ColdFusion 10 Server Lockdown Guide

November 28, 2012 / Rakshith Naresh 13 Comments


The server lockdown guide for ColdFusion 10 is now available on the Adobe website. The ColdFusion 10 Server Lockdown Guide will help server administrators secure their ColdFusion 10 installations. You will also find several tips and suggestions intended to improve the security of your ColdFusion server. 

You can access the lockdown guide here.


13 comments so far

  • 1 David Epler // Nov 28, 2012 at 7:59 AM
    Thank you for getting this published and to Pete Freitag for another great lockdown guide.

    I do have two observations that I think should be clarified in the guide, Sections 4.1.6 and 4.2.6.

    Section 4.1.6 doesn't list any steps on how to change the JVM on Windows and leaves the reader to figure it out by referring to 4.2.6. Please list the steps or direct the reader to 4.2.6.

    Section 4.2.6 says to use /usr/java/latest, but that could be problematic if the system has Java 7 installed into /latest since it is not yet supported on ColdFusion 10 or 9. Any update as to when it will be?

    I understand the reasoning to point to /latest but think a note should be added to check that it is Java 6. A reference to http://helpx.adobe.com/coldfusion/kb/upgrading-java-coldfusion.html would also be helpful.
  • 2 Phil // Nov 29, 2012 at 7:21 AM
    I do have another observation/question. It says to compare the MD5 checksum with the one on the Adobe download page. Unfortunately, there is no MD5 checksum on the Adobe ColdFusion download page. I cannot get CF10 to install on my Mac OSX (CF 9 installed fine) to save my life.
  • 3 Mike Collins // Nov 29, 2012 at 11:36 AM
    If you have several IIS servers it's easier to edit the web.config on your web root vs using the IIS IDE.

    Below is an example of a web.config. I did not include /CFIDE/scripts or /CFIDE/Graphdata.

    If you do move the scripts directory as suggested make sure you update it as each update comes out.


    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <denyUrlSequences>
              <add sequence="/CFIDE/administrator" />
              <add sequence="/CFIDE/adminapi" />
              <add sequence="/CFIDE/AIR" />
              <add sequence="/CFIDE/appdeployment" />
              <add sequence="/CFIDE/classes" />
              <add sequence="/CFIDE/componentutils" />
              <add sequence="/CFIDE/debug" />
              <add sequence="/CFIDE/images" />
              <add sequence="/CFIDE/multiservermonitor-access-policy.xml" />
              <add sequence="/CFIDE/orm" />
              <add sequence="/CFIDE/portlets" />
              <add sequence="/CFIDE/probe.cfm" />
              <add sequence="/CFIDE/scheduler" />
              <add sequence="/CFIDE/ServerManager" />
              <add sequence="/CFIDE/services" />
              <add sequence="/CFIDE/websocket" />
              <add sequence="/CFIDE/wizards" />
              <add sequence="/CFIDE/main" />
            </denyUrlSequences>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>
  • 4 Sumit Verma // Nov 29, 2012 at 11:46 AM
    Thanks for a great guide.

    Are you sure about this statement:

    "It is not possible using request filtering to deny the URI /CFIDE but then allow /CFIDE/GraphData.cfm for example."

    Because I have all my servers set up exactly that way and it is working for me. (Win 2008 R2 + IIS 7.5)
  • 5 Mike Collins // Nov 29, 2012 at 1:57 PM
    @Sumit,

    I tried with IIS 7.5 and when I tested it, it did not seem to work. I did see an article that made it look like it worked.

    Can you post your web.config(s) as they relate to this?

    Thanks.
  • 6 Sumit Verma // Nov 29, 2012 at 2:09 PM
    I always do it at the server level, so it's not in the web.config file. It gets written in applicationHost.config. But, here is the snippet: The key is having the allow sequence after the deny sequence.

    <denyUrlSequences>
      <add sequence="/CFIDE/" />
    </denyUrlSequences>
    <alwaysAllowedUrls>
      <add url="/CFIDE/GraphData.cfm" />
    </alwaysAllowedUrls>
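A way to check which request paths the filtering rules in comments 3 and 6 would stop, as an added example that is neither the commenters' configuration nor part of the lockdown guide. It parses the requestFiltering section with Python's standard library and evaluates paths against a simplified model of IIS request filtering that is my assumption (case-insensitive substring match for denyUrlSequences, case-insensitive exact path match for alwaysAllowedUrls); the embedded web.config is a constructed sample, and the same functions accept the longer deny list from comment 3.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config in the shape the comments above describe.
WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/CFIDE/" />
        </denyUrlSequences>
        <alwaysAllowedUrls>
          <add url="/CFIDE/GraphData.cfm" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

def load_rules(xml_text):
    """Return (deny_sequences, always_allowed_urls) from a web.config string."""
    root = ET.fromstring(xml_text)
    deny = [a.get("sequence") for d in root.iter("denyUrlSequences")
            for a in d.findall("add")]
    allow = [a.get("url") for d in root.iter("alwaysAllowedUrls")
             for a in d.findall("add")]
    return deny, allow

def is_blocked(path, deny, allow):
    """Simplified model (my assumption, not IIS code): case-insensitive, deny
    sequence matches anywhere in the path, exact always-allowed URL wins."""
    p = path.lower()
    if any(p == url.lower() for url in allow):
        return False
    return any(seq.lower() in p for seq in deny)

def audit(xml_text, paths):
    """Map each request path to True (blocked) or False (passed through)."""
    deny, allow = load_rules(xml_text)
    return {path: is_blocked(path, deny, allow) for path in paths}

if __name__ == "__main__":
    # Paths an administrator would expect to be blocked, plus the exception.
    for path, blocked in audit(WEB_CONFIG, [
        "/CFIDE/administrator/index.cfm", "/cfide/ADMINAPI/",
        "/CFIDE/GraphData.cfm", "/index.cfm",
    ]).items():
        print(f"{'BLOCKED' if blocked else 'allowed'}  {path}")
```

Run it against the real applicationHost.config or web.config and a list of paths your applications need, and confirm the result on the server itself, since this model does not reproduce IIS path normalisation.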
  • 7 Alex Smersi // Dec 1, 2012 at 1:31 AM
    @Rakshith,

    Thank you for another great lockdown guide.

    Is it possible to generate the ColdFusion 10 Server Lockdown Guide PDF in portrait orientation instead of landscape?

    Thanks.
  • 8 Steve // Dec 4, 2012 at 5:45 PM
    Not sure about the folder permissions on pages 41 & 42. Page 41 talks about full control for the cfusion user on the CF install directory. Page 42 talks about read for the iisservice account for /wsconfig/, but then the chart shows full control for the ColdFusion install directory twice and no user account is referenced.
  • 9 Steve // Dec 10, 2012 at 4:33 AM
    Got the previous worked out I think but now getting 404 errors on pages that do exist.

    domain.com/ (which loads index.cfm) works fine

    domain.com/index.cfm (or any .cfm file) gives a 404.

    domain.com/whatever.htm works fine.
  • 10 David McGuigan // Feb 8, 2013 at 9:27 AM
    It would be pretty amazing if we could turn the CF Documentation into a community editable wiki and stuff like this could be managed there too so that new security techniques can be perpetually added by the community.

    The quality and clarity of the CF docs would shoot up 1000% if you let the people in the community that have the resources to do so manage and edit them; we'd love to help.

    Just an idea. Thanks!
  • 11 Steve // Feb 8, 2013 at 9:50 AM
    @David - that would be a fantastic idea.
  • 12 Jim // May 16, 2013 at 7:34 AM
    Are there errors in the lockdown guide?

    1) It says to create the cfadmin directory, but then it doesn't say anything about copying anything to it. Are you supposed to copy what's under the ColdFusion cfusion\wwwroot to your new cfadmin folder? If you do, will the updates then fail since it does not know where the actual CFIDE is, or do you have to copy it over again after each update?

    2) Moving the CFIDE appears to break the updates, the accordions are gone and when I click on "Download" nothing happens though the rest of the administrator appears to work.
  • 13 YASHAS R R // May 23, 2013 at 7:19 AM
    Hi Jim,

    I am not sure which subsection of the lockdown guide you are talking about. But if you are talking about creating a site in IIS, you need not copy the contents present inside cfusion\wwwroot to your IIS root. Just put your application files inside the IIS root and everything should work fine. No need to move the CFIDE directory or anything else.

    Regards,
    YASHAS R R
    ADOBE CF TEAM
