Portal for ArcGIS comes with a Python script tool, portalScan.py, that scans for some common security issues. The tool checks for problems based on some of the best practices for configuring a secure environment for your portal. It analyzes six criteria or configuration properties and divides them into three severity levels: Critical, Important, and Recommended. The descriptions of these criteria are as follows:
ID | Severity | Property | Description |
---|---|---|---|
PS01 | Critical | Proxy restrictions | Determines if the portal proxy capability is restricted. By default, the portal proxy server is open to any URL. To mitigate against potential Denial of Service (DoS) or Server Side Request Forgery (SSRF) attacks, it's strongly recommended that you restrict the portal's proxy capability to approved web addresses. |
PS02 | Critical | Token requests | Determines if generate token requests with credentials in the query parameter are supported. If supported, when generating tokens, a user's credentials could be provided as part of the URL and may be exposed through browser history or in network logs. This should be disabled unless required by other applications. |
PS03 | Important | Portal services directory | Determines if the portal services directory is accessible through a web browser. This should be disabled to reduce the chances that your portal items, services, web maps, groups, and other resources can be browsed, found in a web search, or queried through HTML forms. |
PS04 | Important | Secure communication | Determines if the portal communicates through HTTPS only. To prevent the interception of any communication within the portal, it's recommended that you configure your portal and the web server hosting the Web Adaptor to enforce SSL. |
PS05 | Recommended | Built-in account sign-up | Determines if users can click the Create An Account button on the portal sign-up page to create a built-in portal account. If you're using enterprise accounts or you want to create all accounts manually, disable this option. |
PS06 | Recommended | Anonymous access | Determines if anonymous access is allowed. To prevent any user from accessing content without first providing credentials to the portal, it's recommended that you configure your portal to disable anonymous access. |
The portalScan.py script is located in the <Portal for ArcGIS installation location>\tools\security directory. Run the script from the command line or shell. You'll need to provide the portal URL as well as the username and password for an Administrator.
The scan generates a report in HTML format that lists any of the above issues that were found in the specified portal. The report is generated in the same folder where you run the script and is named portalScanReport_[hostname]_[date].html.