Securing Internet connections to services

Release 9.3 E-mail This Topic Printable Version Give Us Feedback

When you create a service, Web access is automatically enabled. This means that others can use the service when they make an ArcGIS Server Internet connection to your server. You can choose to turn off Web access completely or restrict access to a select group of users. You can also limit the types of operations that can be performed with the service through the Web. The contents of this topic are:

Note: The agsadmin and agsusers groups are not used for Internet connections; they are used to secure local connections. Security for both local and Internet connections should be part of your overall security strategy. For additional information, see Securing local connections to services.

Turning off Web access

If you don't want Internet clients to access a service, you need to explicitly disable Web access.

Turning off Web access in Manager

To disable Web access for a service in Manager, follow the steps below. The service must be stopped when you perform these steps.
  1. Click the Services tab in Manager.
  2. In the list of services, find the service for which you want to disable Web access and click its Edit link.
  3. Click Capabilities on the left menu.
  4. Uncheck the box next to Enable Web Access.
  5. Click Finish.
  6. Start the service.

Turning off Web access in ArcCatalog

To disable Web access for a service in ArcCatalog, follow the steps below. The service must be stopped when you perform these steps.
  1. Make an administrative connection to the server. See Connecting to a GIS server in ArcCatalog for instructions.
  2. Find the service for which you would like to disable Web access.
  3. Right-click the service and click Disable Web Access.

Note: For map services, the steps above only disable Web access for the Mapping capability. You can disable Web access for other capabilities on the Capabilities tab of the Service Properties dialog box.

Requiring HTTPS for folders and services

You can require clients that connect to your ArcGIS Server services use HTTPS for the connection. This will encrypt all communication between the client and the server, so that if someone intercepts the communication during transmission, the data will be encrypted against reading. If you also want to restrict access to the service to certain users, see the section below on Limiting which users can access a service.

The HTTPS requirement is set at the folder level, rather than for individual services. If you only want to require HTTPS for an individual service and not for the entire server or folder, create a new folder and add the service to the new folder.

Note that you must install a SSL certificate on the Web server in order for clients to request resources with HTTPS. For details, see Setting up SSL.

To use Manager to require HTTPS for a folder, follow these steps:

  1. Log in to ArcGIS Server Manager and click on Services.
  2. In the drop-down box for server folders, choose the folder where you want to require HTTPS. To require HTTPS for the entire server, select the server (root).
  3. Click Manage Folders, and in the drop-down list, click Properties.
  4. In the Folder Properties dialog that opens, check Require Encrypted Web Access, then click OK.

You can also require HTTPS for a folder using ArcCatalog. To do so:

  1. Open ArcCatalog, expand GIS Servers, and double-click the administrative server connection. If necessary, add an administrative connection by double-clicking Add ArcGIS Server, clicking Manage GIS Services, then entering the server name and URL (e.g., http://myserver.example.com/arcgis/services).
  2. Expand the server connection if necessary to find the folder for which you want to require HTTPS.
  3. Right-click on the folder and choose Properties (or to require SSL for all service, right-click on the server and click Root Folder Properties).
  4. In the Folder Properties dialog, check Require Encrypted Web Access, then click OK.

Note that after you require HTTPS for a folder, then any client application must use a URL with https:// in order to use the services in that folder. If a user connects to the server with ArcCatalog and does not use https in the URL, then the folder will not display even if the user otherwise is permitted access to the folder.

Limiting which users can access a service

You can use ArcGIS Server Manager to limit which users can access a service through Internet connections. To do this, you define a set of users and roles and designate which roles should have access to particular Internet services. Read the topic Overview of setting up users and roles to learn how to create the users and roles. You need to add at least one user and one role with a user before you configure security for services. You also must perform an additional step of enabling security for services before assigned permissions actually take effect.

The steps to implement security for GIS services are as follows:

  1. Set up the location to store users and roles and add users and roles. See Overview of setting up users and roles.
  2. Add permissions to folders and/or services. See Setting permissions for a service or folder below.
  3. Enable security for services. See Enabling security for services. Until you do this step, no restrictions will be enforced on Web access to services.

You can set permissions on folders and services. Services within a folder inherit the permissions set for the folder. If you set permissions for the root of Services, then all services will inherit those permissions. You can override inherited permissions by removing inherited roles for a service or folder.

Until you complete Step 3 above to enable security for services, anyone will be able to connect to your services that have Web access enabled. It is also important to understand that after you enable security, no users will be able to access any service unless (a) you add permissions for roles to the service or folder, and (b) the user logs in with an account in a role permitted for the service. Therefore, before you enable security, you must set up permissions for services. Depending on where user accounts are stored, an "Anonymous" role may be available to allow anyone to access services or folders.

One approach for security would be to assign broad permissions to the root of a server, then restrict permissions on folders and services. Another pattern would be to keep permissions limited on the root, then allow designated roles access to specific folders or services.

If a user is a member of multiple roles and any of the roles are permitted for the service, the user will have access. Manager does not have the ability to explicitly deny access to roles or users. Hence you should design your roles carefully to match the access you want to grant for services and folders.

Setting permissions for a service or folder

To set permissions on who can access a service or folder, follow these steps:

  1. In Manager, click the Services tab to see a list of services on your server. If you want to set permissions on a folder or on a service within a folder, use the "Services in" drop-down list to change the view to the folder.
  2. Open the Permissions dialog box for the service or folder:
    • For folder permissions, click Manage Folders and click Permissions in the list that opens.
    • For service permissions, click the permissions (lock) icon for the service.
  3. The Permissions dialog box opens. The list on the left shows the roles available, and the box on the right lists roles that are currently permitted access.
    • To allow a role to access the service or services within the folder, click the role in the list of available roles and click the Add button to move it to the allowed roles list.
    • To remove access for a role, click to select it in the allowed roles list and click Remove. The role is moved to the available roles list. (Note: If the role has been deleted or is not present in the current role store, it will not be shown when the Permissions dialog box is re-opened.)
  4. Once you've configured permissions, click Save to save the changes and apply them to the service. Click Cancel to abandon any changes to the service.

If the Everyone, Authenticated Users, and Anonymous roles have been added to your user store, you can add any of these roles to a service or folder or remove them if they have been inherited from a parent folder. When the Everyone role is allowed, anyone can access the service (or services within the folder) whether or not they supply a login. If Everyone is allowed, it is not necessary to add other roles to the list of allowed roles. Allowing Authenticated Users means that any user in the user store will be permitted access. For more information on these special roles, see the "Setting up users and roles" topic for your role provider ( SQL Server or Custom provider). These roles are not available when roles are Windows groups, since group membership must be determined from the operating system.

If you see the following message displayed in the Permissions dialog box then security has not yet been enabled for services:

"Warning: Security for GIS services has not been enabled. See Security-Settings to enable services security."

The permissions you are setting will not actually be enforced until you enable security. See Enabling security for services to learn how to enable security.

Permissions rules for services are stored internally by ArcGIS Server. The rules are not stored in the ArcGIS/Services Web application. Permissions are stored as .sec files in the <ArcGIS Install Location>\server\user\cfg folder. When permissions have been set for a folder, the folder will contain the file Folder.sec. When permissions have been set for a service, the folder will contain a file with the name matching the service's .cfg file, but the extension will be .sec. If permissions have not been set for a folder or a service, no .sec file will be present for that folder or service. For information on the format of the .sec files, see Security configuration files.

Access rules should not be set manually in the ArcGIS/Services Web application. In many ASP.NET Web applications, access is controlled by adding authorization rules into the web.config file for the Web application. ArcGIS Server now stores permission rules internally, rather than in the web.config file. If rules are added to the web.config file for the Services application, this may cause security settings in Manager to fail.

For further reading on how permissions behave, see these topics:

Enabling security for services

Enabling security causes permission rules you have set to be enforced for Internet connections to services. Until you enable security, all services are open to all users, even if you have set up permission rules.

Before you enable security for services, you should set up the permission rules you want to apply for your services. If you enable security before you assign permission rules for your services, no one will be able to make Internet connections to any of your services.

Once you enable security, you cannot disable security in Manager. This is to prevent inadvertent compromise of security for your services. See below for more information.

This step applies only to security for GIS services. Security for Web applications is applied individually to each application. See Securing Web Applications for details.

To enable security for services, follow these steps:

  1. Set permission rules as desired for GIS services. See the previous section "Setting permissions for a service or folder" for details. You can use the Anonymous role, if desired, to allow all users to access one or more services.
  2. In Manager, click Security > Settings. In Security for GIS Services, click the Enable button. A dialog box appears with information about setting up security for services. Read the information to ensure you understand the implications of enabling security. If you are sure you are prepared to enable security, click the Enable Security for Services button, then click to confirm on the dialog box that appears. Otherwise, click Cancel.
  3. If you chose to store users as Windows users, then you must disable anonymous access to the Services application. See for instructions on disabling anonymous access.
  4. Test your services to ensure that users in allowed roles can access the services. If necessary, adjust permissions as described in Setting permissions for a service or folder.

Disabling security for services

Once you enable security for GIS services, you cannot use Manager to disable security. This is to prevent accidental disabling of security and compromise of access to your services. If you decide later that you must disable security, you can do so with the following steps.

Warning: If you perform these steps, any user will be able to connect to any GIS service using an Internet connection without providing any login.

  1. Use a text editor (such as Notepad) or XML editor to open the file Server.dat on your server object manager (SOM) machine. This file is located in your ArcGIS Server installation at <ArcGIS Install Location>\server\system.
  2. Change the following element, located inside the <Server> element, from

    <SecurityEnabled>true</SecurityEnabled>

    to

    <SecurityEnabled>false</SecurityEnabled>

    Then save the file.
  3. Use a text or XML editor to open the file web.config in C:\Inetpub\wwwroot\ArcGIS\Services (adjust the path if you installed the ArcGIS Web services to a different location).
  4. Locate the following line withing the <appSettings> section:

    <add key="RequireToken" value="True" />

    and change it to:

    <add key="RequireToken" value="False" />

    Then save the file.
  5. Repeat the previous two steps for the web.config files in the Rest folder and also the Tokens folder in the C:\Inetpub\wwwroot\ArcGIS directory.
  6. If security was configured for Windows users, then re-enable anonymous access to the Services and Rest folders in the ArcGIS Server Web instance in IIS. Refer to the instructions in the section on Disabling anonymous access to ArcGIS Web services in Internet Information Services, except in step 3 of the instructions, choose to enable anonymous access. Do this for both Services and Rest directories.
  7. Restart the ArcGIS Server Object Manager service and the World Web Web Publishing Service.

To re-enable security, follow the steps in Enabling security for services.

Limiting what users can do with a service

To make it easy to control how your Web services are used, each type of service has a set of allowed operations that determine which methods users can call. You can allow all the operations if you want users to have complete use of the service, or you can disable certain operations to prevent users from doing certain things, like querying the data in your map or extracting data from your geodatabase.

You can set the operations allowed on the Capabilities tab of the Service Properties dialog box. For additional documentation on which methods are included in each operation, see Tuning and configuring services.