Skip to content

Disable App Service remote debugging#

Security · App Service · Rule · 2020_12 · Important

Disable remote debugging on App Service apps when not in use.

Description#

Remote debugging can be enabled on apps running within Azure App Services.

To enable remote debugging, App Service allows connectivity to additional ports. While access to remote debugging ports is authenticated, the attack service for an app is increased.

Recommendation#

Consider disabling remote debugging when not in use.

Examples#

Configure with Azure template#

To deploy App Services that pass this rule:

  • Set the properties.siteConfig.remoteDebuggingEnabled property to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "kind": "web",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
    "httpsOnly": true,
    "siteConfig": {
      "alwaysOn": true,
      "minTlsVersion": "1.2",
      "ftpsState": "Disabled",
      "remoteDebuggingEnabled": false,
      "http20Enabled": true,
      "netFrameworkVersion": "v8.0",
      "healthCheckPath": "/healthz",
      "metadata": [
        {
          "name": "CURRENT_STACK",
          "value": "dotnet"
        }
      ]
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
  ]
}

Configure with Bicep#

To deploy App Services that pass this rule:

  • Set the properties.siteConfig.remoteDebuggingEnabled property to false.

For example:

Azure Bicep snippet
resource web 'Microsoft.Web/sites@2023-01-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      remoteDebuggingEnabled: false
      http20Enabled: true
      netFrameworkVersion: 'v8.0'
      healthCheckPath: '/healthz'
      metadata: [
        {
          name: 'CURRENT_STACK'
          value: 'dotnet'
        }
      ]
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/web/site:<version>

To use the latest version:

br/public:avm/res/web/site:0.9.0

Comments