Out-of-Box Setup
Basic Configuration and Best Practices
University at Buffalo
Tuesday, August 09, 2011
Security and Best Practices
• The Mac OS X application firewall is turned *off* out of the box. It
can be turned on from Preferences->Security->Firewall.
• For added security, click Advanced and “Enable stealth mode”.
This will do things like disable ICMP responses.
• Mac OS X also ships with a packet filter firewall. This can be
configured through the command line interface or through third
party tools.
• http://www.hanynet.com/waterroof/
• http://www.obdev.at/products/index.html
Security and Best Practices
• Other useful settings in the Security tab include:
• Screen saver passwords
• Auto logout
• Secure virtual memory
• File system encryption with FileVault
Security and Best Practices
• Install an Antivirus program and set it to update and scan on a
scheduled basis.
• UB offers Symantec EndPoint Protection (free of charge) at
http://ubit.buffalo.edu/software/mac/antivirus/.
• The EIS page usually hosts a more up-to-date version, available
to IT staff members: http://eis.buffalo.edu/download/secure/
• Can be managed through central SEP.
Security and Best Practices
• Verify automatic updates. Mac OS X, like any other OS, receives
regular patches. Out of the box, Mac OS X is set up to check
weekly for updates, which should be sufficient.
• Preferences->Software Update.
• The update interval can be changed if you wish.
• Some third party applications must be updated manually.
Security and Best Practices
• Disable the Guest Account.
• Preferences->Accounts.
• Select the Guest Account from the list of accounts and ensure
that “Allow guests to log in to this computer” and “Allow
guests to connect to shared folders” are unchecked.
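The firewall, stealth mode and guest login settings from the slides above can also be checked from Terminal. This script is an added example, not part of the original slides; it assumes the `globalstate` and `stealthenabled` keys in `/Library/Preferences/com.apple.alf` and the `GuestEnabled` key in `/Library/Preferences/com.apple.loginwindow`, which should be confirmed on the OS release in use.

```shell
#!/bin/sh
# Added example: audit settings the slides recommend changing out of the box.
# Assumption: preference domains and keys below match the OS release in use.
ALF=/Library/Preferences/com.apple.alf
LOGIN=/Library/Preferences/com.apple.loginwindow

# Print a preference value, or "unset" if the key or the defaults tool is missing.
read_pref() {
  defaults read "$1" "$2" 2>/dev/null || echo unset
}

# $1 = globalstate: 0 = off, 1 = on, 2 = on and blocking all incoming connections.
check_firewall() {
  case "$1" in
    1|2) echo "PASS application firewall is on (globalstate=$1)" ;;
    0)   echo "FAIL application firewall is off (out-of-box default)" ;;
    *)   echo "WARN application firewall state unknown ($1)" ;;
  esac
}

# $1 = label, $2 = observed value, $3 = wanted value (0 or 1).
check_flag() {
  if [ "$2" = "$3" ]; then
    echo "PASS $1 = $2"
  elif [ "$2" = unset ]; then
    echo "WARN $1 not set or unreadable"
  else
    echo "FAIL $1 = $2 (want $3)"
  fi
}

# $1 = globalstate, $2 = stealthenabled, $3 = GuestEnabled.
audit() {
  check_firewall "$1"
  check_flag "stealth mode" "$2" 1
  check_flag "guest login" "$3" 0
}

# Only query live settings where the macOS defaults tool exists.
if command -v defaults >/dev/null 2>&1; then
  audit "$(read_pref "$ALF" globalstate)" \
        "$(read_pref "$ALF" stealthenabled)" \
        "$(read_pref "$LOGIN" GuestEnabled)"
fi
```

A WARN line means the value could not be read, so confirm that setting in System Preferences instead.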
Security and Best Practices
• Securing Safari
• From Safari -> Preferences
• General
• Be sure the “Open ‘safe’ files after downloading” option is
deselected.
• Remove download list items automatically.
• Disable all AutoFill options.
• Security
• Disable the Java and plug-ins web content options.
• Make sure the “Ask before sending a non-secure form to a
secure website” option is enabled.
• Privacy
• Block cookies from third parties and advertisers.
Backups
• Time Machine
• Located in System Preferences -> Time Machine
• This can be used to schedule nightly backups of files and will
store an entire image of your machine.
• Restoring files and folders is done using “Spotlight”.
• Like any backup software it is important to back your data up to
an external location such as a USB, Firewire or Time Capsule
device.
Backups
• iCloud
• iCloud is Apple's new cloud service, which stores music, photos,
apps, calendars, and documents and wirelessly pushes them to
devices.
• iCloud will integrate with apps, so everything happens
automatically. iCloud will be free for iOS 5 and OS X Lion users.
• UBFS
• UBFS space is a file storage location that can be accessed from
different platforms. This can be thought of as stable and
secured storage, co-located and backed up nightly.
• UBFS space uses the same space as the cybrary labs so you can
move files to your S: drive.
• See: http://ubit.buffalo.edu/ubfs/
Backups
• UBFS (Cont'd)
• WebDAV
• From the Finder menu you can go to: Go->Connect to Server.
• In the Server field enter https://ubfs-mac.buffalo.edu/ubfs/myfiles/j/d/jdoe
• Authenticate with active directory credentials such as
“ad\UBITName”.
Backups
• UBFS (Cont'd)
• Third-party applications such as “Fetch” or “Cyberduck” are available
from:
• http://ubit.buffalo.edu/software/mac/index.php
• You should be connecting the programs to:
• Server: ubunix.buffalo.edu
• Login: your UBIT name
• Password: UBIT password
• Port 22 (if needed)
• If off campus, use the UBVPN client
Accounts
• Account tasks can be handled from System Preferences ->
Accounts.
• Accounts can be added by clicking the '+' button.
• When adding a new user, exercise caution when creating the
“Account name” (AKA the short name). This will be the
primary ID and is difficult to change. As a best practice you
may want to keep all short names consistent with UBIT names.
• The account type (Administrator vs. Standard) is specified in the
“New Account” field.
• Selecting the “Group” type will create a new user group.
• Accounts can also be added using the FreeBSD-style
/etc/passwd mechanisms.
Accounts
• Use the “Login Items” tab to add items that will be launched upon
user login.
• This is a good way to mount file shares automatically.
• The “Login Options” section provides:
• A way to turn automatic logins off (recommended).
• A way to change the login window from a user list to a login
field (may be preferable in a lab or kiosk setting).
• A way to enable or disable fast user switching.
• A way to attach to a Network Account service such as Active Directory or
Open Directory.
• Click the “Join” button and then enter the name of your server or
domain.
Accounts
• Mac OS X AD integration will allow:
• Authentication against central AD accounts (single sign on).
• All password policies are enforced.
• Mapping of home directories (not profiles) for faculty and staff
account objects.
• Mac OS X AD integration does not provide client management
options similar to GPOs in Windows.*
• Use the Directory Utility to adjust advanced features such as:
• Home directory settings
• Shell settings
• AD attribute mappings
• Authentication options
• Administrative options
• System Preferences->Accounts->Login Options->Edit
Applications to Install
• An exhaustive list of applications to install will vary greatly from one
department to the next. But here is a good start:
• Antivirus software; UB provides SEP
• http://ubit.buffalo.edu/software/mac/antivirus/
• An SFTP program such as Cyberduck or Fetch
• http://ubit.buffalo.edu/software/mac/cyberduck.php
• http://ubit.buffalo.edu/software/mac/fetch/
• Browser video plugins such as Flip4Mac and Silverlight
• http://www.telestream.net/flip4mac-wmv/overview.htm
• http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx
• http://get.adobe.com/flashplayer/
Applications to Install
• Microsoft Office 2011
• http://ubit.buffalo.edu/software/mac/office2011.php
• An alternate email reader such as Thunderbird or Outlook
• http://www.mozilla.org/en-US/thunderbird/
• Virtualization software to run Windows apps
• http://www.virtualbox.org/ -- free
• http://www.parallels.com/
• http://www.vmware.com/products/fusion/overview.html
• PDF software. Mac OS X can view and generate PDFs out of the box.
• http://get.adobe.com/reader
• VPN software to connect securely to on-campus resources.
• http://ubit.buffalo.edu/software/mac/vpn/
• Only needed for off-campus or laptop devices.
Applications to Install
• Remote connection software
• VNC and SSH software is installed out of the box
• SSH is accessible through Terminal
• VNC is accessible from Finder -> Go -> Connect to Server
• Windows Remote Desktop
• http://www.microsoft.com/mac/downloads?pid=Mactopia_RDC&fid=68346E0D-44D3-4065-99BB-B664B27EE1F0#viewer
• Apple Remote Desktop
• http://www.apple.com/remotedesktop/
• An alternate web browser such as Firefox or Chrome
• http://www.mozilla.com/en-US/firefox/new/
• http://www.google.com/chrome/
• http://www.opera.com/
Remote Management Tools
• Remote Management tools can be accessed from Preferences
-> Sharing
• Remote Login will enable the SSH protocol
• Remote Management will enable VNC connections and
management from Apple Remote Desktop
Printers
• Printer functionality supported by Mac OS X includes:
• Local printers connected via USB
• Nearby networked printers shared through Bonjour
• IP networked printers
• IPP
• LPD
• HP Jet Direct
• Printer shares through print servers
• Common Unix Printing System (CUPS)
• Windows printer shares (CIFS)
• Apple's Software Update will automatically provide you
with third-party printer software and updates.
Basic Networking
• Basic Networking settings can be found in: Preferences -> Network.
• Like any other OS, connections can be configured manually or
with DHCP supplying some (or all) parameters.
• If DHCP is providing you an address starting with “169…”,
there may be some type of problem with DHCP
communication.
• Airport connections can be turned on or off.
• Set the service order to: Ethernet, Airport, Firewire, Bluetooth
• When using your wireless Airport connection on campus,
UB_Secure is the preferred wireless network to use as it
encrypts data being transmitted.
• http://ubit.buffalo.edu/ubwireless/mac-ubsecure.php
Bluetooth
• If not needed, turn Bluetooth off.
• Deselect “On” and “Discoverable”.
Accessing File and Network Shares
• File and Network Shares can be provided in the following ways:
• Automatically
• Supplied by a directory service
• Supplied as a login item
• Manually
• From the Finder menu you can go to: “Go->Connect to Server”.
• Addresses are entered in the form of <protocol>://<fully qualified domain name>/<folder location>
• Protocols include:
• smb:// -- used to attach to Windows shares
• nfs:// -- used to attach to Unix or Linux shares
• vnc:// -- although technically not a share, this will bring
you into a VNC screen sharing session.
• https:// -- used to attach to WebDAV shares
Accessing File and Network Shares
• File and Network Shares (Cont'd)
• Example:
• Note in this example that the share being connected to needs
additional user authentication information.
• When connecting to a share on a UBAD server, user credentials
must be prefixed with “ad\” or “itorg\”.
• Once a share is mounted, it can then be added as a login item.
References
• Firewall:
• http://docs.info.apple.com/article.html?path=Mac/10.6/en/8154.html
• Printing:
• http://support.apple.com/kb/ht3771
• Updates:
• http://support.apple.com/kb/HT1338?viewlocale=en_US
• Safari:
• http://www.us-cert.gov/reading_room/securing_browser/#Safari
• http://www.brighthub.com/computing/mac-platform/articles/2952.aspx
• Time Machine:
• http://support.apple.com/kb/HT1427
• iCloud (Fall 2011):
• http://www.apple.com/icloud/what-is.html
• UBFS:
• http://ubit.buffalo.edu/ubfs/
• UB Mac OS X Software:
• http://ubit.buffalo.edu/software/mac/index.php
• UBSecure Setup:
• http://ubit.buffalo.edu/ubwireless/mac-ubsecure.php