Teri Radichel

Summary

Teri Radichel discusses an updated startup script for disabling unnecessary services on a Mac to reduce unwanted network traffic, with a focus on security and privacy concerns.

Abstract

The article by Teri Radichel details the author's efforts to enhance Mac security by identifying and disabling superfluous services that generate unnecessary network traffic. Radichel has refined a startup script to include additional services to disable, such as SMB, IPv6, and various sharing and remote management features. The script aims to minimize potential attack vectors and improve privacy by turning off services like Siri, Bluetooth sharing, and diagnostic data sharing. The author also grapples with the decision of whether to grant Terminal full disk access due to the security implications, ultimately revoking it after finding that the script ran anyway once access had been granted and then removed. Radichel's methodology includes referencing the CIS Benchmarks for macOS and personal testing, and she encourages readers to perform their own testing to ensure compatibility with their specific needs.

Opinions

  • The author believes that disabling certain services can significantly reduce unwanted network traffic and enhance security.
  • Radichel expresses concern about granting full disk access to the Terminal, highlighting the potential risks of enabling such access.
  • The script provided is seen as a work in progress, with the author acknowledging that not all commands may work as intended and that further testing is necessary.
  • The author observes that the mDNSResponder service is the source of the remaining traffic on port 5353, and that the script's setting to disable multicast DNS advertisements did not stop it.
  • The author suggests that multicast DNS (mDNS) can be a security risk, aligning with the perspective of penetration testers who view it as an opportunity for exploitation.
  • Radichel encourages readers to follow her for updates and to support her work by signing up for her email list, clapping for her stories, and considering her consulting services.

Updated Startup Script for Disabling Unnecessary Services on a Mac

Hunting down more things to disable on a Mac

One of my posts on OS and IoT Security, Network Security, and Apple Mac Security

Free Content on Jobs in Cybersecurity | Sign up for the Email List

I was able to find some additional things to disable on a Mac to reduce unwanted network traffic, so I spent some additional time digging around today. I’ll try to get back to my AWS posts after this for those who are waiting. I just had to figure this one out.

I added all the things I found to the startup script I wrote about earlier.

If you want to know what most of these things are, the names are usually obvious, but you can also find some of them in the CIS Benchmarks for macOS. However, my script is a bit different from what is proposed there. I haven’t fully tested this yet, so do your own testing and make sure it turns off the things you want and expect for the correct users.

In some cases I left off a user name, and I haven’t checked the settings yet to make sure that still does what I want. I am hopeful that makes the change global, but perhaps you need to add the specific user name to affect that user, which is a pain if you have to run these commands for every possible user on the system. For some of them, it seems like you do.

The script works fine (well, it runs at least) except for one command.

Turning Remote AppleEvents on or off requires Full Disk Access Privileges.

I found this explanation:

System Preferences > Security & Privacy > Privacy tab > Full Disk Access.

OK but do I really want to give the Terminal full disk access? Hmm.

This doesn’t sound good:

https://lapcatsoftware.com/articles/FullDiskAccess.html

That seems to enable nastiness we don’t want to allow by giving applications full disk access by way of the terminal. Perhaps it’s been fixed since that blog post, but full disk access for the terminal feels risky.

So I turned full disk access off again. But what’s odd is that after running the script once with full disk access on, then disabling access, and restarting the terminal my script now runs fine.

Even after disabling all of that, I still have some traffic on port 5353. It’s not gone, but seems to be less.

Alright, let’s run this command to see what’s sending network packets:

nettop -P

I see mDNSResponder which has been the source of 5353 traffic in the past.

Yes. Next I run this command to see the UDP traffic, and here we see that mDNSResponder is the culprit.

nettop -m udp

Well, I found this method of turning off the mDNS multicast, but I’m already doing this in my script.

Apparently that command doesn’t work.

Hmm. This doesn’t sound good: Multicast DNS (mDNS), a Penetration Tester’s best friend. 😊

Well. I give up for now.

I blocked 5353 using my host-based firewall for now.
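As an added example that is not part of the original post: the remaining 5353 traffic can be pinned to a process with lsof and blocked with macOS's built-in pf firewall. The post does not say which host-based firewall was used, so pf is an assumption here, as are the anchor name com.example.mdns-block and its file under /etc/pf.anchors. The NoMulticastAdvertisements key in the script only stops this host from advertising its own services; mDNSResponder still sends and answers multicast queries for .local names, which is why traffic persists after advertisements are off. Blocking 5353 also stops Bonjour discovery on this host (AirPrint, AirPlay, .local name resolution), so the rules live in their own anchor where they can be flushed without touching the rest of the ruleset.

```shell
#!/bin/bash
# Added example, not from the post: identify the process bound to UDP 5353 and
# block multicast DNS with macOS's built-in pf firewall. Assumptions: pf is
# the host firewall in use; the anchor name and file path are chosen here.
set -euo pipefail

ANCHOR="com.example.mdns-block"
ANCHOR_FILE="/etc/pf.anchors/${ANCHOR}"
PF_CONF="/etc/pf.conf"

# Rules for the anchor. Multicast DNS is UDP 5353 to 224.0.0.251 / ff02::fb;
# the last two lines also catch unicast 5353 traffic. "quick" ends rule
# evaluation on a match so a later "pass" rule cannot override the block.
mdns_block_rules() {
    cat <<'EOF'
block drop quick proto udp from any to 224.0.0.251 port 5353
block drop quick proto udp from any to ff02::fb port 5353
block drop quick proto udp from any port 5353 to any
block drop quick proto udp from any to any port 5353
EOF
}

# Number of block rules in the generated ruleset (sanity check before loading).
rule_count() {
    mdns_block_rules | grep -c '^block'
}

# Lines that are neither pf rules nor comments; empty output means the text is clean.
malformed_rules() {
    mdns_block_rules | grep -Ev '^(block|pass|#|$)' || true
}

# Processes currently bound to UDP 5353 (expect mDNSResponder on a stock Mac).
mdns_listeners() {
    sudo lsof -nP -iUDP:5353 | awk 'NR > 1 { print $1, $2, $9 }' | sort -u
}

install_rules() {
    [ -z "$(malformed_rules)" ] || { echo "refusing to load malformed rules" >&2; return 1; }
    mdns_block_rules | sudo tee "$ANCHOR_FILE" >/dev/null
    # pf evaluates an anchor only if the main ruleset calls it, so reference
    # it once from pf.conf (Apple may replace this file on OS updates).
    if ! grep -q "anchor \"${ANCHOR}\"" "$PF_CONF"; then
        printf 'anchor "%s"\nload anchor "%s" from "%s"\n' "$ANCHOR" "$ANCHOR" "$ANCHOR_FILE" \
            | sudo tee -a "$PF_CONF" >/dev/null
    fi
    sudo pfctl -n -f "$PF_CONF"        # parse only; abort on syntax errors
    sudo pfctl -f "$PF_CONF"           # load the main ruleset and the anchor
    sudo pfctl -e 2>/dev/null || true  # "pf already enabled" is not an error
    sudo pfctl -a "$ANCHOR" -sr        # show the rules now active in the anchor
}

# Usage: sudo ./mdns-block.sh --show | --install | --remove
if [ "$(uname)" = "Darwin" ]; then
    case "${1:-}" in
        --show)    mdns_listeners ;;
        --install) install_rules ;;
        --remove)  sudo pfctl -a "$ANCHOR" -F rules ;;  # flush just this anchor
    esac
fi
```

Run with --show first to confirm mDNSResponder is the only thing on the port, then --install; --remove flushes only this anchor, which is the point of not putting the rules straight into the main ruleset.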

Here’s the script:

#!/bin/bash
#2nd Sight Lab Mac Start Up Script to Disable Unnecessary Services
#Change the Username and network devices below to your own
#See related blog posts found here:

#disable ipv6 on a mac
#https://medium.com/cloud-security/disabling-ipv6-on-a-mac-fce45a19885a

#mac networking and related posts at the bottom
#https://medium.com/cloud-security/apple-macintosh-network-traffic-2b172d084fd

#Note: "sudo defaults write" on a user-domain key (sharing, AirDrop, Control
#Center, Bluetooth, Siri, ads) writes root's own preferences under
#/var/root/Library/Preferences, not the logged-in user's. Those commands below
#therefore run as "sudo -u <username>" and must be repeated for each user;
#system-wide settings (launchctl, systemsetup, /Library/Preferences paths)
#only need to run once as root.

echo "Running Mac OS Startup Script found at /Users/Shared/2sl-startup-config.sh"

echo "Disable SMB"
/usr/bin/sudo /bin/launchctl disable system/com.apple.smbd

echo "Disable IPv6"
#One line per network service; list the names with: networksetup -listallnetworkservices
networksetup -setv6off "Your device (see ipv6 post)"
networksetup -setv6off "Your device (see ipv6 post)"


echo "Turn off sharing discoverability"
sudo -u <username> defaults write com.apple.sharingd DiscoverableMode "Off"

echo "Disable multicast DNSResponder advertisements"
#Stops advertising this host's services; mDNSResponder still queries on UDP 5353
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true

echo "Disable air drop"
sudo -u <username> defaults write com.apple.NetworkBrowser DisableAirDrop -bool true

echo "Disable AirplayReceiver"
#"AirplayRecieverEnabled" is the key name as macOS and the CIS benchmark spell it; do not correct it
sudo -u <username> /usr/bin/defaults -currentHost write com.apple.controlcenter.plist AirplayRecieverEnabled -bool false

echo "Turn off ODS Agent"
sudo /bin/launchctl disable system/com.apple.ODSAgent

echo "Turn off Screensharing"
sudo /bin/launchctl disable system/com.apple.screensharing

echo "Turn off printer sharing"
sudo /usr/sbin/cupsctl --no-share-printers

echo "Turn remote login off"
#systemsetup asks for confirmation; the piped "yes" answers it
echo "yes" |  sudo /usr/sbin/systemsetup -setremotelogin off

echo "Turn remote management off"
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop

echo "Turn off remote apple events"
#Requires Full Disk Access for the terminal running the script (see above)
sudo /usr/sbin/systemsetup -setremoteappleevents off

echo "Disable Internet sharing (via a NAT apparently)"
sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict Enabled -int 0

echo "Disable asset cache manager"
sudo /usr/bin/AssetCacheManagerUtil deactivate

echo "Disable home sharing"
sudo -u <username> /usr/bin/defaults write com.apple.amp.mediasharingd home-sharing-enabled -int 0

echo "Disable Bluetooth sharing"
#PrefKeyServicesEnabled controls Bluetooth Sharing, not the Bluetooth radio itself
sudo -u <username> /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false

echo "Disable assistant"
sudo -u <username> /usr/bin/defaults write com.apple.assistant.support.plist 'Assistant Enabled' -bool false

echo "Disable Siri"
sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist LockscreenEnabled -bool false
sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist StatusMenuVisible -bool false
sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist TypeToSiriEnabled -bool false
sudo -u <username> /usr/bin/defaults write com.apple.Siri.plist VoiceTriggerUserEnabled -bool false

echo "Disable diagnostic messages history list for Apple support"
#The directory name contains a space, so the path must be quoted
sudo /usr/bin/defaults write "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist" AutoSubmit -bool false
sudo /usr/bin/defaults write "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist" ThirdPartyDataSubmit -bool false
sudo /bin/chmod 644 "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist"
sudo /usr/bin/chgrp admin "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist"

echo "Opt out of Siri data sharing"
sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/com.apple.assistant.support "Siri Data Sharing Opt-In Status" -int 2

echo "Limit ad tracking"
/usr/bin/sudo -u <username> /usr/bin/defaults write /Users/<username>/Library/Preferences/com.apple.Adlib.plist allowApplePersonalizedAdvertising -bool false
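The per-user question raised above (whether a plain sudo defaults write affects every account) has a concrete answer: without -u, defaults writes root's own preferences under /var/root, so user-domain keys have to be written once per account, and the only way to know a setting took is to read it back. The following is an added example, not the post's script: it enumerates local accounts with dscl, writes three of the script's per-user keys as each user, reads one back per user, and checks launchctl's disabled list for the system services the script turns off. The user-ID cutoff of 500 for human accounts and the choice of keys to verify are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not the post's script: apply per-user defaults to every local
# account and read the results back. Assumes macOS with dscl(1), defaults(1)
# and launchctl(1); run from an admin account (sudo prompts once).
set -euo pipefail

# Parse the output of `dscl . -list /Users UniqueID` ("name uid" per line) on
# stdin and print the login accounts: UID >= 500 (assumed cutoff for human
# accounts), skipping service accounts that start with "_" and nobody.
local_users_from_dscl() {
    awk '$2 >= 500 && $1 !~ /^_/ && $1 != "nobody" { print $1 }'
}

local_users() {
    dscl . -list /Users UniqueID | local_users_from_dscl
}

# Write a user-domain preference as that user, so it lands in
# /Users/<name>/Library/Preferences instead of /var/root/Library/Preferences.
write_user_default() {
    local user="$1" domain="$2" key="$3"
    shift 3
    sudo -u "$user" /usr/bin/defaults write "$domain" "$key" "$@"
}

# Read it back as the same user; fails if the key is missing or differs
# (defaults prints booleans as 0/1, so pass "0" to check a -bool false).
check_user_default() {
    local user="$1" domain="$2" key="$3" want="$4" got
    got="$(sudo -u "$user" /usr/bin/defaults read "$domain" "$key" 2>/dev/null || true)"
    [ "$got" = "$want" ]
}

# Parse `launchctl print-disabled system` on stdin (lines such as
#   "com.apple.smbd" => disabled
# ) and succeed only if the given label is listed as disabled.
launchctl_disabled() {
    awk -v want="\"$1\"" '$1 == want && $3 == "disabled" { found = 1 } END { exit !found }'
}

# Per-user keys from the post's script, written and then verified for every account.
apply_per_user() {
    local u
    for u in $(local_users); do
        echo "== $u"
        write_user_default "$u" com.apple.assistant.support "Siri Data Sharing Opt-In Status" -int 2
        write_user_default "$u" com.apple.Siri StatusMenuVisible -bool false
        write_user_default "$u" com.apple.Adlib allowApplePersonalizedAdvertising -bool false
        check_user_default "$u" com.apple.assistant.support "Siri Data Sharing Opt-In Status" 2 \
            && echo "  siri data sharing: opted out" || echo "  siri data sharing: NOT SET"
        check_user_default "$u" com.apple.Adlib allowApplePersonalizedAdvertising 0 \
            && echo "  personalized ads: off" || echo "  personalized ads: NOT SET"
    done
}

# System-level services the script disables with launchctl; confirm their state.
audit_system_services() {
    local label
    for label in com.apple.smbd com.apple.screensharing com.apple.ODSAgent; do
        if sudo launchctl print-disabled system | launchctl_disabled "$label"; then
            echo "$label: disabled"
        else
            echo "$label: STILL ENABLED"
        fi
    done
}

# Only act on a Mac; the parsing helpers above work anywhere.
if [ "$(uname)" = "Darwin" ]; then
    apply_per_user
    audit_system_services
fi
```

The read-back step is the part worth keeping even if you drop the loop: a defaults write that silently lands in root's preferences looks identical to one that worked until you read the key as the user it was meant for.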


All the related posts are at the bottom of this one.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

The best way to support this blog is to sign up for the email list and clap for stories you like. If you are interested in IANS Decision Support services so you can schedule security consulting calls with myself and other IANS faculty, please reach out on LinkedIn via the link below. Thank you!

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
Author: Cybersecurity for Executives in the Age of Cloud
Presentations: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Security Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
Company: Cloud Penetration Tests, Assessments, Training ~ 2nd Sight Lab
Like this story? Use the options below to help me write more!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Clap
❤️ Referrals
❤️ Medium: Teri Radichel
❤️ Email List: Teri Radichel
❤️ Twitter: @teriradichel
❤️ Mastodon: @[email protected]
❤️ Facebook: 2nd Sight Lab
❤️ Threads: @teriradichel
❤️ Bluesky: @teriradichel
❤️ YouTube: @2ndsightlab
❤️ Buy a Book: Teri Radichel on Amazon
❤️ Request a penetration test, assessment, or training
 via LinkedIn: Teri Radichel 
❤️ Schedule a consulting call with me through IANS Research

My Cybersecurity Book: Cybersecurity for Executives in the Age of Cloud

Mac
Startup
Script
Disable
Cis Benchmarks