Scan for security best practices

ArcGIS Enterprise on Kubernetes includes a Python script tool, kubernetesScan.py, that scans for some common security issues. It is included with the setup script under setup/tools/security. The tool checks for problems based on some of the best practices for configuring a secure environment for ArcGIS Enterprise. It analyzes many criteria and configuration properties and divides them into three severity levels: Critical, Important, and Recommended. The following table describes these criteria:

IDSeverityPropertyDescription

ES01

Critical

Proxy restrictions

Determines whether the portal proxy capability is restricted. By default, the portal proxy server is open to any URL. To mitigate against potential Denial of Service (DoS) or Server Side Request Forgery (SSRF) attacks, it's recommended that you restrict the portal's proxy capability to approved web addresses.

ES02

Critical

Web content filtering

Generates a list of feature services in which the filter web content property is disabled. Disabling this property allows a user to enter any text in the input fields, which exposes the service to potential cross-site scripting (XSS) attacks. This property is enabled by default and unless unsupported HTML entities or attributes are required, it should not be disabled.

ES03

Important

Enterprise services directories

Determines whether the Enterprise services directories are accessible through a web browser. Unless being actively used to search for and find services by users, this should be disabled to reduce the chance that your services can be browsed, found in a web search, or queried through HTML forms. This also provides further protection against cross-site scripting (XSS) attacks.

ES04

Important

Web communication

Determines whether HTTPS is enabled for ArcGIS Enterprise. To prevent the interception of any communication, it is recommended that you configure ArcGIS Enterprise and the web server hosting the reverse proxy or ArcGIS Web Adaptor (if installed) to enforce SSL encryption.

ES05

Recommended

Built-in account sign-up

Determines whether users can click the Create An Account button on the organization sign-up page to create a built-in account. If you're using organization-specific accounts or you want to create all accounts manually, disable this option.

ES06

Recommended

Anonymous access

Determines whether anonymous access is allowed. To prevent any user from accessing content without first providing credentials, it's recommended that you configure your organization to disable anonymous access.

ES07

Recommended

LDAP identity store

If your organization is configured with an LDAP identity store, this determines whether encrypted communication is used. It is recommended that you use LDAPS for the LDAP URL for users and groups.

ES08

Recommended

Ingress controller TLS certificate

Determines whether a self-signed certificate is used by the ingress controller. To help reduce web browser warnings or other unexpected behavior from clients communicating with the portal, it is recommended that you import and use a CA-signed TLS certificate bound to the ingress controller.

ES09

Recommended

Cross-domain requests

Determines whether cross-domain (CORS) requests are unrestricted. To reduce the possibility of an unknown application accessing a shared portal item, it is recommended that you restrict cross-domain requests to applications hosted only in trusted domains.

ES10

Critical

Federated server administrative URL

Determines whether your federated server's administrator URL is reachable by the portal and whether the TLS certificate used in this URL is trusted. If untrusted or not reachable, many portal functions and operations will fail.

ES11

Recommended

Federated server services URL

Determines whether your federated server's services URL is reachable by the portal and whether the SSL certificate used in this URL is trusted. If untrusted or not reachable, the portal will still function but some portal operations may fail.

ES12

Recommended

Public content

If your organization is configured so members cannot share content publicly, this will list any items that are still shared with Everyone.

ES13

Important

Dynamic workspace

Generates a list of services where the database can be accessed through a dynamic workspace. Unless appropriately safeguarded, this can expose the database/workspace to access by malicious third parties over REST. Dynamic workspaces should be enabled only if the service and the dynamic layer/workspace capability is intended for active use in a web application. In these cases, it is important to ensure that the database connection used by the map service to connect to the workspace/database has the least privileges needed for the application, for example, read-only access to only those additional tables within the workspace that are needed.

ES14

Recommended

Feature service permissions

Returns a list of feature services that have the update or delete operations enabled and are open to anonymous access. This allows the feature service data to be changed or deleted without authentication.

ES15

Important

SAML configuration settings

If your organization is configured to use SAML authentication, this determines whether encrypted assertions and signed requests are enabled. If supported by the identity provider, it is recommended that you configure the portal to require both encrypted assertions and signed requests.