
Mac OS X – inherently secure? – part 9

6 December 2008

The layers of Security and Protection within Mac OS X.

Mac OS X is designed to provide defence in depth against outside security threats with a series of protective measures and systems. These include authentication and access control systems, protection from network-borne threats, and runtime mechanisms such as library randomization and sandboxing.

Strong authentication
Authentication is the process of verifying the identity of a local or network user. Mac OS X supports local and network-based authentication to help ensure that only users with valid authentication credentials can access the computer’s data, applications, and network services.

Passwords can be required to log in, wake the system from sleep or a screen saver, install applications, or change system settings. In addition, Mac OS X supports emerging authentication methods such as smart cards.

Local single sign-on.
Mac OS X enables you to sign on just once, obtaining your single sign-on credentials from the system’s keychain for local authentication or from directory services for network authentication. This means that you can use one name and password combination for all privileges.

UNIX Pluggable Authentication Modules.
The Mac OS X security architecture supports Pluggable Authentication Modules (PAMs), enabling PAM-based UNIX® applications to access its authentication mechanisms.

Offline authentication.
By securely caching network-based credentials, Mac OS X allows you to authenticate offline. So you can disconnect your notebook computer from your office network and work offline, at home or on the road, using the same user name and password.

Open Directory.
Mac OS X supports Open Directory 4, the latest version of Apple’s standards-based directory services architecture, for storing password enforcement policies and authentication credentials in a robust, central repository.

Built into Open Directory is an authentication server that uses a Kerberos Key Distribution Center (KDC) to provide strong authentication with support for secure single sign-on.

Users need to authenticate only once, with a single user name and password pair, for access to a broad range of Kerberized network services.

For services that have not been Kerberized, the integrated SASL service automatically negotiates the strongest possible authentication protocol.

Kerberos.
Like previous versions of Mac OS X, Leopard integrates an open source Kerberos KDC for secure access to, and collaboration on, network resources. This robust, directory-based authentication mechanism enables single sign-on to all authorized systems and services.

Instead of authenticating to each service individually, you enter your password only once at login to prove your identity to the Kerberos authentication authority, the KDC.

In response, the KDC issues strongly encrypted electronic “tickets,” which are used to assure all participating applications and services that you have been authenticated securely. Kerberized applications and services include NFSv3, Safari, SSH, SMB, Mail, Telnet, VPN client, and the AFP (Apple Filing Protocol) client.
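To make the ticket flow described above concrete, here is an added Python simulation (not Apple's code or the page's own) of a KDC issuing a ticket for an AFP service after the user proves their password once at login, and of the service accepting that ticket without ever seeing the password. It collapses the TGT/TGS steps into one exchange, uses a toy stand-in for the real Kerberos encryption types, and the principal names are made up.

```python
import hashlib, hmac, json, os

def key_from_password(principal, password):
    # Stand-in for Kerberos string-to-key (a real KDC uses the enctype's own KDF).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC standing in for a real Kerberos enctype (e.g. AES256-CTS-HMAC).
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, keys):
        self.keys = keys  # long-term key of every principal: users and services alike

    def as_exchange(self, client, service, preauth, now, lifetime=8 * 3600):
        # AS-REQ/AS-REP (TGT and TGS steps collapsed): preauth is the client's timestamp sealed
        # under its own key, so a wrong password fails here and the password never crosses the wire.
        if abs(unseal(self.keys[client], preauth)["ts"] - now) > 300:
            raise PermissionError("pre-authentication timestamp out of range")
        skey, exp = os.urandom(32).hex(), now + lifetime
        ticket = seal(self.keys[service], {"client": client, "skey": skey, "exp": exp})
        return ticket, seal(self.keys[client], {"skey": skey, "exp": exp})

def client_login(kdc, client, password, service, now):
    ckey = key_from_password(client, password)  # password is used once, here, then discarded
    ticket, reply = kdc.as_exchange(client, service, seal(ckey, {"ts": now}), now)
    skey = bytes.fromhex(unseal(ckey, reply)["skey"])
    return ticket, seal(skey, {"client": client, "ts": now})  # AP-REQ: ticket + authenticator

def service_accept(service_key, ticket, authenticator, now):
    # The service needs only its own key; it never learns the user's password.
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["client"] != t["client"] or abs(a["ts"] - now) > 300:
        raise PermissionError("authenticator does not match ticket")
    return t["client"]
```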

Active Directory.
Mac OS X allows users to participate in Windows-managed networks, with a single home directory, on either a Mac or a Windows-based computer. Network administrators can set one authentication policy for all users, both Mac and Windows, that enables Mac OS X users to log in and authenticate to Microsoft’s proprietary Active Directory, without any specific changes needed to accommodate them.

As with most operating systems, connectivity to multiple network types (UNIX, Windows, Mac, etc.) is a mandatory requirement.

Mac OS X caters for all of these and more – out of the box.

Warm Regards,
Scott Malpass
Aquafruit Media.
