STIGQter: STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 26 Jan 2018

The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

DISA Rule

SV-79949r1_rule

Vulnerability Number

V-65459

Group Title

SRG-APP-000175

Rule Version

AGIS-00-000077

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the ArcGIS Server to ensure PKI-based authenticated endpoints validate certificates by constructing a certification path. Substitute the target environment’s values for [bracketed] variables.

On each GIS Server in the ArcGIS Server Site, left-shift + right-click on Internet Explorer >> Run as a different user >> log on using the "[ArcGIS Server]" account.

Within Internet Explorer, click Tools >> Internet Options.

Open the "Advanced" tab. Within the "Security" section, check "Check for publisher's certificate revocation".

Within the "Security" section, check "Check for server certificate revocation".

Restart the server.

Access to the "[ArcGIS Server]" account is required to make this change.

Check Contents

Review the ArcGIS Server configuration to ensure PKI-based authenticated endpoints validate certificates by constructing a certification path. Substitute the target environment’s values for [bracketed] variables.

1. On each GIS Server in the ArcGIS Server Site, left-shift + right-click on Internet Explorer >> Run as a different user >> log on using the "[ArcGIS Server]" account.

Within Internet Explorer, click Tools >> Internet Options.

Open the "Advanced" tab. Within the "Security" section, verify "Check for publisher's certificate revocation" is checked.

If "Check for publisher's certificate revocation" is not checked, this is a finding.

2. Within the "Security" section, verify "Check for server certificate revocation" is checked.

If "Check for server certificate revocation" is not checked, this is a finding.

Access to the "[ArcGIS Server]" account is required to perform this check.
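
The two checkbox checks above can also be read from the registry in a PowerShell session started as the "[ArcGIS Server]" account. This is an added example, not part of the STIG text; the registry locations and the `0x200` flag are assumptions about how Windows stores these Internet Options settings and are not stated on this page.

```powershell
# Added example, not part of the STIG. Run as the "[ArcGIS Server]" account:
# both settings are per-user (HKCU), so another account's result proves nothing.
# Assumption: the two Internet Options checkboxes are backed by the values below.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pubKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$IgnoreRevocationBit = 0x200   # set in "State" when publisher revocation checking is off

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Result {
    param([string]$Check, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Account = $env:USERNAME; Check = $Check; Status = $Status; Detail = $Detail }
}

$results = @()

# "Check for server certificate revocation": CertificateRevocation = 1 when checked.
$server = Get-RegValue -Path $inetKey -Name 'CertificateRevocation'
$name = 'Check for server certificate revocation'
if ($null -eq $server) {
    $results += New-Result $name 'Undetermined' 'Value not present; verify in Internet Options'
} elseif ($server -eq 1) {
    $results += New-Result $name 'NotAFinding' 'CertificateRevocation = 1'
} else {
    $results += New-Result $name 'Finding' "CertificateRevocation = $server"
}

# "Check for publisher's certificate revocation": bit 0x200 of State must be clear.
$state = Get-RegValue -Path $pubKey -Name 'State'
$name = "Check for publisher's certificate revocation"
if ($null -eq $state) {
    $results += New-Result $name 'Undetermined' 'Value not present; verify in Internet Options'
} elseif (($state -band $IgnoreRevocationBit) -eq 0) {
    $results += New-Result $name 'NotAFinding' ('State = 0x{0:X}' -f $state)
} else {
    $results += New-Result $name 'Finding' ('State = 0x{0:X}' -f $state)
}

$results | Format-Table -AutoSize
# Non-zero exit code if anything is a finding or could not be determined.
if ($results | Where-Object { $_.Status -ne 'NotAFinding' }) { exit 1 }
```

The script reads only the per-user values; the Internet Options dialog remains the check the STIG specifies, so treat an "Undetermined" row as a prompt to inspect the dialog.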

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2961
