
๐Ÿ›ก๏ธ Azure App Service Basic Authentication is enabled๐ŸŸขโšช

  • Contextual name: 🛡️ Basic Authentication is enabled 🟢⚪
  • ID: /ce/ca/azure/app-service/disable-basic-authentication
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-ca52f63a2 | | 

Description

In App Service, Basic Authentication refers to the per-app publishing credentials (a static username and password) accepted by the SCM (Kudu) site and by the FTP/FTPS deployment endpoint. They let anyone who holds them authenticate to the App Service without a centralized identity provider. For a more effective, capable and secure solution for identity, authentication, authorization and accountability, a centralized identity provider such as Entra ID is strongly advised.

Rationale

Basic Authentication introduces an identity silo: the publishing credentials are long-lived secrets stored per app, outside Entra ID, so they are not covered by MFA, Conditional Access or centralized revocation, and anyone holding them has privileged (deploy-level) access to the resource. Credentials exposed in a publish profile or build log, reused across environments, or guessed against the SCM and FTP endpoints are all practical ways to exploit this, which makes it a significant vulnerability and attack vector.

Impact

Anything that still authenticates with the publishing credentials, such as FTP/FTPS uploads, local Git pushes and tooling driven by a downloaded publish profile, will stop working. Deployments must instead authenticate through an identity provider the App Service trusts, such as Entra ID (for example the Azure CLI, or a CI/CD pipeline using a service principal or managed identity).

Audit

From Azure Portal
  1. Search for and open App Services from the search bar.
  2. For each App Service listed, do the following:
  3. Select the App Service name.
  4. Under the Settings menu item, click on Configuration.
  5. Under the General settings tab, scroll down to locate the two Basic Auth settings:
    • SCM Basic Auth Publishing Credentials.
    • FTP Basic Auth Publishing Credentials.

... see more

Remediation

From Azure Portal

  1. Search for and open App Services from the search bar.
  2. For each App Service listed, do the following:
  3. Select the App Service name.
  4. Under the Settings menu item, click on Configuration.
  5. Under the General settings tab, scroll down to locate the two Basic Auth settings:
    • Set the SCM Basic Auth Publishing Credentials radio button to Off.
    • Set the FTP Basic Auth Publishing Credentials radio button to Off.

CAUTION: The new settings are not yet applied. Applying them may cause your App Service resource to restart. Proceed with caution. Click the Save button, then click Continue to apply the updated configuration. Repeat this procedure for each App Service.
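The portal steps above can be scripted with the Azure CLI against the same two settings, which Azure exposes as the `scm` and `ftp` children of each app's `basicPublishingCredentialsPolicies` resource (`properties.allow` is `true` while basic auth is enabled). The script below is an added example, not code from the policy page or from Cloudaware. It assumes `az` is installed and logged in to the target subscription, that the caller has write access to the apps when running `remediate`, and that it is saved under a name of your choosing (`check-basic-auth.sh` here). The `verdict` function treats anything other than an explicit `false` (including a missing policy resource) as basic auth still allowed.

```shell
#!/usr/bin/env bash
# Added example (not from the policy page): audit and remediate the SCM and FTP
# basic-auth publishing-credential policies on Azure App Service apps with the
# Azure CLI. Assumes `az` is installed and `az login` has been run.
set -euo pipefail

# verdict SCM_ALLOW FTP_ALLOW
# Takes the `properties.allow` values of the scm and ftp
# basicPublishingCredentialsPolicies and prints PASS only when both are
# explicitly "false"; an empty value (policy resource absent) counts as allowed.
# `az ... -o tsv` prints booleans as True/False, hence the case folding.
verdict() {
  local scm_allow ftp_allow open=""
  scm_allow=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  ftp_allow=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  if [ "$scm_allow" != "false" ]; then open="${open}scm "; fi
  if [ "$ftp_allow" != "false" ]; then open="${open}ftp "; fi
  if [ -z "$open" ]; then
    echo "PASS"
  else
    echo "FAIL basic auth allowed on: ${open% }"
  fi
}

# policy_allow RG APP KIND -> prints properties.allow; KIND is scm or ftp.
policy_allow() {
  az resource show \
    --resource-group "$1" --parent "sites/$2" \
    --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies \
    --name "$3" --query properties.allow -o tsv
}

# audit_subscription: one PASS/FAIL line per app in the current subscription.
audit_subscription() {
  az webapp list --query "[].[resourceGroup,name]" -o tsv |
  while IFS=$'\t' read -r rg app; do
    printf '%s/%s: %s\n' "$rg" "$app" \
      "$(verdict "$(policy_allow "$rg" "$app" scm)" "$(policy_allow "$rg" "$app" ftp)")"
  done
}

# remediate_app RG APP: set both policies to allow=false (the CIS 9.6 fix).
# Like the portal Save, this may restart the app.
remediate_app() {
  local kind
  for kind in scm ftp; do
    az resource update \
      --resource-group "$1" --parent "sites/$2" \
      --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies \
      --name "$kind" --set properties.allow=false --output none
  done
}

case "${1:-}" in
  audit)     audit_subscription ;;
  remediate) remediate_app "$2" "$3" ;;
  *)         echo "usage: $0 audit | remediate <resource-group> <app-name>" >&2 ;;
esac
```

`./check-basic-auth.sh audit` prints one line per app; `./check-basic-auth.sh remediate <resource-group> <app-name>` applies the same change as the two portal radio buttons, with the same restart caveat. Re-run `audit` afterwards to confirm both endpoints report `false`.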

policy.yaml

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 CIS Azure v3.0.0 → 💼 9.6 Ensure that 'Basic Authentication' is 'Disabled' (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 53 | no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 237105 | no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) | 21 | no data
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) | 21416 | no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 61437 | no data
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) | 8 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 137 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 189 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) | 21 | no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) | 216 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H) | 437 | no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights | 312 | no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets | 1127 | no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control | 1431 | no data
💼 ISO/IEC 27001:2022 → 💼 8.3 Information access restriction | 1024 | no data
💼 ISO/IEC 27001:2022 → 💼 8.4 Access to source code | 822 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1934 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1756 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks) | 1923 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4791 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 181 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | 89 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 43 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated | 53 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 133 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 187 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 160 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 184 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 123 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement | 3269123 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | 3133 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information | 910 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption | 1221 | no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication | 1824 | no data
💼 UK Cyber Essentials → 💼 1.3 Block unauthenticated inbound connections by default | 23 | no data