Profile Applicability:
- Level 1
Description:
This check ensures that the web app hosted in Azure App Service enforces a minimum TLS (Transport Layer Security) version of 1.2 or higher. TLS is the protocol that protects HTTP traffic between clients and the app. The setting is a floor, not a fixed version: with the minimum set to 1.2, the platform still negotiates 1.3 with clients that support it, but rejects handshakes from clients that only offer TLS 1.0 or 1.1, both of which have known weaknesses.
Rationale:
TLS 1.0 and 1.1 were formally deprecated by RFC 8996. They rely on legacy constructions (an MD5/SHA-1 based PRF and CBC cipher suites with fragile padding handling) and have been the subject of practical attacks such as BEAST against TLS 1.0, as well as protocol-downgrade attacks in which an attacker on the network path forces a client that supports newer versions to fall back to an older, weaker one. Enforcing a minimum of TLS 1.2 removes that downgrade path, so an attacker positioned between the client and the app cannot recover or tamper with session data by exploiting these versions.
Impact:
Pros:
Ensures that web traffic is encrypted and protected with the latest security protocols.
Reduces the risk of data breaches and cyberattacks that target older versions of TLS.
Meets compliance requirements for encryption of data in transit (e.g., PCI DSS, which has required TLS 1.0 to be disabled on cardholder-data systems since June 2018).
Cons:
May require configuration changes for legacy applications that rely on older versions of TLS.
Clients that cannot negotiate TLS 1.2 (for example, very old browsers, embedded devices, or partner integrations built on outdated TLS libraries) will fail to connect. Review access logs or partner documentation for such clients before enforcing the setting, rather than discovering them through outages.
Default Value:
Newly created Azure App Service web apps default to a minimum TLS version of 1.2. Apps created before that default was introduced may still allow TLS 1.0, and the value is stored per site (each deployment slot has its own configuration), so the setting must be verified on every app and slot rather than assumed.
Pre-requisites:
Ensure that the web app is served over HTTPS (HTTPS Only is recommended so that plaintext requests are redirected) and that a valid certificate is bound to each custom domain. For the CLI steps, install the Azure CLI, sign in with az login, and use an identity that can read and modify site configuration (e.g., the Website Contributor role on the app).
Test Plan:
Using Azure Portal:
Log in to the Azure portal at https://portal.azure.com.
Go to the App Services blade.
Select the app you want to review.
Under the Settings section, click on TLS/SSL settings (in newer portal layouts the setting is under Configuration > General settings as Minimum Inbound TLS Version).
In the Bindings pane, ensure that the Minimum TLS Version is set to 1.2 or higher. Repeat the check for each deployment slot of the app, as slots keep their own configuration.
Using Azure CLI:
To check the minimum TLS version for an existing app, run the following command:
az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query minTlsVersion
The output should be "1.2" or higher (the value is returned as a JSON string; add -o tsv to get the bare value for scripting). A value of "1.0" or "1.1" is a finding. Run the same command with --slot <SLOT_NAME> for each deployment slot, since a compliant production slot does not cover its slots.
Implementation Plan:
Using Azure Portal:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to configure TLS settings.
Under the Settings section, click on TLS/SSL settings (in newer portal layouts, Configuration > General settings > Minimum Inbound TLS Version).
In the Bindings pane, set Minimum TLS Version to 1.2 (or a higher version if every client is known to support it).
Click Save to apply the changes.
Using Azure CLI:
To set the minimum TLS version for an existing app, run the following command (add --slot <SLOT_NAME> to apply it to a deployment slot):
az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --min-tls-version 1.2
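The two CLI commands above check and fix one app at a time. The following script, an added example and not part of the benchmark or of Microsoft's tooling, applies the same check across every app and deployment slot in the current subscription and, when asked, remediates the non-compliant ones with the same az webapp config set call. It assumes the Azure CLI is installed and logged in when run live; the AUDIT_LIVE and REMEDIATE environment variables are conventions invented for this script, and the SAMPLE_TSV data is constructed so that the audit logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Audit App Service apps and slots for minTlsVersion; optionally remediate.
# Added example for this benchmark item, not part of the original text.
set -euo pipefail

REQUIRED_MIN_TLS="1.2"

# Returns 0 when VERSION is a numeric TLS version >= REQUIRED_MIN_TLS, 1 otherwise.
# Empty, "null" or malformed values are treated as non-compliant so they surface as findings.
is_min_tls_compliant() {
  awk -v v="${1:-}" -v r="$REQUIRED_MIN_TLS" 'BEGIN {
    if (v !~ /^[0-9]+\.[0-9]+$/) exit 1
    exit !(v + 0 >= r + 0)
  }'
}

# Reads "resourceGroup<TAB>app[/slot]<TAB>minTlsVersion" lines on stdin and
# prints only the non-compliant ones in the same format.
list_noncompliant() {
  while IFS=$'\t' read -r rg app ver; do
    if ! is_min_tls_compliant "$ver"; then
      printf '%s\t%s\t%s\n' "$rg" "$app" "$ver"
    fi
  done
}

# Emits one line per app and per deployment slot using the Azure CLI (live mode only).
collect_live() {
  az webapp list --query "[].[resourceGroup,name]" -o tsv |
  while IFS=$'\t' read -r rg name; do
    ver=$(az webapp config show -g "$rg" -n "$name" --query minTlsVersion -o tsv)
    printf '%s\t%s\t%s\n' "$rg" "$name" "$ver"
    # Slots carry their own site config; a compliant production slot does not cover them.
    az webapp deployment slot list -g "$rg" -n "$name" --query "[].name" -o tsv |
    while read -r slot; do
      ver=$(az webapp config show -g "$rg" -n "$name" --slot "$slot" --query minTlsVersion -o tsv)
      printf '%s\t%s/%s\t%s\n' "$rg" "$name" "$slot" "$ver"
    done
  done
}

# Raises the minimum TLS version on one "app" or "app/slot" target.
remediate() {
  rg=$1; target=$2
  case "$target" in
    */*) az webapp config set -g "$rg" -n "${target%%/*}" --slot "${target#*/}" \
           --min-tls-version "$REQUIRED_MIN_TLS" ;;
    *)   az webapp config set -g "$rg" -n "$target" --min-tls-version "$REQUIRED_MIN_TLS" ;;
  esac
}

# Constructed sample standing in for collect_live output, used when not running live.
SAMPLE_TSV=$(printf 'rg-prod\tshop-web\t1.2\nrg-prod\tshop-web/staging\t1.0\nrg-legacy\tintranet\t1.1\nrg-prod\tapi\t1.3\n')

if [ "${AUDIT_LIVE:-0}" = "1" ]; then
  findings=$(collect_live | list_noncompliant)
else
  findings=$(printf '%s\n' "$SAMPLE_TSV" | list_noncompliant)
fi

if [ -n "$findings" ]; then
  echo "Non-compliant (minTlsVersion below $REQUIRED_MIN_TLS):"
  printf '%s\n' "$findings"
  if [ "${REMEDIATE:-0}" = "1" ]; then
    printf '%s\n' "$findings" | while IFS=$'\t' read -r rg target _; do
      remediate "$rg" "$target"
    done
  fi
else
  echo "All apps and slots meet the minimum TLS version."
fi
```

Run it with AUDIT_LIVE=1 to audit the signed-in subscription, and AUDIT_LIVE=1 REMEDIATE=1 to also apply the fix; without those variables it only evaluates the constructed sample. After remediation, an external check such as openssl s_client -tls1_1 -connect <APP_NAME>.azurewebsites.net:443 should fail to complete a handshake, which confirms the platform is enforcing the setting rather than merely storing it.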
Backout Plan:
Using Azure Portal:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to revert the TLS version setting.
Under the Settings section, click on TLS/SSL settings.
In the Bindings pane, set Minimum TLS Version to 1.0 or 1.1, only if a legacy client genuinely requires it. Reverting reintroduces the exposure described in the Rationale, so record the exception, time-box it, and plan the client upgrade that allows TLS 1.2 to be enforced again.
Click Save to apply the changes.
Using Azure CLI:
To revert the minimum TLS version to an older version (for example 1.0, or 1.1 if that is sufficient for the legacy client), run the following command, adding --slot <SLOT_NAME> if the change applies to a deployment slot:
az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --min-tls-version 1.0