The ArcGIS Server must accept and electronically verify Personal Identity Verification (PIV) credentials.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-65509	AGIS-00-000171	SV-79999r2_rule		Medium

Description
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems. Satisfies: SRG-APP-000391, SRG-APP-000392

STIG	Date
ArcGIS for Server 10.3 Security Technical Implementation Guide	2017-12-22

Details

Check Text ( C-66091r2_chk )
Review the ArcGIS for Server configuration to ensure that the application accepts Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”. Verify that “Anonymous Authentication” is “Disabled”. If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding. Within IIS >> within the [“arcgis”] application >> SSL Settings >> Verify the setting “Client Certificates:” is set to “Accept” or “Require” If “Client Certificates:” is set to “Ignore” this is a finding. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Check Text ( C-66091r2_chk )

Review the ArcGIS for Server configuration to ensure that the application accepts Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables.

Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”.
Verify that “Anonymous Authentication” is “Disabled”.
If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding.

Within IIS >> within the [“arcgis”] application >> SSL Settings >> Verify the setting “Client Certificates:” is set to “Accept” or “Require”
If “Client Certificates:” is set to “Ignore” this is a finding.

This control is not applicable for ArcGIS Server deployments configured to allow anonymous access.

This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Fix Text (F-71451r3_fix)
Configure ArcGIS for Server to accept Personal Identity Verification (PIV) credentials. Substitute the target environment’s values for [bracketed] variables. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping."