ArcGIS Enterprise Security: An Introduction
Randall Williams, Esri PSIRT
Agenda: ArcGIS Enterprise Security for *BEGINNING to INTERMEDIATE* users
- ArcGIS Enterprise Security Model
- Portal for ArcGIS Authentication and Authorization: ArcGIS Tokens
- Building the Enterprise
- Encryption (HTTPS)
- Defense in Depth - Threat Prevention, Mitigation, and Regulatory Compliance
- Summary
ArcGIS Enterprise Logical Architecture
Diagram labels: ArcGIS Web Adaptor, Portal for ArcGIS, Focus, ArcGIS Web Adaptor, ArcGIS Server, ArcGIS Data Store (relational + tile cache)
ArcGIS Enterprise Security Model Protect your Assets Control Access and Set Permissions
ArcGIS Enterprise Security Model Authentication vs. Authorization
ArcGIS Enterprise Security Model token
ArcGIS Enterprise Security Model The token is your access key into ArcGIS: Maps for Office, Maps for SharePoint, Maps for Power BI, Insights, Collector, Portal, Geocoding, Analysis, Living Atlas, Survey123, Enrichment, Desktop, Pro, Online, Server
ArcGIS Enterprise Security Model The token is your access key into ArcGIS Enterprise
ArcGIS Enterprise Security Model OK. So what is a token?
ArcGIS Enterprise Security Model A token represents your login credentials (1AyZcQDO6xJjtWyycn206filCzn) and must be passed with any request for secured content
ArcGIS Enterprise Security Model A token represents your login credentials and other attributes to make them randomized, unique and scoped.
ArcGIS Enterprise Security Model Good news: ArcGIS Enterprise handles this transparently for you
ArcGIS Enterprise Security Model Let's see how this works
ArcGIS Enterprise Security Model
1. User requests access to Service
2. Service sends user to Token Service
3. User authenticates to Token Service
4. Token Service issues Token to User
5. User passes Token to Service
6. Service grants access
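The six steps above, as a small conceptual model in Python. This is an added example, not Esri code and not the ArcGIS token format: the account, the token layout (signed claims with a nonce, scope and expiry) and all function names are assumptions chosen to show why a token is "randomized, unique and scoped" and what the service checks before granting access.

```python
import base64, hashlib, hmac, json, secrets, time

# Conceptual model only: names, token layout and account are constructed for
# illustration and are not the ArcGIS token format or API.
SIGNING_KEY = secrets.token_bytes(32)   # held by the token service and the services that trust it

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

USERS = {"analyst": _kdf("correct horse battery")}   # constructed identity store

def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_token(username, password, scope, ttl=3600, now=None):
    """Steps 3-4: authenticate the user, then issue a scoped, expiring token."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _kdf(password)):
        raise PermissionError("authentication failed")
    now = time.time() if now is None else now
    claims = {"sub": username, "scope": scope, "exp": now + ttl,
              "nonce": secrets.token_hex(8)}   # nonce makes every token unique
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def check_token(token, service, now=None):
    """Steps 1-2 and 5-6: the service's decision for a request. Returns (ok, detail)."""
    if not token:
        return False, "no token: send user to token service"
    body, _, sig = token.encode().partition(b".")
    if not hmac.compare_digest(_sign(body), sig):   # tampered or forged token
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False, "expired"
    if claims["scope"] != service:                  # token issued for another service
        return False, "wrong scope"
    return True, claims["sub"]
```

The signature is verified before the claims are parsed, so a modified token is rejected without its contents ever being trusted.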
ArcGIS Enterprise Security Model But what about Forms Auth, Single Sign On, Smart Cards, Active Directory?
ArcGIS Enterprise Security Model All authentication methods ultimately deliver a token
ArcGIS Enterprise Security Model the token is your key into ArcGIS Enterprise
ArcGIS Enterprise: ArcGIS Portal, ArcGIS Server, ArcGIS DataStore
package, service, item, layer, web map
content item=
How do we grant access to items?
user group item access
Access
Portal for ArcGIS (Portal items: web map, data, web app)
- Permissions set by item owner
- Can be changed by administrators
ArcGIS Server (web services)
- Permissions can be set by any publisher/administrator
What security options are available?
Flexible Security Options with ArcGIS Enterprise
ArcGIS Enterprise supports: Enterprise Groups, LDAP, OAuth, SAML, CAC Cards, IWA, Forms Auth, Single Sign On, NTLM, HTTP Auth, Built-In Accounts, Smart Cards, Certificates, PKI, Active Directory, Kerberos, Custom Roles
Single Web Sign On through SAML (Security Assertion Markup Language): industry standard for SSO
SAML Login User Experience
- With SAML authentication enabled, the user is prompted by the IDP to log in
- Use IDP login or built-in login
SAML Conceptual Workflow (participants: Client, ArcGIS Enterprise, third-party Identity Provider (IDP))
1. User attempts to log in
2. Redirected to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
SAML Conceptual Workflow But what about the token?!
SAML Conceptual Workflow (participants: Client, ArcGIS Enterprise, third-party Identity Provider (IDP))
1. User attempts to log in
2. Portal redirects client to IDP
3. User sends login credentials to IDP
4. IDP authenticates user and sends SAML response to browser
5. Browser sends SAML response to Portal
6. Portal verifies SAML response and user is logged in
Diagram labels: Token, You, Token, ArcGIS Server
Groups vs Roles
Groups user group item access
Roles
Roles are privileges
- As an administrator I can
- As a publisher I can
- As a user I can
- As a viewer I can
Permissions: Roles
Permissions for Portal users are defined by roles
4 default roles
1. Administrator
2. Publisher
3. User
4. Viewer
Portal for ArcGIS: Custom Roles
- Provide more flexibility to enable fine-grained control over what members can do
- My Organization page > Edit Settings > Roles > Create Role
Enterprise Groups Enabled when Portal is configured with Windows Active Directory or LDAP
Building the Enterprise (Portal for ArcGIS, ArcGIS Server)
1. Registering services
2. Federating a Server
Building the Enterprise Portal for ArcGIS + ArcGIS Server Portal for ArcGIS Item A Registered web service ArcGIS Server site 1 Identity Store Identity Store
Demo Registering a Service
Implementation Patterns Portal for ArcGIS + ArcGIS Server Portal for ArcGIS Item A Item B Registered web service Federated Server ArcGIS Server site 1 ArcGIS Server site 2 Identity Store Identity Store
Encryption and HTTPS Securing communication protocols
Sensitive Content Is the service valid? HTTPS Can I trust the content? What happens to my password? Is the data secure?
Implementing HTTPS Web Adaptor Load Balancer Portal for ArcGIS Web Adaptor Load Balancer ArcGIS Server ArcGIS Data Store (relational + tile cache)
How do you set up a Security Certificate?
1. Generate a Certificate Signing Request (CSR)
2. Send CSR for signing
   - By a domain or well-known Certificate Authority
3. Import signed certificate
Production Considerations for Threat Mitigation and Regulatory Compliance A Brief Intro
Threat Mitigation, Prevention, and Regulatory Compliance
- Defense in Depth Paradigm
- Disable Services and Portal Directories
- Restrict Cross Domain (CORS) Requests
- Restrict ArcGIS Server System Folder Permissions
- Disable PSA Account
- Scan Server / Scan Portal Scripts
- HTTPS: Protocol and Cipher Configuration
Defense In Depth Paradigm
- Security plans have many layers: multiple levels of security
- Layered security mechanisms increase the security of the system as a whole
- Each feature discussed is considered a layer
How to Disable the Services Directory
Server Administrator Directory
- System > Handlers > Rest > Servicesdirectory > edit
- Uncheck the Services Directory Enabled option
Help topic: Disable the Services Directory
Disable ArcGIS Portal Directory
https://<machinename>.domain.com/arcgis/sharing
- Provides a browsable HTML-based representation of all Portal items: services, web maps, and content
- Recommendation: disable it to reduce the chance that your items can be browsed, found in a web search, or queried through HTML forms
How to Disable ArcGIS Portal Directory
Access the Portal Administrator Directory
- Security > Config > Update Security Configuration
- Set property = true
Restrict System Folder Permissions in Manager
Verify System folder permissions are limited to Administrators and Publishers only
- Prevents potential Denial of Service due to resource consumption, service deletion, etc.
- Usually changed from default when troubleshooting
Restrict Cross-Domain (CORS) Requests
enterprise.arcgis.com > Search cross-domain requests
- For JavaScript applications, a common method used to make cross-domain requests is called a CORS request (cross-origin resource sharing)
- Required when making POST requests to Feature or GP services on a different server
Diagram labels: Client Web Browser, JavaScript Web Application, ArcGIS Server
Disable Primary Site Administrator (PSA) Account
- Recommendation: disable the PSA account to remove an alternate method of administering ArcGIS Server outside of your enterprise users
- Access the Server Administrator Directory: Security > PSA > disable PSA account
Scan ArcGIS Enterprise for Security Checks
- serverscan.py is a script in the Server installation directory. Location: <install directory>\arcgis\server\tools\admin
- portalscan.py is a script in the Portal installation directory. Location: <install_directory>\arcgis\portal\tools\security
- The scripts check security settings and generate a report that makes recommendations to improve security.
- Protip: run as scheduled tasks, output to web server directory, view online.
SSL Protocol Configurations
https://www.ssllabs.com/ssltest/clients.html
- TLS (and its predecessor SSL) are cryptographic protocols designed to provide secure network communication between a client and a server
- In 10.4, both Server and Portal can be configured to limit which SSL protocol is accepted and used
- SSLv3 is *NOT* an option at ArcGIS 10.3+
- For organizations that are very security-aware and/or compliance-focused, restricting Server and Portal to TLS 1.2 is highly recommended
Diagram labels: Client App, TLS 1.0, TLS 1.2, Ports: 6443 7443, Portal for ArcGIS
SSL Protocols and Cipher Suites
- Portal Administrator Directory: Security > SSLCertificates
- Server Administrator Directory: Security > Config
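One way to confirm that the TLS 1.2 restriction described above has taken effect, written as an added Python example (not an Esri tool and not part of the original slides). It attempts one handshake per protocol version against the ports shown on the slide and reports any legacy version the endpoint still accepts; the function names and the sample result used to exercise `findings` are assumptions.

```python
import socket, ssl

VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
LEGACY = ("TLSv1", "TLSv1.1")

def probe(host, port, name, timeout=5.0):
    """True if the endpoint completes a handshake pinned to exactly one version.

    False also covers "this client's OpenSSL refuses to offer that version",
    so run the check from a host whose OpenSSL still permits legacy protocols.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # protocol probe only: certificate
        ctx.verify_mode = ssl.CERT_NONE   # validation is a separate check
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError, ValueError):
        return False

def scan(host, ports=(6443, 7443)):
    """Probe every version on each port; returns {port: {version: accepted}}."""
    return {p: {v: probe(host, p, v) for v in VERSIONS} for p in ports}

def findings(results):
    """Turn scan() output into the list of items that need attention."""
    out = []
    for port, accepted in sorted(results.items()):
        out += [f"port {port}: accepts {v}" for v in LEGACY if accepted.get(v)]
        if not (accepted.get("TLSv1.2") or accepted.get("TLSv1.3")):
            out.append(f"port {port}: TLS 1.2 not negotiated")
    return out
```

An empty list from `findings(scan("gis.example.com"))` (placeholder hostname) means no legacy protocol was negotiated and TLS 1.2 or later is available on both ports.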
Compliance ArcGIS Online: TRUST.ArcGIS.com Compliance Documentation (Cloud Security Alliance, NIST 800-53, GDPR, etc.) FedRAMP Tailored Low (Updated Boundary) Expected Q2 ArcGIS Enterprise: Esri Managed Cloud Services: FedRAMP MODERATE Authorized (Advanced Plus Offering) 10.6 STIG ArcGIS Server Stand Alone complete. 10.3 STIG still valid. ArcGIS Enterprise validated, not published (yet)
Security Findings? Esri PSIRT!
https://doc.arcgis.com/en/trust/
- Vulnerability - report a vulnerability found in our site or application.
- Suspicious E-mail from Esri - if you believe you were targeted by a possible phishing attack from an Esri e-mail address, or have received other suspicious e-mail correspondence from Esri.
- Privacy Issue - if you have a privacy concern related to our application or organization.
- Other - for all other security, privacy or compliance related concerns.
Summary
- Tokens are the Foundation of the ArcGIS Enterprise Security Model
- ArcGIS Enterprise Supports many Authentication Options
- Use SAML if you can
- HTTPS *Everywhere*
- Use CA Signed Certificates
- Federate Server with Portal to Fully Enable the ArcGIS Enterprise
- Use Security Scan tools to validate your baseline
- Review advanced options to achieve compliance