Skip To Content

ArcGIS security

This section provides an overview of security capabilities available for the ArcGIS platform components and current best practices. The ArcGIS platform enables customers to leverage the required GIS capabilities with the assurance that Esri continues to follow a robust and effective security framework. Esri is continually advancing the security of the entire mapping platform including:

  • Cloud: ArcGIS Online, Esri Managed Cloud Services Advanced Plus
  • Enterprise: ArcGIS Server, Portal for ArcGIS
  • Desktop: ArcGIS for Desktop, ArcGIS Pro
  • Mobile: ArcGIS Mobile Apps
Note:

To be notified about the latest security related information such as vulnerabilities, security patches and announcements, subscribe to the RSS feed associated with the security blog.

Documents and presentations

For popular documents and presentations to learn about security, privacy and compliance for the ArcGIS Platform, please see Documents.

Available security validation tools

ArcGIS Enterprise comes with Python script tools, serverScan.py and portalScan.py, that scan for common security issues. The tools check for problems based on some of the best practices for configuring a secure environment for ArcGIS Enterprise. The Esri Software Security and Privacy team also offers the ArcGIS Online Advisor tool, a free tool to help ArcGIS Online organization admins perform a quick check on their security configuration.

Scan ArcGIS Server for security best practices

The serverscan script is located in the <ArcGIS Server installation location>/tools/admin directory. Run the script from the command line or shell. You have the option to specify parameters when running the script.

If the serverScan.py script is run without specifying any parameters, you will be prompted to enter them manually or select the default value. If you wish to use a token, it must be provided as a parameter when running the script.

The scan generates a report in HTML format that lists any of the above issues that were found in the specified ArcGIS Server site.

By default, the report is saved in the same folder where you run the script and is named serverScanReport_[hostname]_[date].html

Scan Portal for ArcGIS for security best practices

The portalScan.py script is located in the <Portal for ArcGIS installation location>\tools\security directory. Run the script from the command line or shell. You have the option to specify one or more parameters when running the script.

If the portalScan.py script is run without specifying any parameters, you will be prompted to enter them manually or select the default value. If you wish to use a token, it must be provided as a parameter when running the script.

The scan generates a report in HTML format that lists any of the above issues that were found in the specified portal.

By default, the report is saved in the same folder where you run the script and is named portalScanReport_[hostname]_[date].html.

Validate your ArcGIS Online organization's security stance

The ArcGIS Online Advisor tool was created by the Esri Software Security and Privacy team to provide a simple, color coded interface for ArcGIS Online administrators to review security settings and past changes to the ArcGIS Online organizations at a glance.

The ArcGIS Online Advisor reports the current security state of your ArcGIS Online organizations, and provides remediation guidance for any potential findings discovered.

Enhancements are planned for this tool to offer policy guidance based on your organization's specific security requirements.

Be on the look out for additional resources planned for release in 2019 and into 2020!

A note about security updates

Moderate to high risk vulnerabilities are addressed as part of standard security patches, which are released for the last minor release in a series of ArcGIS products that are still in the General Availability and Extended Support phases. Risk is determined through internal scoring using the CVSSv3 formula. See the Esri product life cycle definitions for the phases of support.

Critical, proven exploitable vulnerabilities are rare with our products. When a critical, proven exploitable vulnerability is discovered in Esri software, Esri may take the exceptional action of releasing a patch for all currently supported versions of affected ArcGIS software regardless of their phase of support or availability of newer minor versions.