Check for TLS Protocol Latest Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-007

Ensure that all Microsoft Azure App Service web applications use the latest version of the TLS encryption protocol to secure application traffic over the Internet and comply with industry standards.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The Transport Layer Security (TLS) protocol secures the transmission of data between servers and web browsers over the Internet using standard encryption technology. To follow security best practices and the latest PCI compliance standards, Cloud Conformity strongly recommends enabling the latest version of the TLS protocol (i.e. TLS 1.2) for all your Microsoft Azure App Service web applications. The PCI DSS information security standard requires that all websites accepting credit card payments use TLS 1.2 after June 30, 2018.


Audit

To determine if your Azure App Service web applications are using the latest version of TLS protocol, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine.

04 In the navigation panel, under Settings, select TLS/SSL settings to access the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) configuration settings available for the selected app.

05 On the TLS/SSL settings panel, under Protocol Settings, check the Minimum TLS Version configuration to determine the TLS version used by the application. If the Minimum TLS Version setting value is not set to 1.2, the selected Microsoft Azure App Service web application is not configured to use the latest version of the TLS protocol (i.e. TLS 1.2) to encrypt data in transit.

06 Repeat steps no. 3 – 5 for each Azure App Service web application launched in the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp list command (Windows/macOS/Linux) with a custom query filter to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list
   --query '[*].id'

02 The command output should return the requested web application IDs:

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-production-app",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app"
]

03 Run the webapp config show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as the identifier parameter and a custom query filter to expose the Transport Layer Security (TLS) protocol version configured for the selected web application:

az webapp config show
   --ids /subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-production-app
   --query 'minTlsVersion'

04 The command output should return the TLS protocol version currently in use:

"1.1"

If the webapp config show command output does not return "1.2" as the version of the Transport Layer Security (TLS) protocol, the selected Microsoft Azure App Service web application is not configured to use the latest version of TLS to encrypt data in transit.

05 Repeat steps no. 3 and 4 for each Azure App Service application deployed in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To update the TLS/SSL configuration settings of your Microsoft Azure App Service web applications so that they use the latest version of the TLS protocol (TLS 1.2), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right web app).

04 In the navigation panel, under Settings, select TLS/SSL settings to access the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) configuration settings available for the selected app.

05 On the TLS/SSL settings panel, under Protocol Settings, select 1.2 for the Minimum TLS Version setting, so that the selected web application requires the latest version of the TLS protocol.

06 Repeat steps no. 3 – 5 for each Azure App Service web application that you want to reconfigure in order to use the latest version of TLS protocol, available in the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp config set command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service web application that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right web app) to enable the latest version of the Transport Layer Security (TLS) protocol, i.e. TLS 1.2, for the selected web application:

az webapp config set
   --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-production-app"
   --min-tls-version 1.2

02 The command output should return the configuration metadata for the selected Microsoft Azure App Service web application, including the updated minTlsVersion value:

{
  "alwaysOn": false,
  "apiDefinition": null,
  "limits": null,
  "linuxFxVersion": "NODE|10.14",
  "loadBalancing": "LeastRequests",
  "localMySqlEnabled": false,
  "location": "West Europe",
  "logsDirectorySizeLimit": 35,
  "machineKey": null,
  "managedPipelineMode": "Integrated",
  "managedServiceIdentityId": null,
  "minTlsVersion": "1.2",
  "name": "cc-production-app",
  "netFrameworkVersion": "v4.0",
  "nodeVersion": "",

  ...

  "numberOfWorkers": 1,
  "publishingUsername": "$cc-production-app",
  "push": null,
  "remoteDebuggingEnabled": false,
  "remoteDebuggingVersion": "VS2017",
  "requestTracingEnabled": false,
  "requestTracingExpirationTime": null,
  "reservedInstanceCount": 0,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scmIpSecurityRestrictionsUseMain": false,
  "scmType": "None",
  "tracingOptions": null,
  "type": "Microsoft.Web/sites",
  "use32BitWorkerProcess": true,
  "windowsFxVersion": null,
  "xManagedServiceIdentityId": null
}

03 Repeat steps no. 1 and 2 for each Azure App Service application that you want to reconfigure with the latest version of the TLS protocol (TLS 1.2), available within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
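The Azure CLI audit (steps 1 to 6) and the Azure CLI remediation (steps 1 to 4) above, combined into one script. This is an added example written for this page, not Conformity's own tooling; it assumes a signed-in Azure CLI, and the --audit and --fix switches are this script's own convention. It goes slightly beyond the page's check: a minimum TLS version of 1.2 or higher passes, and an empty or unreadable value is reported as non-compliant.

```shell
#!/bin/sh
# Added example for rule AppService-007 (not Conformity's code): list every App Service
# web app in every subscription whose Minimum TLS Version is below 1.2 and, with --fix,
# raise it with "az webapp config set". Assumes the Azure CLI is already signed in.
set -eu
REQUIRED_TLS="1.2"
TAB="$(printf '\t')"

# Exit 0 when "$1" (e.g. "1.1", "1.2") meets REQUIRED_TLS; 1.3 or newer also passes.
# An empty or malformed value fails closed so that an unreadable setting gets reported.
tls_meets_minimum() {
  v="${1:-}"
  case "$v" in
    [0-9].[0-9]) ;;        # well-formed "major.minor"
    *) return 1 ;;         # unset or unexpected value: treat as non-compliant
  esac
  [ "${v%%.*}" -gt "${REQUIRED_TLS%%.*}" ] ||
    { [ "${v%%.*}" -eq "${REQUIRED_TLS%%.*}" ] && [ "${v##*.}" -ge "${REQUIRED_TLS##*.}" ]; }
}

# Reads "<app id><TAB><minTlsVersion>" lines on stdin; prints only the non-compliant ones.
report_noncompliant() {
  while IFS="$TAB" read -r id version; do
    [ -n "$id" ] || continue
    tls_meets_minimum "$version" || printf '%s\t%s\n' "$id" "${version:-none}"
  done
}

# Audit steps 1-6: for each subscription, list web app ids and fetch each minTlsVersion.
audit_all_subscriptions() {
  for sub in $(az account list --query '[].id' -o tsv); do
    az account set --subscription "$sub"
    for id in $(az webapp list --query '[].id' -o tsv); do
      printf '%s\t%s\n' "$id" "$(az webapp config show --ids "$id" --query minTlsVersion -o tsv)"
    done
  done | report_noncompliant
}

# Remediation step 1, applied to each app id printed by report_noncompliant.
remediate_noncompliant() {
  while IFS="$TAB" read -r id _; do
    az webapp config set --ids "$id" --min-tls-version "$REQUIRED_TLS" --query minTlsVersion -o tsv
  done
}

case "${1:-}" in
  --audit) audit_all_subscriptions ;;
  --fix)   audit_all_subscriptions | remediate_noncompliant ;;
esac
```

Run it with --audit first and review the list before using --fix, since raising the minimum version will break any client that still negotiates TLS 1.0 or 1.1.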

Publication date Sep 30, 2019