Adobe® ColdFusion® 10 Server Lockdown Guide

More documents

Recommendations

Info

Table 2.2.8.1 : CFIDE URIs Additional URI Sequences to consider blocking: URI Purpose Safe to Block Application.cf Block Application.cfc and Application.cfm requests which result in an error when accessed directly. WEB-INF WEB-INF contains configuration data used by the java application server. The Tomcat connector will block this already, but you can block it at the web server level as well. /cfformgateway Used for Only if Flash Forms are not used. /flex2gateway Flex Remoting Only if Flex Remoting is not used. /cfform-internal Used for Only if Flash Forms are not used. /flex-internal Flex Remoting Only if Flex Remoting is not used. Yes Yes 22
URI Purpose Safe to Block /cffileservlet Serves dynamically generated assets. It supports the cfreport, cfpresentation, and cfimage (with action=captcha and action=writeToBrowser) tags /rest Used for CF10 Rest web services support. /WSRPProducer Web Services Endpoint for WSRP. .svn If you use subversion to deploy your ColdFusion applications you can block the .svn folders, which may allow source code disclosure. 2.2.9 Create a Website For ColdFusion Administrator Only if cfreport, cfpresentations and cfimage are not used. Only if CF10 REST web services are not used. Usually, unless WSRP is used. First create a self signed certificate (or preferably utilize a certificate from a trusted certificate authority) by clicking on the Server Certificates icon under the IIS root. Click on the link to Create Self-Signed Certificate on the right. Create an empty directory for the web site root of the ColdFusion administrator web site (eg f:\web\cfadmin\) Yes 23
Page 1 and 2: Adobe ColdFusion 10 Server Lockdown
Page 3 and 4: Section 2: Installation Prerequisit
Page 6 and 7: Next create a new user for the IIS
Page 8 and 9: In the Advanced Security Settings D
Page 10 and 11: User / Group Permissions cfusion (Y
Page 12 and 13: Next Click Add Roles, and select th
Page 14 and 15: Review the list of Role Services an
Page 16 and 17: Under Process Model change the Iden
Page 18 and 19: URI Purpose Safe to Block /CFIDE/ad
Page 20 and 21: CFIDE/ServerManager Contains the AI
Page 24 and 25: Next click on Sites and Add Web Sit
Page 27 and 28: 2.3 Prerequisites for a RedHat Ente
Page 29 and 30: Create a user for ColdFusion to run
Page 31 and 32: SSLRequireSSL The above requires t
Page 34 and 35: Do not install ColdFusion 10 ODBC S
Page 36 and 37: Select an install directory, a non-
Page 39 and 40: Choose a strong password and unique
Page 41 and 42: Section 4 - Post ColdFusion Install
Page 43 and 44: 4.1.3 Specify Log On User for ColdF
Page 45 and 46: When the ColdFusion IIS connector i
Page 47 and 48: 4.1.8 Remove Unused Handler Mapping
Page 49 and 50: without these settings enabled so y
Page 51 and 52: -bin /usr/sbin/httpd \ -script /etc
Page 53 and 54: # cp jvm.config jvm.config.backup T
Page 55 and 56: connectionTimeout="20000" redirectP
Page 57 and 58: Section 5: ColdFusion Administrator
Page 59 and 60: Setting Default Recommendation Desc
Page 63 and 64: 5.2 Server Settings > Request Tunin
Page 65 and 66: 5.3 Server Settings > Client Variab
Page 69 and 70: 5.8 Debugging & Logging > Debug Out
Page 71 and 72: 5.11 Event Gateways > Settings Sett
Page 73 and 74:
5.15 Security > Allowed IP Addresse
Page 75 and 76:
Section 6: ColdFusion Server Servic
Page 77 and 78:
JWS Files are Java Web Services fil
Page 79 and 80:
If you are not using the cfreport y
Page 81 and 82:
Note: it is important that you do n
Page 83 and 84:
Section 7: Patch Management Procedu
Page 85 and 86:
Appendix B: List of Acronyms Acrony
Page 87:
Written by Pete Freitag For more in
show all

Adobe® ColdFusion® 10 Server Lockdown Guide

Create successful ePaper yourself

Delete template?

Save as template?