S 5.165 Deactivation of unnecessary Mac OS X network services

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Unnecessary network services should be deactivated, as they consume system resources and may represent a point of attack. Deactivating them requires administrator rights. Any changes made to the system services must be documented. Furthermore, it should be checked regularly that only the services permitted under the security concept are activated and accessible via the network.

The available services are listed in the System Preferences under the menu item "Sharing". Usually, a client operating system should only offer a few services or no services at all in a network. Depending on the field of use, an individual decision must be made on the services that should remain activated.

Services used for management, such as "Apple Remote Desktop" (TCP port 5900), "Remote Login" (SSH access, TCP port 22) or the network services of the anti-virus software, must remain activated.

If a network does not use the "Bonjour" service, this service should also be deactivated as it uses system resources and represents a further point of attack.

The following commands are used to deactivate the Bonjour network service:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponderHelper.plist

If version 6 of the Internet Protocol (IPv6) is not used, it should also be deactivated. IPv6 is deactivated in the System Preferences under "Network", in the advanced options of the corresponding network interface.

When the operating system is updated, deactivated services may be reactivated unintentionally. Therefore, it should be checked after each update that the services are still deactivated.
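The regular check described above, and the repeat check after each update, can be scripted so that the administrator compares the loaded launchd services against the set the security concept permits. The following shell script is an added example and is not part of the BSI safeguard. The labels com.apple.mDNSResponder and com.apple.mDNSResponderHelper are the Bonjour daemons named in the commands above; the labels used for Remote Login (com.openssh.sshd) and screen sharing (com.apple.screensharing) are assumptions and should be verified against `launchctl list` on the system in question. The permitted set in the script is a constructed policy, to be replaced by the documented decision for the system.

```shell
#!/bin/sh
# Added example (not part of the BSI safeguard): audit which launchd network
# services are loaded and compare them with the set the security concept permits.
#
# com.apple.mDNSResponder and com.apple.mDNSResponderHelper are the Bonjour daemons
# named in the safeguard. The other two labels are ASSUMED names for Remote Login
# (SSH) and screen sharing / Apple Remote Desktop; verify them with `launchctl list`
# on the target system before relying on this list.
NETWORK_SERVICE_LABELS="com.openssh.sshd com.apple.screensharing com.apple.mDNSResponder com.apple.mDNSResponderHelper"

# Constructed policy: this example permits only the two management services.
# Replace with the documented decision for the system in question.
PERMITTED_SERVICES="com.openssh.sshd com.apple.screensharing"

# Return 0 if $1 appears in the space-separated list $2, else 1.
in_list() {
    for item in $2; do
        if [ "$1" = "$item" ]; then
            return 0
        fi
    done
    return 1
}

# Read launchd labels from stdin (one per line) and report every known network
# service that is loaded but not permitted. Returns 1 if there is any finding,
# else 0, so the function can drive a scheduled check or a post-update check.
# Labels outside NETWORK_SERVICE_LABELS are ignored; launchd loads many
# non-network jobs that are out of scope for this safeguard.
check_loaded_services() {
    findings=0
    while read -r label; do
        [ -z "$label" ] && continue
        if in_list "$label" "$NETWORK_SERVICE_LABELS" && ! in_list "$label" "$PERMITTED_SERVICES"; then
            echo "FINDING: network service loaded but not permitted: $label"
            findings=$((findings + 1))
        fi
    done
    if [ "$findings" -gt 0 ]; then
        return 1
    fi
    echo "OK: no unpermitted network service loaded"
    return 0
}

# Live audit on macOS: `launchctl list` prints PID, last exit status and label
# per line; the header line is skipped and the label column fed to the check.
audit_live() {
    launchctl list | awk 'NR > 1 { print $3 }' | check_loaded_services
}

# Run the live audit only when asked, so the functions can also be sourced
# and tested with constructed input on any POSIX shell.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run as `sh audit-services.sh --live` from an administrator account on the Mac; a non-zero exit status signals that a service outside the permitted set is loaded, which is the condition the safeguard requires to be checked both regularly and after every operating system update. The output of each run should be kept with the documentation of the service changes.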

Review questions: