Description:

 The SMB Protocol Version setting for Azure File Shares defines the version of the Server Message Block (SMB) protocol used for communication between the client and the storage account. Configuring the protocol version to SMB 3.1.1 or higher ensures that secure, modern encryption and authentication features are used for accessing file shares, including improved security and performance features.

Rationale:

 SMB 3.1.1 is the latest version of the SMB protocol, providing enhanced security features such as stronger encryption and improved signing. It also supports better performance and efficiency, particularly in environments with high demands for file sharing. Ensuring that only SMB 3.1.1 or higher is used prevents the use of older, less secure versions of SMB (such as SMB 1.0 or 2.0), which are vulnerable to attacks. Enforcing this configuration aligns with security best practices and helps meet compliance requirements such as SOC 2, HIPAA, and GDPR.

Impact:

 Enforcing SMB 3.1.1 ensures that only the most secure and efficient protocol version is used for accessing Azure File Shares. However, older clients or applications that do not support SMB 3.1.1 may experience connectivity issues. It is important to verify that all clients interacting with the storage account can support this protocol version.

Default Value:

By default, SMB 3.0 is the minimum version supported by Azure File Shares. SMB 3.1.1 must be explicitly configured for enhanced security.

Pre-requisites:

  • Azure account: Ensure you have appropriate permissions to configure SMB settings on Azure File Shares.

  • Azure Storage Account with SMB File Shares: Ensure the storage account and SMB file shares exist.

  • Permissions: You need appropriate permissions, such as Owner or Contributor role, to modify SMB file share settings.

  • Supported SMB Protocol Versions: Ensure that the storage account supports SMB 3.0 or higher.

Remediation:

Audit:

To check if the SMB protocol version is set to SMB 3.1.1 or higher for your Azure File Shares:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Check SMB protocol settings:

    • In the Settings section, click on File shares.

    • Choose a file share and go to the Configuration tab.

    • Verify that the SMB protocol version is set to SMB 3.1.1 or higher.

Automated Implementation:

To ensure the SMB protocol version is set to SMB 3.1.1 or higher for all Azure File Shares, you can use Azure Policy.

  1. Create a custom Azure Policy to enforce SMB 3.1.1 or higher:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content. The rule targets the file service's protocolSettings.smb.versions property, whose value is the semicolon-delimited list of enabled versions (for example SMB2.1;SMB3.0;SMB3.1.1), so any value other than exactly SMB3.1.1 is denied; confirm the alias name in your environment with Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Storage' before assigning the policy:

{
  "properties": {
    "displayName": "Ensure SMB Protocol Version is Set to SMB 3.1.1 or Higher for File Shares",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that SMB protocol version is set to SMB 3.1.1 or higher for all Azure File Shares.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Storage"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/fileServices"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions",
            "notEquals": "SMB3.1.1"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}


  2. Assign the policy:

    • After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that SMB 3.1.1 or higher is enforced across all Azure File Shares.
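The portal audit steps above and the policy-based enforcement can also be scripted with the Azure CLI. The following script is an added example, not part of this control or of any Microsoft tooling: it reads the file service's protocolSettings.smb.versions value for a storage account, decides whether anything older than SMB 3.1.1 is still enabled, and can restrict the account to SMB 3.1.1 only. It assumes the Azure CLI (az) is installed and logged in with Owner or Contributor rights; the resource group and account names are placeholders supplied on the command line, and the compliance rule (any enabled SMB2.1 or SMB3.0 entry is a finding) is this script's own.

```shell
#!/usr/bin/env sh
# Added example (not part of the original control text): audit and remediate the
# SMB versions allowed on an Azure storage account's file service using the
# Azure CLI. Resource group and account names are placeholders passed as args.

# Return 0 when the semicolon-delimited list reported by Azure (for example
# "SMB2.1;SMB3.0;SMB3.1.1") contains nothing older than SMB 3.1.1.
# Constructed rule for this example: every entry must be exactly SMB3.1.1.
smb_versions_compliant() {
    versions="$1"
    # An empty value means the account still uses the service default, which
    # leaves older versions enabled, so treat it as a finding.
    [ -n "$versions" ] || return 1
    old_ifs="$IFS"
    IFS=';'
    for v in $versions; do
        case "$v" in
            SMB3.1.1) ;;                        # acceptable
            *) IFS="$old_ifs"; return 1 ;;      # SMB2.1, SMB3.0 or unknown
        esac
    done
    IFS="$old_ifs"
    return 0
}

# Audit: fetch the live versions string for one account (printed on stdout).
get_smb_versions() {
    rg="$1"; account="$2"
    az storage account file-service-properties show \
        --resource-group "$rg" --account-name "$account" \
        --query 'protocolSettings.smb.versions' --output tsv
}

# Remediate: restrict the account to SMB 3.1.1 only. This is the CLI equivalent
# of the portal steps in the control and of what the custom policy enforces.
enforce_smb_311() {
    rg="$1"; account="$2"
    az storage account file-service-properties update \
        --resource-group "$rg" --account-name "$account" \
        --versions "SMB3.1.1"
}

# Entry point:  sh smb_audit.sh audit <resource-group> <account>
#               sh smb_audit.sh enforce <resource-group> <account>
# Nothing is executed when the script is sourced or run without a subcommand.
case "${1:-}" in
    audit)
        current=$(get_smb_versions "$2" "$3")
        if smb_versions_compliant "$current"; then
            echo "PASS: $3 allows only SMB 3.1.1 ($current)"
        else
            echo "FAIL: $3 allows: ${current:-<service default>}"
            exit 2
        fi ;;
    enforce)
        enforce_smb_311 "$2" "$3" ;;
esac
```

Run the audit subcommand against each storage account in scope before assigning the deny policy; a FAIL result identifies accounts whose clients must be checked for SMB 3.1.1 support (see Impact) before the update is applied. The backout is the same update command with the previously reported versions string passed to --versions.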

Backout Plan:

To revert the SMB protocol version setting:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Storage Account.

  3. Go to File Share settings:

    • In the Settings section, click on File shares and select the file share.

  4. Change SMB Protocol Version:

    • Modify the SMB protocol version setting to SMB 3.0 or lower if needed.

If the setting was enforced via Azure Policy, modify or remove the policy to allow a different protocol version.

References: