Ensure that your Microsoft Azure App Services web applications are not configured to be deployed over plain FTP. Instead, either disable FTP deployment or perform the deployment over FTPS. FTPS (Secure FTP) enhances security for your Azure web application because it adds an extra layer of security to the FTP protocol, and it helps you comply with industry standards and regulations.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
With FTP, data transmitted between your web application and the FTP client is unencrypted, leaving it vulnerable to being intercepted and read. By default, Azure App Services web applications can be deployed over plain FTP. If FTP is required for an essential deployment workflow, FTPS should be used instead; otherwise, FTP deployment should be disabled. Industry requirements such as PCI DSS, HIPAA, and others require data transfers to be fully encrypted. Enforcing FTPS-only deployment for your Azure App Services web applications can guarantee that the encrypted traffic between the web application server and the FTP client can't be decrypted by malicious actors if they are able to intercept packets sent across the FTP connection.
Audit
To determine the type of the FTP deployment configured for your Azure App Services web applications, perform the following operations:
Remediation / Resolution
To disable the default, non-compliant FTP deployment type configured for your Microsoft Azure App Services applications, perform the following operations:
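The audit and remediation described above can be scripted with the Azure CLI. The script below is an added example, not taken from the original page or from the Conformity tool: it treats `FtpsOnly` and `Disabled` as compliant and `AllAllowed` as the default, non-compliant state. It assumes a signed-in Azure CLI session (`az login`); the function names and the script name `ftps_check.sh` are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a signed-in Azure CLI
# session (az login); function names and the script name are illustrative.
TAB=$(printf '\t')

# Compliant states per the rule: FTPS enforced, or FTP deployment disabled.
is_compliant_ftps_state() {
  case "$1" in
    FtpsOnly|Disabled) return 0 ;;
    *) return 1 ;;  # AllAllowed (plain FTP permitted) or an unreadable value
  esac
}

# Audit: print "resource-group<TAB>app<TAB>ftpsState" for each non-compliant app.
audit_ftps() {
  az webapp list --query "[].[resourceGroup, name]" --output tsv |
  while IFS="$TAB" read -r rg name; do
    [ -n "$name" ] || continue
    # </dev/null keeps az from consuming the app list on stdin
    state=$(az webapp config show --resource-group "$rg" --name "$name" \
              --query ftpsState --output tsv </dev/null) || state="unreadable"
    is_compliant_ftps_state "$state" || printf '%s\t%s\t%s\n' "$rg" "$name" "$state"
  done
}

# Remediate: move every non-compliant app to FtpsOnly (default) or Disabled.
remediate_ftps() {
  target="${1:-FtpsOnly}"
  is_compliant_ftps_state "$target" || { echo "invalid target: $target" >&2; return 2; }
  audit_ftps | while IFS="$TAB" read -r rg name rest; do
    az webapp config set --resource-group "$rg" --name "$name" \
       --ftps-state "$target" --output none </dev/null
    echo "set $rg/$name to $target"
  done
}

# Usage: sh ftps_check.sh audit   or   sh ftps_check.sh remediate [FtpsOnly|Disabled]
case "${1:-}" in
  audit) audit_ftps ;;
  remediate) remediate_ftps "${2:-FtpsOnly}" ;;
esac
```

Run the audit first and review the listed apps before remediating, since switching an app to `FtpsOnly` or `Disabled` will break any deployment client that still connects over plain FTP.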