2.8 Disable 'Wake for network access' and 'Power Nap' - wake

Information

These two features allow the computer to take action when the user is not present and the computer is in energy saving mode. These tools require FileVault to remain unlocked and fully rejoin known networks. These macOS features are meant to allow the computer to resume activity as needed regardless of physical security controls.

Wake for network access This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals.

Power Nap Power Nap allows the system to stay in low power mode, especially while on battery power and periodically connect to previously named networks with stored credentials for user applications to phone home and get updates. This capability requires FileVault to remain unlocked and the use of previously joined networks to be risk accepted based on the SSID without user input

Rationale:

Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access.




Impact:

Management programs like Apple Remote Desktop Administrator use wake-on-LAN to connect with computers. If turned off, such management programs will not be able to wake a computer over the LAN. If the wake-on-LAN feature is needed, do not turn off this feature.

Power Nap exists for unattended user application updates like email and social media clients. if the computer must always be updated with the latest client information it can be left on, plugged in and the display dimmed. If AC power is not available the use case correlates with possibly compromised physical and logical security. The user should be able to decrypt FileVault and have the applications download what is required when the computer is actively used.

The control to prevent computer sleep has been retired for this version of the Benchmark. Forcing the computer to stay on and use energy in case a management push is needed is contrary to most current management processes. Only keep computers unslept if after hours pushes are required on closed LANs.

Solution

Perform the following disable Wake for network access or Power Nap:
Graphical Method:

Open System Preferences

Select Energy Saver

Uncheck Wake for network access

Uncheck Enable Power Nap

Terminal Method:
Run the following command to disable Wake for network access:

$ sudo pmset -a womp 0

Run the following command to disable Power Nap:

$ sudo pmset -a powernap 0

Additional Information:

man pmset

See Also

https://workbench.cisecurity.org/files/3013

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11, CSCv6|3.1

Plugin: Unix

Control ID: 46cc09f5b39839a3550de7f16a0f45434d70f37eae5e194aaf81cea9712de115