I'm computer savvy enough to be dangerous but can follow your instructions i. Once done with the instructions above, please give it a try again and keep us posted with the result. Thank you! I don't know which specific certificates are the 2 old DoD certs to remove, so that hasn't been done.
This redundancy shouldn't be a problem, correct? Previously, I only had them saved in the login keychain. Safari can't establish a secure connection to the server for "x certificate ". I've opened Centrify in Utilities and it shows Card Status: SCR Status: Authentication attempts remaining: This sometimes occurs when the server is busy. Wait for a few minutes and then try again. What is interesting is that I'm getting the same message whether the CAC reader is plugged in or not when trying to access these sites.
In layman's terms, it seems as if the websites can't 'see' the CAC and certs even though they are quite visible on the computer itself??? I think there is a conflict between Keychain Access and WebKit networking: Not sure this is a Centrify or OS X issue. I believe it's easier for us to further investigate the issue with the proper log files.
Therefore, please help perform the following to provide us the Diagnostic output:

Of course not. Being able to join all those Macs to the AD domain is invaluable from that point of view. On the other hand, perhaps new hires are Mac experts and know nothing about PCs.
Re: macOS Sierra 10.12.2 DOD CAC Access Issues
In that situation, a computer needs to be purchased either way, so why not get them a computer they are already proficient with and let them hit the ground running? Now for the good news. Once your Mac clients have been joined to your AD domain, other software services that rely on AD will be able to perform the necessary functions for both security and convenience.
For example, with a Mac that is bound to an AD domain, the PortalGuard Desktop Client can be installed and your end users will be able to enjoy the same Self-service Password Reset and Recovery feature that Windows users appreciate. Check out this article for more details on the PG Desktop for Mac.

Over the last ten years Larry has specialized in improving and growing the support process, previously and within PistolStar Inc.

We used JAMF but did not succeed.

The items listed in Step 2 are nowhere to be found on the Mac OS version that I am using, which is on a brand new iMac?
A system is only as secure as its administrator is capable of making it. There is no single technology, piece of software, or technique that guarantees perfect computer security; a modern operating system and computer are very complex, and meaningfully improving one's security and privacy posture requires numerous incremental changes. This guide is provided on an 'as is' basis without any warranties of any kind.
Only you are responsible if you break anything or get into any sort of trouble by following this guide. If you wish to make a correction or improvement, please send a pull request or open an issue. Create a threat model. The simplest way to install macOS is to boot into Recovery Mode by holding the Command and R keys at boot. A system image can be downloaded and applied directly from Apple. However, this exposes the serial number and other identifying information over the network in plaintext, which may not be desirable for privacy reasons. An alternative is to first download macOS Mojave from the App Store or elsewhere, and create a custom installable system image.
The macOS installation application is code signed, which should be verified to make sure you received a legitimate copy, using the pkgutil --check-signature or codesign -dvv commands. See Create a bootable installer for macOS, or run the utility without arguments to see how it works. To create a bootable USB installer, mount a USB drive, erase and partition it, then use the createinstallmedia utility.
If you want to build a custom image, note that the following instructions appear to work only on macOS versions before a certain release. Find InstallESD. To determine which macOS versions and builds originally shipped with or are available for a Mac, see HT. The installation will take a while, so be patient.
The file sierra. The image could be further customized to include provisioned users, installed applications, and preferences, for example. If you don't have another Mac, boot to a USB installer, with sierra. The Disk Utility application may also be used to erase the connected disk and restore sierra. Unless you have built the image with AutoDMG, or installed macOS to a second partition on the same Mac, you will need to create a recovery partition in order to use full disk encryption.
Download RecoveryHDUpdate. To install macOS as a virtual machine (VM) using VMware Fusion, follow the instructions above to create an image. You will not need to download and create a recovery partition manually. Customize any memory or CPU requirements and complete setup. The guest VM should boot into Recovery Mode by default. Note: If the virtual machine does not boot due to a kernel panic, adjust the memory and processor resource settings.
In the guest VM, type ifconfig | grep inet; you should see a private address. On the host Mac, type ifconfig | grep inet; you should see a private gateway address. From the host Mac, you should be able to ping the guest's address. From the guest VM, install the disk image to the volume over the local network using asr. In the guest VM, select Startup Disk from the menu bar (top left), select the hard drive and restart.
You may wish to disable the Network Adapter in VMware while initially configuring the guest VM.
Take and restore saved guest VM snapshots before and after attempting risky browsing, for example, or use a guest VM to install and operate questionable software. Note: Before setting up macOS, consider disconnecting networking and configuring a firewall first. When creating the first account, use a strong password without a hint.
If you enter your real name during account setup, be aware that your computer's name and local hostname will be derived from that name. A few words on the privacy implications of activating "Touch Bar" MacBook devices, from your friendly anonymous security researcher: Apple seems, despite vague claims to the contrary, increasingly interested in merging or "unifying" the two OSes, and there are constantly rumors of fundamental changes to macOS that make it far more like iOS than the macOS of old.
First boot activation not only initializes sepOS, as discussed below, but also sends metadata to Apple (and, on cellular devices, to carriers via Apple) to activate the baseband and SIM. In activation processes after first boot, just as with first boot, a long list of highly sensitive metadata is sent to Apple, hashed (note that hashing gives you no privacy from Apple here, since Apple links this exact metadata to payment information at purchase), so that Apple can return the personalized response required for secure boot to complete.
What is particularly worrying about this process is that it is a network-linked secure boot process in which centralized external servers have the power to dictate what the device should boot. The activation verification mechanism is designed specifically to rely on unique device identifiers that are associated with payment information at purchase, and that Apple actively associates, on a continuing basis, with every Apple-hosted service the device interacts with (Apple ID-based services, softwareupdate, iMessage, FaceTime, etc.).
The introduction of these coprocessors to Mac devices, while increasing security in many ways, brings with it all the issues with iOS discussed above, and makes running Macs securely with complete user control, and without forced network interaction with Apple's servers, problematic and risky in highly sensitive corporate and other environments.
Given that this author is unaware of the exact hardware configuration of the coprocessors, the following may be inaccurate. One could argue that these coprocessors increase security, and in many ways that is the case, but not the user's security against a malicious Apple. The lack of configurability is the key issue. Apple could have introduced secure boot and firmware protection without requiring network access, without linking verification to device-unique IDs, and without introducing an enormous amount of potentially exploitable code, running on a coprocessor with a highly privileged position on the board, in order to protect against a much smaller but highly exploitable codebase; that privileged position gives immense power to an adversary who can obtain the manufacturer's compliance for targeted attacks.
This is an ongoing concern and in the worst-case scenario could represent the end of Macs as independent, end-user-controllable and relatively secure systems appropriate for sensitive environments with strict network and security policies. The first user account is always an admin account.
Admin accounts are members of the admin group and have access to sudo, which allows them to usurp other accounts, in particular root, and gives them effective control over the system. Any program that the admin executes can potentially obtain the same access, making this a security risk. Utilities like sudo have weaknesses that can be exploited by concurrently running programs, and many panes in System Preferences are unlocked by default (see the referenced PDF). It is considered a best practice by Apple and others (see the referenced PDF).
It is not strictly required to ever log into the admin account via the macOS login screen. The system will prompt for authentication when required and Terminal can do the rest. To that end, Apple provides some recommendations for hiding the admin account and its home directory. This can be an elegant solution to avoid having a visible 'ghost' account.
The admin account can also be removed from FileVault for additional hardening.
Accounts can be created and managed in System Preferences. On established systems, it is generally easier to create a second admin account and then demote the first account; this avoids data migration. Newly installed systems can also just add a standard account. Demoting an account can be done either from the new admin account in System Preferences (the other account must be logged out) or by executing these commands (it may not be necessary to execute both; see the referenced issue). See also this post for more information about how macOS determines group membership.
FileVault provides full disk (technically, full volume) encryption on macOS. FileVault encryption protects data at rest and hinders, but does not always prevent, someone with physical access from stealing data or tampering with your Mac. With much of the cryptographic work done efficiently in hardware, the performance penalty of FileVault is not noticeable.
Like all cryptosystems, the security of FileVault depends greatly on the quality of the pseudo-random number generator (PRNG). The random device implements the Yarrow pseudo-random number generator algorithm and maintains its entropy pool. Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel. Turning on FileVault in System Preferences after installing macOS, rather than creating an encrypted partition for the installation first, is more secure, because more PRNG entropy is available by then.
This can be done simply by using the Mac for a little while before activating FileVault. It may also be possible to increase entropy with an external source, like OneRNG. See Entropy and Random Number Generators and Fun with encryption and randomness for more information. If you can remember the password, there's no reason to save the recovery key. However, all encrypted data will be lost forever without either the password or the recovery key. To learn how FileVault works, see the paper Infiltrate the Vault. Optional: enforce system hibernation and evict FileVault keys from memory instead of the traditional sleep-to-memory.
All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. If you choose to evict FileVault keys in standby mode, you should also modify your standby and power nap settings.
Otherwise, your machine may wake while in standby mode and then power off due to the absence of the FileVault key. See the referenced issue for more information. These settings can be changed from the command line. See also Cold Boot Attacks on Encryption Keys (pdf). Setting a firmware password prevents a Mac from starting up from any device other than the startup disk.
It may also be set to be required on each boot. This may be useful for mitigating some attacks that require physical access to hardware. See How to set a firmware password on your Mac for official documentation. This feature can be helpful if your laptop is lost or stolen, and it protects against Direct Memory Access (DMA) attacks, which can read your FileVault passwords and inject kernel modules (such as pcileech), as the only way to reset the firmware password is through an Apple Store or by using an SPI programmer, such as Bus Pirate or another flash IC programmer.
The firmware password will activate at next boot. To validate the password, hold Alt during boot; you should be prompted to enter the password. The firmware password can also be managed with the firmwarepasswd utility while booted into the OS, for example to prompt for the firmware password when attempting to boot from a different volume. Note that a firmware password may be bypassed by a determined attacker, or by Apple, with physical access to the computer.
See this blog post for more information. macOS has a built-in, basic firewall that blocks incoming connections only. This firewall does not have the ability to monitor or block outgoing connections. Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using stealth mode. This makes it more difficult for attackers to find your computer.
To prevent built-in software, as well as code-signed downloaded software, from being whitelisted automatically, disable the corresponding firewall options. Otherwise, applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in macOS are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall. If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app.
If you choose "Allow", macOS signs the application and automatically adds it to the firewall list. If you choose "Deny", macOS adds it to the list but denies incoming connections intended for this app. After interacting with socketfilterfw, restart the process by sending it a hangup signal (SIGHUP). Third-party firewall applications, such as Little Snitch, are capable of monitoring and blocking incoming and outgoing network connections. However, they may require the use of a closed-source kernel extension. It is worth noting that these firewalls can be bypassed by programs running as root or through OS vulnerabilities (pdf), but they are still worth having; just don't expect absolute protection.
However, some malware actually deletes itself and doesn't execute if Little Snitch, or other security software, is installed. A highly customizable and powerful, but also far more complicated, firewall exists in the kernel: pf. It can be controlled with pfctl and various configuration files.
There are many books and articles on the subject of the pf firewall. Here is just one example of blocking traffic by IP address. Add the rules into a file called pf. Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a NAT on a secure home network. It is possible to use the pf firewall to block network access to entire ranges of network addresses, for example to a whole organization. Services on macOS are managed by launchd. See the launchd documentation. You can also run KnockKnock, which shows more information about startup items.
Look at the Program or ProgramArguments section to see which binary is run, in this case apsd. To find out more about it, look at the man page with man apsd. Note: Unloading services may break the usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first. Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use single-user mode to fix it. Use the Console and Activity Monitor applications if you notice your Mac heating up, feeling sluggish, or generally misbehaving, as it may be the result of your tinkering.
Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository. See also cirrusj. Disable Spotlight Suggestions in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple. Also disable Bing Web Searches in the Spotlight preferences to avoid your search queries being sent to Microsoft.
See fix-macosx. If you've upgraded to OS X, see that page. For a comparison to Windows 10, see https: Note: If you have not already installed Xcode or the Command Line Tools, use xcode-select --install to download and install them, or check Apple's developer site. Install Homebrew. Remember to periodically run brew update and brew upgrade on trusted and secure networks to download and install software updates. According to Homebrew's Anonymous Aggregate User Behaviour Analytics, Homebrew gathers anonymous aggregate user behaviour analytics and reports them to Google Analytics.
Use the hosts file to block known malware, advertising or otherwise unwanted domains. There are many lists of domains available online which you can paste in; just make sure each line starts with a non-routable address (0 or 0.0.0.0). For hosts lists, see someonewhocares. Append a list of hosts with the tee command and confirm that only non-routable addresses or comments were added.
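As an added example (not from the guide), the check described above as a portable shell filter: it lets through only comments and entries that point a hostname at a sink address, normalises the 0 shorthand, and an audit function flags any routable mapping that has ended up in the hosts file. It assumes only a POSIX awk; the sample list and file names are constructed.

```shell
# Added example, not part of the original guide: sanitize a downloaded
# hosts-style blocklist before appending it to /etc/hosts, then audit the
# result. A poisoned list could map a real site to an attacker-controlled
# address, so only sink addresses (0 / 0.0.0.0 / 127.0.0.1) are let through.
# Requires only a POSIX awk; the paths in the usage comments are examples.

# Reads a blocklist on stdin, writes accepted lines to stdout and reports
# every rejected line on stderr. Always exits 0 so it fits in a pipeline:
#   sanitize_hosts_list < list.txt | sudo tee -a /etc/hosts
sanitize_hosts_list() {
  awk '
    { sub(/\r$/, "") }                          # tolerate CRLF line endings
    /^[ \t]*$/ || /^[ \t]*#/ { print; next }    # blanks and comments pass
    ($1 == "0" || $1 == "0.0.0.0" || $1 == "127.0.0.1") && NF >= 2 &&
    $2 ~ /^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?(\.[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?)*$/ {
      sink = ($1 == "0") ? "0.0.0.0" : $1      # normalise the "0" shorthand
      print sink, $2                            # drops any trailing inline comment
      next
    }
    { print "rejected: " $0 > "/dev/stderr" }   # routable IPs, URLs, junk
  '
}

# Audits an existing hosts file: prints every mapping whose address is not
# one of the non-routable entries macOS ships with or a blocklist sink, and
# exits 1 if any such line exists. Usage: audit_hosts_file /etc/hosts
audit_hosts_file() {
  awk '
    BEGIN { ok["0"] = 1; ok["0.0.0.0"] = 1; ok["127.0.0.1"] = 1; ok["::1"] = 1
            ok["255.255.255.255"] = 1; ok["fe80::1%lo0"] = 1 }
    { sub(/\r$/, "") }
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    !($1 in ok) { print FILENAME ":" NR ": routable mapping: " $0; bad++ }
    END { exit (bad > 0 ? 1 : 0) }
  ' "$1"
}

# Constructed sample list: two good entries, one "0" shorthand, one routable
# address (which would hijack the name), one URL pasted by mistake.
SAMPLE_LIST='# constructed sample blocklist
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test   # inline comment is stripped
0 beacon.example.test
192.0.2.10 login.example.test
http://notahost.example.test/'
```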
Install dnscrypt from Homebrew and follow the instructions to configure and start dnscrypt-proxy. If using it in combination with Dnsmasq, find the file homebrew. By default, dnscrypt-proxy runs on localhost. If you would like to change these settings, you will have to edit the configuration file; see the sample configuration file for dnscrypt-proxy for the options. Note: Applications and programs may resolve DNS using their own provided servers. If dnscrypt-proxy is used, it is possible to block all other, non-dnscrypt DNS traffic with pf rules.
Among other features, dnsmasq is able to cache replies, prevent upstream queries for unqualified names, and block entire TLDs. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone. The current root-zone trust anchors may be downloaded from the IANA website. Edit the file and examine all the options. Install and start the program (sudo is required to bind to the privileged port). See issue 24 for more information. When macOS connects to new networks, it checks for Internet connectivity and may launch a Captive Portal assistant utility application.
An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser: after disabling any custom proxy or DNS settings, navigate to a non-secure HTTP page and accept the redirect to the captive portal login interface.
Disable certificate authorities through Keychain Access by marking them as Never Trust and closing the window. Apple's bundled OpenSSL doesn't support TLS 1. Apple's version of OpenSSL may also have patches which may surprise you.