From: Pugh, David
Sent: Tuesday, May 20, 2003 5:18 PM
To: lsa-dev-osx@umich.edu
Subject: [MacOSX - Security] Meeting Minutes

Mac OS X Security
May 20, 2003
Meeting Minutes

Attending:
  Dave Pugh (dpugh)
  Suleman Diwan (suledwan)
  Chris Brenner (cbrenner)
  Jim Jeffries (jwj)
  Jeff Kopmanis (kopmanis)
  Phil Holland (hollandp)

PREFERENCES
-----------

Screen effects:
  - how is a password checked for unlocking?
    Phil: it just calls the login window program and authenticates the same way. Phil will check

Sharing:
  - Services
    How to hide: remove lines in a plist file (an upgrade would overwrite this)
      - would need to periodically rehide it to keep this from happening
    File sharing is now encrypted (auth and xfer) in OS X
    Only ADVANTAGE of FTP service is providing anonymous capabilities and currently shipped ftpd doesn't have anonymous access compiled in.

    Personal File Sharing: DISABLED but VISIBLE
    Windows File Sharing: DISABLED but VISIBLE
    Personal Web Sharing: DISABLED but VISIBLE
    Remote Login: ENABLED
    FTP Access: HIDE - provide a package to re-enable it (still to decide - if user can do it themself, vs IT/DSA having to run it)
    Remote Apple Events: DISABLED but VISIBLE
    Printer Sharing: DISABLED but VISIBLE

  - Preferences->Sharing->Internet
      - leave it alone

  - Firewall
      - outbound ports (and replies to outbound traffic) are all open by default
      - inbound ports to open:
          - NOT X - we should require users to use SSH to tunnel it
              - need to set the ssh_config default to always enable it.
          - SSH (will be enabled when service is activated)
          - AFS (7001?)
          - NetOctopus (what ports?)
              - restrict it to netoctopus servers only?
          - Anything more specific than what the GUI provides (subnets, etc)

Show restart & shutdown buttons? (on login screen)
  - LEAVE IT ON - hiding them provides little added security and would encourage people to do unclean shutdowns

Never show password hints?
  - DISABLE, but don't bother hiding the option

LOGIN/LOGOUT
------------

Need kx509 certificate support for single sign on
  - Phil brought up security concerns: can someone get to wolverine_access/coursetools as a professor without typing in a password if they have access to the machine? Not really any more dangerous than kerberos, which is widely accepted.

ACCOUNTS
--------

Do we need a genuine root account?
  answer: NO - just use a remote network admin account(s)

MISC
----

put a wrapper around telnet/ftp that warns the user that their password is going to go in the clear

THINGS TO PONDER
----------------

Concerned about the "single user mode root vulnerability"?
  - options include openfirmware password, inserting a custom script into the rc startup file(s) to ask for a password, and possibly changing 'secure' to 'insecure' in /etc/ttys
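
The MISC item above asks for a wrapper around telnet/ftp that warns about cleartext passwords. One way to write it, as an added example that is not part of the original minutes: it assumes the real binaries were moved to a hypothetical directory (REAL_DIR) and that the script is installed under the names telnet and ftp; the function names are illustrative.

```shell
#!/bin/sh
# Added example: warning wrapper for telnet/ftp (not from the original minutes).
# Assumption: the real binaries were moved to REAL_DIR (hypothetical path) and
# this script is installed, or symlinked, under the names "telnet" and "ftp".
REAL_DIR="${REAL_DIR:-/usr/local/libexec/cleartext}"

# Print the encrypted tool to suggest in place of TOOL; fail for other names.
secure_alternative() {
    case "$1" in
        telnet) echo "ssh" ;;
        ftp)    echo "sftp or scp" ;;
        *)      return 1 ;;
    esac
}

# Warn on stderr, then read one line from stdin. Returns 0 only for an explicit
# "yes"; EOF or any other answer declines (1); an uncovered TOOL returns 2.
confirm_cleartext() {
    tool=$1
    alt=$(secure_alternative "$tool") || { echo "unknown tool: $tool" >&2; return 2; }
    {
        echo "WARNING: $tool sends your password and session over the network in the clear."
        echo "Use $alt instead wherever the server supports it."
        printf 'Type "yes" to continue with %s anyway: ' "$tool"
    } >&2
    IFS= read -r answer || answer=""
    [ "$answer" = "yes" ]
}

# Confirm, then run the real binary with the caller's arguments.
run_wrapped() {
    tool=$1; shift
    if confirm_cleartext "$tool"; then :; else
        rc=$?
        [ "$rc" -eq 2 ] || echo "$tool cancelled." >&2
        return "$rc"
    fi
    real="$REAL_DIR/$tool"
    if [ ! -x "$real" ]; then
        echo "real $tool not found at $real" >&2
        return 127
    fi
    "$real" "$@"
}

# Dispatch on the invoked name; do nothing when sourced or run under another name.
case "$(basename -- "$0")" in
    telnet|ftp) run_wrapped "$(basename -- "$0")" "$@"; exit $? ;;
esac
```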