google.com/safebrowsing/diagnostic?site=www.apple.com

or whatever you want to check.

Missed that, thanks.

This method is just to find out trojans in suspicious sites not for genuine sites . In URL bar we have to  type first  the the safe browsing link , then type desired web site link and click on enter.

note : There must not be any space between the two links .

Nobody mentioned making and keeping good backups.

While we might not think of backing up as security-related thing, it absolutely is. If, despite your best intentions. your Mac becomes compromised by ransomware or some other attack, erasing it and restoring your data from backup could be necessary.

Barney-15E wrote:

 

Ok, that wasn't really the "safest" way. For that,

1) Unplug the ethernet cable

2) Disable WiFi

just to add…

3) Don't unpack your computer at all.

• Creating a Standard account from the admin account

Mostly protects you from yourself, not from any threats. However, it is a good practice which may be effective against future threats.

• Turning on the firewall and in stealth mode (regardless of a router been used or not)

Unnecessary and may causes problems that are difficult to identify--especially for "newbies."

• Turn on Gate Keeper

Enabled by default.

• Turn on File Fault

Enabled by default on notebooks during the startup manager. Unnecessary for most people, but certainly the "safest" until you forget the password.

• Allow Apps to download from App store 'only'

Unnecessary. Defaults are sufficient. And, this is essentially a duplicate since it is GateKeeper. It certainly would be simpler for a certified developer to go rogue, but it isn't out of the realm of possibility that they could do it through the App Store, too. Limiting software to the App Store may be "safer," but it also restricts you from using some very good software, or provides only crippled versions.

• Update Apps and other security features automatically in system preferences

This may be bad advice for someone who uses their Mac for their livelihood. Updates may cause third-party applications to stop working. In that environment, updates must be screened on a non-production system to ensure they do not interfere with workflow, and to find workarounds if necessary. A "safe" system that cannot be used for production of wealth isn't particularly useful.

• Simple Changes to make in Safari

The defaults are sufficient. You'd have to go into specifics on individual web plug-ins, but I suppose setting them all to Block would be "safest." Not sure how useful that would be. Ask would be fairly safe, but generally when asked a lot, people just get in the habit of allowing without reading.

As to specific Internet Plug-ins, not installing Flash Player would be "safest" and would have the additional benefit of making your browsing experience better.

• Explanation on what not to install on a Mac
• How to protect oneself from social engineering (email links ect)

In some cases, these are essentially the same as much of the things to not install are "sold" to people using social engineering.

You should install programs that help you get your work done and do the things you want to do with your computer.

You do not need to install things that "help" your computer such as things that purport to Optimize, Protect, Clean, Monitor, Purge, Uninstall, or otherwise Maintain your Mac. They are completely unnecessary on any computer, especially a Mac. They will always cause problems, not fix or prevent anything. There are some tools that can be used on a case-by-case basis which provide some of those functions when absolutely needed.

There is absolutely nothing that can "scan" your computer over the internet unless you install software that allows that functionality. So, any time you get something that claims you have an infection or problem on your computer is a scam.

No company will send you an email indicating necessity to update your account or it will be locked, deleted, or otherwise impaired. Even if you are absolutely certain the email came legitimately, never use the links in the email (short of a password reset link that you specifically requested). Just go directly to the company website and log in normally. If there is an actual problem, you can resolve it from there.

You will never get the Prince of Nairobi's treasure. Any offer that sounds too good to be true is false.

Social Engineering has worked long before the internet was even considered. It's called a "con." The con-men (and women) now have better access to their "marks." Many people have been bilked out of their life savings through social engineering, mostly preying on the elderly, but anyone is susceptible.

Other than that, this topic is too broad for a checklist. Here is some links (from the User Tips sections):

Viruses, Trojans, Malware - and other aspects of Internet Security

How to install adware

Phony "tech support" / "ransomware" popups and web pages

Effective defenses against malware and other threats

Linc Davis has a very good list, but he has never created a User Tip from it, so it is not easily found.