📝 Azure App Service FTP deployments are not disabled 🟢

• Contextual name: 📝 FTP deployments are not disabled 🟢
• ID: /ce/ca/azure/app-service/disable-ftp-deployments
• Located in: 📁 Azure App Service

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Disable Plain FTP Deployment
• Internal
  • dec-x-c0a7793e

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-c0a7793e	1

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Azure App Service
  • 🔌 Azure App Service - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Services.

If FTPS is not expressly required for the App, the recommended setting is Disabled.

Rationale

FTP is an unencrypted network protocol that will transmit data - including passwords - in clear-text. The use of this protocol can lead to both data and credential compromise, and can present opportunities for exfiltration, persistence, and lateral movement.

Impact

Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.

Audit

From Azure Portal

1. Go to the Azure Portal.
2. Select App Services.
3. Click on an app.
4. Select Settings and then Configuration.
5. Under General Settings, for the Platform Settings, the FTP state should not be set to All allowed.

From Azure CLI

List webapps to obtain the ids:

az webapp list

List the publish profiles to obtain the username, password and ftp server url:

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Go to the Azure Portal.
2. Select App Services.
3. Click on an app.
4. Select Settings and then Configuration.
5. Under General Settings, for the Platform Settings, the FTP state should be set to Disabled or FTPS Only.

From Azure CLI

For each out of compliance application, run the following choosing either disabled or FtpsOnly as appropriate:

az webapp config set --resource-group <resource group name> --name <app name> --ftps-state [disabled|FtpsOnly]

From PowerShell

For each out of compliance application, run the following:

Set-AzWebApp -ResourceGroupName <resource group name> -Name <app name> -FtpsState <Disabled or FtpsOnly>

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		17	18
💼 CIS Azure v1.3.0 → 💼 9.10 Ensure FTP deployments are disabled - Level 1 (Automated)		1	1
💼 CIS Azure v1.4.0 → 💼 9.10 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1
💼 CIS Azure v1.5.0 → 💼 9.10 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1
💼 CIS Azure v2.0.0 → 💼 9.10 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1
💼 CIS Azure v2.1.0 → 💼 9.9 Ensure FTP deployments are Disabled - Level 1 (Automated)		1	1
💼 CIS Azure v3.0.0 → 💼 9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled' (Automated)			1
💼 Cloudaware Framework → 💼 Data Encryption			31
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	47
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	31	65
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		20	21
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			13
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	6	33
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	6	10
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		6	10
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		13	16
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		5	7
💼 FedRAMP High Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1	7	17
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			23
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		10
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			10
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			16
💼 FedRAMP Low Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		17
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			47
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		51
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			13
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		29
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		10
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			10
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			16
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			7
💼 FedRAMP Moderate Security Controls → 💼 SC-28 Protection of Information at Rest (L)(M)(H)	1		17
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		14	15
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks		4	4
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		7	8
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer		8	9
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		7	13
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		14	21
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		43	51
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		18	19
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		7	13
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			89
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			13
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			82
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			69
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			67
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			40
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		25	27
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		11	13
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	10
💼 NIST SP 800-53 Revision 5 → 💼 SC-28 Protection of Information at Rest	3	15	18
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	6	9
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		9
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		9