ArcGIS Server Security Threats & Best Practices 2014
TRANSCRIPT
David Cordes, Michael Young
Agenda
• Introduction
• Threats
• Best practice
- ArcGIS Server settings
- Infrastructure settings
- Processes
• Summary
Introduction
Application Security Risks
* OWASP Top 10 - 2013
Threats
Standardized Vulnerability Ranking
• Common Vulnerability Scoring System (CVSS)
- Open and standardized method for rating IT vulnerabilities
- Overall score based on input from 3 scores
- Base
- Temporal
- Environmental
Threats
Calculate Your Vulnerability Risk
• NIST online calculator for calculating vulnerability risk
http://nvd.nist.gov/cvss.cfm?calculator&version=2
Attacks
Injection
• What
- Tricking an application into including unintended commands in the data sent to an interpreter
• Example
- Attacker sends attack in form data, such as ' or 1=1
- Application forwards attack to database in a SQL query
- Database runs modified query containing attack and sends results to app
• Recommendations
- Utilize standardized queries added in 10.2+
- Minimize database privileges to reduce impact
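The injection example above worked through in Python, with sqlite3 standing in for the database (an added example, not code from the presentation; the parcels table and the form input are constructed). The string-built query lets the input rewrite the WHERE clause and returns rows the restricted filter should have hidden; the standardized (parameterized) query binds the same text as a plain value.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a feature attribute table
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parcels (id INTEGER, owner TEXT, restricted INTEGER)")
    con.executemany("INSERT INTO parcels VALUES (?, ?, ?)",
                    [(1, "alice", 0), (2, "bob", 1), (3, "carol", 1)])
    return con

def vulnerable_lookup(con, owner):
    # String concatenation: whatever arrives in the form field is pasted into
    # the SQL text, so a quote and a comment marker in it change the query
    sql = ("SELECT id FROM parcels WHERE owner = '" + owner +
           "' AND restricted = 0")
    return sorted(row[0] for row in con.execute(sql))

def safe_lookup(con, owner):
    # Standardized (parameterized) query: the driver binds the value, it is
    # never parsed as SQL, so the same text simply matches no owner
    sql = "SELECT id FROM parcels WHERE owner = ? AND restricted = 0"
    return sorted(row[0] for row in con.execute(sql, (owner,)))

if __name__ == "__main__":
    con = make_db()
    form_input = "' OR 1=1 --"   # constructed input of the kind the slide shows
    print("normal:", vulnerable_lookup(con, "alice"), safe_lookup(con, "alice"))
    print("attack:", vulnerable_lookup(con, form_input), safe_lookup(con, form_input))
```

The second recommendation is visible in the output too: even the vulnerable query can only disclose what the database account is allowed to read, which is why minimizing its privileges limits the impact.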
Attacks
Cross-Site Scripting (XSS)
• What
- Raw data from attacker is sent to an innocent user's browser
• Example
- Attacker sets trap by entering a malicious script into a web page that stores the data on the server
- Victim views the page and the script runs inside the victim's browser with full access to the DOM and cookies
- Script silently sends attacker victim's session cookie
• Recommendations
- Don't include user supplied input in the output page
- Ensure any ArcGIS Server security patches are applied
Attacks
Security Misconfiguration
• What
- Web applications rely on a secure foundation from OS up through Application Server
• Example
- Install backdoor through missing OS or server patch
- Accidentally exposing ArcGIS Admin and Manager interfaces to Internet
• Recommendations
- Ensure security patches in place, e.g. OpenSSL/Heartbleed
- Utilize the ArcGIS Web Adaptor
- Server hardening guide coming
Attacks
Sensitive Data Exposure
• What
- Storing and transmitting sensitive data insecurely
• Example
- Victim enters sensitive information in a form
- Error handler logs sensitive info
- Logs accessible to all IT staff for debugging purposes, providing opportunity for malicious insider to review sensitive info
• Recommendations
- Utilize encryption and ensure rigorous key management
- Require SSL for services
Attacks
Cross-Site Request Forgery (CSRF)
• What
- Victim's browser is tricked into issuing a command to a vulnerable web app
• Example
- Attacker sets trap on a website or email: hidden <img> tag contains attack against vulnerable site
- While logged onto vulnerable site, victim views attacker's site where the <img> tag is loaded by browser, sending GET request (including credentials) to vulnerable site
- Vulnerable site sees legitimate request from victim and performs the action requested
• Recommendations
- Properly encode all input on the way out.
Attacks
Using Components with Known Vulnerabilities
• What
- Vulnerable components are common and can be identified and exploited with automated tools
• Example
- Vulnerable framework library incorporated as part of web application
- Developer does not know the dependent component is being used, let alone its version
- Results in application weakness such as injection, broken access control, XSS
• Recommendations
- Incorporate automated checks for libraries being out of date, such as Maven Versions Plugin
- Subscribe to Trust.ArcGIS.com feed soon for security patch info
Attacks
Un-validated Redirects and Forwards
• What
- Web application redirect includes user supplied parameters in the destination URL that are not validated
• Example
- Attacker sends attack to victim's email/webpage
- Victim clicks link containing un-validated parameter and app redirects victim to attacker's site. Attacker's site installs malware on victim system
• Recommendations
- Minimize use of redirects and validate target URL to ensure authorized external site
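One way to apply the recommendation above: a redirect parameter is only honoured if it is a same-site path or an absolute http(s) URL whose real host is on an allowlist. This is an added example, not the presentation's or Esri's code; the allowlist hosts are constructed. It also covers the usual bypass shapes a validator must reject (scheme-relative //host, userinfo before an @, look-alike subdomains, non-http schemes).

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts a redirect is permitted to send the user to
ALLOWED_HOSTS = {"gis.example.com", "maps.example.com"}

def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if `target` is a same-site path or an absolute http(s) URL
    whose real host is on the allowlist."""
    if not target or "\\" in target:
        # Browsers treat a backslash like a slash, so "/\evil" is not same-site
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative URL: accept a single leading slash, reject "//host" forms
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        # Scheme-relative "//host" and javascript:/data: URLs all end up here
        return False
    # .hostname drops userinfo ("good@evil") and the port, and lowercases, so
    # the whole host is compared: "gis.example.com.evil.net" is not a match
    return parts.hostname in allowed_hosts

def redirect_target(requested, fallback="/"):
    """Resolve a user-supplied redirect parameter to a safe destination."""
    return requested if is_safe_redirect(requested) else fallback

if __name__ == "__main__":
    for candidate in ("/rest/services", "https://GIS.example.com/home",
                      "//evil.example.net/", "https://gis.example.com@evil.example.net/",
                      "https://gis.example.com.evil.example.net/", "javascript:alert(1)"):
        print(f"{candidate!r:55} -> {redirect_target(candidate)}")
```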
Attacks
Risk Factor Summary
Best Practices
Disable the primary site administrator
Enterprise users?
Recommend: Disable the "Primary Site Administrator" (PSA) account
Can be re-enabled if locked out of ArcGIS Server
Worried about token sniffing?
How do tokens work?
Recommend: Use https and shorten the max token times…
Disable Services Directory
What is services directory?
Recommend: Disable on non-development machines
Limiting access to your web services
Which web apps can access your services?
Default: Any
Recommend: Specify
Preventing Injection and Spying
Use HTTPS for everything
Don't use dynamic workspaces
Upgrade to 10.2 or later
Infrastructure Settings
1. Firewall Ports
2. Least privileges
3. Protect the config-store
Firewall ports
Product  Port       Purpose                  Who Accesses
Server   6080       Service Access           Web Adaptor or Reverse Proxy
Server   6443       Encrypted Access         Web Adaptor or Reverse Proxy
Portal   7080       Service Access           Web Adaptor or Reverse Proxy
Portal   7443       Encrypted Access         Web Adaptor or Reverse Proxy
Server   4000-4003  Internal communications  Other machines in site
Least privileges
10.0 and prior: admin required
10.1 and later: minimal privileges
Windows: run as a service
Linux: use SELinux
Protect your config-store at all costs
config-store and directories must be secured
Be paranoid: don't even allow read access
Securing Your ArcGIS for Server
Processes
Simple processes go a long way...
1. Monitor your logs
2. Review elevated privileges
3. Change SSL certs yearly
4. Change token key yearly
Monitor the logs
ArcGIS Server logs dodgy things...
Bad password attempts
Locked out accounts
Potential CSRF attacks and IP
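A small detection pass over the kinds of entries the slide lists (an added example, not part of the presentation). The records are constructed: their field names assume the shape of the Admin API logs/query response, and the message wording is invented, so the regular expression would need adapting to the real log text. It raises one alert when a user accumulates repeated failed logins inside a sliding window, and separately surfaces lockout and CSRF messages.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log records; field names assumed from the Admin API logs/query
# response shape, message texts made up for illustration.
SAMPLE_LOGS = [
    {"time": "2014-06-10T09:00:01", "type": "WARNING", "source": "Admin",
     "message": "Login failed for user 'publisher1' from 203.0.113.7"},
    {"time": "2014-06-10T09:00:20", "type": "WARNING", "source": "Admin",
     "message": "Login failed for user 'publisher1' from 203.0.113.7"},
    {"time": "2014-06-10T09:00:45", "type": "WARNING", "source": "Admin",
     "message": "Login failed for user 'publisher1' from 203.0.113.7"},
    {"time": "2014-06-10T09:01:02", "type": "WARNING", "source": "Admin",
     "message": "Login failed for user 'editor2' from 198.51.100.5"},
    {"time": "2014-06-10T09:01:10", "type": "SEVERE", "source": "Admin",
     "message": "User 'publisher1' has been locked out."},
    {"time": "2014-06-10T10:30:00", "type": "WARNING", "source": "Rest",
     "message": "Potential CSRF attack detected from 192.0.2.44: Referer mismatch."},
]

FAILED_LOGIN = re.compile(r"Login failed for user '([^']+)' from (\S+)")

def detect_password_guessing(records, threshold=3, window=timedelta(minutes=5)):
    """Return (user, ip, time) once a user reaches `threshold` failed logins
    inside a sliding `window`: one alert per burst, not one per failure."""
    recent = defaultdict(deque)
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        m = FAILED_LOGIN.search(rec.get("message", ""))
        if not m:
            continue
        user, ip = m.groups()
        t = datetime.fromisoformat(rec["time"])
        q = recent[user]
        q.append(t)
        while t - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((user, ip, rec["time"]))
    return alerts

def flag_keywords(records, keywords=("locked out", "csrf")):
    """Return the records whose message mentions a lockout or a CSRF warning."""
    return [r for r in records
            if any(k in r.get("message", "").lower() for k in keywords)]
```

In practice the records would come from a scheduled query against the Admin API rather than an inline list, and the threshold and window should be tuned to the site's normal failure rate.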
Review Elevated Privileges
Admin API (10.2+)
Review groups with publisher, administrator privileges