Esri Software Security & Privacy Blog - Page 2

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Latest Activity

(33 Posts)
RandallWilliams
Esri Regular Contributor

Microsoft released a patch in January for a critical issue in the Microsoft WIndows CryptoAPI (CVE-2020-0601).

Michael Young‌ has provided Esri's response to how our products are impacted and the steps we've taken to keep you safe. 

You'll find this statement in the 'Alerts and Announcements' section of the ArcGIS Trust Center.

more
2 1 1,361
GregoryBrown2
New Contributor III

The ArcGIS Online (AGO) Security Advisor has been updated.  For information regarding this product, see the ArcGIS Online Security Advisor story map.  You can launch the app from the ArcGIS Trust Center.  See the release notes below!

This release focuses on the up coming AGO HTTPS only enforcement September 2020. The HTTP Check is no longer beta and supports processing up to 1000 content items by analyzing the item page and the item's data information (if it can be handled as JSON - the HTTP Checker's help page identifies the content data types that are not processed). Improvements will be made as needed.

Use the search by just pressing the 'enter' key to scan all available items or enter keywords into the search filter to focus on specific content items. For more information, check out the HTTP Checker's help content once you've logged into the application.

The AGO HTTPS only enforcement is expected to be implemented in September 2020.

v2.0.4 - 2019/DEC/06

HTTP Check

  • No longer Beta. Further improvements will be made as needed.
  • Corrected issue that would prevent item page info from being processed and results displayed if there was an issue with that item's data information.
  • Increased processing count to first 1000 items (up from 100).
  • UI Updates
  • Help text updated.

Application Changes

  • Click on visitor page footer version number to view release notes.
  • Adjusted text on visitor page to highlight that the advisor is not officially supported through Esri but is offered and maintained by the Esri Software Security & Privacy Team. Provided email address for questions.
  • Adjusted the left side navigation menu to float and move with screen scroll.
  • Updated bootstrap, jquery and arcgis javascript libraries to current versions.

Settings Advisor

  • Policy message updated to include warning text when Social Logins is enabled.

 

Regards,

Esri Software Security & Privacy Team

AGO Security Advisor - https://arcg.is/ago-advisor

more
2 2 1,906
RandallWilliams
Esri Regular Contributor

*******************

Update - August 2020:

 

ArcGIS Enterprise Portal's help documentation can now be sourced from the ArcGIS Enterprise Web Help instead of the locally installed help. Introduced at 10.8.1, the Help source determines whether your organization's access to help topics is derived from https://enterprise.arcgis.com or an installed source. By default, the source is set to the local, installed source. When internet access is available, enable this option to deliver help from https://enterprise.arcgis.com.

 

We've also updated this blog to explain how users of older versions might source the web based ArcGIS Enterprise Help via an HTTP redirect. 

*******************

 

The installed help documents for ArcGIS Enterprise are provided for everyone anonymously. The content is not sensitive, and can be easily found on the web. Sometimes however, organizations have policies that require that any website under their authority require authentication for all endpoints, and that can cause a challenge for site managers whose only other path is to seek an exclusion. Other organizations have strict policies regarding aged 3rd party libraries that support the installed help help doc. Regardless of the use case, some organizations may choose to prevent access to these pages. 

 

For those users, there are a few potential work arounds that can be explored, and those are to either implement web tier security or create an HTTP redirect specifically for the help docs.

 

Here's how the help doc can be secured: 

 

1. First, open windows explorer and drill down to where your Portal or Server web adaptor is installed. For this example we'll use 'Portal'. 

 

2. Inside (for example) c:\inetpub\wwwroot\portal\, create a new folder called "portalhelp"

 

3. Next, open IIS manager. Drill down to the website that hosts your web adaptor, and find the 'portalhelp' folder. 

 

4. Finally, use the IIS 'Authentication' feature to disable anonymous access and enable windows authentication. 

 

Now when users attempt to access the help documentation, they'll need to provide windows credentials.

 

Do the same for other help document locations:

 

ArcGIS Server:

  • /<server web adaptor>/help/
  • /<server web adaptor>/sdk/

 

A redirect can be achieved by:

 

1. Install the HTTP Redirect Module for IIS

 

2. Follow steps 1-3 above.

 

3. Use the HTTP Redirect Module to point the 'portalhelp' virtual directory to the web help source, eg: https://enterprise.arcgis.com/en/documentation/ 

 

more
2 0 1,931
BrendanBladdickEsri
Esri Contributor

In order to build full trust within your environment it is important to have all your machines trust each other. This is especially important if Portal, Server, Data Store and Web Adaptor are all on different machines as within most environments the communication will be terminated if there is invalid trust which is caused by invalid certificates.

This blog will be short, sweet and to the point.

You will need the following to put inside of portal and server sslcertificate store if -->

 

You have an external environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Public CA root certificate (.cer)
  • Public CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two or more server machines you need one for each then one for the portal machine) (.pfx)

 

You have an internal environment:

  • Domain CA root certificate (.cer)
  • Domain CA intermediate certificate (if you have one) (.cer)
  • Domain CA end/server certificate for each machine (if you have two server machines we need one for each then one for the portal machine) (.pfx)

 

Then import each certificate into the server/portal internal web server through the admin endpoint starting with both Public CA and Domain CA Root Certificates - then all the Public CA and Domain CA intermediate certificates - then importing the domain CA pfx certificate for that specific machine to be used in order for valid certificate trust when accessing portal/server through the port (7443/6443)

You can also import the Domain CA certificate into the Data Store however most of the time this is not necessary.

 

How to import certificates into Portal, Server & Data Store:

 

Portal --> Import a certificate into the portal—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

 

Server --> Configure ArcGIS Server with an existing CA-signed certificate—ArcGIS Server Administration (Windows... 

Data Store --> Replace ArcGIS Data Store SSL certificate—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

A little bit about why this is important:

Security best practices—Portal for ArcGIS (10.7 and 10.7.1) | ArcGIS Enterprise 

Best practices for configuring a secure environment—ArcGIS Server Administration (Windows) | ArcGIS ...

Directly from the above documentation -->

"Like ArcGIS Server, the ArcGIS Enterprise portal also comes with a preconfigured self-signed certificate. If you'll be federating your site with a portal, you should request a certificate from a trusted CA and configure the portal to use it.

Configuring a certificate from a trusted authority is a secure practice for web-based systems and will also prevent users from encountering any browser warnings or other unexpected behavior. If you choose to use the self-signed certificate included with ArcGIS Server and the ArcGIS Enterprise portal during testing, you will experience the following:

  • Warnings from your web browser, from ArcGIS Desktop, or from ArcGIS Pro about the site being untrusted. When a web browser encounters a self-signed certificate, it will typically display a warning and ask you to confirm that you want to proceed to the site. Many browsers display warning icons or a red color in the address bar for as long as you are using the self-signed certificate.
  • The inability to open a federated service in the portal's Map Viewer, add a secured service item to the portal, log in to ArcGIS Server Manager on a federated server, or connect to the portal from ArcGIS Maps for Office.
  • Unexpected behavior when configuring utility services, printing hosted services, and accessing the portal from client applications.
Caution:

The above list of issues you will experience when using a self-signed certificate is not exhaustive. It's imperative that you use a CA-signed certificate to fully test and deploy your portal."

more
6 0 2,408
PeterBuwembo
Esri Contributor

The California Consumer Privacy Act (CCPA) is almost month away. This is the equivalent of Europe’s General Data Protection Regulation(GDPR) dealing with consumer privacy.

What is it?

The law gives consumers broad new privacy rights and mandates how companies must manage, store and use customer data. Because of this large scope and the state’s important role in the US economy, this law is bound to impact marketing organizations across the entire US and beyond if they manage data on California residents.

So, what is going to change you ask?

This is similar to GDPR, the CCPA will require organizations to manage the personal data of 12% of Americans in a whole new way. Consumer data collection will become much more complex and data privacy will become a significant issue. Beginning in January 2020, new obligations are going to require organizations to:

  1. Disclose to consumers what data  is being collected and with whom it is shared or sold,
  2. Stop selling data if the consumer requests it,
  3. Delete data if the consumer requests it,
  4. Obtain explicit data collection opt-in for minors under the age of 16,
  5. Obtain parental consent for minors under the age of 13,
  6. Provide an easy mechanism for consumers to exercise their rights, including a free phone number and a prominent mechanism on their website explicitly labeled “Do Not Sell My Personal Information.”

Under CCPA, if consumers choose to exercise any of these rights, companies may not charge a higher price or offer a lower level of service (within reason).

NOTE: Esri is currently working on ensuring alignment by enforcement 1/1/2020. If you have any questions regarding  privacy with Esri products and services, please reach out to the Esri Software Security and Privacy @ Software_Security@esri.com 

Additional information regarding CCPA.

more
1 0 370
RandallWilliams
Esri Regular Contributor

The Arcgis License Manager 2019.0 is available.

This update addresses several vulnerabilities in Flexera FlexNet Publisher that are exploitable prior to FlexNet Publisher 11.16.2.

The ArcGIS License Manager 2019.0 uses FLEXnet Publisher 11.16.2.1.

Versions of Flexera FlexNet Publisher prior to 11.16.2 are affected by multiple vulnerabilities:

  • A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20031)

  • A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20032)

  • A Remote Code Execution vulnerability in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier could allow a remote attacker to corrupt the memory by allocating / deallocating memory, loading lmgrd or the vendor daemon and causing the heartbeat between lmgrd and the vendor daemon to stop. This would force the vendor daemon to shut down.
    (CVE-2018-20033)

  • A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon to stop, and the vendor daemon to shut down. (CVE-2018-20034)

The ArcGIS License Manager 2019.0 is compatible with the ArcGIS software versions described in the License Manager Guide.

Esri encourages all users to upgrade to ArcGIS License Manager 2019.0 to address these security concerns.

FAQ: What version of FLEXnet Publisher is used in ArcGIS License Manager?

more
2 4 1,517
RandallWilliams
Esri Regular Contributor

A new repository of documents is now available exclusively for users who have subscribed to an ArcGIS account.

The Esri Software Security and Privacy team is proud to announce a new, exclusive document repository now available on the ArcGIS Trust Center at https://trust.arcgis.com. 

This repository requires that users log in with their Esri Account. Inside you'll find a growing catalog of detailed information designed to assist users and admins of Esri software understand implementation aspects that have impacts on security related domains.

We have a number of documents in the pipeline that we'll add here as we continue to grow this area.  Our goal is to both regularly publish new content and to update the existing content to meet the security and compliance needs of our customers.

We look forward to your feedback!

more
0 0 291
RandallWilliams
Esri Regular Contributor

In Esri PSIRT, we get a LOT of questions. Some questions we see more frequently than others - like folks wondering where your data goes when you publish to ArcGIS Online, or where to go to ask other questions. 

We've documented many security, privacy, and compliance information over on our ArcGIS Trust Center.

Here are a few examples of some frequently asked questions, with some pointers on where to find references to support these answers. 

The first set of questions we're usually asked is along the lines of:

Q: Do you house the servers where ArcGIS Online is hosted?

Q: If not, do you have a third party such AMAZON, Microsoft that handles this for you?

This is an example of a question that's documented in DCS-04 in the ArcGIS.com Cloud Security Alliance Controls Matrix. The controls documented in the Cloud Security Controls Matrix map to NIST SP 800-53 and ISO/IEC 27001:2013, and cover a great many aspects of ArcGIS Online.

 

Q: What else can you share from a security, privacy, or compliance stand point?

We've accumulated a good bit of information for our customers. In fact, we curate https://trust.arcgis.com, which is a repository for knowledge regarding security, compliance, and privacy. Of particular note is our 'documents' section, found here: https://trust.arcgis.com/en/documents/.

 

Customers should know that ArcGIS Online is a FedRAMP Tailored Low authorized solution by the United States Department of Agriculture (USDA). This includes the requirement to adhere to robust continuous monitoring requirements and security controls are reviewed at a minimum of every three (3) years.

 

Q: Who can I reach out to to obtain additional or more granular information if I don't see it on the ArcGIS Trust Center?

Esri's PSIRT is here to help. If we're missing something on the Trust Center, let us know. We'll answer your question and update our docs.

 

Let us know how else we can help!

more
0 0 396
RandallWilliams
Esri Regular Contributor

ArcGIS Enterprise security patches have been released for ArcGIS Server and Portal for ArcGIS..

ArcGIS Server Security 2019 Update 1 Patch

Portal for ArcGIS Security 2019 Update 1 Patch

You'll notice a new addition to our patch pages - CVSS base scoring and vector parameters

CVSS is a way that software security professionals come quantify risks associated with software security issues. Next to each patch above we list the highest risk addressed, moderate risk security issues are addressed by the Server patch and a high risk issue is addressed by the Portal patch.

We strongly suggest users patch their systems to address these security concerns.

more
2 0 508
RandallWilliams
Esri Regular Contributor

In the last blog I wrote, I described ways to test desktop apps, operating systems, and Java installs to validate they were correctly sending requests to ArcGIS Online in order to validate that your apps will continue to function after TLS 1.0 and 1.1 are no longer supported after April 16, 2019.

Some users have expressed concern related to their mobile apps – older Android or iOS devices may not natively have support for TLS 1.2 enabled. Android fully supports TLS 1.2 starting at Android 5 (Lolipop), but custom Android apps may have enabled support for TLS 1.2 for Android 4.1.

Starting an iOS 9, Apple introduced App Transport Security, which enforces TLS 1.2 for most apps – but it’s possible that some vendors may have globally disabled or created domain exceptions for this feature.

All that’s well and good, but for the person who’s responsible for making sure apps are going to work, what does this mean? Is there a painless way that an app or device’s TLS 1.2 compatibility can be quickly validated?

Happily, the answer is yes, and just like in the last blog, we can use the Fiddler web debugging proxy to validate!

Because Fiddler won’t run natively on a mobile OS, there’s a bit of setup we need to do before we can validate.

First, go ahead and install Fiddler on a Windows machine. While there is a beta version of Fiddler for Linux, we’ll test with Windows.

Once it’s installed, we’ll need to gather some information set some options.

Next, if you don’t already know it, you’ll want to take note of your Windows machine hostname and IP address. You can get those details by opening a Windows console and entering the HOSTNAME and IPCONFIG commands like in the example below (details redacted to protect the innocent). These details will be used later.

Figure 1: Ipconfig and Hostname

IPCONFIG AND HOSTNAME COMMANDS

Once you have those details, open Fiddler and navigate to tools>options. Enable the option to allow remote computers to connect and keep the rest of the results.

Figure 2: Fiddler Connections options

Fiddler connection options

Next, click the ‘HTTPS’ tab. By default, the ‘Decrypt HTTPS traffic’ option is unchecked, but if you’ve used Fiddler to debug HTTPS traffic already, this option may be enabled.

Figure 3: Fiddler HTTPS options

fiddler https options

Next, you’ll want to configure your mobile device to push your web traffic through the Fiddler proxy.

To do this, your mobile device will need to use WIFI and be on the same local network as your Windows machine.

I have an iOS device I’m testing with, but the instructions for configuring your device to use a proxy should be similar.

Your favorite search engine should be able to assist with specifics.

 

In my case, once I’ve joined the WIFI, I click on the WIFI connection and scroll down to ‘Configure Proxy’

 

Figure 4: WIFI proxy configuration

configure device to use proxy

Once in the ‘Configure Proxy’ dialog, enable ‘Manual’ configuration, and populate the Server and Port settings.

Populate the ‘Server’ value with the hostname or IP address of the machine where Fiddler is running. By default, Fiddler listens on port 8888.

Figure 5: WIFI proxy configuration

device proxy config

Once that’s complete, you’re ready to test! Open your app and connect to your test resource.

Assuming your’re watching the Fiddler console, you’ll start to see your WIFI traffic being routed through the Fiddler proxy.

Click on one of the sessions that was captured that represents the endpoint you’re connecting to. In my case, I’m connecting to an internal ArcGIS Enterprise instance I maintain.

After you’ve selected a session, in Fiddler, click on the ‘Inspectors’ tab, and then the ‘Headers’ subtab. You’ll want to have a quick check to make sure that the Client is your mobile browser or app instead of a desktop browser or app. Typically Esri clients indicate “Esri” or “ArcGIS” for the user-agent.

Figure 6: Confirm user-agent in Fiddler Headers tab

review user-agent

After you’ve checked the user-agent and are sure you’re reviewing the correct traffic, click the ‘TextView’ tab. Just like before, you can review the TLS version that the client is using.

Here I’m satisfied that my iOS browser is creating sessions to my server using TLS 1.2.

Figure 7: TLS version in Fiddler TextView tab

fiddler textview tab

Hopefully this workflow can help users who require an additional level of validation with mobile apps they use.

more
1 0 2,432
87 Subscribers