ColdFusion 9 Server Lockdown Guide Published

The ColdFusion team has published a detailed 30+ page lockdown guide to securing your ColdFusion 9 server. This document is required reading for anyone hosting a ColdFusion server! The guide was written by Pete Freitag (create of of HackMyCF).

7 responses to “ColdFusion 9 Server Lockdown Guide Published”

  1. Damon Gentry Avatar
    Damon Gentry

    Thanks for the post, Ben! I’m about to start building 5 new CF9 servers and this guide will certainly come in handy!

  2. Rick O Avatar
    Rick O

    From a security standpoint, shouldn’t it be a little worrisome that it takes a 30 page document to explain how to get the application to a reasonably safe state? I see that most of the doc is focused on getting other applications (the web servers) secure, but wouldn’t it really be best if the installer did all of those things by default?
    We’re not talking about a piece of end-user software. As long as there’s some GUI option in the Administrator to enable the initially-disabled features, such as remote CFC access or vice-versa for sandbox security, no one loses. There’s no need for a wide-open out-of-box experience — not even for the sake of backwards compatibility or upgrades.
    Building these settings as defaults would also put them in the Administrator where they belong, instead of relying on the maintainer to muck around in config files. I’d assert that this document would get ignored by a large portion of the community, simply out of fear of all that mucking. But, if there’s a simple checkbox or button for each setting then that document drops to a quarter of its size. You also shift the psychology of the choices from "if I change this I might break something" to "if I change this I’ll need to worry about its ramifications", which is the correct mental state.

  3. Misha Avatar

    Thanks Ben, really appreciated for sharing this info….

  4. Ben Forta Avatar
    Ben Forta

    I agree, somewhat. I do think that we need better defaults, I’d like the installer to ask "is this a development box or a production box?" and set things up differently based on that.
    Having said that, even if we did that (and I hope we do) I’d still want this type of info published, even 30+ pages. Default security settings, while necessary, often create a false illusion of security. There might be a valid argument to suggesting that with tighter defaults this type of document would be even more critical.
    — Ben

  5. Rick O Avatar
    Rick O

    I completely agree with you that the documentation needs to be there.
    When I have my students install CF, I do a very quick walk-through of tightening down some of the easier settings to get to. (But hardening Apache is, unfortunately, well beyond the scope of the class.) There’s always one student that asks "why doesn’t it just start like this?".
    This might even be a good niche for a third-party plug-in to the Administrator — one that allows you to flip between Dev and Prod and scan for common holes like this.
    And, for the record, the installer now is leaps and bounds beyond what it used to be in the pre-MX and even MX days.

  6. Tunc Avatar

    I have tried to follow this guide and got stuck. Where is the best place to ask some questions regarding this guide?

  7. Matthew Mathers Avatar
    Matthew Mathers

    Does the ColdFusion 9 Server Lockdown Guide also apply to ColdFusion 10 Server?

Leave a Reply