ArcGIS Server comes with a Python script tool, serverScan.py, that scans for some common security issues. The tool checks for problems based on some of the best practices for configuring a secure environment for ArcGIS Server. It analyzes many criteria or configuration properties and divides them into three severity levels: Critical, Important, and Recommended. The descriptions of these criteria are as follows:
Determines if HTTPS is enabled for ArcGIS Server. To prevent the interception of any communication, it is recommended that you configure ArcGIS Server and ArcGIS Web Adaptor (if installed) to enforce SSL encryption.
Determines if standardized queries are enforced. To provide protection against SQL injection attacks, it is critical that this option be enabled.
Determines if generate token requests via GET are supported. When generating tokens via GET, a user's credentials are sent as part of the URL and can be captured and exposed through browser history or network logs. This should be disabled unless required by other applications.
Determines if generate token requests via POST with credentials in the query parameter are supported. When generating tokens, a user's credentials could be provided as part of the URL and may be exposed through browser history or network logs. This should be disabled unless required by other applications.
Filter web content enabled
Generates a list of feature services where the filter web content property is disabled. Disabling this property allows a user to enter any text into the input fields, which exposes the service to potential cross-site scripting (XSS) attacks. This property is enabled by default and unless unsupported HTML entities or attributes are required, it should not be disabled.
System service permissions
Determines if nondefault permissions are applied to any service in the System folder in Server Manager. To ensure only administrators and publishers have access to the services in the System folder, no roles should be assigned.
REST services directory
Determines if the REST services directory is accessible through a web browser. Unless being actively used to search for and find services by users, this should be disabled to reduce the chance that your services can be browsed, found in a web search, or queried through HTML forms. This also provides further protection against cross-site scripting (XSS) attacks.
Determines if cross-domain requests are limited to specific domains. To reduce the possibility of an unknown application sending malicious commands to your web services, it is recommended to restrict the use of your services to applications hosted only in domains that you trust.
Generates a list of services where the database can be accessed via a dynamic workspace. Unless appropriately safeguarded, this can expose the database/workspace to access by malicious 3rd parties over REST. Dynamic workspaces should be enabled only if the service and the dynamic layer/workspace capability is intended for active use in a web application. In these cases, it is important to ensure that the database connection used by the map service to connect to the workspace/database has the least privileges needed for the application, for example, read-only access to only those additional tables within the workspace that are needed.
Web Adaptor over HTTPS
Determines if one or more Web Adaptors are registered over HTTPS. To allow Server Manager to successfully redirect to HTTPS, all Web Adaptors should be registered over HTTPS.
Disable PSA account
Determines if the primary site administrator account is enabled. It is recommended that you disable this account to ensure that there is no other way to administer ArcGIS Server other than the group or role specified in your identity store.
Feature service permissions
Returns a list of feature services that have the update or delete operations enabled and are open to anonymous access. This allows the feature service data to be changed or deleted without authentication.
LDAP identity store
If ArcGIS Server is configured with an LDAP identity store, this determines if encrypted communication is used. To ensure encrypted communication between ArcGIS Server and the LDAP identity provider, it is recommended to use ldaps:// in the connection URL defined for both the LDAP User Store and LDAP Role Store configurations (if used).
Server SSL certificate
Determines if a self-signed certificate is used by ArcGIS Server. To help reduce web browser warnings or other unexpected behavior from clients communicating with ArcGIS Server, it is recommended to import and use a CA-signed SSL certificate bound to port 6443.
System service sharing
Determines if any of the services in the System folder have been shared as a portal item. To ensure the proper permissions, these services are not intended to be shared through a portal. It is recommended to remove the associated portal item to restore the default service permissions.
The serverscan script is located in the <ArcGIS Server installation location>/tools/admin directory. Run the script from the command line or shell. You have the option to specify parameters when running the script.
The fully-qualified domain name of the machine where Server is installed (i.e.: gisserver.domain.com). The default is the hostname of the machine where the script is run.
The username of an administrator account.
The password of an administrator account.
The directory where the security scan report will be saved. The default directory is the same folder where you run the script.
A token can be generated and used in place of the username and password. If a Portal token is generated for a federated Server, the fully qualified domain name of the Server being scanned should be input in the 'Webapp URL' field. If a token is generated for an unfederated Server, the token must be generated through the Administrator directory (arcgis/admin/generateToken) and the client must be 'Request IP'. When a token is provided, it overrides any username or password that is provided.
Disables SSL certificate verification. Starting in 10.7.1, the script will attempt to verify all SSL certificates by default. If Python does not trust the issuer of the certificates, the script will fail to complete. If needed, this parameter can be specified to ignore all certificates.
-h or -?
Outputs a listing of the parameters that can be specified when running the script.
Example: python serverScan.py -n gisserver.domain.com -u admin -p my.password -o C:\Temp
If the serverScan.py script is run without specifying any parameters, you will be prompted to enter them manually or select the default value. If you wish to use a token, it must be provided as a parameter when running the script.
The scan generates a report in HTML format that lists any of the above issues that were found in the specified ArcGIS Server site.
By default, the report is saved in the same folder where you run the script and is named serverScanReport_[hostname]_[date].html.