BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Closing the Password Security Loophole on Mac OS X 10.7

Post by Peter McCalister September 30, 2011

More and more Macs are cropping up in enterprise IT environments. Studies have shown as much as 94.7% growth in the “very large business” category. It’s no secret that Apple has been on a tear in the consumer markets, and the enterprise market is not far behind.

But what about the security concerns presented by Macs in the enterprise? A password security hole was discovered in Mac OS X 10.7 Lion where a user’s password can be changed without knowing the current password, and without restarting the system. This obviously opens up the system to insider threats–and presents a glaring compliance concern for organizations responsible to adhere to SOX and PCI regulations. When a user leaves his desk, anyone that knows this process could jump on the machine and change the password to anything they wish.

So what can IT administrators do to mitigate this loophole? Certainly Mac users want to and will use the latest version of Mac OS X that’s available. It’s an easy upgrade from the App store. So keeping users on Snow Leopard or earlier versions of OS X isn’t an option. Here are two simple solutions.

1. Don’t have users login with their local accounts. Instead, require that user authentication is done using Microsoft Active Directory, where users login using a centrally-managed account. This in itself is a prime solution to the security loophole, as the loophole only affects local accounts. A free and easy tool for AD authentication on Macs is Powerbroker Identity Services – Open Edition. This tool installs in < 5 minutes and will have users logging in with their AD credentials.
2. Set a screensaver lock to come on the system after a designated amount of time. It’s a common best practice to lock your machine when you leave your desk–but let’s be honest–how many of us really do this? IT administrators usually set screensaver locks to come on after 10-15 minutes using group policy through Active Directory on their Windows machines. Using PowerBroker Identity Services – Enterprise Edition allows IT admins to extend those same group policies to Mac OS X, Linux, and UNIX machines.

The growth of Macs in the enterprise is an exciting prospect. From an IT standpoint, make sure that you’re ready for the influx by having the tools on hand to manage them properly and keep insider threats to a minimum.

Leave a Reply

Additional articles

April VEF Participant Wins a Apple iPad mini

Every month we host our Vulnerability Expert Forum (VEF) webinar. This is a time where our experts share valuable insight regarding new vulnerabilities that are discovered and the actions that need to be taken as a result. It’s a quick way to get up to speed on current potential risks to your organization and a way to…

Post by Qui Cao April 24, 2014
smart rules manager for vulnerabilities - v2

A New Way of Looking at Vulnerabilities in Your Environment

Assets, users, vulnerabilities and exploits; all are common themes in my posts on BeyondInsight. With BeyondInsight v5.1, we unveiled a new way to view exploitable assets. Sure, most vulnerability management solutions link vulnerability data to exploit information, allowing tools like NeXpose and QualysGuard to list an asset, its vulnerabilities, and any related exploits. BeyondInsight does…

Post by Morey Haber April 23, 2014
Tags:
, , , , ,
smart rules manager for vulnerabilities

Staying on Top of the Latest Vulnerabilities with BeyondInsight v5.1

It’s no secret that dozens of new OS and application vulnerabilities are revealed every day. Staying on top of these new exposures normally requires paying for services or subscribing to multiple RSS feeds. BeyondInsight 5.1 provides customers with another option: a built-in, customizable vulnerability alerting system that delivers up-to-date information on the latest vulnerabilities in…

Post by Morey Haber April 21, 2014
Tags:
, , , , , ,