The Defender’s recommendation “FTPS should be required in web apps” is focused on security hardening of Web Apps. It is not about “how the application is used” but rather “how it is deployed”. And even if you are already deploying your web application securely, following this recommendation removes the possibility of an unencrypted deployment ever happening.
To fulfil the recommendation you need to disable plain (non-encrypted) FTP deployment and enforce FTPS only. Alternatively, you can disable FTP altogether.
Remediating in Azure Portal
1) Go to your Web App in Azure Portal and click the “Configuration” blade
2) Click the “General Settings” link
3) Select “FTPS only” in the “FTPS State” dropdown list. Optionally – you can disable it if that fits your scenario.
4) Save your changes
Fix “FTPS should be required in web apps” in PowerShell
### Find the Web App named "webapp123456" - you should use the name of your App
PS> Get-AzWebApp -Name webapp123456
Name State ResourceGroup EnabledHostNames Location
---- ----- ------------- ---------------- --------
webapp123456 Running webapp123456_group {webapp123456.azurewebsites.net, webapp123456.scm.azure… Central US
### Finding out the current state of FTPS configuration
PS> $webapp = Get-AzWebApp -Name webapp123456
PS> $webapp.SiteConfig.FtpsState
AllAllowed
### Turning ON the FTPS enforcement
PS> Set-AzWebApp -Name webapp123456 -ResourceGroupName webapp123456_group -FtpsState FtpsOnly
Name State ResourceGroup EnabledHostNames Location
---- ----- ------------- ---------------- --------
webapp123456 Running webapp123456_group {webapp123456.azurewebsites.net, webapp123456.scm.azure… Central US
### Validating that the change was successful
PS> $webapp = Get-AzWebApp -Name webapp123456
PS> $webapp.SiteConfig.FtpsState
FtpsOnly
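The commands above fix one app. The following script is an added example, not part of the original post: it audits every Web App in the current subscription for the same finding and, with the -Remediate switch, enforces FtpsOnly on the non-compliant ones. It assumes the Az.Websites module is installed and Connect-AzAccount has already been run; Get-WebAppFtpsReport is a hypothetical function name.

```powershell
# Added example (not from the original post): audit every Web App in the
# current subscription for "FTPS should be required in web apps" and
# optionally remediate. Assumes Az.Websites is installed and you are
# logged in with Connect-AzAccount.
function Get-WebAppFtpsReport {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, non-compliant apps are switched to FtpsOnly.
        [switch]$Remediate
    )

    # Both "FtpsOnly" and "Disabled" satisfy the recommendation;
    # "AllAllowed" still permits plain FTP.
    $compliantStates = @('FtpsOnly', 'Disabled')

    # Listing without -Name returns summaries whose SiteConfig is not
    # populated, so each app is fetched individually to read FtpsState.
    foreach ($summary in Get-AzWebApp) {
        $app   = Get-AzWebApp -ResourceGroupName $summary.ResourceGroup -Name $summary.Name
        $state = $app.SiteConfig.FtpsState
        $isCompliant = $compliantStates -contains $state

        if (-not $isCompliant -and $Remediate) {
            # ShouldProcess makes -WhatIf / -Confirm work for a dry run.
            if ($PSCmdlet.ShouldProcess($app.Name, 'Set FtpsState to FtpsOnly')) {
                Set-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name -FtpsState 'FtpsOnly' | Out-Null
                # Re-read the setting instead of trusting the call succeeded.
                $app   = Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name
                $state = $app.SiteConfig.FtpsState
                $isCompliant = $compliantStates -contains $state
            }
        }

        [pscustomobject]@{
            Name          = $app.Name
            ResourceGroup = $app.ResourceGroup
            FtpsState     = $state
            Compliant     = $isCompliant
        }
    }
}

# Report only:
Get-WebAppFtpsReport | Format-Table -AutoSize
# Dry run of the fix, then the real change:
# Get-WebAppFtpsReport -Remediate -WhatIf
# Get-WebAppFtpsReport -Remediate
```

Deployment slots are not covered by this script; they carry their own FTPS setting and need to be checked separately.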
FTP vs FTPS
FTP is the File Transfer Protocol. It is all about transferring files, and that is a task it does well. FTPS – FTP Secure – does the same job, but with encryption. This makes a huge difference, because standard FTP transfers everything, credentials included, in plain text. Any intermediary, or even another user on the same network, can read this traffic and reconstruct all the data being transferred. With FTPS the traffic is encrypted: sniffers can still see where the data is heading, but not its contents. Encryption also means that network intermediaries cannot modify the contents of the packets without being detected, which is trivial to do with standard FTP.
If you use FTP for deploying the code of your application, make sure it is FTPS. Even if you are sure your client always uses FTPS for deployment, enforcing it in Azure costs nothing and will cover you if you (or your co-workers) mistakenly use a misconfigured client.
Is FTPS the same as SFTP?
These two protocols might seem similar at first, as both encrypt files in transit. Yet there is a difference in what happens under the hood. FTPS builds upon the FTP protocol, simply adding TLS encryption on top of it. SFTP builds upon the SSH protocol, so it adds file transfer to an encrypted protocol designed to provide a remote shell. To put it even more simply: they have different histories, use different ports, and are not compatible with each other.
Why Impact “High”?
Microsoft Defender for Cloud marks the finding “FTPS should be required in web apps” as impact “High”, and it has a good reason for it. Deployment of your application – your build or your code – is the most crucial moment, and any interference in this process by an unwanted actor may have devastating consequences. There is no room for error, and the only way to do this should be one that is secure and fully understood by you.
This is not the only Microsoft Defender for Cloud recommendation related to encryption in Web Apps. While you are at it, make sure you also enforce HTTPS on connections to your Web App. If you are using the built-in azurewebsites.net domain, the certificate is already there without any action on your side. If you are using a custom domain, you can still use a free certificate provided by Azure; you just have to click through the process of creating it for your domain.