Web apps disable insecure FTP#
Security · App Service · 2022_06
Web apps should disable insecure FTP and configure FTPS only when required.
Description#
Azure App Service supports configuration of FTP and FTPS for uploading site content. By default, both FTP and FTPS are enabled. In many circumstances neither is required, because site content is published through automated deployments rather than manual uploads.
When interactive deployments are required, use FTPS rather than FTP. Plain FTP sends credentials and site content in cleartext, so it does not prevent disclosure of sensitive information in transit.
Recommendation#
Consider disabling FTP and FTPS entirely, and allowing FTPS only when interactive uploads are genuinely required. Also consider using Azure Policy to audit or enforce this configuration across subscriptions.
Examples#
Configure with Azure template#
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.ftpsState` to `FtpsOnly` or `Disabled`.
For example:
```json
{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2021-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "kind": "web",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
    "httpsOnly": true,
    "siteConfig": {
      "alwaysOn": true,
      "minTlsVersion": "1.2",
      "ftpsState": "FtpsOnly",
      "remoteDebuggingEnabled": false,
      "http20Enabled": true,
      "netFrameworkVersion": "v6.0",
      "healthCheckPath": "/healthz"
    }
  },
  "tags": "[parameters('tags')]",
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
  ]
}
```
Configure with Bicep#
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.ftpsState` to `FtpsOnly` or `Disabled`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'FtpsOnly'
      remoteDebuggingEnabled: false
      http20Enabled: true
      netFrameworkVersion: 'v6.0'
      healthCheckPath: '/healthz'
    }
  }
  tags: tags
}
```
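As an added example that is not part of this documentation or of the rule's own implementation, the following Python script performs the same check offline against an ARM template: it resolves the effective `ftpsState` of each `Microsoft.Web/sites` resource and flags any that still permit plain FTP, which is the audit step the Recommendation above suggests before reaching for Azure Policy. It assumes the precedence stated in its comments (a `Microsoft.Web/sites/config` resource for `<site>/web`, nested or top-level, overrides the inline `siteConfig` value, which overrides the platform default of `AllAllowed`), matches resource names literally rather than evaluating ARM expressions, and runs against a constructed sample template embedded in the script.

```python
"""Offline check of Microsoft.Web/sites resources in an ARM template for the
ftpsState setting. Added example; not the PSRule rule implementation."""
import json

# ftpsState values that pass: FTPS only, or FTP/FTPS fully disabled.
SECURE_FTPS_STATES = {"ftpsonly", "disabled"}
# Platform default when the property is absent: plain FTP and FTPS both allowed.
AZURE_DEFAULT_FTPS_STATE = "AllAllowed"


def effective_ftps_state(site, template_resources):
    """Resolve ftpsState for one Microsoft.Web/sites resource.

    Precedence used here (an assumption, lowest to highest): platform default,
    then properties.siteConfig.ftpsState, then a Microsoft.Web/sites/config
    resource for '<site>/web', whether nested under the site or listed at the
    template top level. Names are matched literally; ARM expressions such as
    "[parameters('name')]" are not evaluated.
    """
    state = AZURE_DEFAULT_FTPS_STATE
    inline = site.get("properties", {}).get("siteConfig", {}).get("ftpsState")
    if inline is not None:
        state = inline

    site_name = site.get("name", "")
    candidates = []
    # Nested child: type 'config' (or the full type) with name 'web'.
    for child in site.get("resources", []):
        if (child.get("type", "").lower() in ("config", "microsoft.web/sites/config")
                and child.get("name", "").lower() == "web"):
            candidates.append(child)
    # Top-level child: full type with name '<site>/web'.
    for res in template_resources:
        if (res.get("type", "").lower() == "microsoft.web/sites/config"
                and res.get("name", "").lower() == f"{site_name}/web".lower()):
            candidates.append(res)
    for cfg in candidates:
        child_state = cfg.get("properties", {}).get("ftpsState")
        if child_state is not None:
            state = child_state
    return state


def evaluate_template(template_json):
    """Return {siteName: {"ftpsState": value, "pass": bool}} for each web app."""
    resources = json.loads(template_json).get("resources", [])
    results = {}
    for res in resources:
        if res.get("type", "").lower() != "microsoft.web/sites":
            continue
        state = effective_ftps_state(res, resources)
        results[res["name"]] = {
            "ftpsState": state,
            "pass": state.lower() in SECURE_FTPS_STATES,
        }
    return results


def failing_sites(template_json):
    """Names of sites that still permit plain FTP, sorted for stable output."""
    return sorted(n for n, r in evaluate_template(template_json).items() if not r["pass"])


# Constructed sample template (not from the page): four sites covering the
# pass case, the unset default, a top-level config override and a nested one.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "app-pass",
         "properties": {"siteConfig": {"ftpsState": "FtpsOnly"}}},
        {"type": "Microsoft.Web/sites", "name": "app-default",
         "properties": {"siteConfig": {"alwaysOn": True}}},
        {"type": "Microsoft.Web/sites", "name": "app-override",
         "properties": {"siteConfig": {"ftpsState": "FtpsOnly"}}},
        {"type": "Microsoft.Web/sites/config", "name": "app-override/web",
         "properties": {"ftpsState": "AllAllowed"}},
        {"type": "Microsoft.Web/sites", "name": "app-nested",
         "properties": {},
         "resources": [{"type": "config", "name": "web",
                        "properties": {"ftpsState": "Disabled"}}]},
    ]
})

if __name__ == "__main__":
    for name, result in evaluate_template(SAMPLE_TEMPLATE).items():
        verdict = "PASS" if result["pass"] else "FAIL"
        print(f"{verdict} {name}: ftpsState={result['ftpsState']}")
```

The `app-override` case is the one worth noticing: the site's inline `siteConfig` looks compliant, but a separate `Microsoft.Web/sites/config` resource later in the same template re-enables plain FTP, so a check that only reads `siteConfig.ftpsState` would miss it. For an app that is already deployed, the same setting can be changed with `az webapp config set --resource-group <rg> --name <app> --ftps-state Disabled` (or `FtpsOnly`) and read back with `az webapp config show --resource-group <rg> --name <app> --query ftpsState`.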
Links#
Last update: 2022-05-26