Networks and Security in ArcGIS Enterprise
When working in an organization with access to mission-critical and / or sensitive data, the personal security choices that you make can have ramifications for the organization as a whole. Organizations are actively targeted by sophisticated cybercriminals, making vigilance even more challenging. Understanding the threats and how to defend against those threats requires some basic understanding of the computer networks that cybercriminals target.
This tutorial covers basic enterprise network and security principles with a specific orientation toward ESRI's ArcGIS Enterprise.
This tutorial is loosely organized around the OSI networking model.
Introductions
Risk
A common heuristic for assessing risk is:
Risk = Threat * Vulnerability
- Threat is the intensity of an environmental or social hazard.
- Vulnerability is the inability to resist a threat.
- Risk is the probability that the hazard will cause harm.
Vulnerability and threat must both be high to have high risk. Understanding risk can be useful for managers when making decisions about allocating scarce organizational resources to address the security vulnerabilities that present the highest risk(s) to an organization.
For example, buildings in the Midwest are commonly not built with high tolerance for earthquakes (high vulnerability), but because earthquakes are rare in the Midwest (low threat), the risk of earthquake damage to a building is low, albeit still present.
In contrast, within an enterprise made up of large numbers of individuals (high vulnerability) who control information or resources that are highly valued by nefarious actors (high threat), the risk is high. Individual and collective vulnerability requires significant attention and resources to reduce risk to levels that are tolerable for smooth operation.
Security
Computer security has three aspects:
- Confidentiality is controlling who can read information.
- Integrity is controlling the creation, modification, and deletion of information.
- Availability is assuring that resources are available when needed.
There are a wide variety of security threats.
- Confidentiality
- Spyware
- Cracking
- Integrity
- Accidental creation, modification, or deletion
- Intentional creation, modification, or deletion
- Hardware failure
- Software defects
- Availability
- Ransomware
- Denial of service
- Hardware failure
- Software defects
- Physical violence (burglary, looting, war)
- Utility failures (electricity, water)
- Building failures (fire, structural collapse, HVAC)
- Meteorological conditions (wind, flooding)
- Geological conditions (earthquakes, volcanoes, tsunami)
Security is fundamentally social, and there are a number of different actors that can present security threats.
- Cybercriminals
- Physical criminals
- Disgruntled workers
- Underskilled or complacent workers
- Commercial competitors
- Foreign intelligence services
- Domestic intelligence services
The OSI Model
The Open Systems Interconnection (OSI) model is a hierarchical taxonomy for organizing network components into interconnected conceptual layers. The OSI model was initially developed by Charles Bachman and published in 1984 as ISO standard 7498 (IEEE 2023).
- Layers of the model hide the complexity of the layers below so that managers and developers can more easily understand, utilize, and debug the features at each layer.
- While this abstract and contested model is often mismatched with contemporary technologies and protocols, it remains a useful framework for organizing network concepts and associated security issues.
A network protocol is the set of rules that defines how software and hardware communicate across a network.
- The layers in the OSI model are defined by the protocols used at each layer.
- Although data between computers on a network flows through the different hardware and software layers, layers communicate virtually with layers at the same level on other networked machines.
Console
The console will be used for some commands in this tutorial.
Operating systems provide a console where you can type commands for diagnosing problems and configuring capabilities. These are also sometimes called terminals because historically they were terminal displays and keyboards physically attached to mainframe computers.
On Windows, you can get a console by searching for cmd. You can also type commands in the newer PowerShell.
Two commands you will find useful for navigating around your storage are dir (list directory contents) and cd (change current directory).
Physical Layer
The physical layer of the OSI model includes the hardware connections between machines.
Ethernet
Ethernet (IEEE 802.3) is a ubiquitous physical networking technique used to connect computers to a network. Contemporary server, desktop, and (some) laptop computers have Ethernet ports, usually with rectangular eight-wire RJ-45 connectors that can be used with CAT 5 / 5e / 6 cables.
While wired connectivity provides some measure of physical network security compared to shared media like WiFi or cellular networks, other computers on your network can often see network traffic going to your interface, and wired connectivity should not be assumed to be completely secure.
WiFi Hotspots
Wi-Fi is a networking technology that uses radio signals to provide wireless high-speed Internet access through a variety of IEEE 802.11x standards.
All contemporary laptop computers and mobile devices contain Wi-Fi transceivers that connect to Wi-Fi access points (hotspots) which are physically connected to the internet.
Public Wi-Fi hotspots are common and convenient ways of connecting to the internet, but they present multiple security issues.
- Rogue hotspots are set up by hackers to intercept Wi-Fi communications and capture sensitive information.
- In a man in the middle attack, you think you are securely connected to a remote service, but a malicious actor has inserted their machine on the network between you and the remote service and can observe sensitive information like login credentials and credit card numbers.
- Rogue hotspots can automatically serve web pages that infect your devices with malware that can then infect your organizational network when you return to work.
Steps you can take to avoid security risks when using public Wi-Fi hotspots include (Equifax 2024):
- Verify the name of a business's official Wi-Fi network from public signage or a staff member before connecting.
- Disconnect immediately if a hotspot redirects you to a suspicious web page that asks for personal information or refuses to close.
- Use a VPN when performing any kind of authenticated work on organizational systems while connected via a public Wi-Fi hotspot.
Cellular Network
Mobile devices can connect to the internet through radio connections to cellular network antennas mounted on towers and buildings.
While the cells around towers vary in radius from one to thirty km, grids of overlapping cells provide seamless coverage in most populated or heavily trafficked areas in the developed world. The cellular network is operated by private companies and paid subscriptions are required for access.
The first generation (1G) network launched in Tokyo in 1979. 4G networks with 150 Mbit/s download capability debuted in the late 2000s, and 5G networks debuted 2019, although deployment was hampered by geopolitical and health concerns.
Bluetooth
Bluetooth is a short-range wireless standard used for exchanging data over short distances up to 10 meters. Bluetooth supports a variety of profiles that are commonly used for connecting peripherals to computers or cellular phones.
Bluetooth is subject to a variety of security vulnerabilities that permit crackers to access sensitive personal information or eavesdrop on written and oral communications. Some common security suggestions include (Norton 2024):
- Turn off Bluetooth discovery on your device.
- Turn off Bluetooth when not in use.
- Only connect and allow connection with known devices.
- Avoid connecting to shared resources, like rental cars.
- Avoid pairing in public places where hackers can hijack the pairing process.
Flash Drives
While not a formal physical networking medium, flash drives are a common, convenient physical medium for moving data between machines.
Flash drives are also a very dangerous vector for moving viruses and malware between machines. Compromised machines can infect other machines on a network, resulting in operational and legal chaos within an organization.
- Use secure network storage rather than flash drives whenever possible, especially for sensitive information that could present reputational or legal issues if the flash drive is lost or stolen.
- Avoid keeping your only copy of any data on a flash drive. Flash drives are unreliable and data is often unrecoverable if the flash drive fails.
- Pass along unfamiliar flash drives to your IT professionals before using them in your own machine. IT professionals have machines that can investigate the contents before mounting or autorunning software on the flash drives and potentially transferring malware to the machine.
USB Charging Ports
Public transportation facilities and vehicles commonly offer USB charging ports that customers can use to charge cellphones. While most are benign, USB connections provide access to the data on your phone, and nefarious actors can exploit security vulnerabilities to harvest your personal data and implant malware.
Data Link Layer
The data link layer of the OSI model includes the protocols used for sending data as electrical signals through cables and radio signals in the physical layer.
The data link layer primarily focuses on network interfaces, which are the software and hardware through which computers are connected to networks.
MAC addresses
Medium access control (MAC) numbers are unique, 48-bit (six byte) addresses that identify the network interface hardware.
- These numbers are written as six hexadecimal numbers separated by colons or hyphens.
- The first three bytes are a code that identifies the manufacturer.
- The last three bytes identify individual devices produced by that manufacturer.
The MAC address is the Physical Address in the output of the ipconfig /all command.
You can Google a MAC address to find the manufacturer.
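The following added example (not part of this tutorial and not ESRI code) pulls the Physical Address lines out of ipconfig /all output, splits each MAC into its manufacturer code and device part, and decodes the two flag bits in the first byte. The ipconfig excerpt and the manufacturer table are constructed for the example; a real lookup would use the IEEE OUI registry.

```python
import re

# Constructed OUI lookup table for this example only. A real lookup would
# query the IEEE OUI registry; these two manufacturer rows are made up.
OUI_TABLE = {
    "00:1A:2B": "ExampleNet Corp (constructed entry)",
    "AC:DE:48": "Sample Devices Inc (constructed entry)",
}

# Constructed excerpt in the shape of `ipconfig /all` output (the addresses
# are made up, not real interfaces).
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : AE-DE-48-00-11-22
"""


def normalize_mac(mac):
    """Accept 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff' and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def describe_mac(mac):
    """Split a MAC into manufacturer code (OUI) and device part and decode the two flag bits."""
    norm = normalize_mac(mac)
    first_byte = int(norm[:2], 16)
    return {
        "mac": norm,
        "oui": norm[:8],          # first three bytes: manufacturer code
        "device_id": norm[9:],    # last three bytes: device within that manufacturer
        "manufacturer": OUI_TABLE.get(norm[:8], "unknown (not in table)"),
        # lowest bit of the first byte set: group/multicast address, never a single interface
        "multicast": bool(first_byte & 0x01),
        # second-lowest bit set: locally administered, i.e. not burned in by the manufacturer;
        # randomized or spoofed addresses look like this, so an OUI lookup tells you nothing
        "locally_administered": bool(first_byte & 0x02),
    }


def physical_addresses(ipconfig_text):
    """Pull every Physical Address line out of ipconfig /all output."""
    found = re.findall(
        r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})", ipconfig_text
    )
    return [normalize_mac(m) for m in found]


if __name__ == "__main__":
    for mac in physical_addresses(SAMPLE_IPCONFIG):
        print(describe_mac(mac))
```

The Wi-Fi interface in the sample has the locally administered bit set, which is what a randomized address looks like; the manufacturer lookup is only meaningful for addresses where that bit is clear.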
Switches
Office Ethernet cables are usually connected to switches, which connect multiple clients to a single organizational network.
Network Layer
The devices and software in the network layer of the OSI model determine which routes the data will take to move from the client to the server and back.
IP addresses
Internet Protocol (IP) addresses are four-byte (32-bit) numbers that are used to uniquely identify devices on a network.
- IP addresses are written as four decimal numbers separated by periods, giving a range of 0.0.0.0 to 255.255.255.255.
- For example, the https://illinois.edu website is at IP address 130.126.157.20.
- Ranges of IP addresses are assigned to large organizations and internet service providers.
- For example, one group of IP addresses assigned to the University of Illinois is 130.126.0.0 to 130.126.255.255, which includes the IP address given above.
There are three ranges of private IP addresses reserved for private internal use. You will commonly see these addresses when looking at the IP addresses of machines on enterprise networks. These addresses are never used for public websites.
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
Although there are 4.294 billion possible IP addresses, there are now far more internet connected devices on the planet than available IP addresses. Network address translation (NAT) is the use of private internal IP addresses for devices on an internal network with routers that translate messages to a smaller number of recycled public IP addresses for communicating outside the organizational network.
Another way of working around the limited number of available IP addresses is the use of extended 16-byte (128-bit) addresses referred to as IPv6 addresses. This is in contrast to four-byte IP addresses referred to as IPv4.
- IPv6 addresses are written as eight groups of four-digit hexadecimal numbers separated by colons.
- When a group is 0000, it can be omitted from the written address.
- For example, the IPv6 address for illinois.edu is 2620:0:e00:4206::14.
- IPv6 still does not have universal acceptance, so administrators routinely configure devices with both IPv4 and IPv6 addresses.
You can find the IPv4 and IPv6 addresses for your computer's network interface with the ipconfig command.
If you are on a machine on an enterprise network using NAT, you can find your current public IPv4 address by searching for my IP address in Google.
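As an added example (not from this tutorial), the code below classifies addresses against the three private ranges and the University block listed above, shows the compressed and expanded forms of the illinois.edu IPv6 address, and extracts addresses from ipconfig output. The ipconfig excerpt is constructed; 203.0.113.7 is an address from the documentation range, not a real host.

```python
import ipaddress
import re

# The three private ranges listed above, in CIDR form
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The University of Illinois block quoted above (130.126.0.0 - 130.126.255.255) as a /16
ORG_BLOCK = ipaddress.ip_network("130.126.0.0/16")

# Constructed excerpt in the shape of `ipconfig` output; the interface addresses are illustrative
SAMPLE_IPCONFIG = """
Wireless LAN adapter Wi-Fi:
   IPv6 Address. . . . . . . . . . . : 2620:0:e00:4206::14
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:1%12
   IPv4 Address. . . . . . . . . . . : 172.16.190.174
   Default Gateway . . . . . . . . . : 172.16.190.1
"""


def classify(text):
    """Say whether an address is private (behind NAT), public, inside the org block, or link-local."""
    addr = ipaddress.ip_address(text.split("%")[0])  # drop a Windows zone index such as %12
    if addr.version == 4:
        for net in PRIVATE_RANGES:
            if addr in net:
                return f"IPv4 private ({net}): reachable only inside the network, translated by NAT on the way out"
        if addr in ORG_BLOCK:
            return f"IPv4 public, inside the organizational block {ORG_BLOCK}"
        return "IPv4 public"
    if addr.is_link_local:
        return "IPv6 link-local: valid only on the local network segment"
    return "IPv6 global"


def ipv6_forms(text):
    """The written form with zero groups omitted and the full eight-group form."""
    addr = ipaddress.IPv6Address(text)
    return {"compressed": addr.compressed, "exploded": addr.exploded}


def addresses_from_ipconfig(text):
    """Every IPv4 Address / IPv6 Address value in ipconfig output, in order."""
    return re.findall(r"IPv[46] Address[ .]*:\s*([0-9A-Fa-f:.%]+)", text)


if __name__ == "__main__":
    for address in addresses_from_ipconfig(SAMPLE_IPCONFIG):
        print(address, "->", classify(address))
    print(ipv6_forms("2620:0:e00:4206::14"))
```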
DHCP
While servers commonly have fixed IP addresses so that clients know where to find them, client machines like desktops, laptops, and cellphones only need IP addresses when they are connected to the network.
Dynamic Host Configuration Protocol (DHCP) servers dynamically allocate IP addresses from a pool of available addresses to machines when they connect to a network.
- A DHCP IP address lease lasts for a finite time (usually 24 hours) and the machine will need to get a new IP address from DHCP before the lease runs out (Rathnam 2020).
- There is usually one DHCP server on a network. That server also sometimes serves as the network's DNS server (see below).
You can find your DHCP server with the ipconfig /all command.
Routing
A computer network allows devices on that network to exchange data and share resources with each other.
- The Internet is a network of separate computer networks interconnected by routers.
- Routers pass network data between networks based on routing rules defined by systems administrators.
- Communications over the internet commonly pass through multiple routers and networks.
- These routes can change depending on traffic and the configuration of the routers.
Connectivity Tools
The ping tool sends a test ICMP command every second to the IP address specified and is used to verify connectivity with another computer on the internet. You can also specify the address with a domain, such as in this example using illinois.edu. Press ctrl-C to stop the tool.
You can pass a domain name to the tracert command to identify router nodes between your machine and a server.
- The first entry is the client (10.232.0.5).
- The last entry is the server (130.126.157.20).
- The entries in the middle are routers.
- When available, the tool lists text host names as well as IP addresses.
Virtual Private Networks
To enhance security, access to services at specific IP addresses on a network can be restricted to other machines on that network. However, workers often need to access network restricted services when working at home or when traveling.
Virtual private networks (VPNs) provide remote access to network restricted services by creating a tunnel (encrypted connection) between a remote machine and a VPN server on the private network, and then providing the remote machine with an IP address that virtually connects the remote machine to the private network.
Aside from common use by businesses to allow remote workers access to secure enterprise networks, VPNs can also be used to circumvent internet restrictions and surveillance by authoritarian governments, and to get around regional restrictions on access to commercial services.
There are a variety of vendors that provide VPN software. Products from the networking company Cisco are commonly used.
When you run ipconfig with a VPN active, you will see two network interfaces with separate IP addresses, one for the physical interface (Wi-Fi 172.16.190.174) and one for the virtual network (Ethernet 3 10.251.129.204).
VPN software provides different modes for how traffic is divided between the different network interfaces.
- Split Tunnel sends traffic for servers on the organizational network through the VPN tunnel interface, but sends all other traffic (such as browsing Google or social media) through the physical interface. This is the normal default.
- Tunnel All sends all traffic through the VPN tunnel interface.
- Split Tunnel Public IPs Only is a variation on split tunnel when you are also connecting to non-organization private IP addresses.
Network Layer Security
Routers contain complex, mission-critical software that must be carefully configured and regularly patched to address newly discovered vulnerabilities and assure network performance and security.
As critical nodes in organizational operations, routers are potential targets for malicious actors (AVG 2024).
- Spyware installed in routers can redirect traffic for eavesdropping and theft of sensitive information.
- Malware in routers can be used as a vector for broader malware infection of machines in your organization.
- Compromised routers can be harnessed into botnets for masking the sources of nefarious network activities or to facilitate denial-of-service attacks.
Because of the complexity and unpredictability of networks, router software updates commonly result in network degradation or failure, which requires time to diagnose and repair, and which can be highly disruptive to organizations that are dependent on their networks.
Transport Layer
The transport layer in a network handles the exchange of data between nodes on a network defined with IP addresses using transmission control protocol (TCP). Because IP and TCP work together, networking using this combination is commonly referred to as TCP/IP.
Ports
TCP ports are numbered connection points within an IP address that allow access to different services at the same IP address.
Services on a single server listen for requests sent to specific ports. Port numbers are 16-bit numbers that range from 0 to 65532. Some commonly used ports in an ArcGIS Enterprise environment include:
- 80: Insecure hypertext transport protocol (HTTP = insecure web pages)
- 443: Secure hypertext transport protocol (HTTPS = secure web pages)
- 587: Simple mail transport protocol (SMTPS = sending e-mail securely)
- 995: Post Office Protocol (POP3 = receiving e-mail securely)
- 3389: Remote desktop protocol (remotely connecting to Windows computers)
- 5432: PostgreSQL database servers
- 6443: Portal for ArcGIS
- 7443: ArcGIS Server (usually routed from 443 by Web Adaptor)
- 27000: ArcGIS License Manager
Ports in the range of 48,152 to 65,535 are ephemeral ports that are temporarily opened by clients to receive requested data packets back from servers.
Netstat
The netstat -aon command shows connections between machines and can be used to show open ports on a machine.
- Ports are listed by the local IP address and the port number.
- Lines with IP address 0.0.0.0 are open ports on all network interfaces.
- Lines with IP address 127.0.0.1 are listening only within the server (loopback).
- Other lines list the IP address of the interface and the port being listened on.
Servers commonly have multiple ports open for the various hosted servers. For example:
- Port 80 is HTTP for the internet server (IIS).
- Port 135 is a remote procedure call endpoint mapper.
- Port 443 is HTTPS for the internet server (IIS).
- Port 445 is a Server Message Block port used to provide access to shared files and printers.
- Ports 1098 and 6099 are used by ArcGIS Server.
- Ports 2443, 4369, and 9876 are used by ArcGIS Data Store.
- Port 3389 is for Windows Remote Desktop connection.
- Port 5432 is used by the PostgreSQL server.
- Ports 5701, 7080, 7099, 7443, and 7654 are used by Portal for ArcGIS.
- Port 7099 is used for printing.
Clients have fewer open ports, although in this case there are a number of ports open to facilitate remote administration of this virtual desktop client. For example:
- Port 80 is the HTTP port open for Windows Remote Management.
- Port 111 is a portmapper port.
- Port 135 is a remote procedure call endpoint mapper.
- Port 445 is a Server Message Block port used to provide access to shared files and printers.
- Ports 1494 and 2598 are used by the Citrix system that provides this virtual desktop.
- Port 3389 is for Windows Remote Desktop connection.
- Ports 5985 and 5986 are for Windows Remote Management connections.
- Port 7680 is for Windows Update Delivery Optimization.
- Ports above 48152 are ephemeral ports.
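The added example below (not from this tutorial) parses netstat -aon output the way the bullets above describe it: listeners bound to 0.0.0.0 are open on every interface, 127.0.0.1 listeners are loopback only, and high-numbered ports with an ESTABLISHED state are a client's ephemeral connections. The netstat excerpt is constructed; the port-to-service table uses the ports listed in this tutorial, with 6443 as ArcGIS Server and 7443 as Portal for ArcGIS as given in the Web Adaptor section, and the ephemeral threshold is the start of the IANA dynamic port range.

```python
# Services from the port lists in this tutorial (6443/7443 as in the Web Adaptor section)
KNOWN_PORTS = {
    80: "HTTP (IIS)",
    135: "RPC endpoint mapper",
    443: "HTTPS (IIS)",
    445: "SMB file and printer sharing",
    3389: "Remote Desktop",
    5432: "PostgreSQL",
    6443: "ArcGIS Server",
    7443: "Portal for ArcGIS",
}
EPHEMERAL_START = 49152  # start of the IANA dynamic port range used for client-side ports

# Constructed excerpt in the shape of `netstat -aon` output on a Windows server
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:6443           0.0.0.0:0              LISTENING       3320
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2780
  TCP    10.232.0.5:7443        0.0.0.0:0              LISTENING       3388
  TCP    10.232.0.5:49820       130.126.157.20:443     ESTABLISHED     6012
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1600
"""


def parse_netstat(text):
    """One dict per connection line; header and blank lines are skipped. UDP lines have no State."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if proto == "TCP" else ""
        host, port = local.rsplit(":", 1)          # rsplit so IPv6 forms like [::]:445 survive
        rows.append({
            "proto": proto,
            "host": host.strip("[]"),
            "port": int(port),
            "foreign": foreign,
            "state": state,
            "pid": int(parts[-1]),
        })
    return rows


def listening_exposure(text):
    """Group listening TCP ports by how widely they are exposed."""
    groups = {"all_interfaces": [], "loopback_only": [], "specific_interface": []}
    for r in parse_netstat(text):
        if r["proto"] != "TCP" or r["state"] != "LISTENING":
            continue
        if r["host"] in ("0.0.0.0", "::"):
            groups["all_interfaces"].append(r["port"])
        elif r["host"] in ("127.0.0.1", "::1"):
            groups["loopback_only"].append(r["port"])
        else:
            groups["specific_interface"].append(r["port"])
    return groups


def unexpected_listeners(text, allowed):
    """Ports open on all interfaces that are not on the allow list, with the service name if known."""
    exposed = listening_exposure(text)["all_interfaces"]
    return [(p, KNOWN_PORTS.get(p, "unknown service")) for p in exposed if p not in allowed]


def ephemeral_connections(text):
    """(local ephemeral port, remote endpoint) for each established client-side connection."""
    return [(r["port"], r["foreign"]) for r in parse_netstat(text)
            if r["port"] >= EPHEMERAL_START and r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    print(listening_exposure(SAMPLE_NETSTAT))
    print(unexpected_listeners(SAMPLE_NETSTAT, allowed={80, 443}))
    print(ephemeral_connections(SAMPLE_NETSTAT))
```

Run against the sample with an allow list of 80 and 443, the audit reports 3389, 6443 and 445 as listening on every interface; whether that is a problem depends on the host firewall and on whether those ports are meant to be reachable from outside, which is exactly the question the Web Adaptor and Port Security sections below are about.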
Web Adaptor
In an ArcGIS Enterprise installation:
- Portal for ArcGIS listens on port 7443.
- ArcGIS Server listens on port 6443.
- Internet Information Services (the web server) listens on port 443 (the default port for HTTPS requests).
Web Adaptor is a component of an ArcGIS Enterprise installation that routes HTTPS requests on port 443 to Portal for ArcGIS and ArcGIS Server.
- Web Adaptor eliminates the need to degrade security by opening ports 6443 and 7443 to the outside world.
- Web Adaptor eliminates the need for users of those services to indicate specific port numbers in their requests (e.g. https://domain.com:7443/portal/home).
Port Security
A common security best practice is to shut down all services that are not needed. Examples include:
- Web servers
- File servers
- E-mail servers
- Proxy servers
- Remote desktop services
Services on a Windows server are started and stopped using the Services app.
Packets
Messages between clients and servers are of varying length. URL requests to a search engine may be only a few hundred bytes, while images or documents returned from servers can be millions of bytes in length.
TCP breaks messages into sequences of one or more packets that are sent separately through the internet and then reassembled on the receiving machine.
- The beginnings of all packets (packet headers) contain source and destination IP addresses and ports so the network layer knows where to route each packet.
- Packet headers also contain sequence numbers so that packets of data can be reassembled in the correct order even if the packets arrive out of order.
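An added example (not from this tutorial) of the two header ideas just described: each packet carries source and destination addressing plus a sequence number that is the byte offset of its payload, and the receiver uses those numbers to put an out-of-order delivery back together and to notice a gap. The message and the endpoints are constructed; the client and server addresses reuse the ones shown in the tracert discussion above.

```python
from dataclasses import dataclass
import random


@dataclass
class Packet:
    src: tuple      # (source IP, source port)
    dst: tuple      # (destination IP, destination port)
    seq: int        # byte offset of this payload within the message, as TCP sequence numbers are
    payload: bytes


def fragment(message, src, dst, segment_size=8):
    """Split a message into packets, each carrying the addressing header and a sequence number."""
    return [Packet(src, dst, offset, message[offset:offset + segment_size])
            for offset in range(0, len(message), segment_size)]


def shuffled_copy(packets, seed=1):
    """Deterministically reorder packets, standing in for packets that arrive out of order."""
    return random.Random(seed).sample(packets, len(packets))


def reassemble(packets):
    """Put packets back in sequence order; refuse to return a message that has a gap in it."""
    flows = {(p.src, p.dst) for p in packets}
    if len(flows) != 1:
        raise ValueError(f"packets belong to {len(flows)} different flows")
    data = b""
    expected = 0
    for p in sorted(packets, key=lambda p: p.seq):
        if p.seq != expected:
            # a real TCP receiver would hold what it has and ask for a retransmission
            raise ValueError(f"gap in stream: expected byte {expected}, next packet starts at {p.seq}")
        data += p.payload
        expected += len(p.payload)
    return data


if __name__ == "__main__":
    request = b"GET /portal/home HTTP/1.1"   # constructed client request
    packets = fragment(request, ("10.232.0.5", 49820), ("130.126.157.20", 443))
    print(reassemble(shuffled_copy(packets)))
```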
DDOS Attacks
Distributed denial of service (DDOS) attacks involve overwhelming a server or network with a flood of internet traffic from a botnet of client computers infected with malware.
- DDOS attacks make it difficult for legitimate users to gain access to an organization's websites or services, thus negatively affecting the organization's ability to function.
- Malicious actors can use the threat of a DDOS attack to extract ransom.
- Authoritarian governments can also use DDOS attacks to constrain access to opposition information or communication.
- DDOS attacks can target different layers of the OSI model.
Defenses against DDOS attacks include:
- Firewalls that detect and block malicious requests
- Load balancers and caches that distribute requests across multiple machines
- Network rate limiters that slow requests to manageable levels
Firewalls
Firewalls are security services and/or hardware that block the passage of information through a network connection based on firewall rules defined by the systems administrator. These rules can restrict access based on IP addresses, TCP ports, and/or packet content.
Servers and clients both have firewalls. Contemporary Windows machines come with the Windows Defender Firewall.
Presentation Layer
Software in the presentation layer of the OSI model handles encryption of data before it is transported across the network.
Applications (like a web browser or ArcGIS Pro) open sockets when they want to communicate with servers on a network, and the software and hardware in the lower layers of the OSI model handle the details of making the connection and passing the data.
Secure Certificates
Encryption is a mathematical technique for converting data to ciphertext that can only be understood after it is decrypted.
- Secure communication over the web is handled with HTTPS (secure hypertext transport protocol) on TCP port 443, which utilizes a secure socket layer (SSL) to share encrypted data between machines.
- HTTPS utilizes public key encryption in which information is encrypted using a publicly-available key, but which can only be decrypted using a private key known only to the message receiver.
The TLS handshake is an exchange of information between a client and server to create a master key that is then used to encrypt subsequent messages.
A security certificate contains a public/private key pair that is allocated by a certificate authority (CA) that can be trusted by both the sender and receiver of the information.
- The systems administrator who manages a server is responsible for acquiring and installing the security certificate for that server.
- Common commercial CAs include DigiCert, GeoTrust, Thawte, and COMODO, among many others.
- A popular nonprofit certificate authority is Let's Encrypt.
The name of the certificate authority for a website and information on the public key can be found by clicking on the lock icon in the browser location bar. Common encryption algorithms include RSA and Elliptic-curve.
Security Certificate Problems
Numerous problems can arise with security certificates.
- When users try to access a website with an invalid security certificate, they will receive a warning page.
- Desktop software that accesses a service with an invalid certificate will fail, often with a cryptic error message.
A common problem is an expired certificate. Certificates are issued for limited periods of time (usually 90 days max). Servers often have automated renewal capabilities, but if there is a server change or misconfiguration, a certificate may expire, resulting in browser warnings that can impair organizational operations.
Servers can issue self-signed certificates, and these are often used when developing new web apps or testing new services. However, self-signed certificates cause browser warnings and should not be used on production sites.
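The checks a browser or desktop client makes before it shows a certificate warning can be run ahead of time by an administrator. The following added example (not from this tutorial, not ESRI code) applies the checks that the certificate problems above describe to a certificate in the dictionary shape that Python's ssl module returns from getpeercert(): expiry (with a warning window so renewal happens before users see errors), a self-signed issuer, and a hostname that the certificate does not cover. The two certificates, their dates, host names and the CA name are all constructed.

```python
import ssl
import time

# Constructed certificate in the dictionary shape that ssl.SSLSocket.getpeercert()
# returns; names, dates and the CA are made up for this example.
GOOD_CERT = {
    "subject": ((("commonName", "gis.example.edu"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "gis.example.edu"), ("DNS", "portalhost.example.edu")),
}

# The same server presenting a self-signed certificate: the issuer is identical to the subject
SELF_SIGNED_CERT = dict(GOOD_CERT, issuer=GOOD_CERT["subject"])


def cert_time(text):
    """Seconds since the epoch for a certificate date such as 'Mar 31 23:59:59 2024 GMT'."""
    return ssl.cert_time_to_seconds(text)


def name_to_dict(rdn_sequence):
    """Flatten the nested tuples getpeercert() uses for subject/issuer into a plain dict."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def check_certificate(cert, hostname, now=None, warn_days=14):
    """Return the list of problems a client would trip over; an empty list means the cert is fine."""
    now = time.time() if now is None else now
    problems = []
    not_before = cert_time(cert["notBefore"])
    not_after = cert_time(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    elif not_after - now < warn_days * 86400:
        problems.append(f"expires within {warn_days} days")   # renew before users see warnings
    subject = name_to_dict(cert["subject"])
    if subject == name_to_dict(cert["issuer"]):
        problems.append("self-signed")
    dns_names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in dns_names and subject.get("commonName") != hostname:
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    for cert in (GOOD_CERT, SELF_SIGNED_CERT):
        print(check_certificate(cert, "gis.example.edu") or "no problems")
```

Scheduling a check like this against every server in an ArcGIS Enterprise deployment, and alerting on the warning window rather than on expiry, is the practical defence against the "server change or misconfiguration" failure described above.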
Application Layer
Software at the application layer of the OSI model is the end-user software that utilizes network services.
Domain Names
A fully-qualified domain name (FQDN) identifies a server.
In URLs, FQDNs follow the protocol name (usually https://) and consist of three parts:
- An optional sequence of one or more sub-domains separated by periods
- A domain name
- A top-level domain name (TLD), usually .com, .org, .net, or .edu
Domains are purchased from domain registrars who coordinate to assure that ownership of specific domain names is unique. Domain registrars are commonly large web hosting providers like GoDaddy, Amazon Web Services, DreamHost, HostGator, and Bluehost.
The whois database lists ownership and contact information for domain owners. While details are often masked for privacy, some domain owners (like the University of Illinois) still make whois data available.
As a security measure, domain registrars will often serve as whois proxy contacts so that the contact details of the actual registrants are protected from companies that harvest whois information for marketing or big data analysis. Common whois proxies include GoDaddy, Domains By Proxy, MarkMonitor, and Perfect Privacy.
Domain Name Servers
Because TCP/IP only works with IP addresses, a protocol is needed for converting domain names into IP addresses that can be used to communicate with servers.
A domain name service (DNS) nameserver receives queries about domain names and returns IP addresses that can be used by browsers and other applications.
For home networks, a nameserver is usually assigned by your ISP when you connect to the network. The nameserver is often the same as the DHCP server (see above).
Larger organizations that run their own DHCP servers will also have their own nameservers.
There is a hierarchy of DNS nameservers that work together to find the IP address associated with a domain name. This hierarchy is needed to handle the load of billions of domain name queries per second for the millions of different domain names.
- A client like a web browser first sends the domain name to a local DNS resolver to see if it has the IP address for the domain name in its cache.
- If the DNS resolver does not have the IP address in memory, it will query a root server to get the IP address of the nameserver for the TLD.
- The DNS resolver will query the TLD server to get the IP address of the nameserver for the domain.
- Finally the DNS resolver will query the domain nameserver for the IP address of the server.
You can use the ipconfig /all command to find the DNS resolver currently used by your machine.
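The four-step lookup above, as an added example (not from this tutorial): a small resolver walks root, TLD and domain nameservers held in constructed zone tables, records which server it had to ask at each step, and answers the second lookup of the same name from its cache without any queries. The nameserver addresses are from the documentation ranges and the zone contents are made up, except that illinois.edu resolves to the address given earlier in this tutorial.

```python
# Constructed zone data standing in for the real hierarchy. Nameserver addresses are
# from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the
# only real-world value is the illinois.edu address quoted earlier in the tutorial.
ROOT_SERVER = {            # root: which nameserver is authoritative for each TLD
    "edu": "192.0.2.1",
    "com": "192.0.2.2",
}
TLD_SERVERS = {            # TLD nameserver -> which nameserver is authoritative for each domain
    "192.0.2.1": {"illinois.edu": "198.51.100.5"},
    "192.0.2.2": {"example.com": "198.51.100.9"},
}
AUTHORITATIVE_SERVERS = {  # domain nameserver -> host records it can answer for
    "198.51.100.5": {"illinois.edu": "130.126.157.20", "www.illinois.edu": "130.126.157.20"},
    "198.51.100.9": {"example.com": "203.0.113.10"},
}


class Resolver:
    """A local DNS resolver that walks root -> TLD -> domain nameserver and caches answers."""

    def __init__(self):
        self.cache = {}
        self.steps = []    # (where the answer came from, what was asked), one entry per step

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.cache:
            self.steps.append(("cache", name))
            return self.cache[name]

        labels = name.split(".")
        if len(labels) < 2:
            raise LookupError(f"not a fully qualified domain name: {name!r}")
        tld = labels[-1]
        domain = ".".join(labels[-2:])

        # Step 1: ask a root server which nameserver handles the TLD
        self.steps.append(("root", tld))
        tld_ns = ROOT_SERVER.get(tld)
        if tld_ns is None:
            raise LookupError(f"no such top-level domain: {tld}")

        # Step 2: ask the TLD server which nameserver handles the domain
        self.steps.append(("tld", domain))
        domain_ns = TLD_SERVERS[tld_ns].get(domain)
        if domain_ns is None:
            raise LookupError(f"no such domain: {domain}")

        # Step 3: ask the domain's nameserver for the host's address
        self.steps.append(("authoritative", name))
        address = AUTHORITATIVE_SERVERS[domain_ns].get(name)
        if address is None:
            raise LookupError(f"no record for host: {name}")
        self.cache[name] = address
        return address


if __name__ == "__main__":
    resolver = Resolver()
    print(resolver.resolve("illinois.edu"), resolver.steps)
    print(resolver.resolve("illinois.edu"), resolver.steps[-1])
```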
Domain Name Security
Domain names are a potential security vulnerability that need attention from organizations.
- Systems administrators historically acquired the .com, .org, and .net versions of their domain name to assure that visitors would not stumble into another organization with the same domain name but different TLD.
- While this is less important with the proliferation of different top-level domains and the limited number of website visitors typing domain names, if you can afford to get multiple TLDs associated with a domain name, that can be helpful to avoid confusion with a malicious actor that acquires your domain name under a different TLD.
- Administrators also sometimes purchase domains with common variations and misspellings of the legitimate domain name(s).
Domain name squatters are organizations that purchase domain names for resale.
- Buying out squatters can be expensive if your organization wishes to acquire a variation on your domain and finds that it is being squatted.
- Malicious actors can also post fake websites with domain names that are common misspellings of popular domain names to extract login credentials and other sensitive information from unwitting visitors.
- Fake websites can also exploit browser vulnerabilities to install malware.
Domain names are registered for fixed periods of time.
- While domain registrars will usually send e-mail messages to institutional contacts to remind them to renew the registration, personnel or organizational changes can result in these messages being missed and in the expiration of the registration.
- Registrars will usually post placeholder pages on expired domains for a grace period (which will alert unaware administrators).
- An expired domain that falls into the ownership of squatters can be expensive to recover.
Cookies
When accessing resources across a network, TCP/IP is stateless in that it maintains no information between transactions.
Cookies are small bits of information kept in browser storage that can be set and read by pages from a specific domain to remember information (like logins) from prior visits to that domain.
- Cookies permit servers to remember previous exchanges with specific web browsers, such as for web applications that require login or involve users working on tasks across multiple TCP/IP transactions.
- Cookies are associated with specific domain names and can only be accessed by web pages from the domains that created them.
- Cookies also have expiration dates.
- Cookies are kept in local computer storage and are subject to undesired access through unpatched browser vulnerabilities, or through spyware that infects the computer.
- The contents of cookies are often session identifiers used by websites to access information stored on the server without having to keep sensitive information in the cookies themselves.
Cookies can be viewed in browser Settings under Privacy and security.
One technique to preserve privacy is to regularly clear your cookies and browsing history, which erases cookies from browser storage.
- Clearing cookies is especially recommended after using a shared or public machine where subsequent users of that machine could access sensitive information like credit card numbers, passwords, or personal information.
- Clearing cookies inhibits the ability of search engine and social media companies to track your browsing habits through third-party cookies.
- Clearing cookies can sometimes improve browser speed since clearing cookies also clears the cache of stored browser information, and caches can become clogged with unneeded data when left uncleared for long periods of time.
Authentication
Authentication is the process of determining whether a user is who they say they are.
Credentials are usernames, passwords, and other identifying information needed to authenticate that someone trying to access system resources is indeed the user that they claim to be.
Passwords
A combination of a user name and a password is a very common set of credentials used for application authentication.
A strong password is a password that cannot be easily guessed using common hacking techniques:
- Brute force attacks involve trying all possible combinations of characters.
- Dictionary attacks involve going through lists of common words and commonly used passwords.
Common poor short passwords subject to dictionary attacks include (Drapkin 2024):
- Common sequences: 12345678, 111111, abc123, qwerty, Password, Password1
- Personal names (Michael, Ashley, Jessica, Charlie, and Jordan are very common)
- Years
- Sports and sports teams
- Musical artists and groups
- Superheroes
Password Entropy
Password entropy is a quantitative metric for assessing password vulnerability to brute force attacks (Šlekytė 2023):
E = log2(R^L)
- R is the number of possible different characters (for lowercase letters and digits this would be 36).
- L is the number of characters in the password.
- E is the number of bits needed to represent the number of possible combinations.
E of 64 bits or more (2^64, or about 18 quintillion possibilities) is considered strong.
A common strategy for getting high entropy includes:
- Requiring at least eight characters for an L of 8
- Requiring the use of upper case letters (26), lower case letters (26), numbers (10), and special characters (31) for an R of 93
- E = log2(93^8) = 52
Note that because the length is the exponent in the entropy formula, increasing length adds more entropy than increasing the range of characters, while requiring additional character classes decreases memorability and increases the likelihood that users will store passwords in an insecure manner. Accordingly, more recent recommendations include (NIST 2023, Raphelson 2017):
- Make passwords simple, long, and memorable.
- Phrases, lowercase letters and typical English words work well.
- Passwords do not need to expire (promotes memorization).
- A memorable phrase of 16 lower case letters would have E = log2(26^16) = 75.
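The entropy calculations above, carried through as an added example (not code from the tutorial or from NIST): it reproduces the 52-bit and 75-bit figures, shows how many bits one extra character adds for each character range, and works out the smallest length that reaches the 64-bit threshold for each range. Function names are assumptions.

```python
import math

# Character ranges used in the tutorial
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 31
STRONG_BITS = 64                      # threshold the tutorial calls strong


def entropy_bits(R, L):
    """E = log2(R^L), computed as L * log2(R) to avoid huge integers."""
    return L * math.log2(R)


def combinations(R, L):
    """Exact number of possible passwords (Python ints do not overflow)."""
    return R ** L


def bits_per_extra_char(R):
    """Entropy gained by adding one more character drawn from R symbols."""
    return math.log2(R)


def chars_needed(R, target_bits=STRONG_BITS):
    """Smallest L for which log2(R^L) reaches the target."""
    return math.ceil(target_bits / math.log2(R))


def compare_policies():
    full = LOWER + UPPER + DIGITS + SPECIAL        # R = 93
    return {
        "8 chars from 93": round(entropy_bits(full, 8)),        # 52, as on the page
        "9 chars from 93": round(entropy_bits(full, 9)),        # one more char adds ~6.5 bits
        "8 chars from 36": round(entropy_bits(LOWER + DIGITS, 8)),
        "16 lowercase": round(entropy_bits(LOWER, 16)),         # 75, as on the page
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy}: {bits} bits")
    for R in (LOWER, LOWER + DIGITS, 93):
        print(f"R={R}: +{bits_per_extra_char(R):.2f} bits per char, "
              f"{chars_needed(R)} chars for {STRONG_BITS} bits")
```

Running it shows that a 16-character lowercase phrase exceeds the 64-bit threshold while an 8-character password from all 93 symbols does not, which is the tutorial's reason for preferring length over character range.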
Two-factor Authentication
Authentication uses one or more of the following factors:
- Something you know: User names, passwords, challenge questions
- Something you have: Cellphone or e-mail 2FA
- Something you are: Biometric retina, thumb, or palm scans
Two-factor authentication (2FA) is the addition of a second authentication factor to mitigate the vulnerability of reliance on passwords as a single factor for authentication.
A common two-factor authentication technique is the use of one-time codes sent as cellphone messages or e-mails to non-institutional accounts (something you have) that are then entered along with the username and password.
Single Sign On
Password fatigue is the stress experienced by users when required to memorize multiple passwords as part of their organizational duties and / or personal online activity. Password fatigue is especially problematic for IT workers who have to regularly access multiple computer systems.
Personal strategies for addressing password fatigue can introduce organizational vulnerabilities because of the central role played by IT employees in organizations.
- Password recycling is the use of the same password on multiple machines. If the password is cracked on one machine, the malicious actor can gain access to multiple machines.
- Password managers can store multiple passwords in an account that is accessed with a single password (or 2FA). This introduces a similar vulnerability as password recycling, since cracking a password manager account yields access to all associated user accounts.
- Password autofill is the use of browser autofill capabilities to store passwords for multiple accounts accessed through that browser. This has the same problem as using a password manager in introducing a single point of vulnerability.
- Written password lists kept in locked physical storage can be helpful to prevent loss of passwords if an administrator is fired or disabled. However, paper lists are inconvenient and are subject to inadvertent loss, careless handling, and physical theft.
Single sign-on (SSO) is "an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials" (One Identity 2024). SSO combined with 2FA is a common organizational technique for mitigating password fatigue.
SSO systems like Shibboleth, which is based on the Security Assertion Markup Language (SAML), use digitally signed tokens from an identity provider to authenticate identity across multiple systems.
Backup and Restore
Backups are copies of data that can be used to restore computer systems in the event of a hardware or security failure. Regular backups of mission-critical data and testing of restores are essential to assure data availability and business continuity in the face of security threats.
To preserve storage space and reduce backup time, backups are commonly performed incrementally.
- Full backups of all data are performed on a regular basis, typically weekly or monthly.
- Incremental backups that record only the changes since the last full backup are performed more regularly (nightly).
Periodic testing of restores is also essential to assure that backup procedures and systems are producing backups that can actually be restored. Organizations generally do not care much about backups, but they do care very deeply about restores. Test restorations on parallel offline systems are a common technique for validating backup procedures.
A common rule for backup is the 3-2-1 rule: Three copies of everything, on two different types of media, with one offsite copy for disaster recovery (Ruggiero and Heckathorn 2020, Campbell 2024).
- Backups can be performed on physical media like magnetic tape, which remains attractive because of large storage capacity, cost-effectiveness, and reliability (Nakivo 2023). Tape backups should be stored in a secure location separate from the systems they are backing up in case of damage to the systems facility (offsite backup).
- With the advent of inexpensive cloud storage both for operational and archival data storage, cloud backups are increasingly popular. Multi-cloud backup involves mirroring data across two or more physically and virtually separate cloud services to reduce vulnerability to the threat of a technical or procedural failure involving one of the cloud services.
Backup plans need to consider the relationships between different systems that are backed up separately. In an ArcGIS Enterprise installation, databases and data stores require separate backups, but those backups need to be coordinated to assure consistency of references between the two separate systems.
PostgreSQL and ArcGIS Enterprise have tools like the Web GIS Disaster Recovery (WebGISDR) utility that can be used for backup and restore.