Macintosh OS X Workstation STIG, V1R1 
DISA Field Security Operations 
15 June 2004 
          Developed by DISA for the DOD 
5.  TRUST RELATIONSHIPS 
In the early days of computer use, all information necessary for an application was contained on 
storage media physically attached to the computer system on which the application executed.  
With the advent of networks and network technologies, many computer applications were 
designed to communicate with other computers to share information and to store data centrally.  
Initial communication protocols for sharing information did not check the authority, through 
identification and authentication (I&A), behind a request for data or command execution.  Today, 
computer information must be guarded to assure privacy and accuracy.  This guarding is handled 
by assorted encryption schemes and protocols that establish trust relationships between two or 
more computers.  Communication protocols also ensure end-to-end data integrity. 
5.1  Network Information Service (NIS) 
Network Information Service (NIS) is a database system that provides a mechanism for sharing 
network objects and resources.  It provides a uniform storage and retrieval method for 
network-wide information in a transport-protocol- and media-independent fashion. 
By running NIS, the System Administrator can distribute administrative databases called maps 
among a variety of servers (master, slaves, and clients), and update those databases from a 
centralized location in an automatic and reliable fashion to ensure that all clients share the same 
information in a consistent manner throughout the network.  NIS stores information about 
machine names and addresses, users, the network, and network services.  This collection of 
network information is referred to as the NIS namespace. 
NIS addresses administration requirements of client/server computing networks common in the 
1980s.  Client/server networks were limited to no more than a few hundred clients and a small 
number of multipurpose servers.  The clients and servers were spread across a few remote sites.  
Users were considered sophisticated and trusted, so security was not a primary concern.  The 
networks needed infrequent updates.  NIS can only be updated by transferring an entire map to a 
slave or client.  NIS uses no authentication between computers on a network.  This poses a 
serious threat to security.  NIS maps will be secured in such a way that a malicious user cannot 
easily obtain them.  The best way to do this is to make the NIS domain name hard to guess.  NIS 
can be easily misconfigured and contains several well-known vulnerabilities, making it difficult 
to secure systems using NIS.  For that reason and others, NIS should not be used. 
NIS will be removed from Mac OS X workstations.   
    
(OSX1026SYS0011: CAT II) The SA will ensure that NIS is removed from all Mac OS X 
workstations. 
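One way an SA could check this requirement, shown as an added example that is not part of the STIG: the script flags a configured NIS domain and any running NIS daemons.  It assumes the domain is recorded as a NISDOMAIN= line in a hostconfig-style file (with -NO- meaning disabled) and that a process listing has been saved with one process name per line; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not STIG text. Assumed inputs: a hostconfig-style file with a
# NISDOMAIN=<value> line (-NO- meaning disabled) and a saved process listing
# with one process name per line.

# Print the effective NISDOMAIN value; the last uncommented assignment wins.
nis_domain_setting() {
    sed -n 's/^[[:space:]]*NISDOMAIN=//p' "$1" | tail -n 1 | tr -d '"'
}

# Print each NIS daemon name present in the process listing, once.
nis_daemons() {
    tr -d ' \t' < "$1" | grep -E -x '(ypbind|ypserv|ypxfrd|rpc\.yppasswdd)' | sort -u
}

# Print findings; return 0 when no NIS remnants are found, 1 otherwise.
nis_audit() {
    rc=0
    domain=$(nis_domain_setting "$1")
    case "$domain" in
        ''|-NO-) ;;   # unset or explicitly disabled
        *) echo "FINDING: NIS domain configured: $domain"; rc=1 ;;
    esac
    for d in $(nis_daemons "$2"); do
        echo "FINDING: NIS daemon running: $d"; rc=1
    done
    if [ "$rc" -eq 0 ]; then echo "OK: no NIS domain or daemons found"; fi
    return "$rc"
}

# Write constructed sample inputs (not captured from a real host) into DIR.
make_samples() {
    printf '%s\n' '# constructed sample' 'HOSTNAME=-AUTOMATIC-' \
        '#NISDOMAIN=old.example' 'NISDOMAIN=corp.example' > "$1/hostconfig.nis"
    printf '%s\n' 'HOSTNAME=-AUTOMATIC-' 'NISDOMAIN=-NO-' > "$1/hostconfig.clean"
    printf '%s\n' 'init' 'ypbind' 'sshd' 'ypbind' > "$1/ps.nis"
    printf '%s\n' 'init' 'sshd' 'typbindx' > "$1/ps.clean"
}

tmp=$(mktemp -d)
make_samples "$tmp"
nis_audit "$tmp/hostconfig.nis" "$tmp/ps.nis" || true      # reports two findings
nis_audit "$tmp/hostconfig.clean" "$tmp/ps.clean" || true  # reports OK
rm -rf "$tmp"
```

A non-zero return from nis_audit marks the workstation for follow-up under this requirement.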
5.2  Network File System (NFS) 
Network File System (NFS) allows clients to access filesystems located on remote servers as 
though the filesystems were resident on the clients.  This allows a filesystem to be stored in one 
common location and securely exported to many clients at once instead of replicating it across 
many systems.  NFS has the capability to enforce security policies for exported/shared 
filesystems.  A security concern is presented with NFS because filesystems are physically 
UNCLASSIFIED 




  
