Skip To Content

Desktop implementation guidance

This topic describes some best practices for ArcGIS Desktop application deployments. As an important note, ArcGIS Desktop products are self-certified according to the United States Government Configuration Baseline (USGCB, formerly FDCC). ArcGIS Pro (1.4.1 and later) is also USGCB self-certified. For more information, see Compliance.

Desktop-based protections

Consider deploying and configuring the following on the desktop client to aid in the mitigation of potential risk:

  • Host-based antivirus (A/V)
  • Host-based firewall
  • Host-based intrusion detection systems (IDS)

Authentication

Authentication involves verifying the credentials in a connecting attempt to confirm the identity of the client. Consider a single sign-on (SSO) or federated authentication solution.

Authorization

Authorization is the process by which client permissions are verified prior to accessing a resource. This occurs after successful authentication. It's important to implement the principle of least privilege and role-based access control. SinceArcGIS Desktop application architecture traditionally involves interaction between the client desktop and a centralized source such as a relational database management system (RDBMS), it's important to consider how privileges are granted at the database levels. User privileges can be set at different levels, such as the following:

  • Database management system (DBMS)
    • Privileges at this level affect the entire database management system. Generally, this is applied only to database administrators who may need to access and manage all objects in the system.
  • Database
    • Privileges at this level determine what a user or group of users can do in the geodatabase.
  • Geodatabase version
  • Dataset

Encryption

Encryption is the process of transforming data so it's unreadable by those without a decryption key.

  • Encrypt data in transit using HTTPS (TLS 1.2 and later) for all communication inbound and outbound from the desktop client.
    • Use existing certificate infrastructure and trusted certificates signed by a trusted third-party certificate authority.
  • Encrypt data at rest (as feasible).
    • For workstations, consider using full disk encryption.
    • For databases, consider using Transparent Data Encryption (TDE).
    • For file repositories, consider using full disk encryption.
  • Ensure the use of strong encryption algorithms.
    • Cryptography is a constantly changing field, and older algorithms will continue to be found unsafe.
    • Monitor standard bodies such as NIST for recommendations.

Logging and auditing

Logging involves recording events of interest from a system. Auditing is the practice of inspecting those logs to ensure the system is functioning desirably or to answer a specific question about a particular transaction that occurred.

  • Log events such as successful logins, failed logins, and other events as directed by organizational policy.
  • Consider logging at the application, operating system, and network levels.
  • Consider using an enterprise security information and event management solution to perform analysis and correlation of the events. This will aid in identifying potential malicious activity.

Hardening

Hardening is the process of securely configuring systems to mitigate as many security risks as possible. The attack surface can be minimized on a given system by doing the following:

  • Implementing application-level hardening such as the guidance mentioned above.
  • Removing unnecessary software.
  • Disabling unnecessary services.
  • Using a security-hardened image. ArcGIS Desktop and ArcGIS Pro products are self-certified according to the United States Government Configuration Baseline (USGCB, formerly FDCC).