ArcGIS Server
Security Threats & Best Practices 2014
• Introduction
• Threats
• Best practice
  - ArcGIS Server settings
  - Infrastructure settings
  - Processes
• Summary
Introduction
Application Security Risks
Threats
Standardized Vulnerability Ranking
• Common Vulnerability Scoring System (CVSS)
  - Open and standardized method for rating IT vulnerabilities
  - Overall score based on input from 3 scores
    - Base
    - Temporal
Threats
Calculate Your Vulnerability Risk
• NIST online calculator for calculating vulnerability risk
Attacks
Injection
• What
  - Tricking an application into including unintended commands in the data sent to an interpreter
• Example
  - Attacker sends attack in form data, such as ' or 1=1
  - Application forwards attack to database in a SQL query
  - Database runs modified query containing attack and sends results to app
• Recommendations
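The three example steps above, as an added Python example (not code from the deck or from Esri): the vulnerable function builds the SQL string from the form value, so the slide's ' or 1=1 payload rewrites the query; the safe function passes the value as a bound parameter and the database never interprets it as SQL. The users table and its rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory SQLite table standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "viewer"), ("bob", "editor"), ("carol", "admin")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Step 2 of the slide: the form value is concatenated into the query, so it becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Recommended form: a parameterized query. The driver sends the value separately from the SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # The slide's payload, with a SQL comment marker so the query's closing quote is swallowed.
    payload = "' or 1=1 --"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row comes back
    print("safe:      ", find_user_safe(db, payload))        # no user has that literal name
```

The vulnerable query becomes `SELECT name, role FROM users WHERE name = '' or 1=1 --'`, which matches every row; the parameterized version compares the column against the literal string and returns nothing.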
Attacks
Cross-Site Scripting (XSS)
• What
  - Raw data from attacker is sent to an innocent user’s browser
• Example
  - Attacker sets trap by entering a malicious script into a web page that stores the data on the server
  - Victim views the page and the script runs inside the victim’s browser with full access to the DOM and cookies
  - Script silently sends attacker victim’s session cookie
• Recommendations
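Two defences for the stored-XSS scenario above, as an added Python example that is not part of the deck: output-encode stored data before it reaches the browser (so the stored script renders as text instead of running), and mark the session cookie HttpOnly and Secure so a script that does run cannot read it from the DOM. The stored comment string is a constructed sample.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a comment as an attacker might store it in the page (step 1 of the slide).
STORED_COMMENT = "<script>alert(document.cookie)</script>"


def render_comment_vulnerable(comment):
    """Interpolates the raw stored data into the page: the browser parses and executes the markup."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment):
    """HTML-encodes the stored data, so '<script>' becomes '&lt;script&gt;' and is displayed as text."""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def session_cookie_header(session_id):
    """Set-Cookie value for the session: HttpOnly keeps it out of document.cookie, Secure keeps it on HTTPS."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print(render_comment_vulnerable(STORED_COMMENT))
    print(render_comment_safe(STORED_COMMENT))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Encoding belongs at the point of output, not at storage time, because the same data may later be emitted into a different context (a JavaScript string, an attribute) that needs a different encoding.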
Attacks
Security Misconfiguration
• What
  - Web applications rely on a secure foundation from OS up through Application Server
• Example
  - Install backdoor through missing OS or server patch
  - Accidentally exposing ArcGIS Admin and Manager interfaces to Internet
• Recommendations
  - Ensure security patches in place – e.g. OpenSSL/Heartbleed
  - Utilize the ArcGIS Web Adaptor
Attacks
Sensitive Data Exposure
• What
  - Storing and transmitting sensitive data insecurely
• Example
  - Victim enters sensitive information in a form
  - Error handler logs sensitive info
  - Logs accessible to all IT staff for debugging purposes, providing opportunity for malicious insider to review sensitive info
• Recommendations
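The failing step in the example above is the error handler that writes the submitted form into a log that many people can read. As an added Python example (not from the deck), the error handler below masks sensitive form fields before logging, and a logging filter scrubs SSN-shaped values out of any message that reaches a handler, so free-text exception messages are covered too. The field names and the sample form are constructed.

```python
import logging
import re

# Form field names that must never be written to a log (constructed list; extend for your forms).
SENSITIVE_KEYS = {"password", "passwd", "token", "ssn", "credit_card"}
# Values that look like a US social security number, wherever they appear in a message.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact_form(form):
    """Return a copy of the submitted form with sensitive fields masked."""
    return {k: ("***" if k.lower() in SENSITIVE_KEYS else v) for k, v in form.items()}


def redact_text(text):
    """Mask SSN-shaped values inside free text, e.g. an exception message that echoed user input."""
    return SSN_RE.sub("***-**-****", text)


class RedactingFilter(logging.Filter):
    """Scrubs the fully rendered message before any handler writes it, as a last line of defence."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is already rendered; drop args so it is not formatted again
        return True


def handle_form_error(form, exc, logger):
    """Error handler done right: log the redacted form, never the raw submission."""
    logger.error("form submission failed: %s form=%s", exc, redact_form(form))


if __name__ == "__main__":
    log = logging.getLogger("demo")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    # Constructed sample submission.
    sample_form = {"user": "alice", "password": "hunter2", "ssn": "123-45-6789"}
    handle_form_error(sample_form, ValueError("ssn 123-45-6789 not accepted"), log)
```

The filter sits on the handler rather than the logger so it also catches records propagated from child loggers in other modules.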
Attacks
Cross-Site Request Forgery (CSRF)
• What
  - Victim’s browser is tricked into issuing a command to a vulnerable web app
• Example
  - Attacker sets trap on a website or email – hidden <img> tag contains attack against vulnerable site
  - While logged onto vulnerable site, victim views attacker’s site where the <img> tag is loaded by browser, sending GET request (including credentials) to vulnerable site
  - Vulnerable site sees legitimate request from victim and performs the action requested
• Recommendations
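The request in the example above succeeds because the browser attaches the victim's credentials automatically and the site treats any request carrying them as legitimate. The added Python example below (not from the deck) shows the two server-side checks that break the chain: state-changing actions are accepted only as POST with a per-session synchronizer token that an <img> tag cannot supply, and the Origin/Referer header is checked as defence in depth. The session dict and header dicts are constructed stand-ins for a web framework's objects.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create a random per-session token, keep it server side, and return it for the form's hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, request_method, submitted_token):
    """Accept a state-changing request only if it is a POST carrying the session's token."""
    if request_method != "POST":
        return False  # a GET triggered by an <img> tag must never change state
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False  # forged requests cannot read the token out of the victim's session
    return hmac.compare_digest(expected, submitted_token)  # constant-time comparison


def origin_allowed(headers, site_origin):
    """Defence in depth: a browser-sent Origin (or Referer) must belong to our own site."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    return origin == site_origin or origin.startswith(site_origin + "/")


if __name__ == "__main__":
    session = {}                     # constructed: stands in for the server-side session store
    token = issue_csrf_token(session)
    site = "https://maps.example"    # constructed site origin
    # The slide's scenario: a GET from an <img> tag on the attacker's page, with no token.
    print("img-tag GET accepted:", verify_csrf(session, "GET", None)
          and origin_allowed({"Referer": "https://attacker.example/trap"}, site))
    # A real form submission from our own page.
    print("form POST accepted:", verify_csrf(session, "POST", token)
          and origin_allowed({"Origin": site}, site))
```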
Attacks
Using Components with Known Vulnerabilities
• What
  - Vulnerable components are common and can be identified and exploited with automated tools
• Example
  - Vulnerable framework library incorporated as part of web application
  - Developer does not know dependent component being used, let alone the version
  - Results in application weakness such as injection, broken access control, XSS
• Recommendations
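The remedy for the example above starts with an inventory: know every dependent component and its version, then compare that list against published advisories. The added Python example below (not from the deck) parses a pip-freeze-style manifest and flags components older than an advisory's fixed version, and also flags any component whose version is unknown, since that is exactly the "let alone the version" case. The manifest, component names and advisory identifiers are all constructed; a real check reads advisories from a vulnerability feed.

```python
# Constructed advisory data for illustration only; real entries come from a vulnerability feed.
ADVISORIES = [
    {"name": "examplejs", "fixed_in": "1.4.2", "id": "EXAMPLE-ADVISORY-1"},
    {"name": "widgetlib", "fixed_in": "2.0.0", "id": "EXAMPLE-ADVISORY-2"},
]

# Constructed sample inventory in 'name==version' form; one entry has no version recorded.
SAMPLE_MANIFEST = """
# components bundled with the web application
examplejs==1.3.9
widgetlib==2.1.0
maplib
"""


def parse_version(version):
    """Dotted numeric versions only ('1.4.2'); pre-release suffixes are deliberately not handled here."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Map component name -> version string ('' when the manifest does not record one)."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return findings for components below an advisory's fixed version or with no version at all."""
    by_name = {adv["name"]: adv for adv in advisories}
    findings = []
    for name, version in sorted(deps.items()):
        if not version:
            findings.append({"name": name, "version": None, "reason": "version unknown"})
            continue
        adv = by_name.get(name)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append({"name": name, "version": version, "reason": adv["id"]})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(parse_manifest(SAMPLE_MANIFEST)):
        print(finding)
```

Running this in the build pipeline, rather than by hand, keeps the inventory current every time a dependency changes.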
Attacks
Un-validated Redirects and Forwards
• What
  - Web application redirect includes user-supplied parameters in the destination URL that are not validated
• Example
  - Attacker sends attack to victim’s email/webpage
  - Victim clicks link containing un-validated parameter and app redirects victim to attacker’s site. Attacker’s site installs malware on victim system
• Recommendations
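The redirect in the example above is dangerous because the destination comes straight from a request parameter. The added Python example below (not from the deck) validates such a parameter before redirecting: it keeps only targets on the application's own host and falls back to a safe default for absolute URLs to other hosts, scheme-relative URLs (//host), backslash variants that browsers treat as slashes, userinfo tricks (host@other), and non-HTTP schemes such as javascript:. The host name and sample values are constructed.

```python
from urllib.parse import urlparse


def safe_redirect_target(next_param, site_host, fallback="/"):
    """Return next_param only if it stays on site_host; otherwise return fallback."""
    if not next_param:
        return fallback
    # Browsers treat backslashes as slashes, so "/\evil.example" is really "//evil.example".
    candidate = next_param.replace("\\", "/")
    if candidate.startswith("//"):
        return fallback  # scheme-relative URL: the browser would leave our host
    parsed = urlparse(candidate)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return fallback  # javascript:, data: and similar
    if parsed.hostname is not None:
        # Absolute URL: hostname strips userinfo and port, so "ours@evil" resolves to "evil".
        return candidate if parsed.hostname == site_host.lower() else fallback
    if parsed.scheme or not candidate.startswith("/"):
        return fallback  # "https:evil" or a bare "evil.example" style value; require a leading slash
    return candidate


if __name__ == "__main__":
    site = "maps.example"  # constructed application host
    for value in ["/app/viewer?id=3", "https://maps.example/app", "https://attacker.example/",
                  "//attacker.example", "/\\attacker.example", "javascript:alert(1)",
                  "https://maps.example@attacker.example/", ""]:
        print(repr(value), "->", safe_redirect_target(value, site))
```

An allow-list of named destinations (a parameter such as `page=viewer` mapped server side to a URL) removes the need for URL parsing altogether and is the stronger option where the set of destinations is known.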
Attacks
Disable the primary site administrator
Enterprise users? Recommend: Disable the “Primary Site Administrator” (PSA) account
Worried about token sniffing?
How do tokens work?
Disable Services Directory
What is services directory?
Limiting access to your web services
Which web apps can access your services?
Default: Any
Preventing Injection and Spying
Use HTTPS for everything
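The four ArcGIS Server settings just listed (PSA account, token sniffing and HTTPS, services directory, which web apps may access the services) can all be read from the ArcGIS Server Administrator API, so they can be audited by script. The Python example below is added here and is not code from the deck or from Esri. It assumes the admin resources generateToken, security/psa, security/config and system/handlers/rest/servicesdirectory under /arcgis/admin, and assumes the response fields disabled, protocol, servicesDirEnabled and allowedOrigins; check those names against the Administrator API reference for your version. The audit logic is separated from the HTTP calls so it can be exercised on constructed sample responses without a server.

```python
import json
import urllib.parse
import urllib.request

# Assumed Administrator API resource paths (relative to https://<host>/arcgis/admin).
PSA_RESOURCE = "security/psa"
SECURITY_CONFIG_RESOURCE = "security/config"
SERVICES_DIR_RESOURCE = "system/handlers/rest/servicesdirectory"


def get_token(admin_url, username, password):
    """Exchange site-administrator credentials for a token at generateToken (assumed parameters)."""
    data = urllib.parse.urlencode({"username": username, "password": password,
                                   "client": "requestip", "f": "json"}).encode()
    with urllib.request.urlopen(admin_url + "/generateToken", data) as resp:
        return json.load(resp)["token"]


def get_resource(admin_url, resource, token):
    """Fetch one admin resource as JSON; admin_url must be https so the token is not sent in clear."""
    query = urllib.parse.urlencode({"token": token, "f": "json"})
    with urllib.request.urlopen("%s/%s?%s" % (admin_url, resource, query)) as resp:
        return json.load(resp)


def audit(psa, security_config, services_dir):
    """Compare the three resources with the slides' recommendations; return a list of findings."""
    findings = []
    if not psa.get("disabled", False):
        findings.append("primary site administrator account is enabled")
    protocol = security_config.get("protocol", "HTTP")  # assumed values: HTTP, HTTPS, HTTP_AND_HTTPS
    if protocol != "HTTPS":
        findings.append("site accepts unencrypted traffic (protocol=%s): tokens can be sniffed" % protocol)
    if services_dir.get("servicesDirEnabled", True):
        findings.append("services directory is enabled")
    origins = str(services_dir.get("allowedOrigins", "*")).strip()
    if origins in ("", "*"):
        findings.append("allowedOrigins is unrestricted: any web app can access the services")
    return findings


def audit_site(admin_url, username, password):
    """Live audit: fetch the three resources and evaluate them."""
    token = get_token(admin_url, username, password)
    return audit(get_resource(admin_url, PSA_RESOURCE, token),
                 get_resource(admin_url, SECURITY_CONFIG_RESOURCE, token),
                 get_resource(admin_url, SERVICES_DIR_RESOURCE, token))


if __name__ == "__main__":
    # Constructed sample responses showing a site left at defaults; no server is contacted.
    sample_psa = {"disabled": False}
    sample_security = {"protocol": "HTTP_AND_HTTPS"}
    sample_services_dir = {"servicesDirEnabled": True, "allowedOrigins": "*"}
    for finding in audit(sample_psa, sample_security, sample_services_dir):
        print("FINDING:", finding)
```

Run `audit_site("https://<host>/arcgis/admin", user, password)` against a real site; an empty list means all four recommendations are in place.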
Infrastructure Settings
1. Firewall Ports
2. Least privileges
Firewall ports
Product   Port        Purpose                   Who Accesses
Server    6080        Service Access            Web Adaptor or Reverse Proxy
Server    6443        Encrypted Access          Web Adaptor or Reverse Proxy
Portal    7080        Service Access            Web Adaptor or Reverse Proxy
Portal    7443        Encrypted Access          Web Adaptor or Reverse Proxy
Server    4000-4003   Internal communications