Azure App Service web apps are evaluated for FTP exposure via the ftpsState setting of their site configuration. The values FtpsOnly and Disabled indicate that plain FTP is not allowed; AllAllowed means both unencrypted FTP and FTPS are accepted.
Risk
Allowing plain FTP (unencrypted) exposes publishing credentials on public endpoints, enabling credential theft and session hijacking.
A compromised publishing credential grants write access to the app's code and content, enabling malicious deployments, backdoors, and data leakage that degrade integrity and confidentiality, with a larger blast radius if shared, user-scope publishing credentials are used rather than app-scoped ones.
prowler azure --checks app_ftp_deployment_disabled
Recommendation
Disable FTP or enforce FTPS (ftpsState: FtpsOnly or Disabled).
Prefer CI/CD over manual FTP and apply least privilege with app-scoped credentials. Rotate publishing secrets, enforce modern TLS, and restrict access via private networking. If FTP is unavoidable, require FTPS and monitor publishing logs.
Remediation
az webapp config set --resource-group <RESOURCE_GROUP> --name <APP_NAME> --ftps-state FtpsOnly
- In Azure Portal, go to App Services and select your app
- Go to Settings > Configuration > General settings
- Set FTP state to FTPS only (or Disabled)
- Click Save
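The decision described above (FtpsOnly or Disabled passes, AllAllowed fails) and the matching az remediation command, as an added Python example that is not Prowler's own check code; the WebApp and Finding classes and the sample inventory are constructed stand-ins, not Azure SDK models or real resources:

```python
from dataclasses import dataclass
from typing import List, Optional

# Values of siteConfig.ftpsState that mean plain FTP is not accepted.
COMPLIANT_FTPS_STATES = {"FtpsOnly", "Disabled"}


@dataclass
class WebApp:
    """Constructed stand-in for an App Service site (not the Azure SDK model)."""
    name: str
    resource_group: str
    ftps_state: Optional[str]  # None when the site configuration could not be read


@dataclass
class Finding:
    app: str
    status: str  # "PASS" or "FAIL"
    status_extended: str
    remediation: Optional[str] = None


def evaluate_ftp_deployment(app: WebApp) -> Finding:
    """FtpsOnly/Disabled -> PASS; AllAllowed -> FAIL.
    An unreadable or unrecognised value is reported as FAIL rather than skipped,
    so a site whose config could not be fetched does not silently look compliant."""
    if app.ftps_state in COMPLIANT_FTPS_STATES:
        return Finding(app.name, "PASS",
                       f"FTP is disabled for app '{app.name}' (ftpsState={app.ftps_state}).")
    if app.ftps_state == "AllAllowed":
        detail = f"FTP and FTPS are both allowed for app '{app.name}' (ftpsState=AllAllowed)."
    else:
        detail = f"ftpsState for app '{app.name}' is {app.ftps_state!r}; treated as non-compliant."
    # Same command as the Remediation section, filled in for this app.
    remediation = (f"az webapp config set --resource-group {app.resource_group} "
                   f"--name {app.name} --ftps-state FtpsOnly")
    return Finding(app.name, "FAIL", detail, remediation)


def evaluate_all(apps: List[WebApp]) -> List[Finding]:
    return [evaluate_ftp_deployment(a) for a in apps]


# Constructed sample inventory (not real resources).
SAMPLE_APPS = [
    WebApp("web-prod", "rg-prod", "FtpsOnly"),
    WebApp("web-legacy", "rg-prod", "AllAllowed"),
    WebApp("web-api", "rg-dev", "Disabled"),
    WebApp("web-unknown", "rg-dev", None),
]

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_APPS):
        print(finding.status, finding.status_extended)
        if finding.remediation:
            print("   fix:", finding.remediation)
```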
Resource Type
microsoft.web/sites
References
- https://learn.microsoft.com/en-us/azure/app-service/deploy-ftp?tabs=portal
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/ftp-access-disabled.html
- https://learn.microsoft.com/en-gb/answers/questions/1323820/can-i-create-an-azure-policy-that-disables-both-ft
- https://icompaas.freshdesk.com/support/solutions/articles/62000234759-ensure-ftp-state-is-set-to-ftps-only-or-disabled-