Apple Mac OS X 10.4 Manual

Chapter 4: Securing Accounts

Configuring Active Directory Access

Connecting to an Active Directory server is not as secure as connecting to an Open Directory server that has all of its security settings enabled. For example, you cannot receive directory services from an Active Directory server that enables digitally signing or encrypting all packets.

Mac OS X supports mutual authentication with Active Directory servers. Kerberos is a ticket-based system that enables mutual authentication. The server must identify itself by providing a ticket to your computer. This prevents your computer from connecting to rogue servers. Mutual authentication automatically occurs when you bind to Active Directory servers.

If you’re connecting to an Active Directory server with Highly Secure (HISEC) templates enabled, you can use third-party tools to further secure your Active Directory connection.

When you configure Active Directory access, the settings you choose are generally dictated by the Active Directory server’s settings. Check with your network administrator to make sure your settings match your network’s required settings. However, the “Allow administration by” setting can cause security issues because it allows any member of those groups to have administrator privileges on your computer. Additionally, you should only connect to trusted networks.

For more information about using Directory Access to connect to Active Directory servers, see the Open Directory administration guide.
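
An added example, not part of the Apple guide: a shell check that lists the groups given administrator privileges through the “Allow administration by” setting and flags any that are not on an approved list. It assumes the `Allowed admin groups = ...` line in the form printed by `dsconfigad -show`; the sample output, group names, and the function name `unapproved_admin_groups` are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Apple's code): audit the Active Directory plug-in's
# "Allow administration by" groups against an approved list.
# Assumption: input is `dsconfigad -show` style text containing a line
#   Allowed admin groups = group1,group2    ("not set" when the option is off)

# Constructed sample, not captured from a real computer.
SAMPLE_SHOW='Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01
Advanced Options - Administrative
  Allowed admin groups           = domain admins,helpdesk,Mac Admins'

# unapproved_admin_groups "approved1,approved2" < show_output
# Prints each group that gets local admin rights but is not approved.
# Exit status: 0 = nothing to report, 1 = at least one unapproved group.
unapproved_admin_groups() {
    # The list goes through the environment because awk -v would
    # interpret backslashes in names such as DOMAIN\group.
    APPROVED="$1" awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            n = split(ENVIRON["APPROVED"], a, ",")
            # Directory group names are compared case-insensitively.
            for (i = 1; i <= n; i++) ok[tolower(trim(a[i]))] = 1
        }
        /^[ \t]*Allowed admin groups[ \t]*=/ {
            value = trim(substr($0, index($0, "=") + 1))
            if (tolower(value) == "not set") next
            m = split(value, g, ",")
            for (i = 1; i <= m; i++) {
                name = trim(g[i])
                if (name != "" && !(tolower(name) in ok)) { print name; bad = 1 }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample; only "Domain Admins" is approved here.
printf '%s\n' "$SAMPLE_SHOW" | unapproved_admin_groups "Domain Admins" ||
    echo "Review the groups above: their members administer this Mac." >&2
```

On a bound computer the function would read live output instead of the sample, for example `dsconfigad -show | unapproved_admin_groups "Domain Admins"`.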

Using Strong Authentication

Authentication is the process of verifying the identity of a local or network user. Mac OS X supports local and network-based authentication to ensure that only users with valid authentication credentials can access the computer’s data, applications, and network services.

Passwords can be required to log in, to wake the computer from sleep or from a screen saver, to install applications, or to change system settings. Mac OS X also supports emerging authentication methods, such as smart cards, digital tokens, and biometric readers.

Strong authentication is created by using combinations of the following three authentication dimensions:
• What the user knows, such as a password or PIN number
• What the user has, such as a SecurID card, smart card, or driver’s license
• What the user is, such as a fingerprint, retina, or DNA