Add docs, fix revert code, recommend
- Fixes revert code (instead of adding opposite value to be default OS
  state).
- Adds missing documentation
- Recommend on strict
- Simplify names
undergroundwires committed Jan 12, 2025
1 parent d810841 commit e6ebd09
Showing 1 changed file with 187 additions and 9 deletions.
196 changes: 187 additions & 9 deletions src/application/collections/macos.yaml
Expand Up @@ -1595,22 +1595,200 @@ actions:
revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver 'askForPasswordDelay'
-
category: Disable guest accounts
docs:
docs: |- # TODO: Docc these too, explain concepts
- https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230823
- https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81615
However, consider that you may want to keep Guest access on as it can be useful when managed right.
The Guest User feature on macOS provides a way for individuals to use a shared or publicly
accessible device without a personal account [2].
Though it allows individuals to access the device without authentication, it ensures that they
do not access private data and the digital workspace of an existing user account [2].
In an IT organization, enabling guest accounts on Mac computers provides a secure and
temporary access solution,
allowing individuals to use the system without compromising sensitive company data
contained on the device [2].
The guest user may access shared folders on a Mac without logging in with a password [2].
They may use apps like Safari but are limited from other functionalities like accessing the
encrypted disk or creating files (if FileVault is turned on) [2]
Also, the guest user cannot change the user or computer settings [2].
Any files they create are stored in a temporary folder that is deleted upon guest log-out [2].
[2]: https://www.hexnode.com/mobile-device-management/help/script-to-enable-guest-user-on-mac/
children:
-
name: Disable guest sign-in from login screen
code: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
revertCode: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES
-
name: Disable guest access to file shares over SMB
recommend: strict #TODO: Or standard?
docs: |- # TODO: No rsearch done
TODO: https://gist.github.com/justinpawela/8a924f36f86bac2b563bf6832eefff25
This script disables..
It prevents guest accounts [5].
This script improves your privacy by..
The guest account allows users access to the system without having to create an account or password [1].
Guest users are unable to make setting changes, cannot remotely login to the system and all created files,
caches, and passwords are deleted upon logging out [1].
Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance
and possibly using privilege escalation attacks to take control of the system [1].
A guest user can use that access to find out additional information about the system and might
be able to use privilege escalation vulnerabilities to establish greater access [1].
By default, the guest account is enabled for access to sharing services, but
is not allowed to log in to the computer [1] [4].
Having guest account login is considered a security vulnerability [4].
The Guest account, a special managed account, is considered a security vulnerability in most situations
because it has no password associated with it [4].
Once an attacker has gained guest-level access, the attacker can try to elevate privileges to further
exploit a system [4].
It should be disabled unless there is a clearly demonstrated need to use a Guest account [4].
Note that when a guest logs out of a macOS system, the guest's environment is destroyed and reinitialized [4].
However, consider that you may want to keep Guest access on as it can be useful when managed right.
The Guest User feature on macOS provides a way for individuals to use a shared or publicly
accessible device without a personal account [2].
Though it allows individuals to access the device without authentication, it ensures that they
do not access private data and the digital workspace of an existing user account [2].
In an IT organization, enabling guest accounts on Mac computers provides a secure and
temporary access solution,
allowing individuals to use the system without compromising sensitive company data
contained on the device [2].
The guest user may access shared folders on a Mac without logging in with a password [2].
They may use apps like Safari but are limited from other functionalities like accessing the
encrypted disk or creating files (if FileVault is turned on) [2]
Also, the guest user cannot change the user or computer settings [2].
Any files they create are stored in a temporary folder that is deleted upon guest log-out [2].
Keep in mind that The Users & Groups System Preferences pane is buggy in macOS 10.10 and 10.11
(and probably other versions) [3]. It does not accurately report whether the Guest account is enabled
in part or full. Instead of clicking and guessing, it's easier to just run this script and be done with it [3].
It's also recommended by CIS (Center of ..) [1].
It's recommended for security by NIST Special Publication (SP) 800-179 [5].
### Technical Details
It configures `/Library/Preferences/com.apple.loginwindow!GuestEnabled` [1] [2] [3] [4] [5].
By default this configuration does not exist.
It means that the guest account is not allowed to log in to the computer [1].
[1]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:153219403c9d852b574cc5ef59902392
[2]: https://www.hexnode.com/mobile-device-management/help/script-to-enable-guest-user-on-mac/
[3]: https://gist.github.com/justinpawela/8a924f36f86bac2b563bf6832eefff25
[4]: https://www.scaprepo.com/view.jsp?id=CCE-50057-9
[5]: https://www.researchgate.net/profile/Karen-Scarfone/publication/329972894_NIST_Special_Publication_800-179_Guide_to_Securing_Apple_OS_X_1010_Systems_for_IT_Professionals_A_NIST_Security_Configuration_Checklist/links/5c26914c458515a4c7fecfa5/NIST-Special-Publication-800-179-Guide-to-Securing-Apple-OS-X-1010-Systems-for-IT-Professionals-A-NIST-Security-Configuration-Checklist.pdf
code: sudo defaults write '/Library/Preferences/com.apple.loginwindow' 'GuestEnabled' -bool NO
revertCode: |- # Does not exist by default since macOS Sonoma 14.5
sudo defaults delete '/Library/Preferences/com.apple.loginwindow' 'GuestEnabled'
# TODO: defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool FALSE
# TODO: dscl . create /Users/MANAGEMENTACCOUNTNAME IsHidden 1
# TODO: sysadminctl -guestAccount off, https://apple.stackexchange.com/questions/346088/enable-guest-user-in-10-14-x-via-the-command-line-without-a-mdm
# TODO: https://forums.macrumors.com/threads/other-user-on-log-in-screen.1994407/post-23390436
# TODO: sudo fdesetup remove -user Guest , https://gist.github.com/justinpawela/8a924f36f86bac2b563bf6832eefff25
-
name: Disable guest file sharing over SMB
recommend: strict #TODO: Or standard?
docs: |- # TODO: GitHub not searched, otherwise research done
This script disables..
By default, the guest account is enabled for access to sharing services [8] [9].
It prevents guest access to shared folders over SMB protocol [1] [7].
This script improves your privacy by..
Allowing guests to connect to shared folders enables users to access selected shared folders and
their contents from different computers on a network [2].
Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly
use privilege escalation attacks to take control of the system [2].
Potential impact: Unauthorized users could access shared files on the system [2].
On Mac, You can share files and folders with others on your network [6].
You can share your entire Mac with everyone or allow specific users access to only certain folders [6].
This script disables ability to share files with everyone using SMB.
This script impacts only SMB sharing [2].
The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is
known as Microsoft SMB Protocol [4].
The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to
files and to request services from server programs in a computer network [5].
SMB is typically used to share files with Windows computers from Mac computers [3].
It's recommended for security by NIST Special Publication (SP) 800-179 [1] [7].
It's also recommended by CIS (Center of ..) [2].
> **Caution:** Explain potential side-effects/impacts for non tech savvy in single sentence.
### Technical Details
It configures ` /Library/Preferences/SystemConfiguration/com.apple.smb.server!AllowGuestAccess` [1] [7].
By default this configuration does not exist.
[1]: https://www.researchgate.net/profile/Karen-Scarfone/publication/329972894_NIST_Special_Publication_800-179_Guide_to_Securing_Apple_OS_X_1010_Systems_for_IT_Professionals_A_NIST_Security_Configuration_Checklist/links/5c26914c458515a4c7fecfa5/NIST-Special-Publication-800-179-Guide-to-Securing-Apple-OS-X-1010-Systems-for-IT-Professionals-A-NIST-Security-Configuration-Checklist.pdf
[2]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:29019b6e758d6bc1d21c263c6dd92899
[3]: https://www.apple.com/server/docs/File_Services_TB_v10.4.pdf
[4]: https://learn.microsoft.com/en-gb/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview?redirectedfrom=MSDN
[5]: https://learn.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview
[6]: https://support.apple.com/en-gb/guide/mac-help/mh17131/mac
[7]: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-179.pdf
[8]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:153219403c9d852b574cc5ef59902392
[9]: https://www.scaprepo.com/view.jsp?id=CCE-50057-9
code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO
revertCode: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES
revertCode: |- # Does not exist by default since macOS Sonoma 14.5
sudo defaults delete '/Library/Preferences/SystemConfiguration/com.apple.smb.server' 'AllowGuestAccess'
-
name: Disable guest access to file shares over AF
code: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO
revertCode: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES
name: Disable anonymous file sharing over AFP
recommend: strict
docs: |- # TODO: GitHub not searched, otherwise research done
This script disables..
By default, the guest account is enabled for access to sharing services [5] [7].
It prevents guest access to shared folders over AFP protocol [1] [4].
This script improves your privacy by..
Allowing guests to connect to shared folders enables users to access selected shared folders and
their contents from different computers on a network [2].
Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly
use privilege escalation attacks to take control of the system [2].
Potential impact: Unauthorized users could access shared files on the system [2].
On Mac, You can share files and folders with others on your network [6].
You can share your entire Mac with everyone or allow specific users access to only certain folders [6].
This script disables ability to share files with everyone using AFP.
This script impacts only AFP sharing [2].
The Apple Filing Protocol (AFP) remains the richest protocol for Mac file services [3].
It allows any Mac system to access shared folders on the server, whether over the
preferred TCP/IP protocol for Mac OS X clients or the legacy AppleTalk protocol for
Mac OS 9 and Mac OS 8 clients [3].
It's recommended for security by NIST Special Publication (SP) 800-179 [1] [4].
It's also recommended by CIS (Center of ..) [2].
> **Caution:** Explain potential side-effects/impacts for non tech savvy in single sentence.
### Technical Details
It configures ` /Library/Preferences/com.apple.AppleFileServer!guestAccess` [1] [4].
By default this configuration does not exist.
[1]: https://www.researchgate.net/profile/Karen-Scarfone/publication/329972894_NIST_Special_Publication_800-179_Guide_to_Securing_Apple_OS_X_1010_Systems_for_IT_Professionals_A_NIST_Security_Configuration_Checklist/links/5c26914c458515a4c7fecfa5/NIST-Special-Publication-800-179-Guide-to-Securing-Apple-OS-X-1010-Systems-for-IT-Professionals-A-NIST-Security-Configuration-Checklist.pdf
[2]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:29019b6e758d6bc1d21c263c6dd92899
[3]: https://www.apple.com/server/docs/File_Services_TB_v10.4.pdf
[4]: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-179.pdf
[5]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:153219403c9d852b574cc5ef59902392
[6]: https://support.apple.com/en-gb/guide/mac-help/mh17131/mac
[7]: https://www.scaprepo.com/view.jsp?id=CCE-50057-9
code: sudo defaults write '/Library/Preferences/com.apple.AppleFileServer' 'guestAccess' -bool NO
revertCode: |- # Does not exist by default since macOS Sonoma 14.5
sudo defaults delete '/Library/Preferences/com.apple.AppleFileServer' 'guestAccess'
# TODO: Run killall -HUP AppleFileServer after? https://cdn2.qualys.com/docs/release-notes/qualys-api-rti.pdf
# TODO: https://events.ccc.de/congress/2004/fahrplan/files/95-macosx-insecurity-paper.pdf
# TODO: https://www.cnet.com/tech/computing/tutorial-preferences-files-the-complete-story-part-iv/
# TODO: Check archive for http://www.princeton.edu/~psg/unix/osx/osxsecurity.html
-
category: Disable unauthorized connections
children:
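Review bot: the first child's name does not match what it configures. `name: Disable guest access to file shares over SMB` sits above `code: sudo defaults write '/Library/Preferences/com.apple.loginwindow' 'GuestEnabled' -bool NO`, and its Technical Details section says it configures `/Library/Preferences/com.apple.loginwindow!GuestEnabled`; that is the guest login switch, not SMB. The SMB script is the next child (`AllowGuestAccess` in `com.apple.smb.server`), so this one should keep a name like the removed `Disable guest sign-in from login screen`. The three new revert blocks also carry the comment `# Does not exist by default since macOS Sonoma 14.5`, while the docs of the same scripts state "By default this configuration does not exist" with no version qualifier; the two should agree and cite a source. Since `defaults delete` fails when the key is absent, a revert run on a machine where the key was never written will report an error instead of being a no-op; consider guarding the delete with a `defaults read` check or noting the expected error in the docs. Finally, placeholder text would ship to users as written: "This script disables..", "This script improves your privacy by..", the "TODO: No rsearch done" header comment, the "Caution: Explain potential side-effects/impacts ..." template line, "CIS (Center of ..)", and `recommend: strict #TODO: Or standard?`; the guest-account paragraph from the category docs is also pasted verbatim into the first child's docs.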