Mac OS X v10.5 and later: About Back to My Mac security
Summary
Back to My Mac is a feature in Mac OS X v10.5 and later that makes it easy to automatically connect to your other computers over the Internet. Once you've signed into MobileMe on your computer and enabled Back to My Mac, you may securely reach other computers via the Internet. The other computer(s) also must be signed into the same MobileMe account, be using Mac OS X v10.5 or later, and have Back to My Mac enabled on them.
After completing a new installation of Mac OS X v10.5 or later, Back to My Mac is enabled by default; however, the computer cannot be reached until sharing services (such as File Sharing or Screen Sharing) have been enabled in Sharing preferences (in System Preferences).
To ensure network connections between your computers are secure over the Internet, Back to My Mac uses a technology called IPSec to encrypt data. To provide secure and trusted authentication, Back to My Mac uses Kerberos with Digital Certificates. Kerberos provides an additional convenience; it eliminates the need for you to enter your username and password each time you wish to reach another computer in your Back to My Mac network. To learn more about Kerberos, see this article.
Products Affected
Mac OS X 10.5, Mac OS X 10.6, Back to My Mac, MobileMe
Security tips for using Back to My Mac
Since computers in a Back to My Mac network can automatically discover and authenticate to configured sharing services, it's important to consider the security of each computer which joins your Back to My Mac network.
- Choose a good password for your MobileMe account. Anyone who knows your MobileMe password can access all the computers in your Back to My Mac network, so it is very important to choose a strong password and keep it safe.
- Consider who has physical access to each of your computers. Anyone who knows the login name and password of your computer could potentially access shared services on all of the others. Therefore, just as with your MobileMe password, you should set a good password for your Mac OS X user account in the Accounts pane of System Preferences.
- Before you disconnect from sharing a screen with a remote computer, you should lock the screen on that remote computer (see below).
- You should follow these recommendations for all computers in your Back to My Mac network:
  - Enable (check) "Require password to wake this computer from sleep or screen saver" in the Security preferences (in System Preferences).
  - Enable the Keychain Access menu extra via Keychain Access:
    - Open Keychain Access (in Applications/Utilities/).
    - Choose Preferences from the Keychain Access menu.
    - Enable (check the option) "Show Menu in Status Bar". A small padlock icon will appear in the menu bar.
    - Click the padlock menu and choose Lock Screen when you will be away from the computer.
  - Disable automatic login for user accounts with a MobileMe account that's signed in.
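As an added example (not part of Apple's article), the following shell script audits the two recommendations above that can be read from the command line: the wake-from-sleep password requirement and automatic login. The `defaults` domains and keys are assumptions from the Mac OS X 10.5/10.6 era and should be verified on your release; the check functions take the values read as arguments, so the logic can be exercised on any system, while the live read only runs where `defaults` exists.

```shell
#!/bin/sh
# Added example, not Apple's code. Audits two per-computer Back to My Mac
# recommendations. Preference domains/keys are assumptions (10.5/10.6 era):
#   com.apple.screensaver askForPassword                    (1 = required)
#   /Library/Preferences/com.apple.loginwindow autoLoginUser (set = auto-login on)

# check_wake_password VALUE
#   VALUE is the output of `defaults read com.apple.screensaver askForPassword`
#   (empty when the key is unset). Succeeds when a password is required.
check_wake_password() {
    [ "${1:-0}" = "1" ]
}

# check_autologin VALUE
#   VALUE is the output of
#   `defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser`
#   (empty when unset). Succeeds when automatic login is disabled.
check_autologin() {
    [ -z "$1" ]
}

# audit WAKE_VALUE AUTOLOGIN_VALUE
#   Prints one PASS/FAIL line per check; returns the number of failing checks.
audit() {
    fails=0
    if check_wake_password "$1"; then
        echo "PASS: password required to wake from sleep or screen saver"
    else
        echo "FAIL: enable 'Require password to wake...' in Security preferences"
        fails=$((fails + 1))
    fi
    if check_autologin "$2"; then
        echo "PASS: automatic login disabled"
    else
        echo "FAIL: automatic login enabled for user '$2'"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Live run, only on a system that has the `defaults` tool (Mac OS X).
if command -v defaults >/dev/null 2>&1; then
    wake=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || true)
    auto=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true)
    audit "$wake" "$auto" || echo "$? check(s) failed"
fi
```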
Removing a computer from Back to My Mac
To prevent a computer from being part of your Back to My Mac network at any time, click the "Stop" button in the Back to My Mac tab of MobileMe preferences in System Preferences. Additionally, you can click on "Sign Out" in the MobileMe "Account" tab to log out of the MobileMe service completely on that computer.
About routers and firewalls
Your network setup may involve routers, firewalls or a combination of both.
Your Mac may connect to the Internet through a router or wireless base station, which must support either NAT-PMP or the UPnP port mapping protocol. Some router devices may support NAT-PMP or UPnP, but the feature may not be enabled by default. To learn more, click here. ("UPnP" is a certification mark of the UPnP Implementers Corporation.)
To learn more about configuring a third-party router or wireless base station, consult the documentation that was supplied with your device. To learn which may be compatible with Back to My Mac, click here.
If you use a firewall, you may need to modify the configuration to permit Back to My Mac to function correctly. In some corporate (or managed) network environments, you may need to consult your system administrator.
When signing into MobileMe and enabling Back to My Mac, TCP port 443 is used. For connections between machines, Back to My Mac typically uses UDP port 4500. To learn more about network ports commonly used by Apple products, click here. By default, the appropriate ports for Back to My Mac are already enabled in Mac OS X v10.5 and later.
To learn more about the Application Firewall, click here.