Security Considerations

This topic provides security recommendations.


Vulnerabilities in Third Party Applications

Designer XI can import CAD files into a design. To do so, Designer XI leverages a component provided by the Open Design Alliance (ODA) to process the CAD file during import. Schneider Electric is aware of a current vulnerability in the ODA component. However, while Designer XI employs the component, it does not employ the specific function that is currently vulnerable. Designer XI imports CAD files from the local disk drive or a folder on a local network, and it does not expose end users to the vulnerability. Thus, there is no risk posed by this current vulnerability.

Schneider Electric is aware of the vulnerability and is actively engaged with the ODA supplier. We continue to monitor the situation. As soon as a patched version of the component is released, a patch for Designer XI will also be released.

For technical details about the vulnerability, visit the topic CVE-2022-37434.


ArcGIS Server:

  • All ArcGIS Servers must be protected against cross-site scripting attacks by configuring which origins are allowed to access content from ArcGIS Server. It is crucial that you follow the instructions to Restrict cross-domain requests to ArcGIS Server.

  • ArcGIS Server is usually hosted within another HTTP stack (IIS, Apache). Follow the vendor's best practices for hardening the server against attack.

  • If you install ArcGIS Web Adaptor to allow ArcGIS Server to integrate with your existing web server, you must enable HTTPS on your web server, which means you need to obtain a server certificate and bind it to the website that hosts ArcGIS Web Adaptor.


ArcGIS Portal (if using Portal for authentication):

  1. Your Portal-based authentication can use Portal built-in users or Active Directory (AD)-based users.

  2. Whether you use built-in users or AD-based users, you need to allow traffic from Auth0 (a hosted service that enables single sign-on) through the firewall to your portal instance.

  3. Decide which groups, whether built-in or AD-based, map to which roles as specified during Tenant Provisioning. We make assignments via group information from the identity provider so that group membership can be managed in a central location.


Client Devices that Run the Designer XI Application

Designer XI provides users with offline access to an important asset of the organization: its GIS data. As such, it is important to secure that data against theft.

Recommendations specifically for securing client devices:

  1. Enable full disk encryption on devices that host Designer XI.

  2. Configure the screen lock timeout to a maximum of five minutes.

  3. Follow these recommendations for general Windows settings:

    • Do not grant local administrator privileges to end users.

    • Do not grant end-user accounts permission to install applications.

    • Use application “allow-listing” to permit only approved applications or executables to run.

    • Use real-time endpoint protection to detect unauthorized changes to installed components.
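The client-device recommendations above, expressed as a compliance check that an administrator can run on a workstation; this is an added example, not part of the Schneider Electric documentation or the Designer XI product. It assumes Microsoft Defender and AppLocker are the endpoint protection and allow-listing mechanisms in use (other products need other queries) and does not cover the install-permission recommendation, which depends on your software-deployment policy.

```powershell
# Added example: audits a Windows client against the Designer XI device recommendations.
# Assumes Microsoft Defender and AppLocker are the products in use (an assumption, not a
# requirement of Designer XI). Run in an elevated session so BitLocker and local-group
# queries succeed.

function Get-ScreenLockTimeoutSeconds {
    # A Group Policy setting overrides the per-user setting, so check the policy path first.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v -and $v.ScreenSaveActive -eq '1' -and $v.ScreenSaverIsSecure -eq '1' -and $v.ScreenSaveTimeOut) {
            return [int]$v.ScreenSaveTimeOut
        }
    }
    # "Interactive logon: Machine inactivity limit" locks the session without a screen saver.
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($sys -and $sys.InactivityTimeoutSecs -gt 0) { return [int]$sys.InactivityTimeoutSecs }
    return $null   # no enforced lock found
}

function Test-DesignerXiClientHardening {
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $lock     = Get-ScreenLockTimeoutSeconds
    $admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $me       = "$env:USERDOMAIN\$env:USERNAME"
    # Only the executable rule collection matters for "which programs may run".
    $exeRules = (Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections |
        Where-Object { $_.RuleCollectionType -eq 'Exe' }
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SystemDriveEncrypted  = ($osVolume.ProtectionStatus -eq 'On')
        ScreenLockWithin5Min  = ($null -ne $lock -and $lock -le 300)
        # Reported as non-compliant if the group could not be read at all.
        CurrentUserIsNotAdmin = ($null -ne $admins) -and -not ($admins.Name -contains $me)
        ExeAllowListEnforced  = ($exeRules.EnforcementMode -eq 'Enabled')
        RealTimeProtectionOn  = [bool]$defender.RealTimeProtectionEnabled
    }
}

Test-DesignerXiClientHardening | Format-List
```

Any property that reports False identifies a recommendation the device does not yet meet; an AppLocker collection in AuditOnly mode is reported as not enforced because it logs rather than blocks.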


Uninstalling the Application and Transferring Equipment

Uninstall the application from the Control Panel.

When you uninstall the application, the user-specific files and configurations are left untouched in these user folders:

  • C:\Users\username\AppData\Local\DesignerXI

  • C:\Users\username\AppData\Roaming\SE

In this manner, if the user re-installs the application, the settings are preserved. However, if your company intends to transfer the equipment to another user, you should follow best practices for the secure deletion of the previous user’s AppData directories.

For more information about the directories and files, see the topic File Directories and File Types on Client Machine.

QR Code is a registered trademark of DENSO WAVE INCORPORATED in Japan and other countries.
