How do you remediate the below issue after a Tenable scan reports the below
Plugin Output:
Path : c:\coldfusion2018\cfusion\bin\coldfusionsvc.exe
Used by services : ColdFusion 2018 Application Server
File write allowed for groups : Authenticated Users (S-1-5-11)
Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swagent.exe
Used by services : ColdFusion 2018 ODBC Agent
File write allowed for groups : Authenticated Users (S-1-5-11)
Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swstrtr.exe
Used by services : ColdFusion 2018 ODBC Server
File write allowed for groups : Authenticated Users (S-1-5-11)
Path : c:\coldfusion2018\cfusion\jetty\jetty.exe
Used by services : ColdFusion2018Add-onServices
File write allowed for groups : Authenticated Users (S-1-5-11)
Path : c:\coldfusion2018\cfusion\jnbridge\cfdotnetsvc.exe
Used by services : ColdFusion 2018 .NET Service
File write allowed for groups : Authenticated Users (S-1-5-11)
You'd want to identify the group (S-1-5-11) and its users, and decide whether to remove its permissions from that folder--or remove the group if it's some old unneeded one (the name seems unusual).
The only user that needs write access to that folder is the user running the CF ODBC services (viewable in the Windows Services panel), which by default is the System account (and which has write permission by default).
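The reply above amounts to "find out who holds write access on each service binary and which account the service actually runs as". The following PowerShell script is an added example, not code from the thread or from Adobe: it reproduces the check behind the Tenable finding locally by walking the services whose name matches a pattern, reading the DACL of each service executable, and reporting every Allow entry that grants write-type rights to a principal other than SYSTEM, Administrators or TrustedInstaller. The `ColdFusion*` pattern is an assumption taken from the service names in the scan output; run it from an elevated PowerShell.

```powershell
# Added example (not from the original thread): audit write access on service binaries.
# Assumption: 'ColdFusion*' matches the services named in the scan output above.
$ServiceNamePattern = 'ColdFusion*'

# Rights that let the holder change or replace the executable. Modify covers
# WriteData/AppendData/Delete and is a subset of FullControl, so a -band test
# against this mask catches Write, Modify and FullControl ACEs alike.
# 0x40000000 = GENERIC_WRITE and 0x10000000 = GENERIC_ALL; generic bits can
# appear in inheritable ACEs and would otherwise be missed.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Modify) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::TakeOwnership) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::ChangePermissions) -bor
             0x40000000 -bor 0x10000000

# Principals that are expected to hold write access on a service binary.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted and may carry command-line arguments.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName.Trim()
}

function Get-AceSid {
    # Normalise the ACE's identity to an SDDL SID string so the comparison does
    # not depend on name resolution (the scanner reports SIDs, e.g. S-1-5-11).
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try { return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $Ace.IdentityReference.Value }
}

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $ServiceNamePattern -or $_.DisplayName -like $ServiceNamePattern }

foreach ($svc in $services) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Write-Warning "$($svc.Name): binary not found at '$exe'"
        continue
    }
    $acl = Get-Acl -LiteralPath $exe
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $sid = Get-AceSid $ace
        if ($trustedSids -contains $sid) { continue }
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName     # the only account that legitimately needs write access
            Path      = $exe
            Principal = "$($ace.IdentityReference) ($sid)"
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # $true means the ACE comes from a parent folder, not the file
        }
    }
}
```

Two columns matter for the remediation: `RunsAs` tells you which account must keep write access (LocalSystem by default, as the reply says), and `Inherited` tells you whether the offending entry lives on the file itself or is inherited from `cfusion\` or the drive root, which decides where the permission has to be changed.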
Can I remove the authenticated users and then add Local system? Will that break anything?
That should work fine, assuming CF and related services are running in the Local System security context.
Dave Watts, Eidolon LLC
Strange. I suspect that something was changed in your ColdFusion 2018 installation.
I say this because, when ColdFusion is installed, the files in the following directories are Read-Only by default:
Take the first directory, for example. If you navigate to c:\coldfusion2018\cfusion\, right-click on bin and select Properties, you should see something like:
The "Authenticated Users" group is a dynamic one, consisting of any user who's successfully authenticated. You can restrict these directories to the CF user account and an administrator.
Dave Watts, Eidolon LLC
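Both of Dave's replies describe the same change: take Authenticated Users off the ColdFusion directories and leave only the service account (LocalSystem by default) and an administrator. The script below is an added example, not code from the thread or from Adobe, that performs that change with Get-Acl/Set-Acl. It assumes the directory list taken from the paths in the scan output, that the services run as LocalSystem (set `$ServiceAccount` otherwise), that it is run from an elevated PowerShell, and it starts in dry-run mode so you can see what would change first.

```powershell
# Added example (not from the original thread): remove Authenticated Users
# (S-1-5-11) from the ColdFusion directories and keep SYSTEM, Administrators
# and the service account. Assumptions: directory list from the scan output,
# services run as LocalSystem, elevated prompt, $DryRun = $true only reports.
$DryRun         = $true
$ServiceAccount = 'NT AUTHORITY\SYSTEM'   # e.g. 'DOMAIN\svc-coldfusion' if CF runs as a dedicated user
$Directories    = @(
    'C:\ColdFusion2018\cfusion\bin',
    'C:\ColdFusion2018\cfusion\db\slserver54\bin',
    'C:\ColdFusion2018\cfusion\jetty',
    'C:\ColdFusion2018\cfusion\jnbridge'
)

$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$keepIds   = @(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'),     # NT AUTHORITY\SYSTEM
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'), # BUILTIN\Administrators
    (New-Object System.Security.Principal.NTAccount $ServiceAccount)
)

function New-FullControlRule {
    # Full control on the folder, its subfolders and its files.
    param([System.Security.Principal.IdentityReference]$Identity)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Get-AceSid {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try { return $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $null }
}

foreach ($dir in $Directories) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { Write-Warning "missing: $dir"; continue }
    $acl = Get-Acl -LiteralPath $dir

    # Step 1: the Authenticated Users ACE is normally inherited from the install
    # root or the drive. RemoveAccessRule ignores inherited ACEs, so first stop
    # inheriting and keep copies of the inherited entries as explicit ones.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Host "$dir : disable inheritance, keeping inherited entries as explicit"
        if (-not $DryRun) {
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $dir -AclObject $acl
            $acl = Get-Acl -LiteralPath $dir   # re-read: the copies are now explicit and removable
        }
    }

    # Step 2: drop every ACE held by Authenticated Users.
    foreach ($ace in @($acl.Access)) {
        $sid = Get-AceSid $ace
        if ($null -ne $sid -and $sid.Equals($authUsers)) {
            Write-Host "$dir : remove $($ace.AccessControlType) '$($ace.FileSystemRights)' for $($ace.IdentityReference)"
            if (-not $DryRun) { [void]$acl.RemoveAccessRule($ace) }
        }
    }

    # Step 3: make sure the accounts that must keep access still have it, then write the DACL.
    # Inheritable ACEs set here are propagated by Windows to the existing children.
    foreach ($id in $keepIds) { $acl.AddAccessRule((New-FullControlRule $id)) }
    if (-not $DryRun) { Set-Acl -LiteralPath $dir -AclObject $acl }
}
```

Run it once with `$DryRun = $true`, then flip it to `$false`. Afterwards restart the ColdFusion services (they need to be able to read their binaries and, for LocalSystem, nothing else changes), check a directory with `icacls C:\ColdFusion2018\cfusion\bin` to confirm S-1-5-11 is gone, and re-run the Tenable scan. If a child folder already had inheritance disabled before this ran, it keeps its own DACL and has to be handled separately.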
Hey, Dave. In your experience, does that message they showed add that number--in their case, (S-1-5-11)--when displaying it, and when indeed it's the only group of that name (authenticated users) on that system?
I'd thought I'd seen that number added when it was not, but I could be confusing matters.
Anyway, let's all see what the OP may offer. We 3 musketeers have given them plenty to consider. 🙂
Also, Dave, please see a direct message I'd sent within here a couple of days ago. (I often miss them, myself.)
@uhururuto12 , you can find out the details of the user(s) S-1-5-11. To do so, proceed as follows:
@ECHO OFF
:: This batch file reveals Windows log-on processes.
:: logonsessions64.exe is the Sysinternals LogonSessions tool; -p also lists the
:: processes running in each logon session. Adjust the path if you extracted the
:: tool somewhere other than C:\temp\logonSessions. Run from an elevated prompt.
C:\temp\logonSessions\logonsessions64.exe -p
PAUSE
and save it as getLogonSessions.bat .
I do know that's the RID (relative identifier) for the "Authenticated Users" group and is used as part of the Windows SID for that group. It's not really a new thing, but because membership is contextual so to speak, most people don't think too much about it. It's a great convenience compared to the Everyone Group or any of the other groups with fixed membership. I don't know which versions of Windows show the SID along with the name of the group or user.
https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
Also, I did see the DM and got in touch with the person. Thanks!
Dave Watts, Eidolon LLC
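Both the LogonSessions post and Dave's note on well-known SIDs come down to the same point: S-1-5-11 is not a group anyone is added to, it is placed in the token of every authenticated logon. The following PowerShell is an added example, not code from the thread: it resolves the SIDs from the scan output (plus Everyone for comparison, a constructed list) to names and checks whether each one is present in the current user's access token. It assumes nothing beyond running on Windows.

```powershell
# Added example (not from the original thread): resolve well-known SIDs and
# show which of them the current logon token carries. $sids is a constructed
# list: the two SIDs mentioned in the thread plus Everyone and Administrators.
$sids = @(
    'S-1-5-11',      # Authenticated Users, as reported by the scanner
    'S-1-1-0',       # Everyone
    'S-1-5-18',      # LocalSystem, the default ColdFusion service account
    'S-1-5-32-544'   # BUILTIN\Administrators
)

$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Groups holds the enabled group SIDs of the token (deny-only entries are excluded).
$tokenGroups = @($identity.Groups | ForEach-Object { $_.Value })

foreach ($s in $sids) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $s
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolvable>' }
    [pscustomobject]@{
        Sid          = $s
        Name         = $name
        IsAccountSid = $sid.IsAccountSid()   # $false for well-known SIDs such as S-1-5-11
        InMyToken    = ($tokenGroups -contains $s) -or ($identity.User.Value -eq $s)
    }
}
```

Run it from a normal prompt and again from an elevated one: S-1-5-11 resolves to `NT AUTHORITY\Authenticated Users` and is in the token both times, while S-1-5-32-544 shows up only in the elevated token. `whoami /groups` shows the same membership without any scripting.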
Based on the Tenable scan report you provided, it appears that the ColdFusion 2018 application server and its associated components have file write permissions allowed for the "Authenticated Users" group (S-1-5-11). This could potentially pose a security risk as it allows any authenticated user on the system to modify these files.