Profile Applicability:

Level 1

Description:

Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access (port 445) can expose data to unauthorized users, leading to security risks. It is essential to restrict CIFS access to trusted networks to prevent unauthorized access and data breaches.

Rationale:

Allowing unrestricted CIFS access can lead to:

  • Unauthorized data exposure to the public internet.

  • Increased attack surface, making resources vulnerable to brute-force attacks, ransomware, or unauthorized access.

  • Potential compliance violations with regulations such as SOC 2, HIPAA, PCI DSS, and CIS Benchmark standards.

Restricting CIFS access to trusted IP ranges (e.g., corporate VPNs, on-premises networks) enhances security and reduces unauthorized access risks.

Impact:

  • Misconfigured CIFS security settings may allow unauthorized access, leading to data breaches.

  • Restricting CIFS may require additional configurations to allow legitimate access for corporate or remote users.

  • Blocking CIFS from untrusted networks enhances security but may require alternative secure file-sharing mechanisms.

Default Value:

  • AWS Security Groups do not allow CIFS (port 445) by default.

  • Administrators must explicitly configure security groups to allow CIFS traffic.

Pre-Requisites:

  1. AWS CLI Installed (for command-line audit and remediation).

  2. IAM Permissions Required:

    • ec2:DescribeSecurityGroups (for auditing).

    • ec2:RevokeSecurityGroupIngress (for remediation).

    • ec2:AuthorizeSecurityGroupIngress (for updating security groups).

  3. Access to AWS Management Console with permissions to modify Security Groups.

  4. List of trusted CIDR ranges (corporate VPN, on-premises networks) to allow CIFS access.

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard: AWS EC2 Console.

  3. In the left panel, select Security Groups under Network & Security.

  4. Identify Security Groups associated with instances or resources using CIFS.

  5. Review the inbound rules for each security group to check if they allow:

    • Port 445 (CIFS).

    • Source of 0.0.0.0/0 or ::/0.

  6. Document any non-compliant rules that allow unrestricted CIFS access.

Implementation Steps:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard: AWS EC2 Console.

  3. In the left panel, select Security Groups under Network & Security.

  4. Identify Security Groups allowing unrestricted ingress on port 445 (CIFS).

  5. Select the Security Group, then Edit Inbound Rules.

  6. Locate the rule allowing unrestricted access (0.0.0.0/0 or ::/0) on port 445.

  7. Modify the rule to restrict access to a trusted CIDR range (e.g., corporate VPN, on-premises network).

  8. Click Save.
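The audit in the Test Plan and the rule change in the Implementation Steps can also be done from the AWS CLI, using only the ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress permissions listed under Pre-Requisites. The script below is an added example, not part of this benchmark or of any AWS tooling. It reads the JSON that `aws ec2 describe-security-groups` prints, flags every rule that exposes TCP/445 to 0.0.0.0/0 or ::/0, and prints the revoke/authorize commands that replace each such rule with the trusted CIDRs you supply. It goes slightly beyond the console steps in that it also catches port ranges that include 445 and "all traffic" (IpProtocol -1) rules, which the console filter by port alone would miss. The security-group data, group IDs, region and trusted CIDRs are constructed for illustration.

```python
"""Audit security groups for unrestricted CIFS (TCP/445) ingress and build
the CLI commands that remediate each finding.

Real input: run  aws ec2 describe-security-groups --region <region-name> --output json
and pass json.load(f)["SecurityGroups"] to audit_cifs_exposure().
The SAMPLE_SECURITY_GROUPS below are constructed, not from a real account.
"""
import json
import shlex

CIFS_PORT = 445
UNRESTRICTED_SOURCES = {"0.0.0.0/0", "::/0"}   # "anyone on the internet"


def rule_covers_cifs(perm):
    """True if an IpPermissions entry includes TCP/445.

    IpProtocol "-1" means all protocols and all ports (FromPort/ToPort absent).
    Only TCP and all-traffic rules count: CIFS runs on TCP 445.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= CIFS_PORT <= perm.get("ToPort", -1)


def open_sources(perm):
    """Return the unrestricted IPv4 and IPv6 sources of one rule."""
    found = [r["CidrIp"] for r in perm.get("IpRanges", [])
             if r.get("CidrIp") in UNRESTRICTED_SOURCES]
    found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
              if r.get("CidrIpv6") in UNRESTRICTED_SOURCES]
    return found


def audit_cifs_exposure(security_groups):
    """One finding per (security group, unrestricted source) pair exposing CIFS."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_cifs(perm):
                continue
            for src in open_sources(perm):
                findings.append({
                    "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName", ""),
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                    "Source": src,
                })
    return findings


def _perm(proto, from_port, to_port, cidr):
    """Build an IpPermissions entry; IPv6 CIDRs must go in Ipv6Ranges, not IpRanges."""
    perm = {"IpProtocol": proto}
    if proto != "-1":                       # all-traffic rules carry no port range
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return perm


def remediation_commands(finding, region, trusted_cidrs):
    """Revoke the offending rule exactly as it exists (the API rejects a partial
    match), then authorize TCP/445 from each trusted CIDR. If the original rule
    was wider than 445 (a range or all traffic), those other ports are not
    re-opened here and must be re-authorized separately if still needed."""
    def cli(action, perm):
        return shlex.join(["aws", "ec2", action, "--region", region,
                           "--group-id", finding["GroupId"],
                           "--ip-permissions", json.dumps([perm], separators=(",", ":"))])

    revoke = _perm(finding["IpProtocol"], finding["FromPort"], finding["ToPort"],
                   finding["Source"])
    cmds = [cli("revoke-security-group-ingress", revoke)]
    for cidr in trusted_cidrs:
        cmds.append(cli("authorize-security-group-ingress",
                        _perm("tcp", CIFS_PORT, CIFS_PORT, cidr)))
    return cmds


# Constructed sample: what describe-security-groups returns under "SecurityGroups".
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa000000000001", "GroupName": "file-server", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0aaa000000000002", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0aaa000000000003", "GroupName": "mixed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 440, "ToPort": 450,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    trusted = ["203.0.113.0/24", "2001:db8::/32"]   # placeholder corporate ranges
    for f in audit_cifs_exposure(SAMPLE_SECURITY_GROUPS):
        print(f"NON-COMPLIANT {f['GroupId']} ({f['GroupName']}): "
              f"{f['IpProtocol']} {f['FromPort']}-{f['ToPort']} from {f['Source']}")
        for cmd in remediation_commands(f, "us-east-1", trusted):
            print("  " + cmd)
```

Review the printed commands before running them: the revoke for an all-traffic or port-range rule removes every port that rule opened, so re-authorize any other ports that are still required, and keep the removed rule's details for the Backout Plan.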


Backout Plan:

If legitimate users are blocked from CIFS:

  1. Re-add Security Group rules to allow CIFS access from necessary sources.

    aws ec2 authorize-security-group-ingress --region <region-name> --group-id <security-group-id> --protocol tcp --port 445 --cidr <previously-allowed-cidr>

  2. Verify CIFS connectivity from trusted networks.

  3. Monitor AWS Security Hub for alerts on unauthorized CIFS access attempts.

References:

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  -------------------   ----------   ----------------------------------------------------------
  CIS v8                4.5          Implement and manage firewalls with a default-deny rule.
  CIS v7                9.4          Apply host-based firewalls or port filtering.