Securing Services

09-15-2016 09:37 AM
Occasional Contributor III

If using the Web Adaptor is it really necessary to "secure" the published services?

The customer will only consume services via REST, so in my mind it seems a bit of overkill to secure the published services on top of running the Web Adaptor.

Users = Domain A

ESRI = Domain B (this is by design and cannot be moved to Domain A)

What would be the cleanest way to secure services... if they even need to be secured at all?

0 Kudos
2 Replies
MVP Emeritus

A couple of reasons I want to secure services using ArcGIS Server secure folders (beyond the Web Adaptor) come to mind:

  1. We don't have the server/network resources to allow other "consumers" to include our REST in their apps, and
  2. some variations of our services are public, while others have more fields/data that are for internal use only.

I'm sure there are other reasons. If all your services are public and you aren't concerned about #1, then you may not need security. However, even if you are using the Web Adaptor and you don't openly publish your endpoint, a couple of minutes with Fiddler or other developer tools can usually find this info. However, if you have security (Configuring ArcGIS Server security—Documentation (10.4) | ArcGIS for Server) and a proxy, you can prevent others from using the services within their own. Again, that might not be a concern, but it is something to keep in mind.

You may want to check out ArcGIS Security—Trust ArcGIS | ArcGIS since it has info on security for many of the products/platforms.

Also, just as a note, make sure your patches are up to date, including the one mentioned here:

ArcGIS Server Security Patch (2016 Update 2) | ArcGIS Blog

Occasional Contributor III

If ArcGIS Server services are not secured, one can simply hit the specific port, sidestepping the Web Adaptor, and still get access to the services.

Once you enable web-tier auth, other than admin/manager, you must go through the Web Adaptor or you will get a 403.

Also handy through the Web Adaptor: the manager/publisher accounts are auto logged in, so there is no need for digging up KeePass credentials.

0 Kudos
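A defender-side check for the direct-port bypass described in the reply above, written as an added example (not code from the thread or from Esri). The hostnames are assumptions; port 6443 and the /arcgis/rest/services path are ArcGIS Server defaults, but adjust them to your site.

```python
import urllib.error
import urllib.request

# Assumed hostnames: replace with your own. Port 6443 and /arcgis/rest/services
# are ArcGIS Server defaults; check your site's configuration.
DIRECT_URL = "https://gis-internal.example.com:6443/arcgis/rest/services?f=json"
ADAPTOR_URL = "https://www.example.com/arcgis/rest/services?f=json"


def fetch_status(url, timeout=5):
    """HTTP status code for an anonymous GET, or None if no connection was made."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # server answered, e.g. 401 or 403
    except (urllib.error.URLError, OSError):
        return None              # refused, timed out or filtered


def assess(direct_status, adaptor_status):
    """Classify exposure from the two status codes: (verdict, explanation)."""
    if direct_status == 200:
        return ("EXPOSED", "server port serves the REST root anonymously; "
                           "the Web Adaptor can be bypassed")
    if adaptor_status is None:
        return ("ADAPTOR_UNREACHABLE", "Web Adaptor path did not answer; "
                                       "the public entry point itself is broken")
    if direct_status in (401, 403):
        return ("OK_WEB_TIER_AUTH", "server port rejects anonymous requests "
                                     "(expected once web-tier auth is on)")
    if direct_status is None:
        return ("OK_NETWORK", "server port not reachable from this vantage "
                              "point; the firewall is doing the work")
    return ("REVIEW", f"unexpected status {direct_status} on the server port")


def check_site(direct_url=DIRECT_URL, adaptor_url=ADAPTOR_URL, fetch=fetch_status):
    """Probe both paths; return (verdict, explanation, direct_status, adaptor_status)."""
    direct = fetch(direct_url)
    adaptor = fetch(adaptor_url)
    verdict, why = assess(direct, adaptor)
    return verdict, why, direct, adaptor


if __name__ == "__main__":
    verdict, why, direct, adaptor = check_site()
    print(f"direct={direct} adaptor={adaptor} -> {verdict}: {why}")
```

Run it from the network segment your users sit on; a direct-port result of 200 means the Web Adaptor is decoration, not a control.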