Focus on Apple
Re: several news stories on Macs being zombies Jan 18 2007 04:50PM
Jeremy Reichman (jjracc rit edu)
On 1/18/07 11:05 AM, "Dave Schroeder" <das (at) doit.wisc (dot) edu> wrote:

> Of course, Apple's answer would be to use managed client or OD and
> enforce password policy.
>
> Um, not going to work. Probably a good 90% of the over ten thousand
> Mac OS X machines on this campus will NEVER be "managed", in that sense.
>
> Mac OS X should be actively denying clear attacks (e.g., via the
> firewall), provide an interface to see and manage this functionality,
> and come with much stronger default configurations for services like
> ssh.
>
> We try to protect desktop environments with network level managed and
> delegated firewall controls and other practices (given how
> decentralized we are, IT-wise, the network is pretty much the ONLY
> thing central IT controls), but layered security is always the best
> model anyway. The host-based security could definitely be beefed up
> on Mac OS X from a network/external perspective, to say nothing about
> the general security of pieces of the OS from a desktop usage
> perspective.

I think that ultimately, the more policies are part of the MCX management
schema, the more beneficial it will be to run MCX in whatever directory
service is used. That should translate into more push to deploy directories
and use MCX.

I have a host of individual feature requests for policies I'd like to see
managed at the directory level, and which could also obviate the need for
sys admin scripting and/or management of config files:

* sshd_config
* Default AirPort networks
* 802.1X
* Certificates
* Password policies on local users, and all admin users
* /etc/authorization rights
* Keychain policies, and equivalent to pwpolicy for its passphrases
* New Password Assistant profiles

Some others that might be useful and help with security policy enforcement:

* Screen saver (authentication lock)
* FileVault
* sudoers
* Sharing services
* Firewall rules
* /etc/hostconfig
* Network Locations
* Launchd tasks

--
Jeremy

Copyright 2010, SecurityFocus