iCompaas Support

Description:

This check ensures that the web app hosted in Azure App Service is configured to require incoming client certificates for authentication. Enabling client certificates provides a secure way to authenticate clients by verifying that only those with valid certificates can access the web app.

Rationale:

Enabling client certificates ensures that only authenticated clients with valid certificates can connect to the web application. This method uses mutual TLS (mTLS), providing a high level of security by verifying both the server and client. It is essential for environments that require strict access control, such as financial services or government applications.

Impact:

This provides an additional layer of security by requiring certificates from clients for authentication, ensuring that only authorized users and systems can access the web application. It also reduces the risk of unauthorized access and protects against man-in-the-middle attacks.

Default Value:

By default, incoming client certificates are disabled in Azure App Service. This setting must be manually configured.

Pre-requisites:

• Required permissions on the Web App (Owner / Contributor / Website Contributor).

• Client certificates available.

• HTTPS is enabled on the Web App.

Test Plan:

1. Sign in to the Azure Portal.

2. Navigate to App Services and select the target Web App.

3. Under Settings, select Configuration.

4. In the General settings tab.

5. Locate Incoming client certificates.

6. Verify Client Certificate Mode is set to Require.

7. If Client Certificate Mode is not set to Require, follow the Implementation Steps

Implementation steps:

1. Sign in to the Azure Portal.

2. Navigate to App Services.

3. Select the required Web App.

4. Under Settings, click Configuration.

5. In the General settings tab.

6. Locate Incoming client certificates.

7. Set Client Certificate Mode to Require.

8. Click Save to apply the changes.

Backout Plan:

1. Sign in to the Azure Portal.

2. Navigate to App Services.

3. Select the affected Web App.

4. Under Settings, click Configuration.

5. Open the General settings tab.

6. Locate Incoming client certificates.

7. Change Client Certificate Mode to the previous option.

8. Click Save to apply the changes.

References:

• https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

• https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management