39386: Why does a security scan indicate that Acronis Files Connect guest access is enabled?


Last update: Thu, 2017-07-13 09:46

Acronis Files Connect (formerly ExtremeZ-IP) allows guest access to be enabled or disabled. As of ExtremeZ-IP 6.0.4, it is disabled by default.

When guest access is disabled, some security scanning software, such as QualysGuard, may still report that guest access is enabled.

This is an artifact of the way that Acronis Files Connect must respond to AFP connection requests from Macs, not an actual security risk.

Detailed technical information is provided below:

Acronis Files Connect will always broadcast that guest access is available. However, it will not actually allow guest access unless the following two conditions are met:

  1. "Allow Guests to Connect" is enabled (Acronis Files Connect Administrator > Settings > File Server > Login Methods)
  2. Guest access is enabled on the server itself. See http://support.grouplogic.com/?p=1540

The first packet that a Mac sends in an AFP connection is a request for the server's capabilities (FPGetSrvrInfo). One of the many items that can be specified in the reply is which User Authentication Methods (UAMs) the server supports. Because of an issue with the Mac implementation of AutoFS, a Mac will not attempt to log in with a real user account if the Guest UAM is not in the FPGetSrvrInfo reply. To work around that Mac issue, Acronis Files Connect will always put the Guest UAM in the list.

This does not matter in practice, because if a user tries to log in with that UAM, Acronis Files Connect will send an access denied reply. In fact, regardless of what is in the FPGetSrvrInfo UAM list, AFP clients can theoretically attempt to log into an AFP server with any UAM they want. For example, even if the Mac grays out the Guest checkbox in the UI, that does not stop a Mac from attempting to connect with it from the command line. From a security perspective, what matters is that guests are prevented from logging in, which is what Acronis Files Connect properly does.
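To make concrete what a scanner is actually reading, the following is an added example (not Acronis code, and not from the KB article) that builds a constructed FPGetSrvrInfo reply body, decodes the advertised UAM list the way a scanner would, and then triages the finding against the outcome of an actual guest login attempt. It assumes the classic FPGetSrvrInfo reply layout (four two-byte offsets, a flags word, then the server name, with the offset fields pointing at Pascal strings and lists later in the body); the optional AFP 3.x trailing offset fields are omitted from the constructed sample, and the server name, machine type and version strings are made up.

```python
"""Decode the UAM list from an AFP FPGetSrvrInfo reply body.

Added illustration, not Acronis code. The sample reply built here is
constructed for the example, not captured from a real server.
"""
import struct

# UAM name an AFP server lists when it advertises guest login.
GUEST_UAM = "No User Authent"


def _pascal(buf: bytes, off: int) -> tuple[str, int]:
    """Read a length-prefixed (Pascal) string; return (text, next offset)."""
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("latin-1"), off + 1 + n


def _pascal_list(buf: bytes, off: int) -> list[str]:
    """Read a one-byte count followed by that many Pascal strings."""
    count = buf[off]
    off += 1
    items = []
    for _ in range(count):
        s, off = _pascal(buf, off)
        items.append(s)
    return items


def build_srvr_info(server_name: str, machine_type: str,
                    afp_versions: list[str], uams: list[str],
                    flags: int = 0) -> bytes:
    """Construct a FPGetSrvrInfo reply body (sample data, not a capture).

    Layout: machine-type offset, AFP-version-list offset, UAM-list offset,
    volume-icon offset (0 = none), flags word, then the server name; the
    offset fields point at the Pascal strings/lists placed after the name.
    """
    def plist(items: list[str]) -> bytes:
        return bytes([len(items)]) + b"".join(
            bytes([len(i)]) + i.encode("latin-1") for i in items)

    name = bytes([len(server_name)]) + server_name.encode("latin-1")
    body = bytearray(10 + len(name))  # fixed header + server name
    body[10:] = name
    mt_off = len(body)
    body += bytes([len(machine_type)]) + machine_type.encode("latin-1")
    ver_off = len(body)
    body += plist(afp_versions)
    uam_off = len(body)
    body += plist(uams)
    struct.pack_into(">HHHHH", body, 0, mt_off, ver_off, uam_off, 0, flags)
    return bytes(body)


def parse_srvr_info(body: bytes) -> dict:
    """Decode the fields a scanner looks at: name, versions, UAMs, flags."""
    mt_off, ver_off, uam_off, icon_off, flags = struct.unpack_from(">HHHHH", body, 0)
    server_name, _ = _pascal(body, 10)
    machine_type, _ = _pascal(body, mt_off)
    return {
        "server_name": server_name,
        "machine_type": machine_type,
        "afp_versions": _pascal_list(body, ver_off),
        "uams": _pascal_list(body, uam_off),
        "has_volume_icon": icon_off != 0,
        "flags": flags,
    }


def advertises_guest_uam(body: bytes) -> bool:
    """True when the reply lists the guest UAM; this is all a scanner sees."""
    return GUEST_UAM in parse_srvr_info(body)["uams"]


def classify_finding(advertised: bool, guest_login_result: str) -> str:
    """Triage a 'guest access enabled' finding.

    guest_login_result is the outcome of an actual guest login attempt
    against the server ("denied" or "granted"); only that outcome, not the
    advertised list, tells you whether guests can really get in.
    """
    if guest_login_result == "granted":
        return "confirmed: guest login succeeded"
    if advertised:
        return "advertised only: guest UAM listed but login denied"
    return "not advertised, login denied"


if __name__ == "__main__":
    # Constructed sample: a server that lists DHX2 and the guest UAM.
    sample = build_srvr_info("FILES01", "Windows",
                             ["AFP3.3", "AFP3.2"], ["DHX2", GUEST_UAM])
    print(parse_srvr_info(sample))
    print(classify_finding(advertises_guest_uam(sample), "denied"))
```

The parser shows why a scanner that only inspects the FPGetSrvrInfo reply will flag the server: the guest UAM string is present in the list exactly as the article describes. The triage step is the check an administrator wants when closing the finding: confirm that "Allow Guests to Connect" is off and that a guest login attempt is answered with access denied, then record the finding as advertised-only rather than a real exposure.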