With all due respect, no one throws an OEM Mac or PC on the desk of a user &
walks away. Anything out of the box is inherently insecure & it's our job to
make it secure. Apple just hasn't offered sysadmins the proper tools to make
their lives easy.

As kitchen countertop "PC's", Macs are great, so long as you don't have to
worry about supporting the damn thing in the enterprise.

With a few keystrokes anyone can walk up to a Mac & boot the system into
single user mode & act as root. (Granted, you can enforce firmware protection,
but think of the time when your users actually need to boot to CD or
Boot Camp or a non-OS X partition.)

Or, without editing the plist you can walk up to any Mac with a
password-protected screensaver on, enter the admin pswd & boom there's the
user's desktop at your disposal. This cannot be done on Windows without
logging off the current user. Not to mention trying to manage fw settings
centrally for a thousand of these beasties...not fun.

Have we forgotten how long it took Apple to issue a patch for something
as fundamental as the DNS exploit? http://www.kb.cert.org/vuls/id/800113

Does Apple even have any decent offering when it comes to enterprise-grade
products such as Sharepoint/Unified Communication/Directory svces/Messaging?
Is there such a thing as an OS X iSCSI initiator for the SMB folks who may want
to make use of the OS X server platform but utilize inexpensive storage options?
No.

I love my Mac, and I'd probably recommend a Mac to everyone in my family,
but do I love supporting them? No.

On 9/7/10 5:27 PM, "Matthew W. Ross" <[email protected]> wrote:

> If you eliminate the non-os applications, what's the security situation look
> like on each platform?
> 
> Until Vista, the default setup for any user was to make them an Administrator.
> Mac and Linux people could not understand this behavior. Thank goodness
> Microsoft fixed that.
> 
> Windows doesn't come with a PDF reader, and Mac OS X has Preview. Apple is
> somewhat good about releasing fixes for its OS vulnerabilities, but it has
> also been known to be slow on responding on some items.
> 
> Mac OS X has Java built in, which Windows does not. Another vector for attack.
> 
> Browser vulnerabilities abound on both sides. I would argue that anything that
> uses ActiveX is inherently less secure than something that doesn't. But then
> again, I hate a standards platform (The Web) using any platform specific
> implementation (such as ActiveX).
> 
> Does Windows have any kind of Remote Administration (ala psexec.exe) turned on
> by default? Mac OS X has SSH disabled by default.
> 
> Then, between the two... which one is more secure? I don't know.
> 
> 
> --Matt Ross
> Ephrata School District
> 
> 
> ----- Original Message -----
> From: John Aldrich [mailto:[email protected]]
> To: NT System Admin Issues [mailto:[email protected]]
> Sent: Tue, 07 Sep 2010 12:15:16 -0700
> Subject: RE: Mac and Windows mix
> 
> 
>> Not to start a flame war or anything, but I was under the impression that
>> Mac OS/X was significantly *more* secure than a comparable Windows machine,
>> due to the *nix security model? Asking for information here, trying to
>> learn, not trying to start  a Mac Vs. Windows thread (there are enough of
>> those, that I don't need to start one! <G>)
>> 
>>  
>> 
>> 
>>  
>> 
>> From: Holstrom, Don [mailto:[email protected]]
>> Sent: Tuesday, September 07, 2010 2:57 PM
>> To: NT System Admin Issues
>> Subject: RE: Mac and Windows mix
>> 
>>  
>> 
>> We have about a dozen Macs here at the Museum. I give them each dual monitor
>> set-ups, with Parallels and Windows with Microsoft Office so they can
>> Outlook to their e-mail. So far, Mac doesn't really have a good
>> Rendezvous/Outlook set-up, although OWA is very good and getting better. As
>> I stroll by, I see that each Mac user keeps Office up on one monitor, so
>> that Outlook is always open. Each of the Macs can already connect to our PC
>> servers where they keep all their files. I give Remote Desktop access to
>> those who either PC or Mac from the outside.
>> 
>>  
>> 
>> Way too many security openings for Macs, this would not be good with a very
>> secure network.
>> 
>>  
>> 
>> From: Jeff Steward [mailto:[email protected]]
>> Sent: Tuesday, September 07, 2010 2:34 PM
>> To: NT System Admin Issues
>> Subject: Re: Mac and Windows mix
>> 
>>  
>> 
>> Don't knock yourself out here Matt, I'm just curious how one manages these
>> issues in a mixed environment.  I have one Mac user who works part time so
>> we set him up with a Remote Desktop client and he works in a Terminal Server
>> session.
>> 
>>  
>> 
>> Regards,
>> 
>>  
>> 
>> Jeff Steward
>> 
>> On Tue, Sep 7, 2010 at 2:26 PM, Matthew W. Ross <[email protected]>
>> wrote:
>> 
>> Apple Remote Desktop is more akin to the Windows Management MMC, MS Remote
>> Desktop and the SysInternals Power Tools rolled into one package. Open
>> Directory is more akin to Group Policy.
>> 
>>  
>> 
>> I will see what I can find out about those regulations.
>> 
>>  
>> 
>> --Matt Ross
>> 
>> Ephrata School District
>> 
>> 
>> On Sep 7, 2010, at 11:21 AM, "Jeff Steward" <[email protected]> wrote:
>> 
>> HIPAA
>> 
>> SOX
>> 
>> MA 201 CMR 17.00
>> 
>>  
>> 
>> To varying degrees they all boil down to:
>> 
>>  
>> 
>> We define a security policy that meets the regulatory requirements and base
>> configurations to meet that policy and then report regularly on performance
>> to standards.  I see from one of your follow-up posts that Apple Remote
>> Desktop is akin to Group Policy.
>> 
>>  
>> 
>> -Jeff Steward
>> 
>> On Tue, Sep 7, 2010 at 1:31 PM, Matthew W. Ross <[email protected]>
>> wrote:
>> 
>> Can you be more specific? What standards are you needing to be compliant to?
>> An example regulation would help me answer your question.
>> 
>>  
>> 
>> --Matt Ross
>> 
>> Ephrata School District
>> 
>> 
>> On Sep 7, 2010, at 10:26 AM, "Jeff Steward" <[email protected]> wrote:
>> 
>> A school environment is not the same as a public company environment.
>> Compliance to <insert your favorite standard here> and reporting on said
>> compliance are non-trivial issues for public companies or private companies
>> subject to other regulations.  There are a wealth of tools for managing
>> these issues in a Windows environment, can the same be said of the Mac
>> environment?
>> 
>>  
>> 
>> -Jeff Steward
>> 
>> On Tue, Sep 7, 2010 at 12:53 PM, Matthew W. Ross <[email protected]>
>> wrote:
>> 
>> Macs are not the burden you make them sound to be.
>> 
>> Integrating a Mac into a Windows network is never going to be painless; the
>> two systems are inherently different. If what you want is a Windows
>> experience from your Mac, install Windows.
>> 
>> Now not everybody likes MacOS X, but the same can be said for Windows.
>> Insert the problem of subjective preference here.
>> 
>> Personally, I love working on my iMac, and managing the other Macs in our
>> district is very easy if you use the provided Apple tools: Mac OS X server,
>> Open Directory, and Apple Remote Desktop.
>> 
>> Then again, I hate how a Mac _can_ cost 2x as much as a comparable PC. I do
>> like that software upgrades are cheaper for Mac, but I don't like how Apple
>> drops support for anything that is not the current generation or the
>> previous one. If you're 2 generations back, you're out of luck.
>> 
>> What can a Mac do that a PC can't? Nothing. But I would argue that
>> competition is one of the pillars of innovation. Without Mac OS X competing
>> against Windows, what would Windows look like today?
>> 
>> 
>> --Matt Ross
>> Ephrata School District
>> 
>> 
>> 
>> ----- Original Message -----
>> From: James Hill [mailto:[email protected]]
>> To: NT System Admin Issues [mailto:[email protected]]
>> Sent: Sun, 05 Sep 2010 19:28:49 -0700
>> Subject: RE: Mac and Windows mix
>> 
>> 
>>> We have pretty much eliminated all of the Mac's here.
>>> 
>>> We didn't have 3rd party products to manage them so they always required
>>> so much manual interaction.  Any global change we made we could easily
>>> automate with PC's thanks to group policy etc but it was always a manual
>>> change for the Mac's.
>>> 
>>> They really aren't a corporate product imo.  You only have to look to
>>> Apple for a corporate grade management solution to realise that it
>>> doesn't exist.
>>> 
>>> They do indeed need patching (http://support.apple.com/kb/HT1222) and
>>> there are AV products for them.  Symantec has one for example.
>>> Personally I think the day is coming when someone will write a decent
>>> bit of malware/virus for them and 99% plus will get caught out by it.
>>> There is a very misguided opinion amongst the Apple community that they
>>> are safe.  Apple's false advertising only strengthens this.  The facts
>>> are that Mac's are more vulnerable than the PC world
>>> http://www.crn.com/security/226200083
>>> 
>>> More importantly, what is the need for the Mac's in the first place?  For
>>> us they were only used for Adobe CS, which runs just fine on PC's.  In
>>> fact these days Adobe is more behind the PC world than the Mac.  For
>>> example, 64bit Photoshop was first on PC, had to wait for CS5 for Mac to
>>> get it.
>>> 
>>> That's without going into the Flash debate :)
>>> 
>>> 
>>> From: David Lum [mailto:[email protected]]
>>> Sent: Saturday, 4 September 2010 6:07 AM
>>> To: NT System Admin Issues
>>> Subject: Mac and Windows mix
>>> 
>>> I would like to hear from those of you who have a mixed Windows/Mac
>>> environments: How do you handle management of the diverse environment?
>>> Presumably with Mac's there is no patching or AV. Can you use GPO's on
>>> them in any fashion (wondering if there's some add-in to allow
>>> equivalency).
>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>> 
>>> 
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>> 
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin