Cybersecurity Best Practices

Software is the backbone of modern business operations, powering everything from Utility Networks to data analytics. A growing reliance on technology and data also exposes everyone to increasing risks. Implementing robust software security practices is essential for any business that wants to protect sensitive data, maintain customer trust, and avoid costly downtime.

In addition to security considerations for ArcGIS Server and Portal for ArcGIS, the topics in this section include information about our privacy policy plus the importance of digital signatures. These recommendations are relatively standard across all XI series apps, and app-specific ones are in the topics below.

ArcGIS Server Considerations

All ArcGIS Servers must be protected against cross-site scripting attacks by configuring the origins allowed to be accessed alongside content from ArcGIS Server.

IMPORTANT: It is crucial that you follow the instructions to Restrict cross-domain requests to ArcGIS Server and also secure your ArcGIS Server site according to the guidelines that Esri provides.
ArcGIS Server is usually hosted within another HTTP stack (IIS, Apache). Follow the vendor's best practices for hardening the server against attack.
If you install ArcGIS Web Adaptor to allow ArcGIS Server to integrate with your existing web server, you must enable HTTPS on your web server, which means you need to obtain a server certificate and bind it to the website that hosts ArcGIS Web Adaptor.
You must specify the log retention period for ArcGIS Server logs. The retention period aligns with your policy but we recommend the debug level be set to the default value of Error. Only change this setting when actively troubleshooting an issue. The ArcGIS Server logs should never be disabled. See the Esri topic about how to specify server log settings for more information.

Portal for ArcGIS Considerations

Your Portal-based authentication can use Portal built-in users or Active Directory (AD)-based users.
Whether you use built-in users or AD-based users, you need to let traffic come from Auth0 (a hosted service that enables single sign-on) through the firewall to your Portal instance.
Decide which groups, whether built-in or AD-based, map to which roles as specified in the ArcFM Solution XI Series Named User Functionality Matrix. We make assignments via group information from the identity provider so that group membership can be managed in a central location.
Refer to Esri’s recommendations for securing your portal, which are outlined in their securing your portal article.

Machine-to-Machine Credential Management

If your organization uses operational maps with machine-to-machine (M2M) credentials, as a best practice we highly recommend that you regularly cycle those credentials.

Privacy Policy

For details about how Schneider Electric processes and protects your personal information, refer to the ArcFM Privacy article on myArcFM.

Digital Signatures

Schneider Electric’s ArcFMXI software is always digitally signed. However, in the extremely rare event that an issue arises, the software should not be installed and you should contact Technical Support. If the application doesn’t open, then there might be an issue with the validity of the digital signature.

For an extra level of security, you can manually check the digital signature for any of our software. You have a couple options:

Digital Signature Details

Contact Technical Support to obtain the digitally-signed hash number for the executable that we deployed to you.
Right-click the executable and select Properties > Digital Signatures tab.
Under Signature List, select the Schneider Electric entry and click Details. You can view the signing status near the top of the Digital Signatures Details window.
Under Countersignatures, select DigiCert Timestamp and click Details.
In the Signature section, look for Subject Key Identifier and select it.
Using the hash number in the Value section, compare it with the one Technical Support provided.
If they don’t match, you should contact Technical Support to obtain the properly signed executable.

Command Line Hash Comparison

Contact Technical Support to obtain the digitally-signed hash number for the executable that we deployed to you.
At a command prompt, switch to the subfolder where the executable is located.
Type Get-FileHash <name of executable>.exe | Format-List and hit Enter, after which you are given a hash number.
At the command prompt, type (Get-FileHash <name of executable>.exe).hash -eq “<hash number given to you by Technical Support>” and hit Enter. You then receive a response of True or False.
If the response is false, you should contact Technical Support to obtain the properly signed executable.

ArcGIS Add-In Installation Recommendations

Add-ins for Editor XI and Fiber Manager XI are custom functionality created by developers or users that integrate seamlessly with ArcGIS Pro. These can be installed to a default local folder with an installation utility or loaded from a folder designated as a well-known folder.

Add-ins appear on the Add-In Manager page in ArcGIS Pro settings. It is strongly recommended that you install ArcGIS Add-Ins using the Esri ArcGIS Add-In Installation Utility.

To verify that an add-in is trustworthy, locate and double-click the add-in file to open the Add-In Installation Utility. The Utility’s dialog box displays pertinent add-in information, such as the name, date, author, version, and description of the add-in. If the add-in file is digitally signed, signature information is also displayed in this dialog.

A secure add-in file must have at least one digital signature that is both valid and trusted. An invalid signature indicates that the contents of the add-in file have been modified in some way since the signature was applied.