Is Mac firewall on by default

Your Mac’s default settings may be violating your company’s security policy.

Macs come with a built-in firewall that you can use to reduce the number of entry points available to malicious actors. But the firewall has to be turned on by the user; by default, it is set to off.

A firewall scans incoming network traffic. This tool gives you the ability to allow or deny connections to your Mac. Having a tool like this is another line of defense that is crucial for preventing attacks that occur primarily in the background. For example, accidentally clicking on a bad link can be averted by the firewall preventing that connection from occurring.

Having the firewall enabled may also be part of your company’s security policy. If so, the company should have a dedicated plan for onboarding employees that includes training on securing their devices.

Given the current state of work, we are seeing more employees working from home, which makes them all the more vulnerable to attack.

Here’s our step-by-step guide to turning on your Mac’s firewall:

  1. From the Apple menu, click System Preferences.
  2. Click the Security & Privacy pane.
  3. Click the Firewall tab.
  4. Click “Turn On Firewall”.
  5. To make any changes afterward, you must click the lock icon in the bottom-left corner of the window. Depending on your settings, you will have to enter your login credentials in order to change features or applications in System Preferences.

Here’s how to access the firewall configuration in macOS: for more options, click the “Firewall Options” button.

Firewall options include:

Checkbox: “Automatically allow built-in software to receive incoming connections”.

Checkbox: “Automatically allow downloaded signed software to receive incoming connections”.

Checkbox: “Enable stealth mode”. With stealth mode on, the Mac won’t respond to or acknowledge attempts to access it from the network by test applications using ICMP, such as ping.

Use the plus and minus buttons to add and remove applications from the firewall. When added, you can either allow or block traffic to them.

Company Security Policies on Using Firewalls

A firewall policy defines how your company’s firewalls should handle inbound and outbound network traffic. Your firewall information security policy or procedures may need to specify IP addresses or address ranges, protocols, applications, and content types.

To determine what you should include in your firewall policy, conduct a risk assessment to develop a list of the types of traffic your company needs and how each should be secured. That includes which types of traffic may cross a firewall, and under what circumstances.

If you need to comply with an information security framework, you will want to reference their documentation, such as the NIST guidelines on firewall policies.

Companies may also decide that all inbound and outbound traffic not expressly permitted by their firewall policy should be blocked, on the grounds that such traffic is not necessary for the business.

Simple steps like enabling firewalls can reduce the risk of a cyber attack.

Does your company have a firewall policy and provide instructions for macOS users to enable it?

What Is the macOS Application Firewall?

Since 2007, all Macs have come with a built-in application layer firewall that is capable of blocking incoming connections unless they have been explicitly permitted by the end-user.

The firewall can be turned on within the sharing section in System Preferences.

To turn on the firewall, simply unlock the pane and click Turn On Firewall.

Once enabled, if a previously unknown process attempts to accept incoming connections you will be prompted with an alert that looks like the following:

Why Should the macOS Firewall Be Enabled?

The macOS firewall comes disabled by default. This is because by default, Apple does not ship any high-risk services that listen for connections on the public internet.

That said, over time, most users (especially technical users like developers) do install software or use macOS features that can listen and respond to connections on public networks. We believe it is important to enable the firewall to block outsiders from making incoming connections to your device, which can undermine its security.

How to Programmatically Determine the macOS Firewall State

There are two methods you can use to programmatically determine the macOS Firewall state. The first approach utilizes built-in macOS CLI tools and the terminal, whereas the second approach uses the osquery open-source project.

Using the Terminal

  1. Open the Terminal
  2. Type the command /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate --getblockall --getallowsigned --getstealthmode
  3. The output is self-explanatory, and demonstrated below:

    $ /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate --getblockall --getallowsigned --getstealthmode
    Firewall is enabled. (State = 1)
    Block all DISABLED!
    Automatically allow signed built-in software ENABLED
    Automatically allow downloaded signed software ENABLED
    Stealth mode disabled
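As an added example (not code from the article or from Kolide), here is a POSIX shell audit that parses the socketfilterfw output shown above and reports each setting against the configuration the article recommends later on: firewall on, block-all off, signed software allowed, stealth mode on. The match strings assume the output wording shown above; the sample output embedded in the script is constructed and is only used when the socketfilterfw binary is not present, so the parsing logic can be exercised on any machine.

```shell
#!/bin/sh
# Added example (not from the original article): audit the Application
# Firewall state that socketfilterfw reports against a simple policy.
# When the binary is absent (a non-Mac test box), a constructed sample of
# the tool's output is used instead so the logic can be exercised anywhere.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample, shaped like the socketfilterfw output shown in the
# article (firewall on, stealth mode off).
SAMPLE_OUTPUT='Firewall is enabled. (State = 1)
Block all DISABLED!
Automatically allow signed built-in software ENABLED
Automatically allow downloaded signed software ENABLED
Stealth mode disabled'

# get_alf_state: print the live state, or the sample when not on macOS.
get_alf_state() {
  if [ -x "$SFW" ]; then
    "$SFW" --getglobalstate --getblockall --getallowsigned --getstealthmode
  else
    printf '%s\n' "$SAMPLE_OUTPUT"
  fi
}

# check_alf_policy: read socketfilterfw output on stdin and print one
# "<setting>=OK" or "<setting>=FAIL" line per policy item. Returns 1 if
# anything failed. The policy mirrors the article's recommended settings:
# firewall on, block-all off, signed software allowed, stealth mode on.
# Each item is "<name>:<fixed string that must appear in the output>".
check_alf_policy() {
  out=$(cat)
  rc=0
  for item in \
    'global_state:Firewall is enabled' \
    'block_all:Block all DISABLED' \
    'allow_signed:Automatically allow signed built-in software ENABLED' \
    'allow_signed_app:Automatically allow downloaded signed software ENABLED' \
    'stealth_mode:Stealth mode enabled'
  do
    name=${item%%:*}
    pattern=${item#*:}
    if printf '%s\n' "$out" | grep -qF -- "$pattern"; then
      echo "$name=OK"
    else
      echo "$name=FAIL"
      rc=1
    fi
  done
  return "$rc"
}

# Stand-alone run: print the verdict. In an MDM or CI job, replace the
# echo in the else branch with "exit 1" so the job fails on drift.
if get_alf_state | check_alf_policy; then
  echo "RESULT: compliant with firewall policy"
else
  echo "RESULT: not compliant; fix the FAIL items above"
fi
```

Because the check only looks for fixed strings, it fails closed: if Apple ever changes the wording of a line, that setting reports FAIL rather than silently passing, which is the behaviour you want from a compliance probe.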

Using Osquery

You can also use an open-source tool like osquery to determine the status of the macOS Firewall; its alf table reports the same settings in a structured form:

    allow_signed_enabled = 1
    firewall_unload = 0
    global_state = 1
    logging_enabled = 1
    logging_option = 0
    stealth_enabled = 0
    version = 1.6

Additionally, osquery is capable of enumerating the apps, processes, and services that have been allowed to pinhole through the firewall.

    SELECT path FROM alf_exceptions WHERE path LIKE '/Applications/%';

    +-----------------------------------------------------------------------+
    | path                                                                  |
    +-----------------------------------------------------------------------+
    | /Applications/Sketch.app/                                             |
    | /Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/ |
    | /Applications/Tuple.app/                                              |
    +-----------------------------------------------------------------------+
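As an added example (not from the article, from Kolide, or from the osquery project), the following POSIX shell script takes the exception query one step further from a defender's perspective: rather than listing only /Applications entries, it reads osqueryi --line output for SELECT path FROM alf_exceptions and flags any exception whose path lies outside the locations a managed Mac normally runs software from. The embedded sample is constructed (the /Users and /private/tmp entries are invented to show what a flagged entry looks like), and the allowed-prefix list is an assumption to tune per fleet.

```shell
#!/bin/sh
# Added example (not from the original article or osquery): flag Application
# Firewall exceptions whose executables live outside the locations a managed
# Mac is expected to run software from. Input is osqueryi --line output of
# "SELECT path FROM alf_exceptions", or a constructed sample when osqueryi
# is not installed.

# Constructed sample in osqueryi --line format. The /Users and /private/tmp
# entries are made up to show what an unexpected pinhole looks like.
SAMPLE_EXCEPTIONS='path = /Applications/Sketch.app/

path = /Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/

path = /Applications/Tuple.app/

path = /Users/quin/Downloads/helper-tool/

path = /private/tmp/.svc/'

# Prefixes considered expected on a managed device (assumption; adjust
# per fleet, e.g. add the path your MDM-installed tooling lives under).
EXPECTED_PREFIXES='/Applications/ /System/ /usr/ /Library/Apple/'

# get_exceptions: live osquery output, or the sample when osqueryi is absent.
get_exceptions() {
  if command -v osqueryi >/dev/null 2>&1; then
    osqueryi --line 'SELECT path FROM alf_exceptions;'
  else
    printf '%s\n' "$SAMPLE_EXCEPTIONS"
  fi
}

# exception_paths: turn "path = /x/" lines into bare paths, one per line;
# blank record separators are dropped.
exception_paths() {
  sed -n 's/^path = //p'
}

# flag_unexpected: read bare paths on stdin, print those not under any
# expected prefix. Returns 1 when at least one path was flagged.
flag_unexpected() {
  found=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    ok=0
    for prefix in $EXPECTED_PREFIXES; do
      case "$p" in
        "$prefix"*) ok=1; break ;;
      esac
    done
    if [ "$ok" -eq 0 ]; then
      echo "UNEXPECTED ALF exception: $p"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Stand-alone run: review any flagged entry; an exception for a binary in
# a user-writable location is worth a closer look at the process itself.
if get_exceptions | exception_paths | flag_unexpected; then
  echo "All firewall exceptions are under expected locations."
else
  echo "Review the flagged exceptions above."
fi
```

The prefix match is deliberately simple (a leading-string comparison per path) so the script stays readable in an MDM script editor; if your fleet installs software outside /Applications, widen EXPECTED_PREFIXES rather than loosening the match.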

Kolide’s endpoint agent includes osquery’s functionality and automatically stores all information about Remote Login and other macOS settings as part of its built-in Inventory. Using Kolide, you can easily enumerate all the devices with this feature enabled.

How to Programmatically Enable the macOS Firewall

While we generally don’t recommend forcing the firewall to be on for all users (more on that later), there are two approaches should you decide to remotely manage this setting.

With the Command Line

If you can run scripts across your Macs, you can use the aforementioned socketfilterfw utility to programmatically set the firewall state.

Here is an example of a script that includes our recommended configuration.

    #!/bin/sh
    echo " Enable Firewall"
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw \
      --setblockall off \
      --setallowsigned on \
      --setallowsignedapp on \
      --setloggingmode on \
      --setstealthmode on \
      --setglobalstate on

With Mobile Device Management (MDM)

If you use an MDM product like Apple Business Essentials, you can enforce the firewall settings with a .mobileconfig profile using the com.apple.security.firewall payload below. Note that this payload sets BlockAllIncoming to true, which is stricter than the script above (which uses --setblockall off); pick the one that matches your policy.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>BlockAllIncoming</key>
                <true/>
                <key>EnableFirewall</key>
                <true/>
                <key>EnableLogging</key>
                <true/>
                <key>EnableStealthMode</key>
                <true/>
                <key>LoggingOption</key>
                <string>detail</string>
                <key>PayloadDescription</key>
                <string>Configures Firewall settings</string>
                <key>PayloadDisplayName</key>
                <string>Firewall</string>
                <key>PayloadIdentifier</key>
                <string>com.github.erikberglund.ProfileCreator.7666956F-AA94-4810-802A-32F99239FFB4.com.apple.security.firewall.DFA5361A-1AF9-4E14-B9EA-01A673545BEA</string>
                <key>PayloadOrganization</key>
                <string></string>
                <key>PayloadType</key>
                <string>com.apple.security.firewall</string>
                <key>PayloadUUID</key>
                <string>DFA5361A-1AF9-4E14-B9EA-01A673545BEA</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Enable Firewall and ensuring logging/stealth mode is also enabled</string>
        <key>PayloadDisplayName</key>
        <string>Enable Firewall</string>
        <key>PayloadIdentifier</key>
        <string>com.github.erikberglund.ProfileCreator.7666956F-AA94-4810-802A-32F99239FFB4</string>
        <key>PayloadOrganization</key>
        <string>Kolide</string>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>7666956F-AA94-4810-802A-32F99239FFB4</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>

End User Impacts of Forcing the Firewall To Be Enabled

While these are both effective ways of enabling the firewall, they can create new and more nuanced problems. For example, developers are often concerned that the firewall may be causing connectivity issues with important services, like those which run inside Virtual Machines or Docker containers.

If you force the firewall to be enabled at all times, you may prevent a software engineer from troubleshooting a pressing issue, pushing them to work around the instructions (disabling the MDM) or to use their personal devices.

When you use the MDM to lock end users out of settings, they can get frustrated and begin using their personal devices.

This is why Kolide recommends an approach where end users are reminded (not forced) to turn on the firewall if they’ve left it off too long.

Automatically remediating this issue isn't necessarily the best way to go. Instead, consider following the Honest Security approach by reaching out to end-users who have devices that fail this check, and then giving them precise instructions on how to resolve the issue.

Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device experiences this problem. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.


Quin's Macbook • MacBook Pro (16-inch, 2021)

Failing Check: Require macOS Firewall is Enabled

Reason: macOS Firewall is Disabled

Why is this a Problem?

The Application Layer Firewall is the default firewall built into the macOS operating system. It controls and restricts network connections from a Mac based on the rules configured. A properly configured firewall is a critical component of a Mac's security and can protect your Mac from unwanted contact initiated by other computers when you're connected to the internet or a network. Additionally, enabling stealth mode makes it more difficult for your Mac to be hacked or infected with malware.

For more information, please consult the official Apple Support documentation: “Block connections to your Mac with a firewall” and “Use stealth mode to keep your Mac more secure”.

Required Action:

To turn on your macOS firewall:

  1. Click the Apple icon in the top left corner of your screen and then select System Preferences from the menu.
  2. In the System Preferences window, click the icon labeled Security & Privacy.
  3. In the Security & Privacy preference pane, click the tab at the top labeled Firewall.
  4. Unlock the preference pane by clicking the gold lock icon in the lower-left corner. When prompted, enter the administrator username and password.
  5. If the Firewall Options button is disabled, first click the button labeled Turn On Firewall or Start to enable the firewall.
  6. With the firewall enabled, click the button labeled Firewall Options.
  7. Select the checkbox labeled Enable stealth mode and then click the button labeled OK to enable stealth mode.
  8. Once finished, you may close the System Preferences window.

I've fixed it. Check again

Contact Admin for help

Is Mac firewall automatically on?

Mac OS X ships with a built-in firewall, but it's not enabled by default.

Is firewall supposed to be on or off on Mac?

Chances are that your computer is behind the firewall that's part of your router, so having macOS's firewall turned off makes it easier to set up connections with other Apple devices. But if you use a laptop and hop onto untrusted networks frequently, you should enable the firewall.

How do I know if my firewall is turned on on my Mac?

On your Mac, choose Apple menu > System Preferences, click Security & Privacy, then click Firewall. If the lock at the bottom left is locked, click it to unlock the preference pane. Click Firewall Options. If the Firewall Options button is disabled, first click Turn On Firewall to turn on the firewall for your Mac.
