Mac OS X 10.5: About Back to My Mac security
Summary
Back to My Mac (BTMM) is a new feature in Mac OS X 10.5 Leopard that makes it easy to automatically connect to your other computers over the Internet. Once you've signed into MobileMe on your computer and BTMM is enabled, you may securely reach other computers via the Internet (the other computer(s) also must be signed into the same MobileMe account, be using Mac OS X 10.5, and have Back to My Mac enabled on them).
After completing a new installation of Mac OS X 10.5, Back to My Mac is enabled by default; however, the computer cannot be reached until sharing services (such as File Sharing or Screen Sharing) have been enabled in Sharing preferences (in System Preferences).
To ensure network connections between your computers are secure over the Internet, BTMM uses a technology called IPSec to encrypt data. To provide secure and trusted authentication, BTMM uses Kerberos with Digital Certificates. Kerberos provides an additional convenience: it eliminates the need for you to enter your username and password each time you wish to reach another computer in your BTMM network. Apple publishes a separate article about Kerberos in Leopard.
Products Affected
MobileMe
Security tips for using Back to My Mac
Since computers in a Back to My Mac network can automatically discover and authenticate to configured sharing services, it's important to consider the security of each computer that joins your BTMM network.
- Choose a good password for your MobileMe account. Anyone who knows your MobileMe password can access all the computers in your BTMM network, so it is very important to choose a strong password and keep it safe.
- Consider who has physical access to each of your computers. Anyone who knows the login name and password of your computer could potentially access shared services on all of the others. Therefore, just as with your MobileMe password, you should set a good password for your Mac OS X user account in the Accounts pane of System Preferences.
- Before you disconnect from sharing a screen with a remote computer, you should lock the screen on that remote computer (see below).
- You should follow these recommendations for all computers in your BTMM network:
  - Enable (check) "Require password to wake this computer from sleep or screen saver" in the Security preferences (in System Preferences).
  - Enable the Keychain Access menu extra via Keychain Access:
    - Open Keychain Access (in Applications/Utilities/).
    - Choose Preferences from the Keychain Access menu.
    - Enable (check the option) "Show Menu in Status Bar". A small padlock icon will appear in the menu bar.
    - Click the padlock menu and choose Lock Screen when you will be away from the computer.
  - Disable automatic login for user accounts with a MobileMe account that is signed in.
Removing a computer from Back to My Mac
To prevent a computer from being part of your Back to My Mac network at any time, you may click the "Stop" button on the Back to My Mac tab of MobileMe preferences in System Preferences. Additionally, you may click on "Sign Out" in the MobileMe "Account" tab to log out of the MobileMe service completely on that computer.
About routers and firewalls
Your network setup may involve routers, firewalls or a combination of both.
Your Mac may connect to the Internet through a router or wireless base station, which must support either NAT-PMP or the UPnP port mapping protocol. Some router devices support NAT-PMP or UPnP but do not have it enabled by default. ("UPnP" is a certification mark of the UPnP Implementers Corporation.)
To learn more about configuring a third-party router or wireless base station, consult the documentation that was supplied with your device. Apple publishes a separate list of routers that are compatible with Back to My Mac.
If you use a firewall, you may need to modify the configuration to permit BTMM to function correctly. In some corporate (or managed) network environments, you may need to consult your system administrator.
When signing into MobileMe and enabling BTMM, TCP port 443 is used. For connections between machines, BTMM typically uses UDP port 4500. Apple publishes a separate article listing the network ports commonly used by its products. By default, the appropriate ports for BTMM are already enabled in Mac OS X Leopard.
Apple publishes a separate article describing the Leopard Application Firewall.