STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 26 Jan 2018

The organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure.

DISA Rule

SV-79993r2_rule

Vulnerability Number

V-65503

Group Title

SRG-APP-000383

Rule Version

AGIS-00-000166

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the ArcGIS Server to ensure organization-defined unnecessary or insecure ports, functions, and services are disabled. Substitute the target environment’s values for [bracketed] variables.

Navigate to https://[server.domain.com]/arcgis/admin/security/config (log on when prompted).

Browse to Update. Update the Protocol parameter to "HTTPS Only".

Click "Save"/"Apply".

Check Contents

Review the ArcGIS for Server configuration to ensure that organization-defined unnecessary or insecure ports, functions, and services are disabled. Substitute the target environment’s values for [bracketed] variables.

Using an ArcGIS Server account that is a member of the ArcGIS Server Administrator role, log on to the ArcGIS Server Administrator Directory at https://[server.domain.com:6443]/arcgis/admin.
Browse to “security” >> “config”.
Verify that the “Protocol” parameter is not set to “HTTP Only”.
If the “Protocol” parameter is set to “HTTP Only”, this is a finding.

This control is not applicable to ArcGIS Servers deployed as part of a solution that ensures user web service traffic flows through third-party DoD-compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates).
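The check above, as an added example that is not part of the STIG or of STIGQter: a Python script that reads the Protocol value from the Administrator Directory's security config and returns the rule's outcome, including the load-balancer exception. It assumes the Administrator Directory serves JSON at /arcgis/admin/security/config when given f=json and a token, and that the Protocol field uses the values HTTP, HTTPS and HTTP_AND_HTTPS for the UI labels "HTTP Only", "HTTPS Only" and "HTTP and HTTPS"; both are assumptions, not taken from this page.

```python
"""Added example (not from the STIG or STIGQter): evaluate AGIS-00-000166.

Assumptions: the Administrator Directory returns JSON from
/arcgis/admin/security/config with f=json plus a token, and the "Protocol"
field holds HTTP, HTTPS or HTTP_AND_HTTPS (assumed REST spellings of the UI
labels "HTTP Only", "HTTPS Only", "HTTP and HTTPS").
"""
import json
import ssl
import urllib.parse
import urllib.request


def evaluate_protocol(security_config: dict, tls_offloaded: bool = False) -> str:
    """Return 'NotApplicable', 'NotAFinding', 'Open' or 'Undetermined'."""
    if tls_offloaded:
        # Traffic already passes through a DoD-compliant TLS device
        # (e.g. a load balancer), so the rule does not apply.
        return "NotApplicable"
    protocol = str(security_config.get("Protocol", "")).upper()
    if protocol == "HTTP":
        return "Open"  # "HTTP Only" is the finding condition in the check
    if protocol in ("HTTPS", "HTTP_AND_HTTPS"):
        return "NotAFinding"  # only "HTTP Only" is a finding for this rule
    return "Undetermined"  # missing or unrecognised value: review by hand


def fetch_security_config(admin_base_url: str, token: str) -> dict:
    """GET https://[server.domain.com:6443]/arcgis/admin/security/config?f=json."""
    query = urllib.parse.urlencode({"f": "json", "token": token})
    url = f"{admin_base_url.rstrip('/')}/security/config?{query}"
    # Default context verifies the server certificate; do not disable it.
    with urllib.request.urlopen(url, context=ssl.create_default_context()) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real server).
SAMPLE_HTTP_ONLY = json.loads('{"Protocol": "HTTP", "authenticationTier": "GIS_SERVER"}')
SAMPLE_HTTPS_ONLY = json.loads('{"Protocol": "HTTPS", "authenticationTier": "GIS_SERVER"}')

if __name__ == "__main__":
    for name, cfg in (("http-only", SAMPLE_HTTP_ONLY), ("https-only", SAMPLE_HTTPS_ONLY)):
        print(f"{name}: {evaluate_protocol(cfg)}")
```

To run against a live server, obtain a token from the Administrator Directory and pass fetch_security_config("https://[server.domain.com:6443]/arcgis/admin", token) to evaluate_protocol.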

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2961

Comments