How To: Restrict the ArcIMS Application Server service on Windows
Information provided describes a restrictive environment for the ArcIMS 4.0 Application Server on Windows. This information is useful when installing ArcIMS in high-security environments.
Warning: This article is intended as a suggestion when installing ArcIMS in a secure environment. This configuration has not been tested and is not considered certifiedby ESRI. Support is still available when using ArcIMS in this configuration, but these settings may need to be removed in order to continue any troubleshooting. To install any Service Pack or updates switching of the ArcIMS services to run as the user that originally installed ArcIMS is required. The ArcIMS Application Server manages requests made to the ArcIMS spatial server.
· The machine on which the Application Server is running is referred to as the AppServerMachine in this article.
· The Windows account under which the Tasker runs is referred to as the 'aimsAppServer' account for this article.
DOMAIN OR LOCAL ACCOUNT?
The aimsAppServer account should be a local Windows account if the working directory is on AppServerMachine (99% of users). If the working directory is on another machine then aimsAppServer must be a Windows-domain account (very rare).
Note: The Application Server's working directory is where the ArcIMSSite.sez and ArcIMSFolders.sez files reside. By default this is C:\Program Files\ArcGIS\ArcIMS\AppServer.
The aimsAppServer account does not need to be part of any Windows group.
The aimsAppServer account needs the following user rights on the AppServerMachine:
· Logon as a service
· Bypass Traverse Checking
- Restrict the ArcIMS Monitor service and Spatial Server on Windows
- Restrict the ArcIMS Tasker service on Windows