Web apps disable insecure FTP

Security · App Service · 2022_06

Web apps should disable insecure FTP and configure SFTP when required.

Description

Azure App Service supports configuration of FTP and SFTP for uploading site content. By default, both FTP and SFTP are enabled. In many circumstances, use of FTP or SFTP is not required for automated deployments.

When interactive deployments are required consider using SFTP instead of FTP. Use of FTP alone is not sufficient to prevent disclosure of sensitive information that may be transferred.

Recommendation

Consider disabling insecure FTP and configure SFTP only when required. Also consider using Azure Policy to audit or enforce this configuration.

Examples

Configure with Azure template

To deploy Web Apps that pass this rule:

• Set properties.siteConfig.ftpsState to FtpsOnly or Disabled.

For example:

Azure Template snippet

{
    "type": "Microsoft.Web/sites",
    "apiVersion": "2021-03-01",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "identity": {
        "type": "SystemAssigned"
    },
    "kind": "web",
    "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
        "httpsOnly": true,
        "siteConfig": {
            "alwaysOn": true,
            "minTlsVersion": "1.2",
            "ftpsState": "FtpsOnly",
            "remoteDebuggingEnabled": false,
            "http20Enabled": true,
            "netFrameworkVersion": "v6.0",
            "healthCheckPath": "/healthz"
        }
    },
    "tags": "[parameters('tags')]",
    "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
    ]
}

Configure with Bicep

To deploy Web Apps that pass this rule:

• Set properties.siteConfig.ftpsState to FtpsOnly or Disabled.

For example:

Azure Bicep snippet

resource webApp 'Microsoft.Web/sites@2021-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'FtpsOnly'
      remoteDebuggingEnabled: false
      http20Enabled: true
      netFrameworkVersion: 'v6.0'
      healthCheckPath: '/healthz'
    }
  }
  tags: tags
}

Links

• Data encryption in Azure
• Deploy your app to Azure App Service using FTP/S
• Azure deployment reference

---

Last update: 2022-11-27

Comments