Security Basics mailing list archives

Mac X-Server Security Questions...


From: "Brad Berson" <brad.berson () bytebrothers org>
Date: Tue, 5 Apr 2005 11:20:11 -0400

So here's where I'm coming from... I've been doing PC stuff for twenty
years.  I program, I know networking, applications, know Windows inside
and out, and am fairly conversant in security matters from a Windows POV
and in general, I think.  For several years PCs have been such a huge
target that folks in the Mac world have gotten a little too comfortable.
Only now in the past month I've personally seen two instances of
completely unprotected OS-X boxes getting almost totally compromised.

The boxes in question have since been rebuilt and put behind firewalls,
and post-mortem forensics are a bit light because the folks who do the
Mac work in my organisation went into "oh $#!+" mode, but now I'm
interested in learning this environment and figuring out how to permit
access while protecting the system.

As for what happened, the account database was definitely compromised,
and fairly secure passwords were discovered.  My initial worry was that
Samba would have some NetBIOS-like hole that permitted account
enumeration but so far I've seen no supporting evidence, so I'm assuming
the account list was compromised through one of many vulnerabilities in
OS-X and its accompanying layered packages.  The scary part is that in
one instance, a freshly rebuilt box, patched and up to date, went back
on-line without a firewall and was compromised again in about an hour.
So we might have had a zero-day issue just to make things more
entertaining.  So behind closed ports it stays, at least for now.

Now in the PC world nobody in their right mind leaves Windows' file
sharing ports open to the Internet, yet in the Mac world it seems like
people leave AFP (and Samba) widely accessible.  I find this
exceptionally scary.  Then when you tell the folks how scary that is,
they recoil in horror at the idea of having any obstacle in their way to
point and click heaven.  So what do we do?  VPN?  What sort of solutions
are there?  And is there anything special I need to know about OS-X in
terms of unusual vulnerabilities from an architecture standpoint?  (BSD
heritage, I know).

Thanks for any input.

-Brad
