Free DISA STIG and SRG Library | Vaulted
  1. Security Guide Library
  2. ArcGIS for Server 10.3 Security Technical Implementation Guide
  3. V-65429

V-65429

The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts.

Finding ID
AGIS-00-000062
Rule ID
SV-79919r2_rule79919r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000156
CCI
CCI-002361
Target Key
(None)
Documentable
No
Discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. A non-privileged account is any operating system account with authorizations of a non-privileged user. Satisfies: SRG-APP-000156, SRG-APP-000157, SRG-APP-000295

Fix Text

Configure the ArcGIS for Server to utilizeuse replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. EnableWithin ActiveIIS Directory>> Clientwithin Certificatethe "[arcgis]" application >> Authentication >> enable "ToWindows mapAuthentication". clientWithin certificatesIIS by>> usingwithin Activethe Directory"[arcgis]" mappingapplication >> Authentication >> disable "Anonymous Authentication". Within IIS >> within the "[arcgis]" application >> Authentication >> Select "Windows Authentication" >> "Providers". Add/move "Negotiate" or "negotiate:Kerberos" to the top of the list. Remove or move "NTLM" to the bottom of the list.

Check Content

Review the ArcGIS for Server configuration to ensure that the application implements replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. 1. Within IIS >> within the "[arcgis]" application >> Authentication >> Verifyverify that "Windows Authentication" is "Enabled”.". 2. Verify that "Anonymous Authentication" is "Disabled”.". If "Windows Authentication" is not enabled, or "Anonymous Authentication" is enabled, this is a finding. 3. Within IIS >> within the ["arcgis"] application >> Authentication >> Select "Windows Authentication" >> "Providers”.". Verify "Negotiate" or “Negotate"negotiate:Kerberos" are at the top of the list, with "NTLM" at the bottom of the list. If "NTLM" is at the top of the "Providers" list, this is a finding. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Vaulted is more than a library.

SIGN UP FOR FREE