Free DISA STIG and SRG Library

V-65477

The ArcGIS Server must recognize only system-generated session identifiers.

Finding ID

AGIS-00-000098

Rule ID

SV-~~79967r2_rule~~79967r1_rule

Severity

~~Cat II~~

CCE

(None)

Group Title

SRG-APP-000223

CCI

CCI-001664

Target Key

(None)

Documentable

Discussion

Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the session may be compromised. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).

Fix Text

Configure the ArcGIS ~~for~~ Server to ensure the application recognizes only system -generated session identifiers. Substitute the target environment’s values for [bracketed] variables. ~~Identify~~Configure athe ~~system~~web ~~that~~adaptor ~~will~~so ~~serve~~that as"Administration" ~~the~~is ~~service~~enabled ~~endpoint~~via ~~for~~ the ~~ArcGIS~~Web ~~for~~Adaptor. ~~Server~~Open ~~environment.~~IIS ~~This~~Manager ~~must~~(click beStart an>> ~~Active~~Control ~~Directory~~Panel ~~joined~~>> ~~Windows~~Administrative ~~2008~~Tools R2>> ~~system~~Internet ~~with~~Information ~~IIS~~Services 7Manager).5 orExpand ~~later~~the ~~installed.~~left-hand Iftree aof ~~Web~~"IIS ~~Application Firewall (WAF)~~Manager", ~~and/or~~under ~~Load~~"Sites". ~~Balancer~~Expand ~~serves~~"Default asWeb ~~the~~Site" ~~user-connection~~to ~~endpoint,~~find ~~this~~the ~~system~~ArcGIS ~~must~~Web beAdaptor ~~deployed~~(IIS) onapplication. aBy ~~trusted~~default, ~~network~~the ~~behind~~ArcGIS ~~these~~Web ~~front-end~~Adaptor ~~technologies. On this system~~ (~~locally~~IIS), ~~perform~~is ~~the~~named ~~following~~"arcgis". ~~steps:~~Edit ~~Install~~ the ~~“ArcGIS~~authentication ~~Web~~property ~~Adaptor”~~for ~~Configure~~ the ~~“ArcGIS~~ Web Adaptor” ~~such~~>> ~~that~~Deselect ~~“Administration”~~"Anonymous isAuthentication" ~~enabled~~and ~~via~~select ~~the~~"Windows ~~Web Adaptor~~Authentication". ~~Enable~~Configure ~~Active~~ArcGIS ~~Directory~~Server ~~Client~~to ~~Certificate~~use ~~Authentication~~Windows ~~"To~~Users ~~map~~and ~~client~~Roles. ~~certificates~~Perform bythese ~~using~~steps ~~Active~~on ~~Directory~~any ~~mapping."~~system ~~Configure~~that ~~ArcGIS~~has ~~for~~TCP ~~Server~~443 access to ~~utilize~~the ~~Windows~~Web ~~Users~~Adaptor ~~and~~hosted ~~Roles~~system: Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager). (~~logon~~log on when prompted).) Navigate to the “"Security”" tab. Navigate to the “"Settings”" sub-tab. Edit “"Configuration Settings”" by clicking on the pencil icon. Select “"Users and roles from an existing enterprise system (LDAP or Windows Domain)”,", then click “"Next”.". Select “"Windows Domain”,", then click “"Next”.". Supply Active Directory credentials with privileges “"Logon To”" the system on which ArcGIS ~~for~~ Server is deployed, then click “"Next”.". Select “"Web Tier”" as the “"Authentication Tier”,", then click “Next” >> “Finish”..

Check Content

Review the ArcGIS ~~for~~ Server configuration to ensure the application recognizes only system -generated session identifiers. Substitute the target environment’s values for [bracketed] variables. 1. Navigate to [https://server.domain.com/arcgis]/admin/security/config (~~logon~~log on when prompted).) Verify the “"User Store Configuration”" value =is “set to "Type: Windows”.". If the “"User Store Configuration”" value is set to “"Type: Built-In”,", this is a finding. 2. Verify the “"Role Store Configuration”" value =is “set to "Type: Windows”.". If the “"Role ~~store~~Store Configuration”" value is set to “"Type: Built-In”,", this is a finding. 3. Verify the “"Authentication Tier”" value is set to “"WEB_ADAPTOR”.". If the “"Authentication Tier”" value is set to “"GIS_SERVER”,", this is a finding. This test requires the account performing the check to have "Administrator" privilege to the ArcGIS for Server site. This check can be performed remotely via HTTPS. This configuration is only valid when ArcGIS for Server has been deployed onto a Windows 2008 or later operating system that is a member of an Active Directory domain that disables identifiers that show more than 35 days of inactivity. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.