Is it possible to get an actual lockdown guide for CF 2018?
The documentation for the auto-lockdown tool is not very detailed and it has been finishing with errors, with most of the lockdown tasks remaining incomplete.
I've hardened instances from CF8 and up several times before - at this point it would be much faster to follow a guide rather than continue to troubleshoot the tool.
I don't think there's a lockdown guide for CF 2018 yet. But there is one for CF 2016, and almost all of that would directly apply here. The only major difference I can think of is how the /CFIDE virtual directory isn't exposed to external web servers (IIS, Apache) the same way as before, and that's basically just less stuff you'll have to do.
Dave Watts, Fig Leaf Software
Thank you, Dave.
I just started going through the 2016 Lockdown Guide a few minutes ago, deciding that it couldn't be that different.
I get why Adobe made the auto-lockdown tool (I was even excited when I heard about it!), but a little too much is happening under the hood for my taste. I want to go through and verify each step, so I might as well do it too! lol
That's a good plan, Dave. But note that the CFIDE not being exposed is not new to 2018. It was so in 2016, so all the more reason that the old guide could suffice for many.
And to rzindler, I'm with you on your sentiment in your reply to Dave's note.
Has there been an update about an actual lockdown guide for 2018? Due to the enhanced security architecture of where I am I'm running into problems and I too would like to be able to due the step-through like the old days to see what might actually be the cause of my issue(s).
So I just looked, and there is one!
I don't know how new it is, I don't remember seeing it before.
Dave Watts, Eidolon LLC
Thanks Dave - unfortunately that is the document that includes using the Auto Lockdown Tool.
I need the manual process - without using the Lockdown Tool. Old school step through.
We never setup 2016 but if the 'manual' lockdown for 2016 is applicable to 2018 then okay I'll use that document. I just need to know if there is any differences in locking down 2016 vs 2018.
To be clear:
Hope that helps answer the question.
Thanks so much for your time and response I greatly appreciate it.
Do we know if the 2018 Auto Lockdown tool was tested for MS Server OS 2016 with IIS 10?
Because of the enhanced security posture of the network(s) I'm trying to install 2018 into I believe the Auto Lockdown tool is running into issues such as the heavy implementation of UAC.
Just one of issues I've run into with the 2018 Auto Lockdown is where it appears as though the my Administrative account I identified in the Auto Lockdown setup was associated to the unique Application Pool identity it created - which is turn caused my Admin account to become locked out consistently. Changing the Application Pool identity from the one created by the Lockdown tool to an AD Service account resolved the problem.
This last run at setting up the server I ran into an issue where the CF Admin site just couldn't be displayed anymore in the browser - maybe a Tomcat situation I need to dig deeper into.
I'll continue this trial and error process between the 2 guides and eventually, hopefully, find success - I just hope I remember to document everything LOL.
Well, I can't say if it was tested. I would assume so, but I don't work for Adobe (and have not been involved closely in working with the Lockdown tool).
That said, I will note that there have been updates to the Auto Lockdown tool, the last (that I know of) being in June 2019, which was announced in the technote for CF2018 update 4: https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-4.html. Sadly, the page for downloading the installers doesn't report that or their version (https://www.adobe.com/support/coldfusion/downloads.html#cf2018ldg).
How long ago did you download it? I will say that I just downloaded the latest one offered today (for Windows, as that's what you're referring to), and when I look at the file's properties>details, its reported "file version" is 2018.0.2.
Finally, are you saying you applied the lockdown tool, and now you are trying to rectify things after the mess it's created? I don't hold out much hope for doing that. I would strongly recommend reverting to a snapshot or backup if you have one and it's not too old, or I might even just start over (new box), because the tool does SO much and touches SO many things (way beyond CF itself) that the chances of you resolving things seem slim.
Now, someone may want to point out that there is a log for the lockdown tool. And fair enough, if that may help you "undo" things, but again I have my doubts. As you can tell, I'm not a fan of the tool, because it just does too much and all at once. I appreciate its goal, just not a fan of its implementation.
Actually I did some testing Mr. Bihani, main developer of the Lockdown tool if I remember correctly, back in October to December of 2018; this was in fact due to issues I was having with the tool due to our enhanced security network environments - but that was with MS Server 2012r2 and IIS 8.5.
Last Thursday I did send an email off to Kailash Bihani and Manas Mahapatra over at Adobe regarding my issue but no response yet.
It wasn't too long ago that I had the tool downloaded - then again time flies so it could be longer - I checked the properties on the file and the version is 2018.0.0.2 ... last modified date of 11/12/19 ... digital signature shows a date of 8/30/19.
Thanks for mentioning the newest download - I'll have someone grab it and put it on the server for me.
Yes I did attempt, for a limited time, to resolve the issues experienced after applying the Lockdown tool but you have to cut your losses at some point and start over. Which is what I have done; had a clean VM spun up yesterday and started walking through the 2016 & 2018 guides but ran into the issue of the CF Admin site becoming 'not found'. So I cut my lossses again and had that VM removed and another new one stood up last night.
Let's see how it goes today LOL