2.4.8 Disable File Sharing - SMB

Information

Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing).

Two common ways to share files using File Sharing are:

Apple File Protocol (AFP): AFP automatically uses encrypted logins, so this method of sharing files is fairly secure. The entire hard disk is shared to administrator user accounts. Individual home folders are shared to their respective user accounts. Users' 'Public' folders (and the 'Drop Box' folder inside) are shared to any user account that has sharing access to the computer (i.e. anyone in the 'staff' group, including the guest account if it is enabled).

Server Message Block (SMB), Common Internet File System (CIFS): When Windows (or possibly Linux) computers need to access files shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords in a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.

Rationale:

By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced.

Impact:

File Sharing can be used to share documents with other users, but hardened servers should be used rather than user endpoints. Turning on file sharing increases the visibility and attack surface of a system unnecessarily.

Solution

Perform the following to implement the prescribed state:

Run the following command in Terminal to turn off AFP from the command line:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist

Run the following command in Terminal to turn off SMB sharing from the CLI:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist
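
To confirm that both commands above took effect, the following check reads the launchd override list and reports the state of each label. It is an added example, not part of the benchmark text. The function names, the sample outputs (constructed) and the assumed line format of `launchctl print-disabled system` are assumptions.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the two launchd labels above.
# Assumed line format of `launchctl print-disabled system`:
#   "label" => true|false      or      "label" => disabled|enabled
LABELS="com.apple.AppleFileServer com.apple.smbd"

# service_state LABEL: reads print-disabled output on stdin and prints
# disabled, enabled, or no-override (label has no recorded override).
service_state() {
    awk -v label="$1" '
        { name = $1; gsub(/"/, "", name) }
        name == label && $2 == "=>" {
            state = ($3 == "true" || $3 == "disabled") ? "disabled" : "enabled"
        }
        END { print (state == "" ? "no-override" : state) }'
}

# audit_file_sharing TEXT: prints one line per label; returns 0 only when
# every label is recorded as disabled.
audit_file_sharing() {
    rc=0
    for label in $LABELS; do
        state=$(printf '%s\n' "$1" | service_state "$label")
        printf '%-28s %s\n' "$label" "$state"
        [ "$state" = "disabled" ] || rc=1
    done
    return "$rc"
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_PASS='disabled services = {
    "com.apple.AppleFileServer" => true
    "com.apple.smbd" => disabled
}'
SAMPLE_FAIL='disabled services = {
    "com.apple.smbd" => false
}'

# Use live data on a Mac; otherwise fall back to the constructed sample.
if command -v launchctl >/dev/null 2>&1; then
    audit_file_sharing "$(launchctl print-disabled system 2>/dev/null)" ||
        echo "FAIL: a file sharing service is not recorded as disabled"
else
    audit_file_sharing "$SAMPLE_PASS"
fi
```

A label reported as no-override has never been disabled with `-w`, so it counts as a failure here.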

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|9.1

Plugin: Unix

Control ID: 582778fe3f16a97a018e5f500a4cef45a055c5b68f3ccfb6d9524b826e845d4a