
Securing Your ArcGIS Maps: A Government IT Director's Guide to Preventing Accidental Data Exposure

Written By: Tony Diaz, Service Desk Lead

10 Minute Read

Last Updated: Nov 26, 2025

Your agency’s GIS infrastructure contains some of the most sensitive data in your entire technology stack. Facility locations, utility networks, emergency evacuation routes, critical infrastructure coordinates—information that adversaries would pay significant resources to obtain. Yet many government IT directors treat ArcGIS security as an afterthought, assuming Esri’s platform handles protection automatically.

This assumption has proven catastrophic. In October 2025, security researchers revealed that Chinese state-sponsored hackers had maintained persistent access to an organization’s ArcGIS server for over a year, using it as a backdoor into internal networks. The attack wasn’t sophisticated in its entry point—it exploited a weak administrator password and a common architectural pattern.

If your agency runs ArcGIS, this guide provides the security framework you need to prevent accidental data exposure and defend against increasingly sophisticated threats.

The Stakes: Why GIS Security Matters for Government

Government GIS systems aren’t just mapping tools. They’re repositories of strategically valuable intelligence:

  • Critical infrastructure locations: Power substations, water treatment facilities, communication towers
  • Emergency response data: Evacuation routes, shelter locations, first responder staging areas
  • Facility information: Government building layouts, access points, security camera placements
  • Utility networks: Pipeline routes, electrical grid topology, fiber optic pathways
  • Sensitive planning data: Future development zones, restricted areas, classified project locations

When this data leaks—whether through misconfiguration or compromise—the consequences extend far beyond embarrassment. Adversaries gain tactical intelligence that could inform physical attacks, infrastructure sabotage, or espionage operations.

CISA has explicitly warned that GIS systems are increasingly targeted by nation-state actors. The 2024 breach of a federal civilian agency through its GeoServer installation underscores that this isn’t theoretical risk.

Case Study: The Flax Typhoon ArcGIS Compromise

In October 2025, ReliaQuest published detailed findings on an ArcGIS server compromise attributed with high confidence to Flax Typhoon, a Chinese state-sponsored hacking group. The attack demonstrated how threat actors exploit common GIS deployment patterns.

How the Attack Unfolded

Initial Access: The attackers compromised a portal administrator account using a weak password. ReliaQuest noted the password appeared to be a “leet speak” variant—the kind of password that feels clever but fails basic security requirements.

Exploitation Path: The compromised public-facing ArcGIS portal was connected to an internal ArcGIS server for backend computations. This is a standard deployment architecture, but it created a bridge from the internet directly to internal systems.

Persistence Mechanism: Rather than deploying obvious malware, the attackers weaponized a legitimate ArcGIS component—the Java Server Object Extension (SOE). They modified this trusted component to function as a web shell, accepting base64-encoded commands through standard REST API parameters. To external monitoring, the traffic appeared as routine ArcGIS operations.

Duration: The attackers maintained access for over 12 months, conducting network reconnaissance, harvesting credentials from IT workstations, and establishing backup persistence through a renamed SoftEther VPN executable.

Recovery Complication: After initial remediation, the attackers returned. They had embedded their malicious SOE in system backups, transforming disaster recovery procedures into reinfection vectors.

Key Lessons

The ReliaQuest report concluded: “Any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted.”

This attack succeeded not because of zero-day vulnerabilities or sophisticated exploits, but through:

  • Weak password on an administrative account
  • Standard architecture connecting public and internal systems
  • Abuse of legitimate platform functionality
  • Insufficient monitoring for behavioral anomalies

The Most Common ArcGIS Misconfigurations

Based on Esri’s security documentation and real-world incident patterns, these misconfigurations most frequently expose government GIS data.

Overly Permissive Sharing Settings

ArcGIS defaults to private sharing—when you create a new item, only you can access it. The problem occurs when administrators or users share content with “Everyone” without understanding the implications.

The Risk: A single click can expose sensitive feature layers to the public internet. Once shared publicly, that data can be discovered through ArcGIS Online searches, indexed by search engines, or harvested by automated scrapers.

The Safeguard: In September 2020, Esri introduced the “Public Data Collection” setting for hosted feature layers. This additional control requires explicit approval before a layer with editing capabilities can be shared publicly. However, many administrators don’t know this safeguard exists or haven’t verified it’s properly configured.

Common Scenario: An analyst creates a feature layer for a collaborative project. They share it with “Everyone” to simplify access for external partners. The layer contains attributes they didn’t realize were sensitive—building access codes, personnel information, or infrastructure vulnerabilities. Months later, the project ends, but the layer remains publicly accessible.

Weak Authentication Practices

The Flax Typhoon attack hinged on a compromised administrator password. Authentication weaknesses remain the most common entry point for GIS compromises:

  • Weak passwords: “Leet speak” substitutions (p@ssw0rd), dictionary words, predictable patterns
  • Missing MFA: Administrative portals accessible with only username and password
  • Shared accounts: Multiple administrators using the same credentials, making audit trails meaningless
  • API keys in source control: Developers committing credentials to Git repositories
  • Long-lived tokens: Access tokens that never expire, providing persistent access if compromised

Esri’s security best practices documentation explicitly warns: “Never expose client_secret or login credentials. Possession of these enables unauthorized token generation and service access billed to your account.”

Network Architecture Issues

Many ArcGIS deployments follow the pattern that enabled the Flax Typhoon attack: a public-facing portal directly connected to internal servers without adequate segmentation.

Problematic Patterns:

  • Public ArcGIS Portal acting as proxy to internal ArcGIS Server
  • No Web Application Firewall (WAF) protecting internet-facing components
  • Administrative interfaces accessible from public internet
  • Flat network architecture allowing lateral movement from compromised GIS systems

Esri’s hardening guidance recommends deploying a WAF for all internet-facing ArcGIS systems, but many government deployments skip this protection due to budget constraints or perceived complexity.

Outdated Software

Esri maintains an active security patch program, releasing multiple updates annually. The Portal for ArcGIS Security 2025 Update 1 addressed a critical severity vulnerability. Previous updates have resolved:

  • Reflected XSS vulnerabilities
  • Server-Side Request Forgery (SSRF) issues
  • Directory traversal vulnerabilities
  • Authentication bypass flaws
  • Local file inclusion (LFI) flaws

Organizations running unpatched ArcGIS installations expose themselves to publicly documented attack vectors. Nation-state actors actively scan for systems vulnerable to known CVEs.

Esri’s Built-In Security Tools

Many government IT administrators don’t realize Esri provides free security assessment tools. These should be part of every agency’s GIS security program.

Security Scanning Scripts

ArcGIS Enterprise includes Python scripts that scan for common security misconfigurations:

serverScan.py - Scans ArcGIS Server installations for security issues:

# Change to the ArcGIS Server tools directory (Linux path shown; on Windows it sits under the installation directory)
cd /arcgis/server/tools/admin

# Run the scan: -n is the server hostname, -u/-p the site administrator credentials.
# Substitute the real password for [password]; anything typed here lands in shell history.
python serverScan.py -n gisserver.agency.gov -u admin -p [password]

portalScan.py - Scans Portal for ArcGIS for vulnerabilities:

# Change to the Portal tools directory (Linux path shown)
cd /arcgis/portal/tools/security

# Run the portal scan: -n is the portal hostname, -u/-p an administrator account
python portalScan.py -n portal.agency.gov -u admin -p [password]

These tools check against Esri’s best practices for secure deployment, identifying issues like:

  • Anonymous access enabled where it shouldn’t be
  • Weak SSL/TLS configurations
  • Missing security headers
  • Overly permissive service configurations

ArcGIS Security Advisor

For ArcGIS Online deployments, Esri offers the ArcGIS Security Advisor—a free tool that helps organization administrators:

  • Review overall security posture
  • Identify publicly shared items that may contain sensitive data
  • Find editable feature layers shared with everyone
  • Receive targeted recommendations for improvement

Action Item: If you administer an ArcGIS Online organization, run Security Advisor today. Many administrators discover publicly shared content they didn’t know existed.

Security Hardening Checklist for Government Deployments

Use this checklist to assess and improve your ArcGIS security posture.

Authentication & Access Control

  • Enforce MFA on all administrative accounts - Portal administrators, ArcGIS Server managers, and anyone with publishing rights
  • Implement strong password policies - Minimum 16 characters, no dictionary words, no predictable patterns
  • Use principle of least privilege - Users get only the permissions their role requires
  • Audit admin account access quarterly - Remove accounts for departed staff, review access patterns
  • Rotate API keys regularly - Establish a 90-day rotation schedule for all programmatic access
  • Use short-lived tokens - Configure token expiration appropriate to use case (hours, not weeks)
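The password rules above, applied the way a verifier must to catch the leet-speak variant that opened the Flax Typhoon intrusion: an added example, not Esri's or Fruition's code, with a tiny constructed dictionary standing in for a real breached-password list.

```python
"""Password-policy check for the checklist rules: at least 16 characters,
no dictionary word once common 'leet speak' substitutions are undone, no
predictable sequences.  Added example, not Esri's policy engine; DICTIONARY
is a constructed stand-in for a real breached-password / dictionary list."""
import re

LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
DICTIONARY = {"password", "arcgis", "admin", "portal", "welcome", "agency"}
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")

def normalize(pw):
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    return re.sub(r"[^a-z]+$", "", pw.lower()).translate(LEET)

def contains_sequence(pw, run=4):
    """True if any run of 4+ consecutive keyboard or alphabet characters,
    forwards or backwards, appears in the password."""
    s = pw.lower()
    return any(seq[i:i + run] in s or seq[i:i + run][::-1] in s
               for seq in SEQUENCES for i in range(len(seq) - run + 1))

def check_password(pw):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    norm = normalize(pw)
    if any(word in norm for word in DICTIONARY):
        problems.append("dictionary word (after undoing leet substitutions)")
    if contains_sequence(pw):
        problems.append("predictable sequence")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("repeated character run")
    return problems
```

Note that "ArcG1S-P0rt@l-Adm1n!" passes the length rule yet still fails, which is exactly the gap a length-only policy leaves open.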

Sharing & Data Protection

  • Run Security Advisor or portalScan.py monthly - Automated discovery of misconfigurations
  • Audit all publicly shared items - Know exactly what’s exposed to the internet
  • Enable “Public Data Collection” setting - Ensure public editing is intentional, not accidental
  • Create read-only feature layer views - For public consumption, share views rather than source layers
  • Disable Query capability on sensitive services - Prevent individual record extraction from map services
  • Review sharing before staff transitions - When employees leave, audit content they shared
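The audit that the "Overly Permissive Sharing Settings" section and the two items above call for (knowing which items are public, and which of those are editable feature layers), as an added example that is not Esri's or Fruition's code: it pages through the portal search endpoint for access:public items and classifies each feature service by the capabilities string in its service description. The hostnames, item ids and sample data are constructed.

```python
"""Audit an ArcGIS portal for publicly shared items and flag editable or
queryable feature layers.  Added example, not Esri code: the REST fields
(access, type, url, capabilities, nextStart) are the documented ones; the
sample data at the bottom is constructed."""
import json
from urllib.request import urlopen

def fetch_json(url):
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)

def public_items(portal, token, num=100):
    """Page through /sharing/rest/search for every item with access:public."""
    start = 1
    while start > 0:
        page = fetch_json(f"{portal}/sharing/rest/search?q=access:public"
                          f"&num={num}&start={start}&f=json&token={token}")
        yield from page.get("results", [])
        start = page.get("nextStart", -1)   # -1 signals the last page

EDIT_OPS = {"Create", "Update", "Delete", "Editing"}

def classify(item, capabilities):
    """Label one public item; `capabilities` is the comma-separated string
    returned by the feature service's own ?f=json description."""
    caps = {c.strip() for c in capabilities.split(",") if c.strip()}
    if item.get("type") != "Feature Service":
        return "public"
    if caps & EDIT_OPS:
        return "public-editable"    # anyone on the internet can change records
    if "Query" in caps:
        return "public-queryable"   # individual records can be extracted
    return "public"

def audit(items, service_info):
    """items: search results; service_info: service url -> capabilities.
    Returns {label: [item ids]} so the editable ones can be fixed first."""
    findings = {}
    for item in items:
        label = classify(item, service_info.get(item.get("url", ""), ""))
        findings.setdefault(label, []).append(item["id"])
    return findings

# Constructed sample standing in for live search results and service JSON.
HYDRANTS = "https://gis.example.gov/server/rest/services/Hosted/Hydrants/FeatureServer"
PARKS = "https://gis.example.gov/server/rest/services/Hosted/Parks/FeatureServer"
SAMPLE_ITEMS = [
    {"id": "a1", "type": "Feature Service", "access": "public", "url": HYDRANTS},
    {"id": "b2", "type": "Feature Service", "access": "public", "url": PARKS},
    {"id": "c3", "type": "Web Map", "access": "public", "url": ""},
]
SAMPLE_SERVICES = {HYDRANTS: "Query,Create,Update,Delete,Editing", PARKS: "Query"}
```

Against a live portal, feed `public_items(...)` into `audit` after fetching each feature service's `?f=json` description for its capabilities; anything labelled public-editable should be replaced by a read-only view before the next business day.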

Network & Infrastructure

  • Deploy WAF for internet-facing systems - Required protection per Esri hardening guidance
  • Segment public portals from internal servers - Don’t allow direct backend access from DMZ
  • Restrict admin portal access - Administrative interfaces should not be reachable from public internet
  • Implement referrer-based limiting - Restrict which domains can embed your services
  • Enable HTTPS exclusively - No HTTP access, full certificate validation

Patch Management

  • Subscribe to Esri security advisories - Sign up at trust.arcgis.com
  • Apply critical patches within 14 days - Nation-state actors move fast
  • Apply standard patches within 30 days - Maintain a regular patching cadence
  • Run security scans after each patch cycle - Verify patches applied correctly
  • Test patches in staging first - But don’t let testing delay critical updates excessively

Monitoring & Detection

  • Monitor outbound HTTPS connections - The Flax Typhoon attackers used outbound connections for C2
  • Track service creation and configuration changes - Unauthorized services may indicate compromise
  • Implement behavioral analytics - Signature-based detection missed the SOE-based backdoor
  • Review backup integrity before restoration - Attackers embed persistence in backups
  • Log and retain authentication events - Essential for incident investigation
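A starting point for the behavioral monitoring this list calls for, aimed at the SOE-based backdoor from the case study: an added example, not Esri's or ReliaQuest's tooling, that reviews web access log lines for calls to Server Object Extensions that were never deployed and for REST parameters carrying base64-shaped blobs. The SOE names, client addresses, log format and sample lines are constructed.

```python
"""Flag suspicious calls to ArcGIS Server Object Extensions (SOEs) in web
access logs: requests to an SOE that is not on the approved list, or
parameter values shaped like base64 blobs.  Added example, not from Esri or
ReliaQuest; the log format, SOE names and sample lines are constructed."""
import base64, binascii, math, re
from urllib.parse import urlsplit

APPROVED_SOES = {"AssetReport", "NetworkTrace"}     # what you actually deployed
IGNORED_PARAMS = {"f", "token"}                      # legitimately opaque values
SOE_RE = re.compile(r"/rest/services/.+?/(?:Map|Feature)Server/exts/([^/?]+)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_b64_blob(value):
    """Well-formed base64 with the character spread of encoded data, so long
    numeric ids or hex strings (entropy <= 4 bits) are not flagged."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(value) > 4.0

def query_params(path):
    """Split the query string without unquoting, so '+' inside base64 survives."""
    return [tuple(p.split("=", 1)) if "=" in p else (p, "")
            for p in urlsplit(path).query.split("&") if p]

def inspect(line):
    """Return alert reasons for one log line 'ts client method path status'."""
    _ts, _client, _method, path, _status = line.split()
    match = SOE_RE.search(path)
    if not match:
        return []                        # not an SOE call
    reasons = []
    if match.group(1) not in APPROVED_SOES:
        reasons.append(f"unknown SOE {match.group(1)}")
    for key, val in query_params(path):
        if key not in IGNORED_PARAMS and looks_like_b64_blob(val):
            reasons.append(f"base64-like value in {key}")
    return reasons

SAMPLE_LOG = [  # constructed lines; the second carries a base64 blob where an id belongs
    "2025-10-02T03:14:07Z 203.0.113.5 GET /arcgis/rest/services/Utilities/Water/MapServer/exts/AssetReport/report?assetId=4411&f=json 200",
    "2025-10-02T03:14:09Z 203.0.113.5 GET /arcgis/rest/services/Utilities/Water/MapServer/exts/AssetReport/report?assetId=Y29uc3RydWN0ZWQtc2FtcGxlLXBheWxvYWQtb25seQ==&f=json 200",
    "2025-10-02T03:15:41Z 198.51.100.7 GET /arcgis/rest/services/Utilities/Water/MapServer/exts/LegacySync/run?f=json 200",
]
```

Both heuristics are about what is unusual for your deployment, which is why the approved-SOE list has to be maintained alongside the "track service creation and configuration changes" item above.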

What to Do If You Suspect a Breach

If you identify indicators of compromise in your ArcGIS environment:

  1. Isolate the affected system immediately - Disconnect from network, but preserve state for forensics
  2. Do not simply “clean” the system - The Flax Typhoon case required full server stack rebuilds; cleanup attempts failed
  3. Check backups for persistence mechanisms - Assume backups are contaminated until verified clean
  4. Engage incident response expertise - GIS-specific attacks require specialized analysis
  5. Report to CISA - Federal agencies must report; state and local agencies should consider voluntary reporting
  6. Contact Esri security resources - They can assist with platform-specific forensics

Critical: Do not restore from backups without forensic verification. Attackers specifically target backup systems to survive remediation attempts.

Security as Ongoing Practice

The Flax Typhoon attack persisted for over a year in an environment that presumably had some security controls. The attackers succeeded because they:

  • Exploited common architectural patterns
  • Used legitimate platform functionality
  • Avoided obvious malware signatures
  • Embedded persistence in trusted systems

Defending against this threat model requires treating GIS security as a continuous practice, not a one-time configuration:

  • Monthly: Run security scanning tools, review sharing settings
  • Quarterly: Audit administrative access, rotate credentials, review network architecture
  • Annually: Comprehensive security assessment, architecture review, tabletop exercises

GIS systems have moved from “supporting infrastructure” to “high-value targets.” Nation-state actors recognize that government mapping systems contain strategic intelligence worth significant investment to obtain.

Your security posture should reflect that reality.


Take Action Today

If your agency needs assistance assessing ArcGIS security posture or implementing the controls described in this guide, Fruition’s Service Desk team specializes in government technology security. We can help you:

  • Conduct comprehensive GIS security assessments
  • Implement hardening controls aligned with federal requirements
  • Develop monitoring and incident response capabilities
  • Train staff on secure GIS administration practices

Don’t wait for an incident to prioritize GIS security. Contact us to discuss your agency’s needs.


Tony Diaz is Fruition’s Service Desk Lead, specializing in web security and government technology solutions. With extensive experience supporting public sector clients, Tony helps agencies protect critical digital infrastructure from evolving threats.