Enforcing CIS Apple OSX 10.11 Benchmark with Centrify

By Centrify Advisor II, 12-14-2016 02:02 PM

Center for Internet Security (CIS) Security Benchmarks are consensus-based security configuration guides developed and accepted by government, business, industry, and academia. Organizations worldwide use the benchmarks to help meet compliance requirements for FISMA, PCI, HIPAA and more. The CIS Apple OSX 10.11 Benchmark provides prescriptive guidance for establishing a secure configuration posture for Apple OSX 10.11. Centrify lets you manage these security settings on the Mac through Active Directory Group Policy. The list below maps each benchmark item to how it is handled with Centrify.

Note: Be sure to test and review the settings before deploying into production. Some settings may interfere with normal operations.

1.2 Enable Auto Update

See instructions

1.3 Enable app update installs

See instructions

1.4 Enable system data files and security update install

See instructions

1.5 Enable OS X update installs

See instructions

2.2.1 Enable "Set time and date automatically"

Centrify automatically configures the Mac to use your domain controller as its NTP server once the Mac is bound to AD through the Centrify agent.

2.3.1 Set an inactivity interval of 20 minutes or less for the screen saver

See instructions

2.3.3 Verify Display Sleep is set to a value larger than the Screen Saver

See instructions

2.4.1 Disable Remote Apple Events

See instructions

2.4.2 Disable Internet Sharing

See instructions

2.4.4 Disable Printer Sharing

See instructions

2.4.5 Disable Remote Login

See instructions

2.4.8 Disable File Sharing

See instructions

2.4.9 Disable Remote Management

See instructions

2.5.1 Disable "Wake for network access"

See instructions

2.5.2 Disable sleeping the computer when connected to power

See instructions

2.6.1 Enable FileVault

See instructions

2.6.2 Enable Gatekeeper

See instructions

2.6.3 Enable Firewall

See instructions

2.6.4 Enable Firewall Stealth Mode

See instructions

2.7.1 iCloud configuration

See instructions

2.7.2 iCloud keychain

See instructions

2.7.3 iCloud Drive

See instructions

4.3 Create network specific locations

See instructions

4.4 Ensure http server is not running

See instructions

4.5 Ensure ftp server is not running

See instructions

5.2.1 Configure account lockout threshold

The domain account lockout threshold policy will apply when the Mac is bound to Active Directory.

5.2.2 Set a minimum password length

Domain password policies will apply when the Mac is bound to Active Directory.

5.2.3 Complex passwords must contain an Alphabetic Character

Domain password policies will apply when the Mac is bound to Active Directory.

5.2.4 Complex passwords must contain a Numeric Character

Domain password policies will apply when the Mac is bound to Active Directory.

5.2.5 Complex passwords must contain a Special Character

Domain password policies will apply when the Mac is bound to Active Directory.

5.2.6 Complex passwords must contain uppercase and lowercase letters

Domain password policies will apply when the Mac is bound to Active Directory.

5.2.7 Password Age

Domain password policies will apply when the Mac is bound to Active Directory.

5.2.8 Password History

Domain password policies will apply when the Mac is bound to Active Directory.

5.6 Enable OCSP and CRL certificate checking

See instructions

5.8 Disable automatic login

See instructions

5.9 Require a password to wake the computer from sleep or screen saver

See instructions

5.10 Require an administrator password to access system-wide preferences

See instructions

5.12 Create a custom message for the Login Screen

See instructions

5.13 Create a Login window banner

See instructions

5.14 Do not enter a password-related hint

See instructions

5.15 Disable Fast User Switching

Fast User Switching is disabled by default, but the setting can be managed by Centrify through group policy. To learn more, see instructions.

5.16 Secure individual keychains and items

See instructions

5.19 Install an approved TokenD for smartcard authentication

A TokenD module is automatically installed with the Centrify Mac Agent. See instructions for configuring smart card authentication.

6.1.1 Display login window as name and password

See instructions

6.1.2 Disable "Show password hints"

See instructions
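Group policy tells you what was pushed; it does not tell you what actually landed on the endpoint. The bash script below is an added example (not part of the original post and not Centrify's own tooling) that spot-checks a subset of the items above on a bound Mac using the audit commands the CIS 10.11 benchmark itself prescribes (`defaults read`, `systemsetup`, `fdesetup`, `spctl`, `pmset`). The `check`, `read_default` and `audit_mac` function names and the PASS/FAIL output format are mine; the expected values in the regexes follow the benchmark's audit sections. The live checks run only on macOS (`uname -s` reports Darwin), and `systemsetup` needs root, so run it with sudo.

```bash
#!/bin/bash
# Added example: verify a handful of CIS Apple OSX 10.11 items on a Mac after
# Centrify group policy has applied. Not part of the original post.

# Compare an observed value against an expected regex.
# Prints PASS/FAIL for the report and returns 0 (pass) or 1 (fail).
check() {
  local item="$1" observed="$2" expected_re="$3"
  if printf '%s\n' "$observed" | grep -Eq -- "$expected_re"; then
    printf 'PASS  %-6s observed=%s\n' "$item" "$observed"
    return 0
  fi
  printf 'FAIL  %-6s observed=%s expected=/%s/\n' "$item" "$observed" "$expected_re"
  return 1
}

# Read one key from a preference domain with `defaults`.
# An absent domain or key makes `defaults` fail; report that as "missing"
# so the caller can decide whether absence is acceptable (e.g. no autoLoginUser).
read_default() {
  defaults read "$1" "$2" 2>/dev/null || printf 'missing'
}

# Live audit. Item numbers match the benchmark list above.
# Returns the number of failed items (0 means everything checked passed).
audit_mac() {
  local fails=0
  check 1.2   "$(read_default /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled)" '^1$' || fails=$((fails+1))
  check 1.3   "$(read_default /Library/Preferences/com.apple.commerce AutoUpdate)" '^1$' || fails=$((fails+1))
  check 2.2.1 "$(systemsetup -getusingnetworktime 2>/dev/null)" 'Network Time: On' || fails=$((fails+1))
  check 2.4.1 "$(systemsetup -getremoteappleevents 2>/dev/null)" 'Remote Apple Events: Off' || fails=$((fails+1))
  check 2.4.5 "$(systemsetup -getremotelogin 2>/dev/null)" 'Remote Login: Off' || fails=$((fails+1))
  # 2.5.1: "womp" (wake on magic packet) must be 0 in the active power profile.
  check 2.5.1 "$(pmset -g 2>/dev/null | awk '/womp/ {print $2}')" '^0$' || fails=$((fails+1))
  check 2.6.1 "$(fdesetup status 2>/dev/null)" '^FileVault is On' || fails=$((fails+1))
  check 2.6.2 "$(spctl --status 2>/dev/null)" '^assessments enabled' || fails=$((fails+1))
  # 2.6.3: globalstate 1 = on for specific services, 2 = block all incoming; 0 = off.
  check 2.6.3 "$(read_default /Library/Preferences/com.apple.alf globalstate)" '^[12]$' || fails=$((fails+1))
  check 2.6.4 "$(read_default /Library/Preferences/com.apple.alf stealthenabled)" '^1$' || fails=$((fails+1))
  # 5.8: automatic login is off when no autoLoginUser key exists at all.
  check 5.8   "$(read_default /Library/Preferences/com.apple.loginwindow autoLoginUser)" '^missing$' || fails=$((fails+1))
  check 5.15  "$(read_default /Library/Preferences/.GlobalPreferences MultipleSessionEnabled)" '^0$' || fails=$((fails+1))
  check 6.1.1 "$(read_default /Library/Preferences/com.apple.loginwindow SHOWFULLNAME)" '^1$' || fails=$((fails+1))
  check 6.1.2 "$(read_default /Library/Preferences/com.apple.loginwindow RetriesUntilHint)" '^0$' || fails=$((fails+1))
  return "$fails"
}

# Only run the live audit on macOS; on other systems the functions are merely defined.
if [ "$(uname -s)" = "Darwin" ]; then
  audit_mac
  echo "failed items: $?"
fi
```

Items that the page says are inherited from the domain (5.2.x password and lockout policy) are deliberately not in the script: they are enforced by Active Directory at authentication time rather than stored as local preferences, so a `defaults read` would tell you nothing about them. A FAIL on any other item after a group policy refresh usually means the policy has not yet applied to that Mac or a local setting is overriding it, which is exactly the kind of drift the note at the top of this post warns you to test for before rollout.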

Comments

By Centrify Advisor II on 12-14-2016 02:10 PM

Benchmarks for 10.12 are now available from Center for Internet Security. We will post an update for the new benchmarks.
