ArcGIS Enterprise Security: An Introduction
Transcript of ArcGIS Enterprise Security: An Introduction
ArcGIS Enterprise Security:
An Introduction
Randall Williams
Esri PSIRT

Agenda
ArcGIS Enterprise Security for *BEGINNING to INTERMEDIATE* users
• ArcGIS Enterprise Security Model
• Portal for ArcGIS
• Authentication and Authorization: ArcGIS Tokens
• Building the Enterprise
• Encryption (HTTPS)
• Defense in Depth - Threat Prevention, Mitigation, and Regulatory Compliance
• Summary

ArcGIS Enterprise Logical Architecture
(Diagram labels: Focus; Portal for ArcGIS; ArcGIS Server; ArcGIS Data Store (relational + tile cache); ArcGIS Web Adaptor; ArcGIS Web Adaptor)

ArcGIS Enterprise Security Model
Protect your Assets
Control Access and Set Permissions

ArcGIS Enterprise Security Model
Authentication vs. Authorization

ArcGIS Enterprise Security Model
token

ArcGIS Enterprise Security Model
The token is your access key into… ArcGIS Server, Portal for ArcGIS, ArcGIS Online, Insights, Collector, ArcGIS Pro, ArcGIS Desktop, Maps for Office, Maps for SharePoint, GeoEnrichment, Geocoding, Living Atlas, Survey123, Analysis, Maps for Power BI

ArcGIS Enterprise Security Model
The token is your access key into… ArcGIS Enterprise

ArcGIS Enterprise Security Model
OK. So what is a token?

ArcGIS Enterprise Security Model
A token represents your login credentials…
(1AyZcQDO6xJjtWyycn206filCzn)
…and must be passed with any request for secured content

ArcGIS Enterprise Security Model
A token represents your login credentials…
…and other attributes to make them randomized, unique and scoped.

ArcGIS Enterprise Security Model
Good news…
…ArcGIS Enterprise handles this transparently for you

ArcGIS Enterprise Security Model
Let's see how this works…

ArcGIS Enterprise Security Model
1. User requests access to Service
2. Service sends user to Token Service
3. User Authenticates to Token Service
4. Token Service issues Token to User
5. User passes Token to Service
6. Service grants access
(Diagram: User, Service, Token Service, Token, Content)
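The six-step flow above, modeled as an added Python example (my own code, not Esri's token implementation): a token service that issues tokens that are randomized (a nonce), scoped (bound to one client referer) and expiring, and a secured service that answers with the 499 "Token Required" / 498 "Invalid Token" codes ArcGIS REST services use until a valid token accompanies the request. The user store, password, content and the HMAC-over-JSON token format are constructed for this example.

```python
"""Model of the six-step token flow: issue a scoped, expiring token and
require it on every request for secured content.  Constructed example;
the token format (HMAC over JSON claims) is not Esri's real token."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenService:
    """Steps 2-4: authenticates the user and issues a token bound to one client."""

    def __init__(self, users, ttl_seconds=3600):
        self._users = users                   # {username: (salt, pbkdf2 hash)}, constructed
        self._key = secrets.token_bytes(32)   # signing key never leaves the token service
        self.ttl = ttl_seconds

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def generate_token(self, username, password, client_ref, now=None):
        """Step 3 verifies the credentials; step 4 returns the token (None on failure)."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, expected = rec
        if not hmac.compare_digest(self.hash_password(password, salt), expected):
            return None                        # same answer for bad user and bad password
        now = int(time.time() if now is None else now)
        claims = {
            "sub": username,
            "ref": client_ref,                 # scoped: only this client may present it
            "exp": now + self.ttl,             # expiring
            "nonce": secrets.token_hex(8),     # randomized and unique per issue
        }
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        return body + "." + sig

    def verify(self, token, client_ref, now=None):
        """Returns the claims if the token is authentic, unexpired and scoped to client_ref."""
        try:
            body, sig = token.split(".")
        except (AttributeError, ValueError):
            return None
        expected = hmac.new(self._key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                        # forged or tampered
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["exp"] <= now or claims["ref"] != client_ref:
            return None                        # expired, or replayed from another client
        return claims


class SecuredService:
    """Steps 1, 5 and 6: secured content is only returned to a valid token."""

    def __init__(self, token_service, content):
        self._tokens = token_service
        self._content = content

    def request(self, token, client_ref, now=None):
        # 499 / 498 are the codes ArcGIS REST services return for these two cases.
        if token is None:                      # step 2: send the user to the token service
            return {"error": 499, "message": "Token Required", "redirect": "token_service"}
        claims = self._tokens.verify(token, client_ref, now=now)
        if claims is None:
            return {"error": 498, "message": "Invalid Token"}
        return {"content": self._content, "user": claims["sub"]}   # step 6


def build_demo():
    """Constructed user store and service for trying the flow end to end."""
    salt = b"constructed-salt"
    users = {"jsmith": (salt, TokenService.hash_password("correct horse", salt))}
    tokens = TokenService(users, ttl_seconds=60)
    service = SecuredService(tokens, {"layers": ["Parcels"]})
    return tokens, service


if __name__ == "__main__":
    tokens, service = build_demo()
    print(service.request(None, "app.example.com"))              # 499: go get a token
    tok = tokens.generate_token("jsmith", "correct horse", "app.example.com")
    print(service.request(tok, "app.example.com"))               # content
    print(service.request(tok, "other.example.com"))             # 498: wrong client
```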

ArcGIS Enterprise Security Model
But what about… Single Sign On, Forms Auth, Active Directory, Smart Cards?

ArcGIS Enterprise Security Model
All authentication methods ultimately deliver a token…

ArcGIS Enterprise Security Model
…the token is your key into… ArcGIS Enterprise

ArcGIS Enterprise
ArcGIS Portal
ArcGIS Server
ArcGIS DataStore

item
package
web map
service
layer

item = content

How do we grant access to items?

(Diagram: item – group – user; access)

• Portal for ArcGIS
- Permissions set by item owner
- Can be changed by administrators
• ArcGIS Server
- Permissions can be set by any publisher/administrator
(Diagram: Access to Web Services and Portal Items: web map, web app, data)
What security options are available?

Flexible Security Options with ArcGIS Enterprise
ArcGIS Enterprise Supports…
• Single Sign On
• IWA
• Forms Auth
• Active Directory
• LDAP
• HTTP Auth
• OAuth
• SAML
• Built-In Accounts
• NTLM
• PKI
• Kerberos
• CAC Cards
• Certificates
• Custom Roles
• Enterprise Groups
• Smart Cards

Single Web Sign On through SAML (Security Assertion Markup Language)
Industry standard for SSO

SAML login User Experience
• With SAML authentication enabled, the user will be prompted by the IDP to log in
• Use IDP login or built-in login

SAML – Conceptual Workflow
(Participants: Client; ArcGIS Enterprise (Portal); Identity Provider (IDP), 3rd party)
1. User attempts to login
2. Redirected to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in

SAML – Conceptual Workflow
But what about the token?!

SAML – Conceptual Workflow
(Participants: Client; ArcGIS Enterprise (Portal); Identity Provider (IDP), 3rd party)
1. User attempts to login
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
(Diagram: You hold a Token; You → ArcGIS Server with the Token)

Groups vs Roles

Groups
(Diagram: item – group – user; access)
Roles
Roles are privileges
As an administrator I can …
As a publisher I can …
As a viewer I can …
As a user I can …

Roles
• Permissions for Portal users defined by roles
• 4 default roles
1. Administrator
2. Publisher
3. User
4. Viewer
(Diagram: Roles → Permissions)

Portal for ArcGIS: Custom Roles
• Provide more flexibility to enable fine grained control on what members can do
• My Organization page > Edit Settings > Roles > Create Role

Enterprise Groups
Enabled when Portal is configured with Windows Active Directory or LDAP

Building the Enterprise
1. Registering services
2. Federating a Server
(Diagram: Portal for ArcGIS, ArcGIS Server)

Building the Enterprise
(Diagram, Portal for ArcGIS + ArcGIS Server: Portal for ArcGIS with its Identity Store holds Item A, a registered web service on ArcGIS Server site 1, which has its own Identity Store)
Registering a Service
Demo

Building the Enterprise
(Diagram, Portal for ArcGIS + ArcGIS Server: Portal for ArcGIS with its Identity Store holds Item A, a registered web service on ArcGIS Server site 1, which has its own Identity Store)

Implementation Patterns
(Diagram, Portal for ArcGIS + ArcGIS Server: Portal for ArcGIS with its Identity Store holds Item A, a registered web service on ArcGIS Server site 1 with its own Identity Store, and Item B on ArcGIS Server site 2, a Federated Server with no separate identity store shown)

Encryption and HTTPS: Securing communication protocols
Sensitive Content
HTTPS
Is the service valid?
Is the data secure?
What happens to my password?
Can I trust the content?

Implementing HTTPS
(Diagram: Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store (relational + tile cache); Web Adaptor / Load Balancer, Web Adaptor / Load Balancer)
How do you set up a Security Certificate?
1. Generate a Certificate Signing Request (CSR)
2. Send CSR for signing
- By a domain or well-known Certificate Authority
3. Import signed certificate

A Brief Intro
Production Considerations for Threat Mitigation and Regulatory Compliance
Threat Mitigation, Prevention, and Regulatory Compliance
• Defense in Depth Paradigm
• Disable Services and Portal Directories
• Restrict Cross Domain (CORS) Requests
• Restrict ArcGIS Server System Folder Permissions
• Disable PSA Account
• Scan Server / Scan Portal Scripts
• HTTPS: Protocol and Cipher Configuration
Defense In Depth Paradigm
• Security plans have many “layers” – multiple levels of security
• Layered security mechanisms increase the security of the system as a whole
• Each feature discussed is considered a “layer”
How to Disable the Services Directory
• Server Administrator Directory
- System > Handlers > Rest > Servicesdirectory > edit
- Uncheck Services Directory Enabled option
• Help topic: Disable the Services Directory

Disable ArcGIS Portal Directory
https://<machinename>.domain.com/arcgis/sharing
• Provides a browsable HTML-based representation of all Portal items
- services, web maps, and content
• Recommend disabling this to reduce the chance that your items can be browsed, found in a web search, or queried through HTML forms
(Screenshots: Before / After)
How to Disable ArcGIS Portal Directory
• Access the Portal Administrator Directory
- Security > Config > Update Security Configuration
- Set property = ‘true’

Restrict System Folder Permissions in Manager
• Verify System folder permissions are limited to Administrators and Publishers only
- Prevents potential Denial of Service due to resource consumption, service deletion, etc.
- Usually changed from default when troubleshooting

Restrict Cross-Domain (CORS) Requests
enterprise.arcgis.com > Search “cross-domain requests”
• For JavaScript applications, a common method used to make cross domain requests is called a CORS request (cross origin resource sharing)
• Required when making POST requests to Feature or GP services on a different server
(Diagram: Client Web Browser running a JavaScript Web Application → ArcGIS Server)

Disable Primary Site Administrator (PSA) Account
• Recommend disabling the PSA account to remove an alternate method of administering ArcGIS Server outside of your enterprise users
• Access the Server Administrator Directory
- Security > PSA > disable (PSA account)

Scan ArcGIS Enterprise for Security Checks
• serverScan.py is a script in the Server installation directory
- Located: <install directory>\ArcGIS\Server\tools\admin
• portalScan.py is a script in the Portal installation directory
- Located: <install_directory>\ArcGIS\Portal\tools\security
• The scripts check security settings and generate a report that makes recommendations to improve security.
• *Pro tip – run as scheduled tasks, output to a web server directory, view online.

SSL Protocol Configurations
https://www.ssllabs.com/ssltest/clients.html
• In 10.4, both Server and Portal can be configured to limit which SSL protocol is accepted and used.
• SSLv3 is *NOT* an option at ArcGIS 10.3+
• For organizations that are very security-aware and/or compliance focused, restricting Server and Portal to TLS 1.2 is highly recommended
• TLS (and its predecessor SSL) are cryptographic protocols designed to provide secure network communication between a client and a server
(Diagram: Client App ↔ Portal for ArcGIS; TLS 1.0, TLS 1.2; Ports: 6443, 7443)
SSL Protocols and Cipher Suites
• Portal Administrator Directory
- Security > SSLCertificates
• Server Administrator Directory
- Security > Config
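An added Python example (not Esri code, using only the standard ssl module) of the TLS 1.2 policy from the last two slides, applied from the client side that talks to Server and Portal: a hardened context that refuses anything below TLS 1.2 and drops weak cipher suites, an audit that reports whether any context meets the policy, and a probe that reports which protocol versions one of your own endpoints still completes a handshake for. The host name in the usage block is a placeholder.

```python
"""Client-side TLS policy matching the slides: TLS 1.2 or newer only.
Added example using only Python's ssl module; not Esri code."""
import socket
import ssl

LEGACY = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
# Substrings that identify cipher suites no compliance baseline should still allow.
WEAK_MARKERS = ("RC4", "3DES", "DES-", "NULL", "EXP", "MD5", "ADH", "AECDH")


def hardened_client_context():
    """Refuse anything below TLS 1.2 and keep only forward-secret AEAD suites."""
    ctx = ssl.create_default_context()               # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")    # OpenSSL cipher-list syntax
    return ctx


def legacy_client_context():
    """The contrast case: a context that would still negotiate TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:                                # OpenSSL built without TLS 1.0
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def policy_report(ctx):
    """Audit a context: minimum version, any weak suites, and an overall verdict."""
    enabled = ctx.get_ciphers()
    weak = [c["name"] for c in enabled if any(m in c["name"] for m in WEAK_MARKERS)]
    protocols = {c["protocol"] for c in enabled}
    modern_only = (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
                   and protocols <= {"TLSv1.2", "TLSv1.3"}
                   and not weak)
    return {"minimum_version": ctx.minimum_version.name,
            "weak_ciphers": weak,
            "modern_only": modern_only}


def accepted_versions(host, port, timeout=5.0):
    """Try one handshake per protocol version against your own Server (6443) or
    Portal (7443) endpoint and report which ones the server completes.
    None means the local OpenSSL cannot even offer that version, so the
    server's support for it is unknown from this machine; compare with the
    SSL Labs result the slide links for an independent view."""
    results = {}
    for version in LEGACY + MODERN:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE               # probing protocol support, not the chain
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[version.name] = True
        except OSError:                               # ssl.SSLError is an OSError subclass
            results[version.name] = False
    return results


if __name__ == "__main__":
    print(policy_report(hardened_client_context()))
    print(policy_report(legacy_client_context()))
    # Placeholder host: point this at your own Portal (7443) or Server (6443).
    print(accepted_versions("portal.example.com", 7443))
```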

Compliance
ArcGIS Online:
• TRUST.ArcGIS.com – Compliance Documentation (Cloud Security Alliance, NIST 800-53, GDPR, etc.)
• FedRAMP Tailored Low (Updated Boundary) Expected Q2
10.6 STIG
• ArcGIS Server “Stand Alone” – complete. 10.3 STIG still valid.
• ArcGIS Enterprise – validated, not published (yet)
ArcGIS Enterprise:
• Esri Managed Cloud Services: FedRAMP MODERATE Authorized (Advanced Plus Offering)

Security Findings? Esri PSIRT!
• https://doc.arcgis.com/en/trust/
• Vulnerability - report a vulnerability found in our site or application.
• Suspicious E-mail from Esri - if you believe you were targeted by a possible phishing attack from an Esri e-mail address, or have received other suspicious e-mail correspondence from Esri.
• Privacy Issue - if you have a privacy concern related to our application or organization.
• Other - for all other security, privacy or compliance related concerns.
Summary
• Tokens are the Foundation of the ArcGIS Enterprise Security Model
• ArcGIS Enterprise Supports many Authentication Options
• Use SAML if you can
• HTTPS *Everywhere* – Use CA Signed Certificates
• Federate Server with Portal to Fully Enable the ArcGIS Enterprise
• Use Security Scan tools to validate your baseline
• Review advanced options to achieve compliance

Print Your Certificate of Attendance
Print stations located in the 140 Concourse
Tuesday / Wednesday schedule:
• 12:30 pm – 6:30 pm GIS Solutions Expo, Hall B
• 5:00 pm – 6:30 pm GIS Solutions Expo Social, Hall B
• 10:30 am – 5:15 pm GIS Solutions Expo, Hall B
• 6:30 pm – 9:00 pm Networking Reception, Smithsonian National Portrait Gallery

Please Take Our Survey in the Esri Events App
Download the Esri Events app and find your event
Select the session you attended
Scroll down to find the feedback section
Complete answers and select “Submit”