Azure Introduction
Azure Pricing
Azure Threats
Unrestricted CIFS Access
More Info:
Ensure that no network security groups allow unrestricted inbound access on TCP port 445 (Common Internet File System – CIFS).
Risk Level
High
Address
Security
Compliance Standards
HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the “Unrestricted CIFS Access” misconfiguration in Azure, you can follow these steps:
- Login to the Azure portal (https://portal.azure.com/).
- Navigate to the storage account that has the misconfiguration.
- Click on the “Firewalls and virtual networks” tab from the left-hand menu.
- Under the “Allow access from” section, select “Selected networks”.
- In the “Selected networks” section, click on the “Add existing virtual network” button.
- Select the virtual network that is associated with the resource that needs access to the storage account.
- Click on the “Add” button.
- Under the “Allow trusted Microsoft services” section, select “Yes”.
- Click on the “Save” button to apply the changes.
By following these steps, you have restricted the access to the storage account to only the selected virtual network and allowed trusted Microsoft services to access it. This should remediate the “Unrestricted CIFS Access” misconfiguration.
To remediate unrestricted CIFS access in Azure using Azure CLI, follow these steps:
-
Open the Azure CLI and connect to your Azure account.
-
Identify the storage account that has unrestricted CIFS access. You can do this by running the following command:
az storage account list --query "[?networkAcls.defaultAction=='Allow'].name"
This command will list all the storage accounts that have their default network access set to “Allow”.
-
Once you have identified the storage account, you can update its network access rules to restrict CIFS access. You can do this by running the following command:
az storage account update --name <storage-account-name> --resource-group <resource-group-name> --default-action Deny
Replace
<storage-account-name>
with the name of the storage account that you want to update and<resource-group-name>
with the name of the resource group that the storage account belongs to. -
After running the above command, you can verify that the update was successful by running the following command:
az storage account show --name <storage-account-name> --resource-group <resource-group-name> --query "networkAcls.defaultAction"
This command will return the default network access rule for the storage account. It should now be set to “Deny”.
By following these steps, you have successfully remediated unrestricted CIFS access in Azure using Azure CLI.
To remediate unrestricted CIFS access in AZURE using python, follow the below steps:
- Import the necessary libraries:
import os
from azure.identity import DefaultAzureCredential
from azure.mgmt.storage import StorageManagementClient
- Set the subscription ID, resource group name, and storage account name:
subscription_id = 'your_subscription_id'
resource_group_name = 'your_resource_group_name'
storage_account_name = 'your_storage_account_name'
- Create a credential object to authenticate the programmatic access:
credential = DefaultAzureCredential()
- Create a storage management client object:
storage_client = StorageManagementClient(credential, subscription_id)
- Get the storage account properties:
storage_account = storage_client.storage_accounts.get_properties(resource_group_name, storage_account_name)
- Check if CIFS access is allowed:
if storage_account.network_rules is not None and storage_account.network_rules.default_action == 'Allow':
for ip_rule in storage_account.network_rules.ip_rules:
if ip_rule.action == 'Allow' and ip_rule.protocol == 'TCP' and ip_rule.port_range == '445':
print('Unrestricted CIFS access is allowed')
break
else:
print('No network rules found')
- If CIFS access is allowed, update the network rules to deny CIFS access:
if storage_account.network_rules is not None and storage_account.network_rules.default_action == 'Allow':
for ip_rule in storage_account.network_rules.ip_rules:
if ip_rule.action == 'Allow' and ip_rule.protocol == 'TCP' and ip_rule.port_range == '445':
ip_rule.action = 'Deny'
network_rules = storage_client.storage_accounts.update_network_rules(resource_group_name, storage_account_name, storage_account.network_rules)
print('CIFS access has been remediated')
break
else:
print('No network rules found')
These steps will remediate unrestricted CIFS access in Azure using Python.