ArcGIS Server Security Threats & Best Practices 2014

David Cordes, Michael Young


Post on 14-Feb-2017




Agenda

• Introduction
• Threats
• Best practice
  - ArcGIS Server settings
  - Infrastructure settings
  - Processes
• Summary


Introduction: Application Security Risks

* OWASP Top 10 - 2013


Threats: Standardized Vulnerability Ranking

• Common Vulnerability Scoring System (CVSS)
  - Open and standardized method for rating IT vulnerabilities
  - Overall score based on input from 3 scores
    - Base
    - Temporal
    - Environmental


Threats: Calculate Your Vulnerability Risk

• NIST online calculator for calculating vulnerability risk

http://nvd.nist.gov/cvss.cfm?calculator&version=2


Attacks: Injection

• What
  - Tricking an application into including unintended commands in the data sent to an interpreter

• Example
  - Attacker sends attack in form data, such as ' or 1=1
  - Application forwards attack to database in a SQL query
  - Database runs modified query containing attack and sends results to app

• Recommendations
  - Utilize standardized queries added in 10.2+
  - Minimize database privileges to reduce impact


Attacks: Cross-Site Scripting (XSS)

• What
  - Raw data from attacker is sent to an innocent user’s browser

• Example
  - Attacker sets trap by entering a malicious script into a web page that stores the data on the server
  - Victim views the page and the script runs inside the victim’s browser with full access to the DOM and cookies
  - Script silently sends attacker victim’s session cookie

• Recommendations
  - Don’t include user supplied input in the output page
  - Ensure any ArcGIS Server security patches are applied


Attacks: Security Misconfiguration

• What
  - Web applications rely on a secure foundation from OS up through Application Server

• Example
  - Install backdoor through missing OS or server patch
  - Accidentally exposing ArcGIS Admin and Manager interfaces to Internet

• Recommendations
  - Ensure security patches in place – e.g. OpenSSL/Heartbleed
  - Utilize the ArcGIS Web Adaptor
  - Server hardening guide coming


Attacks: Sensitive Data Exposure

• What
  - Storing and transmitting sensitive data insecurely

• Example
  - Victim enters sensitive information in a form
  - Error handler logs sensitive info
  - Logs accessible to all IT staff for debugging purposes providing opportunity for malicious insider to review sensitive info

• Recommendations
  - Utilize encryption and ensure rigorous key management
  - Require SSL for services


Attacks: Cross-Site Request Forgery (CSRF)

• What
  - Victim’s browser is tricked into issuing a command to a vulnerable web app

• Example
  - Attacker sets trap on a website or email – Hidden <img> tag contains attack against vulnerable site
  - While logged onto vulnerable site, victim views attacker’s site where the <img> tag is loaded by browser, sending GET request (including credentials) to vulnerable site
  - Vulnerable site sees legitimate request from victim and performs the action requested

• Recommendations
  - Properly encode all input on the way out.


Attacks: Using Components with Known Vulnerabilities

• What
  - Vulnerable components are common and can be identified and exploited with automated tools

• Example
  - Vulnerable framework library incorporated as part of web application
  - Developer does not know dependent component being used, let alone the version
  - Results in application weakness such as injection, broken access control, XSS

• Recommendations
  - Incorporate automated checks for libraries being out of date, such as Maven Versions Plugin
  - Subscribe to Trust.ArcGIS.com feed soon for security patch info


Attacks: Un-validated Redirects and Forwards

• What
  - Web application redirect includes user supplied parameters in the destination URL and are not validated

• Example
  - Attacker sends attack to victim’s email/webpage
  - Victim clicks link containing un-validated parameter and app redirects victim to attacker’s site. Attacker’s site installs malware on victim system

• Recommendations
  - Minimize use of redirects and validate target URL to ensure authorized external site
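
One way to validate a redirect target as the recommendation above asks, shown as an added example that is not part of the original slides. The allowlisted host names and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): hosts this application may redirect to.
ALLOWED_REDIRECT_HOSTS = {"gis.example.com", "portal.example.com"}
DEFAULT_TARGET = "/"

def safe_redirect_target(target):
    """Return target if it is a local path or an allowlisted https URL,
    otherwise fall back to DEFAULT_TARGET."""
    if not target or target != target.strip():
        return DEFAULT_TARGET
    if any(c in target for c in "\\\r\n\t"):
        return DEFAULT_TARGET       # browsers and parsers disagree on these characters
    try:
        parts = urlsplit(target)
    except ValueError:              # malformed authority, e.g. unbalanced IPv6 brackets
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path with a single leading slash.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return DEFAULT_TARGET
    if parts.scheme != "https":
        return DEFAULT_TARGET       # rejects http:, javascript:, data: and scheme-relative //host
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET       # userinfo can disguise the real host
    if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return DEFAULT_TARGET       # exact match only, so look-alike subdomains fail
    return target
```

Matching on the parsed host name rather than on a prefix or substring of the raw URL is what makes the look-alike and userinfo cases fail closed.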


Attacks: Risk Factor Summary


Best Practices


Disable the primary site administrator

Enterprise users?

Recommend: Disable the “Primary Site Administrator” (PSA) account

Can be re-enabled if locked out of ArcGIS Server


Worried about token sniffing?

How do tokens work?

Recommend: Use https and shorten the max token times…


Disable Services Directory

What is the Services Directory?

Recommend: Disable on non-development machines


Limiting access to your web services

Which web apps can access your services?

Default: Any

Recommend: Specify


Preventing Injection and Spying

Use HTTPS for everything

Don’t use dynamic work spaces

Upgrade to 10.2 or later


Infrastructure Settings


Infrastructure Settings

1. Firewall Ports
2. Least privileges
3. Protect the config-store


Firewall ports

Product  Port       Purpose                  Who Accesses
Server   6080       Service Access           Web Adaptor or Reverse Proxy
Server   6443       Encrypted Access         Web Adaptor or Reverse Proxy
Portal   7080       Service Access           Web Adaptor or Reverse Proxy
Portal   7443       Encrypted Access         Web Adaptor or Reverse Proxy
Server   4000-4003  Internal communications  Other machines in site
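
A check of inbound firewall rules against the port table above, as an added example that is not part of the original slides. The rule format, the addresses of the Web Adaptor/reverse proxy and site machines, and the sample rules are all constructed assumptions.

```python
import ipaddress

# From the slide's table: port range -> the role that should reach it.
PORT_POLICY = [
    (range(6080, 6081), "proxy"),   # Server, service access
    (range(6443, 6444), "proxy"),   # Server, encrypted access
    (range(7080, 7081), "proxy"),   # Portal, service access
    (range(7443, 7444), "proxy"),   # Portal, encrypted access
    (range(4000, 4004), "site"),    # Server internal communications
]
# Constructed addresses (assumptions): Web Adaptor / reverse proxy host and site machines.
ALLOWED_SOURCES = {
    "proxy": [ipaddress.ip_network("10.0.1.10/32")],
    "site": [ipaddress.ip_network("10.0.2.0/28")],
}

def audit_rules(rules):
    """rules: iterable of (source_cidr, first_port, last_port) inbound ALLOW rules.
    Returns (source, first_exposed, last_exposed, role) for every rule that opens
    an ArcGIS port to a source wider than the role the table assigns to it."""
    findings = []
    for source, first, last in rules:
        src = ipaddress.ip_network(source)
        for ports, role in PORT_POLICY:
            exposed = [p for p in ports if first <= p <= last]
            if not exposed:
                continue
            if not any(src.subnet_of(net) for net in ALLOWED_SOURCES[role]):
                findings.append((source, exposed[0], exposed[-1], role))
    return findings

SAMPLE_RULES = [                      # constructed firewall rules
    ("10.0.1.10/32", 6443, 6443),     # proxy -> Server HTTPS: matches the table
    ("0.0.0.0/0", 6080, 6080),        # any source -> Server HTTP: finding
    ("10.0.2.0/28", 4000, 4003),      # site machines -> internal ports: matches
    ("10.0.0.0/8", 1, 65535),         # broad internal rule: finding on every policy row
]
```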


Least privileges

10.0 and prior – admin required

10.1 and later – minimal privileges

Windows - run as a service.

Linux – use SELinux


Protect your config-store at all costs

config-store and directories must be secured

Be paranoid – don’t even allow read access

Securing Your ArcGIS for Server


Processes


Simple processes go a long way….

1. Monitor your logs
2. Review elevated privileges
3. Change SSL certs yearly
4. Change token key yearly


Monitor the logs

ArcGIS Server logs dodgy things….

Bad password attempts

Locked out accounts

Potential CSRF attacks and IP


Review Elevated Privileges

Admin API (10.2+)

Review groups with publisher, administrator privileges
