Mac security - help requested.
vbe...@vax1.umkc.edu
I am in need of some information for Mac. I work in a lab where, there
are a lot of users using the macs ( Mac LC II ) and I need to make sure that
the people using the m/cs do not delete other's files or application programs
either accidentally or otherwise. I need to do this because a lot of users we
have are novices to computers / macs and I need to make sure that they do not
have certain privilages (like deleting etc) so that they can't delete or move
application programs.
I am posting this message to a bunch of news groups as I am not sure which news
group deals with this kind of stuff. So kindly excuse my ignorance if this
message appears in the wrong news group.
I will appreciate any help in this regard what ever might be the possible
solution like installing security software, or some hard ware upgrade or card
to be installed etc etc....
Thanks a lot in advance.
Vijayakumar R Bekkem.
Bryan Wu
> I am in need of some information for Mac. I work in a lab where, there
>are a lot of users using the macs ( Mac LC II ) and I need to make sure that
>the people using the m/cs do not delete other's files or application programs
>either accidentally or otherwise. I need to do this because a lot of users we
>have are novices to computers / macs and I need to make sure that they do not
>have certain privilages (like deleting etc) so that they can't delete or move
>application programs.
How about going in with ResEdit and changing the Finder's menus so that
"Empty Trash" is no longer available?
Bryan
oak
>How about going in with ResEdit and changing the Finder's menus so that
>"Empty Trash" is no longer available?
I am not trying to flame you or anything - but that is a really bad
temporary solution to a much more permanate problem.
What if someone wants to delete their own files or folders? What are
you going to do? set up one mac for deleting stuff from you own
disks?? This seems extremely inefficient when there are probably a
million other more efficient ways to take care of this security
problem.
The ability to delete one's own files and folders is essential to a
functional computing environment.
-rachel
can...@yale.edu
Michael Hurd
best one that I can think of for your situation (although I have never used
it personally) is called "At Ease". It allows novice users to access
applications, etc. but not do anything dangerous. This utility is being
offered free with an upgrade to System 7.1 by several software vendors
(MacWarehouse comes to mind).
Hope this helps!
- Mike Hurd
Roy Smith
> There are several programs out there to provide security for the mac. The
> best one that I can think of for your situation (although I have never
> used it personally) is called "At Ease". It allows novice users to access
> applications, etc. but not do anything dangerous.
The original poster needed something to prevent users from deleting
each other's files. At Ease doesn't do anything toward that end, although
it does prevent people from mucking with applications and the system folder
(it is used on all the public Macintoshes here).
It sounds to me like what you need to do is one of two things.
Either force users to keep their files on floppies (which is what they do
here) or get a file server, with each user having their own login.
Personally, I think the file server is a much better way to go, although it
obviously requires an investment in hardware and software(*). The other
problem is that file servers don't seem to interace well with At Ease, since
you don't have access to the desktop to unmount volumes when you are done
with them.
(*) You'll probably have to buy AppleShare server software, which is
not cheap. System 7 comes with a server built-in, but it's not recommended
to be used as a general-purpose file server in a high-load situation for
performance reasons. I've never actually done any real comparisons between
the System 7 file sharing and AS 3.0, however, so for all I know it may work
fine. In fact, our server (AS 3.0 on a IIci with about 4 GBytes of disk
scattered over 3 drives, plus a CD-ROM and DAT drive on 2 SCSI buses) seems
to be limited by disk I/O more than anything else. It's not clear that
different server software would make much difference. Well, let me put it
another way. It's not clear that less sophisticated software could make it
much worse. I think it's painfully obvious that better software could make
it much faster by making better use of asynchronous I/O.
--
Roy Smith <r...@nyu.edu>
Hippocrates Project, Department of Microbiology, Coles 202
NYU School of Medicine, 550 First Avenue, New York, NY 10016
"This never happened to Bart Simpson."
Vilkata TDK
> (*) You'll probably have to buy AppleShare server software, which is
>not cheap. System 7 comes with a server built-in, but it's not recommended
>to be used as a general-purpose file server in a high-load situation for
>performance reasons. I've never actually done any real comparisons between
>the System 7 file sharing and AS 3.0, however, so for all I know it may work
>fine. In fact, our server (AS 3.0 on a IIci with about 4 GBytes of disk
>scattered over 3 drives, plus a CD-ROM and DAT drive on 2 SCSI buses) seems
>to be limited by disk I/O more than anything else. It's not clear that
>different server software would make much difference. Well, let me put it
>another way. It's not clear that less sophisticated software could make it
>much worse. I think it's painfully obvious that better software could make
>it much faster by making better use of asynchronous I/O.
I have System 7.1. I was wondering if there's a way to set it up on a single
Mac. Naturally, I can make it think I'm on an AppleTalk net (with no other
nodes, I guess!) with the chooser.
What I'm interested in is the one they use in the Mac writing labs here at
ISU. It's the one that puts belts on the icons of the folders that you don't
have access to, among other things. I remember the sharing setup (control
panel) screen, so I think it's the same thing, but if it's not, I'd like to
know what it is.
Thanks!
email preferred
dsb...@iastate.edu
--
Vilkata TDK dsb...@iastate.edu
YIKES!
Andrew Geweke
(Vilkata TDK) wrote:
>
> In <1vr5ut$j...@calvin.NYU.EDU> r...@mchip00.med.nyu.edu (Roy Smith) writes:
> > (*) You'll probably have to buy AppleShare server software, which is
> >scattered over 3 drives, plus a CD-ROM and DAT drive on 2 SCSI buses) seems
> >to be limited by disk I/O more than anything else. It's not clear that
> >different server software would make much difference. Well, let me put it
> >another way. It's not clear that less sophisticated software could make it
> >much worse. I think it's painfully obvious that better software could make
> >it much faster by making better use of asynchronous I/O.
>
> I have System 7.1. I was wondering if there's a way to set it up on a single
> Mac. Naturally, I can make it think I'm on an AppleTalk net (with no other
> nodes, I guess!) with the chooser.
>
> What I'm interested in is the one they use in the Mac writing labs here at
> ISU. It's the one that puts belts on the icons of the folders that you don't
> have access to, among other things. I remember the sharing setup (control
> panel) screen, so I think it's the same thing, but if it's not, I'd like to
> know what it is.
Okay. Let's see. For some reason (typo?) the University of Minnesota
Microcomputer department seems to be selling AppleShare Pro 1.0 for
$14.50. This seems 50-100X lower than I've seen it other places, so
who knows?
The "belts" on the folders ARE AppleShare. Personal File Sharing in
System 7.x is like AppleShare w/o the complex privileges, the speed,
and the versatility. Setting up AppleShare *requires* a dedicated,
locked-away server. No, you can't do it on a single Mac -- anyone
with access to the server can run the AppleShare Admin app and do
anything they damn well want to.
At Ease is useful, IMHO, only for small children. More sophisticated
people (I'm talking only junior-high age here -- I've seen it happen
a *lot*) can bypass it. Start up with a system floppy. After you do
this, you can turn it off or even change the password. Deep weeds here,
people.
Personally, I "administer" a few drastically under-funded and mis-
managed labs. (I only make things work; I don't decide the software &
hardware layouts.) I've managed to set up a system of disk partitions
that is absolutely unbeatable. Set up a partition with the system folder
and your applications on it, then lock it. Set up another blank one
that's freely accessible -- just tell everyone not to expect stuff put
there to stay intact for very long.
I've unfortunately failed to find a easy-to-use, 100% (or 99.9999%)
effective security solution yet. At Ease ranks at about 20%.
-----------------------------------------------------------------------
"Run Away!" ! "On ne voit bien qu'avel le coeur. L'essentiel
-- Monty Python ! est invisible aux yeux."
! -- Antoine de Saint-Exupery, Le Petit Prince
Dave Nebinger
do...@tfsquad.mn.org (Andrew Geweke) wrote:
>
> Personally, I "administer" a few drastically under-funded and mis-
> managed labs. (I only make things work; I don't decide the software &
> hardware layouts.) I've managed to set up a system of disk partitions
> that is absolutely unbeatable. Set up a partition with the system folder
> and your applications on it, then lock it. Set up another blank one
> that's freely accessible -- just tell everyone not to expect stuff put
> there to stay intact for very long.
>
I wouldn't say your system is *absolutely* unbeatable. It is the
most secure for any user who is not a _________*. A mac user who wants
to circumvent your stuff will.
Our labs used to have the same thing. The software they used to set
up the partitions had two flaws:
1. The partitions were actually invisible, locked files on the hard
drive. Anyone with resedit could make them visible, unlock them, then
delete them.
2. They used the MacTools (version 1.something) Partition DA. This
was great, but since MacTools has been a commercially available package
anyone could get the partioning software. And with turnover rates being
what they were, the partitions were never given a password to keep people
from modifying them. (And if they were, you could copy the files out of
the partition to be modified, use resedit to delete the old one, create a
new partion with your *own* password, put the files back and you were in
like Flynn.
No system is fool-proof. The method above is difficult for normal users
but is simple to an advanced user.
As far as Appleshare goes, there are ways to circumvent that, though
not so direct. (Wait for someone who has server permissions to say, go
to the bathroom, fix the server options to log in automatically with the
system entering the password. Take a copy of the AppleShare prep file.
As long as that user's account is valid and he doesn't change his password,
you have access). We've also heard of people writing inits to capture
appleshare names and passwords, saving them to a file that they can pick
up later. And we also had an incident of someone giving out their password
to someone they *thought* was working on the net and needed the password
to ensure they could still log on.
I administer a mac network. I set things up to be as secure as possible.
But I don't try to convince myself that my network is totally secure, or
even "absolutely unbeatable". There hasn't been a method that is 70%
secure. There are too many loop-holes, some of which I mentioned, others
that I haven't. Anyone who *really* wants access to things they don't
have access to will find a way to do so.
> I've unfortunately failed to find a easy-to-use, 100% (or 99.9999%)
> effective security solution yet. At Ease ranks at about 20%.
>
As far as At Ease goes, I agree with Antoine. It is only good for
children.
> -----------------------------------------------------------------------
> "Run Away!" ! "On ne voit bien qu'avel le coeur. L'essentiel
> -- Monty Python ! est invisible aux yeux."
> ! -- Antoine de Saint-Exupery, Le Petit Prince
Dave Nebinger dne...@andy.bgsu.edu
Biology Network Manager dne...@opie.bgsu.edu
Bowling Green State University
Bowling Green, OH 43403
* INSERT YOUR OWN WORD HERE!!! I was thinking of using HACKER, but then
the old hacker vs. cracker argument gets started up again, and we are all
tired of seeing that one!