Skip To Content

Security best practices

When securing ArcGIS Monitor, it's important that the environment that Monitor runs in is secure. There are several best practices that you can follow to ensure the greatest security.

Request and configure your own server certificate

Monitor is preconfigured with a self-signed certificate, which allows you to perform initial testing and verify that the installation was successful. However, in most cases, an organization should request a certificate from a trusted certificate authority (CA) and configure Monitor Server to use it. This can be a domain certificate issued by your organization or a CA-signed certificate.

Configuring a certificate from a trusted authority is a secure practice for web-based systems and prevents users from encountering browser warnings and other unexpected behavior. If you use the self-signed certificate included with Monitor during testing, you may experience warnings from your web browser about the site being untrusted. When a web browser encounters a self-signed certificate, it typically displays a warning and asks you to confirm that you want to proceed to the site. Many browsers display warning icons or a red color in the address bar for as long as you are using the self-signed certificate.


The above list of issues that you may experience when using a self-signed certificate is not exhaustive. It is recommended that you use a CA-signed certificate to fully test and deploy Monitor.

Learn more about configuring Monitor with an existing CA-signed certificate

Restrict file permissions

Set file permissions so that only necessary access is granted to the ArcGIS Monitor installation and configuration store directories. The only account that Monitor is required to access is the ArcGIS Monitor account. This is the account used to run the software. Your organization may require additional accounts to have access. Keep in mind that the ArcGIS Monitor account must have full access to the configuration store directory to function properly.

Monitor inherits file permissions from the configuration store directory's parent directory. Files that are created by Monitor, such as logs, inherit their permissions from the configuration store's parent directory. To secure the configuration store directory, set restricted permissions on its parent directory.

Any account that has write access to the configuration store directory can change Monitor settings that can normally only be modified by a system administrator. Monitor uses a built-in security store to maintain users, and the configuration store directory contains encrypted passwords for those users. Read access to the configuration store directory should be restricted.

Use a group Managed Service Account

You can configure Monitor to use a group Managed Service Account (gMSA) as the account that runs the ArcGIS Monitor Server or ArcGIS Monitor Agent service. A gMSA provides the advantages of an Active Directory domain account and keeps the account secure through periodic password updates.

Learn more about group Managed Service Accounts

Related topics