How To: Restrict the ArcIMS Monitor service and Spatial Server on Windows


Instructions provided detail a restrictive environment for the ArcIMS 4.0 Monitor and Spatial Server on Windows. This information is useful when installing ArcIMS in high-security environments.

This article is intended as a suggestion when installing ArcIMS in a secure environment. This configuration has not been tested and is not considered certifiedby ESRI. Support is still available when using ArcIMS in this configuration, but these settings may need to be removed in order to continue any troubleshooting. To install any Service Pack or updates switching of the ArcIMS services to run as the user that originally installed ArcIMS is required.


The ArcIMS Spatial Server generates map images, performs queries, geocodes, and outputs zipped shapefiles. The ArcIMS Monitor starts the spatial server and monitors its status.
The spatial server and monitor in high volume environments are typically installed on multiple machines.

- The machine on which the spatial server and monitor are running is referred to as the SpatialServerMachine in this article.
- The machine on which the spatial server outputs images, files, and zip files is referred to as the OutputMachine in this article. This is not necessarily the same as the SpatialServerMachine.
- The machine on which shapefiles and images are stored is referred to as the DataMachine in this article. This is not necessarily the same as the SpatialServerMachine.
- The Windows account under which the Monitor and the spatial server runs is referred to as the 'aimsMonitor' account for this article.

It is recommended that the aimsMonitor account be a Windows-domain account. The only situation in which a local account may be used is when the DataMachine, OutputMachine, and SpatialServerMachine are all the same.

The aimsMonitor account does not need to be part of any Windows groups.

The aimsMonitor account needs the following user rights on the SpatialServerMachine:
- Logon as a service
- Bypass Traverse Checking
The aimsMonitor account needs the following user rights on the OutputMachine and DataMachine if different from the SpatialServerMachine:
- Access the computer from the network
- Bypass Traverse Checking

The spatial server's many functions are performed by subcomponents called virtual servers. Each virtual server requires different permissions.
[O-Image] SpatialServer40FilePermissions

A. Click Start > Run and type: dcomcnfg.exe.
B. Locate the AppLockMgr application in the list of DCOM enabled applications. It is listed as esriSystem.esriAppLockMgr.
C. Select esriSystem.esriAppLockMgr and click the properties button.
D. Click the Identity tab.
E. Select the 'This User' option and use the aimsmonitor account that you created for the Monitor service.
F. Select the Security tab.
G. Click 'Use custom launch permissions'
H. Click 'Edit' and add the aimsmonitor account
I. Save and close all the DCOM
J. Restart the Monitor service.

Related Information