Secured federated server site and Monitor 2023

06-30-2023 08:47 AM
JeffreyGrussing-GRE
Occasional Contributor

Hello, I have a question around registering a secure federated server site in Monitor 2023. Best practice for security of ArcGIS Server requires the Primary Site Administrator account (PSA) to be disabled. However, Monitor requires the PSA to be able to register a server site. How do you register a server site if the PSA is disabled?

AndrewSakowicz
Esri Contributor

I agree, ensuring the security is not compromised is a critical requirement when configuring ArcGIS Monitor, or any other monitoring tools. Administrators need to evaluate the risks and understand that in order to provide effective monitoring, direct "admin" access to a target component is required. This goes for Windows and Linux as well as ArcGIS Server. In this specific case, accessing ArcGIS Server directly (through the local port) allows monitoring to continue even if the Web Adaptor or Portal are not available. This would be very helpful when troubleshooting outages. Therefore, ArcGIS Monitor requires the PSA and registration through the local port. This access can be restricted using firewall rules. Also, please note the security tip context below.

https://enterprise.arcgis.com/en/server/latest/administer/windows/disabling-the-primary-site-adminis...

“To help ensure a secure environment for ArcGIS Server, Esri recommends you disable the primary site administrator account. This ensures the only way to administer ArcGIS Server is through the group or role you've specified in your identity store.”

JeffreyGrussing-GRE
Occasional Contributor

Here is a little more info on the environment we have installed. We have an HA enterprise with two server sites, one hosting with RDS installed, the other with general content. There is no Web Adaptor installed; we are using load balancers. We are using two-factor authentication using SAML and PingFederate. ArcGIS Server is being accessed on the default port of 6443 through the load balancer. I am not the IT guy, but I know enough to understand. I know how to disable the PSA, we have done that, but every time we do we lose monitoring of the server site. So that is my question: how do I get monitoring to continue if I disable the PSA?

AndrewSakowicz
Esri Contributor

You are correct, ArcGIS Monitor requires the PSA to monitor. The rationale is to allow monitoring independent of ArcGIS Portal. In your case of a federated server (Web Adaptor or not), without the server PSA, the authentication would have to be managed by Portal. That means that if Portal is down, server monitoring would stop working.

We are evaluating allowing for authorization via a Portal federated user. However, this will lose the ability of independent monitoring as mentioned above, which will remain our recommended best practice.

I agree with the least privilege principle. However, allowing the PSA is not inherently insecure, and access to it can be further restricted.
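One way to apply the firewall restriction both of the replies above mention, as an added example that is not from the thread or from Esri: a PowerShell script using the built-in Windows NetSecurity cmdlets on the ArcGIS Server machine that limits inbound TCP 6443 to the ArcGIS Monitor host and the load balancer nodes that front the site. The IP addresses and rule name are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): restrict inbound access to ArcGIS Server's
# default port 6443 so that only ArcGIS Monitor (which needs the PSA-backed
# local-port access) and the load balancers can reach it.
# All addresses below are placeholders; replace them with your own.
$MonitorHost   = '10.0.0.50'                  # placeholder: ArcGIS Monitor server
$LoadBalancers = @('10.0.1.10', '10.0.1.11')  # placeholder: load balancer nodes
$Port          = 6443
$RuleName      = "ArcGIS Server $Port - Monitor and LB only"

# 1. Find existing inbound allow rules for 6443 that are open to Any remote
#    address and disable them, so they cannot undo the narrower rule below.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Disabling broad rule '$($_.DisplayName)' (remote address Any)"
            Disable-NetFirewallRule -Name $_.Name
        }
    }

# 2. Ensure the profile default for inbound traffic is Block (the Windows default),
#    so only explicit allow rules admit traffic. Review other required inbound
#    services first; anything without an allow rule will be blocked after this.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 3. Allow 6443 only from the monitoring host and the load balancers.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress (@($MonitorHost) + $LoadBalancers) -Action Allow

# 4. Verify which remote addresses the new rule admits.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```

Windows Firewall gives block rules precedence over allow rules, so the restriction is expressed as a narrow allow on top of a Block default rather than as a block-all-except rule.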