Ensure FTP deployments are Disabled

By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.

Risk Level: Low
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.CRY.45
Covered by Spectral: No
Category: Compute

GSL LOGIC

WebApp should not have ftpState='AllAllowed'

REMEDIATION

From Portal

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Go to 'App Services'.
  3. Click on each WebApp.
  4. Under 'Settings' section, click on 'Configuration'.
  5. Click on the 'General settings' pane. Under Platform Settings, make sure the FTP state is not set to 'All allowed'.
  6. Click Save.

From Terraform

Set the ftps_state argument inside the site_config block as below:

resource "azurerm_app_service" "example" {
  # ... other arguments ...
  site_config {
    ftps_state = "FtpsOnly"
  }
}

From Command Line

Run:

az webapp config set --resource-group RESOURCEGROUP --name WEBAPP --ftps-state FtpsOnly
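
To find which apps still need this change before applying it, the audit below reads each web app's FTP state and flags the ones set to AllAllowed. It is an added example, not CloudGuard or Microsoft code; the function names and the sample resource IDs are made up for illustration, and collect_states assumes a logged-in az CLI.

```shell
#!/bin/sh
# Added example: audit web apps against "ftpsState must not be AllAllowed".
# Function names are hypothetical helpers, not part of any product.

# Map one ftpsState value to a verdict for this rule.
ftps_verdict() {
  case "$1" in
    AllAllowed)        echo FAIL ;;     # plain FTP login still accepted
    FtpsOnly|Disabled) echo PASS ;;
    *)                 echo UNKNOWN ;;  # empty or unexpected: review by hand
  esac
}

# Read "resource-id<TAB>ftpsState" lines on stdin, print one verdict line
# per app, and return 1 if any app is AllAllowed (0 otherwise).
audit_states() {
  failed=0
  while IFS="$(printf '\t')" read -r id state; do
    [ -n "$id" ] || continue
    verdict=$(ftps_verdict "$state")
    printf '%s\t%s\t%s\n' "$verdict" "${state:-<empty>}" "$id"
    [ "$verdict" != FAIL ] || failed=1
  done
  return "$failed"
}

# Live input: one line per web app in the current subscription.
collect_states() {
  az webapp list --query '[].id' -o tsv | while read -r id; do
    state=$(az webapp config show --ids "$id" --query ftpsState -o tsv)
    printf '%s\t%s\n' "$id" "$state"
  done
}

# Constructed sample input (placeholder IDs) for trying the audit offline.
sample_states() {
  printf '%s\t%s\n' \
    '/subscriptions/SUB/resourceGroups/rg-demo/providers/Microsoft.Web/sites/legacy-app' AllAllowed \
    '/subscriptions/SUB/resourceGroups/rg-demo/providers/Microsoft.Web/sites/api-app' FtpsOnly \
    '/subscriptions/SUB/resourceGroups/rg-demo/providers/Microsoft.Web/sites/batch-app' Disabled
}

# Usage against a real subscription:  collect_states | audit_states
# Usage with the constructed sample:  sample_states  | audit_states
```

Each line printed as FAIL names an app to fix with the az webapp config set command above; UNKNOWN lines are not counted as failures and should be checked manually.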

References

  1. https://docs.microsoft.com/en-us/azure/app-service/configure-language-php?pivots=platform-windows
  2. https://docs.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest#az-webapp-config-set
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_web_app#ftps_state

Web Apps service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset