Shared computers available on your network automatically appear here.
Commonly used searches are included in the sidebar, and you can add your own searches.

14 Finder

Spotlight
In a Finder window or the menu bar, use Spotlight to search for items on your computer. If you use the same search often, save it in the Search For section of the sidebar.
Type your search in the search field. Click Save to add a Smart Folder to the sidebar.
See your search results in Cover Flow.

Finder 15

Shared computers
Shared computers on your network automatically appear in the sidebar so that you can quickly find the documents they contain.
Search for documents on shared computers.
Get immediate access to the Public folder on any shared computer.

16 Finder

Screen sharing
Use screen sharing to get to the desktop of shared computers on your network. You can monitor use, change settings, and much more from your computer.
Select the computer and then click Share Screen.
To see the toolbar, choose View > Show Toolbar.
Youll see the desktop of the other computer in a window.
To use all of your screen, click the Full-screen button. Finder 17

Sharing

You can share your files, your website, your screen, and much more with other computers on your network. To start, open System Preferences and then click Sharing.
Click the Add (+) button to select users and groups who can share your files.
Click the Add (+) button to select any folder you want to share.

18 Finder

Back to My Mac
With your.Mac membership, an Internet connection, and Back to My Mac and sharing services turned on, you can access any of your computers from anywhere on the Internet.
Back to My Mac is on automatically.
Back to My Mac computers appear in the sidebar.

Finder 19

Quick Look
See stunning previews of movies, PDF files, presentations, spreadsheets, and more without opening an application.

20 Quick Look

View documents
You can use Quick Look in the Finder, Time Machine, and Mail. To view an item in Quick Look, select it and then press the Space bar.
Click the Quick Look button in the Finder window toolbar.
Click here for a full-screen preview.

Quick Look 21

Browse contents
When you view the documents in Quick Look, you can flip through each page of your document or view each slide of a Keynote presentation.
Each slide of a Keynote presentation appears here.

22 Quick Look

Show collections
You can use Quick Look to view several items at once. To automatically scan through the items, click the Play button.
Click a picture in the index sheet to view it.

Click the Index Sheet button to view all the items.
Click the Camera button to add a photo to iPhoto.

Quick Look 23

Time Machine
Automatically back up your Mac. If youre missing a document, travel back in time to recover it.

24 Time Machine

Turn on Time Machine
To start using Time Machine, just connect a FireWire or USB disk to your computer, and then click Use as Backup Disk in the dialog that appears.
When you turn on Time Machine, it backs up your computer to the disk youve selected.

Time Machine 25

Recover files
Easily find a missing document by seeing how your desktop looked in the past. Time Machine does a backup each hour of the current day, and then saves daily backups.
Type in the search field to look for the document.
Click the back arrow to go back in time.
Use Quick Look to check a document before you restore it.
Browse items in your backup using Cover Flow.
When you find the document, select it and then click Restore.

26 Time Machine

Set Time Machine preferences
To set Time Machine options, open Time Machine preferences. You can select a different backup disk or specify folders or disks you dont want to include in your backups.
Click Options to select items you dont want to back up.

Time Machine 27

Spaces
Organize your work and play by grouping application windows into a space. Then quickly switch between your spaces.

28 Spaces

Arrange windows
Turn on spaces in Expos & Spaces preferences, and then press F8 to show your spaces. To organize your windows, drag them from the current space to a different space.
Drag windows you want to use together into the same space.

Spaces 29

Switch spaces
To switch between spaces, type Control + [an arrow key]. To go directly to a space, type Control + [a number key]. Arrange the order of spaces to suit your needs.
Drag spaces to rearrange their order.
Use keyboard shortcuts to quickly switch between spaces.

30 Spaces

Customize spaces
After you turn on spaces, you can add other spaces. You can also assign applications to each space so that the applications windows always open in the same space.
Add rows and columns to create the spaces you need.
Choose keyboard shortcuts that work best for you. Click the Add (+) button to assign applications to spaces.

Spaces 31

Use Apple-designed stationery to send gorgeous email messages complete with photos.

32 Mail

Click a chat to return to it.
See the latest reply from your buddy.

iChat 41

Presence
If you have more than one.Mac, AIM, Jabber, or Google Talk account, you can log into all of them at the same time in iChat.
Use an animated GIF as your buddy picture.
Choose Invisible if you want to see whos available, but not be seen yourself.

42 iChat

SMS messaging
Exchange SMS messages from iChat with a buddy using a mobile phone, such as iPhone. Choose File > Send SMS, and then enter your buddys phone number.
This buddy can receive SMS messages.
Note: SMS messaging is available only with U.S. mobile phones. iChat 43

Dashboard

Create your own widget from any part of a webpage and see updates to it in Dashboard.

44 Dashboard

Web clip
To create a widget, open a webpage in Safari and choose File > Open in Dashboard. Safari automatically selects parts of the page as you move the pointer over the page.
Go to the webpage in Safari and click this button.
When youve selected the part you want, click Add.
Drag the selection rectangle over the information and click. You can then resize the selection.

Dashboard 45

Safari
The most elegant web browser is even easier to use with dynamic tabbed browsing and other new features.

46 Safari

Tabbed browsing
Now you can drag tabs to arrange them or pull them out into a new window. To merge open windows into a single tabbed window, choose Window > Merge All Windows.
Drag a tab out of the window to put it in a separate window. Drag tabs to rearrange the order theyre in. To switch between tabs, press Command-Shift-Right bracket ( ] ) or Command-Shift-Left bracket ( [ ).

Safari 47

To search for text in a webpage, choose Edit > Find > Find, and then type your search. To make it easier to see what youre looking for, Safari highlights all the results.
Click these arrows to highlight individual occurrences.
Safari highlights the results in the webpage so that theyre easy to locate.

48 Safari

PDF viewing

You can view PDF files in the Safari window. Youll find new controls that make it easier to work with these files.
Open the PDF file in Preview or save it in your Downloads stack.
To see the controls, move the pointer to the bottom of the Safari window.

Safari 49

Parental Controls
Give yourself peace of mind. Manage the time your children spend on the computer and what they do there.

50 Parental Controls

Time limits
Manage when your children use the computer by setting time limits for weekdays, weekends, and nights.
Specify how many hours a day your child may use the computer.
Specify the hours during which your child may not use the computer on school nights and weekends.

Parental Controls 51

Content limits
To limit the websites your children may visit on the Internet, click Content and then select the level of restrictions you want to apply.
Select to try limiting access to adult websites. Click Customize if you want to specify websites your children may and may not visit. Select to allow your children access only to specific websites.

52 Parental Controls

Mail and iChat limits
Protect your children from strangers by specifying who they chat with and exchange email with.
Enter your email address to be notified if your children try to correspond with someone who isnt on the list. Click the Add (+) button to add an address.

Parental Controls 53

Use the Logs pane to check your childrens activity on the computer and the Internet.
Find out which websites your children have visited.

54 Parental Controls

Remote controls
Manage parental controls on your childs computer from your computer. When you turn on parental controls, select Manage parental controls from another computer.
Select your childs computer and log in; then select your childs user name.
Select this option on your childs computer.

Parental Controls 55

Photo Booth
Discover more ways to have fun with new types of snapshots. Video backdrops add to the possibilities.

56 Photo Booth

Be anywhere in the worldor out of this worldby using video backdrops when you take a snapshot.
Select a backdrop, and then step out of the picture for a moment.

Photo Booth 57

4-up snapshots
Now you can make a burst of four snapshots. You can export a 4-up snapshot as an animated GIF to use as your buddy picture in iChat.
When previewing a 4-up snapshot, click a frame to preview that frame and select how to use it.

Click the 4-up button.

58 Photo Booth

Movie clips

Make a movie of yourself using effects and backdrops. Use your movie as a video greeting complete with audio to send to your friends in an email message.
When you preview a movie, move the pointer over the image to control playback. Click the Movie Clip button.

Photo Booth 59

Front Row
Enjoy your digital entertainment on your Mac from anywhere in the room. Grab a seat and your remote, and start the show.

60 Front Row

Apple Remote
To open Front Row, click Menu on your Apple Remote. Click Volume Up and Volume Down to highlight items. Click Play to select an item. Click Menu to return to the previous menu.
Select what you want to watch.
Use your Apple Remote to sit back and enjoy the show.

Front Row 61

Photo gallery
Turn your Mac into a gallery for your favorite photos. With Front Row, you can show your photos in iPhoto, Photo Booth, and Aperture.
Click to view shared photos on your network. Choose the photo album or iPhoto Event you want to show.

62 Front Row

Shared media
From Front Row, you can view digital entertainment shared from other computers on your network.
Select how you want Front Row to display your photos.

Front Row 63

Boot Camp
To use a Windows application on your Mac, install Boot Camp and your copy of Windows. Then youre ready to go.

64 Boot Camp

Install Boot Camp
Open Boot Camp Setup Assistant (in the Utilities folder in the Applications folder) and print the Boot Camp Installation & Setup Guide. Then create a partition for Windows.
Print this document to follow the instructions while installing Windows. Drag the divider to set the size of the Windows partition.
If you installed a beta version of Boot Camp, you only need to install the new Windows drivers by switching to Windows and inserting the Leopard installation disc.

Boot Camp 65

Install Windows
Insert your Windows XP or Windows Vista installation disc and click Start Installation.
Install the Windows drivers when you finish installing and setting up Windows.

Click when youre ready to install Windows on your Mac.

66 Boot Camp

Switch systems
In Mac OS X, open Startup Disk preferences to select your Windows partition. In Windows, open the Boot Camp Control Panel and then click Startup Disk.
Select your Windows partition and then click Restart.
Select your Mac OS X startup disk and then click Restart.

Boot Camp 67

Here if you need us
Learning more, service, and support
Online resources For online service and support information, visit www.apple.com/support. Choose your country from the pop-up menu. You can search for the latest software updates and manuals, find answers using the AppleCare Knowledge Base, or get help from Apples discussion forums. Onscreen help You can often find answers to your questions, as well as instructions and problemsolving information by using the Help menu in some applications. Choose Help from the Finder Help menu, type a few words in the search field, and then press Return. System profiler Use System Profiler to retrieve information about your computer. System Profiler indicates the hardware and software installed on your computer, the serial number and operating system version, the amount of memory installed, and how much battery power remains. To open System Profiler, choose Apple (K) > About This Mac from the menu bar, and then click the More Info button.

70 Apple Support

AppleCare service and support information
Your Mac OS X product comes with 90 days of complimentary telephone support. AppleCare telephone support representatives can help you open and install applications and solve basic problems. Consult the table below, and then call the support center nearest you. Have the date of purchase and your Apple computer serial number ready when you call. Note: Telephone feesmay apply. You can extend your coverage by purchasing the AppleCare Protection Plan. For more information about the AppleCare Protection Plan, visit the AppleCare Products and Services website at www.apple.com/support/products. For additional information about contacting Apple Support, visit www.apple.com/ contact/phone_contacts.html. (Telephone numbers are subject to change.) Technical Support Numbers
United States Canada (English) Canada (French) Mexico Australia New Zealand United Kingdom 1-800-1-800-263-3394 1-800-263-3394 01-800-277-5322 (61) 133-622 00800-7666-7666 (44) 0753 www.apple.com/support www.apple.com/ca/support www.apple.com/ca/fr/support www.apple.com/mx/support www.apple.com/au/support www.apple.com/nz/support www.apple.com/uk/support

Apple Support 71

SOFTWARE LICENSE AGREEMENT FOR MAC OS X

APPLE INC.

Single Use and Family Pack License for use on Apple-labeled Systems
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (LICENSE) CAREFULLY BEFORE USING THE APPLE SOFTWARE. BY USING THE APPLE SOFTWARE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE, DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THE LICENSE, YOU MAY RETURN THE APPLE SOFTWARE TO THE PLACE WHERE YOU OBTAINED IT FOR A REFUND. IF THE APPLE SOFTWARE WAS ACCESSED ELECTRONICALLY, CLICK DISAGREE/ DECLINE FOR APPLE SOFTWARE INCLUDED WITH YOUR PURCHASE OF HARDWARE, YOU MUST RETURN THE. ENTIRE HARDWARE/SOFTWARE PACKAGE IN ORDER TO OBTAIN A REFUND. IMPORTANT NOTE: This software may be used to reproduce, modify, publish and distribute materials. It is licensed to you only for reproduction, modification, publication and distribution of non-copyrighted materials, materials in which you own the copyright, or materials you are authorized or legally permitted to reproduce, modify, publish or distribute. If you are uncertain about your right to copy, modify, publish or distribute any material, you should contact your legal advisor. 1. General. The software (including Boot ROM code), documentation and any fonts accompanying this License whether preinstalled on Apple-labeled hardware, on disk, in read only memory, on any other media or in any other form (collectively the Apple Software) are licensed, not sold, to you by Apple Inc. (Apple) for use only under the terms of this License, and Apple reserves all rights not expressly granted to you. The rights granted herein are limited to Apples and its licensors intellectual property rights in the Apple Software as licensed hereunder and do not include any other patents or intellectual property rights. You own the media on which the Apple Software is recorded but Apple and/or Apples licensor(s) retain ownership of the Apple Software itself. The terms of this License will govern any software upgrades provided by Apple that replace and/or supplement the original Apple Software product, unless such upgrade is accompanied by a separate license in which case the terms of that license will govern. Title and intellectual property rights in and to any content displayed by or accessed through the Apple Software belongs to the respective content owner. Such content may be protected by copyright or other intellectual property laws and treaties, and may be subject to terms of use of the third party providing such content. This License does not grant you any rights to use such content nor does it guarantee that such content will continue to be available to you. 2. Permitted License Uses and Restrictions. A. Single Use. This License allows you to install, use and run one (1) copy of the Apple Software on a single Apple-labeled computer at a time. You agree not to install, use or run the Apple Software on any non-Apple-

labeled computer, or to enable others to do so. This License does not allow the Apple Software to exist on more than one computer at a time, and you may not make the Apple Software available over a network where it could be used by multiple computers at the same time. B. Family Pack. If you have purchased a Mac OS X Family Pack, this License allows you to install and use one (1) copy of the Apple Software on up to a maximum of five (5) Apple-labeled computers at a time as long as those computers are located in the same household and used by persons who occupy that same household. By household we mean a person or persons who share the same housing unit such as a home, apartment, mobile home or condominium, but shall also extend to student members who are primary residents of that household but residing at a separate on-campus location. The Family Pack License does not extend to business or commercial users. C. You may make one copy of the Apple Software (excluding the Boot ROM code and other Apple firmware that is embedded or otherwise contained in Apple-labeled hardware) in machine-readable form for backup purposes only; provided that the backup copy must include all copyright or other proprietary notices contained on the original. Apple Boot ROM code and firmware is provided only for use on Apple-labeled hardware and you may not copy, modify or redistribute the Apple Boot ROM code or firmware, or any portions thereof. D. Certain components of the Apple Software, and third party open source programs included with the Apple Software, have been or may be made available by Apple on its Open Source web site (http://www. opensource.apple.com/) (collectively the Open-Sourced Components). You may modify or replace only these Open-Sourced Components; provided that: (i) the resultant modified Apple Software is used, in place of the unmodified Apple Software, on a single Apple-labeled computer; and (ii) you otherwise comply with the terms of this License and any applicable licensing terms governing use of the Open-Sourced Components. Apple is not obligated to provide any updates, maintenance, warranty, technical or other support, or services for the resultant modified Apple Software. You expressly acknowledge that if failure or damage to Apple hardware results from modification of the OpenSourced Components of the Apple Software, such failure or damage is excluded from the terms of the Apple hardware warranty. E. Apple has provided, as part of the Apple Software package, access to certain third party software as a convenience. To the extent that the Apple Software contains third party software, Apple has no express or implied obligation to provide any technical or other support for such software. Please contact the appropriate software vendor or manufacturer directly for technical support and customer service related to its software and products. F. Except as and only to the extent permitted by applicable licensing terms governing use of the Open-Sourced Components, or by applicable law, you may not copy, decompile, reverse engineer, disassemble, modify, or create derivative works of the Apple Software or any part thereof. THE APPLE SOFTWARE IS NOT INTENDED

FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL SYSTEMS, LIFE SUPPORT MACHINES OR OTHER EQUIPMENT IN WHICH THE FAILURE OF THE APPLE SOFTWARE COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE. G. If you use Setup/Migration Assistant to transfer software from one Apple-labeled computer to another Apple-labeled computer, please remember that continued use of the original copy of the software may be prohibited once a copy has been transferred to another computer, unless you already have a licensed copy of such software on both computers. You should check the relevant software license agreements for applicable terms and conditions. 3. Transfer. You may not rent, lease, lend, redistribute or sublicense the Apple Software. Subject to the restrictions set forth below, you may, however, make a one-time permanent transfer of all of your license rights to the Apple Software (in its original form as provided by Apple) to another party, provided that: (a) the transfer must include all of the Apple Software, including all its component parts (excluding Apple Boot ROM code and firmware), original media, printed materials and this License; (b) you do not retain any copies of the Apple Software, full or partial, including copies stored on a computer or other storage device; and (c) the party receiving the Apple Software reads and agrees to accept the terms and conditions of this License. You may not rent, lease, lend, redistribute, sublicense or transfer any Apple Software that has been modified or replaced under Section 2D above. All components of the Apple Software are provided as part of a bundle and may not be separated from the bundle and distributed as standalone applications. Apple Software provided with a particular Apple-labeled hardware product may not run on other models of Apple-labeled hardware. Updates: If an Apple Software update completely replaces (full install) a previously licensed version of the Apple Software, you may not use both versions of the Apple Software at the same time nor may you transfer them separately. NFR (Not for Resale) and Evaluation Copies: Notwithstanding other sections of this License, Apple Software labeled or otherwise provided to you on a promotional or not-for-resale basis may only be used for demonstration, testing and evaluation purposes and may not be resold or transferred. Apple System Restore Copies: Restore CDs or DVDs that may accompany an Apple hardware bundle, or are otherwise provided by Apple in connection with an Apple hardware bundle, contain a copy of the Apple Software that is to be used for diagnostic and restorative purposes only. These CDs and DVDs may be resold or transferred only as part of the Apple hardware bundle. Academic Copies: If the Apple Software package has an academic label or if you acquired the Apple Software at an academic discount, you must be an Eligible Educational End User to use the Apple Software. Eligible Educational End Users means students, faculty, staff and administration attending and/or working at an educational institutional facility (i.e., college campus, public or private K-12 schools).

4. Consent to Use of Data. You agree that Apple and its subsidiaries may collect and use technical and related information, including but not limited to technical information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the Apple Software, and to verify compliance with the terms of this License. Apple may use this information, as long as it is in a form that does not personally identify you, to improve our products or to provide services or technologies to you. 5. Termination. This License is effective until terminated. Your rights under this License will terminate automatically without notice from Apple if you fail to comply with any term(s) of this License. Upon the termination of this License, you shall cease all use of the Apple Software and destroy all copies, full or partial, of the Apple Software. 6. Limited Warranty on Media. Apple warrants the media on which the Apple Software is recorded and delivered by Apple to be free from defects in materials and workmanship under normal use for a period of ninety (90) days from the date of original retail purchase. Your exclusive remedy under this Section shall be, at Apples option, a refund of the purchase price of the product containing the Apple Software or replacement of the Apple Software which is returned to Apple or an Apple authorized representative with a copy of the receipt. THIS LIMITED WARRANTY AND ANY IMPLIED WARRANTIES ON THE MEDIA INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, OF SATISFACTORY QUALITY, AND OF FITNESS FOR A PARTICULAR PURPOSE, ARE LIMITED IN DURATION TO NINETY (90) DAYS FROM THE DATE OF ORIGINAL RETAIL PURCHASE. SOME JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THE LIMITED WARRANTY SET FORTH HEREIN IS THE ONLY WARRANTY MADE TO YOU AND IS PROVIDED IN LIEU OF ANY OTHER WARRANTIES (IF ANY) CREATED BY ANY DOCUMENTATION, PACKAGING OR OTHERWISE. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY BY JURISDICTION. 7. Disclaimer of Warranties. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE APPLE SOFTWARE IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. EXCEPT FOR THE LIMITED WARRANTY ON MEDIA SET FORTH ABOVE AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE APPLE SOFTWARE AND ANY SERVICES PERFORMED OR PROVIDED BY THE APPLE SOFTWARE (SERVICES) ARE PROVIDED AS IS WITH ALL FAULTS AND WITHOUT , WARRANTY OF ANY KIND, AND APPLE AND APPLES LICENSORS (COLLECTIVELY REFERRED TO AS APPLE FOR THE PURPOSES OF SECTIONS 7 and 8) HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE APPLE SOFTWARE AND ANY SERVICES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. APPLE DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE APPLE SOFTWARE, THAT THE FUNCTIONS CONTAINED IN, OR SERVICES PERFORMED

OR PROVIDED BY, THE APPLE SOFTWARE WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE APPLE SOFTWARE OR SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, THAT THE APPLE SOFTWARE OR SERVICES WILL BE COMPATIBLE WITH THIRD PARTY SOFTWARE, OR THAT DEFECTS IN THE APPLE SOFTWARE OR SERVICES WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE OR AN APPLE AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE APPLE SOFTWARE OR SERVICES PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON APPLICABLE STATUTORY RIGHTS OF A CONSUMER, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU. The Apple Software automatically references, displays, links to, and provides web services related to, sites and information located worldwide throughout the Internet. Because Apple has no control over such sites and information, Apple makes no guarantees as to such sites and information, including but not limited to: (a) the accuracy, availability, sequence, completeness, currency, content, validity or quality of any such sites and information, or (b) whether an Apple search completed through the Apple Software may locate unintended or objectionable content. Because some of the content on the Internet consists of material that is adult-oriented or otherwise objectionable to some people or viewers under the age of 18, the results of any search or entering of a particular URL using the Apple Software may automatically and unintentionally generate links or references to objectionable material. By using the Apple Software, you acknowledge that Apple makes no representations or warranties with regard to any sites or information displayed by or accessed through the Apple Software, or any web services performed by the Apple Software in relation to such sites or information. Apple, its officers, affiliates and subsidiaries shall not, directly or indirectly, be liable, in any way, to you or any other person for the content you receive using the Apple Software or for any inaccuracies, errors in or omissions from the content. Financial information displayed by the Apple Software is for general informational purposes only and is not intended to be relied upon as investment advice. Before executing any securities transaction based upon information obtained through the Apple Software, you should consult with a financial professional. Neither Apple nor any of its content providers guarantees the accuracy, completeness, or timeliness of stock information appearing within the Apple Software. The Apple Software may be used to conduct automated translations. As automated translations are performed by software tools and do not involve any human intervention or verification, it is not advisable to rely upon such translations where absolute accuracy is required. Backup functions performed by the Apple Software are only carried out at certain times and are subject to hardware limitations such as drive storage capacity. Apple and its licensors reserve the right to change, suspend, remove, or disable access to any Services at any time without notice. In no event will Apple be liable for the removal of or disabling of access to any such Services. Apple may also impose limits on the use of or access to certain Services, in any case and without notice or liability.

may be found at: http://www.apple.com/certificateauthority. 10. Export Control. You may not use or otherwise export or reexport the Apple Product except as authorized by United States law and the laws of the jurisdiction in which the Apple Product was obtained. In particular, but without limitation, the Apple Product may not be exported or re-exported (a) into any U.S. embargoed countries or (b) to anyone on the U.S. Treasury Departments list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By using the Apple Product, you represent and warrant that you are not located in any such country or on any such list. 11. Government End Users. The Apple Software and related documentation are Commercial Items as that , term is defined at 48 C.F.R. 2.101, consisting of Commercial Computer Software and Commercial Computer Software Documentation as such terms are used in 48 C.F.R. 12.212 or 48 C.F.R. 227.7202, as applicable. , Consistent with 48 C.F.R. 12.212 or 48 C.F.R. 227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein. Unpublished-rights reserved under the copyright laws of the United States. 12. Controlling Law and Severability. This License will be governed by and construed in accordance with the laws of the State of California, as applied to agreements entered into and to be performed entirely within California between California residents. This License shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If for any reason a court of competent jurisdiction finds any provision, or portion thereof, to be unenforceable, the remainder of this License shall continue in full force and effect. 13. Complete Agreement; Governing Language. This License constitutes the entire agreement between the parties with respect to the use of the Apple Software licensed hereunder and supersedes all prior or contemporaneous understandings regarding such subject matter. No amendment to or modification of this License will be binding unless in writing and signed by Apple. Any translation of this License is done for local requirements and in the event of a dispute between the English and any non-English versions, the English version of this License shall govern. 14. Third Party Acknowledgements. A. Portions of the Apple Software utilize or include third party software and other copyrighted material. Acknowledgements, licensing terms and disclaimers for such material are contained in the online electronic documentation for the Apple Software, and your use of such material is governed by their respective terms. B. Certain software libraries and other third party software included with the Apple Software are free software and licensed under the terms of the GNU General Public License (GPL) or the GNU Library/Lesser General Public License (LGPL), as the case may be. You may obtain a complete machine-readable copy of the source code

for such free software under the terms of the GPL or LGPL, as the case may be, without charge except for the cost of media, shipping, and handling, upon written request to Apple. The GPL/LGPL software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. A copy of the GPL and LGPL is included with the Apple Software. C. The Apple Software includes certain software licensed under the IBM Public License Version 1.0 (IPL) or the Common Public License Version 1.0 (CPL). A copy of the source code for the IPL and CPL licensed software may be found in Apples Open Source repository. See Apples Open Source web site (http://www.opensource.apple. com/) for information on how to obtain the source code. THE IPL AND CPL SOFTWARE IS PROVIDED ON AN AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NEITHER APPLE, IBM NOR ANY OTHER CONTRIBUTOR TO THE IPL AND CPL SOFTWARE SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE IPL AND CPL SOFTWARE OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. D. MPEG-2 Notice. To the extent that the Apple Software contains MPEG-2 functionality, the following provision applies: ANY USE OF THIS PRODUCT OTHER THAN CONSUMER PERSONAL USE IN ANY MANNER THAT COMPLIES WITH THE MPEG-2 STANDARD FOR ENCODING VIDEO INFORMATION FOR PACKAGED MEDIA IS EXPRESSLY PROHIBITED WITHOUT A LICENSE UNDER APPLICABLE PATENTS IN THE MPEG-2 PATENT PORTFOLIO, WHICH LICENSE IS AVAILABLE FROM MPEG LA, L.L.C, 250 STEELE STREET, SUITE 300, DENVER, COLORADO 80206. E. Use of MPEG-4. This product is licensed under the MPEG-4 Systems Patent Portfolio License for encoding in compliance with the MPEG-4 Systems Standard, except that an additional license and payment of royalties are necessary for encoding in connection with (i) data stored or replicated in physical media which is paid for on a title by title basis and/or (ii) data which is paid for on a title by title basis and is transmitted to an end user for permanent storage and/or use. Such additional license may be obtained from MPEG LA, LLC. See http://www. mpegla.com for additional details. This product is licensed under the MPEG-4 Visual Patent Portfolio License for the personal and non-commercial use of a consumer for (i) encoding video in compliance with the MPEG-4 Visual Standard (MPEG-4 Video) and/ or (ii) decoding MPEG-4 video that was encoded by a consumer engaged in a personal and non-commercial activity and/or was obtained from a video provider licensed by MPEG LA to provide MPEG-4 video. No license is granted or shall be implied for any other use. Additional information including that relating to promotional, internal and commercial uses and licensing

This guide. Getting Started and Installation & Setup Worksheet Command-Line Administration File Services Administration iCal Service Administration iChat Service Administration Mac OS X Security Configuration Mac OS X Server Security Configuration Mail Service Administration Network Services Administration Open Directory Administration Podcast Producer Administration Print Service Administration QuickTime Streaming and Broadcasting Administration Server Administration tells you how to: Install Mac OS X Server and set it up for the first time. Install, set up, and manage Mac OS X Server using UNIX commandline tools and configuration files. Share selected server volumes or folders among server clients using the AFP, NFS, FTP, and SMB protocols. Set up and manage iCal shared calendar service. Set up and manage iChat instant messaging service. Make Mac OS X computers (clients) more secure, as required by enterprise and government customers. Make Product Name and the computer its installed on more secure, as required by enterprise and government customers. Set up and manage IMAP, POP, and SMTP mail services on the server. Set up, configure, and administer DHCP, DNS, VPN, NTP, IP firewall, NAT, and RADIUS services on the server. Set up and manage directory and authentication services, and configure clients to access directory services. Set up and manage Podcast Producer service to record, process, and distribute podcasts. Host shared printers and manage their associated queues and print jobs. Capture and encode QuickTime content. Set up and manage QuickTime streaming service to deliver media streams live or on demand. Perform advanced installation and setup of server software, and manage options that apply to multiple services or to the server as a whole. Use NetBoot, NetInstall, and Software Update to automate the management of operating system and other software used by client computers. Use data and service settings from an earlier version of Mac OS X Server or Windows NT.
System Imaging and Software Update Administration Upgrading and Migrating
This guide. User Management Web Technologies Administration Xgrid Administration and High Performance Computing Mac OS X Server Glossary
tells you how to: Create and manage user accounts, groups, and computers. Set up managed preferences for Mac OS X clients. Set up and manage web technologies, including web, blog, webmail, wiki, MySQL, PHP, Ruby on Rails, and WebDAV. Set up and manage computational clusters of Xserve systems and Mac computers. Learn about terms used for server and storage products.
Viewing PDF Guides on Screen
While reading the PDF version of a guide onscreen: Show bookmarks to see the guides outline, and click a bookmark to jump to the corresponding section. Search for a word or phrase to see a list of places where it appears in the document. Click a listed place to see the page where it occurs. Click a cross-reference to jump to the referenced section. Click a web link to visit the website in your browser.

Chapter 2 Installing Mac OS X
9 In the Install Summary screen, click Customize and deselect packages you do not plan on using. Do not select the X11 package unless you use it. The X11 X Window system lets you run X11-based applications in Mac OS X. Although this might be useful, it also makes it harder to maintain a secure configuration. If you use X11, contact your network administrator to securely configure it in your environment. 10 Click Install.
Installing from the Network
There are several ways to deploy images from the network. When choosing a method, make sure you can do it securely. When retrieving the image over a network, make sure the network is isolated and can be trusted. For information about deploying images from a network, see Server Administration. In addition, verify the image to make sure it is correct. For more information about verifying images, see Verifying the Integrity of Software on page 37.
Restoring from Preconfigured Disk Images
One of the most efficient ways to deploy secure computers is to configure a model computer using security settings requested by your organization and then create a disk image to deploy the image on your computers. (For information about how to use Disk Utility to create disk images, see the System Imaging and Software Update Administration guide.) Thoroughly test the settings, making sure the computer meets the standards of your organization, and then create a disk image of the computer. You can then deploy this image to each computer, avoiding the need to manually configure each computer. You can use NetBoot or Apple Software Restore (ASR) to configure your computer from a network-based disk image: With NetBoot, you can install an image directly from the network. For information about how to use NetBoot, see the System Imaging and Software Update Administration Guide. With ASR, you can install an image deployed by an ASR server, or you can save that image to disk. By saving the image to disk, you can verify its validity before using it. If youre configuring multiple computers simultaneously, ASR can be much more efficient. For information about how to use ASR, enter man asr in a Terminal window.

Initial System Setup

After installing Mac OS X, the computer restarts and loads Setup Assistant, which you use to initialize your system.

Using Setup Assistant

Setup Assistant initially configures Mac OS X. You can use Setup Assistant to transfer information from other computers and send registration information to Apple. Setup Assistant configures the first account on the computer as an administrator account. Administrator accounts should only be used for administration. Users should use standard user accounts for day-to-day computer use. Note: Apple protects information submitted by Setup Assistant, but avoid entering information considered sensitive by your organization. To use Setup Assistant without providing confidential information: 1 Proceed to the Do You Already Own a Mac screen, select Do not transfer my information now, and click Continue. 2 Proceed to the Your Internet Connection step and click Different Network Setup. If you dont disable your network connection, an additional step, Enter Your Apple ID, appears. Dont enter values in the provided fields. The administrator account should only be used for administration, so theres no need for an Apple ID. 3 In Registration Information, press Command-Q and click Skip to bypass the remaining registration and setup process. When you bypass the remaining registration and setup process, you cant go back to change settings. Before bypassing, you might want to go back through the steps to remove sensitive information. After you enter information in the Your Internet Connection step, you cannot go back to that step to change your network settings. You can only change network settings after completing installation. If you enter registration information, an additional step, Register With Apple, appears later in the installation process. Select Register Later, but dont register with Apple.

Securing the Guest Account
The guest account is used to give a user temporary access to your computer. The guest account is disabled by default because it does not require a password to log in on the computer. If this account is enabled and is not securely configured, malicious users can gain access to your computer without the use of a password. If you enable the guest account, enable parental controls to limit what the user can do and disable guest account access to shared files and folders by deselecting the Allow guest to connect to shared folders checkbox. If you permit the guest account to access shared folders, an attacker can easily attempt to access shared folders without a password. When you finish with this account, disable it by deselecting the Allow guests to log into this computer. This prevents the guest user account from logging into the computer. For more information about parental controls, see Controlling Local Accounts with Parental Controls on page 62.
Securing Nonadministrator Accounts
There are two types of nonadministrator user accounts: Standard user accounts, which dont have administrator privileges and dont have parental controls limiting their actions. Managed user accounts, which dont have administrator privileges, but have active parental controls. Parental controls help deter unsophisticated users from performing malicious activities. They can also help prevent users from misusing their computer. Note: If your computer is connected to a network, a managed user can also be a user whose preferences and account information are managed through the network. When creating nonadministrator accounts, restrict the accounts so they can only use what is required. For example, if you plan to store data on your local computer, disable the ability to burn DVDs.
Controlling Local Accounts with Parental Controls
You can set limits for users by using Parental Control preferences. For example, you might not want to prevent users from being able to install or uninstall software, or you might want to restrict access to specific administrator tools or utilities. The preferences can be set according to your environment. The following screen shows Parental Controls that you can set to restrict accounts.

Using Smart Cards as Keychains
Mac OS X v10.5 integrates support for hardware-based smart cards as dynamic keychains where any application using keychains can access that smart card. Smart cards are dynamic keychains and are added to the top of the Keychain Access list. They are the first searched in the list. They can be treated as other keychains on the users computer, with the limitation of adding other secure objects. You cannot store passwords or other types of information on your smart card. A smart card can be thought of as a portable protected keychain. When you attach a supported smart card to your computer, it appears in Keychain Access. If multiple smart cards are attached to your computer, they will appear at the top of the keychain list alphabetically as separate keychains. You can manually unlock and change the PIN using Keychain Access. When changing the PIN on your smart card it is the same as changing the password on a regular keychain. In Keychain Access, select your smart card and unlock it by double-clicking it. If it is not unlocked, you are prompted to enter the password for the smart card, which is the same as the PIN. Enter the PIN and Keychain Access will bring up the PIN-protected data on that smart card. For more information, see the Smart Card Setup Guide at www.apple.com/server/ macosx/resources/.
Using Portable and Network-Based Keychains
If youre using a portable computer, consider storing your keychains on a portable drive, such as a USB flash memory drive. You can remove the portable drive from the portable computer and store it separately when the keychains are not in use. Anyone attempting to access data on the portable computer needs the portable computer, portable drive, and password for the keychain stored on the portable drive. This provides an extra layer of protection if the laptop is stolen or misplaced. To use a portable drive to store keychains, move your keychain files to the portable drive and configure Keychain Access to use the keychains on the portable drive. The default location for your keychain is ~/Library/Keychains/. However, you can store keychains in other locations. You can further protect portable keychains by storing them on biometric USB flash memory drives, or by storing portable drive contents in an encrypted file. For information, see Encrypting Portable Files on page 134. Check with your organization to see if they allow portable drives to store keychains. To set up a keychain for use from a portable drive: 1 Open Keychain Access. 2 If you do not see a list of keychains, click Show Keychains. 3 Choose Edit > Keychain List. 4 Note the location of the keychain you want to set up. The default location is ~/Library/Keychains/. 5 Click Cancel. 6 Select the keychain you want set up. 7 Choose File > Delete Keychain keychain_name. 8 Click Delete References. 9 Copy the keychain files from the previously noted location to the portable drive. 10 Move the keychain to the Trash and use Secure Empty Trash to securely erase the keychain file stored on the computer. For information, see Using Secure Empty Trash on page 139. 11 Open Finder and double-click the keychain file on your portable drive to add it to your keychain search list.

If you want to protect file or folders on portable media or a network volume, you must create an encrypted disk image on the portable media or network volume. You can then mount these encrypted disk images, which protect data transmitted over the network using AES-256 encryption. When using this method, you must only mount the encrypted disk image from one computer at a time to prevent irreparable corruption to the image content. For information about encrypting specific files or folders for transfer from your network home folder, see Encrypting Portable Files on page 134. When you set up FileVault, you create a master password. If you forget your login password, you can use your master password to recover encrypted data. If you forget your login password and your master password, you cannot recover your data. Because of this, consider sealing your master password in an envelope and storing it in a secure location. You can use Password Assistant to help create a complex master password that cannot be easily compromised. For information, see Using Passwords on page 70. Enabling FileVault copies data from your home folder into an encrypted home folder. After copying, FileVault erases the unencrypted data. By default FileVault insecurely erases the unencrypted data, but if you enable secure erase, your unencrypted data is securely erased.

Overview of FileVault

Mac OS X v10.5 extends the unlocking of FileVault to Smart Cards, which provides the most secure practice for protecting FileVault accounts. Accounts protected by FileVault support authentication using a passphrase or a Smart Card. With Smart Card authentication, the AES-256 symmetric Data key (DK) used to encrypt the users data is unwrapped using a private (encryption) key on the Smart Card. The data written to or read from disk is encrypted and decrypted on the fly during access. FileVault encrypts the Data Key (DK) using the User Key (UK1), which can be generated from your passphrase or from the public key on your Smart Card. FileVault separately encrypts the Data Key using the FileVault Master Key (MK). The architectural design of FileVault makes it possible for the MK and UK1 to encrypt and decrypt files. Providing strong encryption protects user data at rest while ensuring access management by IT staff. The easiest method for centralized management of FileVault on a client computer is to use Mac OS X Server v10.5 and WorkGroup Manager to enforce the use of FileVault and the proper identity.

Creating an Encrypted Disk Image
To encrypt and securely store data, you can create a read/write image or a sparse image: A read/write image consumes the space that was defined when the image was created. For example, if the maximum size of a read/write image is set to 10 GB, the image consumes 10 GB of space even if it contains only 2 GB of data. A sparse image consumes only the amount of space the data needs. For example, if the maximum size of a sparse image is 10 GB and the data is only 2 GB, the image consumes only 2 GB of space. If an unauthorized administrator might access your computer, creating an encrypted blank disk image is preferred to creating an encrypted disk image from existing data. Creating an encrypted image from existing data copies the data from an unprotected area to the encrypted image. If the data is sensitive, create the image before creating the documents. This creates the working copies, backups, or caches of files in encrypted storage from the start. Note: To prevent errors when a file system inside a sparse image has more free space than the volume holding the sparse image, HFS volumes inside sparse images report an amount of free space slightly less than the amount of free space on the volume the image resides on. To create an encrypted disk image: 1 Open Disk Utility. 2 Choose File > New > Blank Disk Image. 3 Enter a name for the image, and choose where to store it. 4 Choose the size of the image, by clicking the Size pop-up menu.
Make sure the size of the image is large enough for your needs. You cannot increase the size of an image after creating it. 5 Choose an encryption method by clicking the Encryption pop-up menu. AES-128 or AES-256 is a strong encryption format. 6 Choose a format by clicking the Format pop-up menu. Although there is some overhead, the sparse format allows the image to maintain a size proportional to its contents (up to its maximum size), which can save disk space. 7 Click Create. 8 Enter a password and verify it. You can access Password Assistant from this window. For more information, see Using Passwords on page 70. 9 Deselect Remember password (add to Keychain) and click OK.
Creating an Encrypted Disk Image from Existing Data
If you must maintain data confidentiality when transferring files from your computer but you dont need to encrypt files on your computer, create a disk image from existing data. Such situations include unavoidable plain text file transfers across a network, such as mail attachments or FTP, or copying to removable media, such as a CD or floppy disk. If you plan to add files to this image instead of creating an image from existing data, create an encrypted disk image and add your existing data to it. For information, see Creating an Encrypted Disk Image on page 134. To create an encrypted disk image from existing data: 1 Open Disk Utility. 2 Choose File > New > Disk Image from Folder. 3 Select a folder, and click Image. 4 Choose File > New > Blank Disk Image. 5 Enter a name for the image and choose where to store it. 6 Choose a format by clicking the Format pop-up menu. The compressed disk image format can help you save hard disk space by reducing your disk image size. 7 Choose an encryption method by clicking the Encryption pop-up menu. AES-128 or AES-256 provide strong encryption. 8 Click Save.

Chapter 9 Avoiding Multiple Simultaneous Account Access
Ensuring Data Integrity with Backups
Use this chapter to learn about secure ways of backing up data and preventing unauthorized access to backups.
Most organizations perform backups to protect data from being lost. However, many organizations dont consider that their backups can be compromised if not securely stored on media.
Understanding the Time Machine Architecture
Time Machine is based on the Mac OS X HFS+ file system. It tracks file changes and detects file system permissions and user access privileges. When Time Machine performs the initial backup, it copies the contents of your computer to your backup drive to protect the data from unauthorized uses. Every subsequent backup is an incremental backup, which copies only the files that have changed since the previous backup.
Deleting Permanently from Time Machine backups
You can permanently delete files or folders from your computer and Time Machine backups using Time Machine. This prevents any old sensitive data that you no longer need from being recovered. To permanently delete files or folders from Time Machine backups: 1 Delete the file or folder from your computer. 2 Open Time Machine. 3 Select the file for folder you want to permanently delete from Time Machine. 4 Click the Action pop-up menu and select Delete All Backups of File or Folder name. 5 When the warning message appears, click OK to permanently delete the file or folder. All backup copies of your file or folder are permanently deleted from your computer.
Storing Backups Inside Secure Storage
You can also perform backups of specific files or folders that contain sensitive data by placing your data in an encrypted disk image. This image can then be placed on any server that is backed up regularly and still maintain the integrity of your data because it is protected by encryption. For example, Mac users that are in a Windows Server environment can use this method of backing up to ensure that sensitive data is secure and regularly backed up. To securely encrypt and back up data: 1 Create a disk image. For more information about creating a disk image, see Encrypting Portable Files on page 134. 2 Mount the disk image. 3 Copy the files you want to back up onto the disk image. 4 Unmount the image and copy it to your backup media. If youre in a Windows Server environment, copy your image to a folder that is backed up by the Windows server. Your data will be encrypted and backed up.
Restoring Backups from Secure Storage
If you accidentally delete or lose a file, you can restore it from your encrypted backup media. To restore from your encrypted backup: 1 Access the media that contains your disk image backup. 2 Mount the disk image and, if prompted, enter your password for the image file. If the image is on a network, you dont need to copy it locally. It will securely mount across the network because the data is encrypted. 3 Copy the backup of the file you lost locally to your computer. 4 Unmount the disk image.

Securing the Back to My Mac (BTMM) Service
The new Back to My Mac (BTMM) feature in Mac OS X v10.5 gives you access to other computers over the Internet. BTMM requires you to have a.Mac account. BTMM uses your.Mac account to create a secure connection to the computer your are accessing over the Internet. Both computers must be must be signed into your.Mac account and have BTMM enabled. A new installation of Mac OS X v10.5 has BTMM enabled by default. However, the computer cannot be reached until sharing services are enabled in Sharing preferences. Note: You can only connect to computers using BTMM that are running Mac OS X v10.5 or later.
BTMM Service Architecture
To ensure that network connections between computers are secure over the Internet, BTMM uses a technology called IPSec to encrypt data. To provide secure and trusted authentication, BTMM uses Kerberos with digital certificates. Kerberos provides an additional convenience: it eliminates the need for you to enter your username and password each time you want to reach another computer in your BTMM network.

Securing BTMM Access

Computers in your BTMM network can discover and authenticate to configured sharing services. Consider the following to secure each computer in your BTMM network: Choose a strong password for your.Mac account. Anyone who knows your.Mac password can access all computers in your BTMM network. Therefore, it is important to choose a strong password and keep it safe. When creating your password, use Password Assistant to help you create a strong password. Consider who has physical access to your computers. Anyone who knows the login name and password of your computer can potentially access shared services on all other computers. Set a strong password for your Mac OS X user account in the Accounts pane of System Preferences. Before you disconnect from sharing a screen with a remote computer, lock the screen on the remote computer. To secure computers that are not part of your BTMM network: 1 Open the Security preferences. 2 Click the Require password to wake this computer from sleep or screen saver checkbox. 3 Close Security preferences, then close System Preferences. 4 Open Keychain Access (in Application/Utilities/). 5 From the Keychain Access menu, choose Preferences. 6 In the General pane, click the "Show Status in Menu Bar" checkbox.

$ scp ~/.ssh/id_dsa.pub username@ipaddress:~/.ssh/authorized_keys
Replace username with the name of a user on the server. Replace ipaddress_or_hostname with the IP address or host name of the server. This command copies the clients public key into the servers.ssh/ folder and renames the key to authorized_keys. 7 On the client, authenticate with the password of the user whose name you entered. 8 On the server, enter the following command and authenticate, if requested:
$ sudo pico /private/etc/sshd_config
This command loads the sshd_config file in the pico text editor. For information about how to use pico, enter man pico in a Terminal window. 9 On the server, edit the following lines, removing the # when replacing original values:
Default #PermitRootLogin yes #PasswordAuthentication yes #PermitEmptyPasswords no #PubKeyAuthentication yes #RSAAuthentication yes Replace with PermitRootLogin no PasswordAuthentication no PermitEmptyPasswords no PubKeyAuthentication yes RSAAuthentication no Notes Prevents logging in as root through SSH. Disables password authentication. Denies access to accounts without passwords. Enables key-based authentication. Disables RSA authentication. (Not needed for key-based authentication.) Disables Rhost authentication. (Not needed for key-based authentication.)
#RhostsRSAAuthentication no
RhostsRSAAuthentication no
#ChallengeResponseAuthentication yes #UsePAM yes #StrictModes yes
ChallengeResponseAuthentication Not needed for key-based no authentication. UsePAM no StrictModes yes Not needed for key-based authentication. Ensures that files and folders are adequately protected by the servers permissions scheme.
Default #LoginGraceTime 2m
Replace with LoginGraceTime 30
Notes Reduces the time allowed to authenticate to 30 seconds. Ensures that the server key is changed frequently. Requires that the server key is 1024 bits. Restricts OpenSSH so it only uses SSH2. You must add this line. Replace username with the name of the account you want to log in as.

#KeyRegenerationInterval 1h #ServerKeyBits 768 #Protocol 2,1
KeyRegenerationInterval 3600 ServerKeyBits 1024 Protocol 2 AllowUsers username
10 On the client, enter the following command:
11 Authenticate, if requested. 12 On the client, edit the following lines:
Default #PasswordAuthentication yes #RSAAuthentication yes Replace with PasswordAuthentication no RSAAuthentication no Notes Disables password authentication. Disables RSA authentication. (Not needed for key-based authentication.)
13 On the client, test the SSH connection by entering the following command:
Replace username with the name of a user on the server. Replace ipaddress_or_hostname with the IP address or host name of the server. When you connect to a host using the IP address, entries are created in the ssh_known_hosts file. If you connect to the same host using its host name, a separate entry is created in the ssh_known_host file because each connection is treated as a unique connection. If successful, you are prompted to enter your passphrase for the key.
Preventing Connection to Unauthorized Host Servers
You can prevent your computer from connecting to rogue SSH servers by modifying your /etc/ssh_known_hosts file. This file lists the servers you are allowed to connect to, including their domain names and their public keys. To prevent your computer from connecting to unauthorized servers: 1 If ~/.ssh/ doesnt exist, enter the following command:

$ mkdir ~/.ssh/

2 If ~/.ssh/known_hosts exists, enter the following command to remove it:

$ srm ~/.ssh/known_hosts

3 Use SSH to connect to every server you want to allow access to by entering the following command for each server:
Replace username with the name of a user on the server. Replace ipaddress_or_hostname with the IP address or host name of the server. When you connect to a host using the IP address, entries are created in the ssh_known_hosts file. If you connect to the same host using its host name, a separate entry is created in the ssh_known_hosts file because each connection is treated as a unique connection. 4 When you are asked to verify the servers public key fingerprint, enter yes if it matches the servers public key fingerprint. You can display the servers public key fingerprint by entering the following on the server:
5 Enter the following command:

Understanding the Policy Database
The policy database is a property list that consists of two dictionaries: The rights dictionary The rules dictionary

The Rights Dictionary

The rights dictionary contains a set of key/value pairs, called right specifications. The key is the right name and the value is information about the right, including a description of what the user must do to acquire the right. The following is an extract from the policy database installed on your system.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC.> <plist version="1.0"> <dict>. <key>rights</key> <dict>
<key></key> <dict> <key>class</key> <string>rule</string> <key>comment</key> <string>Matches otherwise unmatched rights (i.e., is a default).</ string> <key>rule</key> <string>default</string> </dict> <key>system.device.dvd.setregion.initial</key> <dict> <key>class</key> <string>user</string> <key>comment</key> <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string> <key>group</key> <string>admin</string> <key>shared</key> <true/> </dict>. <key>config.add.</key> <dict> <key>class</key> <string>allow</string> <key>comment</key> <string>Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.</string> </dict>.
In this extract from the policy database, there are three rights: The right specification with an empty key string is known as the default right specification. To obtain this right a user must satisfy the default rule which, by default on current versions of Mac OS X, is to prove that they are an administrator. system.device.dvd.setregion.initial controls whether the user is allowed to set the initial region code for the DVD drive. By default, a user must prove that they are an administrator (in group admin) to set the DVD region. config.add. is a wildcard right specification (it ends with a dot) that matches any right whose name starts with the config.add. characters. This right controls whether a user can add a right specification to the policy database. By default any user can add a right specification.

Log files are rotated by a launchd job, and the rotation occurs if the computer is on when the job is scheduled. By default, log rotation tasks are scheduled between midnight and 1 in the morning, to be as unobtrusive as possible to users. If the system will not be powered on at this time, adjust the settings in /etc/newsyslog.conf. For information about editing the /etc/newsyslog.conf file, issue the man command in a Terminal window.

newsyslog.conf

Remote System Logging
In addition to local logging, consider using remote logging. Local logs can be altered if the computer is compromised. When deciding whether to use remote logging, consider the following issues. If these issues outweigh the benefits of remote logging, dont use remote logging. The syslog process sends log messages in the clear, which could expose sensitive information.
Too many log messages will fill storage space on the logging system, rendering further logging impossible. Log files can indicate suspicious activity only if a baseline of normal activity is established and if the logs are monitored for such activity. The following instructions assume a remote log server exists on the network. To enable remote logging: 1 Open /etc/syslog.conf as root. 2 Add the following line to the top of the file, replacing your.log.server with the name or IP address of the log server, and keeping all other lines intact:

*.* @your.log.server

3 Exit, saving changes. 4 Send a hangup signal to syslogd to make it reload the configuration file:
$ sudo killall HUP syslogd

Auditing System Activity

Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and the methods used for successful and failed access attempts. Mac OS X includes a suite of auditing tools to manage, refine, and view auditing logs. You install these tools from the installation disc. For information about these auditing tools, see the Common Criteria Configuration and Administration guide, available at www.apple.com/support/security/commoncriteria/.

Security Auditing

Auditing is the capture and maintenance of information about security-related events. Auditing helps determine the causes and methods used for successful and failed access attempts. The audit subsystem allows authorized administrators to create, read, and delete audit information. The audit subsystem creates a log of auditable events and allows the administrator to read audit information from the records in a manner suitable for interpretation. The default location for these files is the /var/audit/ folder. The audit subsystem is controlled by the audit utility located in the /usr/sbin/ folder. This utility transitions the system in and out of audit operation. The default configuration of the audit mechanism is controlled by a set of configuration files in the /etc/security/ folder.

Open Directory 69 Open Firmware interface 52 Open Firmware password 2930, 5254, 120121 open source software 2021 owner permission 124
packages, file 38 Parental Controls 25, 6264, 101103 Password Assistant 7071, 86 passwords authentication setup 7071, 148149 changing 8587 command-line tools 54 firmware 2930, 5254, 120121 keychain 75 master FileVault 131134 Startup Disk preferences 120121 tokens 73 vs. key-based authentication 178 PDFs, encrypted 136 permissions access 20 disk 3739 folders 129130 manipulating 126 overview 123129 user 174 viewing 124 physical access, securing 41 physical computers hardware security 41 PKI (public key infrastructure) 22, 147, 157, 178 See also certificates plug-ins 155 policy database 191194
portable computers FileVault 130 keychains 79 mobile accounts 68 portable files, encrypting 134136 portable keychains 79 POSIX (Portable Operating System Interface) 38, 124129 PPTP (Point-to-Point Tunneling Protocol) 162 preferences accounts 8587 appearance 8889 Bluetooth wireless 8990, 189190 CDs 90, 172 cookies 155 DVDs 90, 172 fax 104106 overview 8182 QuickTime 106107 screen saver 9394 See also managed preferences speech recognition 116 time 9193 Print & Fax preferences 104106 Printer Sharing 175 privacy option, iChat service 158 private browsing 150 private key 178 privileges, administrator 167168 privileges vs. permissions 37 protocols. See specific protocols proxy settings 156 public key cryptography 198199 public key infrastructure. See PKI pwpolicy command 73
Quarantine 25 QuickTime cache 106 QuickTime preferences 106107
read/write disk images 134 recent items list 8889 Remote Apple Events 186 remote images in email 148 Remote Login 176185 remote server login 187 remote system logging 201202 removable media FileVault limitations 130, 134 rights dictionary 191193 right specifications 191193 root permissions 51, 6566 rules dictionary 193
Safari preferences 150, 152156 sandboxing 24 screen saver preferences 9394, 108 Screen Sharing 173 searching preferences 118120 Secure Empty Trash command 139 Secure iChat certificate 157 secure notes 74 Secure Sockets Layer. See SSL Secure Transport 22 security 141142, 143, 159 security architecture overview 2023 security-mode environment variable 54 security-password environment variable 54 Security preferences 107110, 163 Server Message Block/Common Internet File System. See SMB servers authentication 151152 fingerprints 177, 184185 securing connections 180 server-side authentication 151 Setup Assistant 32 SHA-1 digest 37 shared resources printers 104, 106 user accounts 60 share points 173174 Sharing preferences 112113, 163, 177, 186190 Simple Finder 63 single sign-on (SSO) authentication 7172 See also Kerberos single-user mode 51 sleep mode, securing 9697, 108 smart cards 2627, 72 SMB (Server Message block) 173174 software, networking 147166 Software Update service 33, 3436, 114 Sound preferences 115 sparse images 134 speech recognition preferences 116 Spotlight preferences 118120 srm command 138 SSH (secure shell host) 176185 ssh command 176185 SSL (Secure Sockets Layer) 22, 147, 157 standard user accounts 59 startup, securing 5152 Startup Disk preferences 120121 stealth mode 165 sudo tool 6568, 167168 su tool 66 swap file 108 synchronization 8385, 154 syslogd configuration file 200 system administrator (root) account 6568