STIGQter: STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 26 Jan 2018:

The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts.

DISA Rule

SV-79919r2_rule

Vulnerability Number

V-65429

Group Title

SRG-APP-000156

Rule Version

AGIS-00-000062

Severity

CAT II

CCI(s)

• CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
• CCI-001942 - The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

Configure ArcGIS for Server to utilize replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables.

Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping."

Check Contents

Review the ArcGIS for Server configuration to ensure that the application implements replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”.
Verify that “Anonymous Authentication” is “Disabled”.
If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding.

Within IIS >> within the [“arcgis”] application >> Authentication >> Select “Windows Authentication” >> “Providers”.
Verify “Negotiate” or “Negotate:Kerberos” are at the top of the list, with NTLM at the bottom of the list.
If “NTLM” is at the top of the “Providers” list, this is a finding.

This control is not applicable for ArcGIS Server deployments configured to allow anonymous access.

This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Vulnerability Number

V-65429

Documentable

False

Rule Version

AGIS-00-000062

Severity Override Guidance

Review the ArcGIS for Server configuration to ensure that the application implements replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”.
Verify that “Anonymous Authentication” is “Disabled”.
If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding.

Within IIS >> within the [“arcgis”] application >> Authentication >> Select “Windows Authentication” >> “Providers”.
Verify “Negotiate” or “Negotate:Kerberos” are at the top of the list, with NTLM at the bottom of the list.
If “NTLM” is at the top of the “Providers” list, this is a finding.

This control is not applicable for ArcGIS Server deployments configured to allow anonymous access.

This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Check Content Reference

M

Target Key

2961

Comments