Securing Services

09-15-2016 09:37 AM
Regular Contributor

If using the Web Adaptor is it really necessary to "secure" the published services?

   customer will only consume services via the REST, so in my mind it seems a bit of overkill to secure the published services on top of running the web adaptor.

Users = Domain A

ESRI = Domain B (this is by design and cannot be moved to Domain A)

   what would be the cleanest way to secure services....if they even nee to be secured at all?



0 Kudos
2 Replies
MVP Esteemed Contributor

A couple reasons I want to secure services using ArcGIS Server secure folders (beyond web adaptor) come to mind:

  1. we don't have the server/network resources to allow other "consumers" to include our REST in their apps., and
  2. some variations of our services are public, while others have more fields/data that are for internal use only.

I'm sure there are other reasons.  If all your services are public and you aren't concerned about #1, then you may not need security.  However, even if using the web adaptor and you don't openly publish your end point, a couple minutes with Fiddler or other developer tools can usually find this info.  However, if you have security (Configuring ArcGIS Server security—Documentation (10.4) | ArcGIS for Server  ) and a proxy, you can prevent others from using the services within their own.  Again, that might not be a concern, but something to keep in mind.

You may want to check out ArcGIS Security—Trust ArcGIS | ArcGIS since it has info on security for many of the products/platforms.

Also, just as a note, make sure your patches are up to date, including the one mentioned here:

ArcGIS Server Security Patch (2016 Update2) | ArcGIS Blog 

Regular Contributor II

if arcgis server services are not secure, one can simply hit up the Specific Port - side stepping the web adaptor and still get access to services.

Once you web tier auth, other than admin / manager, you must go through the web adaptor. or you will get a 403 

also handy through the web adaptor is the manager / publisher accounts are auto logged in... no need for Digging up KeePass credentials. 

0 Kudos