
Disable Administrative Endpoints

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that administrative endpoints are disabled for your Microsoft Azure Function Apps in order to enhance security by preventing unauthorized access to sensitive management operations, reducing the risk of attacks like privilege escalation or data breaches. Administrative endpoints can be disabled by setting the functionsRuntimeAdminIsolationEnabled application setting to true.

Security

Application settings in an Azure Function App provide configuration options that apply to all functions within the app and are exposed to the function code as environment variables. One such setting, functionsRuntimeAdminIsolationEnabled, controls access to the runtime's built-in administrator endpoints under /admin. Function apps expose these endpoints for host-level tasks such as retrieving host status and performing test invocations, and every request to them must carry the app's master key. By default the setting is false, so /admin requests are served whenever a valid master key is presented. When it is set to true, the host blocks access to the /admin endpoints even if the master key is supplied, which removes the attack surface that a leaked or over-shared master key would otherwise expose. Before enabling it, confirm that no deployment pipeline or tooling you depend on uses the /admin endpoints (for example for test invocations), because those calls will fail once isolation is enabled. A quick way to confirm that the change took effect is to request /admin/host/status with the master key: once isolation is enabled, the host no longer serves it. For optimal security and compliance with regulatory requirements, it is strongly recommended to disable administrative endpoints on your Microsoft Azure Function Apps.


Audit

To determine if administrative endpoints are disabled for your Microsoft Azure Function Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, choose Environment variables and select the App settings tab to access the application settings available for the selected Function App.

07 Type functionsRuntimeAdminIsolationEnabled in the Search box to locate the required application setting. If no results are returned, functionsRuntimeAdminIsolationEnabled is not configured and takes its default value of false, so administrative endpoints are not disabled for the selected Microsoft Azure Function App. If the setting appears in the search results, choose Show value to display its value. If the value is anything other than true (for example false), administrative endpoints are not disabled for your Azure Function App.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run functionapp config appsettings list command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to list the application settings configured for the selected Function App:

az functionapp config appsettings list
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope

07 The command output should return the requested configuration information:

[
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "..."
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "..."
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-main-function-appadba"
	},
	{
		"name": "functionsRuntimeAdminIsolationEnabled",
		"slotSetting": false,
		"value": "false"
	}
]

If the functionapp config appsettings list command output does not return the "functionsRuntimeAdminIsolationEnabled" application setting, the setting is not configured and takes its default value of false, so administrative endpoints are not disabled for the selected Microsoft Azure Function App. If the command output returns the "functionsRuntimeAdminIsolationEnabled" application setting but its value is anything other than "true" (for example "false", as shown in the example above), administrative endpoints are not disabled for your Azure Function App.

08 Repeat steps no. 6 and 7 for each Azure Function App available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To disable administrative endpoints for your Microsoft Azure Function Apps, perform the following operations:

1. functionsRuntimeAdminIsolationEnabled cannot be set for apps running on the Linux Consumption SKU, and it cannot be set for apps running on version 1.x of the Azure Functions runtime. If you are using version 1.x, you must first migrate to version 4.x.
2. Your Azure Function App may restart if you are updating application settings or connection strings.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, choose Environment variables and select the App settings tab to access the application settings available for the selected Function App.

07 Type functionsRuntimeAdminIsolationEnabled in the Search box and perform one of the following sets of actions:

  1. If no results are returned, functionsRuntimeAdminIsolationEnabled is not explicitly configured. To disable administrative endpoints for the selected Azure Function App, choose Add, enter functionsRuntimeAdminIsolationEnabled for Name and true for Value, and choose Apply in the panel to save the new setting. Then choose Apply at the top of the Environment variables page and Confirm to commit the configuration change.
  2. If the functionsRuntimeAdminIsolationEnabled setting appears in the search results, the application setting is already configured. Click on the setting name (link), set Value to true, and choose Apply in the panel. Then choose Apply at the top of the Environment variables page and Confirm to commit the change.

08 Repeat steps no. 5 – 7 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp config appsettings set command (Windows/macOS/Linux) to disable administrative endpoints for the selected Azure Function App, by setting the functionsRuntimeAdminIsolationEnabled application setting to true:

az functionapp config appsettings set
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --settings functionsRuntimeAdminIsolationEnabled=true

05 The command output should return the application settings configured for the selected Function App:

[
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "..."
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "..."
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-main-function-appadba"
	},
	{
		"name": "functionsRuntimeAdminIsolationEnabled",
		"slotSetting": false,
		"value": "true"
	}
]

06 Repeat steps no. 4 and 5 for each Azure Function App that you want to configure, available within the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
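The Audit and Remediation CLI procedures above are the same loop run twice: enumerate subscriptions, enumerate Function Apps, read the application settings, decide whether functionsRuntimeAdminIsolationEnabled is true, and (for remediation) set it. The script below is an added example, not Conformity's or Microsoft's code, that automates both in one place. It wraps the same az commands as the procedures (az must be installed and logged in); the decision itself lives in the pure function required_action(), which is exercised on constructed settings lists modelled on the output shown above. The function and variable names are the example's own. Without --apply it only reports; with --apply it sets the setting on non-compliant apps and verifies the result from the output of the set command. Because updating an application setting can restart the app, apps that are already compliant are never touched.

```python
"""Audit, and optionally remediate, functionsRuntimeAdminIsolationEnabled across all
Function Apps in every subscription the caller can see.

Added example, not Conformity's or Microsoft's code. It wraps the az commands used
in the Audit and Remediation procedures above (az must be installed and logged in).
required_action() holds the whole decision and is pure, so it is exercised below on
constructed settings lists.
"""
import json
import subprocess
import sys

SETTING_NAME = "functionsRuntimeAdminIsolationEnabled"
DESIRED_VALUE = "true"


def required_action(app_settings):
    """Return "add" (setting absent: runtime default false, so /admin is reachable with
    the master key), "update" (present but not "true"), or None (already disabled).

    Only a case-insensitive "true" counts as compliant. Other spellings such as "1"
    are flagged for review rather than assumed to work.
    """
    for entry in app_settings:
        if entry.get("name") == SETTING_NAME:
            current = str(entry.get("value", "")).strip().lower()
            return None if current == DESIRED_VALUE else "update"
    return "add"


def az_json(*args):
    """Run one az command and parse its JSON output."""
    completed = subprocess.run(["az", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def list_function_apps(subscription_id):
    """Name and resource group of every Function App in a subscription (CLI step 04).
    --subscription is passed explicitly so the caller's active subscription is never
    changed the way 'az account set' does."""
    return az_json("functionapp", "list", "--subscription", subscription_id,
                   "--query", "[*].{name:name, resourceGroup:resourceGroup}")


def check_app(subscription_id, resource_group, name, apply=False):
    """Audit one app and, with apply=True, remediate and verify. Returns an outcome string."""
    scope = ["--subscription", subscription_id, "--resource-group", resource_group, "--name", name]
    action = required_action(az_json("functionapp", "config", "appsettings", "list", *scope))
    if action is None:
        return "compliant"
    if not apply:
        return "NOT compliant (would " + action + ")"
    # 'set' adds or overwrites the setting and returns the full updated settings list
    # (remediation step 05), which is enough to verify without a second call.
    updated = az_json("functionapp", "config", "appsettings", "set", *scope,
                      "--settings", f"{SETTING_NAME}={DESIRED_VALUE}")
    if required_action(updated) is not None:
        raise RuntimeError(f"{name}: setting did not take effect; check that the app is not "
                           "on runtime 1.x or the Linux Consumption SKU")
    return "remediated (" + action + ")"


# Constructed sample inputs modelled on the appsettings list output shown above.
SAMPLE_FALSE = [
    {"name": "FUNCTIONS_EXTENSION_VERSION", "slotSetting": False, "value": "~4"},
    {"name": "FUNCTIONS_WORKER_RUNTIME", "slotSetting": False, "value": "dotnet-isolated"},
    {"name": SETTING_NAME, "slotSetting": False, "value": "false"},
]
SAMPLE_MISSING = SAMPLE_FALSE[:2]
SAMPLE_TRUE = SAMPLE_MISSING + [{"name": SETTING_NAME, "slotSetting": False, "value": "True"}]


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    for subscription_id in az_json("account", "list", "--query", "[*].id"):
        for app in list_function_apps(subscription_id):
            outcome = check_app(subscription_id, app["resourceGroup"], app["name"], apply)
            print(f"{subscription_id} {app['resourceGroup']} {app['name']}: {outcome}")
```

Run it once without arguments to get a per-app report for every subscription, review the "NOT compliant" lines, then run it with --apply during a maintenance window, since each set call may restart the affected Function App. A RuntimeError after --apply means the set command returned settings that still do not show the value true; that is the signature of an app on runtime version 1.x or the Linux Consumption SKU, where the setting is not supported.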

Publication date Oct 23, 2023