You should make sure that in your /etc/apache2/users/username.conf you have the following:
<Directory "/Users/username/Sites/">
Options Indexes MultiViews FollowSymlinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
The FollowSymlinks and AllowOverride are essential here. While you are hinting at both in your question, maybe you did not configure these correctly in tandem.
Make sure in httpd.conf /private/etc/apache2/extra/httpd-userdir.conf is included as well. It is by default.
After any modifications, restart the web server for the changes to take effect.
If you are still having problems, maybe there is a problem with your actual rewrite rules. Were you using them in a .htaccess context before as well? Note that in a .htaccess, the rewrite rule regex is matched against a request URI without the leading slash and always relative to the directory where the .htaccess resides, whereas in a global httpd.conf the URI must match with a leading slash and is relative to the web root. Because assumedly you have your .htaccess in a subdirectory of ~/Sites, your rewrite rules might behave different from when the .htaccess resides in the web root of a (virtual) host.
To debug mod_rewrite you can enable rewrite logging. You should enable that in /etc/apache2/httpd.conf:
RewriteLogLevel 3
RewriteLog /path/to/rewrite.log
I have it on good authority that the Apple Security Guides take a long time to compile and produce, and publication trails the release of the operating system by some time. The same people working on that guide are also producing documentation for various security certifications and other purposes. Once the guide is released, it will be available at Mac OS X Security Configuration Guides
With Apple's recent decision to move to annual OS updates, I wonder if we'll ever see a current security guide again.
Though overkill for most computer users, the US National Security Agency also publishes hardening guides for Mac OS X and other operating systems. (They haven't published for Lion either, and their own guidelines are very likely an expansion of the procedures Apple recommends.)
When considering the NSA advice remember that security is always a balance between safety and usability and that most of us aren't protecting secrets of State. If you don't know why you're doing it, and have a good reason to believe you need to do it, don't! There are relatively few users who need to lock down this tightly, and the negative effect on usability, and in some cases functionality, can outweigh the benefits.
Best Answer
Correct. They're sadly slow to publish this info. Try this: http://www.mactech.com/articles/mactech/Vol.21/21.02/Security/index.html
Cheers!