Comment by mystraline 4 hours ago
I'm acutely aware of that.
The folks who hired me didn't realize I was also a hacker. I did my due diligence as well, and this was more like 10.3. And yes, it was terrible.
I know that FEMA and EPA both are running their public portals as 10.8, which is really bad. There are usually between 8 and 12 criticals (CVSS 3.0 score of 9 or greater) per version bump. Fuck if I know how federal acquisitions even allow this, but yeahhh.
Also, on the Hosting Server install, there are configs with commented-out internal ticket numbers. You search these on Google, and you'll find out 25% of the IPs that hit it are Chinese. Obviously, for software that's used predominantly in the US government, a whole bunch of folks in opposition to us are writing it. And damn, the writing quality is TERRIBLE.
Basically, if you have to run ArcGIS Enterprise, keep it internal only if at all possible. Secure Portal operation is NOT to be trusted. And if you do need a public API, keep the single machine in a DMZ, or better yet, isolated on a cloud. Copy the data as a bastion, like an S3 bucket or rsync, or something. Don't connect it to your enterprise.
Oh, and even with 11.5, there are a multitude of hidden options you can set with the config for the Web Adaptor, including full debug. Some even save local creds, like for portaladmin.
Oh yeah, and if you access the Portal Postgres DB and query the users table, you'll find 20 or so Esri accounts that are intentionally hidden from the Users list in Portal on :7443. The accounts do appear disabled... But why are they even there to begin with?
This is horrible!