More Info:

Enable FTPS-only access for your Microsoft Azure App Services web applications.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP

Triage and Remediation

Remediation

Using Console

To enable FTPS-only access for App Services in Azure, you can follow these steps:
  1. Open the Azure Portal and navigate to the App Service that you want to configure.
  2. Click on the “Networking” tab in the left-hand menu.
  3. Under “FTP Access,” select “FTPS Only” from the drop-down menu.
  4. Click “Save” to apply the changes.
Note: Enabling FTPS-only access will disable standard FTP and SFTP access.Additionally, you can also configure the SSL/TLS settings for FTPS by following these steps:
  1. Under “SSL/TLS settings,” select “Require SSL/TLS” from the drop-down menu.
  2. Under “FTP Access,” select “FTPS Only” from the drop-down menu.
  3. Click “Save” to apply the changes.
These steps will ensure that only FTPS is enabled for your App Service, and that SSL/TLS encryption is required for all FTPS connections.

To remediate the misconfiguration “Enable FTPS-Only Access For App Services” for Azure using Azure CLI, you can follow the below steps:Step 1: Open the Azure CLI and login to your Azure account using the command “az login”.Step 2: Once you are logged in, you need to select the subscription that contains the App Service you want to remediate. You can use the command “az account set —subscription <subscription-id>” to set the subscription.Step 3: Now, you need to enable FTPS-Only Access for the App Service. You can use the following command to do this:
az webapp config set --resource-group <resource-group-name> --name <app-service-name> --ftps-state FtpsOnly
In the above command, replace <resource-group-name> with the name of the resource group that contains the App Service you want to remediate, and replace <app-service-name> with the name of the App Service.Step 4: Once you run the above command, it will enable FTPS-Only Access for the App Service. You can verify this by going to the Azure portal and checking the FTPS settings for the App Service.By following the above steps, you can successfully remediate the misconfiguration “Enable FTPS-Only Access For App Services” for Azure using Azure CLI.
To remediate the misconfiguration “Enable FTPS-Only Access for App Services” in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using the below command:
pip install azure
Step 2: Connect to the Azure subscription using the below code:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.web import WebSiteManagementClient

# Tenant ID for Azure subscription
TENANT_ID = '<Tenant ID>'

# Client ID (Application ID) for Service Principal
CLIENT_ID = '<Client ID>'

# Client Secret for Service Principal
CLIENT_SECRET = '<Client Secret>'

# Subscription ID for Azure subscription
SUBSCRIPTION_ID = '<Subscription ID>'

# Resource Group Name
RESOURCE_GROUP_NAME = '<Resource Group Name>'

# Web App Name
WEB_APP_NAME = '<Web App Name>'

# Create Service Principal Credentials object
credentials = ServicePrincipalCredentials(
    client_id=CLIENT_ID,
    secret=CLIENT_SECRET,
    tenant=TENANT_ID
)

# Create Resource Management Client object
resource_client = ResourceManagementClient(
    credentials,
    SUBSCRIPTION_ID
)

# Create Web Site Management Client object
web_client = WebSiteManagementClient(
    credentials,
    SUBSCRIPTION_ID
)
Step 3: Get the FTPS state of the web app using the below code:
# Get the web app
web_app = web_client.web_apps.get(RESOURCE_GROUP_NAME, WEB_APP_NAME)

# Get the FTPS state
ftps_state = web_app.ftps_state
Step 4: If the FTPS state is not ‘FtpsOnly’, then update the FTPS state using the below code:
if ftps_state != 'FtpsOnly':
    # Update the FTPS state to 'FtpsOnly'
    web_app.ftps_state = 'FtpsOnly'
    web_client.web_apps.create_or_update(RESOURCE_GROUP_NAME, WEB_APP_NAME, web_app)
Step 5: Verify that the FTPS state has been updated to ‘FtpsOnly’ using the below code:
# Get the web app
web_app = web_client.web_apps.get(RESOURCE_GROUP_NAME, WEB_APP_NAME)

# Get the FTPS state
ftps_state = web_app.ftps_state

# Verify that the FTPS state is 'FtpsOnly'
if ftps_state == 'FtpsOnly':
    print('FTPS-Only Access has been enabled for the web app.')
else:
    print('Failed to enable FTPS-Only Access for the web app.')
This should remediate the misconfiguration “Enable FTPS-Only Access for App Services” in Azure using Python.