
Option to disable FTP (and force FTPS) in Azure Web Apps

I love the simplicity of deploying and configuring Web Apps but I would like to improve security by forcing clients to use FTPS instead of non-secure FTP.

Being able to toggle each deployment option on/off would be great to help minimise exposure.

380 votes
James Hartcher shared this idea

Admin response:

    Hi all,

    Thank you for your patience here! We have just deployed and announced the feature which will allow you to configure your apps to continue to use FTP and FTPS, limit access only over FTPS or completely disable FTP access.

    Please see our team blog for full details:
    https://blogs.msdn.microsoft.com/appserviceteam/2018/05/08/web-apps-making-changes-to-ftp-deployments/

    Thanks!
    Oded
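The three states the admin describes (FTP and FTPS, FTPS only, FTP disabled) are exposed per app as the `ftpsState` setting. The script below is an added example, not from the original thread or the linked blog post: it audits every web app in the current subscription with the Azure CLI (`az`, assumed installed and logged in), flags apps that still accept plaintext FTP, and shows the remediation call; the resource group and app names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: audit and harden App Service ftpsState.
# Assumes the Azure CLI (az) is installed and authenticated.

# ftps_verdict: classify one ftpsState value.
# Exit status 0 = compliant, 1 = plaintext FTP accepted, 2 = unknown/unset.
ftps_verdict() {
  case "$1" in
    Disabled) echo "compliant: FTP endpoint disabled"; return 0 ;;
    FtpsOnly) echo "acceptable: plaintext FTP refused, FTPS allowed"; return 0 ;;
    AllAllowed) echo "NON-COMPLIANT: plaintext FTP accepted"; return 1 ;;
    "") echo "unset: verify the effective setting in the portal"; return 2 ;;
    *) echo "unknown ftpsState '$1'"; return 2 ;;
  esac
}

# audit_webapps: print resourceGroup/app, its ftpsState and the verdict
# for every web app visible in the current subscription.
# ftpsState lives in the site config, so each app needs a config lookup.
audit_webapps() {
  az webapp list --query "[].{rg:resourceGroup,name:name}" -o tsv |
  while read -r rg name; do
    state=$(az webapp config show -g "$rg" -n "$name" --query ftpsState -o tsv)
    printf '%s/%s: %s -> %s\n' "$rg" "$name" "$state" "$(ftps_verdict "$state")"
  done
}

# harden_webapp: set ftpsState (Disabled by default, FtpsOnly if FTPS
# deployments are still needed) and read the value back to verify.
harden_webapp() {
  rg=$1; name=$2; state=${3:-Disabled}
  az webapp config set -g "$rg" -n "$name" --ftps-state "$state" -o none
  az webapp config show -g "$rg" -n "$name" --query ftpsState -o tsv
}

# Usage (placeholders):
#   audit_webapps
#   harden_webapp my-resource-group my-web-app FtpsOnly
```

The audit only reads configuration; run `harden_webapp` per flagged app once you have confirmed no deployment pipeline still depends on plaintext FTP.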

    18 comments

• Emma Laurijssens van Engelenhoven commented

  Is there any chance this can be set on the ASE level? We're using ASEs with an ILB and although we set the application to use FTPS only, we're turned down after vulnerability scans because the ILB still accepts FTP in general.

• Anonymous commented

  Thank you so much for completing this change. Any chance the overview blade can be updated so that when FTP/FTPS is disabled, it indicates as much under "FTP hostname"?

• Corné Rooster commented

  Been struggling with this for a while!
  A possibility is to set up a new user account and remove the current one.
  This way the deployment credentials are also cleared.
  The FTP host still exists but without an account:
  "No FTP/deployment user set"

• Jason Johndrow commented

  Even if it is not possible to force FTPS, we need a way to disable it altogether to aid in regulatory compliance.

  -Jason

• Andy commented

  Please add a feature to simply allow disabling FTP(/S) and/or non-HTTP(/S) incoming traffic. The lack of this seemingly simple and obviously needed feature (FTP connections open everyone on a "secure" website) is, from a security perspective, a deal breaker to securely use this service for several projects and industries.

• Kaorin commented

  Both PCI DSS v3.0 and v3.1 require multi-factor authentication for network access.

  Azure App Service - Web Apps is currently in compliance with PCI DSS 3.0, and PCI standards will again be re-reviewed in FY17 as part of Microsoft's Fiscal 17 compliance planning, so I believe Web Apps will be in compliance with PCI DSS 3.1 or the latest one (3.2).

  If App Service is compliant with PCI DSS (any version), FTP should (must) require multi-factor authentication. Google App Engine, which is a similar service to Web Apps, requires it to publish contents on the server.

• Anonymous commented

  At the following URL, we can find the PCI DSS standard document v3.2.

  <https://www.pcisecuritystandards.org/document_library>

  I read this document (Attached) and found the following item.

  --
  8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
  Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

  8.3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE.
  --

  Currently we can access WebApps via FTP without multi-factor authentication when we deploy our application. But the PCI DSS standard document recommends us "to verify multi-factor authentication is required for all non-console administrative access into the CDE." So, if Microsoft Azure is based on PCI DSS, we need to configure it to use multi-factor authentication when we access WebApps via FTP. (This item is a best practice until January 31st, 2018, after which it becomes a requirement.)

  Could you please add a multi-factor authentication feature for FTP access? If not, could you please give me your opinion on how we should develop applications based on PCI DSS?

• Jake Garner commented

  Any update on this? We don't use FTP and from a security perspective it's a "loophole" for our application.
