The ArcGIS Enterprise portal includes a Python script, portalScan.py, that scans a portal for common security issues. The checks are based on some of the best practices for configuring a secure portal environment. The script evaluates a number of configuration properties and assigns each finding one of three severity levels: Critical, Important, and Recommended. The criteria are described in the following table:
ID | Severity | Property | Description |
---|---|---|---|
PS01 | Critical | Proxy restrictions | Determines whether the portal proxy capability is restricted. By default, the portal proxy server is open to any URL. To mitigate potential Denial of Service (DoS) or Server Side Request Forgery (SSRF) attacks, it's recommended that you restrict the portal's proxy capability to approved web addresses. |
PS02 | Critical | Token requests | Determines whether generate token requests with credentials in the query parameter are supported. If supported, when generating tokens, a user's credentials could be provided as part of the URL and may be exposed through browser history or in network logs. It is recommended that you disable this unless required by other applications. |
PS03 | Important | Portal services directory | Determines whether the portal services directory is accessible through a web browser. This should be disabled to reduce the chances that your portal items, services, web maps, groups, and other resources can be browsed, found in a web search, or queried through HTML forms. |
PS04 | Important | Secure communication | Determines whether the portal communicates through HTTPS only. To prevent the interception of any communication within the portal, it's recommended that you configure your portal and the web server hosting the Web Adaptor to enforce SSL. |
PS05 | Recommended | Built-in account sign-up | Determines whether users can click the Create An Account button on the portal sign-up page to create a built-in portal account. If you're using organization-specific accounts or you want to create all accounts manually, disable this option. |
PS06 | Recommended | Anonymous access | Determines whether anonymous access is allowed. To prevent any user from accessing content without first providing credentials to the portal, it's recommended that you configure your portal to disable anonymous access. |
PS07 | Recommended | LDAP identity store | If the portal is configured with an LDAP identity store, this determines whether encrypted communication is used. It is recommended that you use LDAPS in the ldapURLForUsers and ldapURLForRoles properties listed in the user store and group store configuration parameters. |
PS08 | Recommended | Portal SSL certificate | Determines whether a self-signed certificate is used by the portal. To help reduce web browser warnings or other unexpected behavior from clients communicating with the portal, it is recommended that you import and use a CA-signed SSL certificate bound to port 7443. |
PS09 | Recommended | Cross-domain requests | Determines whether cross-domain (CORS) requests are unrestricted. To reduce the possibility of an unknown application accessing a shared portal item, it is recommended that you restrict cross-domain requests to applications hosted only in trusted domains. |
PS10 | Critical | Federated server administrative URL | Determines whether your federated server's administrator URL is reachable by the portal and whether the SSL certificate used in this URL is trusted. If untrusted or not reachable, many portal functions and operations will fail. |
PS11 | Recommended | Federated server services URL | Determines whether your federated server's services URL is reachable by the portal and whether the SSL certificate used in this URL is trusted. If untrusted or not reachable, the portal will still function but some portal operations may fail. |
PS12 | Recommended | Public content | If the portal is configured so members cannot share content publicly, this will list items that are still shared with Everyone. |
PS13 | Important | SAML configuration settings | If the portal is configured to use SAML authentication, this determines whether encrypted assertions and signed requests are enabled. If supported by the identity provider, it is recommended that you configure the portal to require both encrypted assertions and signed requests. |
PS14 | Important | Default print service status | The print service that is configured by default on the portal is typically overwritten once an ArcGIS Server has been federated. It is recommended that you disable the default print service if it is not being used. |
PS15 | Recommended | Legend service status | The legend service is used by the portal to retrieve legend icons from older map and feature services (through SOAP). Unless older services are being accessed that do not support retrieving the legend through REST, it is recommended that you disable this service. |
PS16 | Recommended | RSS service status | The RSS service is used by the portal to communicate with GeoRSS feeds. If no GeoRSS feeds will be accessed through any web maps on the portal, it is recommended that you disable this service. |
PS17 | Recommended | KML service status | The KML service is used by the portal to communicate with KML endpoints. If no KML endpoints will be accessed through any web maps on the portal, it is recommended that you disable this service. |
The portalScan.py script is in the <Portal for ArcGIS installation location>\tools\security directory. Run the script from the command line using portalScan.bat, which is in the same directory. You have the option to specify one or more parameters when running the script.
portalScan.py parameters
The following table describes portalScan.py parameters:
Parameter | Description |
---|---|
-n | The fully qualified domain name of the machine where Portal is installed (for example, gisportal.domain.com). The default is the host name of the machine where the script is run. |
-u | The username of an administrator account. |
-p | The password of an administrator account. |
-o | The directory where the security scan report will be saved. The default directory is the same folder where you run the script. |
-t | A token can be generated and used in place of the username and password. When generating the token, enter portalScan in the Webapp URL field. When a token is provided, it overrides any username or password that is also provided. |
--ignoressl | Disable SSL certificate verification. Starting in 10.7.1, the script will attempt to verify all SSL certificates by default. If Python does not trust the issuer of the certificates, the script will fail to complete. If needed, this parameter can be specified to ignore all certificates. |
-h or -? | Outputs a listing of the parameters that can be specified when running the script. |
Example:

```shell
python portalScan.py -n portal.domain.com -u admin -p my.password -o C:\Temp
```
If the portalScan.py script is run without specifying parameters, you will be prompted to enter them manually or accept the default values. If you want to use a token, it must be provided as a parameter when running the script. Note that a password passed with -p is visible in the shell history and in process listings on the machine where the script runs; if that is a concern, enter the password at the prompt or use a token instead.
The scan generates a report in HTML format that lists any of the above issues that were found in the specified portal.
By default, the report is saved in the same folder where you run the script and is named portalScanReport_[hostname]_[date].html.
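The report above is HTML meant for a person to read. When the same criteria need to be re-checked from a script (for example after a configuration change, or to feed findings into a ticketing system), a subset of them can be evaluated directly from the JSON the portal returns over REST. The following is an added example, not part of portalScan.py or any Esri code. It assumes two inputs: the document returned by the portal's `sharing/rest/portals/self?f=json` endpoint and the one returned by `portaladmin/security/config?f=json`, and it assumes the property names `allSSL`, `access`, `canSharePublic`, `disableSignup`, `allowedProxyHosts` and `allowedOrigins` are the ones those endpoints expose; verify them against your own portal before relying on this. The sample documents and item list in the block are constructed, not captured from a real portal. It implements PS01, PS04, PS05, PS06, PS09 and PS12 from the table.

```python
"""Re-implement a subset of the portalScan.py criteria over the portal's JSON.

Added example, not Esri's code. Property names below are assumptions about
what the portals/self and portaladmin/security/config endpoints return;
all sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    property: str
    message: str


def _hosts(value):
    """allowedProxyHosts / allowedOrigins may arrive as a comma-separated string
    or as a list (assumption); normalise either into a list of non-empty entries."""
    if value is None:
        return []
    if isinstance(value, str):
        value = value.split(",")
    return [v.strip() for v in value if v and v.strip()]


def scan(portal_self, security_cfg, items=()):
    """Return the findings derivable from the two JSON documents (plus an optional
    item list for PS12), ordered Critical > Important > Recommended, then by ID."""
    findings = []
    # PS01: an empty proxy allow-list means the proxy will fetch any URL (SSRF/DoS).
    if not _hosts(security_cfg.get("allowedProxyHosts")):
        findings.append(Finding("PS01", "Critical", "Proxy restrictions",
            "proxy is open to any URL; set allowedProxyHosts to approved hosts"))
    # PS04: allSSL false means plain HTTP is still accepted.
    if not portal_self.get("allSSL", False):
        findings.append(Finding("PS04", "Important", "Secure communication",
            "allSSL is false; HTTP is still accepted, enforce HTTPS only"))
    # PS05: built-in account sign-up still enabled.
    if not portal_self.get("disableSignup", False):
        findings.append(Finding("PS05", "Recommended", "Built-in account sign-up",
            "Create An Account is enabled; disable it if accounts are created manually"))
    # PS06: a public portal serves content without credentials.
    if portal_self.get("access") == "public":
        findings.append(Finding("PS06", "Recommended", "Anonymous access",
            "anonymous access is allowed; set access to private"))
    # PS09: an empty origin allow-list means cross-domain requests are unrestricted.
    if not _hosts(security_cfg.get("allowedOrigins")):
        findings.append(Finding("PS09", "Recommended", "Cross-domain requests",
            "CORS is unrestricted; set allowedOrigins to trusted domains"))
    # PS12: public sharing is off, but items shared with Everyone still exist.
    if not portal_self.get("canSharePublic", True):
        leaked = [i["id"] for i in items if i.get("access") == "public"]
        if leaked:
            findings.append(Finding("PS12", "Recommended", "Public content",
                "public sharing is disabled but items are still shared with Everyone: "
                + ", ".join(leaked)))
    order = {"Critical": 0, "Important": 1, "Recommended": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.id))


# Constructed sample: the weak (default-like) configuration.
PORTAL_SELF_WEAK = {"allSSL": False, "access": "public",
                    "canSharePublic": True, "disableSignup": False}
SECURITY_CFG_WEAK = {"allowedProxyHosts": "", "allowedOrigins": ""}

# Constructed sample: the same settings after hardening.
PORTAL_SELF_HARDENED = {"allSSL": True, "access": "private",
                        "canSharePublic": False, "disableSignup": True}
SECURITY_CFG_HARDENED = {"allowedProxyHosts": "gis.example.com,tiles.example.com",
                         "allowedOrigins": ["https://apps.example.com"]}

# Constructed item search results: item1 was shared with Everyone before
# public sharing was switched off, so PS12 should report it.
SAMPLE_ITEMS = [{"id": "item1", "access": "public"},
                {"id": "item2", "access": "org"}]


if __name__ == "__main__":
    for label, self_doc, cfg in (("weak", PORTAL_SELF_WEAK, SECURITY_CFG_WEAK),
                                 ("hardened", PORTAL_SELF_HARDENED, SECURITY_CFG_HARDENED)):
        print(f"== {label} ==")
        for f in scan(self_doc, cfg, SAMPLE_ITEMS):
            print(f"{f.id} [{f.severity}] {f.property}: {f.message}")
```

The weak sample produces PS01, PS04, PS05, PS06 and PS09 in that order; the hardened sample produces only PS12, because public sharing has been switched off while item1 is still shared with Everyone, which is exactly the situation the PS12 row describes. Checks that depend on the web server, certificates or federated servers (PS07, PS08, PS10, PS11) are not reproducible from these two documents and are left to portalScan.py.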