
vanBoheemenMatthew-1366 asked:

Azure App Service - How to block MsDeploy.axd on port 8172

We have an App Service running in Azure that hosts a website. We've recently had a security review on the web site and one of the items found was that the endpoint below was exposed.

https://<appName>.azurewebsites.net:8172/msdeploy.axd

The recommendation is that this endpoint should be blocked, using a whitelist to allow limited access (e.g. the build machine that deploys to Azure). How do I block this endpoint?

azure-webapps

SnehaAgrawal-MSFT answered:

@vanBoheemenMatthew-1366 Thanks for asking the question! Inbound and outbound network traffic on a subnet is controlled using a network security group. Controlling inbound traffic requires creating network security rules in a network security group, and then assigning the network security group to the subnet containing the App Service Environment. Once a network security group is assigned to a subnet, inbound traffic to apps in the App Service Environment is allowed/blocked based on the allow and deny rules defined in the network security group.

Reference: https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-control-inbound-traffic#outbound-connectivity-and-dns-requirements

You may refer to the document below, which describes outbound network addresses with ASE:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-network-architecture-overview#outbound-network-addresses

Also, you could use IP restrictions in App Services, or you can connect to a WebApp from IIS Manager and configure IP restrictions:

https://blogs.msdn.microsoft.com/benjaminperkins/2016/03/02/how-to-setup-ip-security-restrictions-for-an-azure-app-service/

Using web.config to restrict IPs manually is also an option.

Reference: https://stackoverflow.com/questions/41958723/how-to-restrict-access-to-an-app-service-using-a-setting-inside-the-azure-portal



Thanks @SnehaAgrawal-MSFT

I've looked at the IP restrictions and it seemed like a good approach. However, from what I can see this allows/denies access to the entire application rather than to a specific end point/port. I need to deny access to the specific port (8172). Blocking access to the entire site would stop my users from connecting. Is there a way to do this just for a specific port?


For the network security group the documentation above suggests that an App Service Environment is required to do this. Is this correct? From what I can tell an ASE is considerably more expensive for us and adds significantly more complexity and power than what we need.

The App Service IP restrictions allow the SCM site to have different settings from the main application site. I really just want similar functionality for the MSDeploy endpoint. I feel like the SCM site has this for security purposes and I'm struggling with why this isn't also available for the MSDeploy endpoint or port?

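The web.config route mentioned in the answer above, as an added example (not code from the answer, the thread, or Microsoft's documentation): an IIS ipSecurity section that denies every address not explicitly listed and allows a build agent plus an office range. The addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders. As the follow-up comments point out, this rule set governs requests that reach the site's own request pipeline; it does not affect the separate 8172 listener, which the thread says cannot be configured this way.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted defaults to "true", which admits every client.
           Setting it to "false" turns the list below into a whitelist. -->
      <ipSecurity allowUnlisted="false">
        <!-- Drop any entries inherited from a parent configuration. -->
        <clear />
        <!-- Build machine that publishes the site (constructed placeholder). -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- Office range (constructed placeholder), expressed with a subnet mask. -->
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Test the rule set from an address outside the list before relying on it: the expected response for an unlisted client is HTTP 403. If you prefer the portal-managed variant, the SCM site can be given its own rules separately from the main site, which is the distinction the second comment above refers to.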
ryanchill answered:

There isn't a way to disable this port @vanBoheemenMatthew-1366. The port is to allow variations of msdeploy to work. I will note that the port in question is only allowed for authenticated users publishing from Visual Studio, so there isn't any risk as long as your team is practicing good account protection.


vanBoheemenMatthew-1366 answered:

After discussions with Microsoft support it appears that port 8172 is enabled for backwards compatibility with old versions of MsDeploy. This port is being phased out and will be open sometimes and not other times.

The fix was for us to create a new resource group, app service plan and app services multiple times until we ended up with a server that had the port closed. This was frustrating but ultimately it did resolve the issue.

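Because the accepted resolution above depends on landing on a host where the port happens to be closed, and the same answer says the port "will be open sometimes and not other times", a defender wants a repeatable check that the 8172 listener stays unreachable on their own App Service hostnames. The script below is an added example, not from the thread or from Microsoft: it attempts only a TCP handshake to each hostname on port 8172, sends nothing on the connection, and reports open/closed/timeout/unresolvable so a scheduled run can alert if the state changes. The hostname in the main block is a placeholder.

```python
"""Verify that the legacy Web Deploy listener (port 8172) is not reachable
on your own App Service hostnames. Added example; hostnames are placeholders."""
import socket
from typing import Dict, Iterable

# Port of the msdeploy.axd endpoint discussed in the thread.
MSDEPLOY_PORT = 8172


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed', 'timeout' or 'unresolvable' for host:port.

    Only a TCP connection is attempted and immediately closed; no HTTP
    request is sent, so msdeploy.axd itself is never invoked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        # DNS failure: the hostname does not resolve from here.
        return "unresolvable"
    except (socket.timeout, TimeoutError):
        # Silently dropped packets (a filtering firewall) look like this.
        return "timeout"
    except OSError:
        # Connection refused / network unreachable: nothing is listening.
        return "closed"


def audit_msdeploy_port(hosts: Iterable[str], port: int = MSDEPLOY_PORT,
                        timeout: float = 3.0) -> Dict[str, str]:
    """Map each hostname to the probe result for the given port."""
    return {host: probe(host, port, timeout) for host in hosts}


def unexpected_open(results: Dict[str, str]) -> Dict[str, str]:
    """Filter an audit down to the hosts that still accept connections."""
    return {host: state for host, state in results.items() if state == "open"}


if __name__ == "__main__":
    # Placeholder hostname; replace with your own <appName>.azurewebsites.net.
    targets = ["example-app.azurewebsites.net"]
    results = audit_msdeploy_port(targets)
    for host, state in results.items():
        print(f"{host}:{MSDEPLOY_PORT} -> {state}")
    if unexpected_open(results):
        raise SystemExit("port 8172 is reachable on at least one host")
```

Run it from the same network position your users connect from (not from inside the deployment pipeline's allowed range), since the point is to confirm what an arbitrary client sees. A non-zero exit on "open" makes it easy to wire into a scheduled job that pages when a newly provisioned host brings the listener back.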