Description:
Azure App Services support FTP and FTPS for application deployment, but FTP uses clear-text credentials and is not secure. Attackers can intercept FTP traffic and gain unauthorized access to application code, configuration files, or sensitive assets. This control ensures that FTP deployments are disabled and only secure alternatives like FTPS or WebDeploy are used. Disabling FTP prevents credential exposure, reduces attack surface, and aligns with modern deployment security standards.
Rationale:
This control verifies whether FTP deployments are disabled for App Services. If FTP is enabled, an attacker monitoring insecure networks may capture credentials and gain full access to the app environment. FTP exposure creates a significant risk when deployment credentials are subscription-scoped. Ensuring only FTPS or no FTP is allowed helps prevent credential theft, unauthorized code changes, and application compromise.
Impact:
Disabling FTP improves application security but may impact workflows that rely on legacy FTP-based deployment. Teams must transition to secure methods. Any automated pipelines or tools using FTP will require updates to use FTPS or preferred deployment APIs.
Default Value:
By default, FTP deployments are enabled for Azure App Services.
Pre-requisites:
Azure App Service must exist and be configured under App Services.
Test Plan:
Sign in to the Azure Portal https://portal.azure.com
Navigate to App Services.
Select the target App Service.
Open Configuration under Settings.
In General settings, under Platform settings, check the FTP state.
Verify the FTP state is set to Disabled or FTPS Only.
If the FTP state is not Disabled or FTPS Only, follow the implementation steps.
Implementation Steps:
Sign in to the Azure Portal https://portal.azure.com
Navigate to App Services.
Select the target App Service.
Open Configuration under Settings.
In General settings, under Platform settings, locate the FTP state option.
Set the FTP state to Disabled or FTPS Only.
Save the configuration changes.
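The Test Plan check can also be scripted for every App Service in a subscription. The following is an added example, not part of the original control text: the function names and the sample inventory are constructed for illustration, and `--live` mode assumes the Azure CLI is installed and logged in.

```shell
#!/bin/sh
# Helper names are illustrative; --live mode assumes a logged-in `az` session.
# Disabled and FtpsOnly satisfy the control; AllAllowed, empty or unknown
# values are treated as failures.
ftps_state_compliant() {
  case "$1" in
    Disabled|FtpsOnly) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "name<TAB>resource-group<TAB>ftpsState" lines on stdin, prints one
# PASS/FAIL line per app, and returns non-zero if any app fails.
audit_report() {
  failed=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name rg state; do
    [ -n "$name" ] || continue
    if ftps_state_compliant "$state"; then
      printf 'PASS %s/%s ftpsState=%s\n' "$rg" "$name" "$state"
    else
      printf 'FAIL %s/%s ftpsState=%s\n' "$rg" "$name" "${state:-unknown}"
      failed=1
    fi
  done
  return "$failed"
}

# Emits one TSV line per web app in the current subscription.
collect_ftps_states() {
  tab=$(printf '\t')
  az webapp list --query '[].[name, resourceGroup]' -o tsv |
  while IFS="$tab" read -r name rg; do
    state=$(az webapp config show -g "$rg" -n "$name" \
      --query ftpsState -o tsv </dev/null) || state=""
    printf '%s\t%s\t%s\n' "$name" "$rg" "$state"
  done
}

# Constructed sample inventory, used when the script runs without --live.
sample_inventory() {
  printf 'web-a\trg-demo\tDisabled\nweb-b\trg-demo\tAllAllowed\n'
}

if [ "${1:-}" = "--live" ]; then
  collect_ftps_states | audit_report
else
  sample_inventory | audit_report || true
fi
```

An app reported as FAIL can be brought into compliance from the CLI with `az webapp config set -g <resource-group> -n <app-name> --ftps-state Disabled` (or `FtpsOnly`), which is the command-line equivalent of the portal steps above.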
Backout Plan:
Sign in to the Azure Portal https://portal.azure.com
Navigate to App Services.
Select the App Service.
Open Configuration under Settings.
In General settings, under Platform settings, locate the FTP state.
Change the FTP state back to All allowed if required for legacy workflows.
Save the configuration changes.