Apple Filing Protocol (AFP) Guest Access Enabled

By: Richard Glaser, University of Utah - Revised: 2010-03-10 richard

What is the threat?

Apple Filing Protocol (AFP) provides "guest access" to selected files. Anyone can connect to this machine and access these files without providing a password. This function is usually intended for accessing users' DropBoxes in order to upload files.

 If sensitive files are on this guest accessible file sharing, unauthorized users can download them, resulting in confidential information leaks.

How to fix this Vulnerability?

To fix this vulnerability you have multiple options like removing everyone access to sharepoints or disabling guest access on Mac OS X client & server.

Mac OS X Client
Use the following command to remove guest access on Mac OS X 10.5/10.6 client...

defaults write /Library/Preferences/ guestAccess -bool false

Then you stop and start File Sharing for it to use the new configuration.

System Prefs

Next, to test if this configuration change work try to connect to the Mac OS X client you made this modification and you should notice that the dialog doesn't give you a guest login option.

login w/o guest

If you didn't make the above modification and turn on file sharing you might see the guest login option.

Login with Guest Access