Should one change any settings beyond the default settings on an iMac and in Safari for extra security?

I have 2-factor authentication on my Apple ID, but is it possible to get 2-factor authentication for logging in/computer password on the iMac Retina 5K 27-inch 2020?
In that case, how is it done? Other options that are easier or safer?

Does desktop PC and Mac login/computer password only work if someone else physically tries to use it, or can they also be exposed to attacks/login to PC from the internet - so one should have something more than just a password for PC and Mac login/computer password?
Can everything stored on PC and Mac then be stolen?

Is location data the same as location services in privacy and security on iMac, can location data/location services also be turned off in Safari?


Should one change any settings beyond the default settings on an iMac Retina 5K 27-inch 2020 and in Safari for extra security?


[Re-Titled by Moderator]

Posted on Jul 23, 2023 1:28 AM


Jul 23, 2023 10:15 AM in response to RS1250

RS1250 wrote:
It is being used in a private home for personal use for several persons, and we just want to make it as safe as possible with all the security threats at the moment.
Should we make any settings beyond the default settings on the Mac and Safari for extra security?

You should make sure all remote access to the computer is disabled. Look in Settings => Sharing and disable all items there.


Make sure your router has a firewall active. Make sure your Mac has its firewall active. Make sure your Mac is 100% up to date in macOS updates. You can set that to stay up to date automatically. Make sure all Microsoft products and Adobe products are kept up to date, automatically if that is an option.


Go to Safari, Settings, Notifications and remove all and/or turn all off to "disable." Do the same for any other browsers. Make sure all users except the owner (you?) are not administrator users.


In Settings, make sure that password is required immediately when the screen saver activates and when the screen blanks. Set the timing interval to be immediate for the password to be required (this is set in the Energy saver setting and in Security and Privacy Settings).


I believe most of the above are the defaults but check to be sure.


People worry a lot about airplane safety. But in fact, the much bigger threat to passenger safety is riding to the airport in an automobile. Similarly on computers, people worry about computer security because they read about things. But computers are typically configured to be very secure and safe: the biggest threat to security on a computer is not the computer settings, it is the behavior of the users. If they click on things they should not or visit web sites they should not, or believe emails they should not, or open attachments they should not, those are much bigger threats to security than the settings on the Mac. Which is why you should make most users standard, not administrator users. And you need to train them to not believe everything they see while on the internet. Explain to them not to click on links, but instead to manually enter a company's website address when they want to go to it. For instance, don't click on a link in an email that says "Microsoft web site" but instead enter directly the address for a Microsoft web site (or for any other company).


The above will make your Mac very secure.


For your router and local network, make sure that the password is long and complex to access your WiFi or network. You can also change that password periodically.


Are you worried about some non-user trying to get access? If so, you can make sure that your users are using very long and complex passwords. And make sure that your home is locked and physically secure.

Jul 23, 2023 12:06 PM in response to RS1250

RS1250 wrote:

Make sure your router has a firewall active. Make sure your Mac has its firewall active. Make sure your Mac is 100% up to date in macOS updates. You can set that to stay up to date automatically. Make sure all Microsoft products and Adobe products are kept up to date, automatically if that is an option.

How do I check and do that?

Go to Safari, Settings, Notifications and remove all and/or turn all off to "disable." Do the same for any other browsers.

Can this be right, and why?

Kurt Lang provided some more information.


To verify the router has not had its firewall modified or changed (anyone with access to the router can do that, so it is best to verify rather than assume it is all set up right), you would go to your router settings and check. Your router manufacturer's web site has instructions, or if the router comes from your internet provider, check with them. Each router has different ways to access these settings.


For Mac system updates, go to Settings, Software Update, and configure them appropriately.


For Microsoft products, open a program such as MS-Word and under Help menu Check for Updates. You can configure automatic updates there.


For Adobe products, open a program (Adobe Acrobat Reader e.g.) and under Help ... Check for Updates.


For Safari and other browsers, I agree with Kurt, there is no good reason a website should be pushing notifications to you. It can be a problem if any are allowed to because those notifications can be configured to include images of Apple logos and Apple Software icons so it looks like an official notification. Some spoofers include these images along with "click here to update security" or something like that but clicking leads one to third party web sites or worse. So just eliminating the notifications prevents these problems.


I forgot to mention one other important thing. Do not disable System Integrity Protection (SIP) on a Mac. If you don't know what SIP is or how to disable it, then no problem as it is on by default in Ventura and it is actually somewhat involved for most users to disable it. It prevents execution of unauthorized code on your Mac.

Jul 24, 2023 1:57 AM in response to Kurt Lang

Is there someone who can please explain and/or make screenshots of exactly how to do and check the points below?


  • Don't install browser extensions unless you understand their purpose:
    • Go to the Safari menu > Preferences... > Extensions. If you see any Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone.
    • No Safari Extensions are required for normal operation.
  • Don't install any Profiles unless your Mac is owned or controlled by your employer, school, or similar institution:
    • Profiles are commonly installed by institutions to ensure their Macs conform to their requirements.
    • To determine if a Profile is installed on your Mac, open  (Apple menu) > System Preferences... > General.
    • If you see Profile pane and you have no explanation for its presence, you may have been deceived into installing it. Remove it by selecting it and clicking the [—] (minus) button.
  • Don't install Java or Flash unless you are certain that you need it:
    • Java, a non-Apple product, remains a potential vector for malware. If you are required to use Java, be mindful of that possibility.
    • Java can be disabled in System Preferences.
    • Despite its name JavaScript is unrelated to Java. No malware can infect your Mac through JavaScript. It's OK to leave it enabled.
    • Adobe Flash Player and all support for it is gone. If you see an offer to upgrade Flash, it's an obvious scam. Ignore it.


Jul 24, 2023 6:59 AM in response to RS1250

In which setting can I find if the SIP is on?

Open Terminal in the /Applications/Utilities folder. Type in:


csrutil status


Press the Enter key. It should return:


System Integrity Protection status: enabled.


You can't disable SIP while booted to a user account in the desktop GUI. You have to go quite a bit out of your way to do that. So I wouldn't worry about it.

What are the default settings in Safari-settings-websites: browser, autoplay, page zoom, camera, microphone, screen sharing, location, downloads, notifications and popups? (wonder since I have changed them)

The only one of those that has any type of security concern is screen sharing. And by default, all sharing settings are off.

* Don't install browser extensions unless you understand their purpose:
* Go to the Safari menu > Preferences... > Extensions. If you see any Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone.
* No Safari Extensions are required for normal operation.

As a basic answer, no browser needs an extension to operate. But there are also plenty of extensions that are helpful. In Safari, I have the 1Password and Ka-Block! extensions installed.


My site passwords are long, obnoxious and theoretically unbreakable. For anyone trying to remotely break into any of my accounts, it would take over a trillion years for anyone to brute force hit one correctly. Using 1Password allows me to fill those in with a click instead of trying to type them in. A strong password to open 1Password itself (which I do need to type in) keeps anyone else out of my site passwords.


Ka-Block! is just an ad blocker. It's in the App Store, free, and works well. Web sites load much faster when your browser isn't wasting time downloading and displaying tons of ads.

* Don't install any Profiles unless your Mac is owned or controlled by your employer, school, or similar institution:
* Profiles are commonly installed by institutions to ensure their Macs conform to their requirements.
* To determine if a Profile is installed on your Mac, open  (Apple menu) > System Preferences... > General.
* If you see Profile pane and you have no explanation for its presence, you may have been deceived into installing it. Remove it by selecting it and clicking the [—] (minus) button.

Correct. User profiles have specific control uses the typical user does not need. Unless you know it was put there by the entity who actually owns the computer (not you), such as your employer, school, etc., you should never see one. In the unlikely event one does somehow appear on your personal computer, assume it's malicious and remove it.

* Don't install Java or Flash unless you are certain that you need it:
* Java, a non-Apple product, remains a potential vector for malware. If you are required to use Java, be mindful of that possibility.
* Java can be disabled in System Preferences.
* Despite its name JavaScript is unrelated to Java. No malware can infect your Mac through JavaScript. It's OK to leave it enabled.
* Adobe Flash Player and all support for it is gone. If you see an offer to upgrade Flash, it's an obvious scam. Ignore it.

The only safe place to get Java is directly from Oracle. That version is for running Java apps in a browser. Virtually no one uses this anymore, or builds a web site that requires it. Any site that still does is one you shouldn't visit. Their webmaster is way behind the times. This is the same version you would disable in the System Preferences. But you shouldn't install it to start with.


JavaScript does things you see every day in your browser, like rollovers. Actually, it can do quite a bit. But it's all for looks to make sites more visually engaging.


Any crook still throwing out a popup on a site you come across that insists you download and install Flash directly from them isn't just living in the past, they're just plain stupid. Ignore idiots.
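The checks mentioned in this thread (`csrutil status` for SIP, FileVault, the macOS firewall, and keeping other accounts as standard users) can be gathered into one read-only Terminal script. This is an added example, not part of any post in the thread; the function names are hypothetical, and the matched strings "FileVault is On" and "Firewall is enabled" are assumed to be what `fdesetup status` and `socketfilterfw --getglobalstate` print on current macOS.

```shell
#!/bin/sh
# Added example: read-only audit of settings discussed in this thread.
# Function names are hypothetical; nothing here changes any setting.

# check_output LABEL EXPECTED OUTPUT
# PASS (status 0) if the tool's OUTPUT contains EXPECTED, else WARN (status 1).
check_output() {
    case "$3" in
        *"$2"*) echo "PASS  $1"; return 0 ;;
        *)      echo "WARN  $1 (got: ${3:-no output})"; return 1 ;;
    esac
}

# extra_admins DSCL_OUTPUT OWNER
# Prints each member of the admin group other than root and OWNER.
# Returns 2 if the dscl output is not in the expected form.
extra_admins() {
    case "$1" in
        "GroupMembership:"*) ;;
        *) return 2 ;;
    esac
    for u in ${1#GroupMembership:}; do
        [ "$u" = root ] || [ "$u" = "$2" ] || printf '%s\n' "$u"
    done
}

# audit_mac OWNER
# Runs the real macOS tools, prints one line per check, then a warning count.
audit_mac() {
    owner=$1; warnings=0
    check_output "System Integrity Protection on" \
        "System Integrity Protection status: enabled" \
        "$(csrutil status 2>&1)" || warnings=$((warnings + 1))
    check_output "FileVault disk encryption on" "FileVault is On" \
        "$(fdesetup status 2>&1)" || warnings=$((warnings + 1))
    check_output "macOS firewall on" "Firewall is enabled" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" \
        || warnings=$((warnings + 1))
    others=$(extra_admins \
        "$(dscl . -read /Groups/admin GroupMembership 2>&1)" "$owner") \
        || others="(could not read admin group)"
    if [ -n "$others" ]; then
        echo "WARN  administrator accounts besides $owner:" $others
        warnings=$((warnings + 1))
    else
        echo "PASS  $owner is the only administrator"
    fi
    echo "$warnings warning(s)"
}

# Only run the live checks on macOS; the helpers above work anywhere.
if [ "$(uname -s)" = Darwin ]; then
    audit_mac "$(id -un)"
fi
```

Run it from the owner's account; a WARN line names the setting to look at in System Settings, it does not change anything itself.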

Jul 24, 2023 12:15 PM in response to steve626

Here's some food for thought:


First, there is no reason to ever install or run any 3rd party "cleaning", "optimizing", "speed-up", anti-virus, VPN or security apps on your Mac. These documents describe what you need to know and do in order to protect your Mac: Effective defenses against malware and other threats - Apple Community and Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support.


There are no known viruses, i.e. self propagating, for Macs.  There are, however, adware and malware which require the user to install although unwittingly most of the time thru sneaky links, etc.   


Anti Virus developers try to group all types as viruses into their ad campaigns of fear.  They do a poor job of the detecting and isolating the adware and malware.  Since there are no viruses these apps use up a lot of system resources searching for what is non-existent and adversely affect system and app performance.


There is one app, Malwarebytes, which was developed by a long time contributor to these forums and a highly respected member of the computer security community, that is designed solely to seek out adware and known malware and remove it.  The free version is more than adequate for most users.  


Also, unless you're using a true VPN tunnel, such as between you and your employer's, school's or bank's servers, they provide false security from a privacy standpoint. Read these two articles: Public VPN's are anything but private and Former Malware Distributor Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites


You're at home so have control over who has access to the computer. Each person should have their own login Account with user name and password and Apple ID. If you're behind a good router with strong security, i.e. WPA2 Personal, you are protected from anyone hacking into your Mac from outside.


Jul 27, 2023 8:24 AM in response to Old Toad

Old Toad wrote:

You're at home so have control over who has access to the computer. Each person should have their own login Account with user name and password and Apple ID.

Just to add to this, you may want to leave the other macOS user accounts you create as Standard users (default when creating a new user macOS account) so that the other users cannot make system wide configuration changes and to prevent them from accessing some restricted areas like other user accounts. Only change them to "admin" or Administrators if necessary and only if you trust them not to weaken your security or perform any other nefarious actions. Any macOS user account you create which you allow to "Administer this Mac" will have the same ability to re-configure the Mac and access all areas of the drive as your main admin user account.


Jul 23, 2023 11:18 AM in response to RS1250

Virtually every router sold has a firewall built in, and is active by default.


Since your Mac (and any other device in your home) is using that router, there is no need whatsoever to turn the OS firewall on. It will literally have nothing to do since the router is already providing that function.


For Safari, steve626 is referring to this:


Open Safari's preferences. Click on the Websites tab and then scroll down to Notifications. Clear any entries in the right hand window. You might find something similar in the Pop-up Windows heading below that. Block any you don't recognize.


Then if you want, uncheck the box below as shown here.


I personally can't think of any reason why I would ever want any website to push notices to me.


Jul 24, 2023 7:36 AM in response to Kurt Lang

Just for funsies, if you want to see how good your passwords are, try this site:


https://www.passwordmonster.com/


I put in a newly generated password of sjWnb2b6yCwsi3hAAMu9yG1w


It would take someone 8 thousand trillion trillion years to break it. Longer if I had put in any special characters.


There are more than a few sites like this, and the results of how long they think it would take to break can vary pretty widely. But it's also common knowledge that long, random passwords are the hardest to break. Anything with phrases in it, like poodle, airplane, etc. are much easier as crooks use password hacking apps that try millions of common words.


On this same site, poodleairplane would only take 87.64 seconds to break.


But this also assumes a person can keep trying one password attempt after another indefinitely. There's almost nowhere you can do this anymore. You get five failed attempts (sometimes only three) and then the account gets locked.

Jul 23, 2023 1:55 AM in response to RS1250

RS1250,


How much Security do you want for this computer when started from the Off Position ?


To really Lock Down the computer from even booting up the Operating System >>


Set a firmware password on your Mac


Before considering the above option, really suggest you read all the details


Excerpt from above


If you forgot your firmware password

If you can't remember your firmware password, schedule an in-person service appointment with an Apple Store or Apple Authorized Service Provider. Bring your Mac to the appointment, and bring your original receipt or invoice as proof of purchase.


Jul 23, 2023 3:48 AM in response to RS1250

In general - macOS is as secure as needed with the Default Setting enabled.


You can use FileVault to encrypt the Drive


Intro to FileVault - Apple Support (CA)


Then and from a Respected Contributor


The Built in Security is all that is required.


Then and again from a Respected Contributor


Phony "tech support" / "ransomware" popup… - Apple Community


Added, and only if you believe you are a High Value Target


About Apple threat notifications and protecting against state-sponsored attacks - Apple Support


Lastly, and not intended to be a flippant idea


Stay Off the Internet unless absolutely required


The Internet used to be an ok place.


But as it has become more used by everyone.


So have the Bad Actors tricking you or offering " The Pie In the Sky " & " Too good to be true offers " you have to be educated on what is " true and verifiable " from more than 1 source is required by the User ( you )


Above statement reflects my personal opinion and not Apple's




Jul 23, 2023 10:45 AM in response to steve626

Make sure your router has a firewall active. Make sure your Mac has its firewall active. Make sure your Mac is 100% up to date in macOS updates. You can set that to stay up to date automatically. Make sure all Microsoft products and Adobe products are kept up to date, automatically if that is an option.


How do I check and do that?


Go to Safari, Settings, Notifications and remove all and/or turn all off to "disable." Do the same for any other browsers.


Can this be right, and why?

Jul 23, 2023 3:00 AM in response to RS1250

Welcome 🇨🇦


Since we do not own what is broken and needing fixing >>


Then have a few suggestions ;


1 - Get Support (Choose a product and we’ll find you the best solution. Start now) and open an Apple Support Ticket, as they are Apple Employees to deal with these types of issues.


2 - Have the computer evaluated by the Professionals who have the Special Hardware Software and Expertise to diagnose the issue and offer possible solutions


3 - Make an Appointment at the Apple Genius Bar and have them evaluate the computer

Jul 23, 2023 12:13 PM in response to steve626

It (SIP) prevents execution of unauthorized code on your Mac.

Not quite. Per Apple's description:


System Integrity Protection is a security technology designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.


SIP exists solely to protect the OS, the apps installed with the OS, and their support files. It does nothing to stop the user from running unauthorized code. Downloading and running/installing back doors, key loggers, adware, ransomware are just some of the things the OS can't stop the user from doing.

Jul 23, 2023 12:27 PM in response to Kurt Lang

Disabling and Enabling System Integrity Protection | Apple Developer Documentation


"System Integrity Protection (SIP) in macOS protects the entire system by preventing the execution of unauthorized code. The system automatically authorizes apps that the user downloads from the App Store. The system also authorizes apps that a developer notarizes and distributes directly to users. The system prevents the launching of all other apps by default."


I think we are basically saying the same thing in different ways ... In any case, most users should leave it on.
