Mac OS Hardening Security Tips to Protect Your Privacy

When you get a new computer, setting it up is rarely a breeze, but if you’re privacy focused, things get even more complex. Mac security settings can be especially challenging to configure, as all kinds of activities are kept hidden behind the scenes. If you’re setting up a new machine or upgrading to the latest version of OS X, it’s never a bad idea to check your privacy settings.

There are many ways you can lose data, and each is a reason to regularly back up your files. Furthermore, downloading files and exchanging files with others is fraught with risks, and the number of threats targeting Macs continues to rise. Whether or not you use a personal computer or a public computer, there are plenty of actions you can take to improve your security and privacy. Here are 15 Mac-hardening security tips to lock down your Mac and your data.

Lock Down Access to Your Mac

1. Create a standard account (non-admin) for everyday activities

When setting up a new Mac, the OS X setup assistant asks you for your name, a user name and a password, and uses this information to set up your first user account. Since there has to be at least one user with administrative privileges on your Mac, that first account is an administrator account. While this is useful — you can install software, and perform other actions, after entering your password — it can also be risky.

An administrator may make mistakes, and they can change or delete any file. They can also install any software, which may be a risk, if the software is malicious. Standard users, however, have limited access rights on a Mac. They can use, change, and create files in their home folder, access folders on shared volumes if the permissions allow it, change settings to non-secure preferences in System Preferences, and install some software (if it doesn’t need install items in the System or Library folders). While standard accounts are more limited, it can be useful to use for daily work, just to be safe.

Log into that second account, and use it for your everyday activities, and to store your personal files. Whenever an administrator’s password is required, type the admin user name, and the appropriate password. While this will lead to more password requests than if you were working under an admin account, each of these requests should raise a red flag and make you think whether you should be entering your password.

While using a standard account is not full blown protection from malware, it does protect from some types of malware, and can provide a warning that something is going on. It can also prevent you from blundering by deleting files that you didn’t mean to erase. So using two accounts is a tiny bit of hassle that is worth trying out to save you from potential disasters.

2. Disable automatic login

When you first set up a new Mac, or when you do a clean installation of a new version of OS X, you create a user account, and that account is set, by default, to log in automatically at startup. This isn’t a problem when you’re at home, but if you use a laptop and travel, this is a serious risk. This automatic login means that anyone who finds your Mac only need to start it up to have access to your files.

You can change this, and tell OS X to display a login screen on boot. To do this, go to the Users & Groups pane of System Preferences, and click on Login Options; you’ll see a menu that lets you choose which user logs in automatically at startup, or you can choose Off from this menu to turn off automatic login. Another way to change this is in the Security & Privacy preferences. In System Preferences, click on the General tab, and you’ll see an option to Disable Automatic Login.

3. Uninstall the standalone Flash Player

Lately, many security folks have been calling for the death of Flash Player — and for good reasons. Adobe Flash is riddled with vulnerabilities, and requires constant software updates to patch new flaws. If you don’t need to use Flash Player, you should uninstall it. There are two ways you can do this: use the Adobe Flash Uninstaller, or remove it manually. To do this manually, follow these instructions from Adobe’s uninstall guide.

4. Use a password manager to help cope with phishing attacks

We routinely recommend that all Mac users create secure passwords; it’s important to create complex, unique passwords so they’re more difficult to crack. Unfortunately, the more complicated your passwords, the easier they are to forget. There’s a lot to love about password managers, including not having to remember so many unique passwords. Take a look at our list of 8 password manager options for Mac and iOS, and see which one works best for you.

5. Run a two-way firewall (outbound/inbound protection)

Apple’s built-in firewall offers inbound network protection. But did you know inbound firewalls only protect against certain kinds of attacks? With the increasing frequency of new malware and targeted attacks, the best defense is implementing multiple layers of protection. If there is unknown malware on your machine, you want to be able to prevent it from connecting to the Internet — only firewall with outbound protection offer this security. Outbound firewall protection is arguably the most important component of two-way firewall software, at least from an anti-malware perspective. Outbound firewalls are remarkably good at alerting you about a piece of software that you know full well you downloaded, but didn’t think would be connecting to the Internet. Two-way firewall like  offer real protection, because they combat inbound threats and can prevent malicious programs on your machine from calling out to the Internet; in turn, this provides locks down access to your machine while preventing data from leaking out.

Check Your OS X Settings

1. Enable full disk encryption

A sound security strategy is to encrypt important data files and folders for an additional layer of protection. This way, if your Mac is stolen, they thieves won’t get access to your private data. Apple’s FileVault full disk encryption has been around for some time and it’s a great idea to turn this on. FileVault encrypts your entire hard drive using XTS-AES 128, a secure encryption algorithm. The reason why you should enable this feature on your Macs and MacBooks is if your hard drive isn’t fully encrypted, anyone who manages to steal your computer can access any data on it. With FileVault enabled, as soon as your Mac is shut down, its entire drive is encrypted and locked up. Only when an authorized user turns the Mac on and logs in are the drive’s contents unlocked. (Yet another reason why it’s a good idea not to have an obvious password.) To enable FileVault, first make sure you have logged into OS X with an administrator’s account, and go to System Preferences > Security & Privacy > FileVault. Once there, press Turn on FileVault.

2. Disable Spotlight Suggestions 

OS X Yosemite has a revamped version of Spotlight, which can serve up suggestions from the Internet. However, if you aren’t careful to change its default settings, OS X Yosemite’s Spotlight can leak your private information back to Apple. And that information may not just be shared with Apple itself, but also third party providers such as Microsoft’s Bing search engine. For these reasons, you may choose not to use Spotlight web search and, fortunately, if you don’t like the feature — you can turn it off.

Open System Preferences and choose Spotlight. Now deselect Spotlight Suggestions, Bing web searches and anything else that doesn’t suit you. Now, before you relax and pat yourself on the back, you’re not quite done. You have stopped Spotlight from sharing your search queries, but you haven’t stopped OS X’s default browser from doing the same trick. To stop Safari sharing the same information, go to Safari > Preferences > Search, and then disable “Include Spotlight Suggestions.”

What if you’re an iPhone or iPad owner? Disabling this feature is a similar process. Simply go to Settings > General > Spotlight Search, and then disable Spotlight Suggestions, Bing Web Results, or anything else that you don’t want or need.

3. Audit your Security & Privacy settings

How comfortable are you with sharing your physical location with different apps? Do you even know which apps are receiving details of where you are? A quick visit into OS X Yosemite’s System Preferences can reveal all. To update these settings, you need to click on Security & Privacy and choose the Privacy tab. Once there, you can choose Location Services and view whether they are enabled and, if so, which apps can access your location. To make changes to these settings, you may need to unlock the padlock by entering an administrator password.

4. Check for software updates often

Regardless of whether or not you believe malware is a problem on Macs, it’s not the only threat you should be concerned about. As we’ve explained before on The Mac Security Blog, there are multiple ways in which malicious attackers can target your Mac, and this raises the importance of employing a layered approach to security. For these reasons, it’s important to keep your software up-to-date to thwart new security threats.

Mac OS X has a built-in software update tool, called — you guess it — Software Update. You can access this by clicking on the Apple menu in the menu bar. When you launch this program, it will check Apple’s servers to see if any Apple software updates are available. It’s a good idea to to run “Software Update” and patch your Mac promptly when security updates are available.

5. Don’t leave your computer unlocked and unattended, there’s a good chance it won’t be there when you get back

Lock your computer when unattended to keep prying eyes from snagging your information when you are not looking. A valuable trick I learned is to set up screen saver hot corners, so whenever I step away from my Mac I can quickly lock it before I go. To do this, go to System Preferences > Desktop & Screen Saver, and choose “Hot Corners…” You can select one, two, or multiple corners that — when you hover your mouse over — it will start the screen saver, requiring your password to unlock the system.