Securing Internet connections to services |
|
Release 9.3 |
When you create a service, Web access is automatically enabled. This means that others can use the service when they make an ArcGIS Server Internet connection to your server. You can choose to turn off Web access completely or restrict access to a select group of users. You can also limit the types of operations that can be performed with the service through the Web. The contents of this topic are:
Note: The agsadmin and agsusers groups are not used for Internet connections; they are used to secure local connections. Security for both local and Internet connections should be part of your overall security strategy. For additional information, see Securing local connections to services.
If you don't want Internet clients to access a service, you need to explicitly disable Web access.
Note: For map services, the steps above only disable Web access for the Mapping capability. You can disable Web access for other capabilities on the Capabilities tab of the Service Properties dialog box.
You can require clients that connect to your ArcGIS Server services use HTTPS for the connection. This will encrypt all communication between the client and the server, so that if someone intercepts the communication during transmission, the data will be encrypted against reading. If you also want to restrict access to the service to certain users, see the section below on Limiting which users can access a service.
The HTTPS requirement is set at the folder level, rather than for individual services. If you only want to require HTTPS for an individual service and not for the entire server or folder, create a new folder and add the service to the new folder.
Note that you must install a SSL certificate on the Web server in order for clients to request resources with HTTPS. For details, see Setting up SSL.
To use Manager to require HTTPS for a folder, follow these steps:
You can also require HTTPS for a folder using ArcCatalog. To do so:
Note that after you require HTTPS for a folder, then any client application must use a URL with https:// in order to use the services in that folder. If a user connects to the server with ArcCatalog and does not use https in the URL, then the folder will not display even if the user otherwise is permitted access to the folder.
You can use ArcGIS Server Manager to limit which users can access a service through Internet connections. To do this, you define a set of users and roles and designate which roles should have access to particular Internet services. Read the topic Overview of setting up users and roles to learn how to create the users and roles. You need to add at least one user and one role with a user before you configure security for services. You also must perform an additional step of enabling security for services before assigned permissions actually take effect.
The steps to implement security for GIS services are as follows:
You can set permissions on folders and services. Services within a folder inherit the permissions set for the folder. If you set permissions for the root of Services, then all services will inherit those permissions. You can override inherited permissions by removing inherited roles for a service or folder.
Until you complete Step 3 above to enable security for services, anyone will be able to connect to your services that have Web access enabled. It is also important to understand that after you enable security, no users will be able to access any service unless (a) you add permissions for roles to the service or folder, and (b) the user logs in with an account in a role permitted for the service. Therefore, before you enable security, you must set up permissions for services. Depending on where user accounts are stored, an "Anonymous" role may be available to allow anyone to access services or folders.
One approach for security would be to assign broad permissions to the root of a server, then restrict permissions on folders and services. Another pattern would be to keep permissions limited on the root, then allow designated roles access to specific folders or services.
If a user is a member of multiple roles and any of the roles are permitted for the service, the user will have access. Manager does not have the ability to explicitly deny access to roles or users. Hence you should design your roles carefully to match the access you want to grant for services and folders.
To set permissions on who can access a service or folder, follow these steps:
If the Everyone, Authenticated Users, and Anonymous roles have been added to your user store, you can add any of these roles to a service or folder or remove them if they have been inherited from a parent folder. When the Everyone role is allowed, anyone can access the service (or services within the folder) whether or not they supply a login. If Everyone is allowed, it is not necessary to add other roles to the list of allowed roles. Allowing Authenticated Users means that any user in the user store will be permitted access. For more information on these special roles, see the "Setting up users and roles" topic for your role provider ( SQL Server or Custom provider). These roles are not available when roles are Windows groups, since group membership must be determined from the operating system.
If you see the following message displayed in the Permissions dialog box then security has not yet been enabled for services:
"Warning: Security for GIS services has not been enabled. See Security-Settings to enable services security."
The permissions you are setting will not actually be enforced until you enable security. See Enabling security for services to learn how to enable security.
Permissions rules for services are stored internally by ArcGIS Server. The rules are not stored in the ArcGIS/Services Web application. Permissions are stored as .sec files in the <ArcGIS Install Location>\server\user\cfg folder. When permissions have been set for a folder, the folder will contain the file Folder.sec. When permissions have been set for a service, the folder will contain a file with the name matching the service's .cfg file, but the extension will be .sec. If permissions have not been set for a folder or a service, no .sec file will be present for that folder or service. For information on the format of the .sec files, see Security configuration files.
Access rules should not be set manually in the ArcGIS/Services Web application. In many ASP.NET Web applications, access is controlled by adding authorization rules into the web.config file for the Web application. ArcGIS Server now stores permission rules internally, rather than in the web.config file. If rules are added to the web.config file for the Services application, this may cause security settings in Manager to fail.
For further reading on how permissions behave, see these topics:
Enabling security causes permission rules you have set to be enforced for Internet connections to services. Until you enable security, all services are open to all users, even if you have set up permission rules.
Before you enable security for services, you should set up the permission rules you want to apply for your services. If you enable security before you assign permission rules for your services, no one will be able to make Internet connections to any of your services.
Once you enable security, you cannot disable security in Manager. This is to prevent inadvertent compromise of security for your services. See below for more information.
This step applies only to security for GIS services. Security for Web applications is applied individually to each application. See Securing Web Applications for details.
To enable security for services, follow these steps:
Once you enable security for GIS services, you cannot use Manager to disable security. This is to prevent accidental disabling of security and compromise of access to your services. If you decide later that you must disable security, you can do so with the following steps.
Warning: If you perform these steps, any user will be able to connect to any GIS service using an Internet connection without providing any login.
<SecurityEnabled>true</SecurityEnabled>
<SecurityEnabled>false</SecurityEnabled>
<add key="RequireToken" value="True" />
<add key="RequireToken" value="False" />
To re-enable security, follow the steps in Enabling security for services.
To make it easy to control how your Web services are used, each type of service has a set of allowed operations that determine which methods users can call. You can allow all the operations if you want users to have complete use of the service, or you can disable certain operations to prevent users from doing certain things, like querying the data in your map or extracting data from your geodatabase.
You can set the operations allowed on the Capabilities tab of the Service Properties dialog box. For additional documentation on which methods are included in each operation, see Tuning and configuring services.