Option to disable FTP (and force FTPS) in Azure Web Apps
I love the simplicity of deploying and configuring Web Apps but I would like to improve security by forcing clients to use FTPS instead of non-secure FTP.
Being able to toggle each deployment option on/off would be great to help minimise exposure.
Thank you for your patience here! We have just deployed and announced the feature which will allow you to configure your apps to continue to use FTP and FTPS, limit access only over FTPS or completely disable FTP access.
Please see our team blog for full details:
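For anyone scripting this rather than clicking through the portal, the following is an added example (not part of the thread and not Microsoft's own tooling) that applies the new setting with the Azure CLI and audits which apps still accept plaintext FTP. `az webapp config set --ftps-state` and its three values (`AllAllowed`, `FtpsOnly`, `Disabled`) are the real CLI surface; the resource group, app names and the inventory lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: enforce and audit the FTP/FTPS policy of Azure Web Apps.
# Requires the Azure CLI and a prior `az login` for the set_ftp_policy call;
# the audit functions run offline on plain "appName<TAB>ftpsState" lines.

# Validate a requested policy and echo it back; non-zero exit on anything else.
ftps_policy() {
  case "$1" in
    AllAllowed|FtpsOnly|Disabled) printf '%s\n' "$1"; return 0 ;;
    *) printf 'invalid ftps state: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Apply a policy to one app. Resource group and app name are placeholders
# supplied by the caller, e.g.: set_ftp_policy my-rg my-web-app Disabled
set_ftp_policy() {
  rg="$1"; app="$2"
  state="$(ftps_policy "$3")" || return 1
  az webapp config set --resource-group "$rg" --name "$app" \
    --ftps-state "$state" --output none
}

# "No plaintext FTP" check for a single ftpsState value:
# 0 when FTPS-only or disabled, 1 when plaintext FTP is still accepted
# (AllAllowed, or an empty/unknown value, which we treat as exposed).
ftp_compliant() {
  case "$1" in
    FtpsOnly|Disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every "app<TAB>state" line whose app still accepts plaintext FTP.
# Real input per app: az webapp config show -g RG -n APP --query ftpsState -o tsv
audit_ftp() {
  while IFS="$(printf '\t')" read -r app state; do
    ftp_compliant "$state" || printf '%s\t%s\n' "$app" "$state"
  done
}

# Count the exposed apps in the same input format.
count_ftp_exposed() {
  n=0
  while IFS="$(printf '\t')" read -r app state; do
    ftp_compliant "$state" || n=$((n + 1))
  done
  echo "$n"
}

# Constructed inventory (placeholder app names), as a stand-in for CLI output.
SAMPLE_INVENTORY="$(printf 'shop-web\tAllAllowed\napi-prod\tFtpsOnly\nlegacy-portal\tAllAllowed\nintranet\tDisabled')"

# Offline demonstration: list the apps that still need set_ftp_policy applied.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_ftp
```

The audit deliberately treats an empty `ftpsState` as exposed rather than compliant: `az webapp list` often returns `siteConfig` as null, so read the value per app with `az webapp config show` before trusting a clean report.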
Emma Laurijssens van Engelenhoven commented
Is there any chance this can be set on the ASE level? We're using ASEs with an ILB and although we set the application to use FTPS only, we're turned down after vulnerability scans because the ILB still accepts FTP in general.
We'll take that feedback to our UX team to investigate. Thanks!
Thank you so much for completing this change. Any chance the overview blade can be updated so that when FTP/FTPS is disabled, that it indicates as much under "FTP hostname"?
Matthew Mulhearn commented
We need this to pass security reviews at our company.
Corné Rooster commented
Been struggling with this for a while!
A possibility is to set up a new user account and remove the current one.
This way the deployment credentials are also cleared.
The FTP host still exists but without an account:
"No FTP/deployment user set"
As said before, we may be able to implement this in ASE in the future, but currently we don't have a timeline to share to complete the feature.
Jason Johndrow commented
Even if it is not possible to force FTPS, we need a way to disable it altogether to aid in regulatory compliance.
We are still looking at options on how to complete this request. We will update once we have more details. Thanks for the patience!
Teruyuki Ishii commented
Please enable this ASAP.
Please add a feature to simply allow disabling FTP(/S) and/or non-HTTP(/S) incoming traffic. The lack of this seemingly simple and obviously needed feature (FTP connections open to everyone on a "secure" website) is, from a security perspective, a deal breaker to securely use this service for several projects and industries.
With the increased maturity and usage of Azure Web Apps, it is time to provide firewall functionality, disabling FTP, HTTP,
Both PCI DSS v3.0 and v3.1 require the multi-factor authentication for the network access.
Azure App Service - Web Apps is currently in compliance with PCI DSS 3.0, and PCI standards will again be re-reviewed in FY17 as part of Microsoft's Fiscal 17 compliance planning, so I believe Web Apps will be in compliance with PCI DSS 3.1 or the latest one (3.2).
If App Service is compliant with PCI DSS (any version), FTP should (must) require multi-factor authentication. Google App Engine, which is a similar service to Web Apps, requires it to publish contents on the server.
In the following URL, we can find PCI DSS standard document v3_2.
I read this document (Attached) and found the following item.
8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
8.3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE.
Currently we can access Web Apps via FTP without multi-factor authentication when we deploy our application. But the PCI DSS standard document recommends us "to verify multi-factor authentication is required for all non-console administrative access into the CDE." So, if Microsoft Azure is based on PCI DSS, we need to configure multi-factor authentication when we access Web Apps via FTP. (This item is a best practice until January 31st, 2018, after which it becomes a requirement.)
Could you please add a multi-factor authentication feature for FTP access? If not, could you please give me any opinion on how we should develop applications based on PCI DSS?
Robert Aspinall commented
Please enable this ASAP.
I use slot deployment only. I'd like the option to turn off both.
Yes - we would like to be able to turn off FTP access and only have SFTP.
We have same requirement in our environment. Please update.
Jake Garner commented
Any update on this? We don't use FTP and from a security perspective it's a "loophole" for our application.