lacework-global-581
9.3 Ensure Web App is using the latest version of TLS encryption (Automated)
Profile Applicability
• Level 1
Description
The TLS (Transport Layer Security) protocol secures the transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service allows TLS 1.2 by default, which is the TLS level recommended by industry standards such as PCI DSS.
Rationale
App Service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.
Audit
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com
- Go to App Services
- Click on each App
- Under the Setting section, click on TLS/SSL settings
- Under the Bindings pane, ensure that Minimum TLS Version is set to 1.2 under Protocol Settings
From Azure CLI
To check the TLS version for an existing app, run the following command:
az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query minTlsVersion
The output should return 1.2 if the TLS version is set to 1.2 (which is currently the latest version).
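The CLI check above, extended to loop over every web app in the current subscription. This is an added example, not part of the benchmark text; it assumes `az login` has already been run, and the function names `tls_ok` and `audit_webapps` are illustrative.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit minTlsVersion for every
# web app in the current subscription. Assumes `az login` has already been run.

# Return 0 when a minTlsVersion string is 1.2 or higher. Empty, "null" or
# otherwise unparseable values count as non-compliant.
tls_ok() {
  case "$1" in
    ''|*[!0-9.]*|*.*.*|.*|*.) return 1 ;;   # not of the form <digits>.<digits>
    *.*) ;;
    *) return 1 ;;
  esac
  major=${1%%.*}
  minor=${1#*.}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 2 ]; }
}

# Print "PASS|FAIL <resource group> <app> <minTlsVersion>" (tab-separated) per
# app. Returns 0 if all apps pass, 1 if any fails, 2 if listing fails.
audit_webapps() {
  failed=0
  tab=$(printf '\t')
  apps=$(az webapp list --query "[].[resourceGroup, name]" -o tsv) || return 2
  while IFS="$tab" read -r rg name; do
    [ -n "$name" ] || continue
    # A failed lookup leaves the version empty, which is reported as FAIL.
    ver=$(az webapp config show --resource-group "$rg" --name "$name" \
            --query minTlsVersion -o tsv </dev/null 2>/dev/null) || ver=""
    if tls_ok "$ver"; then
      printf 'PASS\t%s\t%s\t%s\n' "$rg" "$name" "$ver"
    else
      printf 'FAIL\t%s\t%s\t%s\n' "$rg" "$name" "${ver:-unknown}"
      failed=1
    fi
  done <<EOF
$apps
EOF
  return "$failed"
}

# Run the audit only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then
  audit_webapps
fi
```

The non-zero exit status on any FAIL line lets the script gate a scheduled job or pipeline step.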
From Azure PowerShell
List all web apps.
Get-AzWebApp
For each web app run the following command.
Get-AzWebApp -ResourceGroupName <RESOURCE_GROUP_NAME> -Name <APP_NAME> | Select-Object -ExpandProperty SiteConfig
Make sure the minTlsVersion is set to at least 1.2.
Remediation
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com
- Go to App Services
- Click on each App
- Under the Setting section, click on SSL settings
- Under the Bindings pane, set Minimum TLS Version to 1.2 under the Protocol Settings section
From Azure CLI
To set the TLS version for an existing app, run the following command:
az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --min-tls-version 1.2
From Azure PowerShell
Set-AzWebApp -ResourceGroupName <RESOURCE_GROUP_NAME> -Name <APP_NAME> -MinTlsVersion 1.2
References
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-8-detect-and-disable-insecure-services-and--protocols
https://docs.microsoft.com/en-us/powershell/module/az.websites/set-azwebapp?view=azps-8.1.0