To provide deep protection, Mac OS X Server security is built on layers of defense. Various methods safeguard the system by determining whether a user or computer is authorized to perform a restricted operation, and by authenticating (that is, verifying) the identity of an account or service.
These system-level methods of security complement the network-level methods. Features for securing access to resources exist at all system levels, from hardware and the operating system to services and networks. Several subsystems, such as running services and the file system, make up the system-level methods and offer additional ways to control end users.
These various system-level security methods include the following:
– Hardware: A firmware password (also known as an Open Firmware password) application helps prevent people who access your hardware from gaining root-level access to your computer files.
– Secure authentication protocols: Kerberos and public-key encryption secure the authentication process.
– Secure networking: A firewall, along with digital certificates and encryption, helps protect resources and communication.
– Secure applications: Encryption in Keychain and FileVault helps prevent intruders from using your applications and viewing data on your computer.
– Operating system: Portable Operating System Interface (POSIX) permissions and access control lists (ACLs) help secure access to files.
About Authentication and Authorization
Authentication and authorization, while similar, handle two separate aspects of the security model.
Authentication is the process of verifying the identity of an account or service. You are accustomed to authenticating at the login window when the computer first boots. Sometimes, though, applications and operating system components carry out their own authentication. An account is authenticated in some manner using credentials, most commonly a user name and password pair. However, there are other methods for authenticating accounts, including digital keys and two-factor authentication, such as using “smart cards.” This book covers only passwords and keys. For information on two-factor authentication and Mac OS X–compatible solutions, see http://www.cryptocard.com.
Authorization is the process by which an entity, such as a user or a computer, obtains the right to perform a restricted operation. Authorization can also refer to the right itself, for example, an account authorized to run a certain program. Authorization typically involves first authenticating the entity and then determining its permissions.