Lock Down .cfm Pages in IIS

New Here, Oct 25, 2006
What is happening is that the images (.gif, .jpg, and .doc) along with .html pages are protected via IIS, but the .cfm pages are being served up in the browser.

How would I make it so that .cfm pages are not served up by IIS if they have Windows authentication enabled?

Thank you!
Engaged, Oct 26, 2006
Not sure what you are asking.

I would start by turning off anonymous access in IIS.
New Here, Oct 26, 2006
I am asking that the ".cfm" pages are protected in the folder just like the images and ".htm" pages.

I cannot get to the images and ".htm" pages because Windows security prevents me from seeing them, which is the correct behavior, but the ".cfm" pages are served up and shouldn't be.

What is going on?

Anonymous access is already turned off.
We can use iAuth, but would rather not use it.

Are there no more ColdFusion Experts? Anyone left from the Allaire days or have you all jumped the cfml ship for .NET and Java?
Engaged, Oct 26, 2006
In your Application.cfm, put in a login script or authentication script. That'll work for all of your cfm pages.
New Here, Oct 26, 2006
There is no application.cfm right now. If I add the application.cfm what do you use to check that they are authenticated through Windows? There are no cookies or sessions being set.
LEGEND, Oct 26, 2006
> There is no application.cfm right now. If I add the application.cfm
> what do you use to check that they are authenticated through Windows?
> There are no cookies or sessions being set.

I'm not sure what your issue is. When I set security in IIS it applies
to all my templates htm, cfm or otherwise. Once security is set CFML
can access the user from the cgi.auth_user variable.
Engaged, Oct 26, 2006
You must be using some database to authenticate the user. The same parameters can be used to authenticate whether the user should be allowed to view the cfm pages. You can also set IP addresses, URLs that are allowed access, etc. Depends on how you've set up authentication.
Engaged, Oct 26, 2006
In case of database authentication, you'll need to set up the database connection using the ColdFusion Administrator and then use <cflogin> to authenticate the user.
If you search the web, there are a number of cflogin scripts available. Look in easycfm.com
New Here, Oct 26, 2006
I don't want to use a database, I want to utilize the Active Directory groups in Windows Security.
LEGEND, Oct 26, 2006
> I don't want to use a database, I want to utilize the Active Directory
> groups in Windows Security.

Can you detail how you have security set up for your websites?
Engaged, Oct 26, 2006
Sorry, I am out of depth here. Maybe someone else can give some suggestions.
New Here, Oct 26, 2006
I was hoping to use the CGI_Auth_User in the application.cfm
Engaged, Oct 26, 2006
That would work too. You will still need to have a list somewhere of the authorized users so the comparison can be made and user authenticated.
LEGEND, Oct 26, 2006
> I was hoping to use the CGI_Auth_User in the application.cfm

If you have anonymous login turned off and windows integrated or some
other IIS security turned on, then the cgi.authUser will be populated
with the domain/username of the logged in user.

We often use that in conjunction with <cfldap ...> to provide
authentication and validation with our systems. It is fairly
straightforward.

Are you getting a value in your cgi.auth_user field?
New Here, Oct 26, 2006
We are using IIS and all I care about is authentication not authorization right now.
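
One way to make an Application.cfm fail closed on the `cgi.auth_user` value discussed in this thread, as an added example that is not code from any poster: it denies every .cfm request that IIS passed through without a Windows identity. The domain name `EXAMPLE`, the log file name `authcheck` and the variable `request.windowsUser` are assumptions.

```cfml
<!--- Application.cfm: added example. ColdFusion runs this file before every
      .cfm template in the directory tree, so the check covers all of them. --->
<cfsilent>
    <!--- Assumption: placeholder domain name; replace with your own --->
    <cfset expectedDomain = "EXAMPLE">

    <!--- ColdFusion returns an empty string for a CGI variable the web
          server did not set, so an anonymous request yields "" here --->
    <cfset authUser = trim(cgi.auth_user)>
    <cfset authDomain = "">
    <cfset authName = "">

    <!--- Accept DOMAIN\username as well as the domain/username form
          mentioned in the thread; anything else leaves authName empty --->
    <cfif listLen(authUser, "\/") eq 2>
        <cfset authDomain = listFirst(authUser, "\/")>
        <cfset authName = listLast(authUser, "\/")>
    </cfif>

    <!--- Authenticated only if IIS supplied a user from the expected domain --->
    <cfset isAuthenticated = len(authName) gt 0
        and compareNoCase(authDomain, expectedDomain) eq 0>

    <!--- Strip control characters before the value reaches the log --->
    <cfset safeUser = reReplace(authUser, "[[:cntrl:]]", "", "all")>
</cfsilent>

<cfif not isAuthenticated>
    <!--- Record the denial so a misconfigured directory shows up in the logs --->
    <cflog file="authcheck" type="warning"
           text="Denied #cgi.script_name# from #cgi.remote_addr#, auth_user='#safeUser#'">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Access denied.</cfoutput>
    <cfabort>
</cfif>

<!--- Make the verified account name available to the requested template --->
<cfset request.windowsUser = authName>
```

This checks authentication only; it does not look up Active Directory group membership, and an `authcheck` log entry means IIS served the request without a Windows identity.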