ArcGIS for Server 10.3 Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]


Version / Release: V1R3

Published: 2017-12-22

Updated At: 2018-09-23 19:12:19


| Rule | Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-79809r2_rule | AGIS-00-000007 | CCI-001453 | HIGH | The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an exter |
| SV-79813r2_rule | AGIS-00-000009 | CCI-000015 | HIGH | The ArcGIS Server must use Windows authentication for supporting account management functions. | Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that inc |
| SV-79875r2_rule | AGIS-00-000016 | CCI-000166 | HIGH | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web portals) must be properly configured to incorporate access cont |
| SV-79883r1_rule | AGIS-00-000026 | CCI-000067 | HIGH | The ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the |
| SV-79897r1_rule | AGIS-00-000044 | CCI-000162 | MEDIUM | The ArcGIS Server must protect audit information from any type of unauthorized read access, modification or deletion. | If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an at |
| SV-79903r1_rule | AGIS-00-000054 | CCI-000381 | MEDIUM | The ArcGIS Server must be configured to disable non-essential capabilities. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to |
| SV-79905r1_rule | AGIS-00-000055 | CCI-000382 | MEDIUM | The ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po |
| SV-79919r2_rule | AGIS-00-000062 | CCI-001941 | MEDIUM | The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process |
| SV-79949r1_rule | AGIS-00-000077 | CCI-000185 | MEDIUM | The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is |
| SV-79957r2_rule | AGIS-00-000081 | CCI-000068 | HIGH | The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. Applications utilizing encryption are requir |
| SV-79967r2_rule | AGIS-00-000098 | CCI-001664 | MEDIUM | The ArcGIS Server must recognize only system-generated session identifiers. | Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the session may be compromised. Unique session I |
| SV-79973r1_rule | AGIS-00-000102 | CCI-001199 | HIGH | The ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either los |
| SV-79975r1_rule | AGIS-00-000104 | CCI-001682 | MEDIUM | The ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled. | Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If the |
| SV-79977r1_rule | AGIS-00-000111 | CCI-001314 | MEDIUM | The ArcGIS Server must reveal error messages only to the ISSO, ISSM, and SA. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application. Additionally, Personally Identifiable Information (PII) and operatio |
| SV-79989r2_rule | AGIS-00-000164 | CCI-001813 | MEDIUM | The ArcGIS Server must enforce access restrictions associated with changes to application configuration. | Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be note |
| SV-79993r2_rule | AGIS-00-000166 | CCI-001762 | MEDIUM | The organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po |
| SV-79999r2_rule | AGIS-00-000171 | CCI-001953 | MEDIUM | The ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials. | The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary com |
| SV-80005r2_rule | AGIS-00-000174 | CCI-001958 | HIGH | The ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of gre |
| SV-80007r2_rule | AGIS-00-000187 | CCI-002418 | HIGH | The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides ass |
| SV-80009r1_rule | AGIS-00-000194 | CCI-002470 | HIGH | The ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate |
| SV-80011r1_rule | AGIS-00-000197 | CCI-002530 | MEDIUM | The ArcGIS Server must maintain a separate execution domain for each executing process. | Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is performed in a manner controlled throu |
| SV-80059r1_rule | AGIS-00-000247 | CCI-000366 | MEDIUM | The ArcGIS Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security p |