randall_williams-esristaff

Securing ArcGIS Enterprise's Help Documentation

Blog Post created by randall_williams-esristaff Employee on Dec 12, 2019

*******************

Update - August 2020:

 

ArcGIS Enterprise Portal's help documentation can now be sourced from the ArcGIS Enterprise Web Help instead of the locally installed help. Introduced at 10.8.1, the Help source determines whether your organization's access to help topics is derived from https://enterprise.arcgis.com or an installed source. By default, the source is set to the local, installed source. When internet access is available, enable this option to deliver help from https://enterprise.arcgis.com.

 

We've also updated this blog to explain how users of older versions might source the web-based ArcGIS Enterprise Help via an HTTP redirect.

*******************

 

The installed help documents for ArcGIS Enterprise are served to everyone anonymously. The content is not sensitive and can easily be found on the web. Sometimes, however, organizations have policies that require authentication on every endpoint of any website under their authority, which poses a challenge for site managers whose only other path is to seek an exclusion. Other organizations have strict policies regarding aged third-party libraries that support the installed help doc. The exploitability of these issues in the context of the help doc is debatable, as the help doc does not accept or reflect untrusted input. Regardless of the use case, some organizations may choose to prevent access to these pages.

 

For those users, there are potential workarounds to explore: either implement web tier security or create an HTTP redirect specifically for the help docs.

 

Here's how the help doc can be secured: 

 

1. First, open Windows Explorer and drill down to where your Portal or Server web adaptor is installed. For this example we'll use 'Portal'.

 

2. Inside (for example) c:\inetpub\wwwroot\portal\, create a new folder called "portalhelp"

 

3. Next, open IIS manager. Drill down to the website that hosts your web adaptor, and find the 'portalhelp' folder. 

 

4. Finally, use the IIS 'Authentication' feature to disable anonymous access and enable Windows authentication.

 

Now when users attempt to access the help documentation, they'll need to provide Windows credentials.

 

Do the same for other help document locations:

 

ArcGIS Server:

  • /<server web adaptor>/help/
  • /<server web adaptor>/sdk/
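
Steps 1 through 4, applied to every help location listed above and followed by an unauthenticated request to confirm the result, as an added example that is not part of the original post. The site name `Default Web Site`, the web adaptor names `portal` and `server`, the `C:\inetpub\wwwroot` root and the host `gis.example.com` are assumptions; it needs an elevated session with the WebAdministration module and the Windows Authentication role service installed.

```powershell
# Added example, not from the original post. Run elevated on the IIS host.
Import-Module WebAdministration

$site      = 'Default Web Site'         # assumption: IIS site hosting the web adaptors
$webRoot   = 'C:\inetpub\wwwroot'       # assumption: physical root of that site
$baseUrl   = 'https://gis.example.com'  # placeholder hostname
$helpPaths = 'portal/portalhelp', 'server/help', 'server/sdk'  # adaptor names assumed

$auth = '/system.webServer/security/authentication'

foreach ($rel in $helpPaths) {
    # Step 2: create the folder so it shows up under the site in IIS.
    $folder = Join-Path $webRoot ($rel -replace '/', '\')
    if (-not (Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    # Step 4: the authentication sections are locked at server level by default,
    # so write them to applicationHost.config with -PSPath 'IIS:\' plus -Location.
    $location = "$site/$rel"
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
}

# Check: a request that sends no credentials should now be answered with 401.
function Test-AnonymousDenied {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $code = [int]$resp.StatusCode
    } catch {
        # Non-2xx responses throw; the status code is on the exception's Response.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }
    [pscustomobject]@{ Url = $Url; Status = $code; AnonymousDenied = ($code -eq 401) }
}

$helpPaths | ForEach-Object { Test-AnonymousDenied "$baseUrl/$_/" } |
    Format-Table -AutoSize
```

Any row with `AnonymousDenied` set to `False` is a help location that still answers without credentials (or could not be reached, shown as status 0).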

 

A redirect can be set up as follows:

 

1. Install the HTTP Redirect Module for IIS

 

2. Follow steps 1-3 above.

 

3. Use the HTTP Redirect Module to point the 'portalhelp' virtual directory to the web help source, e.g. https://enterprise.arcgis.com/en/documentation/

 
