ArcGIS for Server 10.3 Security Technical Implementation Guide


Overview

Date: 2017-12-22
Finding Count (22): CAT I (High): 9, CAT II (Med): 13, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-65483 High The ArcGIS Server must use a full disk encryption solution to protect the confidentiality and integrity of all information.
V-65323 High The ArcGIS Server must use Windows authentication for supporting account management functions.
V-65519 High The ArcGIS Server keystores must only contain certificates of PKI established certificate authorities for verification of protected sessions.
V-65515 High The ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-65385 High The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-65517 High The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-65393 High The ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components.
V-65319 High The ArcGIS Server must protect the integrity of remote access sessions by enabling HTTPS with DoD-approved certificates.
V-65467 High The ArcGIS Server must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-65487 Medium The ArcGIS Server must reveal error messages only to the ISSO, ISSM, and SA.
V-65485 Medium The ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled.
V-65459 Medium The ArcGIS Server, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-65477 Medium The ArcGIS Server must recognize only system-generated session identifiers.
V-65415 Medium The ArcGIS Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-65413 Medium The ArcGIS Server must be configured to disable non-essential capabilities.
V-65499 Medium The ArcGIS Server must enforce access restrictions associated with changes to application configuration.
V-65503 Medium The organization must disable organization-defined functions, ports, protocols, and services within the ArcGIS Server deemed to be unnecessary and/or nonsecure.
V-65569 Medium The ArcGIS Server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-65509 Medium The ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials.
V-65429 Medium The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts.
V-65407 Medium The ArcGIS Server must protect audit information from any type of unauthorized read access, modification or deletion.
V-65521 Medium The ArcGIS Server must maintain a separate execution domain for each executing process.