Securing Your ArcGIS Server for the Microsoft .NET Framework Site
Tom Brenneman, Lloyd Heberlie


Page 1: Securing Your ArcGIS Server for the Microsoft .NET Framework Site

Tom Brenneman, Lloyd Heberlie

Page 2: Schedule

• Security overview
• Setup and configuration
• Securing GIS Web services
• Using the token service
  – Using a proxy page
• Securing Web applications
• Security pass through

• We will answer questions at the end of the session. Please complete the session survey!

Page 3: Security Overview

• ArcGIS Server security provides access control
  – Which users can access particular services and applications
• Remember other security tasks
  – Security during transmission
  – Operating system: updates, virus protection
  – Code: SQL injection, cross-site scripting, etc.
  – Physical security
  – User education: phishing, etc.

Page 5: Access control model for web users

• ArcGIS Server has role-based access control
• Uses standard IIS or ASP.NET security
• IIS
  – Basic, Digest, Integrated Windows
• ASP.NET
  – Membership and role provider framework

Page 6: Two phases of access control

• Authentication
  – Verification of user credentials
  – User name and password
• Authorization
  – Verification that the user has access to a specific resource
  – All authorization in ArcGIS Server is based on roles

Page 7: Authenticating users

• Authentication requires a storage location for principals
  – Windows
  – SQL Server
  – Custom

• Diagram (client → IIS → ASP.NET), showing where each principal store is handled:
  – IIS Authentication: Windows principal store, managed by the OS
  – ASP.NET Authentication: SQL Server and Custom principal stores, via ASP.NET 2.0 membership

Page 8: Configuring security

• Decide where users and roles will be stored
• Install supporting items as needed
  – Secure Sockets Layer (SSL) certificate for the Web server
  – SQL Server (Express)
  – Custom provider
• Configure security in Manager
  – Configure location for users and roles
  – Add and manage users and roles
• Secure Web application(s) using Manager*
  – and/or –
• Secure GIS Web services using Manager

* or other tools for custom applications

Page 9: Decide where users and roles will be stored

• Windows users and groups
  – Manage with operating system tools
• SQL Server
  – Full or Express version
  – Tables store users and roles in .NET membership format
• Custom provider
  – Oracle, Active Directory, XML, etc.
  – To use, acquire a .NET membership/role provider

Page 10: How will users be authenticated?

• If users are in SQL Server or a custom provider
  – Web applications: ASP.NET Forms authentication
  – Web services: Token service
• If Windows users, options are:
  – IIS-controlled authentication
    • Integrated Windows
    • Basic
    • Digest
  – Token authentication
    • Only supported if roles are in SQL Server

Page 11: More details on users and roles

• User and role stores are usually in the same place, but you can have
  – Windows users + SQL Server roles
  – Windows users + roles in a custom provider
  – SQL Server users + roles in a custom provider
• Built-in SQL Server roles
  – Everyone (*): all users permitted, whether they provide a login or not
  – Authenticated Users (@): users who provide a valid login
  – Anonymous (?): users who do not provide a login

Page 12: Session agenda (repeated from Page 2)

Page 13: Securing ArcGIS Server services

• Two ways to connect to an ArcGIS Server service
• Local connection
  – Works only on intranets
  – Access to all server functionality
  – User must be a member of the agsusers or agsadmin groups
• Web service ("Internet") connections
  – SOAP, REST, WMS, KML
  – Works on intranets and over the Internet

Page 14: Securing GIS Web services

• Services inherit folder permissions
• Good practice to secure folders
• Permission changes cascade to all children
  – Set permissions on the root first

Page 15: Transitioning ArcGIS Server from open access to secure access

• Enabling security for services is set separately from permissions
  – Security > Settings tab
• With no security, everyone has access to everything
• If you enable security before changing permissions, no one will be able to use existing services
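The following is an added example, not code from the Esri slides: a small Python model of the authorization rules the deck has described so far (the built-in roles *, @ and ? from Page 11, folder inheritance and cascading from Page 14, and the ordering pitfall from Page 15, where enabling security before granting any role locks everyone out). The path notation, the dictionary store and the cascade-by-clearing-children behaviour are my own modelling assumptions; ArcGIS Server's .SEC file format is not reproduced.

```python
"""Model of ArcGIS Server folder/service authorization (added example).

Assumptions: paths are written "Folder/Service", permissions live in a
dictionary instead of the server's .SEC files, and a folder change cascades
by clearing explicit entries on its children.
"""

# Built-in roles, spelled as on the "More details on users and roles" slide
EVERYONE = "*"       # all users, whether they provide a login or not
AUTHENTICATED = "@"  # users who provide a valid login
ANONYMOUS = "?"      # users who do not provide a login


class PermissionStore:
    def __init__(self):
        # Mirrors the Security > Settings tab: whether security is enforced
        # is stored separately from the permissions themselves.
        self.security_enabled = False
        self._perms = {}  # normalised path -> set of permitted roles

    @staticmethod
    def _norm(path):
        # "" -> "/" (root), "USA/MapServer" -> "/USA/MapServer"
        return "/" + path.strip("/")

    def set_permissions(self, path, roles):
        """Grant roles on a folder (or a single service).

        Children that had their own explicit entry lose it, so the change
        cascades down the tree; that is why the root should be set first.
        """
        path = self._norm(path)
        self._perms[path] = set(roles)
        prefix = path.rstrip("/") + "/"
        for child in [p for p in self._perms if p != path and p.startswith(prefix)]:
            del self._perms[child]

    def effective_roles(self, path):
        """Services inherit folder permissions: walk up until an entry is found."""
        parts = path.strip("/").split("/")
        while parts:
            key = "/" + "/".join(parts)
            if key in self._perms:
                return set(self._perms[key])
            parts.pop()
        return set(self._perms.get("/", set()))

    def can_access(self, path, user_roles, authenticated):
        """Decide whether a request may reach the service at `path`."""
        if not self.security_enabled:
            return True  # "With no security, everyone has access to everything"
        permitted = self.effective_roles(path)
        if EVERYONE in permitted:
            return True
        if authenticated and AUTHENTICATED in permitted:
            return True
        if not authenticated and ANONYMOUS in permitted:
            return True
        # Ordinary roles only apply to a user who actually logged in
        return authenticated and bool(permitted & set(user_roles))


def transition_walkthrough():
    """Replay the ordering pitfall from the "Transitioning" slide.

    Returns (open_server, security_on_without_permissions, after_root_permissions)
    for an authenticated member of the "viewers" role.
    """
    store = PermissionStore()
    viewer = (["viewers"], True)
    before = store.can_access("USA/MapServer", *viewer)       # open server
    store.security_enabled = True
    locked_out = store.can_access("USA/MapServer", *viewer)   # nobody is permitted yet
    store.set_permissions("/", [AUTHENTICATED])               # root first, then cascade
    after = store.can_access("USA/MapServer", *viewer)        # inherited from root
    return before, locked_out, after
```

`transition_walkthrough()` returns `(True, False, True)`: the middle value is the lockout the slide warns about, which is avoided by granting roles on the root folder before flipping the security setting.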

Page 16: Using secured services

• ArcGIS Desktop, ArcGIS Explorer
  – Provide identity in the connection dialog
• .NET Web applications
  – Manager: use "Access secured services"
  – Visual Studio: add identity in the resource manager
• SOAP and REST applications
  – Use token or Windows authentication
  – More on this shortly

Page 17: When to use SSL for services

• Using IIS security (Windows for users and groups)
• Data being displayed in a dynamic service is sensitive
• Attributes of a query contain sensitive information
• Require Encrypted Web Access for folders and services
  – AGS Manager or ArcCatalog
  – You can't set encrypted access on a service; it has to be set on a folder

Page 18: Demo

Securing GIS Web services

Page 19: Session agenda (repeated from Page 2)

Page 20: The Token service

• User authentication web service
  – Token provided to access services
  – Uses HTTPS by default
• Why do we need it?
  – .NET provides no mechanism for web service security
    • Forms authentication is just for applications
  – Web service security when using an ASP.NET membership / role provider
• Used only with GIS Web services
  – Not used by default with Windows users
  – Not used to authenticate Web application users

Page 21: What is in a Token?

• Token is a string with encrypted information:
  – User name
  – Expiration time
  – Client ID (optional)
    • IP address or Web URL (HTTP Referrer)
    • If included, expiration can be a longer time period (weeks/months)
      – Used by most clients: Desktop, ADF, Web API/REST applications, etc.
    • If not included, shorter expiration time; needs to be renewed

Page 22: Working with the Token service

• Most clients will work with tokens automatically
  – ArcGIS Desktop, ArcGIS Engine, ArcGIS Explorer
  – Web ADF (.NET and Java) and Mobile ADF
• Some clients will require explicit token management
  – SOAP-based clients not using ADF
    • Use server-side code to acquire and use the token
  – Web API/REST clients
    • Developer obtains a token from the get-token Web page
    • Developer embeds the token in the application or proxy

Page 23: How developers commonly use the Token service

Diagram with the Developer, the Web server (hosting the Token service) and the Principal Store (Users & Roles). Steps:

1. Developer uses the Token service page
2. Enter required information
3. Client requests token
4. Credentials validated against the Principal Store
5. Service returns token
6. Copy/paste token from the token page into the web app code

Page 24: How the Web APIs/REST clients use the Token

Diagram with Client Applications, the Web server (Web service handler and Token service handler), the Principal Store (Users & Roles), the Permission Store (.SEC files), the SOM and the GIS Services. Steps:

1. Client requests with token
2. Server gets the user's roles and authorizes them against the permission store
3. Server returns service data

Page 25: Getting a token

Screenshot of the Services Directory get-token page. Web URL (HTTP Referrer) values entered as the client ID:

• Hello world
• HTTP://myWebAppHost/myApp
  – App must be accessed via HTTP
• myWebAppHost/myApp
  – App can be accessed via HTTP or HTTPS
• Use IP with a proxy page (more later)

Page 26: Using a token

• GIS service can provide the Token service URL
• Append the token to the URL of the server
  – http://myserver/arcgis/services/USA/MapServer?token=hpWKwq...
• Use HTTPS for maximum security over unsecure networks
  – Needed to guard against token hijacking and replay attacks

Page 27: Demo

Using secure services in a Flex application

Page 28: Using a proxy page for token management

• Tokens in web API applications expire
  – HTTP error code of 498
  – Refresh embedded tokens periodically (source / config file update)
• Proxy page
  – Embed token using the server's IP address as referrer
    • Pro: Token not exposed to the client
    • Con: Tokens must still be updated in the proxy page
  – Embed user name and password for dynamic token generation
    • Pro: No ongoing maintenance
    • Con: User name and password are unencrypted on the server
• Forum post contains a dynamic proxy: http://forums.esri.com/Thread.asp?c=158&f=2396&t=297001

Page 29: Proxy page security

• Proxy page contains no security logic
  – If left unsecured, the proxy provides an unsecured back door to services
• Include the proxy in the web application and secure the application
• See "Using the proxy page" in the JavaScript API help

Page 30: Demo

Using a proxy page for token management

Page 31: Session agenda (repeated from Page 2)

Page 32: Application security considerations

• Server-based applications (.NET or Java Web ADF)
  – Only the application needs to be secured
  – Web services are accessed from the server
• Browser-based applications (JavaScript, Flex, Silverlight)
  – Application and web services need to be secured
  – Web services are accessed from the browser

Page 33: Securing Web ADF applications with Manager

• Security button in Manager Applications
• Enable security
• Add permitted role(s)
  – Notice role-based security, not user-based
• Permission rules are stored in the application
  – Web.config: <authorization> element
• User will be prompted to login
  – ASP.NET security: Login.aspx page
  – IIS security: pop-up dialog

Page 34: Securing Web API applications

• Can't secure applications with only client-side code
• Using IIS
  – Secure using the OS
• Using ASP.NET
  – Wrap code in an .aspx page
  – Use the same approach shown earlier for securing the application outside of Manager
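As an added example (not a file from the slides or from Esri), this is what the Web.config the two preceding slides refer to looks like when a Web ADF or wrapped Web API page is secured with ASP.NET Forms authentication and the SQL Server membership/role store. The elements are the standard ASP.NET 2.0 ones; the role name GISViewers and the connection string name ArcGISSecurity are placeholders to replace with your own.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated users are redirected to Login.aspx.
         requireSSL keeps the authentication cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true" timeout="30" />
    </authentication>

    <!-- Role-based rule, as Manager writes it: rules are evaluated top to bottom
         and the first match wins, so the allow must come before the deny. -->
    <authorization>
      <allow roles="GISViewers" />
      <deny users="*" />
    </authorization>

    <!-- Users and roles come from the SQL Server store in .NET membership format -->
    <membership defaultProvider="AgsSqlMembership">
      <providers>
        <add name="AgsSqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ArcGISSecurity"
             applicationName="/" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AgsSqlRoles">
      <providers>
        <add name="AgsSqlRoles"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="ArcGISSecurity"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Two checks worth making on a real file: `<deny users="*" />` denies everyone not matched above it, whereas `<deny users="?" />` only denies anonymous users and would let any logged-in user through regardless of role; and the `<authorization>` rules protect only the pages served by this application, so for a browser-based Web API app the services it calls still need their own permissions (Page 32).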

Page 35: Demo

Securing a Web API application

Page 36: Session agenda (repeated from Page 2)

Page 37: Passing identity from Web ADF application to services

• Scenario: Secure application with dynamic services based on the user
  – User logs into the application
  – User sees only the services they have access to
• SecurityPassthrough samples
  – Passes the user's identity to the GIS service at runtime
  – Three samples:
    • SecurityPassthrough_Forms
    • SecurityPassthrough_Win
    • SecurityPassthrough_WinInternet
  – Common_Security: page content controlled by the logged-in user

Page 38: Passing identity from Web API application to services secured using Windows

• JavaScript, Flex, and Silverlight
  – It just works
• Integrated Windows / Basic automatically pass credentials from the application to the web services

Page 39: Passing identity from Web API application to services secured using ASP.NET

• Web application requests a token from the tokens service
  – Tokens service parameters
    • username
    • password
    • clientid (ref.[URL], ip.[IP ADDRESS])
    • expiration (minutes)
  – E.g.: https://host/ArcGIS/tokens/?request=getToken&username=user&password=pass&clientid=ref.myAppHost&expiration=10
• Append the token to the layer
• Silverlight: must use a short-lived token (see February 15 2010)
  – Refresh the token using a timer
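The following is an added example, not code from the slides or from Esri: a small Python token-service client that puts together the pieces described on Pages 21, 26, 28 and 39: requesting a token with the parameters listed above, appending it to a service URL, and renewing it when the server answers HTTP 498 (the expired-token code from Page 28). The same lifecycle is what a dynamic proxy page runs server-side with an `ip.` client id. The endpoint and parameter names are taken from the slide; that the tokens service returns the token as a plain-text body is an assumption. `FakeServer` is a constructed stand-in so the code runs offline.

```python
"""Token-service client for a Web-API-style application (added example).

Assumptions: endpoint and parameters as on the slide
(https://host/ArcGIS/tokens/?request=getToken&username=..&password=..&clientid=..&expiration=..);
the token is returned as a plain-text body. FakeServer is constructed, not real.
"""
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

TOKEN_EXPIRED = 498  # status code the deck gives for an expired token


def build_get_token_url(host, username, password, clientid, expiration_minutes):
    """getToken request with the four parameters listed on the slide.

    The credentials travel in the query string, which is why the tokens
    service is only ever called over HTTPS.
    """
    params = {
        "request": "getToken",
        "username": username,
        "password": password,
        "clientid": clientid,  # "ref.<url>" for a browser app, "ip.<address>" for a proxy
        "expiration": expiration_minutes,
    }
    return "https://%s/ArcGIS/tokens/?%s" % (host, urlencode(params))


def append_token(service_url, token):
    """Append the token as a query parameter, replacing any stale one."""
    parts = urlsplit(service_url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "token"]
    query.append(("token", token))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def http_fetch(url):
    """Real transport: returns (status, body)."""
    with urlopen(url) as resp:
        return resp.status, resp.read().decode()


class TokenClient:
    def __init__(self, host, username, password, clientid, expiration_minutes=10,
                 fetch=http_fetch, clock=time.time):
        self.host, self.username, self.password = host, username, password
        self.clientid, self.expiration_minutes = clientid, expiration_minutes
        self.fetch, self.clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    def refresh(self):
        """Request a new token (what the Silverlight timer does periodically)."""
        status, body = self.fetch(build_get_token_url(
            self.host, self.username, self.password, self.clientid, self.expiration_minutes))
        if status != 200:
            raise RuntimeError("token request failed with HTTP %d" % status)
        self._token = body.strip()
        self._expires_at = self.clock() + self.expiration_minutes * 60
        return self._token

    def token(self):
        """Cached token, renewed proactively once its lifetime has elapsed."""
        if self._token is None or self.clock() >= self._expires_at:
            self.refresh()
        return self._token

    def get(self, service_url):
        """Call a secured service; on 498, renew the token once and retry."""
        status, body = self.fetch(append_token(service_url, self.token()))
        if status == TOKEN_EXPIRED:
            status, body = self.fetch(append_token(service_url, self.refresh()))
        return status, body


class FakeServer:
    """Constructed stand-in for ArcGIS Server: hands out numbered tokens and
    answers 498 to any request whose token is not the one currently valid."""
    def __init__(self):
        self.issued = 0
        self.valid_token = None

    def revoke(self):
        self.valid_token = None  # simulates server-side expiry of the token

    def __call__(self, url):
        parts = urlsplit(url)
        query = dict(parse_qsl(parts.query))
        if parts.path == "/ArcGIS/tokens/" and query.get("request") == "getToken":
            self.issued += 1
            self.valid_token = "tok%d" % self.issued
            return 200, self.valid_token + "\n"
        if query.get("token") != self.valid_token:
            return TOKEN_EXPIRED, "Invalid token"
        return 200, '{"serviceDescription": "USA"}'


def demo():
    """Two requests: the second meets 498 after revocation and recovers."""
    server = FakeServer()
    client = TokenClient("host", "user", "pass", "ref.myAppHost", 10, fetch=server)
    first = client.get("https://host/ArcGIS/rest/services/USA/MapServer?f=json")
    server.revoke()
    second = client.get("https://host/ArcGIS/rest/services/USA/MapServer?f=json")
    return first[0], second[0], server.issued
```

`demo()` returns `(200, 200, 2)`: the second call was first refused with 498, the client fetched a fresh token and retried, so two tokens were issued in total. Because `fetch` is injectable, the same class can be driven by `http_fetch` against a real server; the retry is deliberately limited to one renewal so a wrong password fails fast instead of looping.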

Page 40: Demo

Modifying Web application content based on the user's role

Page 41: Security resources for ArcGIS Server

• ArcGIS Server Resource Center
  – http://resources.esri.com
  – Accessing secure services: Web APIs
• Enterprise Resource Center
  – http://resources.esri.com/enterprisegis/
• Supporting Resources for ArcGIS Server
  – http://resources.esri.com/arcgisserver/index.cfm?fa=support
  – ArcGIS Server Manager Help
  – Web APIs, REST, SOAP Developer Help

Page 42: Summary

• ArcGIS Server Manager enables users to
  – Configure user and role stores
  – Secure Web applications
  – Secure GIS Web services
• Clients work with security
  – Desktop, Engine and Web ADF work seamlessly
  – SOAP and REST clients may require working with tokens
• Use standard ASP.NET methods for finer-grain security in applications

Page 43: Additional Resources

• Other sessions
  – Advanced Map Caching Topics
• Social networking
  – Twitter: @esridevsummit
  – Facebook: facebook.com/esridevsummit

Page 44: Want to Learn More? ESRI Training and Education Resources

• Instructor-Led (Classroom) Training
  – ArcGIS Server: Web Administration Using the Microsoft .NET Framework
• Self-Study (Virtual Campus) Training
  – ArcGIS Server Setup and Administration
  – Implementing Security for ArcGIS Server .NET Solutions

http://www.esri.com/training

Page 45: Questions

• Thank you
• Please fill out the survey