https://community.esri.com/t5/arcgis-enterprise-questions/securing-services/m-p/432459#M16692 <HTML><HEAD></HEAD><BODY><P>If using the Web Adaptor is it really necessary to "secure" the published services?</P><P>&nbsp; &nbsp;customer will only consume services via the REST, so in my mind it seems a bit of overkill to secure the published services on top of running the web adaptor.</P><P></P><P></P><P>Users = Domain A</P><P>ESRI = Domain B (this is by design and cannot be moved to Domain A)</P><P></P><P>&nbsp; &nbsp;what would be the cleanest way to secure services....if they even nee to be secured at all?</P><P></P><P>thanks</P><P>dave</P></BODY></HTML> Thu, 15 Sep 2016 16:37:20 GMT DaveTenney 2016-09-15T16:37:20Z https://community.esri.com/t5/arcgis-enterprise-questions/securing-services/m-p/432459#M16692 <HTML><HEAD></HEAD><BODY><P>If using the Web Adaptor is it really necessary to "secure" the published services?</P><P>&nbsp; &nbsp;customer will only consume services via the REST, so in my mind it seems a bit of overkill to secure the published services on top of running the web adaptor.</P><P></P><P></P><P>Users = Domain A</P><P>ESRI = Domain B (this is by design and cannot be moved to Domain A)</P><P></P><P>&nbsp; &nbsp;what would be the cleanest way to secure services....if they even nee to be secured at all?</P><P></P><P>thanks</P><P>dave</P></BODY></HTML> Thu, 15 Sep 2016 16:37:20 GMT https://community.esri.com/t5/arcgis-enterprise-questions/securing-services/m-p/432459#M16692 DaveTenney 2016-09-15T16:37:20Z https://community.esri.com/t5/arcgis-enterprise-questions/securing-services/m-p/432460#M16693 <HTML><HEAD></HEAD><BODY><P>A couple reasons I want to secure services using ArcGIS Server secure folders (beyond web adaptor) come to mind:</P><OL><LI>we don't have the server/network resources to allow other "consumers" to include our REST in their apps., and</LI><LI>some variations of our services are public, while others have more fields/data that are for internal use only.</LI></OL><P></P><P>I'm sure there are other reasons.&nbsp; If all your services are public and you aren't concerned about #1, then you may not need security.&nbsp; However, even if using the web adaptor and you don't openly publish your end point, a couple minutes with Fiddler or other developer tools can usually find this info.&nbsp; However, if you have security (<A class="link-titled" href="http://server.arcgis.com/en/server/latest/administer/linux/configuring-arcgis-server-security.htm" title="http://server.arcgis.com/en/server/latest/administer/linux/configuring-arcgis-server-security.htm">Configuring ArcGIS Server security—Documentation (10.4) | ArcGIS for Server</A>&nbsp; ) and a <A href="https://github.com/Esri/resource-proxy">proxy</A>, you can prevent others from using the services within their own.&nbsp; Again, that might not be a concern, but something to keep in mind.</P><P></P><P>You may want to check out <A class="link-titled" href="http://doc.arcgis.com/en/trust/security/security-overview.htm" title="http://doc.arcgis.com/en/trust/security/security-overview.htm">ArcGIS Security—Trust ArcGIS | ArcGIS</A> since it has info on security for many of the products/platforms.</P><P></P><P>Also, just as a note, make sure your patches are up to date, including the one mentioned here:</P><P><A class="link-titled" href="https://blogs.esri.com/esri/arcgis/2016/05/20/arcgis-server-security-patch-released-2016-u2/" title="https://blogs.esri.com/esri/arcgis/2016/05/20/arcgis-server-security-patch-released-2016-u2/">ArcGIS Server Security Patch (2016 Update2) | ArcGIS Blog</A>&nbsp;</P></BODY></HTML> Thu, 15 Sep 2016 17:41:38 GMT https://community.esri.com/t5/arcgis-enterprise-questions/securing-services/m-p/432460#M16693 RebeccaStrauch__GISP 2016-09-15T17:41:38Z https://community.esri.com/t5/arcgis-enterprise-questions/securing-services/m-p/432461#M16694 <HTML><HEAD></HEAD><BODY><P>if arcgis server services are not secure, one can simply hit up the Specific Port - side stepping&nbsp;the web adaptor and still get access to services.</P><P>Once you web tier auth, other than admin / manager, you must go through the web adaptor. or you will get a 403&nbsp;</P><P>also handy through the web adaptor is the manager / publisher accounts are auto logged in... no need for Digging up KeePass credentials.&nbsp;</P></BODY></HTML> Mon, 19 Sep 2016 22:32:21 GMT https://community.esri.com/t5/arcgis-enterprise-questions/securing-services/m-p/432461#M16694 MichaelRobb 2016-09-19T22:32:21Z