
Disable Remote Debugging

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the Remote Debugging feature is disabled for your Microsoft Azure Function Apps in order to prevent unauthorized access, as it can expose sensitive information and increase the risk of security vulnerabilities if not properly secured.

Security

The Remote Debugging feature requires certain inbound ports to be opened for the Visual Studio remote debugger within your Microsoft Azure Function Apps configuration. Restricting access to these inbound ports follows security best practices and can significantly reduce the risk of a security breach.


Audit

To determine if your Microsoft Azure Function Apps are configured to use remote debugging, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration settings available for the selected Function App.

07 Select the General settings tab and check the Remote debugging setting available under Debugging to determine the current status of the Remote Debugging feature. If Remote debugging is set to On, the Remote Debugging feature is enabled for the selected Microsoft Azure Function App.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run the functionapp config show command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to return the Remote Debugging feature status for the selected Function App:

az functionapp config show --name cc-main-function-app --resource-group cloud-shell-storage-westeurope --query 'remoteDebuggingEnabled'

07 The command output should return the requested configuration status (true for enabled, false for disabled):

true

If the functionapp config show command output returns true, as shown in the example above, the Remote Debugging feature is enabled for the selected Microsoft Azure Function App.

08 Repeat steps no. 6 and 7 for each Azure Function App available within the current Azure subscription.

09 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enhance your Azure Function App's security by disabling the Remote Debugging feature, perform the following operations:

Your Azure Function App may restart if you are updating application settings or connection strings.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration settings available for the selected Function App.

07 Select the General settings tab and set the Remote debugging setting to Off under Debugging, to disable remote debugging using Microsoft Visual Studio for the selected Microsoft Azure Function App.

08 Choose Save and select Continue to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the functionapp update command (Windows/macOS/Linux) with the name of the Microsoft Azure Function App that you want to configure as the identifier parameter, to disable the Remote Debugging feature for the selected Microsoft Azure Function App:

az functionapp update --name cc-main-function-app --resource-group cloud-shell-storage-westeurope --set siteConfig.remoteDebuggingEnabled=false

05 The command output should return the configuration settings available for the selected Azure Function App:

{
	"availabilityState": "Normal",
	"clientAffinityEnabled": false,
	"clientCertEnabled": false,
	"clientCertExclusionPaths": null,
	"clientCertMode": "Required",
	"cloningInfo": null,
	"containerSize": 1536,
	"dailyMemoryTimeQuota": 0,
	"daprConfig": null,
	"defaultHostName": "cc-main-function-app.azurewebsites.net",
	"enabled": true,

	...

	"slotSwapStatus": null,
	"state": "Running",
	"storageAccountRequired": false,
	"suspendedTill": null,
	"targetSwapSlot": null,
	"trafficManagerHostNames": null,
	"type": "Microsoft.Web/sites",
	"usageState": "Normal",
	"vnetContentShareEnabled": false,
	"vnetImagePullEnabled": false,
	"vnetRouteAllEnabled": false,
	"workloadProfileName": null
}

06 Repeat steps no. 4 and 5 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
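
The CLI audit and remediation steps above, looped over every subscription and Function App, as an added example that is not part of the original page or of the Conformity product. The function names and the audit/fix arguments are assumptions made for illustration; the script passes the Azure CLI global --subscription argument on each call instead of running az account set, so the active subscription is left unchanged.

```shell
#!/bin/sh
# Added example: batch form of the audit and remediation steps on this page.
# Assumes an authenticated Azure CLI; the function names are illustrative.
TAB=$(printf '\t')

# Print "subscription<TAB>resource-group<TAB>app" for every Function App
# whose remoteDebuggingEnabled setting is true.
find_remote_debugging() {
  az account list --query '[*].id' --output tsv </dev/null |
  while read -r sub; do
    [ -n "$sub" ] || continue
    # --subscription scopes each call without changing the active
    # subscription, so no "az account set" is needed.
    az functionapp list --subscription "$sub" \
        --query '[*].[name, resourceGroup]' --output tsv </dev/null |
    while IFS="$TAB" read -r name rg; do
      [ -n "$name" ] || continue
      enabled=$(az functionapp config show --subscription "$sub" \
          --name "$name" --resource-group "$rg" \
          --query 'remoteDebuggingEnabled' --output json </dev/null)
      if [ "$enabled" = "true" ]; then
        printf '%s\t%s\t%s\n' "$sub" "$rg" "$name"
      fi
    done
  done
}

# Read find_remote_debugging output on stdin and switch the setting off
# with the same "az functionapp update" call shown in the CLI steps.
disable_remote_debugging() (
  status=0
  while IFS="$TAB" read -r sub rg name; do
    if az functionapp update --subscription "$sub" --name "$name" \
        --resource-group "$rg" \
        --set siteConfig.remoteDebuggingEnabled=false \
        --output none </dev/null; then
      printf 'disabled\t%s\t%s\t%s\n' "$sub" "$rg" "$name"
    else
      printf 'FAILED\t%s\t%s\t%s\n' "$sub" "$rg" "$name" >&2
      status=1
    fi
  done
  exit "$status"
)

# "audit" only reports; "fix" reports and remediates. No argument: define only.
case "${1:-}" in
  audit) find_remote_debugging ;;
  fix)   find_remote_debugging | disable_remote_debugging ;;
esac
```

Run it with the audit argument first and review the list before using fix; an empty audit result afterwards confirms that the setting is off everywhere the signed-in identity can read.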

Publication date Oct 23, 2023