STIGQter: STIG Summary:

ArcGIS for Server 10.3 Security Technical Implementation Guide

Version: 1

Release: 3

Benchmark Date: 26 Jan 2018

SV-79809r2_rule: The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates.
SV-79813r2_rule: The ArcGIS Server must use Windows authentication for supporting account management functions.
SV-79875r2_rule: The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SV-79883r1_rule: The ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components.
SV-79897r1_rule: The ArcGIS Server must protect audit information from any type of unauthorized read access, modification or deletion.
SV-79903r1_rule: The ArcGIS Server must be configured to disable non-essential capabilities.
SV-79905r1_rule: The ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-79919r2_rule: The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts.
SV-79949r1_rule: The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
SV-79957r2_rule: The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
SV-79967r2_rule: The ArcGIS Server must recognize only system-generated session identifiers.
SV-79973r1_rule: The ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information.
SV-79975r1_rule: The ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled.
SV-79977r1_rule: The ArcGIS Server must reveal error messages only to the ISSO, ISSM, and SA.
SV-79989r2_rule: The ArcGIS Server must enforce access restrictions associated with changes to application configuration.
SV-79993r2_rule: The organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure.
SV-79999r2_rule: The ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials.
SV-80005r2_rule: The ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
SV-80007r2_rule: The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SV-80009r1_rule: The ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions.
SV-80011r1_rule: The ArcGIS Server must maintain a separate execution domain for each executing process.
SV-80059r1_rule: The ArcGIS Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.