LocalMaps - Best practice security measures
Here are some of the recommended steps to ensure LocalMaps adheres to best practice security measures. These configurations are not applied by default, as they may need to be confirmed by your IT team, particularly when LocalMaps is installed alongside other software. The IT team needs to validate these against the specific LocalMaps instances and requirements; if they deem them appropriate, they can choose to make these changes in the relevant instances. Some of these suggestions relate to the IIS configuration.
General Best Practices
ArcGIS and Database Data Sources - Least Privilege Principle
The principle of least privilege is a security concept in which user accounts are given the minimum level of access necessary to perform their purpose. We strongly recommend you follow this principle when configuring data sources.
When configuring ArcGIS sources using authentication, it is recommended that you use an account created specifically for this purpose with read-only access to only the services you wish to make available to LocalMaps queries. This includes any accounts used for RAMM or Hilltop syncing.
When configuring database sources, again use an account with read-only privileges. Limit the data that this account can access. Ideally stored procedures should be used as these allow much more control over permissions and better protection against any database breaches.
IIS and Application Header Configuration
CORS Policy - LocalMaps Gallery web.config Customization
The CORS policy can be configured to match a specific client site by changing the Access-Control-Allow-Origin header value from * to the client's domain, e.g. https://localmaps.demos.eaglegis.co.nz
<customHeaders>
  <remove name="Access-Control-Allow-Origin" />
  <remove name="X-UA-Compatible" />
  <add name="Access-Control-Allow-Methods" value="OPTIONS,GET,POST,CONNECT" />
  <add name="X-UA-Compatible" value="IE=Edge" />
  <!-- Change from the Default to the Updated value below to configure CORS.
       Keep only one Access-Control-Allow-Origin entry active. -->
  <!-- Default: <add name="Access-Control-Allow-Origin" value="*" /> -->
  <!-- Updated: replace the origin below with your own client site -->
  <add name="Access-Control-Allow-Origin" value="https://localmaps.demos.eaglegis.co.nz" />
  <add name="Access-Control-Allow-Headers" value="Content-Type, X-Requested-With, Authorization" />
  <!-- ... other headers ... -->
</customHeaders>
Host Information disclosure - IIS Rewrite Module
The following response headers can be removed from an implementation. This helps prevent host information from being disclosed unnecessarily. Details are given below.
Location
<outboundRules>
  <!-- This rule changes the domain in the HTTP Location header for redirection responses -->
  <rule name="Change Location Header">
    <match serverVariable="RESPONSE_LOCATION" pattern="^http://[^/]+/(.*)" />
    <conditions>
      <add input="{RESPONSE_STATUS}" pattern="^301" />
    </conditions>
    <!-- An empty value strips the Location header from matching 301 responses, so the
         redirect no longer works. To keep the redirect but hide the internal host name,
         rewrite to your public URL followed by /{R:1} (the path captured above). -->
    <action type="Rewrite" value="" />
  </rule>
</outboundRules>
Server
<outboundRules rewriteBeforeCache="true">
  <rule name="Remove Server header">
    <!-- Rewriting the response header to an empty value removes it -->
    <match serverVariable="RESPONSE_Server" pattern=".+" />
    <action type="Rewrite" value="" />
  </rule>
</outboundRules>
ASP.NET Version
X-Powered-By Header
These two headers can also be removed from any response with the IIS URL Rewrite module, using an outbound rule of the same form as the Server header rule above.
CSP - web.config customisation
Take extra care when customising the CSP (Content Security Policy): this can be difficult and may break things. To customise the headers below, replace https://localmaps.demos.eaglegis.co.nz with your Portal URL and https://local-maps.maps.arcgis.com with your ArcGIS Online URL. Further customisation of the included URLs may be needed depending on your environment setup, authorisation methods etc.
To help configure the CSP you can initially use the "Content-Security-Policy-Report-Only" header (see the MDN page for Content-Security-Policy-Report-Only). This applies the policy and shows you in the browser console what would be blocked, whilst still allowing the site to load.
Custom error pages - IIS Configuration
Custom error pages can be added to IIS to hide the information disclosed when LocalMaps returns an error. This may affect other client applications and can make troubleshooting more difficult, but it reduces the information that can be found publicly through any externally facing LocalMaps site. For more information, please have a read through the Microsoft documentation for HTTP Errors (<httpErrors>).
HSTS - HTTP Strict Transport Security
See the Microsoft article "IIS 10.0 Version 1709 HTTP Strict Transport Security (HSTS) Support" for how to enable HSTS natively in IIS.
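As an added check that is not part of LocalMaps or this guide, the Python script below evaluates one response's headers against the points above (CORS origin, Server / X-Powered-By / ASP.NET version disclosure, Location header host and scheme, HSTS). The allowed origin, the public host name and the sample header values are assumptions constructed for the example; point it at headers captured from your own site to confirm the IIS changes took effect.

```python
# Added example (not LocalMaps code): audit one response's headers against the
# recommendations in this guide. Sample headers are constructed; the public host
# and allowed origin are assumptions.
from urllib.parse import urlsplit
# Headers that disclose the server platform (Server, X-Powered-By, ASP.NET version)
HOST_LEAK_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")


def audit_headers(headers, allowed_origin, public_host):
    """Return a list of findings; an empty list means every check passed.

    headers: header name -> value (names are matched case-insensitively).
    allowed_origin: the single origin the CORS policy should allow.
    public_host: the externally visible host; a Location header pointing at
    another host (e.g. an internal server name) is reported.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append(f"CORS: Access-Control-Allow-Origin is '*'; restrict it to {allowed_origin}")
    elif acao and acao != allowed_origin:
        findings.append(f"CORS: unexpected origin '{acao}'")
    for name in HOST_LEAK_HEADERS:
        if h.get(name.lower()):
            findings.append(f"Disclosure: {name} header present ({h[name.lower()]})")
    loc = urlsplit(h.get("location", ""))
    if loc.scheme == "http":
        findings.append("Redirect: Location uses plain http")
    if loc.netloc and loc.netloc.lower() != public_host.lower():
        findings.append(f"Redirect: Location points at '{loc.netloc}', not the public host")
    if "max-age" not in h.get("strict-transport-security", "").lower():
        findings.append("HSTS: Strict-Transport-Security header missing")
    return findings


# Constructed sample: what an unhardened IIS response might carry.
SAMPLE_BEFORE = {
    "Access-Control-Allow-Origin": "*",
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Location": "http://localmaps-app01/LocalMaps/",
}

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_BEFORE, "https://localmaps.demos.eaglegis.co.nz",
                           "localmaps.demos.eaglegis.co.nz"):
        print("-", f)
```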