How To: Secure GIS services and Web applications

Summary

Instructions provided describe how to secure the GIS services and Web applications.

Note:
While the concepts presented here apply to both the Microsoft .Net Framework and Java platforms for ArcGIS Server, the steps provided are for ArcGIS Server for the Microsoft .Net Framework.

When managing the GIS Server, planning security for the GIS services and Web Applications includes these common tasks:

· Manage the list of users for the Web GIS
o Add, edit and remove users and roles or groups

· Allow only authenticated users to use the Web GIS
o Users must log in before using a service or application

· Limit services and applications to authorized users
o Specify which users and roles or groups may access a service or application

· Manage finer-grained access to Web applications
o For example, allow only certain users to access specific layers or perform tasks

· Ensure that all communication with a Web service or Web application is encrypted, if needed
o Protect passwords during login
o If needed, encrypt all transmission of GIS maps and data

Procedure

How to get these tasks done with ArcGIS Server 9.2

· Manage users for the Web GIS

o For GIS services, use the Windows operating system tools to add and edit users and groups. Permissions for GIS Web services are based on Windows users and groups.
o For Web applications, users may be Windows users or may be stored in a custom user store, depending on the authentication method chosen for the Web application.
Authentication methods for ASP.NET: http://support.esri.com/en/knowledgebase/techarticles/detail/33858

· Allow only authenticated users to use the Web GIS

o For GIS services, disable anonymous access in IIS and edit the configuration files to specify the authentication method. See the topic, Limiting which users can access a service, in the Server Web Help.
o For Web applications, require users to log in. How this is done depends on which authentication method is chosen.
Authentication methods for ASP.NET: http://support.esri.com/en/knowledgebase/techarticles/detail/33858

· Limit services and applications to authorized users

o For GIS services, edit the configuration file for ArcGIS Web services. See the topic, Limiting which users can access a service, in the Server Web Help.
o For Web applications, edit the configuration (web.config) file of the application to specify permitted users and roles in the <authorization> tag.
Authentication methods for ASP.NET: http://support.esri.com/en/knowledgebase/techarticles/detail/33858

· Manage finer-grained access to Web applications

o This is done programmatically with custom code. See the developer sample on EDN.
o Also check out the ArcGIS Server blog post on Web ADF security techniques.

· Ensure that all communication with a Web service or Web application is encrypted, if needed

o For GIS services, see the Requiring an encrypted connection topic in the Server Web Help.
o For Web applications using ASP.NET and IIS, see the article in Related Information, "How to implement SSL in IIS".
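The three Web application steps above (require login, permit only certain users and roles in the <authorization> tag, and protect the login exchange) all land in the application's web.config. The fragment below is an added example, not code from the ESRI article or from the Web ADF; the role names GISEditors and GISAdmins, the Login.aspx page and the Admin folder are assumptions. It uses Forms authentication with a custom role store; with Windows authentication (mode="Windows") the same <authorization> rules work unchanged, but the roles are Windows groups such as DOMAIN\GISEditors and no role provider is needed.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the ESRI article): web.config for an ASP.NET Web ADF
     application. Role names, Login.aspx and the Admin folder are assumptions. -->
<configuration>
  <system.web>
    <!-- Step 1: require login. Forms authentication redirects unauthenticated
         requests to Login.aspx. requireSSL="true" makes the authentication ticket
         cookie HTTPS-only, so it is never sent over a plain-HTTP connection;
         protection="All" both encrypts and signs the ticket. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="true" protection="All"
             timeout="30" slidingExpiration="true" />
    </authentication>

    <!-- Roles for Forms authentication come from a role provider (the default is
         SqlRoleProvider); without this, the roles= attributes below never match. -->
    <roleManager enabled="true" />

    <!-- Step 2: authorize. Rules are evaluated top to bottom and the first match
         wins; if nothing matches, ASP.NET's machine-level default is allow. So
         deny "?" (anonymous) goes first, and a closing deny "*" makes the
         default explicit instead of relying on the inherited allow. -->
    <authorization>
      <deny users="?" />
      <allow roles="GISEditors" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Finer-grained rule for one folder. Rules in a more specific <location>
       are checked before the application-level rules above, so GISAdmins reach
       the folder even if they are not GISEditors; everyone else hits deny "*". -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="GISAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two checks worth making after editing this file: request a page anonymously and confirm the redirect to Login.aspx rather than the page itself, and request the site over plain HTTP after logging in over HTTPS and confirm that the session is not recognized, which shows requireSSL is in effect. The ordering caveat is the usual mistake: an <allow users="*"/> placed before the role rule silently grants every authenticated user access.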

How to get these tasks done in ArcGIS Server 9.3

In the future 9.3 release, many of these common security tasks can be done in ArcGIS Server Manager. Instead of editing configuration files, use the Manager user interface to configure security for the Web GIS. Here are the tasks that can be accomplished using Manager:
· Create and manage users
· Create and manage roles/groups
· Create and manage permissions for Web services and Web applications
· Configure the stores for users, roles and permissions
· Deploy services and applications with security enabled

Managing finer-grained access to Web applications and Web services is still done through custom code in ArcGIS Server 9.3.

Related Information