BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Closing the Password Security Loophole on Mac OS X 10.7

Posted September 30, 2011    Peter McCalister

More and more Macs are cropping up in enterprise IT environments. Studies have shown as much as 94.7% growth in the “very large business” category. It’s no secret that Apple has been on a tear in the consumer markets, and the enterprise market is not far behind.

But what about the security concerns presented by Macs in the enterprise? A password security hole was discovered in Mac OS X 10.7 Lion where a user’s password can be changed without knowing the current password, and without restarting the system. This obviously opens up the system to insider threats–and presents a glaring compliance concern for organizations responsible to adhere to SOX and PCI regulations. When a user leaves his desk, anyone that knows this process could jump on the machine and change the password to anything they wish.

So what can IT administrators do to mitigate this loophole? Certainly Mac users want to and will use the latest version of Mac OS X that’s available. It’s an easy upgrade from the App store. So keeping users on Snow Leopard or earlier versions of OS X isn’t an option. Here are two simple solutions.

1. Don’t have users login with their local accounts. Instead, require that user authentication is done using Microsoft Active Directory, where users login using a centrally-managed account. This in itself is a prime solution to the security loophole, as the loophole only affects local accounts. A free and easy tool for AD authentication on Macs is Powerbroker Identity Services – Open Edition. This tool installs in < 5 minutes and will have users logging in with their AD credentials.
2. Set a screensaver lock to come on the system after a designated amount of time. It’s a common best practice to lock your machine when you leave your desk–but let’s be honest–how many of us really do this? IT administrators usually set screensaver locks to come on after 10-15 minutes using group policy through Active Directory on their Windows machines. Using PowerBroker Identity Services – Enterprise Edition allows IT admins to extend those same group policies to Mac OS X, Linux, and UNIX machines.

The growth of Macs in the enterprise is an exciting prospect. From an IT standpoint, make sure that you’re ready for the influx by having the tools on hand to manage them properly and keep insider threats to a minimum.

Leave a Reply

Additional articles

dave-shackleford-headshot

Why You Still Suck at Patching…and How to Turn Your Life Around

Posted March 25, 2015    Dave Shackleford

Live webinar | March 26, 2015 | 10am PT/1pm ET | Dave Shackleford, SANS Instructor | Why You Still Suck at Patching…and How to Turn Your Life Around

Tags:
, ,
infographic

Privilege Gone Wild 2: Over 25% of Organizations Have No Privileged Access Controls

Posted March 24, 2015    Scott Lang

BeyondTrust recently conducted a survey, with over 700 respondents, to explore how organizations view the risk of misuse from privileged account misuse, as well as trends in addressing and mitigating those risks.

Tags:
,
webinar_ondemand

On Demand Webinar – A Security Expert’s Guide: The Windows Events You Should be Tracking and Why

Posted March 23, 2015    Lindsay Marsh

On-Demand Webinar – Windows Security Expert and MCSE, Russell Smith, discusses the Windows Events you should be tracking right now and why. He will also show you how to set up Event Log subscriptions so you have better monitoring across your Windows environments.

Tags:
, ,