Description
Restrict SMB channel encryption for Azure Files shares to AES-256-GCM so that data in transit is protected for both confidentiality and integrity. Limiting the negotiable algorithms to AES-256-GCM gives strong protection against eavesdropping and man-in-the-middle tampering of the SMB session, safeguarding sensitive information.
Rationale
AES-256-GCM encryption enhances the security of data transmitted over SMB channels by safeguarding it from unauthorized interception and tampering.
Impact
Restricting SMB channel encryption to AES-256-GCM may affect client compatibility: clients that cannot negotiate AES-256-GCM will no longer be able to connect to the share.
Audit
This policy flags an Azure Storage file share as INCOMPLIANT if the file service's Protocol Settings > SMB > Channel Encryption list is empty or includes AES-128-CCM or AES-128-GCM.
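The audit rule above, applied to the JSON that `az storage account file-service-properties show` returns, as an added example (not part of the original policy page); it assumes the `channelEncryption` field arrives as a semicolon-delimited string and treats an empty value as falling back to the default list.

```python
import json

# Algorithms the audit rule treats as non-compliant when still negotiable.
WEAK_ALGORITHMS = {"AES-128-CCM", "AES-128-GCM"}


def parse_channel_encryption(value):
    """Normalise protocolSettings.smb.channelEncryption to a list of names.

    Assumption: the CLI/REST output carries the value as one
    semicolon-delimited string ("AES-128-CCM;AES-256-GCM"); a list or a
    null/empty value is accepted too.
    """
    if value is None:
        return []
    items = value.split(";") if isinstance(value, str) else list(value)
    return [item.strip() for item in items if item and item.strip()]


def evaluate_channel_encryption(file_service_properties):
    """Apply the audit rule to one account; returns (status, reason)."""
    smb = (file_service_properties.get("protocolSettings") or {}).get("smb") or {}
    algorithms = parse_channel_encryption(smb.get("channelEncryption"))
    if not algorithms:
        return "INCOMPLIANT", "channelEncryption is empty, so the default list (which includes AES-128) applies"
    weak = sorted(WEAK_ALGORITHMS.intersection(algorithms))
    if weak:
        # Listing AES-256-GCM next to AES-128 is not enough: a client may still negotiate AES-128.
        return "INCOMPLIANT", "weak algorithms still negotiable: " + ", ".join(weak)
    return "COMPLIANT", "allowed list: " + ", ".join(algorithms)


def audit_accounts(accounts):
    """Map account name -> status for a dict of file service property documents."""
    return {name: evaluate_channel_encryption(props)[0] for name, props in accounts.items()}


# Constructed sample, shaped like `az storage account file-service-properties show` output.
SAMPLE_JSON = """{
  "legacy-defaults": {"protocolSettings": {"smb": {"channelEncryption": null}}},
  "mixed-ciphers":   {"protocolSettings": {"smb": {"channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM"}}},
  "hardened":        {"protocolSettings": {"smb": {"channelEncryption": "AES-256-GCM"}}}
}"""
SAMPLE_ACCOUNTS = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for name, props in SAMPLE_ACCOUNTS.items():
        status, reason = evaluate_channel_encryption(props)
        print(f"{name}: {status} ({reason})")
```

To remediate a flagged account, set the allowed list to AES-256-GCM only using the az CLI or the Update-AzStorageFileServiceProperty cmdlet linked in the references.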
Default Value
By default, the following SMB channel encryption algorithms are allowed:
- AES-128-CCM
- AES-128-GCM
- AES-256-GCM
References
- https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares
- https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal#smb-security-settings
- https://learn.microsoft.com/en-us/cli/azure/storage/account/file-service-properties
- https://learn.microsoft.com/en-us/powershell/module/az.storage/get-azstoragefileserviceproperty
- https://learn.microsoft.com/en-us/powershell/module/az.storage/update-azstoragefileserviceproperty