Basic Security
Computing for many is a necessary evil, and for others can be a pleasure.
Whatever side of the fence you fall on, it’s only prudent
to follow some basic safety & security precautions. I
won’t say that I am a security expert, as I’m far from it
and even I do things that some security experts would balk
at – such as the fact that I don’t run anti-virus software
– but I do try to follow some simple guidelines to keep my
computer safe from inside & outside forces.
Passwords and you
Each account that is created has to have a unique password assigned to
it. Keeping this password between you and you is
preferable. Your password needs to be secure, but you need
to be able to remember it, too. Don’t go for the obvious
ones, such as birthdays or grandkids. Think of something
that is easy to remember yet difficult to guess. Keeping
your password safe ensures that your information belongs
solely to you. We’ve all played the old game “Telephone”
before. Passwords are like that game. Just because you give
your password to ONLY your wife to print that one document
she wanted to print, doesn’t mean that she’s the only one
that will know it. Somewhere along the line, she’ll give
it to someone else so that they can print the document too,
then the next thing you know, Earl from down the street has
your password and wants to log on to check your email. It
happens just about that way, so make sure you are not
falling victim!
CREATING A NEW PASSWORD
If for whatever reason your password becomes suspect, you can change it
freely. Simply go to the System Preferences (as described here) and
navigate to “Accounts.” Select your account & go to “Change Password.”
Do this as often as necessary, but I do recommend trying to make it
necessary as rarely as possible; don’t share your password!
Your Computer, your Accounts
Many people find that they’re the only one that uses their computer; for
them, the term “Personal Computer” couldn’t be more
precise. However, just because you’re the only one on the
computer doesn’t mean that there’s no need for multiple
accounts.
By default, the first account you make is an Administrator
Account, which has certain privileges that average Joes
don’t need and would be safer to avoid on a day-to-day
basis. Let’s look at why having two accounts on a
single-user computer isn’t a half-bad idea.
ADMIN ACCOUNTS
The
Administrator is assumed by the computer to be the “smart
one,” the one that knows the computer best and has an idea
of what could be potentially hazardous and what is mundane.
Since this person would obviously know not to trash the
whole OS folder unless they had good reason, the system
won’t bother to stop them from doing so. In fact, it won’t
stop them from doing a lot of things that would cause
irreparable harm to the system.
The system assumes that the Admin has a good grasp of what
programs could be malicious and which are safe to run. For
this reason, only the Admin user can add & remove
programs from the Applications Folder. This is a
safety measure for a number of reasons. Let’s say for example that
you have a computer with 3 users. There’s you, your
friend John, who is trustworthy, and your roommate Josh, who
is a little click-happy and on occasion gets carried away
trying new things without first checking to see if they’re
safe. Well, if Josh were on a Non-Admin account, if he were
to download a malicious program from the internet that he
heard about through a strange email and wanted to try, he
would be unable to put it in the Applications Folder. He
could download it, he could even run it, but it would be
confined to his own user folder, and thus any damage done
would not spread to your or your friend John’s files &
folders.
But who’s to say that you know for sure what files are safe
to manipulate and which are not? What if you don’t want to
take that chance? Or, what if you simply would like a layer
of warning before the system completes an action that you
may have accidentally invoked that would be damaging, say,
like throwing your whole System OS folder into the trash?
Wouldn’t it be nice if while you were swatting that fly that
kept tickling your ear and you accidentally dragged it to
the trash can, the system would instead ask that you OK the
maneuver & get the Administrator’s permission before
proceeding?
The beauty of the Admin account is that no one has to
actively be the admin user every time they log in. You can
create an Admin User and leave it for the most part unused,
logging in and providing the password on the rare occasions
you really do need some of the added privileges provided to
that account. This is why, even on a one-user computer,
there should still be at least two accounts: one admin
account, and one day-to-day account.
But you’re on an Admin account now you say, right? You
don’t want to lose all the preferences & other fine
things you’ve saved up over this time and try to copy all
that over to a new account? You don’t have to; you can
easily create a new account and make that account the admin
account, and drop the status of your personal account to
“non-admin” status. Here’s how:
CREATING A NEW ADMIN ACCOUNT
- Open System Preferences and navigate to Accounts.
- Click the “+” symbol to add a new account (if it’s greyed out, click the lock icon first and enter your password to unlock the system preference).
- Name the new account anything you like, perhaps something like ‘My Admin’.
- Under the Password Tab, click “Allow user to Administer this computer.”
- Now select your account from the list, and in the same Password Tab, deselect the administration option.
- Done.
This is also the tab you’d access to create other accounts for other users of the machine.
BENEFITS & ANNOYANCES OF USING A NON-ADMIN ACCOUNT
Now that you’re on a non-admin account, some things will be different. For instance, you can no longer add and delete programs from the aforementioned Applications Folder willy-nilly. Now when you try, a dialog box will come up, asking you to enter the Admin User’s “Short Name” and password to complete the operation. This is a great safety net! If you ever accidentally try to trash something or modify something that you were unaware would cause irreparable harm, you now have an added level of security – from yourself! The system will alert you by bringing up the dialog box every time you try to perform such an operation, as it’s basically been instructed that this user is only allowed to perform operations that have no bearing on the actual running of the system; you can use the system, you just can’t modify it.
But what if you do need to modify it? What if you do need to trash an application or add a new one? Well, then it’s a minor annoyance. You’ll have to OK the operation by either entering the Admin User information when prompted, or simply log in to the Admin Account to do the specified action. For instance, certain maintenance tools (such as Disk Utility) and commands (such as periodic maintenance tasks) will not run from the non-admin accounts. So on the occasion you need to use these tools – if ever – simply log in to the account by clicking on the Apple in the upper-left corner & selecting “Log Out…” to be taken back to the login screen, where you can select the Admin Account.
The “Security” tab of System Preferences
If there is more than one user on a computer, there are some options within the Security Tab of the system preferences that need addressing. First on the list is the option to “Require password to wake this computer from sleep or screen saver.” Check this box. This makes it so that if you leave your computer long enough for it to go to sleep or the screen saver comes on, it will not allow access to anyone that stops by and takes a look; only you with your password will be able to get back on.
The checkbox underneath that one is also important, and probably more so. What good would it be trying to keep people from seeing your stuff by requiring a password to deactivate the screen saver if they could just turn the computer off and on again and have free access? Make sure you check the option to “Disable automatic login.” This is a must. It forces whoever sits down and turns the computer on to choose an account to sign into, and then enter the appropriate password (which, as we learned above, only you should know).
The following preference may not need to be enabled depending on your level of paranoia, but it’s a good idea to have it checked if there’s a chance that your computer would be left on and people might walk by and sit down at it. “Require password to unlock each secure system preference” prevents anyone with physical access to your machine, who may even be on your login by some freak accident (such as you left for coffee and forgot to log out), from changing secure parameters of your system, such as your all-important password! You remember that lock icon that I referenced earlier? I also mentioned it here. Basically, that lock signals whether or not a preference pane can be modified. If it’s in the “Locked” position, you have to enter the admin name & password to access it. Great for those times when you go to the bathroom and some pals want to play a practical joke on you and attempt to change your settings. Joke’s on them, right?!
You may also want to set up your system to log out of whatever account is active by selecting “Log out after xx minutes of inactivity.” While not necessary, especially if you have a screensaver set to activate anyway, it is a good way to keep others who may casually pass by from having unrestricted access to your machine. It will force the computer to log out and return to the main login screen after the time you set.
Basic Security Concepts: User Folders
You can quickly verify this by trying to access another user’s folder through the Finder. Once you navigate there, you’ll see that each folder – with the exception of the “Public” and “Drop-Box” folders, for obvious reasons – has a “Do Not Enter” symbol in the lower-right corner, letting you know that you don’t have access:

And if you attempt to click on it, this is all you’ll see:
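The Finder badge marks folders your account has no permission to open, and the same information can be read from the Terminal. The shell script below is an added example, not part of the original article; the function names and the sample folder tree (with its 700/755/733 modes) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report what *other* local
# users may do with each folder directly inside a home directory.

# classify_dir DIR -> private | readable | drop-only
classify_dir() {
    # ls -ld prints e.g. "drwx------ 2 owner group ..."; field 1 is the mode.
    mode=$(ls -ld "$1" | awk '{print $1}')
    # Characters 8-10 of the mode are the bits granted to "other" users.
    other=$(printf '%s' "$mode" | cut -c8-10)
    case "$other" in
        ---)     echo "private" ;;    # no access: the "Do Not Enter" case
        r?x|r?t) echo "readable" ;;   # others can enter and list the folder
        -wx|-wt) echo "drop-only" ;;  # others can add files but not list them
        *)       echo "other:$other" ;;
    esac
}

# audit_home DIR -> one "classification<TAB>folder" line per subfolder
audit_home() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        printf '%s\t%s\n' "$(classify_dir "$d")" "${d##*/}"
    done
}

# Constructed sample tree; the modes are chosen for this example.
make_sample_home() {
    home=$(mktemp -d)
    mkdir "$home/Documents" "$home/Pictures" "$home/Public" "$home/Public/Drop Box"
    chmod 700 "$home/Documents" "$home/Pictures"
    chmod 755 "$home/Public"
    chmod 733 "$home/Public/Drop Box"
    echo "$home"
}

sample=$(make_sample_home)
audit_home "$sample"
audit_home "$sample/Public"
rm -rf "$sample"
```

On a real machine, point `audit_home` at a user's home folder instead of the sample tree; anything reported as `readable` that you did not intend to share is worth a second look.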

End
Setting up the basic security is the hard part; however, it still only
takes a few minutes. The benefits far outweigh the
potential costs in the end, though. Once it’s set up,
there’s really nothing else to worry about, outside of the
occasional need to enter the Admin name & password.
A lot of the benefits of the modern computer are rendered
useless without at least some of the mentioned precautions
being taken. And there are other great ways you can put these
tools to use for you. Create a “guest” account with a
simple password that you can give out (like ‘guest’), then
anyone that needs to use your computer can do so without
you having to worry whether or not they’ll change any
settings – your settings are safely locked to your account
and free from potential change.
