Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Check for SMB Protocol Version

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: StorageAccounts-032

To improve security, enhance performance, and provide access to the latest SMB features, ensure that your Microsoft Azure File Shares are configured with the latest SMB protocol version (i.e., SMB 3.1.1).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Using the latest supported SMB protocol version for your Microsoft Azure File Shares (i.e., SMB 3.1.1) enhances the security of File Shares by preventing the exploitation of known vulnerabilities in outdated Server Message Block (SMB) versions.

Audit

To determine if your Azure File Shares are configured with the latest SMB protocol version, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Storage account for Value, then choose Apply to list the Azure Storage accounts available in the selected subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Data storage, choose File shares to access the configuration settings available for Azure File Shares in the selected Storage account.

07 In the File share settings section, click on the Security attribute value (i.e., security profile link) and check the SMB protocol versions list to determine the SMB version(s) enabled for your Azure File Shares. If SMB 3.1.1 is not the only SMB protocol version enabled, the File Shares within the selected Azure Storage account are using outdated and potentially vulnerable SMB protocol versions.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account list command (Windows/macOS/Linux) with custom output filters to describe the identifier (name) of each storage account provisioned in the selected subscription: 

az storage account list
	--query '[*].name'

05 The command output should return the requested storage account names: 

[
	"project5storageaccount",
	"cloudaistorageaccount"
]

06 Run storage account file-service-properties show command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to examine as the identifier parameter and custom output filters to describe the SMB protocol version(s) enabled for the Azure File Shares within the selected Storage account: 

az storage account file-service-properties show
	--account-name project5storageaccount
	--query '{SMBVersions:protocolSettings.smb.versions}'

07 The command output should return the SMB protocol version(s) enabled for your File Shares: 

{
	"SMBVersions": "SMB2.1;SMB3.0;SMB3.1.1;"
}

If the storage account file-service-properties show command output returns null for the "SMBVersions" property, the security profile is set for maximum compatibility, therefore, SMB 3.1.1 is not the only SMB protocol version enabled for your File Shares. If the command output does not return only SMB3.1.1 for "SMBVersions", as shown in the example above, SMB 3.1.1 is not the only SMB protocol version enabled for your File Shares. As a result, the File Shares in the selected Azure Storage account are using outdated and potentially vulnerable SMB protocol versions.

08 Repeat steps no. 6 and 7 for each Azure Storage account provisioned in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Azure File Shares are configured with the latest SMB protocol version (i.e., SMB 3.1.1), perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Storage account for Value, then choose Apply to list the Azure Storage accounts available in the selected subscription.

05 Click on the name (link) of the Azure Storage account that you want to examine.

06 In the resource navigation panel, under Data storage, choose File shares to access the configuration settings available for Azure File Shares in the selected Storage account.

07 In the File share settings section, click on the Security attribute value (i.e., security profile link), and perform the following actions:

  1. If Profile is set to Maximum compatibility, set the Profile to Maximum security or Custom. If you selected Custom, ensure that SMB 3.1.1 is the only SMB version selected from the SMB protocol versions list.
  2. If Profile is set to Custom, ensure that SMB 3.1.1 is the only SMB version selected from the SMB protocol versions list.
  3. Choose Save to apply the configuration changes. This will enable the latest SMB protocol version only (i.e., SMB 3.1.1) for the File Shares in the selected Azure Storage account.

08 Repeat steps no. 5 – 7 for each Azure Storage account available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run storage account file-service-properties update command (Windows/macOS/Linux) with the name of the Azure Storage account that you want to configure as the identifier parameter, to enable the latest SMB protocol version only (i.e., SMB 3.1.1) for the File Shares in the selected Storage account: 

az storage account file-service-properties update
	--account-name project5storageaccount
	--versions SMB3.1.1

05 The command output should return the configuration information available for the modified resource: 

{
	"cors": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/project5storageaccount/fileServices/default",
	"name": "default",
	"protocolSettings": {
		"smb": {
			"authenticationMethods": "NTLMv2;Kerberos;",
			"channelEncryption": "AES-128-CCM;AES-128-GCM;AES-256-GCM;",
			"kerberosTicketEncryption": "RC4-HMAC;AES-256;",
			"multichannel": null,
			"versions": "SMB3.1.1"
		}
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"shareDeleteRetentionPolicy": {
		"allowPermanentDelete": null,
		"days": null,
		"enabled": false
	},
	"sku": null,
	"type": "Microsoft.Storage/storageAccounts/fileServices"
}

06 Repeat steps no. 4 and 5 for each Azure Storage account provisioned in the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

References

Publication date May 8, 2025

Related StorageAccounts rules