Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares

Description

Ensure that SMB file shares are configured to use the latest supported SMB protocol version. Keeping the SMB protocol updated helps mitigate risks associated with older SMB versions, which may contain vulnerabilities and lack essential security controls.

Using the latest supported SMB protocol version enhances the security of SMB file shares by preventing the exploitation of known vulnerabilities in outdated SMB versions.

Remediation

From Azure Portal

  1. Go to Storage accounts.
  2. Click the name of a storage account.
  3. Under Data storage, click File shares.
  4. Under File share settings, click the link next to Security.
  5. If Profile is set to Maximum compatibility, click the drop-down menu and select Maximum security or Custom.
  6. If selecting Custom, under SMB protocol versions, uncheck the boxes next to SMB 2.1 and SMB 3.0.
  7. Click Save.
  8. Repeat steps 1-7 for each storage account requiring remediation.

From Azure CLI

For each storage account requiring remediation, run the following command to set the SMB protocol version:

az storage account file-service-properties update --resource-group <resource-group> --account-name <storage-account> --versions SMB3.1.1

From PowerShell

For each storage account requiring remediation, run the following command to set the SMB protocol version:

Update-AzStorageFileServiceProperty -ResourceGroupName <resource-group> -StorageAccountName <storage-account> -SmbProtocolVersion SMB3.1.1

Default Value

By default, all SMB versions are allowed.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_10_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_10_1_2 --share

SQL

This control uses a named query:

select
  sa.id as resource,
  case
    when f -> 'properties' -> 'protocolSettings' -> 'smb' ->> 'versions' = 'SMB3.1.1;' then 'ok'
    else 'alarm'
  end as status,
  case
    when f -> 'properties' -> 'protocolSettings' -> 'smb' ->> 'versions' = 'SMB3.1.1;' then sa.name || ' file share SMB protocol version set to SMB 3.1.1.'
    else sa.name || ' file share SMB protocol version not set to SMB 3.1.1.'
  end as reason
  
  , sa.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_storage_account as sa
  cross join lateral jsonb_array_elements(file_services) as f
  left join azure_subscription sub on sub.subscription_id = sa.subscription_id;

Tags

category = Compliance
cis = true
cis_item_id = 10.1.2
cis_level = 1
cis_section_id = 10.1
cis_type = automated
cis_version = v4.0.0
plugin = azure
service = Azure/Storage