HTTPS, short for Hypertext Transfer Protocol Secure, encrypts the data transmitted in both directions between a client, such as a web browser, and the server. Esri is making the HTTPS-Only change in a phased approach. Esri customers must act now to be ready for this change.
Currently, ArcGIS Online supports configuring HTTP or HTTPS. With the update planned for December 8, 2020, the “HTTPS Only” default will be enforced, and customers will no longer have the option of turning it off. However, for ArcGIS Enterprise the customer has full control of the HTTPS/HSTS enforcement for their configuration.
Written for survey authors, administrators, and privacy professionals, and specifically intended to provide targeted guidance for public health initiatives, this guidance highlights best practices and public survey layer discoverability, details specific scenarios, and provides contextual discussion around the configuration options to consider to protect your data before announcing a public survey whose results are to remain secure.
From the abstract:
"Designing and configuring a Survey with an underlying survey layer can be tricky when the survey is intended to be completed by the public. Discovering insecure survey layers can be challenging for an organization administrator responsible for ensuring collected data is secure and configured to respect respondent privacy. This document provides guidance for GIS administrators, survey owners or users involved in implementing a public survey with respect to privacy and security."
We partnered with the ArcGIS Survey123 team to provide this guidance, and we strongly feel that organizations see value in bookmarking this document for reference.
A new Windows-based application created by a malicious individual or group uses the online map posted by Johns Hopkins University at https://coronavirus.jhu.edu/map.html as a decoy for installing malware. Michael Young has written a blog describing this issue.
Bottom-line, you are fine browsing the Coronavirus dashboard on the web with your browser as no software needs to be downloaded. If you come across someone offering a Coronavirus dashboard where you need to download software to view it, don’t use it!
You'll find this blog titled "Coronavirus Downloadable Malware Map App Clarification" in the 'Alerts and Announcements' section on the front page of the ArcGIS Trust Center.
Esri’s Software Security and Privacy team is often called by both current and prospective customers to provide assurance as to the kinds of controls we’ve implemented to help keep your data and our infrastructure safe. Esri has provided a detailed list of answers to questions related to the security of the ArcGIS Online platform for security professionals in the form of the CAIQ Answers document. Esri’s CAIQ response document answers a set of 295 yes or no questions a cloud consumer or cloud auditor may wish to ask of a cloud provider. You’ll find this document (along with many others) in the Documents tab in the ArcGIS Trust Center.
The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud solution consumers and auditors to assess the security capabilities of a cloud service provider like ArcGIS Online. The CAIQ was developed to create commonly accepted industry standards to document how service providers like Esri implement security controls in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and/or software-as-a-service (SaaS) applications.
The CAIQ questionnaire is designed to support organizations when interacting with a cloud provider during the cloud provider assessment process by giving organizations specific questions to ask about provider operations and processes. The CAIQ is part of the CSA governance, risk management and compliance stack.
The CSA is a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”.
A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission. Esri began providing answers for the CSA CCM (133 questions) in 2013, and in 2019 shifted to utilizing the more extensive (CAIQ) with 295 questions/answers.
ArcGIS Online is audited annually by a 3rd party assessor to ensure alignment with its Federal Risk and Authorization Management Program (FedRAMP) Tailored Low Authority to Operate (ATO) by the United States Department of Interior.
For more information concerning the security, privacy and compliance of ArcGIS Online please see the Trust Center at: https://Trust.ArcGIS.com.
ArcGIS Online utilizes the world-class cloud infrastructure of Microsoft Azure and Amazon Web Services, both of which have completed the CSA questionnaires for their capabilities; those questionnaires may be downloaded from the CSA Registry located at: https://cloudsecurityalliance.org/star/#_registry
A new Tomcat CVE (CVE-2020-1938) referred to as 'Ghostcat' has a lot of users asking how Esri software is affected.
Michael Young has written a blog describing how users may be impacted and offers guidance for customers who deploy the Java version of the ArcGIS Web Adaptor on Tomcat or use Apache httpd along with Tomcat in a reverse proxy solution.
You'll find this blog titled "Don't get Bitten by GhostCat Tomcat Vulnerability" in the 'Alerts and Announcements' section on the front page of the ArcGIS Trust Center.
ArcGIS Enterprise itself is not affected by this as long as connections to Active Directory can be made using LDAPS (port 636). To meet this requirement, be sure that LDAPS is available on your Active Directory servers.
However, *if* your organization is using the Java Web Adaptor (which itself requires a J2EE server such as Tomcat, GlassFish, WebLogic, etc.) and you’re using web tier authentication and Active Directory, then the J2EE application server must itself be configured to connect to the directory server using LDAPS.
Even if ArcGIS Enterprise is configured to use LDAP over plaintext port 389, it will attempt to connect via LDAPS (port 636) first regardless. Front-end application servers are unlikely to follow this pattern and will communicate with the directory server exactly as configured.
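The two points above (the AJP connector that Ghostcat targets, and a front-end application server that binds to the directory exactly as configured) can both be checked from Tomcat's server.xml. The following is an added example written for this page, not code from Esri or the Trust Center blog. It assumes a Tomcat JNDIRealm whose connectionURL attribute carries the directory URL; the server.xml excerpt, host names and ports are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed Tomcat server.xml excerpt (not a real deployment): an AJP connector left
# enabled and a JNDIRealm pointed at Active Directory over plaintext LDAP on port 389.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://dc01.example.local:389"
             userBase="DC=example,DC=local"
             userSearch="(sAMAccountName={0})"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def is_ldaps_url(url):
    """True when a directory URL uses the ldaps scheme (e.g. ldaps://dc01.example.local:636)."""
    return urlsplit(url).scheme.lower() == "ldaps"


def audit_server_xml(xml_text):
    """Return a list of (severity, message) findings for a Tomcat server.xml document.

    Two checks are performed:
      * every <Connector> whose protocol is AJP is reported, because CVE-2020-1938
        (Ghostcat) is a flaw in Tomcat's AJP connector;
      * every <Realm> with a connectionURL that is not ldaps:// is reported, because a
        front-end application server talks to the directory exactly as configured and
        does not try LDAPS first the way ArcGIS Enterprise does.
    """
    root = ET.fromstring(xml_text)
    findings = []

    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if protocol.upper().startswith("AJP"):
            findings.append((
                "high",
                f"AJP connector enabled on port {connector.get('port')} (CVE-2020-1938 Ghostcat): "
                "remove it if no reverse proxy uses AJP, otherwise follow the Trust Center guidance",
            ))

    for realm in root.iter("Realm"):
        url = realm.get("connectionURL")
        if not url:
            continue  # realms such as UserDatabaseRealm have no directory connection
        if not is_ldaps_url(url):
            findings.append((
                "high",
                f"Realm connectionURL {url!r} does not use ldaps://; "
                "directory binds must use LDAPS (port 636)",
            ))
    return findings


if __name__ == "__main__":
    for severity, message in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"[{severity}] {message}")
```

Run it against a copy of the real server.xml by reading the file into audit_server_xml; an empty result means no AJP connector is declared and every realm binds over LDAPS. The LDAPS check only confirms the URL scheme; the directory server must actually offer LDAPS on port 636, as the paragraph above notes.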
This release focuses on the upcoming AGO HTTPS-only enforcement in September 2020. The HTTP Check is no longer beta and supports processing up to 1000 content items by analyzing the item page and the item's data information (if it can be handled as JSON - the HTTP Checker's help page identifies the content data types that are not processed). Improvements will be made as needed.
Use the search by just pressing the 'enter' key to scan all available items or enter keywords into the search filter to focus on specific content items. For more information, check out the HTTP Checker's help content once you've logged into the application.
The AGO HTTPS only enforcement is expected to be implemented in September 2020.
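To show the kind of scan the HTTP Check performs (item page plus the item's data JSON, looking for plaintext http:// references that will break once HTTPS-only is enforced), here is an added example written for this page; it is not the HTTP Checker's own code. It assumes the item description and data have already been fetched as JSON; the item, layer URLs and pop-up HTML are constructed.

```python
import re

# Constructed sample of an ArcGIS Online web map item: the item description as returned by
# the item page, and the item's data JSON. None of these URLs point at real services.
SAMPLE_ITEM = {
    "id": "0123456789abcdef0123456789abcdef",  # constructed item id
    "title": "City services web map",
    "type": "Web Map",
    "url": None,
    "thumbnail": "thumbnail/ago_downloaded.png",
}
SAMPLE_DATA = {
    "operationalLayers": [
        {
            "title": "Parcels",
            "url": "http://gis.example.com/arcgis/rest/services/Parcels/MapServer/0",
        },
        {
            "title": "Roads",
            "url": "https://services.example.com/arcgis/rest/services/Roads/FeatureServer/0",
            "popupInfo": {
                "description": "<img src='http://gis.example.com/images/legend.png'> Road legend",
            },
        },
    ],
    "baseMap": {
        "baseMapLayers": [{"url": "https://basemaps.example.com/tiles/MapServer"}],
    },
}

# Matches a plaintext http:// reference anywhere in a string, including inside pop-up HTML,
# where mixed content hides from a check that only looks at layer "url" fields.
HTTP_REF = re.compile(r"http://[^\s\"'<>]+")


def find_http_refs(node, path="$"):
    """Walk a JSON-like structure and return (json_path, url) for every http:// reference."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_http_refs(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_http_refs(value, f"{path}[{index}]"))
    elif isinstance(node, str):
        for match in HTTP_REF.finditer(node):
            hits.append((path, match.group(0)))
    return hits


def check_item(item, data):
    """Report http:// references in an item's description and, when it is JSON, its data.

    Data that is not JSON (for example a file item) is skipped, mirroring the HTTP
    Checker's note that only JSON-able content data types are processed.
    """
    report = {"item": find_http_refs(item, "item"), "data": []}
    if isinstance(data, (dict, list)):
        report["data"] = find_http_refs(data, "data")
    report["clean"] = not report["item"] and not report["data"]
    return report


if __name__ == "__main__":
    result = check_item(SAMPLE_ITEM, SAMPLE_DATA)
    for section in ("item", "data"):
        for json_path, url in result[section]:
            print(f"{json_path}: {url}")
```

Each finding names the JSON path, so the owner knows whether to re-point a layer URL or edit pop-up HTML. Finding a reference is the detection half only; whether the referenced service actually answers on https:// has to be confirmed separately before the item is changed.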
v2.0.4 - 2019/DEC/06
No longer Beta. Further improvements will be made as needed.
Corrected issue that would prevent item page info from being processed and results displayed if there was an issue with that item's data information.
Increased processing count to first 1000 items (up from 100).
Help text updated.
Click on visitor page footer version number to view release notes.
Adjusted text on visitor page to highlight that the advisor is not officially supported through Esri but is offered and maintained by the Esri Software Security & Privacy Team. Provided email address for questions.
Adjusted the left side navigation menu to float and move with screen scroll.
Policy message updated to include warning text when Social Logins is enabled.
ArcGIS Enterprise Portal's help documentation can now be sourced from the ArcGIS Enterprise Web Help instead of the locally installed help. Introduced at 10.8.1, the Help source determines whether your organization's access to help topics is derived from https://enterprise.arcgis.com or an installed source. By default, the source is set to the local, installed source. When internet access is available, enable this option to deliver help from https://enterprise.arcgis.com.
We've also updated this blog to explain how users of older versions might source the web based ArcGIS Enterprise Help via an HTTP redirect.
The installed help documents for ArcGIS Enterprise are provided for everyone anonymously. The content is not sensitive, and can be easily found on the web. Sometimes, however, organizations have policies that require that any website under their authority require authentication for all endpoints, and that can cause a challenge for site managers whose only other path is to seek an exclusion. Other organizations have strict policies regarding aged 3rd party libraries that support the installed help doc. The exploitability of these issues in the context of the help doc is debatable, as the help doc does not accept or reflect untrusted input. Regardless of the use case, some organizations may choose to prevent access to these pages.
For those users, there are a few potential workarounds that can be explored: either implement web tier security or create an HTTP redirect specifically for the help docs.
Here's how the help doc can be secured:
1. First, open Windows Explorer and drill down to where your Portal or Server web adaptor is installed. For this example we'll use 'Portal'.
2. Inside (for example) c:\inetpub\wwwroot\portal\, create a new folder called "portalhelp".
3. Next, open IIS manager. Drill down to the website that hosts your web adaptor, and find the 'portalhelp' folder.
4. Finally, use the IIS 'Authentication' feature to disable anonymous access and enable Windows Authentication.
Now when users attempt to access the help documentation, they'll need to provide windows credentials.
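IIS Manager records step 4 as a <location> override in applicationHost.config, and the setting an administrator sees in the UI is the result of the server-wide defaults plus every override on the path. The following is an added example, written for this page and not part of Esri's documentation, that reads such a file and reports the effective authentication settings for the help folder so the change can be verified after the steps above. The configuration excerpt is constructed; the site name 'Default Web Site' and the path %windir%\System32\inetsrv\config\applicationHost.config are assumptions about a typical IIS install.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of an IIS applicationHost.config (not a real server). The server-wide
# defaults allow anonymous access; a <location> written by IIS Manager overrides them for
# the portalhelp folder created in the steps above.
SAMPLE_APPHOST = """\
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
  <location path="Default Web Site/portal/portalhelp">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

AUTH_XPATH = "./system.webServer/security/authentication/"


def _auth_flags(scope):
    """Read the anonymous/windows 'enabled' attributes declared directly in one scope."""
    flags = {}
    for name in ("anonymousAuthentication", "windowsAuthentication"):
        element = scope.find(AUTH_XPATH + name)
        if element is not None and element.get("enabled") is not None:
            flags[name] = element.get("enabled").lower() == "true"
    return flags


def effective_auth(config_xml, site_path):
    """Compute the authentication settings IIS applies to site_path.

    site_path looks like 'Default Web Site/portal/portalhelp'. Settings start from the
    server-wide defaults and are overridden by every <location> whose path is the site
    path itself or one of its ancestors, most specific last.
    """
    root = ET.fromstring(config_xml)
    effective = {"anonymousAuthentication": True, "windowsAuthentication": False}  # IIS defaults
    effective.update(_auth_flags(root))
    applicable = []
    for location in root.findall("location"):
        path = location.get("path", "")
        if path == "" or site_path == path or site_path.startswith(path + "/"):
            applicable.append((len(path), location))
    for _, location in sorted(applicable, key=lambda pair: pair[0]):
        effective.update(_auth_flags(location))
    return effective


def help_requires_windows_logon(config_xml, help_path):
    """True when anonymous access is off and Windows Authentication is on for the help folder."""
    auth = effective_auth(config_xml, help_path)
    return not auth["anonymousAuthentication"] and auth["windowsAuthentication"]


if __name__ == "__main__":
    for path in ("Default Web Site/portal", "Default Web Site/portal/portalhelp"):
        print(path, effective_auth(SAMPLE_APPHOST, path))
```

Point the script at the live file (assumed location %windir%\System32\inetsrv\config\applicationHost.config, read with administrator rights) and check the web adaptor path itself as well as the help folder: the portal path should keep anonymous access, otherwise the override has landed one level too high and every portal request would prompt for Windows credentials. Windows Authentication must be installed as an IIS feature before it can be enabled in step 4.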