|
POST
|
Do you have this patch installed? ArcGIS Server 10.6.1 Geocode Suggestions Leak Patch
01-30-2020
11:06 AM
|
4
|
2
|
5717
|
|
POST
|
What version of ArcGIS Server are you working with? I know of a few memory leaks related to geocoding that have since been addressed in 10.7.1.
01-30-2020
10:50 AM
|
1
|
4
|
1862
|
|
POST
|
The Esri Software Security and Privacy team has a list of file extensions to add to the 'allowed' list that is currently available upon request. The document is currently in a raw format and is intended to be included in an upcoming ArcGIS Enterprise hardening guidance document.
01-14-2020
10:58 AM
|
4
|
1
|
2576
|
|
POST
|
Hi John Mitchell, Out of the box, ArcGIS Enterprise (and more specifically, Portal for ArcGIS) is designed with a number of different user bases in mind. At its heart, Portal for ArcGIS is meant to help users share geographic content and information - it's a social sharing tool. Some organizations have more stringent requirements than others, and we try to accommodate the needs of all of our various user bases in the design. What this means is that each ArcGIS Enterprise site may be unique in how it's implemented.

There are responsibilities that we (Esri) must meet in terms of coding standards, implementation guidance and administrative options we provide, as well as configuration and governance responsibilities that administrators of a given ArcGIS Enterprise site must meet in turn. In the end, when properly configured, standards are applied, and adherence is measurable, a level of compliance is met. Esri has achieved this level in house.

Examples of configurable options that Esri provides but must be user configured include (but aren't limited to) requiring TLS only for all communications, configuration of allowed encryption algorithms, defining password complexity requirements, and defining allowed CORS whitelists. Items the organization is responsible for include the acquisition and usage of trusted certificates at both the GIS and web tiers (the front end, where the web adaptor/reverse proxy/WAF/web gateway), web server configuration considerations to reduce information exposure (like custom error messages and removing technology identifying banners like X-Powered-By asp.net). Other considerations an administrator is responsible for include data classification, configuration of enterprise user and role stores (eg: configuring the Portal to work with a SAML provider that is capable of providing MFA) etc.

For instance, our Esri Managed Cloud Services Advanced Plus offering is a FedRAMP Moderate compliant offering. FedRAMP is a security authorization framework developed by the Federal Government along with industry professionals to align requirements for cloud service providers with that of the NIST framework and containing mappings to ISO/IEC 27001 & 15408 and NIST special publication 800-53. ArcGIS Online has itself achieved FedRAMP Tailored Low certification.

From our side, Esri utilizes the BSIMM (Building Security in Maturity Model) as the backbone to measure our efforts to immerse security throughout our development life cycle. We also incorporate OWASP best practices into our training and our SDLC. For our customers, Esri has delineated responses to the Cloud Security Alliance Cloud Controls Matrix for both EMCS Advanced Plus and ArcGIS Online offerings. The CCM consists of answers to a number of questions from auditors and users who have questions regarding how various compliance instruments are implemented in a given offering. While not explicitly mapped, you can see how the answers in our CCM attestation documents map to the controls described in the ASV you've attached, with the understanding that we've achieved measurable compliance for FedRAMP standards by accredited auditors. For instance, the controls mentioned in V1.1 (Secure Software Development Lifecycle Requirements) relate to controls discussed under control IDs BCR (Business Continuity & Operational Resilience).

As you can see, the answer to this kind of question isn't really binary - there's not a real Yes/No answer. That's because there's a lot of variables in play regarding Esri as a software provider and our SDLC activities and an administrator or organization's roadmap to achieving a compliance benchmark. Feedback regarding ArcGIS Online and Esri's product compliance initiatives is welcome and may be directed to Esri's Software Security and Privacy Team at SoftwareSecurity@esri.com.
01-02-2020
08:44 AM
|
5
|
0
|
3407
|
|
POST
|
Hi Kara Shindle, This is a great question, and there are actually a few different answers to it depending on your perspective and which accounts you're discussing - OS tier accounts or GIS tier accounts in ArcGIS for Server (specifically).

Let's start with OS tier accounts, since I'm assuming that these are what your IT mandates 3 month rotation for. In terms of OS accounts, the best answer you could have been provided would have been to use a gMSA (Group Managed Service Account). A gMSA is a special account used on Windows domains where password management is handled by the OS, passwords are generated on the fly based on key exchange, and the password is never actually known by a user. Using a gMSA can be done already in 10.7.1 and earlier. The use of a gMSA account precludes the need to reset passwords at all. See: How To: Configure ArcGIS Enterprise to use a group-managed Service Account

More: At 10.8, gMSA is supported at install time. Prior to 10.8, the software needs to be installed under a 'standard' account, then later moved to a gMSA. You are correct that updating the ArcGIS Account (the os/domain account that 'owns' the ArcGIS processes) will cause a restart of the ArcGIS Server processes - that must happen when rights to files on disk used by a process change. The Configure ArcGIS Account utility handles permission updates for you. In terms of the web adaptor, that process is typically run under the context of the IIS application pool identity. Updating the ArcGIS account will not change the application pool identity and does not itself require updating the web adaptor.

From the other perspective, there's the GIS tier. That's the built-in user and role store that ships with ArcGIS Server. If those passwords should be rotated, I'd recommend integrating ArcGIS Server with your Windows Active Directory, which allows for centralized administration. We'd also typically recommend disabling the Primary Site Administrator (PSA) account. This is the account that's typically used when configuring the web adaptor. Disabling the PSA will not break communication between the Web Adaptor and the GIS Server. Disabling the PSA would prevent you from changing the user and role store from the built in store to the enterprise store (active directory). You should promote one or more trusted domain accounts to the ArcGIS Server administrator role prior to disabling the PSA.

Another consideration you may need to think about is if you're using older patterns like embedded passwords in proxy pages that web applications may use to communicate with the GIS Server. Other than that, I haven't personally run into issues when updating service accounts or built-in accounts. If others out there in GeoNet-land have considerations I haven't thought about for password update workflows, I'd appreciate the dialog in the continued comments.

Best, Randall
Esri Software Security and Privacy, Esri PSIRT
12-17-2019
10:35 AM
|
0
|
0
|
3693
|
|
POST
|
Problem: The Supports ApplyEdits With Global Ids parameter is set to false
12-16-2019
08:03 AM
|
0
|
2
|
1820
|
|
POST
|
An update to .NET shouldn't impact an ArcGIS Enterprise site because it's mostly a Java product. An update to .NET could only impact the web adaptor, and that's also unlikely. I'd contact Technical Support.
12-16-2019
08:01 AM
|
0
|
0
|
1284
|
|
POST
|
Try checking this path in the registry. Does the invalid host exist there? HKEY_CURRENT_USER\Software\ESRI\ArcGIS Online\SignIn
12-13-2019
07:34 AM
|
0
|
1
|
1216
|
|
BLOG
|
*******************
Update - August 2020: ArcGIS Enterprise Portal's help documentation can now be sourced from the ArcGIS Enterprise Web Help instead of the locally installed help. Introduced at 10.8.1, the Help source determines whether your organization's access to help topics is derived from https://enterprise.arcgis.com or an installed source. By default, the source is set to the local, installed source. When internet access is available, enable this option to deliver help from https://enterprise.arcgis.com. We've also updated this blog to explain how users of older versions might source the web based ArcGIS Enterprise Help via an HTTP redirect.
*******************

The installed help documents for ArcGIS Enterprise are provided for everyone anonymously. The content is not sensitive, and can be easily found on the web. Sometimes, however, organizations have policies that require that any website under their authority require authentication for all endpoints, and that can cause a challenge for site managers whose only other path is to seek an exclusion. Other organizations have strict policies regarding aged 3rd party libraries that support the installed help doc. Regardless of the use case, some organizations may choose to prevent access to these pages. For those users, there are a few potential workarounds that can be explored, and those are to either implement web tier security or create an HTTP redirect specifically for the help docs.

Here's how the help doc can be secured:

1. First, open Windows Explorer and drill down to where your Portal or Server web adaptor is installed. For this example we'll use 'Portal'.
2. Inside (for example) c:\inetpub\wwwroot\portal\, create a new folder called "portalhelp".
3. Next, open IIS Manager. Drill down to the website that hosts your web adaptor, and find the 'portalhelp' folder.
4. Finally, use the IIS 'Authentication' feature to disable anonymous access and enable Windows authentication.

Now when users attempt to access the help documentation, they'll need to provide Windows credentials. Do the same for other help document locations:

ArcGIS Server:
/<server web adaptor>/help/
/<server web adaptor>/sdk/

A redirect can be achieved by:

1. Install the HTTP Redirect Module for IIS.
2. Follow steps 1-3 above.
3. Use the HTTP Redirect Module to point the 'portalhelp' virtual directory to the web help source, eg: https://enterprise.arcgis.com/en/documentation/
12-12-2019
07:51 AM
|
2
|
1
|
2697
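The IIS steps from the blog entry above (create the help folder, disable anonymous access, enable Windows authentication, or redirect instead), scripted with the WebAdministration module and followed by a read-back check. This is an added example, not Esri's code; the site name `Default Web Site`, the web adaptor names `portal` and `server`, and the function names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed: site 'Default Web Site', web adaptors 'portal' and 'server',
# and the IIS Windows Authentication / HTTP Redirection features already installed.
Import-Module WebAdministration

$Site    = 'Default Web Site'
$WebRoot = 'C:\inetpub\wwwroot'
$ApHost  = 'MACHINE/WEBROOT/APPHOST'
$Auth    = '/system.webServer/security/authentication'

function New-HelpFolder([string]$RelPath) {
    # Steps 1-2: create the physical folder so it shows up under the site in IIS.
    $folder = Join-Path $WebRoot ($RelPath -replace '/', '\')
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
}

function Protect-HelpFolder([string]$RelPath) {
    New-HelpFolder $RelPath
    # Step 4: authentication sections are locked at server level by default, so the
    # settings are written to applicationHost.config under a <location> for this path.
    Set-WebConfigurationProperty -PSPath $ApHost -Location "$Site/$RelPath" `
        -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $ApHost -Location "$Site/$RelPath" `
        -Filter "$Auth/windowsAuthentication" -Name enabled -Value $true
}

function Set-HelpRedirect([string]$RelPath, [string]$Destination) {
    # Alternative to authentication: send requests for the folder to the web help.
    New-HelpFolder $RelPath
    $redirect = '/system.webServer/httpRedirect'
    Set-WebConfigurationProperty -PSPath $ApHost -Location "$Site/$RelPath" `
        -Filter $redirect -Name destination -Value $Destination
    Set-WebConfigurationProperty -PSPath $ApHost -Location "$Site/$RelPath" `
        -Filter $redirect -Name enabled -Value $true
}

function Test-HelpFolder([string]$RelPath) {
    # Read the stored settings back so the change can be evidenced, not assumed.
    $anon = Get-WebConfigurationProperty -PSPath $ApHost -Location "$Site/$RelPath" `
        -Filter "$Auth/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath $ApHost -Location "$Site/$RelPath" `
        -Filter "$Auth/windowsAuthentication" -Name enabled
    [pscustomobject]@{ Path = $RelPath; Anonymous = $anon.Value; Windows = $win.Value }
}

# Portal help plus the two ArcGIS Server locations listed in the post.
'portal/portalhelp', 'server/help', 'server/sdk' | ForEach-Object {
    Protect-HelpFolder $_
    Test-HelpFolder $_   # expect Anonymous = False, Windows = True
}
# Redirect variant: Set-HelpRedirect 'portal/portalhelp' 'https://enterprise.arcgis.com/en/documentation/'
```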
|
|
POST
|
Check out this doc and see if the suggestions help. Block untrusted fonts in an enterprise (Windows 10) | Microsoft Docs
12-10-2019
08:20 AM
|
0
|
0
|
1398
|
|
POST
|
I believe it does. I haven't really worried about it because I'm auto-enrolled in our CA and submit my cert requests directly to our enterprise CA from the certificates MMC, always using the SHA256 template ever since Chrome started requiring a SAN in a cert.
12-06-2019
07:50 AM
|
0
|
0
|
1281
|
|
POST
|
What specifically are you looking for? It's a cert provided by our internal CA, created using SHA256. Note that the changes you're proposing affect the web server, but don't affect the GIS Server where ArcGIS is a client to the web adaptor host.
12-05-2019
10:14 AM
|
0
|
2
|
1281
|
|
POST
|
Thomas Colson I just set this on my 10.7.1 instance and don't have problems.
12-05-2019
08:30 AM
|
3
|
0
|
511
|
|
POST
|
Thomas Colson I just set this on my 10.7.1 instance and don't have problems.
12-05-2019
08:30 AM
|
1
|
4
|
1281
|
|
POST
|
My guess is that as a CLIENT, GeoEvent's Java implementation doesn't trust the certificate provided by ArcGIS Server. Is this a multi-machine site? If so, export the cert out from machine A and import into machine B or install a CA signed certificate at the GIS tier on both machines. Export the self-signed certificate, SelfSignedCertificate, from the ArcGIS Server (from the ArcGIS Enterprise) and import it into ArcGIS Server of the machine that has GeoEvent Server installed.

Admin page of ArcGIS Server on machine 1: Home> machines> <Machine_1>> sslcertificates> selfsignedcertificate> export. This exports a .cer file.

On the ArcGIS Server admin page of machine 2: Home> machines> <Machine_2>> sslcertificates> importRootOrIntermediate
12-03-2019
11:56 AM
|
0
|
1
|
1279
|