Hardening macOS

Published Sep 29, 2018 by Ricard Bejarano

The easy stuff

Everyone can do these, no technical knowledge required.

1. Install a fresh copy of macOS
   Why? It’s best to start clean, to avoid previous misconfiguration.
   How? Follow this Apple Support guide (Intel-based, Apple silicon).

2. Perform the inital configuration until you can use the system.

3. Enable automatic software updates
   Why? So that your system has the latest software patches installed.
   How? Go to System Settings > General > Software Update > Automatic updates, check all.

4. Enable lock screen after inactivity
   Why? To prevent unauthorized access.
   How? Go to System Settings > Lock Screen, set “Turn display off when inactive” to 20 minutes or less, and “Require password after screen saver begins or display is turned off” to after 5 seconds or less.

5. Forbid unsigned software
   Why? To prevent potentially malicious software from running.
   How? Go to System Settings > Privacy & Security > Security, set “Allow applications downloaded from App Store and identified developers” at most.

6. Enable disk encryption
   Why? To prevent unauthorized access to your data.
   How? Go to System Settings > Privacy & Security > Security > FileVault, if disabled, click “Turn On…” and follow the procedure.

7. Enable the inbound network firewall
   Why? To reduce exposure to network-based attacks.
   How? Go to System Settings > Network > Firewall, enable it and consider “Block all incoming connections”, though it could degrade user experience.

8. Disable guest user access
   Why? To prevent unauthorized access.
   How? Go to System Settings > Users & Groups > Guest User, uncheck all.

9. Disable network services
   Why? To reduce exposure to network-based attacks.
   How? Go to System Settings > General > Sharing, uncheck all unused services.

10. Disable unnecessary application access
    Why? To limit the potential impact of malicious software.
    How? Go to System Settings > Privacy & Security > Privacy > Camera, uncheck all unnecessary access. Repeat this for all other privileges.

11. Prevent Safari from opening downloads automatically
    Why? So that you know what you’re double-clicking on.
    How? Go to Safari > Settings > General, disable “Open ‘safe’ files after downloading”.

12. Show all filename extensions
    Why? So that you know what you’re double-clicking on.
    How? Go to Finder > Settings > Advanced, check “Show all filename extensions”.

13. Disable radios when unused
    Why? To reduce the exposure to wireless-based attacks.
    How? When unused, disable Wi-Fi and/or Bluetooth.

14. Use a password manager
    Why? To avoid reusing passwords and to facilitate two-factor authentication.
    How? Choose one that suits your needs. I like 1Password.

The advanced stuff

For the security enthusiast, who wants to go the extra mile.

15. Perform your daily tasks with a non-admin user
    Why? By default, the user created during installation has admin privileges. This significantly exacerbates the impact if compromised.
    How? Create a non-admin user account and use it when you don’t need admin privileges. This is considered advanced as it’s considerably inconvenient.

16. Reconsider the risks of browser extensions
    Why? Browser extensions such as adblockers or grammar checkers require full read-write access to everything you do on the web. Yes, this includes your passwords. This is not malicious per se, but is the reward worth the risk?
    How? Go through your browser’s installed extensions and assess their value to you, and whether the risk trade-off is worth it or not. I like to have them installed but only allow them access to certain websites or on demand.

17. Run an outbound network firewall
    Why? For visibility and control about the traffic leaving your system.
    How? Install Little Snitch (paid) or LuLu (open-source).

18. Block malicious domain names
    Why? To mitigate potential DNS poisoning.
    How? Install StevenBlack’s /etc/hosts file (or my own).

19. Enable Terminal secure keyboard entry
    Why? To prevent other apps from snooping on what you type.
    How? Go to Terminal.app > Menu bar > Terminal, click “Secure Keyboard Entry”.

20. Enable binary allowlisting
    Why? To completely prevent unauthorized software from running.
    How? Install and configure Google’s Santa.

The serious stuff

Security specialists surely know more about macOS security than me, so I won’t make any specific recommendations.

I will instead refer you to trusted authorities on the subject:

• Apple macOS User Guide

• Apple Platform Security documentation

• CIS Benchmarks for macOS

• drduh’s macOS Security and Privacy Guide

That’s it?

No.

Security is an ongoing task. You must actively look out for newly discovered vulnerabilities and educate yourself on how to protect yourself from them.

Some generic (but useful) rules are:

• Keep your software up-to-date.

• Prevent unattended physical access to your devices.

• Don’t reuse passwords and enable two-factor authentication.

• Back your data up regularly.

• Stay vigilant. Most attacks these days don’t target the system, they target the user: they target you.

Be safe!