Introduction:
As part of our ongoing commitment to maintaining a strong security posture and protecting the privacy of our employees, customers and company data, we have prepared this guideline to assist you in securely using and deploying macOS systems. This document covers essential hardening measures that should be applied to all macOS installations.
General Security Best Practices
- Keep your software up to date:
  - Regularly check for and install system and application updates, as these often contain security patches.
  - Enable automatic updates where possible to ensure timely installation.
- Use strong, unique passwords:
  - Use a combination of uppercase and lowercase letters, numbers, and symbols.
  - Use a reputable password manager to store your passwords securely.
- Enable two-factor authentication (2FA):
  - Where available, enable 2FA for all accounts to add an additional layer of security.
- Limit administrative privileges:
  - Grant administrative privileges only to users who require them for their job function.
  - Regularly review and update administrative access.
- Educate employees on phishing and social engineering attacks:
  - Provide regular training to help employees identify and avoid falling victim to these types of attacks.
System Configuration and Hardening
- Enable FileVault 2:
  - Encrypt the entire system drive using FileVault 2 to protect data at rest.
  - Store the recovery key securely and separately from the device.
- Enable Firewall:
  - Use the built-in firewall to block all incoming connections, except those required for essential services.
  - Regularly review and update firewall rules.
- Disable unnecessary services and features:
  - Disable services such as remote login, file sharing, and Bluetooth if they are not required.
  - Remove any applications that are not needed for business purposes.
- Configure secure system settings:
  - Enable automatic screen lock after a period of inactivity.
  - Disable automatic login.
  - Enable Gatekeeper to only allow installation of trusted applications.
- Use endpoint protection software:
  - Install and regularly update reputable anti-malware software to protect against known threats.
- Monitor system logs:
  - Regularly review system logs for unusual activity or signs of compromise.
  - Enable centralized logging for better visibility and easier analysis.
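A read-only audit of several settings from this section (FileVault, firewall, Gatekeeper, remote login, automatic login), given as an added example that is not part of the original guideline. The helper names `check`, `check_autologin` and `audit` are hypothetical, and the output strings matched are an assumption based on what current macOS tools print; confirm them on the OS versions you manage.

```shell
#!/bin/sh
# Added example: read-only audit of hardening settings on a macOS host.
# Assumption: the status strings below match your macOS release.

# check NAME PATTERN OUTPUT: prints PASS/FAIL, returns 0 when OUTPUT matches.
check() {
    if printf '%s\n' "$3" | grep -Eq "$2"; then
        printf 'PASS  %s\n' "$1"; return 0
    fi
    printf 'FAIL  %s (got: %s)\n' "$1" "${3:-no output}"; return 1
}

# Automatic login is off when the autoLoginUser key is absent, so an
# empty value passes and any username fails.
check_autologin() {
    if [ -z "$1" ]; then printf 'PASS  Automatic login disabled\n'; return 0; fi
    printf 'FAIL  Automatic login enabled for %s\n' "$1"; return 1
}

audit() {
    fails=0
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    prefs=/Library/Preferences/com.apple.loginwindow
    check "FileVault enabled" '^FileVault is On' \
        "$(fdesetup status 2>&1)" || fails=$((fails + 1))
    # State 0 is off; 1 and 2 both mean the firewall is active.
    check "Firewall enabled" 'State = [12]' \
        "$("$fw" --getglobalstate 2>&1)" || fails=$((fails + 1))
    check "Gatekeeper enabled" '^assessments enabled' \
        "$(spctl --status 2>&1)" || fails=$((fails + 1))
    check "Remote login off" '^Remote Login: Off' \
        "$(systemsetup -getremotelogin 2>&1)" || fails=$((fails + 1))
    check_autologin "$(defaults read "$prefs" autoLoginUser 2>/dev/null)" \
        || fails=$((fails + 1))
    printf '%d check(s) failed\n' "$fails"
    [ "$fails" -eq 0 ]
}

# Run only on macOS; systemsetup needs root, so invoke the script with sudo.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

The script changes nothing on the host and exits non-zero when any check fails, so it can feed a compliance report or the centralized logging mentioned above.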
Network Security
- Use VPN for remote access:
  - Always use a secure, company-provided VPN when connecting to corporate resources from an untrusted network.
- Secure Wi-Fi connections:
  - Use WPA3 encryption and strong, unique passwords for all Wi-Fi networks.
  - Regularly update Wi-Fi access point firmware to ensure security vulnerabilities are patched.
- Segregate networks:
  - Separate sensitive systems and data from general access networks.
  - Implement network access controls to restrict unauthorized access.
Incident Response
- Establish an incident response plan:
  - Develop a clear plan for handling security incidents, including roles, responsibilities, and communication channels.
  - Regularly review and update the incident response plan.
- Conduct regular security assessments:
  - Perform regular security assessments to identify and remediate vulnerabilities.
By following these guidelines and maintaining a strong focus on security, we can minimize the risk of cyber threats and protect the privacy of our employees and company data. Always remain vigilant and report any suspicious activity or security concerns to the Information Security Team immediately.