When you install ArcGIS Server, you will find the following:
- ArcGIS Server initially has only one account, the primary site administrator you specified when you created your site. This is not a Windows account; it's an account that is used only for logging in to ArcGIS Server.
- All administration and publishing operations are initially secure and can be performed only by the primary site administrator.
- All services are publicly accessible.
- Most functionality is open (not locked down).
These settings are usually sufficient for organizations that are deploying ArcGIS Server for their own department's use. If you are using ArcGIS Server in an enterprise, a highly secure environment, or serving to the Internet, you will want to configure ArcGIS Server security further. The topics in this help book will help you do the following:
- Limit who can access your services
- Log who is using your services
- Control who can administer and publish to your ArcGIS Server
- Encrypt ArcGIS Server communications
GIS web services allow many operations that take user input, such as queries, edits, feature attachments, and so forth. Esri performs periodic security audits to test its software for vulnerabilities to SQL injection and other forms of attacks that could come through user input. Additionally, service administrators are given options to disable queries, downloads, and uploads for individual services.
In order to reduce the vulnerability of your server, you should follow best practices such as allowing only the minimum necessary privileges to the ArcGIS Server account. Some of these recommendations are outlined in Best practices for configuring a secure environment.