Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
used unless authorized and documented with the IAO.
(OSX1026GEN0186: CAT II) The SA will ensure that NFS clients will mount file systems
with the nosuid and nosgid options set.
(OSX1026GEN0177: CAT II) The SA will ensure that if NFS is running, NFS port
monitoring is enabled.
(OSX1026GEN0180: CAT II) The SA will ensure that NFS files will not be exported to a
foreign domain (outside the local area network) without justification documented with the
IAO, IAM, and NSO.
5.3 Samba
Samba is a technology to allow file and printer sharing between Mac OS X and Microsoft
Windows operating systems. Mac OS X systems use TCP/IP as their networking protocol, while
Windows uses Server Message Block (SMB). Windows systems share files by using the
Common Internet File System (CIFS), which uses SMB and the Network Basic Input Output
System (NetBIOS) interface to share network resources. Samba was created to make a UNIX
system (in this case, Mac OS X) appear to be a Windows system on a network, allowing it to
become part of a Windows domain. This allows for easy sharing of files, directories, and
printers.
Samba is actually a package of programs. The smbd daemon provides file and printer sharing,
while the nmbd daemon provides NetBIOS name resolution and service browser support.
Several utilities allow for FTP-like access, mounting and unmounting of shared directories, and
checking status of the smb server. Samba also includes an administration tool called the Samba
Web Administration Tool (SWAT) that provides a GUI to configure the /etc/smb.conf file
through a web browser. When sharing network files and printers, access can be granted in two
different ways. In share mode one password is set for each shared resource, and any user that
knows the password can access it. In user mode each user has their own individual password,
which is stored in the smbpasswd file (which is in the /etc directory by default, but may be
placed elsewhere as determined by the smb.conf configuration).
While Samba provides a service that may be necessary, it does so with some risk. SWAT runs as
a Linux service on port 901 by default, and requires a root logon to be accessed. If SWAT is to
be used to administer Samba, it will be redirected through ssh to encrypt the root logon and the
configuration information that follows it. The /etc/smb.conf file will be owned by root, have a group
of root, and have permissions of 644, or more restrictive. The smbpasswd file will be owned by
root, have a group of root, and have permissions of 644, or more restrictive. The /etc/smb.conf
file will be configured to allow access only to machines on the local network, require the user
access mode, password encryption, and have shares defined with guest set to No.
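An added example, not part of the STIG: a Python sketch that audits smb.conf contents and a file's ownership and mode against the requirements in the paragraph above. It assumes the standard Samba parameter names security, encrypt passwords, hosts allow (synonym allow hosts) and guest ok (synonym public), treats "group of root" as gid 0, checks only that a hosts allow restriction is present (not that it matches the local network), and uses a constructed sample; the function names are hypothetical.

```python
import os
import stat
TRUE = {"yes", "true", "1"}
# Constructed sample (not from the STIG): share mode, no host limit, guest share.
SAMPLE = """\
[global]
   security = share
   encrypt passwords = yes
[scratch]
   public = yes
"""
def parse_smb_conf(text):
    """Return {section: {param: value}} with lowercased, space-normalised names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_config(text):
    """Findings against the required settings; absent settings are reported."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    if glob.get("security", "").lower() != "user":
        findings.append("global: security is not 'user'")
    if glob.get("encrypt passwords", "").lower() not in TRUE:
        findings.append("global: encrypt passwords is not enabled")
    if not (glob.get("hosts allow") or glob.get("allow hosts")):
        findings.append("global: no hosts allow restriction")
    for name, params in conf.items():
        guest = params.get("guest ok", params.get("public", "no"))  # synonyms
        if guest.lower() in TRUE:
            findings.append(f"{name}: guest access enabled")
    return findings

def audit_file(path):
    """Findings if path is not uid 0 / gid 0 or its mode is looser than 644."""
    st, findings = os.stat(path), []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != 0 or st.st_gid != 0:
        findings.append(f"{path}: not owned by uid 0 / gid 0")
    if mode & ~0o644:  # any bit outside rw-r--r-- is set
        findings.append(f"{path}: mode {mode:o} is less restrictive than 644")
    return findings
```

Run audit_config on the text of /etc/smb.conf and audit_file on both /etc/smb.conf and the smbpasswd file; an empty list from each means no finding for that check.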
UNCLASSIFIED