Biggest Mac Mistakes

by The Guy Who Was In Craig Neidorf's Spanish Class And Had No Idea

As an IS/IT contractor, I know that folks take the simplicity of the Macintosh interface for granted and underestimate the curiosity of the Mac users.  A nosey user can come along and mess things up nicely.

This article discusses basic ways a Macintosh network can be attacked or compromised.  The three open doors that I see on networks are File Sharing, Retrospect Remote, and AppleTalk Remote Access.

File Sharing

To reach a shared volume, a Mac user on the network opens the Chooser under the Apple Menu, selects the AppleShare icon, picks a zone, and double-clicks a listed device: either an AppleShare Server or a desktop computer with File Sharing turned on.

A dialog comes up with username and password fields for registered users.  If the user enters a valid name and password, access is granted to whatever directories or drives have been made available to that registered user.  If guest access is enabled, the user can instead select the Guest radio button without entering a username or password and click OK, gaining access to whatever has been assigned to Guest users.

To share a computer (not using the AppleShare Server, but the AppleShare that comes with every Macintosh system), the following is done.  On the computer to be shared, users go to Sharing Setup in the Control Panels folder and enter Owner Name, Macintosh Name, and Password in appropriate fields.

Next they click the Start button next to the words File Sharing.  If there is no password or username, the computer will notify the user that this is a bad idea.

Users then select the drive icon or folders to be shared with the mouse, then choose Sharing from the File menu and click on the check box with Share This Item And Its Contents.  The entire hard drive or folder can be made available to users in varying degrees by using check boxes for See Folders, See Files, and Make Changes next to the words Owner, User/Group, and Everyone.

If a user wants to set up access to a computer for multiple users, then the user goes to the Users & Groups control panel.  There will be a blockhead icon there for the Owner and one for Guest.  By going to New User under the File menu, other blockheads can be created for different users with different passwords.

Where the Mistakes Are Made With File Sharing

I work at an advertising agency with thirty zones that connect offices in more than a dozen cities across the country.  There are nearly 100 Macintosh computers wide open on the WAN because of one reason: file sharing is poorly configured.  I have worked at companies with world-wide WANs (more than 30 offices and 4,000 users - if you read the MacWEEK 200, you might know who I'm talking about), and they are no better than the lone zone rinky-dink production shops.  In fact, the larger the WAN, the harder it is to monitor file sharing and the more likely there are gaping access holes.

1.)  Guest access is turned on.  When turning on file sharing, the user opens the Guest blockhead in the Users & Groups control panel and selects the check box for Allow Guests To Connect, thinking that without this no users can connect to the computer.  That belief is mistaken: registered users connect with their own name and password regardless.  What the box actually does is let anybody on the network log on as Guest, with no password at all, to any shared item where "Everyone" is assigned the privileges See Folders, See Files, and Make Changes.

2.)  User shares the entire drive instead of certain folders.  The user selects the hard drive icon, chooses Sharing from the File menu, and clicks the check box Share This Item And Its Contents.  A user may compound the problem by checking Make All Currently Enclosed Folders Like This One, which, after a warning, overwrites the privileges already set on folders inside the drive.  Unless separate privileges are assigned to the folders within the drive, they inherit the drive's privileges and are open to the same users.  Each folder needs the correct Owner or User/Group set so that only certain users can reach it.  To share a folder on a drive without sharing the drive itself, the hard drive icon need not be shared at all: just share the folders within it.

3.)  User leaves the password blank and uses the same words for Owner Name and Macintosh Name.  The Owner Name and Macintosh Name in the Sharing Setup control panel should not be the same.  If they are, an unauthorized visitor can type the device name (which shows up in the Chooser) as the username, leave the password blank, and walk the WAN one computer at a time to find the ones with no password.  Where the password is blank, the visitor has complete access to the shared items.  A variation on this is a machine named Joe Blow's IIsi.  The logical username is, of course, Joe Blow.  Even better, the password is often Joe Blow, or joe blow (Mac passwords are case sensitive, but usernames are not), or joe, or blow, or one of several other variations on the theme.
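To see how mistakes 1 and 2 combine, here is an added example (not from the article, and not Apple's code) that models the Sharing dialog's privilege rules and reports what a Guest can reach and change on a shared drive.  The folder tree, names and settings are constructed; giving a registered user the union of the Owner, User/Group and Everyone bits that apply to them is a modelling assumption, as is the "Same as enclosing folder" inheritance for folders not given their own privileges.

```python
"""Model of System 7 File Sharing privileges, to check mistakes 1 and 2.

Added example; constructed folder tree, names and settings.  Rules modelled:
See Folders / See Files / Make Changes granted separately to Owner,
User/Group and Everyone; an enclosed folder inherits the enclosing folder's
privileges unless given its own; a Guest gets the Everyone bits.  Giving a
registered user the union of the Owner, User/Group and Everyone bits that
apply to them is a modelling assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SEE_FOLDERS, SEE_FILES, MAKE_CHANGES = 1, 2, 4
ALL, NONE = SEE_FOLDERS | SEE_FILES | MAKE_CHANGES, 0


@dataclass
class Privileges:
    owner: int
    group: int
    everyone: int


@dataclass
class Folder:
    name: str
    owner: str
    group: Optional[str] = None
    privileges: Optional[Privileges] = None   # None = "Same as enclosing folder"
    children: List["Folder"] = field(default_factory=list)


@dataclass
class Account:
    name: str
    groups: frozenset = frozenset()
    guest: bool = False


GUEST = Account("Guest", guest=True)


def effective_bits(folder, inherited, who):
    """Bits `who` gets on `folder`, given the enclosing folder's privileges."""
    priv = folder.privileges or inherited
    if who.guest:
        return priv.everyone
    bits = priv.everyone                          # assumption: Everyone applies to all
    if who.name.lower() == folder.owner.lower():  # usernames are not case sensitive
        bits |= priv.owner
    if folder.group is not None and folder.group in who.groups:
        bits |= priv.group
    return bits


def reachable(share, who, guest_allowed):
    """(path, bits) for each folder `who` can reach from the shared item.

    A folder is reached only if its parent grants See Folders.  The shared
    item itself must carry explicit privileges; there is nothing to inherit.
    """
    if who.guest and not guest_allowed:           # Allow Guests To Connect is off
        return []
    found = []

    def walk(folder, inherited, path):
        priv = folder.privileges or inherited
        bits = effective_bits(folder, inherited, who)
        found.append((path, bits))
        if bits & SEE_FOLDERS:
            for child in folder.children:
                walk(child, priv, f"{path}/{child.name}")

    walk(share, share.privileges, share.name)
    return found


def guest_writable(share, guest_allowed):
    """Mistake 1: folders anyone on the network can Make Changes in as Guest."""
    return [p for p, bits in reachable(share, GUEST, guest_allowed) if bits & MAKE_CHANGES]


def make_enclosed_like_this(folder):
    """The 'Make All Currently Enclosed Folders Like This One' box from mistake 2:
    after the warning, every folder inside loses its own settings."""
    for child in folder.children:
        child.privileges = Privileges(folder.privileges.owner, folder.privileges.group,
                                      folder.privileges.everyone)
        make_enclosed_like_this(child)


def sample_drive():
    """Constructed: whole drive shared with all three Everyone boxes ticked,
    Accounting locked to the Finance group, Scratch left 'Same as enclosing'."""
    return Folder("Macintosh HD", owner="Joe Blow",
                  privileges=Privileges(owner=ALL, group=ALL, everyone=ALL),
                  children=[
                      Folder("Accounting", owner="Joe Blow", group="Finance",
                             privileges=Privileges(ALL, SEE_FOLDERS | SEE_FILES, NONE)),
                      Folder("Scratch", owner="Joe Blow"),
                  ])


if __name__ == "__main__":
    hd = sample_drive()
    print("Guest can change:", guest_writable(hd, guest_allowed=True))
    make_enclosed_like_this(hd)
    print("after Make All Enclosed Like This One:", guest_writable(hd, guest_allowed=True))
```

Run as-is, the first line shows that sharing the whole drive exposes the untouched Scratch folder to Guest along with the drive itself, while the explicitly locked Accounting folder stays closed; the second line shows that one click of the propagate box opens Accounting too.  Turning Allow Guests To Connect off empties the list entirely, which is the fix for mistake 1.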

Retrospect Remote

Retrospect Remote is the de facto standard in network backup software for the Macintosh.

A control panel is installed (called Remote) on each machine that allows the server to access the drive.  At shutdown, the Retrospect control panel throws up another screen that says "Now waiting for backup..." and has Shutdown and Restart buttons.  A screen saver will kick in a few seconds after this window comes up.  The control panel allows files to be read from and copied to the start-up drive or any attached readable and/or writable devices.

The control panel is configured from the Retrospect backup server by selecting Configure, then Remotes, and then Network.  In the Network window you can select different zones and see available Retrospect Remote indicators next to machine names.  These indicators come in three types: Not Activated, Not Logged In, and Responding.  If you double-click on a Not Activated device, the server will check with the device and try to allow you to configure the control panel, which includes entering an activator code, password, and selecting drives attached to the device for backup.

If you double-click on a Not Logged In device, the server will attempt to connect you to the device.  It may ask for a security code.  If it does not, you will be allowed to change configurations and the server from then on will recognize the device as responding.  If you double-click on Responding, you may be asked for a security code, or if none is required, you will be allowed to change the configuration.

Where the Mistakes Are Made With Retrospect Remote

1.)  Not putting a password in the configuration.  In the 30 zones available here, you can access the entire hard drives of some 20 computers because their Remote control panels have not been assigned passwords.  That includes more than five servers.  As long as you have a Retrospect server, you can configure any Remote control panel that lets you in, and any panel that lets you in means you can back up every attached storage device to DAT (or whatever media you use).  Backups can be restored to any computer, not just the one the data was backed up from.

2.)  Not activating Remote control panels.  An unauthorized person could find unactivated control panels, enter an activator code, back up the hard drive to DAT, and then, in the Network remote configuration, deactivate the control panel when finished.  This more or less restores the control panel to its virgin state.  There is access to about five computers in this state.

3.)  Owner and hard drive names are exposed on the network.  Using the Retrospect server, a user can read the owner name of every computer with the Remote control panel, even without knowing its security code.  Because these owner names may not match the machine names listed in the Chooser, they can be fed to the file sharing entrances explained above: owner name with blank password, owner name with machine name as password, vice versa, and so on.  Listings in the server's Network remote configuration that you do have access to will also show the name of the startup drive and any other attached drives.  These names are more fodder for username and password guessing.
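Mistake 3 under File Sharing and mistake 3 here describe the same guessing game from two sides: the Chooser gives you machine names, Retrospect gives you owner and drive names, and the password is usually blank or a spelling of the owner's name.  The following added example (not the article's code, and not any real tool) turns those rules into an ordered guess list and runs it against a constructed inventory with a simulated login check so that it works offline.  The machines, owner names, drive names and passwords are made up, and `try_login` stands in for the real AppleShare check.

```python
"""Audit for guessable File Sharing logins, using the names the Chooser and
Retrospect Remote give away.

Added example, not the article's code or any real tool.  INVENTORY is a
constructed stand-in for the Sharing Setup of machines seen in the Chooser;
try_login simulates the AppleShare check so everything runs offline.  Guess
order follows the article: machine name as username with a blank password,
the owner name parsed from a name like "Joe Blow's IIsi", the owner name
Retrospect shows, then passwords built from those names and drive names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SharingSetup:
    """Constructed stand-in for one machine's Sharing Setup control panel."""
    machine_name: str
    owner_name: str
    password: str                    # AppleShare passwords are case sensitive
    volumes: Tuple[str, ...] = ()    # drive names Retrospect Remote reveals


INVENTORY = [  # constructed, not real hosts
    SharingSetup("Art Dept Quadra", "Art Dept Quadra", "", ("Macintosh HD",)),
    SharingSetup("Joe Blow's IIsi", "Joe Blow", "joe blow", ("Joe's Drive",)),
    SharingSetup("Traffic 2", "M. Rivera", "7#kQp2zL", ("Traffic HD",)),
]

# straight apostrophe, as typed into Sharing Setup
POSSESSIVE = re.compile(r"^(.+?)'s(?:\s|$)")


def owner_from_machine_name(machine_name: str) -> str:
    """'Joe Blow's IIsi' -> 'Joe Blow'; any other name is returned as is."""
    m = POSSESSIVE.match(machine_name)
    return m.group(1).strip() if m else machine_name.strip()


def _dedupe(items: List[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def candidate_usernames(machine_name: str, leaked_owner: Optional[str] = None) -> List[str]:
    """Chooser name first, then the owner guessed from it, then what Retrospect leaks."""
    names = [machine_name, owner_from_machine_name(machine_name)]
    if leaked_owner:
        names.append(leaked_owner)
    return _dedupe(names)


def candidate_passwords(username: str, machine_name: str, volumes=()) -> List[str]:
    """Blank first, then the name in its common spellings, then its words,
    then machine and drive names: the variations the article lists."""
    words = username.split()
    guesses = [""]
    guesses += [username, username.lower(), username.upper(), username.replace(" ", "")]
    guesses += words + [w.lower() for w in words]
    guesses += [machine_name, owner_from_machine_name(machine_name), *volumes]
    return _dedupe(guesses)


def guess_pairs(machine_name, leaked_owner=None, volumes=()):
    """Every (username, password) pair to try for one machine, in order."""
    return [(u, p) for u in candidate_usernames(machine_name, leaked_owner)
            for p in candidate_passwords(u, machine_name, volumes)]


def try_login(setup: SharingSetup, username: str, password: str) -> bool:
    """Simulated AppleShare login: usernames are not case sensitive, passwords are."""
    return username.lower() == setup.owner_name.lower() and password == setup.password


def audit(inventory, use_retrospect_leak=True):
    """Machine name -> first (username, password) that gets in, or None."""
    results = {}
    for setup in inventory:
        leaked = setup.owner_name if use_retrospect_leak else None
        volumes = setup.volumes if use_retrospect_leak else ()
        hit = None
        for user, pw in guess_pairs(setup.machine_name, leaked, volumes):
            if try_login(setup, user, pw):
                hit = (user, pw)
                break
        results[setup.machine_name] = hit
    return results


if __name__ == "__main__":
    for machine, hit in audit(INVENTORY).items():
        print(f"{machine:18} {'OPEN ' + repr(hit) if hit else 'not guessed'}")
```

The two machines that fall follow the article's pattern exactly: one has Owner Name equal to Macintosh Name with no password, the other is "Joe Blow's IIsi" with the password joe blow.  The third machine's owner name leaks through Retrospect all the same, but a password that is not a spelling of anything visible on the network survives the whole list, which is the point of mistake 3: the fix is the password, not hiding the name.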

AppleTalk Remote Access (ARA)

AppleTalk Remote Access allows a Macintosh to dial into an AppleTalk network.  It gives the user access to servers, email, printers, and any other network functions the same as if the user was in the office connected via Ethernet.

Where the Mistake Is Made With ARA

A company has to go out of its way to allow ARA access to the network.  At least one version of ARA allows users to save their password in the configuration document.  You might be surprised at how many users prefer to save the password and take the chance rather than type it every time they log on to the network.  That means that if you can get hold of an ARA configuration document with a saved password, you can access the network at will: the document already contains the username and phone number, so all the secrets are out and nothing more is required.

PowerBooks are especially susceptible to the saved configuration document, and to the other methods described in this article, for the simple reason that they are probably the most stolen computer in America by percentage.

Programs That Give You an Edge Over Nosey Parkers

I have found these two programs to be useful in monitoring security on my network.

Network Security Guard 3.1 (demo version at www.mrmac.com).  Lacks elegance and looks, but is effective.  Throws passwords in bulk at any shared drive on the network, checks for the file sharing weaknesses mentioned above, uses dictionaries, lists the files available, and lists suspicious configurations found on the network, saving everything in reports.  A serious program for protecting yourself from attacks, but one that can also be used against you.  It hogs all available processing power while running, so a dedicated Mac is good.  Run it during the day, when computers are turned on and the network is at its most active.

LookOut! by Pace Bonner & Jeff Amfahr, PB Computing, distributed by Trik, Inc. at 800-466-TRIK, www.pbcomputing.com.  Part of the Nok Nok package of AppleShare monitoring and control software.  This control panel indicates in the Chooser, next to the machine names, whether guest access is enabled and what kind of file sharing is enabled.  It makes checking each listing for guest access much faster, particularly on a large network.
