Security recommendations for Esri products and operations evolve as new capabilities become available and less secure configurations can be eliminated. This announcement covers three new critical security configuration recommendations that ArcGIS Enterprise customers should immediately validate:
- Configure allowedProxyHosts
- Remove legacy API Keys
- Remove Forward Proxy Authentication
Configure Portal for ArcGIS Proxy Allow List (allowedProxyHosts)
ArcGIS Enterprise includes a sharing proxy which should always be configured by the customer to reduce their risk of Denial of Service (DoS) or Server-Side Request Forgery (SSRF) attacks exploiting their operations. The allowedProxyHosts property was initially listed as an Advanced profile item in the ArcGIS Enterprise Hardening Guide due to potential implementation challenges, however we have moved it to the Basic profile, which means ALL customers should configure it – see Appendix J for configuration guidance details in the latest hardening guide. Note that Esri is working towards disabling the usage of the sharing proxy by default for new deployments starting with ArcGIS Enterprise 12.0 release – Until then, always configure allowedProxyHosts.
Remove legacy API Keys
Esri has introduced new API Keys in ArcGIS Location Platform, ArcGIS Online, and ArcGIS Enterprise which have stronger security mechanisms built-in and can be scoped for significantly stronger security assurance. Though ArcGIS Enterprise cannot create or process Legacy API Keys, some customers have embedded them into their ArcGIS Enterprise deployment by appending them to URLs calling ArcGIS Online and Location Platform. Legacy API Keys are inherently insecure as they are not scoped and never expire. While Esri will allow legacy API keys to work for accessing ArcGIS services until their retirement in 2026, customers should transition to the new API key credentials immediately and remove/delete legacy API keys from all ArcGIS systems.
Avoid Forward Proxy Authentication
If your organization requires routing all Internet bound traffic from your ArcGIS Enterprise systems to a proxy your organization manages, please ensure the following – otherwise skip to the Bonus section below. Basic authentication for use between ArcGIS Enterprise and a customer’s Forward Proxying system was incorporated many years ago to reduce access of systems utilizing the Forward Proxy to communicate with Internet systems. Due to how frequently we have seen Forward Proxies being incorrectly configured when utilizing Basic Authentication, Esri now strongly recommends NOT USING Basic Authentication between ArcGIS Enterprise and Forward Proxies,and instead utilizing industry standard restricted communications between systems such as network access controls – This recommendation was added to the latest ArcGIS Enterprise Hardening guide as a Basic profile security recommendation (See page 46). We are considering deprecating Basic Authentication support with customer forward proxies in future releases due to the risk it can present.
BONUS – Criticality of Product Updates
Lastly, a reminder that using products under a Mature or Retired life cycle status is an extraordinarily high-risk deployment and should NOT be exposed to the Internet. This includes ArcGIS Enterprise 11.0 and ArcGIS Enterprise 10.9 and earlier. We strongly recommend keeping your systems updated with at least general availability versions of our products if not the latest version.
Thanks for taking a few minutes to understand and hopefully implement these new recommendations for helping improve your organization’s ArcGIS cybersecurity posture. Let us know if you have any questions, suggestions or concerns with these new recommendations.
– Esri Software Security & Privacy
Commenting is not enabled for this article.