Coldfusion 2018 Lockdown Tool failure

Question

Hi folks,I am hoping someone can point me in the right direction to fixing a problem I am having with the lockdown tool. I have been following the CF2018 lockdown guide, I installed Coldfusion 2018 developer edition on a Server 2016 OS. I applied hotfix 3, only weird thing I found was that the ODBC server service would not start after.I checked the hotfix log and found no errors.Spent of a ton of time researching that problem, found there was issues in previous versions of CF, realized I don't have any ODBC datasources to worry about, so I set the ODBC Agent and ODBC Server service to be disabled following guidance from several of those threads.Successfully logging into CF Administrator. Followed the guide.Ran the lockdown tool following the guide, only major change's was that I selected no to the coldfusion update since I manually updated it, and I had the lockdown tool create the ColdFusion Runtime User for me. In checking the lockdown the log, I found it successfully created the user at one point, before it reverted several of the changes it made. This tells me the windows administrator account password should have been correct.The lockdown failed, relevant log entries below:I am hoping someone can shed some light on what may cause this failure. Thanks in advance for your help.JD2019-05-31 09:26:45 INFO  - Change Permissions of ColdFusion file system: Error Logs2019-05-31 09:26:45 INFO  - 2019-05-31 09:26:45 INFO  - Permissions changed for the user: IUSR for the path: "D:\ColdFusion2018\cfusion\wwwroot\cf_scripts" 2019-05-31 09:26:45 INFO  - Folder permissions changed!2019-05-31 09:26:45 INFO  - Successfully setup file system permissions for ColdFusion!2019-05-31 09:26:45 INFO  - Setting up registry permissions for ColdFusion!2019-05-31 09:26:45 INFO  - Now starting to change registry permissions!2019-05-31 09:26:45 INFO  - ColdFusion version is: 20182019-05-31 09:26:45 INFO  - Now getting all registry keys!2019-05-31 09:26:45 INFO  - All registry keys to change received!2019-05-31 09:26:46 INFO  - Registry permissions were successfully changed!2019-05-31 09:26:46 INFO  - Successfully changed the registry permissions for ColdFusion!2019-05-31 09:26:46 INFO  - Changing logon users for ColdFusion services2019-05-31 09:26:46 INFO  - Trying to change logon user for ColdFusion2019-05-31 09:26:47 INFO  - Changing for: ColdFusion2018Add-onServices2019-05-31 09:26:47 INFO  - [SC] ChangeServiceConfig SUCCESS2019-05-31 09:26:47 INFO  - Changing for: ColdFusion 2018 Application Server2019-05-31 09:26:47 INFO  - [SC] ChangeServiceConfig SUCCESS2019-05-31 09:26:47 INFO  - Changing for: ColdFusion 2018 ODBC Agent2019-05-31 09:26:47 INFO  - [SC] ChangeServiceConfig SUCCESS2019-05-31 09:26:47 INFO  - Changing for: ColdFusion 2018 ODBC Server2019-05-31 09:26:47 INFO  - [SC] ChangeServiceConfig SUCCESS2019-05-31 09:26:47 INFO  - All permissions changed!2019-05-31 09:26:47 INFO  - Restarting ColdFusion using ColdFusion services!2019-05-31 09:26:47 INFO  - The ColdFusion 2018 Add-on Services service was stopped successfully.2019-05-31 09:26:57 INFO  - The ColdFusion 2018 Application Server service is stopping....The ColdFusion 2018 Application Server service was stopped successfully.2019-05-31 09:26:57 INFO  - The ColdFusion 2018 ODBC Agent service is not started.More help is available by typing NET HELPMSG 3521.2019-05-31 09:26:57 INFO  - The ColdFusion 2018 ODBC Server service is not started.More help is available by typing NET HELPMSG 3521.2019-05-31 09:26:57 INFO  - Not all services could be stopped!2019-05-31 09:27:00 INFO  - The ColdFusion 2018 Add-on Services service could not be started.A system error has occurred.System error 1067 has occurred.The process terminated unexpectedly.2019-05-31 09:27:05 INFO  - The ColdFusion 2018 Application Server service could not be started.A service specific error occurred: 2.More help is available by typing NET HELPMSG 3547.2019-05-31 09:27:05 INFO  - System error 1058 has occurred.The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.2019-05-31 09:27:05 INFO  - System error 1058 has occurred.The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.2019-05-31 09:27:05 INFO  - Not all services could be restarted!2019-05-31 09:27:05 INFO  - All ColdFusion services restarted successfully!2019-05-31 09:27:05 INFO  - Successfully changed the logon users for ColdFusion services!2019-05-31 09:27:05 INFO  - Trying to restart ColdFusion2019-05-31 09:27:05 INFO  - ColdFusion restarted successfully!2019-05-31 09:27:05 INFO  - Setting up virtual directory for cf_scripts!2019-05-31 09:27:05 INFO  - Trying to add virtual directory for cf_scripts2019-05-31 09:27:05 INFO  - Adding virtual directory for cf_scripts!2019-05-31 09:27:06 INFO  - Successfully added virtual directory for cf_scripts!2019-05-31 09:27:06 INFO  - Changing scripts source in ColdFusion Administrator2019-05-31 09:27:07 INFO  - Old Value for scripts source: none2019-05-31 09:27:07 INFO  - It seems there has been an error while getting the script source values.2019-05-31 09:27:07 INFO  - Failed to change cf_scripts source in Administrator2019-05-31 09:27:07 INFO  - Failed to add virtual directory for cf_scripts2019-05-31 09:27:07 INFO  - Rolling back the changes because of the Lockdown failure2019-05-31 09:27:07 INFO  - Removing the alias created for ColdFusion scripts2019-05-31 09:27:08 INFO  - Successfully removed the alias created for ColdFusion scripts2019-05-31 09:27:08 INFO  - Reverting back the service logon users for ColdFusion services2019-05-31 09:27:08 INFO  - The ColdFusion 2018 Add-on Services service is not started.**There are more log entries about reverting and rolling back, but I didn't want to overload the post. I included a lot of the success entries at the top to provide context.

JD-16 · Accepted Answer

Hi folks,I just wanted to provide an update. I worked with Adobe support, and ended up solving this issue. In my case, I was a victim of my own good server hardening practices before installing ColdFusion.I usually only allow SYSTEM, and Administrators full control of the additional NTFS volumes. It turns out that the lockdown tool for some reason needs the "localserver\Users" group to have read/execute access to the volume where ColdFusion is installed. The account I was using to install ColdFusion and run the lockdown tool is in the Administrators group. All others installs succeeded until the lockdown tool was run.Once I added this permission back to the volume, it worked as expected. Thanks for the replies and help.JD

Dave Watts · Answer

Honestly, I'm amazed that the lockdown tool works at all. It's doing a lot of complicated and somewhat fragile things, and having done these things by hand for many years I can attest that there are lots of opportunities for things to go wrong during this process. So personally, I'd recommend following the lockdown guide for the previous version and at least reading it to understand the different things the lockdown tool is doing.

That said, it looks like the problem here is pretty specific. The lockdown tool can't find the current location for where scripts live ("cf_scripts"). This can be assigned a value in the CF Administrator, but can also be left empty. So go in the CF Administrator and assign a value here if there isn't one already.

Beyond that, I'd recommend either taking advantage of Adobe's installation support if you can, or using someone like Charlie Arehart to step through the process. It's very helpful to have a second set of eyes looking at things exactly when they go wrong, instead of relaying errors through the forums.

Dave Watts, Eidolon LLC

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded