Azure Introduction
Azure Pricing
Azure Threats
Disable Plain FTP Deployment
More Info:
Ensure that FTP access is disabled for your Azure App Services web applications.
Risk Level
Medium
Address
Security
Compliance Standards
Triage and Remediation
Remediation
To remediate the misconfiguration of disabling plain FTP deployment in AZURE, please follow the below steps:
-
Log in to the AZURE portal (https://portal.azure.com/).
-
Select the App Service that you want to remediate.
-
Click on the “Deployment Center” option from the left-hand side menu.
-
Select the “FTP” option under the “Deployment method” section.
-
Click on the “FTP Access” option.
-
In the “FTP Access” window, select the “FTP” option and click on the “Save” button.
-
Now, select the “FTP/S (SSL)” option and click on the “Save” button.
-
Click on the “Save” button in the “Deployment Center” window to save the changes.
-
Now, plain FTP deployment is disabled, and only secure FTP/S (SSL) is enabled for the selected App Service.
Note: It is recommended to use secure FTP/S (SSL) for deployment to ensure that the data is encrypted during transmission.
To remediate the misconfiguration of disabling plain FTP deployment in Azure using Azure CLI, you can follow the below steps:
Step 1: Open Azure CLI and login to your Azure account using the command:
az login
Step 2: Once you have logged in, you need to select the subscription that contains the App Service where you want to disable plain FTP deployment using the command:
az account set --subscription <subscription-id>
Replace the <subscription-id> with the actual ID of your subscription.
Step 3: Next, you need to set the configuration of your App Service to disable plain FTP deployment. To do this, use the following command:
az webapp config set --name <app-name> --resource-group <resource-group-name> --ftps-state Disabled
Replace <app-name> with the name of your App Service and <resource-group-name> with the name of the resource group where your App Service is located.
Step 4: Finally, verify that plain FTP deployment has been disabled by running the following command:
az webapp config show --name <app-name> --resource-group <resource-group-name> --query ftpsState
This command will return the current state of the FTPS (FTP over SSL) deployment for your App Service. If it returns “Disabled”, then plain FTP deployment has been successfully disabled.
That’s it! You have now remediated the misconfiguration of disabling plain FTP deployment in Azure using Azure CLI.
To remediate the misconfiguration of disabling plain FTP deployment in Azure using Python, you can follow these steps:
- Connect to the Azure Subscription using the Azure Python SDK.
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.web import WebSiteManagementClient
from azure.mgmt.web.models import SiteConfig, FtpsState
# Tenant ID for Azure Subscription
TENANT_ID = '<your tenant id>'
# Client ID (Application ID) for Azure Subscription
CLIENT_ID = '<your client id>'
# Client Secret for Azure Subscription
CLIENT_SECRET = '<your client secret>'
# Subscription ID for Azure Subscription
SUBSCRIPTION_ID = '<your subscription id>'
# Resource Group Name for the Web App
RESOURCE_GROUP_NAME = '<your resource group name>'
# Name of the Web App
WEB_APP_NAME = '<your web app name>'
# Create a Service Principal Credential object
credentials = ServicePrincipalCredentials(
client_id=CLIENT_ID,
secret=CLIENT_SECRET,
tenant=TENANT_ID
)
# Create a Resource Management Client object
resource_client = ResourceManagementClient(
credentials,
SUBSCRIPTION_ID
)
# Create a WebSite Management Client object
web_client = WebSiteManagementClient(
credentials,
SUBSCRIPTION_ID
)
# Get the Web App Configuration
web_app_config = web_client.web_apps.get_configuration(
RESOURCE_GROUP_NAME,
WEB_APP_NAME
)
# Get the current Ftps State
ftps_state = web_app_config.ftps_state
# Check if the Ftps State is not set to FtpsOnly
if ftps_state != FtpsState.FtpsOnly:
# Set the Ftps State to FtpsOnly
web_app_config.ftps_state = FtpsState.FtpsOnly
# Update the Web App Configuration
web_client.web_apps.update_configuration(
RESOURCE_GROUP_NAME,
WEB_APP_NAME,
web_app_config
)
-
Replace the
TENANT_ID,CLIENT_ID,CLIENT_SECRET,SUBSCRIPTION_ID,RESOURCE_GROUP_NAME, andWEB_APP_NAMEvariables with your own values. -
Run the script to disable plain FTP deployment in Azure for the specified Web App.