Enable FTPS-Only Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-012

Ensure that your Azure App Services web applications enforce FTPS-only access so that FTP traffic is encrypted. FTPS (FTP Secure, i.e. FTP over TLS) enhances the security of your Azure web application by adding a layer of transport encryption to the FTP protocol, and helps you comply with industry standards and regulations.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

With plain FTP, data exchanged between the web application and the FTP client is transmitted unencrypted, so anyone able to observe the traffic can intercept and read it. Even where a Man-in-the-Middle (MITM) attack is a risk you can mitigate quickly, industry requirements such as PCI DSS and HIPAA require data transfers to be fully encrypted. Enforcing FTPS-only access for your Azure App Services applications ensures that traffic between the web application servers and the FTP clients is encrypted, so it cannot be read by malicious actors who manage to intercept packets sent across the FTP connection.


Audit

To determine if your Azure App Services web apps are configured to accept FTPS-only connections, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Services web application that you want to examine.

04 In the navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected app.

05 On the General settings panel, under Platform Settings, check the FTP state configuration setting. If the setting status is set to All allowed, the existing configuration does not enforce FTPS-only access for the selected Microsoft Azure App Services web application.

06 Repeat steps no. 3 – 5 for each Azure App Services application available within the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp list command (Windows/macOS/Linux) with a custom query filter to list the IDs of all App Services web applications deployed in the current Azure subscription:

az webapp list \
	--query '[*].id'

02 The command output should return the requested web application IDs:

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-node10-webapp"
]

03 Run the webapp config show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as the identifier parameter, with a custom query filter to return the FTPS-only feature state configured for the selected web application:

az webapp config show \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp" \
	--query 'ftpsState'

04 The command output should return the existing FTPS-only feature state:

"AllAllowed"

If the webapp config show command output shows "AllAllowed", as shown in the example above, the existing configuration does not enforce FTPS-only access for the selected Microsoft Azure App Services web application.

05 Repeat steps no. 3 and 4 for each Azure App Services application deployed in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.

Remediation / Resolution

To disable unencrypted FTP and enforce FTPS-only access and deployment for your Microsoft Azure App Services web applications, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right app).

04 To enable FTPS-only, you must enforce TLS 1.2 or higher, because TLS 1.0 and 1.1 are not supported by the FTPS-only feature. To configure TLS 1.2 for the selected app, go to the Settings section in the navigation panel, choose TLS/SSL settings, then select 1.2 from Minimum TLS version.

05 In the navigation panel, under Settings, choose Configuration and select the General settings tab to access the platform configuration settings available for the selected application.

06 On the General settings panel, under Platform Settings, select FTPS only from the FTP state dropdown list to enforce FTPS-only access and deployment for the selected Microsoft Azure App Services web application. Click Save to apply the changes.

07 Repeat steps no. 3 – 6 for each Azure App Services web application that you want to reconfigure in order to enforce FTPS-only access, available in the current subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the webapp config set command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Services web application that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right app) to enable the FTPS-only feature for the selected application:

az webapp config set \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-aspnet-webapp" \
	--ftps-state FtpsOnly

02 The command output should return the configuration metadata for the reconfigured Microsoft Azure App Services application:

{
  "alwaysOn": false,
  "apiDefinition": null,
  "appCommandLine": "",
  "appSettings": null,
  "autoHealEnabled": false,
  "autoHealRules": null,
  "autoSwapSlotName": null,
  "azureStorageAccounts": null,
  "connectionStrings": null,
  "cors": null,
  "documentRoot": null,
  "experiments": {
    "rampUpRules": []
  },

  ...

  "ftpsState": "FtpsOnly",

  ...

  "name": "cc-aspnet-webapp",
  "netFrameworkVersion": "v4.0",
  "numberOfWorkers": 1,
  "publishingUsername": "$cc-aspnet-webapp",
  "push": null,
  "reservedInstanceCount": 0,
  "resourceGroup": "cc-vm-resource-group",
  "scmIpSecurityRestrictionsUseMain": false,
  "scmType": "None",
  "tags": {},
  "tracingOptions": null,
  "type": "Microsoft.Web/sites",
  "use32BitWorkerProcess": true,
  "webSocketsEnabled": false
}

03 Repeat steps no. 1 and 2 for each Azure App Services web application that you want to reconfigure in order to enable FTPS-only access and deployment, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
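The CLI audit (steps 1 to 5) and remediation (step 1) above, combined into one script as an added example that is not part of the original Conformity article. It assumes an installed and logged-in az CLI for the fetch step, treats the ftpsState value Disabled as compliant too (it switches FTP off entirely), and uses the --min-tls-version flag of az webapp config set to satisfy the TLS 1.2 prerequisite from the Portal remediation; SAMPLE_CONFIGS is constructed data standing in for live az output.

```python
import json
import shlex
import subprocess

# ftpsState values of an App Service site config. Rule AppService-012 flags
# "AllAllowed" (plaintext FTP accepted). "FtpsOnly" is the target state;
# "Disabled" switches FTP off entirely, so neither exposes plaintext FTP.
COMPLIANT_FTPS_STATES = {"FtpsOnly", "Disabled"}

def az_json(args):
    """Run an az CLI command (assumes `az` is installed and logged in) and parse its JSON."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None

def fetch_site_configs():
    """Audit steps 1 and 3 of the CLI procedure, for the current subscription."""
    configs = []
    for app_id in az_json(["webapp", "list", "--query", "[*].id"]):
        cfg = az_json(["webapp", "config", "show", "--ids", app_id, "--query",
                       "{ftpsState:ftpsState, minTlsVersion:minTlsVersion}"])
        configs.append({"id": app_id, **cfg})
    return configs

def find_noncompliant(configs):
    """Return the IDs of apps whose FTP state still permits unencrypted FTP."""
    return [c["id"] for c in configs
            if c.get("ftpsState") not in COMPLIANT_FTPS_STATES]

def remediation_commands(configs):
    """Build the `az webapp config set` commands from the Remediation section; apps
    still on TLS 1.0/1.1 get the minimum TLS version raised first (FTPS-only needs 1.2)."""
    by_id = {c["id"]: c for c in configs}
    cmds = []
    for app_id in find_noncompliant(configs):
        target = shlex.quote(app_id)
        if by_id[app_id].get("minTlsVersion") in ("1.0", "1.1"):
            cmds.append(f"az webapp config set --ids {target} --min-tls-version 1.2")
        cmds.append(f"az webapp config set --ids {target} --ftps-state FtpsOnly")
    return cmds

# Constructed sample data in the shape fetch_site_configs() returns (not real apps).
PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
SAMPLE_CONFIGS = [
    {"id": f"{PREFIX}/providers/Microsoft.Web/sites/legacy-app", "ftpsState": "AllAllowed", "minTlsVersion": "1.0"},
    {"id": f"{PREFIX}/providers/Microsoft.Web/sites/patched-app", "ftpsState": "FtpsOnly", "minTlsVersion": "1.2"},
    {"id": f"{PREFIX}/providers/Microsoft.Web/sites/open-app", "ftpsState": "AllAllowed", "minTlsVersion": "1.2"},
]
```

Replace SAMPLE_CONFIGS with fetch_site_configs() to audit a live subscription, and run the script once per subscription as steps 6 and 4 of the two CLI procedures require.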

Publication date Feb 3, 2020