The following details describe best practices when deploying ArcGIS Enterprise.
Application security settings
The following best practices are recommended for hardened instances of ArcGIS Enterprise. Depending on your specific use case, it is recommended that you apply the following application-level settings to your ArcGIS Enterprise implementation:
- Require HTTPS across your ArcGIS Enterprise implementation.
- Requiring HTTPS encrypts and protects your data in transit.
- Do not expose ArcGIS Server Manager, Server Admin or Portal Admin interfaces to the public.
- This can be accomplished by deploying the web adaptor or a reverse proxy.
- Disable the Services and Portal directories for production systems.
- The Services Directory can be a useful development tool; however, Esri recommends that you disable the Services Directory for production systems when you don't want users browsing your list of services, finding your services in a web search, or making requests to your services through HTML forms.
- Disable service query operations (where feasible).
- If query operations are not required for a particular service, they should be disabled to minimize potential attack surface.
- Disable the ArcGIS Server Primary Site Administrator (PSA) account, and demote or delete the Portal for ArcGIS Initial Administrator Account (IAA).
- Disabling the default accounts ensures a singular access path for administrators identified in the enterprise identity store and provides additional accountability.
- Limit the use of commercial databases under your website.
- Do not allow public users direct (or indirect) access to the enterprise database. A file geodatabase can be a useful intermediary and help mitigate potential SQL injection attacks.
- Enable standardized SQL queries.
- Enable this security option in ArcGIS Enterprise to provide greater protection against SQL injection attacks.
- Restrict cross-domain requests.
- Restrict the use of ArcGIS Enterprise resources to only applications hosted in an allow list of trusted domains.
- Use the ArcGIS Online print service instead of the ArcGIS Server print service for public-facing applications (accessible outside the corporate firewall).
- This enables offloading requests to cloud infrastructure and prevents web service requests directly to an internal ArcGIS Server.
- If you must use the ArcGIS Server print service externally, always deploy the public-facing ArcGIS Server into the DMZ and not internally on a trusted network.
Moderate- to high-risk vulnerabilities are addressed as part of standard security patches, which are released for the long-term support (LTS) releases of ArcGIS Enterprise products that are still in the General Availability and Extended Support phases. Risk is determined through internal scoring using the CVSSv3.1 formula. See the Esri product life cycle definitions for the phases of support, and the Update to ArcGIS Enterprise Product Lifecycle blog post describing STS and LTS releases.
Critical, proven exploitable vulnerabilities are rare in Esri products. When a critical, proven exploitable vulnerability is discovered in Esri software, Esri may release a patch for all currently supported versions of affected ArcGIS software regardless of their phase of support or availability of LTS releases.
Security patches released for ArcGIS Enterprise are cumulative and include all previous security patches released for the ArcGIS Enterprise version the patch targets.
Authentication involves verifying the credentials in a connection attempt to confirm the identity of the client.
- Require authentication to ArcGIS Server services using either GIS-tier or web-tier authentication. If using Portal for ArcGIS federated with your ArcGIS Server, your customers also have the option of using organization-specific logins using SAML 2.0 or OpenID connect.
- GIS-tier authentication—Uses ArcGIS Token model authentication and the built-in user store.
- Web-tier authentication—Uses any authentication supported by the web server, such as Integrated Windows Authentication, or uses an organization's existing Public Key Infrastructure (PKI).
- Organization-specific logins—If Portal for ArcGIS is federated with ArcGIS Server as part of an ArcGIS Enterprise deployment, there is also the option to use SAML logins or Open ConnectID.
- Integrate with a SAML 2.0 Identity Provider (IdP) or OpenID Connect to provide Web Single Sign On.
- SAML and OpenID connect are open standards to securely exchange authentication data between an IdP and a server provider (in this case, Portal for ArcGIS).
Authorization is the process by which client permissions are verified before accessing a resource or performing a specific function.
- Perform Role-Based Access Control (RBAC).
- Use a least-privilege model for role management in ArcGIS Enterprise.
- Only assign privileges necessary for a user to perform their required functions.
- The default roles that exist in ArcGIS Server are the following:
- If using Portal for ArcGIS, it is recommended that you use custom roles based on a principle of least privilege to more granularly define user access.
Encryption is the process of transforming data so that it is unreadable by those without access to a decryption key.
- Encrypt data-in-transit by enabling HTTPS on ArcGIS Enterprise.
- Use TLS 1.2.
- Use existing certificate infrastructure and certificates signed by a trusted third-party certificate authority.
- Encrypt data-at-rest (as feasible) particularly for sensitive data sets.
- For databases, consider using Transparent Data Encryption (TDE).
- For file repositories, consider using full disk encryption.
- Use strong encryption algorithms.
- Cryptography is a constantly changing field and older algorithms will continue to be found unsafe.
- Monitor standard bodies such as NIST for recommendations.
Logging and auditing
Logging involves recording events of interest from a system. Auditing is the practice of inspecting those logs to ensure your system is functioning desirably or to answer a specific question about a particular transaction that occurred.
- Log events of interest such as who is publishing services.
- Ensure logging is used across the system at the application, operating system, and network layers.
- Ensure logs are reviewed at an organization-defined interval.
- The use of a Security Information and Event Management (SIEM) is beneficial to aid in automatic correlation.
Hardening is the process of securely configuring systems to mitigate as many security risks as possible. The attack surface can be minimized on a given system by the following:
- Implement application-level hardening such as the guidance mentioned above.
- Remove unnecessary software.
- Disable unnecessary services.
- Consult additional application-specific hardening guidelines, such as the Esri ArcGIS Server STIG.
- OS Vendor Baseline policies, using tools such as the Microsoft Security Compliance Toolkit.
- Review independent security guidelines, such as the CIS Security Benchmarks.
ArcGIS Server Security Validation
The serverScan.py script is located in the <ArcGIS Server installation location>/tools/admin directory. Run the script from the command line or shell. You can specify parameters when running the script.
If you run the serverScan.py script without specifying any parameters, you are prompted to enter them manually or select the default value. To use a token, you must provide it as a parameter when running the script.
The scan generates a report in HTML format that lists any of the above issues that were found in the specified ArcGIS Server site.
By default, the report is saved in the same folder where you run the script and is named serverScanReport_[hostname]_[date].html.
Portal for ArcGIS security validation
The portalScan.py script is located in the <Portal for ArcGIS installation location>\tools\security directory. Run the script from the command line or shell. You can specify one or more parameters when running the script.
If you run the portalScan.py script without specifying any parameters, you are prompted to enter them manually or select the default value. To use a token, you must provide it as a parameter when running the script.
The scan generates a report in HTML format that lists any of the above issues that were found in the specified portal.
By default, the report is saved in the same folder where you run the script and is named portalScanReport_[hostname]_[date].html.
Additional best practice information for ArcGIS Server can be found in the help documentation.