ColdFusion 11 Lockdown Guide Pete Freitag
Adobe documentation - Confidential Next select only the Sub-components which are required for your application(s). Check each servlet that is not need
Select the Built-in web server, we will run the web server configuration utility later in this guide to connect Col
For Administrator Credentials, select a unique username (not admin) and a strong password.
Install ColdFusion Hotfixes and Updates Login to the ColdFusion administrator via the built-in web server. For exa
Create User Accounts Create a Windows user account (in Computer Management) for ColdFusion to run as. In this guide
Next create a user for the IIS Application pool identity. For each user created in this section right click and sel
Setup Permissions for ColdFusion User Grant the user you created for ColdFusion to run as (cfuser in our example)
For maximum security you should consider a more detailed permission structure for the ColdFusion installation di
Folder Principal Permission {cf.root}/config/wsconfig/ IUSR, iisuser Read & execute List folder contents Read {
ColdFusion service, for example ColdFusion 11 Application Server. Right click on each key and select Permissions an
Contents Introduction ...
Specify Log On User for ColdFusion Services Open the Services Manager and change the user the service runs as to
Setup Web Root Permissions Right click on the web site partition folder (eg d:\web-sites\), and select Properties.
Principal (User / Group) Permissions IUSR (the anonymous authentication account) Read & execute List folder con
Check Replace all child object permission entries with inheritable permission entries from this object and click O
• Application Development: ISAPI Filters • Management Tools: IIS Management Console If you use WebSockets you shou
Configure IIS Open IIS, expand Sites and remove any sites that you do not need, for example the Default Web Site.
Table 2.10.1 : CFIDE URIs URI Purpose Safe to Block /CFIDE/administrator ColdFusion Administrator Yes, we will cre
URI Purpose Safe to Block /CFIDE/multiservermonitor-access-policy.xml Used to set a policy for allowing viewing the
URI Purpose Safe to Block /CFIDE/services Contains CFCs that can act as a service layer to Flex, or other client si
Run the ColdFusion Web Server Configuration Tool ...
URI Purpose Safe to Block /flex2gateway Flex Remoting Only if Flex Remoting is not used. /cfform-internal Used for
Configure Application Pool Defaults Click on Application Pools, remove any unused or unnecessary Application Pools
Create ColdFusion Administrator Web Site In this section we will create an IIS site which will be used exclusively
Click the Test Settings… button to verify that permissions are set up correctly. Consider disabling anonymous acces
If you blocked /CFIDE globally in section 2.10, add request filtering rules to block all the /CFIDE URIs except /C
Run the ColdFusion Web Server Configuration Tool Right click on wsconfig.exe, located in {cf.instance.root}/runt
Sites that use the ColdFusion WebSocket proxy must change the .NET Framework Version in Application Pool Settings
Add IP Restrictions to /CFIDE In IIS expand the ColdFusion Administrator site you created and select the CFIDE fol
Before editing, create a backup of the jvm.config file located in the {cf.instance.root}/bin/ directory. Open the
ColdFusion on Linux This section covers installation of ColdFusion on Linux with Apache, Windows/IIS readers may s
Server Settings > Mappings ...
# adduser -g webusers -s /sbin/nologin -M -c ColdFusion cfuser Specify a strong password for the new user: # pass
Click on Server Updates > Updates and then select the latest hotfix, and click Download. Verify the integrity
# fgrep LoadModule /etc/httpd/conf/httpd.conf Some modules that you may be able to remove (or comment out by plac
SELinux requires permissions to allow apache to read the web root, we will copy the permissions from /var/www (the
<Context path="/" docBase="/opt/cf11/cfusion/wwwroot" WorkDir="/opt/cf11/cfusio
RedirectMatch 404 (?i).*/WSRPProducer.* Restart apache and test URIs that should be blocked. Specify permission
/opt/coldfusion10/config/wsconfig/1/mod_jk.so: failed to map segment from shared object: Permission denied If you
Next we will use the semanage utility (you may need to run yum install policycoreutils-python) to add port 8014 to
# /usr/bin/htdigest -c /etc/httpd/cfadmin.digest.pwd cfadmins petefreitag The above command will create or overwri
To update using ColdFusion Administrator: click on Server Settings > Java and JVM and then add /usr/java/latest/
Optionally Remove ASP.NET ...
ColdFusion Administrator Settings In this section several recommendations are made for ColdFusion server settings.
Setting Default Recommendation Description Prefix serialized JSON with Unchecked: // Checked: // This setting helps
Setting Default Recommendation Description Watch configuration files for changes (check every N seconds) Unchecked
Setting Default Recommendation Description Default ScriptSrc Directory /CFIDE/scripts/ /somewhere-else/ See section
Setting Default Recommendation Description Maximum number of POST request parameters 100 50 or as low as your appli
Server Settings > Request Tuning The Request Tuning settings can help mitigate the ability to perform a succes
Setting Default Recommendation Description Maximum number of simultaneous CFC function requests 15 1 if not using R
Setting Default Recommendation Description Default Storage Mechanism for Client Sessions Cookie None / Cookie If ap
Setting Default Recommendation Description Cookie Timeout 1440 Minutes -1 By setting to -1 ColdFusion will set the
Setting Default Recommendation Description Enable WebSocket Service Unchecked Unchecked if not needed. Disable the
Introduction The ColdFusion 11 Server Lockdown Guide is written to help server administrators secure their ColdFus
Data & Services > PDF Service If the PDF Service is used to generate PDFs containing sensitive data ensure
Setting Default Recommendation Description Maximum number of archives 10 Larger When a log file reaches the Maxi
Security > Administrator Setting Default Recommendation Description ColdFusion Administration Authentication Se
Security > Allowed IP Addresses Setting Default Recommendation Description Allowed IP Addresses for Exposed S
Setting Default Recommendation Description Check for Updates every N days Unchecked Checked Setup email alerts to b
Additional Lockdown Measures The steps outlined in this section can provide additional security but may require s
To Configure the Builtin Web Server to listen on a single IP Address By default the connector will listen on all
Consider adding additional URIs to this file (see table 2.10.1 and 2.10.2), also consider restricting all of /CF
Blocking by File Extension on IIS Click on the root node of IIS and then double click Request Filtering. Click on
<Server port="8007" shutdown="SHUTDOWN"> Change 8007 to -1 to disable this feature, or to
ColdFusion on Windows This section covers the installation and configuration of ColdFusion 11 on a Windows 2012 se
All JEE web applications have a file in the WEB-INF directory called web.xml; this file defines the servlets and ser
Servlet Mapping Servlet Purpose *.cfml *.CFML *.Cfml CfmServlet Handles execution of CFML contained in files with t
Servlet Mapping Servlet Purpose /rest/* CFRestServlet Used for rest web services *.hbmxml CFForbiddenServlet Used
The files located in {cf.instance.home}/runtime/conf/ contain important configuration files utilized by the Tomcat
<web-resource-name>POST ONLY SSL</web-resource-name> <url-pattern>
Patch Management Procedures Staying up to date with patches is essential to maintaining security on the server. T
Appendix A: Sources of Information A.1 - Microsoft Security Compliance Management Toolkit: http://www.microsoft.co
© 2014 Adobe Systems Incorporated. All rights reserved. Adobe documentation. This guide is licensed for use under t
Run the installer exe. On the Installer Configuration view select Server configuration unless you are deploying to
Select Production Profile + Secure Profile, and specify IP addresses which may access ColdFusion Administrator. T