Internet security overview

ArcGIS Server enables you to secure your Web applications and Web services. This section primarily addresses how to restrict access for applications and services to authorized users. Of course, other security issues apply to your ArcGIS Server system, such as the accounts used by ArcGIS Server to access data, security for code that executes on your server, and physical security of the equipment. See Ways to implement security for additional information on security with ArcGIS Server.

With ArcGIS Server, you can manage security for your Web services and Web applications. The key tasks for security that you need to perform are the following:

A later section, Common configurations for security for ArcGIS Server services, summarizes the options. You can use Manager for most of these tasks. More information about each task is provided below, as well as in individual sections of this topic. The Internet security checklist also serves as a guide for implementing security for services and applications.

Defining management of users and roles

The fundamental component of any access control mechanism is the ability to authenticate users. All authentication mechanisms require that users' information and the roles to which they belong be centrally stored somewhere on the system. ASP.NET applications allow security to be stored and managed either with the operating system or an ASP.NET membership provider. ArcGIS Server uses these two user store options provided by ASP.NET.

The decision about where to store your users depends largely on the audience for your applications and services. For example, if you are building mostly intranet applications, you may want to leverage the existing users and groups available on your operating system to grant access to your applications. Likewise, if you are creating Internet applications and you don't want your Web users to be users in your Active Directory, you may want to store those users in an ASP.NET membership provider. For more details on setting up users and roles, see Overview of setting up users and roles.

ArcGIS Server allows you to easily configure the ASP.NET Membership provider for Microsoft SQL Server using nothing more than ArcGIS Server Manager. However, the ASP.NET membership framework is very flexible and can support a wide variety of custom providers such as other databases, XML files, Active Directory, LDAP, and so on. Once configured on your system, ArcGIS Server can be configured to use these custom providers.

These links summarize how you can configure users and roles and lead to more information about each option:

Choosing an authentication method

Authentication is the process of identifying who is attempting to access the system. The user provides credentials, typically a user name and password, to authenticate to the system. The authentication method determines how the server validates the identity of the user.

Your options for authentication are dependent on your choice for user and role storage.

| User store | Authentication |
|---|---|
| Windows operating system users and groups | IIS |
| ASP.NET membership provider | ASP.NET |

Authentication methods also vary in terms of the level of security provided. Read the documentation carefully and consult with your security staff before choosing a method appropriate for your situation.

The authentication methods available with ArcGIS Server for the Microsoft .NET Framework are the following:

You can support multiple authentication methods, if needed, by setting up multiple ArcGIS Server Web instances. Each instance would be tied to the same GIS server but would be configured for a different authentication method.

For guidelines on authentication methods, see Common configurations for security for ArcGIS Server services. The Overview of setting up users and roles has additional information on authentication methods.

Implementing Secure Sockets Layer (SSL)

Depending on the requirements of your user store and authentication method, you may need to acquire an SSL certificate for your Web server. SSL enables the use of HTTPS, which encrypts communication between clients and your Web server. Generally speaking, SSL is essential when authenticating users with HTTP Basic, token-based, or forms-based authentication, though SSL may increase the security of credentials with other authentication methods as well. Learn more about Setting up SSL.

Setting permissions for services and applications

For a user to access a service or application, you must add permissions in the service or application for a role in which the user is a member. ArcGIS Server permissions are based on roles. You add permissions for a service, a service folder, or application in Manager by permitting roles, rather than by permitting individual users.

When you apply security to a Web service, it applies to all forms of the Web service: SOAP, REST, and OGC (such as WMS). If you allow access to a role (for example, Planners) for a service in Manager, then users in that role will be able to access the service through SOAP, REST and any OGC methods enabled for the service. The Services Directory also automatically respects security settings, so only logged-in users will see secured services for which they are permitted.

Learn more about Securing Internet connections to services and about Securing Web applications.

Common configurations for security for ArcGIS Server services

The table below depicts common configurations for security for ArcGIS Server services. This is based on three aspects of how and where services are configured: (1) whether the services are deployed on an intranet or over the Internet, (2) the type of user and role store, and (3) the authentication method.

All configurations support all clients (Web, JavaScript, ArcGIS Desktop, OGC, and KML) except where noted.

| Network | User/Role store | Authentication | Notes |
|---|---|---|---|
| Intranet | None | Not applicable | No ArcGIS Server security. Firewall limits services/applications to internal users. |
| Intranet | Windows domain users/roles (groups) | Integrated Windows Authentication; HTTP Basic/Digest | JavaScript applications must use a proxy/redirector. |
| Intranet | Windows domain users, SQL Server roles | Integrated Windows Authentication; HTTP Basic/Digest | JavaScript applications must use a proxy/redirector. |
| Internet | None | Not applicable | No ArcGIS Server security. All services open to all users. |
| Internet | Windows users/roles | HTTP Basic/Digest | JavaScript applications must use a proxy/redirector. |
| Internet | Windows users, SQL Server roles | 2 ArcGIS Web Instances (1 HTTP Basic/Digest, 1 token-based) | HTTP Basic/Digest supports SOAP, OGC, KML; token-based supports REST access. |
| Internet | SQL Server users and roles | Token-based | No support for OGC or KML clients. |
| Internet | Custom provider | Token-based | No support for OGC or KML clients. |
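The following Python sketch is an added example, not Esri code: it checks a planned set of ArcGIS Server Web instances against the rules stated on this page (SSL for HTTP Basic, token-based, and forms-based authentication; no OGC or KML clients with token-based authentication; a proxy/redirector for JavaScript applications in the rows that list Integrated Windows Authentication or HTTP Basic/Digest). The instance URLs, the short method labels, and the field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Rules transcribed from this page; the short method labels are chosen here.
SSL_ESSENTIAL = {"basic", "token", "forms"}   # SSL "essential" for these methods
NO_OGC_KML = {"token"}                        # table: no OGC or KML clients
JS_NEEDS_PROXY = {"iwa", "basic", "digest"}   # table: JavaScript needs a proxy


@dataclass(frozen=True)
class WebInstance:
    url: str                 # constructed sample URL, not a real deployment
    auth: str                # "iwa", "basic", "digest", "token" or "forms"
    clients: frozenset       # subset of web, javascript, desktop, ogc, kml
    js_proxy: bool = False   # True if a proxy/redirector page is deployed


def audit(instances):
    """Return (url, finding) pairs for every rule an instance breaks."""
    findings = []
    for inst in instances:
        if inst.auth in SSL_ESSENTIAL and urlparse(inst.url).scheme.lower() != "https":
            findings.append((inst.url, "SSL_REQUIRED"))
        if inst.auth in NO_OGC_KML:
            for client in sorted(inst.clients & {"ogc", "kml"}):
                findings.append((inst.url, "CLIENT_UNSUPPORTED:" + client))
        if (inst.auth in JS_NEEDS_PROXY and "javascript" in inst.clients
                and not inst.js_proxy):
            findings.append((inst.url, "JS_PROXY_REQUIRED"))
    return findings


# Constructed plan: two Internet-facing instances and one intranet instance.
PLAN = [
    WebInstance("http://gis.example.com/ArcGIS_token", "token",
                frozenset({"javascript", "kml"})),
    WebInstance("https://gis.example.com/ArcGIS_basic", "basic",
                frozenset({"ogc", "kml", "javascript"})),
    WebInstance("https://intranet.example.com/ArcGIS", "iwa",
                frozenset({"desktop"})),
]

if __name__ == "__main__":
    for url, finding in audit(PLAN):
        print(url, finding)
```

Running it on the constructed plan flags the token instance for missing SSL and for its KML client, and the Basic instance for JavaScript access without a proxy/redirector; the intranet instance passes.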


8/22/2012