When services expose business functions they must play their part in protecting and securing the business rules, data, and functionality. Security issues involve a range of concerns, including protecting sensitive data, user authentication and authorization, guarding against attack from malicious code and users, and auditing and logging events and user activity.

General Service Security Guidelines

  • The most common security mechanism for services is currently transport layer security such as SSL.
  • In environments with advanced security needs, strengthen user authentication with a Public Key Infrastructure (PKI):
    • For extranet and intranet based solutions you can use certificates issued through an organization-based certificate service.
    • For business-to-business (B2B) services and general public services, the certificate should be issued by a commercial certificate authority.
  • If your service passes through other servers, consider implementing message-based security. This is required because each time a message secured with transport layer security passes through another server, that server decrypts the message and then re-encrypts it before sending it on to the next server.
    • Most GIS implementations do not use message-based authentication at this time

ArcGIS Server Manager

  • For ArcGIS Server, you control access to services from the Services tab in Manager.
  • Set permissions on folders as well as individual services.
  • Setting permissions on a GIS service secures access to it via all supported Web interfaces: SOAP, REST, OGC and KML

SOAP API Security

  • Applications that use a SOAP toolkit to access the WSDL of the GIS Web service, without using the ADF connection classes, need to acquire and use tokens explicitly.
  • WS-Security is not currently built into ArcGIS components and if needed can be addressed by 3rd party XML/SOAP gateways
  • HTTP/Windows authentication is available out of the box with ArcGIS
  • Token-based authentication is available out of the box with ArcGIS
  • Working with secure ArcGIS Server SOAP Services
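The explicit token handling the first bullet calls for, shown as an added example rather than code from the page or from Esri: it keeps credentials in an HTTPS POST body, treats the error envelope as a failed login, attaches the token to the service URL, and renews it before expiry. The endpoint path and field names are assumed from the ArcGIS Server 10.x token service and are not taken from this page.

```python
"""Explicit token handling for a SOAP/REST client without the ADF classes.
Assumed (not on the page): ArcGIS Server 10.x style token service at
<base>/tokens/generateToken taking POST fields username, password,
client=referer, referer, expiration (minutes), f=json and returning
{"token": "...", "expires": <epoch ms>}."""
import json
import time
import urllib.parse


def token_request(base_url, username, password, referer, minutes=60):
    """Build (url, POST body). Credentials travel in the body, never in the
    query string, and only over HTTPS, the transport-layer protection the
    guidelines above rely on."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("token service must be called over HTTPS")
    fields = {"username": username, "password": password, "client": "referer",
              "referer": referer, "expiration": minutes, "f": "json"}
    url = base_url.rstrip("/") + "/tokens/generateToken"
    return url, urllib.parse.urlencode(fields).encode()


def parse_token(response_text):
    """Return (token, expiry as epoch seconds). A rejected login arrives as
    an 'error' envelope with HTTP 200, so the body, not the status, decides."""
    data = json.loads(response_text)
    if "token" not in data:
        raise PermissionError(str(data.get("error", data)))
    return data["token"], data["expires"] / 1000.0


def with_token(service_endpoint, token):
    """Attach the token as the 'token' query parameter of the service URL."""
    if not service_endpoint.lower().startswith("https://"):
        raise ValueError("the token is a bearer credential; use HTTPS")
    sep = "&" if "?" in service_endpoint else "?"
    return f"{service_endpoint}{sep}token={urllib.parse.quote(token, safe='')}"


class TokenCache:
    """Hold one token and renew it shortly before it expires."""
    def __init__(self, fetch, skew_seconds=60):
        self._fetch, self._skew, self._token, self._expires = fetch, skew_seconds, None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires - self._skew:
            self._token, self._expires = self._fetch()  # fetch returns (token, expiry_s)
        return self._token
```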

REST API Security

  • The services directory is turned on by default, so disable it if you don’t want service location information browsable.

Secure Online Service Utilization

Local Service Security

  • Local-connection requests to ArcGIS Server can be disabled for all users by emptying the AGSUsers group
  • Restricting access to some services but not others on the same GIS server is only available through Internet connections.
  • If you only want access via Local connections then you can turn off the web service access on a service-by-service basis through ArcCatalog or ArcGIS Manager.