Disable FTP in Azure Policy

UserID883312 · ‎Jan 05 2021

Hello all, is there an equivalent azure policy that disables the FTP of my applications in my subscription? If none, how can I disable the FTP of the applications under my subscription?

ibrahimambodji · ‎Jan 06 2021

@UserID883312

Hi there is builtin policy to do that

Go to policy definitions blade :

Policy - Microsoft Azure

Search for ftp and you will see 3 policies :

FTPS only should be required in your Function App

FTPS should be required in your Web App

FTPS only should be required in your API App

Take the policy for the web app and assign it to your subscription or resource groups

Enforce the policy and add a remediation step with a managed identity (Deploy if not exists)

You can also manually enforce FTPs

The link below show how use FTP over TLS/SSL only (See Enforce FTPs section )

Deploy content using FTP/S - Azure App Service | Microsoft Docs

UserID883312 · ‎Jan 06 2021

@ibrahimambodji thank you, but aren't those policies is to enable FTP? I need the policy that disables the FTP state.

UserID883312 · ‎Jan 06 2021

@UserID883312

You're welcome it's mentionned on the definition FTPs (s=secure) . If FTPs is enabled FTP will be disabled .

Below the details :

Name

FTPS should be required in your Web App

Description

Enable FTPS enforcement for enhanced security

Available Effects

AuditIfNotExists, Disabled

Category

App Service

Json definition :

{

"properties": {

"displayName": "FTPS should be required in your Web App",

"policyType": "BuiltIn",

"mode": "Indexed",

"description": "Enable FTPS enforcement for enhanced security",

"metadata": {

"version": "2.0.0",

"category": "App Service"

},

"parameters": {

"effect": {

"type": "String",

"metadata": {

"displayName": "Effect",

"description": "Enable or disable the execution of the policy"

},

"allowedValues": [

"AuditIfNotExists",

"Disabled"

],

"defaultValue": "AuditIfNotExists"

}

},

"policyRule": {

"if": {

"allOf": [

{

"field": "type",

"equals": "Microsoft.Web/sites"

},

{

"field": "kind",

"like": "app*"

}

]

},

"then": {

By the way if you want to disable both you cannot do that through policy but it's documented

To disable both FTP and FTPS entirely, select Disabled. When finished, click Save

Deploy content using FTP/S - Azure App Service | Microsoft Docs

UserID883312 · ‎Jan 06 2021

@ibrahimambodji Okay great, that helps a lot. Thank you!

ibrahimambodji · ‎Jan 06 2021

@UserID883312

Youre welcome , glad that can help.

Thank you.

Jamesdld · ‎Jan 26 2021

Hi @UserID883312 @ibrahimambodji

If it can help, please find here JamesDLD/azure-policies a custom policy that disables FTP on Web App using an ARM Template deployment script for the remediation.

In the same repo I have published the ones for API and Function App, always using the

effect "DeployIfNotExists".

Regards,

Jamesdld

ibrahimambodji · ‎Jan 26 2021

@Jamesdld

Hi

Thanks for sharing !

Disable FTP in Azure Policy

Disable FTP in Azure Policy

Re: Disable FTP in Azure Policy

Re: Disable FTP in Azure Policy

Re: Disable FTP in Azure Policy

Re: Disable FTP in Azure Policy

Re: Disable FTP in Azure Policy

Re: Disable FTP in Azure Policy

Re: Disable FTP in Azure Policy

Products (70)

Special Topics (19)

Video Hub (87)

Most Active Hubs

Most Active Hubs

Video Hub

Disable FTP in Azure Policy