FTP deployments should be disabled for Azure functions, web, and API services
Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0
Description
By default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.
Rationale
Azure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.
From the console
- Go to the Azure Portal
- Select App Services
- Click on an app
- Select Settings > Configuration
- Under Platform Settings, set FTP state to Disabled or FTPS Only
Impact
Deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.
References
- Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp
- Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities
CIS Controls
Version 7
14.4 Encrypt All Sensitive Information in Transit
16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.