What are the two ArcGIS Enterprise security profiles in Esri's Hardening Guide?

The Hardening Guide defines a Basic profile, recommended for 95% of deployments, and an Advanced profile that meets NIST critical software standards but reduces some ArcGIS Enterprise functionality. Esri advises that default installation settings fall short of even the Basic profile and are suitable only for development purposes.

Why should you replace default SSL certificates in ArcGIS Enterprise?

ArcGIS Enterprise installs with self-signed SSL certificates that cause browsers to display security warnings. Replacing them with CA-signed or domain-signed certificates is required to meet the Basic security profile, and CA-signed certificates are necessary if the environment is accessible outside your firewall.

A Simple Guide to Esri's Complex ArcGIS Enterprise Hardening Guide

Q: How do Web Adaptors improve ArcGIS Enterprise security?

Web Adaptors act as a reverse proxy that hides internal machine names and ports (6443, 7443) from end users, routing all external traffic through HTTPS on port 443 over your fully qualified domain name. This prevents direct access to the ArcGIS Server and Portal for ArcGIS administrative ports.

Q: How can you scan ArcGIS Enterprise for security vulnerabilities?

ArcGIS Server includes serverScan.py (checking 15 vulnerabilities) and Portal for ArcGIS includes portalScan.py (checking 17 vulnerabilities). These built-in Python scripts should be run regularly by GIS administrators to verify configuration settings and identify issues such as publicly shared content with anonymous edit access.

In January 2024, Esri released the ArcGIS Enterprise Hardening Guide, a dense but necessary 123-page technical paper on securing ArcGIS Enterprise deployments from top to bottom. This post breaks down the most critical security settings GIS administrators should prioritize, from SSL certificate configuration to automated vulnerability scanning.

Quick Summary

Esri's ArcGIS Enterprise Hardening Guide defines two security profiles: Basic, recommended for 95% of deployments, and Advanced, which meets NIST critical software standards but reduces some ArcGIS Enterprise functionality.
SSL certificates are among the most common ArcGIS Enterprise misconfigurations; CA-signed or domain-signed certificates must replace the default self-signed certificates to meet the Basic security profile.
ArcGIS Server and Portal for ArcGIS are configured via their respective Admin REST APIs; ArcGIS Data Store uses the updatesslcertificate.bat command-line tool instead.
Web Adaptors hide internal ports and machine names, routing traffic through HTTPS over your fully qualified domain name.
ArcGIS Server and Portal for ArcGIS each include a built-in Python security scan script (serverScan.py and portalScan.py) checking for 15 and 17 known configuration vulnerabilities, and should be run regularly by GIS administrators.

A basic definition of hardening is making modifications to a system to increase its security and performance. This involves implementing a set of procedures, practices, and technologies to protect your infrastructure.

In this blog article, I won't explain every action the Hardening Guide outlines; instead, I will provide some tips to help flag some of the most glaring security settings. At dymaptic, our GIS administration team regularly helps clients navigate these security requirements for their ArcGIS Enterprise deployments.

What Are the Two ArcGIS Enterprise Security Profiles?

First, let's distinguish between the two security profiles outlined in the Hardening Guide:

The Basic security profile: Esri recommends that 95% of users adjust their ArcGIS Enterprise security settings to align with the Basic security profile. When ArcGIS Enterprise is first installed, the default security settings for Server and Portal fall short of this profile. Esri advises that these default settings are suitable only for development purposes since the security configurations are lacking. Even then, I caution you against development or test environments with different settings than production. It's easy to have a deployment issue because of a setting difference between environments.
The Advanced security profile: This profile meets the NIST (National Institute of Standards and Technology) definition of critical software. It also requires configuration changes that result in a loss of ArcGIS Enterprise functionality.

How Should SSL Certificates Be Configured in ArcGIS Enterprise?

One of the most common misconfigurations is SSL certificates. Let's start with an overview of how the ArcGIS products transfer data to each other. The core of ArcGIS Enterprise consists of three pieces of software: ArcGIS Server, Portal for ArcGIS, and ArcGIS Data Store. After installation, each of these is accessible on a different port; they also talk to each other on these ports:

ArcGIS Server: 6443
Portal for ArcGIS: 7443
ArcGIS Data Store: 2443

A flow diagram showing internal port communication between Portal for ArcGIS (port 6443 and 2443), ArcGIS Server (port 7443), and ArcGIS Datastore (port 2443), with no external client access shown.

Figure 1. Communication over ports at the core of ArcGIS Enterprise.

By default, ArcGIS uses self-signed certificates, so that you can quickly get ArcGIS Enterprise up and running. However, this convenience comes at a price for your users. Their browser will notify them that the site is insecure, and they must click "Accept" or "I know the risks" to proceed. Therefore, to meet the Basic security profile, you must use proper CA (Certificate Authority) or domain-signed SSL certificates for these services.

A domain-signed SSL certificate can be appropriate if your environment is only accessed behind your firewall by devices under your control and can be instructed to trust your root domain and, consequently, the domain-signed certificates for your services. If your environment is accessible from outside your firewall, then a domain-signed SSL certificate is not an option and you should use a CA-signed certificate. Using a domain-signed certificate in this scenario would trigger the same "Accept" or "I know the risks" prompts as a self-signed SSL certificate.

How Do You Use the ArcGIS Enterprise Admin REST APIs?

ArcGIS Server can be configured using the Admin REST interface, as in Figure 2.

Screenshot of the ArcGIS Server Administrator Directory at version 11.1.0, showing Site Root with resource links including machines, services, security, system, data, uploads, logs, and supported operations including generateToken, exportSite, importSite, and deleteSite.

Figure 2. Configure many ArcGIS Server security settings including SSL certificates using the Admin REST API.

The Portal for ArcGIS can similarly be configured using its own Admin REST interface, shown in Figure 3.

Screenshot of the Portal Administrator Directory at version 11.1, showing Site Root with resource links including System, Security, Federation, Logs, Machines, License, Mode, Info, and Backup Restore Info, with supported operations Export Site and Import Site.

Figure 3. Configure many Portal for ArcGIS security settings including SSL certificates in the Admin REST API.

ArcGIS Data Store lacks an Admin REST interface and so must be configured by running the updatesslcertificate.bat command line tool located here: <ArcGIS Data Store installation directory>\datastore\tools (Figure 4).

$A Command Prompt in Administrator mode showing the updatesslcertificate.bat command run from C:\Program Files\ArcGIS\DataStore\tools, with parameters for the path to an SSL certificate (.pfx), certificate password, and certificate alias.$

Figure 4. ArcGIS Data Store does not have an Admin REST API and instead has a Windows batch tool that can be run from the command line in admin mode to configure it to use your CA-signed SSL certificate rather than the default self-signed one.

How Do Web Adaptors Improve ArcGIS Enterprise Security?

ArcGIS Enterprise also provides a basic load balancer called Web Adaptor. You typically configure a separate Web Adaptor for both Portal and Server. The Web Adaptors, which reside on your web server, should be configured to use HTTPS. They hide the machine name and the port that Server and Portal communicate over (:6443 and :7443 respectively), such that web traffic to your Portal and services occurs over the fully qualified domain name specified by your SSL certificate and the name of your Web Adaptor. For instance, https://webadaptorhost.domain.com/webadaptorname/rest/services, rather than https://gisserver.domain.com:6443/arcgis/rest/services (note that the Hardening Guide recommends that both the ArcGIS Server REST services and Portal services directories be disabled unless you need them.)

Once configured, the traffic diagram from above gets a bit more complex. You can see that the end-user or client only accesses the services via the Web Adaptors, but the services themselves continue to communicate on the other ports (7443, 6443, and 2443).

A flow diagram showing secure ArcGIS Enterprise communication with a Client connecting via port 443 to an ArcGIS Server Web Adaptor and a Portal Web Adaptor, which then route traffic internally to ArcGIS Server (port 6443), Portal for ArcGIS (port 7443), and ArcGIS Datastore (port 2443).

Figure 5. Completely secure communication over ports in ArcGIS Enterprise.

How Do You Scan ArcGIS Enterprise for Security Vulnerabilities?

ArcGIS Server and Portal for ArcGIS each come installed with two Python security scripts that search for common security vulnerabilities with your configuration. As of ArcGIS Enterprise 11.2, serverScan.py located in <ArcGIS Server installation location>/tools/admin checks for 15 vulnerabilities and portalScan.py located in <Portal for ArcGIS installation location>\tools\security checks for 17 vulnerabilities (Figures 6 and 7). Many vulnerabilities will be addressed by modifying or adding properties in the Server and Portal Admin REST APIs. It behooves GIS Administrators to regularly run these to ensure configuration settings are correctly set, as well as quickly pinpoint mistakenly publicly shared content. For instance, nobody wants to explain that a dataset's records were deleted, or that embarrassing updates were made to a text field by a stranger, facilitated by a feature service with edit capabilities open to anonymous access.

$A Python 3 Command Prompt in Administrator mode showing the command to run serverScan.py from C:\Program Files\ArcGIS\Server\tools\admin, with parameters for hostname, username, password, and output directory.$

Figure 6. ArcGIS Server comes with serverScan.py. If you have a federated ArcGIS Server, provide your Portal admin credentials. If it is a stand-alone instance of ArcGIS Server, provide your server admin credentials.

$A Python 3 Command Prompt in Administrator mode showing the command to run portalScan.bat from C:\Program Files\ArcGIS\Portal\tools\security, with parameters for hostname, username, password, and output directory.$

Figure 7. Portal for ArcGIS comes with portalScan.py.

The dymaptic team has a wealth of ArcGIS Enterprise experience and three Esri Certified ArcGIS Enterprise Admins. Our team can offer guidance on ArcGIS Enterprise security best practices, such as setting up ArcGIS Enterprise backups using webgisdr.bat or installing and/or upgrading ArcGIS Enterprise to the latest version, which also plays an integral part in keeping your ArcGIS Enterprise deployment safe from the latest cyberthreats.

A Simple Guide to Esri's Complex ArcGIS Enterprise Hardening Guide

Quick Summary

What Are the Two ArcGIS Enterprise Security Profiles?

How Should SSL Certificates Be Configured in ArcGIS Enterprise?

How Do You Use the ArcGIS Enterprise Admin REST APIs?

How Do Web Adaptors Improve ArcGIS Enterprise Security?

How Do You Scan ArcGIS Enterprise for Security Vulnerabilities?

Need Help Hardening Your ArcGIS Enterprise Deployment?

Get in Touch

Quick Summary

What Are the Two ArcGIS Enterprise Security Profiles?

How Should SSL Certificates Be Configured in ArcGIS Enterprise?

How Do You Use the ArcGIS Enterprise Admin REST APIs?

How Do Web Adaptors Improve ArcGIS Enterprise Security?

How Do You Scan ArcGIS Enterprise for Security Vulnerabilities?

Need Help Hardening Your ArcGIS Enterprise Deployment?

We Value Your Privacy