Azure Storage file shares (SMB) are configured to allow only the latest SMB protocol version, blocking legacy SMB versions at the storage account level
Risk
Allowing legacy SMB versions permits protocol downgrade and negotiation of weak ciphers, reducing the confidentiality and integrity of traffic to the share. Adversaries can intercept or alter traffic, bypass strong signing/encryption, and exploit known flaws in older dialects for lateral movement or credential replay.
prowler azure --checks storage_smb_protocol_version_is_latest
Recommendation
Restrict SMB to the newest version (e.g., SMB 3.1.1) and disable older versions. Enforce encryption in transit and prefer Kerberos over NTLM. Validate client compatibility before enforcing the change, apply least privilege on shares, and monitor access to maintain defense in depth.
Remediation
az storage account file-service-properties update --resource-group <RESOURCE_GROUP> --account-name <STORAGE_ACCOUNT_NAME> --versions SMB3.1.1
- In the Azure portal, go to Storage accounts and open your storage account
- Navigate to Data storage > File shares
- Under File share settings, select Security
- Choose Profile: Custom, then under SMB protocol versions select only SMB 3.1.1
- Click Save
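As an added illustration (not part of the Prowler check or the Azure CLI), the following helper applies the same pass/fail logic to the `versions` value that `az storage account file-service-properties show` returns under `protocolSettings.smb` (assumed to be a `;`-delimited string such as `SMB2.1;SMB3.0;SMB3.1.1`), lists which legacy dialects remain enabled, and prints the matching remediation command. It also treats an unset value as "all versions allowed", which is assumed to be Azure's default profile, and flags tokens it does not recognise.

```python
from dataclasses import dataclass, field
from typing import Optional

LATEST = "SMB3.1.1"
# Dialects Azure Files can negotiate; anything older than LATEST is legacy.
KNOWN_VERSIONS = ("SMB2.1", "SMB3.0", "SMB3.1.1")


def parse_versions(raw: Optional[str]) -> list[str]:
    """Normalise the ';'-delimited versions string into a sorted list.

    An unset/empty value is treated as "all versions allowed", assumed to be
    the default profile when no custom SMB settings were ever saved.
    Tokens are upper-cased and stripped so " smb3.1.1 " matches "SMB3.1.1".
    """
    if raw is None or not raw.strip():
        return list(KNOWN_VERSIONS)
    tokens = {t.strip().upper() for t in raw.split(";") if t.strip()}
    return sorted(tokens, key=lambda v: (v not in KNOWN_VERSIONS, v))


@dataclass
class SmbVersionFinding:
    account: str
    enabled: list[str]
    legacy: list[str] = field(default_factory=list)   # older than LATEST
    unknown: list[str] = field(default_factory=list)  # not a known dialect

    @property
    def compliant(self) -> bool:
        # Pass only when the newest dialect is the sole negotiable version.
        return self.enabled == [LATEST]

    def remediation(self, resource_group: str) -> str:
        # The az command from the remediation section, filled in for this account.
        return (
            "az storage account file-service-properties update "
            f"--resource-group {resource_group} --account-name {self.account} "
            f"--versions {LATEST}"
        )


def evaluate(account: str, raw_versions: Optional[str]) -> SmbVersionFinding:
    """Classify one storage account's SMB version setting."""
    enabled = parse_versions(raw_versions)
    legacy = [v for v in enabled if v in KNOWN_VERSIONS and v != LATEST]
    unknown = [v for v in enabled if v not in KNOWN_VERSIONS]
    return SmbVersionFinding(account, enabled, legacy, unknown)


if __name__ == "__main__":
    # Constructed sample value, as a pre-remediation account would return it.
    finding = evaluate("demoaccount", "SMB2.1;SMB3.0;SMB3.1.1")
    print("compliant:", finding.compliant, "legacy:", finding.legacy)
    print(finding.remediation("demo-rg"))
```

Feed it the live value with `az storage account file-service-properties show --account-name <STORAGE_ACCOUNT_NAME> --resource-group <RESOURCE_GROUP> --query protocolSettings.smb.versions -o tsv` (property path assumed from the CLI's JSON output).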
Resource Type
microsoft.storage/storageaccounts