BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Closing the Password Security Loophole on Mac OS X 10.7

Posted September 30, 2011    Peter McCalister

More and more Macs are cropping up in enterprise IT environments. Studies have shown as much as 94.7% growth in the “very large business” category. It’s no secret that Apple has been on a tear in the consumer markets, and the enterprise market is not far behind.

But what about the security concerns presented by Macs in the enterprise? A password security hole was discovered in Mac OS X 10.7 Lion where a user’s password can be changed without knowing the current password, and without restarting the system. This obviously opens up the system to insider threats–and presents a glaring compliance concern for organizations responsible to adhere to SOX and PCI regulations. When a user leaves his desk, anyone that knows this process could jump on the machine and change the password to anything they wish.

So what can IT administrators do to mitigate this loophole? Certainly Mac users want to and will use the latest version of Mac OS X that’s available. It’s an easy upgrade from the App store. So keeping users on Snow Leopard or earlier versions of OS X isn’t an option. Here are two simple solutions.

1. Don’t have users login with their local accounts. Instead, require that user authentication is done using Microsoft Active Directory, where users login using a centrally-managed account. This in itself is a prime solution to the security loophole, as the loophole only affects local accounts. A free and easy tool for AD authentication on Macs is Powerbroker Identity Services – Open Edition. This tool installs in < 5 minutes and will have users logging in with their AD credentials.
2. Set a screensaver lock to come on the system after a designated amount of time. It’s a common best practice to lock your machine when you leave your desk–but let’s be honest–how many of us really do this? IT administrators usually set screensaver locks to come on after 10-15 minutes using group policy through Active Directory on their Windows machines. Using PowerBroker Identity Services – Enterprise Edition allows IT admins to extend those same group policies to Mac OS X, Linux, and UNIX machines.

The growth of Macs in the enterprise is an exciting prospect. From an IT standpoint, make sure that you’re ready for the influx by having the tools on hand to manage them properly and keep insider threats to a minimum.

Leave a Reply

Additional articles

ovum-research

New Analyst SWOT Assessment Identifies Key Strengths of PowerBroker

Posted November 24, 2014    Scott Lang

Following on the heels of the Gartner PAM market guide and Frost & Sullivan review of Password Safe comes a new analyst review of our BeyondInsight and PowerBroker platforms, a SWOT assessment of BeyondTrust written by Ovum. Ovum’s honest and thorough review of BeyondTrust indicates that we are delivering, “…an integrated, one-stop approach to PAM….

Tags:
, , ,

Patented Windows privilege management brings you unmatched benefits

Posted November 24, 2014    Scott Lang

We are pleased to announce that BeyondTrust has been granted a new U.S. Patent (No. 8,850,549) for privilege management, validating our approach to helping our customers achieve least privilege in Windows environments. The methods and systems that we employ for controlling access to resources and privileges per process are unique to BeyondTrust PowerBroker for Windows….

Tags:
6

A Quick Look at MS14-068

Posted November 20, 2014    BeyondTrust Research Team

Microsoft recently released an out of band patch for Kerberos.  Taking a look at the Microsoft security bulletin, it seems like there is some kind of issue with Kerberos signatures related to tickets. Further information is available in the Microsoft SRD Blogpost So it looks like there is an issue with PAC signatures.  But what…

Tags:
, , , ,