Apple 10.6 manual Password Guidelines

Models: 10.6


• Do not use administrator (UNIX “admin” group) accounts for daily use.

Restrict the use of administration privileges by keeping the admin login and password separate from daily use.

• Back up critical data on the system regularly, with a copy stored at a secure off-site location.

Backup media are of little use in recovery if they are destroyed with the computer during a fire. Test your backup and recovery contingency plans to ensure that recovery actually works.

• Review system audit logs regularly and investigate unusual traffic.

• Disable services that are not required on your system.

A vulnerability in any service running on your system can compromise the entire system. In some cases, the default (out-of-the-box) configuration of a system leads to exploitable vulnerabilities in services that were enabled implicitly.

Turning on a service opens a port through which users can reach your system. Although enabling Firewall service helps avoid unauthorized access, an inactive service port remains a vulnerability that an attacker might exploit.
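As an added example that is not part of the Apple manual: a small POSIX shell audit that compares the TCP ports a server is actually listening on (as reported by `lsof -nP -iTCP -sTCP:LISTEN`) against the list of ports the server is meant to offer, so that implicitly enabled services stand out for review. The lsof output below is a constructed sample so the script runs offline; the function name and the allowed-port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the Apple manual. Audit listening TCP ports
# against an allowlist of the services this server is supposed to offer.
# Real use:  lsof -nP -iTCP -sTCP:LISTEN | audit_listeners "22 443"

# Constructed sample of lsof output (format only; PIDs/devices are made up).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   10u  IPv6 0x1234      0t0  TCP *:22 (LISTEN)
httpd     212 root    4u  IPv4 0x1235      0t0  TCP *:443 (LISTEN)
cupsd     301 root    6u  IPv4 0x1236      0t0  TCP 127.0.0.1:631 (LISTEN)
AFP       402 root    8u  IPv4 0x1237      0t0  TCP *:548 (LISTEN)'

# audit_listeners "PORT PORT ..."  < lsof-output
# Prints "port process" for every listening port not in the allowlist.
# Returns 0 when every listener is allowed, 1 when at least one is not.
audit_listeners() {
  allowed=" $1 "
  found=0
  while read -r cmd pid user fd type dev size node name state; do
    [ "$state" = "(LISTEN)" ] || continue   # skips the header line too
    port=${name##*:}                          # works for *:22 and [::1]:22
    case "$allowed" in
      *" $port "*) ;;                          # expected service, fine
      *) echo "$port $cmd"; found=1 ;;         # unexpected listener
    esac
  done
  return $found
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | audit_listeners "22 443" \
  || echo "unexpected listeners found: review and disable if not required"
```

Ports that appear here but are not in the allowlist are candidates for disabling (or for being added to the allowlist after a deliberate decision), not automatically faults.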

• Enable Firewall service on servers, especially at the network frontier and DMZ.

Your server’s firewall is the first line of defense against unauthorized access. For more information, see the onscreen help or the Mac OS X Server Resources website at www.apple.com/server/macosx/resources/. Also consider a third-party hardware firewall as an additional line of defense if your server is highly exposed to attack.

• If needed, install a local firewall on critical or sensitive servers.

Implementing a local firewall protects the system from an attack that might originate within the organization’s network or from the Internet.

• For additional protection, implement a local Virtual Private Network (VPN) that provides a secure encrypted tunnel for communication between a client computer and your server application. Some network devices provide a combination of functions: firewall, intrusion detection, and VPN.

• Administer servers remotely.

Manage your servers remotely using applications like Server Admin, Server Monitor, RAID Admin, and Apple Remote Desktop. Minimizing physical access to the systems reduces the possibility of mischief.

Password Guidelines

Many applications and services require that you create passwords to authenticate. Mac OS X includes applications that help create complex passwords (using Password Assistant), and securely store your passwords (using Keychain Access).

Chapter 4    Enhancing Security

77
