Azure App Services FTP deployment is AllAllowed

ID

app_service_ftp_state

Severity

low

Vendor

Azure

Resource

App Service

Tags

reachable

Description

Azure App Services FTP deployment should not be configured with 'AllAllowed'.

FTPS is an extension of the File Transfer Protocol that adds support for Transport Layer Security (TLS) and, formerly, Secure Sockets Layer (SSL). Plain FTP sends the deployment credentials and the deployed content in cleartext, so an App Service with FTP state 'AllAllowed' accepts unencrypted deployments alongside FTPS ones.

Microsoft recommends that for enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don’t use FTP deployment.

See the Azure App Service documentation on FTP/S deployment [Enforce FTPS].

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2021-02-01",
      "name": "bad", (1)
      "location": "[parameters('location')]",
      "properties": {
        "httpsOnly": true,
        "siteConfig": {
          "linuxFxVersion": "[parameters('linuxFxVersion')]",
          "minTlsVersion": "1.2",
          "ftpsState": "AllAllowed"
        }
      }
    }
  ]
}
1 Unsafe FTP is allowed.

Terraform

resource "azurerm_linux_web_app" "fail" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id
  logs {
    failed_request_tracing  = false
    detailed_error_messages = false
  }
  client_certificate_enabled = true
  auth_settings {
    enabled = true
  }
  site_config {
    ftps_state = "AllAllowed" (1)
    cors {
      allowed_origins = ["*"]
    }
  }
}
1 Unsafe FTP is allowed.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2021-02-01",
      "name": "good",
      "location": "[parameters('location')]",
      "properties": {
        "httpsOnly": true,
        "siteConfig": {
          "linuxFxVersion": "[parameters('linuxFxVersion')]",
          "minTlsVersion": "1.2",
          "ftpsState": "FtpsOnly" (1)
        }
      }
    }
  ]
}
1 Fixed. Use 'Disabled' if the deployment does not use FTP at all.

Terraform

resource "azurerm_linux_web_app" "pass" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id
  logs {
    failed_request_tracing  = false
    detailed_error_messages = false
  }
  client_certificate_enabled = true
  auth_settings {
    enabled = true
  }
  site_config {
    ftps_state = "FtpsOnly" (1)
    cors {
      allowed_origins = ["*"]
    }
  }
}
1 Fixed. Use 'Disabled' if the deployment does not use FTP at all.

Runtime

Azure Portal

To change the FTP state, log in to the Azure Portal, open the App Service and then:

  • Select Configuration > General settings from the left navigation.

  • To disable unencrypted FTP, select FTPS Only under FTP state. To disable both FTP and FTPS entirely, select Disabled. When finished, click Save. If using FTPS Only, you must enforce TLS 1.2 or higher on the TLS/SSL settings blade of the web app; TLS 1.0 and 1.1 are not supported with FTPS Only.

CLI Command

To change the FTP config, use the following command:

$ az webapp config set --name <app name> --resource-group <group name> --ftps-state FtpsOnly
Possible values for --ftps-state are AllAllowed (FTP and FTPS enabled), Disabled (FTP and FTPS disabled), and FtpsOnly (FTPS only).
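As an added example (not Prisma Cloud or Checkov code), the condition this policy describes written out in Python and run over two inputs: an ARM template such as the ones in the Examples section, and the JSON printed by `az webapp config show`, which exposes the same setting as `ftpsState`. The sample template and CLI output are constructed for the example. Two choices go beyond the page's own samples: a missing `ftpsState` is reported as UNKNOWN rather than passed, because the service default then applies, and a separate `Microsoft.Web/sites/config` resource is checked as well, since it can override the value set on the site.

```python
import json

# Values the Azure API accepts for SiteConfig.ftpsState.
UNSAFE_STATE = "AllAllowed"          # plaintext FTP and FTPS both accepted
SAFE_STATES = {"FtpsOnly", "Disabled"}


def evaluate_ftps_state(state):
    """Classify one ftpsState value as FAILED, PASSED or UNKNOWN."""
    if state == UNSAFE_STATE:
        return "FAILED"
    if state in SAFE_STATES:
        return "PASSED"
    # None (key absent, so the service default applies) or an unexpected
    # string: report for manual review rather than silently passing.
    return "UNKNOWN"


def scan_arm_template(template):
    """Return [(resource name, verdict)] for every App Service resource.

    Reads siteConfig.ftpsState on Microsoft.Web/sites and properties.ftpsState
    on a Microsoft.Web/sites/config resource (assumption: a child config
    resource overrides the value set on the site itself).
    """
    findings = []
    for res in template.get("resources", []):
        props = res.get("properties") or {}
        rtype = res.get("type")
        if rtype == "Microsoft.Web/sites":
            state = (props.get("siteConfig") or {}).get("ftpsState")
        elif rtype == "Microsoft.Web/sites/config":
            state = props.get("ftpsState")
        else:
            continue
        findings.append((res.get("name"), evaluate_ftps_state(state)))
    return findings


def scan_az_config_show(output):
    """Classify the JSON printed by `az webapp config show` (field ftpsState)."""
    return evaluate_ftps_state(json.loads(output).get("ftpsState"))


# Constructed sample: the page's "bad" and "good" sites, a child config
# resource that re-enables plain FTP, and a site that never sets the value.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "bad",
         "properties": {"siteConfig": {"ftpsState": "AllAllowed"}}},
        {"type": "Microsoft.Web/sites", "name": "good",
         "properties": {"siteConfig": {"ftpsState": "FtpsOnly"}}},
        {"type": "Microsoft.Web/sites/config", "name": "good/web",
         "properties": {"ftpsState": "AllAllowed"}},
        {"type": "Microsoft.Web/sites", "name": "unset",
         "properties": {"httpsOnly": True}},
    ]
}

# Constructed sample of `az webapp config show` output, trimmed to two fields.
SAMPLE_AZ_OUTPUT = '{"ftpsState": "AllAllowed", "minTlsVersion": "1.2"}'


if __name__ == "__main__":
    for name, verdict in scan_arm_template(SAMPLE_TEMPLATE):
        print(f"{verdict:8} {name}")
    print("runtime:", scan_az_config_show(SAMPLE_AZ_OUTPUT))
```

To audit a live app, pipe the output of `az webapp config show --name <app name> --resource-group <group name>` into scan_az_config_show; a FAILED verdict is remediated with the `az webapp config set --ftps-state` command above.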