Securing Internet connections to services

When you create a service, Web access is automatically enabled. This means that others can use the service when they make an ArcGIS Server Internet connection to your server. You can choose to turn off Web access completely or restrict access to a select group of users. You can also limit the types of operations that can be performed with the service through the Web. The following are contained in this topic:

NoteNote:

The agsadmin and agsusers groups are not used for Internet connections; they are used to secure local connections. Security for both local and Internet connections should be part of your overall security strategy. For additional information, see Securing local connections to services.

Turning off Web access

If you don't want Internet clients to access a service, you need to explicitly disable Web access.

Turning off Web access in Manager

To disable Web access for a service in Manager, follow the steps below. The service must be stopped when you perform these steps.

  1. Click the Services tab in Manager.
  2. In the list of services, find the service for which you want to disable Web access and click its Edit link.
  3. Click the Capabilities tab.
  4. Uncheck Enable Web Access.
  5. Click Save and Restart.

Turning off Web access in ArcCatalog

To disable Web access for a service in ArcCatalog, follow the steps below. The service must be stopped when you perform these steps.

  1. Make an administrative connection to the server. See Making an administrative connection to ArcGIS Server in ArcCatalog for instructions.
  2. Find the service for which you would like to disable Web access.
  3. If the service is started, right-click the service and click Stop.
  4. Right-click the service and click Disable Web Access.
  5. Right-click the service and click Start.
NoteNote:

For map services, the steps above only disable Web access for the mapping capability. You can disable Web access for other capabilities on the Capabilities tab of the Service Properties dialog box.

Requiring HTTPS for folders and services

You can require that clients that connect to your ArcGIS Server services use HTTPS for the connection. This will encrypt all communication between the client and the server, so that if someone intercepts the communication during transmission, the data will be encrypted against reading. If you also want to restrict access to the service to certain users, see the section below, "Limiting which users can access a service."

The HTTPS requirement is set at the folder level rather than for individual services. If you only want to require HTTPS for an individual service and not for the entire server or folder, create a new folder and add the service to the new folder.

Note that you must install a SSL certificate on the Web server in order for clients to request resources with HTTPS. For details, see Setting up SSL.

To use Manager to require HTTPS for a folder, follow these steps:

Steps:
  1. Log in to ArcGIS Server Manager and click on Services.
  2. In the drop-down box for server folders (labeled Services in:), choose the folder where you want to require HTTPS. To require HTTPS for the entire server, choose the server (root).
  3. Click Manage Folders and, in the drop-down list, click Properties.
  4. On the Folder Properties dialog box that opens, check Require Encrypted Web Access and click OK.

You can also require HTTPS for a folder using ArcCatalog:

  1. Start ArcCatalog, expand GIS Servers, then double-click the administrative server connection. If necessary, add an administrative connection by double-clicking Add ArcGIS Server, clicking Manage GIS Services, then entering the server name and URL (for example, http://myserver.example.com/arcgis/services).
  2. Expand the server connection, if necessary, to find the folder for which you want to require HTTPS.
  3. Right-click the folder and choose Properties (or to require SSL for all services, right-click the server and click Root Folder Properties).
  4. On the Folder Properties dialog box, check Require Encrypted Web Access and click OK.

Note that after you require HTTPS for a folder, any client application must use a URL with https:// to use the services in that folder. If a user connects to the server with ArcCatalog and does not use https in the URL, the folder does not display even if the user otherwise is permitted access to the folder.

Limiting which users can access a service

You can use ArcGIS Server Manager to limit which users can access a service through Internet connections. To do this, you define a set of users and roles and designate which roles should have access to particular Internet services. Read the topic Overview of setting up users and roles to learn how to create the users and roles. You need to add at least one user and one role with a user before you configure security for services. You also must perform an additional step of enabling security for services before assigned permissions actually take effect.

The steps to implement security for GIS services are as follows:

  1. Set up the location to store users and roles and add users and roles. See Overview of setting up users and roles.
  2. Add permissions to folders and/or services. See Setting permissions for a service or folder below.
  3. Enable security for services. See Enabling security for services. Until you do this step, no restrictions are enforced on Web access to services.

You can set permissions on folders and services. Services within a folder inherit the permissions set for the folder. If you set permissions at the root level, all services inherit those permissions. You can override inherited permissions by removing inherited roles for a service or folder.

Until you complete step 3 above to enable security for services, anyone is able to connect to your services that have Web access enabled. It is also important to understand that after you enable security, no users are able to access any service unless (1) you add permissions for roles to the service or folder and (2) the user logs in with an account in a role permitted for the service. Therefore, before you enable security, you should set up permissions for services. Depending on where user accounts are stored, an Anonymous role may be available to allow anyone to access services or folders.

One approach for security would be to assign broad permissions to the root of a server, then restrict permissions on folders and services. Another pattern would be to keep permissions limited on the root, then allow designated roles access to specific folders or services.

If a user is a member of multiple roles and any of the roles are permitted for the service, the user has access. Manager does not have the ability to explicitly deny access to roles or users. Hence you should design your roles carefully to match the access you want to grant for services and folders.

Setting permissions for a service or folder

To set permissions on who can access a service or folder, follow these steps:

  1. In Manager, click the Services tab to see a list of services on your server. If you want to set permissions on a folder or on a service within a folder, use the Services in list to change the view to the folder.
  2. Open the Permissions dialog box for the service or folder:
    • For folder permissions, click Manage Folders and click Permissions in the list that opens.
    • For service permissions, click the permissions (lock) icon for the service.
  3. The Permissions dialog box opens. The list on the left shows the roles available, and the box on the right lists roles that are currently permitted access.
    • To allow a role to access the service or services within the folder, click the role in the list of available roles and click the Add button to move it to the allowed roles list.
    • To remove access for a role, click to select it in the allowed roles list and click Remove. The role is moved to the available roles list.

      NoteNote:

      If the role has been deleted or is not present in the current role store, it is not shown when the Permissions dialog box is reopened.

  4. Once you've configured permissions, click Save to save the changes and apply them to the service. Click Cancel to abandon any changes to the service.

If the Everyone, Authenticated Users, and Anonymous roles have been added to your user store, you can add any of these roles to a service or folder or remove them if they have been inherited from a parent folder. When the Everyone role is allowed, anyone can access the service (or services within the folder) whether or not they supply a login. If Everyone is allowed, it is not necessary to add other roles to the list of allowed roles. Allowing Authenticated Users means that any user in the user store is permitted access. For more information on these special roles, see the "Setting up users and roles" topic for your role provider (SQL Server or Custom provider). These roles are not available when roles are Windows groups, since group membership must be determined from the operating system.

If you see the following message displayed in the Permissions dialog box, security has not yet been enabled for services:

"Warning: Security for GIS services has not been enabled. See Security-Settings to enable services security."

The permissions you are setting are not actually enforced until you enable security. See Enabling security for services to learn how to enable security.

Permissions rules for services are stored internally by ArcGIS Server. The rules are not stored in the ArcGIS/Services Web application. Permissions are stored as .sec files in the <ArcGIS Installation Location>\server\user\cfg folder. When permissions have been set for a folder, the folder contains the file Folder.sec. When permissions have been set for a service, the folder contains a file with the name matching the service's .cfg file, but the extension is .sec. If permissions have not been set for a folder or a service, no .sec file is present for that folder or service. For information on the format of the .sec files, see Security configuration files.

Access rules should not be set manually in the ArcGIS/Services Web application. In many ASP.NET Web applications, access is controlled by adding authorization rules into the web.config file for the Web application. ArcGIS Server now stores permission rules internally rather than in the web.config file. If rules are added to the web.config file for the Services application, this may cause security settings in Manager to fail.

For further reading on how permissions function, see these topics:

Enabling security for services

Enabling security causes permission rules you have set to be enforced for Internet connections to services. Until you enable security, all services are open to all users, even if you have set up permission rules.

Before you enable security for services, you should set up the permission rules you want to apply for your services. If you enable security before you assign permission rules for your services, no one is able to make Internet connections to any of your services.

Once you enable security, you cannot disable security in Manager. This is to prevent inadvertent compromise of security for your services. See below for more information.

These steps apply only to security for GIS services. Security for Web applications is applied individually to each application. See Securing Web applications for details.

To enable security for services, follow these steps:

  1. Set permission rules as desired for GIS services. See the previous section, "Setting permissions for a service or folder," for details. You can use the Everyone role, if desired, to allow all users to access one or more services.
  2. In Manager, click Security > Settings. On Security for GIS Services, click the Enable button. A dialog box appears with information about setting up security for services. Read the information to ensure you understand the implications of enabling security. If you are sure you are prepared to enable security, click the Enable Security for Services button. Otherwise, click Cancel.
  3. If you chose to store users as Windows users, you must disable anonymous access to the Services application. See Disabling anonymous access to ArcGIS Web services in Internet Information Services for instructions on disabling anonymous access.
  4. Test your services to ensure that users in allowed roles can access the services. If necessary, adjust permissions as described in Setting permissions for a service or folder.

Disabling security for services

Once you enable security for GIS services, you cannot use Manager to disable security. This is to prevent accidental disabling of security and exposure of access to your services. If you decide later that you must disable security, you can do so with the following steps.

CautionCaution:

If you perform these steps, any user is able to connect to any GIS service using an Internet connection without providing any login.

  1. Open the Services management console by clicking Control Panel > Administrative Tools > Services.
  2. Right-click the ArcGIS Server Object Manager service and click Stop.
    CautionCaution:

    If you make the changes below before stopping ArcGIS Server, your changes will be overwritten when ArcGIS Server stops.

  3. Use a text editor (such as Notepad) or XML editor to open the file Server.dat on your server object manager (SOM) machine. This file is located in your ArcGIS Server installation at <ArcGIS Installation Location>\server\system.
  4. Change the following element, located inside the <Server> element, from
    <SecurityEnabled>true</SecurityEnabled>
    to
    <SecurityEnabled>false</SecurityEnabled>
    Save the file.
  5. Use a text or XML editor to open the file web.config in C:\Inetpub\wwwroot\ArcGIS\Services (adjust the path if you installed the ArcGIS Web services to a different location).
  6. Locate the following line within the <appSettings> section:
    <add key="RequireToken" value="True" />
    and change it to
    <add key="RequireToken" value="False" /> 
    Save the file.
  7. Repeat the previous two steps for the web.config files in the Rest folder and also the Tokens folder in the C:\Inetpub\wwwroot\ArcGIS directory.
  8. If security was configured for Windows users, reenable anonymous access to the Services and Rest folders in the ArcGIS Server Web instance in IIS. Refer to the instructions in the section entitled Disabling anonymous access to ArcGIS Web services in Internet Information Services, except in step 3 of the instructions, choose to enable anonymous access. Do this for both Services and Rest directories.
  9. Return to the Services management console, right-click the ArcGIS Server Object Manager service and click Start.
  10. Right-click the World Wide Web Publishing Service and click Restart.

To reenable security, follow the steps in Enabling security for services.

Limiting what users can do with a service

To make it easy to control how your Web services are used, each type of service has a set of allowed operations that determines which methods users can call. You can allow all the operations if you want users to have complete use of the service, or you can disable certain operations to prevent users from doing certain things, like querying the data in your map or extracting data from your geodatabase.

You can set the operations allowed on the Capabilities tab of the Service Properties dialog box. For additional documentation on which methods are included in each operation, see Tuning and configuring services.


11/18/2013