ArcGIS Server and Portal Security

Question asked by pslater on Aug 7, 2015

I have been thinking and reading a lot about ArcGIS for Server security lately. My current dev server has the web adapter up and running, the REST services directory turned off, and SSL enabled. Currently users connect independently (not through Portal) through Flex Viewer apps, and security is handled by domain user at the IIS (Web Tier) level. Users do not have direct access to the SQL DB, nor can they log in through ArcMap (most don't even have it). When installing ArcGIS Portal and federating the server I seem to have lost all ability to access ArcGIS Manager, and now all service securities are run through Portal, which seems to not function quite as well as through Manager.


My question is: what security holes am I leaving open? What access point have I left vulnerable? If I mark all services as 'public' and have the REST directory turned off, with no username access to Portal, through ArcMap, or through SQL, what potential hazards could I be facing? It is also worth mentioning that all of this is only accessible through our internet and will not be on the internet. Another thought... What are your opinions of SSL in an intranet?


Thanks and I look forward to your responses!