Esri Software Security & Privacy Blog - Page 2

RandallWilliams
Esri Regular Contributor

Users are asking us how ArcGIS Enterprise may be affected by Microsoft blocking unsigned LDAP communication in Active Directory starting in March 2020.

ArcGIS Enterprise itself is not affected by this as long as connections to Active Directory can be made using LDAPS (port 636). To meet this requirement, be sure that LDAPS is available on your Active Directory servers.

However, *if* your organization is using the Java Web Adaptor (which itself requires a J2EE server such as Tomcat, GlassFish, WebLogic, etc.) and you're using web tier authentication with Active Directory, then the J2EE application server must itself be configured to connect to the directory server using LDAPS.

Even if ArcGIS Enterprise is configured to use LDAP over plaintext port 389, it will first attempt to connect via LDAPS (port 636) regardless. Front-end application servers are unlikely to follow this pattern and will communicate with the directory server exactly as configured.

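The check a site administrator wants before the March 2020 change lands is whether the domain controller actually answers on 636 with a certificate the host trusts, and whether a simple bind over that channel succeeds. The script below is an added example and is not code from the post above or from Esri; the host name dc01.example.com, the port and the bind account are assumptions, and it targets Windows PowerShell 5.1 on a domain-joined machine.

```powershell
# Added example, not code from the original post: probe a domain controller for LDAPS and do a real
# bind over 636, which is what ArcGIS Enterprise (and a Java Web Adaptor host such as Tomcat) needs
# once unsigned LDAP on 389 is blocked. Host name, port and bind account are assumptions.
# Windows PowerShell 5.1 on a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)] [string]       $DomainController,   # e.g. dc01.example.com (assumed)
        [Parameter(Mandatory)] [pscredential] $Credential,         # a low-privilege, read-only bind account
        [int] $Port = 636
    )

    # 1. Is anything listening on the LDAPS port? If not, the DC has no usable server certificate
    #    and LDAPS has to be enabled there before ArcGIS Enterprise can use it.
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Host = $DomainController; Port = $Port; Listening = $false; Bound = $false
                                  Subject = $null; Issuer = $null; NotAfter = $null; ChainStatus = $null
                                  SanMatchesHost = $null; Error = 'port closed' }
    }

    # 2. LDAPS session (TLS from the first byte, not StartTLS). We validate the DC certificate ourselves
    #    so the result says *why* a bind failed: untrusted issuer, expired certificate, name mismatch.
    $state = @{ Cert = $null; ChainStatus = @(); SanOk = $false }
    $verify = {
        param($connection, $certificate)
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $ok = $chain.Build($cert2)                       # trusted root + validity + revocation (machine defaults)
        # X509Chain does not check the host name; the SAN must cover the name we connected to.
        # (Exact-name match: a wildcard SAN would need a looser comparison.)
        $san = $cert2.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $state.SanOk = [bool]("$san" -match [regex]::Escape($DomainController))
        $state.Cert = $cert2
        $state.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        return ($ok -and $state.SanOk)                   # a bad certificate aborts the bind instead of being ignored
    }
    $verify = $verify.GetNewClosure()                    # capture $state and $DomainController for the callback

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind: only TLS protects it
    $conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]$verify

    try {
        $conn.Bind($Credential.GetNetworkCredential())   # throws LdapException on TLS failure or rejected credentials
        $bound = $true;  $err = $null
    } catch {
        $bound = $false; $err = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }

    $cert = $state.Cert
    [pscustomobject]@{
        Host           = $DomainController
        Port           = $Port
        Listening      = $true
        Bound          = $bound
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        ChainStatus    = ($state.ChainStatus -join ', ')   # empty when the chain validated cleanly
        SanMatchesHost = $state.SanOk
        Error          = $err
    }
}

# Usage: probe the DC that ArcGIS Enterprise, or the Tomcat hosting the Java Web Adaptor, will talk to
$cred = Get-Credential -Message 'LDAP bind account (read-only)'
Test-LdapsBind -DomainController 'dc01.example.com' -Credential $cred | Format-List
```

A result with Listening true but Bound false and a non-empty ChainStatus (UntrustedRoot, NotTimeValid) is the case that bites the Java Web Adaptor: the DC speaks LDAPS, but the host does not trust the certificate. For Tomcat's JNDIRealm that means the connectionURL must use the ldaps://dc01.example.com:636 form and the DC's issuing CA must be in the JVM truststore; otherwise its bind fails in exactly the way the callback above rejects it. Once the DC requires signing, the same simple bind attempted over plaintext 389 is refused, which is why the plaintext-configured front end stops working while ArcGIS Enterprise, which tries 636 first, keeps going.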
RandallWilliams
Esri Regular Contributor

Microsoft released a patch in January for a critical issue in the Microsoft Windows CryptoAPI (CVE-2020-0601).

Michael Young has provided Esri's response to how our products are impacted and the steps we've taken to keep you safe.

You'll find this statement in the 'Alerts and Announcements' section of the ArcGIS Trust Center.

GregoryBrown2
Deactivated User

The ArcGIS Online (AGO) Security Advisor has been updated. For information regarding this product, see the ArcGIS Online Security Advisor story map. You can launch the app from the ArcGIS Trust Center. See the release notes below!

This release focuses on the upcoming AGO HTTPS-only enforcement in September 2020. The HTTP Check is no longer beta and supports processing up to 1000 content items by analyzing the item page and the item's data information (if it can be handled as JSON; the HTTP Checker's help page identifies the content data types that are not processed). Improvements will be made as needed.

Run the search by just pressing the 'Enter' key to scan all available items, or enter keywords into the search filter to focus on specific content items. For more information, check out the HTTP Checker's help content once you've logged into the application.

The AGO HTTPS-only enforcement is expected to be implemented in September 2020.

v2.0.4 - 2019/DEC/06

HTTP Check

  • No longer Beta. Further improvements will be made as needed.
  • Corrected issue that would prevent item page info from being processed and results displayed if there was an issue with that item's data information.
  • Increased processing count to first 1000 items (up from 100).
  • UI Updates
  • Help text updated.

Application Changes

  • Click on visitor page footer version number to view release notes.
  • Adjusted text on visitor page to highlight that the advisor is not officially supported through Esri but is offered and maintained by the Esri Software Security & Privacy Team. Provided email address for questions.
  • Adjusted the left side navigation menu to float and move with screen scroll.
  • Updated bootstrap, jquery and arcgis javascript libraries to current versions.

Settings Advisor

  • Policy message updated to include warning text when Social Logins is enabled.


Regards,

Esri Software Security & Privacy Team

AGO Security Advisor - https://arcg.is/ago-advisor

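What the HTTP Check does, as described above, is walk an item's page properties and its data JSON looking for plaintext http:// references. The script below is an added example of that idea and is not the Advisor's code or Esri's; the two JSON documents are constructed for the example (a real check fetches them from the sharing API), and it only handles JSON, not the other data types the Advisor's help page lists.

```powershell
# Added example, not code from the original post or from the Advisor: walk an item's JSON (item page
# properties plus item data) and report every http:// reference that will break once ArcGIS Online
# is HTTPS-only. The item JSON at the bottom is constructed for this example.
function Find-InsecureUrls {
    param(
        [Parameter(Mandatory)] $Node,          # any node of a ConvertFrom-Json result
        [string] $Path = '$'                   # JSONPath-style location of $Node, for the report
    )
    if ($null -eq $Node) { return }
    if ($Node -is [string]) {
        # Plain http:// only; https:// and protocol-relative (//host) references are fine
        foreach ($m in [regex]::Matches($Node, 'http://[^\s"''<>]+', 'IgnoreCase')) {
            [pscustomobject]@{ Path = $Path; Url = $m.Value }
        }
        return
    }
    if ($Node -is [System.Collections.IDictionary]) {               # hashtables (e.g. -AsHashtable on newer PowerShell)
        foreach ($k in @($Node.Keys)) { Find-InsecureUrls -Node $Node[$k] -Path "${Path}.${k}" }
        return
    }
    if ($Node -is [System.Collections.IEnumerable]) {               # JSON arrays
        $i = 0
        foreach ($item in $Node) { Find-InsecureUrls -Node $item -Path "${Path}[$i]"; $i++ }
        return
    }
    if ($Node -is [System.Management.Automation.PSCustomObject]) {  # JSON objects
        foreach ($p in $Node.PSObject.Properties) { Find-InsecureUrls -Node $p.Value -Path "${Path}.$($p.Name)" }
    }
    # numbers, booleans and dates carry no URLs
}

# Constructed sample: a web map whose basemap is already https but whose operational layer URL and a
# popup link still use http. Real item page / item data JSON comes from the ArcGIS Online sharing API.
$itemPage = @'
{ "id": "abc123", "type": "Web Map", "title": "Parcels (demo)", "url": null, "access": "org" }
'@ | ConvertFrom-Json
$itemData = @'
{ "baseMap": { "baseMapLayers": [
      { "url": "https://services.arcgisonline.com/arcgis/rest/services/World_Topo_Map/MapServer" } ] },
  "operationalLayers": [
    { "title": "Parcels", "url": "http://gis.example.com/arcgis/rest/services/Parcels/MapServer/0" },
    { "title": "Zoning",  "url": "https://gis.example.com/arcgis/rest/services/Zoning/MapServer/0",
      "popupInfo": { "description": "<a href='http://intranet.example.com/zoning'>details</a>" } }
  ] }
'@ | ConvertFrom-Json

$findings = @(Find-InsecureUrls -Node $itemPage -Path 'item') + @(Find-InsecureUrls -Node $itemData -Path 'data')
$findings | Format-Table -AutoSize
```

The Path column is what makes the report actionable: a finding under operationalLayers[n].url means the layer itself must be re-pointed at an HTTPS endpoint (which in turn needs a valid certificate on that server), while one under popupInfo is a content edit. Running the walker over a few hundred items is a matter of looping over the search results and feeding each item's page and data JSON through it.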
RandallWilliams
Esri Regular Contributor

*******************

Update - August 2020:

ArcGIS Enterprise Portal's help documentation can now be sourced from the ArcGIS Enterprise Web Help instead of the locally installed help. Introduced at 10.8.1, the Help source determines whether your organization's access to help topics is derived from https://enterprise.arcgis.com or an installed source. By default, the source is set to the local, installed source. When internet access is available, enable this option to deliver help from https://enterprise.arcgis.com.

We've also updated this blog to explain how users of older versions might source the web-based ArcGIS Enterprise Help via an HTTP redirect.

*******************

The installed help documents for ArcGIS Enterprise are provided for everyone anonymously. The content is not sensitive, and can be easily found on the web. Sometimes, however, organizations have policies that require authentication for all endpoints of any website under their authority, and that can cause a challenge for site managers whose only other path is to seek an exclusion. Other organizations have strict policies regarding aged 3rd-party libraries that support the installed help docs. Regardless of the use case, some organizations may choose to prevent access to these pages.

For those users, there are a few potential workarounds that can be explored: either implement web tier security or create an HTTP redirect specifically for the help docs.

Here's how the help doc can be secured:

1. First, open Windows Explorer and drill down to where your Portal or Server web adaptor is installed. For this example we'll use 'Portal'.

2. Inside (for example) c:\inetpub\wwwroot\portal\, create a new folder called "portalhelp".

3. Next, open IIS Manager. Drill down to the website that hosts your web adaptor, and find the 'portalhelp' folder.

4. Finally, use the IIS 'Authentication' feature to disable anonymous access and enable Windows authentication.

Now when users attempt to access the help documentation, they'll need to provide Windows credentials.

Do the same for other help document locations:

ArcGIS Server:

  • /<server web adaptor>/help/
  • /<server web adaptor>/sdk/

A redirect can be achieved by:

1. Install the HTTP Redirect Module for IIS.

2. Follow steps 1-3 above.

3. Use the HTTP Redirect Module to point the 'portalhelp' virtual directory to the web help source, e.g. https://enterprise.arcgis.com/en/documentation/

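Both procedures above (require Windows authentication, or redirect to the web help) are a handful of IIS Manager clicks; on more than one web adaptor host it is easier to script them and then prove the result with an anonymous request. The script below is an added example and is not code from the post or from Esri. The site name 'Default Web Site', the web adaptor name 'portal', the wwwroot path and the probe URL gis.example.com are assumptions; it targets Windows PowerShell 5.1 on the IIS host, with the Windows Authentication role service (Web-Windows-Auth) and, for the redirect variant, HTTP Redirection (Web-Http-Redirect) installed.

```powershell
# Added example, not code from the original post: the IIS steps above as a script, plus a probe
# that shows the help path now answers 401 (or 302 for the redirect variant) instead of 200.
# Site name, web adaptor name, wwwroot path and probe URL are assumptions. Windows PowerShell 5.1
# on the IIS host; Web-Windows-Auth and (for the redirect) Web-Http-Redirect must be installed.
Import-Module WebAdministration

function Protect-HelpPath {
    param(
        [string] $Site       = 'Default Web Site',
        [string] $WebAdaptor = 'portal',
        [string] $HelpFolder = 'portalhelp',
        [string] $WebRoot    = 'C:\inetpub\wwwroot',
        [string] $RedirectTo = ''     # e.g. https://enterprise.arcgis.com/en/documentation/ ; empty = require Windows auth
    )
    # Steps 1-2: a physical folder under the web adaptor gives IIS a node to attach settings to
    $physical = Join-Path (Join-Path $WebRoot $WebAdaptor) $HelpFolder
    New-Item -ItemType Directory -Path $physical -Force | Out-Null

    # Step 3: the IIS location (site/app/folder) the settings are scoped to. Writing with -Location
    # stores them in applicationHost.config, which is how IIS Manager does it for the locked
    # authentication sections.
    $location = "$Site/$WebAdaptor/$HelpFolder"
    $auth = '/system.webServer/security/authentication'

    if ($RedirectTo) {
        # Redirect variant: hand the request to the public web help instead of serving the local copy.
        # exactDestination=true sends every request to the landing page, since the installed help's
        # paths do not necessarily exist on enterprise.arcgis.com.
        Set-WebConfiguration -Filter '/system.webServer/httpRedirect' -PSPath 'IIS:\' -Location $location -Value @{
            enabled = 'true'; destination = $RedirectTo; exactDestination = 'true'; httpResponseStatus = 'Found'
        }
    } else {
        # Step 4: no anonymous access, Windows authentication on
        Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false -PSPath 'IIS:\' -Location $location
        Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true  -PSPath 'IIS:\' -Location $location
    }

    # Read back what IIS will actually enforce for this path
    [pscustomobject]@{
        Location  = $location
        Anonymous = (Get-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" -Name enabled -PSPath 'IIS:\' -Location $location).Value
        Windows   = (Get-WebConfigurationProperty -Filter "$auth/windowsAuthentication"   -Name enabled -PSPath 'IIS:\' -Location $location).Value
        Redirect  = (Get-WebConfigurationProperty -Filter '/system.webServer/httpRedirect' -Name enabled -PSPath 'IIS:\' -Location $location).Value
    }
}

function Test-HelpPath {
    # Anonymous GET without following redirects: the status code is the whole result
    param([Parameter(Mandatory)] [string] $Url)    # e.g. https://gis.example.com/portal/portalhelp/ (assumed)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Location = $null }
    } catch {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }                  # DNS/TLS/connection failure, not an HTTP answer
        [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    }
}

Protect-HelpPath                                                                  # Windows-auth variant
# Protect-HelpPath -RedirectTo 'https://enterprise.arcgis.com/en/documentation/'   # redirect variant
Test-HelpPath -Url 'https://gis.example.com/portal/portalhelp/'
```

A 200 from Test-HelpPath after the change means the setting landed somewhere other than the path IIS actually serves the help from, so check the location string against the site tree in IIS Manager. The two ArcGIS Server locations listed above are covered by calling Protect-HelpPath -WebAdaptor 'server' -HelpFolder 'help' and again with -HelpFolder 'sdk'. Users who should still see the installed help can be tested with the same request plus -UseDefaultCredentials, which sends the caller's Windows identity.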
BrendanBladdickEsri
Esri Contributor

In order to build full trust within your environment, it is important to have all your machines trust each other. This is especially important if Portal, Server, Data Store and Web Adaptor are all on different machines, as in most environments the communication will be terminated if there is invalid trust caused by invalid certificates.

This blog will be short, sweet and to the point.

You will need to put the following inside the Portal and Server SSL certificate stores if -->

You have an external environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Public CA root certificate (.cer)
  • Public CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two or more server machines you need one for each, then one for the portal machine) (.pfx)

You have an internal environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two server machines you need one for each, then one for the portal machine) (.pfx)

Then import each certificate into the Server/Portal internal web server through the admin endpoint, starting with both the Public CA and Domain CA root certificates, then all the Public CA and Domain CA intermediate certificates, then the Domain CA .pfx certificate for that specific machine, which is used to establish valid certificate trust when accessing Portal/Server through the port (7443/6443).

You can also import the Domain CA certificate into the Data Store; however, most of the time this is not necessary.

 

How to import certificates into Portal, Server & Data Store:


Portal --> Import a certificate into the portal—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 


Server --> Configure ArcGIS Server with an existing CA-signed certificate—ArcGIS Server Administration (Windows... 

Data Store --> Replace ArcGIS Data Store SSL certificate—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

A little bit about why this is important:

Security best practices—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

Best practices for configuring a secure environment—ArcGIS Server Administration (Windows) | ArcGIS ...

Directly from the above documentation -->

"Like ArcGIS Server, the ArcGIS Enterprise portal also comes with a preconfigured self-signed certificate. If you'll be federating your site with a portal, you should request a certificate from a trusted CA and configure the portal to use it.

Configuring a certificate from a trusted authority is a secure practice for web-based systems and will also prevent users from encountering any browser warnings or other unexpected behavior. If you choose to use the self-signed certificate included with ArcGIS Server and the ArcGIS Enterprise portal during testing, you will experience the following:

  • Warnings from your web browser, from ArcGIS Desktop, or from ArcGIS Pro about the site being untrusted. When a web browser encounters a self-signed certificate, it will typically display a warning and ask you to confirm that you want to proceed to the site. Many browsers display warning icons or a red color in the address bar for as long as you are using the self-signed certificate.
  • The inability to open a federated service in the portal's Map Viewer, add a secured service item to the portal, log in to ArcGIS Server Manager on a federated server, or connect to the portal from ArcGIS Maps for Office.
  • Unexpected behavior when configuring utility services, printing hosted services, and accessing the portal from client applications.
Caution:

The above list of issues you will experience when using a self-signed certificate is not exhaustive. It's imperative that you use a CA-signed certificate to fully test and deploy your portal."

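The import order the post gives (roots, then intermediates, then the machine's own .pfx) only works if the files you were handed actually form one chain, the .pfx carries its private key, and its SAN names the host clients will use on 7443/6443. Those are the three things that go wrong most often, and each shows up later as a browser or federation error. The script below is an added example and is not code from the post or from Esri; the file names under C:\certs, the password prompt and the host name portal01.example.com are assumptions. It checks the files offline and prints the import order.

```powershell
# Added example, not code from the original post: sanity-check the .cer/.pfx set for one machine before
# importing it through the Portal (7443) or Server (6443) admin endpoint, and emit the import order the
# post describes: roots, then intermediates, then this machine's .pfx. Paths, password and host name are
# assumptions.
function Get-CertificateImportPlan {
    param(
        [Parameter(Mandatory)] [string[]]     $CaFiles,       # .cer files: domain and/or public CA roots and intermediates
        [Parameter(Mandatory)] [string]       $PfxFile,       # the CA-signed server certificate for this machine
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string]       $ExpectedHost   # FQDN clients will use, e.g. portal01.example.com
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $byThumb = @{}                                             # thumbprint -> file, so the plan can name files
    $cas = foreach ($f in $CaFiles) {
        $c = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $f).Path
        $byThumb[$c.Thumbprint] = $f
        $c
    }
    $leaf = New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $PfxFile).Path, $PfxPassword, 'Exportable'
    $byThumb[$leaf.Thumbprint] = $PfxFile

    # A root signs itself; anything else supplied as .cer is treated as an intermediate
    $roots         = @($cas | Where-Object { $_.Subject -eq $_.Issuer })
    $intermediates = @($cas | Where-Object { $_.Subject -ne $_.Issuer })

    # Build the leaf's chain with the supplied files as extra material. The root may not be in this
    # host's store yet, so unknown-authority is tolerated here and the top of the chain is checked by hand.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'           # structural check only; revocation is a separate concern
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($c in $cas) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    [void]$chain.Build($leaf)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $top = $elements[-1]
    # Complete means: the chain ends at a self-signed root AND that root is one of the files you will
    # import. A root found only in the Windows store is not enough, since Portal/Server use their own stores.
    $chainComplete = ($top.Subject -eq $top.Issuer) -and ($roots.Thumbprint -contains $top.Thumbprint)

    # Name and key checks: the SAN must cover the name clients use, and the .pfx must carry the private key
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    $hostMatches = [bool]("$san" -match [regex]::Escape($ExpectedHost))

    $step = 0
    $groups = @(@{ Kind = 'root'; Certs = $roots }, @{ Kind = 'intermediate'; Certs = $intermediates },
                @{ Kind = 'server (.pfx)'; Certs = @($leaf) })
    $order = foreach ($g in $groups) {
        foreach ($c in $g.Certs) {
            $step++
            [pscustomobject]@{ Step = $step; Kind = $g.Kind; File = $byThumb[$c.Thumbprint]
                               Subject = $c.Subject; NotAfter = $c.NotAfter }
        }
    }

    [pscustomobject]@{
        ChainComplete  = $chainComplete      # false: a root or intermediate is missing from $CaFiles, or the wrong root was supplied
        ChainStatus    = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        HasPrivateKey  = $leaf.HasPrivateKey  # false: you were given the .cer of the server cert, not the .pfx
        HostMatchesSan = $hostMatches
        NotExpired     = ($leaf.NotAfter -gt (Get-Date))
        ImportOrder    = $order
    }
}

# Usage (assumed paths): run for the Portal machine with its own .pfx; repeat per ArcGIS Server machine
$plan = Get-CertificateImportPlan -CaFiles 'C:\certs\DomainRootCA.cer', 'C:\certs\DomainIssuingCA.cer' `
        -PfxFile 'C:\certs\portal01.pfx' -PfxPassword (Read-Host -AsSecureString 'PFX password') `
        -ExpectedHost 'portal01.example.com'
$plan | Select-Object ChainComplete, ChainStatus, HasPrivateKey, HostMatchesSan, NotExpired | Format-List
$plan.ImportOrder | Format-Table -AutoSize
```

Import the files in the Step order the plan prints; importing the .pfx before its issuers is the usual cause of a "certificate chain" complaint from the admin endpoint. For an external environment add the public CA's root and intermediate .cer files to -CaFiles and the plan will list them alongside the domain CA entries. The one thing this cannot tell you is whether the public CA's root is already trusted by your users' browsers; that is the reason the public chain is imported in the first place.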
PeterBuwembo
Esri Contributor

The California Consumer Privacy Act (CCPA) is almost a month away. This is the equivalent of Europe's General Data Protection Regulation (GDPR) dealing with consumer privacy.

What is it?

The law gives consumers broad new privacy rights and mandates how companies must manage, store and use customer data. Because of this large scope and the state’s important role in the US economy, this law is bound to impact marketing organizations across the entire US and beyond if they manage data on California residents.

So, what is going to change you ask?

Similar to GDPR, the CCPA will require organizations to manage the personal data of 12% of Americans in a whole new way. Consumer data collection will become much more complex and data privacy will become a significant issue. Beginning in January 2020, new obligations are going to require organizations to:

  1. Disclose to consumers what data is being collected and with whom it is shared or sold,
  2. Stop selling data if the consumer requests it,
  3. Delete data if the consumer requests it,
  4. Obtain explicit data collection opt-in for minors under the age of 16,
  5. Obtain parental consent for minors under the age of 13,
  6. Provide an easy mechanism for consumers to exercise their rights, including a free phone number and a prominent mechanism on their website explicitly labeled “Do Not Sell My Personal Information.”

Under CCPA, if consumers choose to exercise any of these rights, companies may not charge a higher price or offer a lower level of service (within reason).

NOTE: Esri is currently working on ensuring alignment by enforcement on 1/1/2020. If you have any questions regarding privacy with Esri products and services, please reach out to the Esri Software Security and Privacy team at Software_Security@esri.com

Additional information regarding CCPA.

RandallWilliams
Esri Regular Contributor

The ArcGIS License Manager 2019.0 is available.

This update addresses several vulnerabilities in Flexera FlexNet Publisher that are exploitable prior to FlexNet Publisher 11.16.2.

The ArcGIS License Manager 2019.0 uses FLEXnet Publisher 11.16.2.1.

Versions of Flexera FlexNet Publisher prior to 11.16.2 are affected by multiple vulnerabilities:

  • A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20031)

  • A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20032)

  • A Remote Code Execution vulnerability in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier could allow a remote attacker to corrupt the memory by allocating / deallocating memory, loading lmgrd or the vendor daemon and causing the heartbeat between lmgrd and the vendor daemon to stop. This would force the vendor daemon to shut down. (CVE-2018-20033)

  • A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20034)

The ArcGIS License Manager 2019.0 is compatible with the ArcGIS software versions described in the License Manager Guide.

Esri encourages all users to upgrade to ArcGIS License Manager 2019.0 to address these security concerns.

FAQ: What version of FLEXnet Publisher is used in ArcGIS License Manager?

RandallWilliams
Esri Regular Contributor

A new repository of documents is now available exclusively for users who have subscribed to an ArcGIS account.

The Esri Software Security and Privacy team is proud to announce a new, exclusive document repository now available on the ArcGIS Trust Center at https://trust.arcgis.com. 

This repository requires that users log in with their Esri Account. Inside you'll find a growing catalog of detailed information designed to help users and admins of Esri software understand implementation aspects that have impacts on security-related domains.

We have a number of documents in the pipeline that we'll add here as we continue to grow this area. Our goal is to both regularly publish new content and to update the existing content to meet the security and compliance needs of our customers.

We look forward to your feedback!

RandallWilliams
Esri Regular Contributor

In Esri PSIRT, we get a LOT of questions. Some questions we see more frequently than others - like folks wondering where your data goes when you publish to ArcGIS Online, or where to go to ask other questions. 

We've documented a lot of security, privacy, and compliance information over on our ArcGIS Trust Center.

Here are a few examples of some frequently asked questions, with some pointers on where to find references to support these answers.

The first set of questions we're usually asked is along the lines of:

Q: Do you house the servers where ArcGIS Online is hosted?

Q: If not, do you have a third party such as Amazon or Microsoft that handles this for you?

This is an example of a question that's documented in DCS-04 in the ArcGIS.com Cloud Security Alliance Controls Matrix. The controls documented in the Cloud Security Controls Matrix map to NIST SP 800-53 and ISO/IEC 27001:2013, and cover a great many aspects of ArcGIS Online.

Q: What else can you share from a security, privacy, or compliance standpoint?

We've accumulated a good bit of information for our customers. In fact, we curate https://trust.arcgis.com, which is a repository for knowledge regarding security, compliance, and privacy. Of particular note is our 'documents' section, found here: https://trust.arcgis.com/en/documents/.

Customers should know that ArcGIS Online is a FedRAMP Tailored Low authorized solution, authorized by the United States Department of Agriculture (USDA). This includes the requirement to adhere to robust continuous monitoring requirements, and security controls are reviewed at a minimum of every three (3) years.

Q: Who can I reach out to in order to obtain additional or more granular information if I don't see it on the ArcGIS Trust Center?

Esri's PSIRT is here to help. If we're missing something on the Trust Center, let us know. We'll answer your question and update our docs.

Let us know how else we can help!

RandallWilliams
Esri Regular Contributor

ArcGIS Enterprise security patches have been released for ArcGIS Server and Portal for ArcGIS.

ArcGIS Server Security 2019 Update 1 Patch

Portal for ArcGIS Security 2019 Update 1 Patch

You'll notice a new addition to our patch pages: CVSS base scoring and vector parameters.

CVSS is a way that software security professionals quantify risks associated with software security issues. Next to each patch above we list the highest risk addressed: moderate-risk security issues are addressed by the Server patch, and a high-risk issue is addressed by the Portal patch.

We strongly suggest users patch their systems to address these security concerns.
