rules/findings/azure/appservices/azure-app-service-ftp-enabled.json
|
{
"args": [], "provider": "Azure", "serviceType": "_ARG_0_", "serviceName": "Hosted Services", "displayName": "Ensure 'FTP State' is set to 'FTPS only' or 'Disabled'", "description": "By default, App Service supports deployment over FTP. If FTP is essential for a deployment workflow, FTPS should be enforced for all App Service apps.<br/><br/>If FTPS is not explicitly required, the recommended setting is Disabled.", "rationale": "FTP is an unencrypted network protocol that transmits data—including passwords—in clear text. The use of this protocol can lead to both data and credential compromise and can present opportunities for exfiltration, persistence, and lateral movement.", "impact": "Deployment workflows that rely on FTP or FTPS rather than WebDeploy or HTTPS endpoints may be affected.", "remediation": { "text": " #### Remediate from Azure Portal 1. Go to the Azure Portal 2. Select App Services 3. Click on an app 4. Select Settings and then Configuration 5. Under General Settings, for the Platform Settings, the FTP state should be set to Disabled or FTPS Only ", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/azure/app-service/deploy-ftp", "https://learn.microsoft.com/en-us/azure/app-service/overview-security", "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-encrypt-sensitive-information-in-transit", "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities", "https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-configuration?view=rest-appservice-2025-05-01&tabs=HTTP#ftpsstate", "https://learn.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest", "https://learn.microsoft.com/en-us/powershell/module/az.websites/get-azwebapp?view=azps-15.4.0", 
"https://learn.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-15.4.0" ], "compliance": [ { "name": "_ARG_1_", "version": "_ARG_2_", "reference": "_ARG_3_", "profile": [ "Level 1" ] } ], "level": "medium", "tags": [], "rule": { "path": "az_app_services", "subPath": null, "selectCondition": {}, "query": [ { "filter": [ { "conditions": [ [ "config.properties.ftpsState", "notmatch", "Disabled|FtpsOnly" ] ] } ] }, { "connectOperator": "and", "filter": [ { "include": "_ARG_4_" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "config.properties.ftpsState":"FTPS State" }, "expandObject": null }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [ "name", "location", "resourceGroupName", "config" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "config.properties.ftpsState":"FTPS State" }, "expandObject": null }, "status": { "keyName": ["name"], "message": "Ensure 'FTP State' is set to 'FTPS only' or 'Disabled' for {name}", "defaultMessage": null }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, "idSuffix": "azure__ARG_0__ftp_enabled", "notes": [], "categories": [], "immutable_properties": [ "name", "id" ], "id": "azure_app_service__ARG_5_" } |