Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'

Overview

By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Services.

If FTPS is not expressly required for the App, the recommended setting is Disabled.

Rationale

FTP is an unencrypted network protocol that will transmit data - including passwords - in clear-text. The use of this protocol can lead to both data and credential compromise, and can present opportunities for exfiltration, persistence, and lateral movement.

Impact

Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.

Default Value

By default, FTP based deployment is All allowed.

Remediation guidance

Remediate from Azure Portal

Open the web app using the Open in Azure button.
Select Settings and then Configuration
Under General Settings, for the Platform Settings, the FTP state should be set to Disabled or FTPS Only

Remediate from Azure CLI

For each out of compliance application, run the following choosing either 'disabled' or 'FtpsOnly' as appropriate:

az webapp config set --resource-group <resourceGroupName> --name <appName> --ftps-state [Disabled|FtpsOnly]

Remediate from PowerShell

For each out of compliance application, run the following:

Set-AzWebApp -ResourceGroupName <resourceGroupName> -Name <appName> -FtpsState [Disabled|FtpsOnly]

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure App Services allowing plain FTP deployments

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(where: { siteConfig: { ftpsState: "AllAllowed" } }) {
    ...AssetFragment
  }
}