Title

The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts. (Cat II impact)

Discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. A non-privileged account is any operating system account with authorizations of a non-privileged user. Satisfies: SRG-APP-000156, SRG-APP-000157, SRG-APP-000295

Check Content

Review the ArcGIS for Server configuration to ensure that the application implements replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. Within IIS >> within the [“arcgis”] application >> Authentication >> Verify that “Windows Authentication” is “Enabled”. Verify that “Anonymous Authentication” is “Disabled”. If “Windows Authentication” is not enabled, or “Anonymous Authentication” is enabled, this is a finding. Within IIS >> within the [“arcgis”] application >> Authentication >> Select “Windows Authentication” >> “Providers”. Verify “Negotiate” or “Negotate:Kerberos” are at the top of the list, with NTLM at the bottom of the list. If “NTLM” is at the top of the “Providers” list, this is a finding. This control is not applicable for ArcGIS Server deployments configured to allow anonymous access. This control is not applicable for ArcGIS Server deployments which are integrated with and protected by one or more third party DoD compliant certificate authentication solutions.

Fix Text

Configure ArcGIS for Server to utilize replay-resistant authentication mechanisms for network access to privileged accounts. Substitute the target environment’s values for [bracketed] variables. Enable Active Directory Client Certificate Authentication "To map client certificates by using Active Directory mapping."

Additional Identifiers

Rule ID: SV-237327r879597_rule

Vulnerability ID: V-237327

Group Title: SRG-APP-000156

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.