The process of increasing system security is called system hardening. Compared to Windows, macOS is a more secure system out of the box simply because the threat landscape is smaller.
In the past, it was often assumed that Macs weren't exposed to viruses and other online threats, but as of 2019 this is very untrue. Windows faces a greater challenge, though, because it is still used by around 80% of all desktop users.
The thing is, operating systems such as macOS and Windows 10 are not built with security as the main priority. Even though this is changing, user experience still comes first.
This is why we must take a look at our security settings.
Let's get started.
It’s good practice to create two separate accounts: one administrator account with the highest privileges and one day-to-day account with lower privileges. This creates good security through separation and limits the possible damage if someone gets access to your accounts, remotely or physically. The administrator account is only to be used for system changes, and the day-to-day account is your general account for everyday things such as browsing the web.
To create users, user passwords and manage privileges go to:
-> System preferences -> Users and groups
- Give the admin account administrator rights, but not the day-to-day account.
- Create a unique password for each account that is at least 16 characters long and contains no dictionary words. A super strong password would look like this: ”eqWa-1kcL-Gn8b-T9as”.
- Uncheck the option that allows users to create a new password using iCloud on both accounts.
Also, completely disable the guest account.
-> System preferences -> Security & Privacy -> General
-> Check “Disable automatic login” and “require password immediately” after sleep or screen saver begins.
Hide Username From Login Screen
This is a great way of hardening access to your computer: it removes your username from the login screen and forces you to type it manually every time you log on. It makes it significantly harder for anyone trying to access your computer, because they must know both the username and the password.
Open Terminal as found in /Applications/Utilities and enter:
sudo dscl . create /Users/hiddenuser IsHidden 1
(replace ”hiddenuser” with the name of the user account you want to hide)
Press Enter and type the administrator password.
To reverse this setting, go through the same process but enter this command:
sudo dscl . create /Users/hiddenuser IsHidden 0
By setting a firmware password you prevent anyone who doesn’t have the password from booting your computer from external devices such as USB drives. A firmware password also prevents anyone from resetting your admin password using the recovery terminal, and essentially makes your computer useless to anyone who steals it.
1. Boot computer in Recovery Mode (hold command + R during boot)
2. Go to the Utilities -> Firmware Password Utility and choose a firmware password to protect your data, should it be lost or stolen.
FileVault Disk Encryption
Now that we have hardened access to your system by hiding usernames, strengthening passwords and adding a firmware password, it is time to add full disk encryption. This is the one that will absolutely make sure that your data is safe in case it gets stolen.
FileVault adds state-of-the-art encryption to your hard disk and protects it with a password.
-> System preferences -> Security & Privacy -> FileVault -> Turn On FileVault
Disk Utility File & Folder Encryption
This is an excellent way of adding an extra layer of security by encrypting folders locally on your hard drive. If you have a folder filled with sensitive information, I strongly recommend this option.
Finder -> Applications -> Disk Utility -> File -> New image -> Image from folder
Choose AES-256. Then choose read/write if you want to work with and access the folder, or compressed if you want to store it somewhere or bring it on an external device such as a USB drive.
Firewall (Inbound Firewall)
It is time to enable the macOS firewall. The built-in firewall monitors all inbound traffic and decides whether to allow or deny specific traffic based on a set of rules.
To enable firewall, go to:
-> System preferences -> Security & Privacy -> Firewall -> Turn On Firewall
Then, go to Firewall Options and enable “block all incoming connections”. I recommend starting with this setting. If you run into trouble with any programs, disable it, go through the list, and allow or block on a per-application basis.
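The settings made so far (FileVault, firmware password, hidden user, guest account, automatic login, firewall) can be verified from Terminal. The script below is an added example, not part of the original guide. It assumes the macOS tools fdesetup, firmwarepasswd, dscl and defaults, and the preference keys and output formats of macOS releases from the era of this guide; newer releases may store or print these differently.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the settings above.
# Each classifier takes a command's output as $1 and returns 0 when hardened.
filevault_on()        { printf '%s\n' "$1" | grep -q '^FileVault is On\.'; }
firmware_pw_set()     { printf '%s\n' "$1" | grep -q '^Password Enabled: Yes'; }
user_hidden()         { printf '%s\n' "$1" | grep -q 'IsHidden: 1$'; }
# com.apple.alf globalstate: 0 = off, 1 = on, 2 = block all incoming
firewall_blocks_all() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "2" ]; }
# GuestEnabled must be an explicit 0; a missing key is reported as FAIL
guest_disabled()      { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]; }
# autoLoginUser holds a username only while automatic login is enabled
autologin_off()       { [ -z "$1" ]; }

# report LABEL CLASSIFIER OUTPUT -> prints PASS/FAIL, returns classifier status
report() {
  if "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1"; return 1; fi
}

# audit USER -> runs every check, returns the number of failed checks
audit() {
  user=$1; fails=0
  lw=/Library/Preferences/com.apple.loginwindow
  alf=/Library/Preferences/com.apple.alf
  report "FileVault is on" filevault_on \
    "$(fdesetup status 2>/dev/null)" || fails=$((fails + 1))
  # firmwarepasswd needs root and exists on Intel Macs only
  report "Firmware password set" firmware_pw_set \
    "$(sudo firmwarepasswd -check 2>/dev/null)" || fails=$((fails + 1))
  report "User $user hidden from login window" user_hidden \
    "$(dscl . -read "/Users/$user" IsHidden 2>/dev/null)" || fails=$((fails + 1))
  report "Firewall blocks all incoming" firewall_blocks_all \
    "$(defaults read "$alf" globalstate 2>/dev/null)" || fails=$((fails + 1))
  report "Guest account disabled" guest_disabled \
    "$(defaults read "$lw" GuestEnabled 2>/dev/null)" || fails=$((fails + 1))
  report "Automatic login disabled" autologin_off \
    "$(defaults read "$lw" autoLoginUser 2>/dev/null)" || fails=$((fails + 1))
  return "$fails"
}

# Run only on macOS and only when a username is given as the first argument
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then audit "$1"; fi
```

Run it from the administrator account with the username to check as the only argument; the exit status is the number of failed checks.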
Little Snitch (Outbound Firewall)
Now, the built-in macOS firewall only monitors inbound traffic; connections your computer tries to make with the outside world are not monitored. This means that if your computer is infected with malware, it is allowed to communicate freely. This is not good, so we need to find a way to monitor all outbound traffic as well.
My recommendation is a program called “Little Snitch”. It is specifically designed for macOS and allows for great control. In the beginning I recommend trying “Silent mode”, which minimises the number of alerts that need your decision. Your computer makes a lot of connections all the time, which can quickly become quite annoying.
These steps will assume that you’re looking for the highest level of privacy and some steps may affect the user experience.
-> System preferences -> Security & Privacy -> Privacy
-> Uncheck Enable Location Services
-> Uncheck all apps that may access your contacts, calendars, reminders, photos, and accessibility.
-> Uncheck all analytics options
-> System preferences -> Sharing -> Uncheck all options in the service list
Software updates are one of the most important things you can do to prevent attacks, because weaknesses and vulnerabilities in software are one of the biggest ways a hacker can target you. This applies to all software. To update your operating system:
-> About This Mac -> Software update… -> Click update inside the App Store or enable automatic updates:
-> System preferences -> App Store
-> Check Automatically check for updates.
-> Check Download newly available updates in the background.
-> Check Install App updates.
-> Check Install macOS updates.
-> Check Install system data files and security updates.
Disable Recent Items
Recent items can be, and often are, used in forensic computer analysis. Disabling them removes them as a potential source of information.
-> System preferences -> General
-> Set Recent items to “None”
Disable Spotlight Localisation & Suggestions
Both of these disable the sending of unnecessary information to Apple when using Spotlight.
-> System preferences -> Spotlight -> Search Results
-> Uncheck Spotlight Suggestions in the list.
-> Uncheck Allow Spotlight Suggestions in Look up.
While in Spotlight tab, click on Privacy and add any folder that you feel is important to preserve privacy within.
The browser is one of the biggest security risks on your computer. There are a lot of ways for a hacker to target you here. My immediate thought is that if you are concerned about security and privacy you should avoid using Safari entirely. For users who expect higher security and privacy, I recommend Tor browser, more on that later. If you still want to use Safari, please follow this procedure:
Open Safari – Click Safari (Top left corner) -> Preferences -> Security
-> Check Warn when visiting a fraudulent website
Then go to Privacy:
-> Check Prevent cross-site tracking
-> Check Ask websites not to track me
Then go to Websites:
-> Go through the list and choose Deny, Block or Never on everything
-> Uncheck Adobe Flash Player
-> Set When visiting other websites to Never auto-play
Then go to Extensions:
-> Click More Extensions to download and install HTTPS Everywhere extension
-> Check Automatically update extensions
Then go to Search:
-> Change search engine to DuckDuckGo
-> Uncheck Include search engine suggestions
Lastly, go to AutoFill:
-> Uncheck all options
Anti-virus software provides a lot of good protection against various types of threats and I strongly recommend using one. It is no longer just protection against traditional viruses, but also offers protection against malware, malicious code, phishing attempts, ransomware and intrusions, as well as online banking security and anti-theft protection. Anti-virus provides a good first line of defence against threats that are already established.
Remember to always update the anti-virus and use automatic updates if available.
Check my resources page for recommendations.
The following options offer higher security and privacy than those previously mentioned and are specifically designed for security. As always, security comes at a cost, which is ease of use. If you’re not very concerned about security and privacy, some of these options may not be practical for everyday usage because they are time-consuming and slower.
Live Operating System
I strongly recommend that you try using a live operating system such as Tails. Tails is a live operating system that can be put on a USB drive and booted from there. It’s specifically designed to provide privacy and anonymity, and it is much more secure than macOS and Windows. It uses Tor as its default browser and forces all internet traffic to go through the Tor network.
Tails is configured not to use the computer’s hard disk and only uses RAM for storage, which is automatically emptied every time the computer shuts down. This ensures no traces are left on the computer that is used.
It also includes a lot of great tools such as HTTPS Everywhere, which forces secure encrypted browser communication, encrypted e-mail, encrypted messaging, secure file deletion, OnionShare for secure file sharing and much more. Always boot Tails when engaging in activities that require anonymity.
By using Tails you will greatly reduce your online fingerprint, thereby increasing security and anonymity.
The Tor browser is a hardened version of the Mozilla Firefox browser and is compatible with Windows, macOS, Linux and Android.
The Tor browser wraps your data packets in three rounds of encryption before they even leave your device. They are then sent through a total of three randomly chosen relay servers around the world. None of the relays will have access to the same information, and to intercept your data someone would need three encryption keys and access to three relays for monitoring.
The Tor browser therefore:
- Prevents your ISP from knowing what sites you visit.
- Prevents a site you visited from knowing who and where you are.
- Prevents corporate tracking.
- Helps circumvent censorship.
- Anonymises your traffic and online fingerprint.
In a basic VPN network there’s a VPN client and a VPN server. The client is a program or app that you install locally on your computer, and the server is placed somewhere in the world by the VPN service provider. The VPN client establishes a secure, encrypted connection between itself and the remote VPN server. All traffic between the client and the server is securely encrypted and then routed on to the internet.
This ensures two main things: your true IP is hidden, and your data is secured by encryption.
A VPN client can be installed on your operating system, in your router or on a virtual machine.
Why Are VPNs Useful?
A VPN will provide a degree of anonymity. Your internet service provider can only see that you are connecting to the VPN server but wherever your traffic goes after that is made invisible to their eyes. Anyone else looking at your traffic such as hackers or trackers cannot intercept your traffic inside the VPN tunnel which protects you from many types of attacks.
Geographical restriction bypassing
Since your traffic passes through the VPN tunnel before it reaches the internet, the IP address seen by the internet is the one given to you by the VPN server. By doing this, your real IP address is anonymised. This means that if you are physically located in China but are connected via a U.S. VPN server, the internet will see you as connecting from the U.S., thereby bypassing Chinese restrictions.
Secure Wi-Fi hotspot usage
When you connect to a public Wi-Fi network you can never be sure of what is going on with that connection. It is common practice for hackers to create fake Wi-Fi networks that seem to be safe when in fact they are not. By connecting to one you make it very easy for them to intercept your traffic and steal your data. Using a VPN will prevent this from being possible, and even if you happen to connect to a rogue Wi-Fi network, you are safe.
This is a nifty and powerful little piece of software that allows you to place traps on your computer that will automatically alert you. You can, for example, create a text file that you name ”passwords” and fill with fake information, then run that file through Canary Tokens, which will arm it. Now, whenever anyone tries to access that file, you will be alerted. Use your imagination and give the files intriguing names. Spread the files across your hard drive and don’t be afraid to place them where your most sensitive files are. The point is to find out whether someone unauthorised has access to them, so that you can take the actions needed from there.
Who’s On My Wi-Fi?
Download and install the free software ”Who’s on my wi-fi”. This software detects all devices connected to a network and alerts you whenever a new connection is made. You can set your own devices as ”known” so that you’re not alerted every time your own devices connect.
To Sum Up
These steps will improve your computer security significantly, which means that a potential hacker most probably won’t target you, since there are millions of other users who haven’t thought of these steps and are easier to target. Good for you!