Skip to main content

lacework-global-581

Ensure Web App is using the latest version of Transport Layer Security (TLS) encryption (Automated)

Profile Applicability

• Level 1

Description

The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Use the latest version of TLS for encryption. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as Payment Card Industry Data Security Standard (PCI-DSS).

Rationale

App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.

Audit

From Azure Portal

  1. Login to Azure Portal using https://portal.azure.com
  2. Go to App Services
  3. Click on each App
  4. Under Setting section, Click on TLS/SSL settings
  5. Under the Bindings pane, ensure that Minimum TLS Version set to 1.2 under Protocol Settings

From Azure CLI

To check TLS Version for an existing app, run the following command,

az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query minTlsVersion

The output should return 1.2 if TLS Version is set to 1.2 (Which is currently the latest version).

From Azure PowerShell

List all web apps.

Get-AzWebApp

For each web app run the following command.

Get-AzWebApp -ResourceGroupName <RESOURCE_GROUP_NAME> -Name <APP_NAME> |Select-Object -ExpandProperty SiteConfig

Make sure the minTlsVersion is set to at least 1.2.

Remediation

From Azure Portal

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to App Services.
  3. Click each App.
  4. Under Setting section, click SSL settings.
  5. Under the Bindings pane, set Minimum TLS Version to 1.2 under Protocol Settings section.

From Azure CLI

To set TLS Version for an existing app, run the following command:

az webapp config set --resource-group <resource_group_name> --name <app_name> --min-tls-version 1.2

From Azure PowerShell

Set-AzWebApp -ResourceGroupName <resource_group_name> -Name <app_name> -MinTlsVersion 1.2

References

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-8-detect-and-disable-insecure-services-and--protocols
https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0