
Disable File Sharing

Disable the SMB file sharing service on macOS endpoints to close TCP 445 and block lateral movement

Worklet Details

What the SMB file sharing disabler does

This Automox Worklet™ disables the SMB file sharing service on macOS endpoints by unloading the com.apple.smbd LaunchDaemon. The Worklet inspects the system LaunchDaemon state with launchctl print-disabled system, counts occurrences of the "com.apple.smbd" => true marker, and only acts when the service is currently enabled.

Endpoints that already have SMB disabled exit cleanly with no change, so the policy is safe to schedule on a recurring cadence across a mixed fleet. The remediation phase calls launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist, which stops smbd immediately and writes the disabled flag to the system override database so the service stays off across reboots.

Why disable SMB file sharing on macOS endpoints

SMB file sharing on a Mac workstation exposes every explicitly shared path to anyone on the local network who holds valid credentials. The smbd LaunchDaemon listens on TCP 445 by default, the same port that EternalBlue, WannaCry, and a long line of authenticated and unauthenticated SMB exploits have used as their entry point.

Mac workstations that double as ad-hoc file servers also tend to drift out of credential-rotation and access-review policies, so stolen credentials translate directly into read access on whatever paths the user has shared. CIS Benchmark control 2.3.3.6 and NIST 800-53 CM-7 (Least Functionality) both call for SMB file sharing to be disabled on endpoints that are not designated file servers.

This Worklet unloads com.apple.smbd on every Mac in scope so TCP 445 closes immediately. Idempotent state checks keep repeat runs cheap on endpoints that are already hardened, and any Mac where an end user re-enables File Sharing from System Settings reverts at the next evaluation pass.

How SMB file sharing disablement works

  1. Evaluation phase: The Worklet runs launchctl print-disabled system and counts occurrences of "com.apple.smbd" => true. A count of zero means the smbd daemon is currently active, so the script reports "File Sharing is enabled" and exits 1 to trigger remediation. A non-zero count means the service is already disabled, the script reports "File Sharing is disabled" and exits 0, and Automox marks the endpoint compliant.

  2. Remediation phase: The Worklet calls launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist. The -w flag persists the disabled state in the launchd override database (/var/db/com.apple.xpc.launchd/disabled.plist), so the daemon stays off across reboots until an administrator deliberately re-enables it. Re-running the policy finds the daemon disabled and exits 0 with no further action, so the Worklet is idempotent and safe on a recurring schedule.
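The two phases above, written out as a single Bash script so the evaluation logic can be read and tested end to end. This is an added illustration, not the Automox Worklet's own script: it assumes it runs as root on a macOS host where launchctl is available, it folds evaluation and remediation into one file selected by a positional argument (a real Worklet ships them as two separate scripts), and it takes the marker line "com.apple.smbd" => true from the description above. The exact wording of that marker can differ between macOS releases, so confirm it against a sample endpoint before relying on it in a fleet-wide policy.

```bash
#!/bin/bash
# Added illustration of the two-phase flow described above (evaluation, then
# remediation). Not the Automox Worklet's own script; assumes it runs as root
# on macOS, where launchctl is available.

SMBD_PLIST="/System/Library/LaunchDaemons/com.apple.smbd.plist"
# Marker line as quoted on the page. Its exact wording can differ between
# macOS releases, so confirm it on a sample endpoint before relying on it.
SMBD_DISABLED_MARKER='"com.apple.smbd" => true'

# Constructed sample of `launchctl print-disabled system` output, used only
# to exercise the parser below on a non-macOS machine.
SAMPLE_DISABLED_OUTPUT='disabled services = {
	"com.apple.ftpd" => true
	"com.apple.smbd" => true
}'

# count_smbd_disabled: read print-disabled output on stdin and print how many
# lines carry the smbd disabled marker (prints 0 when none match).
count_smbd_disabled() {
    # grep -c exits 1 on zero matches; keep the printed count, drop the status.
    grep -c -F -- "$SMBD_DISABLED_MARKER" || true
}

# smbd_state: map a marker count to the Worklet's two outcomes.
smbd_state() {
    if [ "$1" -eq 0 ]; then
        printf 'enabled\n'     # no marker: daemon active, non-compliant
    else
        printf 'disabled\n'    # marker present: already hardened
    fi
}

# Evaluation phase: return 1 to request remediation, 0 when already compliant.
evaluate_smbd() {
    local count state
    count=$(launchctl print-disabled system | count_smbd_disabled)
    state=$(smbd_state "$count")
    if [ "$state" = "enabled" ]; then
        echo "File Sharing is enabled"
        return 1
    fi
    echo "File Sharing is disabled"
    return 0
}

# Remediation phase: unload smbd now and persist the disabled flag with -w.
remediate_smbd() {
    if launchctl unload -w "$SMBD_PLIST"; then
        echo "com.apple.smbd unloaded and marked disabled"
        return 0
    fi
    # A non-zero exit here is what surfaces in the Automox activity feed.
    echo "launchctl unload failed for $SMBD_PLIST" >&2
    return 1
}

# Entry point: only touch launchctl on a macOS host. Elsewhere the functions
# stay defined so the parser can be checked against SAMPLE_DISABLED_OUTPUT.
if [ "$(uname)" = "Darwin" ] && command -v launchctl >/dev/null 2>&1; then
    case "${1:-evaluate}" in
        evaluate)  evaluate_smbd ;;
        remediate) remediate_smbd ;;
        *) echo "usage: $0 {evaluate|remediate}" >&2; exit 2 ;;
    esac
fi
```

Run it as `sudo ./smb_worklet.sh evaluate` to get the compliance verdict and exit code, then `sudo ./smb_worklet.sh remediate` only when evaluation exited 1. Keeping the parse step in its own function is what makes the evaluation phase idempotent and cheap: it never calls `launchctl unload`, so a second pass on an already-hardened Mac is a single read of the override database.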

SMB file sharing disablement requirements

  • macOS endpoint with the Automox agent installed and running as root (the default agent context)

  • Workstation or server hardware; this Worklet is supported on both Mac WORKSTATION and SERVER device types

  • No production dependency on macOS-hosted SMB shares from this endpoint (confirm before rollout if any workgroup relies on peer-to-peer SMB sharing)

  • Awareness that com.apple.AppleFileServer (AFP) and FTP are separate services; disable them with companion Worklets if they are also a concern in your environment

  • FixNow compatible, so the Worklet can be executed on demand against a single endpoint or a saved group during incident response

Expected SMB service state after remediation

After the Worklet completes, com.apple.smbd is unloaded and flagged disabled in the launchd override database. launchctl print-disabled system shows "com.apple.smbd" => true, System Settings > General > Sharing displays File Sharing as off, and any client attempting to mount the endpoint with smb://hostname receives a connection-refused error on TCP 445.

Validate the change by running sudo launchctl print system/com.apple.smbd on the endpoint; the daemon should report as not loaded. From a peer machine, run nc -vz <endpoint-ip> 445 and the connection should fail immediately. For audit evidence, capture the launchctl print-disabled output along with the timestamp of the Automox policy run; both pin the endpoint to a known hardened state. Failures from launchctl unload surface in the Automox activity feed rather than going silent.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
