Control: 10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares
Description
Ensure that SMB file shares are configured to use the latest supported SMB protocol version. Keeping the SMB protocol updated helps mitigate risks associated with older SMB versions, which may contain vulnerabilities and lack essential security controls.
Using the latest supported SMB protocol version enhances the security of SMB file shares by preventing the exploitation of known vulnerabilities in outdated SMB versions.
Remediation
From Azure Portal
- Go to
Storage accounts. - Click the name of a storage account.
- Under
Data storage, clickFile shares. - Under
File share settings, click the link next toSecurity. - If
Profileis set toMaximum compatibility, click the drop-down menu and selectMaximum securityorCustom. - If selecting
Custom, underSMB protocol versions, uncheck the boxes next toSMB 2.1andSMB 3.0. - Click
Save. - Repeat steps 1-7 for each storage account requiring remediation.
From Azure CLI
For each storage account requiring remediation, run the following command to set the SMB protocol version:
az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --versions SMB3.1.1From PowerShell
For each storage account requiring remediation, run the following command to set the SMB protocol version:
Update-AzStorageFileServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -SmbProtocolVersion SMB3.1.1Default Value
By default, all SMB versions are allowed.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_10_1_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_10_1_2 --shareSQL
This control uses a named query:
select id as resource, 'info' as status, 'Manual verification required.' as reason, display_name as subscriptionfrom azure_subscription;