2.4.9 Ensure Remote Management Is Disabled

Information

Remote Management is the client portion of Apple Remote Desktop (ARD). Remote Management can be used by remote administrators to view the current screen, install software, report on, and generally manage client Macs.

The screen sharing options in Remote Management are identical to those in the Screen Sharing section. In fact, only one of the two can be configured. If Remote Management is used, refer to the Screen Sharing section above on issues regard screen sharing.

Remote Management should only be enabled when a Directory is in place to manage the accounts with access. Computers will be available on port 5900 on a macOS System and could accept connections from untrusted hosts depending on the configuration, which is a major concern for mobile systems. As with other sharing options, an open port even for authorized management functions can be attacked, and both unauthorized access and Denial-of-Service vulnerabilities could be exploited. If remote management is required, the pf firewall should restrict access only to known, trusted management consoles. Remote management should not be used across the Internet without the use of a VPN tunnel.

Rationale:

Remote Management should only be enabled on trusted networks with strong user controls present in a Directory system. Mobile devices without strict controls are vulnerable to exploit and monitoring.

Impact:

Many organizations utilize ARD for client management.

Solution

Graphical Method:
Perform the following steps to disable Remote Management:

Open System Preferences

Select Sharing

Set Remote Management to disabled

Terminal Method:
Run the following command to disable Remote Management:

$ /usr/bin/sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

Starting...
Removed preference to start ARD after reboot.
Done.

Additional Information:

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help

See Also

https://workbench.cisecurity.org/files/4176