BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Closing the Password Security Loophole on Mac OS X 10.7

Posted September 30, 2011    Peter McCalister

More and more Macs are cropping up in enterprise IT environments. Studies have shown as much as 94.7% growth in the “very large business” category. It’s no secret that Apple has been on a tear in the consumer markets, and the enterprise market is not far behind.

But what about the security concerns presented by Macs in the enterprise? A password security hole was discovered in Mac OS X 10.7 Lion where a user’s password can be changed without knowing the current password, and without restarting the system. This obviously opens up the system to insider threats–and presents a glaring compliance concern for organizations responsible to adhere to SOX and PCI regulations. When a user leaves his desk, anyone that knows this process could jump on the machine and change the password to anything they wish.

So what can IT administrators do to mitigate this loophole? Certainly Mac users want to and will use the latest version of Mac OS X that’s available. It’s an easy upgrade from the App store. So keeping users on Snow Leopard or earlier versions of OS X isn’t an option. Here are two simple solutions.

1. Don’t have users login with their local accounts. Instead, require that user authentication is done using Microsoft Active Directory, where users login using a centrally-managed account. This in itself is a prime solution to the security loophole, as the loophole only affects local accounts. A free and easy tool for AD authentication on Macs is Powerbroker Identity Services – Open Edition. This tool installs in < 5 minutes and will have users logging in with their AD credentials.
2. Set a screensaver lock to come on the system after a designated amount of time. It’s a common best practice to lock your machine when you leave your desk–but let’s be honest–how many of us really do this? IT administrators usually set screensaver locks to come on after 10-15 minutes using group policy through Active Directory on their Windows machines. Using PowerBroker Identity Services – Enterprise Edition allows IT admins to extend those same group policies to Mac OS X, Linux, and UNIX machines.

The growth of Macs in the enterprise is an exciting prospect. From an IT standpoint, make sure that you’re ready for the influx by having the tools on hand to manage them properly and keep insider threats to a minimum.

Leave a Reply

Additional articles

pbps-customer-campaign-image

Are you changing your passwords as often as the weather changes?

Posted April 20, 2015    Scott Lang

There is one thing that should change more frequently than the weather: Your privileged passwords. Why? If you’re like more than 25% of companies out there, then your current IT environment contains unmanaged accounts putting you at risk of data breaches and compliance violations, and you don’t have a process to control those accounts.

Tags:
, , , ,
webinar1

On Demand Webinar: Advanced Windows Tracing

Posted April 17, 2015    BeyondTrust Software

Webinar: Security MVP, Paula Januszkiewicz, shows Windows administrators how to be more aware of what happens whenever somebody does something within the system.

Tags:
, ,
5

The Delicate Art of Remote Checks – A Glance Into MS15-034

Posted April 15, 2015    Bill Finlayson

Remote vulnerability detection – using ms15-034 as an example.

Tags:
, ,