We have implemented an open data portal that allows user to get service URLs from the API menu. We want to promote the use of our map and imagery services through an open data environment. However in the ESRI security documentation for ArcGIS Enterprise 10.5 it is recommended that the server rest directories be disabled to stop scanners and attackers from getting a complete menu of what your product can do.
Disabling the Rest services folder then stops the user being able to use the API links from the open data portal.
I'm a little confused here as to what is best practice. We want users to access our data however want a secure environment.
Any help would be appreciated.
Hi, Not always "Best practice" is applicable. Look for the "Best Fit" strategy. In this case of ArcGIS server and your requirement, it will help if basic security mechanism is applied (user authentication & authorization) with SSL enabled.
However, i think for an open data scenario try exploring the option of ArcGIS Portal. It has lot of features that really supports open data for users and really it is meant for this use. I think sharing data through the portal makes it easy across different level of users regardless of being technical, marketing or management, etc. Also it has robust security measures applied.
To start, I'd log a quick case with Support to ask to be added to the following enhancement:
There's dissonance between the Open Data design and ArcGIS Server best practices that should be reviewed.
We have been added to
This only seems to occur on rest end points that have had their services directory browsing disabled. Is there a work around ?