Internet security overview

ArcGIS Server enables you to secure your Web applications and Web services. This section primarily addresses how to restrict access for applications and services to authorized users. Of course, other security issues apply to your ArcGIS Server system, such as the accounts used by ArcGIS Server to access data, security for code that executes on your server, and physical security of the equipment. See Ways to implement security for additional information on security with ArcGIS Server.

With ArcGIS Server you can manage security for your Web services and Web applications. The key tasks for security that you need to perform are:

Defining users and roles
Choosing an authentication method
Implementing Secure Sockets Layer (SSL)
Setting permissions for services and applications

A section follows that summarizes the options: Common configurations for security for ArcGIS Server services. You can use Manager for most of these tasks. More information about each of these is provided below, as well as in individual sections of this topic. The Internet security checklist also serves as a guide for implementing security for services and applications.

Defining Users and Roles

To restrict access to services and applications, you need a set of users and roles so that you can assign permissions to them. The users for your services and applications may be stored in one of several locations. Since permissions are based on roles rather than on individual user accounts, users must be members of one or more roles. You have several choices for the location for roles. ArcGIS Server leverages platform standards for user and role storage. In some cases, Manager may be used to add, edit and delete users and roles. In other cases, you use tools appropriate for the user or role store for management.

For ArcGIS Server for the Microsoft .NET Framework, three locations are available for users and roles:

Windows operating system users and groups
Microsoft SQL Server
Custom provider

Custom providers are supported through the standard ASP.NET Membership framework. This enables use of a variety of other locations for users and roles, such as other databases, XML files, Active Directory, LDAP, etc.

For some guidelines and examples of user and role locations, see the section of this page on Common configurations for security for ArcGIS Server services . For details on setting up users and roles, see Overview of setting up users and roles.

Choosing an authentication method

Authentication is the process of identifying who is attempting to access the system. The user provides credentials, typically a user name and password, to authenticate to the system. The authentication method determines how the server validates the identity of the user.

The authentication method may be tied to the choice of user store. Authentication methods also vary in terms of the level of security provided. Read the documentation carefully and consult with your security staff before choosing a method appropriate for your situation.

The authentication methods available with ArcGIS Server for the Microsoft .NET Framework are:

Integrated Windows authentication
- Known as Windows authentication on Windows Server 2008 and Windows Vista
- Relies on the Web server (Internet Information Server (IIS)) to validate the user's identity
- Generally only used in intranets, not over the Internet
- Used only when users are Windows operating system users
- When the browser is Internet Explorer on the same local network as the server, the user's logged-on identity is passed transparently without a login prompt. The same applies to ArcGIS clients (Desktop, Engine, ArcGIS Explorer). This allows users to connect and use services without explicitly logging in.
HTTP Basic and Digest
- Also relies on IIS Web server to authenticate the user
- Used on intranets and over the Internet
- Used only when users are Windows operating system users
- Browser users typically see a standard pop-up login dialog
Token-based authentication
- Implemented in ArcGIS Server
- Used only for Web services, not for applications
- The client obtains a token from the server by passing user name and password, and the token is then used to access the service
- Works with any user store
Forms-based authentication
- Used for Web applications when user store is SQL Server or a custom provider
- Browser users typically see a form on a Web page for login

You can support multiple authentication methods, if needed, by setting up multiple ArcGIS Server Web instances. Each instance would be tied to the same GIS server but would be configured for a different authentication method.

For guidelines on authentication methods, see Common configurations for security for ArcGIS Server services. The Overview of setting up users and roles has additional information on authentication methods.

Implementing Secure Sockets Layer (SSL)

Depending on the requirements of your user store and authentication method, you may need to acquire a SSL certificate for your Web server. SSL enables the use of HTTPS, which encrypts communication between clients and your Web server. Generally speaking, SSL is essential when authenticating users with HTTP Basic, token-based, or forms-based authentication, though SSL may increase the security of credentials with other authentication methods as well. Learn more about Setting up SSL.

Setting Permissions for Services and Applications

For a user to access a service or application, you must add permissions in the service or application for a role in which the user is a member. ArcGIS Server permissions are based on roles. You add permissions for a service, a service folder, or application in Manager by permitting roles, rather than by permitting individual users.

When you apply security to a Web service, it applies to all forms of the Web service: SOAP, REST, and OGC (such as WMS). If you allow access to a role (for example, Planners) for a service in Manager, then users in that role will be able to access the service through SOAP, REST and any OGC methods enabled for the service. The Services Directory also automatically respects security settings, so only logged-in users will see secured services for which they are permitted.

Learn more about Securing Internet connections to services and about Securing Web applications.

Common configurations for security for ArcGIS Server services

The table below depicts common configurations for security for ArcGIS Server services. This is based on three aspects of how and where services are configured: (1) whether the services are deployed on an intranet or over the Internet, (2) the type of user and role store, and (3) the authentication method.

All configurations support all clients (Web, JavaScript, ArcGIS Desktop, OGC, and KML) except where noted.

Network	User/role store	Authentication	Notes
Intranet	None	Not applicable	No ArcGIS Server security. Firewall limits services/applications to internal users.
	Windows domain users/roles (groups)	Integrated Windows Authentication
	Windows domain users/roles (groups)	HTTP Basic/Digest	JavaScript applications must use a proxy/redirector.
	Windows domain users, SQL Server roles	Integrated Windows Authentication
	Windows domain users, SQL Server roles	HTTP Basic/Digest	JavaScript applications must use a proxy/redirector.
Internet	None	Not applicable	No ArcGIS Server security. All services open to all users.
	Windows users/roles	HTTP Basic/Digest	JavaScript applications must use a proxy/redirector.
	Windows users, SQL Server roles	2 ArcGIS Web instances (1 HTTP Basic/Digest, 1 token-based)	HTTP Basic/Digest supports SOAP, OGC, KML; token-based supports REST access.
	SQL Server users and roles	Token-based	No support for OGC or KML clients.
	Custom provider	Token-based	No support for OGC or KML clients.