Jay999999999999999
Known Participant
October 30, 2014
Question

How big a security risk if we use a domain login for the cf application service

The local account used as the login account for CF application service doesn't allow access via UNC to other servers in the same subnet (behind a firewall with private IP addresses in use) for security reasons.

It would be easier if we used a domain account -- but all the installation instructions and hardening PDF recommend a local account, which I am using.

I can't seem to find details on how using a domain account is creating a security issue. Is this a major or minor security issue is another question...

TIA

Jay Bietz

    Carl Von Stetten
    Legend
    October 30, 2014

    I don't think the Lockdown Guides prohibit using domain accounts.  They just recommend not using an administrator-level domain account (and rightly so).  Create a domain user account and grant it access and permissions to the minimum network resources required for your applications to function, and no more.  So, for example, if ColdFusion needs to be able to access certain folders on certain network shares, only grant the domain account access to those specific folders; if ColdFusion only needs read permissions on those folders, only grant read permissions to the domain account.  The same principles apply to databases - if you are using SQL Server, add the domain account to SQL Server's logins, add that login as a user to the required databases, and only grant the user the minimum required permissions for each of those databases.

    -Carl V.
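
One way to apply the share and folder part of the advice above on a Windows file server, as an added example that is not part of the original thread. The account, folder and share names are placeholders, and the Domain Admins check assumes the ActiveDirectory module is installed.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$Account   = 'EXAMPLE\svc-coldfusion'      # hypothetical non-admin domain user
$Folder    = 'D:\Shares\AppData\reports'   # hypothetical folder ColdFusion must read
$ShareName = 'AppData'                     # hypothetical SMB share exposing that folder

# 1. Stop if the service account is an administrator-level domain account.
#    Get-ADGroupMember -Recursive also follows nested group membership.
$sam = $Account.Split('\')[1]
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $sam) {
    throw "$Account is a Domain Admin; use a plain domain user instead."
}

# 2. Grant read-only NTFS access on the one folder the application needs.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Grant read-only access at the share level as well.
Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Read -Force | Out-Null

# 4. Verify: report any Allow entry for this account that goes beyond read.
#    Only entries naming the account directly are checked, not rights it
#    inherits through group membership.
$readOnly = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
$excess = (Get-Acl -Path $Folder).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band (-bnot $readOnly)) -ne 0
}
if ($excess) {
    $excess | Format-Table IdentityReference, FileSystemRights, IsInherited
    Write-Warning "$Account holds more than read access on $Folder."
} else {
    Write-Output "$Account is limited to read access on $Folder."
}
```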

    Jay999999999999999
    Known Participant
    October 30, 2014

    Carl:

    Does changing from local to domain account for the CF application login cause a lot of broken CF security issues? Seems like there is potential for the CF application to NOT have all the permissions changed correctly and I would end up with a broken site.

    Would CFX_EXEC (Adiabata, Inc. - CFX_EXEC) be a better fix than working through all the permissions across the site?

    Thanks again

    Jay 

    Carl Von Stetten
    Legend
    October 30, 2014

    No, not if you follow the Lockdown Guide directions.  It has a listing of which folders in the ColdFusion installation directory need to be granted permissions to the domain account.

    -Carl V.