"}],"short_description":"Protecting your ArcGIS Enterprise deployment has never been more critical","flexible_content":[{"acf_fc_layout":"content","content":"In today\u2019s evolving cybersecurity landscape, protecting your ArcGIS Enterprise deployment has never been more critical. Attackers are becoming more sophisticated, and GIS systems often containing sensitive operational data are increasingly targeted.<\/p>\n
Newer releases of ArcGIS Enterprise continue to strengthen secure\u2011by\u2011default behavior, reducing the number of manual steps required to harden a deployment. Features such as restricted proxy behavior and improved logging are enabled automatically in current releases, allowing administrators to focus on validation and monitoring rather than foundational security setup.<\/p>\n
This guide curates the most important resources ArcGIS Enterprise administrators should use to maintain a strong security posture so you know exactly where to start, what to check, and how to stay protected.<\/p>\n"},{"acf_fc_layout":"content","content":"
Before you can strengthen your system, you need to know where your vulnerabilities are. ArcGIS provides multiple security assessment tools that evaluate your deployment for potentially risky configuration settings. These tools do not detect active compromises, but they help identify gaps that could increase exposure if left unaddressed.<\/p>\n"},{"acf_fc_layout":"content","content":"
Leverage Esri\u2019s tools to audit your deployment. The ArcGIS Security Adviser <\/strong><\/a>is<\/span>\u00a0designed to\u00a0<\/span>scan your ArcGIS Enterprise configuration and flag risky settings. <\/span>The Portal for ArcGIS component of your ArcGIS Enterprise installation on includes a Python script, portalS<\/span>can.py<\/span><\/span><\/a>,<\/span><\/span> that checks for common security issues. ArcGIS Server also has this same python script called, serverScan.py<\/a>. Running these scripts generates an HTML report of critical or important weaknesses it finds \u2013 such as an unrestricted proxy, HTTP communication, or exposed services directories. Review these scan results and address any \u201cCritical\u201d or \u201cImportant\u201d issues promptly.<\/p>\n If using ArcGIS Enterprise on Kubernetes, you can use the python script called kubernetesScan.py<\/a>. The script is available in the directory where you extracted the deployment package under setup\/tools\/security and provides a similar output to the portalScan.py script.<\/p>\n"},{"acf_fc_layout":"content","content":" It’s important to keep your ArcGIS Enterprise deployment on a supported release\u00a0<\/span>in\u00a0<\/span>G<\/span>eneral\u00a0<\/span>A<\/span>vailability or\u00a0<\/span>E<\/span>xtended\u00a0<\/span>S<\/span>upport<\/span><\/span><\/a> and regularly apply security patches to maintain protection against vulnerabilities. Running a supported release in these phases of the product lifecycle ensures access to patches, security updates, and the latest hardening improvements. Running a retired release of ArcGIS Enterprise represents a high\u2011risk security posture. While restricting network access may reduce exposure temporarily, it does not address the underlying risk created by unpatched software. In many cases, this situation indicates that the organization may benefit from reevaluating its deployment strategy, including upgrading to a current release or considering a hosted option where security updates are managed automatically. If you\u2019re on a supported version, deploy the latest updates as they are released for the various components including Portal for ArcGIS, ArcGIS Server, ArcGIS Data Store, and ArcGIS Web Adaptor. It is important to be aware that you can subscribe to the RSS feed<\/a>, which provides notifications regarding security patches and their associated risks.<\/p>\n"},{"acf_fc_layout":"content","content":" Running the latest release of ArcGIS Enterprise ensures you benefit from improved security enhancements. For instance, ArcGIS Enterprise 12.0 restricts the portal\u2019s proxy capability by default, eliminating a class of attacks that exploit an open proxy. This aligns with best practices outlined in the ArcGIS Enterprise Hardening Guide<\/a>.<\/p>\n"},{"acf_fc_layout":"content","content":" Once you identify potential risks, the next step is applying proven hardening practices.<\/p>\n"},{"acf_fc_layout":"content","content":" If an assessment reveals weaknesses, such as a scan using ArcGIS Security Adviser<\/a> or the portalScan.py script, take corrective action immediately. For example, if your ArcGIS Enterprise administrative interfaces are accessible to the public, close those doors. If possible, restrict them to internal networks or VPN access, and enable multi-factor authentication for administrator logins. Implement all the fixes recommended by the Security Adviser or portalScan and serverScan results (enforce HTTPS-only, disable anonymous access, etc.). Critically ensure no unexpected add-ons or extensions are present.<\/p>\n"},{"acf_fc_layout":"sidebar","content":" Critical Fixes Checklist<\/u><\/strong><\/p>\n This list highlights a few common starting points, but it is not a complete security baseline. For a prioritized and comprehensive set of controls, refer to the ArcGIS Enterprise Hardening Guide.<\/a><\/p>\n ArcGIS Enterprise generates logs that are essential for security monitoring, but reviewing these logs manually is not a realistic or effective way to detect suspicious activity at scale. Meaningful detection requires centralizing logs and applying automated analysis. For this reason, organizations should forward ArcGIS Enterprise logs to a Security Information and Event Management (SIEM) system, where events can be correlated, analyzed, and alerted on in real time.<\/p>\n Logging capabilities have improved incrementally across ArcGIS Enterprise releases, with newer versions providing more complete audit coverage. Older releases may lack sufficient logging detail for effective detection, further reinforcing the importance of staying current. Guidance for exporting ArcGIS Enterprise logs to a SIEM is provided in the ArcGIS Enterprise Hardening Guide<\/a>.<\/p>\n Also monitor ArcGIS Server logs for unexpected requests (for instance, odd parameters or base64-encoded payloads in REST calls). Attackers who gain administrative access to ArcGIS Enterprise have access to legitimate APIs in an unintended way, so a sudden spike in administrative actions could indicate potential trouble. Consider setting alerts for these anomalies to help keep you notified at all times.<\/p>\n"},{"acf_fc_layout":"content","content":" Treat your ArcGIS Enterprise deployment as a high-value target on the network. Use a Web Application Firewall (WAF) to filter and inspect traffic to ArcGIS Enterprise endpoints. In many instances, a WAF could detect and block malicious web shell traffic. A WAF or intrusion detection system can provide an extra layer of awareness and protection for attacks that bypass normal software defenses.<\/p>\n"},{"acf_fc_layout":"content","content":" If you do find evidence of a breach (for example, a malicious extension or suspicious administrator activity), have an incident response plan. This may involve coordinating with your IT security team at first but report the issue immediately through ESRI\u2019s Report a Security Issue page<\/a>. Early engagement ensures appropriate investigation and guidance.<\/p>\n"},{"acf_fc_layout":"content","content":" Security is ongoing, not a one\u2011time setup. To detect threats early, GIS administrators should actively monitor ArcGIS Enterprise logs and set up alerts for anomalies.<\/p>\n Staying vigilant and proactive can greatly reduce the chance of a successful cyber-attack on your GIS infrastructure. By checking for risks and promptly hardening your ArcGIS Enterprise environment, you help ensure that your organization\u2019s spatial data and services remain secure against today\u2019s ever-increasing cyber threats.<\/p>\n Additional resources:<\/p>\n https:\/\/trust.arcgis.com\/en\/<\/a><\/p>\n https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/2025-top-3-new-critical-security-recommendations<\/a><\/p>\n https:\/\/enterprise.arcgis.com\/en\/portal\/latest\/administer\/windows\/scan-your-portal-for-security-best-practices.htm<\/a><\/p>\n https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/understanding-arcgis-server-soe-compromise<\/a><\/p>\n"},{"acf_fc_layout":"content","content":" Here\u2019s a curated list of Esri resources to support your security strategy:<\/p>\n Scanning & Assessment Tools<\/strong><\/p>\n Hardening & Best Practices<\/strong><\/p>\n Security Advisory & Incident Context<\/strong><\/p>\nStay Current with Supported Versions<\/h3>\n"},{"acf_fc_layout":"content","content":"
Keep Software Updated & Configure Key Settings<\/h3>\n"},{"acf_fc_layout":"content","content":"
Detection and Response: What to Do If You Find a Risk<\/strong><\/h2>\n"},{"acf_fc_layout":"content","content":"
Harden Your Configuration<\/h3>\n"},{"acf_fc_layout":"content","content":"
\n
Logging and Monitoring Require Centralized Analysis<\/h3>\n"},{"acf_fc_layout":"content","content":"
Enhance Network Defense<\/h3>\n"},{"acf_fc_layout":"content","content":"
Be Ready to Respond<\/h3>\n"},{"acf_fc_layout":"content","content":"
Build Long\u2011Term Security Readiness<\/strong><\/h2>\n"},{"acf_fc_layout":"content","content":"
Must\u2011Have ArcGIS Enterprise Security Resources<\/strong><\/h2>\n"},{"acf_fc_layout":"content","content":"
\n
\n