How To: Secure GIS services and Web applications
Note: The content in this article pertains to ArcGIS versions 9.x only. Later versions of ArcGIS may contain different functionality, as well as different names and locations for menus, commands and geoprocessing tools.
Instructions provided describe how to secure the GIS services and Web applications.
Note: While the concepts presented here apply to both the Microsoft .Net Framework and Java platforms for ArcGIS Server, the steps provided are for ArcGIS Server for the Microsoft .Net Framework.
When managing the GIS Server, planning security for the GIS services and Web Applications includes these common tasks:
- Manage the list of users for the Web GIS. Add, edit and remove users and roles or groups.
- Allow only authenticated users to use the Web GIS. Users must log in before using a service or application.
- Limit services and applications to authorized users. Specify which users and roles or groups may access a service or application.
- Manage finer-grained access to Web applications. For example, allow only certain users to access specific layers or perform tasks.
- Ensure that all communication with a Web service or Web application is encrypted where needed. At a minimum, protect passwords during login; if the data warrants it, encrypt all transmission of GIS maps and data.
How to get these tasks done with ArcGIS Server 9.2
Manage users for the Web GIS
- For GIS services, use the Windows operating system tools to add and edit users and groups. Permissions for GIS Web services are based on Windows users and groups.
- For Web applications, users may be Windows users, or user accounts may be kept in a separate store (for example, a SQL Server database used by the ASP.NET membership and role providers), depending on the authentication method chosen for the Web application.
Allow only authenticated users to use the Web GIS
- For GIS services, disable anonymous access in IIS and edit the Web services configuration files to specify the authentication method. See the topic, Limiting which users can access a service, in the Server Web Help.
- For Web applications, require users to log in. How this is done depends on which authentication method is chosen.
Limit services and applications to authorized users
- For GIS services, edit the configuration file for ArcGIS Web services. See the topic, Limiting which users can access a service, in the Server Web Help.
- For Web applications, edit the configuration (web.config) file of the application to specify permitted users and roles in the <authorization> tag.
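The steps above for Web applications (require a login, then restrict the application to permitted users and roles in the <authorization> tag) come together in one web.config. The following is an added example for an ASP.NET 2.0 Web ADF application, not configuration taken from the article or shipped by Esri; the role names GISViewers and GISEditors, the Login.aspx page, the Admin folder and the connection string are assumed for illustration. The weak default is shown in a comment beside the hardened settings, and requireSSL on the forms cookie is what protects the login session from being replayed over plain HTTP.

```xml
<?xml version="1.0"?>
<!-- Added example web.config for an ArcGIS Server 9.2 Web ADF application
     (ASP.NET 2.0). Not from the original article. The role names, the
     Login.aspx page, the Admin folder and the connection string are assumed. -->
<configuration>
  <connectionStrings>
    <!-- Membership/role store: the ASP.NET application services database.
         LocalSqlServer is the name the default SQL providers look up. -->
    <add name="LocalSqlServer"
         connectionString="Data Source=.\SQLEXPRESS;Integrated Security=True;Initial Catalog=aspnetdb"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Weak state (the machine-level default): anonymous users reach every page.
         <authentication mode="None" />
         <authorization><allow users="*" /></authorization> -->

    <!-- Forms authentication: users must log in at Login.aspx.
         requireSSL="true" makes the browser send the authentication cookie
         only over HTTPS, so a cookie sniffed on plain HTTP cannot be replayed. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Rules are evaluated top to bottom and the first match wins.
         "?" is the anonymous user, "*" is everyone. The closing deny is
         needed because machine.config allows "*" by default and the
         rules here are merged in front of it. -->
    <authorization>
      <deny users="?" />
      <allow roles="GISViewers,GISEditors" />
      <deny users="*" />
    </authorization>

    <!-- Roles and users come from the ASP.NET SQL providers over LocalSqlServer. -->
    <roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider" />
    <membership defaultProvider="AspNetSqlMembershipProvider" />

    <!-- All cookies: never sent over HTTP, never readable from script. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Tighter rule for one folder of the application: only editors may enter.
       Restrictions below the page level (individual layers or tasks) still
       need custom code in the application. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="GISEditors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

For Windows authentication instead, replace the <authentication> element with <authentication mode="Windows" />, drop the <roleManager>, <membership> and <connectionStrings> sections, and write the roles as Windows groups (for example roles="DOMAIN\GIS Editors"); anonymous access must then also be disabled for the application in IIS, otherwise the Windows identity is never challenged for.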
Manage finer-grained access to Web applications
- This is done programmatically with custom code. See the developer sample on EDN.
- Also check out the ArcGIS Server blog post on Web ADF security techniques.
Ensure that all communication is encrypted
- For GIS services, see the Requiring an encrypted connection topic in the Server Web Help.
- For Web applications using ASP.NET and IIS, see the article in Related Information, "How to implement SSL in IIS".
How to get these tasks done in ArcGIS Server 9.3
In the future 9.3 release, many of these common security tasks can be done in ArcGIS Server Manager. Instead of editing configuration files, use the Manager user interface to configure security for the Web GIS. Here are the tasks that can be accomplished using Manager:
- Create and manage users
- Create and manage roles/groups
- Create and manage permissions for Web services and Web applications
- Configure the stores for users, roles and permissions
- Deploy services and applications with security enabled
Managing finer-grained access to Web applications and Web services is still done through custom code in ArcGIS Server 9.3.
Related Information
- How To: Use Windows Authentication in ASP.NET 2.0 (Microsoft.com)
- How To: Use Forms Authentication with SQL Server in ASP.NET 2.0 (Microsoft.com)
- Walkthrough: Managing Web Site Users with Roles (Microsoft.com)
- How to implement SSL in IIS (Microsoft.com)