
macOS 15 STIG

Medium 17 items · 2 hours
testuser Published 1 month ago

A practical checklist to apply core security hardening for Apple macOS 15 based on DISA STIG guidance. Ideal for system administrators and privacy-conscious users who need to configure encryption, updates, access controls, and system protections to meet baseline security requirements.

Source: https://ncp.nist.gov/checklist/1257

  1. Enable FileVault full-disk encryption — Encrypt the startup disk to protect data at rest.
  2. Store FileVault recovery key in a secure location — Save recovery key to a company KMS or trusted password manager.
  3. Enable the macOS firewall — Turn on the built-in firewall to block unsolicited inbound traffic.
  4. Set firewall to stealth mode — Hide the Mac from unsolicited network probes.
  5. Disable automatic login — Require user credentials at boot to prevent local access.
  6. Require password immediately after sleep or screen saver — Set to require password on wake or screensaver activation.
  7. Configure a strong password policy — Enforce minimum 12 chars, complexity, and account lockout.
  8. Enable automatic system software updates — Turn on automatic checking and downloading of updates.
  9. Enable automatic installation of critical security updates — Allow the system to install security patches without manual steps.
  10. Verify macOS version and apply latest security patches — Confirm current build and install any outstanding updates.
  11. Review remote access and remote management settings — Decide whether Remote Login, Remote Management, or screen sharing are necessary.
  12. If remote access is required, configure SSH for key-only authentication and limit users — Disable password authentication and restrict the allowed users/groups.
  13. Verify System Integrity Protection (SIP) is enabled — Ensure SIP is active to protect core OS components.
  14. Disable Guest user accounts and shared guest access — Turn off Guest in Users & Groups and revoke guest sharing permissions.
  15. Disable AirDrop, Bluetooth, and other wireless services when unused — Turn off radios to reduce attack surface when not required.
  16. Configure system time synchronization to trusted NTP servers — Use approved NTP servers to ensure accurate logs and cert validity.
  17. Enable Gatekeeper and require app notarization — Allow only apps from identified developers and notarized software.
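The checklist above says what to configure but not how to confirm it on a given Mac. The following audit script is an added example, not part of the checklist or of the DISA STIG material it summarises. Each check_* function takes the text printed by a standard macOS command (fdesetup, socketfilterfw, defaults, sw_vers, systemsetup, sshd -T, csrutil, spctl) and returns 0 when the output matches the corresponding item, so the decision logic can be tested with constructed sample output on any POSIX shell; run_audit wires the functions to the real commands and only executes on macOS. The approved NTP server (time.apple.com) is a placeholder for the one your organisation mandates, and the exact output wording is an assumption based on the usual form of these commands. Items 2, 6 and 7 (recovery-key custody, screen-lock timing, password policy) are not covered because they are not reliably readable from a single command.

```shell
#!/bin/sh
# Added audit helper for the macOS 15 hardening checklist (example code, not
# from the checklist or the STIG). check_* functions judge command output;
# run_audit collects the real output on a Mac. Sample strings in the
# comments are constructed examples of the expected output shapes.

# Item 1: `fdesetup status` -> "FileVault is On." when the disk is encrypted.
check_filevault() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# Item 3: `socketfilterfw --getglobalstate` -> "Firewall is enabled. (State = 1)"
# State 2 ("block all incoming") also counts as enabled.
check_firewall() { case "$1" in *"State = 1"*|*"State = 2"*) return 0 ;; *) return 1 ;; esac; }

# Item 4: `socketfilterfw --getstealthmode` -> "Stealth mode enabled"
check_stealth() { case "$1" in *"Stealth mode enabled"*) return 0 ;; *) return 1 ;; esac; }

# Item 5: `defaults read .../com.apple.loginwindow autoLoginUser` prints a
# username only when automatic login is on; empty output means it is off.
check_autologin() { [ -z "$1" ]; }

# Items 8, 9: SoftwareUpdate preference keys read back as 1 when enabled.
check_flag_on() { [ "$1" = "1" ]; }

# Items 14, 15: a preference that must NOT be 1 (GuestEnabled, Bluetooth power).
check_flag_off() { [ "$1" != "1" ]; }

# Item 10: `sw_vers -productVersion` must report a 15.x build.
check_major_version() { case "$1" in 15.*) return 0 ;; *) return 1 ;; esac; }

# Item 11: `systemsetup -getremotelogin` -> "Remote Login: Off"
check_remote_login_off() { case "$1" in *"Remote Login: Off"*) return 0 ;; *) return 1 ;; esac; }

# Item 12: `sshd -T` dumps the effective config as lowercase "key value" lines.
check_sshd_password_auth() { printf '%s\n' "$1" | grep -qi '^passwordauthentication no$'; }

# Item 13: `csrutil status` -> "System Integrity Protection status: enabled."
check_sip() { case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac; }

# Item 16: `systemsetup -getnetworktimeserver` -> "Network Time Server: <host>";
# $2 is the approved server (placeholder value supplied by run_audit).
check_ntp_server() { case "$1" in *"Network Time Server: $2"*) return 0 ;; *) return 1 ;; esac; }

# Item 17: `spctl --status` -> "assessments enabled" when Gatekeeper is on.
check_gatekeeper() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# Print PASS/FAIL for one check; the check function name is the label.
report() {
  if "$@"; then printf 'PASS  %s\n' "$1"; else printf 'FAIL  %s\n' "$1"; return 1; fi
}

# Run every check against live command output (some need root on macOS).
run_audit() {
  fails=0
  su_pref=/Library/Preferences/com.apple.SoftwareUpdate
  lw_pref=/Library/Preferences/com.apple.loginwindow
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  approved_ntp="time.apple.com"   # placeholder: replace with your approved server
  report check_filevault "$(fdesetup status 2>/dev/null)" || fails=$((fails+1))
  report check_firewall "$($fw --getglobalstate 2>/dev/null)" || fails=$((fails+1))
  report check_stealth "$($fw --getstealthmode 2>/dev/null)" || fails=$((fails+1))
  report check_autologin "$(defaults read $lw_pref autoLoginUser 2>/dev/null)" || fails=$((fails+1))
  report check_flag_on "$(defaults read $su_pref AutomaticCheckEnabled 2>/dev/null)" || fails=$((fails+1))
  report check_flag_on "$(defaults read $su_pref CriticalUpdateInstall 2>/dev/null)" || fails=$((fails+1))
  report check_major_version "$(sw_vers -productVersion 2>/dev/null)" || fails=$((fails+1))
  report check_remote_login_off "$(systemsetup -getremotelogin 2>/dev/null)" || fails=$((fails+1))
  report check_sshd_password_auth "$(sshd -T 2>/dev/null)" || fails=$((fails+1))
  report check_sip "$(csrutil status 2>/dev/null)" || fails=$((fails+1))
  report check_flag_off "$(defaults read $lw_pref GuestEnabled 2>/dev/null)" || fails=$((fails+1))
  report check_flag_off "$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null)" || fails=$((fails+1))
  report check_ntp_server "$(systemsetup -getnetworktimeserver 2>/dev/null)" "$approved_ntp" || fails=$((fails+1))
  report check_gatekeeper "$(spctl --status 2>/dev/null)" || fails=$((fails+1))
  printf '%d item(s) need attention\n' "$fails"
  [ "$fails" -eq 0 ]
}

# Only touch live settings on macOS; elsewhere the functions stay testable.
if [ "$(uname)" = "Darwin" ]; then run_audit; fi
```

Run it with sudo on the Mac being assessed; a FAIL line names the check function, which maps back to the checklist item number in its comment. Because each decision is a pure function of the command's text, the script can be extended with an MDM-delivered profile value or a different approved NTP host without changing the reporting logic.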