{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Here are some of the recommended steps to ensure LocalMaps adheres to best practice security measures. These configurations will not be applied by default as this may need to be confirmed by your IT Team, particularly when LocalMaps is being installed alongside other software. The IT team needs to validate these against the specific LocalMaps instances and requirements. If they deem this to be appropriate, can choose to make these changes in the relevant instances. Some of these suggestions are related to the IIS configuration.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"General Best Practices","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"ArcGIS and Database Data Sources - Least Privilege Principle","type":"text"}]},{"type":"paragraph","content":[{"text":"The principle of least privilege is a security concept in which user accounts are given the minimum level of access necessary to perform their purpose. We strongly recommend you follow this principle when configuring data sources. ","type":"text"}]},{"type":"paragraph","content":[{"text":"When configuring ArcGIS sources using authentication, it is recommended that you use an account created specifically for this purpose with read-only access to only the services you wish to make available to LocalMaps queries. This includes any accounts used for RAMM or Hilltop syncing.","type":"text"}]},{"type":"paragraph","content":[{"text":"When configuring database sources, again use an account with read-only privileges. Limit the data that this account can access. Ideally stored procedures should be used as these allow much more control over permissions and better protection against any database breaches.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"IIS and Application Header Configuration","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"CORS Policy - LocalMaps Gallery web.config Customization","type":"text"}]},{"type":"paragraph","content":[{"text":"The CORS policy can be configured to match a specific client site by changing the ","type":"text"},{"text":"Access-Control-Allow-Origin","type":"text","marks":[{"type":"code"}]},{"text":" header value from * to the clients domain, e.g. ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://localmaps.demos.eaglegis.co.nz"}},{"text":" ","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n\t\n\t\n\t\n\t\n\t\n\t />\n\t\n\t\n","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Host Information disclosure - IIS Rewrite Module","type":"text"}]},{"type":"paragraph","content":[{"text":"The following headers can be removed from an implementation. This can help preventing any host information being disclosed unnecessarily. More details given below.","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://docs.microsoft.com/en-us/archive/blogs/benjaminperkins/change-or-modify-a-response-header-value-using-url-rewrite"}},{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Location","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n\n \n\n \n />\n \n \n \n \n \n\n ","type":"text"}]},{"type":"paragraph","content":[{"text":"Server","type":"text"}]},{"type":"codeBlock","content":[{"text":" \n\n \n \n \n \n\n ","type":"text"}]},{"type":"paragraph","content":[{"text":"ASP.NET","type":"text","marks":[{"type":"link","attrs":{"href":"http://ASP.NET"}}]},{"text":" Version","type":"text"}]},{"type":"codeBlock","content":[{"text":" \n \n \n \n \n \n\n ","type":"text"}]},{"type":"paragraph","content":[{"text":"X-Powered-By Header","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n \n \n \n","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"To do this, the IIS URL rewrite module can be used to remove the headers from any response.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"CSP - web.config customistation","type":"text"}]},{"type":"paragraph","content":[{"text":"Take extra care when customising the CSP (content security policy) - this can be difficult and may break things. To customize the below headers update ","type":"text"},{"text":"https://localmaps.demos.eaglegis.co.nz","type":"text","marks":[{"type":"link","attrs":{"href":"https://localmaps.demos.eaglegis.co.nz/"}}]},{"text":" to your Portal URL and ","type":"text"},{"text":"https://local-maps.maps.arcgis.com","type":"text","marks":[{"type":"link","attrs":{"href":"https://local-maps.maps.arcgis.com/"}}]},{"text":" to your ArcGIS Online URL. Further customization of the included URLs may be needed depending on your environment setup, authorization methods etc.","type":"text"},{"type":"hardBreak"},{"text":"To help configure CSP you can initially use the “Content-Security-Policy-Report-Only” header ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"}},{"text":" . This will apply the policy and show you in the browser console what is failing, whilst still allowing the site to load.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":" \n \n\n \n \n \n \n \n ","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Custom error pages - IIS Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"Custom error pages can be added to IIS to hide information disclosed when LocalMaps returns an error. This may affect other client applications and may make troubleshooting more difficult, but might be valuable to reduce the information which can be found publicly through any external facing LocalMaps site. For more information, please have a read through the Microsoft documentation at ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httperrors/"}},{"text":" ","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"HSTS Strict Transport Security","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts"}},{"text":" ","type":"text"}]}],"version":1}

Browser not supported