Configuring security in web.config for ArcGIS for Spatial Data Server for IIS
If your ArcGIS Spatial Data Server for IIS services will be accessed by Windows-authenticated users through an intranet, you can secure the spatial data server by configuring the web.config file found in the REST folder of your ArcGIS Spatial Data Server for IIS installation directory.
To do this, you must first enable IIS role services and enable Windows or Basic authentication. Then you can add location elements that contain an authorization element to the web.config as a child of the configuration element.
Enable IIS role services
Before you can add the location element to the web.config file to control access to your service, you must enable the URL Authorization IIS role service, and either the Windows Authentication or Basic Authentication IIS role services.
Role services are enabled from the Server Manager. You must log in to the server as a member of the Windows Administrators group to alter settings in the Server Manager.
- Start the Server Manager.
Start > Administrative Tools > Server Manager > Roles
The Server Manager dialog box opens.
- Scroll to the Web Server (IIS) section and click Add Role Services.
- Under Security, check URL Authorization.
- Check Windows Authentication or, if you are going to use SSL certification, check Basic Authentication.
- Click Next.
- Review the settings to confirm they are correct, then click Install.
- Click Close.
- Close Server Manager.
Enable Windows or Basic Authentication
Now that either the Basic or Windows Authentication role service has been added, you can enable it within IIS Manager. You must log in to the server as a member of the Windows Administrators group to alter settings in the IIS Manager.
- Start the IIS Manager.
Start > Administrative Tools > Internet Information Services
The Internet Information Services (IIS) Manager opens.
- Connect to the server from within the manager.
- Under IIS in the Features View, double-click Authentication.
The Authentication pane opens.
- Choose Windows Authentication or Basic Authentication in the Authentication pane and click Enable under Actions.
If Basic Authentication will be used, be sure to enable SSL so that credentials will not be sent in clear text.
- Click File > Exit to close the IIS Manager.
Configuring the location element in the web.config file
You can add location elements to the web.config file to control access to services. The location element can be formatted as follows:
<location path="path">
  <system.webServer>
    <security>
      <authorization>
        <remove users="" roles="" verbs="" />
        <add accessType="Allow" users="allowedUsers" roles="allowedRoles" />
      </authorization>
    </security>
  </system.webServer>
</location>
Alter the values for the following child elements of the location element:
- location path: Type the relative application URI path to the resource (in this case, the spatial data server) for which you want to secure access.
- authentication: This must be set to Windows. If it is not already, change it.
- remove: Removes authorization for the specified path. Authorization can be removed for users, roles, and/or verbs.
  - users: A comma-separated list of specific Windows logins, all logins ("*"), or anonymous logins ("?").
  - roles: A comma-separated list of specific Windows groups, all groups ("*"), or anonymous groups ("?").
  - verbs: The HTTP verbs supported; either a comma-separated list of specific verbs or all verbs ("*").
- add: Adds authorization rules for the specified path.
  - accessType: A property of the authorization rule. Set accessType to Allow to create a rule that designates the logins and groups that can access the resource.
  - allowedUsers: When accessType is set to Allow, this is a comma-separated list of specific Windows logins that will have access to the resource, or all logins ("*").
  - allowedRoles: When accessType is set to Allow, this is a comma-separated list of specific Windows groups that will have access to the resource, or all groups ("*").
Add the location element as a child element of the configuration element. There are many direct child elements of the configuration element, but you can add the location element anywhere after, and at the same level as, the configSections element.
Example 1: Securing admin requests
The following location element example removes the default IIS authorization settings from the web.config file and configures an authorization rule that allows only users who are in the Windows Administrators group to access content within the admin endpoint.
<configuration>
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" users="" roles="Administrators" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
Example 2: Allowing access to all services by a specific user and role
In this example location element, the default IIS authorization settings in the web.config file are replaced with a rule to allow the svcsusers group and svcmgr Windows user to access all services on the spatial data server:
<configuration>
  <location path="rest/services">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" users="mydomain\svcmgr" roles="svcsusers" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
Example 3: Allowing access to a specific service
To restrict all access to a specific service by a single role, add a location element to the web.config file that applies to one service and gives authorization to the specified role. In this example, the weather service can only be accessed by members of the meteorologists role:
<configuration>
  <location path="rest/services/weather/FeatureServer">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="meteorologists" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
Example 4: Allowing access to a specific service for multiple roles
To allow multiple roles access to a specific service, add a location element to the web.config file that applies to one service and allows access by several roles. In this example, the landuse service is accessible by members of the planners, contractors, and developers roles:
<configuration>
  <location path="rest/services/landuse/FeatureServer">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="planners,contractors,developers" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
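A way to check that a web.config holding several location elements (as described under "Configuring the location element" and in the four examples above) really does restrict access is to parse it and look at each authorization block. The following Python script is an added example written for this page; it is not part of the product or of Esri's documentation. It embeds a constructed web.config that combines the admin and per-service locations from the examples and adds one location that deliberately omits the remove element, then reports for each location path whether the inherited allow-all rule was removed and whether any Allow rule grants all or anonymous callers. The sample file, the function names and the wording of the findings are all assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config for this example (not the product's own file).
# It combines the page's admin and per-service location elements and adds one
# location that deliberately omits the <remove> element so the audit has
# something to report.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
  </configSections>
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" users="" roles="Administrators" />
        </authorization>
      </security>
    </system.webServer>
  </location>
  <location path="rest/services/weather/FeatureServer">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="meteorologists" />
        </authorization>
      </security>
    </system.webServer>
  </location>
  <location path="rest/services/landuse/FeatureServer">
    <system.webServer>
      <security>
        <authorization>
          <add accessType="Allow" roles="planners,contractors,developers" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def child(element, tag):
    """Return the first direct child with the given tag, or None."""
    for candidate in element:
        if candidate.tag == tag:
            return candidate
    return None


def split_list(value):
    """Split an IIS comma-separated users/roles/verbs attribute into a set."""
    return {item.strip() for item in value.split(",") if item.strip()}


def audit_authorization(xml_text):
    """Map each location path to a list of findings (empty list = looks consistent)."""
    root = ET.fromstring(xml_text)
    report = {}
    for location in root:
        if location.tag != "location":
            continue
        path = location.get("path", "")
        findings = []
        authz = child(location, "system.webServer")
        authz = child(authz, "security") if authz is not None else None
        authz = child(authz, "authorization") if authz is not None else None
        if authz is None:
            report[path] = ["no authorization element"]
            continue
        # The page's examples drop the inherited rule with <remove users="*" ... />;
        # without that, an Allow rule is added on top of "everyone allowed".
        removed_all = any("*" in split_list(r.get("users", ""))
                          for r in authz if r.tag == "remove")
        if not removed_all:
            findings.append('inherited allow-all rule not removed (no <remove users="*" />)')
        allows = [a for a in authz if a.tag == "add" and a.get("accessType") == "Allow"]
        if not allows:
            findings.append("no Allow rule, so no caller is granted access")
        for rule in allows:
            users = split_list(rule.get("users", ""))
            roles = split_list(rule.get("roles", ""))
            if "*" in users or "*" in roles:
                findings.append("Allow rule grants all logins or all groups")
            if "?" in users or "?" in roles:
                findings.append("Allow rule grants anonymous callers")
            if not users and not roles:
                findings.append("Allow rule names no logins or groups")
        report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_authorization(SAMPLE_WEB_CONFIG).items():
        print(f"{path}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the embedded sample, the admin and weather locations come back clean, while the landuse location is reported because its add rule sits alongside the default IIS allow-all rule that the page's examples strip with the remove element; to audit a real installation, read the web.config from the REST folder and pass its text to audit_authorization instead of the constructed sample.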