I know we should all know this, but I will throw this out anyway.
I have been working in the LAN environment for over 10 years, and I know that is not an excuse, so before you guys blast me I plead the dummy clause because I am one. 🙂
If I have a website in the cloud that is hosted on an IIS web server and CF 7+, where and how do I deal with the administrative login page so it is NOT available to the world, so they can't use a password hacker tool to get access to the administrative console?
This is easy, I am sure, and this is a noob question, but again I plead the 5th here.
Thanks in advance.
You can limit it by IP restriction in IIS. Right-click on your website/cfide folder in IIS, Directory Security, IP address and domain name restrictions - edit, add the IPs you want to allow into the cfide folder. Give that a shot, works for me.
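The same IP restriction on the CFIDE folder, written as a web.config fragment for IIS 7 or later (an added example, not from the post above or from Adobe; the 10.0.0.0/24 range is a placeholder for the management network, and it assumes the IP and Domain Restrictions feature is installed and the ipSecurity section is unlocked in applicationHost.config):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Save as web.config inside the /CFIDE folder of the site
     (or wrap the <security> element in <location path="CFIDE"> at site level). -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": every client not listed below is denied (HTTP 403). -->
      <ipSecurity allowUnlisted="false">
        <clear />
        <!-- Placeholder management network; replace with the range that should reach the admin console. -->
        <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Local access from the server itself, e.g. for console maintenance over RDP. -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Verify the rule by requesting /CFIDE/administrator/ from an address outside the listed range and confirming the 403 in the IIS log before relying on it.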
I was googling this and ran into this site.
This was outstanding security information.
http://blog.crankybit.com/notes-coldfusion-8-application-security/
These are very good suggestions.
Also: the CF8 server should be running from a fairly restricted user ID, one that has been set aside just for this purpose. File access, especially download targets, should be limited so that, even if the CF8 server has "temporarily been taken over by the evil Borg," the operating system will not permit it to do anything that it "should" not do. Ditto the database server.
The mere fact that it is the ColdFusion server that is issuing the request does not mean that the request should be honored. (It could well have been "assimilated...")
The so-called principle of least privilege should be used throughout any public-facing application. The computer is wonderful at enforcing rules, but you must take care to place those boundaries just as close as you can.