Disable Remote Debugging

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AppService-011

Ensure that your Azure App Services web applications have remote debugging disabled in order to enhance security and protect the applications from unauthorized access. The Remote Debugging feature is available for web applications (e.g. ASP.NET, ASP.NET Core, Node.js, Python).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The Remote Debugging feature requires certain inbound ports to be opened for the Visual Studio remote debugger within your Microsoft Azure App Services web application configuration. Applying the principle of least privilege by closing access to these inbound ports will help you significantly reduce the possibility of a security breach.


Audit

To determine if your Azure App Services web apps are configured to use remote debugging, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to the App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Services web application that you want to examine.

04 In the navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected app.

05 On the General settings panel, under Debugging, check the Remote debugging configuration setting. If the setting is turned On, the Remote Debugging feature is currently enabled for the selected Microsoft Azure App Services web application.

06 Repeat steps no. 3 – 5 for each Azure App Services application available within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Services web applications deployed in the current Azure subscription:

az webapp list --query '[*].id'

02 The command output should return the requested web application IDs:

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp"
]

03 Run the webapp config show command (Windows/macOS/Linux), using the ID of the web app that you want to examine as the identifier parameter and custom query filters, to describe the Remote Debugging feature state configured for the selected application:

az webapp config show --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp" --query 'remoteDebuggingEnabled'

04 The command output should return the requested configuration status (true for enabled, false for disabled):

true

If the webapp config show command output returns true, as shown in the example above, the Remote Debugging feature is enabled for the selected Microsoft Azure App Services web application.

05 Repeat steps no. 3 and 4 for each Azure App Services application deployed in the current account subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To enhance your web application's security by disabling the Remote Debugging feature, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to the App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right app).

04 In the navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected app.

05 On the General settings panel, under Debugging, select Off next to the Remote debugging setting to disable remote debugging using Microsoft Visual Studio for the selected Azure App Services web application. Click Save to apply the changes.

06 Repeat steps no. 3 – 6 for each Azure App Services web application that you want to reconfigure in order to disable remote debugging, available in the current subscription.

07 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp config set command (Windows/macOS/Linux), using the ID of the Microsoft Azure App Services web application that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right app), to disable remote debugging for the selected application:

az webapp config set --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp" --remote-debugging-enabled false

02 The command output should return the metadata for the reconfigured Microsoft Azure App Services application:

{
  "alwaysOn": false,
  "apiDefinition": null,
  "appCommandLine": "",
  "appSettings": null,
  "autoHealEnabled": false,
  "autoHealRules": null,
  "autoSwapSlotName": null,
  "azureStorageAccounts": null,
  "connectionStrings": null,
  "handlerMappings": null,
  "http20Enabled": true,
  "httpLoggingEnabled": false,

  ...

  "remoteDebuggingEnabled": false,

  ...

  "requestTracingEnabled": false,
  "requestTracingExpirationTime": null,
  "reservedInstanceCount": 0,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scmIpSecurityRestrictionsUseMain": false,
  "scmType": "None",
  "tracingOptions": null,
  "type": "Microsoft.Web/sites",
  "use32BitWorkerProcess": true,
  "webSocketsEnabled": false,
  "windowsFxVersion": null,
  "xManagedServiceIdentityId": null
}

03 Repeat steps no. 1 and 2 for each Azure App Services web application that you want to reconfigure in order to turn off remote debugging, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
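
The "repeat for each application and each subscription" steps of the CLI audit and remediation procedures above can be scripted. The following is an added example, not part of the original page or of Conformity; it assumes a signed-in Azure CLI, the function names are hypothetical, and it relies on az account list, the global --subscription argument and the tsv/none output formats, which the page does not show.

```shell
#!/bin/sh
# Added example: audit (and optionally disable) remote debugging on every
# App Services web app in every enabled subscription of the signed-in account.
# Usage after sourcing this file:
#   audit_remote_debugging        report only
#   audit_remote_debugging fix    report, then disable the feature

# Print the ID of each web app in subscription $1 whose
# remoteDebuggingEnabled setting is true.
find_debug_enabled_apps() {
  az webapp list --subscription "$1" --query '[*].id' -o tsv |
  while IFS= read -r app_id; do
    [ -n "$app_id" ] || continue
    # </dev/null keeps the inner command from consuming the ID list on stdin.
    state=$(az webapp config show --ids "$app_id" \
              --query 'remoteDebuggingEnabled' -o tsv </dev/null)
    if [ "$state" = "true" ]; then
      printf '%s\n' "$app_id"
    fi
  done
}

# Walk all enabled subscriptions. Returns 0 when no app is left with remote
# debugging enabled, 1 otherwise (suitable as a CI or scheduled-job gate).
audit_remote_debugging() {
  mode="${1:-report}"
  rc=0
  # Subscription and resource IDs contain no whitespace, so splitting is safe.
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    for app_id in $(find_debug_enabled_apps "$sub"); do
      echo "ENABLED $app_id"
      if [ "$mode" = "fix" ] &&
         az webapp config set --ids "$app_id" \
            --remote-debugging-enabled false -o none; then
        echo "DISABLED $app_id"
      else
        rc=1   # still enabled: report-only mode, or the update failed
      fi
    done
  done
  return "$rc"
}
```
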

Publication date Feb 3, 2020