Disable App Service remote debugging
March 21, 2025 ยท View on GitHub
SYNOPSIS
Disable remote debugging on App Service apps when not in use.
DESCRIPTION
Remote debugging can be enabled on apps running within Azure App Services.
To enable remote debugging, App Service allows connectivity to additional ports. While access to remote debugging ports is authenticated, the attack service for an app is increased.
RECOMMENDATION
Consider disabling remote debugging when not in use.
EXAMPLES
Configure with Azure template
To deploy App Services that pass this rule:
- Set the
properties.siteConfig.remoteDebuggingEnabledproperty tofalse.
For example:
{
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
Configure with Bicep
To deploy App Services that pass this rule:
- Set the
properties.siteConfig.remoteDebuggingEnabledproperty tofalse.
For example:
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
kind: 'web'
properties: {
serverFarmId: plan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
}