STIGQter: STIG Summary: ArcGIS for Server 10.3 Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 26 Jan 2018

The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

DISA Rule

SV-80007r2_rule

Vulnerability Number

V-65517

Group Title

SRG-APP-000416

Rule Version

AGIS-00-000187

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the ArcGIS Server to implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the "[arcgis]" application >> SSL Settings >> check "Require SSL".

Check Contents

Review the ArcGIS Server configuration to ensure the application implements NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the “[arcgis]” application >> SSL Settings >> verify that “Require SSL” is checked.
If “Require SSL” is not checked, this is a finding.

Note: To comply with this control, the Active Directory domain on which the ArcGIS Server and the IIS system are deployed must implement policies which enforce FIPS 140-2 compliance.

This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates).

This control is not applicable for ArcGIS Servers which are not deployed with the ArcGIS Web Adapter component.
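
The "Require SSL" check above can also be evaluated from the IIS configuration file. The following is an added example, not part of the STIG: it assumes the setting is stored in a <location> element of applicationHost.config (not in the application's own web.config), and the site name "Default Web Site", the application names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of IIS applicationHost.config; the site name
# "Default Web Site" and the application names are assumptions.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site">
    <system.webServer><security><access sslFlags="None" /></security></system.webServer>
  </location>
  <location path="Default Web Site/arcgis">
    <system.webServer><security><access sslFlags="Ssl, SslNegotiateCert" /></security></system.webServer>
  </location>
  <location path="Default Web Site/portal">
    <system.webServer><security><access sslFlags="SslNegotiateCert" /></security></system.webServer>
  </location>
</configuration>"""


def effective_ssl_flags(config_xml, app_path):
    """Return the sslFlags tokens that apply to app_path.

    The most specific <location> whose path equals app_path or is a parent of
    it wins; an empty set means no <location> sets the attribute.
    """
    root = ET.fromstring(config_xml)
    target = app_path.strip("/").lower()
    best_len, flags = -1, set()
    for loc in root.iter("location"):
        path = loc.get("path", "").strip("/").lower()
        applies = path == "" or target == path or target.startswith(path + "/")
        access = loc.find("system.webServer/security/access")
        if not applies or access is None or access.get("sslFlags") is None:
            continue
        if len(path) > best_len:
            best_len = len(path)
            flags = {f.strip() for f in access.get("sslFlags").split(",") if f.strip()}
    return flags


def require_ssl_finding(config_xml, app_path):
    """True when "Require SSL" is not in effect, i.e. the STIG check is a finding."""
    # Compare whole tokens: "SslNegotiateCert" on its own is not "Ssl".
    return "Ssl" not in effective_ssl_flags(config_xml, app_path)


if __name__ == "__main__":
    for app in ("Default Web Site/arcgis", "Default Web Site/portal"):
        print(app, "FINDING" if require_ssl_finding(SAMPLE_CONFIG, app) else "ok")
```

The token comparison matters because a substring match on "Ssl" would pass an application that only negotiates client certificates without requiring SSL.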

Documentable

False

Check Content Reference

M

Target Key

2961
