Esri / arcgis-cookbook

Chef cookbooks for ArcGIS
Apache License 2.0

Hard-coded passwords are very dangerous #324

Closed peter-bertok closed 1 year ago

peter-bertok commented 2 years ago

Admins may run these scripts unmodified, which will result in the same username and password deployed at multiple organisations.

Example: https://github.com/Esri/arcgis-cookbook/blob/237b0e39fca0a3b5988b997430bf7beb3637e039/templates/arcgis-webadaptor/11.0/windows/arcgis-server-webadaptor-install.json#L5

cameronkroeker commented 2 years ago

Hi @peter-bertok,

Yes, this is a valid point. In each template readme we did our best to list the arcgis.run_as_password attribute as a required attribute that should be changed. For example:

https://github.com/Esri/arcgis-cookbook/tree/master/templates/arcgis-webadaptor/11.0#arcgis-server-webadaptor-install

arcgis-server-webadaptor-install
Installs and configures Microsoft IIS web server on Windows and Apache Tomcat application server on Linux. Installs ArcGIS Web Adaptor without registering it.

Required attribute changes:

arcgis.run_as_password - (Windows only) password of 'arcgis' Windows user account

This is also the case with a few other attributes like arcgis.portal.security_question and arcgis.portal.security_question_answer:

https://github.com/Esri/arcgis-cookbook/blob/237b0e39fca0a3b5988b997430bf7beb3637e039/templates/arcgis-portal/11.0/windows/arcgis-portal-primary.json#L19-L20

https://github.com/Esri/arcgis-cookbook/tree/master/templates/arcgis-portal/11.0#arcgis-portal-primary

The thought process of putting those values in there was to provide examples that people can refer to, but you have a valid point. We will think of a different solution for the next release.

Thanks, Cameron K.
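As an added illustration (not code from the cookbook or from either commenter) of the control this thread asks for: a pre-deploy check that fails when a committed Chef JSON template still carries a literal value for the credential attributes named above, plus a loader that fills those attributes from environment variables so an unmodified template cannot deploy a shared default. The template contents, the recipe name and the environment-variable naming scheme are assumptions.

```python
import re

# Keys whose values are credentials; a committed template must not carry a
# literal value for them (arcgis.run_as_password and
# arcgis.portal.security_question_answer are the ones the thread names).
SECRET_KEY_RE = re.compile(r"(password|security_question_answer)$", re.IGNORECASE)

def find_literal_secrets(attrs, prefix=""):
    """Walk a Chef node-attribute JSON object and return the dotted paths of
    credential-bearing keys that still hold a non-empty literal string."""
    hits = []
    for key, value in attrs.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            hits.extend(find_literal_secrets(value, path))
        elif SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
            hits.append(path)
    return hits

def inject_from_env(attrs, env, prefix=""):
    """Return a copy of attrs with every credential-bearing key taken from an
    environment variable named after its dotted path (arcgis.run_as_password
    -> ARCGIS_RUN_AS_PASSWORD); a missing variable raises KeyError (fail closed)."""
    out = {}
    for key, value in attrs.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out[key] = inject_from_env(value, env, path)
        elif SECRET_KEY_RE.search(key):
            var = path.upper().replace(".", "_")
            if var not in env:
                raise KeyError(f"{path}: set {var} before running chef-solo")
            out[key] = env[var]
        else:
            out[key] = value
    return out

# Constructed template in the shape of the cookbook's JSON run files (as
# loaded from disk); the credential values are placeholders, not shipped ones.
TEMPLATE = {"run_list": ["recipe[arcgis-enterprise::webadaptor]"],
            "arcgis": {"run_as_user": "arcgis", "run_as_password": "PLACEHOLDER-CHANGE-ME",
                       "portal": {"security_question": "City of birth?",
                                  "security_question_answer": "PLACEHOLDER-CHANGE-ME"}}}
```

Run `find_literal_secrets` in CI against every template under `templates/` to block commits that reintroduce a literal credential, and call `inject_from_env(template, os.environ)` in the wrapper that invokes chef-solo.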

cameronkroeker commented 1 year ago

Hi @peter-bertok,

Default passwords have been removed in the latest release, v4.1.0.

https://github.com/Esri/arcgis-cookbook/releases/tag/v4.1.0

Thanks, Cameron K.