Disable Plain FTP Deployment

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-017

Ensure that your Microsoft Azure App Services web applications are not configured to accept deployments over plain FTP. Either disable FTP deployment entirely or restrict it to FTPS. FTPS (FTP over TLS, not to be confused with SSH-based SFTP) wraps the FTP control and data channels in TLS, so deployment credentials and deployed content are encrypted in transit, which also helps you meet industry standards and regulations that require encrypted data transfers.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Reliability
Operational excellence

With plain FTP, both the deployment credentials (the application's publishing username and password) and the content being deployed travel unencrypted between the FTP client and the App Service FTP endpoint. Anyone who can observe the traffic can read the credentials and the code, and an on-path attacker can alter the content being deployed. By default, Azure App Services web applications accept deployments over plain FTP (FTP state "All allowed"). If FTP is required for an essential deployment workflow, set the FTP state to "FTPS only"; otherwise disable FTP deployment altogether. Industry requirements such as PCI DSS, HIPAA, and others require data in transit to be encrypted. With FTPS-only deployment, the control and data channels are protected by TLS, so an attacker who captures packets cannot read or tamper with the credentials or the deployed content without the TLS session keys. Disabling FTP entirely goes one step further by removing a password-authenticated endpoint from the application's attack surface.


Audit

To determine the FTP deployment state configured for your Azure App Services web applications, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name (link) of the App Services application that you want to examine.

04 In the blade navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected application.

05 On the General settings panel, under Platform Settings, check the FTP state configuration setting. If the FTP state is set to All allowed, plain FTP deployment is enabled (non-compliant) for the selected Microsoft Azure App Services web application. FTPS only and Disabled are the compliant values.

06 Repeat steps no. 3 – 5 for each Azure App Services application available within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) with custom query filters to list the ID of each App Services application deployed in the current Azure subscription:

az webapp list \
  --query '[*].id'

02 The command output should return the requested application IDs:

[
  "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp",
  "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp"
]

03 Run webapp config show command (Windows/macOS/Linux) using the ID of the App Services application that you want to examine as the identifier parameter and custom query filters to describe the FTP deployment state, configured for the selected application:

az webapp config show \
  --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp" \
  --query 'ftpsState'

04 The command output should return the requested feature state:

"AllAllowed"

If the webapp config show command output returns "AllAllowed", as shown in the example above, plain FTP deployment is enabled (non-compliant) for the selected Microsoft Azure App Services web application. The compliant values are "FtpsOnly" and "Disabled".

05 Repeat step no. 3 and 4 for each Azure App Services application deployed in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To disable the default, non-compliant FTP deployment type configured for your Microsoft Azure App Services applications, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Services application that you want to reconfigure.

04 In the blade navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected application.

05 On the General settings panel, under Platform Settings, select Disabled from the FTP state dropdown list to disable the default, non-compliant FTP deployment, or select FTPS only to enforce FTPS-only secure deployment for the selected Microsoft Azure App Services application. Click Save to apply the configuration changes. IMPORTANT: Any deployment workflows that rely on FTP/FTPS rather than the Web Deploy or HTTPS (Kudu) endpoints will stop working if the FTP state is set to Disabled, so confirm with the application owners before disabling it. Note that FTPS only still relies on the application's basic-auth publishing credentials, so those credentials must continue to be protected.

06 Repeat steps no. 3 – 5 for each Azure App Services application that you want to reconfigure in order to disable default FTP deployment, available in the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp config set command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Services application that you want to reconfigure as the identifier parameter, to disable the default, non-compliant FTP deployment for the selected application. Replace --ftps-state Disabled with --ftps-state FtpsOnly to enforce the FTPS-only secure deployment for the selected App Services application:

az webapp config set \
  --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp" \
  --ftps-state Disabled

02 The command output should return the configuration metadata for the reconfigured application, with "ftpsState" now set to "Disabled":

{
  "alwaysOn": false,
  "apiDefinition": null,
  "apiManagementConfig": null,
  "appCommandLine": "",
  "appSettings": null,
  "autoHealEnabled": false,
  "autoHealRules": null,
  "autoSwapSlotName": null,
  "connectionStrings": null,
  "cors": null,
  "defaultDocuments": [
    "Default.htm",
    "Default.html",
    "Default.asp",
    "index.htm",
    "index.html",
    "iisstart.htm",
    "default.aspx",
    "index.php",
    "hostingstart.html"
  ],
  "detailedErrorLoggingEnabled": false,
  "documentRoot": null,
  "experiments": {
    "rampUpRules": []
  },
  "ftpsState": "Disabled",
  "handlerMappings": null,
  "healthCheckPath": null,
  "http20Enabled": true,
  "httpLoggingEnabled": false,
  "id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp",
  "ipSecurityRestrictions": [
    {
      "action": "Allow",
      "description": "Allow all access",
      "headers": null,
      "ipAddress": "Any",
      "name": "Allow all",
      "priority": 1,
      "subnetMask": null,
      "subnetTrafficTag": null,
      "tag": null,
      "vnetSubnetResourceId": null,
      "vnetTrafficTag": null
    }
  ],
  "javaContainer": null,
  "javaContainerVersion": null,
  "javaVersion": null,
  "kind": null,
  "limits": null,
  "linuxFxVersion": "",
  "loadBalancing": "LeastRequests",
  "localMySqlEnabled": false,
  "location": "West Europe",
  "logsDirectorySizeLimit": 35,
  "machineKey": null,
  "managedPipelineMode": "Integrated",
  "managedServiceIdentityId": null,
  "minTlsVersion": "1.2",
  "name": "cc-aspnet-webapp",
  "netFrameworkVersion": "v4.0",
  "nodeVersion": "",
  "numberOfWorkers": 1,
  "phpVersion": "",
  "powerShellVersion": "",
  "preWarmedInstanceCount": 0,
  "publishingUsername": "$cc-aspnet-webapp",
  "push": null,
  "pythonVersion": "",
  "remoteDebuggingEnabled": false,
  "remoteDebuggingVersion": "VS2019",
  "requestTracingEnabled": false,
  "requestTracingExpirationTime": null,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scmIpSecurityRestrictions": [
    {
      "action": "Allow",
      "description": "Allow all access",
      "headers": null,
      "ipAddress": "Any",
      "name": "Allow all",
      "priority": 1,
      "subnetMask": null,
      "subnetTrafficTag": null,
      "tag": null,
      "vnetSubnetResourceId": null,
      "vnetTrafficTag": null
    }
  ],
  "scmIpSecurityRestrictionsUseMain": false,
  "scmMinTlsVersion": "1.0",
  "scmType": "None",
  "systemData": null,
  "tags": {},
  "tracingOptions": null,
  "type": "Microsoft.Web/sites",
  "use32BitWorkerProcess": true,
  "virtualApplications": [
    {
      "physicalPath": "site\\wwwroot",
      "preloadEnabled": false,
      "virtualDirectories": null,
      "virtualPath": "/"
    }
  ],
  "vnetName": "",
  "vnetPrivatePortsCount": 0,
  "vnetRouteAllEnabled": false,
  "webSocketsEnabled": false,
  "windowsFxVersion": null,
  "xManagedServiceIdentityId": null
}

03 Repeat steps no. 1 and 2 for each Azure App Services application that you want to reconfigure in order to disable default FTP deployment, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
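The audit and remediation procedures above are manual, per-application loops. The script below is an added example (not part of the original page and not Conformity's or Microsoft's own code) that drives the same az commands across every enabled subscription, classifies each application's ftpsState, and optionally remediates the non-compliant ones. It goes slightly beyond the page by also treating a null ftpsState as non-compliant (an assumption: a null value is taken to mean the service default, AllAllowed, applies) and by refusing to set any target state other than the two compliant values. The embedded sample data is constructed for offline use and mirrors the page's example application IDs; the third, "cc-legacy-webapp", is hypothetical.

```python
#!/usr/bin/env python3
"""Audit (and optionally remediate) the FTP deployment state of Azure App Service apps.

Added example for rule AppService-017; not part of the original page or of the Azure CLI.
It runs the same `az webapp list`, `az webapp config show` and `az webapp config set`
commands the page uses, for every enabled subscription, and evaluates ftpsState.

    python ftps_audit.py                  # audit only
    python ftps_audit.py --fix            # set non-compliant apps to Disabled
    python ftps_audit.py --fix --ftps-only  # set them to FtpsOnly instead
    python ftps_audit.py --sample         # evaluate the embedded constructed sample offline
"""
import json
import shutil
import subprocess
import sys

# Values accepted by `az webapp config set --ftps-state`.
NON_COMPLIANT_STATES = {"AllAllowed"}
COMPLIANT_STATES = {"FtpsOnly", "Disabled"}

# Constructed sample mirroring the page's example apps; the third app is hypothetical.
SAMPLE = [
    ("/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/"
     "cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp", "AllAllowed"),
    ("/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/"
     "cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp", "FtpsOnly"),
    ("/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/"
     "cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-legacy-webapp", None),
]


def classify(ftps_state):
    """Return (compliant, reason) for one application's ftpsState value."""
    if ftps_state is None:
        # Assumption: null means the service default (AllAllowed) applies, so flag it.
        return False, "ftpsState is null; service default AllAllowed applies"
    if ftps_state in NON_COMPLIANT_STATES:
        return False, "plain FTP deployment is allowed"
    if ftps_state in COMPLIANT_STATES:
        return True, f"ftpsState is {ftps_state}"
    return False, f"unexpected ftpsState value {ftps_state!r}"


def audit(app_states):
    """app_states: iterable of (app_id, ftps_state). Returns the non-compliant findings."""
    findings = []
    for app_id, state in app_states:
        ok, reason = classify(state)
        if not ok:
            findings.append({"id": app_id, "ftpsState": state, "reason": reason})
    return findings


def set_command(app_id, target_state):
    """Build the remediation command; only the two compliant target values are allowed."""
    if target_state not in COMPLIANT_STATES:
        raise ValueError(f"refusing to set ftpsState to {target_state!r}")
    return ["az", "webapp", "config", "set", "--ids", app_id,
            "--ftps-state", target_state, "--output", "json"]


def az(args):
    """Run one az command with JSON output and return the parsed result (None if empty)."""
    out = subprocess.run(["az", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else None


def collect_live():
    """Yield (app_id, ftpsState) for every web app in every enabled subscription."""
    for sub in az(["account", "list", "--query", "[?state=='Enabled'].id"]) or []:
        for app_id in az(["webapp", "list", "--subscription", sub, "--query", "[].id"]) or []:
            yield app_id, az(["webapp", "config", "show", "--ids", app_id, "--query", "ftpsState"])


def main(argv):
    """Returns 1 when any application is non-compliant, 0 otherwise."""
    fix = "--fix" in argv
    target = "FtpsOnly" if "--ftps-only" in argv else "Disabled"
    if "--sample" in argv:
        states = SAMPLE
    elif shutil.which("az") is None:
        sys.exit("az CLI not found; use --sample to evaluate the embedded sample offline")
    else:
        states = list(collect_live())
    findings = audit(states)
    for f in findings:
        print(f"NON-COMPLIANT {f['id']} ftpsState={f['ftpsState']} ({f['reason']})")
        if fix and states is not SAMPLE:
            subprocess.run(set_command(f["id"], target), check=True, capture_output=True)
            print(f"  -> ftpsState set to {target}")
    print(f"{len(findings)} of {len(states)} application(s) non-compliant")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script exits non-zero when anything is non-compliant, so it can gate a pipeline; run it without --fix first, review the findings with the application owners (a workflow that still deploys over FTP breaks when the state becomes Disabled), and only then run it with --fix or --fix --ftps-only.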

Publication date Nov 18, 2021