Free DISA STIG and SRG Library | Vaulted

ArcGIS for Server 10.3 Security Technical Implementation Guide

Version 1 Release 2
2017-07-28
U_ArcGIS_Server_10-3_STIG_V1R2_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (22)

The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates.

Finding ID
AGIS-00-000007
Rule ID
SV-79809r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000015
CCI
CCI-001453
Target Key
(None)
Documentable
No
Discussion

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

Fix Text

Configure the ArcGIS Server to ensure the application implements cryptographic mechanisms to protect the integrity of remote access sessions. Substitute the target environment’s values for [bracketed] variables. Navigate to IIS Manager >> [Default Website] >> Open "Bindings...". Click "Add..." Under "Type:", select "https". Select an organizationally approved SSL certificate to associate with the https binding. (If no SSL Certificate is available, refer to http://technet.microsoft.com/en-us/library/cc731977(v=ws.10).aspx for guidance on requesting and installing an Internet Server Certificate [IIS 7]). Navigate to IIS Manager >> [Default Website] >> SSL Settings. Check "Require SSL".

Check Content

Review the ArcGIS Server configuration to ensure the application implements cryptographic mechanisms to protect the integrity of remote access sessions. Substitute the target environment’s values for [bracketed] variables. 1. Navigate to IIS Manager >>> [Default Website] >> Open "Bindings..." Verify "https" is listed as a binding. If "https" is not identified as a binding, this is a finding. 2. Navigate to IIS Manager >> [Default Website] >> SSL Settings. Verify that "Require SSL" is checked. If "Require SSL" is not checked, this is a finding.

The ArcGIS Server must use Windows authentication for supporting account management functions.

Finding ID
AGIS-00-000009
Rule ID
SV-79813r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000023
CCI
CCI-001619
Target Key
(None)
Documentable
No
Discussion

Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended or terminated or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The application must be configured to automatically provide account management functions and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application itself or may be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be comprised of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage. Satisfies: SRG-APP-000023, SRG-APP-000025, SRG-APP-000026, SRG-APP-000065, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000171, SRG-APP-000173, SRG-APP-000174

Fix Text

Configure the ArcGIS Server to use Windows Domain authentication to support account management functions. Substitute the target environment’s values for [bracketed] variables. Configure the web adaptor so that "Administration" is enabled via the Web Adaptor. Open IIS Manager (click Start >> Control Panel >> Administrative Tools >> Internet Information Services Manager). Expand the left-hand tree of "IIS Manager", under "Sites". Expand "Default Web Site" to find the ArcGIS Web Adaptor (IIS) application. By default, the ArcGIS Web Adaptor (IIS) is named "arcgis". Edit the authentication property for the Web Adaptor >> Deselect "Anonymous Authentication" and select "Windows Authentication". Configure ArcGIS Server to use Windows Users and Roles. Perform these steps on any system that has TCP 443 access to the Web Adaptor hosted system: Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager) (log on when prompted). Navigate to the "Security" tab. Navigate to the "Settings" sub-tab. Edit "Configuration Settings" by clicking on the pencil icon. Select "Users and roles from an existing enterprise system (LDAP or Windows Domain)", then click "Next". Select "Windows Domain", then click "Next". Supply Active Directory credentials with privileges "Logon To" the system on which ArcGIS Server is deployed, then click "Next". Select "Web Tier" as the "Authentication Tier", then click Next >> Finish.

Check Content

Review the ArcGIS Server configuration to ensure Windows authentication is being used to support account management functions. Substitute the target environment’s values for [bracketed] variables. Verify ArcGIS Server is using Windows Users & Roles as its security store. 1. Navigate to [https://server.domain.com/arcgis]/admin/security/config (log on when prompted). Verify the "User Store Configuration" value is set to "Type: Windows". If the "User Store Configuration" value is set to "Type: Built-In", this is a finding. 2. Verify the "Role Store Configuration" value is set to "Type: Windows". If the "Role Store Configuration" value is set to "Type: Built-In", this is a finding.

The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Finding ID
AGIS-00-000016
Rule ID
SV-79875r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000033
CCI
CCI-001368
Target Key
(None)
Documentable
No
Discussion

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. This requirement is applicable to access control enforcement applications (e.g., authentication servers) and other applications that perform information and system access control functions. Satisfies: SRG-APP-000033, SRG-APP-000038, SRG-APP-000080, SRG-APP-000148, SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000158, SRG-APP-000163, SRG-APP-000172, SRG-APP-000176, SRG-APP-000177, SRG-APP-000178, SRG-APP-000180, SRG-APP-000190, SRG-APP-000220

Fix Text

Configure the ArcGIS Server to use Windows authentication to enforce approved authorizations for logical access to information system resources. Substitute the target environment’s values for [bracketed] variables. Configure the web adaptor so that "Administration" is enabled via the Web Adaptor. Open IIS Manager (click Start >> Control Panel >> Administrative Tools >> Internet Information Services Manager). Expand the left-hand tree of "IIS Manager", under "Sites". Expand "Default Web Site" to find the ArcGIS Web Adaptor (IIS) application. By default, the ArcGIS Web Adaptor (IIS) is named "arcgis". Edit the authentication property for the Web Adaptor >> Deselect "Anonymous Authentication" and select "Windows Authentication". Configure ArcGIS Server to use Windows Users and Roles. Perform these steps on any system that has TCP 443 access to the Web Adaptor hosted system: Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager) (log on when prompted). Navigate to the "Security" tab. Navigate to the "Settings" sub-tab. Edit "Configuration Settings" by clicking on the pencil icon. Select "Users and roles from an existing enterprise system (LDAP or Windows Domain)", then click "Next". Select "Windows Domain", then click "Next". Supply Active Directory credentials with privileges "Logon To" the system on which ArcGIS Server is deployed, then click "Next". Select "Web Tier" as the "Authentication Tier", then click Next >> Finish. On the system that hosts the ArcGIS Web Adaptor, open IIS Manager. Select the "[arcgis]" application >> SSL Settings >> Check "Require SSL" and "Require Client Certificates" >> Apply.

Check Content

Review the ArcGIS Server configuration to ensure Windows authentication is used to enforce approved authorizations for logical access to information system resources. Substitute the target environment’s values for [bracketed] variables. 1. Navigate to [https://server.domain.com/arcgis]/admin/security/config (log on when prompted). Verify the "User Store Configuration" value is set to "Type: Windows". If the "User Store Configuration" value is set to "Type: Built-In", this is a finding. 2. Verify the "Role Store Configuration" value is set to "Type: Windows". If the "Role Store Configuration" value is set to "Type: Built-In", this is a finding. 3. Verify the "Authentication Tier" value is set to "WEB_ADAPTOR". If the "Authentication Tier" value is set to "GIS_SERVER", this is a finding. 4. Open IIS Manager on the system that hosts the ArcGIS Web Adaptor. Select the "[arcgis]" application. Open "SSL Settings". Verify the "Client Certificates" property is set to "Require". If the "Client Certificates" property is not set to "Require", this is a finding.

The ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components.

Finding ID
AGIS-00-000026
Rule ID
SV-79883r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000089
CCI
CCI-002234
Target Key
(None)
Documentable
No
Discussion

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit records can be generated from various components within the application (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the application will provide an audit record generation capability as the following: (i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); (ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and (iii) All account creation, modification, disabling, and termination actions. Satisfies: SRG-APP-000089, SRG-APP-000016, SRG-APP-000027, SRG-APP-000028, SRG-APP-000029, SRG-APP-000091, SRG-APP-000095, SRG-APP-000097, SRG-APP-000098, SRG-APP-000099, SRG-APP-000100, SRG-APP-000226, SRG-APP-000319, SRG-APP-000343, SRG-APP-000381, SRG-APP-000492, SRG-APP-000493, SRG-APP-000494, SRG-APP-000495, SRG-APP-000496, SRG-APP-000497, SRG-APP-000498, SRG-APP-000499, SRG-APP-000500, SRG-APP-000501, SRG-APP-000502, SRG-APP-000503, SRG-APP-000504, SRG-APP-000505, SRG-APP-000507, SRG-APP-000508, SRG-APP-000509, SRG-APP-000510

Fix Text

Configure the ArcGIS Server to ensure mechanisms for providing audit record generation capability for DoD-defined auditable events within application components are provided. Substitute the target environment’s values for [bracketed] variables. Open "ArcGIS Server Manager" ([https://server.domain.com/arcgis]/manager) (log on when prompted). Navigate to the "Logs" tab. Open "Settings". Change the "Log Level" value to "VERBOSE", then click "Save".

Check Content

Review the ArcGIS Server configuration to ensure mechanisms for providing audit record generation capability for DoD-defined auditable events within application components are provided. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]/admin/logs/settings (log on when prompted). Verify the "Log Level" value is set to "VERBOSE". If this value is set to any value other than "VERBOSE", this is a finding.

The ArcGIS Server must protect audit information from any type of unauthorized read access, modification or deletion.

Finding ID
AGIS-00-000044
Rule ID
SV-79897r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000118
CCI
CCI-000164
Target Key
(None)
Documentable
No
Discussion

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. To ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access. This requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories. Additionally, applications with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Satisfies: SRG-APP-000118, SRG-APP-000119, SRG-APP-000120

Fix Text

Configure the ArcGIS Server to ensure mechanisms are provided that protect audit information from any type of unauthorized read access, modification or deletion. Substitute the target environment’s values for [bracketed] variables. Within Windows Explorer, access the "Security" (tab) property of the "[C:\arcgisserver]\logs" folder. Grant the "ArcGIS Server Account" full control of this folder. Remove any unauthorized accounts or groups from this folder.

Check Content

Review the ArcGIS Server configuration to ensure mechanisms are provided that protect audit information from any type of unauthorized read access, modification or deletion. Substitute the target environment’s values for [bracketed] variables. Within Windows Explorer, access the "Security" (tab) property of the "[C:\arcgisserver]\logs" folder. Verify only the "ArcGIS Server Account" has full control of this folder. Verify any other accounts that have read or other rights to this folder are authorized and documented. If unauthorized accounts have read or other rights to this folder, this is a finding.

The ArcGIS Server must be configured to disable non-essential capabilities.

Finding ID
AGIS-00-000054
Rule ID
SV-79903r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000141
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but cannot be disabled.

Fix Text

Configure the ArcGIS Server to ensure non-essential capabilities are disabled. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/system/handlers/rest/servicesdirectory (log on when prompted). Uncheck the value for "Services Directory Enabled". Click "Save".

Check Content

Review the ArcGIS Server configuration to ensure that non-essential capabilities are disabled. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/system/handlers/rest/servicesdirectory (log on when prompted). Verify that the "Services Directory" property is set to "Disabled". If the "Services Directory" property is set to "Enabled", this is a finding.

The ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

Finding ID
AGIS-00-000055
Rule ID
SV-79905r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000142
CCI
CCI-000382
Target Key
(None)
Documentable
No
Discussion

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services; however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Fix Text

Configure the ArcGIS Server to ensure the application prohibits or restricts the use of PPSM CAL defined ports, protocols, and/or services. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/security/config (log on when prompted). Browse to Update. Update the Protocol parameter to "HTTPS Only". Click "Save"/"Apply".

Check Content

Review the ArcGIS Server configuration to ensure the application prohibits or restricts the use of PPSM CAL defined ports, protocols, and/or services. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/security/config (log on when prompted). Verify the "Protocol" parameter is not set to "HTTP Only". If the "Protocol" parameter is set to "HTTP Only", this is a finding.

The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts.

Finding ID
AGIS-00-000062
Rule ID
SV-79919r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000156
CCI
CCI-002361
Target Key
(None)
Documentable
No
Discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. A non-privileged account is any operating system account with authorizations of a non-privileged user. Satisfies: SRG-APP-000156, SRG-APP-000157, SRG-APP-000295

Fix Text

Configure the ArcGIS Server to use replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the "[arcgis]" application >> Authentication >> enable "Windows Authentication". Within IIS >> within the "[arcgis]" application >> Authentication >> disable "Anonymous Authentication". Within IIS >> within the "[arcgis]" application >> Authentication >> Select "Windows Authentication" >> "Providers". Add/move "Negotiate" or "negotiate:Kerberos" to the top of the list. Remove or move "NTLM" to the bottom of the list.

Check Content

Review the ArcGIS Server configuration to ensure the application implements replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. 1. Within IIS >> within the "[arcgis]" application >> Authentication >> verify that "Windows Authentication" is "Enabled". 2. Verify that "Anonymous Authentication" is "Disabled". If "Windows Authentication" is not enabled, or "Anonymous Authentication" is enabled, this is a finding. 3. Within IIS >> within the ["arcgis"] application >> Authentication >> Select "Windows Authentication" >> "Providers". Verify "Negotiate" or "negotiate:Kerberos" are at the top of the list, with "NTLM" at the bottom of the list. If "NTLM" is at the top of the "Providers" list, this is a finding.

The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Finding ID
AGIS-00-000077
Rule ID
SV-79949r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000175
CCI
CCI-000185
Target Key
(None)
Documentable
No
Discussion

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used to for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.

Fix Text

Configure the ArcGIS Server to ensure PKI-based authenticated endpoints validate certificates by constructing a certification path. Substitute the target environment’s values for [bracketed] variables. On each GIS Server in the ArcGIS Server Site, left-shift + right-click on Internet Explorer >> Run as a different user >> log on using the "[ArcGIS Server]" account. Within Internet Explorer, click Tools >> Internet Options. Open the "Advanced" tab. Within the "Security" section, check "Check for publisher's certificate revocation". Within the "Security" section, check "Check for server certificate revocation". Restart the server. Access to the "[ArcGIS Server]" account is required to make this change.

Check Content

Review the ArcGIS Server configuration to ensure PKI-based authenticated endpoints validate certificates by constructing a certification path. Substitute the target environment’s values for [bracketed] variables. 1. On each GIS Server in the ArcGIS Server Site, left-shift + right-click on Internet Explorer >> Run as a different user >> log on using the "[ArcGIS Server]" account. Within Internet Explorer, click Tools >> Internet Options. Open the "Advanced" tab. Within the "Security" section, verify "Check for publisher's certificate revocation" is checked. If "Check for publisher's certificate revocation" is not checked, this is a finding. 2. Within the "Security" section, verify "Check for server certificate revocation" is checked. If "Check for server certificate revocation" is not checked, this is a finding. Access to the "[ArcGIS Server]" account is required to perform this check.

The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Finding ID
AGIS-00-000081
Rule ID
SV-79957r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000179
CCI
CCI-001188
Target Key
(None)
Documentable
No
Discussion

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified, and therefore cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised. Applications utilizing encryption are required to use FIPS compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Satisfies: SRG-APP-000179, SRG-APP-000014, SRG-APP-000219, SRG-APP-000224

Fix Text

Configure the ArcGIS Server to use DoD-approved encryption certificates. Substitute the target environment’s values for [bracketed] variables. Using the Primary Site Administrator account, log on to the ArcGIS Server Administrator Directory at https://[server.domain.com]:6443/arcgis/admin. Navigate to machines >> [machine name] >> sslcertificates. Click "importRootOrIntermediate", then import a DoD-approved/provided root certificate file. Click "importRootOrIntermediate", then import a DoD-approved/provided intermediate certificate file (if applicable.) Click "importExistingServerCertificate", then import the SSL server certificate (public key) and private key pair. In the "Certificate password" field, enter the password to unlock the file containing the SSL certificate. In the "Alias" field, enter a unique name that easily identifies the certificate. Click "Browse" to choose the .p12 or .pfx file that contains the SSL certificate and its private key. Click "Import" to import the SSL certificate. Browse to machines >> [machine name]. Click "edit". Enter the alias of the SSL certificate (public/private key pair) that was chosen above in the box for "Web server SSL Certificate". Click "Save Edits" to apply the change. Browse to security >> config >> update. Update the Protocol parameter to "HTTPS Only". On the ArcGIS Server, open the "[C:\Program Files\]ArcGIS\Server\framework\runtime\tomcat\conf\server.xml" file. Search the string <Connector SSLEnabled="true". Within the "Connector" tag, add the following parameters (substitute DoD-approved ciphers for [bracketed] variables): sslProtocol="TLS" ciphers="[DoD-approved cipher], [DoD-approved cipher], [DoD-approved cipher...]" A list of all possible cipher values is located here: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES An example of a valid configuration is provided below: <Connector SSLEnabled="true" clientAuth="false" keyAlias="MyValidCertificate" keystoreFile="C:\arcgisserver\config-store\machines\SERVER.DOMAIN.COM\arcgis.keystore" keystorePass="password" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/> For each GIS Server system and each Web Adaptor system, apply the Local Policy or Group Policy: Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" is set to "Enabled".

Check Content

Review the ArcGIS Server configuration to verify that DoD-approved encryption certificates are in place. Substitute the target environment’s values for [bracketed] variables. 1. Using the Primary Site Administrator account, log on to the ArcGIS Server Administrator Directory at https://[server.domain.com]:6443/arcgis/admin (log on when prompted). 2. Browse to machines >> [machine name] >> click "edit". Verify that the name of the SSL certificate listed in the box for "Web server SSL Certificate" is not set to "SelfSignedCertificate". If the name of the SSL certificate listed in the box for "Web server SSL Certificate" is set to "SelfSignedCertificate", this is a finding. 3. Browse to security >> config. Verify "Protocol" parameter is not set to "HTTP Only". If the "Protocol" parameter is set to "HTTP Only", this is a finding. 4. On the ArcGIS Server, open the "[C:\Program Files\]ArcGIS\Server\framework\runtime\tomcat\conf\server.xml" file. Search for the parameter "ciphers=". Verify the property of the "ciphers=" parameter is set to DoD-approved cipher suite value(s). A list of all possible values is located here: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES. An example of a valid configuration is provided below: <Connector SSLEnabled="true" clientAuth="false" keyAlias="MyValidCertificate" keystoreFile="C:\arcgisserver\config-store\machines\SERVER.DOMAIN.COM\arcgis.keystore" keystorePass="password" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/> If the "ciphers" parameter is not found, this is a finding. If the "ciphers" parameter contains any non-DoD-approved ciphers, this is a finding. 5. On each GIS Server system and on each Web Adaptor system, run the command "rsop" as Administrator on the Windows Command line. Within the "Resultant Set of Policy" results, verify Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use "FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" is set to "Enabled". If "Use FIPS 140 compliant System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" is not set to "Enabled", this is a finding.

The ArcGIS Server must recognize only system-generated session identifiers.

Finding ID
AGIS-00-000098
Rule ID
SV-79967r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000223
CCI
CCI-001664
Target Key
(None)
Documentable
No
Discussion

Applications utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier, or can inject or manually insert session information, the session may be compromised. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).

Fix Text

Configure the ArcGIS Server to ensure the application recognizes only system-generated session identifiers. Substitute the target environment’s values for [bracketed] variables. Configure the web adaptor so that "Administration" is enabled via the Web Adaptor. Open IIS Manager (click Start >> Control Panel >> Administrative Tools >> Internet Information Services Manager). Expand the left-hand tree of "IIS Manager", under "Sites". Expand "Default Web Site" to find the ArcGIS Web Adaptor (IIS) application. By default, the ArcGIS Web Adaptor (IIS) is named "arcgis". Edit the authentication property for the Web Adaptor >> Deselect "Anonymous Authentication" and select "Windows Authentication". Configure ArcGIS Server to use Windows Users and Roles. Perform these steps on any system that has TCP 443 access to the Web Adaptor hosted system: Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager) (log on when prompted). Navigate to the "Security" tab. Navigate to the "Settings" sub-tab. Edit "Configuration Settings" by clicking on the pencil icon. Select "Users and roles from an existing enterprise system (LDAP or Windows Domain)", then click "Next". Select "Windows Domain", then click "Next". Supply Active Directory credentials with privileges "Logon To" the system on which ArcGIS Server is deployed, then click "Next". Select "Web Tier" as the "Authentication Tier", then click Next >> Finish.

Check Content

Review the ArcGIS Server configuration to ensure the application recognizes only system-generated session identifiers. Substitute the target environment’s values for [bracketed] variables. 1. Navigate to [https://server.domain.com/arcgis]/admin/security/config (log on when prompted). Verify the "User Store Configuration" value is set to "Type: Windows". If the "User Store Configuration" value is set to "Type: Built-In", this is a finding. 2. Verify the "Role Store Configuration" value is set to "Type: Windows". If the "Role Store Configuration" value is set to "Type: Built-In", this is a finding. 3. Verify the "Authentication Tier" value is set to "WEB_ADAPTOR". If the "Authentication Tier" value is set to "GIS_SERVER", this is a finding.

The ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information.

Finding ID
AGIS-00-000102
Rule ID
SV-79973r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000231
CCI
CCI-001199
Target Key
(None)
Documentable
No
Discussion

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices, laptops, desktops, and storage devices can be either lost or stolen, and the contents of their data storage (e.g., hard drives and non-volatile memory) can be read, copied, or altered. Applications and application users generate information throughout the course of their application use. This requirement addresses protection of user-generated data, as well as, operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.

Fix Text

Configure the ArcGIS Server to ensure mechanisms that protect the confidentiality and integrity of all information at rest are provided. Substitute the target environment’s values for [bracketed] variables. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/fileShares ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "path" value. For example, "path": "\\[server.domain.com\share". Implement FIPS 140-2 compliant encryption at rest (such as BitLocker full disk encryption) on each infrastructure system that supplies each file path. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/enterpriseDatabases ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "info" values "SERVER", "DBCLIENT", and "DATABASE", for example: 'SERVER=dbserver', 'DBCLIENT=sqlserver', 'DATABASE=vtest'; Implement FIPS 140-2 compliant encryption at rest such as through the use of SQL Server TDE (Transparent Data Encryption) on each "SERVER", "DBCLIENT", and "DATABASE" entry identified above.

Check Content

Review the ArcGIS Server configuration to ensure mechanisms that protect the confidentiality and integrity of all information at rest are provided. Substitute the target environment’s values for [bracketed] variables. 1. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/fileShares ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "path" value. For example, "path": "\\[server.domain.com\share". Verify the infrastructure system(s) that supply each path implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption. If any infrastructure system(s) that supply each path do not implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption, this is a finding. 2. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/enterpriseDatabases ("Primary Site Administrator" account access is required.) Open each "Child Items" entry >> click "Edit". Note the "info" values "SERVER", "DBCLIENT", and "DATABASE", for example: 'SERVER=dbserver', 'DBCLIENT=sqlserver', 'DATABASE=vtest'; Verify on each "SERVER", "DBCLIENT", and "DATABASE", that these systems implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption). If any "SERVER", "DBCLIENT", and "DATABASE" do not implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption), this is a finding.

The ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled.

Finding ID
AGIS-00-000104
Rule ID
SV-79975r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000234
CCI
CCI-001682
Target Key
(None)
Documentable
No
Discussion

Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency account is normally a different account which is created for use by vendors or system maintainers. To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Fix Text

Configure the ArcGIS Server to ensure emergency accounts are never automatically removed or disabled. Substitute the target environment’s values for [bracketed] variables. Log on to the ArcGIS Server Administrator Directory ([https://[server.domain.com])/arcgis/admin) with an account that has administrative access. Navigate to security >> psa >> enable to enable the "Primary Site Administrator" account.

Check Content

Review the ArcGIS Server configuration to ensure emergency accounts are never automatically removed or disabled. Substitute the target environment’s values for [bracketed] variables. Log on to the ArcGIS Server Administrator Directory ([https://[server.domain.com])/arcgis/admin) (log on when promoted) with an account that has administrative access. Navigate to security >> psa. Verify that the Primary Site Administrator account has not been disabled. If the "Primary Site Administrator" account has been disabled, this is a finding.

The ArcGIS Server must reveal error messages only to the ISSO, ISSM, and SA.

Finding ID
AGIS-00-000111
Rule ID
SV-79977r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000267
CCI
CCI-001314
Target Key
(None)
Documentable
No
Discussion

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the application. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Fix Text

Configure the ArcGIS Server to ensure the application reveals error messages only to authorized personnel. Substitute the target environment’s values for [bracketed] variables. Edit the file system Security Properties of [C:\arcgisserver\logs]. Remove unauthorized user accounts and groups. Do not remove the SYSTEM account, [ArcGIS Server] account, or log agent accounts that support SIEM operations. Revoke "Publisher" and "Administrator ArcGIS Server" roles from unauthorized accounts. Log on to ArcGIS Server Manager >> navigate to Security >> Roles >> locate and edit the "Publisher" role. Remove any unauthorized users from the "Publisher" role. Log on to ArcGIS Server Manager >> navigate to Security >> Roles >> locate and edit the "Administrator" role. Remove any unauthorized users from the "Administrator" role.

Check Content

Review the ArcGIS Server configuration to ensure the application reveals error messages only to authorized personnel. Substitute the target environment’s values for [bracketed] variables. 1. Inspect the Security Properties of the [C:\arcgisserver\logs] folder. Verify that the [ArcGIS Server] account has full control of the folder and only authorized personnel have access to the folder. 2. Log on to ArcGIS Server Manager >> Security >> Roles >> Publisher. Verify that only [authorized personnel accounts] are granted this role. 3. Log on to ArcGIS Server Manager >> Security >> Roles >> Administrator (log on when prompted.) Verify that only [authorized personnel accounts] are granted this role. Verify any other accounts that have read or other rights to this folder are authorized and documented. If unauthorized accounts have read or other rights to this folder, this is a finding.

The ArcGIS Server must enforce access restrictions associated with changes to application configuration.

Finding ID
AGIS-00-000164
Rule ID
SV-79989r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000380
CCI
CCI-001813
Target Key
(None)
Documentable
No
Discussion

Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application components for the purposes of initiating changes, including upgrades and modifications. Logical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Fix Text

Configure the ArcGIS Server to enforce access restrictions associated with changes to application configuration. Substitute the target environment’s values for [bracketed] variables. Log on to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager]) (log on when prompted) >> Security >> Roles >> "Administrator" role. Remove unauthorized personnel from the "Administrator" role.

Check Content

Review the ArcGIS Server configuration to ensure the application enforces access restrictions associated with changes to application configuration. Substitute the target environment’s values for [bracketed] variables. Log on to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager]) (log on when prompted) >> Security >> Roles >> "Administrator" role. Verify that only authorized personnel are listed as members of the "Administrator" role. If unauthorized personnel are members of the "Administrator" role, this is a finding.

The organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure.

Finding ID
AGIS-00-000166
Rule ID
SV-79993r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000383
CCI
CCI-001762
Target Key
(None)
Documentable
No
Discussion

In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services; however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.

Fix Text

Configure the ArcGIS Server to ensure organization-defined unnecessary or insecure ports, functions, and services are disabled. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/security/config (log on when prompted). Browse to Update. Update the Protocol parameter to "HTTPS Only". Click "Save"/"Apply".

Check Content

Review the ArcGIS Server configuration to ensure that organization-defined unnecessary or insecure ports, functions, and services are disabled. Substitute the target environment’s values for [bracketed] variables. Navigate to [https://server.domain.com/arcgis]admin/security/config (log on when prompted). Verify the "Protocol" parameter is not set to "HTTP Only". If the "Protocol" parameter is set to "HTTP Only", this is a finding.

The ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials.

Finding ID
AGIS-00-000171
Rule ID
SV-79999r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000391
CCI
CCI-001954
Target Key
(None)
Documentable
No
Discussion

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems. Satisfies: SRG-APP-000391, SRG-APP-000392

Fix Text

Configure the ArcGIS Server to accept Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the "[arcgis]" application >> Authentication >> enable "Windows Authentication". Within IIS >> within the "[arcgis]" application >> Authentication >> disable "Anonymous Authentication". Within IIS >> within the "[arcgis]" application >> SSL Settings >> set "Client Certificates:" to "Accept" or "Require".

Check Content

Review the ArcGIS Server configuration to ensure that the application accepts Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables. 1. Within IIS >> within the "[arcgis]" application >> Authentication >> verify that "Windows Authentication" is "Enabled". Verify that "Anonymous Authentication" is "Disabled". If "Windows Authentication" is not enabled, or "Anonymous Authentication" is enabled, this is a finding. 2. Within IIS >> within the "[arcgis]" application >> SSL Settings >> verify the setting "Client Certificates:" is set to "Accept" or "Require". If "Client Certificates:" is set to "Ignore", this is a finding.

The ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

Finding ID
AGIS-00-000174
Rule ID
SV-80005r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000395
CCI
CCI-002238
Target Key
(None)
Documentable
No
Discussion

Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide authentication decisions (as opposed to the actual authenticators) to the services that need to act on those decisions. A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Because of the challenges of applying this requirement of a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. Satisfies: SRG-APP-000395, SRG-APP-000317, SRG-APP-000345, SRG-APP-000389, SRG-APP-000390, SRG-APP-000394

Fix Text

Configure the ArcGIS Server to authenticate all network-connected endpoint devices before establishing any connection using bidirectional authentication that is cryptographically based. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the "[arcgis]" application >> Authentication >> enable "Windows Authentication". Within IIS >> within the "[arcgis]" application >> Authentication >> disable "Anonymous Authentication".

Check Content

Review the ArcGIS Server configuration to ensure the application authenticates all network-connected endpoint devices before establishing any connection using bidirectional authentication that is cryptographically based. Substitute the target environment’s values for [bracketed] variables. 1. Within IIS >> within the "[arcgis]" application >> Authentication >> verify that "Windows Authentication" is "Enabled". 2. Verify that "Anonymous Authentication" is "Disabled". If "Windows Authentication" is not enabled, or "Anonymous Authentication" is enabled, this is a finding.

The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Finding ID
AGIS-00-000187
Rule ID
SV-80007r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000416
CCI
CCI-002450
Target Key
(None)
Documentable
No
Discussion

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-APP-000416, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000514

Fix Text

Configure the ArcGIS Server to implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the "[arcgis]" application >> SSL Settings >> check "Require SSL".

Check Content

Review the ArcGIS Server configuration to ensure the application implements NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the "[arcgis]" application >> SSL Settings >> verify that "Require SSL" is checked. If "Require SSL" is not checked, this is a finding. Note: To comply with this control, the Active Directory domain on which the ArcGIS Server and the IIS system are deployed must implement policies that enforce FIPS 140-2 compliance.

The ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions.

Finding ID
AGIS-00-000194
Rule ID
SV-80009r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000427
CCI
CCI-002470
Target Key
(None)
Documentable
No
Discussion

Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).

Fix Text

Configure the ArcGIS Server to only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. Substitute the target environment’s values for [bracketed] variables. Use a Java-compatible tool to access the Java keystore at [C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts]. The password for the keystore is "changeit". Remove any non-DoD-approved certificates. Log on to the machine hosting ArcGIS Server. Open Certificate Manager. (You can do this by clicking the "Start" button, then typing "certmgr.msc" into the "Search" box, and pressing the "ENTER" key.) In the "Certificate Manager" window, click "Trusted Root Certificate Authorities", then click "Certificates". Remove any non-DoD-approved certificates. Use a Java-compatible tool to access the Java Keystore at [C:\arcgisserver\config-store\machines\machine_name\arcgis.keystore]. The password is the value of the "password" field within the [C:\arcgisserver\config-store\security\super\super.json] file. Remove any non-DoD-approved certificates.

Check Content

Review the ArcGIS Server configuration to ensure the application only allows the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions. Substitute the target environment’s values for [bracketed] variables. 1. Use a Java-compatible tool to access the java keystore at [C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts]. The password for the keystore is "changeit". Verify that the Java Keystore [C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts] does not contain any non-DoD-approved certificates. If any non-DoD-approved certificate authorities are listed as trusted, this is a finding. 2. Log on to the machine hosting ArcGIS Server. Open Certificate Manager. (You can do this by clicking the "Start" button, typing "certmgr.msc" into the "Search" box, and pressing the "ENTER" key.) In the "Certificate Manager" window, click "Trusted Root Certificate Authorities", then click" Certificates". Verify that the Windows Keystore does not contain any non-DoD-approved certificates. If any non-DoD-approved certificate authorities are listed as trusted, this is a finding. 3. Use a Java-compatible tool to access the Java Keystore at [C:\arcgisserver\config-store\machines\machine_name\arcgis.keystore]. The password is the value of the "password" field within the [C:\arcgisserver\config-store\security\super\super.json] file. Verify that the Java Keystore [C:\arcgisserver\config-store\machines\machine_name\arcgis.keystore] does not contain any non-DoD-approved certificates. If any non-DoD-approved certificate authorities are listed as trusted, this is a finding.

The ArcGIS Server must maintain a separate execution domain for each executing process.

Finding ID
AGIS-00-000197
Rule ID
SV-80011r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000431
CCI
CCI-002530
Target Key
(None)
Documentable
No
Discussion

Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. An example is a web browser with process isolation that provides tabs that are separate processes using separate address spaces to prevent one tab crashing the entire browser. 

Fix Text

Configure the ArcGIS Server to ensure all published services maintain a separate execution domain for each process. Substitute the target environment’s values for [bracketed] variables. In PowerShell, run the following command, replacing the [bracketed] values with the path of the ArcGIS Server Site "config-store": Get-ChildItem -recurse [C:\arcgisserver\]config-store\services\*.json | Select-String -pattern "`"isolationLevel`": `"LOW`"" Stop ArcGIS Server, then replace the "LOW" with "HIGH" in all found files.

Check Content

Review the ArcGIS Server configuration to ensure all published services maintain a separate execution domain for each process. Substitute the target environment’s values for [bracketed] variables. In PowerShell, run the following command, replacing the [bracketed] values with the path of the ArcGIS Server Site "config-store": Get-ChildItem -recurse [C:\arcgisserver\]config-store\services\*.json | Select-String -pattern "`"isolationLevel`": `"LOW`"" If any values are returned, this is a finding.

The ArcGIS Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

Finding ID
AGIS-00-000247
Rule ID
SV-80059r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000516
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.

Fix Text

Deploy ArcGIS Server onto a Windows 2008 R2 or Windows 2012 R2 Active Directory Member server that aligns to the Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide or Windows Server 2008 R2 Member Server Security Technical Implementation Guide (respectively).

Check Content

Review the ArcGIS Server configuration to ensure it is deployed onto a Windows 2008 R2 or Windows 2012 R2 Active Directory Member server upon which the Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide or Windows Server 2008 R2 Member Server Security Technical Implementation Guide has been applied (respectively). If the server on which ArcGIS Server is deployed is not a Windows 2008 R2 or Windows 2012 R2 Active Directory member server which has the Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide or Windows Server 2008 R2 Member Server Security Technical Implementation Guide has been applied (respectively), this is a finding.