4.3 Create network specific locations

Information

The network location feature of the Mac is a very powerful tool to manage network security. By creating different network locations, a user can easily (and without administrative privileges) change the network settings on the Mac. By only using the network interfaces needed at any specific time, exposure to network attacks is limited.

A little understanding of how the Network System Preferences pane works is required.

Rationale:

Network locations allow the computer to have specific configurations ready for network access when required. Locations can be used to manage which network interfaces are available for specialized network access.

Impact:

Unneeded network interfaces increase the attack surface and could lead to a successful exploit.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following actions to create and edit multiple network locations as needed:

Open System Preferences

Select Network

Select Location

Select Edit Locations from the Locations popup menu

Select any unneeded network locations

Click the minus button for any unneeded locations

Select Done

Select any remaining network locations

Select any unneeded network interfaces

Select the minus button to remove them

Note: Delete the Automatic location for any device that does not use multiple network services set for DHCP or dynamic addressing. If network services like FireWire, VPN, AirPort or Ethernet are not used by a specific device class those services should be deleted.

Additional Information:

Deleting the Automatic location cannot be undone.

See Also

https://workbench.cisecurity.org/files/3421