When you install ArcGIS Server, you will find the following:
- ArcGIS Server initially has only one account, the primary site administrator you specified when you created your site. This is not a Windows account; it's an account that is used only for logging in to ArcGIS Server.
- All administration and publishing operations are initially secure and can be performed only by the primary site administrator.
- All services are publicly accessible.
- Most functionality is open (not locked down).
- All web traffic uses secure HTTPS protocol.
The topics in this section discuss how you can use ArcGIS Server Manager and the ArcGIS Server Administrator Directory to further modify your site's security settings.
To learn more about controlling who can access, publish, and administer your GIS resources, see the Control access section of the documentation.
Your services allow many operations that take user input, such as queries, edits, feature attachments, and so on. Accordingly, you have options to disable queries, downloads, and uploads for individual services.
To reduce the vulnerability of your server, you should follow best practices such as allowing only the minimum necessary privileges to the ArcGIS Server account. Some of these recommendations are outlined in Best practices for configuring a secure environment.