Restricting access to CF Admin

Question

I believe when we set up CF2018 a couple of years ago, we set it up for CF Admin to be accessed only if index.cfm is present. For example,

http://servername/CFIDE/Administrator/index.cfm - will serve it up

http://servername/CFIDE/Administrator/ - will not serve it up

I'm not sure whether this was done as part of lockdown guide but it appears this is no longer working and I don't see anything in the lockdown guide. We're migrating to 2023 and I would like to set this up. Where should I look? CF Admin is not showing up in IIS as of 2016 as it's using built-in web server.

Charlie Arehart · Accepted Answer

Adding to Dave's (always helpful) reply, I'll share that I'd offered an answer with still more detail in a discussion Dmitriy raised on this also on the facebook cf programmers group.

Dave Watts · Answer

Once you have multiple web servers, things can get kind of ... weird. I'm not sure how you'd have intentionally set this up in the past - I can think of some ways, but they're kind of kludgy - and I'm not surprised it would break if you upgraded. And I'm not sure what value it provides to set it up that way anyway, although I'm guessing it has some value.

Let's say you installed CF in C:\ColdFusion2018 with the built-in web server (Tomcat), the default webroot "cfusion", and the default listening port for the cfusion app as TCP/8500. That means your CFIDE directory should be here:

C:\ColdFusion2018\cfusion\wwwroot\CFIDE

You should then be able to access the CF Administrator using this URL:

http://localhost:8500/CFIDE/Administrator/index.cfm

Then, when you run the web server configuration tool to install the webconfig connector, you'll be able to run CF through IIS, but that will have a different configuration than Tomcat's web server. By default, I think, CF 2021 will create an IIS filter that will block the /CFIDE/administrator directory entirely. (I'm not sure of that offhand but it seems reasonable. I don't know when that behavior was introduced, if it was at all.) In any case, the web server configuration tool will fiddle with IIS internals to specify one behavior or another. You can also fiddle with IIS internals after the fact, within the IIS management console or by editing one of the several XML files IIS uses for its configuration.

But what it sounds like you want to do is mess around with Tomcat internals. That's ok, but it's not really related to CF that much, so there's no setting in CF Administrator for that. Specifically, you're going to want to remove index.cfm from the list of <welcome-file> items under <welcome-file-list> in:

C:\ColdFusion2018\cfusion\wwwroot\WEB-INF\web.xml

It's near the bottom of the page, in mine it's on line 553. Make sure you keep a backup copy!

SIDEBAR: Let's talk about the lockdown guide and what it's for, for a minute. In general, the idea is to improve the security of your CF install. But what does that mean exactly? For different people it might mean different things. Do you want to expose the CF Administrator via IIS at all? Do you want to expose it via Tomcat to remote machines other than through RDP or explicit firewall rules? There isn't really a right answer to those questions. You have to figure out how security should work within your organization, and implement it accordingly. That's why there's a CF lockdown GUIDE instead of CF lockdown INSTRUCTIONS. If you use the lockdown tool built into the secure profile, someone else is going to make those choices for you, and I've always thought that was a bad idea unless you didn't know how to make those choices yourself. And if you did know how to make those choices yourself, you might be better off doing it manually anyway! A lot of them can be wrapped up in short scripts, etc.

Anyway, good luck!

Dave Watts, Eidolon LLC

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded