ColdFusion 2018 - Lockdown

New Here ,
Sep 19, 2018

Is it possible to get an actual lockdown guide for CF 2018?

The documentation for the auto-lockdown tool is not very detailed and it has been finishing with errors, with most of the lockdown tasks remaining incomplete.

I've hardened instances from CF8 and up several times before - at this point it would be much faster to follow a guide rather than continue to troubleshoot the tool.

Correct answer by Dave Watts | Adobe Community Professional

Adobe Community Professional ,
Sep 19, 2018

I don't think there's a lockdown guide for CF 2018 yet. But there is one for CF 2016, and almost all of that would directly apply here. The only major difference I can think of is how the /CFIDE virtual directory isn't exposed to external web servers (IIS, Apache) the same way as before, and that's basically just less stuff you'll have to do.

Dave Watts, Fig Leaf Software

New Here ,
Sep 19, 2018

Thank you, Dave.

I just started going through the 2016 Lockdown Guide a few minutes ago, deciding that it couldn't be that different.

I get why Adobe made the auto-lockdown tool (I was even excited when I heard about it!), but a little too much is happening under the hood for my taste. I want to go through and verify each step, so I might as well do it too! lol

Adobe Community Professional ,
Sep 19, 2018

That's a good plan, Dave. But note that the CFIDE not being exposed is not new to 2018. It was so in 2016, so all the more reason that the old guide could suffice for many.

And to rzindler, I'm with you on your sentiment in your reply to Dave's note.

/Charlie (server troubleshooter, carehart.org)

New Here ,
Feb 11, 2020

Has there been an update about an actual lockdown guide for 2018? Due to the enhanced security architecture of where I am, I'm running into problems, and I too would like to be able to do the step-through like the old days to see what might actually be the cause of my issue(s).

Adobe Community Professional ,
Feb 11, 2020

So I just looked, and there is one!

https://www.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2018-lockdown-guide.pd...

I don't know how new it is, I don't remember seeing it before.

Dave Watts, Eidolon LLC

New Here ,
Feb 11, 2020

Thanks Dave - unfortunately that is the document that includes using the Auto Lockdown Tool.

I need the manual process - without using the Lockdown Tool. Old school step through.

We never set up 2016 but if the 'manual' lockdown for 2016 is applicable to 2018 then okay I'll use that document. I just need to know if there are any differences in locking down 2016 vs 2018.

Adobe Community Professional ,
Feb 11, 2020

To be clear:

  • there was no CF2018 lockdown guide originally (this thread started in Sept 2018, 3 months after CF2018 had come out)
  • the lockdown guide that WAS created for 2018 did indeed presume that one uses the Auto Lockdown tool. For instance, the section on setting up the Windows Service to run as a limited function user is gone from that CF2018 version of the doc. It IS covered in the CF2016 version.
  • And as Dave had shared back in 2018, most of the 2016 guide applies JUST FINE to using it to lock down 2018. You would do best to have both guides open and follow along in both, to let each supplement the other.
  • It would have been nice if Adobe had tasked Pete to create a version of the 2018 guide that did NOT presume use of the Auto lockdown tool, but they did not.
  • It would be nice if he or someone were to come up with a "change doc" for what about the CF2016 guide would need to be different for 2018, but I am not aware that anyone has.

Hope that helps answer the question.

/Charlie (server troubleshooter, carehart.org)

New Here ,
Feb 12, 2020

Charlie,

Thanks so much for your time and response. I greatly appreciate it.

Do we know if the 2018 Auto Lockdown tool was tested for MS Server OS 2016 with IIS 10?

Because of the enhanced security posture of the network(s) I'm trying to install 2018 into I believe the Auto Lockdown tool is running into issues such as the heavy implementation of UAC.

Just one of the issues I've run into with the 2018 Auto Lockdown is where it appears as though my Administrative account I identified in the Auto Lockdown setup was associated to the unique Application Pool identity it created - which in turn caused my Admin account to become locked out consistently. Changing the Application Pool identity from the one created by the Lockdown tool to an AD Service account resolved the problem.

This last run at setting up the server I ran into an issue where the CF Admin site just couldn't be displayed anymore in the browser - maybe a Tomcat situation I need to dig deeper into.

I'll continue this trial and error process between the 2 guides and eventually, hopefully, find success - I just hope I remember to document everything LOL.

Thanks again.

Adobe Community Professional ,
Feb 12, 2020

Well, I can't say if it was tested. I would assume so, but I don't work for Adobe (and have not been involved closely in working with the Lockdown tool).

That said, I will note that there have been updates to the Auto Lockdown tool, the last (that I know of) being in June 2019, which was announced in the technote for CF2018 update 4: https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-4.html. Sadly, the page for downloading the installers doesn't report that or their version (https://www.adobe.com/support/coldfusion/downloads.html#cf2018ldg).

How long ago did you download it? I will say that I just downloaded the latest one offered today (for Windows, as that's what you're referring to), and when I look at the file's properties>details, its reported "file version" is 2018.0.2.

Finally, are you saying you applied the lockdown tool, and now you are trying to rectify things after the mess it's created? I don't hold out much hope for doing that. I would strongly recommend reverting to a snapshot or backup if you have one and it's not too old, or I might even just start over (new box), because the tool does SO much and touches SO many things (way beyond CF itself) that the chances of you resolving things seem slim.

Now, someone may want to point out that there is a log for the lockdown tool. And fair enough, if that may help you "undo" things, but again I have my doubts. As you can tell, I'm not a fan of the tool, because it just does too much and all at once. I appreciate its goal, just not a fan of its implementation.

/Charlie (server troubleshooter, carehart.org)

New Here ,
Feb 13, 2020

Actually I did some testing with Mr. Bihani, main developer of the Lockdown tool if I remember correctly, back in October to December of 2018; this was in fact due to issues I was having with the tool due to our enhanced security network environments - but that was with MS Server 2012r2 and IIS 8.5.

Last Thursday I did send an email off to Kailash Bihani and Manas Mahapatra over at Adobe regarding my issue but no response yet.

It wasn't too long ago that I had the tool downloaded - then again time flies so it could be longer - I checked the properties on the file and the version is 2018.0.0.2 ... last modified date of 11/12/19 ... digital signature shows a date of 8/30/19.

Thanks for mentioning the newest download - I'll have someone grab it and put it on the server for me.

Yes I did attempt, for a limited time, to resolve the issues experienced after applying the Lockdown tool but you have to cut your losses at some point and start over. Which is what I have done; had a clean VM spun up yesterday and started walking through the 2016 & 2018 guides but ran into the issue of the CF Admin site becoming 'not found'. So I cut my losses again and had that VM removed and another new one stood up last night.

Let's see how it goes today LOL
