
User name enumerations

a week ago
htsubaie
Occasional Contributor

Hello,

I want to share with you our cybersecurity team's concern about user name enumeration through the directory /portal/sharing/rest/community/users/(the name of the user).

We want to deploy our portal so that it can be accessed from outside the local network, but the cyber team did a penetration test before authorizing publishing the site on the internet.

We would like to lock anonymous access so the user names cannot be found by this method. We have tried to create rewrite rules by setting conditions that must be met when trying to access the directory. It works with the portal itself, but not with ArcGIS Pro: the app crashes when trying to log in, and ArcGIS Field Maps has a problem after the login regarding the certificate. When the rule is disabled, everything works normally.

Here is the report about the penetration testing

[Image: Penetration testing]

URL rewrite rule

[Image: Rewrite Rules]

ArcGIS Field Maps error

[Image: ArcGIS Field Maps]

Any solution or suggestion would be appreciated.

5 Replies
CodyPatterson
MVP Regular Contributor

Hey @htsubaie 

This is something that I actually wasn't aware of, and trying it out, it gave out quite a bit of information and ability to outside users that I had not considered! Looking around I did find this here:

https://enterprise.arcgis.com/en/server/latest/administer/linux/disabling-the-services-directory.htm

But it still allows for JSON access, which is said to be possible to restrict as well. I found a Reddit post that mentioned this access is required for some WebGIS-related items, but I'm not sure it was specifically referring to this. I'm not able to test disabling the services directory until the weekend, as I don't want it to have any adverse effects during the workday, but if you don't have an answer by then I can definitely check. I'll be opening a ticket with Esri support as well so they can guide me through this next week, hopefully. Thanks for bringing this up!

Cody

htsubaie
Occasional Contributor

Hey @CodyPatterson

Thanks for the reply,

It is concerning, since the portal mentioned should not be accessible without employee credentials.

We will try to disable the services directory and post an update regarding any findings.

Good day   

htsubaie
Occasional Contributor

Update:

The method used to disable the services directory is described here:

https://enterprise.arcgis.com/en/portal/11.4/administer/windows/disabling-the-arcgis-portal-director...

Disabling the services directory doesn't help at all. It only disables the HTML view, so the page becomes a blank HTML page, but the same data can still be retrieved in JSON format. You can check this by requesting portal/sharing/rest/community/users/(the name of the user)?f=json: it will show the user's information as JSON, so it doesn't help at all.
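The f=json bypass described above, together with the original report, comes down to one property: an anonymous request to /sharing/rest/community/users/&lt;name&gt;?f=json returns a user record for a real account and an error document for a guess, so a caller can tell the two apart. The following script is an added example (not Esri code and not from anyone in this thread) that a pentester or the portal admin can use to confirm the leak and, after a fix, to confirm it is gone. It assumes the shapes of the two responses shown in the constructed samples: a user object with a "username" key for an existing account, and a JSON "error" object (HTTP 200 with the error inside the body, as Portal usually does) for a missing one. The exact wording and error codes of a real deployment may differ; adjust classify() to what your portal actually returns.

```python
"""Check whether a Portal for ArcGIS deployment lets an anonymous client
distinguish existing from non-existing user names via
/sharing/rest/community/users/<name>?f=json.

Added example, not Esri's code.  The sample bodies below are constructed
for an offline demonstration; real responses may differ in detail."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample responses (assumption: real Portal output may differ).
SAMPLE_EXISTING = json.dumps({
    "username": "jdoe",
    "fullName": "Jane Doe",
    "email": "jdoe@example.org",
    "role": "org_publisher",
})
SAMPLE_MISSING = json.dumps({
    "error": {"code": 400, "messageCode": "CONT_0001",
              "message": "User does not exist or is inaccessible.",
              "details": []}
})
SAMPLE_BLOCKED = json.dumps({
    "error": {"code": 403, "message": "Access denied.", "details": []}
})


def classify(status, body):
    """Classify one probe as 'exists', 'missing', 'blocked' or 'unknown'.

    Portal typically answers HTTP 200 even for errors and puts the error
    inside the JSON body, so the body rather than the status carries the
    signal.  Non-JSON (for example an HTML page from a reverse proxy) is
    'unknown' rather than a guess.
    """
    if status in (401, 403):
        return "blocked"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(data, dict):
        return "unknown"
    if "username" in data:
        return "exists"
    err = data.get("error")
    if isinstance(err, dict):
        code = err.get("code")
        # 498/499 are the ArcGIS REST codes for invalid / required token.
        if code in (401, 403, 498, 499):
            return "blocked"
        if code == 400:
            return "missing"
    return "unknown"


def leaks_existence(results):
    """True when the same anonymous probe yields both 'exists' and 'missing':
    the endpoint then works as a user-name oracle."""
    kinds = set(results.values())
    return "exists" in kinds and "missing" in kinds


def probe(portal_url, username, timeout=10):
    """Fetch /sharing/rest/community/users/<username>?f=json with no token."""
    url = "%s/sharing/rest/community/users/%s?f=json" % (
        portal_url.rstrip("/"), urllib.parse.quote(username, safe=""))
    req = urllib.request.Request(url, headers={"User-Agent": "enum-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))


def check_portal(portal_url, candidates):
    """Probe each candidate name; include at least one surely-bogus name so
    the 'missing' branch is exercised."""
    return {name: probe(portal_url, name) for name in candidates}


def demo():
    """Offline run over the constructed samples."""
    results = {
        "jdoe": classify(200, SAMPLE_EXISTING),
        "zz-no-such-user": classify(200, SAMPLE_MISSING),
    }
    return results, leaks_existence(results)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        res = check_portal(sys.argv[1], sys.argv[2:])   # live portal
    else:
        res, _ = demo()                                  # offline samples
    for name, kind in res.items():
        print(name, kind)
    print("anonymous user enumeration possible:", leaks_existence(res))
```

Usage against a live deployment is `python enum_check.py https://host/portal jdoe zz-no-such-user`; include one name you know is real and one that cannot exist. After any remediation (a rewrite rule, a proxy ACL, or a vendor setting), the goal is that both names classify the same way, ideally "blocked", since a 403 for real users and a 400 for bogus ones would still be an oracle. The script deliberately does not page through guesses in bulk: it is a verification check, not a brute-force tool, and it should only be pointed at a portal you are authorized to test.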


MichaelVolz
Esteemed Contributor

Do you have single sign-on enabled for your Portal?  Wouldn't this prevent anonymous access to /portal/sharing/rest if it is to be accessed outside your network?

htsubaie
Occasional Contributor

Hello @MichaelVolz

Unfortunately, it is possible to try different user names in the mentioned directory until you find an existing user, without needing to be signed in. Our cyber team was not given any user names, and they gave us a screenshot of the information regarding the user; there is no option in the portal that can prevent it.

Good day
