Forum Discussion

nabi04's avatar
nabi04
Brass Contributor
Jan 06, 2021
Solved

Disable FTP in Azure Policy

Hello all, is there an equivalent azure policy that disables the FTP of my applications in my subscription? If none, how can I disable the FTP of the applications under my subscription?

azure policy
FTP
  • ibnmbodji's avatar
    ibnmbodji
    Jan 06, 2021

    nabi04 

     

    You're welcome it's mentionned on the definition FTPs (s=secure) . If FTPs is enabled FTP will be disabled . 

    Below the details : 

    Name
    FTPS should be required in your Web App
    Description
    Enable FTPS enforcement for enhanced security
    Available Effects
    AuditIfNotExists, Disabled
    Category
    App Service
     
    Json definition :  
    {
      "properties": {
        "displayName": "FTPS should be required in your Web App",
        "policyType": "BuiltIn",
        "mode": "Indexed",
        "description": "Enable FTPS enforcement for enhanced security",
        "metadata": {
          "version": "2.0.0",
          "category": "App Service"
        },
        "parameters": {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
              "AuditIfNotExists",
              "Disabled"
            ],
            "defaultValue": "AuditIfNotExists"
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Web/sites"
              },
              {
                "field": "kind",
                "like": "app*"
              }
            ]
          },
          "then": {
     
    By the way if you want to disable both  you cannot do that through policy but it's documented 
    To disable both FTP and FTPS entirely, select Disabled. When finished, click Save
    Deploy content using FTP/S - Azure App Service | Microsoft Docs
     
     
     
     
     
     
     

7 Replies

  • Jamesdld's avatar
    Jamesdld
    Brass Contributor
    Jan 26, 2021

    Hi nabi04 ibnmbodji 

     

    If it can help, please find here https://github.com/JamesDLD/azure-policies/blob/main/policies/_MVP_FTP_should_be_disabled_in_your_Web_App_278d0c76-3d3b-452d-9b8a-724ba7a6b43e/policy.json a custom policy that disables FTP on Web App using an https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template?WT.mc_id=AZ-MVP-5003548 for the remediation.

     

    In the same repo I have published the ones for API and Function App, always using the 

    effect "https://docs.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?WT.mc_id=AZ-MVP-5003548".

     

    Regards,

    Jamesdld

  • ibnmbodji's avatar
    ibnmbodji
    Iron Contributor
    Jan 06, 2021

    nabi04 

     

    Hi there is builtin policy to do that 

     

    Go to policy definitions blade : 

    Policy - Microsoft Azure

    Search for ftp  and you will see 3 policies :  

    FTPS only should be required in your Function App
    FTPS should be required in your Web App
    FTPS only should be required in your API App

    Take the policy for the web app and assign it to your subscription or resource groups 

    Enforce the policy and add a remediation step with a managed identity (Deploy if not exists)  

    You can also manually enforce FTPs

    The link below show how use FTP over TLS/SSL only (See Enforce FTPs  section )

     

    Deploy content using FTP/S - Azure App Service | Microsoft Docs

    • nabi04's avatar
      nabi04
      Brass Contributor
      Jan 06, 2021

      ibnmbodji thank you, but aren't those policies is to enable FTP? I need the policy that disables the FTP state.

      • ibnmbodji's avatar
        ibnmbodji
        Iron Contributor
        Jan 06, 2021

        nabi04 

         

        You're welcome it's mentionned on the definition FTPs (s=secure) . If FTPs is enabled FTP will be disabled . 

        Below the details : 

        Name
        FTPS should be required in your Web App
        Description
        Enable FTPS enforcement for enhanced security
        Available Effects
        AuditIfNotExists, Disabled
        Category
        App Service
         
        Json definition :  
        {
          "properties": {
            "displayName": "FTPS should be required in your Web App",
            "policyType": "BuiltIn",
            "mode": "Indexed",
            "description": "Enable FTPS enforcement for enhanced security",
            "metadata": {
              "version": "2.0.0",
              "category": "App Service"
            },
            "parameters": {
              "effect": {
                "type": "String",
                "metadata": {
                  "displayName": "Effect",
                  "description": "Enable or disable the execution of the policy"
                },
                "allowedValues": [
                  "AuditIfNotExists",
                  "Disabled"
                ],
                "defaultValue": "AuditIfNotExists"
              }
            },
            "policyRule": {
              "if": {
                "allOf": [
                  {
                    "field": "type",
                    "equals": "Microsoft.Web/sites"
                  },
                  {
                    "field": "kind",
                    "like": "app*"
                  }
                ]
              },
              "then": {
         
        By the way if you want to disable both  you cannot do that through policy but it's documented 
        To disable both FTP and FTPS entirely, select Disabled. When finished, click Save
        Deploy content using FTP/S - Azure App Service | Microsoft Docs
         
         
         
         
         
         
         

Resources