ArcGIS Enterprise on Kubernetes includes a Python script tool, kubernetesScan.py, that scans for some common security issues. It is included with the setup script under setup/tools/security. The tool checks for problems based on some of the best practices for configuring a secure environment for ArcGIS Enterprise. It analyzes many criteria and configuration properties and divides them into three severity levels: Critical, Important, and Recommended. The following table describes these criteria:
ID | Severity | Property | Description |
---|---|---|---|
ES01 | Critical | Proxy restrictions | Determines whether the portal proxy capability is restricted. By default, the portal proxy server is open to any URL. To mitigate against potential Denial of Service (DoS) or Server Side Request Forgery (SSRF) attacks, it's recommended that you restrict the portal's proxy capability to approved web addresses. |
ES02 | Critical | Web content filtering | Generates a list of feature services in which the filter web content property is disabled. Disabling this property allows a user to enter any text in the input fields, which exposes the service to potential cross-site scripting (XSS) attacks. This property is enabled by default and unless unsupported HTML entities or attributes are required, it should not be disabled. |
ES03 | Important | Enterprise services directories | Determines whether the Enterprise services directories are accessible through a web browser. Unless being actively used to search for and find services by users, this should be disabled to reduce the chance that your services can be browsed, found in a web search, or queried through HTML forms. This also provides further protection against cross-site scripting (XSS) attacks. |
ES04 | Important | Web communication | Determines whether HTTPS is enabled for ArcGIS Enterprise. To prevent the interception of any communication, it is recommended that you configure ArcGIS Enterprise and the web server hosting the reverse proxy or ArcGIS Web Adaptor (if installed) to enforce SSL encryption. |
ES05 | Recommended | Built-in account sign-up | Determines whether users can click the Create An Account button on the organization sign-up page to create a built-in account. If you're using organization-specific accounts or you want to create all accounts manually, disable this option. |
ES06 | Recommended | Anonymous access | Determines whether anonymous access is allowed. To prevent any user from accessing content without first providing credentials, it's recommended that you configure your organization to disable anonymous access. |
ES07 | Recommended | LDAP identity store | If your organization is configured with an LDAP identity store, this determines whether encrypted communication is used. It is recommended that you use LDAPS for the LDAP URL for users and groups. |
ES08 | Recommended | Ingress controller TLS certificate | Determines whether a self-signed certificate is used by the ingress controller. To help reduce web browser warnings or other unexpected behavior from clients communicating with the portal, it is recommended that you import and use a CA-signed TLS certificate bound to the ingress controller. |
ES09 | Recommended | Cross-domain requests | Determines whether cross-domain (CORS) requests are unrestricted. To reduce the possibility of an unknown application accessing a shared portal item, it is recommended that you restrict cross-domain requests to applications hosted only in trusted domains. |
ES10 | Critical | Federated server administrative URL | Determines whether your federated server's administrator URL is reachable by the portal and whether the TLS certificate used in this URL is trusted. If untrusted or not reachable, many portal functions and operations will fail. |
ES11 | Recommended | Federated server services URL | Determines whether your federated server's services URL is reachable by the portal and whether the SSL certificate used in this URL is trusted. If untrusted or not reachable, the portal will still function but some portal operations may fail. |
ES12 | Recommended | Public content | If your organization is configured so members cannot share content publicly, this will list any items that are still shared with Everyone. |
ES13 | Important | Dynamic workspace | Generates a list of services where the database can be accessed through a dynamic workspace. Unless appropriately safeguarded, this can expose the database/workspace to access by malicious third parties over REST. Dynamic workspaces should be enabled only if the service and the dynamic layer/workspace capability is intended for active use in a web application. In these cases, it is important to ensure that the database connection used by the map service to connect to the workspace/database has the least privileges needed for the application, for example, read-only access to only those additional tables within the workspace that are needed. |
ES14 | Recommended | Feature service permissions | Returns a list of feature services that have the update or delete operations enabled and are open to anonymous access. This allows the feature service data to be changed or deleted without authentication. |
ES15 | Important | SAML configuration settings | If your organization is configured to use SAML authentication, this determines whether encrypted assertions and signed requests are enabled. If supported by the identity provider, it is recommended that you configure the portal to require both encrypted assertions and signed requests. |