ArcGIS Server Security Threats & Best Practices 2014
David Cordes, Michael Young
Agenda
• Introduction
• Threats
• Best practice
  - ArcGIS Server settings
  - Infrastructure settings
  - Processes
• Summary
Introduction: Application Security Risks
• Source: OWASP Top 10 - 2013
Threats: Standardized Vulnerability Ranking
• Common Vulnerability Scoring System (CVSS)
  - Open, standardized method for rating IT vulnerabilities
  - Overall score is built from three metric groups:
    - Base
    - Temporal
    - Environmental
Threats: Calculate Your Vulnerability Risk
• NIST online calculator for scoring a vulnerability (CVSS v2)
http://nvd.nist.gov/cvss.cfm?calculator&version=2
Attacks: Injection
• What
  - Tricking an application into including unintended commands in the data sent to an interpreter
• Example
  - Attacker sends the attack in form data, such as ' or 1=1
  - Application forwards it to the database inside a SQL query
  - Database runs the modified query containing the attack and returns the results to the app
• Recommendations
  - Use the standardized queries setting added in 10.2+, and parameterized queries in your own code
  - Minimize database privileges to reduce impact
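To make the slide's example concrete, here is an added example (not from the presentation and not Esri code) in Python over an in-memory SQLite table: the string-built query that the ' or 1=1 payload breaks, the parameterized version that does not, and a small where-clause validator that accepts only "column operator literal" terms joined by AND/OR. That validator is a simplified stand-in for the idea behind standardized queries, not Esri's implementation. The table, rows and column names are constructed for the example; the payload gets a trailing -- so that the quote it leaves open is commented out.

```python
"""Added example: ' or 1=1 against string-built SQL, the parameterized fix, and a
restricted where-clause grammar.  Not Esri code; sample data is constructed."""
import re
import sqlite3


def make_db():
    """Constructed sample: two public parcels and one the service must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parcels (id INTEGER PRIMARY KEY, owner TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO parcels (owner, restricted) VALUES (?, ?)",
                     [("Alice", 0), ("Bob", 0), ("Agency", 1)])
    return conn


def parcels_vulnerable(conn, owner):
    """The slide's bug: user input is pasted into the SQL text."""
    sql = "SELECT id, owner FROM parcels WHERE restricted = 0 AND owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def parcels_safe(conn, owner):
    """Parameterized: the value travels separately from the SQL and can never become SQL."""
    sql = "SELECT id, owner FROM parcels WHERE restricted = 0 AND owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Restricted grammar for a client-supplied where clause: <column> <op> <literal>,
# terms joined by AND/OR, nothing else (no parentheses, comments, functions, UNION).
_CLAUSE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=|<>|<=|>=|<|>|LIKE)\s*"
                     r"('(?:[^']|'')*'|-?\d+(?:\.\d+)?)\s*", re.IGNORECASE)
_JOIN = re.compile(r"(AND|OR)\b\s*", re.IGNORECASE)


def compile_where(conn, table, where):
    """Return (sql_fragment, params) or raise ValueError.  Column names are checked
    against the table's real columns; every literal becomes a bind parameter."""
    columns = {row[1] for row in conn.execute("PRAGMA table_info(%s)" % table)}
    pos, fragments, params = 0, [], []
    while True:
        m = _CLAUSE.match(where, pos)
        if not m:
            raise ValueError("rejected where clause at offset %d" % pos)
        column, op, literal = m.group(1), m.group(2).upper(), m.group(3)
        if column not in columns:
            raise ValueError("unknown column " + column)
        if literal.startswith("'"):
            value = literal[1:-1].replace("''", "'")
        else:
            value = float(literal) if "." in literal else int(literal)
        fragments.append("%s %s ?" % (column, op))
        params.append(value)
        pos = m.end()
        if pos == len(where):
            return " ".join(fragments), params
        j = _JOIN.match(where, pos)
        if not j:
            raise ValueError("rejected where clause at offset %d" % pos)
        fragments.append(j.group(1).upper())
        pos = j.end()


def query_where(conn, where):
    """Run a client where clause, keeping the server's own restriction outside the parentheses."""
    fragment, params = compile_where(conn, "parcels", where)
    sql = "SELECT id, owner FROM parcels WHERE restricted = 0 AND (%s)" % fragment
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(parcels_vulnerable(db, "' or 1=1 --"))   # every row, restricted one included
    print(parcels_safe(db, "' or 1=1 --"))         # nothing: no owner has that name
    print(query_where(db, "owner = 'Alice' OR id >= 2"))
```

The second layer is the point of the slide's "minimize database privileges" line as well: even if a clause slips through, the connection the map service uses should only be able to read the tables it publishes.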
Attacks: Cross-Site Scripting (XSS)
• What
  - Raw data from an attacker is sent to an innocent user's browser
• Example
  - Attacker sets the trap by entering a malicious script into a web page that stores the data on the server
  - Victim views the page and the script runs inside the victim's browser with full access to the DOM and cookies
  - Script silently sends the victim's session cookie to the attacker
• Recommendations
  - Never include user-supplied input in an output page without context-appropriate output encoding
  - Mark session cookies HttpOnly so that script cannot read them
  - Ensure any ArcGIS Server security patches are applied
Attacks: Security Misconfiguration
• What
  - Web applications rely on a secure foundation, from the OS up through the application server
• Example
  - Backdoor installed through a missing OS or server patch
  - ArcGIS Server Administrator Directory and Manager accidentally exposed to the Internet
• Recommendations
  - Keep security patches in place, e.g. OpenSSL/Heartbleed
  - Put ArcGIS Server behind the ArcGIS Web Adaptor, with administrative access left disabled on Internet-facing adaptors, so that ports 6080/6443 are not reachable directly
  - Server hardening guide coming
Attacks: Sensitive Data Exposure
• What
  - Storing or transmitting sensitive data insecurely
• Example
  - Victim enters sensitive information in a form
  - Error handler logs the sensitive info
  - Logs are readable by all IT staff for debugging, giving a malicious insider the opportunity to review it
• Recommendations
  - Use encryption, with rigorous key management
  - Require SSL (HTTPS) for services
Attacks: Cross-Site Request Forgery (CSRF)
• What
  - Victim's browser is tricked into issuing a command to a vulnerable web app
• Example
  - Attacker sets a trap on a web site or in an email: a hidden <img> tag contains the attack against the vulnerable site
  - While logged on to the vulnerable site, the victim views the attacker's site; the browser loads the <img> tag, sending a GET request (including the victim's cookies) to the vulnerable site
  - The vulnerable site sees a legitimate-looking request from the victim and performs the requested action
• Recommendations
  - Never change state on a GET request; require an unpredictable, session-bound anti-CSRF token on every state-changing request and reject requests without it (output encoding, the XSS fix, does not stop CSRF)
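An added example (not from the presentation, not Esri code) of the defence in Python: a synchronizer token computed as HMAC(secret, session id, nonce), so the server stores nothing per token and a token issued to another session fails to verify, plus a handler that refuses to act on GET at all, which is what defeats the <img> trick on the slide. The session store, the service list and the request dictionaries are constructed stand-ins for a real web framework; the secret would be loaded from protected configuration.

```python
"""Added example: session-bound anti-CSRF tokens and a state-changing handler
that rejects GET.  Not Esri code; the session/service stores are constructed."""
import hashlib
import hmac
import secrets

# Assumed: loaded from protected configuration in a real deployment.
CSRF_SECRET = secrets.token_bytes(32)

# Constructed session store (cookie value -> session) and a thing worth protecting.
SESSIONS = {"sid-victim": {"user": "victim"}, "sid-attacker": {"user": "attacker"}}
SERVICES = {"Parcels"}


def _mac(session_id, nonce):
    return hmac.new(CSRF_SECRET, ("%s:%s" % (session_id, nonce)).encode(),
                    hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Embed the result in the form the page serves; it is useless to any other session."""
    nonce = secrets.token_hex(8)
    return nonce + "." + _mac(session_id, nonce)


def verify_csrf_token(session_id, token):
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # Constant-time compare so an attacker cannot recover the MAC byte by byte.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def delete_service(request):
    """request = {"method", "cookies", "form"}; returns (status, message)."""
    session_id = request.get("cookies", {}).get("sid")
    if session_id not in SESSIONS:
        return 401, "login required"
    if request["method"] != "POST":
        # An <img> tag can only issue GET; refusing state changes on GET ends that attack.
        return 405, "state changes require POST"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        # A cross-site auto-submitted form carries the cookie but cannot carry the token.
        return 403, "missing or invalid CSRF token"
    name = request["form"].get("service")
    if name not in SERVICES:
        return 404, "no such service"
    SERVICES.discard(name)
    return 200, "deleted " + name


if __name__ == "__main__":
    img_tag_get = {"method": "GET", "cookies": {"sid": "sid-victim"}, "form": {"service": "Parcels"}}
    print(delete_service(img_tag_get))                       # (405, ...)
    good = issue_csrf_token("sid-victim")
    print(delete_service({"method": "POST", "cookies": {"sid": "sid-victim"},
                          "form": {"service": "Parcels", "csrf_token": good}}))   # (200, ...)
```

The order of the checks matters: authentication first, then method, then token, so that an unauthenticated probe learns nothing about token format and a stolen token from another session is rejected without touching the service list.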
Attacks: Using Components with Known Vulnerabilities
• What
  - Vulnerable components are common and can be identified and exploited with automated tools
• Example
  - Vulnerable framework library incorporated as part of a web application
  - Developer does not know the dependent component is being used, let alone its version
  - Results in application weaknesses such as injection, broken access control, XSS
• Recommendations
  - Incorporate automated checks for out-of-date libraries, such as the Maven Versions Plugin (mvn versions:display-dependency-updates)
  - Subscribe to the Trust.ArcGIS.com feed (coming soon) for security patch info
Attacks: Un-validated Redirects and Forwards
• What
  - A web application redirect builds its destination URL from user-supplied parameters that are not validated
• Example
  - Attacker sends the attack link to the victim by email or on a web page
  - Victim clicks the link containing the un-validated parameter and the app redirects the victim to the attacker's site, which installs malware on the victim's system
• Recommendations
  - Minimize the use of redirects and validate the target URL against an allow list of authorized sites
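What "validate the target URL" has to cover is less obvious than it sounds; the following added example (not from the presentation, not Esri code) is a Python validator for a next/redirect parameter that handles the usual bypasses: scheme-relative //host, backslashes that browsers treat as slashes, userinfo tricks such as https://good@evil, look-alike subdomains and non-http schemes. The host names in ALLOWED_HOSTS are assumed placeholders.

```python
"""Added example: allow-list validation of a redirect target.  Not Esri code;
host names are placeholders."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"maps.example.gov", "portal.example.gov"}
DEFAULT = "/"


def safe_redirect_target(next_url, default=DEFAULT):
    """Return next_url if it only leads to this app or an allowed host, else the default."""
    if not isinstance(next_url, str) or not next_url:
        return default
    # Browsers drop tabs/newlines inside URLs and treat backslash as slash, so validate
    # the form the browser will actually navigate to, not the raw parameter.
    candidate = (next_url.replace("\t", "").replace("\r", "").replace("\n", "")
                 .replace("\\", "/"))
    if "\x00" in candidate:
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:                       # e.g. malformed IPv6 brackets
        return default
    if not parts.scheme and not parts.netloc:
        # Local path: must be absolute ('/...') and not scheme-relative ('//evil').
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme != "https":
        return default                       # javascript:, data:, http:, or bare '//host'
    if parts.username is not None or parts.password is not None:
        return default                       # 'https://maps.example.gov@evil.example/'
    host = parts.hostname or ""              # lower-cased, port and brackets stripped
    return candidate if host in ALLOWED_HOSTS else default


if __name__ == "__main__":
    for url in ("/dashboard?x=1", "https://maps.example.gov/app", "//evil.example/",
                "/\\evil.example/", "https://maps.example.gov@evil.example/",
                "https://maps.example.gov.evil.example/", "javascript:alert(1)"):
        print("%-45r -> %s" % (url, safe_redirect_target(url)))
```

Where the application does not really need arbitrary destinations, the stronger fix is the slide's first clause: replace the parameter with an index into a server-side table of allowed targets and drop the URL parsing altogether.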
Attacks: Risk Factor Summary
Best Practices
Disable the primary site administrator
Using enterprise users? Recommend: disable the "Primary Site Administrator" (PSA) account, after making sure another account in your identity store holds the administrator role
It can be re-enabled with the PasswordReset utility in the installation's tools directory if you are locked out of ArcGIS Server
Worried about token sniffing?
How do tokens work? A token is a bearer credential: the client obtains it from generateToken and sends it with every request, so anyone who captures it on the wire can replay it until it expires
Recommend: use HTTPS and shorten the maximum token lifetimes
Disable Services Directory
What is the services directory? The browsable HTML view of the REST endpoint (/arcgis/rest/services) that lists every service, layer and field and lets a visitor build queries interactively; the REST API itself keeps working without it
Recommend: disable it on non-development machines
Limiting access to your web services
Which web applications (origins) can access your services?
Default: any. Recommend: specify the allowed web sites explicitly
Preventing Injection and Spying
• Use HTTPS for everything
• Don't use dynamic workspaces
• Upgrade to 10.2 or later
Infrastructure Settings
1. Firewall ports
2. Least privileges
3. Protect the config-store
Firewall ports

| Product | Port      | Purpose                  | Who accesses                 |
|---------|-----------|--------------------------|------------------------------|
| Server  | 6080      | Service access (HTTP)    | Web Adaptor or reverse proxy |
| Server  | 6443      | Encrypted access (HTTPS) | Web Adaptor or reverse proxy |
| Portal  | 7080      | Service access (HTTP)    | Web Adaptor or reverse proxy |
| Portal  | 7443      | Encrypted access (HTTPS) | Web Adaptor or reverse proxy |
| Server  | 4000-4003 | Internal communications  | Other machines in the site   |
Least privileges
• 10.0 and prior: the ArcGIS Server account had to be an administrator
• 10.1 and later: run with minimal privileges. Windows: run as a service under a dedicated, non-administrator account. Linux: use SELinux
Protect your config-store at all costs
The config-store and server directories must be secured: they hold the site's configuration, including its security settings and data connection information
Be paranoid: don't allow read access to anyone but the ArcGIS Server account
See: Securing Your ArcGIS for Server
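"Don't even allow read access" is easy to state and easy to lose after a restore or a copy. This added example (not from the presentation, not Esri code) is a Python audit for a Linux host that walks a config-store or server directory tree and reports anything with group/other permission bits, anything not owned by the expected account, and any symlink that leads out of the tree, plus a lock-down that strips the group/other bits. The sample tree it builds is constructed for the example; on Windows the equivalent check is an icacls review, since POSIX mode bits mean nothing there.

```python
"""Added example: permission audit of a config-store tree on Linux.  Not Esri code;
the sample tree is constructed and the service account is whoever runs the script."""
import os
import stat
import tempfile


def audit_tree(root, owner_uid=None):
    """Return [(path, problem)] findings; an empty list means nobody but the owner can read."""
    if os.name != "posix":
        raise NotImplementedError("mode bits are meaningful only on POSIX; use icacls on Windows")
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    root = os.path.abspath(root)
    findings = []

    def inspect(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            target = os.path.realpath(path)
            if not target.startswith(root + os.sep):
                findings.append((path, "symlink escapes the tree -> " + target))
            return
        if st.st_uid != owner_uid:
            findings.append((path, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((path, "group/other access: %04o" % mode))

    inspect(root)
    for dirpath, dirnames, filenames in os.walk(root):      # does not follow symlinks
        for name in dirnames + filenames:
            inspect(os.path.join(dirpath, name))
    return findings


def lock_down(root):
    """Strip group/other bits from every real file and directory under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if not os.path.islink(path):
                os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & 0o700)


def build_sample_tree():
    """Constructed stand-in for a config-store: one leaky directory, one leaky file,
    one correct file and one stray symlink pointing outside the tree."""
    root = tempfile.mkdtemp(prefix="config-store-")
    os.chmod(root, 0o700)
    sub = os.path.join(root, "security")
    os.mkdir(sub)
    os.chmod(sub, 0o750)                                    # group can list it
    leaky = os.path.join(sub, "tokens.json")
    with open(leaky, "w") as f:
        f.write("{}")
    os.chmod(leaky, 0o640)                                  # group can read it
    ok = os.path.join(root, "site.json")
    with open(ok, "w") as f:
        f.write("{}")
    os.chmod(ok, 0o600)
    os.symlink("/etc/hostname", os.path.join(root, "stray"))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, problem in audit_tree(sample):
        print(path, "-", problem)
    lock_down(sample)
    print("after lock_down:", audit_tree(sample))
```

Run the audit from a scheduled job rather than once: the permissions on these directories tend to drift when a site is backed up and restored, or when a second machine is joined to the site and the directories are moved to a share.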
Processes
Simple processes go a long way...
1. Monitor your logs
2. Review elevated privileges
3. Change SSL certs yearly
4. Change token key yearly
Monitor the logs
ArcGIS Server logs dodgy things...
• Bad password attempts
• Locked-out accounts
• Potential CSRF attacks and the originating IP
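Reading the logs is only useful if something turns the three signals above into alerts. The following added example (not from the presentation, not Esri code) triages a logs/query response in Python: it groups failed logins per user and source IP with a sliding window, lists lockouts, and pulls out CSRF rejections with their IP. The response shape (logMessages entries with type, message, time, source, machine, user) follows the Admin API as I understand it; the message texts and the regular expressions that match them are constructed for this example and must be adapted to the wording your server version actually emits.

```python
"""Added example: triage of an ArcGIS Server logs/query response.  Not Esri code;
message wording and the sample response are constructed."""
import re
from collections import defaultdict

# Adapt these patterns to the exact messages your server writes.
FAILED_LOGIN = re.compile(r"Failed to log in user '([^']+)'", re.IGNORECASE)
LOCKOUT = re.compile(r"account '([^']+)' (?:is|has been) locked", re.IGNORECASE)
CSRF = re.compile(r"CSRF", re.IGNORECASE)
CLIENT_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage(payload, window_ms=5 * 60 * 1000, threshold=5):
    """Return {"bruteforce": [(user, ip, total)], "lockouts": [(user, machine)],
    "csrf": [(ip, message)]} for one logs/query page."""
    attempts = defaultdict(list)                  # (user, ip) -> [epoch ms]
    lockouts, csrf = [], []
    for entry in payload.get("logMessages", []):
        msg = entry.get("message", "")
        ip_match = CLIENT_IP.search(msg)
        ip = ip_match.group(1) if ip_match else "?"
        m = FAILED_LOGIN.search(msg)
        if m:
            attempts[(m.group(1), ip)].append(int(entry["time"]))
            continue
        m = LOCKOUT.search(msg)
        if m:
            lockouts.append((m.group(1), entry.get("machine", "?")))
            continue
        if CSRF.search(msg):
            csrf.append((ip, msg))
    bruteforce = []
    for (user, ip), times in attempts.items():
        times.sort()
        start = 0                                 # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window_ms:
                start += 1
            if end - start + 1 >= threshold:
                bruteforce.append((user, ip, len(times)))
                break
    return {"bruteforce": sorted(bruteforce), "lockouts": lockouts, "csrf": csrf}


def sample_response():
    """Constructed sample in the shape of a logs/query page; not real server output."""
    base = 1_400_000_000_000

    def entry(offset_s, level, message, source="Admin"):
        return {"type": level, "message": message, "time": base + offset_s * 1000,
                "source": source, "machine": "GIS01", "user": "", "code": 0}

    msgs = [entry(i * 20, "WARNING",
                  "Failed to log in user 'admin' from 203.0.113.9. Invalid credentials.")
            for i in range(6)]
    msgs.append(entry(130, "WARNING",
                      "Failed to log in user 'jdoe' from 198.51.100.7. Invalid credentials."))
    msgs.append(entry(140, "SEVERE", "The account 'admin' has been locked after repeated failures."))
    msgs.append(entry(300, "WARNING",
                      "Potential CSRF attack rejected: request from 203.0.113.9 missing referer."))
    msgs.append(entry(400, "INFO", "Service 'Parcels' started.", source="Server"))
    return {"hasMore": False, "logMessages": msgs}


if __name__ == "__main__":
    print(triage(sample_response()))
```

logs/query returns one page at a time with a hasMore flag, so a real job loops on endTime and feeds each page through triage; keeping the window in milliseconds matches the time field the API uses.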
Review Elevated Privileges
• Admin API (10.2+): review the groups (roles) that hold publisher or administrator privileges
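Several of the recommendations in this deck (disable the PSA, shorten token lifetimes, disable the services directory, rotate the token key yearly, and the privilege review on this slide) are all single operations on the Administrator API. The script below is an added example (not from the presentation, not Esri code) that applies them in one pass from Python. The operation paths and parameter names (generateToken, security/psa/disable, system/handlers/rest/servicesdirectory/edit with servicesDirEnabled, security/tokens/update with tokenManagerConfig, security/roles/getRolesByPrivilege and security/roles/getUsersWithinRole) follow the public Admin API documentation as I understand it and should be checked against your server version; the host name, account names and shared key are placeholders. The builder functions are kept separate from the network call so the request shapes can be checked without a server.

```python
"""Added example: apply the deck's Admin API recommendations in one pass.
Not Esri code; endpoint names are from the public docs, values are placeholders."""
import json
import urllib.parse
import urllib.request


class AdminApiError(RuntimeError):
    pass


def build_request(admin_url, path, params, token=None):
    """(url, POST body) for an Admin API operation.  Refuses plain http so the password
    and token never cross the wire unencrypted; f=json and the token go in the body,
    not the query string, so they stay out of proxy and access logs."""
    if urllib.parse.urlsplit(admin_url).scheme != "https":
        raise ValueError("use the https endpoint (6443 or the Web Adaptor), not http")
    form = dict(params, f="json")
    if token:
        form["token"] = token
    url = admin_url.rstrip("/") + "/" + path.lstrip("/")
    return url, urllib.parse.urlencode(form).encode()


def check(payload):
    """The Admin API reports failures inside an HTTP 200 body."""
    if payload.get("status") == "error" or "error" in payload:
        raise AdminApiError(json.dumps(payload))
    return payload


def call(admin_url, path, params, token=None):
    url, body = build_request(admin_url, path, params, token)
    with urllib.request.urlopen(url, body, timeout=30) as resp:
        return check(json.loads(resp.read().decode("utf-8")))


def token_config(shared_key, short_minutes=30, long_minutes=240):
    """security/tokens/update payload: new shared key plus capped lifetimes (minutes);
    the defaults here are deliberately shorter than the product defaults."""
    if len(shared_key) < 16:
        raise ValueError("sharedKey must be at least 16 characters")
    return {"tokenManagerConfig": json.dumps({"type": "BUILTIN", "properties": {
        "sharedKey": shared_key,
        "shortTimeout": str(short_minutes),
        "longTimeout": str(long_minutes)}})}


def elevated_accounts(call_op):
    """call_op(path, params) -> payload.  Map (privilege, role) -> sorted user names for
    every role that can ADMINISTER or PUBLISH; review the result, not just the role list."""
    report = {}
    for privilege in ("ADMINISTER", "PUBLISH"):
        roles = call_op("security/roles/getRolesByPrivilege", {"privilege": privilege}).get("roles", [])
        for role in roles:
            users = call_op("security/roles/getUsersWithinRole",
                            {"rolename": role, "maxCount": 1000}).get("users", [])
            report[(privilege, role)] = sorted(u["username"] if isinstance(u, dict) else u
                                               for u in users)
    return report


def harden(admin_url, username, password, new_shared_key):
    """username must be an administrator from the identity store, not the PSA:
    the PSA is disabled below while this token is still in use."""
    tok = call(admin_url, "generateToken", {"username": username, "password": password,
                                            "client": "requestip", "expiration": 10})["token"]
    op = lambda path, params: call(admin_url, path, params, tok)
    report = elevated_accounts(op)
    op("system/handlers/rest/servicesdirectory/edit", {"servicesDirEnabled": "false"})
    op("security/psa/disable", {})
    # Last: rotating the shared key invalidates every outstanding token, ours included.
    op("security/tokens/update", token_config(new_shared_key))
    return report


if __name__ == "__main__":
    print(harden("https://gis.example.gov:6443/arcgis/admin", "siteadmin", "s3cret",
                 "rotate-me-every-year-0000"))
```

Two caveats worth repeating from the deck: run this against the 6443 port or an HTTPS Web Adaptor with administrative access enabled only on the internal side, and schedule the key rotation for a maintenance window, because every client and the Web Adaptor itself will have to obtain fresh tokens afterwards.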