The macOS system must be configured to disable SMB File Sharing unless it is required.

STIG ID: APPL-13-002001  |  SRG: SRG-OS-000095-GPOS-00049 |  Severity: medium |  CCI: CCI-000381 |  Vulnerability Id: V-257185

Vulnerability Discussion

File sharing is usually nonessential and must be disabled if not required. Enabling any service increases the attack surface for an intruder. By disabling unnecessary services, the attack surface is minimized.

Check

Verify the macOS system is configured to disable the SMB File Sharing service with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep com.apple.smbd

"com.apple.smbd" => disabled

If the results are not "com.apple.smbd => disabled" or SMB file sharing has not been documented with the ISSO as an operational requirement, this is a finding.

Fix

Configure the macOS system to disable the SMB File Sharing service with the following command:

/usr/bin/sudo /bin/launchctl disable system/com.apple.smbd

The system may need to be restarted for the update to take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.