Hardening macOS

Published Sep 29, 2018 by Ricard Bejarano

This guide is about security, not privacy.

Additionally, security measures that heavily compromise usability were not included.

This guide aims to produce above-average secure systems, without giving up features.

Last updated for macOS Ventura (14.0).

The easy stuff

Everyone can do these, no technical knowledge required.

  1. Install a fresh copy of macOS
    Why? It’s best to start clean, to avoid previous misconfiguration.
    How? Follow this Apple Support guide (Intel-based, Apple silicon).

  2. Perform the initial configuration until you can use the system.

  3. Enable automatic software updates
    Why? So that your system has the latest software patches installed.
    How? Go to System Settings > General > Software Update > Automatic updates, check all.

  4. Enable lock screen after inactivity
    Why? To prevent unauthorized access.
    How? Go to System Settings > Lock Screen, set “Turn display off when inactive” to 20 minutes or less, and “Require password after screen saver begins or display is turned off” to after 5 seconds or less.

  5. Forbid unsigned software
    Why? To prevent potentially malicious software from running.
    How? Go to System Settings > Privacy & Security > Security, set “Allow applications downloaded from App Store and identified developers” at most.

  6. Enable disk encryption
    Why? To prevent unauthorized access to your data.
    How? Go to System Settings > Privacy & Security > Security > FileVault, if disabled, click “Turn On…” and follow the procedure.

  7. Enable the inbound network firewall
    Why? To reduce exposure to network-based attacks.
    How? Go to System Settings > Network > Firewall, enable it and consider “Block all incoming connections”, though it could degrade user experience.

  8. Disable guest user access
    Why? To prevent unauthorized access.
    How? Go to System Settings > Users & Groups > Guest User, uncheck all.

  9. Disable network services
    Why? To reduce exposure to network-based attacks.
    How? Go to System Settings > General > Sharing, uncheck all unused services.

  10. Disable unnecessary application access
    Why? To limit the potential impact of malicious software.
    How? Go to System Settings > Privacy & Security > Privacy > Camera, uncheck all unnecessary access. Repeat this for all other privileges.

  11. Prevent Safari from opening downloads automatically
    Why? So that you know what you’re double-clicking on.
    How? Go to Safari > Settings > General, disable “Open ‘safe’ files after downloading”.

  12. Show all filename extensions
    Why? So that you know what you’re double-clicking on.
    How? Go to Finder > Settings > Advanced, check “Show all filename extensions”.

  13. Disable radios when unused
    Why? To reduce the exposure to wireless-based attacks.
    How? When unused, disable Wi-Fi and/or Bluetooth.

  14. Use a password manager
    Why? To avoid reusing passwords and to facilitate two-factor authentication.
    How? Choose one that suits your needs. I like 1Password.
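
Steps 5 to 8 above can also be verified from Terminal. The script below is an added example, not part of the original guide: it only reads settings, and the output strings it matches ("assessments enabled", "FileVault is On", "Firewall is enabled", a GuestEnabled value of 0) are assumptions about what these tools print on current macOS releases.

```shell
#!/bin/sh
# Added example: read-only audit of steps 5-8. Run it on the Mac being checked.

# verdict NAME OUTPUT PATTERN
# Prints "PASS NAME" or "FAIL NAME (got: ...)" and returns 0 or 1.
# PATTERN is a shell glob matched against the whole command output.
verdict() {
    case "$2" in
        $3) echo "PASS $1"; return 0 ;;
        *)  echo "FAIL $1 (got: ${2:-no output})"; return 1 ;;
    esac
}

# Each check takes the raw command output, so it can be tested with captured text.
check_gatekeeper() { verdict "Gatekeeper (step 5)" "$1" "*assessments enabled*"; }
check_filevault()  { verdict "FileVault (step 6)" "$1" "*FileVault is On*"; }
check_firewall()   { verdict "Firewall (step 7)" "$1" "*Firewall is enabled*"; }
# A missing GuestEnabled key is reported as FAIL so it gets checked by hand.
check_guest()      { verdict "Guest user off (step 8)" "$1" "0"; }

audit() {
    failed=0
    check_gatekeeper "$(spctl --status 2>&1)" || failed=1
    check_filevault "$(fdesetup status 2>&1)" || failed=1
    check_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" || failed=1
    check_guest "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>&1)" || failed=1
    return "$failed"
}

# Query the live system only on macOS; elsewhere the functions stay importable.
if [ "$(uname -s)" = "Darwin" ]; then
    audit || echo "One or more checks failed; revisit the steps named above."
fi
```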

The advanced stuff

For the security enthusiast, who wants to go the extra mile.

  1. Perform your daily tasks with a non-admin user
    Why? By default, the user created during installation has admin privileges, which significantly increases the impact if that account is compromised.
    How? Create a non-admin user account and use it when you don’t need admin privileges. This is considered advanced as it’s considerably inconvenient.

  2. Reconsider the risks of browser extensions
    Why? Browser extensions such as adblockers or grammar checkers require full read-write access to everything you do on the web. Yes, this includes your passwords. This is not malicious per se, but is the reward worth the risk?
    How? Go through your browser’s installed extensions and assess their value to you, and whether the risk trade-off is worth it or not. I like to have them installed but only allow them access to certain websites or on demand.

  3. Run an outbound network firewall
    Why? For visibility into and control over the traffic leaving your system.
    How? Install Little Snitch (paid) or LuLu (open-source).

  4. Block malicious domain names
    Why? To mitigate potential DNS poisoning.
    How? Install StevenBlack’s /etc/hosts file (or my own).

  5. Enable Terminal secure keyboard entry
    Why? To prevent other apps from snooping on what you type.
    How? Go to Terminal.app > Menu bar > Terminal, click “Secure Keyboard Entry”.

  6. Enable binary allowlisting
    Why? To completely prevent unauthorized software from running.
    How? Install and configure Google’s Santa.
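
For step 4, a third-party hosts file is installed with root privileges and overrides name resolution, so it is worth checking that every entry only sinkholes a name before it replaces /etc/hosts. The script below is an added example, not part of the original guide or of the blocklist projects it mentions; the list of accepted local-only names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a downloaded hosts-format blocklist before installing it.

# vet_hosts FILE
# Prints every entry that maps a name to a non-sinkhole address (unless the
# name is a stock local one) and returns 1 if any such entry exists.
vet_hosts() {
    awk '
        { sub(/\r$/, ""); sub(/#.*/, "") }     # drop CR line endings and comments
        NF == 0 { next }                        # nothing left on the line
        NF == 1 { printf "%d: no hostname: %s\n", NR, $0; bad++; next }
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" { next }
        {
            # Non-sinkhole address: acceptable only for local-only names.
            for (i = 2; i <= NF; i++)
                if ($i !~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)$/) {
                    printf "%d: %s -> %s\n", NR, $i, $1; bad++
                }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: stock local entries, two ordinary blocklist lines, and
# one line that points a real-looking name at a routable address.
sample_hosts() {
    cat <<'EOF'
# constructed sample, not a real blocklist
127.0.0.1 localhost
255.255.255.255 broadcasthost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # inline comment
203.0.113.7 login.example.org
EOF
}

tmp=$(mktemp) && sample_hosts > "$tmp"
vet_hosts "$tmp" || echo "Do not install: review the lines above first."
rm -f "$tmp"
```

Run `vet_hosts` on the downloaded file and install it only when the function prints nothing and returns 0.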

The serious stuff

Security specialists surely know more about macOS security than me, so I won’t make any specific recommendations.

I will instead refer you to trusted authorities on the subject:

That’s it?


Security is an ongoing task. You must actively look out for newly discovered vulnerabilities and educate yourself on how to protect yourself from them.

Some generic (but useful) rules are:

Be safe!
