App Service site allows insecure TLS versions

Security · App Service · Rule · 2020_06 · Critical

App Service should not accept weak or deprecated transport protocols for client-server communication.

Description

The minimum version of TLS that Azure App Service accepts is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

App Service lets you disable outdated protocols and enforce TLS 1.2. By default, a minimum of TLS 1.2 is enforced.

Recommendation

Consider configuring the minimum supported TLS version to be 1.2. Also consider using Azure Policy to audit or enforce this configuration.

Examples

Configure with Bicep

To deploy App Services that pass this rule:

• Set the properties.siteConfig.minTlsVersion property to 1.2 or 1.3.

For example:

Azure Bicep snippet

resource web 'Microsoft.Web/sites@2024-04-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    clientAffinityEnabled: false
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      remoteDebuggingEnabled: false
      http20Enabled: true
      netFrameworkVersion: 'v8.0'
      healthCheckPath: '/healthz'
      metadata: [
        {
          name: 'CURRENT_STACK'
          value: 'dotnet'
        }
      ]
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/web/site:<version>

To use the latest version:

br/public:avm/res/web/site:0.9.0

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Configure with Azure template

To deploy App Services that pass this rule:

• Set the properties.siteConfig.minTlsVersion property to 1.2 or 1.3.

For example:

Azure Template snippet

{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "kind": "web",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
    "httpsOnly": true,
    "siteConfig": {
      "alwaysOn": true,
      "minTlsVersion": "1.2",
      "ftpsState": "Disabled",
      "remoteDebuggingEnabled": false,
      "http20Enabled": true,
      "netFrameworkVersion": "v8.0",
      "healthCheckPath": "/healthz",
      "metadata": [
        {
          "name": "CURRENT_STACK",
          "value": "dotnet"
        }
      ]
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
  ]
}

Configure with Azure Policy

To address this issue at runtime use the following policies:

• App Service apps should use the latest TLS version /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b.
• App Service app slots should use the latest TLS version /providers/Microsoft.Authorization/policyDefinitions/4ee5b817-627a-435a-8932-116193268172.
• Configure App Service apps to use the latest TLS version /providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d.
• Configure App Service app slots to use the latest TLS version /providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df.

Links

• SE:07 Encryption
• DP-3: Encrypt sensitive data in transit
• Enforce TLS versions
• TLS encryption in Azure
• Preparing for TLS 1.2 in Microsoft Azure
• Insecure protocols
• Azure Policy built-in definitions for Azure App Service
• Azure deployment reference

Comments