The following details describe best practices when deploying ArcGIS Enterprise.
Application security settings
The following application-level settings are recommended for ArcGIS Enterprise. When possible, apply them to your ArcGIS Enterprise implementation:
- Require HTTPS across your ArcGIS Enterprise implementation.
  - Requiring HTTPS encrypts and protects your data in transit.
- Do not expose ArcGIS Server Manager, Server Admin or Portal Admin interfaces to the public.
  - This can be accomplished by deploying the web adaptor or a reverse proxy.
- Disable the services and portal directories (especially for public-facing servers).
  - Do not allow anyone except developers to freely discover services and associated operations.
- Disable service query operations (where feasible).
  - If query operations are not required for a particular service, they should be disabled to minimize potential attack surface.
- Disable the ArcGIS Server Primary Site Administrator (PSA) account, and demote or delete the Portal for ArcGIS Initial Administrator Account (IAA).
  - Disabling the default accounts ensures a singular access path for administrators identified in the enterprise identity store and provides additional accountability.
- Limit the use of commercial databases under your website.
  - Do not allow public users direct (or indirect) access to the enterprise database. A file geodatabase can be a useful intermediary and help mitigate potential SQL injection attacks.
- Enable standardized SQL queries.
  - Enable this security option in ArcGIS Server to provide greater protection against SQL injection attacks.
- Restrict cross-domain requests.
  - Restrict the use of ArcGIS Enterprise resources to only applications hosted in a whitelist of trusted domains.
- Use the ArcGIS Online print service instead of the ArcGIS Server print service for public-facing applications (accessible outside the corporate firewall).
  - This enables offloading requests to cloud infrastructure and prevents web service requests directly to an internal ArcGIS Server.
  - If you must use the ArcGIS Server print service externally, always deploy the public-facing ArcGIS Server into the DMZ and not internally on a trusted network.
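One way to verify the HTTPS and admin-interface items above from outside the perimeter, as an added example that is not Esri code. It assumes web adaptors named "server" and "portal" and a hypothetical host gis.example.com; the sample observations are constructed.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: web adaptors named "server" and "portal"; substitute your own.
ADMIN_PATHS = {
    "/server/manager": "ArcGIS Server Manager",
    "/server/admin": "Server Admin",
    "/portal/portaladmin": "Portal Admin",
}

def probe(url, timeout=5):
    """GET one URL without following redirects -> (url, status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return (url, resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return (url, None, None)  # refused, timed out or TLS failure
    finally:
        conn.close()

def evaluate(observations):
    """Map (url, status, location) tuples to findings; a 2xx/3xx or a 401
    login prompt on an admin path counts as reachable from outside."""
    findings = []
    for url, status, location in observations:
        if status is None:
            continue  # nothing answered, so nothing is exposed at this URL
        u = urlsplit(url)
        path = u.path.rstrip("/").lower()
        upgraded = (u.scheme == "http" and 300 <= status < 400
                    and urlsplit(location or "").scheme == "https")
        served = status < 400 and not upgraded
        if u.scheme == "http" and served:
            findings.append(("no-https", url))
        label = next((name for prefix, name in ADMIN_PATHS.items()
                      if path == prefix or path.startswith(prefix + "/")), None)
        if label and (served or status == 401):
            findings.append(("admin-exposed", label))
    return findings

# Constructed observations for a hypothetical host, not captured from a real site.
SAMPLE = [
    ("http://gis.example.com/portal/home/", 301, "https://gis.example.com/portal/home/"),
    ("http://gis.example.com/server/rest/services", 200, None),
    ("https://gis.example.com/server/manager/", 403, None),
    ("https://gis.example.com/server/admin", 401, None),
    ("https://gis.example.com/portal/portaladmin/", 200, None),
]
```

For a live check of your own deployment, run it from a network outside the firewall as `evaluate(probe(u) for u in urls)`.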
Authentication
Authentication involves verifying the credentials in a connection attempt to confirm the identity of the client.
- Require authentication to ArcGIS Server services using either GIS-tier or web-tier authentication. If using Portal for ArcGIS federated with your ArcGIS Server, your customers also have the option of leveraging enterprise logins using SAML 2.0.
  - GIS-tier authentication—Uses ArcGIS Token model authentication and the built-in user store.
  - Web-tier authentication—Uses any authentication supported by the web server, such as Integrated Windows Authentication, or even leverages an organization's existing Public Key Infrastructure (PKI).
  - Enterprise logins—If Portal for ArcGIS is federated with ArcGIS Server as part of an ArcGIS Enterprise deployment, there is also the option to use Enterprise logins.
- Integrate with a SAML 2.0 Identity Provider (IdP) to provide Web Single Sign On.
  - SAML is an open standard to securely exchange authentication data between an IdP and a service provider (in this case, Portal for ArcGIS).
Authorization
Authorization is the process by which client permissions are verified prior to accessing a resource or performing a specific function.
- Perform Role-Based Access Control (RBAC).
  - Use a least-privilege model for role management in ArcGIS Enterprise.
  - Only assign privileges necessary for a user to perform their required functions.
- The default roles that exist in ArcGIS Server are the following:
- If using Portal for ArcGIS, it is recommended that you use custom roles based on a principle of least privilege to more granularly define user access.
Encryption
Encryption is the process of transforming data so that it is unreadable by those without access to a decryption key.
- Encrypt data-in-transit by enabling HTTPS on ArcGIS Enterprise.
  - Use TLS 1.1 and later.
  - Use existing certificate infrastructure and certificates signed by a trusted third-party certificate authority.
- Encrypt data-at-rest (as feasible), particularly for sensitive data sets.
  - For databases, consider using Transparent Data Encryption (TDE).
  - For file repositories, consider using full disk encryption.
- Use strong encryption algorithms.
  - Cryptography is a constantly changing field, and older algorithms will continue to be found unsafe.
  - Monitor standards bodies such as NIST for recommendations.
Logging and auditing
Logging involves recording events of interest from a system. Auditing is the practice of inspecting those logs to ensure your system is functioning as intended or to answer a specific question about a particular transaction that occurred.
- Log events of interest such as who is publishing services.
- Ensure logging is used across the system at the application, operating system, and network layers.
- Ensure logs are reviewed at an organization-defined interval.
- A Security Information and Event Management (SIEM) system is beneficial to aid in automatic correlation.
Hardening
Hardening is the process of securely configuring systems to mitigate as many security risks as possible. The attack surface can be minimized on a given system by the following:
- Implement application-level hardening such as the guidance mentioned above.
- Remove unnecessary software.
- Disable unnecessary services.
- Consult additional application-specific hardening guidelines, such as the Esri ArcGIS Server STIG.
- Apply OS vendor baseline policies, using tools such as the Microsoft Security Compliance Toolkit.
- Review independent security guidelines, such as the CIS Security Benchmarks.
Additional best practice information for ArcGIS Server can be found in the help documentation.