Protecting Your Mac against Local and Remote Threats - Beyond the Basics - Macs All-in-One For Dummies, 4th Edition (2014)

Macs All-in-One For Dummies, 4th Edition (2014)

Book III. Beyond the Basics

Chapter 2. Protecting Your Mac against Local and Remote Threats

In This Chapter

arrow Locking your Mac

arrow Adding passwords

arrow Encrypting your documents with FileVault

arrow Configuring Firewall and Privacy settings

arrow Adding other users to your Mac

One of the Mac’s advantages is that it seems to be a minor target of viruses — but that certainly doesn’t make it immune. With the worldwide connectivity of the Internet, everyone is vulnerable to everything, including malicious software (malware) and malicious people with above-average computer skills (hackers). Worse are those hackers who like to use e-mail and websites to steal your personal identity information, such as credit card accounts or Social Security numbers (phishing), or those who send out software masquerading as one thing but as soon as you open it, you discover it’s harmful (Trojan horses disseminating malware). Although threats over the Internet attract the most attention, your Mac is also vulnerable from mundane threats, such as thieves who may want to steal your computer.

No matter how much you know about computers, you can always become a victim if you’re not careful. Therefore this chapter looks at the different ways to protect your Mac from threats — physical and cyber, local and remote.

Locking Down Your Mac

Most people lock their cars and house doors when they’re away, and your Mac should be no exception to this practice. To protect your Mac physically, you can get a security cable that wraps around an immovable object (like that heavy rolltop desk you have in the den) and then attaches to your Mac. You can attach it by threading it through a handle or hole in your Macintosh case, or if you have a MacBook Pro, by connecting it to your Mac’s built-in security slot, which is a tiny slot that a security cable plugs into. If you have a MacBook Air, don’t bother searching because there is no security slot, but Maclocks makes an unobtrusive “security skin.”

Some companies that sell security cables are

· Belkin: www.belkin.com

· Kensington: www.kensington.com

· Maclocks: www.maclocks.com

· Targus: www.targus.com

· Tryten: www.tryten.com/categories/Mac-Computer-Locks

image Of course, security cables can be cut, although a security cable deters a thief who forgot his bolt cutters.

After protecting your Mac physically, you have other ways to lock down your Mac and keep other people out. Use a password to stop intruders from sneaking into your computer if you step away from your desk, encrypt the files, and use a software or hardware firewall, or both, to stop intruders from sneaking into your computer over the Internet.

image Anyone with enough time, determination, and skill can defeat passwords and firewalls. Security can only discourage and delay an intruder, but nothing can ever guarantee to stop one.

Using Passwords

Before you can ever use your Mac, you must configure it by creating an account name and password — an account on your Mac, not to be confused with your Apple ID. The Setup Wizard walks you through this when you turn on your Mac for the first time. If you’re the only person using your Mac, you’ll probably have just one account (although we encourage you to have two — one for admin and one for everyday use). If you disable automatic login, your password can keep others from using your Mac without your knowledge.

As a rule, your password should be difficult for someone to guess but easy for you to remember. Unfortunately, in practice, people often use simple — as in, lousy — passwords. To make your password difficult to guess but easy to remember, you should create a password that combines upper- and lowercase letters with numbers and/or symbols, such as OCHSa*co2010alum! (which abbreviates a phrase: in this case, Ocean City High School all-star class of 2010 Alumnus!). When you create your user accounts, take advantage of the Password Assistant to have your Mac create a password for you. Of course, it may be harder to remember but also harder to guess.

image One way to create passwords is to combine the first letters of the words in a phrase that you’ll never forget with the name of a dearly departed pet. By picking a memorable phrase or lyric, such as “I’m walkin’ on sunshine” and turning it into a nonsensical combination of letters, paired with the name of your long-gone pet hermit crab, Louise (Iw0sLou!se), you’ll easily remember your password, but others won’t easily guess it. Presumably, someone would have to know you very well to guess which phrase you use with which pet. Pairing these two things that are unique to you makes for a password that’s easy for you to remember but hard for someone to guess.

Changing your password

Many online banking and credit card services require you to change your password every so often, some as often as once a month, which certainly keeps password-generating apps popular. Although it’s a pain in the hindquarters, they have reason to require you to change — it increases security. To increase your file security, you should change the password on your Mac periodically, too. To change your password, follow these steps:

1. Choose image⇒System Preferences.

The System Preferences window appears.

2. Click the Users & Groups icon to open the Users & Groups preferences pane, as shown in Figure 2-1.

image If the lock icon in the lower-left corner of the preferences window is locked, you must unlock it to make changes to your Mac’s user account details. Click the lock icon, type your password in the dialog that appears, and then press Return to unlock your Mac’s user account details.

image

Figure 2-1: Users & Groups preferences let you change your user account details.

3. Click your username under Current User in the left pane (or another account name under Other Users that you want to modify).

If you haven’t created any additional users, you see only yourself listed.

4. Click the Change Password button.

A dialog appears, displaying text boxes for typing your old password and typing a new password twice to verify that you typed your new password correctly.

5. Enter your current password in the Old Password text box.

6. Enter your new password in the New Password text box.

If you want your Mac to evaluate your password or invent a password for you, click the key icon to the right of the New Password text box. The Password Assistant opens.

1. Choose the type of password you want from the Type pop-up menu. Manual lets you type in a password that you invent, and Password Assistant rates the security level of your password. The other five types offer various character combinations and security levels: Memorable; Letters & Numbers; Numbers Only; Random; or FIPS–181-compliant, which creates a password that meets federal standards.

2. Drag the Length slider to set how many characters you want your password to have. The password appears in the Suggestion field, and the Quality bar shows how secure it is: the higher the quality, the safer the password. A 26-character Memorable password is of highest quality (see Figure 2-2).

image

Figure 2-2: Let Password Assistant help you choose a password.

3. Click the Close button. The chosen suggestion is inserted as bullets in the New Password text box.

7. Enter your new password in the Verify text box.

8. Enter a descriptive phrase into the Password Hint text box.

image Adding a hint can help you remember your password, but it can also give an intruder a hint on what your password might be. Using our Iw0sLou!se example, you might use the phrase “favorite song crab.” The intruder would have to know you pretty darn well to figure out that one!

9. Click Change Password.

The password dialog disappears.

10. Click the Close button to close the Users & Groups preferences window.

Applying password protection

Normally, you need your password to log in to your account. As we mention earlier, we recommend creating an admin account that you use to make changes to your Mac, such as installing new software or changing certain settings, and a user account with a different username and password for your day-to-day Mac activities. The two account names and passwords should be different.

image Of course, after you log in to either account, anyone can use your Mac if you walk away and don’t log out. If you leave your Mac without logging out, your Mac will either go to sleep or display a screen saver. At this time, anyone could tap the keyboard and have full access to your Mac. To avoid this problem, you can password-protect your Mac when waking up from sleep or after displaying a screen saver.

For further protection, you can also password-protect your Mac from allowing an unauthorized person to make any changes to your Mac’s various System Preferences. By applying password protection to different parts of your Mac, you can increase the chances that you’ll be the only one to control your computer.

image If you’re the only person who has physical access to your Mac, you won’t have to worry about password protection, but if your Mac is in an area where others can access it easily, password protection can be one extra step in keeping your Mac private.

All the choices here are optional, but we recommend choosing those that best meet your needs. To password-protect different parts of your Mac, follow these steps:

1. Choose image⇒System Preferences.

The System Preferences window appears.

2. Click the Security & Privacy icon to open the Security & Privacy preferences pane.

image If the lock icon in the lower-left corner of the preferences window is locked, you must unlock it to make changes to your Mac’s user account details. Click the lock icon, type your password in the dialog that appears, and then press Return to unlock your Mac’s user account details.

3. Click the General tab.

The General preferences pane appears, as shown in Figure 2-3.

image

Figure 2-3: General Security & Privacy preferences let you choose different ways to password-protect your computer.

4. Select (or deselect) the Require Password <immediately> after Sleep or Screen Saver Begins check box.

You can also choose to require the password at an interval between 5 seconds and 4 hours after your Mac goes to sleep.

5. Set a screen-lock message.

1. Select the Show a Message When the Screen Is Locked check box.

2. Click the Set Lock Message button.

3. Type a message that will appear when your screen is locked, such as “Out to Lunch” or “Be Back at 2:30” or “Don’t Even Think About Touching My Mac.”

6. Select (or deselect) the Disable Automatic Login check box.

If this check box is selected, your Mac asks for a user name and/or password before logging in to your account. If it’s deselected, you don’t enter a password to log in.

7. Click one of the gatekeeper choices under Allow Apps Downloaded From:

· Mac App Store: Only apps from the App Store will be installed after being downloaded.

· Mac App Store and Identified Developers: Only apps from the App Store or signed with an Apple Developer ID will be installed after being downloaded.

· Anywhere: Downloads and installs any apps from any source, which opens you to risk from malware hackers.

image If you choose one of the first two choices and download apps from an unidentified source, when you try to install it, a warning tells you it’s from an unidentified and potentially malicious source. Control-click the app to override Gatekeeper and install the app despite the warning.

8. Click the Advanced button to select these two options:

· Require an Administrator Password to Access System-Wide Preferences: If this check box is selected, nobody can modify your Mac’s System Preferences (such as the one you’re adjusting right now!) without the proper password.

· Log Out after x Minutes of Inactivity: If selected, this option logs off your account after the fixed period of time you set, so anyone trying to access your computer will need your password to log in to and access your account.

Click OK after you make your choices.

9. Click the Close button of the Security & Privacy preferences window.

Encrypting Data with FileVault

Encryption physically scrambles your files so that even if people can access your files, they can’t open or edit them unless they know the correct password. When you use FileVault, your Mac encrypts your entire drive, which means everything on your Mac is secure. If you have multiple users on your Mac, you must enable them so each can sign in with his password.

FileVault uses an encryption algorithm called Advanced Encryption Standard (AES), which is the latest U.S. government standard for scrambling data that even national governments with supercomputers can’t crack — at least not in a realistic time frame.

Setting up FileVault

FileVault scrambles your files so that only your password (or the system’s Master Password) can unlock the files so you — or someone you trust and give the password to — can read them. When you type in a password, you can access your files and use them normally, but as soon as you close a file, FileVault scrambles it once more. FileVault works in the background; you never even see it working.

image FileVault uses your login password to encrypt your data. For added safety, FileVault creates a recovery key that can decrypt any encrypted files for all user accounts and the files for each account that you have stored on your Mac. If you forget your login password and your recovery key, your data will be encrypted forever with little hope of unscrambling and retrieving it again. You can opt to store your recovery password with Apple. If you lose it, you can retrieve it from Apple by giving the correct answers to three specific, pre-established questions.

To turn on FileVault, follow these steps:

1. Choose image⇒System Preferences and click the Security & Privacy icon.

The Security & Privacy preferences pane appears.

2. Click the FileVault tab to open the FileVault preferences pane, as shown in Figure 2-4.

If the lock in the lower-left corner of the FileVault preferences pane is locked, click it, enter your password when prompted, and then click Unlock.

image

Figure 2-4: The FileVault pane lets you turn on FileVault and set a password.

3. Click the Turn on FileVault button.

The recovery key appears, as shown in Figure 2-5.

If more than one person uses your Mac, a list of users appears. Click the Enable button next to the user(s) you want to give access to, enter the account password(s), click OK, and then click Continue.

image An enabled user who switches to his or her account must type in the password to access encrypted files. Users who forget their passwords will need the recovery key to gain access.

image

Figure 2-5: FileVault assigns a recovery key, which you use if you forget your password.

4. Write down your recovery key and then click Continue.

The recovery key changes if you turn FileVault off and then on again.

5. Choose whether to store your recovery key with Apple (see Figure 2-6):

· No: Select the Do Not Store the Recovery Key with Apple radio button.

· Yes: Select the Store the Recovery Key with Apple radio button.

Options for three questions appear, as shown in Figure 2-6. You must answer all three questions correctly for Apple to release your recovery key.

Select a question from each of the three pop-up menus, type the answers for the questions in the text boxes, and then click Continue.

6. In the dialog that opens, click the Restart button to begin the encryption process (or Cancel if you changed your mind).

Your Mac restarts and begins the encryption process. You can work while the encryption takes place. You can return to FileVault in System Preferences to check on the status.

image FileVault also works with external hard drives, so your data is safe wherever it’s stored.

image

Figure 2-6: Store your recovery key with Apple to protect against (your) memory loss.

Turning off FileVault

If you turned on FileVault and later change your mind, you can always turn it off:

1. Choose image⇒System Preferences and click the Security & Privacy icon.

2. Click the FileVault tab to open the FileVault preferences pane (refer to Figure 2-4).

When FileVault is turned on, the Turn Off FileVault button appears.

3. Click the Turn Off File Vault button, enter your login password, and then click OK.

A confirmation dialog appears, informing you that you’re about to turn off FileVault.

4. Click the Turn Off FileVault button.

image If you decide to sell or give your Mac to someone, you can use FileVault’s Instant Wipe function to completely clean your Mac’s drive. Technically, Instant Wipe eliminates the FileVault key, making the data inaccessible, and then overwrites the data with an illegible pattern.

Using Firewalls

Padlocks and FileVault protect your Mac against local threats, but when you connect your Mac to the Internet, you essentially open a door to remote threats. A highly technical person (such as a hacker) situated anywhere in the world could access your computer, copy or modify your files, or erase all your data. To keep out unwanted intruders, every computer needs a special program called a firewall.

A firewall simply blocks access to your computer, while still allowing you access to the Internet so you can browse websites or send and receive e-mail. Every Mac comes with a software firewall that can protect you whenever your Mac connects to the Internet.

image Many people use a special device — a router — to connect to the Internet. A router lets multiple computers use a single Internet connection, such as a high-speed broadband cable or DSL Internet connection. Routers include built-in hardware firewalls, and using one in combination with your Mac’s software firewall can provide your Mac with twice the protection. For more about how to configure your router’s firewall settings, refer to the router’s user guide or look for more information in the support section of the router manufacturer’s website.

Configuring the Mac firewall

Although the default setting for your Mac’s firewall should be adequate for most people, you may want to configure your firewall to block additional Internet features for added security. For example, most people will likely need to access e-mail and web pages, but if you never transfer files by using FTP (short for File Transfer Protocol), you can safely block this service.

image Don’t configure your firewall unless you’re sure that you know what you’re doing. Otherwise, you may weaken the firewall or lock programs from accessing the Internet and not know how to repair those problems.

To configure your Mac’s firewall, follow these steps:

1. Choose image⇒System Preferences and then click the Security & Privacy icon.

image If the lock icon in the lower-left corner of the preferences window is locked, you must unlock it to make changes to your Mac’s user account details. Click the lock icon, type your password in the dialog that appears, and then press Return to unlock your Mac’s user account details.

2. Click the Firewall tab.

The Firewall preferences pane appears.

3. Click the Turn On Firewall button to turn on your Mac’s firewall (if it isn’t already turned on).

4. Click the Firewall Options button to display the firewall’s custom settings, as shown in Figure 2-7.

The dialog that appears offers three check boxes.

In the center list box, you may see one or more sharing services you turned on by using the Sharing preferences pane (image⇒System Preferences⇒Sharing). Find out how to share in Book III, Chapter 4.

image

Figure 2-7: This preferences pane offers additional firewall security options.

5. Select (or deselect) the following check boxes:

· Block All Incoming Connections: Allows only essential communications for basic Internet and Mail access; also blocks sharing services, such as iTunes music sharing or Messages screen sharing. When you select this option, any services or applications listed in the pane disappear, replaced with a static warning that indicates all sharing services are being blocked.

· Automatically Allow Signed Software to Receive Incoming Connections: Allows typical commercial applications such as Microsoft Word to check for software updates and Safari to access the web.

· Enable Stealth Mode: Makes the firewall refuse to respond to any outside attempts to contact it and gather information based on its responses.

6. Continue to Step 8 if you want to make additional adjustments to your Mac’s firewall feature; otherwise, skip to Step 13.

7. (Optional) Click the Add (+) button to add applications that you want to allow or block from communicating over the Internet.

A dialog appears, listing the contents of the Applications folder.

8. Click a program that you want to allow to access the Internet, such as Dropbox or Skype.

9. Click Add.

Your chosen program appears under the Applications category.

10. (Optional) Click the pop-up button to the right of an application in the applications list and choose Allow Incoming Communications or Block Incoming Communications.

11. (Optional) To remove a program from the applications list, click the program name to select it and click the Delete (–) button below the program list.

12. Click OK.

image Beginning with Mac OS X 10.7 Lion, your Mac’s security was enhanced with two features:

· Advanced Space Layout Randomization (ASLR): Makes your applications more resistant to malicious attacks

· Sandboxing: Limits the types of operations an application can do, thereby making it difficult for a threat to take advantage of an application and, consequently, affect the whole operating system. Think of it as strengthening a potential weak link.

Buying a more robust firewall

Although the built-in Mac firewall blocks incoming connections well, it allows all outgoing connections — meaning that a malicious program you may inadvertently download could communicate via the Internet without your knowledge. To prevent this problem, you need a firewall that can block both incoming and outgoing connections.


Dealing with nasty malware and RATs

Two big threats exploit personal computers that aren’t protected by properly configured firewall preferences or properly configured router firewall settings. The first of these threats — malware — consists of programs that sneak onto your computer and then secretly connect to the Internet to do merely annoying (and offensive) things (retrieve pornographic ads that appear all over your screen) or do more serious things (infect your computer with a virus that can erase your personal data). Or, they can keep track of every keystroke you type on your computer, which in turn is transmitted to a snooping program on a malevolent person’s computer so the hacker can find out personal info such as credit card numbers, usernames, and passwords.

A second type of program that requires an outgoing Internet connection is a Remote Access Trojan (RAT). Malicious hackers often trick people into downloading and installing RATs on their computers. When installed, a RAT can connect to the Internet and allow the hacker to completely control the computer remotely over the Internet, including deleting or copying files, conducting attacks through this computer, or sending junk e-mail (spam) through this computer.

Although computer malware and RATs written and released by hackers typically target PCs running Windows, security experts agree that it’s only a matter of time before the same digital nastiness begins infecting Macs. To guard against potential viruses, spyware, and RATs, your Mac displays a dialog that alerts you when you run a program for the first time. This feature can alert you if a virus, spyware, or a RAT tries to infect a Mac. For further protection, consider purchasing a router with built-in firewall features, or installing an antivirus and antimalware program. (See the “Buying a more robust firewall” section for recommendations.)


image You should use only one software firewall at a time (although you can use one software firewall and a hardware firewall built into your router). If you use two or more software firewall programs, they may interfere with each other and cause your Mac to stop working correctly.

If you want a more robust firewall than the one that comes with the Mac (and the added security of antivirus and antimalware protection), consider one of the following:

· ClamXav 2: Available for free at www.clamxav.com

· Intego Mac Internet Security 2013: Costs between $40 and $60; available at www.intego.com

One problem with a firewall is that in the normal scheme of things, you never really know how well it’s working. To help you measure the effectiveness of your firewall, visit one of the following sites that will probe and test your computer, looking for the exact same vulnerabilities that hackers will look for:

· Audit My PC: www.auditmypc.com

· HackerWatch: www.hackerwatch.org/probe

· ShieldsUP!: https://www.grc.com/x/ne.dll?bh0bkyd2

· Symantec Security Check: http://security.symantec.com/sscv6/WelcomePage.asp

Because each firewall-testing website may test for different features, testing your Mac with two or more of these sites can help ensure that your Mac is as secure as possible.

Selecting Privacy Settings

If you belong to a social network such as Facebook or LinkedIn, you may know a little bit about privacy settings and how confusing they can be. Seems like everyone wants to know where you are and what you’re doing. Maybe that’s okay with you, maybe it’s not. Either way, you can set privacy settings on your Mac, too. Follow these steps:

1. Choose image⇒System Preferences and then click the Security & Privacy icon.

image If the lock icon in the lower-left corner of the preferences window is locked, you must unlock it to make changes to your preferences. Click the lock icon, type your password in the dialog that appears, and then press Return to unlock your preferences.

2. Click the Privacy tab.

The Privacy preferences pane appears, as shown in Figure 2-8.

image

Figure 2-8: The Privacy preferences let you choose which apps access data from your Mac or other apps.

3. Click each app in the list to allow other apps to access that app’s contents.

For example, click Contacts and then click the apps in the list on the right to give them access to Contacts. Each time an app requests access to information in another app, it will appear in the list for that app’s Privacy preferences.

Two other choices to consider in particular:

· Location Services: Select the Enable Location Services check box, as shown in Figure 2-9, to allow applications that use your location to access it — for example, Safari and Maps. You can selectively allow access only to certain applications or deselect the check box and prohibit access altogether.

image

Figure 2-9: Many apps use Location Services to complete their tasks.

· Diagnostics & Usage (scroll down the list of apps to find it): Select the Send Diagnostic & Usage Data to Apple check box if you want to send a message to Apple when you have a problem, such as Safari crashing, or to let your Mac send a message about how you’re using it from time to time. The information is sent anonymously, so you don’t have to worry about being spammed or anything.

4. Click the Close button.

Creating Multiple Accounts

Every Mac has at least one account that allows you to use your computer. However, if multiple people need to use your Mac, you probably don’t want to share the same account, which can be like trying to share the same pair of pants.

One problem with sharing the same account is that one person may change the screen saver or delete an app or file that someone else may want. To avoid people interfering with each other, you can divide your Mac into multiple accounts.

Essentially, having multiple accounts gives your Mac a split personality. Each account lets each person customize the same Mac while shielding other users from these changes. So, one account can display pink daffodils on the screen, and another account can display pictures of Mt. Rushmore.

image To access any account, you need to log in to that account. To exit an account, you need to log out. Although two users may be logged in at the same time, you see only one user’s Desktop, Finder, and setup.

Not only do separate accounts keep multiple users from accessing each other’s files, but creating multiple accounts also gives you the ability to restrict what other accounts can do. That means you — parents, for example — can block Internet access from an account, limit Internet access to specific times, or limit Internet access to specific websites. Such limits are Parental Controls.

Adding a new user account

To protect your files and settings, you should create a separate account for each person who uses your Mac. You can create four types of accounts:

· Administrator: Gives the user access to create, modify, and delete accounts. Typically, you have only one Administrator account; however, another user you trust implicitly, such as your partner, spouse, or job-share colleague may also have an Administrator account.

· Standard: Gives the user access to the computer and allows them to install programs or change their account settings, but doesn’t let the user create, modify, or delete accounts or change any locked System Preferences settings.

· Managed with Parental Controls: Gives the user restricted access to the computer based on the Parental Controls defined by an Administrator account.

· Sharing Only: Gives the user remote access to shared files but not the access to log in or change settings on your computer.

image Although each set of instructions begins with opening System Preferences and ends with closing System Preferences, you can open it once, go through each of the following sets of instructions, and then close System Preferences at the end.

You can set up a Managed with Parental Controls account from the Users & Groups System Preferences or directly from the Parental Controls System preferences. To set up a new user account, follow these steps:

1. Choose image⇒System Preferences and click the Users & Groups icon Users & Groups preferences pane (see Figure 2-10).

image

Figure 2-10: Manage all single accounts and groups from the Users & Groups preferences.

image If the lock icon in the lower-left corner of the preferences window is locked, you must unlock it to make changes to your Mac’s user account details. Click the lock icon, type your password in the dialog that appears, and then press Return to unlock your Mac’s user account details.

2. Click the Add (+) button in the lower-left corner (above the lock icon).

A New Account dialog appears.

3. Choose the type of account you want to set up from the New Account pop-up menu, as shown in Figure 2-11.

image

Figure 2-11: The New Account dialog lets you define your new account.

4. Enter the name of the person who’ll be using the account into the Full Name text box.

5. (Optional) In the Account Name text box, edit the short name that your Mac automatically creates.

6. Enter a password for this account into the Password text box.

If you click the key to the right of the password text box, your Mac will generate a random password that may be more difficult to guess but also harder to remember.

7. Re-enter the password you chose in Step 7 in the Verify text box.

8. (Optional) In the Password Hint text box, enter a descriptive phrase to help remind you of your password.

9. Click the Create User button.

The Users & Groups preferences pane displays the name of your new account.

10. (Optional) To assign an image to a user, follow these steps:

1. Click the image (the Picture well) above the name to reveal a selection of images you can assign to that user.

2. Click an image from the Defaults that are shown, click iCloud to choose a photo from Photo Stream, or click Camera to take a photo.

3. Click Edit to zoom or add a special effect to the image or photo.

4. When you have a photo you like, click the Done button to assign the photo to the user.

11. Click the Set button next to Apple ID to associate the correct Apple ID with this user.

The button will read Change if an existing Apple ID is already assigned.

12. Select one or more of the choices in the pane, as shown in Figure 2-12:

· Allow User to Reset Password Using Apple ID: The user can go into the User & Groups panel on his Mac to set up and change the user password by identifying himself with his Apple ID.

· Allow User to Administer This Computer: Change the account type to Administrator.

· Enable Parental Controls: Click the Open Parental Controls button to assign the limits you want to apply to this user.

13. Click the lock at the bottom of the window to prevent changes.

14. Click the Close button of the Users & Groups preferences window.

image Learn about Login Options later in this chapter, in the section “Enabling Fast User Switching.”

image

Figure 2-12: Associate the Apple ID and select options for new users.

Setting up a master password

If you have many user accounts set up on your Mac and each has a password, you should have a plan if someone forgets his password. By setting up a master password, the administrator of the Mac (probably you), can override any encrypting that the user may have set up and reset the password. To create a master password, follow these steps:

1. Choose image⇒System Preferences and click the Users & Groups icon to open the Users & Groups preferences pane (refer to Figure 2-10).

Click the lock icon and enter your password to unlock the Users & Groups System Preferences.

2. Click the Action button (it looks like a gear) at the bottom of the user list.

3. Choose Set Master Password.

A dialog opens, as shown in Figure 2-13.

4. Type in a password in the Master Password text box.

If you want help inventing a password, click the key to the right of the text field.

5. Retype the password in the Verify text box.

6. Type a hint to help you remember the Master Password.

7. Click OK.

8. Click the Close button of the Users & Groups preferences window.

image

Figure 2-13: Set a master password so the administrator can reset other users’ passwords.

Defining Parental Controls

You may want to use Parental Controls not only to protect your children from seeing things they may not be mature enough to see, but also to restrict what guest users can do with your Mac. You apply limits or restrictions to a Managed with Parental Controls account even if the person who accesses that account isn’t your child. You can place several types of restrictions on an account. Following are the categories of limits you find in the Parental Controls preferences:

· Apps: Limits the apps the user may use and offers an option to simplify the appearance of the Finder.

· Web: Limits which websites the account can access.

· People: Limits the account to sending and receiving e-mail and instant messages from a fixed list of approved people. You can also receive an e-mail when the user tries to exchange e-mail with a non-approved contact.

· Time Limits: Prevents someone from accessing the account at certain times or on certain days.

· Other: Select the associated check boxes to hide profanity, prevent modifications to the printers connected to the Mac, prevent saving data to a CD or DVD, or prevent changing the account password.

To apply Parental Controls to an account, follow these steps:

1. Choose image⇒System Preferences and then click the Users & Groups icon.

Click the lock icon and enter your password to unlock the Users & Groups System Preferences.

2. Click the Parental Controls button.

The Parental Controls preferences window opens.

3. Click the account to which you want to apply Parental Controls.

4. Click the Apps tab (if it isn’t already selected).

The Apps preferences pane appears, as shown in Figure 2-14. Choose from the following options:

image

Figure 2-14: Choose which applications the user can use.

· Use Simple Finder: Select this check box to create a Finder that’s easier for novice Mac users to work with.

· Limit Applications: Select this check box to restrict which apps the account can run. You can then do the following:

· Allow App Store Apps: From this menu, choose a specific age limit for the types of apps the App Store shows.

· Allowed Apps: Click the gray expansion triangle to the left of each Allowed Apps category to display a list of apps on your Mac for the selected category. Select or deselect the programs you want to allow or disallow the user from accessing.

Selecting or deselecting the check box for an entire application category, such as App Store or Utilities, gives you a single-click way to allow user access to all or none of the programs in that selected category. A dash in the check box means that some of the apps within that category are selected, and the user is allowed to use the checked apps.

· Prevent the Dock from Being Modified: Choose whether this user may modify the Dock; this option isn’t available if Use Simple Finder (earlier in this list) is enabled.

5. Click the Web tab to open the Web preferences pane, as shown in Figure 2-15.

image

Figure 2-15: Web preferences let you restrict what users can see.

Select one of the following radio buttons under the Website Restrictions section:

· Allow Unrestricted Access to Websites: Selecting this option allows users to access any website they want to visit.

· Try to Limit Access to Adult Websites Automatically: If you select this option, you can click the Customize button so that you can type the websites the account can always access and the websites that the account can never access.

In both cases, you must type the address you chose to allow or block. Although this option can attempt to block most adult websites automatically, you need to enter additional addresses for particular websites that slip past the adult website filter.

· Allow Access to Only These Websites: If you select this option, you can then specify which websites the user can access by clicking the “+” (plus-sign) button and adding websites you permit the user to visit. You can also remove websites you no longer want guest users to access by clicking the website in the list of allowed websites, and then clicking the “–” (minus sign) to remove the website.

image Click the Logs button if you want to see a list of the apps or websites this user has used or visited in the past or contacts with whom Messages have been exchanged.

6. Click the People tab.

The People preferences pane appears, as shown in Figure 2-16, and you can do the following:

· Game Center: Select or deselect the Game Center options to allow multiplayer games and/or adding friends.

· Limit Mail, Limit Messages: Select one or both and click the Add (+) button under the Allowed Contacts box to open the dialog that allows you to add specific names or groups, as shown in Figure 2-17.

image These controls don’t limit who the user can use FaceTime with, so if you’re concerned about that, don’t give access to the FaceTime app (refer to Step 4).

image

Figure 2-16: People preferences lets you restrict who the user can contact.

image

Figure 2-17: Specify contacts you want to let the user access.

3. Enter the first and last name of a person that you approve of into the First Name and Last Name text boxes.

4. Access your Contacts by clicking the triangle to the right of the Last Name field. Select multiple addresses by holding down the image key.

5. Enter an e-mail or IM address of the approved person in the Allowed Accounts text box.

6. Choose the account type (Email, AIM, or Jabber, for example) from the Allowed Accounts pop-up menu.

7. Select the Add Person to My Address Book check box, and the IM address and name of the approved person will be added to the Contacts app.

8. (Optional) Click the “+” button to specify another person and the associated e-mail or instant messaging chat account address.

9. Click Add.

The dialog closes, and the names appear in the Allowed Contacts list.

image If you want to remove someone from the Allowed Contacts list, click the name and press the Delete key or click the “–” button.

7. Click the Time Limits tab to open the Time Limits preferences pane, as shown in Figure 2-18, and choose from the following:

· Limit Weekday Use To: Select this Weekday Time Limits option and drag the slider to specify how much time the account can use your Mac.

· Limit Weekend Use To: Select this Weekend Time Limits option and drag the slider to specify how much time the account can use your Mac.

· School Nights and Weekend: Select one or both check boxes under the Bedtime category and set the start and end times of when you don’t want the account to use your Mac, such as between 9 p.m. and 9 a.m.

image The School Nights option defines Sunday–Thursday. The Weekend option defines Friday and Saturday; however, this option pays no mind to exceptions such as holidays, school vacations, snow days, and other potential non–school night calendar dates.

8. image

9. Figure 2-18: Time Limits preferences let you specify certain days or times the account can be used.

10. Click the Other tab to open the Other preferences pane.

Select the check boxes next to the limits you want to set. The effect each has is explained in the Other preferences window, as shown in Figure 2-19:

· Disable Built-In Camera

· Disable Dictation

· Hide Profanity in Dictionary

· Limit Printer Administration

· Disable Changing the Password

· Limit CD and DVD Burning

11. Click the lock button at the bottom left of the window, and then click the Close button to quit System Preferences.

image

Figure 2-19: The Other pane offers additional Parental Controls.

Monitoring a Managed with Parental Controls account

After you create a Managed with Parental Controls account, you can view what that user has been doing on your Mac by reviewing log files, which keep track of all the websites the user visited and tried to visit (blocked by the Mac Parental Controls), the programs the user ran, and the people the user contacted through iMessages or e-mail. To view these log files, follow these steps:

1. Choose image⇒System Preferences and then click the Parental Controls icon to open the Parental Controls preferences pane.

image If the lock icon in the lower-left corner of the preferences window is locked, click to unlock it, and then type your password in the dialog that appears. Press Return to unlock your Mac’s user account details.

2. Click the account icon in the list on the left whose log files you want to examine.

3. Click the Logs button at the bottom right of the window.

4. Choose a period from the Show Activity For pop-up menu, such as viewing everything the user did in the past week or month.

5. Choose Website/Application/Contact (depending on which log you want to view) or Date from the Group By pop-up menu.

6. Click Websites Visited, Websites Blocked, Applications, or Messages in the Log Collections list box to review the selected log, as shown in Figure 2-20.

Click the disclosure triangle to see more detail about the web pages within that website.

image Not all blocked websites are necessarily pornographic. Sometimes a blocked website could just be a blocked pop-up ad from an acceptable site, or an educational or reference site with keywords that trigger the block.

image

Figure 2-20: See who’s been doing what.

7. Click the Close button to quit System Preferences.

Activating a Sharing Only account

Your Mac comes with a pre-established Guest User account. This account lets friends or clients use your Mac temporarily, but nothing they do is saved on your Mac although it could be saved to a Shared file or to a remote storage site like Dropbox or an external hard or flash drive. By giving someone a Guest User desktop to use, your Desktop and everything you’ve so neatly organized doesn’t get poked around or messed up.

image Your Mac has only one Guest account because multiple users will access the same Guest account. To enable the Guest account, follow these steps:

1. Choose image⇒System Preferences, and then click the Users & Groups icon.

If the lock icon in the lower-left corner of the preferences window is locked, click to unlock it and then type your password in the dialog that appears. Press Return to unlock your Mac’s user account details.

2. Click the Guest User icon that appears in the list box on the left to open the Guest User dialog, as shown in Figure 2-21.

image

Figure 2-21: When you enable a Guest account, you can define additional options for how the Guest account works.

3. Select the Allow Guests to Log In to This Computer check box, which allows anyone to use your Mac’s Guest account without a password.

4. (Optional) Click the Open Parental Controls button if you want to specify which programs guests can use (or not use) and whether they can access the Internet.

Read about adjusting these settings in the earlier section, “Defining parental controls.”

5. (Optional) Select or deselect the Allow Guests to Connect to Shared Folders check box.

If this option is selected, a Guest account can read files created by other accounts and stored in a special shared folder or the other users’ Public folder.

6. Click the Close button of the Accounts preferences window.

Switching between accounts

The Mac offers several ways to switch between accounts. The most straightforward way is to log out of one account and then log in to a different account. A faster and more convenient way is to use Fast User Switching, which essentially lets you switch accounts without having to log out of one account first.

To log out of an account, simply choose image⇒Log Out (or press image+Shift+Q). After you log out, the login window appears, listing the names and user icons of all accounts. At this time, you can click a different account name to log in to that account.

Before you can log out, a confirmation dialog appears as shown in Figure 2-22. Your open files and apps will be closed before logging out. Select the Reopen Windows When Logging Back In check box so when you log in, your Mac looks just like how you left it when you logged out.

image

Figure 2-22: Confirm that you want to log out.

image Hold the Option key while logging out to avoid the confirmation dialog.

If you use Fast User Switching, you won’t have to bother with any of that because Fast User Switching gives the illusion of putting the currently active account in “suspended animation” mode while your Mac opens another account.

Enabling Fast User Switching

Before you can use Fast User Switching, you have to turn on this feature. Log in as Administrator and then follow these steps:

1. Choose image⇒System Preferences, and then click the Users & Groups icon.

If the lock icon in the lower-left corner of the preferences window is locked, click to unlock it and then type your password in the dialog that appears. Press Return to unlock your Mac’s user account details.

2. Click the Login Options icon at the bottom of the list of users on the left side of the pane to display the Login Options pane, as shown in Figure 2-23.

image

Figure 2-23: Login Options is where you can turn on Fast User Switching.

3. Select the Show Fast User Switching Menu As check box, open the pop-up menu, and choose how you want to display the Fast User Switching Menu: Full Name, Short Name, or Icon.

These options display what appears on the menulet. Full Name displays full account names, Short Name displays abbreviated account names, and Icon displays a generic icon that takes up the least amount of space in the menu bar.

4. Select other Login Options:

· Automatic Login: Leave this option Off or choose one user who will be automatically logged in when you restart your Mac, which is handy if you’re the only user and your Mac is always in a safe place.

· Display Login Window As: Choose List of Users (from which you click a user and then type in the password) or Name and Password (which requires you to enter both your user name and password).

· Show the Sleep, Restart, and Shut Down Buttons: Select this if you want to see these buttons on the login screen.

· Show Input Menu in Login Window: Allows users to choose the language they want to use when logging in.

· Show Password Hints: Users can click the question mark on the login screen to see a password hint, which you set up when you created the user account name and password.

· Use VoiceOver in the Login Window: Select this if you want VoiceOver to work during login. Learn more about VoiceOver in Book I, Chapter 6.

5. Click the Close button to close the Users & Groups preferences pane.

Changing accounts with Fast User Switching

When you enable Fast User Switching, the Fast User Switching menulet appears in the right side of the menu bar, as shown in Figure 2-24. The menulet displays the names of accounts you can choose.

image

Figure 2-24: The Fast User Switching menulet.

To switch to a different account at any time, follow these steps:

1. Click the Fast User Switching menulet on the right side of the menu bar and then click the account name you want to use.

2. Type the account password in the dialog that appears and press Return.

Your Mac switches you to your chosen account.

Deleting an account

After you create one or more accounts, you may want to delete an old or unused account. When you delete an account, your Mac gives you the option of retaining the account’s Home folder, which may contain important files. To delete an account, follow these steps:

1. Make sure that the account you want to delete is logged out and also that you’re logged in to your Administrator account.

2. Choose image⇒System Preferences, and then click the Users & Groups icon or click the Fast User Switching menulet and choose Users & Groups Preferences (refer to Figure 2-24).

If the lock icon in the lower-left corner of the preferences window is locked, click to unlock it, and then type your password in the dialog that appears. Press Return to unlock your Mac’s user account details.

3. Select the account you want to delete in the accounts list and then click the Delete Account (–) button in the lower-left corner of the list.

A confirmation dialog appears, asking whether you really want to delete this account and presenting options to save the Home folder of the account, as shown in Figure 2-25. Select one of the following radio buttons:

· Save the Home Folder in a Disk Image: Saves the home folder and its contents in a compressed disk image (DMG) file. This keeps the files compressed, so they take up less space on the hard drive than if you choose the next option (which does not compress the files contained in the Home folder). Choosing this option is like stuffing things in an attic to get them out of sight but still keeping them around in case you need them later.

· Don’t Change the Home Folder: Keeps the Home folder and its contents exactly as they are before you delete the account, so you can browse through the files contained within the folder at any time.

· Delete the Home Folder: Wipes out any files the user may have created in the account. Click the check box next to Erase Home Folder Securely to encrypt the files when they’re erased, making them irretrievable.

image

Figure 2-25: Do you really want to delete?

4. Click Delete User.

Your Mac deletes the specified account.

A Few Final Security Tips

We want to give you a few extra security tips to keep your Mac and your documents safe:

· Really take out the trash. From the Desktop, choose Finder⇒Secure Empty Trash when eliminating old files, especially if you have sensitive documents. This feature is more incinerator than simple trash can.

· Avoid suspicious websites. If you open a website and then a gazillion other pages open, quit Safari and re-open it. Then choose History⇒Clear History to wipe out any memory of the pages that you opened. Your Mac will screen downloads from Safari, Mail, and Messages and offers to move potential malicious files directly to the trash — usually a good idea.

· Mix it up. Resist the temptation to use the same password for everything. Use Password Assistant to generate passwords, and then track those passwords by using Keychain Access (choose Go⇒Utilities and click Keychain Access). See the section “Changing your password” at the beginning of this chapter to learn more about Password Assistant.

· Put junk in its place. If an e-mail arrives that seems to be from your bank or credit card provider, but the domain is @hotmail.com or @gmail.com or includes an overseas domain such as .es, don’t respond! Mark it as Junk, and move on. Sorry to disappoint, but they reallydidn’t find $14 million that belongs to you.

image Banks don’t send or ask for sensitive financial information via e-mail, maybe because they know that an ordinary e-mail message is about as secure as a postcard — as in, not secure.

image Barbara recently received an e-mail supposedly from Apple asking to sign in to her iCloud account to confirm information. Even the domain was @apple.com, but something didn’t look quite right. The misspellings in the web page that opened were a tip-off, and upon closer inspection, the logo and colors were very close but not exact. Hovering the pointer over the domain revealed the real, non-Apple URL and a quick search on the Internet revealed that fake Apple e-mail messages were in circulation!