6.1.4 Ensure Guest Access to Shared Folders Is Disabled - AFP Sharing

Information

Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.

Rationale:

Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system.

Impact:

Unauthorized users could access shared files on the system.

Solution

Perform the following to no longer allow guest user access to shared folders:
Graphical Method:

Open System Preferences

Select Users & Groups

Select Guest User

Uncheck Allow guests to connect to shared folders

Terminal Method:
Run the following commands to verify that shared folders are not accessible to guest users:

$ sudo /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false

$ sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false




Profile Method:

Create or edit a configuration profile with the PayLoadType of com.apple.AppleFileServer

Add the key Forced

Set the key to the following:

<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>guestAccess</key>
<false/>
</dict>
</dict>
</array>

Create or edit a configuration profile with the PayLoadType of com.apple.smb.server

Add the key Forced

Set the key to the following:

<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>AllowGuestAccess</key>
<false/>
</dict>
</dict>
</array>

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 37a19cefd65f63b49f1360f961da9dd5f2b35795b6222e1d0a4bc690dbbb1d24