“FTPS should be required in API apps” is one of the simplest Defender for Cloud recommendations to fix. Follow the step-by-step guide below to enforce FTPS on your Azure API App.
1) Go to your API App in the Azure Portal and open the “Configuration” blade.
2) Proceed to “General settings”
3) Change the “FTPS state” to “FTPS only”
4) Click “Save” to confirm the change
Fixing “FTPS should be required in API apps” from PowerShell
The same change can be made with the Az PowerShell module (Az.Websites). The transcript below uses an API App named api654321; replace the name with your own app.
### Find the API App named "api654321" (replace the name with your app)
PS> Get-AzWebApp -Name api654321
Name State ResourceGroup EnabledHostNames Location
---- ----- ------------- ---------------- --------
api654321 Running api654321_group {api654321.azurewebsites.net, api654321.scm.azure… Central US
### Check whether unencrypted FTP is allowed: AllAllowed means both FTP and FTPS are accepted
PS> $api = Get-AzWebApp -Name api654321
PS> $api.SiteConfig.FtpsState
AllAllowed
### Enforce FTPS (FtpsOnly rejects plain FTP; Disabled turns the FTP/FTPS endpoint off entirely if you never deploy this way)
PS> Set-AzWebApp -Name api654321 -ResourceGroupName api654321_group -FtpsState FtpsOnly
Name State ResourceGroup EnabledHostNames Location
---- ----- ------------- ---------------- --------
api654321 Running api654321_group {api654321.azurewebsites.net, api654321.scm.azure… Central US
### Validate the change: Set-AzWebApp echoes the app object, but the table view does not show FtpsState, so re-read the config
PS> $api = Get-AzWebApp -Name api654321
PS> $api.SiteConfig.FtpsState
FtpsOnly
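The same change applied at scale, as an added example that is not part of the original post: a script that audits every App Service app the current Az session can see (optionally one resource group) and, only when -Enforce is given, switches apps that still accept plain FTP to FtpsOnly. The -ResourceGroupName and -Enforce parameters are this example's own convention; it assumes the Az.Accounts and Az.Websites modules and an active Connect-AzAccount session.

```powershell
# Added example (not from the original post): audit every App Service app the
# current Az context can see and, when -Enforce is given, switch any app that
# still accepts plain FTP to FtpsOnly. Requires Az.Accounts and Az.Websites and
# an existing Connect-AzAccount session. The -ResourceGroupName filter and the
# -Enforce switch are this script's own conventions, not Az module flags.
param(
    [string]$ResourceGroupName,   # optional: limit the scan to one resource group
    [switch]$Enforce              # without it the script only reports
)

# Get-AzWebApp without -Name lists apps, but the list call does not reliably
# populate SiteConfig, so each app is re-read individually to obtain FtpsState.
$apps = if ($ResourceGroupName) {
    Get-AzWebApp -ResourceGroupName $ResourceGroupName
} else {
    Get-AzWebApp
}

$report = foreach ($app in $apps) {
    $full  = Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name
    $state = $full.SiteConfig.FtpsState
    # AllAllowed accepts unencrypted FTP; FtpsOnly and Disabled do not.
    $compliant = $state -in @('FtpsOnly', 'Disabled')

    if (-not $compliant -and $Enforce) {
        Set-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name -FtpsState FtpsOnly | Out-Null
        # Re-read the configuration rather than trusting the echoed object.
        $state = (Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name).SiteConfig.FtpsState
        $compliant = $state -eq 'FtpsOnly'
    }

    [pscustomobject]@{
        Name          = $app.Name
        ResourceGroup = $app.ResourceGroup
        FtpsState     = $state
        Compliant     = $compliant
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when any app still allows plain FTP, so a pipeline can fail on drift.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it without -Enforce first to see which apps would be changed, then again with -Enforce to remediate. Disabled is treated as compliant on purpose: an app that is never deployed over FTP should have the endpoint switched off rather than merely encrypted.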
Impact of not taking action
Azure Defender for Cloud marks this recommendation as High impact, and not without reason. FTP is one of the ways the code of your API App is deployed into the /home/site/wwwroot folder. The FTP protocol does one thing well, transferring files, but it provides neither encryption nor integrity protection: the deployment credentials and every byte of your application code travel in cleartext.
This means that every host or network device on the path of your traffic can read its exact contents, including the FTP username and password, which on their own are enough to push a new deployment. And that is not all: because nothing authenticates the server or protects the integrity of the stream, there is no guarantee that the files reach the receiver unchanged. An on-path attacker can alter them in transit, and the last thing you want is to deploy code to your application that has been tampered with by an unknown party. FTPS wraps the session in TLS, which addresses both problems: the server is authenticated by its certificate, and the data is encrypted and integrity-protected.
But I don’t have FTP in my app
A lot of application owners are not even aware that FTP is enabled on their app. To be clear: FTP is not part of the functionality of the API App, it is one of the ways the app gets deployed. And by default FTP is enabled and the encrypted variant, FTPS, is not enforced (the FtpsState setting starts out as AllAllowed, as the transcript above shows).
You actually need to take action to override this setting. If you never deploy over FTP at all, go one step further and set FtpsState to Disabled, so the endpoint is not reachable in the first place.
My 3 cents
My view is that the only advantage of unencrypted protocols was that they did not require public certificates, which cost money. Today we can obtain public certificates for free from a number of organizations, and Azure itself provides SSL/TLS certificates for most of its services, sometimes even for your custom domains.
Where cost is not a factor, the encrypted (“S”) versions of protocols should be the default. But the charm of the public cloud is that we do not have full control over some settings and their defaults, which can be good or bad depending on the scenario.
Make sure FTPS is enforced on your API App, and while you are at it, HTTPS as well!