Adobe® ColdFusion® 10 Server Lockdown Guide

16.04.2013 Views
CFFileServlet /CFFileServlet/* 6.10 Disabling Remote CFC Invocation The CFCServlet is used to serve SOAP web service requests, remote CFC method invocation (eg file.cfc?method=doSomething), AIR synchronization, and flash remoting. If you do not require these features you can change the servlet mappings that point to the CFCServlet to the CFForbiddenServlet. Change the servlet mappings: CFCServlet *.cfc/* CFCServlet *.cfc Change to the following: CFForbiddenServlet *.cfc/* CFForbiddenServlet *.cfc 80

Note: it is important that you do not delete these mappings, as this will allow your CFC source code to be downloaded. 81

Page 1 and 2: Adobe ColdFusion 10 Server Lockdown

Page 3 and 4: Section 2: Installation Prerequisit

Page 6 and 7: Next create a new user for the IIS

Page 8 and 9: In the Advanced Security Settings D

Page 10 and 11: User / Group Permissions cfusion (Y

Page 12 and 13: Next Click Add Roles, and select th

Page 14 and 15: Review the list of Role Services an

Page 16 and 17: Under Process Model change the Iden

Page 18 and 19: URI Purpose Safe to Block /CFIDE/ad

Page 20 and 21: CFIDE/ServerManager Contains the AI

Page 22 and 23: Table 2.2.8.1 : CFIDE URIs Addition

Page 24 and 25: Next click on Sites and Add Web Sit

Page 27 and 28: 2.3 Prerequisites for a RedHat Ente

Page 29 and 30: Create a user for ColdFusion to run

Page 31 and 32: SSLRequireSSL The above requires t

Page 34 and 35: Do not install ColdFusion 10 ODBC S

Page 36 and 37: Select an install directory, a non-

Page 39 and 40: Choose a strong password and unique

Page 41 and 42: Section 4 - Post ColdFusion Install

Page 43 and 44: 4.1.3 Specify Log On User for ColdF

Page 45 and 46: When the ColdFusion IIS connector i

Page 47 and 48: 4.1.8 Remove Unused Handler Mapping

Page 49 and 50: without these settings enabled so y

Page 51 and 52: -bin /usr/sbin/httpd \ -script /etc

Page 53 and 54: # cp jvm.config jvm.config.backup T

Page 55 and 56: connectionTimeout="20000" redirectP

Page 57 and 58: Section 5: ColdFusion Administrator

Page 59 and 60: Setting Default Recommendation Desc


Page 63 and 64: 5.2 Server Settings > Request Tunin

Page 65 and 66: 5.3 Server Settings > Client Variab


Page 69 and 70: 5.8 Debugging & Logging > Debug Out

Page 71 and 72: 5.11 Event Gateways > Settings Sett

Page 73 and 74: 5.15 Security > Allowed IP Addresse

Page 75 and 76: Section 6: ColdFusion Server Servic

Page 77 and 78: JWS Files are Java Web Services fil

Page 79: If you are not using the cfreport y

Page 83 and 84: Section 7: Patch Management Procedu

Page 85 and 86: Appendix B: List of Acronyms Acrony

Page 87: Written by Pete Freitag For more in

coldfusion

server

directory

apache

administrator

settings

unchecked

servlet

recommendation

installation

lockdown

Adobe® ColdFusion® 10 Server Lockdown Guide

Adobe® ColdFusion® 10 Server Lockdown Guide ... View more Adobe® ColdFusion® 10 Server Lockdown Guide

Delete template?

Save as template ?

Adobe® ColdFusion® 10 Server Lockdown Guide Adobe® ColdFusion® 10 Server Lockdown Guide