🛡️ Azure App Service FTP deployments are not disabled🟢

Contextual name: 🛡️ FTP deployments are not disabled🟢
ID: /ce/ca/azure/app-service/disable-ftp-deployments
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure App Service
- 🔌 Azure App Service - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Disable Plain FTP Deployment
Internal: dec-x-c0a7793e

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-c0a7793e	1

Description

Open File

Description

By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP logins on all App Services.

If FTPS is not expressly required for the App, the recommended setting is Disabled.

Rationale

FTP is an unencrypted network protocol that transmits data, including passwords, in clear text. The use of this protocol can lead to both data and credential compromise and can present opportunities for exfiltration, persistence, and lateral movement.

Impact

Any deployment workflows that rely on FTP or FTPS rather than the WebDeploy or HTTPS endpoints may be affected.

Audit

From Azure Portal

Go to the Azure portal.

Select App Services.

Select an app.

Select Settings and then Configuration.

Under General Settings, in Platform Settings, the FTP state should not be set to All allowed.

From Azure CLI

List web apps to obtain the IDs:
az webapp list
List the publish profiles to obtain the username, password, and FTP server URL:

... see more

Remediation

Open File

Remediation

From Azure Portal

Go to the Azure portal.

Select App Services.

Select an app.

Select Settings and then Configuration.

Under General Settings, in Platform Settings, set FTP state to Disabled or FTPS Only.

From Azure CLI

For each out-of-compliance application, run the following, choosing either disabled or FtpsOnly as appropriate:
az webapp config set \
    --resource-group {{resource-group-name}} \
    --name {{app-name}} \
    --ftps-state [disabled|FtpsOnly]
From PowerShell

For each out-of-compliance application, run the following:
Set-AzWebApp `
    -ResourceGroupName {{resource-group-name}} `
    -Name {{app-name}} `
    -FtpsState {{Disabled or FtpsOnly}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22	no data
💼 CIS Azure v1.3.0 → 💼 9.10 Ensure FTP deployments are disabled - Level 1 (Automated)		1	1	no data
💼 CIS Azure v1.4.0 → 💼 9.10 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1	no data
💼 CIS Azure v1.5.0 → 💼 9.10 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1	no data
💼 CIS Azure v2.0.0 → 💼 9.10 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1	no data
💼 CIS Azure v2.1.0 → 💼 9.9 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1	no data
💼 CIS Azure v3.0.0 → 💼 9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled' (Automated)			1	no data
💼 Cloudaware Framework → 💼 Data Encryption			61	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105	no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		26	27	no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84	no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	25	no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	24	no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43	no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	21	no data
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	36	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49	no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25	no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		36	no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19	no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks		5	5	no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	15	no data
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer		8	10	no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44	no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53	no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91	no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	27	no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	23	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	17	37	no data
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16	no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	28	no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16	no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		28	no data
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16	no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	28	no data
💼 SOC 2 → 💼 CC6.6-1 Restricts Access		16	19	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Audit​

From Azure Portal​

From Azure CLI​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Audit

From Azure Portal

From Azure CLI

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections