Internet security overview
ArcGIS Server enables you to secure your Web applications and Web services. This section primarily addresses how to restrict access for applications and services to authorized users. Of course, other security issues apply to your ArcGIS Server system, such as the accounts used by ArcGIS Server to access data, security for code that executes on your server, and physical security of the equipment. See Ways to implement security for additional information on security with ArcGIS Server.
With ArcGIS Server you can manage security for your Web services and Web applications. The key tasks for security that you need to perform are:
A section follows that summarizes the options: Common configurations for security for ArcGIS Server services. You can use Manager for most of these tasks. More information about each of these is provided below, as well as in individual sections of this topic. The Internet security checklist also serves as a guide for implementing security for services and applications.
To restrict access to services and applications, you need a set of users and roles so that you can assign permissions to them. The users for your services and applications may be stored in one of several locations. Since permissions are based on roles rather than on individual user accounts, users must be members of one or more roles. You have several choices for the location for roles. ArcGIS Server leverages platform standards for user and role storage. In some cases, Manager may be used to add, edit and delete users and roles. In other cases, you use tools appropriate for the user or role store for management.
For ArcGIS Server for the Microsoft .NET Framework, three locations are available for users and roles:
Custom providers are supported through the standard ASP.NET Membership framework. This enables use of a variety of other locations for users and roles, such as other databases, XML files, Active Directory, LDAP, etc.
For some guidelines and examples of user and role locations, see the section of this page on Common configurations for security for ArcGIS Server services . For details on setting up users and roles, see Overview of setting up users and roles.
Authentication is the process of identifying who is attempting to access the system. The user provides credentials, typically a user name and password, to authenticate to the system. The authentication method determines how the server validates the identity of the user.
The authentication method may be tied to the choice of user store. Authentication methods also vary in terms of the level of security provided. Read the documentation carefully and consult with your security staff before choosing a method appropriate for your situation.
The authentication methods available with ArcGIS Server for the Microsoft .NET Framework are:
You can support multiple authentication methods, if needed, by setting up multiple ArcGIS Server Web instances. Each instance would be tied to the same GIS server but would be configured for a different authentication method.
For guidelines on authentication methods, see Common configurations for security for ArcGIS Server services. The Overview of setting up users and roles has additional information on authentication methods.
Depending on the requirements of your user store and authentication method, you may need to acquire a SSL certificate for your Web server. SSL enables the use of HTTPS, which encrypts communication between clients and your Web server. Generally speaking, SSL is essential when authenticating users with HTTP Basic, token-based, or forms-based authentication, though SSL may increase the security of credentials with other authentication methods as well. Learn more about Setting up SSL.
For a user to access a service or application, you must add permissions in the service or application for a role in which the user is a member. ArcGIS Server permissions are based on roles. You add permissions for a service, a service folder, or application in Manager by permitting roles, rather than by permitting individual users.
When you apply security to a Web service, it applies to all forms of the Web service: SOAP, REST, and OGC (such as WMS). If you allow access to a role (for example, Planners) for a service in Manager, then users in that role will be able to access the service through SOAP, REST and any OGC methods enabled for the service. The Services Directory also automatically respects security settings, so only logged-in users will see secured services for which they are permitted.
The table below depicts common configurations for security for ArcGIS Server services. This is based on three aspects of how and where services are configured: (1) whether the services are deployed on an intranet or over the Internet, (2) the type of user and role store, and (3) the authentication method.
|Intranet||None||Not applicable||No ArcGIS Server security. Firewall limits services/applications to internal users.|
|Windows domain users/roles (groups)||Integrated Windows Authentication|
|Windows domain users, SQL Server roles||Integrated Windows Authentication|
|Internet||None||Not applicable||No ArcGIS Server security. All services open to all users.|
|Windows users, SQL Server roles||2 ArcGIS Web instances (1 HTTP Basic/Digest, 1 token-based)||HTTP Basic/Digest supports SOAP, OGC, KML; token-based supports REST access.|
|SQL Server users and roles||Token-based||No support for OGC or KML clients.|
|Custom provider||Token-based||No support for OGC or KML clients.|