Information
Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.
Rationale:
Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly use privilege escalation attacks to take control of the system.
Impact:
Unauthorized users could access shared files on the system.
Solution
Perform the following to no longer allow guest user access to shared folders:
Graphical Method:
Open System Preferences
Select Users & Groups
Select Guest User
Uncheck Allow guests to connect to shared folders
Terminal Method:
Run the following commands to verify that shared folders are not accessible to guest users:
$ sudo /usr/bin/defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false
$ sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false
Profile Method:
Create or edit a configuration profile with the PayLoadType of com.apple.AppleFileServer
Add the key Forced
Set the key to the following:
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>guestAccess</key>
<false/>
</dict>
</dict>
</array>
Create or edit a configuration profile with the PayLoadType of com.apple.smb.server
Add the key Forced
Set the key to the following:
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>AllowGuestAccess</key>
<false/>
</dict>
</dict>
</array>