STIGQter: STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 26 Jan 2018

The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates.

DISA Rule

SV-79809r2_rule

Vulnerability Number

V-65319

Group Title

SRG-APP-000015

Rule Version

AGIS-00-000007

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the ArcGIS Server to ensure the application implements cryptographic mechanisms to protect the integrity of remote access sessions. Substitute the target environment’s values for [bracketed] variables.

Navigate to IIS Manager >> [Default Website] >> Open "Bindings...". Click "Add..."

Under "Type:", select "https". Select an organizationally approved SSL certificate to associate with the https binding. (If no SSL Certificate is available, refer to http://technet.microsoft.com/en-us/library/cc731977(v=ws.10).aspx for guidance on requesting and installing an Internet Server Certificate [IIS 7]).

Navigate to IIS Manager >> [Default Website] >> SSL Settings. Check "Require SSL".

Check Contents

Review the ArcGIS for Server configuration to ensure the application implements cryptographic mechanisms to protect the integrity of remote access sessions. Substitute the target environment’s values for [bracketed] variables.

Navigate to IIS Manager >> [Default Website] >> Open “Bindings...”
Verify “https” is listed as a binding.
If “https” is not identified as a binding, this is a finding.

Navigate to IIS Manager >> [Default Website] >> “SSL Settings”
Verify that “Require SSL” is checked.
If “Require SSL” is not checked, this is a finding.

This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD-compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates).

This control is not applicable for ArcGIS Servers which are not deployed with the ArcGIS Web Adaptor component.
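The two manual checks above can also be scripted. The following PowerShell is an added example, not part of the STIG or of Esri or DISA tooling; it assumes an elevated session on the IIS host, the WebAdministration module, and a site named 'Default Web Site' (substitute the target environment's site name). It does not decide whether the certificate is approved or whether one of the not-applicable conditions holds; those stay with the reviewer.

```powershell
# Added example: scripted form of the two manual checks above (not part of the STIG).
# Assumption: the site is named 'Default Web Site'; pass -SiteName for another site.
param([string]$SiteName = 'Default Web Site')

Import-Module WebAdministration -ErrorAction Stop
$findings = @()

# Check 1: "https" must be listed as a binding on the site.
$httpsBindings = @(Get-WebBinding -Name $SiteName -Protocol 'https')
if ($httpsBindings.Count -eq 0) {
    $findings += "No https binding on '$SiteName'."
}
foreach ($binding in $httpsBindings) {
    # Show the bound certificate so a reviewer can confirm it is the approved one;
    # that judgement is not automated here.
    if ([string]::IsNullOrEmpty($binding.certificateHash)) {
        Write-Output "REVIEW: binding $($binding.bindingInformation) has no certificate hash recorded."
        continue
    }
    $certPath = "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
    $cert = Get-Item -Path $certPath -ErrorAction SilentlyContinue
    if ($null -eq $cert) {
        Write-Output "REVIEW: certificate $($binding.certificateHash) not found in $($binding.certificateStoreName)."
    }
    else {
        Write-Output ("REVIEW: {0} -> Subject={1}; Issuer={2}; NotAfter={3:u}" -f `
            $binding.bindingInformation, $cert.Subject, $cert.Issuer, $cert.NotAfter)
    }
}

# Check 2: "Require SSL" corresponds to the Ssl flag of
# system.webServer/security/access for the site.
$sslFlags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
if ($sslFlags -isnot [string]) { $sslFlags = $sslFlags.Value }   # tolerate object form
$flagList = @("$sslFlags" -split ',' | ForEach-Object { $_.Trim() })
if ($flagList -notcontains 'Ssl') {
    $findings += "'Require SSL' is not set on '$SiteName' (sslFlags = '$sslFlags')."
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
Write-Output "No finding: '$SiteName' has an https binding and requires SSL."
```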

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2961
