1.8 Ensure Computer Name Does Not Contain PII or Protected Organizational Information

Information

If the computer is used in an organization that assigns host names, it is a good idea to change the computer name to the host name. This is more of a best practice than a security measure. If the host name and the computer name are the same, computer support may be able to track problems down more easily.

For organizations or for users that self-administer their own computers, it is important to not use sensitive or personal information in computer names. The name of a computer that uses untrusted networks will be exposed at a minimum to the responsible network team of that network. While I may not care if the computer name of Ron Colvin's MacBook Pro is visible on a Hooters WiFi network, other uses may not feel the same way.

Examples of possibly inappropriate content in computer names include:

User directory account names

Computer directory account names where machine accounts exist

Contact phone numbers

Physical locations of offices or residences

Personal information that can be augmented with Facebook data to assist social engineering attacks

Standard naming patterns avoid collisions and mitigate risk for computer users.

With mobile devices, using DHCP IP tracking has serious drawbacks; hostname or computer name tracking makes much more sense for those organizations that can implement it. If the computer is using different names for the 'Computer Name' DNS and Directory environments, it can be difficult to manage Macs in an Enterprise asset inventory.

Rationale:

Part of IT security is having visibility into all of the devices for which an organization is responsible. Without a complete inventory, it is impossible to ensure all security controls are met on all organizational devices.

Default macOS naming deconfliction controls can create issues for appropriate management and tracking as well as privacy exposure. By default, the name of a macOS computer is derived from the first user created. If the user has multiple computers or an image is used without an appropriate name change, there will be multiple computers with names derived from the same user for discovery deconfliction. How many 'Ron Colvin's MacBook Pro' should there be, and are any missing?

Local network auto renaming to avoid collisions also allows for the enumeration of local computer names. Computers should not be named after their users, especially on untrusted networks. For social engineering purposes, the computer name should not provide a full name of the user or an identifiable name that might be used to assist in targeted user attacks.

A documented plan to better enable a complete device inventory without exposing user or organizational information is part of mature security.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Graphical Method:
Perform the following steps to set the computer name:

Open System Preferences

Select Sharing

Set Computer Name to your organization's parameters

See Also

https://workbench.cisecurity.org/files/4178