ArcGIS Enterprise Security: Advanced. Gregory Ponto & Jeff Smith

Similar documents
ArcGIS Enterprise Security. Gregory Ponto & Jeff Smith

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Securing ArcGIS Services

Securing ArcGIS Server Services An Introduction

Introduction to Your First ArcGIS Enterprise Deployment. Thomas Edghill & Jonathan Quinn

Administering Your ArcGIS Enterprise Portal Bill Major Craig Cleveland

ArcGIS Enterprise: Portal Administration BILL MAJOR CRAIG CLEVELAND

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

High Availability and Disaster Recovery. Cherry Lin, Jonathan Quinn

Implementing a Hybrid Approach to ArcGIS. Philip McNeilly and Margaret Jen

ArcGIS for Server: Security

Data Store Management Best Practices. Bill Major Laurence Clinton

Configuring ArcGIS Enterprise in Disconnected Environments

Architect your deployment using Chef

ArcGIS Enterprise: Advanced Topics in Administration. Thomas Edghill & Moginraj Mohandas

ArcGIS Enterprise: Configuring Backups, Disaster Recovery, and Replication. Harrold Sompotan and Patrick Jackson

Introduction to ArcGIS Server Architecture and Services. Amr Wahba

ArcGIS Online A Security, Privacy, and Compliance Overview. Andrea Rosso Michael Young

High Availability & Disaster Recovery. Witt Mathot

ArcGIS for Server: Administration and Security. Amr Wahba

Web AppBuilder Presented by

ArcGIS GeoEvent Server: Leveraging Stream Services. Ken Gorton RJ Sunderman

Corporate Brand Your Vector Basemap. ANDREW GREEN

ArcGIS Online: Item Administration and Group Sharing. Brendan O Neill Caitlin Hillis

Security overview Setup and configuration Securing GIS Web services. Securing Web applications. Web ADF applications

Securing your Standards Based Services. Rüdiger Gartmann (con terra GmbH) Satish Sankaran (Esri)

Cloud Operations Using Microsoft Azure. Nikhil Shampur

ArcGIS Enterprise: Performance and Scalability Best Practices. Darren Baird, PE, Esri

What Makes a good content item GREAT?

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Android Team Awareness Kit (ATAK) and ArcGIS

ArcGIS Server Components: An Introduction to Server IT

ArcGIS Viewer for Microsoft Silverlight An Introduction

Udocx for Office 365 HP MFP Deployment Guide

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

All about SAML End-to-end Tableau and OKTA integration

SAP Security in a Hybrid World. Kiran Kola

Realms and Identity Policies

Working with Feature Layers. Russell Brennan Gary MacDougall

DreamFactory Security Guide

[GSoC Proposal] Securing Airavata API

ArcGIS Enterprise Portal for ArcGIS

ArcGIS for Server: Publishing and Using Map Services

Web AppBuilder for ArcGIS: A Deep Dive in Enterprise Deployments. Nick Brueggemann and Mark Torrey

ArcGIS Enterprise Performance and Scalability Best Practices. Andrew Sakowicz

Sharing Web Layers and Services in the ArcGIS Platform. Melanie Summers and Ty Fitzpatrick

ArcGIS Enterprise Administration

Extranet Identity Management and Authentication for SharePoint On Premise, Office 365 and Beyond

Designing and Using Cached Map Services

SonicOS Enhanced Release Notes

ArcGIS GeoEvent Server: Making 3D Scenes Come Alive with Real-Time Data

SSL VPN Web Portal User Guide

Security in Bomgar Remote Support

Version Installation Guide. 1 Bocada Installation Guide

Penetration Testing. James Walden Northern Kentucky University

How To Configure & Use Insights for ArcGIS ARAVIND SIVASAILAM MATT THOMAS

BIG-IP V11.3: PRODUCT UPDATE. David Perodin Field Systems Engineer III

How to Configure Authentication and Access Control (AAA)

TTerm Connect Installation Guide

Learning What s New in ArcGIS 10.1 for Server: Administration

IBM Security Access Manager Version December Release information

ArcGIS Enterprise: Architecture & Deployment. Anthony Myers

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Microsoft Architecting Microsoft Azure Solutions.

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

ArcGIS GeoEvent Server: Leveraging Stream Services

Xerox Connect for Dropbox App

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

Partner Integration Portal (PIP) Installation Guide

Security in the Privileged Remote Access Appliance

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Deploying Tableau at Enterprise Scale in the Cloud

Enabling High-Quality Printing in Web Applications. Tanu Hoque & Jeff Moulds

WHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Understanding and Using Metadata in ArcGIS. Adam Martin Marten Hogeweg Aleta Vienneau

Server Installation and Administration Guide

Configure Unsanctioned Device Access Control

Recommendations for Device Provisioning Security

From Desktop to the Cloud with Forge

Implementing Security for ArcGIS Server Java Solutions

Understanding and using Metadata across the ArcGIS Platform. Aleta Vienneau Marten Hogeweg

EasyCrypt passes an independent security audit

Collector for ArcGIS: Using Relationships with your Inspection Workflows. Morgan Zhang Kevin Burke

Developing Qt Apps with the Runtime SDK

Solutions Business Manager Web Application Security Assessment

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

User Identity Sources

HOMELESS INDIVIDUALS AND FAMILIES INFORMATION SYSTEM HIFIS 4.0 TECHNICAL ARCHITECTURE AND DEPLOYMENT REFERENCE

Secure Coding: Storing Secrets In Your Salesforce Instance

ArcGIS Runtime SDK for Qt: Building Apps. Koushik Hajra and Lucas Danzinger

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

CHAPTER. Introduction

Application of GIS to Cybersecurity. Brian Biesecker Ken Mitchell

Cloud Access Manager Overview

What s New in ArcGIS 10.4 for Server

Transcription:

Enterprise Security: Advanced Gregory Ponto & Jeff Smith

Agenda Focus: Security best practices for Enterprise Server Portal for 10.5.x Features Strongly Recommend: Knowledge of Server and Portal for

Security is Important http://www.databreachtoday.com/news

Enterprise Logical Architecture Web Adaptor Portal for Focus Web Adaptor Server Data Store (relational + tile cache)

Agenda GIS Server - Enable and use HTTPS - Disable services directory - Restrict cross domain requests - Restrict file permissions - Disable PSA account - Scan Server script Portal for Advanced options Web Adaptor Web Adaptor Portal for Server Data Store (relational + tile cache)

Review: Server Administrator Directory https://localhost:6443/arcgis/admin Web App, provides interface into an Server site Many security settings enabled via this interface

Enable and Use HTTPS HTTPS Hypertext Transfer Protocol Secure Initial step in creating a secure environment should always be to encrypt traffic Protects against a simple network sniffer Enabled by default in 10.4+ Recommended to restrict to HTTPS only if possible Server Admin Directory - Security > config > update

Disable the Services Directory Services Directory exposes GIS web services - http://localhost//rest Recommend to NOT expose GIS web services on Production Servers Before After REST

How to Disable the Services Directory Server Administrator Directory - System > Handlers > Rest > Servicesdirectory > edit - Uncheck Services Directory Enabled option Help topic: Disable the Services Directory

Restrict Cross-Domain (CORS) Requests server.arcgis.com > Search cross-domain requests By default, Server allows cross-domain requests so that client apps can invoke its services from any domain Client Web Browser Web Application Server

How to Restrict Cross-Domain Requests For JavaScript, a common method used to make cross domain requests is called a CORS request (cross origin resource sharing) These can be restricted in the Server Administrator Directory - system > handlers > rest > servicesdirectory > edit - AllowOrigins field: specify a comma-separated list of domain names that are allowed to make CORS requests to access your web services

Demo Restrict Cross-Domain Requests

Restrict File Permissions Recommend restrict file and folder permissions on - Server installation directory - Configuration store - Server directories to the Server account Server (GIS Server) Installation directory Configuration store Server directories Your organization may require that additional accounts have access - Warning: Any account with write access to the configuration store can change Server settings

Disable Primary Site Administrator (PSA) Account Recommend disable the PSA account to remove an alternate method of administering Server outside of your enterprise users Access the Server Administrator Directory - Security > PSA > disable PSA account

Scan GIS Server for Security Checks serverscan.py is a script in the Server installation directory - Located: <install directory>\\server\tools\admin Script checks for security settings generates a report that makes recommendations to improve security

Demo Run serverscan.py Security Check

Agenda GIS Server Portal for - Enforce HTTPS Communication only - Disable Portal Directory - Restrict proxies - Disable the Create Account - Trusted servers list - Scan Portal script Advanced options Web Adaptor Web Adaptor Portal for Server Data Store (relational + tile cache)

Enable HTTPS Communication Enforce HTTPS so that all communication in your portal is sent using HTTPS Configure your portal and the web server hosting Web Adaptor to only allow communication through HTTPS

Disable Portal Directory (Production Servers) https://<machinename>.domain.com/arcgis/sharing Provides a browsable HTML-based representation of all of Portal items - services, web maps, and content Recommend disable this to reduce the chance that your items can be browsed, found in a web search, or queried through HTML forms Before After

How to Disable Portal Directory Access the Portal Administrator Directory - Security > Config > Update Security Configuration - Set property = true

Restrict Proxy Hosts Portal ships with a built-in proxy server that is used in some scenarios to access resources on a different machine - Storing credentials (Single Sign On) - OGC Services - Non-CORS Systems Client App Portal for PROXY Machine A gis.site.com Firewall

Restrict Proxy Hosts Portal ships with a built-in proxy server that is used in some scenarios to access resources on a different machine By default the portal's proxy is open - Your Portal can be used to launch attacks against internal and external targets Attacker Portal for PROXY web.site.com (Victim) Firewall Machine B (Victim)

How to Restrict Proxies Access the Portal Administrator Directory - Security > Config > Update Security Configuration - For Configuration field, add the allowedproxyhosts property and specify the list of approved addresses

Disable Create Account on Login Page Recommend disable ability to create a new Portal account Access Portal Administrator Directory - System > Properties

Trusted Servers List in Portal Configure list of trusted servers that work with Portal for My Organization > Edit settings > Security

Trusted Servers in Portal A list of servers to where credentials will be passed when making a CORS request to access secured resources Client Web Browser Web Map Application (Portal for ) PROXY Server

Demo Trusted Servers in Portal for

Scan Portal for Security Checks portalscan.py is a script in the Portal installation directory - Location: <install_directory>\\portal\tools\security When you run the script, it checks for security settings generates a report that makes recommendations to improve security

Demo Run portalscan.py Security Check

Agenda GIS Server Portal for Advanced Topics Web Adaptor Portal for Web Adaptor Server Data Store (relational + tile cache)

Password settings for Portal (long passwords, complex, etc) Portal > My Organization > Edit Settings > Security > Update Password Policy

SSL Property Configurations https://www.ssllabs.com/ssltest/clients.html In 10.4, both Server and Portal can be configured to limit which SSL protocol is accepted and used For organizations that are very security-aware, restricting Server and Portal to TLS 1.2 is highly recommended TLS (and it predecessor SSL) are cryptographic protocols designed to provide secure network communication between a client and a server TLS 1.0 Client App TLS 1.2 Ports: 6443 7443 Portal for

How to Specify Cipher Suites Access the Portal Administrator Directory - Security > SSLCertificates > Update - For the SSL Protocols text box, specify the protocols to be used

SAML Access to any Enterprise Bring secured services together from anywhere! SAML Portal Esri Apps SAML Portal Feature: Allow Portal Access - Portal > My Organization > Edit Settings > Security

Demo Allow Portal Access

Collaboration Security Considerations

Collaboration What is it?

Collaboration Enterprise Item Enterprise Item

Collaboration As a Developer what do I need to know? Collaborating Apps - Oauth? - App ID? - Access Token? Enterprise App Enterprise App

Collaboration As an Administrator what do I need to know? Collaborating Service by Reference - Low Risk Enterprise Service Enterprise Service Data

Collaboration As an Administrator what do I need to know? Collaborating Feature Layer by Copy - Moderate Risk Enterprise Layer Data Enterprise Layer Data

Collaboration As an Administrator what do I need to know? Collaborating Data Items - Moderate Risk Enterprise Data Enterprise Data

Collaboration As an Administrator what do I need to know? Transitive Trust - High Risk Enterprise Data Enterprise Data Enterprise Data

Collaboration As an Administrator what do I need to know? Recommended Practices - Limit Collaborations to Trusted Partners - Collaborate Layers by Reference - Establish New Groups for Collaboration Enterprise Enterprise Enterprise

Other Related Sessions Enterprise Security: An Introduction Tuesday, July 11, 10:15 AM SDCC - Room 16 B Enterprise Security: Advanced Topics Tuesday, July 11, 1:30 PM SDCC - Room 16 B Designing a Web GIS Security Strategy Tuesday, July 11, 3:15 PM SDCC - Room 31 B Building Security into Your System Tuesday, July 11, 4:30 PM SDCC - Esri Services (Showcase) Enterprise: Introducing Portal for Wednesday, July 12, 10:15 AM SDCC - Room 09 Enterprise Security: An Introduction Thursday, July 13, 8:30 AM SDCC - Room 14 A Enterprise Security: Advanced Topics Thursday, July 13, 10:15 AM SDCC - Room 14 A Best Practices for Configuring Secured Services Thursday, July 13, 12:30 PM SDCC - Demo Theater 09 Designing a Web GIS Security Strategy Thursday, July 13, 3:15 PM SDCC - Room 32 A Enterprise: Introducing Portal for Friday, July 14, 9:00 AM SDCC - Room 04

Key Takeaways Summary Use Server Scan Script to Validate Server Security Use Portal Scan Script to Validate Portal for Security Developers: Collaborating Apps = No code changes required Admins: Collaborate Carefully, particularly when sharing Data Items

Please Take Our Survey on the Esri Events App! Download the Esri Events app and find your event Select the session you attended Scroll down to find the survey Complete Answers and Select Submit

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback