Detections
Analytics
2.4.8 Ensure File Sharing Is Disabled
Information
File sharing from a user workstation creates additional risks, such as:Open ports are created that can be probed and attacked
Passwords are attached to user accounts for access that may be exposed and endanger other parts of the organizational environment, including directory accounts
Increased complexity makes security more difficult and may expose additional attack vectors
Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)
Two common ways to share files using File Sharing are:
Apple File Protocol (AFP) AFP automatically uses encrypted logins, so this method of sharing files is fairly secure. The entire hard disk is shared to administrator user accounts. Individual home folders are shared to their respective user accounts. Users' 'Public' folders (and the 'Drop Box' folder inside) are shared to any user account that has sharing access to the computer (i.e. anyone in the 'staff' group, including the guest account if it is enabled).
Server Message Block (SMB), Common Internet File System (CIFS) When Windows (or possibly Linux) computers need to access file shared on a Mac, SMB/CIFS file sharing is commonly used. Apple warns that SMB sharing stores passwords is a less secure fashion than AFP sharing and anyone with system access can gain access to the password for that account. When sharing with SMB, each user that will access the Mac must have SMB enabled.
Apple warns that SMB sharing stored passwords is less secure, and anyone with system access can gain access to the password for that account. When sharing with SMB, each user accessing the Mac must have SMB enabled. Storing passwords, especially copies of valid directory passwords, decrease security for the directory account and should not be used.
Rationale:
By disabling File Sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced.
Impact:
File Sharing can be used to share documents with other users, but hardened servers should be used rather than user endpoints. Turning on File Sharing increases the visibility and attack surface of a system unnecessarily.
Solution
Graphical Method:Perform the following steps to disable File Sharing:
Open System Preferences
Select Sharing
Set File Sharing to disabled
Terminal Method:
Run the following command to disable File Sharing:
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.AppleFileServer
$ /usr/bin/sudo /bin/launchctl disable system/com.apple.smbd
See Also
Item Details
Audit Name: CIS Apple macOS 10.15 Catalina v3.0.0 L1
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|AC-6(2), 800-53|AC-6(5), 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|4.3, CSCv7|5.1, CSCv7|9.2
Plugin: Unix
Control ID: f362141d0b88862558e62098c88ef498b34b2e08a7784ab51667e6ea8a347d2b