lacework-global-581
Ensure Web App is using the latest version of Transport Layer Security (TLS) encryption (Automated)
Profile Applicability
• Level 1
Description
The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Use the latest version of TLS for encryption. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS).
Rationale
App Service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.
Audit
From Azure Portal
- Login to Azure Portal using https://portal.azure.com
- Go to App Services
- Click on each App
- Under Setting section, click on TLS/SSL settings
- Under the Bindings pane, ensure that Minimum TLS Version is set to 1.2 under Protocol Settings
From Azure CLI
To check TLS Version for an existing app, run the following command:
az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query minTlsVersion
The output should return 1.2 if TLS Version is set to 1.2 (which is currently the latest version).
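To run the same Azure CLI check across every web app in a subscription instead of one app at a time, the script below is an added example and not part of the original benchmark text. The function names tls_at_least_1_2 and audit_webapps and the file name audit-tls.sh are hypothetical, and it assumes an already authenticated Azure CLI session.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit minTlsVersion for every web app
# in the current subscription. Assumes `az login` has already been run.

# Succeeds only when the value is TLS 1.2 or higher.
# Empty or malformed values are treated as non-compliant.
tls_at_least_1_2() {
  case "$1" in
    [0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  major="${1%%.*}"
  minor="${1#*.}"
  case "$major$minor" in *[!0-9]*) return 1 ;; esac
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 2 ]; }
}

# Prints one PASS/FAIL line per app; returns 1 if any app fails, 2 if listing fails.
audit_webapps() {
  apps=$(az webapp list --query "[].[resourceGroup, name]" --output tsv) || return 2
  failed=0
  while read -r rg name; do
    [ -n "$name" ] || continue
    # </dev/null keeps az from consuming the app list on stdin
    ver=$(az webapp config show --resource-group "$rg" --name "$name" \
            --query minTlsVersion --output tsv </dev/null)
    if tls_at_least_1_2 "$ver"; then
      printf 'PASS  %s/%s  minTlsVersion=%s\n' "$rg" "$name" "$ver"
    else
      printf 'FAIL  %s/%s  minTlsVersion=%s\n' "$rg" "$name" "${ver:-unset}"
      failed=1
    fi
  done <<EOF
$apps
EOF
  return "$failed"
}

# Run the audit only when invoked as: sh audit-tls.sh --run  (hypothetical file name)
if [ "${1:-}" = "--run" ]; then
  audit_webapps
fi
```

The non-zero return code when any app fails lets the script act as a gate in a scheduled job or pipeline.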
From Azure PowerShell
List all web apps.
Get-AzWebApp
For each web app run the following command.
Get-AzWebApp -ResourceGroupName <RESOURCE_GROUP_NAME> -Name <APP_NAME> | Select-Object -ExpandProperty SiteConfig
Make sure the minTlsVersion is set to at least 1.2.
Remediation
From Azure Portal
- Login to Azure Portal using https://portal.azure.com.
- Go to App Services.
- Click each App.
- Under Setting section, click SSL settings.
- Under the Bindings pane, set Minimum TLS Version to 1.2 under Protocol Settings section.
From Azure CLI
To set TLS Version for an existing app, run the following command:
az webapp config set --resource-group <resource_group_name> --name <app_name> --min-tls-version 1.2
From Azure PowerShell
Set-AzWebApp -ResourceGroupName <resource_group_name> -Name <app_name> -MinTlsVersion 1.2
References
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-8-detect-and-disable-insecure-services-and--protocols
https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0