Companies big and small, administrators of school and university networks, and heads of affluent households are likely to find a few interesting ideas in today’s 3rd edition of our “Best from Apple” series: Protecting the Computer. Whether we’re looking at one computer shared among several users, or multiple machines loaned out to employees, there often comes a time when it becomes necessary to restrict the amount of damage a given user is allowed to inflict on a computer system. Unix users have for decades had these principles ingrained in their daily computing habits. It is no coincidence that they’re a core part of Mac OS X’s heritage.
Restricting a User from Tampering with the System
Right after the system’s Administrator user has been created, it’s always a good idea to create a non-administrator user who will be the day-to-day operator of the system. To do this, go to the Apple Menu –> System Preferences –> Accounts. Click the “+” icon at the bottom-left. Fill in the usual user credential information. Then click the “Security” tab. At the bottom, be sure the “Allow user to administer this computer” option is unchecked. Back to the left, in the column that lists current users, click “Login Options” with the little “Home” icon. Look for the “Automatically log in as:” line. Ensure the option is checked. Select your newly-created non-administrator (aka “Standard”) user from the pull-down menu. Keep in mind what this trades away: anyone who can reach the keyboard lands in that Standard account without typing a password, which is fine for a shared lab or kiosk machine but means the Administrator account’s password is the only thing standing between the user and the rest of the system, so make it a strong one. You can confirm which account auto-login points at from the Terminal with “defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser”.
A “Standard User” is simply an account that is not a member of the “admin” group. System folders such as /Applications and /Library are owned by root and group-writable only by “admin”, so in practice a Standard User can only write data inside the Home directory (plus shared scratch areas such as /Users/Shared and /tmp). Copying files anywhere else, or modifying the overall system in any way, will always require Administrator credentials.
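A quick way to audit what the preceding paragraph describes is to check the account’s group list and then probe which system locations the account can actually write to. The script below is an added example and not something from the original post or from Apple; it assumes the “admin” group name used by Mac OS X and a list of standard system folders, and the directories it reports as writable depend on which user runs it.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether an account is a
# Standard (non-admin) user and which well-known locations this process can
# write to. Group name "admin" is the Mac OS X convention and is assumed here.

# Return 0 if the space-separated group list ($1) contains group $2.
in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Classify an account from its group list: prints "admin" or "standard".
account_kind() {
    if in_group "$1" admin; then
        echo admin
    else
        echo standard
    fi
}

# Print, one per line, those directories among $@ that exist and that the
# current process is allowed to write into. Missing paths are skipped.
writable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] && echo "$d"
    done
    return 0
}

# Stand-alone run: audit the invoking user (or the user named as $1).
# On a Panther box, a Standard User should see only $HOME and the scratch
# areas listed; /Applications and /Library should be absent from the output.
user=${1:-$(id -un)}
groups_list=$(id -Gn "$user")
echo "$user is a $(account_kind "$groups_list") user (groups: $groups_list)"
echo "writable locations for this process:"
writable_dirs /Applications /Library /System "$HOME" /tmp /Users/Shared
```

Run it once from the Standard account and once from the Administrator account: the difference in the two lists is exactly the set of places the restricted user is kept out of. Note that root (and the Administrator working through “sudo”) will see every directory as writable, so run the audit as the user you are actually curious about.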
While this offers a decent first line of defense against a user tampering with the system, it doesn’t prevent a user from running just about any application they can download and launch from the confines of their home directory, such as, say, file-swapping applications, or just about any other time and bandwidth waster we can think of.
This is where my next favorite little feature of Mac OS X Panther comes in:
Restricting which Applications a User Can Run
The Limitations tab from the same “Accounts” Control Panel is very fun to play with. It allows you to define which applications a Standard User may or may not run through the “Some Limits” selector. The “Simple Finder” selector helps define an even more restricted Kiosk-like user interface. Click back on “No Limits” to remove any of those restrictions.
If I were administering networked Windows machines on which users always find creative ways to run programs they should not be running, properly-configured Mac OS X machines would offer a very appealing alternative. Just for kicks, here’s a screenshot of what happened when I downloaded LimeWire for OS X from my restricted Standard User account and tried running it from my home directory.
Preparing a Customized System. Deploying the System onto Multiple Machines
Bombich Software, one of my favorite OS X software authors, has created a few insanely useful GUI applications that offer friendly interfaces to features built into Mac OS X: Carbon Copy Cloner and NetRestore. CCC lets you create a snapshot of any system onto another mirror hard drive, disk image, or NetRestore set. NetRestore is great for lab deployment of a “Master System”. They’ve got extensive documentation covering the surrounding topics.
In the “Accounts” Control Panel, one might also consider enabling “fast user switching” from “Login Options” at the bottom-left. It lets multiple users be logged into Mac OS X at the same time. Apple has nicely worked out the usability issues surrounding tasks that require Administrator credentials. Even when logged in as a Standard User in Mac OS X Panther, I always find it possible to perform Administrative tasks: when dragging a new application to the system-wide “Applications” folder, the “Access Denied” dialog box offers me an “Authenticate …” button, giving me the opportunity to enter Administrator credentials. It comes in very handy and means I rarely have to switch to my Admin User.