blog.bejarano.io

Hardening macOS

Update (Mon, 8 Oct 2018): some extra advice has been added about automatic updates, sharing and privacy settings, the guest user account, fixing a particular misconfiguration of ssh-agent and the "Further reading" section at the end.

Update (Tue, 2 Oct 2018): some minor updates have been made based on general feedback, thanks to everyone that collaborated. Do not hesitate to contact me if you find anything else that should be modified.

Why?

  1. There are bad guys out there who want to steal your data, your money, your identity, your time... They come from very different backgrounds: some are known as criminals, others as governments or ad companies.

  2. Your device is not secure, and never will be. I'm not going to lie to you: this guide ain't no silver bullet, there's no such thing as a completely secure system. That said, you can make it a lot harder for the bad guys to steal what's yours, and that's what this guide is for.

Warning: if your threat model is a state-sponsored agency, you are better off without macOS, see OpenBSD.

Disclaimer: some of these steps may mildly degrade the user experience; security is always a trade-off against convenience. Some of the steps may require extra research, always follow trusted sources.

How?

Install a fresh copy of macOS

Note: this step is optional but highly recommended: starting from a clean system avoids carrying over misconfiguration from a previous installation.

  1. Boot into Recovery Mode (hold command + R during boot)

  2. (Optional) Go to Utilities > Firmware Password Utility and consider setting a firmware password. It stops anyone with physical access from booting the Mac from another disk or into Recovery Mode without it, which matters should the machine be lost or stolen. It does not encrypt your data; that is what FileVault (below) is for.

  3. Format the boot drive and install macOS from scratch (Warning: this step will permanently delete the contents of the boot drive)

First boot

  1. Clear the NVRAM (hold command + option + P + R during boot). Note that a firmware password blocks this key combination, so either do this before setting one or temporarily turn the password off.

  2. Create an administrator user account with a strong password and no password hint. Use this account for administration only, never for day-to-day work.

  3. Go to System Preferences > Users & Groups and create a standard (non-administrator) user account for day-to-day use; Apple itself recommends this

  4. Go to System Preferences > Users & Groups > Guest User and uncheck Allow guests to log in to this computer

  5. Go to System Preferences > Software Update and consider enabling automatic updates. If you are not comfortable with that, at least go into Advanced... and check Install system data files and security updates so that security fixes are still applied without you having to remember them

  6. Go to System Preferences > Security & Privacy > General and set Require password after sleep or screen saver begins to immediately or 5 seconds

  7. Go to System Preferences > Security & Privacy > General and set Allow apps downloaded from to App Store or App Store and identified developers (this is Gatekeeper; $ spctl --status should report "assessments enabled")

  8. Go to System Preferences > Security & Privacy > Firewall and turn on the firewall

  9. Go to System Preferences > Security & Privacy > Firewall > Firewall Options... and check Block all incoming connections. This refuses every incoming connection except the basic system services macOS needs (such as DHCP and Bonjour), so sharing services you have not explicitly enabled can no longer be reached from the network

  10. Go to System Preferences > Security & Privacy > Privacy > Location and uncheck Enable Location Services

  11. Go to System Preferences > Security & Privacy > Privacy > Analytics and uncheck Share Mac Analytics

  12. Go to System Preferences > Sharing and anonymize the computer's name; this name can be seen by anyone on the same network as you

  13. Go to System Preferences > Sharing and turn off every service (turn on only when using it and disable afterwards)

  14. Go to System Preferences > Network > Advanced > DNS, add two entries to DNS Servers for 1.1.1.1 and 1.0.0.1 (Cloudflare's public resolvers) and remove any other server, including the ones handed out by your network's DHCP

  15. Go to System Preferences > Spotlight > Search Results and uncheck Spotlight Suggestions and Allow Spotlight Suggestions in Look up

  16. Go to System Preferences > General and uncheck Allow Handoff between this Mac and your iCloud devices

  17. Go to System Preferences > Bluetooth and turn off Bluetooth (turn on only when using it and disable afterwards)

  18. Go to Finder > Preferences > Advanced and check Show all filename extensions

  19. Disable the captive portal assistant, so that macOS stops probing Apple's servers every time you join a network (log in to hotspot portals with your browser instead): $ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false

  20. Disable the Crash Reporter dialog: $ defaults write com.apple.CrashReporter DialogType none (this is a per-user preference, so run it as each user rather than with sudo; it only suppresses the dialog, crash logs are still written locally)

  21. Block malicious domain names using the /etc/hosts file (see StevenBlack/hosts)

  22. Consider running an outbound firewall such as Little Snitch (proprietary, full-featured) or LuLu (open-source, very basic)

  23. Consider doing binary whitelisting with google/santa

  24. Go to System Preferences > Security & Privacy > FileVault and turn on FileVault (note: may take some time). Keep the recovery key somewhere safe that is not this Mac; $ fdesetup status should report "FileVault is On." once it has finished

  25. Make sleep evict the FileVault key from memory: $ sudo sh -c 'pmset -a destroyfvkeyonstandby 1; pmset -a hibernatemode 25; pmset -a powernap 0; pmset -a standby 0; pmset -a standbydelay 0; pmset -a autopoweroff 0'. With hibernatemode 25 the Mac writes memory to disk and powers RAM off on sleep instead of keeping it powered, so the key is not sitting in memory while the lid is closed; the price is a slower wake-up. Verify with $ pmset -g

  26. If you plan on using ssh with ssh-agent, give the agent a key lifetime so that loaded keys expire instead of staying usable for as long as you are logged in. The system job lives under /System (read-only), so disable it and load a modified copy instead:

    # make a copy of the system LaunchAgent:
    $ sudo cp -p /System/Library/LaunchAgents/com.openssh.ssh-agent.plist /Library/LaunchAgents/local.com.openssh.ssh-agent.plist

    # in the copy, add the two "-t" and "8h" strings to ProgramArguments (8h is an example lifetime; ssh-agent -t also accepts seconds or values such as 30m) and change the Label value to local.com.openssh.ssh-agent, so the copy does not share a name with the system job you are about to disable:
    <key>Label</key>
    <string>local.com.openssh.ssh-agent</string>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/bin/ssh-agent</string>
      <string>-l</string>
      <string>-t</string>
      <string>8h</string>
    </array>

    # apply the changes. These are per-user LaunchAgents, so run this as each user that will use ssh, not with sudo:
    $ launchctl unload -w /System/Library/LaunchAgents/com.openssh.ssh-agent.plist
    $ launchctl load /Library/LaunchAgents/local.com.openssh.ssh-agent.plist

    # check: the new label should be listed, and a key added with ssh-add should disappear from ssh-add -l once the lifetime has passed
    $ launchctl list | grep ssh-agent

  27. Reboot and log back in as the unprivileged user
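The ssh-agent step above is easy to get wrong by hand (a typo in the plist, a forgotten Label, a second -t added on a re-run). The following script is an added example, not code from the original post: it performs the same transformation with Python's plistlib, reading macOS's own /System/Library/LaunchAgents/com.openssh.ssh-agent.plist, appending -t with the requested lifetime, relabelling the copy and writing it to /Library/LaunchAgents. The SAMPLE_SYSTEM_PLIST is a constructed, trimmed stand-in for the real file so the transformation can be exercised on any machine; main() is the part that touches the real paths and is meant to be run with sudo on the Mac.

```python
"""Generate the timed-out ssh-agent LaunchAgent copy (added example)."""
import plistlib
import re
import sys

SYSTEM_PLIST = "/System/Library/LaunchAgents/com.openssh.ssh-agent.plist"
LOCAL_PLIST = "/Library/LaunchAgents/local.com.openssh.ssh-agent.plist"
LOCAL_LABEL = "local.com.openssh.ssh-agent"

# ssh-agent -t takes seconds or an sshd_config-style time such as 8h, 30m, 1h30m.
_LIFETIME_RE = re.compile(r"^(\d+[smhdw]?)+$", re.IGNORECASE)

# Constructed stand-in for the system plist (same shape, trimmed), so the
# transformation can be tried without a Mac.  Assumption: the real file has
# the same Label and ProgramArguments keys.
SAMPLE_SYSTEM_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.openssh.ssh-agent</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/ssh-agent</string><string>-l</string></array>
  <key>EnableTransactions</key><true/>
</dict>
</plist>
"""


def valid_lifetime(lifetime: str) -> bool:
    """True for values ssh-agent -t accepts (seconds or h/m/s/d/w units)."""
    return bool(_LIFETIME_RE.match(lifetime))


def add_agent_timeout(job: dict, lifetime: str = "8h", label: str = LOCAL_LABEL) -> dict:
    """Return a new job dict with '-t <lifetime>' appended to the ssh-agent
    arguments and a Label of its own.

    Idempotent: any existing -t pair is dropped before the new one is added,
    so re-running on the generated plist changes the lifetime instead of
    stacking flags.  The input dict is not modified.
    """
    if not valid_lifetime(lifetime):
        raise ValueError("bad lifetime %r" % lifetime)
    args = list(job.get("ProgramArguments", []))
    if not args or not args[0].endswith("/ssh-agent"):
        raise ValueError("not an ssh-agent job: %r" % args)
    kept, i = [args[0]], 1
    while i < len(args):
        if args[i] == "-t":
            i += 2          # skip the flag and its value
            continue
        kept.append(args[i])
        i += 1
    new_job = dict(job)
    new_job["ProgramArguments"] = kept + ["-t", lifetime]
    new_job["Label"] = label
    return new_job


def parse_job(data: bytes) -> dict:
    """Deserialize an XML or binary plist into a job dict."""
    return plistlib.loads(data)


def transform_plist(data: bytes, lifetime: str = "8h") -> bytes:
    """Apply add_agent_timeout to a serialized plist and re-serialize it."""
    return plistlib.dumps(add_agent_timeout(parse_job(data), lifetime))


def main() -> int:
    lifetime = sys.argv[1] if len(sys.argv) > 1 else "8h"
    with open(SYSTEM_PLIST, "rb") as f:
        new_plist = transform_plist(f.read(), lifetime)
    with open(LOCAL_PLIST, "wb") as f:   # needs sudo: /Library is root-owned
        f.write(new_plist)
    print("wrote %s (ssh-agent -t %s)" % (LOCAL_PLIST, lifetime))
    print("now run as each user that uses ssh (no sudo):")
    print("  launchctl unload -w " + SYSTEM_PLIST)
    print("  launchctl load " + LOCAL_PLIST)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `sudo python3 make_ssh_agent_plist.py 8h` (the file name is an assumption), then do the two launchctl commands it prints as the unprivileged user. Because the relabelled copy is the only job with that label, launchd cannot confuse it with the disabled system job, and re-running the script with a different lifetime simply rewrites the copy.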

Second boot (user)

  1. Go to System Preferences > Security & Privacy > Privacy > Contacts/Calendars/Reminders/Photos and remove any app that shouldn't have access to that data, if any

  2. Go to System Preferences > Security & Privacy > Privacy > Camera/Microphone and remove any app you don't want to have access to the camera or microphone, if any

  3. Go to System Preferences > Security & Privacy > Privacy > Full Disk Access and remove any app you don't want to have full-disk access, if any

  4. Go to System Preferences > Security & Privacy > Privacy > Advertising, check Limit Ad Tracking and click Reset Advertising Identifier

  5. Carefully assess and install a web browser. Regardless of your browser...

    • ...block third-party cookies
    • ...disable DNS prefetching
    • ...disable Flash support
    • ...install an ad blocker
    • ...enable Do Not Track
    • ...opt-out of telemetry
    • ...consider using a privacy-respecting search engine in lieu of Google
    • ...consider a whitelist approach to JavaScript execution

    Note: if using Safari, go to Safari > Preferences > Search and uncheck Include Safari Suggestions, and go to Safari > Preferences > General and uncheck Open "safe" files after downloading

  6. Consider tunneling your traffic through a VPN when connected to untrusted networks (see ThatOnePrivacyGuy's VPN comparison or roll your own)

  7. Consider using a privacy-respecting email service provider (see ThatOnePrivacyGuy's email comparison or roll your own)

  8. Consider setting up PGP/GPG encryption for email regardless of your email service provider

That's it?

No.

Again, you don't have a "100% secure system"; you are just a lot harder to screw with than most other people in the city.

Keep in mind that securing a system is not a one-time job: you must actively back up your data, patch your system, look out for new vulnerabilities... Some general best practices are:

  1. Keep your system up-to-date, both macOS and installed software

  2. Prevent unattended physical access to the device from anyone but yourself

  3. Encrypt sensitive data at rest and in transit

  4. Back up your data: keep multiple encrypted (of course) copies in different physical locations

  5. Keep your guard up, you are your system's last line of defense
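Settings drift: an OS upgrade, a helpful support technician or a stray `pmset` can silently undo the command-line hardening from the "First boot" section. The script below is an added example, not part of the original post; it re-audits those settings (the pmset sleep parameters, FileVault, Gatekeeper, the application firewall and its block-all option, and the captive portal flag) so you can run it after every update. Each check pairs a real macOS command with a pure evaluator over its text output, so the evaluators run anywhere on captured output while main() runs the live commands on a Mac. The sample outputs are constructed, not captured, and the wording the evaluators look for (for example "assessments enabled" from spctl) is from memory of these tools and is an assumption; adjust a needle if a check misfires on your macOS version.

```python
"""Re-audit the command-line hardening settings (added example).
Needle strings and sample outputs are assumptions, not captured output."""
import platform
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

Result = Tuple[bool, str]

# Values the pmset step sets.
EXPECTED_PMSET = {
    "destroyfvkeyonstandby": "1", "hibernatemode": "25", "powernap": "0",
    "standby": "0", "standbydelay": "0", "autopoweroff": "0",
}


def parse_pmset(text: str) -> Dict[str, str]:
    """Map `pmset -g` output to {setting: value}.  Setting lines are indented,
    section headers are not.  Names are lower-cased (pmset prints
    DestroyFVKeyOnStandby in mixed case) and split from the right so that
    multi-word names such as "Sleep On Power Button" survive."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if line[:1].isspace() and len(parts) == 2:
            settings[parts[0].strip().lower()] = parts[1]
    return settings


def check_pmset(text: str) -> Result:
    """Pass only when every expected pmset value is present and correct."""
    actual = parse_pmset(text)
    bad = ["%s=%s (want %s)" % (k, actual.get(k, "unset"), v)
           for k, v in EXPECTED_PMSET.items() if actual.get(k) != v]
    return (not bad, "ok" if not bad else ", ".join(bad))


def expect(needle: str, present: bool = True) -> Callable[[str], Result]:
    """Evaluator that passes when `needle` is (or, with present=False, is not)
    in the command output; the first output line is reported as detail."""
    def evaluate(text: str) -> Result:
        first = text.strip().splitlines()[0] if text.strip() else "no output"
        return ((needle in text) == present, first)
    return evaluate


FW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
CAPTIVE = "/Library/Preferences/SystemConfiguration/com.apple.captive.control"
CHECKS: List[Tuple[str, List[str], Callable[[str], Result]]] = [
    ("pmset sleep/FileVault key settings", ["pmset", "-g"], check_pmset),
    ("FileVault on", ["fdesetup", "status"], expect("FileVault is On")),
    ("Gatekeeper on", ["spctl", "--status"], expect("assessments enabled")),
    ("firewall on", [FW, "--getglobalstate"], expect("Firewall is enabled")),
    ("block all incoming", [FW, "--getblockall"], expect("DISABLED", present=False)),
    ("captive portal off", ["defaults", "read", CAPTIVE, "Active"], expect("0")),
]

# Constructed outputs of a correctly hardened Mac, keyed by command line.
SAMPLE_PMSET = """System-wide power settings:
 DestroyFVKeyOnStandby\t\t1
Currently in use:
 standby              0
 Sleep On Power Button 1
 powernap             0
 standbydelay         0
 hibernatemode        25
 autopoweroff         0
"""
SAMPLE_OUTPUTS = {
    ("pmset", "-g"): SAMPLE_PMSET,
    ("fdesetup", "status"): "FileVault is On.\n",
    ("spctl", "--status"): "assessments enabled\n",
    (FW, "--getglobalstate"): "Firewall is enabled. (State = 2)\n",
    (FW, "--getblockall"): "Firewall is set to block all non-essential incoming connections\n",
    ("defaults", "read", CAPTIVE, "Active"): "0\n",
}


def sample_runner(argv: List[str]) -> str:
    """Offline runner returning the constructed outputs above."""
    return SAMPLE_OUTPUTS[tuple(argv)]


def live_runner(argv: List[str]) -> str:
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr   # `defaults read` reports a missing key on stderr


def run_checks(runner: Callable[[List[str]], str] = live_runner) -> List[Tuple[str, bool, str]]:
    """Evaluate every check; a command that cannot be run counts as a failure."""
    results = []
    for name, argv, evaluate in CHECKS:
        try:
            ok, detail = evaluate(runner(argv))
        except (OSError, KeyError) as exc:
            ok, detail = False, "could not run %s: %r" % (argv[0], exc)
        results.append((name, ok, detail))
    return results


def main() -> int:
    if platform.system() != "Darwin":
        print("this audit only runs on macOS; use sample_runner for offline tests")
        return 2
    results = run_checks()
    for name, ok, detail in results:
        print("[%s] %s: %s" % ("PASS" if ok else "FAIL", name, detail))
    return 0 if all(ok for _, ok, _ in results) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The exit status is non-zero when anything fails, so the script can sit in a periodic launchd job or a pre-travel checklist. Extending it is a matter of adding a (name, argv, evaluator) tuple to CHECKS; keeping the evaluators pure is what makes the list testable against canned output before it is trusted on the real machine.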

Further reading

If you are interested in macOS security you may enjoy:

I'll try to keep this guide updated to keep up with modern threats and new macOS releases.