ColdFusion 10 Server Lockdown Guide

The server lockdown guide for ColdFusion 10 is now available on the Adobe website. The ColdFusion 10 Server Lockdown Guide will help server administrators secure their ColdFusion 10 installations. You will also find several tips and suggestions intended to improve the security of your ColdFusion server. 

You can access the lockdown guide here.

20 thoughts on “ColdFusion 10 Server Lockdown Guide

  1. Thank you for getting this published and to Pete Freitag for another great lockdown guide.

    I do have two observations that I think should be clarified in the guide Section 4.1.6 and 4.2.6.

    Section 4.1.6 doesn’t list any steps on how to change the JVM on Windows and leaves the reader to figure it out by referring to 4.2.6. Please list the steps or direct the reader to 4.2.6.

    Section 4.2.6 says to use /usr/java/latest, but that could be problematic if the system has Java 7 installed into /latest since it is not yet supported on ColdFusion 10 or 9. Any update as to when it will be?

    I understand the reasoning to point to /latest but think a note should added to check it is Java 6. Also a reference to http://helpx.adobe.com/coldfusion/kb/upgrading-java-coldfusion.html would also be helpful.

  2. I do have another observation, question. It says to compare the MD5 checksum with the one on the Adobe download page. Unfortunately, there is no MD5 checksum on the Adobe ColdFusion download page. I cannot get CF10 to install on my Mac OSX (CF 9 installed fine) to save my life.

  3. If you have several IIS servers it’s easier to edit the web.config on your web root vs using the IIS IDE.

    Below is an example of a web.config. I did not include /CFIDE/scripts or /CFIDE/Graphdata.

    If you do move the scripts directory as suggested make sure you update it as each update comes out.

  4. Thanks for a great guide.

    Are you sure about this statement:

    “It is not possible using request filtering to deny the URI /CFIDE but then allow /CFIDE/GraphData.cfm for example.”

    Because I have all my server setup exactly that way and it is working for me. (Win 2008 R2 + IIS 7.5)

  5. @Sumit,

    I tried with with IIS 7.5 and when I tested it it did not seem to work. I did see an article that made it look that it worked.

    Can you post your web.config(s) as it relates to this.

    Thanks.

  6. I always do it at the server level, so, it’s not in the web.config file. It gets written in applicationHost.config. But, here is the snipit: The key is having allow sequence after the deny sequence.

  7. Not sure about the folder permissions on pages 41 & 42. 41 talks about full control for cfusion user on the cf install directory. 42 talks about read for the iisservice account for /wsconfig/ but then the chart shows full control for coldfusion install directory twice but no user account is referenced.

  8. Got the previous worked out I think but now getting 404 errors on pages that do exist.

    domain.com/ (which loads index.cfm) works fine

    domain.com/index.cfm (or any .cfm file) gives a 404.

    domain.com/whatever.htm works fine.

  9. It would be pretty amazing if we could turn the CF Documentation into a community editable wiki and stuff like this could be managed there too so that new security techniques can be perpetually added by the community.

    The quality and clarity of the CF docs would shoot up 1000% if you let the people in the community that have the resources to do so manage and edit them, we’d love to help.

    Just an idea. Thanks!

  10. Are there errors in the lockdown guide?

    1) It says to create the cfadmin directory, but then it doesn’t say anything about copying anything to it. Are you supposed to copy what’s under the Coldfusion cfusionwwwroot to your new cfadmin folder? If you do, will the updates then fail since it does not know where the actual CFIDE is or do you have to copy it over again after each update.

    2) Moving the CFIDE appears to break the updates, the accordions are gone and when I click on “Download” nothing happens though the rest of the administrator appears to work.

  11. Is there a release of the lockdown guide for Windows Server 2012. There are enough differences between 2008 and 2012 that I’m concerned about errors running or updating CF in the future.

  12. Just finished a CF10/Windows Server 2012 installation and have the same question as Jim.

    At “2.2.9 Create a Website For ColdFusion Administrator” you are instructed to create a web site in IIS for the CF Admin.

    Nothing else that I can find points to what is done with this website.

    What am I missing?

  13. You create a locally accessible CFAdmin website, so you can remove the exclusions that are defaulted server wide to all your other websites.

    Then to access that website expand the folder on the left to CFIDE and highlight the administrator folder, then on the right side click run website, then when you are promtped with the ssl warning say continue, and then you can access cfadmin locally, but not publicly.

  14. Setting up a new CF10 server and either I’m reading the PDF wrong or there’s something not right here. On pages 29-30 – the chart for permissions on the coldfusion home folder.

    I removed all inherited permissions and setup exactly what the PDF says:

    {coldfusion-home} Administrators and cfusion user full control
    {coldfusion-home}/config/wsconfig/
    and
    {coldfusion-home}/cfusion/wwwroot/CFIDE

    IUSR and the IIS service account (iisservice) list & read

    When I open administrator now I get a 401.3 unauthorized (ACL) and the file throwing the error was isapi_redirect.dll

    When I put the inherited permissions back in place, it works fine.

  15. I’ve followed the lockdown guide using CF 10 on a Win 2012 Server with IIs 8. I can’t get Webdav to be working, is there any explaination of this? Have done the settings correctly in IIS according to guides provided by Microsoft. But maybe some of the lockdown steps will disable webdav? What is the best practice for uploading files from a client to a webserver? We must use this for our developers, would avoid FTP.

  16. Hi Kjetil,

    I don’t know if webdav is the best solution for uploading files, you might consider running a SFTP or FTPS server instead.

    You will need to make sure that the IIS Application pool identity has permission to write to the web content, you also need to make sure that the HTTP verbs are not restricted, webdav uses several HTTP verbs to operate.

  17. The CF10 lockdown instructions have at least one small issue. It provides the following instructions to make sure that Apache and mod_jk can talk to each other:

    setsebool httpd_can_network_connect 1

    While this is definitely needed, the above does not persist the change, so as soon as you reboot the server, the setting is lost.

    You need to add the persist flag:

    setsebool -P httpd_can_network_connect 1

Leave a Reply

Your email address will not be published. Required fields are marked *