diff --git a/src/application/collections/macos.yaml b/src/application/collections/macos.yaml index b3efa876..04e9cb08 100644 --- a/src/application/collections/macos.yaml +++ b/src/application/collections/macos.yaml 
@@ -1595,22 +1595,200 @@ actions: revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' - category: Disable guest accounts - docs: + docs: |- # TODO: Docc these too, explain concepts - https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230823 - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81615 + + + However, consider that you may want to keep Guest access on as it can be useful when managed right. + The Guest User feature on macOS provides a way for individuals to use a shared or publicly + accessible device without a personal account [2]. + Though it allows individuals to access the device without authentication, it ensures that they + do not access private data and the digital workspace of an existing user account [2]. + In an IT organization, enabling guest accounts on Mac computers provides a secure and + temporary access solution, + allowing individuals to use the system without compromising sensitive company data + contained on the device [2]. + The guest user may access shared folders on a Mac without logging in with a password [2]. + They may use apps like Safari but are limited from other functionalities like accessing the + encrypted disk or creating files (if FileVault is turned on) [2] + Also, the guest user cannot change the user or computer settings [2]. + Any files they create are stored in a temporary folder that is deleted upon guest log-out [2]. + + [2]: https://www.hexnode.com/mobile-device-management/help/script-to-enable-guest-user-on-mac/ + children: - name: Disable guest sign-in from login screen - code: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO - revertCode: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES - - - name: Disable guest access to file shares over SMB + recommend: strict #TODO: Or standard? 
+ docs: |- # TODO: No rsearch done + TODO: https://gist.github.com/justinpawela/8a924f36f86bac2b563bf6832eefff25 + + This script disables.. + It prevents guest accounts [5]. + + This script improves your privacy by.. + The guest account allows users access to the system without having to create an account or password [1]. + Guest users are unable to make setting changes, cannot remotely login to the system and all created files, + caches, and passwords are deleted upon logging out [1]. + Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance + and possibly using privilege escalation attacks to take control of the system [1]. + A guest user can use that access to find out additional information about the system and might + be able to use privilege escalation vulnerabilities to establish greater access [1]. + + By default, the guest account is enabled for access to sharing services, but + is not allowed to log in to the computer [1] [4]. + + Having guest account login is considered a security vulnerability [4]. + The Guest account, a special managed account, is considered a security vulnerability in most situations + because it has no password associated with it [4]. + Once an attacker has gained guest-level access, the attacker can try to elevate privileges to further + exploit a system [4]. + It should be disabled unless there is a clearly demonstrated need to use a Guest account [4]. + Note that when a guest logs out of a macOS system, the guest's environment is destroyed and reinitialized [4]. + + However, consider that you may want to keep Guest access on as it can be useful when managed right. + The Guest User feature on macOS provides a way for individuals to use a shared or publicly + accessible device without a personal account [2]. + Though it allows individuals to access the device without authentication, it ensures that they + do not access private data and the digital workspace of an existing user account [2]. 
+ In an IT organization, enabling guest accounts on Mac computers provides a secure and + temporary access solution, + allowing individuals to use the system without compromising sensitive company data + contained on the device [2]. + The guest user may access shared folders on a Mac without logging in with a password [2]. + They may use apps like Safari but are limited from other functionalities like accessing the + encrypted disk or creating files (if FileVault is turned on) [2] + Also, the guest user cannot change the user or computer settings [2]. + Any files they create are stored in a temporary folder that is deleted upon guest log-out [2]. + + Keep in mind that The Users & Groups System Preferences pane is buggy in macOS 10.10 and 10.11 + (and probably other versions) [3]. It does not accurately report whether the Guest account is enabled + in part or full. Instead of clicking and guessing, it's easier to just run this script and be done with it [3]. + + + + It's also recommended by CIS (Center of ..) [1]. + It's recommended for security by NIST Special Publication (SP) 800-179 [5]. + + ### Technical Details + + It configures `/Library/Preferences/com.apple.loginwindow!GuestEnabled` [1] [2] [3] [4] [5]. + By default this configuration does not exist. + It means that the guest account is not allowed to log in to the computer [1]. 
+ + [1]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:153219403c9d852b574cc5ef59902392 + [2]: https://www.hexnode.com/mobile-device-management/help/script-to-enable-guest-user-on-mac/ + [3]: https://gist.github.com/justinpawela/8a924f36f86bac2b563bf6832eefff25 + [4]: https://www.scaprepo.com/view.jsp?id=CCE-50057-9 + [5]: https://www.researchgate.net/profile/Karen-Scarfone/publication/329972894_NIST_Special_Publication_800-179_Guide_to_Securing_Apple_OS_X_1010_Systems_for_IT_Professionals_A_NIST_Security_Configuration_Checklist/links/5c26914c458515a4c7fecfa5/NIST-Special-Publication-800-179-Guide-to-Securing-Apple-OS-X-1010-Systems-for-IT-Professionals-A-NIST-Security-Configuration-Checklist.pdf + code: sudo defaults write '/Library/Preferences/com.apple.loginwindow' 'GuestEnabled' -bool NO + revertCode: |- # Does not exist by default since macOS Sonoma 14.5 + sudo defaults delete '/Library/Preferences/com.apple.loginwindow' 'GuestEnabled' + # TODO: defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool FALSE + # TODO: dscl . create /Users/MANAGEMENTACCOUNTNAME IsHidden 1 + # TODO: sysadminctl -guestAccount off, https://apple.stackexchange.com/questions/346088/enable-guest-user-in-10-14-x-via-the-command-line-without-a-mdm + # TODO: https://forums.macrumors.com/threads/other-user-on-log-in-screen.1994407/post-23390436 + # TODO: sudo fdesetup remove -user Guest , https://gist.github.com/justinpawela/8a924f36f86bac2b563bf6832eefff25 + - + name: Disable guest file sharing over SMB + recommend: strict #TODO: Or standard? + docs: |- # TODO: GitHub not searched, otherwise research done + This script disables.. + + By default, the guest account is enabled for access to sharing services [8] [9]. + It prevents guest access to shared folders over SMB protocol [1] [7]. + + This script improves your privacy by.. 
+ Allowing guests to connect to shared folders enables users to access selected shared folders and + their contents from different computers on a network [2]. + Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly + use privilege escalation attacks to take control of the system [2]. + Potential impact: Unauthorized users could access shared files on the system [2]. + + On Mac, You can share files and folders with others on your network [6]. + You can share your entire Mac with everyone or allow specific users access to only certain folders [6]. + This script disables ability to share files with everyone using SMB. + + This script impacts only SMB sharing [2]. + The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is + known as Microsoft SMB Protocol [4]. + The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to + files and to request services from server programs in a computer network [5]. + SMB is typically used to share files with Windows computers from Mac computers [3]. + + It's recommended for security by NIST Special Publication (SP) 800-179 [1] [7]. + It's also recommended by CIS (Center of ..) [2]. + + > **Caution:** Explain potential side-effects/impacts for non tech savvy in single sentence. + + ### Technical Details + + It configures ` /Library/Preferences/SystemConfiguration/com.apple.smb.server!AllowGuestAccess` [1] [7]. + By default this configuration does not exist. 
+ + [1]: https://www.researchgate.net/profile/Karen-Scarfone/publication/329972894_NIST_Special_Publication_800-179_Guide_to_Securing_Apple_OS_X_1010_Systems_for_IT_Professionals_A_NIST_Security_Configuration_Checklist/links/5c26914c458515a4c7fecfa5/NIST-Special-Publication-800-179-Guide-to-Securing-Apple-OS-X-1010-Systems-for-IT-Professionals-A-NIST-Security-Configuration-Checklist.pdf + [2]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:29019b6e758d6bc1d21c263c6dd92899 + [3]: https://www.apple.com/server/docs/File_Services_TB_v10.4.pdf + [4]: https://learn.microsoft.com/en-gb/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview?redirectedfrom=MSDN + [5]: https://learn.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview + [6]: https://support.apple.com/en-gb/guide/mac-help/mh17131/mac + [7]: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-179.pdf + [8]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:153219403c9d852b574cc5ef59902392 + [9]: https://www.scaprepo.com/view.jsp?id=CCE-50057-9 code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO - revertCode: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES + revertCode: |- # Does not exist by default since macOS Sonoma 14.5 + sudo defaults delete '/Library/Preferences/SystemConfiguration/com.apple.smb.server' 'AllowGuestAccess' - - name: Disable guest access to file shares over AF - code: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO - revertCode: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES + name: Disable anonymous file sharing over AFP + recommend: strict + docs: |- # TODO: GitHub not searched, otherwise research done + This script disables.. 
+ + By default, the guest account is enabled for access to sharing services [5] [7]. + It prevents guest access to shared folders over AFP protocol [1] [4]. + + This script improves your privacy by.. + Allowing guests to connect to shared folders enables users to access selected shared folders and + their contents from different computers on a network [2]. + Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly + use privilege escalation attacks to take control of the system [2]. + Potential impact: Unauthorized users could access shared files on the system [2]. + + On Mac, You can share files and folders with others on your network [6]. + You can share your entire Mac with everyone or allow specific users access to only certain folders [6]. + This script disables ability to share files with everyone using AFP. + + This script impacts only AFP sharing [2]. + The Apple Filing Protocol (AFP) remains the richest protocol for Mac file services [3]. + It allows any Mac system to access shared folders on the server, whether over the + preferred TCP/IP protocol for Mac OS X clients or the legacy AppleTalk protocol for + Mac OS 9 and Mac OS 8 clients [3]. + + It's recommended for security by NIST Special Publication (SP) 800-179 [1] [4]. + It's also recommended by CIS (Center of ..) [2]. + + > **Caution:** Explain potential side-effects/impacts for non tech savvy in single sentence. + + ### Technical Details + + It configures ` /Library/Preferences/com.apple.AppleFileServer!guestAccess` [1] [4]. + By default this configuration does not exist. 
+ + [1]: https://www.researchgate.net/profile/Karen-Scarfone/publication/329972894_NIST_Special_Publication_800-179_Guide_to_Securing_Apple_OS_X_1010_Systems_for_IT_Professionals_A_NIST_Security_Configuration_Checklist/links/5c26914c458515a4c7fecfa5/NIST-Special-Publication-800-179-Guide-to-Securing-Apple-OS-X-1010-Systems-for-IT-Professionals-A-NIST-Security-Configuration-Checklist.pdf + [2]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:29019b6e758d6bc1d21c263c6dd92899 + [3]: https://www.apple.com/server/docs/File_Services_TB_v10.4.pdf + [4]: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-179.pdf + [5]: https://www.tenable.com/audits/items/CIS_Apple_macOS_11_v1.1.0_L1.audit:153219403c9d852b574cc5ef59902392 + [6]: https://support.apple.com/en-gb/guide/mac-help/mh17131/mac + [7]: https://www.scaprepo.com/view.jsp?id=CCE-50057-9 + code: sudo defaults write '/Library/Preferences/com.apple.AppleFileServer' 'guestAccess' -bool NO + revertCode: |- # Does not exist by default since macOS Sonoma 14.5 + sudo defaults delete '/Library/Preferences/com.apple.AppleFileServer' 'guestAccess' + # TODO: Run killall -HUP AppleFileServer after? https://cdn2.qualys.com/docs/release-notes/qualys-api-rti.pdf + # TODO: https://events.ccc.de/congress/2004/fahrplan/files/95-macosx-insecurity-paper.pdf + # TODO: https://www.cnet.com/tech/computing/tutorial-preferences-files-the-complete-story-part-iv/ + # TODO: Check archive for http://www.princeton.edu/~psg/unix/osx/osxsecurity.html - category: Disable unauthorized connections children:
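Review bot: The new `docs` blocks for all three guest-account children still contain unfinished placeholder text that will ship to end users, e.g. `This script disables..`, `It's also recommended by CIS (Center of ..) [1].` and `> **Caution:** Explain potential side-effects/impacts for non tech savvy in single sentence.`, plus the `# TODO` markers on `docs: |-` and `recommend: strict #TODO: Or standard?`; either finish these sentences (the CIS expansion and the one-line impact caution for each script) or drop the unfinished paragraphs before merging, since the YAML comments are at least hidden but the `..` sentences and the Caution placeholder are rendered verbatim. Secondary points: the "However, consider that you may want to keep Guest access on..." paragraph and its `[2]` hexnode reference are duplicated verbatim in the category `docs` and in the "Disable guest sign-in from login screen" child `docs`, so keep it in one place; the AFP child is renamed to "Disable anonymous file sharing over AFP" while its `docs` and the SMB sibling consistently say "guest access", so pick one term; and the `revertCode` blocks carry `# TODO` comment lines (e.g. the `killall -HUP AppleFileServer` question) that will be included in the script the user runs, so resolve or move them out of the scalar.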