Profile Applicability:
Level 1
Description:
The SMB protocol version controls the security and features of Server Message Block (SMB) used for accessing Azure SMB file shares. Setting the SMB protocol version to 3.1.1 or higher ensures the use of modern, secure SMB features, including enhanced encryption, improved integrity, and protection against known vulnerabilities.
Rationale:
SMB 3.1.1 provides advanced security mechanisms such as AES-128-GCM encryption and pre-authentication integrity checks, significantly improving protection of data in transit. Enforcing this version reduces risks from protocol-level attacks and ensures compliance with security best practices.
Impact:
Pros:
Enhances data confidentiality and integrity during SMB file operations.
Mitigates vulnerabilities found in older SMB versions.
Supports compliance with modern security standards.
Cons:
Older clients or legacy systems may face compatibility issues.
Requires client and server support for SMB 3.1.1 or higher.
Default Value:
Azure SMB file shares support SMB 3.1.1 by default, but this should be verified and enforced.
Pre-requisites:
Azure Storage Account with SMB file shares enabled.
Client systems supporting SMB 3.1.1 or higher.
Remediation
Test Plan:
Using Azure Portal:
1. Go to https://portal.azure.com.
2. Navigate to the Storage Account with SMB file shares.
3. Under File Shares or Configuration, check SMB protocol settings.
4. Verify that SMB protocol version is set to SMB 3.1.1 or higher.
Using Azure CLI:
1. Check SMB protocol version on the storage account:
az storage account file-service-properties show --account-name <storage-account-name> --resource-group <resource-group> --query "protocolSettings.smb.versions"
2. Confirm the output is SMB3.1.1 or higher.
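The CLI check above, extended to every storage account in the current subscription. This is an added example, not part of the original benchmark text. It assumes a logged-in Azure CLI and reads the setting with `az storage account file-service-properties show`; the function names are hypothetical. An unset value is reported as a failure because no version restriction is then enforced.

```shell
#!/bin/sh
# Added example: audit allowed SMB protocol versions across storage accounts.
# Assumption: Azure CLI is installed and already logged in (az login).

# Succeeds only if the semicolon-delimited list contains SMB3.1.1 and nothing
# older. Empty, "None" or "null" means no restriction is configured.
smb_versions_compliant() (
  case "$1" in ""|None|null) exit 1 ;; esac
  IFS=';'; set -f            # split on ';' only, no glob expansion
  for v in $1; do
    [ "$v" = "SMB3.1.1" ] || exit 1
  done
  exit 0
)

# Prints one PASS/FAIL/SKIP line per storage account in the subscription.
audit_smb_versions() {
  az storage account list --query "[].[name,resourceGroup]" -o tsv |
  while read -r name rg; do
    versions=$(az storage account file-service-properties show \
      --account-name "$name" --resource-group "$rg" \
      --query "protocolSettings.smb.versions" -o tsv 2>/dev/null) || {
        # Account kinds without a file service return an error here.
        echo "SKIP $name (file service properties unavailable)"
        continue
      }
    if smb_versions_compliant "$versions"; then
      echo "PASS $name ($versions)"
    else
      echo "FAIL $name (${versions:-no version restriction set})"
    fi
  done
}

# Only contact Azure when explicitly asked to.
if [ "${1:-}" = "--audit" ]; then
  audit_smb_versions
fi
```

Run the script with `--audit` to produce the report; any FAIL line is an account to take through the Implementation Plan.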
Implementation Plan
Using Azure Portal:
1. In the storage account settings, update SMB protocol version to SMB 3.1.1 or higher if not already set.
2. Save and apply changes.
3. Test client connectivity to ensure compatibility.
Using Azure CLI:
1. Update SMB protocol version:
az storage account file-service-properties update --account-name <storage-account-name> --resource-group <resource-group> --versions "SMB3.1.1"
2. Validate the setting is applied.
Backout Plan
Using Azure Portal:
1. Revert SMB protocol version to previous supported version if needed.
2. Inform users of compatibility considerations.
Using Azure CLI:
1. Reset SMB protocol version:
az storage account file-service-properties update --account-name <storage-account-name> --resource-group <resource-group> --versions "<previous-version>"