Inspiring
November 6, 2012
Answered

Best practices with the CFIDE and Jakarta virtual directories

Right now I'm going through setting up our new virtualized ColdFusion 10 Application/Web/Data server, and I noticed that during install, since I had 'Connect all IIS sites' selected, it created the handler mappings for each but also gave each a virtual directory for 'CFIDE' and 'Jakarta'.

Best practice guides have said to restrict access to the 'adminapi', 'administrator', 'componentutils' and 'wizards' folders under the CFIDE directory, but is it safe to just remove these virtual directories (and leave the handler mappings) so that the sites can still process CF-related file types?

The 1 site we have that is the default that localhost is bound to, I felt I would just leave those virtual directories there, since in order to get to that server's CF ACP, we'd have to go to: http://localhost/CFIDE/administrator/index.cfm

I know that if a file in a site needs access to things like the CFScripts folder, CF will automatically assume the virtual directory is there and create <script> tags that use a src of '/CFIDE/scripts' (which, if I remove that virtual directory, would break functionality), but assuming I'm not using such tech in other sites, is removing 'CFIDE' and 'Jakarta' going to hurt anything?

    Carl Von Stetten (Correct answer)
    Legend
    November 7, 2012

    Look at the ColdFusion 9 Lockdown Guide that Pete Freitag wrote.  Much of it still applies to ColdFusion 10, especially the IIS security aspects.  There is a section on creating global request filters which will block access to most (or all) of the subdirectories under CFIDE.

    As for the Jakarta virtual directory, you need that one.  It is what enables the IIS connector to function.

    -Carl V.
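
The global request filter mentioned in the answer can be written as IIS Request Filtering configuration. The fragment below is an added example, not taken from the lockdown guide or from the posts above. It assumes the four CFIDE folders named in the question, server-level placement in applicationHost.config, and that the requestFiltering section is not locked against site-level override.

```xml
<!-- Server level: %windir%\System32\inetsrv\config\applicationHost.config -->
<!-- Applies to every IIS site. Handler mappings and the Jakarta virtual
     directory are left alone, so CF file types are still processed. -->
<system.webServer>
  <security>
    <requestFiltering>
      <denyUrlSequences>
        <!-- Any request whose URL contains one of these sequences is
             rejected by IIS (HTTP 404.5) before it reaches ColdFusion. -->
        <add sequence="/CFIDE/adminapi" />
        <add sequence="/CFIDE/administrator" />
        <add sequence="/CFIDE/componentutils" />
        <add sequence="/CFIDE/wizards" />
        <!-- /CFIDE/scripts is intentionally not listed, so script tags
             generated by CF with a src of /CFIDE/scripts keep working. -->
      </denyUrlSequences>
    </requestFiltering>
  </security>
</system.webServer>

<!-- Assumed site-level override: web.config of the single site (bound to
     localhost in the question) that should still reach the Administrator.
     Keep that site's bindings restricted to the local machine. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <remove sequence="/CFIDE/administrator" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After applying it, request /CFIDE/administrator/index.cfm on a public site and on the localhost site to confirm the first is refused and the second still loads.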

    Carl Von Stetten
    Legend
    November 7, 2012

    Also, I believe a ColdFusion 10 Lockdown Guide is in the works.  Not sure when it will be released, but it is coming.

    -Carl V.

    Inspiring
    November 7, 2012

    Good deal.  I was reading a Best Practices guide that was designed for CF8 (even though we use CF10).  CF9 is a better step forward (and I'll be very interested when the version 10 comes out).  I want to run a tight ship for my web servers.  I'm gonna give this a read through and impart its wisdom where I can, thanks.

    So the Jakarta virtual directory is what gives it access to the ISAPI DLL file eh?  Wonder what reasoning they used behind using a virtual directory for that....