{"id":2788562,"date":"2025-05-09T09:41:33","date_gmt":"2025-05-09T16:41:33","guid":{"rendered":"https:\/\/www.esri.com\/arcgis-blog\/?post_type=blog&#038;p=2788562"},"modified":"2025-05-27T11:14:00","modified_gmt":"2025-05-27T18:14:00","slug":"2025-top-3-new-critical-security-recommendations","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations","title":{"rendered":"2025 Top 3 New Critical Security Recommendations"},"author":3911,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501],"tags":[33511,24071,241722],"industry":[],"product":[36571,763582],"class_list":["post-2788562","blog","type-blog","status-publish","format-standard","hentry","category-administration","tag-configuration","tag-security","tag-ssamlymlgp","product-arcgis-enterprise","product-trust-arcgis"],"acf":{"short_description":"This announcement covers three new critical security configuration recommendations that ArcGIS Enterprise customers should immediately validate.","flexible_content":[{"acf_fc_layout":"content","content":"<p>Security recommendations for Esri products and operations evolve as new capabilities become available and less secure configurations can be eliminated. 
This announcement covers three new critical security configuration recommendations that ArcGIS Enterprise customers should immediately validate:<\/p>\n<ul>\n<li>Configure allowedProxyHosts<\/li>\n<li>Remove legacy API Keys<\/li>\n<li>Remove Forward Proxy Authentication<\/li>\n<\/ul>\n<p><strong><br \/>\nConfigure Portal for ArcGIS Proxy Allow List (allowedProxyHosts)<\/strong><br \/>\nArcGIS Enterprise includes a sharing proxy, which should always be configured by the customer to reduce their risk of Denial of Service (DoS) or Server-Side Request Forgery (SSRF) attacks exploiting their operations. The allowedProxyHosts property was initially listed as an Advanced profile item in the <a href=\"https:\/\/downloads.esri.com\/RESOURCES\/ENTERPRISEGIS\/ArcGIS_Enterprise_Hardening_Guide.pdf#page=18\">ArcGIS Enterprise Hardening Guide<\/a> due to potential implementation challenges; however, we have moved it to the Basic profile, which means ALL customers should configure it \u2013 <a href=\"https:\/\/downloads.esri.com\/RESOURCES\/ENTERPRISEGIS\/ArcGIS_Enterprise_Hardening_Guide.pdf#page=137\">see Appendix J for configuration guidance details in the latest hardening guide<\/a>. Note that Esri is working towards disabling the usage of the sharing proxy by default for new deployments starting with the ArcGIS Enterprise 12.0 release. Until then, always configure allowedProxyHosts.<\/p>\n<p><strong>Remove legacy API Keys<\/strong><br \/>\nEsri has introduced <a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/api-key-authentication\/\">new API Keys<\/a> in ArcGIS Location Platform, ArcGIS Online, and ArcGIS Enterprise, which have stronger security mechanisms built in and can be scoped for significantly stronger security assurance. Though ArcGIS Enterprise cannot create or process Legacy API Keys, some customers have embedded them into their ArcGIS Enterprise deployment by appending them to URLs calling ArcGIS Online and Location Platform. 
<a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/api-key-authentication\/api-key-legacy\/\">Legacy API Keys<\/a> are inherently insecure as they are not scoped and never expire. While Esri will allow legacy API keys to work for accessing ArcGIS services until their retirement in 2026, customers should transition to the new API key credentials immediately and remove\/delete legacy API keys from all ArcGIS systems.<\/p>\n<p><strong>Avoid Forward Proxy Authentication<\/strong><br \/>\nIf your organization requires routing all Internet-bound traffic from your ArcGIS Enterprise systems to a proxy your organization manages, please ensure the following \u2013 otherwise skip to the Bonus section below. Basic authentication for use between ArcGIS Enterprise and a customer&#8217;s <a href=\"https:\/\/enterprise.arcgis.com\/en\/portal\/latest\/administer\/windows\/using-a-forward-proxy-server-with-portal-for-arcgis.htm\">Forward Proxying<\/a> system was incorporated many years ago to reduce access of systems utilizing the Forward Proxy to communicate with Internet systems. Due to how frequently we have seen Forward Proxies being incorrectly configured when utilizing Basic Authentication, Esri now strongly recommends NOT USING Basic Authentication between ArcGIS Enterprise and Forward Proxies, and instead utilizing industry-standard restricted communications between systems such as network access controls. This recommendation was added to the latest <a href=\"https:\/\/downloads.esri.com\/RESOURCES\/ENTERPRISEGIS\/ArcGIS_Enterprise_Hardening_Guide.pdf#page=50\">ArcGIS Enterprise Hardening guide as a Basic profile security recommendation (See page 46)<\/a>. 
We are considering deprecating Basic Authentication support with customer forward proxies in future releases due to the risk it can present.<\/p>\n<p><strong>BONUS \u2013 Criticality of Product Updates<\/strong><br \/>\nLastly, a reminder that using products under a <a href=\"https:\/\/support.esri.com\/en-us\/products\/arcgis-enterprise\/life-cycle\">Mature or Retired life cycle status<\/a> is an extraordinarily high-risk deployment and should NOT be exposed to the Internet. This includes ArcGIS Enterprise 11.0 and ArcGIS Enterprise 10.9 and earlier. We strongly recommend keeping your systems updated with at least general availability versions of our products if not the latest version.<\/p>\n<p>Thanks for taking a few minutes to understand and hopefully implement these new recommendations for helping improve your organization\u2019s ArcGIS cybersecurity posture. Let us know if you have any questions, suggestions or concerns with these new recommendations.<\/p>\n<p>&#8211; Esri Software Security &amp; Privacy<\/p>\n"}],"related_articles":"","show_article_image":false,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/05\/2025-Ent-Sec-Recommendatio-ns.jpg","wide_image":false,"authors":[{"ID":3911,"user_firstname":"Michael","user_lastname":"Young","nickname":"Michael Young","user_nicename":"myoung1000","display_name":"Michael Young","user_email":"myoung@esri.com","user_url":"http:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:15:29","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"}]},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>2025 Top 3 New Critical Security Recommendations<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, 
max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"2025 Top 3 New Critical Security Recommendations\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations\" \/>\n<meta property=\"og:site_name\" content=\"ArcGIS Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-27T18:14:00+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@ESRI\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations\"},\"author\":{\"name\":\"Michael Young\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678\"},\"headline\":\"2025 Top 3 New Critical Security 
Recommendations\",\"datePublished\":\"2025-05-09T16:41:33+00:00\",\"dateModified\":\"2025-05-27T18:14:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations\"},\"wordCount\":5,\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"keywords\":[\"configuration\",\"Security\",\"SSAMLYMLGP\"],\"articleSection\":[\"Administration\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations\",\"name\":\"2025 Top 3 New Critical Security Recommendations\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\"},\"datePublished\":\"2025-05-09T16:41:33+00:00\",\"dateModified\":\"2025-05-27T18:14:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esri.com\/arcgis-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"2025 Top 3 New Critical Security Recommendations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"name\":\"ArcGIS Blog\",\"description\":\"Get 
insider info from Esri product teams\",\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\",\"name\":\"Esri\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"width\":400,\"height\":400,\"caption\":\"Esri\"},\"image\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/esrigis\/\",\"https:\/\/x.com\/ESRI\",\"https:\/\/www.linkedin.com\/company\/5311\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678\",\"name\":\"Michael Young\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg\",\"caption\":\"Michael Young\"},\"sameAs\":[\"http:\/\/trust.arcgis.com\"],\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/author\/myoung1000\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"2025 Top 3 New Critical Security Recommendations","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations","og_locale":"en_US","og_type":"article","og_title":"2025 Top 3 New Critical Security Recommendations","og_url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations","og_site_name":"ArcGIS Blog","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","article_modified_time":"2025-05-27T18:14:00+00:00","twitter_card":"summary_large_image","twitter_site":"@ESRI","twitter_misc":{"Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations#article","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations"},"author":{"name":"Michael Young","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678"},"headline":"2025 Top 3 New Critical Security 
Recommendations","datePublished":"2025-05-09T16:41:33+00:00","dateModified":"2025-05-27T18:14:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations"},"wordCount":5,"publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"keywords":["configuration","Security","SSAMLYMLGP"],"articleSection":["Administration"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations","url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations","name":"2025 Top 3 New Critical Security Recommendations","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#website"},"datePublished":"2025-05-09T16:41:33+00:00","dateModified":"2025-05-27T18:14:00+00:00","breadcrumb":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/arcgis-blog\/"},{"@type":"ListItem","position":2,"name":"2025 Top 3 New Critical Security Recommendations"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/arcgis-blog\/#website","url":"https:\/\/www.esri.com\/arcgis-blog\/","name":"ArcGIS Blog","description":"Get insider info from Esri product 
teams","publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization","name":"Esri","url":"https:\/\/www.esri.com\/arcgis-blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","width":400,"height":400,"caption":"Esri"},"image":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/esrigis\/","https:\/\/x.com\/ESRI","https:\/\/www.linkedin.com\/company\/5311\/"]},{"@type":"Person","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/b1e77881551053100a9cef9dba632678","name":"Michael Young","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg","caption":"Michael Young"},"sameAs":["http:\/\/trust.arcgis.com"],"url":"https:\/\/www.esri.com\/arcgis-blog\/author\/myoung1000"}]}},"text_date":"May 9, 2025","author_name":"Michael Young","author_page":"https:\/\/www.esri.com\/arcgis-blog\/author\/myoung1000","custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS Trust 
Center","tag_data":[{"term_id":33511,"name":"configuration","slug":"configuration","term_group":0,"term_taxonomy_id":33511,"taxonomy":"post_tag","description":"","parent":0,"count":9,"filter":"raw"},{"term_id":24071,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":24071,"taxonomy":"post_tag","description":"","parent":0,"count":126,"filter":"raw"},{"term_id":241722,"name":"SSAMLYMLGP","slug":"ssamlymlgp","term_group":0,"term_taxonomy_id":241722,"taxonomy":"post_tag","description":"","parent":0,"count":25,"filter":"raw"}],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":428,"filter":"raw"}],"product_data":[{"term_id":36571,"name":"ArcGIS Enterprise","slug":"arcgis-enterprise","term_group":0,"term_taxonomy_id":36571,"taxonomy":"product","description":"","parent":0,"count":979,"filter":"raw"},{"term_id":763582,"name":"ArcGIS Trust Center","slug":"trust-arcgis","term_group":0,"term_taxonomy_id":763582,"taxonomy":"product","description":"Reserved for articles authored by the ArcGIS Trust Center 
team","parent":36981,"count":89,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=trust-arcgis","_links":{"self":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2788562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/users\/3911"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/comments?post=2788562"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2788562\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/media?parent=2788562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/categories?post=2788562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/tags?post=2788562"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/industry?post=2788562"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/product?post=2788562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}