Safe and sound: securing Mountain Lion

Neal Wise
17 April, 2013

Since our last security feature in 2012, a lot has changed with OS X security. Apple has improved kernel-level protections such as Address Space Layout Randomisation (ASLR), which Mountain Lion now applies to the kernel itself, and has introduced a code-signing mechanism, Gatekeeper, in OS X Lion 10.7.5 and OS X Mountain Lion that resembles the one used in iOS. Apple has also spent a significant part of the last year playing ‘Whac-A-Mole’ with malicious Java applets and web content, changing its approach to supporting Java on Lion and Mountain Lion. In this feature, we’ll have a look at applying baseline security controls to your Mountain Lion-based Mac, and at the challenges in 2013 of using web-based Java applets on your Mac.

Let’s have a look at what basic steps we’d recommend to secure a Mountain Lion installation. These are similar to what we’ve done in the past with Lion, Snow Leopard and so on, but subtle changes to System Preferences may have added, removed or relocated some of the security controls we previously considered.

Like most operating systems, OS X installations default to basic features and convenient use. In today’s world (and not just for those of us who are generally paranoid) default configurations of any technology – your computer, phone, internet TV, etc – should be carefully considered. Where possible, we’ll try to pick the strictest reasonable approach.


First, let’s think about you. Your Mac’s account password first: do you have one? Is your Mac set to ‘Automatic login’ as a user account when started up? In a world where we’re slowly becoming overwhelmed with passwords and PINs there are a few that are really important to assign well – obviously we’re including your computer in that list.

Second, we need to ensure your login account on your Mac is relatively secure. Basically secure enough to discourage a ‘walk by’ opportunistic attack.

Multiplication malady. If you have multiple user accounts on your Mac, make sure they have all been assigned with secure passwords.

So if you’ll start System Preferences (Apple Menu > System Preferences) we can begin. Select ‘Users & Groups’ and then select Login Options. There are a few default options here we’ll want to change. Many of these options are great examples of trading the security of your Mac for convenience.

First, you should disable ‘Automatic login’ on your Mac if it’s enabled. This is to prevent access to your Mac without your permission in the event that your Mac is lost or stolen. This is disabled by default in recent releases but, in the past, it may have been enabled prior to an upgrade. We also typically set the login window to ‘Name and password’ to force a would-be attacker to guess a valid username as well as a password, rather than clicking on user account pictures and having a guess at passwords only; it also stops the login window advertising who uses the Mac.

With the ‘List of users’ option, you may have had the guest account enabled or an account created by an application (any MacPorts users?) or you may have other accounts available. In the case of multiple accounts, there may be one or more with weak passwords assigned.
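If you’d rather audit these Login Options from a script than click through System Preferences (say, across the family’s Macs), here is an added example of ours for this page, not Apple’s tooling, that reads the same preference file the Login Options panel writes. The plist path and the three key names are the ones Mountain Lion uses; the sample values are made up, and the `defaults write` commands in the remediation strings are the ones System Preferences issues on your behalf.

```python
"""Audit the Login Options the article walks through, straight from the
preference file System Preferences writes.

Added example (not from the original article). Keys used by
/Library/Preferences/com.apple.loginwindow.plist on Mountain Lion:
  autoLoginUser  - present only when automatic login is on (an obfuscated
                   copy of that user's password then lives in /etc/kcpassword)
  SHOWFULLNAME   - True means the 'Name and password' login window
  GuestEnabled   - the Guest account
Reading the file needs no root; changing it does.
"""
import plistlib
from pathlib import Path

LOGINWINDOW_PLIST = Path("/Library/Preferences/com.apple.loginwindow.plist")
DEFAULTS = "sudo defaults write /Library/Preferences/com.apple.loginwindow"


def load_loginwindow_prefs(path=LOGINWINDOW_PLIST):
    """Return the loginwindow preferences as a dict ({} if the file is absent)."""
    if not path.exists():
        return {}
    with open(path, "rb") as fh:  # plistlib reads both binary and XML plists
        return plistlib.load(fh)


def audit_login_options(prefs):
    """Compare loginwindow prefs against the article's recommendations.

    Returns a list of (setting, status, detail) tuples; status is 'ok' or
    'fix', and for 'fix' the detail carries the command that corrects it.
    """
    findings = []

    user = prefs.get("autoLoginUser")
    if user:
        findings.append(("Automatic login", "fix",
                         f"logs in as '{user}' without a password: "
                         "sudo defaults delete /Library/Preferences/com.apple.loginwindow "
                         "autoLoginUser && sudo rm -f /etc/kcpassword"))
    else:
        findings.append(("Automatic login", "ok", "disabled"))

    if prefs.get("SHOWFULLNAME", False):
        findings.append(("Login window", "ok", "asks for name and password"))
    else:
        findings.append(("Login window", "fix",
                         f"shows a list of users: {DEFAULTS} SHOWFULLNAME -bool true"))

    if prefs.get("GuestEnabled", False):
        findings.append(("Guest account", "fix",
                         f"enabled: {DEFAULTS} GuestEnabled -bool false"))
    else:
        findings.append(("Guest account", "ok", "disabled"))
    return findings


def needs_attention(prefs):
    """Names of settings that still need changing (empty list == clean)."""
    return [name for name, status, _ in audit_login_options(prefs) if status == "fix"]


# Constructed sample: a Mac upgraded from an older release with all three
# conveniences still switched on (these values are made up for the example).
SAMPLE_PREFS = {"autoLoginUser": "family", "SHOWFULLNAME": False, "GuestEnabled": True}

if __name__ == "__main__":
    prefs = load_loginwindow_prefs() or SAMPLE_PREFS  # falls back to the sample off a Mac
    for name, status, detail in audit_login_options(prefs):
        print(f"[{status:>3}] {name}: {detail}")
```

Run it as an ordinary user to see the findings; the remediation commands need `sudo`, and the login window picks the changes up at the next logout.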

So let’s talk about passwords. There’s lots of good advice on passwords out there. And there’s heaps of bad advice. And, worse, sometimes technology stores passwords weakly and this can lead to the compromise of even well-selected passwords.

Aim for something memorable with the usual recommendations for making the password complex: mixed upper/lower case letters, some numbers and symbols and 10+ characters if you can manage that.

So what about permitting use of your Apple ID to reset your Mac password? That’s been an option for a few releases of OS X. We’re reluctant to trust using an Apple ID for so many important things – iTunes with a credit card potentially associated with the account and iCloud email if you use it – as well as permitting you to use it to reset your account on your Mac.

Some quick tips: use a low-value iTunes pre-paid card with your iTunes account to prevent surprises and change your Apple ID password frequently (every 30, 45 or 90 days depending on your paranoia quotient).

It’s worth noting that if you have any accounts on your Mac with Parental Controls assigned, including those using Simple Finder, certain Mountain Lion features can’t be disabled for those managed users, which may cause annoyances. Notifications is one example: there’s no way to switch it off for a managed account.


The primary place we can control most security features of Mountain Lion is in the Security & Privacy System Preference pane. From this System Preference we can specify security configuration for your Mac’s behaviour for locking the screen, encrypting your Mac’s hard drive or SSD, configuring the firewall and specifying privacy protections. Some of the configuration options – changing password and disabling automatic login for example – are a bit redundant since they’re also in the Users & Groups preference pane.

Immediate action. In the Security & Privacy System Preferences Pane, you can enable a password requirement to prevent unauthorised access to your Mac.

First, let’s look at the Advanced options. These used to be on the first panel of Security & Privacy but are now a little more hidden, probably because they’re not something you change often (they are important, though). Select ‘Automatically update safe downloads list’ from the sheet under the Advanced button of the Security & Privacy preference pane.

That keeps our friends XProtect.plist and XProtect.meta.plist (in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/, used by the OS X file quarantine function) up-to-date with Apple’s list of known malicious software. XProtect.meta.plist also records the minimum acceptable versions of browser plug-ins known to be a source of security issues, such as Oracle’s Java applet plug-in and Adobe’s Flash Player; a plug-in below the minimum is blocked from loading in Safari until it’s updated.
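To see what that list actually says about the plug-ins on your Mac, here is an added example of ours (not Apple’s code and not from the original article) that parses XProtect.meta.plist and decides whether a given plug-in version would be blocked. The file path, the plug-in bundle identifiers and the PlugInBlacklist/MinimumPlugInBundleVersion key layout are what Mountain Lion uses; the embedded sample plist and its version strings are constructed for the example, and the dotted-version comparison is a plain numeric one rather than Apple’s exact rule.

```python
"""Read the plug-in blacklist that 'Automatically update safe downloads list'
keeps current, and check installed plug-ins against it.

Added example, not from the article or from Apple. The sample plist below is
constructed (version numbers invented) in the real file's layout:
PlugInBlacklist -> "10" (OS major version) -> bundle ID ->
MinimumPlugInBundleVersion.
"""
import os
import plistlib

XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/Contents/"
                 "Resources/XProtect.meta.plist")

# Where the two plug-ins the article mentions live, keyed by bundle ID.
PLUGINS = {
    "com.oracle.java.JavaAppletPlugin": "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin",
    "com.macromedia.Flash Player.plugin": "/Library/Internet Plug-Ins/Flash Player.plugin",
}

SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Version</key><integer>1000</integer>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict><key>MinimumPlugInBundleVersion</key><string>1.7.17.02</string></dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict><key>MinimumPlugInBundleVersion</key><string>11.6.602.180</string></dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def sample_meta():
    """The constructed sample, parsed (used when the real file is absent)."""
    return plistlib.loads(SAMPLE_META)


def load_meta(path=XPROTECT_META):
    """Parse the real XProtect.meta.plist, falling back to the sample."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except OSError:
        return sample_meta()


def version_tuple(text):
    """'1.7.17.02' -> (1, 7, 17, 2); non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def older_than(installed, minimum):
    """Numeric dotted-version comparison, padding the shorter with zeros."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def minimum_versions(meta):
    """Map plug-in bundle ID -> minimum version XProtect will allow to load."""
    entries = meta.get("PlugInBlacklist", {}).get("10", {})
    return {bundle: entry["MinimumPlugInBundleVersion"]
            for bundle, entry in entries.items()
            if "MinimumPlugInBundleVersion" in entry}


def is_blocked(meta, bundle_id, installed_version):
    """True if XProtect would refuse to load this version of the plug-in."""
    minimum = minimum_versions(meta).get(bundle_id)
    return minimum is not None and older_than(installed_version, minimum)


def installed_plugin_version(bundle_dir):
    """CFBundleVersion from <bundle>/Contents/Info.plist, or None if not installed."""
    try:
        with open(os.path.join(bundle_dir, "Contents", "Info.plist"), "rb") as fh:
            return plistlib.load(fh).get("CFBundleVersion")
    except OSError:
        return None


if __name__ == "__main__":
    meta = load_meta()
    for bundle_id, bundle_dir in PLUGINS.items():
        version = installed_plugin_version(bundle_dir)
        if version is None:
            print(f"{bundle_id}: not installed")
            continue
        state = "BLOCKED" if is_blocked(meta, bundle_id, version) else "allowed"
        print(f"{bundle_id}: {version} (minimum {minimum_versions(meta).get(bundle_id)}) -> {state}")
```

Off a Mac the script reports both plug-ins as not installed and the checks run against the sample list; on a Mac it tells you whether Safari will load your current Java and Flash plug-ins before you find out the hard way.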

We would also recommend selecting ‘Require an administrator password to access locked preferences’ if you share use of your Mac with family members who you don’t want changing the configuration of your Mac.

Under the General tab you’ll want your Mac to demand that users provide a password to unlock the screensaver or when you wake (or unsuspend) your Mac. By default, Mountain Lion requires a password to be provided immediately once the screen is locked. This is an effective way of ensuring your Mac isn’t accessed for unauthorised use. We do advise assigning a ‘return to base’ message to appear on the lock screen.

It’s worth it to us, for peace of mind, to offer a reward to have our Macs returned. Once applied, the warning message appears on both the lock screen and on system boot if you have FileVault enabled.


The next configuration option relates to Apple’s Gatekeeper trusted software initiative. Gatekeeper was introduced in OS X Lion 10.7.5 and OS X Mountain Lion and is really the combination of a few things: the file quarantine attribute that Safari, Mail, Messages and other applications attach to downloads, and the Developer ID code-signing scheme tied to Apple’s registered developer program and the Mac App Store. The first time you open a quarantined application, Gatekeeper checks its signature against the policy you choose here.

ID default. In default mode, all applications not signed with an Apple Developer ID will need to be manually approved by the user in order to run the software.

Registered developers can digitally sign their software using their Developer ID certificate. This digital certificate framework permits Apple and, indirectly, the end user to confirm that the application was signed by someone who has provided their contact and/or company details (and US$99) to Apple. Or, of course, by anyone who has got hold of that developer’s private key: the signature proves the key was used, not who used it.

Applications submitted to the Mac App Store are signed with a separate App Store distribution certificate and re-signed by Apple on sale; Developer ID certificates are specifically for software distributed outside the store. The Mac App Store also requires applications to follow certain guidelines, including (since mid-2012) the App Sandbox, so an application must declare up front which resources on your Mac it needs, such as the camera and microphone or your Contacts and Calendar data, in the same spirit as the per-app permissions on iOS.

This configuration can be used to reduce the likelihood of unauthorised (i.e. not signed with a developer key) software being run on your Mac, but there are some limitations, mostly relating to Mac software in use that pre-dates code-signing of applications. So it tries to strike a balance by permitting the user to specify trusting software that isn’t signed with a Developer ID certificate.

You can choose to set this option to ‘Allow applications downloaded from the Mac App Store’.

This may be a good setting for simple functionality systems such as those we set up for our relatives using Safari, Mail and other standard applications. When this configuration is set, however, you may find that commonly used applications aren’t usable anymore.

The second mode, ‘Mac App Store and identified developers’, is the default mode set for Mountain Lion. Any downloaded application that isn’t signed with an Apple Developer ID (or by the Mac App Store) is refused with a dialog the first time you open it; if you override that via Control-click and Open, the quarantine flag is cleared and that particular copy of the application is trusted for execution from then on. Note that Gatekeeper only looks at files carrying the quarantine attribute, so software copied in from a USB stick or built locally isn’t checked at all.

Always be wary of applications asking you to authenticate as an administrator. You never know what they’re actually doing behind the scenes.

The final option permits trusting applications downloaded from anywhere. We’re not sure what the value in choosing this is other than if you download a lot of random applications and grow tired of accepting the dialogue box for running them. Maybe using the internet isn’t for you if you think this option is useful.

We’d recommend sticking with the ‘Mac App Store and identified developers’ setting. This will allow you to manually allow applications (via Control-click/ right-click and Open) as required.
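Two commands let you see what Gatekeeper sees before you decide to Control-click and Open: `xattr -p com.apple.quarantine` shows the quarantine record a download carries, and `spctl --assess --verbose` gives Gatekeeper’s verdict on it. The following is an added example of ours for this page (not Apple’s code) that decodes both. The quarantine value format, `flags;hex-epoch;agent;uuid`, and the spctl output lines are as Mountain Lion produces them; the sample values are constructed, and the flag bits are reported raw rather than interpreted.

```python
"""Decode the com.apple.quarantine attribute that makes Gatekeeper inspect a
download, and read spctl's verdict on an application.

Added example, not from the article or from Apple. The quarantine value is
'flags;hex-epoch;agent;uuid' (older records lack the uuid); the sample
strings below are constructed.
"""
import subprocess
from datetime import datetime, timezone

# Constructed samples in the real formats.
SAMPLE_ATTR = "0081;516ec7a2;Safari;0A5D63C1-7E9B-4B0F-9F11-3C2E8A1B5D77"
SAMPLE_SPCTL_OK = "/Applications/Example.app: accepted\nsource=Developer ID\n"
SAMPLE_SPCTL_BAD = "/Applications/Example.app: rejected\nsource=no usable signature\n"


def parse_quarantine(value):
    """'0081;516ec7a2;Safari;UUID' -> dict of flags, download time, agent, uuid."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"not a quarantine attribute: {value!r}")
    return {
        "flags": int(fields[0], 16),                      # raw flag bits
        "downloaded": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2],                               # app that saved the file
        "uuid": fields[3] if len(fields) > 3 else None,   # key into the LaunchServices quarantine db
    }


def quarantine_of(path):
    """Read the attribute with xattr(1); None if the file isn't quarantined."""
    result = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                            capture_output=True, text=True)
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return parse_quarantine(result.stdout)


def parse_spctl(output):
    """'<path>: accepted\\nsource=Developer ID' -> ('accepted', 'Developer ID')."""
    verdict, source = None, None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted") or line.endswith(": rejected"):
            verdict = line.rsplit(": ", 1)[1]
        elif line.startswith("source="):
            source = line[len("source="):]
    return verdict, source


def assess(path):
    """Gatekeeper's verdict on an app bundle (spctl writes to either stream)."""
    result = subprocess.run(["spctl", "--assess", "--verbose", path],
                            capture_output=True, text=True)
    return parse_spctl(result.stdout + result.stderr)


def describe(attr, spctl_output):
    """One-line summary combining a quarantine record and an spctl verdict."""
    q = parse_quarantine(attr)
    verdict, source = parse_spctl(spctl_output)
    when = q["downloaded"].strftime("%Y-%m-%d %H:%M UTC")
    return f"saved by {q['agent']} on {when}; Gatekeeper: {verdict} ({source})"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # on a Mac: python3 gk.py /Applications/Foo.app
        print(quarantine_of(sys.argv[1]), assess(sys.argv[1]))
    else:                                       # elsewhere: walk through the samples
        print(describe(SAMPLE_ATTR, SAMPLE_SPCTL_OK))
        print(describe(SAMPLE_ATTR, SAMPLE_SPCTL_BAD))
```

A ‘rejected’ verdict with ‘no usable signature’ is exactly the case the Control-click and Open override exists for; clearing the attribute by hand (`xattr -d com.apple.quarantine`) has the same effect but skips the dialog, so only do it for software you’ve verified another way.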


In recovery. Keep a copy of your Mac's recovery key, in the event that you forget the FileVault password.

The next security feature we’ll have a look at is the FileVault whole disk encryption functionality introduced in OS X Lion. Technically, FileVault in Lion and Mountain Lion is different to the data encryption mechanism unveiled as FileVault in OS X Panther in 2003. The older technology called FileVault was useful for encrypting individual users’ home directories (and its concepts are still employed when you use Disk Utility to create encrypted volumes).

FileVault in Mountain Lion protects the data on your Mac’s storage device from unauthorised access when the Mac is booted into Target Disk Mode, or even when the drive is removed from your Mac. It does this by encrypting the whole volume (XTS-AES-128) and using your account password to unlock the key that encrypts your Mac’s storage, so the strength of that password matters even more once FileVault is on.

Once you’ve selected ‘Turn On FileVault’, you’ll be presented with a screen asking you to select users permitted to provide the FileVault password at boot up (and in some cases at waking your Mac).

Next, you’ll be prompted with a recovery key to be used in the event that you forget your password. Save this somewhere sensible and print out a copy.

We’re not fans of providing the recovery key to Apple, but if you do, we like making up silly (but memorable!) answers to the password reset questions you’re asked.

Once you reboot, FileVault is active and begins encrypting your storage volume in the background. At the pre-boot login screen you’ll choose from the users you authorised earlier.

So, other than needing to provide a FileVault user’s password at boot time, it pretty much runs in the background. FileVault does use the Mac’s CPU to encrypt the data so you may notice some slower disk access when writing data. Users with SSDs will probably not notice FileVault in operation.


The next option in Security & Privacy is the OS X native firewall. OS X Mountain Lion’s firewall is off by default. So if you’ve never specifically turned it on you should probably do so now. Once enabled, the firewall permits you to specify some options by selecting ‘Firewall Options’.

Building blocks. Mountain Lion's firewall can be tweaked to disable or enable access of services from your Mac to others on the network.

‘Block all incoming connections’ is pretty good at reducing your Mac to basic network communication only. Any services presented from your Mac, including file sharing and media shared from iTunes or iPhoto, will not be available to others on the network if ‘Block all incoming connections’ is enabled (the exceptions are the basics the Mac itself needs, such as DHCP, Bonjour and IPSec). You can still connect to remote websites, file sharing, etc. If you aren’t sharing data from your Mac you should consider using this setting.

Keep in mind that enabling this firewall mode disables ‘Automatically allow signed software to receive incoming connections’ and enables ‘Enable stealth mode’.

The second setting, ‘Automatically allow signed software to receive incoming connections’, is enabled by default. This setting trusts incoming connections to signed software that you’re running on your Mac.

Apple signs its products – like iTunes – with a digital signature. This firewall setting would permit remote devices/systems to connect to iTunes library sharing on your Mac but wouldn’t permit other, unsigned software to receive network connections.

The final setting, ‘Enable stealth mode’, stops your Mac responding to ICMP echo requests (i.e. ping) and to probes of closed ports. This makes easy ‘presence detection’ of your Mac from across a network harder. Devices on the same local area network as your Mac will still be able to identify it through ARP (the physical address to IP address mapping), which stealth mode can’t hide, and any service you do share still answers.
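The firewall pane is a front end for `/usr/libexec/ApplicationFirewall/socketfilterfw`, which is what you’d use to check or set these options from a script. Here is an added example of ours for this page (not Apple’s code) that queries the three settings discussed above and applies the article’s recommendations to the answers. The binary path and the `--get…`/`--set…` switches are real; socketfilterfw’s exact wording varies between releases, so the parser only looks for ‘enabled’/‘disabled’ or the ‘State = n’ suffix, and the sample output is constructed.

```python
"""Audit the Mountain Lion application firewall from its command-line front end.

Added example, not from the article or from Apple. socketfilterfw prints
one short sentence per query; the sample answers below are constructed in
that style (wording differs slightly between OS X releases).
"""
import subprocess

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

QUERIES = {
    "firewall": "--getglobalstate",
    "block_all": "--getblockall",
    "stealth": "--getstealthmode",
    "allow_signed": "--getallowsigned",
}

# Constructed sample: firewall on, but with the two hardening options off.
SAMPLE_OUTPUT = {
    "firewall": "Firewall is enabled. (State = 1)\n",
    "block_all": "Block all DISABLED!\n",
    "stealth": "Stealth mode disabled\n",
    "allow_signed": "Automatically allow signed software ENABLED\n",
}


def parse_state(output):
    """Map one socketfilterfw answer to True/False, or None if unrecognised."""
    text = output.lower()
    if "state = 0" in text or "disabled" in text:
        return False
    if "state = 1" in text or "state = 2" in text or "enabled" in text:
        return True
    return None


def states_from_output(outputs):
    """{setting: raw output} -> {setting: bool-or-None}."""
    return {name: parse_state(text) for name, text in outputs.items()}


def query_all():
    """Ask socketfilterfw for every setting (needs sudo for some releases)."""
    outputs = {}
    for name, flag in QUERIES.items():
        result = subprocess.run([SOCKETFILTERFW, flag], capture_output=True, text=True)
        outputs[name] = result.stdout + result.stderr
    return states_from_output(outputs)


def evaluate(states, sharing_anything=False):
    """Apply the article's advice to a {setting: bool} dict.

    Returns a list of complaints with the socketfilterfw switch that fixes
    each; an empty list means the firewall matches the recommendations.
    Pass sharing_anything=True if you deliberately share files or media,
    in which case 'Block all' isn't expected.
    """
    complaints = []
    if not states.get("firewall"):
        complaints.append("firewall is off: enable it (--setglobalstate on)")
    if not sharing_anything and not states.get("block_all"):
        complaints.append("nothing is shared from this Mac, so turn on "
                          "'Block all incoming connections' (--setblockall on)")
    if not states.get("stealth"):
        complaints.append("stealth mode is off: enable it (--setstealthmode on)")
    return complaints


if __name__ == "__main__":
    try:
        states = query_all()               # on a Mac
    except OSError:
        states = states_from_output(SAMPLE_OUTPUT)  # elsewhere, use the sample
    for line in evaluate(states) or ["firewall settings match the recommendations"]:
        print(line)
```

The `--set…` switches need `sudo`; changes made this way show up in the Security & Privacy pane immediately, and the pane’s per-application allow/block list is reachable the same way with `--listapps`.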


The final pane in the Security & Privacy preference panel is Privacy. This pane contains configuration for permitting applications to access data and resources available to your Mac.

The first option is Location Services. As with iOS devices, Location Services uses resources available to your Mac to attempt to determine your location. This functionality has been used for several years on OS X at installation to determine your time zone.

Given that we all generally know what large geographic area we are in (and can select that ourselves) it’s pretty obvious that someone is noting – or attempting to note – where you are when you install or register your Mac. Still, like on the iPhone, Location Services is also used for the Find My device service – in this case Find My Mac. So, if you want that feature, you’ll have to leave it on.

The next option, Contacts, is also where you’ll control what applications are permitted access to your contact information used by the Contacts application.

This is something you should periodically review. Some applications – instant message applications, phone diallers, etc – may require access to your contact details to operate. Be wary of trusting this too much. One of our Dashboard widgets is used for printing mailing labels (and needs access to Contacts data). But do all of our Dashboard widgets need this access?

The same applies to a web browser. We may want to allow Location Services while using a maps website, but we may not want it enabled all the time for any website to use.

The final option is Diagnostics & Usage. This isn’t very ‘Team Apple’ of us, but we never enable this option on either OS X or iOS. It’s mainly because when we review crash reports or other error output that our Macs want to send to Apple (or iTunes on behalf of our iPhones) we can see system information that we feel may be user identifiable.

It’s probably OK to share your diagnostic information with the vendor of your operating system. So you should make your own risk decision here. It’s just us being overly paranoid but, as ‘they’ say, it may not be paranoia… someone may be out to get you.

Neal Wise breaks technology for a living as managing director of Melbourne IT security consultancy

One Comment


  1. Christopher Deeble says:

    Thanks for the walkthrough, Neal — an overdue review.
