STIGQter: STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 26 Jan 2018:

The ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information.

DISA Rule

SV-79973r1_rule

Vulnerability Number

V-65483

Group Title

SRG-APP-000231

Rule Version

AGIS-00-000102

Severity

CAT I

CCI(s)

• CCI-001199 - The information system protects the confidentiality and/or integrity of organization-defined information at rest.

Weight

10

Fix Recommendation

Configure the ArcGIS Server to ensure mechanisms that protect the confidentiality and integrity of all information at rest are provided. Substitute the target environment’s values for [bracketed] variables.

Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/fileShares ("Primary Site Administrator" account access is required.)

Open each "Child Items" entry >> click "Edit".

Note the "path" value. For example, "path": "\\[server.domain.com\share".

Implement FIPS 140-2 compliant encryption at rest (such as BitLocker full disk encryption) on each infrastructure system that supplies each file path.

Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/enterpriseDatabases ("Primary Site Administrator" account access is required.)

Open each "Child Items" entry >> click "Edit".

Note the "info" values "SERVER", "DBCLIENT", and "DATABASE", for example:
'SERVER=dbserver', 'DBCLIENT=sqlserver', 'DATABASE=vtest';

Implement FIPS 140-2 compliant encryption at rest such as through the use of SQL Server TDE (Transparent Data Encryption) on each "SERVER", "DBCLIENT", and "DATABASE" entry identified above.

Check Contents

Review the ArcGIS Server configuration to ensure mechanisms that protect the confidentiality and integrity of all information at rest are provided. Substitute the target environment’s values for [bracketed] variables.

1. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/fileShares ("Primary Site Administrator" account access is required.)

Open each "Child Items" entry >> click "Edit".

Note the "path" value. For example, "path": "\\[server.domain.com\share".

Verify the infrastructure system(s) that supply each path implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption.

If any infrastructure system(s) that supply each path do not implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption, this is a finding.

2. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/enterpriseDatabases ("Primary Site Administrator" account access is required.)

Open each "Child Items" entry >> click "Edit".

Note the "info" values "SERVER", "DBCLIENT", and "DATABASE", for example: 'SERVER=dbserver', 'DBCLIENT=sqlserver', 'DATABASE=vtest';

Verify on each "SERVER", "DBCLIENT", and "DATABASE", that these systems implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption).

If any "SERVER", "DBCLIENT", and "DATABASE" do not implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption), this is a finding.

Vulnerability Number

V-65483

Documentable

False

Rule Version

AGIS-00-000102

Severity Override Guidance

Review the ArcGIS Server configuration to ensure mechanisms that protect the confidentiality and integrity of all information at rest are provided. Substitute the target environment’s values for [bracketed] variables.

1. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/fileShares ("Primary Site Administrator" account access is required.)

Open each "Child Items" entry >> click "Edit".

Note the "path" value. For example, "path": "\\[server.domain.com\share".

Verify the infrastructure system(s) that supply each path implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption.

If any infrastructure system(s) that supply each path do not implement FIPS 140-2 compliant encryption at rest, such as through the use of BitLocker full disk encryption, this is a finding.

2. Log on to https://[server.domain.com]:6443/arcgis/admin/data/items/enterpriseDatabases ("Primary Site Administrator" account access is required.)

Open each "Child Items" entry >> click "Edit".

Note the "info" values "SERVER", "DBCLIENT", and "DATABASE", for example: 'SERVER=dbserver', 'DBCLIENT=sqlserver', 'DATABASE=vtest';

Verify on each "SERVER", "DBCLIENT", and "DATABASE", that these systems implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption).

If any "SERVER", "DBCLIENT", and "DATABASE" do not implement FIPS 140-2 compliant encryption at rest, such as through the use of SQL Server TDE (Transparent Data Encryption), this is a finding.

Check Content Reference

M

Target Key

2961

Comments