1. Maintain good physical security.
2. Use only strong passwords, and change them regularly.
3. Configure the built-in firewall software to block access to all ports you are not using. (Choose the Sharing pane in System Preferences.)
4. Give as few people admin (root) access as is practical.
5. Change all admin passwords at least once every three months.
6. If the machine provides any services (such as Post Office Protocol [POP], Internet Mail Access Protocol [IMAP], or File Transfer Protocol [FTP]) that use unencrypted passwords, set up special shells for the users of those services so that they cannot log in to a standard shell. This defends against password-sniffing attacks by preventing a sniffed user name and password from being used to log in to a regular shell.
7. Do not allow Telnet access (it uses an unencrypted connection to provide shell access, so everything sent in the connection, including passwords, is susceptible to interception by bad people).
8. Only run servers you actually need. For example, do not run an e-mail server unless you need to.
9. Keep your software (especially servers) up to date.
10. Monitor the Computer Emergency Response Team Web site (www.cert.org) or e-mail lists.
11. Periodically search your system for setuid root files.
12. Create MD5 checksums of all files in /etc and in each of the directories in your PATH. Save these on a CD-ROM, and run an md5sum check against the list every month.
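Items 11 and 12 describe a periodic integrity check. The POSIX shell functions below are an added example, not part of the original checklist: `find_setuid` lists setuid files under a directory tree (item 11), and `make_baseline` / `verify_baseline` / `find_new_files` build an MD5 baseline of the given directories and compare the live files against it (item 12). The script assumes either GNU `md5sum` or BSD/macOS `md5` is on the PATH; the owner argument and the directory arguments are the caller's choice, and the paths in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: helpers for checklist items 11 (setuid search) and 12 (MD5 baseline).

# Item 11: print every regular file under ROOT (default /) that is setuid and
# owned by OWNER (default root). -xdev keeps the search on one filesystem.
find_setuid() {
  root=${1:-/}
  owner=${2:-root}
  find "$root" -xdev -type f -user "$owner" -perm -4000 2>/dev/null | sort
}

# Print only the MD5 hex digest of one file, using whichever tool exists:
# md5sum (GNU/Linux) or md5 -q (BSD/macOS).
checksum_file() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    md5 -q "$1"
  fi
}

# Item 12, step 1: write "digest<TAB>path" for every regular file in the
# given directories to OUT (the list you burn to read-only media).
make_baseline() {
  out=$1; shift
  : > "$out"
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -type f 2>/dev/null | sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(checksum_file "$f")" "$f"
    done >> "$out"
  done
}

# Item 12, step 2: re-hash every path in BASELINE and report differences.
# Returns 0 when nothing changed, 1 when a file changed or disappeared.
verify_baseline() {
  baseline=$1
  status=0
  while IFS="$(printf '\t')" read -r want f; do
    if [ ! -f "$f" ]; then
      echo "MISSING  $f"; status=1; continue
    fi
    have=$(checksum_file "$f")
    if [ "$have" != "$want" ]; then
      echo "CHANGED  $f"; status=1
    fi
  done < "$baseline"
  return $status
}

# Item 12, step 3: files present now in the given directories that the
# baseline does not know about (a hash list alone cannot reveal these).
find_new_files() {
  baseline=$1; shift
  now=$(mktemp)
  for d in "$@"; do find "$d" -type f 2>/dev/null; done | sort > "$now"
  cut -f2 "$baseline" | sort | comm -13 - "$now"
  rm -f "$now"
}

# Usage (placeholder paths; the baseline belongs on read-only media):
#   find_setuid /                                    # item 11
#   make_baseline /Volumes/baseline/etc.md5 /etc     # item 12, once
#   verify_baseline /Volumes/baseline/etc.md5        # item 12, monthly
#   find_new_files  /Volumes/baseline/etc.md5 /etc   # item 12, monthly
```

Run `make_baseline` once per directory set and keep the output where the machine cannot rewrite it; a monthly cron job can then call `verify_baseline` and `find_new_files` and mail anything they print. Changes to a file's hash and files that vanished are reported by `verify_baseline`; `find_new_files` covers the third case the original item does not mention, a file that appeared after the baseline was taken.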