The ColdFusion team has published a detailed 30+ page lockdown guide to securing your ColdFusion 9 server. This document is required reading for anyone hosting a ColdFusion server! The guide was written by Pete Freitag (create of of HackMyCF).
ColdFusion 9 Server Lockdown Guide Published
7 responses to “ColdFusion 9 Server Lockdown Guide Published”
-
Thanks for the post, Ben! I’m about to start building 5 new CF9 servers and this guide will certainly come in handy!
-
From a security standpoint, shouldn’t it be a little worrisome that it takes a 30 page document to explain how to get the application to a reasonably safe state? I see that most of the doc is focused on getting other applications (the web servers) secure, but wouldn’t it really be best if the installer did all of those things by default?
We’re not talking about a piece of end-user software. As long as there’s some GUI option in the Administrator to enable the initially-disabled features, such as remote CFC access or vice-versa for sandbox security, no one loses. There’s no need for a wide-open out-of-box experience — not even for the sake of backwards compatibility or upgrades.
Building these settings as defaults would also put them in the Administrator where they belong, instead of relying on the maintainer to muck around in config files. I’d assert that this document would get ignored by a large portion of the community, simply out of fear of all that mucking. But, if there’s a simple checkbox or button for each setting then that document drops to a quarter of its size. You also shift the psychology of the choices from "if I change this I might break something" to "if I change this I’ll need to worry about its ramifications", which is the correct mental state. -
Thanks Ben, really appreciated for sharing this info….
-
Rick,
I agree, somewhat. I do think that we need better defaults, I’d like the installer to ask "is this a development box or a production box?" and set things up differently based on that.
Having said that, even if we did that (and I hope we do) I’d still want this type of info published, even 30+ pages. Default security settings, while necessary, often create a false illusion of security. There might be a valid argument to suggesting that with tighter defaults this type of document would be even more critical.
— Ben -
Ben-
I completely agree with you that the documentation needs to be there.
When I have my students install CF, I do a very quick walk-through of tightening down some of the easier settings to get to. (But hardening Apache is, unfortunately, well beyond the scope of the class.) There’s always one student that asks "why doesn’t it just start like this?".
This might even be a good niche for a third-party plug-in to the Administrator — one that allows you to flip between Dev and Prod and scan for common holes like this.
And, for the record, the installer now is leaps and bounds beyond what it used to be in the pre-MX and even MX days. -
Hi,
I have tried to follow this guide and got stuck. Where is the best place to ask some questions regarding this guide?
Thanks. -
Does the ColdFusion 9 Server Lockdown Guide also apply to ColdFusion 10 Server?
Leave a Reply