Profile Applicability:
- Level 1
Description:
Azure App Service allows FTP access by default. This check ensures that the FTP State of each app is set to either 'FTPS Only' or 'Disabled', so that the insecure FTP protocol, which transmits data (including credentials) in clear text, cannot be used. 'FTPS Only' encrypts every file-transfer session with TLS, while 'Disabled' turns off FTP access altogether so that no unencrypted transfer is possible.
Rationale:
FTP is an insecure protocol that transmits sensitive data, including login credentials, in plain text. Using FTPS (FTP over SSL/TLS) ensures that data in transit is encrypted and secure. Disabling FTP altogether eliminates the risk of unencrypted data being exposed. This configuration is crucial to meet security best practices and compliance standards.
Impact:
Pros:
Enforces secure file transfers using FTPS.
Eliminates the risk of data interception by disabling unencrypted FTP.
Meets compliance requirements for secure data transmission (e.g., PCI DSS).
Cons:
Requires configuration and management of FTPS certificates if using FTPS.
May disrupt existing workflows that rely on plain FTP: with 'FTPS Only' they must be switched to FTPS, and with 'Disabled' they can no longer use FTP at all.
Default Value:
By default, Azure App Service allows both FTP and FTPS (FTP State 'All Allowed'). Plain FTP is not disabled unless the setting is manually changed to 'FTPS Only' or 'Disabled'.
Pre-requisites:
Ensure that FTPS certificates are configured for use if choosing the 'FTPS Only' option.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the App Services blade.
Select the app you want to review.
Under the Settings section, click on Configuration.
In the General Settings section, verify that FTP State is set to either 'FTPS Only' or 'Disabled'.
Using Azure CLI:
To check the FTP state for an existing app, run the following command:
az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query ftpsState
The command prints the value as a JSON string. It must be "FtpsOnly" or "Disabled" for the app to be compliant; "AllAllowed" means plain FTP is still permitted.
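The Test Plan checks one app at a time. The following added script (not part of the benchmark text) extends the same az commands to every App Service in the current subscription and classifies each app's FTP State, treating an empty or unrecognised value as non-compliant because the default is 'All Allowed'. It assumes an authenticated Azure CLI session; the function and report format are the script's own.

```shell
#!/bin/sh
# Added example, not part of the original benchmark: audit every App Service in
# the current subscription for its FTP State and flag any app still allowing FTP.

# Classify a raw ftpsState value exactly as the Test Plan does. Accepts the value
# with or without the JSON quotes that `az ... --query ftpsState` prints by default.
classify_ftps_state() {
    state=$(printf '%s' "$1" | tr -d '"[:space:]')
    case "$state" in
        FtpsOnly|Disabled) echo "compliant" ;;
        AllAllowed)        echo "non-compliant" ;;
        # Empty or unknown: the secure setting cannot be confirmed, so do not
        # assume it (the service default is All Allowed).
        *)                 echo "non-compliant" ;;
    esac
}

# Map the CLI value back to the label shown under General Settings in the portal.
describe_ftps_state() {
    case "$(printf '%s' "$1" | tr -d '"[:space:]')" in
        FtpsOnly)   echo "FTPS Only" ;;
        Disabled)   echo "Disabled" ;;
        AllAllowed) echo "All Allowed" ;;
        *)          echo "Unknown" ;;
    esac
}

# Enumerate all web apps (name and resource group, tab-separated), then query each
# one with the same `az webapp config show` call as the Test Plan and print a row:
# app, resource group, portal label, verdict. Pipe through `grep non-compliant`
# to list only the apps that need the Implementation Plan applied.
audit_ftps_state() {
    az webapp list --query "[].[name,resourceGroup]" -o tsv |
    while IFS="$(printf '\t')" read -r app rg; do
        state=$(az webapp config show --resource-group "$rg" --name "$app" \
                    --query ftpsState -o tsv)
        printf '%-40s %-30s %-12s %s\n' "$app" "$rg" \
            "$(describe_ftps_state "$state")" "$(classify_ftps_state "$state")"
    done
}

# Usage: sh audit_ftps_state.sh --run   (after `az login`)
if [ "${1:-}" = "--run" ]; then
    audit_ftps_state
fi
```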
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to configure FTP settings.
Under the Settings section, click on Configuration.
In the General Settings section, set FTP State to 'FTPS Only' or 'Disabled'.
Click Save to apply the changes.
Using Azure CLI:
To set the FTP state to 'FTPS Only', run the following command:
az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --ftps-state FtpsOnly
To disable FTP entirely, run the following command:
az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --ftps-state Disabled
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to revert the FTP setting.
Under the Settings section, click on Configuration.
In the General Settings section, set FTP State to 'All Allowed' if needed (to allow both FTP and FTPS).
Click Save to apply the changes.
Using Azure CLI:
To revert FTP state to 'All Allowed', run the following command:
az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --ftps-state AllAllowed