Profile Applicability:
- Level 1
Description:
Common Internet File System (CIFS) is a protocol used to provide shared access to files, printers, and serial ports over a network. CIFS can expose sensitive resources if not configured correctly, especially when accessed from untrusted networks. To minimize the risk of unauthorized access to resources, it is essential to ensure that CIFS access is restricted to trusted networks only. This can be done by configuring access control lists (ACLs), security groups, or firewalls to only allow trusted IP addresses or address ranges to access CIFS services.
Restricting CIFS access to trusted networks helps ensure that sensitive data is not exposed to unauthorized parties and reduces the risk of data breaches or attacks on the CIFS service.
Rationale:
Restricting CIFS access to trusted networks provides the following benefits:
- Security: Limits access to sensitive resources by ensuring only trusted networks can communicate with CIFS services.
- Reduced exposure: Minimizes the attack surface by blocking access from untrusted or public networks.
- Compliance: Helps meet security best practices and regulatory requirements that mandate controlled access to shared resources.
- Data protection: Protects data integrity and confidentiality by ensuring that only authorized users or systems can access shared resources.
Without proper access restrictions, CIFS services may be exposed to unauthorized access from the public internet or untrusted networks, increasing the risk of data exposure and security breaches.
Impact:
Failure to restrict CIFS access to trusted networks can result in:
- Unauthorized access to sensitive resources via CIFS from untrusted networks.
- Data breaches or data exfiltration due to misconfigured access.
- Increased security risk, as attackers could exploit open CIFS ports to gain access to shared files or printers.
- Non-compliance with security best practices and regulations requiring controlled access to shared services.
By ensuring that CIFS access is restricted to trusted networks, the organization minimizes the risk of unauthorized access and maintains a more secure environment.
Default Value:
By default, CIFS may be accessible from any network if not explicitly restricted through security configurations, such as firewall rules, security groups, or ACLs. Proper configuration is needed to restrict access to trusted networks.
Pre-Requisites:
- AWS CLI installed and configured
- IAM permissions:
  - ec2:DescribeSecurityGroups
  - ec2:ModifySecurityGroupRules
  - ec2:DescribeNetworkInterfaces
- Access to network configurations, such as security groups or ACLs, to modify access restrictions for CIFS
Remediation:
Test Plan:
Using AWS Console:
- Go to the EC2 Console.
- In the Security Groups section, check the inbound rules for the security group associated with the EC2 instance running CIFS.
- Ensure that only trusted IP addresses or address ranges are allowed to access CIFS ports (typically TCP port 445 for SMB/CIFS).
- Modify the inbound rules to remove access from any source other than trusted networks.
Using AWS CLI:
To list security groups whose inbound rules allow TCP port 445 from the public internet (0.0.0.0/0 or ::/0). The JMESPath query is single-quoted so that the shell does not treat the backtick literals as command substitution, and it matches any port range that covers 445, not only rules written exactly as 445-445:
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?FromPort<=`445` && ToPort>=`445` && (contains(IpRanges[].CidrIp, `"0.0.0.0/0"`) || contains(Ipv6Ranges[].CidrIpv6, `"::/0"`))]].[GroupId,GroupName]' --output table
Note that "All traffic" rules (IpProtocol -1) carry no FromPort/ToPort fields and are therefore not matched by this query; review them separately, as they also expose port 445.
To show the current inbound rules of every security group that allows port 445:
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?FromPort<=`445` && ToPort>=`445`]].{GroupId:GroupId,GroupName:GroupName,InboundRules:IpPermissions}' --output json
Implementation Plan:
Using AWS Console:
Modify security group rules to restrict CIFS access:
- Go to the EC2 Console.
- Under Security Groups, select the security group associated with the CIFS service.
- Modify the Inbound rules to ensure that only trusted IP ranges are allowed to access port 445 (CIFS).
- Remove any rules that allow access from 0.0.0.0/0 or ::/0, which expose the service to the entire internet.
Verify the changes:
- After modifying the rules, confirm that only trusted IP addresses or ranges are allowed to access CIFS services.
Using AWS CLI:
Revoke public access to CIFS ports (both the IPv4 and the IPv6 "anywhere" sources must be removed):
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 445 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=445,ToPort=445,Ipv6Ranges=[{CidrIpv6=::/0}]'
Restrict access to CIFS services to a trusted IP range (supply the range in CIDR notation, for example a corporate /24, or a single host as /32):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 445 --cidr <trusted-cidr>
Verify the security group configuration:
aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[].IpPermissions[?FromPort<=`445` && ToPort>=`445`]' --output json
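The single-line JMESPath queries in the Test Plan above cannot express every way a rule can expose port 445 (a port range that spans 445, an "All traffic" rule with IpProtocol -1, an IPv6 source, or a source range that is simply not one of your trusted networks). The following Python script is an added example, not part of this benchmark, that performs the Test Plan audit over the parsed JSON of `aws ec2 describe-security-groups --output json` (or boto3's `describe_security_groups()["SecurityGroups"]`) and then, for each finding, builds the `revoke-security-group-ingress` call from the Implementation Plan that removes only the untrusted sources. The security group data, group IDs and trusted ranges below are constructed sample values; the function names are the example's own.

```python
"""Audit EC2 security groups for CIFS/SMB (TCP 445) reachable from untrusted networks.

Input is the list under "SecurityGroups" in the output of
`aws ec2 describe-security-groups --output json` (constructed sample below).
"""
import ipaddress
import json
import shlex

CIFS_PORT = 445


def rule_covers_port(perm, port=CIFS_PORT):
    """True if one IpPermissions entry admits TCP traffic to `port`.

    "-1" means all protocols and ports.  TCP rules carry an inclusive
    FromPort..ToPort range.  UDP/ICMP rules cannot reach SMB, which is TCP-only.
    """
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def untrusted_sources(perm, trusted):
    """Return the CIDR sources of `perm` that lie outside every trusted network.

    Only IpRanges/Ipv6Ranges are classified; a source that is another security
    group (UserIdGroupPairs) is not an internet source and is left alone, and
    prefix lists (PrefixListIds) must be reviewed by hand.
    """
    found = []
    for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
        for rng in perm.get(key, []):
            net = ipaddress.ip_network(rng[field], strict=False)
            if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
                found.append(rng[field])
    return found


def find_exposed_cifs_groups(security_groups, trusted_cidrs):
    """Test Plan: list every (group, rule) that lets an untrusted source reach 445."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm):
                continue
            bad = untrusted_sources(perm, trusted)
            if bad:
                findings.append({
                    "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                    "IpProtocol": perm["IpProtocol"], "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"), "Sources": bad,
                })
    return findings


def revoke_command(finding):
    """Implementation Plan: the AWS CLI call that revokes only the untrusted sources
    of one finding, leaving trusted sources of the same rule in place."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    v4 = [{"CidrIp": c} for c in finding["Sources"] if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in finding["Sources"] if ":" in c]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions %s"
            % (finding["GroupId"], shlex.quote(json.dumps([perm]))))


# Constructed sample data, shaped like the describe-security-groups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "cifs-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "cifs-wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 1024,          # range spans 445
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},   # no port fields
    {"GroupId": "sg-0ddd", "GroupName": "cifs-trusted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": [{"GroupId": "sg-0eee"}]},
        {"IpProtocol": "udp", "FromPort": 445, "ToPort": 445, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
TRUSTED_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]   # constructed trusted networks

if __name__ == "__main__":
    for f in find_exposed_cifs_groups(SAMPLE_GROUPS, TRUSTED_CIDRS):
        print("%s (%s): port %s-%s open to %s" % (
            f["GroupId"], f["GroupName"], f["FromPort"], f["ToPort"], ", ".join(f["Sources"])))
        print("  " + revoke_command(f))
```

Against the sample data the audit flags sg-0aaa (0.0.0.0/0), sg-0bbb (::/0 via a 1-1024 range) and sg-0ccc (an all-traffic rule), while sg-0ddd passes because its TCP 445 source is inside 10.0.0.0/8 and its UDP rule cannot carry SMB. Each revoke command names only the offending source, so a trusted range that shares the same rule survives the remediation, and the `--ip-permissions` form is used because `--cidr` cannot express IPv6 sources or protocol -1 rules.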
Backout Plan:
Using AWS Console:
If restricting access causes connectivity issues:
- Go to the EC2 Console.
- Revert the changes to the inbound rules, allowing access from 0.0.0.0/0 or ::/0 temporarily if needed for troubleshooting.
- Ensure only the required network or IP address ranges are allowed to access CIFS services.
- Review security group settings to ensure that only necessary services are exposed to trusted networks.
Using AWS CLI:
Restore public access temporarily:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 445 --cidr 0.0.0.0/0
Revert to restricted access once the issues are resolved:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 445 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 445 --cidr <trusted-cidr>