Internet security checklist

The following checklist provides some things you'll need to do to make sure your Web applications and services are secure. These steps are described in greater detail throughout this section of the help. See Internet security overview for an introduction to security.

Security checklist for Web services and Web applications

Steps:
  1. Install ArcGIS Server, including the Applications Manager, Services Manager, and Web Services components. This installs Manager, Web services, and the Token service.
  2. Obtain and install a Secure Sockets Layer (SSL) certificate for your Web server to enable encrypted communication using HTTPS.
  3. If you will be using SQL Server Express to store users and/or roles, install SQL Server Express, which is included with the ArcGIS Server media.
  4. In Manager, click Security, then click Settings, then click Change. In the security wizard, set the location for users and roles:
    • Windows users: Users are operating system users. With Windows users, you may choose Windows groups as roles, or roles may be in SQL Server or a custom location (see the next two options for details).
    • SQL Server: Use the wizard to connect to the database server, then choose to create a new database, or specify an existing database where users and roles will be stored. To enable users to change and recover lost passwords, enter settings for the mail (SMTP) server.
    • Custom provider (other database, XML file, and so on): Only available if you have added the required configuration into the security application.
  5. Add users and add roles as needed based on the chosen user and role stores.
    • For Windows users and groups, use operating system tools to add users and groups to the local server or to the domain as needed.
    • For SQL Server, add users and roles to the database (for Windows users plus SQL Server roles, add only roles). When using SQL Server for users, click Security, then click Users and add users. When using SQL Server for roles, click Security, then click Roles and add roles.
    • For a custom provider, you may use Manager to manage users and roles if the custom provider supports it. Otherwise, use the provider's tools to manage users and roles.
  6. Do the following to assign permissions to services and folders:
    • In Manager, click Services.
    • Assign folder permissions by selecting the folder from the drop-down list, then clicking the Manage Folders drop-down list, then click Permissions.
    • Assign service permissions by clicking the permission button next to the service name.
  7. Do the following to apply security to Services:
    • In Manager, click Security, then click Settings. Under Security for GIS Services, click Enable. Until you do this step, the permissions in the previous step are not enforced. After this step, only users in roles permitted in Manager will be allowed access to any services.
    • Only if using Windows users as the user store: Using IIS Manager, disable anonymous access to the ArcGIS/Services and ArcGIS/Rest Web services applications.
  8. Do the following to assign and apply permissions to Web applications:
    • In Manager, click Applications.
    • Click the Permissions (lock) button for the Web application.
    • Check the check box to secure this Web application.
    • Add roles that should be permitted access, then click OK.
  9. For map and globe services with tile caches, secure the cache directory for these services.
  10. Require HTTPS for any Web pages that transmit sensitive data, such as login pages.
  11. Optional: If the user store supports changing and recovering passwords, and you want to enable users to do so, provide a link to the PasswordManager.aspx page somewhere in your organization's Web site.

11/18/2013