
Apple Mac OS X v10.3.x Panther Security Configuration Guide Version 1.1 Checklist Details (Checklist Revisions)

Supporting Resources:


Target CPE Name
Apple Mac OS X 10.3 cpe:/o:apple:mac_os_x:10.3 (View CVEs)

Checklist Highlights

Checklist Name:
Apple Mac OS X v10.3.x Panther Security Configuration Guide
Checklist ID:
Version 1.1
Review Status:
Governmental Authority: National Security Agency
Original Publication Date:

Checklist Summary:

The purpose of this guide is to provide an overview of Mac OS X v10.3.x "Panther" operating system security and recommendations for configuring the security features. This guide provides recommended settings to secure systems using this operating system, and points out problems that could cause security concerns in systems using this operating system. This document consists of six chapters and two appendices:

  • Chapter 1, "Scope of Guidance," contains an overview of the type of system for which this guidance is intended.
  • Chapter 2, "Introduction to Mac OS X Security," contains a brief overview of some of the key security features found in the Mac OS X operating system.
  • Chapter 3, "Initial Installation" contains step-by-step guidance for installing a new Mac OS X system.
  • Chapter 4, "Configuring System Settings," contains information on how to securely configure a Mac OS X system once it has been installed.
  • Chapter 5, "Configuring User Accounts," contains guidance on how to create new user accounts, how to give an account administrative access, how to limit account capabilities, how to configure each type of account to make it secure, and information that should be passed on to users about using their accounts securely.
  • Chapter 6, "Future Guidance," contains information about topics that were not covered in this guidance, but which are slated for future guidance.
  • Appendix A, "Encrypting Files and Folders," gives instructions on two additional ways to encrypt files under Mac OS X that may provide additional security for information that is to be transferred via removable media (e.g. CD) or network.
  • Appendix B, "References," contains a list of resources used in creating this guide. Many of these resources are valuable sources of additional information about Mac OS X in general, including many features not discussed in this guidance.
  • Appendix C, "Additional Resources," contains a list of references that, though not used in preparation of this guide, may be of interest to the reader.

Checklist Role:

  • Desktop or Mobile Client

Known Issues:

Guidance in this document is geared towards a locally-administered Mac OS X v10.3.x system. Guidance contained here may not be applicable to Mac OS X Server or to a Mac OS X network. Some instructions within this guidance are complex, and deviation could result in serious adverse effects on the system and its security. Modification of these instructions should only be performed by experienced Mac OS X administrators, and followed by thorough testing.

Target Audience:

This document is intended for anyone managing a locally-administered Apple Mac OS X v10.3.x system. It is assumed that anyone using this guidance will have some experience using Mac OS X, and understands the basics of the Mac OS X user interface.

Target Operational Environment:

  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

The security configuration guide has been extensively tested with Mac OS X v10.3.3 with Mac OS Update 10.3.4 and security updates Security Update 2004-05-24 and Security Update 2004-06-07 in a lab environment and operational environment.

Regulatory Compliance:

Not provided.


The following list contains suggestions for successfully using the Apple Mac OS X Security Configuration Guide:

  • Read the guide in its entirety. Subsequent sections can build on information and recommendations discussed in prior sections.
  • This guidance should always be tested in a non-operational environment before deployment. This non-operational environment should simulate the architecture where the system will be deployed as much as possible.
  • This guidance is intended primarily for a locally-administered Mac OS X system. Much of the guidance may still be applicable even for a Mac OS X system being managed by another server. If the system being configured will be centrally managed by another system, the guidance given here should be followed as closely as possible within that context, but some guidance may not be applicable.
  • Any deviations from this guidance should be evaluated to determine what security risk that deviation may introduce, and measures should be taken to monitor or mitigate those risks.

The organizations responsible for this guide include: Systems and Network Attack Center (SNAC), and National Security Agency (NSA)


Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Apple Mac OS X v. 10.3.x "Panther" and should not be applied to any other Mac OS versions or operating systems.

Product Support:

Not provided.

Point of Contact:



Not provided.


Unless expressly stated otherwise to comply with license requirements or copyrights owned by others, information presented on NSA.gov is considered public information and may be distributed or copied. Use of appropriate byline/phone/image credit is requested. In accordance with 50 USC 402, no one may use without permission from NSA/CSS the words 'National Security Agency', the initials, or seal of the National Security Agency in connection with any commercial activity or in a manner intended to convey the impression that such use is approved, endorsed, or authorized by the National Security Agency.

Change History:

Version 1.1 - 2004-10-15
Updated status to Archive - 10/24/18



NIST checklist record last modified on 10/24/2018