
Check that the Azure App requests incoming client certificates

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AppService-008

Ensure that your Microsoft Azure App Service web applications are configured to require a TLS client certificate on every incoming request, for security and compliance purposes. Once client certificates are required, requests from web clients that do not present a certificate are rejected before they reach your application code, so only clients holding a client certificate can reach your web application. By default, incoming client certificates are disabled for Azure App Service web applications.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

TLS mutual authentication (mTLS) authenticates the web client to the application server, in addition to the server authentication that ordinary TLS already provides. If incoming client certificates are required, only a client that presents a certificate during the TLS handshake can access the web application. Note that App Service only enforces that a certificate is presented: it forwards the certificate to your application in the X-ARR-ClientCert request header and performs no trust-chain, expiry or revocation checks of its own, so your application code must validate the forwarded certificate before treating the client as authenticated.

Audit

To determine if your Azure App Service web applications are configured to require client certificates for incoming requests, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Portal.

02 Navigate to App Services blade available at https://portal.azure.com/#browse/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine, listed in the Name column.

04 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected web application.

05 Select the General settings tab and perform the following checks:

  1. If HTTP version is set to 2.0, the web application serves HTTP/2 and App Service ignores the incoming client certificate settings, so the application cannot enforce client certificates regardless of the Client certificate mode. For HTTP/2 applications the Audit process ends here. If HTTP version is 1.1, continue the Audit process with the next step.
  2. Check the Client certificate mode setting available under Incoming client certificates to determine whether client authentication is required. If Client certificate mode is not set to Require (the optional modes admit clients that present no certificate), the selected Microsoft Azure App Service web application is not configured to require a client certificate for incoming requests.

06 Repeat steps no. 3 – 5 for each Azure App Service web application deployed in the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) with custom query filters to list the IDs of all App Service web applications available in your current Azure subscription:

az webapp list \
  --query '[*].id'

02 The command output should return the requested web application IDs:

[
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app",
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-webapp"
]

03 Run webapp config show command (Windows/macOS/Linux) with the ID of the Azure App Service web application that you want to examine as the identifier parameter, to determine the HTTP version configured for the selected application:

az webapp config show \
  --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" \
  --query 'http20Enabled'

04 Incoming client certificates are always ignored for HTTP/2 applications. If the command output returns true, the selected web application is using HTTP version 2.0, cannot enforce client certificates, and the Audit process for it ends here. If the output is false, the application is using HTTP version 1.1 and the Audit process continues with the next step:

false

05 Run webapp show command (Windows/macOS/Linux) with the ID of the web application that you want to examine as the identifier parameter and custom output filters to describe the status of the Incoming Client Certificates feature for the selected application:

az webapp show \
  --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" \
  --query 'clientCertEnabled'

06 The command output should return the Incoming Client Certificates feature status (true for enabled, false for disabled):

false

If the webapp show command output returns false, as shown in the example above, the selected Microsoft Azure App Service web application is not configured to require a client certificate for incoming requests. If it returns true, also confirm that the clientCertMode property is set to "Required" by repeating the command with clientCertMode as the query filter: the feature can be enabled with an optional mode that still admits clients that present no certificate, and only "Required" satisfies this rule.

07 Repeat steps no. 3 – 6 for each Azure App Service application deployed within the current subscription.

08 Repeat steps no. 1 – 7 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To update the TLS/SSL configuration settings available for your Microsoft Azure App Service web applications in order to require client certificates for incoming requests, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Portal.

02 Navigate to App Services blade available at https://portal.azure.com/#browse/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to configure, listed in the Name column.

04 In the resource navigation panel, under Settings, choose Configuration to access the configuration settings available for the selected web application.

05 Select the General settings tab and ensure that HTTP version is 1.1, because client certificates are ignored for HTTP/2 applications. Set the Client certificate mode setting to Require so that every incoming request must present a client certificate. (Optional) To exclude specific paths, such as a health-check endpoint, from requiring a certificate, click the Edit button (pencil icon) next to Certificate exclusion paths and define your exclusion paths. Choose Save to apply the configuration changes, then select Continue to confirm. If the Client certificate mode setting can't be modified, your web application requires a Basic or higher App Service plan: choose Click here to upgrade to a higher SKU and enable additional features from the top menu and follow the setup wizard to upgrade your App Service pricing plan.

06 Repeat steps no. 3 – 5 for each Azure App Service web application that you want to configure, available within the current Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp update command (Windows/macOS/Linux) using the ID of the Azure App Service web application that you want to configure as the identifier parameter, to enable the Incoming Client Certificates feature for the selected web application so that all incoming requests must present a client certificate. This also sets the Client certificate mode setting to Require, as the clientCertMode property in the output below shows:

az webapp update \
  --ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" \
  --set clientCertEnabled=true

02 If successful, the command output should return the configuration of the updated Azure App Service web application. If a Bad Request error message is returned (for example, Operation returned an invalid status 'Bad Request'), your web application requires a Basic or higher App Service plan:

{
	"availabilityState": "Normal",
	"clientAffinityEnabled": false,
	"clientCertEnabled": true,
	"clientCertExclusionPaths": null,
	"clientCertMode": "Required",
	"cloningInfo": null,
	"dailyMemoryTimeQuota": 0,
	"daprConfig": null,
	"defaultHostName": "cc-ecommerce-app.azurewebsites.net",
	"enabled": true,

	...

	"slotSwapStatus": null,
	"state": "Running",
	"storageAccountRequired": false,
	"trafficManagerHostNames": null,
	"type": "Microsoft.Web/sites",
	"usageState": "Normal",
	"virtualNetworkSubnetId": null,
	"vnetContentShareEnabled": false,
	"vnetImagePullEnabled": false,
	"vnetRouteAllEnabled": false,
	"workloadProfileName": null
}

03 Repeat steps no. 1 and 2 for each Azure App Service web application that you want to configure, available in the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
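The Azure CLI Audit and Remediation procedures above are combined here into one script that walks every web app in every subscription, as the last step of each procedure asks for. This is an added example and is not part of the Conformity article or of Microsoft's tooling; it assumes an installed az CLI that has already been logged in with an account allowed to read and update the web apps, and the function names are our own. evaluate_app applies the page's three checks (HTTP version, Incoming Client Certificates enabled, Client certificate mode set to Require) to the property values the CLI returns and has no Azure dependency; remediate_app switches an HTTP/2 app back to HTTP 1.1 with az webapp config set before requiring client certificates, a step the page's CLI remediation does not spell out.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit and optionally fix
# AppService-008 across all subscriptions visible to the logged-in az CLI.
# Properties read are the ones the page's Audit steps query:
#   http20Enabled      (az webapp config show)
#   clientCertEnabled  (az webapp show)
#   clientCertMode     (az webapp show)
# Assumptions: az CLI installed, `az login` done, rights to read/update apps.

# evaluate_app HTTP20_ENABLED CLIENT_CERT_ENABLED CLIENT_CERT_MODE
# Pure check: prints a verdict, returns 0 when compliant and 1 otherwise.
# Boolean arguments are expected in lowercase ("true"/"false").
evaluate_app() {
  http20="$1"; cert_enabled="$2"; cert_mode="$3"
  if [ "$http20" = "true" ]; then
    echo "NON_COMPLIANT: HTTP/2 is enabled, so incoming client certificates are ignored"
    return 1
  fi
  if [ "$cert_enabled" != "true" ]; then
    echo "NON_COMPLIANT: incoming client certificates are disabled"
    return 1
  fi
  # clientCertEnabled=true with an optional mode still admits clients that
  # present no certificate; only the Required mode satisfies the rule.
  if [ "$cert_mode" != "Required" ]; then
    echo "NON_COMPLIANT: client certificate mode is '${cert_mode:-null}', not Required"
    return 1
  fi
  echo "COMPLIANT"
  return 0
}

# remediate_app APP_ID: force HTTP 1.1, then require client certificates.
# Fails with Bad Request on Free/Shared plans, as the page notes.
remediate_app() {
  app_id="$1"
  az webapp config set --ids "$app_id" --http20-enabled false --output none
  az webapp update --ids "$app_id" \
    --set clientCertEnabled=true clientCertMode=Required --output none
}

# audit_subscription [fix]: check every web app in the current subscription,
# print one line per app, and return 1 if any app is non-compliant.
audit_subscription() {
  fix="${1:-}"
  status=0
  for app_id in $(az webapp list --query '[*].id' --output tsv); do
    # Normalize case so the comparison does not depend on how the CLI
    # renders booleans in tsv output.
    http20=$(az webapp config show --ids "$app_id" --query 'http20Enabled' \
      --output tsv | tr '[:upper:]' '[:lower:]')
    cert_enabled=$(az webapp show --ids "$app_id" --query 'clientCertEnabled' \
      --output tsv | tr '[:upper:]' '[:lower:]')
    cert_mode=$(az webapp show --ids "$app_id" --query 'clientCertMode' --output tsv)
    verdict=$(evaluate_app "$http20" "$cert_enabled" "$cert_mode" || true)
    printf '%s\t%s\n' "$app_id" "$verdict"
    case "$verdict" in
      NON_COMPLIANT*)
        status=1
        if [ "$fix" = "fix" ]; then remediate_app "$app_id"; fi
        ;;
    esac
  done
  return "$status"
}

# audit_all_subscriptions [fix]: repeat the audit for every subscription in
# the account, as the final Audit/Remediation steps require.
audit_all_subscriptions() {
  fix="${1:-}"
  status=0
  for sub in $(az account list --query '[*].id' --output tsv); do
    az account set --subscription "$sub"
    echo "== subscription $sub"
    audit_subscription "$fix" || status=1
  done
  return "$status"
}

# Only talk to Azure when explicitly asked (sh appservice008.sh audit|fix);
# sourcing the file just defines the functions for offline testing.
case "${1:-}" in
  audit) audit_all_subscriptions ;;
  fix)   audit_all_subscriptions fix ;;
esac
```

Run it as `sh appservice008.sh audit` to report, or `sh appservice008.sh fix` to also apply the remediation; the exit status is non-zero whenever at least one web app was found non-compliant, which makes it usable as a pipeline gate.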

Publication date Sep 30, 2019