ArcGIS Enterprise Security: An Introduction Randall Williams Esri PSIRT

Post on 24-Sep-2020

Page 1: ArcGIS Enterprise Security: An Introduction · Scan ArcGIS Enterprise for Security Checks •serverScan.pyis a script in the Server installation directory-Located: \ArcGIS\Server\tools\admin•portalScan.pyis

ArcGIS Enterprise Security:

An Introduction

Randall Williams

Esri PSIRT

Page 2:

Agenda: ArcGIS Enterprise Security for *BEGINNING to INTERMEDIATE* users

• ArcGIS Enterprise Security Model

• Portal for ArcGIS

• Authentication and Authorization: ArcGIS Tokens

• Building the Enterprise

• Encryption (HTTPS)

• Defense in Depth - Threat Prevention, Mitigation, and Regulatory Compliance

• Summary

Page 3:

ArcGIS Enterprise Logical Architecture

[Diagram: Portal for ArcGIS (focus), ArcGIS Server, ArcGIS Data Store (relational + tile cache), and two ArcGIS Web Adaptors]

Page 4:

ArcGIS Enterprise Security Model: Protect your Assets

Control Access and Set Permissions

Page 5:

ArcGIS Enterprise Security Model

Authentication vs. Authorization

Page 6:

ArcGIS Enterprise Security Model

token

Page 7:

ArcGIS Enterprise Security Model

The token is your access key into… ArcGIS Server, Portal for ArcGIS, ArcGIS Online, Insights, Collector, ArcGIS Pro, ArcGIS Desktop, Maps for Office, Maps for SharePoint, GeoEnrichment, Geocoding, Living Atlas, Survey123, Analysis, Maps for Power BI

Page 8:

ArcGIS Enterprise Security Model

The token is your access key into… ArcGIS Enterprise

Page 9:

ArcGIS Enterprise Security Model

OK. So what is a token?

Page 10:

ArcGIS Enterprise Security Model

A token represents your login credentials…

(1AyZcQDO6xJjtWyycn206filCzn)

…and must be passed with any request for secured content

Page 11:

ArcGIS Enterprise Security Model

A token represents your login credentials…

…and other attributes to make them randomized, unique and scoped.

Page 12:

ArcGIS Enterprise Security Model

Good news…

…ArcGIS Enterprise handles this transparently for you

Page 13:

ArcGIS Enterprise Security Model

Let's see how this works…

Page 14:

ArcGIS Enterprise Security Model

1. User requests access to Service

Page 15:

ArcGIS Enterprise Security Model

1. User requests access to Service

2. Service sends user to Token Service

[Diagram: Service, Token Service]

Page 16:

ArcGIS Enterprise Security Model

1. User requests access to Service

2. Service sends user to Token Service

3. User Authenticates to Token Service

[Diagram: User, Service, Token Service, Token]

Page 17:

ArcGIS Enterprise Security Model

1. User requests access to Service

2. Service sends user to Token Service

3. User Authenticates to Token Service

4. Token Service issues Token to User

[Diagram: User, Service, Token Service, Token]

Page 18:

ArcGIS Enterprise Security Model

1. User requests access to Service

2. Service sends user to Token Service

3. User Authenticates to Token Service

4. Token Service issues Token to User

5. User passes Token to Service

[Diagram: Service, Token]

Page 19:

ArcGIS Enterprise Security Model

1. User requests access to Service

2. Service sends user to Token Service

3. User Authenticates to Token Service

4. Token Service issues Token to User

5. User passes Token to Service

6. Service grants access

[Diagram: Service, Content]

Page 20:

ArcGIS Enterprise Security Model

But what about… Single Sign On, Forms Auth, Active Directory, Smart Cards

Page 21:

ArcGIS Enterprise Security Model

All authentication methods ultimately deliver a token…

Page 22:

ArcGIS Enterprise Security Model

…the token is your key into… ArcGIS Enterprise

Page 23:

[Diagram: ArcGIS Enterprise = ArcGIS Portal, ArcGIS Server, ArcGIS DataStore]

Page 24:

[Diagram: item, with the item types package, web map, service, layer]

Page 25:

[Diagram: item = content]

Page 26:

How do we grant access to items?

Page 27:

[Diagram: item, group, user; access]

Page 28:

• Portal for ArcGIS

- Permissions set by item owner

- Can be changed by administrators

• ArcGIS Server

- Permissions can be set by any publisher/administrator

[Diagram: Access to Web Services and Portal Items (web map, web app, data)]

Page 29:

What security options are available?

Page 30:

Flexible Security Options with ArcGIS Enterprise

ArcGIS Enterprise Supports… Single Sign On, IWA, Forms Auth, Active Directory, LDAP, HTTP Auth, OAuth, SAML, Built-In Accounts, NTLM, PKI, Kerberos, CAC Cards, Certificates, Custom Roles, Enterprise Groups, Smart Cards

Page 31:

Single Web Sign On through SAML (Security Assertion Markup Language)

Industry standard for SSO

Page 32:

SAML Login User Experience

• With SAML authentication enabled, the user will be prompted by the IDP to log in

• Use IDP login or built-in login

Page 33:

SAML – Conceptual Workflow

[Diagram: Client, ArcGIS Enterprise, and a 3rd-party Identity Provider (IDP)]

1. User attempts to login

2. Redirected to IDP

3. User sends login credentials to IDP

4. IDP authenticates user and sends SAML response to browser

5. Browser sends SAML response to Portal

6. Portal verifies SAML response and user is logged in

Page 34:

SAML – Conceptual Workflow

But what about the token?!

Page 35:

SAML – Conceptual Workflow

[Diagram: Client, ArcGIS Enterprise, and a 3rd-party Identity Provider (IDP)]

1. User attempts to login

2. Portal redirects client to IDP

3. User sends login credentials to IDP

4. IDP authenticates user and sends SAML response to browser

5. Browser sends SAML response to Portal

6. Portal verifies SAML response and user is logged in

[Diagram: after login, a Token is issued; labels: Token, You, ArcGIS Server, Token]
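Pages 14–19 and Pages 33–35 describe two paths that end in the same place: a token that the service checks on every request. The following is an added simulation written for this transcript, not Esri code: a token service that issues randomized, scoped, expiring tokens (the "other attributes" of Page 11), a secured service that sends tokenless callers to the token service and grants content to a valid token, and a SAML-style login in which Portal verifies the identity provider's signed response before issuing the same kind of token. The token layout, the HMAC-signed assertion that stands in for a SAML XML signature, and every class, user, key and entity URL are assumptions of the example.

```python
"""Simulation of the two login flows on these slides: the six-step token flow
(user -> service -> token service -> token -> service -> content) and the SAML
workflow, where Portal verifies the IdP's response and then issues the same kind
of token. Constructed illustration, not Esri code: the token layout, the
HMAC-signed assertion standing in for a SAML XML signature, and every class,
user, key and URL below are assumptions of this example."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pw_hash(password: str) -> str:
    """Constructed identity-store entry; a real store uses a slow, salted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def _now(now):
    return int(time.time() if now is None else now)


class TokenService:
    """Issues tokens that are randomized (nonce), unique, scoped and time-limited
    and validates them; the token carries signed claims, never the credentials."""

    def __init__(self, secret: bytes, users: dict):
        self._secret, self._users = secret, users  # users: name -> pw_hash

    def authenticate(self, username, password, scope, ttl=3600, now=None):
        """Step 3 (credentials to the token service) and step 4 (token back)."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, pw_hash(password)):
            return None
        return self.issue(username, scope, ttl, now)

    def issue(self, subject, scope, ttl=3600, now=None):
        claims = {"sub": subject, "scope": sorted(scope), "exp": _now(now) + ttl,
                  "nonce": _b64(os.urandom(16))}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return _b64(body) + "." + _b64(hmac.new(self._secret, body, hashlib.sha256).digest())

    def validate(self, token, now=None):
        """Claims of a genuine, unexpired token; None for anything else."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
            if not hmac.compare_digest(sig, hmac.new(self._secret, body, hashlib.sha256).digest()):
                return None
            claims = json.loads(body)
        except (ValueError, binascii.Error):
            return None
        return None if claims.get("exp", 0) <= _now(now) else claims


class Service:
    """Secured service: no or bad token -> send the user to the token service
    (step 2); valid token scoped to this service -> grant content (steps 5, 6)."""

    def __init__(self, name, token_service):
        self.name, self._ts = name, token_service

    def request(self, token=None, now=None):
        claims = self._ts.validate(token, now) if token else None
        if claims is None:
            return {"status": 401, "redirect": "token-service"}
        if self.name not in claims["scope"]:
            return {"status": 403, "error": "token not scoped to this service"}
        return {"status": 200, "content": f"{self.name} data for {claims['sub']}"}


class IdentityProvider:
    """Third-party IdP (SAML steps 3 and 4): authenticates and signs an assertion."""

    def __init__(self, signing_key: bytes, directory: dict, entity_id: str):
        self._key, self._dir, self.entity_id = signing_key, directory, entity_id

    def login(self, username, password, audience):
        stored = self._dir.get(username)
        if stored is None or not hmac.compare_digest(stored, pw_hash(password)):
            return None
        assertion = {"issuer": self.entity_id, "audience": audience, "nameid": username}
        payload = json.dumps(assertion, sort_keys=True).encode()
        return {"assertion": assertion,
                "signature": hmac.new(self._key, payload, hashlib.sha256).hexdigest()}


class Portal:
    """SAML step 6: verify the response, then hand out a token like any other login."""

    def __init__(self, entity_id, idp_entity_id, idp_key: bytes, token_service):
        self.entity_id, self._idp_id = entity_id, idp_entity_id
        self._idp_key, self._ts = idp_key, token_service

    def consume_saml_response(self, response, scope=("Portal",)):
        assertion = response["assertion"]
        payload = json.dumps(assertion, sort_keys=True).encode()
        expected = hmac.new(self._idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(response["signature"], expected):
            return None  # altered or forged response
        if assertion["issuer"] != self._idp_id or assertion["audience"] != self.entity_id:
            return None  # wrong IdP, or a response meant for another portal
        return self._ts.issue(assertion["nameid"], scope)
```

Two checks in `Portal.consume_saml_response` are the ones that matter in real deployments too: the signature must verify against the key configured for your IdP, and the assertion's issuer and audience must match, otherwise a response obtained from another IdP or intended for another portal would be accepted. The service never sees a password; it only ever sees a token whose signature, scope and expiry it can verify locally.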

Page 36:

Groups vs Roles

Page 37:

Groups

[Diagram: item, group, user; access]

Page 38:

Roles

Roles are privileges

As an administrator I can …

As a publisher I can …

As a viewer I can …

As a user I can …

Page 39:

• Permissions for Portal users defined by roles

• 4 default roles

1. Administrator

2. Publisher

3. User

4. Viewer

[Chart: Roles vs. Permissions]
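Pages 27–28 and 36–40 draw the distinction that trips up new administrators: sharing (item, group, user) decides which items a member can reach, while a role decides what that member may do. The following toy model is an added example for this transcript, not Esri's implementation: it approximates the four default roles as privilege sets, lets an administrator define a custom role, enforces that only the item owner or an administrator can change sharing, and resolves access for private, organization-wide and public items. The privilege names, the default-role contents and the sample members, groups and items are assumptions of the example.

```python
"""Toy model of the access model on these slides: access to an item is granted
by sharing it to groups (item -> group -> user), while a role is the bundle of
privileges that says what a member may do, and custom roles add finer-grained
bundles. Constructed example, not Esri's implementation: the privilege names,
the approximated four default roles and the sample members, groups and items
are all assumptions of this example."""
from dataclasses import dataclass, field

# Approximation of the four default roles; the product's privilege lists are longer.
DEFAULT_ROLES = {
    "administrator": {"view", "create", "publish", "manage_org"},
    "publisher": {"view", "create", "publish"},
    "user": {"view", "create"},
    "viewer": {"view"},
}


@dataclass
class Item:
    item_id: str
    owner: str
    access: str = "private"                    # private | org | public
    groups: set = field(default_factory=set)   # groups the item is shared with


@dataclass
class Member:
    name: str
    role: str
    groups: set = field(default_factory=set)   # groups the member belongs to


class Org:
    def __init__(self):
        self.roles = {name: set(privs) for name, privs in DEFAULT_ROLES.items()}

    def privileges(self, member):
        return self.roles.get(member.role, set()) if member else set()

    def create_role(self, actor, name, privileges):
        """Custom role: only a member holding manage_org may define one."""
        if "manage_org" not in self.privileges(actor):
            raise PermissionError(f"{actor.name} cannot create roles")
        self.roles[name] = set(privileges)

    def can_publish(self, member):
        return "publish" in self.privileges(member)

    def can_view(self, member, item):
        """Roles decide what you may do; sharing decides which items you reach."""
        if item.access == "public":
            return True                     # anonymous (member is None) included
        if member is None:
            return False
        if member.name == item.owner or "manage_org" in self.privileges(member):
            return True                     # the owner, or an administrator
        if item.access == "org":
            return "view" in self.privileges(member)
        return bool(item.groups & member.groups)   # private: a shared group is needed

    def share(self, actor, item, group=None, access=None):
        """Sharing is set by the item owner and may be changed by administrators."""
        if actor.name != item.owner and "manage_org" not in self.privileges(actor):
            raise PermissionError(f"{actor.name} may not change sharing of {item.item_id}")
        if group is not None:
            item.groups.add(group)
        if access is not None:
            item.access = access
```

Note that the two questions are answered independently: a publisher who is not in the right group cannot see a private item even though they could publish one of their own, and a viewer who is in the group can see it but still cannot publish. Custom roles only change the second question, never the first.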

Page 40:

Portal for ArcGIS: Custom Roles

• Provide more flexibility to enable fine-grained control on what members can do

• My Organization page > Edit Settings > Roles > Create Role

Page 41:

Enterprise Groups: Enabled when Portal is configured with Windows Active Directory or LDAP

Page 42:

Building the Enterprise

1. Registering services

2. Federating a Server

[Diagram: Portal for ArcGIS, ArcGIS Server]

Page 43:

Building the Enterprise

[Diagram: Portal for ArcGIS with its Identity Store, holding Item A, a registered web service from ArcGIS Server site 1, which has its own Identity Store; labelled "Portal for ArcGIS + ArcGIS Server"]

Page 44:

Registering a Service

Demo

Page 45:

Building the Enterprise

[Diagram: Portal for ArcGIS with its Identity Store, holding Item A, a registered web service from ArcGIS Server site 1, which has its own Identity Store; labelled "Portal for ArcGIS + ArcGIS Server"]

Page 46:

Implementation Patterns

[Diagram: Portal for ArcGIS with its Identity Store, holding Item A (a registered web service from ArcGIS Server site 1, which has its own Identity Store) and Item B (from the Federated Server, ArcGIS Server site 2); labelled "Portal for ArcGIS + ArcGIS Server"]

Page 47:

Encryption and HTTPS: Securing communication protocols

Page 48:

Sensitive Content

HTTPS

Is the service valid?

Is the data secure?

What happens to my password?

Can I trust the content?

Page 49:

Implementing HTTPS

[Diagram: Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store (relational + tile cache), with two Web Adaptors and two Load Balancers in front]

Page 50:

How do you set up a Security Certificate?

1. Generate a Certificate Signing Request (CSR)

2. Send CSR for signing

- By a domain or well-known Certificate Authority

3. Import signed certificate

Page 51:

A Brief Intro: Production Considerations for Threat Mitigation and Regulatory Compliance

Page 52:

Threat Mitigation, Prevention, and Regulatory Compliance

• Defense in Depth Paradigm

• Disable Services and Portal Directories

• Restrict Cross Domain (CORS) Requests

• Restrict ArcGIS Server System Folder Permissions

• Disable PSA Account

• Scan Server / Scan Portal Scripts

• HTTPS: Protocol and Cipher Configuration

Page 53:

Defense In Depth Paradigm

• Security plans have many “layers” – multiple levels of security

• Layered security mechanisms increase the security of the system as a whole

• Each feature discussed is considered a “layer”

Page 54:

How to Disable the Services Directory

• Server Administrator Directory

- System > Handlers > Rest > Servicesdirectory > edit

- Uncheck Services Directory Enabled option

• Help topic: Disable the Services Directory

Page 55:

Disable ArcGIS Portal Directory (https://<machinename>.domain.com/arcgis/sharing)

• Provides a browsable HTML-based representation of all Portal items

- services, web maps, and content

• Recommended: disable this to reduce the chance that your items can be browsed, found in a web search, or queried through HTML forms

[Screenshots: Before / After]

Page 56:

How to Disable ArcGIS Portal Directory

• Access the Portal Administrator Directory

- Security > Config > Update Security Configuration

- Set property = ‘true’

Page 57:

Restrict System Folder Permissions in Manager

• Verify System folder permissions are limited to Administrators and Publishers only

- Prevents potential Denial of Service due to resource consumption, service deletion, etc.

- Usually changed from default when troubleshooting

Page 58:

Restrict Cross-Domain (CORS) Requests (enterprise.arcgis.com > Search “cross-domain requests”)

• For JavaScript applications, a common method used to make cross-domain requests is called a CORS request (cross-origin resource sharing)

• Required when making POST requests to Feature or GP services on a different server

[Diagram: Client Web Browser running a JavaScript Web Application, ArcGIS Server]
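The slide says why CORS is needed but not what "restrict" means in practice: the browser only lets a page from another origin read (and, for non-simple POSTs, even send) a request when the server's CORS headers name that origin, so a wildcard hands that permission to every site on the internet. The following added example, written for this transcript and not ArcGIS Server's code, shows the policy logic: an audit of the allow-list setting with the permissive value beside the restricted one, and the header decision a server makes for a given `Origin`. The comma-separated setting format, the finding texts and the sample origins are assumptions of the example.

```python
"""CORS allow-list logic behind the "restrict cross-domain requests" advice: a
wildcard lets any site's JavaScript make cross-domain POST requests to your
services with the browser's cooperation; an explicit allow-list limits that to
the web applications you operate. Constructed example, not ArcGIS Server code:
the comma-separated setting format, the audit wording and the sample origins are
assumptions of this example."""
from typing import Optional

# Constructed settings: the permissive value beside a restricted one.
WEAK_SETTING = "*"
RESTRICTED_SETTING = "https://maps.example.com, https://apps.example.com"


def parse_allowed_origins(setting: str) -> set:
    """Normalise a comma-separated origin list (case, trailing slash, whitespace)."""
    return {o.strip().lower().rstrip("/") for o in setting.split(",") if o.strip()}


def audit_allowed_origins(setting: str) -> list:
    """Findings in the spirit of the scan scripts: wildcard/empty and plain-HTTP origins."""
    origins = parse_allowed_origins(setting)
    findings = []
    if not origins or "*" in origins:
        findings.append("any origin may make cross-domain requests; list only your web apps")
    for origin in sorted(origins):
        if origin.startswith("http://"):
            findings.append(f"{origin}: plain HTTP origin, pair the CORS restriction with HTTPS")
    return findings


def cors_headers(request_origin: Optional[str], allowed: set, with_credentials: bool = False) -> dict:
    """CORS response headers for a request that carries an Origin header.
    Same-origin requests carry no Origin header and need no CORS headers."""
    if request_origin is None:
        return {}
    origin = request_origin.lower().rstrip("/")
    if "*" in allowed and not with_credentials:
        return {"Access-Control-Allow-Origin": "*"}
    # A wildcard combined with credentials is refused rather than reflected:
    # echoing arbitrary origins with Allow-Credentials exposes logged-in sessions.
    if origin not in allowed:
        return {}                         # the browser blocks the cross-origin read
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

The `Vary: Origin` header matters once you echo a specific origin: without it a shared cache could serve one origin's allow header to a page from another. Keep the allow-list to the HTTPS origins of the web applications you actually host, which is exactly the set of places a legitimate cross-domain POST to a Feature or GP service should come from.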

Page 59:

Page 60:

Disable Primary Site Administrator (PSA) Account

• Recommended: disable the PSA account to remove an alternate method of administering ArcGIS Server outside of your enterprise users

• Access the Server Administrator Directory

- Security > PSA > disable

[Screenshot: PSA account]

Page 61:

Scan ArcGIS Enterprise for Security Checks

• serverScan.py is a script in the Server installation directory

- Located: <install directory>\ArcGIS\Server\tools\admin

• portalScan.py is a script in the Portal installation directory

- Located: <install_directory>\ArcGIS\Portal\tools\security

• The scripts check security settings and generate a report that makes recommendations to improve security.

• *Protip – run as scheduled tasks, output to web server directory, view online.

Page 62:

SSL Protocol Configurations (https://www.ssllabs.com/ssltest/clients.html)

• In 10.4, both Server and Portal can be configured to limit which SSL protocol is accepted and used.

• SSLv3 is *NOT* an option at ArcGIS 10.3+

• For organizations that are very security-aware and/or compliance-focused, restricting Server and Portal to TLS 1.2 is highly recommended

• TLS (and its predecessor SSL) are cryptographic protocols designed to provide secure network communication between a client and a server

[Diagram: Client App and Portal for ArcGIS negotiating TLS 1.0 / TLS 1.2; Ports: 6443, 7443]

Page 63:

SSL Protocols and Cipher Suites

• Portal Administrator Directory

- Security > SSLCertificates

• Server Administrator Directory

- Security > Config
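Pages 62 and 63 say what to restrict (TLS 1.2 only) and where the protocol and cipher-suite settings live, but a baseline is only useful if you can check it. The following added example, written for this transcript and not Esri code, audits a configuration document of that shape: every protocol below TLS 1.2 is reported, every cipher suite is judged from its standard name for weak primitives, a SHA-1 MAC and missing forward secrecy, and a permissive configuration is shown beside the restricted form. The key names `sslProtocols` and `cipherSuites`, the comma-separated value format and both sample configurations are assumptions of the example modelled on what an administrator directory returns, not values copied from the product.

```python
"""Audit of a protocol and cipher-suite configuration of the kind Pages 62 and 63
describe: every protocol below TLS 1.2 and every cipher suite built on a weak or
legacy primitive is reported, and a weak configuration is shown beside a
restricted one. Constructed example, not Esri code: the key names `sslProtocols`
and `cipherSuites`, the comma-separated value format and both sample
configurations are assumptions of this example."""
import json

ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_PRIMITIVES = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "MD5", "ANON")

# Constructed sample configurations: a permissive one and the restricted form.
WEAK_CONFIG = json.dumps({
    "sslProtocols": "TLSv1,TLSv1.1,TLSv1.2",
    "cipherSuites": "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
})
RESTRICTED_CONFIG = json.dumps({
    "sslProtocols": "TLSv1.2",
    "cipherSuites": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
})


def _split(value: str) -> list:
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_cipher_suite(name: str) -> list:
    """Issues with one suite, judged from its standard (Java-style) name."""
    upper = name.upper()
    issues = []
    if any(marker in upper for marker in WEAK_PRIMITIVES):
        issues.append("weak primitive")
    if upper.endswith("_SHA"):
        issues.append("SHA-1 MAC")
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use ephemeral key exchange.
    forward_secret = ("ECDHE" in upper or "_DHE_" in upper
                      or upper.startswith(("TLS_AES", "TLS_CHACHA")))
    if not forward_secret:
        issues.append("no forward secrecy")
    return issues


def audit_tls_config(config_json: str) -> list:
    """Findings for a config document; an empty list means TLS 1.2+ with sound suites."""
    cfg = json.loads(config_json)
    findings = []
    for proto in _split(cfg.get("sslProtocols", "")):
        if proto not in ACCEPTABLE_PROTOCOLS:
            findings.append(f"protocol {proto}: below TLS 1.2, remove")
    for suite in _split(cfg.get("cipherSuites", "")):
        for issue in audit_cipher_suite(suite):
            findings.append(f"cipher {suite}: {issue}")
    return findings


def is_restricted_to_tls12(config_json: str) -> bool:
    return audit_tls_config(config_json) == []
```

Restricting protocols and ciphers is only half of the check: the SSL Labs client test linked on Page 62 tells you which of your users' browsers and desktop clients can still negotiate TLS 1.2 with those suites, so run the audit against the configuration and the compatibility check against the client population before cutting over.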

Page 64:

Compliance

ArcGIS Online:

• TRUST.ArcGIS.com – Compliance Documentation (Cloud Security Alliance, NIST 800-53, GDPR, etc.)

• FedRAMP Tailored Low (Updated Boundary) Expected Q2

10.6 STIG:

• ArcGIS Server “Stand Alone” – complete. 10.3 STIG still valid.

• ArcGIS Enterprise – validated, not published (yet)

ArcGIS Enterprise:

• Esri Managed Cloud Services: FedRAMP MODERATE Authorized (Advanced Plus Offering)

Page 65:

Security Findings? Esri PSIRT!

• https://doc.arcgis.com/en/trust/

• Vulnerability - report a vulnerability found in our site or application.

• Suspicious E-mail from Esri - if you believe you were targeted by a possible phishing attack from an Esri e-mail address, or have received other suspicious e-mail correspondence from Esri.

• Privacy Issue - if you have a privacy concern related to our application or organization.

• Other - for all other security, privacy or compliance related concerns.

Page 66:

Summary

• Tokens are the Foundation of the ArcGIS Enterprise Security Model

• ArcGIS Enterprise Supports many Authentication Options

• Use SAML if you can

• HTTPS *Everywhere* – Use CA Signed Certificates

• Federate Server with Portal to Fully Enable the ArcGIS Enterprise

• Use Security Scan tools to validate your baseline

• Review advanced options to achieve compliance

Page 67:

Print Your Certificate of Attendance: Print stations located in the 140 Concourse

Tuesday

12:30 pm – 6:30 pm: GIS Solutions Expo, Hall B

5:00 pm – 6:30 pm: GIS Solutions Expo Social, Hall B

Wednesday

10:30 am – 5:15 pm: GIS Solutions Expo, Hall B

6:30 pm – 9:00 pm: Networking Reception, Smithsonian National Portrait Gallery

Page 68:

Please Take Our Survey in the Esri Events App

1. Download the Esri Events app and find your event

2. Select the session you attended

3. Scroll down to find the feedback section

4. Complete answers and select “Submit”

Page 69: