module/ConfigurationProvider/ControlConfigurations/Services/AppService.json

{
  "FeatureName": "AppService",
  "Reference": "aka.ms/azsktcp/appservice",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_AppService_DP_Use_CNAME_With_SSL",
      "Description": "Custom domain with SSL binding must be configured for App Service",
      "Id": "AppService120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceCustomDomainWithSSLConfig",
      "DisplayName": "Custom domain with SSL binding must be configured for App Service",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Use of custom domain protects a web application from common attacks such as phishing, session hijacking and other DNS-related attacks.",
      "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Custom Domains and follow the steps mentioned to configure a custom domain. Run command 'New-AzWebAppSSLBinding' to enable the SSL binding for your custom domain. Run 'Get-Help New-AzWebAppSSLBinding -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "EligibleForSelfAttestation",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_AppService_Config_Disable_Remote_Debugging",
      "Description": "Remote debugging must be turned off for App Service",
      "Id": "AppService210",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceRemoteDebuggingConfiguration",
      "ControlScanSource": "MDCAndReader",
      "DisplayName": "Remote debugging should be turned off for Web Applications",
      "Category": "Remote debugging must be disabled",
      "ControlRequirements": "Remote debugging is disabled by default",
      "Rationale": "Remote debugging requires inbound ports to be opened on App Service. These ports become easy targets for compromise from various internet-based attacks.",
      "Recommendation": "To disable remote debugging on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save. To disable remote debugging on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save",
      "AssessmentProperties": {
        "AssessmentNames": [
          "093c685b-56dd-13a3-8ed5-887a001837a2",
          "64b8637e-4e1d-76a9-0fc9-c1e487a97ed8"
        ]
      },
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Daily",
        "CSEOPilotP1",
        "CSEOPilotSub"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "RemoteDebuggingEnabled",
          "SiteConfig",
          "DeploymentSlots",
          "SlotRemoteDebuggingEnabled",
          "SlotSiteConfig"
        ]
      },
      "ControlSettings": {
        "FallBackToReaderLogic": true
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "Linux",
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave8",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AppSvc_Debug",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview"
      ]
    },
    {
      "ControlID": "Azure_AppService_Config_Disable_Web_Sockets",
      "Description": "Web Sockets should be disabled for App Service",
      "Id": "AppService220",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceWebSocketsConfiguration",
      "DisplayName": "Web Sockets should be disabled for App Service",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Category": "Encrypt data in transit",
      "Rationale": "WebSockets protocol (WS) is vulnerable to different types of security attacks. Usage of Web Sockets within web applications has to be carefully reviewed.",
      "Recommendation": "To disable Web Sockets on default 'Production' slot: Run command 'Set-AzWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -WebSocketsEnabled `$false'. Run 'Get-Help Set-AzWebApp -full' for more help. To disable Web Sockets on any non-production slot: Run command 'Set-AzWebAppSlot -ResourceGroupName '<RGName>' -Name '<WebAppName>' -Slot '<SlotName>' -WebSocketsEnabled `$false'. Refer: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#websockets",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "Config",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Weekly",
        "CSEOPilotSub"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "WebSocketsEnabled",
          "SiteConfig",
          "DeploymentSlots",
          "SlotWebSocketsEnabled",
          "SlotSiteConfig"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Windows",
        "EligibleForSelfAttestation",
        "Linux",
        "CSEOBaseline",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_AppService_BCDR_Use_AlwaysOn",
      "Description": "'Always On' should be configured for App Service",
      "Id": "AppService230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckAppServiceAlwaysOnConfiguration",
      "DisplayName": "'Always On' should be configured for App Service",
      "Category": "Reader role access to all subscription and resources",
      "ControlRequirements": "Security team visibility into all Microsoft assets",
      "Rationale": "By default, websites are unloaded if they have been idle for some period of time. However, this may not be ideal for 'high availability' requirements. Configuring 'Always On' can help prevent app services from getting timed out.",
      "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> Always On --> Click on 'ON'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "BCDR",
        "AppService",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ApplicableAppServiceKinds": [
          "app"
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "AppServiceKind",
          "AlwaysOn"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_AppService_BCDR_Use_Multiple_Instances",
      "Description": "App Service must be deployed on a minimum of two instances to ensure availability",
      "Id": "AppService270",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckAppServiceInstanceCount",
      "DisplayName": "App Service must be deployed on a minimum of two instances to ensure availability",
      "Category": "Reader role access to all subscription and resources",
      "ControlRequirements": "Security team visibility into all Microsoft assets",
      "Rationale": "App Service deployed on multiple instances ensures that the App Service remains available even if an instance is down.",
      "Recommendation": "Run command 'Set-AzAppServicePlan -Name '<AppServicePlanName>' -ResourceGroupName '<RGName>' -NumberofWorkers '<NumberofInstances>''. Run 'Get-Help Set-AzAppServicePlan -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "BCDR",
        "AppService",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlSettings": {
        "MinimumRequiredInstances": 2,
        "ApplicableAppServiceKinds": [
          "app"
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "AppServiceKind",
          "AppServicePlan"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_AppService_Audit_Enable_Logging_and_Monitoring",
      "Description": "Auditing and Monitoring must be enabled for App Service",
      "Id": "AppService290",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceDiagnosticLogsConfiguration",
      "DisplayName": "Monitoring must be enabled for App Service",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "AssessmentName": "",
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
      "Rationale": "Auditing enables log collection of important system events pertinent to security. Regular monitoring of audit logs can help to detect any suspicious and malicious activity early and respond in a timely manner.",
      "Recommendation": "To enable monitoring on default 'Production' slot: Run command 'Set-AzWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -DetailedErrorLoggingEnabled `$true -HttpLoggingEnabled `$true -RequestTracingEnabled `$true'. Run 'Get-Help Set-AzWebApp -full' for more help. To enable monitoring on any non-production slot: Run command 'Set-AzWebAppSlot -ResourceGroupName '<RGName>' -Name '<WebAppName>' -Slot '<SlotName>' -DetailedErrorLoggingEnabled `$true -HttpLoggingEnabled `$true -RequestTracingEnabled `$true'",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Weekly",
        "ExcludedControl"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "AuditAndLogging",
          "SiteConfig",
          "DeploymentSlots",
          "SlotAuditAndLogging",
          "SlotSiteConfig"
        ]
      },
      "Enabled": true,
      "FixControl": {
        "FixMethodName": "EnableLogging",
        "FixControlImpact": "Low"
      },
      "PolicyDefinitionGuid": "752c6934-9bcc-4749-b004-655e676ae2ac",
      "PolicyDefnResourceIdSuffix": "/config/web",
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Dont_Allow_HTTP_Access",
      "Description": "App Service must only be accessible over HTTPS",
      "Id": "AppService310",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceHttpsOnly",
      "DisplayName": "Use HTTPS for app services",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
      "Recommendation": "To enable only https traffic on default 'Production' slot: Run command 'Set-AzWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -HttpsOnly `$true'. Run 'Get-Help Set-AzWebApp -full' for more help. To enable only https traffic on any non-production slot: Run command 'Set-AzWebAppSlot -ResourceGroupName '<RGName>' -Name '<WebAppName>' -Slot '<SlotName>' -HttpsOnly `$true'",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "HttpsEnabled",
          "DeploymentSlots",
          "SlotHttpsEnabled"
        ]
      },
      "Enabled": true,
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "cb0acdc6-0846-fd48-debe-9905af151b6d",
          "1b351b29-41ca-6df5-946c-c190a56be5fe",
          "bf82a334-13b6-ca57-ea75-096fc2ffce50"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "ControlSettings": {
        "FallBackToReaderLogic": true
      },
      "FixControl": {
        "FixMethodName": "EnableHttpsFlag",
        "FixControlImpact": "High"
      },
      "PolicyDefinitionGuid": "a4af4a39-4135-47fb-b175-47fbdf85311d",
      "CustomTags": [
        "Windows",
        "Linux",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "P2",
        "Wave5",
        "CSEOPilot",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:HTTPS",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Configure_EndToEnd_TLS",
      "Description": "End-to-end TLS encryption must be enabled for App Service",
      "Id": "AppService320",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceEndToEndTLS",
      "DisplayName": "End-to-end TLS encryption must be enabled for App Service",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "End-to-end TLS encryption ensures that data is encrypted from the client to the server and vice versa. This helps in protecting data from eavesdropping attacks.",
      "Recommendation": "To enable end-to-end TLS encryption: Go to Azure Portal --> your App Service --> Settings --> Configuration --> End-to-End TLS encryption --> Click on 'ON'.",
      "Tags": [
        "DP",
        "AppService",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ApplicableAppServiceKinds": [
          "app"
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "EndtoEndEncryption",
          "appServiceKind"
        ]
      },
      "CustomTags": [
        "Daily"
      ]
    },
 
    {
      "ControlID": "Azure_AppService_DP_Restrict_CORS_Access",
      "Description": "Ensure that CORS access is granted to a limited set of trusted origins.",
      "Id": "AppService380",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceCORSAllowed",
      "DisplayName": "Ensure that CORS access is granted to a limited set of trusted origins",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Recommendation": "Go to Azure Portal --> your App Service --> API --> CORS --> Provide the specific domain names that should be allowed to make cross-origin calls. Note: No action is needed if you are not using CORS for your app.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SiteConfig",
          "SlotSiteConfig"
        ]
      },
      "Rationale": "CORS enables applications running under one domain to access a resource under another domain. Using '*' (allow all) for CORS setting means that an application running under any domain can have access to your application's resources and data. Restricting allowed origins to the specific set that needs access aligns with the principle of least privilege.",
      "CustomTags": [
        "Windows",
        "Linux"
      ],
      "ControlSettings": {
        "AllowAllSetting": "*"
      }
    },
    {
      "ControlID": "Azure_AppService_AuthN_Use_Managed_Service_Identity",
      "Description": "Use Managed Service Identity (MSI) for accessing other AAD-protected resources from the app service.",
      "Id": "AppService400",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceMsiEnabled",
      "DisplayName": "Use Managed Service Identity (MSI) for accessing other AAD-protected resources from the app service",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Go to Azure Portal --> your App Service --> Settings --> Identity --> System assigned --> ON",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Config",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "Rationale": "Managed Service Identity (MSI) allows your app to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and eliminates the need to provision/manage/rotate any secrets, thus reducing the overall risk.",
      "CustomTags": [
        "Windows",
        "Linux"
      ],
      "ControlSettings": {
        "AllowedManagedServiceIdentityTypes": [
          "SystemAssigned",
          "SystemAssigned, UserAssigned",
          "UserAssigned"
        ]
      }
    },
    {
      "ControlID": "Azure_AppService_DP_Use_Secure_TLS_Version",
      "Description": "Use approved version of TLS for the App Service",
      "Id": "AppService420",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceTLSVersion",
      "DisplayName": "Use Approved TLS Version in App Service",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To set required TLS version on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason). To set required TLS version on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason).",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "MinTlsVersion",
          "SiteConfig",
          "DeploymentSlots",
          "SlotMinTlsVersion",
          "SlotSiteConfig"
        ]
      },
      "Enabled": true,
      "ControlScanSource": "Reader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "15be5f3c-e0a4-c0fa-fbff-8e50339b4b22",
          "2a54c352-7ca4-4bae-ad46-47ecd9595bd2",
          "5a659d57-117d-bb18-65f6-54e51da1bb9b"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "ControlSettings": {
        "MinReqTLSVersion": "1.2",
        "FallBackToReaderLogic": true
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "TenantBaseline",
        "CSEOBaseline",
        "MSD",
        "Prod",
        "P2",
        "Wave7",
        "CSEOPilot",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AppSvc_TLS",
        "CAIWave1"
      ]
    },
    {
      "ControlID": "Azure_AppService_AuthZ_Configure_IP_Restrictions",
      "Description": "Setup IP-based access restrictions for App Service if feasible",
      "Id": "AppService440",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckAppServiceAccessRestriction",
      "DisplayName": "Setup IP-based access restrictions for App Service if feasible",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Recommendation": "Consider using IP-based access restrictions for App Service if feasible. Steps: Go to Azure Portal --> your App Service --> Networking --> Access Restrictions --> Configure Access Restrictions --> Add/Verify access restriction rule for app and scm site. For more information, refer: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SiteConfig",
          "IpSecurityRestrictions",
          "ScmIpSecurityRestrictions",
          "ScmIpSecurityRestrictionsUseMain"
        ]
      },
      "Enabled": true,
      "Rationale": "Using the IP/VNet subnet rules-based access restriction ensures that access to the data or the service is restricted to a specific set of IPs. NOTE: While this control does provide an extra layer of access control protection, it may not always be feasible to implement in all scenarios.",
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Review_CORS_Request_Credential",
      "Description": "Review use of credentials in CORS request for App Service",
      "Id": "AppService450",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Reader",
      "MethodName": "CheckAppServiceCORSCredential",
      "DisplayName": "Review use of credentials in CORS request for App Service",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Recommendation": "Go to Azure Portal --> your App Service --> API --> CORS --> Request Credentials --> Review if you need to enable 'Access-Control-Allow-Credentials'. Note: No action is needed if you are not using CORS for your app.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "AppService",
        "FunctionApp",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SiteConfig",
          "SlotSiteConfig"
        ]
      },
      "Rationale": "CORS enables applications running under one domain to access a resource under another domain. Allowing cross-origin credentials is a security risk. A website at another domain can send a signed-in user's credentials to the app on the user's behalf without the user's knowledge.",
      "CustomTags": [
        "Windows"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Dont_Have_Plaintext_Secrets",
      "Description": "App Service must not have secrets/credentials present in plain text",
      "Id": "AppService470",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "AvoidPlaintextSecretsAsync",
      "DisplayName": "App Service must not have secrets/credentials present in plain text",
      "Category": "Credentials Access",
      "ControlRequirements": "Eliminating plain text credentials",
      "Rationale": "Keeping secrets/credentials such as DB connection strings, passwords, keys, etc. in plain text can lead to exposure at various avenues during an application's lifecycle. Storing them in a key vault ensures that they are protected at rest.",
      "Recommendation": "Find detected secrets/credentials using the API information available in Source, rotate those credentials and remove them. Use KeyVault to store secrets/credentials.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv10",
        "TRWave4",
        "TRPreview",
        "TRBaseline",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AppService_AvoidSecrets",
        "CAIWave1",
        "Secrets"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Use_Secure_FTP_Deployment",
      "Description": "App Services should use secure FTP deployments",
      "Id": "AppService480",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "MDCandReader",
      "MethodName": "CheckAppServiceFtpDeployment",
      "DisplayName": "App Services should use secure FTP deployments",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "FTPS is used to enhance security for your Azure Web Application as it adds an extra layer of security to the FTP protocol. Enforcing FTPS-only access for your Azure App Service apps can guarantee that the encrypted traffic between the web apps and servers and the FTP clients cannot be decrypted by malicious actors.",
      "Recommendation": "To make the production slot compliant, go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save. To make a non-production slot compliant, go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save.",
      "Tags": [
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b",
          "19beaa2a-a126-b4dd-6d35-617f6cc83fca"
        ],
 
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)OffByPolicy|Exempt(.)",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": true,
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "SiteConfig",
          "SlotSiteConfig",
          "BasicAuthSettingConfig",
          "FTPBasicAuthEnabled"
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "WEBXTWave1",
        "WEBXTPreview",
        "EPSFWave1",
        "EPSFPreview",
        "Daily",
        "MSD",
        "TenantBaseline",
        "SN:AppSvc_FTPS",
        "Wave9"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Enable_FTPS_MCSB",
      "Description": "[MCSB] FTPS should be required in function apps and web apps",
      "Id": "AppService501",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] FTPS should be required in function apps and web apps",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "FTPS is used to enhance security for your Azure Web Application as it adds an extra layer of security to the FTP protocol. Enforcing FTPS-only access for your Azure App Service apps can guarantee that the encrypted traffic between the web apps and servers and the FTP clients cannot be decrypted by malicious actors.",
      "Recommendation": "To make the production slot compliant, go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save. To make a non-production slot compliant, go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "DP"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "972a6579-f38f-c0b9-1b4b-a5bbeba3ab5b",
          "19beaa2a-a126-b4dd-6d35-617f6cc83fca"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_HTTPS_Only_MCSB",
      "Description": "[MCSB] Function App and Web Application should only be accessible over HTTPS",
      "Id": "AppService502",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Function App and Web Application should only be accessible over HTTPS",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Usage of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
      "Recommendation": "To enable only https traffic on default 'Production' slot: Run command 'Set-AzWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -HttpsOnly `$true'. Run 'Get-Help Set-AzWebApp -full' for more help. To enable only https traffic on any non-production slot: Run command 'Set-AzWebAppSlot -ResourceGroupName '<RGName>' -Name '<WebAppName>' -Slot '<SlotName>' -HttpsOnly `$true'",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "DP"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "cb0acdc6-0846-fd48-debe-9905af151b6d",
          "1b351b29-41ca-6df5-946c-c190a56be5fe"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_AuthN_Enable_Incoming_Client_Certificates_MCSB",
      "Description": "[MCSB] Function apps and Web apps should have Client Certificates (Incoming client certificates) enabled",
      "Id": "AppService503",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Function apps and Web apps should have Client Certificates (Incoming client certificates) enabled",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Client certificates allow the app to request a certificate for incoming requests. Only clients that present a valid certificate will be able to reach the app.",
      "Recommendation": "To set Client Certificates for your Web App: 1. Navigate to Azure App Service 2. Select Configuration 3. Go to the General Settings tab 4. Set Incoming Client Certificates to Require. For more information, visit here: https://aka.ms/auth-tls",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "AuthN"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "c2ab4bea-c663-3259-a4cd-03a8feb02825",
          "ca4e6a5a-3a9a-bad3-798a-d420a1d9bd6d"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_SI_Resolve_Vulnerability_Findings_MCSB",
      "Description": "[MCSB] Function apps should have vulnerability findings resolved",
      "Id": "AppService504",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Function apps should have vulnerability findings resolved",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Runtime vulnerability scanning for functions scans your function apps for security vulnerabilities and exposes detailed findings. Resolving the vulnerabilities can greatly improve your serverless applications' security posture and protect them from attacks.",
      "Recommendation": "To resolve function app vulnerabilities: 1. Click on each vulnerability to view its details and explicit remediation instructions and scripts. 2. Remediate the vulnerability using the provided instructions described in the 'Remediation' field.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "afd071f0-ebaa-422b-bb2f-8a772a31db75"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Use_Latest_TLS_MCSB",
      "Description": "[MCSB] TLS should be updated to the latest version for function apps and web apps",
      "Id": "AppService505",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] TLS should be updated to the latest version for function apps and web apps",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To set required TLS version on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason). To set required TLS version on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason).",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "DP"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "15be5f3c-e0a4-c0fa-fbff-8e50339b4b22",
          "2a54c352-7ca4-4bae-ad46-47ecd9595bd2"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_Config_Disable_Remote_Debugging_MCSB",
      "Description": "[MCSB] Remote debugging should be turned off for App Service",
      "Id": "AppService520",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Remote debugging should be turned off for App Service",
      "Category": "Remote debugging must be disabled",
      "ControlRequirements": "Remote debugging is disabled by default",
      "Rationale": "Remote debugging requires inbound ports to be opened on App Service. These ports become easy targets for compromise from various internet-based attacks.",
      "Recommendation": "To disable remote debugging on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save. To disable remote debugging on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save",
      "Tags": [
        "AppService",
        "Automated",
        "Baseline",
        "Config",
        "FunctionApp"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "093c685b-56dd-13a3-8ed5-887a001837a2",
          "64b8637e-4e1d-76a9-0fc9-c1e487a97ed8"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Restrict_CORS_Access_MCSB",
      "Description": "[MCSB] CORS should not allow every resource to access your App Service",
      "Id": "AppService530",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] CORS should not allow every resource to access your App Service",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "CORS enables applications running under one domain to access a resource under another domain. Using '*' (allow all) for CORS setting means that an application running under any domain can have access to your application's resources and data. Restricting allowed origins to the specific set that needs access aligns with the principle of least privilege.",
      "Recommendation": "To configure App Service using Azure Portal, go to Azure Portal --> your App Service --> API --> CORS --> Provide the specific domain names that should be allowed to make cross-origin calls. Note: No action is needed if you are not using CORS for your app.",
      "Tags": [
        "AppService",
        "Automated",
        "Baseline",
        "DP",
        "FunctionApp"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "7b3d4796-9400-2904-692b-4a5ede7f0a1e",
          "df4d1739-47f0-60c7-1706-3731fea6ab03"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_SI_Use_latest_Java_Version_MCSB",
      "Description": "[MCSB] Java should be updated to the latest version for App Service",
      "Id": "AppService540",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Java should be updated to the latest version for App Service",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/app-service/configure-language-java?pivots=platform-linux",
      "Tags": [
        "AppService",
        "Automated",
        "Baseline",
        "SI",
        "FunctionApp"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "39c63596-aa92-1b90-ee7c-628bee592cc0",
          "f0fd27eb-25aa-4335-0ba2-0720cccda9a4"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_Audit_Resource_Logs_MCSB",
      "Description": "[MCSB] Resource logs in App Service should be enabled",
      "Id": "AppService550",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Resource logs in App Service should be enabled",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Enabling resource logs lets you recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised.",
      "Recommendation": "Please refer: https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs#enable-application-logging-windows",
      "Tags": [
        "AppService",
        "Automated",
        "Baseline",
        "Audit",
        "FunctionApp"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "40394a2c-60fb-7cc5-1944-065772e94f05"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_AppService_AuthN_FTP_and_SCM_Access_Disable_Basic_Auth",
      "Description": "AppService must not use basic authentication for FTP and SCM access",
      "Id": "AppService560",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceBasicAuthAllowed",
      "DisplayName": "AppService must not use basic authentication for FTP and SCM access",
      "Category": "Authentication must be enabled on all user accounts and services",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control. All enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.",
      "Recommendation": "To make production slot compliant, go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> Basic Authentication --> Off --> Save. To make non-production slot compliant, go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> Basic Authentication --> Off --> Save",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "AuthN",
        "Baseline"
      ],
      "CustomTags": [
        "Daily",
        "TBv11",
        "TenantBaseline",
        "MSD",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AppService_Disable_Basic_Auth"
      ],
      "Enabled": true,
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "BasicAuthSettingConfig",
          "SCMBasicAuthEnabled",
          "FTPBasicAuthEnabled"
        ]
      }
    },
    {
      "ControlID": "Azure_AppService_Config_Disable_Remote_Debugging_KR51",
      "Description": "[KR51] Remote debugging must be turned off for App Service.",
      "Id": "AppService590",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Remote debugging must be turned off for App Service.",
      "Category": "Remote debugging must be disabled",
      "ControlRequirements": "Remote debugging is disabled by default",
      "Rationale": "Remote debugging requires inbound ports to be opened on App Service. These ports become easy targets for compromise from various internet-based attacks.",
      "Recommendation": "To disable remote debugging on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save. To disable remote debugging on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save",
      "Tags": [
        "Baseline",
        "Automated",
        "AppService",
        "Config"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/microsoft.authorization/policydefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Remote debugging should be turned off for Web Applications",
            "Description": "Remote debugging requires inbound ports to be opened on a web application. Remote debugging is currently enabled. If you no longer need to use remote debugging, it should be turned off.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_FunctionApp_Config_Disable_Remote_Debugging_KR51",
      "Description": "[KR51] Remote debugging must be turned off for Function Apps.",
      "Id": "AppService600",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Remote debugging must be turned off for Function Apps.",
      "Category": "Remote debugging must be disabled",
      "ControlRequirements": "Remote debugging is disabled by default",
      "Rationale": "Remote debugging requires inbound ports to be opened on App Service. These ports become easy targets for compromise from various internet-based attacks.",
      "Recommendation": "To disable remote debugging on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save. To disable remote debugging on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> Remote Debugging (Under Debugging) --> Click on 'OFF' --> Save",
      "Tags": [
        "Baseline",
        "Automated",
        "FunctionApp",
        "Config"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/microsoft.authorization/policydefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Remote debugging should be turned off for Function App",
            "Description": "Remote debugging requires inbound ports to be opened on an Azure Function app. Remote debugging should be turned off.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Use_Secure_TLS_Version_KR51",
      "Description": "[KR51] Use approved version of TLS in App Service.",
      "Id": "AppService610",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Use approved version of TLS in App Service.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To set required TLS version on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason). To set required TLS version on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason).",
      "Tags": [
        "Baseline",
        "Automated",
        "AppService",
        "DP"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "TLS should be updated to the latest version for web apps",
            "Description": "Upgrade to the latest TLS version",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_FunctionApp_DP_Use_Secure_TLS_Version_KR51",
      "Description": "[KR51] Use approved version of TLS in Function Apps.",
      "Id": "AppService620",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Use approved version of TLS in Function Apps.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "TLS provides confidentiality and data integrity between client and server. Using approved TLS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To set required TLS version on default 'Production' slot: Go to Azure Portal --> your App Service --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason). To set required TLS version on any non-production slot: Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> TLS/SSL --> Minimum TLS version --> set to org approved version (see status reason).",
      "Tags": [
        "Baseline",
        "Automated",
        "FunctionApp",
        "DP"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "TLS should be updated to the latest version for function apps",
            "Description": "Upgrade to the latest TLS version",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Dont_Allow_HTTP_Access_KR51",
      "Description": "[KR51] App Service must only be accessible over HTTPS.",
      "Id": "AppService630",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] App Service must only be accessible over HTTPS.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
      "Recommendation": "To enable only https traffic on default 'Production' slot: Run command 'Set-AzWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -HttpsOnly `$true'. Run 'Get-Help Set-AzWebApp -full' for more help. To enable only https traffic on any non-production slot: Run command 'Set-AzWebAppSlot -ResourceGroupName '<RGName>' -Name '<WebAppName>' -Slot '<SlotName>' -HttpsOnly `$true'",
      "Tags": [
        "Baseline",
        "Automated",
        "AppService",
        "DP"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Deny",
            "DefinitionType": "Definition",
            "DisplayName": "Web Application should only be accessible over HTTPS",
            "Description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d"
          },
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Web Application should only be accessible over HTTPS",
            "Description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_FunctionApp_DP_Dont_Allow_HTTP_Access_KR51",
      "Description": "[KR51] Function Apps must only be accessible over HTTPS.",
      "Id": "AppService640",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] Function Apps must only be accessible over HTTPS.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
      "Recommendation": "To enable only https traffic on default 'Production' slot: Run command 'Set-AzWebApp -Name '<WebAppName>' -ResourceGroupName '<RGName>' -HttpsOnly `$true'. Run 'Get-Help Set-AzWebApp -full' for more help. To enable only https traffic on any non-production slot: Run command 'Set-AzWebAppSlot -ResourceGroupName '<RGName>' -Name '<WebAppName>' -Slot '<SlotName>' -HttpsOnly `$true'",
      "Tags": [
        "Baseline",
        "Automated",
        "FunctionApp",
        "DP"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
          {
            "EffectType": "Deny",
            "DefinitionType": "Definition",
            "DisplayName": "Function App should only be accessible over HTTPS",
            "Description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab"
          },
          {
            "EffectType": "Dine",
            "DefinitionType": "Definition",
            "DisplayName": "Function App should only be accessible over HTTPS",
            "Description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
            "Id": "/providers/Microsoft.Authorization/policyDefinitions/a096cbd0-4693-432f-9374-682f485f23f3"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_AppService_DP_Use_Secure_FTP_Deployment_KR51",
      "Description": "[KR51] App Services must use secure FTP deployments.",
      "Id": "AppService650",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] App Services must use secure FTP deployments.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "FTPS is used to enhance security for your Azure Web Application as it adds an extra layer of security to the FTP protocol. Enforcing FTPS-only access for your Azure App Services apps ensures that the encrypted traffic between the web apps and servers and the FTP clients cannot be decrypted by malicious actors.",
      "Recommendation": "To make production slot compliant, Go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save. To make non-production slot compliant, Go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save",
      "Tags": [
        "Baseline",
        "Automated",
        "AppService",
        "DP"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Windows",
        "Linux",
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_FunctionApps_DP_Use_Secure_FTP_Deployment_KR51",
      "Description": "[KR51] FunctionApps must use secure FTP deployments.",
      "Id": "AppService660",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "Policy",
      "DisplayName": "[KR51] FunctionApps must use secure FTP deployments.",
      "Category": "Encrypt data in transit",
      "ControlRequirements": "Data must be encrypted in transit and at rest",
      "Rationale": "FTPS is used to enhance security for your Azure Web Application as it adds an extra layer of security to the FTP protocol. Enforcing FTPS-only access for your Azure App Services apps ensures that the encrypted traffic between the web apps and servers and the FTP clients cannot be decrypted by malicious actors.",
      "Recommendation": "To make the production slot compliant, go to Azure Portal --> your App Service --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save. To make a non-production slot compliant, go to Azure Portal --> your App Service --> Deployment --> Deployment slots --> Select slot --> Settings --> Configuration --> General Settings --> FTP state --> (Choose FTPS Only/Disabled based on requirement) --> Save",
      "Tags": [
        "Baseline",
        "Automated",
        "FunctionApps",
        "DP"
      ],
      "CustomPolicyProperties": {
        "PolicyDefinitionandAssignmentIdMapping": [
          {
            "PolicyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
            "AssignmentId": ""
          }
        ]
      },
      "CustomDeploymentPolicyProperties": {
        "PolicyDefinitonMappings": [
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Windows",
        "Linux",
        "KR51",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_AppService_Audit_Enable_Diagnostic_Settings",
      "Description": "Diagnostics logs and metrics must be enabled for App Service",
      "Id": "AppService670",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceDiagnosticsSettings",
      "DisplayName": "Diagnostics logs and metrics must be enabled for App Service",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Category": "Monitoring must be correctly configured",
      "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is also typical for several compliance requirements.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "AppService",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "ApplicableAppServiceKinds": [
          "app"
        ],
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "AppServiceHTTPLogs",
          "AppServiceIPSecAuditLogs",
          "AppServiceAuditLogs"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_FunctionApps_Audit_Enable_Diagnostic_Settings",
      "Description": "Enable Security Logging in Function Apps",
      "Id": "AppService680",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAppServiceDiagnosticsSettings",
      "DisplayName": "Enable Security Logging in Function Apps",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Category": "Monitoring must be correctly configured",
      "Rationale": "Logs should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is also typical for several compliance requirements.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "Baseline",
        "FunctionApp"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "ApplicableAppServiceKinds": [
          "functionapp"
        ],
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "FunctionAppLogs"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv12",
        "SN:FunctionApps_Logging"
      ]
    }
  ]
}