Check: AGIS-00-000187
ArcGIS for Server 10.3 STIG:
AGIS-00-000187
(in version v2 r1)
Title
The ArcGIS Server SSL settings must use NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (Cat I impact)
Discussion
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-APP-000416, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000514
Check Content
Review the ArcGIS Server configuration to ensure the application implements NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the [“arcgis”] application >> SSL Settings >> Verify that “Require SSL” is checked. If “Require SSL” is not checked, this is a finding. Note: To comply with this control, the Active Directory domain on which the ArcGIS Server and the IIS system are deployed must implement policies which enforce FIPS 140-2 compliance. This control is not applicable for ArcGIS Servers which are deployed as part of a solution which ensures user web service traffic flows through third-party DoD compliant transport encryption devices (such as a load balancer that supports TLS encryption using DoD-approved certificates.) This control is not applicable for ArcGIS Servers which are not deployed with the ArcGIS Web Adapter component.
Fix Text
Configure the ArcGIS Server to implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the "[arcgis]" application >> SSL Settings >> check "Require SSL".
Additional Identifiers
Rule ID: SV-237338r879944_rule
Vulnerability ID: V-237338
Group Title: SRG-APP-000416
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002418 |
The information system protects the confidentiality and/or integrity of transmitted information. |
| CCI-002420 |
The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
| CCI-002421 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
| CCI-002422 |
The information system maintains the confidentiality and/or integrity of information during reception. |
| CCI-002450 |
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |