Skip to main content
Miguel-F
Miguel-F
Inspiring
March 28, 2019
Question

ColdFusion 2018 Server Auto Lockdown Tool failed

  • March 28, 2019
  • 2 replies
  • 1673 views

I have created a new Windows Server 2016 and installed ColdFusion 2018 on it.  Everything was working. Next I started going through the lockdown guide.  I got to the part about running the auto lockdown tool (section 2.6).  The tool ran fine but when I was reviewing folder permissions and other IIS settings I was not seeing everything that it should have done.  After carefully looking through the log file I found that it encountered an error and then started rolling back changes.  Now I have an unstable server with a mix of settings.

The log file seems to indicate that it failed when attempting to change the logon user for the additional ColdFusion services.  Well I did not install the additional services as we don't need them.  I guess the tool is not smart enough to bypass that and so it failed.  Why?

Here is an excerpt from the log file:

2019-03-28 12:22:23 INFO  - Folder permissions changed!

2019-03-28 12:22:23 INFO  - Successfully setup file system permissions for ColdFusion!

2019-03-28 12:22:23 INFO  - Setting up registry permissions for ColdFusion!

2019-03-28 12:22:23 INFO  - Now starting to change registry permissions!

2019-03-28 12:22:24 INFO  - ColdFusion version is: 2018

2019-03-28 12:22:24 INFO  - Now getting all registry keys!

2019-03-28 12:22:24 INFO  - All registry keys to change received!

2019-03-28 12:22:24 INFO  - Registry permissions were successfully changed!

2019-03-28 12:22:24 INFO  - Successfully changed the registry permissions for ColdFusion!

2019-03-28 12:22:24 INFO  - Changing logon users for ColdFusion services

2019-03-28 12:22:24 INFO  - Trying to change logon user for ColdFusion

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion2018Add-onServices

2019-03-28 12:22:25 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion 2018 Application Server

2019-03-28 12:22:26 INFO  - [SC] ChangeServiceConfig SUCCESS

2019-03-28 12:22:26 INFO  - Changing for: ColdFusion 2018 ODBC Agent

2019-03-28 12:22:26 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  - Changing for: ColdFusion 2018 ODBC Server

2019-03-28 12:22:26 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  - Failed to change the logon users for ColdFusion services!

2019-03-28 12:22:26 INFO  - Rolling back the changes because of the Lockdown failure

2019-03-28 12:22:26 INFO  - Reverting back the registry permissions changed during Lockdown

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - SYSTEM\CurrentControlSet\Services\ColdFusion 2018 Application Server key permissions were changed.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  - Successfully reverted back the registry permissions changed during Lockdown

2019-03-28 12:22:28 INFO  - Reverting back the ColdFusion file system permissions to its original state

Why did it fail like this? Are the additional services required just to run this lock down tool?  That doesn't make a lot of sense if you don't need them.

This topic has been closed for replies.

2 replies

Miguel-F
Miguel-FAuthor
Inspiring
April 2, 2019

Just to update this thread, I posted this same issue on the CFML Slack channel and Priyank from Adobe responded that his team was able to duplicate the issue with the latest lock down tool and he has submitted a bug ticket for it.

Here is Priyank's response from the Slack channel:

I logged a bug for this issue on Windows platform. I have asked team to look into the issue and if possible provide a fix. As a workaround, you can install the Add-on service, .NET service during ColdFusion installation and after that the Auto lockdown will work. It is checking these component and if it is finding NOT INSTALLED, it failed.

I tried searching for the bug that he mentioned to link from here but I could not find it.

Priyank Shrivastava.
Community Manager
Priyank Shrivastava.Community Manager
Community Manager
April 2, 2019

It is an internal bug and I did not make it public. I will update the thread once it is fixed.

Thanks,

Priyank

Thanks, Priyank Shrivastava
Charlie Arehart
Community Expert
Charlie ArehartCommunity Expert
Community Expert
April 5, 2019

[Subscribe] 

/Charlie (troubleshooter, carehart. org)
D
Community Expert
Dave WattsCommunity Expert
Community Expert
March 29, 2019

I would recommend checking the filesystem to see if the permissions have in fact been changed back. To be perfectly honest I'm a bit leery of the auto-lockdown tool, but part of that is simply that I'm well-versed in the manual lockdown process (thanks Pete Freitag for documenting it so well!)

If you don't have ODBC Agent and ODBC Service installed, there won't be any registry changes to be made, I believe.

Dave Watts, Eidolon LLC

Dave Watts, Eidolon LLC
Miguel-F
Miguel-FAuthor
Inspiring
March 29, 2019

Agreed Dave.  I have always performed the steps manually and feel comfortable doing so (thanks to Pete).  The only reason I ran this tool is because Pete's latest lock down guide for CF 2018 recommends doing so. Believe me, my trust in Adobe's processes is not at the highest.

Anyway, to your other point, I was checking the filesystem permissions and that is what led me to realize that it did not work.  At least not fully,  The permissions that I know are required were missing.  And, yes, the fact that I did not install those additional services means there are no changes to be made in the registry or for the window's services.  That's my point, Adobe's own lock down process should recognize that those services are not required and be able to gracefully get passed updating of those items.  Right?

This is the point in the log file that I am referring to:

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion2018Add-onServices

2019-03-28 12:22:25 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

As you can see, it seems to recognize that the services are not installed.

2019-03-28 12:22:26 INFO  - Failed to change the logon users for ColdFusion services!

2019-03-28 12:22:26 INFO  - Rolling back the changes because of the Lockdown failure

2019-03-28 12:22:26 INFO  - Reverting back the registry permissions changed during Lockdown

But then why does it fail and start rolling changes back?

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices