How to Use macOS Launch Security to Protect Your Mac

There are ways to make macOS run more securely.

There are several utilities you can use on your Mac to help protect it at startup. Here's how to use them to keep your Mac and data safe.

Computer security is an important topic in today's digital world, and most electronic devices are at risk to some degree.

Apple has made every effort to ensure the security of its platforms, but attackers can still break into Apple systems, steal data, and compromise them.

Always remember that perfect security does not exist.

The best thing you can do is minimize the attack surface on your device or system to make it as difficult as possible for an attacker to gain access to your systems.

From the very beginning, Apple made macOS very secure. It is one of the most secure operating systems in the world.

iOS and tvOS devices are even more secure because they can only download software from the Apple-curated App Store. That is, unless the devices' security is compromised using illegal hacking software.

Also keep in mind that, at least in the US, hacking a computer device is a violation of the Digital Millennium Copyright Act. This makes it a federal crime.

Startup vectors

One of the most vulnerable points for attack on a computing device is when the device first starts up.

Most computers, including smartphones and tablets, go through a process known as booting up when they turn on. During this process, the operating system has not yet loaded and there is very little software running on the device.

It is at this stage that an attacker can perform various attacks to bypass the OS. They can also install malicious software such as viruses, Trojan horses, and malicious firmware that allows them to run their own code, or even damage the device.

In new iOS devices, Apple solves this problem using the Secure Enclave or the T2 Security chip.

Secure Enclave is a secure hardware area on a device that uses both hardware and encryption to protect the device.

For historical reasons, Macs are not as secure as iOS devices, so attackers can install software on older Macs that could compromise their security.

Later Macs with Intel processors include the T2 security chip to avoid these problems. Apple Silicon Macs based on M2 and later have Secure Enclave built-in.

On a Mac with a T2 chip, the internal storage is encrypted with keys tied to the Mac's hardware to provide an additional layer of security.

This means that it is difficult to recover lost or damaged files on a T2-based Mac. Any utility attempting to recover an encrypted storage volume must know how to use secure keys tied to the Mac hardware.

This is something that Apple doesn't publish documentation about for obvious reasons.

On Apple Silicon Mac computers, all volumes of the macOS startup disk are encrypted. Apple calls them signed system volumes.

Apple Silicon Macs will not execute system files on signed system volumes that do not have a valid Apple cryptographic signature.

This makes it difficult to tamper with macOS system files and still have them run on Apple Silicon Macs.

The startup disk

However, one of the largest attack vectors on the Mac is the startup disk itself.

When your Mac starts up, it first loads a small piece of firmware, the boot ROM, to enable all of its internal systems. It then runs the firmware to initialize things like the display and networking.

Most of this code is contained in the Mac hardware itself.

The Mac's boot ROM then hands off to two more pieces of firmware: LLB and iBoot.

iBoot is actually made up of two parts, and if the second part confirms that everything is fine, it looks for an internal or connected storage device to boot the macOS kernel.

Security issues may arise here.

Perhaps the biggest security risk during startup is that you can optionally connect additional storage devices to your Mac through USB, Thunderbolt, or network ports.

Signed system volumes ensure that only valid versions of macOS can be loaded. But at this stage, there is still a possibility that attackers will introduce malicious code.

But always keep in mind that if your Mac's startup sequence is not secure, any attacker can simply plug an external device into it, reboot the Mac, and force it to boot into that device.

There are ways to password protect your startup drive and your Mac in general, which we'll talk about a little later.

Once the Mac has booted from an external device, attackers can copy and steal files, inject malicious code into your Mac, and even use it as a remote terminal to wage cyber warfare over the Internet.

Trade secrets of many companies, including Apple, have been stolen by industrial spies by simply copying files to external devices.

Even the secrets of the Apple Car project were stolen in this way.

Securing your Mac

There are several ways to protect your Mac. Using Apple's built-in software, you can:

  1. Use the Startup Security Utility.
  2. Use Secure Boot and External Boot.
  3. Prevent booting from external devices.
  4. Password-protect your Mac at startup.
  5. Limit login users and passwords.
  6. Password-protect one or more storage devices.
  7. Start up in Safe Mode.
  8. Use Lockdown Mode.
  9. Lock your Mac remotely using MDM.

The Startup Security Utility is an app added by Apple to macOS starting with Mac computers that include the T2 Security chip and later models.

On Macs with or without a T2 chip, you can set a firmware password if your Mac supports it.

A firmware password stops the boot process and prompts the user for a password before loading the operating system.

Using the startup security utility, you can set a firmware password, enable secure boot, or enable/disable external boot. The last two options require a T2 chip.

To launch the Startup Security Utility on an Intel Mac, turn on your Mac and hold Command (⌘)-R on your keyboard. This starts macOS Recovery.

macOS Recovery is a special application built into your Mac's firmware that provides access to parts of macOS such as the Installer, Disk Utility, Terminal, and the startup security utility.

When you hold down the Command (⌘)-R keys on your keyboard, the Mac's boot loader redirects the boot to macOS Recovery instead of the copy of macOS on the startup disk.

Once in macOS Recovery, you won't be able to do anything other than launch one of the available programs, shut down, or restart.

In macOS Recovery, enter your administrator password, then select Utilities->Startup Security Utility from the menu bar.

In the Startup Security Utility, you can set a firmware password, set the security level used during boot (secure boot), and specify whether to allow booting from external media (external boot).

The Full Security option in the Startup Security Utility forces the Mac firmware to verify the installed version of macOS against Apple's servers over the network.

Hence, you will need a network connection if you choose this option.

You can also turn off Secure Boot completely, allowing booting of any installed version of macOS.

The Startup Security Utility.

Apple Silicon Macs

The process is slightly different on Apple Silicon Mac computers.

When booting your Apple Silicon Mac, press and hold the Mac's power button until the “Loading Startup Settings” message appears.

Click Options, then click Continue. Then select Startup Disk and click Next.

Enter your administrator password, then click Continue.

In the Recovery application, select Utilities->Startup Security Utility. Then select the system you want to use to set the security policy.

If FileVault is enabled on the selected storage volume, you must first unlock it by entering a password.

In the Security Policy section of the Startup Security Utility, you have only two options: Full Security or Reduced Security.

Full security allows you to run only your current version of macOS. This also requires a network connection.

Reduced security allows you to run any trusted signed version of macOS, as long as your Mac supports it.

In the Reduced Security section, you can also set options to allow and manage legacy kernel extensions if you want to allow them to run.

Once you've made all your settings, click OK, and then restart your Mac. The changes will not take effect until you restart your computer.

User login passwords

User login passwords pose another security risk.

By default, macOS Setup Assistant requires the user to create a username and password when setting up the Mac for the first time.

But if that user is an administrator, it is possible to turn off the login requirement entirely in System Settings, so that no password is asked for when the user logs in.

This is completely unsafe, as the Mac will boot straight into the Finder when turned on, without any intervention.

Therefore, you should always require passwords for all users.

In System Settings->Users & Groups, you can also enable “Automatically log in as” and set it to any user account on the computer.

The “Automatically log in as” option in the Users & Groups panel.

In Users & Groups, you can also enable a Guest User account, which does not require a login password.

If you are in an environment that uses Active Directory (AD) for user management, you can allow users to sign in with their AD credentials stored on the AD server (or in the Microsoft Entra ID cloud service).

You can also open the hidden Directory Utility app in macOS from this panel (in the Network Account Server panel).
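A command-line companion to the Startup Security Utility and user-login sections above, added here and not part of the original article: it audits the firmware password, automatic login and Guest User settings. The evaluate_* functions take one command's raw output as an argument (the Intel `firmwarepasswd -check` and `defaults read` commands are real; their sample outputs in the comments and the `ok`/`WARN` wording are constructed), so they can be exercised with sample output on any system, while real collection only runs on macOS.

```shell
#!/bin/sh
# Added example, not from the article: command-line audit of settings the
# article covers (firmware password, automatic login, Guest User). Each
# evaluate_* function takes one command's raw output as its argument, prints
# a finding and returns 0 (safe) or 1 (weak), so it can be exercised with
# constructed output on any system; real collection only runs on macOS.

evaluate_firmware_password() {   # input: output of `sudo firmwarepasswd -check`
  case "$1" in
    *"Password Enabled: Yes"*) echo "ok   firmware password is set"; return 0 ;;
    *) echo "WARN no firmware password: booting from external media is unrestricted"; return 1 ;;
  esac
}

evaluate_auto_login() {          # input: `defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser`
  case "$1" in
    ""|*"does not exist"*) echo "ok   automatic login is off"; return 0 ;;
    *) echo "WARN automatic login enabled for user '$1'"; return 1 ;;
  esac
}

evaluate_guest() {               # input: `defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled`
  case "$1" in
    1) echo "WARN Guest User is enabled (no password required)"; return 1 ;;
    *) echo "ok   Guest User is disabled"; return 0 ;;
  esac
}

# Collect real values (macOS only) and count weak settings. Firmware passwords
# are an Intel-only feature, so that check is skipped on Apple Silicon.
audit_mac() {
  findings=0
  lw=/Library/Preferences/com.apple.loginwindow
  if [ "$(uname -m)" != "arm64" ]; then
    evaluate_firmware_password "$(sudo firmwarepasswd -check 2>&1)" || findings=$((findings + 1))
  fi
  evaluate_auto_login "$(defaults read "$lw" autoLoginUser 2>&1)" || findings=$((findings + 1))
  evaluate_guest "$(defaults read "$lw" GuestEnabled 2>&1)" || findings=$((findings + 1))
  echo "$findings weak setting(s) found"
  return "$findings"
}

if [ "$(uname -s)" = Darwin ]; then audit_mac; fi
```

On a Mac, `defaults read` prints a "does not exist" error for a key that was never set, which the script treats as the safe default; the exit status of `audit_mac` is the number of weak settings, so it can be used from other scripts.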

Password-protected volumes

On macOS, you can also password protect individual storage volumes so that they cannot be mounted without the user entering a password.

This makes it much more difficult to access files on the volume if the user does not know the password.

However, keep in mind that to do this, you will need to first erase and encrypt the storage volume using Apple's Disk Utility app.

To do this, first back up the volume files for later restoration, then launch the Apple Disk Utility application in the /Applications/Utilities folder.

In Disk Utility, select the volume you want to encrypt, click Erase in the toolbar, enter the volume name, select GUID Partition Map, and select the encrypted file system format from the pop-up menu.

Enter and verify the password for the encrypted volume, then click Select. Click Erase, then Done.

Disk Utility will erase the volume, encrypt it, and protect it with the password you enter.

The next time you restart your Mac or connect a device containing the volume to your Mac, you will be prompted to enter the password before the volume is mounted on the Finder desktop.

You can also encrypt a volume without erasing it from the sidebar of any Finder window, by Control-clicking it and choosing Encrypt from the pop-up menu.
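The command-line counterpart of the Finder's Encrypt step above, added here and not code from the original article: it parses `diskutil apfs list` output for volumes that are still unencrypted and prints the `diskutil apfs encryptVolume` command that would encrypt each one in place. The `diskutil` commands are real; the sample listing is constructed and trimmed to the fields the parser uses, and the commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not from the article: report APFS volumes that are still
# unencrypted by parsing `diskutil apfs list` output, and print the diskutil
# command that encrypts each one in place (the command-line counterpart of
# Finder's Encrypt). Commands are printed, never run; off macOS only the
# constructed sample below is parsed.

# Print "device<TAB>name" for every volume whose FileVault field is "No"
# (diskutil reports APFS volume encryption as "FileVault:" for all volumes).
unencrypted_volumes() {
  printf '%s\n' "$1" | awk '
    /APFS Volume Disk/            { dev = $5; name = "" }
    /^ *Name:/                    { sub(/^ *Name: */, ""); sub(/ \(Case.*$/, ""); name = $0 }
    /^ *FileVault:/ && $2 == "No" { printf "%s\t%s\n", dev, name }'
}

# One remediation line per unencrypted volume; diskutil prompts for the
# passphrase interactively when -passphrase is omitted.
encrypt_commands() {
  unencrypted_volumes "$1" | while IFS="$(printf '\t')" read -r dev name; do
    echo "diskutil apfs encryptVolume $dev -user disk   # volume: $name"
  done
}

# Constructed sample, trimmed to the fields the parser uses.
SAMPLE='APFS Container (2 found)
+-- Container disk3
    +-> Volume disk3s1
        APFS Volume Disk (Role):   disk3s1 (System)
        Name:                      Macintosh HD (Case-insensitive)
        FileVault:                 Yes (Unlocked)
    +-> Volume disk3s5
        APFS Volume Disk (Role):   disk3s5 (Data)
        Name:                      Macintosh HD - Data (Case-insensitive)
        FileVault:                 Yes (Unlocked)
+-- Container disk4
    +-> Volume disk4s1
        APFS Volume Disk (Role):   disk4s1 (No specific role)
        Name:                      Backup (Case-insensitive)
        FileVault:                 No'

if [ "$(uname -s)" = Darwin ]; then
  encrypt_commands "$(diskutil apfs list)"
else
  encrypt_commands "$SAMPLE"
fi
```

Encrypting in place keeps the volume's files, which is the same behaviour as the Finder's Encrypt command, so the erase-and-restore sequence from Disk Utility is only needed when you also want to repartition.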

Booting in safe mode

macOS supports legacy kernel extensions (kexts), which are software components that extend the functionality of the macOS kernel with custom code.

In macOS 11 and later, Apple deprecated kexts in favor of system extensions, which are considered more secure and less likely to crash macOS if their code misbehaves.

At boot time, macOS bundles all kexts into an auxiliary kernel collection (AuxKC) and then runs some of the firmware mentioned above.

Only after most of the firmware boot process is complete is the AuxKC loaded into the kernel, where the kexts are allowed to run.

Using Safe Mode, you can boot macOS but exclude the AuxKC, which prevents kexts from loading.

To boot your Mac into Safe Mode, boot into Recovery Mode as above. After selecting the storage volume you want to use, hold down the Shift key, and then continue with the steps listed above.

When your Mac reboots, it will boot macOS from the specified volume, but will tell iBoot not to load the AuxKC.

Lockdown Mode

Lockdown Mode “helps protect devices from extremely rare and sophisticated cyberattacks,” according to Apple.

Lockdown Mode essentially limits the features available in macOS to reduce the attack surface (the ways attackers can break in).

Lockdown Mode is available in macOS Ventura and later versions.

When Lockdown Mode is enabled, macOS does not support all the features that are available during normal operation. Lockdown Mode limits certain online activities, such as attachments in Messages and FaceTime, some web technologies, device connections, and configuration profiles.

For a complete list of Lockdown Mode restrictions, see Apple's technical note.

You can enable Lockdown Mode in macOS in System Settings->Privacy & Security->Lockdown Mode.

MDM

Apple's Mobile Device Management (MDM) technology allows system administrators to remotely lock Macs using MDM servers.

To use MDM to remotely lock a Mac, the Mac must be enrolled in MDM on the MDM server, and the administrator must set the MDM conditions under which the Mac will be locked.

After enrollment in MDM, remote locking is controlled by the server and the server administrator.

MDM is used by administrators to remotely disable Apple devices that could become a threat to an organization's networks.

Security is a complex topic, and there are many ways to improve the security of your Mac computers.

In this article, we did not cover FileVault or protecting the integrity of the Mac system; we will discuss those in the next article.