ColdFusion 2016 Update 4, ColdFusion 11 Update 12 and ColdFusion 10 Update 23 released

This post is to announce the release of the following ColdFusion updates:

ColdFusion 2016 Update 4

ColdFusion 2016 Update 4 upgrades Tomcat to version 8.5.11.0 and fixes 115 bugs (including 52 external bugs) in areas such as Security, Language, Charting and Performance. This update also addresses vulnerabilities mentioned in the security bulletin APSB17-14. For details and instructions on how to apply this update, refer to this technote.

ColdFusion 11 Update 12

ColdFusion 11 Update 12 upgrades Tomcat to version 7.0.75. It also addresses vulnerabilities mentioned in the security bulletin APSB17-14 and fixes 59 bugs (including 28 external bugs) related to areas such as AJAX, Charting and Language. For details and instructions on how to apply this update, refer to this technote.

ColdFusion 10 Update 23

ColdFusion 10 Update 23 upgrades Tomcat to version 7.0.75. This update addresses vulnerabilities mentioned in the security bulletin APSB17-14 and includes a total of 17 bug fixes (including 7 external bugs) related to Language, Charting, Scheduler, Document Management and certain other areas. For details and instructions on how to apply this update, refer to this technote.

The build number after applying these updates should be:

2106,0,4,302561 for ColdFusion 2016;
11,0,12,302575 for ColdFusion 11.
10,0,23,302580 for ColdFusion 10.

Note:

  • Support for Windows Server 2016 will be introduced with the refreshed full ColdFusion 2016 server installer which will be made available shortly. Update: The new installer is now available, as of Apr 28.
  • The core support for ColdFusion 10 effectively ends on May 16, 2017. It will, therefore, receive no further updates. For detailed support timelines, see this EOL matrix.

 

 

ColdFusion 11 Update 11 and ColdFusion 10 Update 22 released

This post is to announce the release of ColdFusion 11 Update 11 and ColdFusion 10 Update 22.
Update 11 and Update 22 fix approximately 164 and 45 bugs respectively. For the list of bugs fixed in these updates, refer to the following documents:
Bugs fixed with Update 11
Bugs fixed with Update 22

Follow the steps below to apply the updates:

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Switch to the "Settings" tab.
  3. Ensure that the update site URL is set to the right value by clicking on the "Restore Default URL" button.
  4. Click on "Submit changes" to save your changes.
  5. Switch to "Available Updates" tab. Click on "Check for Updates".
  6. "ColdFusion 11 Update 11" or "ColdFusion 10 Update 22" should be listed under the "Available updates" tab. 
  7. Click on the "Download and Install" button to install the update.

Refer to the following technotes for instructions and other details related to the updates:

ColdFusion 11 Update 11 technote
ColdFusion 10 Update 22 technote

To apply these updates manually, download the required update by clicking on one of the applicable links below:

ColdFusion 11 Update 11 jar
ColdFusion 10 Update 22 jar
 
To run the downloaded jar, execute the following command:
java -jar <jar-file-dir>/hotfix_0xx.jar
You should use the JRE used by ColdFusion for running the update jar (for standalone CF, it should be <cf_root>/jre/bin)
For further details on the manual application of the updater follow this help article.
 
The build number after applying this update should be:
11,0,11,301867 for ColdFusion 11;
10,0,22,301868 for ColdFusion 10.

ColdFusion 11 Update 11 and ColdFusion 10 Update 22 PreRelease build available for download

NOTE: THIS POST has been made obsolete with the final release of these updates in Dec 2016. Please see the post announcing that.

The information below, this post and its comments, is left for history's sake.

ColdFusion 11 Update 11 and ColdFusion 10 Update 22 early access builds are now available for your testing and feedback. Please note that these are test builds and should not be used in a production environment.

For the list of bugs fixed with these updates, refer to the following documents:

Follow the steps below to apply the update.

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Under Settings tab, check "Automatically Check for Updates" check box
  3. Change the Site URL to https://cfdownload.adobe.com/pub/adobe/coldfusion/PR/updates.xml. 
  4. Click Submit to save your changes.
  5. Under the "Available Updates" tab, click on the “Check for Updates” button.
  6. "ColdFusion 11 Update 11" or "ColdFusion 10 Update 22" should be listed under the "Available updates" tab. 
  7. Click on the "Download and Install" button to install the update.
To apply this update manually, download the required update by clicking on one of the applicable links below:
 
To run the downloaded jar, execute the following command:
java -jar <jar-file-dir>/hotfix_0xx.jar
You should use the JRE used by CF for running the update jar (for standalone CF, it should be <cf_root>/jre/bin)
For further details on the manual application of the updater follow this help article.
 
The build number after applying this update should be
11,0,11,300779 (Pre-Release) for ColdFusion 11;
10,0,22,300783 (Pre-Release) for ColdFusion 10.
 

If you have configured a local site for receiving the update notifications, take a backup of that URL before changing it to the prerelease URL.

We will look forward to your valuable feedback and suggestions.

Removing Corrupt Connector Dependencies from IIS

This blog post talks about a few scenarios related to connector misconfiguration and ways to handle them. The most common scenarios discussed in this article are

  • Connectors that are created for ALL and individual websites at the same time.
  • Multiple attempts to add/remove the connectors during configuration.

As a best practice, remove the connector using the WSCONFIG utility. Once the connectors are removed, verify that no residual files, settings, or configuration remain, using the steps mentioned below. (WSCONFIG utility location: ColdFusion\<instance>\runtime\bin)

Consider a scenario where, upon launching the WSCONFIG utility, you see the following dialog box:

In this scenario, a configuration conflict might occur, since the same connector is created for both ALL and an individual website.

Follow the below steps to fix the connector misconfiguration:

  1. Remove both the connectors one by one, as shown in the below image. Select the connector and click “Remove”.
  2. In the dialog below, click “Yes” to continue.
  3. You can see that the first connector is now removed.
  4. Repeat the process for the other connectors. In this scenario, there are only two connectors.
  5. Launch IIS Manager.
  6. Click on any website (in this case, CF11) and double-click Handler Mappings.
  7. Manually remove all the ColdFusion handlers as shown below (if present):
  8. Navigate to “CF11” website and double-click ISAPI Filters.
  9. Remove “tomcat” entries (if any), as shown below:
  10. Repeat steps 6 to 9 for all the sites with duplicate or corrupted connector settings.
  11. Navigate to the IIS Server home and double-click Handler Mappings.
  12. Remove all ColdFusion handler entries (if any), as shown below:
  13. Navigate to IIS Server and double-click ISAPI Filters.
  14. Remove entries for tomcat, if any, as shown below:
  15. Navigate to IIS Server and double-click ISAPI & CGI Restrictions.
  16. Remove all entries of tomcat as shown below:
  17. Once all the above entries have been verified and removed, launch the command prompt as Administrator (or with elevated privileges) and run IISRESET.
  18. Run the WSCONFIG utility to recreate the connector and test your website.

 

Configuring Data Sources using Admin API in ColdFusion

Today, APIs are widely used and are very popular in the developer community. APIs make work easier, as developers can perform difficult tasks programmatically and automate repeatable routines.

In ColdFusion, there are Admin APIs through which developers can add, modify, and delete admin settings programmatically, for example, event gateways, data sources, mail, and so on. This is helpful for developers who do not have access to ColdFusion Administrator.

To access the components, use the link below. RDS needs to be enabled.

    http://{ip address}:<port>/CFIDE/adminapi/

 

How to enable RDS in ColdFusion Administrator

  • Log in to ColdFusion Administrator > Security > RDS

Let us see how the Data Sources can be added in ColdFusion Administrator using the Data Sources Admin API. You can use the syntax to add and modify the Data Sources without affecting the other admin settings. There are multiple attributes that can be used to add the DB which are supported in ColdFusion. For attribute details, please refer to this doc:
http://helpx.adobe.com/coldfusion/configuring-administering/data-source-management-for-coldfusion.html

We will discuss Microsoft SQL Server and Oracle (RAC) with the Macromedia driver and thin drivers. Before that, let us take a look at Data Source Management for ColdFusion, where users can add parameters.

Data Source Management for ColdFusion

This document lists all the components that a user can define to create a database connection using the Admin API. Please refer to the link below: https://helpx.adobe.com/coldfusion/configuring-administering/data-source-management-for-coldfusion.html

 

Using Macromedia driver MSSQL

ColdFusion provides MSSQL driver in both Standard and Enterprise editions. This example is with Macromedia drivers:

See the sample script below:

<cfscript>
    // Login is always required. This example uses two lines of code.
    adminObj = createObject("component","cfide.adminapi.administrator");
    adminObj.login("PASSWORD");  // CF admin password.

    // Instantiate the data source object.
    myObj = createObject("component","cfide.adminapi.datasource");

    // Create a DSN. The last nine arguments are the SQL operations allowed through this data source.
    myObj.setOther(driver="macromedia.jdbc.MacromediaDriver",
        url="jdbc:macromedia:sqlserver://localhost:1433;databaseName=CaseResolution",
        class="macromedia.jdbc.MacromediaDriver",
        name="jd",
        login_timeout = "29",
        timeout = "23",
        interval = 6,
        buffer = "64000",
        blob_buffer = "64000",
        setStringParameterAsUnicode = "false",
        description = "JD",
        pooling = true,
        maxpooledstatements = 999,
        enableMaxConnections = "true",
        maxConnections = "299",
        disable_clob = true,
        disable_blob = true,
        disable = false,
        storedProc = true,
        alter = false,
        grant = true,
        select = true,
        update = true,
        create = true,
        delete = true,
        drop = false,
        revoke = false );
</cfscript>

 

Using Macromedia driver MSSQL when using OTHER as driver

Copy the MSSQL driver to cfusion\lib and restart the ColdFusion service.

See the sample script below:

<cfscript>
    // Login is always required. This example uses two lines of code.
    adminObj = createObject("component","cfide.adminapi.administrator");
    adminObj.login("PASSWORD"); // CF Admin password

    // Instantiate the data source object.
    myObj = createObject("component","cfide.adminapi.datasource");

    // Create a DSN.
    myObj.setOther(driver="macromedia.jdbc.MacromediaDriver",
        url="jdbc:microsoft:sqlserver://HOST:1433;DatabaseName=DATABASE",
        class="com.microsoft.jdbc.sqlserver.SQLServerDriver",
        name="jd",
        username="",
        password="");
</cfscript>

 

Using Macromedia driver Oracle when using OTHER as driver

This example applies when you use Oracle RAC with a service name. ColdFusion does not allow users to add a service name in ColdFusion Admin, because only SID is available.

See the sample script below:

<cfscript>
    // Login is always required. This example uses two lines of code.
    adminObj = createObject("component","cfide.adminapi.administrator");
    adminObj.login("PASSWORD");  // CF Admin password

    // Instantiate the data source object.
    myObj = createObject("component","cfide.adminapi.datasource");

    // Create a DSN.
    myObj.setOther(driver="macromedia.jdbc.MacromediaDriver",
        url="jdbc:macromedia:oracle://localhost:1521; service_name=DEV",
        class="macromedia.jdbc.MacromediaDriver",
        name="DATA SOURCE NAME",
        username="DB USERNAME",
        password="PASSWORD");
</cfscript>

 

Using Oracle thin driver Oracle when using OTHER as driver

ColdFusion Standard does not provide the Oracle driver, as it is part of ColdFusion Enterprise. To add an Oracle DB in the Standard edition, use the Oracle thin driver: place it in cfusion\lib and restart ColdFusion to load it.

See the sample script below:

<cfscript>
    // Login is always required. This example uses two lines of code.
    adminObj = createObject("component","cfide.adminapi.administrator");
    adminObj.login("admin"); // CF Admin password

    // Instantiate the data source object.
    myObj = createObject("component","cfide.adminapi.datasource");

    // Create a DSN.
    myObj.setOther(driver="oracle.jdbc.driver.OracleDriver",
        url="jdbc:oracle:thin:@//localhost:1521/DEV",
        class="oracle.jdbc.driver.OracleDriver",
        name="DATA SOURCE NAME",
        username="DB USERNAME",
        password="DB PASSWORD");
</cfscript>

 

Note: If you are using Sandbox security, the user has to provide access to the Admin API. Refer to this doc: http://help.adobe.com/en_US/ColdFusion/10.0/Admin/WSc3ff6d0ea77859461172e0811cbf364104-7fcf.html

 

Installing and troubleshooting Java updates in ColdFusion

With the recent ColdFusion releases, we have come across many queries regarding Java updates. The table below shows the default Java shipped with the supported versions.

ColdFusion Version   Base Installer   Refreshed Installer
ColdFusion 2016      1.8.0_72         NA
ColdFusion 11        1.7.0_55         1.8 _25
ColdFusion 10        1.6.0_29         1.7.0_15

Now, let us look at the supported Java versions for ColdFusion 2016, 11 and 10.

Java Version   ColdFusion 2016   ColdFusion 11          ColdFusion 10
Java 1.8       All the updates   Update 3 and above     Update 14 and Above
Java 1.7       Not Supported     Update 2 and earlier   Update 8 and Above
Java 1.6       Not Supported     Not Supported          Update 7 and earlier

 

Once the support for a major version of Java is added, it also covers all the minor/sub versions.

 

Upgrading to Java 1.8:

  1. Download the latest version of Java from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html. Please make sure that you download 64-bit Java for 64-bit ColdFusion and 32-bit Java for 32 bit ColdFusion.
  2. Run the installer to install Java.
  3. Take a backup of jvm.config (located at <cf_install_root>\cfusion\bin).
  4. To change from ColdFusion’s default Java, modify the Java home path in either jvm.config or in ColdFusion Administrator (Settings -> Java and JVM -> Java virtual machine path).
  5. Restart ColdFusion after making the changes.
  6. To verify the update, log in to ColdFusion Administrator and verify the newer Java version.

If you are using Web Services, please do the following:

  1. Take a backup of tools.jar from {cf_install_home}/cfusion/lib/
  2. Copy tools.jar from {JDK8_Home}/lib to {cf_install_home}/cfusion/lib/
  3. Clear the stubs from {cf_install_home}/cfusion/stubs/ to get the newly compiled classes.

 

Note: Any SSL certificates added to the previous JDK will also need to be re-added to the new JDK (cacerts) file.

You can use the Java keytool utility located in Java\jre1.8.0_XX\bin to import the certificate. You can use the below command:

keytool -import -alias name -keystore Java\jre1.8.0_XX\lib\security\cacerts -file mycert.cer

 

Java upgrade issues and troubleshooting

  1. If you are unable to start ColdFusion after the Java update:
     • Check the location of Java home in jvm.config.
     • The Java auto-update modifies the Java install directory location, which causes ColdFusion to fail to start. Disable the Java auto-update.
     • Try starting ColdFusion from the command line to see specific errors. If the error is "Error loading: C:\Program Files\Java\jdk1.X.X\jre\bin\server\jvm.dll", then copy the msvcr100.dll file to <cf_install_root>/cfusion/bin from {JDK8_Home}/bin (for Windows OS).
  2. After importing certificates, if you have issues related to SSL, then you need to enable debugging for SSL. Take a backup of jvm.config at ColdFusion\cfusion\bin and add -Djavax.net.debug=all under the “Arguments to VM” in jvm.config. This would require a CF service restart. The argument would append the debugging info to the coldfusion-out.log at ColdFusion\cfusion\logs.

 

Configuring connectors with Apache Virtual Hosts in ColdFusion (2016 release)

ColdFusion (2016 release) has a webserver configuration tool for creating connectors with external web servers. These connectors work with Apache and IIS webservers. You can create one single connector (ALL) to run with all your websites or create individual connectors (ALL-Individually) for each website. We have seen scenarios, where users use “Virtual Host” to run multiple websites on a single server, in Apache.

In this blog, we will see, how to configure ColdFusion connector to work with multiple Virtual hosts in Apache and map the virtual hosts with individual instance of ColdFusion.

Note: This blog is written in the context of Apache being installed in an RHEL environment.

 

Scenario 1:  Configuring connector to run with multiple Virtual hosts

Unlike IIS, we don’t have the option to select multiple websites, when we run the Web Server Configuration tool or WSCONFIG tool. To achieve this, we will have to create a connector with Apache, which will have multiple websites (Virtual hosts).  Assuming that we have already installed ColdFusion (2016 release) and Apache, we shall go ahead and create the connectors with Apache.

To create a connector in ColdFusion (2016 release) with Apache in RHEL, follow the steps below:

  1. Navigate to cf_root/cfusion/runtime/bin
  2. Enter the command

sudo ./wsconfig -ws Apache  -bin /usr/sbin/httpd -script /usr/sbin/apachectl -dir /etc/httpd/conf/ -v

Note: The above command assumes pre-configured Apache in RHEL environment, command line switches and path for binaries may change across different flavors of Unix (Reference article).

Once you have created the connector successfully, ColdFusion creates a file mod_jk.conf in the location /Apache_root/conf/ (/etc/httpd/conf/ in this example).

To configure the connector and run multiple Virtual hosts, copy the JKMountFile path entry from mod_jk.conf file and add it to each of the Virtual Host blocks. For example, refer to the screenshot below:

 

Add the entry JkMountFile "/opt/coldfusion2016/config/wsconfig/1/uriworkermap.properties" to each virtual host in /etc/httpd/conf/httpd.conf, as highlighted below:

 

Scenario 2: Configure Apache virtual host for each ColdFusion instance

Consider the scenario where you have three virtual hosts that need to be run independently, and are not to be served by a single instance of ColdFusion.

To achieve this, you require three instances of ColdFusion server. Each server instance has separate settings. For example, let there be three instances of ColdFusion servers Instance1, Instance2, and Instance3 to be configured with three virtual hosts Website1, Website2, and Website3 respectively.

  1. Create the connector with Instance1 using the command (mentioned in Scenario 1). This step creates the connector-related files in the cf_root/config/wsconfig/1 folder.
  2. Add the server names to the worker list in workers.properties, located in the cf_root/config/wsconfig/1 folder. Add Instance1, Instance2, and Instance3 to the parameter worker.list.

  3. Add the configurations below for each instance of server in workers.properties file:

For server Instance1

worker.Instance1.host=localhost

worker.Instance1.port=8017

For server Instance2

worker.Instance2.host=localhost

worker.Instance2.port=8018

For server Instance3

worker.Instance3.host=localhost

worker.Instance3.port=8019

 

Note: The port set for each Instance* worker is the AJP/1.3 port number associated with the individual server instance. It can be found in server.xml at cf_root/instance_name/runtime/conf.

                          

 

  4. Create the file uriworkermap.properties for each instance of ColdFusion at the location cf_root/config/wsconfig/1. In this example, you require three copies of the uriworkermap.properties file (name them uriworkermap1.properties, uriworkermap2.properties, and uriworkermap3.properties).

4.1 Copy the content of uriworkermap.properties in cf_root/config/wsconfig/1 to uriworkermap1.properties, uriworkermap2.properties, and uriworkermap3.properties.

4.2 Replace the instances with the corresponding servers:

  • In uriworkermap1.properties, all the entries for server name will become “Instance1” (Screenshot 1),
  • uriworkermap2.properties will have “Instance2” as server name (Screenshot 2)
  • uriworkermap3.properties will have “Instance3” as server name (Screenshot 3).

 

Screenshot 1:

 

Screenshot 2:

 

Screenshot3:

 

  5. Define the URI mappings associated with each server instance in virtual host configuration to run the websites independently.

To run Website1 on server instance "Instance1", add the JKMountFile path as mentioned below in virtual host configuration (/etc/httpd/conf/httpd.conf):

JkMountFile "/opt/coldfusion2016/config/wsconfig/1/uriworkermap1.properties"

Notice that uriworkermap1.properties file contains URI mappings for Instance1.

Similarly, add the JKMountFile path for Website2 and Website3 that contain URI mappings for server instances "Instance2" and "Instance3".

Add the path in Website2:

JkMountFile "/opt/coldfusion2016/config/wsconfig/1/uriworkermap2.properties"

Add this path in Website3:

JkMountFile "/opt/coldfusion2016/config/wsconfig/1/uriworkermap3.properties"

 

Now, go ahead and verify your setup and website.

 

Note:

  • Any changes made to connector files requires an Apache restart for the changes to take effect.
  • Any changes made to httpd.conf file within Apache, requires an Apache restart for the changes to take effect.
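
The Scenario 2 steps can be scripted and checked before Apache is restarted. The following is an added example, not part of the original post or of ColdFusion: it builds the per-instance copies of uriworkermap.properties (steps 4.1 and 4.2) and verifies that each virtual host's map routes only to its own worker. The worker.list and type lines, the sample URI patterns and the original worker name "cfusion" are assumptions constructed for the example.

```python
# workers.properties using the host/port entries from step 3; the worker.list
# and ajp13 type lines are assumed for this example.
WORKERS = """\
worker.list=Instance1,Instance2,Instance3
worker.Instance1.type=ajp13
worker.Instance1.host=localhost
worker.Instance1.port=8017
worker.Instance2.type=ajp13
worker.Instance2.host=localhost
worker.Instance2.port=8018
worker.Instance3.type=ajp13
worker.Instance3.host=localhost
worker.Instance3.port=8019
"""

# Constructed sample of a uriworkermap.properties file; the patterns and the
# original worker name "cfusion" are assumptions.
BASE_MAP = """\
# constructed sample
/*.cfm = cfusion
/*.cfc = cfusion
/*.cfml = cfusion
"""


def _pairs(text):
    """Yield (key, value) for every non-comment key=value line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def parse_workers(text):
    """Return (names in worker.list, {worker: {property: value}})."""
    listed, props = [], {}
    for key, value in _pairs(text):
        if key == "worker.list":
            listed += [w.strip() for w in value.split(",") if w.strip()]
        elif key.startswith("worker.") and key.count(".") >= 2:
            _, name, prop = key.split(".", 2)
            props.setdefault(name, {})[prop] = value
    return listed, props


def retarget_map(text, worker):
    """Steps 4.1/4.2: copy the map and point every URI pattern at `worker`."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            out.append(f"{line.split('=', 1)[0].strip()} = {worker}")
        else:
            out.append(raw)  # keep comments and blank lines as they are
    return "\n".join(out) + "\n"


def check_isolation(workers_text, vhost_maps):
    """vhost_maps: {vhost: (expected worker, map file text)} -> list of problems."""
    listed, props = parse_workers(workers_text)
    problems, endpoints = [], {}
    for vhost, (worker, map_text) in vhost_maps.items():
        if worker not in listed:
            problems.append(f"{vhost}: {worker} missing from worker.list")
        cfg = props.get(worker, {})
        if "host" not in cfg or "port" not in cfg:
            problems.append(f"{vhost}: {worker} has no host/port")
        else:
            endpoint = (cfg["host"], cfg["port"])
            if endpoint in endpoints:  # two sites would reach the same instance
                problems.append(
                    f"{vhost}: shares {endpoint[0]}:{endpoint[1]} with {endpoints[endpoint]}")
            endpoints.setdefault(endpoint, vhost)
        for uri, target in _pairs(map_text):
            if target != worker:
                problems.append(f"{vhost}: {uri} routes to {target}, expected {worker}")
    return problems


if __name__ == "__main__":
    maps = {f"Website{i}": (f"Instance{i}", retarget_map(BASE_MAP, f"Instance{i}"))
            for i in (1, 2, 3)}
    for line in check_isolation(WORKERS, maps) or ["all virtual hosts isolated"]:
        print(line)
```

A map that was copied in step 4.1 but never edited in step 4.2 shows up as one problem line per URI pattern.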

 

ColdFusion 11 Update 10 and ColdFusion 10 Update 21 released

This post is to announce the release of updates for ColdFusion 11 and ColdFusion 10.
These updates address the security vulnerability CVE-2014-3529, mentioned in the bulletin APSB16-30.
ColdFusion 2016 is not affected by this vulnerability.
Refer to the following KB articles for instructions on how to download and install the updates.
ColdFusion 11 Update 10
ColdFusion 10 Update 21

Updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10 released

This article announces the release of updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB16-22.

ColdFusion 2016 Update 2

ColdFusion 2016 Update 2 fixes an important security issue. It also includes some other important fixes related to Language, Security Analyzer, AJAX, document management, SharePoint, CLI, API Manager and a few other areas.

For details, refer to this technote.

ColdFusion Builder 2016 Update 2

ColdFusion Builder 2016 Update 2 (standalone) has been upgraded from Kepler to Mars. It includes important updates to Security Analyzer, a few bug fixes related to performance and other bug fixes. PhoneGap has been upgraded to 5.2.

For details, refer to this technote.

ColdFusion 11 Update 9

ColdFusion 11 Update 9 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes.

For details, refer to this technote.

ColdFusion 10 Update 20

ColdFusion 10 Update 20 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes.

For details, refer to this technote.

 

Applying update on a ColdFusion instance running with a non-admin user

You may run into issues if you are using a non-administrator user account to install ColdFusion updates manually, or if an installation is attempted from the ColdFusion administrator console when the ColdFusion service is running with a non-administrator account. In such cases, the update may not install successfully and may complete with errors.

The Windows user account used by the ColdFusion service should have the privileges to start and stop the ColdFusion service. The updater needs to stop the ColdFusion service, so that it can replace the class files used by the service. After the update is installed, the updater starts up the ColdFusion service. Similarly if the updater packages any updates related to the other ColdFusion services, such as ColdFusion Add-On/Jetty service or ColdFusion .NET service or ColdFusion ODBC service, it would stop and start these services as well.

To avoid running into the issue above, one can take either of the following 2 approaches: 

 – Stop the ColdFusion service manually before running the updater jar. Restart the service, once the update is installed. This, of course, would need to be done every time you install an update; or

 – Assign the ColdFusion user account the privileges to start/stop the service. This would be a one-time fix.

If you are using Windows 2003 server or XP, you can follow this blog post to assign start/stop privileges to the ColdFusion service user account. But if you are on a later edition of Windows, such as Windows 7 or Windows 2012 server, you can keep on reading.

Windows Service Controller command can be used to set permissions on a Windows service. We will be using the following 2 variants of the command :

SDSHOW : To display the permissions on a service. 

syntax : sc [<ServerName>] sdshow <ServiceName>

SDSET : To set the permissions on a service.

syntax : sc [<ServerName>] sdset <ServiceName> <ServiceSecurityDescriptor>

The security descriptors in the syntax above are represented by what is known as "Security Descriptor Definition Language" (SDDL). An SDDL descriptor has its own syntax and formatting conventions which, at first, may seem a bit intimidating, and I might add, somewhat bland. But we will just dwell on the elementary details that are relevant to our purpose. If you want to get into the nuances of the language, you can check out the resources referenced at the end of this post.

Before modifying the permissions on a service, it would be a good idea to view the permissions first. To do that, run the following command:

sc SDSHOW "ColdFusion 2016 Application Server"

You can find out the name of the service from the service properties in the Services window. The output should be something similar to the following :

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;SU)

I'll break down the output above into subsections and try to describe them.

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;SU)

The prefix D is for discretionary access control list (DACL) permissions. It identifies users or groups that are allowed or denied access to a secured object.

S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The prefix S is for system access control list (SACL) which controls how access is audited. It enables administrators to log attempts to access a secured object in security event logs. This section is not pertinent to our interest, and hence will not be discussed further. 

Each segment enclosed by parentheses such as "(A;;CCLCSWRPWPDTLOCRRC;;;SY)", is an ACE or "Access Control Entry". It describes the permissions to a specific user or group.

The first letter in the ACE specifies the ACE type. 'A' here denotes "Allow". Similarly a 'D' would denote "Deny".

The next set of letters ("CCLCSWRPWPDTLOCRRC") denote the permissions. It is a combination of sets of 2 letters that specify the nature of permission. I'll list out the components below :

CC : SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration

DC : Delete All Child Objects

LC : SERVICE_QUERY_STATUS

SW : SERVICE_ENUMERATE_DEPENDENTS

RP : Read all properties

WP : Stop the service

DT : SERVICE_PAUSE_CONTINUE

LO : SERVICE_INTERROGATE

CR : SERVICE_USER_DEFINED_CONTROL

SD : Delete

RC : READ_CONTROL – read the security descriptor on this service.

WD : Modify permissions

WO : Modify owner

 

The last code in ACE denotes the trustee. Some of the values it can take are:

SY : Local system

BU : Built-in users

IU : Interactively logged-on user

BA : Built-in administrators

If the intent is to modify the permission for a specific user and not a group, then you should rather use the SID associated with that user account. Suppose the ColdFusion Application service is running with a non-administrator account called "cfuser". To get the security identifier (SID) for "cfuser" account, you can execute the following WMIC command :

wmic useraccount where name='cfuser' get sid

That should output something similar to the following:

SID

S-1-5-21-464414946-3681088821-1826911322-1510

To enable start/stop permission for "cfuser" on ColdFusion Application service, you can use the output generated in the SDSHOW command and append an ACE element for "cfuser" with the desired permission set, as follows : 

SC SDSET "ColdFusion 2016 Application Server" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-464414946-3681088821-1826911322-1510)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

And, of course, you should run the command with administrator privileges.

If you are using other ColdFusion services, such as ColdFusion Add-on Services, ColdFusion .NET Service, ODBC Agent and ODBC server, you can follow the same steps as above to change permissions to them.
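
Editing a descriptor by hand is error-prone, because the new ACE has to land inside the DACL, ahead of the S: section. The following is an added example, not part of the original post: it parses the descriptor printed by SDSHOW, reports what a trustee is allowed to do, and builds the SDSET argument with the extra ACE. The rights table gives the meaning each two-letter code has on a service object (RP is start, WP is stop); the descriptor and SID are the sample values from this post, and the function names are hypothetical.

```python
import re

# Meaning of each two-letter rights code when the secured object is a service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# The descriptor from the SDSET command above with the cfuser ACE taken out,
# i.e. the state before the change.
BEFORE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
CFUSER_SID = "S-1-5-21-464414946-3681088821-1826911322-1510"  # sample SID from the post


def split_rights(rights):
    """'RPWPCR' -> ['RP', 'WP', 'CR']; rejects codes that are not in the table."""
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    if any(code not in SERVICE_RIGHTS for code in codes):
        raise ValueError(f"unrecognised rights string: {rights!r}")
    return codes


def split_sddl(sddl):
    """Split 'D:...S:...' (the form sc sdshow prints) into DACL and SACL text."""
    sddl = sddl.strip()
    if not sddl.startswith("D:"):
        raise ValueError("expected the descriptor to start with D:")
    cut = sddl.find("S:", 2)  # ACE fields never contain a colon
    return (sddl, "") if cut == -1 else (sddl[:cut], sddl[cut:])


def parse_dacl(sddl):
    """Return one dict per ACE in the DACL: type, rights codes, trustee."""
    dacl, _ = split_sddl(sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append({"type": fields[0], "rights": split_rights(fields[2]),
                     "trustee": fields[5]})
    return aces


def effective_rights(sddl, trustee):
    """Rights allowed to this exact trustee, minus denied ones.
    Group membership is not resolved."""
    allowed, denied = set(), set()
    for ace in parse_dacl(sddl):
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "A":
            allowed.update(ace["rights"])
        elif ace["type"] == "D":
            denied.update(ace["rights"])
    return sorted(SERVICE_RIGHTS[code] for code in allowed - denied)


def grant(sddl, sid, rights="RPWPCR"):
    """Return the descriptor with an Allow ACE for `sid` at the end of the DACL."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a SID: {sid!r}")
    wanted = set(split_rights(rights))
    for ace in parse_dacl(sddl):
        if ace["type"] == "A" and ace["trustee"] == sid and wanted <= set(ace["rights"]):
            return sddl.strip()  # already granted, do not add a duplicate ACE
    dacl, sacl = split_sddl(sddl)
    return f"{dacl}(A;;{rights};;;{sid}){sacl}"


if __name__ == "__main__":
    after = grant(BEFORE, CFUSER_SID)
    print(f'sc sdset "ColdFusion 2016 Application Server" {after}')
    print(effective_rights(after, CFUSER_SID))
```

Running the result of SDSHOW through effective_rights after the change confirms that the account received only start, stop and user-defined control, and nothing that lets it reconfigure the service.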

 

References:

https://msdn.microsoft.com/en-in/library/windows/hardware/ff563667(v=vs.85).aspx

The Security Descriptor Definition Language of Love (Part 2)