Applying Updates on a Locked down ColdFusion 10 Server

Note: This is valid from
Hotfix 9 onwards.

Depending on the user account that you have used to Lock down your server, you might need to consider the following few more steps for providing appropriate permissions to be able to apply the updates from ColdFusion Administrator.

Hotfix
needs two things to be installed properly from ColdFusion Administrator.

The user that is configured for ColdFusion Service should be permitted to
Start/Stop the service. More on this to setup is explained below.

Setting up the ColdFusion Service user:

Down load and Install Windows tool named SubInACL.exe (Installer name is SubInACL.msi)
to give service start/stop permissions from

http://www.microsoft.com/en-us/download/confirmation.aspx?id=23510

Once you install it, the tool subinacl.exe gets installed
under

C:Program Files (x86)Windows Resource KitsTools

Then, run the tool as follows from command prompt by
replacing <MachineName> and <username> with your username and machine
name.

a)
For machine’s local user

C:Program Files (x86)Windows Resource KitsTools>subinacl.exe /service “\<MachineName>ColdFusion 10
Application Server” /grant=<username>=TO

b) If the user is a Domain user you have to replace <Domainname> as well along
with <MachineName>, <username> in the following command.

C:Program Files (x86)Windows Resource KitsTools>subinacl.exe /service “\<MachineName>ColdFusion 10
Application Server” /grant=<Domainname><username>=TO

More details on this are explained in the below
resource.

http://support.microsoft.com/default.aspx?scid=kb;en-us;288129

This is a one-time setup that you have to do.

Once this is done -> Restart ColdFusion service
-> Open ColdFusion server Administrator -> Apply Update  -> You
should be able to apply the Hotfix successfully now.

Normal
0

false
false
false

EN-US
X-NONE
X-NONE

 

9 thoughts on “Applying Updates on a Locked down ColdFusion 10 Server

  1. I have to say, this just isn’t a very good solution is it?! Yet again I’m left disappointed…

    There are very frequent security updates, I’m not sure if that’s a good or bad thing. I’d like there to be no patches needed because it was solid first time eh.

    But to then have a lockdown guide that if you follow it, breaks your ability to upload future security patches – isn’t really so secure. I just wish it was a bit better.

    You talk about roadmaps and new features and things, and honestly I can’t think of anything needed. There’s been a lot of talk about this already, but we don’t need anything new – we need what we have to be inherently secure out the box, and for vulnerabilities to be banished. Then CF would be great – right now it doesn’t inspire confidence.

  2. Thanks much for the feedback Henry.
    Security lock down guide mentions about the “detailed permission structure for the ColdFusion installation directory” for be able to apply Hot fixes. And here in this blog we are trying to tell you those particulars. Secondly, the permissions mentioned are only for the service account user.
    I believe this is not negation of lock down guide but it is elaboration.

    Many of these things depend on the end-user’s environment.
    However, as you suggested, where ever possible we will improve to have them
    in-built possibly in the installer.

    Thanks,
    Krishna

  3. Hi Krishna,

    This blog post has been helpful – thanks!

    Note to others: don’t do these steps on Windows:

    1) install CF per Lockdown Guide
    2) install latest CF update per Lockdown Guide
    3) change CF service user per Lockdown Guide
    4) uninstall latest CF update via CF Admin
    5) See CF won’t start anymore =P (maybe CF should handle this scenario more gracefully..)

    Note: I intentionally did step #4, before running SubInACL_exe, just to see what would happen.

    Suggestion: Maybe the Lockdown Guide should mention SubInACL_exe?

    @Debbie Folks-Huber, FWIW I’ve verified SubInACL_exe is necessary/works on Windows Server 2012 R2

    Thanks!,
    -Aaron

  4. @Krishna please make sure that this information is included in the Adobe ColdFusion lock down guides. I am referring to the current ones, not only future ones. They need to be updated.

  5. Another disappointment… A user posted a question on StackOverflow as to why he could not update his ColdFusion installation after performing the lock down steps. He found out that the ColdFusion administrator’s update page relies on the /CFIDE/scripts directory to function (a-la the cfform tag). Since the lock down guide suggests denying any requests to that URI the update page was failing. He had to allow access in order to use the update feature. Here is a link to the post: http://stackoverflow.com/q/30205018/1636917

    This is not good! The update feature should not require exposing that URI. This should be changed. The user was on ColdFusion 11.

  6. ColdFusion 11’s Hotfix 8 and ColdFusion 2016’s Hotfix 1 contains the fix to take care of directory permissions even when lockdown is applied.
    While the hotfix is applied, permissions would be changed by the hotfix installer and are restored back after the hotfix installation which were set as per the lockdown guide.
    Service account permissions, you still have to take care as it can be set only by the admin account.

Leave a Reply

Your email address will not be published. Required fields are marked *