The following checklist provides some things you'll need to do
to make sure your Web applications and services are secure. These
steps are described in greater detail throughout this section
of the help. See Internet security overview for an introduction to security.
Security checklist for Web services and Web applications
- Install ArcGIS Server, including the Web applications option. This installs Manager, Web Services and Token service.
- Obtain and install a Secure Sockets Layer (SSL) certificate for your Web server to enable encrypted communication using HTTPS.
- If you will be using SQL Server Express to store users and/or roles, install SQL Server Express, which is included with the ArcGIS Server media.
- In Manager, click on Security, then Settings, and click Change. In the security wizard, set the location for users and roles:
  - Windows users: users are operating system users. With Windows users, you may choose Windows groups as roles, or roles may be in SQL Server or a custom location (see the next two options for details).
  - SQL Server: use the wizard to connect to the database server, and then choose to create a new database, or specify an existing database where users and roles will be stored. To enable users to change and recover lost passwords, enter settings for the mail (SMTP) server.
  - Custom provider (other database, XML file, etc.): only available if you have added the required configuration into the security application.
- Add users and add roles as needed based on the chosen user and role stores.
  - For Windows users and groups, use operating system tools to add users and groups to the local server or to the domain as needed.
  - For SQL Server, add users and roles to the database (for Windows users plus SQL Server roles, add only roles). When using SQL Server for users, click Security, then click Users, and add users. When using SQL Server for roles, click Security, then click Roles, and add roles.
  - For a custom provider, you may use Manager to manage users and roles if the custom provider supports it. Otherwise, use the provider's tools to manage users and roles.
- To assign permissions to services and folders:
  - In Manager, click Services.
  - Assign folder permissions by selecting the folder from the drop-down list, then clicking the Manage Folders drop-down list, and then clicking Permissions.
  - Assign service permissions by clicking the permission button next to the service name.
- To apply security to Services:
  - In Manager, click Security, then click Settings, and under Security for GIS Services, click Enable. Until you do this step, the permissions in the previous step are not enforced. After this step, only users in roles permitted in Manager will be allowed access to any services.
  - Only if using Windows users as the user store: using IIS Manager, disable anonymous access to the ArcGIS/Services and ArcGIS/Rest Web services applications.
- To assign and apply permissions to Web applications:
  - In Manager, go to Applications.
  - Click the Permissions (lock) button for the Web application.
  - Check the box to secure this Web application.
  - Add roles that should be permitted access, then click OK.
- For map and globe services with tile caches, secure the cache directory for these services.
- Require HTTPS for any Web pages that transmit sensitive data, such as login pages.
- Optional: if the user store supports changing and recovering passwords, and you want to enable users to do so, provide a link to the PasswordManager.aspx page somewhere in your organization's Web site.