2.3.3.3 Ensure File Sharing Is Disabled

Information

File sharing from a user workstation creates additional risks, such as:

- Open ports are created that can be probed and attacked
- Passwords are attached to user accounts for access that may be exposed and endanger other parts of the organizational environment, including directory accounts
- Increased complexity makes security more difficult and may expose additional attack vectors

Apple's File Sharing uses the Server Message Block (SMB) protocol to share to other computers that can mount SMB shares. This includes other macOS computers.

Apple warns that SMB sharing stored passwords is less secure, and anyone with system access can gain access to the password for that account. When sharing with SMB, each user accessing the Mac must have SMB enabled. Storing passwords, especially copies of valid directory passwords, decreases security for the directory account and should not be used.

By disabling File Sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced.

Solution

Graphical Method:

Perform the following steps to disable File Sharing:

- Open System Settings
- Select General
- Select Sharing
- Set File Sharing to disabled

Terminal Method:

Run the following command to disable File Sharing:

$ /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd

Impact:

File Sharing can be used to share documents with other users, but hardened servers should be used rather than user endpoints. Turning on File Sharing increases the visibility and attack surface of a system unnecessarily.

See Also

https://workbench.cisecurity.org/benchmarks/15551