STIGQter: STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 26 Jan 2018:

The ArcGIS Server must use Windows authentication for supporting account management functions.

DISA Rule

SV-79813r2_rule

Vulnerability Number

V-65323

Group Title

SRG-APP-000023

Rule Version

AGIS-00-000009

Severity

CAT I

CCI(s)

• CCI-000015 - The organization employs automated mechanisms to support the information system account management functions.
• CCI-000017 - The information system automatically disables inactive accounts after an organization-defined time period.
• CCI-000018 - The information system automatically audits account creation actions.
• CCI-000044 - The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
• CCI-000192 - The information system enforces password complexity by the minimum number of upper case characters used.
• CCI-000193 - The information system enforces password complexity by the minimum number of lower case characters used.
• CCI-000194 - The information system enforces password complexity by the minimum number of numeric characters used.
• CCI-000195 - The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.
• CCI-000196 - The information system, for password-based authentication, stores only cryptographically-protected passwords.
• CCI-000198 - The information system enforces minimum password lifetime restrictions.
• CCI-000199 - The information system enforces maximum password lifetime restrictions.
• CCI-000200 - The information system prohibits password reuse for the organization-defined number of generations.
• CCI-000205 - The information system enforces minimum password length.
• CCI-001619 - The information system enforces password complexity by the minimum number of special characters used.

Weight

10

Fix Recommendation

Configure ArcGIS for Server to provide mechanisms for supporting account management functions. Substitute the target environment’s values for [bracketed] variables.

Configure ArcGIS for Server to utilize a Windows Domain for User and Role Management. Note: This procedure will disrupt existing systems connected to ArcGIS for Server:

Identify a system that will serve as the service endpoint for the ArcGIS for Server environment. This must be an Active Directory joined Windows 2008 R2 system with IIS 7.5 or later installed. If a Web Application Firewall (WAF), and/or Load Balancer serves as the user-connection endpoint, this system must be deployed on a trusted network behind these front-end technologies.

On this system (locally), perform the following steps:
Install the “ArcGIS Web Adaptor”.
Configure the “ArcGIS Web Adaptor” such that “Administration” is enabled via the Web Adaptor.

Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping."

Configure ArcGIS for Server to utilize Windows Users and Roles:

Navigate to ArcGIS Server Manager ([https://server.domain.com/arcgis]/manager). (logon when prompted.)
Navigate to the “Security” tab.
Navigate to the “Settings” sub-tab.
Edit “Configuration Settings” by clicking on the pencil icon.

Select “Users and roles from an existing enterprise system (LDAP or Windows Domain)”, then click “Next”.
Select “Windows Domain”, then click “Next”.
Supply Active Directory credentials with privileges “Logon To” the system on which ArcGIS for Server is deployed, then click “Next”.
Select “Web Tier” as the “Authentication Tier”, then click “Next” >> “Finish”.

Check Contents

Review the ArcGIS for Server configuration to ensure mechanisms for supporting account management functions are provided. Substitute the target environment’s values for [bracketed] variables.

Verify ArcGIS for Server is utilizing Windows Users & Roles as its security store.

Navigate to [https://server.domain.com/arcgis]/admin/security/config (logon when prompted.)
Verify the “User Store Configuration” value = “Type: Windows”.
If the “User Store Configuration” value is set to “Type: Built-In”, this is a finding.

Verify the “Role Store Configuration” value = “Type: Windows”.
If the “Role store Configuration” value is set to “Type: Built-In”, this is a finding.

If the "Type" parameter of the "User Store Configuration" or "Role Store Configuration" is set to "Built-In", this is a finding.

This test requires the account performing the check to have "Administrator" privilege to the ArcGIS for Server site. This check can be performed remotely via HTTPS. This configuration is only valid when ArcGIS for Server has been deployed onto a Windows 2008 or later operating system that is a member of an Active Directory domain.

This control is not applicable for ArcGIS Server deployments configured to allow anonymous access.

This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Vulnerability Number

V-65323

Documentable

False

Rule Version

AGIS-00-000009

Severity Override Guidance

Review the ArcGIS for Server configuration to ensure mechanisms for supporting account management functions are provided. Substitute the target environment’s values for [bracketed] variables.

Verify ArcGIS for Server is utilizing Windows Users & Roles as its security store.

Navigate to [https://server.domain.com/arcgis]/admin/security/config (logon when prompted.)
Verify the “User Store Configuration” value = “Type: Windows”.
If the “User Store Configuration” value is set to “Type: Built-In”, this is a finding.

Verify the “Role Store Configuration” value = “Type: Windows”.
If the “Role store Configuration” value is set to “Type: Built-In”, this is a finding.

If the "Type" parameter of the "User Store Configuration" or "Role Store Configuration" is set to "Built-In", this is a finding.

This test requires the account performing the check to have "Administrator" privilege to the ArcGIS for Server site. This check can be performed remotely via HTTPS. This configuration is only valid when ArcGIS for Server has been deployed onto a Windows 2008 or later operating system that is a member of an Active Directory domain.

This control is not applicable for ArcGIS Server deployments configured to allow anonymous access.

This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Check Content Reference

M

Target Key

2961

Comments