Ensure 'Remote debugging' is set to 'Off' for App Service

Overview

Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.

Rationale

Disabling remote debugging on Azure App Service is primarily about enhancing security.

Remote debugging opens a communication channel that attackers can exploit. By disabling it, you reduce the number of potential entry points for unauthorized access.

If remote debugging is enabled without proper access controls, unauthorized users can connect to your application, potentially leading to data breaches or malicious code execution.

Sensitive information might be exposed during a remote debugging session. Disabling remote debugging helps ensure that such data remains secure. This minimizes the use of remote access tools to reduce risk.

Impact

You will not be able to connect to your application from a remote location to diagnose and fix issues in real-time. You cannot step through code, set breakpoints, or inspect variables and the call stack while the application runs on the server. Remote debugging is particularly useful for diagnosing issues that only occur in the production environment. Without it, you must rely on logs and other diagnostic tools.

Default Value

By default, remote debugging is set to off

Remediation guidance

Remediate from Azure Portal

Open the web app using the Open in Azure button.
Under Setting section, Click on Configuration
Under the General settings tab, set the Remote debugging option to Off.

Remediate from Azure CLI

To set remote debugging status to off, run the following command

az webapp config set --resource-group <resource_group_name> --name <app_name> --remote-debugging-enabled false

Remediation from PowerShell

To set remote debugging status to off, run the following command

Set-AzWebApp -ResourceGroupName <resource_group_name> -Name <app_name> -RemoteDebuggingEnabled $false

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Azure App Services with remote debugging enabled

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(where: { siteConfig: { remoteDebuggingEnabled: true } }) {
    ...AssetFragment
  }
}