Adobe® ColdFusion® 10 Server Lockdown Guide
Setting: Site URL
Default: http://www.adobe.com/go/coldfusion-updates
Recommendation: HTTPS version of the URL, or specify an internal URL
Description: Change the default URL to https to avoid a spoofed update. If your network security policy does not allow external internet connections, you can maintain an internal update URL which could be updated manually.
Section 6: ColdFusion Server Services
ColdFusion provides a large number of services for developers to take advantage of. Most applications do not
make use of all these services, and the unused ones can therefore be disabled to improve security.
6.1 Servlets and Servlet Mappings in web.xml
All JEE web applications have a file in the WEB-INF directory called web.xml; this file defines the servlets and
servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet
responds to. For example, the servlet that handles requests for .cfm files is called the CfmServlet, and its servlet
mapping looks like this:

    <servlet-mapping>
        <servlet-name>CfmServlet</servlet-name>
        <url-pattern>*.cfm</url-pattern>
    </servlet-mapping>

The servlets themselves are also defined in the web.xml file; the CfmServlet is defined as:

    <servlet>
        <servlet-name>CfmServlet</servlet-name>
        <display-name>CFML Template Processor</display-name>
        <description>Compiles and executes CFML pages and tags</description>
        <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
        <init-param>
            <param-name>servlet.class</param-name>
            <param-value>coldfusion.CfmServlet</param-value>
        </init-param>
        <load-on-startup>4</load-on-startup>
    </servlet>

We can remove servlet mappings in the web.xml to reduce the attack surface. You don't typically want to
remove the CfmServlet or its servlet mapping, but there are other servlets and mappings that may be removed.
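As an added example (not from the guide or from Adobe), a Python script that lists the servlet mappings in a web.xml and removes the mappings of servlets outside an allowlist while always keeping the CfmServlet mapping, so the .cfm handler described above cannot be pruned by mistake. The sample web.xml and the name UnusedExampleServlet are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.xml, not a real ColdFusion file: the CfmServlet entries
# follow section 6.1; "UnusedExampleServlet" is a hypothetical placeholder.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>UnusedExampleServlet</servlet-name>
    <url-pattern>/unused-example/*</url-pattern>
  </servlet-mapping>
</web-app>"""

REQUIRED = {"CfmServlet"}  # the servlet that executes .cfm pages is never pruned

def _local(tag):  # '{namespace}servlet-name' -> 'servlet-name'
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):  # text of the first child called `name`, any namespace
    return next((c.text for c in elem if _local(c.tag) == name), None)

def list_mappings(xml_text):
    """Return {servlet-name: [url-pattern, ...]} for every <servlet-mapping>."""
    mappings = {}
    for m in ET.fromstring(xml_text):
        if _local(m.tag) == "servlet-mapping":
            name = _child_text(m, "servlet-name")
            mappings.setdefault(name, []).append(_child_text(m, "url-pattern"))
    return mappings

def prune_mappings(xml_text, keep):
    """Drop <servlet-mapping> entries outside `keep` | REQUIRED; return (new_xml, dropped_names)."""
    keep = set(keep) | REQUIRED
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # emit the default xmlns again, not an ns0: prefix
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    dropped = []
    for m in list(root):  # iterate over a copy: we remove children as we go
        if _local(m.tag) == "servlet-mapping":
            name = _child_text(m, "servlet-name")
            if name not in keep:
                root.remove(m)
                dropped.append(name)
    return ET.tostring(root, encoding="unicode"), dropped
```

Because ElementTree drops XML comments and the declaration when it re-serialises, use the pruned output to review what would change and apply the removals to the real WEB-INF/web.xml by hand, after backing it up.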