📝 Azure Storage File Shares SMB Protocol Version is not set to SMB 3.1.1 or higher 🟢

• Contextual name: 📝 File Shares SMB Protocol Version is not set to SMB 3.1.1 or higher 🟢
• ID: /ce/ca/azure/storage/snb-protocol-version
• Located in: 📁 Azure Storage

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: BEST_PRACTICE
• Policy Category:
  • SECURITY
  • RELIABILITY

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 Azure Storage File
  • 🔌 Azure Storage File - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that SMB file shares are configured to use the latest supported SMB protocol version. Keeping the SMB protocol updated helps mitigate risks associated with older SMB versions, which may contain vulnerabilities and lack essential security controls.

Rationale

Using the latest supported SMB protocol version enhances the security of SMB file shares by preventing the exploitation of known vulnerabilities in outdated SMB versions.

Impact

Using the latest SMB protocol version may impact client compatibility.

Audit

This policy flags an Azure Storage File as INCOMPLIANT if Protocol Settings SMB Versions is empty or includes SMB2.1 or SMB3.0.

Default Value

By default, all SMB versions are allowed.

References

1. https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-files#recommendations-for-smb-file-shares
2. https://learn.microsoft.com/en-us/azure/storage/files/files-smb-protocol#smb-security-settings
3. https://learn.microsoft.com/en-us/cli/azure/storage/account/file-service-properties

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Go to Storage accounts.
2. Click the name of a storage account.
3. Under Data storage, click File shares.
4. Under File share settings, click the link next to Security.
5. If Profile is set to Maximum compatibility, click the drop-down menu and select Maximum security or Custom.
6. If selecting Custom, under SMB protocol versions, uncheck the boxes next to SMB 2.1 and SMB 3.0.
7. Click Save.
8. Repeat steps 1-7 for each storage account requiring remediation.

From Azure CLI

For each storage account requiring remediation, run the following command to set the SMB protocol version:

az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --versions SMB3.1.1

From PowerShell

For each storage account requiring remediation, run the following command to set the SMB protocol version:

Update-AzStorageFileServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -SmbProtocolVersion SMB3.1.1

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS Azure v4.0.0 → 💼 10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares (Automated)			1
💼 Cloudaware Framework → 💼 Infrastructure Modernization			12
💼 Cloudaware Framework → 💼 Threat Protection			27