MACROMEDIA COLDFUSION 5 - INSTALLING AND CONFIGURING SERVER Technical information

Browse online or download technical information for MACROMEDIA COLDFUSION 5 - INSTALLING AND CONFIGURING SERVER servers. MACROMEDIA COLDFUSION 5 - INSTALLING AND CONFIGURING SERVER System information User manual


Summary of contents

Page 1 - Pete Freitag

ColdFusion 11 Lockdown Guide Pete Freitag

Page 2 - Contents

Adobe documentation - Confidential Next select only the Sub-components which are required for your application(s). Check each servlet that is not need

Page 3

Select the Built-in web server; we will run the web server configuration utility later in this guide to connect Col

Page 4

For Administrator Credentials, select a unique username (not admin) and a strong password.

Page 5

Install ColdFusion Hotfixes and Updates Log in to the ColdFusion Administrator via the built-in web server. For exa

Page 6 - Introduction

Create User Accounts Create a Windows user account (in Computer Management) for ColdFusion to run as. In this guide

Page 7 - ColdFusion on Windows

Next, create a user for the IIS Application Pool identity. For each user created in this section, right-click and sel

Page 8

Setup Permissions for ColdFusion User Grant the user you created for ColdFusion to run as (cfuser in our example)

Page 9

For maximum security you should consider a more detailed permission structure for the ColdFusion installation di

Page 10

Folder Principal Permission {cf.root}/config/wsconfig/ IUSR, iisuser Read & execute List folder contents Read {

Page 11

ColdFusion service, for example ColdFusion 11 Application Server. Right-click on each key and select Permissions an

Page 12

Contents Introduction ...

Page 13

Specify Log On User for ColdFusion Services Open the Services Manager and change the user the service runs as to

Page 14 - Create User Accounts


Page 15

Setup Web Root Permissions Right-click on the web site partition folder (e.g. d:\web-sites\), and select Properties.

Page 16

Principal (User / Group) Permissions IUSR (the anonymous authentication account) Read & execute List folder con

Page 17

Check Replace all child object permission entries with inheritable permission entries from this object and click O

Page 18

• Application Development: ISAPI Filters • Management Tools: IIS Management Console If you use WebSockets you shou

Page 19

Configure IIS Open IIS, expand Sites and remove any sites that you do not need, for example the Default Web Site.

Page 20

Table 2.10.1 : CFIDE URIs URI Purpose Safe to Block /CFIDE/administrator ColdFusion Administrator Yes, we will cre

Page 21

URI Purpose Safe to Block /CFIDE/multiservermonitor-access-policy.xml Used to set a policy for allowing viewing the

Page 22 - Setup Web Root Permissions

URI Purpose Safe to Block /CFIDE/services Contains CFCs that can act as a service layer to Flex, or other client si

Page 23

Run the ColdFusion Web Server Configuration Tool ...

Page 24

URI Purpose Safe to Block /flex2gateway Flex Remoting Only if Flex Remoting is not used. /cfform-internal Used for

Page 25

Configure Application Pool Defaults Click on Application Pools, remove any unused or unnecessary Application Pools

Page 26 - Configure IIS

Create ColdFusion Administrator Web Site In this section we will create an IIS site which will be used exclusively

Page 27

Click the Test Settings… button to verify that permissions are set up correctly. Consider disabling anonymous acces

Page 28

If you blocked /CFIDE globally in section 2.10, add request filtering rules to block all the /CFIDE URIs except /C

Page 29

Run the ColdFusion Web Server Configuration Tool Right-click on wsconfig.exe, located in {cf.instance.root}/runt

Page 30

Sites that use the ColdFusion WebSocket proxy must change the .NET Framework Version in Application Pool Settings

Page 31

Add IP Restrictions to /CFIDE In IIS expand the ColdFusion Administrator site you created and select the CFIDE fol

Page 32

Before editing, create a backup of the jvm.config file located in the {cf.instance.root}/bin/ directory. Open the

Page 33

ColdFusion on Linux This section covers installation of ColdFusion on Linux with Apache; Windows/IIS readers may s

Page 34 - Add Sites to IIS

Server Settings > Mappings ...

Page 35

# adduser -g webusers -s /sbin/nologin -M -c ColdFusion cfuser Specify a strong password for the new user: # pass

Page 36

Click on Server Updates > Updates and then select the latest hotfix, and click Download. Verify the integrity

Page 37

# fgrep LoadModule /etc/httpd/conf/httpd.conf Some modules that you may be able to remove (or comment out by plac

Page 38

SELinux requires permissions to allow Apache to read the web root; we will copy the permissions from /var/www (the

Page 39 - ColdFusion on Linux

<Context path="/" docBase="/opt/cf11/cfusion/wwwroot" WorkDir="/opt/cf11/cfusio

Page 40 - ColdFusion Installation

RedirectMatch 404 (?i).*/WSRPProducer.* Restart Apache and test URIs that should be blocked. Specify permission

Page 41 - Configure Apache

/opt/coldfusion10/config/wsconfig/1/mod_jk.so: failed to map segment from shared object: Permission denied If you

Page 42

Next we will use the semanage utility (you may need to run yum install policycoreutils-python) to add port 8014 to

Page 43

# /usr/bin/htdigest -c /etc/httpd/cfadmin.digest.pwd cfadmins petefreitag The above command will create or overwri

Page 44

To update using ColdFusion Administrator: click on Server Settings > Java and JVM and then add /usr/java/latest/

Page 45 - Install Apache Connector

Optionally Remove ASP.NET ...

Page 46

ColdFusion Administrator Settings In this section several recommendations are made for ColdFusion server settings.

Page 47

Setting Default Recommendation Description Prefix serialized JSON with Unchecked: // Checked: // This setting helps

Page 48 - Update Java Virtual Machine

Setting Default Recommendation Description Watch configuration files for changes (check every N seconds) Unchecked

Page 49 - Add umask to startup script

Setting Default Recommendation Description Default ScriptSrc Directory /CFIDE/scripts/ /somewhere-else/ See section

Page 50

Setting Default Recommendation Description Maximum number of POST request parameters 100 50 or as low as your appli

Page 51

Server Settings > Request Tuning The Request Tuning settings can help mitigate the ability to perform a succes

Page 52

Setting Default Recommendation Description Maximum number of simultaneous CFC function requests 15 1 if not using R

Page 53

Setting Default Recommendation Description Default Storage Mechanism for Client Sessions Cookie None / Cookie If ap

Page 54

Setting Default Recommendation Description Cookie Timeout 1440 Minutes -1 By setting to -1 ColdFusion will set the

Page 55

Setting Default Recommendation Description Enable WebSocket Service Unchecked Unchecked if not needed. Disable the

Page 56

Introduction The ColdFusion 11 Server Lockdown Guide is written to help server administrators secure their ColdFus

Page 57

Data & Services > PDF Service If the PDF Service is used to generate PDFs containing sensitive data ensure

Page 58 - Server Settings > Mail

Setting Default Recommendation Description Maximum number of archives 10 Larger When a log file reaches the Maxi

Page 59

Security > Administrator Setting Default Recommendation Description ColdFusion Administration Authentication Se

Page 60

Security > Allowed IP Addresses Setting Default Recommendation Description Allowed IP Addresses for Exposed S

Page 61 - Event Gateways > Settings

Setting Default Recommendation Description Check for Updates every N days Unchecked Checked Setup email alerts to b

Page 62 - Security > User Manager

Additional Lockdown Measures The steps outlined in this section can provide additional security but may require s

Page 63

To Configure the Built-in Web Server to listen on a single IP Address By default the connector will listen on all

Page 64

Consider adding additional URIs to this file (see table 2.10.1 and 2.10.2), also consider restricting all of /CF

Page 65

Blocking by File Extension on IIS Click on the root node of IIS and then double click Request Filtering. Click on

Page 66 - Configure Sandbox Security

<Server port="8007" shutdown="SHUTDOWN"> Change 8007 to -1 to disable this feature, or to

Page 67 - Lockdown File Extensions

ColdFusion on Windows This section covers the installation and configuration of ColdFusion 11 on a Windows 2012 se

Page 68 - Optionally Remove ASP.NET

All JEE web applications have a file in the WEB-INF directory called web.xml; this file defines the servlets and ser

Page 69

Servlet Mapping Servlet Purpose *.cfml *.CFML *.Cfml CfmServlet Handles execution of CFML contained in files with t

Page 70

Servlet Mapping Servlet Purpose /rest/* CFRestServlet Used for rest web services *.hbmxml CFForbiddenServlet Used

Page 71

the files located in {cf.instance.home}/runtime/conf/ contain important configuration files utilized by the Tomcat

Page 72

<web-resource-name>POST ONLY SSL</web-resource-name> <url-pattern>

Page 73 - Restricting HTTP Verbs

Patch Management Procedures Staying up to date with patches is essential to maintaining security on the server. T

Page 74 - Limit Request Size

Appendix A: Sources of Information A.1 - Microsoft Security Compliance Management Toolkit: http://www.microsoft.co

Page 75 - Patch Management Procedures

© 2014 Adobe Systems Incorporated. All rights reserved. Adobe documentation. This guide is licensed for use under t

Page 76

Run the installer exe. On the Installer Configuration view select Server configuration unless you are deploying to

Page 77

Select Production Profile + Secure Profile, and specify IP addresses which may access ColdFusion Administrator. T
