GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Windows SMB Port Should Not Be Open
More Info:
Determines if TCP port 445 for Windows SMB over TCP is open to the public.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the misconfiguration “Windows SMB Port Should Not Be Open” for GCP using GCP console, follow the below steps:
-
Open the Google Cloud Console and select the project for which you want to remediate the misconfiguration.
-
Navigate to the Compute Engine section and select the VM instance that has the open Windows SMB port.
-
Click on the Edit button at the top of the page.
-
Scroll down to the Firewall section and click on “Add Firewall Rule”.
-
In the Name field, enter a name for the firewall rule.
-
In the Targets field, select “Specified target tags” and enter the tag that is associated with the VM instance.
-
In the Source filter field, select “IP ranges” and enter the IP range that you want to allow access to the Windows SMB port.
-
In the Protocols and ports field, select “Specified protocols and ports” and enter “tcp:445”.
-
Click on the “Create” button to create the firewall rule.
-
Once the firewall rule is created, click on the Save button to save the changes to the VM instance.
-
Verify that the Windows SMB port is no longer open by running a port scan on the VM instance.
By following the above steps, you can remediate the misconfiguration “Windows SMB Port Should Not Be Open” for GCP using GCP console.
To remediate the misconfiguration “Windows SMB Port Should Not Be Open” for GCP using GCP CLI, you can follow these steps:
-
Login to your GCP console using your credentials.
-
Open the Cloud Shell by clicking on the icon located on the top right corner of the console.
-
Run the following command to list all the instances in your project:
gcloud compute instances list
-
Identify the instance which has the open SMB port.
-
Run the following command to SSH into the instance:
gcloud compute ssh [INSTANCE_NAME]
- Once you are logged in to the instance, run the following command to check if the SMB port is open:
sudo netstat -tuln | grep 445
- If the SMB port is open, run the following command to stop the SMB service:
sudo systemctl stop smbd
- Run the following command to disable the SMB service from starting on boot:
sudo systemctl disable smbd
- Finally, run the following command to confirm that the SMB port is no longer open:
sudo netstat -tuln | grep 445
- Exit the SSH session by running the following command:
exit
By following these steps, you will have successfully remediated the misconfiguration “Windows SMB Port Should Not Be Open” for GCP using GCP CLI.
To remediate the misconfiguration “Windows SMB Port Should Not Be Open” on GCP using Python, you can follow the below steps:
-
Use the Google Cloud SDK to authenticate and authorize access to your GCP account.
-
Use the Python
google-cloud-computelibrary to create a new firewall rule that blocks the Windows SMB port (TCP port 445) on all instances in your GCP project. -
Here is the sample Python code to create a new firewall rule:
from google.cloud import compute_v1
# Create a compute client
compute_client = compute_v1.InstancesClient()
# Get the project ID and zone
project_id = 'your-project-id'
zone = 'us-central1-a'
# Define the firewall rule
firewall_rule = {
"name": "block-smb",
"direction": "INGRESS",
"priority": 1000,
"targetTags": ["windows"],
"allowed": [],
"denied": [
{
"IPProtocol": "tcp",
"ports": ["445"]
}
],
"sourceRanges": ["0.0.0.0/0"],
}
# Create the firewall rule
operation = compute_client.insert_firewall(project=project_id, firewall_resource=firewall_rule)
result = operation.result()
-
In the above code, replace
your-project-idwith your GCP project ID andus-central1-awith your preferred zone. -
The above code creates a new firewall rule named “block-smb” that blocks TCP port 445 on all instances with the tag “windows”. You can add this tag to your Windows instances to apply the firewall rule.
-
After running the above code, you should see a new firewall rule named “block-smb” in your GCP console.
-
Verify that the firewall rule is working as expected by testing the Windows SMB port from outside your GCP network.
By following the above steps, you can remediate the misconfiguration “Windows SMB Port Should Not Be Open” on GCP using Python.