June 27, 2012
Question

Securing ColdFusion 10

  • June 27, 2012
  • 1 reply
  • 2947 views

We are preparing to upgrade to ColdFusion 10 from ColdFusion 8.  We are particularly interested in best practices for securing the installation, in particular securing the administrator on external facing systems.

The installation will be in a Solaris environment using Oracle iPlanet Web Server.

Can anyone provide such best practices, experiences or suggestions?

Thanks in advance.


1 reply

Charlie Arehart
Community Expert
June 27, 2012

Yes, there are many. (While you refer to CF10, I’ll assume you’re also open to general guidelines that apply to all releases of CF10.)

First is the “Adobe ColdFusion 9 server lockdown guide file”, at http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf.

There is also the “ColdFusion 8 developer security guidelines file”, at ColdFusion 8 developer security guidelines file.

Both of these are listed at the bottom (because they’re older) of the CF Security center site:

http://www.adobe.com/devnet/coldfusion/security.html

As for CF10 security, there have been many changes, discussed among other places here: http://www.adobe.com/devnet/coldfusion/articles/security-improvements.html (which is also listed on that security center). It also has preso recordings and more.

As for CF security in general, the “go to guy” for that (who in fact wrote that Lockdown guide) is Pete Freitag, who with his company Foundeo (foundeo.com) offers still other resources (info and tools), among which the most important is the free HackMyCF.com service (which offers additional commercial features), which can scan your server, identify vulnerabilities and recommend fixes.

Finally, as for your root question of securing your Admin, that’s best done by either securing its access with your external web server (iPlanet, in your case) which can involve requiring basic, digest, or other additional authentication (beyond CF’s password), limiting IP addresses that can access it, and more. Those are features of the web server, though, not CF.

On the other hand, some resort to NOT allowing access to the CF Admin (via that external web server) and let it be accessed only via CF’s internal web server (Tomcat’s web server, in CF10). Because by default that works on a port other than 80 (8500, for instance), that would be blocked on your server unless opened in your firewall. Surprisingly, I find that this idea is not discussed in either of the first two guides above. But the CF documentation (both the Installing, and the Configuring and Administering manuals) does discuss the internal web server.

Hope that helps.

/charlie

/Charlie (troubleshooter, carehart.org)
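A worked configuration for the two approaches described in the answer above (authenticate and IP-restrict /CFIDE/administrator at the external web server, or leave it reachable only through CF's internal web server on its own port and firewall that port), added here as an illustration; it is not part of the original thread and not Adobe's, Foundeo's or the answerer's material. The ACL syntax follows the Oracle iPlanet Web Server 7 / Sun Java System Web Server ACL format and the firewall rules follow the Solaris IP Filter (ipf.conf) format, both of which should be checked against the documentation for the versions actually deployed. The management network 10.20.30.0/24, the group name cfadmins, the interface e1000g0 and the file paths are placeholders.

```conf
# ===== Approach 1: protect the Admin at the iPlanet web server =====
# File: <instance>/config/default.acl   (assumed location; check your instance)
# Syntax assumed from the iPlanet/Sun Web Server ACL format.
version 3.0;

# A named ACL whose name starts with "uri=" is applied to that URI prefix.
acl "uri=/CFIDE/administrator/*";

# Web-server authentication on top of CF's own Administrator password,
# using the server's default user database.
authenticate (user, group) {
  database = "default";
  method = "basic";
  prompt = "ColdFusion Administrator";
};

# Only members of the admin group, and only from the management network
# (10.20.30.0/24 is a placeholder), may reach anything under the Admin.
allow (all)
  group = "cfadmins" and ip = "10.20.30.*";

# Everyone else is refused; "absolute" stops later rules from overriding this.
deny absolute (all)
  user = "anyone";

# File: <instance>/config/obj.conf
# Explicitly bind the ACL to the Admin path in case it is not auto-applied.
# (The same pattern can be reused for any other path you want off the public
# interface; the ppath pattern is an assumption to verify on your install.)
<Object ppath="*/CFIDE/administrator/*">
PathCheck fn="check-acl" acl="uri=/CFIDE/administrator/*"
</Object>

# ===== Approach 2: Admin only via CF's internal (Tomcat) web server =====
# File: /etc/ipf/ipf.conf   (Solaris IP Filter; e1000g0 is a placeholder NIC)
# The internal web server listens on its own port (8500 by default in CF10).
# Admit it from the management network only and log-and-drop everything else.
pass in quick on e1000g0 proto tcp from 10.20.30.0/24 to any port = 8500 flags S keep state
block in log quick on e1000g0 proto tcp from any to any port = 8500

# If you take Approach 2, also refuse the Admin on the public web server
# outright, so the only path to it is the firewalled internal port:
#   acl "uri=/CFIDE/administrator/*";
#   deny absolute (all) user = "anyone";
```

After reloading the web server and IP Filter (`ipf -Fa -f /etc/ipf/ipf.conf`), verify from a host outside the management network that http://your-site/CFIDE/administrator/ answers 401 or 403 rather than the login page, and that a TCP connection to port 8500 is refused or times out; then repeat from inside the management network to confirm admins still get in. The CF Administrator password remains in place in both approaches; the web-server or firewall layer is an additional gate in front of it, not a replacement.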
Charlie Arehart
Community Expert
June 28, 2012

Doh, I should have added as well that when it comes to securing CF, you also should seriously consider Foundeo's FuseGuard Web App Firewall for CF. No, it's not free, but it could easily add significant security best practices for your environment. More at http://foundeo.com/security/.

Also, they offer a 4-page PDF CF security checklist for a modest price, at http://foundeo.com/security/coldfusion-checklist/.

/Charlie (troubleshooter, carehart.org)
dmalloy (Author)
Participating Frequently
August 8, 2012

Charlie,

Thank you for the information.