6.1.4 Disable 'Allow guests to connect to shared folders' - SMB Sharing

Information

Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.

Rationale:

Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system.

Impact:

Unauthorized users could access shared files on the system.

Solution

Perform the following to implement the prescribed state:

Open System Preferences

Select Users & Groups

Select Guest User

Uncheck Allow guests to connect to shared folders

Alternatively:
For AFP sharing:
Run the following command in Terminal:

sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool no

For SMB sharing:
Run the following command in Terminal:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool no

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2

Plugin: Unix

Control ID: 1d2658aff18b77da533bd1042cdf03ae8192a99b19e2adfe9b63af1a9adaa0ba