Adobe® ColdFusion® 10 Server Lockdown Guide

More documents

Recommendations

Info

URI Purpose Safe to Block /CFIDE/administrator ColdFusion Administrator Yes, we will create a dedicated web site for ColdFusion administrator access. /CFIDE/adminapi Admin API Usually, if the admin api is called from internal CFML code it will still work when the URI is blocked. If the admin api is accessed through a remote cfc function call then use another method to protect this uri (eg IP restriction) /CFIDE/AIR AIR Sync API Usually, unless AIR sync API is used. /CFIDE/appdeployment Yes /CFIDE/classes Contains java applets for cfgrid, cftree, and cfslider /CFIDE/componentutils CFC Documentation viewer Yes /CFIDE/debug Used when debugging is enabled on the server. /CFIDE/images Contains two image files that do not appear to be used anymore Usually, unless java applets are used. Yes Yes 18
CFIDE/multiservermonitoraccess-policy.xml Used to set a policy for allowing viewing the server monitor from multiple domains. /CFIDE/orm Contains interfaces used with ORM. These interfaces do not need to be accessible through the web server. /CFIDE/portlets Contains API for building portlets with JSR-286, JSR- 168 or WSRP. The API does not need to be accessible through the web server. /CFIDE/probe.cfm You can configure probes in the ColdFusion administrator which are used to monitor a URL for failures. This will throw an exception if not run over 127.0.0.1. /CFIDE/scheduler Contains an interface for scheduled task event handlers. Does not need to be accessible through the web server. /CFIDE/scripts Contains javascript and other assets for several ColdFusion features cfform, cfchart, ajax tags, etc. Yes - the server monitor now runs on its own web server on port 5500. Yes Yes Yes, however if you want to use probes you should create a web site that only listens on 127.0.0.1 and remove this block. Yes Yes - we will create a new, non default URI for this folder, and specify the new URI in the ColdFusion administrator. 19
Page 1 and 2: Adobe ColdFusion 10 Server Lockdown
Page 3 and 4: Section 2: Installation Prerequisit
Page 6 and 7: Next create a new user for the IIS
Page 8 and 9: In the Advanced Security Settings D
Page 10 and 11: User / Group Permissions cfusion (Y
Page 12 and 13: Next Click Add Roles, and select th
Page 14 and 15: Review the list of Role Services an
Page 16 and 17: Under Process Model change the Iden
Page 20 and 21: CFIDE/ServerManager Contains the AI
Page 22 and 23: Table 2.2.8.1 : CFIDE URIs Addition
Page 24 and 25: Next click on Sites and Add Web Sit
Page 27 and 28: 2.3 Prerequisites for a RedHat Ente
Page 29 and 30: Create a user for ColdFusion to run
Page 31 and 32: SSLRequireSSL The above requires t
Page 34 and 35: Do not install ColdFusion 10 ODBC S
Page 36 and 37: Select an install directory, a non-
Page 39 and 40: Choose a strong password and unique
Page 41 and 42: Section 4 - Post ColdFusion Install
Page 43 and 44: 4.1.3 Specify Log On User for ColdF
Page 45 and 46: When the ColdFusion IIS connector i
Page 47 and 48: 4.1.8 Remove Unused Handler Mapping
Page 49 and 50: without these settings enabled so y
Page 51 and 52: -bin /usr/sbin/httpd \ -script /etc
Page 53 and 54: # cp jvm.config jvm.config.backup T
Page 55 and 56: connectionTimeout="20000" redirectP
Page 57 and 58: Section 5: ColdFusion Administrator
Page 59 and 60: Setting Default Recommendation Desc
Page 63 and 64: 5.2 Server Settings > Request Tunin
Page 65 and 66: 5.3 Server Settings > Client Variab
Page 69 and 70:
5.8 Debugging & Logging > Debug Out
Page 71 and 72:
5.11 Event Gateways > Settings Sett
Page 73 and 74:
5.15 Security > Allowed IP Addresse
Page 75 and 76:
Section 6: ColdFusion Server Servic
Page 77 and 78:
JWS Files are Java Web Services fil
Page 79 and 80:
If you are not using the cfreport y
Page 81 and 82:
Note: it is important that you do n
Page 83 and 84:
Section 7: Patch Management Procedu
Page 85 and 86:
Appendix B: List of Acronyms Acrony
Page 87:
Written by Pete Freitag For more in
show all

Adobe® ColdFusion® 10 Server Lockdown Guide

Create successful ePaper yourself

Delete template?

Save as template?