Following a malicious attack on our ArcGIS Enterprise environment, we have disabled the primary site admin account that was compromised during the attack. Since we disabled the account, Monitor is no longer reporting metrics on services tied to the server site. I would like to have an alternative authentication method that allows us to keep the primary site admin account disabled to meet the recommendations in Esri's Hardening Guide.
Hi @RachaelWebster13,
I'm sorry to hear about the cyber attack that happened to your enterprise GIS.
Yes, we are aware of the security recommendation change(s) in the ArcGIS Enterprise Hardening Guide and we're actively working with the ArcGIS Enterprise Dev team to look at alternate options.
Hello,
I would like Esri to consider one or more of the following improvements in a future ArcGIS Monitor release:
ArcGIS Monitor should support registering and monitoring a federated ArcGIS Server site by using a Portal for ArcGIS administrator account instead of requiring the ArcGIS Server PSA account.
This would allow organizations to keep the PSA account disabled while still allowing ArcGIS Monitor to collect the required metrics from the federated server.
It would be helpful to provide specific privileges in Portal for ArcGIS that can be assigned to a custom role for ArcGIS Monitor.
This would allow organizations to create a dedicated Monitor service account with only the minimum required privileges, instead of requiring a full Portal administrator or the ArcGIS Server PSA account.
Ideally, this custom role would allow ArcGIS Monitor to collect health, performance, service, machine, log, and availability metrics without granting unnecessary administrative permissions.
ArcGIS Monitor should also provide a supported way to register and monitor ArcGIS Data Store using an ArcGIS Enterprise identity, delegated credential, or Monitor-specific service account model.
This would reduce the need to manage separate native Data Store administrative credentials only for monitoring purposes.
This request is especially relevant for organizations with strict security policies where built-in administrator accounts must be disabled, and monitoring tools must use dedicated service accounts with controlled privileges.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.