STIGQter: STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 26 Jan 2018:

The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

DISA Rule

SV-80007r2_rule

Vulnerability Number

V-65517

Group Title

SRG-APP-000416

Rule Version

AGIS-00-000187

Severity

CAT I

CCI(s)

• CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
• CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
• CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
• CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
• CCI-002450 - The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Weight

10

Fix Recommendation

Configure the ArcGIS Server to implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the "[arcgis]" application >> SSL Settings >> check "Require SSL".

Check Contents

Review the ArcGIS Server configuration to ensure the application implements NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the [“arcgis”] application >> SSL Settings >> Verify that “Require SSL” is checked.
If “Require SSL” is not checked, this is a finding.

Note: To comply with this control, the Active Directory domain on which the ArcGIS Server and the IIS system are deployed must implement policies which enforce FIPS 140-2 compliance.

This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates.)

This control is not applicable for ArcGIS Servers which are not deployed with the ArcGIS Web Adapter component.

Vulnerability Number

V-65517

Documentable

False

Rule Version

AGIS-00-000187

Severity Override Guidance

Review the ArcGIS Server configuration to ensure the application implements NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the [“arcgis”] application >> SSL Settings >> Verify that “Require SSL” is checked.
If “Require SSL” is not checked, this is a finding.

Note: To comply with this control, the Active Directory domain on which the ArcGIS Server and the IIS system are deployed must implement policies which enforce FIPS 140-2 compliance.

This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates.)

This control is not applicable for ArcGIS Servers which are not deployed with the ArcGIS Web Adapter component.

Check Content Reference

M

Target Key

2961

Comments