Learn to Apply Security Best Practices to an ArcGIS Server Site

Are you running ArcGIS for Server in your organization? Do you want to ensure that it has been properly configured to be secure?

In this tip, you will learn how to verify that you’ve followed Esri’s best practices for security and see whether they have been applied to your server site. Note that “ArcGIS for Server” is the product name, but this tip only applies to the GIS server (aka ArcGIS Server) component of ArcGIS for Server. This tip is meant to work with ArcGIS 10.4 for Server, but you can still apply it to Server sites for ArcGIS 10.3 or later versions.

One of the many great enhancements in ArcGIS 10.4 for Server is the new command line tool called This tool scans your ArcGIS Server site and checks to see whether it has been configured following the security best practices recommended by Esri. It is written in Python and can be found in the ArcGIS Server installation directory (<installation location>\arcgis\server\tools\admin). In a default ArcGIS Server installation, it is located at: C:\Program Files\ArcGIS\Server\tools\admin.

After the tool executes, it returns a report that lists all the recommended actions that you can apply to make your ArcGIS Server site more secure and, therefore, better protect your data and GIS web services. This tip shows you how to run the tool and interpret the results in the report that is generated.

Step 1: Open a new command prompt window on your server computer (ensure that you have the appropriate administrator privileges on the computer).

Step 2: In the command prompt window, navigate to the ArcGIS Server installation directory. Then navigate to the admin folder in the tools directory.

For example, in a default ArcGIS Server installation, the tool would be located here: C:\Program Files\ArcGIS\Server\tools\admin

Step 3: Run the tool. Before it executes, it will prompt you for three input parameters:

For example:

Step 4: After you enter the last parameter, hit return and the tool will run.

The tool generates a report written in HTML format. By default, the report will be named serverScanReport_<machinename>_<dategenerated> and will be stored at the same location as where the tool is executed—in this case, within the admin folder.

Step 5: Open Windows Explorer and navigate to the location where the report was generated. In this example, the location is C:\Program Files\ArcGIS\Server\tools\admin.
Step 6: Double-click to open the report in a web browser, as it is an HTML page, to view its contents.

Notice that each reported item has a unique ID, is categorized based on the severity of the issue, and includes a name and description. The report recommends some parameter settings you can set and/or adjust in your ArcGIS Server site so that you can make it more secure.

Step 7: Review the report results and check them against the ArcGIS for Server online help topic Scan ArcGIS Server for security best practices.

This help topic describes each of the 12 different Esri security best practices for an ArcGIS Server site. You have the option to apply all, some, or none of these to your site. The more best practices you apply, the more secure your ArcGIS Server site will be.

See how easy it was to check that your ArcGIS Server site was properly configured following the Esri best practices for enabling security? For more information on securing your ArcGIS Server site see the following help topics:

Note: Portal for ArcGIS 10.4 also includes a new command line tool called that performs a similar best practices security check on your Portal.

About the author

Derek Law

Derek Law is a senior product manager working on ArcGIS Monitor. Based in the Esri Redlands, California, office, he's involved with requirements gathering, software development, and product marketing. Follow on Twitter: @GIS_Bandit | Mastodon: