
I was going through some literature on managing OS X laptops and asked someone some questions about usage scenarios when using the MacBooks. I asked someone more knowledgeable than I about whether it was possible for my Mac to be taken over if I were visiting another site for a conference or if I went on a wifi network at a local coffee house with policies from an OS X Server with workgroup manager (either legit for the site or someone running a version of OS X Server on hardware they have hidden somewhere on the network), which apparently could be set up to do things like limit my access to Finder or impose other neat whiz-bang management features.

He said that it is indeed possible for it to happen, as it would be assigned via the DHCP server: the OS X server would assume my Mac is a guest and could hand out restrictions, and apparently my Mac will happily accept them without notifying me or giving me an option, unlike Windows, which I believe would need to be joined to a domain before it becomes "managed" by Active Directory.

So my question is: as network admins and sysadmins with users traveling with MacBooks, is there a way to reasonably protect your users from having their machines hijacked without resorting to just turning off networking all the time? Or isn't this much of a security hazard? What threat does this pose to the road warriors in your businesses?

Bart Silverstrim

1 Answer


Your friend is potentially correct:

If your Mac is set to get its directory search path automatically, then it can bind to a DHCP-supplied LDAP server. The danger here is that root is root: the MacBook doesn't realise that it's not the root account from its "home" LDAP directory and happily treats it as if it were.

If you set the directory search path to custom, then it only binds to LDAP servers you have specified and totally avoids the problem.

Also, as you mention, if you have no need of LDAP - for instance, if you authenticate against a Windows AD domain or just have a local account - you can uncheck the LDAP v3 box.

See chapter 2 of the OpenDirectory Admin guide for more info.

Jon Rhoades
  • So I can prevent it from happening by using the directory utility to get rid of binding to any LDAP directory that's not the local MacBook? – Bart Silverstrim Apr 15 '10 at 10:15
  • Which is...duh...what you just said. I just have to figure out how to point it just to the local system's LDAP directory...I'll have to search the link you supplied... – Bart Silverstrim Apr 15 '10 at 10:16
  • I set the directory utility to search local in the search policy and now only have "BSD Flat File and NIS" and "Local" set in Services, unchecking LDAP3 and Active Directory. Hopefully that'll mitigate the threat of having control unknowingly stolen. – Bart Silverstrim Apr 15 '10 at 10:26
  • Yes, just having local - which you can't get rid of anyway - will protect you. Of course it only works if you don't need to bind to a LDAP server. – Jon Rhoades Apr 15 '10 at 13:20
  • Hopefully that mitigates the management-without-permission thing. I'd hate to have to troubleshoot my own laptop and find out it's because of "stuck" management settings after being on another network during a conference or hotel stay. And who kn – Bart Silverstrim Apr 15 '10 at 22:32
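An added example (not part of the answer or the comments) that checks the setting the answer recommends: it reads the output of the real `dscl localhost -read /Search` command and reports whether the search policy is still "automatic" (the NSPSearchPath policy, which follows a DHCP-supplied LDAP server) or whether an `/LDAPv3/` node remains in a custom path. The `dscl` output samples below are constructed and the LDAP hostname is a placeholder; when `dscl` is not installed the script audits the constructed sample instead.

```shell
#!/bin/sh
# Audit a Mac's directory-services search policy for the DHCP-supplied-LDAP
# exposure discussed above. Input is the text printed by
# `dscl localhost -read /Search` (read from stdin). Prints one of:
#   RISK-AUTOMATIC  policy is "automatic" (NSPSearchPath): follows DHCP LDAP
#   RISK-LDAP       local/custom policy, but an /LDAPv3/ node is still in the path
#   OK              local or custom policy with no LDAPv3 node
audit_search_policy() {
    policy=""
    path=""
    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "SearchPolicy:"*) policy="${line#SearchPolicy: }" ;;
            "SearchPath:"*)   path="${line#SearchPath: }" ;;
        esac
    done
    case "$policy" in
        *NSPSearchPath*) echo "RISK-AUTOMATIC"; return 0 ;;
    esac
    case "$path" in
        */LDAPv3/*) echo "RISK-LDAP"; return 0 ;;
    esac
    echo "OK"
}

# Constructed samples in the shape dscl prints (hostname is a placeholder).
SAMPLE_AUTOMATIC='AppleMetaNodeLocation: /Search
NSPSearchPath: /Local/Default /BSD/local /LDAPv3/ldap.example.test
SearchPath: /Local/Default /BSD/local /LDAPv3/ldap.example.test
SearchPolicy: dsAttrTypeStandard:NSPSearchPath'

SAMPLE_LOCAL='AppleMetaNodeLocation: /Search
LSPSearchPath: /Local/Default /BSD/local
SearchPath: /Local/Default /BSD/local
SearchPolicy: dsAttrTypeStandard:LSPSearchPath'

# On a Mac, audit the live setting; elsewhere, audit the constructed sample.
if command -v dscl >/dev/null 2>&1; then
    dscl localhost -read /Search | audit_search_policy
else
    printf '%s\n' "$SAMPLE_AUTOMATIC" | audit_search_policy
fi
```

A result other than OK means the machine still trusts a directory node it did not get from you; the fix described in the answer is to set the search policy to local or custom in Directory Utility and remove the LDAPv3 node.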