Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the ArcGIS for Server configuration to ensure the application implements cryptographic mechanisms to protect the integrity of remote access sessions. Substitute the target environment’s values for [bracketed] variables. Navigate to IIS Manager >> [Default Website] >> Open “Bindings...” Verify “https” is listed as a binding. If “https” is not identified as a binding, this is a finding. Navigate to IIS Manager >> [Default Website] >> “SSL Settings” Verify that “Require SSL” is checked. If “Require SSL” is not checked, this is a finding. This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates.) This control is not applicable for ArcGIS Servers which are not deployed with the ArcGIS Web Adaptor component.
Configure the ArcGIS Server to ensure the application implements cryptographic mechanisms to protect the integrity of remote access sessions. Substitute the target environment’s values for [bracketed] variables. Navigate to IIS Manager >> [Default Website] >> Open "Bindings...". Click "Add..." Under "Type:", select "https". Select an organizationally approved SSL certificate to associate with the https binding. (If no SSL Certificate is available, refer to http://technet.microsoft.com/en-us/library/cc731977(v=ws.10).aspx for guidance on requesting and installing an Internet Server Certificate [IIS 7]). Navigate to IIS Manager >> [Default Website] >> SSL Settings. Check "Require SSL".
Review the ArcGIS for Server configuration to ensure mechanisms for supporting account management functions are provided. Substitute the target environment’s values for [bracketed] variables. Verify ArcGIS for Server is utilizing Windows Users & Roles as its security store. Navigate to [https://server.domain.com/arcgis]/admin/security/config (logon when prompted.) Verify the “User Store Configuration” value = “Type: Windows”. If the “User Store Configuration” value is set to “Type: Built-In”, this is a finding. Verify the “Role Store Configuration” value = “Type: Windows”. If the “Role store Configuration” value is set to “Type: Built-In”, this is a finding. If the "Type" parameter of the "User Store Configuration" or "Role Store Configuration" is set to "Built-In", this is a finding. This test requires the account performing the check to have "Administrator" privilege to the ArcGIS for Server site. This check can be performed remotely via HTTPS. This configuration is only valid when ArcGIS for Server has been deployed onto a Windows 2008 or later operating system that is a member of an Active Directory domain. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.
Configure ArcGIS for Server to provide mechanisms for supporting account management functions. Substitute the target environment’s values for [bracketed] variables. Configure ArcGIS for Server to utilize a Windows Domain for User and Role Management. Note: This procedure will disrupt existing systems connected to ArcGIS for Server: Identify a system that will serve as the service endpoint for the ArcGIS for Server environment. This must be an Active Directory joined Windows 2008 R2 system with IIS 7.5 or later installed. If a Web Application Firewall (WAF), and/or Load Balancer serves as the user-connection endpoint, this system must be deployed on a trusted network behind these front-end technologies. On this system (locally), perform the following steps: Install the “ArcGIS Web Adaptor”. Configure the “ArcGIS Web Adaptor” such that “Administration” is enabled via the Web Adaptor. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping." Configure ArcGIS for Server to utilize Windows Users and Roles: Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager). (logon when prompted.) Navigate to the “Security” tab. Navigate to the “Settings” sub-tab. Edit “Configuration Settings” by clicking on the pencil icon. Select “Users and roles from an existing enterprise system (LDAP or Windows Domain)”, then click “Next”. Select “Windows Domain”, then click “Next”. Supply Active Directory credentials with privileges “Logon To” the system on which ArcGIS for Server is deployed, then click “Next”. Select “Web Tier” as the “Authentication Tier”, then click “Next” >> “Finish”.
Review the ArcGIS for Server configuration to ensure that the application enforces approved authorizations for logical access to information system resources. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]/admin/security/config (logon when prompted.) Verify the "User Store Configuration" value = "Type: Windows". If the "User Store Configuration" value is set to "Type: Built-In", this is a finding. Verify the "Role Store Configuration" value = "Type: Windows". If the "Role store Configuration" value is set to "Type: Built-In", this is a finding. Verify the "Authentication Tier" value is set to "WEB_ADAPTOR". If the "Authentication Tier" value is set to "GIS_SERVER", this is a finding. Open IIS Manager on the system that hosts the ArcGIS Web Adaptor. Select the "[arcgis]" application. Open "SSL Settings". Verify the "Client Certificates" property is set to "Require". If the "Client Certificates" property is not set to "Require", this is a finding. This test requires the account performing the check to have "Administrator" privilege to the ArcGIS for Server site. This check can be performed remotely via HTTPS. This configuration is only valid when ArcGIS for Server has been deployed onto a Windows 2008 or later operating system that is a member of an Active Directory domain. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD-compliant certificate authentication solutions.
Configure ArcGIS for Server to ensure that the application enforces approved authorizations for logical access to information system resources. Substitute the target environment’s values for [bracketed] variables. Identify a system that will serve as the service endpoint for the ArcGIS for Server environment. This must be an Active Directory joined Windows 2008 R2 system with IIS 7.5 or later installed. If a Web Application Firewall (WAF), and/or Load Balancer serves as the user-connection endpoint, this system must be deployed on a trusted network behind these front-end technologies. On this system (locally), perform the following steps: Install the “ArcGIS Web Adaptor”.' Configure the “ArcGIS Web Adaptor” such that “Administration” is enabled via the Web Adaptor. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping." Configure ArcGIS for Server to utilize Windows Users and Roles: Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager). (logon when prompted.) Navigate to the “Security” tab. Navigate to the “Settings” sub-tab. Edit “Configuration Settings” by clicking on the pencil icon. Select “Users and roles from an existing enterprise system (LDAP or Windows Domain)”, then click “Next”. Select “Windows Domain”, then click “Next”. Supply Active Directory credentials with privileges “Logon To” the system on which ArcGIS for Server is deployed, then click “Next”. Select “Web Tier” as the “Authentication Tier”, then click “Next” >> “Finish”. On the system that hosts the ArcGIS Web Adaptor, open IIS Manager. Select “[arcgis]” application >> SSL Settings >> Check “Require SSL” and “Require Client Certificates” >> Apply.
Review the ArcGIS Server configuration to ensure mechanisms for providing audit record generation capability for DoD-defined auditable events within application components are provided. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]/admin/logs/settings (log on when prompted). Verify the "Log Level" value is set to "VERBOSE". If this value is set to any value other than "VERBOSE", this is a finding.
Configure the ArcGIS Server to ensure mechanisms for providing audit record generation capability for DoD-defined auditable events within application components are provided. Substitute the target environment’s values for [bracketed] variables. Open "ArcGIS Server Manager" ([https://server.domain.com/arcgis]/manager) (log on when prompted). Navigate to the "Logs" tab. Open "Settings". Change the "Log Level" value to "VERBOSE", then click "Save".
Review the ArcGIS Server configuration to ensure mechanisms are provided that protect audit information from any type of unauthorized read access, modification or deletion. Substitute the target environment’s values for [bracketed] variables. Within Windows Explorer, access the "Security" (tab) property of the "[C:\arcgisserver]\logs" folder. Verify only the "ArcGIS Server Account" has full control of this folder. Verify any other accounts that have read or other rights to this folder are authorized and documented. If unauthorized accounts have read or other rights to this folder, this is a finding.
Configure the ArcGIS Server to ensure mechanisms are provided that protect audit information from any type of unauthorized read access, modification or deletion. Substitute the target environment’s values for [bracketed] variables. Within Windows Explorer, access the "Security" (tab) property of the "[C:\arcgisserver]\logs" folder. Grant the "ArcGIS Server Account" full control of this folder. Remove any unauthorized accounts or groups from this folder.
Review the ArcGIS Server configuration to ensure that non-essential capabilities are disabled. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/system/handlers/rest/servicesdirectory (log on when prompted). Verify that the "Services Directory" property is set to "Disabled". If the "Services Directory" property is set to "Enabled", this is a finding.
Configure the ArcGIS Server to ensure non-essential capabilities are disabled. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/system/handlers/rest/servicesdirectory (log on when prompted). Uncheck the value for "Services Directory Enabled". Click "Save".
Review the ArcGIS Server configuration to ensure the application prohibits or restricts the use of PPSM CAL defined ports, protocols, and/or services. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/security/config (log on when prompted). Verify the "Protocol" parameter is not set to "HTTP Only". If the "Protocol" parameter is set to "HTTP Only", this is a finding.
Configure the ArcGIS Server to ensure the application prohibits or restricts the use of PPSM CAL defined ports, protocols, and/or services. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/security/config (log on when prompted). Browse to Update. Update the Protocol parameter to "HTTPS Only". Click "Save"/"Apply".
Review the ArcGIS for Server configuration to ensure that the application implements replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”. Verify that “Anonymous Authentication” is “Disabled”. If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding. Within IIS >> within the [“arcgis”] application >> Authentication >> Select “Windows Authentication” >> “Providers”. Verify “Negotiate” or “Negotate:Kerberos” are at the top of the list, with NTLM at the bottom of the list. If “NTLM” is at the top of the “Providers” list, this is a finding. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.
Configure ArcGIS for Server to utilize replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping."
Review the ArcGIS Server configuration to ensure PKI-based authenticated endpoints validate certificates by constructing a certification path. Substitute the target environment’s values for [bracketed] variables. 1. On each GIS Server in the ArcGIS Server Site, left-shift + right-click on Internet Explorer >> Run as a different user >> log on using the "[ArcGIS Server]" account. Within Internet Explorer, click Tools >> Internet Options. Open the "Advanced" tab. Within the "Security" section, verify "Check for publisher's certificate revocation" is checked. If "Check for publisher's certificate revocation" is not checked, this is a finding. 2. Within the "Security" section, verify "Check for server certificate revocation" is checked. If "Check for server certificate revocation" is not checked, this is a finding. Access to the "[ArcGIS Server]" account is required to perform this check.
Configure the ArcGIS Server to ensure PKI-based authenticated endpoints validate certificates by constructing a certification path. Substitute the target environment’s values for [bracketed] variables. On each GIS Server in the ArcGIS Server Site, left-shift + right-click on Internet Explorer >> Run as a different user >> log on using the "[ArcGIS Server]" account. Within Internet Explorer, click Tools >> Internet Options. Open the "Advanced" tab. Within the "Security" section, check "Check for publisher's certificate revocation". Within the "Security" section, check "Check for server certificate revocation". Restart the server. Access to the "[ArcGIS Server]" account is required to make this change.
Review the ArcGIS for Server configuration to ensure the application uses mechanisms that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/system/handlers/rest/servicesdirectory (logon when prompted.) Browse to “machines” >> [machine name] >> Click “edit”. Verify that the name of the SSL certificate listed in the box for “Web server SSL Certificate” is not set to “SelfSignedCertificate”. If the name of the SSL certificate listed in the box for “Web server SSL Certificate” is set to “SelfSignedCertificate”, this is a finding. Browse to “security” >> “config”. Verify “Protocol” parameter is not set to “HTTP Only”. If the “Protocol” parameter is set to “HTTP Only”, this is a finding. On the local system where the GIS Server is installed, open the “[C:\Program Files\]ArcGIS\Server\framework\runtime\tomcat\conf\server.xml” file. Search for the parameter “ciphers=”. Verify the property of the “ciphers=” parameter is set DoD-approved cipher suite value(s). A list of all possible values is located here: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES. An example of a valid configuration is provided below: <Connector SSLEnabled="true" clientAuth="false" keyAlias=["MyValidCertificate"] keystoreFile=["C:\arcgisserver\config-store\machines\SERVER.DOMAIN.COM\arcgis.keystore"] keystorePass="password" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/> If the “ciphers” parameter is not found, this is a finding. If the “ciphers” parameter contains any non-DoD-approved ciphers, this is a finding. On each GIS Server system and on each Web Adaptor system, Run the command “rsop” as Administrator on the Windows Command line. Within the “Resultant Set of Policy” results, verify “Computer Configuration” >> “Windows Settings” >> “Security Settings” >> “Local Policies” >> “Security Options” >> “System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms” is set to “Enabled”. If “System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms” not set to “Enabled”, this is a finding. This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates.)
Configure the ArcGIS Server to use DoD-approved encryption certificates. Substitute the target environment’s values for [bracketed] variables. Using the Primary Site Administrator account, log on to the ArcGIS Server Administrator Directory at https://[server.domain.com]:6443/arcgis/admin. Navigate to machines >> [machine name] >> sslcertificates. Click "importRootOrIntermediate", then import a DoD-approved/provided root certificate file. Click "importRootOrIntermediate", then import a DoD-approved/provided intermediate certificate file (if applicable.) Click "importExistingServerCertificate", then import the SSL server certificate (public key) and private key pair. In the "Certificate password" field, enter the password to unlock the file containing the SSL certificate. In the "Alias" field, enter a unique name that easily identifies the certificate. Click "Browse" to choose the .p12 or .pfx file that contains the SSL certificate and its private key. Click "Import" to import the SSL certificate. Browse to machines >> [machine name]. Click "edit". Enter the alias of the SSL certificate (public/private key pair) that was chosen above in the box for "Web server SSL Certificate". Click "Save Edits" to apply the change. Browse to security >> config >> update. Update the Protocol parameter to "HTTPS Only". On the ArcGIS Server, open the "[C:\Program Files\]ArcGIS\Server\framework\runtime\tomcat\conf\server.xml" file. Search the string <Connector SSLEnabled="true". Within the "Connector" tag, add the following parameters (substitute DoD-approved ciphers for [bracketed] variables): sslProtocol="TLS" ciphers="[DoD-approved cipher], [DoD-approved cipher], [DoD-approved cipher...]" A list of all possible cipher values is located here: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES An example of a valid configuration is provided below: <Connector SSLEnabled="true" clientAuth="false" keyAlias="MyValidCertificate" keystoreFile="C:\arcgisserver\config-store\machines\SERVER.DOMAIN.COM\arcgis.keystore" keystorePass="password" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/> For each GIS Server system and each Web Adaptor system, apply the Local Policy or Group Policy: Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" is set to "Enabled".
Review the ArcGIS for Server configuration to ensure the application recognizes only system generated session identifiers. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]/admin/security/config (logon when prompted.) Verify the “User Store Configuration” value = “Type: Windows”. If the “User Store Configuration” value is set to “Type: Built-In”, this is a finding. Verify the “Role Store Configuration” value = “Type: Windows”. If the “Role store Configuration” value is set to “Type: Built-In”, this is a finding. Verify the “Authentication Tier” value is set to “WEB_ADAPTOR”. If the “Authentication Tier” value is set to “GIS_SERVER”, this is a finding. This test requires the account performing the check to have "Administrator" privilege to the ArcGIS for Server site. This check can be performed remotely via HTTPS. This configuration is only valid when ArcGIS for Server has been deployed onto a Windows 2008 or later operating system that is a member of an Active Directory domain that disables identifiers that show more than 35 days of inactivity. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.
Configure ArcGIS for Server to ensure the application recognizes only system generated session identifiers. Substitute the target environment’s values for [bracketed] variables. Identify a system that will serve as the service endpoint for the ArcGIS for Server environment. This must be an Active Directory joined Windows 2008 R2 system with IIS 7.5 or later installed. If a Web Application Firewall (WAF), and/or Load Balancer serves as the user-connection endpoint, this system must be deployed on a trusted network behind these front-end technologies. On this system (locally), perform the following steps: Install the “ArcGIS Web Adaptor” Configure the “ArcGIS Web Adaptor” such that “Administration” is enabled via the Web Adaptor. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping." Configure ArcGIS for Server to utilize Windows Users and Roles: Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager). (logon when prompted.) Navigate to the “Security” tab. Navigate to the “Settings” sub-tab. Edit “Configuration Settings” by clicking on the pencil icon. Select “Users and roles from an existing enterprise system (LDAP or Windows Domain)”, then click “Next”. Select “Windows Domain”, then click “Next”. Supply Active Directory credentials with privileges “Logon To” the system on which ArcGIS for Server is deployed, then click “Next”. Select “Web Tier” as the “Authentication Tier”, then click “Next” >> “Finish”.
Review the ArcGIS Server configuration to ensure mechanisms that protect the confidentiality and integrity of all information at rest are provided. Substitute the target environment’s values for [bracketed] variables. 1. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/fileShares ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "path" value. For example, "path": "\\[server.domain.com\share". Verify the infrastructure system(s) that supply each path implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption. If any infrastructure system(s) that supply each path do not implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption, this is a finding. 2. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/enterpriseDatabases ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "info" values "SERVER", "DBCLIENT", and "DATABASE", for example: 'SERVER=dbserver', 'DBCLIENT=sqlserver', 'DATABASE=vtest'; Verify on each "SERVER", "DBCLIENT", and "DATABASE", that these systems implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption). If any "SERVER", "DBCLIENT", and "DATABASE" do not implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption), this is a finding.
Configure the ArcGIS Server to ensure mechanisms that protect the confidentiality and integrity of all information at rest are provided. Substitute the target environment’s values for [bracketed] variables. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/fileShares ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "path" value. For example, "path": "\\[server.domain.com\share". Implement FIPS 140-2 compliant encryption at rest (such as BitLocker full disk encryption) on each infrastructure system that supplies each file path. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/enterpriseDatabases ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "info" values "SERVER", "DBCLIENT", and "DATABASE", for example: 'SERVER=dbserver', 'DBCLIENT=sqlserver', 'DATABASE=vtest'; Implement FIPS 140-2 compliant encryption at rest such as through the use of SQL Server TDE (Transparent Data Encryption) on each "SERVER", "DBCLIENT", and "DATABASE" entry identified above.
Review the ArcGIS Server configuration to ensure emergency accounts are never automatically removed or disabled. Substitute the target environment’s values for [bracketed] variables. Log on to the ArcGIS Server Administrator Directory ([https://[server.domain.com])/arcgis/admin) (log on when promoted) with an account that has administrative access. Navigate to security >> psa. Verify that the Primary Site Administrator account has not been disabled. If the "Primary Site Administrator" account has been disabled, this is a finding.
Configure the ArcGIS Server to ensure emergency accounts are never automatically removed or disabled. Substitute the target environment’s values for [bracketed] variables. Log on to the ArcGIS Server Administrator Directory ([https://[server.domain.com])/arcgis/admin) with an account that has administrative access. Navigate to security >> psa >> enable to enable the "Primary Site Administrator" account.
Review the ArcGIS Server configuration to ensure the application reveals error messages only to authorized personnel. Substitute the target environment’s values for [bracketed] variables. 1. Inspect the Security Properties of the [C:\arcgisserver\logs] folder. Verify that the [ArcGIS Server] account has full control of the folder and only authorized personnel have access to the folder. 2. Log on to ArcGIS Server Manager >> Security >> Roles >> Publisher. Verify that only [authorized personnel accounts] are granted this role. 3. Log on to ArcGIS Server Manager >> Security >> Roles >> Administrator (log on when prompted.) Verify that only [authorized personnel accounts] are granted this role. Verify any other accounts that have read or other rights to this folder are authorized and documented. If unauthorized accounts have read or other rights to this folder, this is a finding.
Configure the ArcGIS Server to ensure the application reveals error messages only to authorized personnel. Substitute the target environment’s values for [bracketed] variables. Edit the file system Security Properties of [C:\arcgisserver\logs]. Remove unauthorized user accounts and groups. Do not remove the SYSTEM account, [ArcGIS Server] account, or log agent accounts that support SIEM operations. Revoke "Publisher" and "Administrator ArcGIS Server" roles from unauthorized accounts. Log on to ArcGIS Server Manager >> navigate to Security >> Roles >> locate and edit the "Publisher" role. Remove any unauthorized users from the "Publisher" role. Log on to ArcGIS Server Manager >> navigate to Security >> Roles >> locate and edit the "Administrator" role. Remove any unauthorized users from the "Administrator" role.
Review the ArcGIS for Server configuration to ensure that the application enforces access restrictions associated with changes to application configuration. Substitute the target environment’s values for [bracketed] variables. Logon to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager]) (logon when prompted) >> “Security” >> “Roles” >> “Administrator” role. Verify that only authorized personnel are listed as members of the “Administrator” role. If unauthorized personnel are members of the “Administrator” role, this is a finding. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.
Configure the ArcGIS Server to enforce access restrictions associated with changes to application configuration. Substitute the target environment’s values for [bracketed] variables. Log on to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager]) (log on when prompted) >> Security >> Roles >> "Administrator" role. Remove unauthorized personnel from the "Administrator" role.
Review the ArcGIS for Server configuration to ensure that organization-defined unnecessary or insecure ports, functions, and services are disabled. Substitute the target environment’s values for [bracketed] variables. Using an ArcGIS Server account that is a member of the ArcGIS Server Administrator role, logon to the ArcGIS Server Administrator Directory at https://[server.domain.com:6443]/arcgis/admin. Browse to “security” >> “config”. Verify “Protocol” parameter is not set to “HTTP Only”. If the “Protocol” parameter is set to “HTTP Only”, this is a finding. This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates.)
Configure the ArcGIS Server to ensure organization-defined unnecessary or insecure ports, functions, and services are disabled. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/security/config (log on when prompted). Browse to Update. Update the Protocol parameter to "HTTPS Only". Click "Save"/"Apply".
Review the ArcGIS for Server configuration to ensure that the application accepts Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”. Verify that “Anonymous Authentication” is “Disabled”. If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding. Within IIS >> within the [“arcgis”] application >> SSL Settings >> Verify the setting “Client Certificates:” is set to “Accept” or “Require” If “Client Certificates:” is set to “Ignore” this is a finding. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.
Configure ArcGIS for Server to accept Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping."
Review the ArcGIS for Server configuration to ensure that the application authenticates all network connected endpoint devices before establishing any connection. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”. Verify that “Anonymous Authentication” is “Disabled”. If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.
Configure ArcGIS for Server to accept Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping."
Review the ArcGIS Server configuration to ensure the application implements NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the [“arcgis”] application >> SSL Settings >> Verify that “Require SSL” is checked. If “Require SSL” is not checked, this is a finding. Note: To comply with this control, the Active Directory domain on which the ArcGIS Server and the IIS system are deployed must implement policies which enforce FIPS 140-2 compliance. This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates.) This control is not applicable for ArcGIS Servers which are not deployed with the ArcGIS Web Adapter component.
Configure the ArcGIS Server to implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the "[arcgis]" application >> SSL Settings >> check "Require SSL".
Review the ArcGIS Server configuration to ensure the application only allows the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. Substitute the target environment’s values for [bracketed] variables. 1. Use a Java-compatible tool to access the java keystore at [C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts]. The password for the keystore is "changeit". Verify that the Java Keystore [C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts] does not contain any non-DoD-approved certificates. If any non-DoD-approved certificate authorities are listed as trusted, this is a finding. 2. Log on to the machine hosting ArcGIS Server. Open Certificate Manager. (You can do this by clicking the "Start" button, typing "certmgr.msc" into the "Search" box, and pressing the "ENTER" key.) In the "Certificate Manager" window, click "Trusted Root Certificate Authorities", then click" Certificates". Verify that the Windows Keystore does not contain any non-DoD-approved certificates. If any non-DoD-approved certificate authorities are listed as trusted, this is a finding. 3. Use a Java-compatible tool to access the Java Keystore at [C:\arcgisserver\config-store\machines\machine_name\arcgis.keystore]. The password is the value of the "password" field within the [C:\arcgisserver\config-store\security\super\super.json] file. Verify that the Java Keystore [C:\arcgisserver\config-store\machines\machine_name\arcgis.keystore] does not contain any non-DoD-approved certificates. If any non-DoD-approved certificate authorities are listed as trusted, this is a finding.
Configure the ArcGIS Server to only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. Substitute the target environment’s values for [bracketed] variables. Use a Java-compatible tool to access the Java keystore at [C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts]. The password for the keystore is "changeit". Remove any non-DoD-approved certificates. Log on to the machine hosting ArcGIS Server. Open Certificate Manager. (You can do this by clicking the "Start" button, then typing "certmgr.msc" into the "Search" box, and pressing the "ENTER" key.) In the "Certificate Manager" window, click "Trusted Root Certificate Authorities", then click "Certificates". Remove any non-DoD-approved certificates. Use a Java-compatible tool to access the Java Keystore at [C:\arcgisserver\config-store\machines\machine_name\arcgis.keystore]. The password is the value of the "password" field within the [C:\arcgisserver\config-store\security\super\super.json] file. Remove any non-DoD-approved certificates.
Review the ArcGIS Server configuration to ensure all published services maintain a separate execution domain for each process. Substitute the target environment’s values for [bracketed] variables. In PowerShell, run the following command, replacing the [bracketed] values with the path of the ArcGIS Server Site "config-store": Get-ChildItem -recurse [C:\arcgisserver\]config-store\services\*.json | Select-String -pattern "`"isolationLevel`": `"LOW`"" If any values are returned, this is a finding.
Configure the ArcGIS Server to ensure all published services maintain a separate execution domain for each process. Substitute the target environment’s values for [bracketed] variables. In PowerShell, run the following command, replacing the [bracketed] values with the path of the ArcGIS Server Site "config-store": Get-ChildItem -recurse [C:\arcgisserver\]config-store\services\*.json | Select-String -pattern "`"isolationLevel`": `"LOW`"" Stop ArcGIS Server, then replace the "LOW" with "HIGH" in all found files.
Review the ArcGIS Server configuration to ensure it is deployed onto a Windows 2008 R2 or Windows 2012 R2 Active Directory Member server upon which the Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide or Windows Server 2008 R2 Member Server Security Technical Implementation Guide has been applied (respectively). If the server on which ArcGIS Server is deployed is not a Windows 2008 R2 or Windows 2012 R2 Active Directory member server which has the Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide or Windows Server 2008 R2 Member Server Security Technical Implementation Guide has been applied (respectively), this is a finding.
Deploy ArcGIS Server onto a Windows 2008 R2 or Windows 2012 R2 Active Directory Member server that aligns to the Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide or Windows Server 2008 R2 Member Server Security Technical Implementation Guide (respectively).
ArcGIS 10.3 is no longer supported by the vendor. If the server is running ArcGIS 10.3, this is a finding.
Upgrade to a supported version.