The purpose of this guide is to provide an overview of Mac OS X v10.3.x “Panther” operating system security and recommendations for configuring the security features. This guide provides recommended settings to secure systems using this operating system, and points out problems that could cause security concerns in systems using this operating system.
This document consists of six chapters and two appendices:
Chapter 1, “Scope of Guidance,” contains an overview of the type of system for which this guidance is intended.
Chapter 2, “Introduction to Mac OS X Security,” contains a brief overview of some of the key security features found in the Mac OS X operating system.
Chapter 3, “Initial Installation,” contains step-by-step guidance for installing a new Mac OS X system.
Chapter 4, “Configuring System Settings,” contains information on how to securely configure a Mac OS X system once it has been installed.
Chapter 5, “Configuring User Accounts,” contains guidance on how to create new user accounts, how to give an account administrative access, how to limit account capabilities, how to configure each type of account to make it secure, and information that should be passed on to users about using their accounts securely.
Chapter 6, “Future Guidance,” contains information about topics that were not covered in this guidance, but which are slated for future guidance.
Appendix A, “Encrypting Files and Folders,” gives instructions on two additional ways to encrypt files under Mac OS X that may provide additional security for information that is to be transferred via removable media (e.g. CD) or network.
Appendix B, “References,” contains a list of resources used in creating this guide. Many of these resources are valuable sources of additional information about Mac OS X in general, including many features not discussed in this guidance.
Appendix C, “Additional Resources,” contains a list of references that, though not used in preparation of this guide, may be of interest to the reader.
Guidance in this document is geared towards a locally-administered Mac OS X v10.3.x system. Guidance contained here may not be applicable to Mac OS X Server or to a Mac OS X network.
Some instructions within this guidance are complex, and deviation could result in serious adverse effects on the system and its security. Modification of these instructions should only be performed by experienced Mac OS X administrators, and followed by thorough testing.
This document is intended for anyone managing a locally-administered Apple Mac OS X v10.3.x system. It is assumed that anyone using this guidance will have some experience using Mac OS X and understands the basics of the Mac OS X user interface.
- Specialized Security-Limited Functionality (SSLF)
The security configuration guide has been extensively tested with Mac OS X v10.3.3 with Mac OS Update 10.3.4 and security updates Security Update 2004-05-24 and Security Update 2004-06-07 in a lab environment and operational environment.
Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment.
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment.
Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.
The security changes described in this document only apply to Apple Mac OS X v. 10.3.x “Panther” and should not be applied to any other Mac OS versions or operating systems.
Unless expressly stated otherwise to comply with license requirements or copyrights owned by others, information presented on NSA.gov is considered public information and may be distributed or copied. Use of appropriate byline/phone/image credit is requested. In accordance with 50 USC 402, no one may use without permission from NSA/CSS the words 'National Security Agency', the initials, or seal of the National Security Agency in connection with any commercial activity or in a manner intended to convey the impression that such use is approved, endorsed, or authorized by the National Security Agency.
Version 1.1 - 2004-10-15
Updated status to Archive - 10/24/18
NIST checklist record last modified on 10/24/2018