Adobe® ColdFusion® 10 Server Lockdown Guide
Adobe® ColdFusion® 10 Server Lockdown Guide Adobe® ColdFusion® 10 Server Lockdown Guide
Setting Default Recommendation Description Disable access to internal ColdFusion Java components Prefix serialized JSON with Maximum Output Buffer size Unchecked Checked The internal ColdFusion Java components may allow administrative duties to be performed. Some developers may write code that relies on these components. This practice should be avoided as these components are not documented. Unchecked: // Checked: // This setting helps prevent JSON hijacking, and should be turned on. ColdFusion AJAX tags and functions automatically remove the prefix. If developers have written CFC functions with returnformat=”json” or use the SerializeJSON function, the prefix will be applied, and should be removed in the client code before processing. Developers can override this setting at the application level. 1024KB Lower A lower output buffer size may reduce the memory footprint in some applications. 58
Setting Default Recommendation Description Enable In-Memory File System Watch configuration files for changes (check every N seconds) Checked Unchecked if not used If your applications do not require in memory file system uncheck this checkbox. Ensure that you have sufficient heap space to accommodate the memory limit. Unchecked Unchecked If an attacker is able to modify the configuration of your ColdFusion server, their changes can become active within a short period of time when this setting is enabled. If your configuration requires this setting to be enabled (if using WebSphere ND vertical cluster for example), increase the time to be as large as possible. 59
- Page 8 and 9: In the Advanced Security Settings D
- Page 10 and 11: User / Group Permissions cfusion (Y
- Page 12 and 13: Next Click Add Roles, and select th
- Page 14 and 15: Review the list of Role Services an
- Page 16 and 17: Under Process Model change the Iden
- Page 18 and 19: URI Purpose Safe to Block /CFIDE/ad
- Page 20 and 21: CFIDE/ServerManager Contains the AI
- Page 22 and 23: Table 2.2.8.1 : CFIDE URIs Addition
- Page 24 and 25: Next click on Sites and Add Web Sit
- Page 27 and 28: 2.3 Prerequisites for a RedHat Ente
- Page 29 and 30: Create a user for ColdFusion to run
- Page 31 and 32: SSLRequireSSL The above requires t
- Page 34 and 35: Do not install ColdFusion 10 ODBC S
- Page 36 and 37: Select an install directory, a non-
- Page 39 and 40: Choose a strong password and unique
- Page 41 and 42: Section 4 - Post ColdFusion Install
- Page 43 and 44: 4.1.3 Specify Log On User for ColdF
- Page 45 and 46: When the ColdFusion IIS connector i
- Page 47 and 48: 4.1.8 Remove Unused Handler Mapping
- Page 49 and 50: without these settings enabled so y
- Page 51 and 52: -bin /usr/sbin/httpd \ -script /etc
- Page 53 and 54: # cp jvm.config jvm.config.backup T
- Page 55 and 56: connectionTimeout="20000" redirectP
- Page 57: Section 5: ColdFusion Administrator
- Page 61 and 62: Setting Default Recommendation Desc
- Page 63 and 64: 5.2 Server Settings > Request Tunin
- Page 65 and 66: 5.3 Server Settings > Client Variab
- Page 67 and 68: Setting Default Recommendation Desc
- Page 69 and 70: 5.8 Debugging & Logging > Debug Out
- Page 71 and 72: 5.11 Event Gateways > Settings Sett
- Page 73 and 74: 5.15 Security > Allowed IP Addresse
- Page 75 and 76: Section 6: ColdFusion Server Servic
- Page 77 and 78: JWS Files are Java Web Services fil
- Page 79 and 80: If you are not using the cfreport y
- Page 81 and 82: Note: it is important that you do n
- Page 83 and 84: Section 7: Patch Management Procedu
- Page 85 and 86: Appendix B: List of Acronyms Acrony
- Page 87: Written by Pete Freitag For more in
Setting Default Recommendation Description<br />
Enable In-Memory<br />
File System<br />
Watch<br />
configuration files<br />
for changes (check<br />
every N seconds)<br />
Checked Unchecked if not<br />
used<br />
If your applications do not require in<br />
memory file system uncheck this<br />
checkbox. Ensure that you have<br />
sufficient heap space to<br />
accommodate the memory limit.<br />
Unchecked Unchecked If an attacker is able to modify the<br />
configuration of your ColdFusion<br />
server, their changes can become<br />
active within a short period of time<br />
when this setting is enabled.<br />
If your configuration requires this<br />
setting to be enabled (if using<br />
WebSphere ND vertical cluster for<br />
example), increase the time to be as<br />
large as possible.<br />
59
Change language