"FeatureName": "AppService", "Reference": "", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_AppService_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "AppService110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Remove any excessive privileges granted on the App Service. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_DP_Use_CNAME_With_SSL", "Description": "Custom domain with SSL binding must be configured for App Service", "Id": "AppService120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppServiceCustomDomainWithSSLConfig", "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Custom Domains and follow the steps mentioned to configure a custom domain. Run command 'New-AzureRmWebAppSSLBinding' to enable the SSL binding for your custom domain. Run 'Get-Help New-AzureRmWebAppSSLBinding -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "DP", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_AuthN_Use_AAD_for_Client_AuthN", "Description": "App Service must authenticate users using Azure Active Directory backed credentials", "Id": "AppService130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppServiceADAuthentication", "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Authentication/Authorization --> turn on 'App Service Authentication' --> Click on 'Azure Active Directory' under Authentication Providers to configure the AAD authentication. 
Note: If you are implementing this control via code, then you can attest to the same and mark this as passed.", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "Owner", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Deploy_Dont_Use_Publish_Profiles", "Description": "Publish profile credentials must not be used for App Service deployment", "Id": "AppService140", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "No predefined role should be present in the App Service and all the custom roles must have all 'publishxml' operations added as the Non Actions, e.g. 'microsoft.web/sites/publishxml/read'.", "Tags": [ "SDL", "TCP", "Manual", "Deploy", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_AuthZ_Trigger_Url_AuthN", "Description": "Trigger URL for the App Service Web Job must require authentication", "Id": "AppService150", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Use bearer tokens and AAD-based authentication in the trigger.", "Tags": [ "SDL", "Information", "Manual", "AuthZ", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_DP_Encrypt_In_Transit_Webhook", "Description": "The webhook used for a Web Job must encrypt sensitive data in transit", "Id": "AppService180", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Encryption in transit in the context of webhooks can be achieved by using HTTPS URLs.", "Tags": [ "SDL", "Information", "Manual", "DP", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_DP_Store_Secrets_in_Key_Vault", "Description": "All App Service secrets should be stored in Key Vault", "Id": "AppService190", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Refer for configuring Key Vault and storing secrets.", "Tags": [ "SDL", "Best Practice", "Manual", "DP", "AppService", 
"FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Deploy_Use_Notification_Hub", "Description": "App Service should use Notification Hub for push notification (instead of directly using Push Notification Service)", "Id": "AppService200", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Refer for details on configuring Notification Hub for push notifications.", "Tags": [ "SDL", "Best Practice", "Manual", "Deploy", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Config_Disable_Remote_Debugging", "Description": "Remote debugging must be turned off for App Service", "Id": "AppService210", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppServiceRemoteDebuggingConfiguration", "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Application Settings --> Remote Debugging --> Click on 'OFF'.", "Tags": [ "SDL", "TCP", "Automated", "Config", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Config_Disable_Web_Sockets", "Description": "Web Sockets should be disabled for App Service", "Id": "AppService220", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppServiceWebSocketsConfiguration", "Recommendation": "Run command 'Set-AzureRmWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -WebSocketsEnabled $false'. 
Run 'Get-Help Set-AzureRmWebApp -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "Config", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_BCDR_Use_AlwaysOn", "Description": "'Always On' should be configured for App Service", "Id": "AppService230", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppServiceAlwaysOnConfiguration", "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Application Settings --> Always On --> Click on 'ON'.", "Tags": [ "SDL", "Best Practice", "Automated", "BCDR", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Deploy_Use_Latest_Version", "Description": "The latest version of .NET framework version should be used for App Service", "Id": "AppService240", "ControlSeverity": "Low", "Automated": "Yes", "MethodName": "CheckAppServiceDotNetFrameworkVersion", "Recommendation": "Run command 'Set-AzureRmWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -NetFrameworkVersion 'v4.0''. Run 'Get-Help Set-AzureRmWebApp -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "Deploy", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Deploy_Use_64_bit", "Description": "64-bit platform should be used for App Service", "Id": "AppService250", "ControlSeverity": "Low", "Automated": "Yes", "MethodName": "CheckAppService64BitPlatformConfiguration", "Recommendation": "Run command 'Set-AzureRmWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -Use32BitWorkerProcess $false'. 
Run 'Get-Help Set-AzureRmWebApp -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "Deploy", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Deploy_Use_ARM_Template", "Description": "Deployment of App Service should be done using ARM template", "Id": "AppService260", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Use an ARM Template to ensure fully repeatable and secured configuration of a deployment. Refer to get sample quickstart templates.", "Tags": [ "SDL", "Best Practice", "Manual", "Deploy", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_BCDR_Use_Multiple_Instances", "Description": "App Service must be deployed on a minimum of two instances to ensure availability", "Id": "AppService270", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppServiceInstanceCount", "Recommendation": "Run command 'Set-AzureRmAppServicePlan -Name '<AppServicePlanName>' -ResourceGroupName '<RGName>' -NumberofWorkers '<NumberofInstances>''. Run 'Get-Help Set-AzureRmAppServicePlan -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "BCDR", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_BCDR_Use_App_Backup", "Description": "Backup feature must be configured to backup data for App Service", "Id": "AppService280", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppServiceBackupConfiguration", "Recommendation": "Run command 'Edit-AzureRmWebAppBackupConfiguration -FrequencyInterval '1' -FrequencyUnit 'Day' -RetentionPeriodInDays '<0 or 365>' -StartTime '<TimeLessThanOrEqualToCurrentTime>' -Name '<WebAppName>' -ResourceGroupName '<RGName>' -StorageAccountUrl '<StorageAccountUrl>' -KeepAtLeastOneBackup'. 
Run 'Get-Help Edit-AzureRmWebAppBackupConfiguration -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "BCDR", "OwnerAccess", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_Audit_Enable_Logging_and_Monitoring", "Description": "Auditing and Monitoring must be enabled for App Service", "Id": "AppService290", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppServiceDiagnosticLogsConfiguration", "Recommendation": "Run command 'Set-AzureRmWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -DetailedErrorLoggingEnabled $true -HttpLoggingEnabled $true -RequestTracingEnabled $true'. Run 'Get-Help Set-AzureRmWebApp -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Audit", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_BCDR_Configure_Auto_Healing", "Description": "Auto healing should be configured for App Service", "Id": "AppService300", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Refer for details on configuring auto healing.", "Tags": [ "SDL", "Best Practice", "Manual", "BCDR", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_DP_Dont_Allow_HTTP_Access", "Description": "App Service must only be accessible over HTTPS", "Id": "AppService310", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppServiceHttpCertificateSSL", "Recommendation": "Refer for details on redirecting HTTP traffic to HTTPS.", "Tags": [ "SDL", "TCP", "Automated", "DP", "AppService", "FunctionApp" ], "Enabled": true }, { "ControlID": "Azure_AppService_DP_Website_Load_Certificates_Not_All", "Description": "WEBSITE_LOAD_CERTIFICATES parameter must not be set to '*' (i.e. 
all) for App Service", "Id": "AppService320", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppServiceLoadCertAppSettings", "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Application Settings --> App Settings --> Check for 'WEBSITE_LOAD_CERTIFICATES' key and make sure that value is not set to '*'. Instead choose the specific certificate that is required by the App Service. Refer for more details.", "Tags": [ "SDL", "TCP", "Automated", "DP", "AppService", "FunctionApp" ], "Enabled": true } ] }