Disable AFP and SMB guest access on macOS endpoints to block anonymous connections to shared folders
This Automox Worklet™ disables guest access to AFP (Apple Filing Protocol) and SMB (Server Message Block) shared folders on macOS endpoints. The Worklet writes the system preference keys that control anonymous connections, so anyone reaching the endpoint over the network must present valid credentials before any share contents are returned.
The evaluation reads guestAccess from /Library/Preferences/com.apple.AppleFileServer and AllowGuestAccess from /Library/Preferences/SystemConfiguration/com.apple.smb.server. If either value is 1, the endpoint is flagged. The remediation runs defaults write against both domains with -bool false, so AFP and SMB are corrected in a single pass without restarting the file sharing service.
Authenticated sharing keeps working. Local accounts, directory accounts, and Sharing Only users with explicit ACLs continue to mount their shares as before. Only the unauthenticated, identity-less path through the guest account is closed.
Guest access to AFP and SMB lets any host on the same subnet enumerate share names, read world-readable files, and probe permission boundaries without ever generating an authentication record. The exposure is most acute on macOS Servers and shared workstations in mixed environments, where an enabled guest path turns a single misconfigured share into a quiet reconnaissance channel. CIS macOS Benchmark control 2.4.1 and successor controls call out guest sharing as a level 1 finding, and macOS Server hardening guidance from Apple recommends the same setting.
This Worklet writes guestAccess=false to /Library/Preferences/com.apple.AppleFileServer.plist and AllowGuestAccess=false to /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist on every Mac in scope, so the next guest mount attempt is refused. Guest sharing can be re-enabled by a checkbox in System Settings, by MDM profile drift, or by a Migration Assistant restore. Each of those reversions is caught on the next evaluation, surfaces in the activity log, and is reverted to the hardened baseline.
Evaluation phase: The Worklet runs defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess and defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess. If either key returns 1, the script writes "Guest access is enabled. Moving to remediation..." to stdout and exits 1. If both keys are 0 (or absent and interpreted as 0), it exits 0 and the endpoint is reported compliant.
Remediation phase: The Worklet runs defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool false and defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool false. Both writes apply to the system preference domain and take effect on the next connection attempt without restarting smbd or AppleFileServer.
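The two phases above as a Bash script, added here as an illustration rather than the Worklet's own code. It follows the page's rules exactly (a key that is absent or unreadable counts as 0; either key equal to 1 fails the evaluation with exit 1) and keeps the decision rule in a function that takes the raw values, so it can be checked off a Mac; the WORKLET_PHASE variable that selects the phase is an assumption of this example.

```shell
#!/bin/bash
# Added example, not the Worklet's own script. Evaluation and remediation of
# the AFP and SMB guest-access keys described on this page.

AFP_DOMAIN="/Library/Preferences/com.apple.AppleFileServer"
SMB_DOMAIN="/Library/Preferences/SystemConfiguration/com.apple.smb.server"

# Read one preference key. A missing domain or key makes `defaults read`
# fail, which the page treats as 0 (guest access disabled).
read_key() {
    local domain="$1" key="$2" value
    value=$(defaults read "$domain" "$key" 2>/dev/null) || value=0
    printf '%s\n' "$value"
}

# Pure decision rule: succeeds (exit 0) when either raw value is 1.
# Takes the values as arguments so it can be tested without `defaults`.
guest_access_enabled() {
    local afp="$1" smb="$2"
    [ "$afp" = "1" ] || [ "$smb" = "1" ]
}

# Evaluation phase: exit 1 when guest access is on, 0 when compliant.
evaluate() {
    local afp smb
    afp=$(read_key "$AFP_DOMAIN" guestAccess)
    smb=$(read_key "$SMB_DOMAIN" AllowGuestAccess)
    if guest_access_enabled "$afp" "$smb"; then
        echo "Guest access is enabled. Moving to remediation..."
        return 1
    fi
    echo "Guest access is disabled for AFP and SMB."
    return 0
}

# Remediation phase: both writes land in the system preference domain and
# take effect on the next connection attempt, with no service restart.
remediate() {
    defaults write "$AFP_DOMAIN" guestAccess -bool false
    defaults write "$SMB_DOMAIN" AllowGuestAccess -bool false
}

# WORKLET_PHASE (assumed name) picks the phase; unset, only the functions
# are defined so the file can be sourced.
case "${WORKLET_PHASE:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```

Run as root with WORKLET_PHASE=evaluate for the evaluation exit code, then WORKLET_PHASE=remediate to apply the two writes.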
macOS endpoint (workstation or server) under Automox management, with the Automox agent running as root
Write access to /Library/Preferences/com.apple.AppleFileServer.plist and /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist (the default agent context already meets this)
File sharing may be enabled or disabled at the time of the run; the Worklet only adjusts the guest access keys and does not toggle the sharing service itself
If an MDM configuration profile manages com.apple.smb.server AllowGuestAccess, the managed value reasserts after this Worklet runs; pair this Worklet with an MDM cleanup or remove the conflicting profile
Compatible with FixNow for one-shot remediation when a CIS audit or incident response flags an endpoint with guest sharing still enabled
After remediation, defaults read /Library/Preferences/com.apple.AppleFileServer guestAccess returns 0 and defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess returns 0. In System Settings > General > Sharing > File Sharing > Options, the two checkboxes for "Share files and folders using SMB" and "Share files and folders using AFP" no longer offer the guest account as an allowed user. Clients attempting to mount a share with the Guest radio button receive an authentication failure rather than an opportunistic read of share contents.
Validate by running sharing -l on the endpoint to confirm the configured shares are still listed, then attempting smbclient -L //<endpoint-hostname> -U guest from a peer host on the network. The guest connection should be rejected with NT_STATUS_ACCESS_DENIED. For audit evidence, capture the output of both defaults read commands alongside the Automox policy run identifier and exit code 0, which together demonstrate the endpoint reached the desired state. Subsequent policy runs report compliance without applying remediation again, because the evaluation finds both keys already set to 0.