OS X Built-in Security (3) – Sharing

This is the third post in a series covering OS X’s built-in security settings. You can read the first post here and the second one here. The Sharing settings are important as wrong configuration can punch a serious hole in the security of your data and privacy. Open up the settings by going to System Preferences > Sharing.
Ideally there is not a single service enabled in this section. Every service that is enabled opens a port or protocol to the outside in which the Mac acknowledges incoming connections. With all services disabled the ports are closed and any requests are simply not acknowledged or at least met with a “noone home”. If you do need to have one or more of these services enabled, there is a big chance you don’t need them enabled 24/7 so disable a service as soon as you are done with it. Let’s cover the individual services.

DVD or CD Sharing – Introduced around the time of the first MacBook Air, this settings does exactly as you’d expect. Put a disc in your Mac and allow other users to access it on the network. As the information in the window mentions when you open it, information sent between the computers is not encrypted, so be careful. If you just want to install some software that came on a DVD on your other Mac then an unencrypted data transfer is no concern. However if the disc contains sensitive information of any kind (an MRI from the hospital or a backup of important documents for example) do not use this service. Instead transfer the data from the disc to a USB drive and plug that directly into the other Mac.

Screen Sharing – OS X has Screen Sharing built-in that allows you to view and control another Mac or have someone else connect to your Mac. For obvious reasons you do not want this service enabled unless you really have to. Be sure to click the “Computer Settings” button and inspect the options in the window that pops up. You want both options off especially the VNC option as that opens your computer up to a much broader range of systems that can interact with the service like Windows.

File Sharing – Allows you to give access to whatever shared folders you set by whomever has an account and access privileges. While you can carefully configure shared folders and privileges to make sure people do not have access to the wrong folders or your entire hard drive, keep in mind that regardless of the settings, your account has full access to the entire Mac as long as this service is enabled. If your name and password would be compromised, someone that is unauthorized and/or has malicious intent can connect to your Mac and see every bit of data on every drive in your Mac and connected to your Mac. So use this service with caution and consider using AirDrop as an alternative if you can.

Printer and Scanner Sharing – Depending on the printer and/or scanner used this can be a concern. I have read quite a few interesting articles and have seen some seminars where printers are exploited. This could be done because the printer’s software and security setup was poor by default and people rarely go through those settings to see if security can be improved. It is a small risk but a risk never the less. This goes for scanners too, someone can gain access, initiate a scan and see whatever is left on the scanner bed. While most of these exploits target all-in-one network devices that have printer/scanner/fax etc. built-in, in theory this can be done to an unsecured device you share on the network. Again, small risk, very small even but worth mentioning.

Remote Login – This allows users to connect to the Mac using ssh. If you need this service enabled, configure accounts instead of setting it to “Allow access for All users”.

Remote Management – Administrators that use Apple Remote Desktop will need this setting enabled. As with the above option, configure an account for each Remote Desktop user that needs access instead of allowing All users. Also click on the “Computer Settings” button and inspect the options in the window that pops up. Keep “Show Remote management status in menu bar” enabled if you want, this will show you if someone is monitoring your Mac (if that is enabled in the account) and i recommend keeping “Anyone may request permission to control screen” disabled. As i mentioned with Screen Sharing, enabling VNC can add to the risk so do not enable this unless you really have to.

Remote Apple Events – This enables interaction to your Mac from another Mac running AppleScripts. AppleScripts can perform a lot of tasks on OS X and if the script happens to be written by someone with malicious intent, having this service enabled can be a disaster. Whereas you can clearly see if someone is controlling your Mac through Screen Sharing or Remote Desktop, an event can perform it’s task without you knowing. Configure accounts instead of setting it to “Allow access for All users”.

Internet Sharing – Allows you to share your internet connection to one or multiple other computers. If you are connected to a router through Ethernet but you also have Wi-Fi built-in, you can create your own Wi-Fi network on the Mac and share the Ethernet connection. To anyone that connects to your shared Wi-Fi network, you are just a router. Make sure that those connecting to your shared internet are known and trusted.

Bluetooth Sharing – A nearly obsolete feature that i doubt you’ll ever need. If data has to be transferred to a bluetooth only device like an old cell phone you may need this but it is definitely not a setting you need to have enabled 24/7. When it comes to exchanging data with other Macs consider AirDrop as a much faster and secure alternative. For data exchanges between your Mac and an iPhone or iPad you will soon have AirDrop available in iOS 7 too.

Most of these services open your Mac up to the network so use them with caution and configure them properly.

Comments are welcome.