Welcome to Leopard Leopard Welcome to

How to get started

www.apple.com/support
Apple Inc. 2007 Apple Inc. All rights reserved. Apple, the Apple logo, Boot Camp, Expos, FireWire, iCal, iPhoto, Keynote, Mac, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. Aperture, Cover Flow, Finder, iPhone, Leopard, Safari, and Spotlight are trademarks of Apple Inc. AppleCare is a service mark of Apple Inc., registered in the U.S. and other countries.Mac is a service mark of Apple Inc. Other product and company names mentioned herein may be trademarks of their respective companies. Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation. Because Apple frequently releases new versions and updates to its software, images shown in this book may be different from what you see on your screen.

Install Leopard

To upgrade to Mac OS X Leopard, insert your installation disc and double-click Install Mac OS X. Then click Restart. Your computer restarts, and the Mac OS X Installer opens.

Install Leopard

Select a destination
Select your startup disk or the volume that has the version of Mac OS X you want to upgrade.
Select a volume. You may not be able to install Leopard on some volumes.
Look here for important information about the installation.
Click Options if you want to select a different type of installation.
For additional information, see the Instructions folder on your installation disc.

Install Leopard

Begin installation
When youre ready, click Install to begin installing Mac OS X Leopard. When the installation is finished, your computer will restart.
Click Customize if you want to change whats installed.

Meet Leopard

www.apple.com/macosx

Desktop

From the menu to the Dock, Leopard introduces a great new look and Stacksa brand-new way to stay organized.

Desktop

Stacks
Stacks provide a convenient way to get to your documents. Folders already in the Dock become stacks automatically. To create a stack, drag a folder of documents to the Dock.
When you click a stack, the items appear in a grid or a fan above the icon.

Desktop

The Downloads stack
The Dock includes a Documents stack and a Downloads stack. Items you download in Safari, Mail, or iChat always go to the Downloads stack so that you can find them quickly.
The latest download appears here.
Click the Downloads stack to see items youve downloaded.

10 Desktop

Customization
Stacks appear as a fan or a grid automatically based on the number of items in the stack. You can specify which style you want to use and change the stacks sort order.
To customize a stack, position the pointer over the stack icon and then hold down the mouse button until a menu appears.

Desktop 11

Finder
See your files in Cover Flow and browse through them quickly.

12 Finder

Cover Flow
Cover Flow lets you see your movies, presentations, PDF files, and more in large-size previews as you flip through them.
Click this button for Cover Flow.
Move the pointer over an item to play a movie or see the pages of a document, for example. Drag the slider to thumb through your documents.

Finder 13

Sidebar
The Finder sidebar makes it easy to get to folders on your computer, shared computers on your network, and your saved searches.
Shared computers available on your network automatically appear here.
Commonly used searches are included in the sidebar, and you can add your own searches.

14 Finder

Spotlight
In a Finder window or the menu bar, use Spotlight to search for items on your computer. If you use the same search often, save it in the Search For section of the sidebar.
Type your search in the search field. Click Save to add a Smart Folder to the sidebar.
See your search results in Cover Flow.

Finder 15

Shared computers
Shared computers on your network automatically appear in the sidebar so that you can quickly find the documents they contain.
Search for documents on shared computers.
Get immediate access to the Public folder on any shared computer.

16 Finder

Screen sharing
Use screen sharing to get to the desktop of shared computers on your network. You can monitor use, change settings, and much more from your computer.
Select the computer and then click Share Screen.

To see the toolbar, choose View > Show Toolbar.
Youll see the desktop of the other computer in a window.
To use all of your screen, click the Full-screen button. Finder 17

Sharing

You can share your files, your website, your screen, and much more with other computers on your network. To start, open System Preferences and then click Sharing.
Click the Add (+) button to select users and groups who can share your files.
Click the Add (+) button to select any folder you want to share.

18 Finder

Back to My Mac
With your.Mac membership, an Internet connection, and Back to My Mac and sharing services turned on, you can access any of your computers from anywhere on the Internet.
Back to My Mac is on automatically.
Back to My Mac computers appear in the sidebar.

Finder 19

Quick Look
See stunning previews of movies, PDF files, presentations, spreadsheets, and more without opening an application.

20 Quick Look

View documents
You can use Quick Look in the Finder, Time Machine, and Mail. To view an item in Quick Look, select it and then press the Space bar.
Click the Quick Look button in the Finder window toolbar.
Click here for a full-screen preview.

Quick Look 21

Browse contents
When you view the documents in Quick Look, you can flip through each page of your document or view each slide of a Keynote presentation.
Each slide of a Keynote presentation appears here.

22 Quick Look

Show collections
You can use Quick Look to view several items at once. To automatically scan through the items, click the Play button.
Click a picture in the index sheet to view it.
Click the Index Sheet button to view all the items.
Click the Camera button to add a photo to iPhoto.

Quick Look 23

Time Machine
Automatically back up your Mac. If youre missing a document, travel back in time to recover it.

24 Time Machine

Turn on Time Machine
To start using Time Machine, just connect a FireWire or USB disk to your computer, and then click Use as Backup Disk in the dialog that appears.
When you turn on Time Machine, it backs up your computer to the disk youve selected.

Time Machine 25

Recover files
Easily find a missing document by seeing how your desktop looked in the past. Time Machine does a backup each hour of the current day, and then saves daily backups.

Click to create a note or to-do item.
To create a to-do item, select text in the note and click To Do.
Click to set options for the to-do item. Items automatically appear in iCal.
See your notes and to-do items in the Reminders section of the sidebar.

34 Mail

Data detection
You can turn dates in your email messages into iCal events. You can add names, phone numbers, and addresses to your contacts. You can even map addresses in Safari.
Move the pointer over the date, name, or address, and then click the triangle to choose an action.

Mail 35

Make your chats more fun using video effects such as backdrops. Show off your work with iChat theater.

36 iChat

Video backdrops
Use video backdrops with your chats to be anywhere in the world. iChat includes movies and still photos that you can use, or you can add your own.
Select a video backdrop and then step out of the picture for a moment.
Click Effects to select a video effect.
Add your own movies or pictures to use as a video backdrop.

iChat 37

Effects
While youre in a video chat, you can select video effects to make your chats fun and interesting.
Click the effect in the center for the original view.
Click any effect to use it.

38 iChat

iChat theater
To show photos, movies, or presentations in a video chat, start the chat and then drag the file or files you want to show to the chat window.
See how your presentation looks to your buddy.
Control your presentation using this window.

iChat 39

iChat screen sharing
Screen sharing lets you take control of a buddys computer to show how to do something, rather than just explain it.
Click to switch screens. To copy a document to this computer, drag it here.
Select a buddy with video chat capability, and then click the Screen Sharing button.

40 iChat

Tabbed chats
Use tabbed chats if you have a lot of chats. To do so, open the Messages pane of iChat preferences, and then select Collect chats into a single window.
Click a chat to return to it.
See the latest reply from your buddy.

iChat 41

Presence
If you have more than one.Mac, AIM, Jabber, or Google Talk account, you can log into all of them at the same time in iChat.
Use an animated GIF as your buddy picture.
Choose Invisible if you want to see whos available, but not be seen yourself.

42 iChat

SMS messaging
Exchange SMS messages from iChat with a buddy using a mobile phone, such as iPhone. Choose File > Send SMS, and then enter your buddys phone number.
This buddy can receive SMS messages.
Note: SMS messaging is available only with U.S. mobile phones. iChat 43

Dashboard

Create your own widget from any part of a webpage and see updates to it in Dashboard.

44 Dashboard

Web clip
To create a widget, open a webpage in Safari and choose File > Open in Dashboard. Safari automatically selects parts of the page as you move the pointer over the page.
Go to the webpage in Safari and click this button.
When youve selected the part you want, click Add.
Drag the selection rectangle over the information and click. You can then resize the selection.

Dashboard 45

Safari
The most elegant web browser is even easier to use with dynamic tabbed browsing and other new features.

46 Safari

Tabbed browsing
Now you can drag tabs to arrange them or pull them out into a new window. To merge open windows into a single tabbed window, choose Window > Merge All Windows.
Drag a tab out of the window to put it in a separate window. Drag tabs to rearrange the order theyre in. To switch between tabs, press Command-Shift-Right bracket ( ] ) or Command-Shift-Left bracket ( [ ).

Safari 47

To search for text in a webpage, choose Edit > Find > Find, and then type your search. To make it easier to see what youre looking for, Safari highlights all the results.
Click these arrows to highlight individual occurrences.
Safari highlights the results in the webpage so that theyre easy to locate.

48 Safari

PDF viewing
You can view PDF files in the Safari window. Youll find new controls that make it easier to work with these files.
Open the PDF file in Preview or save it in your Downloads stack.
To see the controls, move the pointer to the bottom of the Safari window.

Safari 49

Parental Controls
Give yourself peace of mind. Manage the time your children spend on the computer and what they do there.

50 Parental Controls

Time limits
Manage when your children use the computer by setting time limits for weekdays, weekends, and nights.
Specify how many hours a day your child may use the computer.
Specify the hours during which your child may not use the computer on school nights and weekends.

Parental Controls 51

Front Row
Enjoy your digital entertainment on your Mac from anywhere in the room. Grab a seat and your remote, and start the show.

60 Front Row

Apple Remote
To open Front Row, click Menu on your Apple Remote. Click Volume Up and Volume Down to highlight items. Click Play to select an item. Click Menu to return to the previous menu.
Select what you want to watch.
Use your Apple Remote to sit back and enjoy the show.

Front Row 61

Photo gallery
Turn your Mac into a gallery for your favorite photos. With Front Row, you can show your photos in iPhoto, Photo Booth, and Aperture.
Click to view shared photos on your network. Choose the photo album or iPhoto Event you want to show.

62 Front Row

Shared media
From Front Row, you can view digital entertainment shared from other computers on your network.
Select how you want Front Row to display your photos.

Front Row 63

Boot Camp
To use a Windows application on your Mac, install Boot Camp and your copy of Windows. Then youre ready to go.

64 Boot Camp

Install Boot Camp
Open Boot Camp Setup Assistant (in the Utilities folder in the Applications folder) and print the Boot Camp Installation & Setup Guide. Then create a partition for Windows.
Print this document to follow the instructions while installing Windows. Drag the divider to set the size of the Windows partition.
If you installed a beta version of Boot Camp, you only need to install the new Windows drivers by switching to Windows and inserting the Leopard installation disc.

Boot Camp 65

Install Windows
Insert your Windows XP or Windows Vista installation disc and click Start Installation.
Install the Windows drivers when you finish installing and setting up Windows.
Click when youre ready to install Windows on your Mac.

66 Boot Camp

Switch systems
In Mac OS X, open Startup Disk preferences to select your Windows partition. In Windows, open the Boot Camp Control Panel and then click Startup Disk.
Select your Windows partition and then click Restart.
Select your Mac OS X startup disk and then click Restart.

Boot Camp 67

Here if you need us
Learning more, service, and support
Online resources For online service and support information, visit www.apple.com/support. Choose your country from the pop-up menu. You can search for the latest software updates and manuals, find answers using the AppleCare Knowledge Base, or get help from Apples discussion forums. Onscreen help You can often find answers to your questions, as well as instructions and problemsolving information by using the Help menu in some applications. Choose Help from the Finder Help menu, type a few words in the search field, and then press Return. System profiler Use System Profiler to retrieve information about your computer. System Profiler indicates the hardware and software installed on your computer, the serial number and operating system version, the amount of memory installed, and how much battery power remains. To open System Profiler, choose Apple (K) > About This Mac from the menu bar, and then click the More Info button.

70 Apple Support

AppleCare service and support information
Your Mac OS X product comes with 90 days of complimentary telephone support. AppleCare telephone support representatives can help you open and install applications and solve basic problems. Consult the table below, and then call the support center nearest you. Have the date of purchase and your Apple computer serial number ready when you call. Note: Telephone feesmay apply. You can extend your coverage by purchasing the AppleCare Protection Plan. For more information about the AppleCare Protection Plan, visit the AppleCare Products and Services website at www.apple.com/support/products. For additional information about contacting Apple Support, visit www.apple.com/ contact/phone_contacts.html. (Telephone numbers are subject to change.) Technical Support Numbers
United States Canada (English) Canada (French) Mexico Australia New Zealand United Kingdom 1-800-1-800-263-3394 1-800-263-3394 01-800-277-5322 (61) 133-622 00800-7666-7666 (44) 0753 www.apple.com/support www.apple.com/ca/support www.apple.com/ca/fr/support www.apple.com/mx/support www.apple.com/au/support www.apple.com/nz/support www.apple.com/uk/support

Apple Support 71

SOFTWARE LICENSE AGREEMENT FOR MAC OS X

APPLE INC.

Single Use and Family Pack License for use on Apple-labeled Systems
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (LICENSE) CAREFULLY BEFORE USING THE APPLE SOFTWARE. BY USING THE APPLE SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THE LICENSE, YOU MAY RETURN THE APPLE SOFTWARE TO THE PLACE WHERE YOU OBTAINED IT FOR A REFUND. IF THE APPLE SOFTWARE WAS ACCESSED ELECTRONICALLY, CLICK DISAGREE/ DECLINE FOR APPLE SOFTWARE INCLUDED WITH YOUR PURCHASE OF HARDWARE, YOU MUST RETURN THE. ENTIRE HARDWARE/SOFTWARE PACKAGE IN ORDER TO OBTAIN A REFUND. IMPORTANT NOTE: This software may be used to reproduce, modify, publish and distribute materials. It is licensed to you only for reproduction, modification, publication and distribution of non-copyrighted materials, materials in which you own the copyright, or materials you are authorized or legally permitted to reproduce, modify, publish or distribute. If you are uncertain about your right to copy, modify, publish or distribute any material, you should contact your legal advisor. 1. General. The software (including Boot ROM code), documentation and any fonts accompanying this License whether preinstalled on Apple-labeled hardware, on disk, in read only memory, on any other media or in any other form (collectively the Apple Software) are licensed, not sold, to you by Apple Inc. (Apple) for use only under the terms of this License, and Apple reserves all rights not expressly granted to you. The rights granted herein are limited to Apples and its licensors intellectual property rights in the Apple Software as licensed hereunder and do not include any other patents or intellectual property rights. You own the media on which the Apple Software is recorded but Apple and/or Apples licensor(s) retain ownership of the Apple Software itself. The terms of this License will govern any software upgrades provided by Apple that replace and/or supplement the original Apple Software product, unless such upgrade is accompanied by a separate license in which case the terms of that license will govern. Title and intellectual property rights in and to any content displayed by or accessed through the Apple Software belongs to the respective content owner. Such content may be protected by copyright or other intellectual property laws and treaties, and may be subject to terms of use of the third party providing such content. This License does not grant you any rights to use such content nor does it guarantee that such content will continue to be available to you. 2. Permitted License Uses and Restrictions. A. Single Use. This License allows you to install, use and run one (1) copy of the Apple Software on a single Apple-labeled computer at a time. You agree not to install, use or run the Apple Software on any non-Apple-

labeled computer, or to enable others to do so. This License does not allow the Apple Software to exist on more than one computer at a time, and you may not make the Apple Software available over a network where it could be used by multiple computers at the same time. B. Family Pack. If you have purchased a Mac OS X Family Pack, this License allows you to install and use one (1) copy of the Apple Software on up to a maximum of five (5) Apple-labeled computers at a time as long as those computers are located in the same household and used by persons who occupy that same household. By household we mean a person or persons who share the same housing unit such as a home, apartment, mobile home or condominium, but shall also extend to student members who are primary residents of that household but residing at a separate on-campus location. The Family Pack License does not extend to business or commercial users. C. You may make one copy of the Apple Software (excluding the Boot ROM code and other Apple firmware that is embedded or otherwise contained in Apple-labeled hardware) in machine-readable form for backup purposes only; provided that the backup copy must include all copyright or other proprietary notices contained on the original. Apple Boot ROM code and firmware is provided only for use on Apple-labeled hardware and you may not copy, modify or redistribute the Apple Boot ROM code or firmware, or any portions thereof. D. Certain components of the Apple Software, and third party open source programs included with the Apple Software, have been or may be made available by Apple on its Open Source web site (http://www. opensource.apple.com/) (collectively the Open-Sourced Components). You may modify or replace only these Open-Sourced Components; provided that: (i) the resultant modified Apple Software is used, in place of the unmodified Apple Software, on a single Apple-labeled computer; and (ii) you otherwise comply with the terms of this License and any applicable licensing terms governing use of the Open-Sourced Components. Apple is not obligated to provide any updates, maintenance, warranty, technical or other support, or services for the resultant modified Apple Software. You expressly acknowledge that if failure or damage to Apple hardware results from modification of the OpenSourced Components of the Apple Software, such failure or damage is excluded from the terms of the Apple hardware warranty. E. Apple has provided, as part of the Apple Software package, access to certain third party software as a convenience. To the extent that the Apple Software contains third party software, Apple has no express or implied obligation to provide any technical or other support for such software. Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products. F. Except as and only to the extent permitted by applicable licensing terms governing use of the Open-Sourced Components, or by applicable law, you may not copy, decompile, reverse engineer, disassemble, modify, or create derivative works of the Apple Software or any part thereof. THE APPLE SOFTWARE IS NOT INTENDED

FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL SYSTEMS, LIFE SUPPORT MACHINES OR OTHER EQUIPMENT IN WHICH THE FAILURE OF THE APPLE SOFTWARE COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE. G. If you use Setup/Migration Assistant to transfer software from one Apple-labeled computer to another Apple-labeled computer, please remember that continued use of the original copy of the software may be prohibited once a copy has been transferred to another computer, unless you already have a licensed copy of such software on both computers. You should check the relevant software license agreements for applicable terms and conditions. 3. Transfer. You may not rent, lease, lend, redistribute or sublicense the Apple Software. Subject to the restrictions set forth below, you may, however, make a one-time permanent transfer of all of your license rights to the Apple Software (in its original form as provided by Apple) to another party, provided that: (a) the transfer must include all of the Apple Software, including all its component parts (excluding Apple Boot ROM code and firmware), original media, printed materials and this License; (b) you do not retain any copies of the Apple Software, full or partial, including copies stored on a computer or other storage device; and (c) the party receiving the Apple Software reads and agrees to accept the terms and conditions of this License. You may not rent, lease, lend, redistribute, sublicense or transfer any Apple Software that has been modified or replaced under Section 2D above. All components of the Apple Software are provided as part of a bundle and may not be separated from the bundle and distributed as standalone applications. Apple Software provided with a particular Apple-labeled hardware product may not run on other models of Apple-labeled hardware. Updates: If an Apple Software update completely replaces (full install) a previously licensed version of the Apple Software, you may not use both versions of the Apple Software at the same time nor may you transfer them separately. NFR (Not for Resale) and Evaluation Copies: Notwithstanding other sections of this License, Apple Software labeled or otherwise provided to you on a promotional or not-for-resale basis may only be used for demonstration, testing and evaluation purposes and may not be resold or transferred. Apple System Restore Copies: Restore CDs or DVDs that may accompany an Apple hardware bundle, or are otherwise provided by Apple in connection with an Apple hardware bundle, contain a copy of the Apple Software that is to be used for diagnostic and restorative purposes only. These CDs and DVDs may be resold or transferred only as part of the Apple hardware bundle. Academic Copies: If the Apple Software package has an academic label or if you acquired the Apple Software at an academic discount, you must be an Eligible Educational End User to use the Apple Software. Eligible Educational End Users means students, faculty, staff and administration attending and/or working at an educational institutional facility (i.e., college campus, public or private K-12 schools).

4. Consent to Use of Data. You agree that Apple and its subsidiaries may collect and use technical and related information, including but not limited to technical information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the Apple Software, and to verify compliance with the terms of this License. Apple may use this information, as long as it is in a form that does not personally identify you, to improve our products or to provide services or technologies to you. 5. Termination. This License is effective until terminated. Your rights under this License will terminate automatically without notice from Apple if you fail to comply with any term(s) of this License. Upon the termination of this License, you shall cease all use of the Apple Software and destroy all copies, full or partial, of the Apple Software. 6. Limited Warranty on Media. Apple warrants the media on which the Apple Software is recorded and delivered by Apple to be free from defects in materials and workmanship under normal use for a period of ninety (90) days from the date of original retail purchase. Your exclusive remedy under this Section shall be, at Apples option, a refund of the purchase price of the product containing the Apple Software or replacement of the Apple Software which is returned to Apple or an Apple authorized representative with a copy of the receipt. THIS LIMITED WARRANTY AND ANY IMPLIED WARRANTIES ON THE MEDIA INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, OF SATISFACTORY QUALITY, AND OF FITNESS FOR A PARTICULAR PURPOSE, ARE LIMITED IN DURATION TO NINETY (90) DAYS FROM THE DATE OF ORIGINAL RETAIL PURCHASE. SOME JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THE LIMITED WARRANTY SET FORTH HEREIN IS THE ONLY WARRANTY MADE TO YOU AND IS PROVIDED IN LIEU OF ANY OTHER WARRANTIES (IF ANY) CREATED BY ANY DOCUMENTATION, PACKAGING OR OTHERWISE. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY BY JURISDICTION. 7. Disclaimer of Warranties. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE APPLE SOFTWARE IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. EXCEPT FOR THE LIMITED WARRANTY ON MEDIA SET FORTH ABOVE AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE APPLE SOFTWARE AND ANY SERVICES PERFORMED OR PROVIDED BY THE APPLE SOFTWARE (SERVICES) ARE PROVIDED AS IS WITH ALL FAULTS AND WITHOUT , WARRANTY OF ANY KIND, AND APPLE AND APPLES LICENSORS (COLLECTIVELY REFERRED TO AS APPLE FOR THE PURPOSES OF SECTIONS 7 and 8) HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE APPLE SOFTWARE AND ANY SERVICES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. APPLE DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE APPLE SOFTWARE, THAT THE FUNCTIONS CONTAINED IN, OR SERVICES PERFORMED

8. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL APPLE BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE APPLE SOFTWARE, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF APPLE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU. In no event shall Apples total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) exceed the amount of fifty dollars ($50.00). The foregoing limitations will apply even if the above stated remedy fails of its essential purpose. 9. Digital Certificates. General. The Apple Software contains functionality that allows it to accept digital certificates either issued from Apple or from third parties. YOU ARE SOLELY RESPONSIBLE FOR DECIDING WHETHER OR NOT TO RELY ON A CERTIFICATE WHETHER ISSUED BY APPLE OR A THIRD PARTY. YOUR USE OF DIGITAL CERTIFICATES IS AT YOUR SOLE RISK. APPLE MAKES NO WARRANTIES OR REPRESENTATIONS, EXPRESS OR IMPLIED, AS TO MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE, ACCURACY, SECURITY, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH RESPECT TO DIGITAL CERTIFICATES. You agree that (a) you will not falsify or misuse any certificate; (b) you will use Digital Certificates for legal purposes only and in accordance with any applicable Certificate Policy, Certificate Practice Statement or other Certificate Authority business practice disclosures; (c) you are solely responsible for preventing any unauthorized user from making use of your Digital Certificates; and (d) you will revoke any certificate that you have reason to believe has been compromised. Use of Digital Certificates in iChat. The Apple Software allows you to encrypt your iChat communications. This feature uses digital certificates to verify that the iChat is coming from the iChat screen name that appears in the iChat window and to encrypt and decrypt the chat. It does not verify the identity of the person using that screen name. Apple does not guarantee that there will be no hacking or intrusions into the chat. YOUR USE OF THIS FEATURE IN CONNECTION WITH ICHAT IS AT YOUR SOLE RISK. APPLE MAKES NO WARRANTIES OR REPRESENTATIONS, EXPRESS OR IMPLIED, AS TO MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE, ACCURACY, SECURITY, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS WITH RESPECT TO THE USE OF DIGITAL CERTIFICATES AND/OR ENCRYPTION IN ICHAT. By using the Apple Software, you agree that (a) you will take no action that interferes with the normal operation of digital certificates or encryption used in an iChat session or otherwise falsify the digital certificate used to validate a screen name; (b) you will use the encrypted iChat function solely for legal purposes; (c) you are solely responsible for preventing any unauthorized user from having access to any certificate or private key stored on your computer; and (d) you will revoke any certificate that you have reason to believe is compromised. Apples Certificate Policy and Certificate Practice Statements

for such free software under the terms of the GPL or LGPL, as the case may be, without charge except for the cost of media, shipping, and handling, upon written request to Apple. The GPL/LGPL software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. A copy of the GPL and LGPL is included with the Apple Software. C. The Apple Software includes certain software licensed under the IBM Public License Version 1.0 (IPL) or the Common Public License Version 1.0 (CPL). A copy of the source code for the IPL and CPL licensed software may be found in Apples Open Source repository. See Apples Open Source web site (http://www.opensource.apple. com/) for information on how to obtain the source code. THE IPL AND CPL SOFTWARE IS PROVIDED ON AN AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NEITHER APPLE, IBM NOR ANY OTHER CONTRIBUTOR TO THE IPL AND CPL SOFTWARE SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE IPL AND CPL SOFTWARE OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. D. MPEG-2 Notice. To the extent that the Apple Software contains MPEG-2 functionality, the following provision applies: ANY USE OF THIS PRODUCT OTHER THAN CONSUMER PERSONAL USE IN ANY MANNER THAT COMPLIES WITH THE MPEG-2 STANDARD FOR ENCODING VIDEO INFORMATION FOR PACKAGED MEDIA IS EXPRESSLY PROHIBITED WITHOUT A LICENSE UNDER APPLICABLE PATENTS IN THE MPEG-2 PATENT PORTFOLIO, WHICH LICENSE IS AVAILABLE FROM MPEG LA, L.L.C, 250 STEELE STREET, SUITE 300, DENVER, COLORADO 80206. E. Use of MPEG-4. This product is licensed under the MPEG-4 Systems Patent Portfolio License for encoding in compliance with the MPEG-4 Systems Standard, except that an additional license and payment of royalties are necessary for encoding in connection with (i) data stored or replicated in physical media which is paid for on a title by title basis and/or (ii) data which is paid for on a title by title basis and is transmitted to an end user for permanent storage and/or use. Such additional license may be obtained from MPEG LA, LLC. See http://www. mpegla.com for additional details. This product is licensed under the MPEG-4 Visual Patent Portfolio License for the personal and non-commercial use of a consumer for (i) encoding video in compliance with the MPEG-4 Visual Standard (MPEG-4 Video) and/ or (ii) decoding MPEG-4 video that was encoded by a consumer engaged in a personal and non-commercial activity and/or was obtained from a video provider licensed by MPEG LA to provide MPEG-4 video. No license is granted or shall be implied for any other use. Additional information including that relating to promotional, internal and commercial uses and licensing

may be obtained from MPEG LA, LLC. See http: //www.mpegla.com. For answers to frequently asked questions regarding use fees under the MPEG LA Visual Patent Portfolio License see www.apple.com/mpeg4 or www. apple.com/quicktime/products/qt/faq.html. F. H.264/AVC Notice. To the extent that the Apple Software contains AVC encoding and/or decoding functionality, commercial use of H.264/AVC requires additional licensing and the following provision applies: THE AVC FUNCTIONALITY IN THIS PRODUCT IS LICENSED HEREIN ONLY FOR THE PERSONAL AND NONCOMMERCIAL USE OF A CONSUMER TO (i) ENCODE VIDEO IN COMPLIANCE WITH THE AVC STANDARD (AVC VIDEO) AND/OR (ii) DECODE AVC VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL AND NON-COMMERCIAL ACTIVITY AND/OR AVC VIDEO THAT WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. INFORMATION REGARDING OTHER USES AND LICENSES MAY BE OBTAINED FROM MPEG LA L.L.C. SEE HTTP://WWW.MPEGLA.COM. G. AMR Notice. The Adaptive Multi-Rate (AMR) encoding and decoding functionality in this product is not licensed to perform cellular voice calls, or for use in any telephony products built on the QuickTime architecture for the Windows platform. The AMR encoding and decoding functionality in this product is also not licensed for use in a cellular communications infrastructure including: base stations, base station controllers/radio network controllers, switching centers, and gateways to and from the public switched network. H. FAA Notice. Aircraft Situation Display and National Airspace System Status Information data (collectively Flight Data) displayed through the Apple Software is generated by the Federal Aviation Administration. You agree not to redistribute Flight Data without the prior written consent of the FAA. The FAA and Apple disclaim all warranties, expressed or implied (including the implied warranties of merchantability and fitness for a particular purpose), regarding the use and accuracy of the Flight Data. You agree that the FAA and Apple shall not be liable, either collectively or individually, for any loss, damage, claim, liability, expense, or penalty, or for any indirect, special, secondary, incidental, or consequential damages deriving from the use of the Flight Data. The Apple Software is not sponsored or endorsed by the FAA. The FAA is not responsible for technical or system problems, and you should not contact the FAA regarding such problems or regarding operational traffic flow issues. I. Use of Adobe Color Profiles. You may use the Adobe Color Profile software included with the Apple Software pursuant to this License, but Adobe is under no obligation to provide any support for the Color Profiles hereunder, including upgrades or future versions of the Profiles or other items. In addition to the provisions of Sections 7 and 8 above, IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY DAMAGES, CLAIMS OR COSTS WHATSOEVER. The Adobe Color Profile software distributed with the Apple Software is also available for download from Adobe at www.adobe.com. EA0390 Rev. 8-14-07

Viewing PDF Guides on Screen
While reading the PDF version of a guide onscreen: Show bookmarks to see the guides outline, and click a bookmark to jump to the corresponding section. Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs. Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.

Printing PDF Guides

If you want to print a guide, you can take these steps to save paper and ink: Save ink or toner by not printing the cover page. Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white. Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started). Then choose Layout from the untitled pop-up menu. If your printer supports two-sided (duplex) printing, select one of the Two-Sided options. Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose Single Hairline from the Border menu. (If youre using Mac OS X v10.4 or earlier, the Scale setting is in the Page Setup dialog and the Layout settings are in the Print dialog.) You may want to enlarge the printed pages even if you dont print double sided, because the PDF page size is smaller than standard printer paper. In the Print dialog or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has CDsize pages).
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised help pages update the latest editions of the guides.
To view new onscreen help topics for a server application, make sure your server or administrator computer is connected to the Internet and click Latest help topics or Staying current in the main help page for the application. To download the latest guides in PDF format, go to the Mac OS X Server documentation website: www.apple.com/server/documentation An RSS feed listing the latest updates to Mac OS X Server documentation and onscreen help is available. To view the feed use an RSS reader application, such as Safari or Mail: feed://helposx.apple.com/rss/leopard/serverdocupdates.xml
Getting Additional Information
For more information, consult these resources: Read Me documentsimportant updates and special information. Look for them on the server discs. Mac OS X Server website (www.apple.com/server/macosx)gateway to extensive product and technology information. Mac OS X Server Support website (www.apple.com/support/macosxserver)access to hundreds of articles from Apples support organization. Apple Discussions website (discussions.apple.com)a way to share questions, knowledge, and advice with other administrators. Apple Mailing Lists website (www.lists.apple.com)subscribe to mailing lists so you can communicate with other administrators using email. Apple Customer Training website (train.apple.com)instructor-led and self-paced courses for honing your server administration skills. Apple Certification Programs website (train.apple.com/certification/)in-depth certification programs designed to create a high level of competency among Macintosh service technicians, help desk personnel, technical coordinators, system administrators, and other professional users. Apple Product Security Mailing Lists website (lists.apple.com/mailman/listinfo/securityannounce)mailing lists for communicating by email with other administrators about security notifications and announcements. Open Source website (developer.apple.com/opensource/)access to Darwin open source code, developer information, and FAQs. Apple Product Security website (www.apple.com/support/security/)access to security information and resources, including security updates and notifications.

> setenv security-mode full
5 Restart the computer and enable Open Firmware settings with the following command:

> reset-all

The login window should appear after restarting.
To test your settings, attempt to start up in single-user mode. Restart the computer while holding down the Command and S keys. If the login window appears, your Open Firmware settings are set correctly.
Using Command-Line Tools for Secure Startup
You can also configure Open Firmware or EFI from the command line by using the nvram tool. However, only the security-mode environment variable can be securely set. You can set the security mode to one of the following values: None: This is the default value of security-mode and provides no security to your computers Open Firmware. Command: This value requires a password if changes are made to Open Firmware or a user attempts to start up from an alternate volume or device. Full: This value requires a password to start up or restart your computer. It also requires a password to make changes to Open Firmware. For example, to set the security-mode to full you would use the following command:
$ sudo nvram setsecurity-mode=Full
Do not set the security-password variable with nvram because the password is visible when viewing the environment variable list. The nvram tool requires system administrator or root access to set environment variables. To securely set the password for EFI, use the Firmware Password Utility. From the Command Line:
# Securing Global System Settings # ------------------------------------------------------------------------# Configuring Open Firmware Settings # ---------------------------------# Secure startup by setting security-mode. Replace $mode-value with # command or full. nvram security-mode=$mode-value # Verify security-mode setting. nvram -p

Intel-Based Systems

Intel-based computers use EFI to control low-level hardware. EFI is similar to BIOS on an x86 PC and is the hardware base layer for Mac OS X computers with Intel-based processors. By protecting it from unauthorized access you can prevent attackers from gaining access to your computer.
Intel-based and PowerPC-based computers can use the Firmware Password Utility to password protect the hardware layer. For information on using the Firmware Password Utility, see Using the Firmware Password Utility on page 52.
Configuring Access Warnings
You can use a login window or Terminal access warning to provide notice of a computers ownership, to warn against unauthorized access, or to remind authorized users of their consent to monitoring.

2 Disable automatic actions when inserting media by choosing Ignore for each pop-up menu. From the Command Line:
# Securing CDs & DVDs Preferences # ----------------------------# Disable blank CD automatic action. defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1 # Disable music CD automatic action. defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1 # Disable picture CD automatic action. defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1 # Disable blank DVD automatic action. defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1 # Disable video DVD automatic action. defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1
Securing Date & Time Preferences
Correct date and time settings are required for authentication protocols, like Kerberos. Incorrect date and time settings can cause security issues.
You can use Date & Time preferences (shown below) to set the date and time based on a Network Time Protocol (NTP) server. If you require automatic date and time, use a trusted, internal NTP server.
To securely configure Date & Time preferences: 1 Open Date & Time preferences. 2 In the Date & Time pane, enter a secure and trusted NTP server in the Set date & time automatically field. 3 Click the Time Zone button. A screen similar to the following appears:
4 Choose a time zone. From the Command Line:
# Securing Date & Time Preferences # ----------------------------# Set the NTP server. cat >> /etc/ntp.conf << END server time.apple.com END # Set the date and time. systemsetup -settimezone $Time_Zone
Securing Desktop & Screen Saver Preferences
You can use Desktop & Screen Saver preferences (shown below) to configure a password-protected screen saver to prevent unauthorized users from accessing unattended computers.
You can use several authentication methods to unlock the screen saver, including digital tokens, smart cards, and biometric readers. You should also set a short inactivity interval to decrease the amount of time the unattended computer is unlocked. For information about requiring authentication for screen savers, see Securing Security Preferences on page 107.

Modifying ACL Permissions
You can set ACL permission for files. The chmod command enables an administrator to grant read, write, and execute privileges to specific users regarding a single file. To set ACL permissions for a file: 1 Allow specific users to access specific files. For example, to allow Anne Johnson permission to read the file secret.txt, enter the following in Terminal:
$ chmod +a ajohnson allow read secret.txt
2 Allow specific groups of users to access specific files. For example, to allow the engineers group permission to delete the file secret.txt, enter the following in Terminal:
$ chmod +a engineers allow delete secret.txt
3 Deny access privileges to specific files. For example, to prevent Tom Clark from modifying the file secret.txt, enter the following in Terminal:
$ chmod +a tclark deny write secret.txt
4 View and validate the ACL modifications with the ls command:
$ ls -le secret.txt -rw------- 1 ajohnson admin 43008 Apr secret.txt 0: ajohnson allow read 1: tclark deny write 2: engineers allow delete
For more information, enter man chmod in a Terminal window.
Setting Global File Permissions
Every file or folder has POSIX permissions associated with it. When you create a file or folder, the umask setting determines these POSIX permissions. The umask value is subtracted from the maximum permissions value (777) to determine the default permission value of a newly created file or folder. For example, a umask of 022 results in a default permission of 755. The default umask setting 022 (in octal) removes group and other write permissions. Group members and other users can read and run these files or folders. Changing the umask setting to 027 enables group members to read files and folders and prevents others from accessing the files and folders. If you want to be the only user to access your files and folders, set the umask setting to 077. To change the globally defined umask setting, change the NSUmask setting. You must be logged in as a user who can use sudo to perform these operations and you must use the decimal equivalent, not an octal number.

If you want to protect file or folders on portable media or a network volume, you must create an encrypted disk image on the portable media or network volume. You can then mount these encrypted disk images, which protect data transmitted over the network using AES-256 encryption. When using this method, you must only mount the encrypted disk image from one computer at a time to prevent irreparable corruption to the image content. For information about encrypting specific files or folders for transfer from your network home folder, see Encrypting Portable Files on page 134. When you set up FileVault, you create a master password. If you forget your login password, you can use your master password to recover encrypted data. If you forget your login password and your master password, you cannot recover your data. Because of this, consider sealing your master password in an envelope and storing it in a secure location. You can use Password Assistant to help create a complex master password that cannot be easily compromised. For information, see Using Passwords on page 70. Enabling FileVault copies data from your home folder into an encrypted home folder. After copying, FileVault erases the unencrypted data. By default FileVault insecurely erases the unencrypted data, but if you enable secure erase, your unencrypted data is securely erased.

Overview of FileVault

Mac OS X v10.5 extends the unlocking of FileVault to Smart Cards, which provides the most secure practice for protecting FileVault accounts. Accounts protected by FileVault support authentication using a passphrase or a Smart Card. With Smart Card authentication, the AES-256 symmetric Data key (DK) used to encrypt the users data is unwrapped using a private (encryption) key on the Smart Card. The data written to or read from disk is encrypted and decrypted on the fly during access. FileVault encrypts the Data Key (DK) using the User Key (UK1), which can be generated from your passphrase or from the public key on your Smart Card. FileVault separately encrypts the Data Key using the FileVault Master Key (MK). The architectural design of FileVault makes it possible for the MK and UK1 to encrypt and decrypt files. Providing strong encryption protects user data at rest while ensuring access management by IT staff. The easiest method for centralized management of FileVault on a client computer is to use Mac OS X Server v10.5 and WorkGroup Manager to enforce the use of FileVault and the proper identity.

Managing FileVault

You can set a FileVault master keychain to decrypt an account that uses FileVault to encrypt data. Then if users forget their FileVault account password (which they use to decrypt encrypted data), you can use the FileVault master keychain to decrypt the data. To create the FileVault master keychain: 1 Open System Preferences. 2 Click Security, then click FileVault. 3 Click Master Password and set a master password. Select a strong password and consider splitting the password into at least two components (first half and second half ). You can use Password Assistant to ensure that the quality of the password is strong. To avoid having one person know the full password, have separate security administrators keep each password component. This prevents a single person from unlocking (decrypting) a FileVault account. For more information about Password Assistant, see Using Passwords on page 70. This creates a keychain called FileVaultMaster.keychain in /Library/Keychains/. The FileVault master keychain contains a FileVault recovery key (self-signed root certificate) and a FileVault master password key (private key). 4 Delete the certificate named FileVaultMaster.cer in the same location as the FileVaultMaster.keychain. FileVaultMaster.cer is only used for importing the certificate into the keychain. This is only a certificate and does not contain the private key, so there is no security concern about someone gaining access to this certificate. 5 Make a copy of FileVaultMaster.keychain and put it in a secure place. 6 Delete the private key from FileVaultMaster.keychain created on the computer to modify the keychain. This ensures that even if someone unlocks the FileVault master keychain they cannot decrypt the contents of a FileVault account because there is no FileVault master password private key available for decryption.

2 Restart the computer while holding down the C key. The computer starts up from the disc in the optical drive. 3 Proceed past the language selection step. 4 Choose Utilities > Disk Utility. 5 Select the partition you want to securely erase. Select a partition, not a drive. Partitions are contained in drives and are indented one level in the list on the left. 6 Click Erase, choose Mac OS Extended Journaled, and then click Security Options. Mac OS Extended disk formatting provides enhanced multiplatform interoperability. 7 Choose an erase option and click OK. 8 Click Erase. Securely erasing a partition can take time, depending on the size of the partition and the method you choose.
Using Command-Line Tools to Securely Erase Files
You can use the srm command in Terminal to securely erase files or folders. By using srm, you can remove each file or folder by overwriting, renaming, and truncating the file or folder before erasing it. This prevents other people from undeleting or recovering information about the file or folder. For example, srm supports simple methods, like overwriting data with a single pass of zeros, to more complex ones, like using a 7-pass or 35-pass erase. The srm command cannot remove a write-protected file owned by another user, regardless of the permissions of the directory containing the file. WARNING: Erasing files with srm is irreversible. Before securely erasing files, back up critical files you want to keep. To securely erase a folder named secret:

$ srm -r -s secret

The -r option removes the content of the directory and the -s option (simple) overwrites with a single random pass. For a more secure erase, use the -m (medium) option to perform a 7-pass erase of the file. The -s option overrides the -m option if both are present. If neither is specified, the 35-pass is used. For more information, see the srm man page.

Using Secure Empty Trash

Secure Empty Trash uses a 7-pass erase to securely erase files stored in the Trash. Depending on the size of the files being erased, securely emptying the Trash can take time to complete. WARNING: Using Secure Empty Trash is irreversible. Before securely erasing files, back up critical files you want to keep. To use Secure Empty Trash: 1 Open the Finder. 2 Choose Finder > Secure Empty Trash. 3 Click OK.
Using Disk Utility to Securely Erase Free Space
You can use Disk Utility to securely erase free space on partitions, using a zero-out erase, a 7-pass erase, or a 35-pass erase. To securely erase free space using Disk Utility: 1 Open Disk Utility (located in /Applications/Utilities/). 2 Select the partition to securely erase free space from. Select a partition, not a drive. Partitions are contained in drives and are indented one level in the list on the left. 3 Click Erase and then click Erase Free Space. 4 Choose an erase option and click Erase Free Space. Securely erasing free space can take time, depending on the amount of free space being erased and the method you choose. 5 Choose Disk Utility > Quit Disk Utility.

Protection from Unauthorized Applications
Applications not in the list that have been digitally signed by a CA trusted by the system (for the purpose of code signing) can to receive incoming connections. Every Apple application in Mac OS X v10.5 has been signed by Apple and can receive incoming connections. To deny a digitally signed application, add it to the list and then explicitly deny it. If you run an unsigned application not in the Application firewall list, you must allow or deny connections for the application using the dialog. If you choose Allow, Mac OS X v10.5 signs the application and adds it to the Application firewall list. If you choose Deny, Mac OS X v10.5 signs the application, adds it to the Application Firewall list, and denies the connection. Some applications check their own integrity when they are run without using codesigning. If the Application firewall recognizes the application, it does not sign the application instead, it displays the dialog every time the application runs. To prevent this dialog from appearing, upgrade to a version of the application that is signed by its developer. Some harmful applications can cause problems for your computer. Frequently, a harmful application tries to appear as an innocent document, such as a movie or graphic file. These applications, called trojans, are most often spread by Internet downloads and mail enclosures. Important: If you receive an application warning and you dont expect the file to be an application, dont open the file. Delete it from your computer. To protect your computer from harmful applications: Accept only applications from known and trusted sources. Run an antivirus program if you find suspicious files or applications, or if you notice unusual behavior on your computer. To reduce the amount of exposure to harmful applications or files, limit the number of administrator accounts you create. Consider creating a user account for your daily work and then use an administrator account only when you need to install software or administer accounts. If you enabled the root user and you dont need it, disable it.
Information Assurance with Services
Use this chapter to secure network and shared services.

Securing Local Services

Your Mac OS X v10.5 computer offers many services that can be quickly set up and configured. Although these services are helpful and easy to configure, they must be securely configured to prevent unauthorized users from accessing your computer. Most services can be securely configured by using strong passwords or by turning the services off when they are not in use.

$ ssh-keygen -t dsa

2 When prompted, enter a filename to save the keys in the users folder. 3 Enter a password followed by password verification (empty for no password). For example:
Generating public/private dsa key pair. Enter file in which to save the key (/Users/anne/.ssh/id_dsa): frog Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in frog. Your public key has been saved in frog.pub. The key fingerprint is: 4a:5c:6e:9f:3e:35:8b:e5:c9:5a:ac:00:e6:b8:d7:96 annejohnson1@mac.com
This creates two files. Your identification or private key is saved in one file (frog in our example) and your public key is saved in the other (frog.pub in our example). The key fingerprint, which is derived cryptographically from the public key value, is also displayed. This secures the public key, making it computationally infeasible for duplication. The location of the server SSH key is /etc/ssh_host_key.pub. Back up your key in case you need to reinstall your server software. If your server software is reinstalled, you can retain the server identity by putting the key back in its folder. 4 Copy the resulting public file, which contains the local computers public key, to the.ssh/ folder in the users home folder on the remote computer. The next time you log in to the remote computer from the local computer, you wont need to enter a password. If you are using an Open Directory user account and you have logged in using the account, you do not need to supply a password for SSH login. On Mac OS X Server computers, SSH uses Kerberos for single sign-on authentication with any user account that has an Open Directory password (but Kerberos must be running on the Open Directory server). For more information, see the Open Directory Administration guide.
Updating SSH Key Fingerprints
The first time you connect to a remote computer using SSH, the local computer prompts for permission to add the remote computers fingerprint (or encrypted public key) to a list of known remote computers. You might see a message like this:

Your computer can specify the type of authentication it requires, including password, Kerberos, or no authentication. If your computer connects to the Internet, require some form of authentication to avoid unknowingly connecting to a malicious controller. Malicious controllers can make agents run malicious software, create network connections, and possibly crash your computer. Similarly, clients or controllers that lack authentication might find their jobs (and sensitive data they contain) hijacked by malicious agents. Only connect to controllers that require authentication. Password authentication is a simple authentication solution that maintains the confidentiality of your password when validating the password supplied by the controller. After password authentication, communication with the controller is transmitted in clear text. If your connection uses Kerberos authentication, only the authentication with the controller is encrypted. From the Command Line:
# Xgrid Sharing # ----------------------------# Disable Xgrid Sharing. xgridctl controller stop xgridctl agent stop

Internet Sharing

Although Internet Sharing is a convenient way to share Internet access, enabling it is a security risk. Internet Sharing also violates many organizational security policies. Internet Sharing in Sharing preferences is preconfigured. Enabling Internet Sharing activates DHCP, NAT, and Firewall services, which are unconfigurable. A compromise to a single user node exposes the organizations network to attack. Internet Sharing is turned off by default and should remain off when it is not being used. This prevents unauthorized users from accessing your computer.
# Internet Sharing # ----------------------------# Disable Internet Sharing. defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT dict Enabled -int 0 launctl unload -w /System/Library/LaunchDaemons/\ com.apple.InternetSharing.plist
If you are in an environment where you need to share your Internet connection using AirPort, use the AirPort options to secure AirPort and prevent access to your computer from unauthorized users. When configuring AirPort options to secure Internet Sharing, choose a channel from the channel pop-up menu and enable encryption using WEP. Use a strong password for the connection, use Password Assistant to help you create a strong password, and set the WEP key length to 128 bit. When you finish sharing your Internet connection, turn the service off.

Chapter 13 Advanced Security Management
When a program asks for a right, Authorization Services executes the following algorithm: 1 It searches the policy database for a right specification whose key exactly matches the right name. 2 If that fails, it searches the policy database for a wildcard right specification whose key matches the right name. If multiple right specifications are present, it uses the one with the longest key. 3 If that fails, it uses the default right specification. After it has found the relevant right specification, Authorization Services evaluates the specification to decide whether to grant the right. In some cases this is easy. For example, in the extract from the policy database above, config.add. is always granted. In other cases it can be more complex. For example, setting the DVD region requires that you enter an administrator password.

The Rules Dictionary

A rule consists of a set of attributes. Rules are preconfigured when Mac OS X Server is installed, but applications can change them at any time. Rules are contained in the Rules dictionary. The following table describes the attributes defined for rules.
Rule attribute key Generic rule value Description The key is the name of a rule. A key uses the same naming conventions as a right. The Security Server uses a rules key to match the rule with a right. Wildcard keys end with a period (.). The generic rule has an empty key value. Rights that do not match a specific rule use the generic rule. admin true The user must authenticate as a member of this group. This attribute can be set to any one group. If this is set to true, the Security Server marks the credentials used to gain this right as shared. The Security Server can use any shared credentials to authorize this right. For maximum security, set sharing to false so credentials stored by the Security Server for one application cannot be used by another application. The credential used by this rule expires in the specified number of seconds. For maximum security where the user must authenticate every time, set the timeout to 0. For minimum security, remove the timeout attribute so the user authenticates only once per session.

group shared

timeout
There are specific rules in the policy database for Mac OS X applications. There is also a generic rule in the policy database that the Security Server uses for any right that doesnt have a specific rule.
Managing Authorization Rights
Managing authorization rights involves creating and modifying right and rule values.
Creating an Authorization Right
To authorize a user for specific rights, you must create an authorization right to the rights dictionary. Each right consists of the following: The name of the right A value that contains optional data pertaining to the right The byte length of the value field Optional flags The right always matches the generic rule unless a new rule is added to the policy database.

Too many log messages will fill storage space on the logging system, rendering further logging impossible. Log files can indicate suspicious activity only if a baseline of normal activity is established and if the logs are monitored for such activity. The following instructions assume a remote log server exists on the network. To enable remote logging: 1 Open /etc/syslog.conf as root. 2 Add the following line to the top of the file, replacing your.log.server with the name or IP address of the log server, and keeping all other lines intact:

*.* @your.log.server

3 Exit, saving changes. 4 Send a hangup signal to syslogd to make it reload the configuration file:
$ sudo killall HUP syslogd

Auditing System Activity

Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and the methods used for successful and failed access attempts. Mac OS X includes a suite of auditing tools to manage, refine, and view auditing logs. You install these tools from the installation disc. For information about these auditing tools, see the Common Criteria Configuration and Administration guide, available at www.apple.com/support/security/commoncriteria/.

Security Auditing

Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and methods used for successful and failed access attempts. The audit subsystem allows authorized administrators to create, read, and delete audit information. The audit subsystem creates a log of auditable events and allows the administrator to read audit information from the records in a manner suitable for interpretation. The default location for these files is the /var/audit/ folder. The audit subsystem is controlled by the audit utility located in the /usr/sbin/ folder. This utility transitions the system in and out of audit operation. The default configuration of the audit mechanism is controlled by a set of configuration files in the /etc/security/ folder.
If auditing is enabled, the /etc/rc startup script starts the audit daemon at system startup. All features of the daemon are controlled by the audit utility and the audit_control file.
Installing Auditing Tools
The Common Criteria Tools disk image (.dmg) file contains the installer for auditing tools. This disk image file is available from the Common Criteria webpage located at www.apple.com/support/security/commoncriteria/. After downloading the Common Criteria Tools disk image file, copy it to a removable disk, such as a CD-R disc, FireWire disk, or USB disk. To install the Common Criteria Tools software: 1 Insert the disk that contains the Common Criteria Tools disk image file and open the file to mount the volume containing the tools Installer. 2 Double-click the CommonCriteriaTools.pkg installer file. 3 Click Continue, then proceed through the installation by following the onscreen instructions. 4 When prompted to authenticate, enter the user name and password of the administrator account.

Intrusion Detection Systems
An intrusion detection system (IDS) monitors user activity and examines data received through the network. You are notified of suspicious activity, and in many cases the suspicious activity is automatically prevented. There are two types of intrusion detection systems: Host-based intrusion detection systems (HIDS). A HIDS monitors operating system activity on specific computers, but not network traffic. If an intruder repeats attempts to guess a login password, this can cause a HIDS alert. Network-based intrusion detection systems (NIDS). A NIDS examines network packets and compares them to a database of known attack patterns. For more information, see Intrusion Protection Using Open Source Tools (www.apple.com/itpro/articles/intrusionprotection/index2.html).

Security Checklist

Use the checklist in this appendix to follow the steps required to secure Mac OS X.
This appendix contains checklists of action items found throughout this guide, ordered by chapter. You can customize these checklists to suit your needs. For example, you can mark the completion status of action items in the Completed? column. If you deviate from the suggested action item, use the Notes column to justify or clarify your deviation.
Installation Action Items
For details, see Chapter 2, Installing Mac OS X, on page 29.
Action Item Securely erase the Mac OS X partition before installation Install Mac OS X using Mac OS Extended disk formatting Do not install unnecessary packages Do not transfer confidential information in Setup Assistant Do not connect to the Internet Create administrator accounts with difficult-to-guess names Create complex passwords for administrator accounts Do not enter a password-related hint; instead, enter help desk contact information Enter correct time settings Completed? Notes

Appendix

Action Item Use an internal Software Update server Update system software using verified packages Repair disk permissions after installing software or software updates

Completed?

Hardware Action Items

# Securing Startup Disk Preferences # ----------------------------# Set startup disk. systemsetup -setstartupdisk $path # Securing Time Machine Preferences # ----------------------------# Enable Time Machine. defaults write /Library/Preferences/com.apple.TimeMachine AutoBackup 1 # Securing System Swap and Hibernation Storage # ----------------------------# Enable secure virtual memory. defaults write /Library/Preferences/com.apple.virtualMemory \ UseEncryptedSwap -bool YES # ------------------------------------------------------------------# Information Assurance with Services # ------------------------------------------------------------------# DVD or CD Sharing # ------------------------# Disable DVD or CD Sharing. service com.apple.ODSAgent stop # Screen Sharing (VNC) # ------------------------# Disable Screen Sharing. srm /Library/Preferences/com.apple.ScreenSharing.launchd # Disable File Sharing services. # ------------------------# Disable FTP. launctl unload -w /System/Library/LaunchDaemons/ftp.plist
# Disable SMB. defaults delete /Library/Preferences/SystemConfiguration/ \ com.apple.smb.server EnabledServices launctl unload -w /System/Library/LaunchDaemons/nmbd.plist launctl unload -w /System/Library/LaunchDaemons/smbd.plist # Disable AFP. launctl unload -w /System/Library/LaunchDaemons/ \ com.apple.AppleFileServer.plist # Web Sharing # ----------------------------# Disable Web Sharing service. launctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist # Remote Login (SSH) # ----------------------------# Disable Remote Login. service ssh stop # Remote Management (ARD) # ----------------------------# Disable Remote Management. /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/\ Resources/kickstart -deactivate -stop # Remote Apple Events (RAE) # ----------------------------# Disable Remote Apple Events. launchctl unload -w /System/Library/LaunchDaemons/eppc.plist # Xgrid Sharing # ----------------------------# Disable Xgrid Sharing. xgridctl controller stop xgridctl agent stop # Internet Sharing # ----------------------------# Disable Internet Sharing. defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT dict Enabled -int 0 launctl unload -w /System/Library/LaunchDaemons/\ com.apple.InternetSharing.plist # Bluetooth Sharing # ----------------------------# Disable Bluetooth Sharing. defaults -currentHost write com.apple.bluetooth PrefKeyServicesEnabled 0
This glossary defines terms and spells out abbreviations you may encounter while working with online help or the various reference manuals for Mac OS X Server. References to terms defined elsewhere in the glossary appear in italics. access control A method of controlling which computers can access a network or network services. ACE Access Control Entry. An entry within the ACL that controls access rights. See ACL. ACL Access Control List. A list, maintained by a system, that defines the rights of users and groups to access resources on the system. administrator A user with server or directory domain administration privileges. Administrators are always members of the predefined admin group. administrator computer A Mac OS X computer onto which youve installed the server administration applications from the Mac OS X Server Admin CD. AFP Apple Filing Protocol. A client/server protocol used by Apple file service to share files and network services. AFP uses TCP/IP and other protocols to support communication between computers on a network. authentication The process of proving a users identity, typically by validating a user name and password. Usually authentication occurs before an authorization process determines the users level of access to a resource. For example, file service authorizes full access to folders and files that an authenticated user owns. authentication authority attribute A value that identifies the password validation scheme specified for a user and provides additional information as required. authorization The process by which a service determines whether it should grant a user access to a resource and how much access the service should allow the user to have. Usually authorization occurs after an authentication process proves the users identity. For example, file service authorizes full access to folders and files that an authenticated user owns.