Check for Latest Version of .NET Framework

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: AppService-003

Ensure that all Microsoft Azure App Service web applications developed with the .NET software stack are using the latest available version of .NET Framework in order to take advantage of the latest security fixes and new functionality and features.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Reliability
Performance efficiency

With each software installation, an organization needs to determine whether a newer version of the software meets its requirements. The organization also verifies the compatibility and support provided for any additional software against the selected update revision. Newer software versions contain security enhancements and additional functionality, so it is highly recommended to use the latest software version to take advantage of security and performance enhancements and new capabilities.


Audit

To determine if your Azure App Service ASP.NET applications are using the latest version of .NET Framework, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine.

04 In the navigation menu, under Settings, select Configuration to access the configuration settings defined for the selected application.

05 On the Configuration panel, select General settings tab to access the application general settings.

06 In the Stack settings section, check the Stack setting value to determine the type of the software stack used by the selected web application. If Stack is set to .NET, check the Microsoft .NET Framework version selected in the .NET Framework version dropdown list. If .NET Framework version does not show the latest version available in the list (for example, v4.7), the selected Azure App Service ASP.NET web application is not configured to use the latest version of Microsoft .NET Framework.

07 Repeat steps no. 3 – 6 for each Azure App Service web application launched in the current subscription.

08 Repeat steps no. 3 – 7 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list-runtimes command (Windows/macOS/Linux) using custom query filters to list the .NET Framework versions currently supported by Microsoft Azure App Service:

az webapp list-runtimes | grep aspnet

02 The command output should return the supported versions of the Microsoft .NET Framework:

"aspnet|v4.7",
"aspnet|v3.5"

03 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications deployed in the current Azure subscription:

az webapp list \
	--query '[*].id'

04 The command output should return the requested Azure App Service application IDs:

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-aspnet-app",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-mobile-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-laravel-webapp"
]

05 Run webapp config show command (Windows/macOS/Linux) using the ID of the application that you want to examine as identifier parameter and custom query filters to describe the .NET Framework version configured for the selected Azure App Service web application:

az webapp config show \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-aspnet-app" \
	--query '{"netFrameworkVersion":netFrameworkVersion}'

06 The command output should return the .NET Framework version currently in use:

{
  "netFrameworkVersion": "v3.0"
}

If the value returned by the webapp config show command output for "netFrameworkVersion" configuration attribute is null or an empty string (i.e. ""), the verified web application is not using a .NET software stack. Otherwise, check the returned attribute value and compare it with each version returned at step no. 2. For comparison use the following conversion method: "v4.0" for .NET Framework 4.7 and "v3.0" for .NET Framework version 3.5. If "netFrameworkVersion" value is not set to the latest version of the .NET Framework returned at step no. 2, the selected Azure App Service ASP.NET web application is not using the latest version of the Microsoft .NET Framework for its software stack.

07 Repeat steps no. 3 – 6 for each Azure App Service web application deployed within the current subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
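
The CLI audit steps above, combined into one script. This is an added example, not Conformity's or Microsoft's own code; it assumes the output formats and the version conversion shown on this page, and the function names and sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: Audit steps 01-08 for one subscription, as shell functions.
# Function names are hypothetical; formats and mapping are the ones on this page.

# stdin: `az webapp list-runtimes` output. Prints the newest "aspnet|vX.Y" label.
latest_runtime() {
  grep -o 'aspnet|v[0-9.]*' | LC_ALL=C sort -t v -k 2,2n | tail -n 1
}

# Page's conversion method: runtime label -> netFrameworkVersion config value.
runtime_to_config() {
  case "$1" in
    'aspnet|v4.7') echo 'v4.0' ;;
    'aspnet|v3.5') echo 'v3.0' ;;
    *) echo 'unmapped' ;;  # label the page does not cover: review by hand
  esac
}

# stdin: "app-id<TAB>netFrameworkVersion" lines; $1: expected config value.
# Prints "STATUS<TAB>app-id<TAB>version"; returns 1 if any app is OUTDATED.
audit_apps() {
  expected=$1 rc=0 tab=$(printf '\t')
  while IFS=$tab read -r id ver; do
    case "$ver" in
      ''|null|None) status=NOT_DOTNET ;;  # null or empty, however rendered
      "$expected") status=OK ;;
      *) status=OUTDATED; rc=1 ;;
    esac
    printf '%s\t%s\t%s\n' "$status" "$id" "$ver"
  done
  return "$rc"
}

# Live input for audit_apps (needs a prior `az login`; not run by the sample).
collect_apps() {
  az webapp list --query '[*].id' -o tsv | while read -r id; do
    ver=$(az webapp config show --ids "$id" \
      --query netFrameworkVersion -o tsv </dev/null)
    printf '%s\t%s\n' "$id" "$ver"
  done
}

# Constructed sample rows (app names from this page, versions made up).
sample_apps() {
  printf 'cc-main-aspnet-app\tv3.0\n'
  printf 'cc-mobile-webapp\tv4.0\n'
  printf 'cc-laravel-webapp\t\n'
}
```

Running `sample_apps | audit_apps v4.0` exercises the logic offline; against a live subscription, pipe `collect_apps` into `audit_apps` with the value produced by `runtime_to_config "$(az webapp list-runtimes | latest_runtime)"`. The non-zero exit status on any OUTDATED row lets the check gate a scheduled job or pipeline.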

Remediation / Resolution

To reconfigure your Azure App Service ASP.NET web applications in order to enable the latest version of Microsoft .NET Framework, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right ASP.NET application).

04 In the navigation menu, under Settings, select Configuration to access the configuration settings defined for the selected application.

05 On the Configuration panel, select General settings tab to access the web application general settings.

06 In the Stack settings section, select the latest version of the .NET Framework available in the .NET Framework version dropdown list.

07 Click Save to apply the configuration change. Once the change becomes active, the Azure Management Console should display the following confirmation message: "Successfully updated web app settings".

08 Repeat steps no. 3 – 7 for each Azure App Service ASP.NET web application available in the current subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list-runtimes command (Windows/macOS/Linux) using custom query filters to list the .NET Framework versions currently supported by Microsoft Azure App Service:

az webapp list-runtimes | grep aspnet

02 The command output should return the supported versions of the Microsoft .NET Framework:

"aspnet|v4.7",
"aspnet|v3.5"

03 Run webapp config set command (Windows/macOS/Linux) using the ID of the Azure App Service web application that you want to reconfigure as identifier parameter (see Audit section part I to identify the right ASP.NET application) to enable the latest version of the Microsoft .NET Framework for the selected web application. For --net-framework-version parameter value, use "v4.0" to enable .NET Framework version 4.7 (latest stable version of .NET Framework returned by the webapp list-runtimes command at step no. 2):

az webapp config set \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-aspnet-app" \
	--net-framework-version "v4.0"

04 The command output should return the metadata available for the reconfigured Azure App Service web application:

{
  "alwaysOn": false,
  "apiDefinition": null,
  "appCommandLine": "",
  "appSettings": null,
  "autoHealEnabled": false,
  "autoHealRules": null,
  "javaContainer": null,
  "javaContainerVersion": null,
  "javaVersion": null,
  "limits": null,
  "linuxFxVersion": "",
  "loadBalancing": "LeastRequests",
  "localMySqlEnabled": false,
  "location": "West Europe",
  "logsDirectorySizeLimit": 35,
  "machineKey": null,
  "managedPipelineMode": "Integrated",
  "managedServiceIdentityId": null,
  "minTlsVersion": "1.2",
  "name": "cc-main-aspnet-app",
  "netFrameworkVersion": "v4.0",
 
  ...
 
  "nodeVersion": "",
  "numberOfWorkers": 1,
  "phpVersion": "5.6",
  "publishingUsername": "$cc-main-aspnet-app",
  "push": null,
  "pythonVersion": "",
  "remoteDebuggingEnabled": false,
  "remoteDebuggingVersion": "VS2017",
  "requestTracingEnabled": false,
  "requestTracingExpirationTime": null,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scmIpSecurityRestrictionsUseMain": false,
  "scmType": "None",
  "tracingOptions": null,
  "type": "Microsoft.Web/sites",
  "use32BitWorkerProcess": true,
  "vnetName": "",
  "webSocketsEnabled": false,
  "windowsFxVersion": null,
  "xManagedServiceIdentityId": null
}

05 Repeat steps no. 3 and 4 for each Azure App Service ASP.NET web application deployed in the current subscription.

06 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

Publication date Sep 30, 2019