Where to Start When Securing Your ArcGIS Enterprise

By Justin Mallinckrodt

In today’s evolving cybersecurity landscape, protecting your ArcGIS Enterprise deployment has never been more critical. Attackers are becoming more sophisticated, and GIS systems, which often contain sensitive operational data, are increasingly targeted.

Newer releases of ArcGIS Enterprise continue to strengthen secure‑by‑default behavior, reducing the number of manual steps required to harden a deployment. Features such as restricted proxy behavior and improved logging are enabled automatically in current releases, allowing administrators to focus on validation and monitoring rather than foundational security setup.

This guide curates the most important resources ArcGIS Enterprise administrators should use to maintain a strong security posture so you know exactly where to start, what to check, and how to stay protected.

Check If You’re at Risk

Start with a Security Health Check

Before you can strengthen your system, you need to know where your vulnerabilities are. ArcGIS provides multiple security assessment tools that evaluate your deployment for potentially risky configuration settings. These tools do not detect active compromises, but they help identify gaps that could increase exposure if left unaddressed.

Run Security Scans

Leverage Esri’s tools to audit your deployment. The ArcGIS Security Adviser is designed to scan your ArcGIS Enterprise configuration and flag risky settings. The Portal for ArcGIS component of your ArcGIS Enterprise installation includes a Python script, portalScan.py, that checks for common security issues. ArcGIS Server has an equivalent Python script called serverScan.py. Running these scripts generates an HTML report of the critical or important weaknesses they find, such as an unrestricted proxy, HTTP communication, or exposed services directories. Review these scan results and address any “Critical” or “Important” issues promptly.

If using ArcGIS Enterprise on Kubernetes, you can use the Python script called kubernetesScan.py. The script is available in the directory where you extracted the deployment package, under setup/tools/security, and provides output similar to that of the portalScan.py script.

Stay Current with Supported Versions

It’s important to keep your ArcGIS Enterprise deployment on a supported release in General Availability or Extended Support and regularly apply security patches to maintain protection against vulnerabilities. Running a supported release in these phases of the product lifecycle ensures access to patches, security updates, and the latest hardening improvements. Running a retired release of ArcGIS Enterprise represents a high‑risk security posture. While restricting network access may reduce exposure temporarily, it does not address the underlying risk created by unpatched software. In many cases, this situation indicates that the organization may benefit from reevaluating its deployment strategy, including upgrading to a current release or considering a hosted option where security updates are managed automatically. If you’re on a supported version, deploy the latest updates as they are released for the various components, including Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store, and ArcGIS Web Adaptor. You can also subscribe to the RSS feed, which provides notifications regarding security patches and their associated risks.

Keep Software Updated & Configure Key Settings

Running the latest release of ArcGIS Enterprise ensures you benefit from the latest security enhancements. For instance, ArcGIS Enterprise 12.0 restricts the portal’s proxy capability by default, eliminating a class of attacks that exploit an open proxy. This aligns with best practices outlined in the ArcGIS Enterprise Hardening Guide.

Detection and Response: What to Do If You Find a Risk

Once you identify potential risks, the next step is applying proven hardening practices.

Harden Your Configuration

If an assessment, such as a scan using ArcGIS Security Adviser or the portalScan.py script, reveals weaknesses, take corrective action immediately. For example, if your ArcGIS Enterprise administrative interfaces are accessible to the public, close those doors. If possible, restrict them to internal networks or VPN access, and enable multi-factor authentication for administrator logins. Implement all the fixes recommended by the Security Adviser or the portalScan and serverScan results (enforce HTTPS-only, disable anonymous access, etc.). Critically, ensure no unexpected add-ons or extensions are present.

Logging and Monitoring Require Centralized Analysis

ArcGIS Enterprise generates logs that are essential for security monitoring, but reviewing these logs manually is not a realistic or effective way to detect suspicious activity at scale. Meaningful detection requires centralizing logs and applying automated analysis. For this reason, organizations should forward ArcGIS Enterprise logs to a Security Information and Event Management (SIEM) system, where events can be correlated, analyzed, and alerted on in real time.

Logging capabilities have improved incrementally across ArcGIS Enterprise releases, with newer versions providing more complete audit coverage. Older releases may lack sufficient logging detail for effective detection, further reinforcing the importance of staying current. Guidance for exporting ArcGIS Enterprise logs to a SIEM is provided in the ArcGIS Enterprise Hardening Guide.

Also monitor ArcGIS Server logs for unexpected requests (for instance, odd parameters or base64-encoded payloads in REST calls). Attackers who gain administrative access to ArcGIS Enterprise can use legitimate APIs in unintended ways, so a sudden spike in administrative actions could indicate potential trouble. Consider setting alerts for these anomalies so that you are notified as soon as they occur.
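The checks described above, sketched as an added example (not Esri's code and not part of the original article): it flags base64-looking parameter values in REST calls, administrative requests from outside the internal network, and per-client spikes in administrative requests. The combined-log line format, the default `arcgis`/`portal` context names, the internal range, the threshold and the exclusion of the `token` parameter are all assumptions to adapt to your own deployment and SIEM.

```python
import base64, binascii, ipaddress, re
from collections import Counter
from urllib.parse import parse_qsl, quote, urlsplit

# Assumed for this sketch: default "arcgis"/"portal" context names, 10.0.0.0/8
# as the internal range, and five admin calls per client per minute as a spike.
ADMIN_PREFIXES = ("/arcgis/admin", "/arcgis/manager", "/portal/portaladmin")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SPIKE_THRESHOLD = 5
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
B64 = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")

def looks_base64(value):
    """True for long values that decode as (URL-safe) base64; a heuristic."""
    core = value.rstrip("=")
    if not B64.match(value):
        return False
    try:
        base64.b64decode(core + "=" * (-len(core) % 4), altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def analyze(log_text):
    """Return (kind, client, detail) findings for one batch of access-log lines."""
    findings, per_minute = [], Counter()
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        client, ts, target = m.groups()
        url = urlsplit(target)
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key != "token" and looks_base64(value):  # session tokens are expected
                findings.append(("base64_param", client, f"{url.path}?{key}"))
        if url.path.startswith(ADMIN_PREFIXES):
            if ipaddress.ip_address(client) not in INTERNAL:
                findings.append(("external_admin", client, url.path))
            per_minute[(client, ts[:17])] += 1  # bucket by client and minute
    for (client, minute), n in per_minute.items():
        if n >= SPIKE_THRESHOLD:
            findings.append(("admin_spike", client, f"{n} calls in {minute}"))
    return findings

# Constructed sample (combined-log style, as a reverse proxy might write it);
# the blob is harmless text, encoded only to exercise the detector.
BLOB = quote(base64.b64encode(b"constructed sample payload, not real data").decode(), safe="")
ROWS = [("10.0.4.12", 14, "/arcgis/rest/services/Parcels/MapServer/0/query?where=1%3D1&f=json"),
        ("203.0.113.50", 14, f"/arcgis/rest/services/Parcels/MapServer/0/query?where={BLOB}&f=json"),
        ("198.51.100.9", 15, "/arcgis/admin/login")] + [("10.0.9.30", 16, "/arcgis/admin/services")] * 6
SAMPLE = "\n".join(f'{ip} - - [03/Mar/2025:09:{mm}:00 +0000] "GET {p} HTTP/1.1" 200 512' for ip, mm, p in ROWS)
```

In production this logic belongs in SIEM correlation rules; the base64 test is a heuristic and will need allow-listing for parameters that legitimately carry encoded data.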

Enhance Network Defense

Treat your ArcGIS Enterprise deployment as a high-value target on the network. Use a Web Application Firewall (WAF) to filter and inspect traffic to ArcGIS Enterprise endpoints. In many instances, a WAF could detect and block malicious web shell traffic. A WAF or intrusion detection system can provide an extra layer of awareness and protection for attacks that bypass normal software defenses.

Be Ready to Respond

If you do find evidence of a breach (for example, a malicious extension or suspicious administrator activity), have an incident response plan. This may involve coordinating with your IT security team at first, but you should also report the issue immediately through Esri’s Report a Security Issue page. Early engagement ensures appropriate investigation and guidance.

Build Long‑Term Security Readiness

Security is ongoing, not a one‑time setup. To detect threats early, GIS administrators should actively monitor ArcGIS Enterprise logs and set up alerts for anomalies.

Staying vigilant and proactive can greatly reduce the chance of a successful cyber-attack on your GIS infrastructure. By checking for risks and promptly hardening your ArcGIS Enterprise environment, you help ensure that your organization’s spatial data and services remain secure against today’s ever-increasing cyber threats.

Additional resources:

https://trust.arcgis.com/en/

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/2025-top-3-new-critical-security-recommendations

https://enterprise.arcgis.com/en/portal/latest/administer/windows/scan-your-portal-for-security-best-practices.htm

https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/understanding-arcgis-server-soe-compromise

Must‑Have ArcGIS Enterprise Security Resources

Here’s a curated list of Esri resources to support your security strategy:

Scanning & Assessment Tools

Hardening & Best Practices

Security Advisory & Incident Context

Planning & Version Support