
🛡️ Azure Storage File Shares SMB Channel Encryption is not set to AES-256-GCM or higher🟢

  • Contextual name: 🛡️ File Shares SMB Channel Encryption is not set to AES-256-GCM or higher🟢
  • ID: /ce/ca/azure/storage/smb-channel-encryption
  • Tags:
  • Policy Type: BEST_PRACTICE
  • Policy Categories: SECURITY

Logic

Description

Implement SMB channel encryption with AES-256-GCM for SMB file shares to ensure data confidentiality and integrity in transit. This method offers strong protection against eavesdropping and man-in-the-middle attacks, safeguarding sensitive information.

Rationale

AES-256-GCM encryption enhances the security of data transmitted over SMB channels by safeguarding it from unauthorized interception and tampering.

Impact

Using the AES-256-GCM SMB channel encryption may impact client compatibility.

Audit

This policy flags an Azure Storage File service as INCOMPLIANT if the SMB channel encryption list in its protocol settings is empty or includes AES-128-CCM or AES-128-GCM.
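The audit rule above can be reproduced offline. The following is an added example in Python, not the policy's own evaluation engine: it assumes the file service properties have the shape returned by `az storage account file-service-properties show` (a `protocolSettings.smb.channelEncryption` string with `;`-separated algorithm names; that shape is an assumption here), evaluates the three cases the rule names (empty list, a 128-bit algorithm present, only AES-256-GCM), and builds the matching remediation command from the page. The sample inputs are constructed, not taken from a real subscription.

```python
import json

# Algorithms the audit rule treats as weak, and the one the policy requires.
WEAK_ALGORITHMS = {"AES-128-CCM", "AES-128-GCM"}
REQUIRED_ALGORITHM = "AES-256-GCM"


def parse_channel_encryption(props: dict) -> list[str]:
    """Return the SMB channel encryption algorithms from file service properties.

    Assumption: the value lives at protocolSettings.smb.channelEncryption and is
    a ';'-separated string, e.g. "AES-128-CCM;AES-128-GCM;AES-256-GCM".
    A missing key or empty string yields an empty list.
    """
    smb = (props.get("protocolSettings") or {}).get("smb") or {}
    raw = smb.get("channelEncryption") or ""
    return [alg.strip() for alg in raw.split(";") if alg.strip()]


def evaluate(props: dict) -> tuple[str, str]:
    """Apply the page's audit rule and return (status, reason)."""
    algorithms = parse_channel_encryption(props)
    if not algorithms:
        # Empty means the service exposes no explicit algorithm list.
        return "INCOMPLIANT", "SMB channel encryption list is empty"
    weak = sorted(WEAK_ALGORITHMS & set(algorithms))
    if weak:
        return "INCOMPLIANT", "weak algorithms allowed: " + ", ".join(weak)
    # Anything else (AES-256-GCM, or a future stronger suite) passes,
    # which mirrors the rule as stated on the page.
    return "COMPLIANT", "allowed: " + ", ".join(algorithms)


def remediation_command(resource_group: str, account_name: str) -> str:
    """Azure CLI command from the page that restricts the list to AES-256-GCM."""
    return (
        "az storage account file-service-properties update "
        f"--resource-group {resource_group} --account-name {account_name} "
        f"--channel-encryption {REQUIRED_ALGORITHM}"
    )


# Constructed sample records, keyed by a hypothetical storage account name.
SAMPLE_ACCOUNTS = {
    "stdefault": json.loads(
        '{"protocolSettings": {"smb": '
        '{"channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM"}}}'
    ),
    "sthardened": json.loads(
        '{"protocolSettings": {"smb": {"channelEncryption": "AES-256-GCM"}}}'
    ),
    "stempty": json.loads('{"protocolSettings": {"smb": {}}}'),
}


def audit_all(accounts: dict) -> dict:
    """Evaluate every account; return {name: (status, reason)}."""
    return {name: evaluate(props) for name, props in accounts.items()}


if __name__ == "__main__":
    for name, (status, reason) in audit_all(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {status} ({reason})")
        if status == "INCOMPLIANT":
            print("  remediate with:", remediation_command("rg-example", name))
```

The default algorithm set from the page's "Default Value" section is the first sample, so a freshly created storage account is flagged until the two 128-bit suites are removed; the third sample shows that a missing list is treated the same way rather than silently passing.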

Default Value

By default, the following SMB channel encryption algorithms are allowed:

  • AES-128-CCM
  • AES-128-GCM
  • AES-256-GCM

References

  1. https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares
  2. https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol?tabs=azure-portal#smb-security-settings


Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. Click the name of a storage account.
  3. Under Data storage, click File shares.
  4. Under File share settings, click the link next to Security.
  5. If Profile is set to Maximum compatibility, click the drop-down menu and select Maximum security or Custom.
  6. If selecting Custom, under SMB channel encryption, uncheck the boxes next to AES-128-CCM and AES-128-GCM.
  7. Click Save.
  8. Repeat steps 1-7 for each storage account requiring remediation.

From Azure CLI

For each storage account requiring remediation, run the following command to set the SMB channel encryption:

az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --channel-encryption AES-256-GCM

From PowerShell

For each storage account requiring remediation, run the following command to set the SMB channel encryption:

Update-AzStorageFileServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -SmbChannelEncryption AES-256-GCM



Linked Framework Sections

Columns: Section | Sub Sections | Internal Rules | Policies | Flags | Compliance

  • 💼 CIS Azure v4.0.0 → 💼 10.1.3 Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares (Automated) | 1 | no data
  • 💼 Cloudaware Framework → 💼 Data Encryption | 42 | no data