BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Closing the Password Security Loophole on Mac OS X 10.7

Posted September 30, 2011    Peter McCalister

More and more Macs are cropping up in enterprise IT environments. Studies have shown as much as 94.7% growth in the “very large business” category. It’s no secret that Apple has been on a tear in the consumer markets, and the enterprise market is not far behind.

But what about the security concerns presented by Macs in the enterprise? A password security hole was discovered in Mac OS X 10.7 Lion where a user’s password can be changed without knowing the current password, and without restarting the system. This obviously opens up the system to insider threats–and presents a glaring compliance concern for organizations responsible to adhere to SOX and PCI regulations. When a user leaves his desk, anyone that knows this process could jump on the machine and change the password to anything they wish.

So what can IT administrators do to mitigate this loophole? Certainly Mac users want to and will use the latest version of Mac OS X that’s available. It’s an easy upgrade from the App store. So keeping users on Snow Leopard or earlier versions of OS X isn’t an option. Here are two simple solutions.

1. Don’t have users login with their local accounts. Instead, require that user authentication is done using Microsoft Active Directory, where users login using a centrally-managed account. This in itself is a prime solution to the security loophole, as the loophole only affects local accounts. A free and easy tool for AD authentication on Macs is Powerbroker Identity Services – Open Edition. This tool installs in < 5 minutes and will have users logging in with their AD credentials.
2. Set a screensaver lock to come on the system after a designated amount of time. It’s a common best practice to lock your machine when you leave your desk–but let’s be honest–how many of us really do this? IT administrators usually set screensaver locks to come on after 10-15 minutes using group policy through Active Directory on their Windows machines. Using PowerBroker Identity Services – Enterprise Edition allows IT admins to extend those same group policies to Mac OS X, Linux, and UNIX machines.

The growth of Macs in the enterprise is an exciting prospect. From an IT standpoint, make sure that you’re ready for the influx by having the tools on hand to manage them properly and keep insider threats to a minimum.

Leave a Reply

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, BASH has always been my shell of choice.  Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…

pbps-blog3

7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…

Tags:
, , , , ,