Locking Down CF Servers
Pete Freitag, Foundeo Inc.
foundeo.com | hackmycf.com | fuseguard.com
About Pete Freitag
✤ Owner of Foundeo Inc.
✤ HackMyCF - Remote ColdFusion Security Scanner
✤ FuseGuard - Web App Firewall for CFML
✤ Consulting - Install, Configure, Review, CFML Dev
✤ 17+ Years working with CF
✤ Author of CF9-11 Lockdown Guides, CFMX Cookbook (SAMs)
✤ blog: petefreitag.com twitter: @pfreitag slack: @foundeo
Our Focus Today
✤ Securing your ColdFusion Server Install
✤ Not covering:
✤ Hardening Your Operating System
✤ Database Security
✤ Securing your Application Source Code
Agenda
✤ Guiding Principles
✤ Installation
✤ Post Installation Lockdown
✤ ColdFusion Administrator Configuration
✤ Tomcat Configuration
Heavily Based on:
✤ Adobe ColdFusion 11 Lockdown Guide: http://bit.ly/cf11lockdown
✤ Adobe ColdFusion 10 Lockdown Guide: http://bit.ly/cf10lockdown
✤ Adobe ColdFusion 9 Lockdown Guide: http://bit.ly/cf9lockdown
✤ This talk assumes CF11, but is mostly the same for CF10 as well
✤ CF9 and below are no longer supported (no more security patches)
Why Do I Need to Lock Down My Install?
Can't the installer do everything for me?
What is secure?
What tradeoffs are acceptable?
(cc) http://www.flickr.com/photos/toddler/4169974226/
Principle of Least Privilege
Grant only the minimum permission required to accomplish a task.
(cc) http://www.flickr.com/photos/dvanzuijlekom/8279837896/in/photostream/
Defense in Depth
Multiple Layers of Redundant Security.
(cc) http://www.flickr.com/photos/flygraphix/4791988161/
Reduce Attack Surface
(Diagram: a server running ColdFusion, ASP.NET, PHP, DNS, FTP and a Web Server vs. a server running only ColdFusion and a Web Server.)
Avoid Defaults
Avoid using defaults for configurable options such as paths, usernames, etc.
Services I Like:
✤ Duo Security: Two Factor Authentication (RDP, SSH)
✤ Dome9: Cloud Firewall
✤ Easily grant temporary access to administrative ports.
Pre-Installation
✤ Lockdown and Patch OS
✤ OS Vendors have Lockdown Guides as well.
✤ https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/
✤ Windows Security Compliance Toolkit: http://technet.microsoft.com/en-us/library/cc677002.aspx
✤ Ensure network firewall in place.
✤ Remove all unnecessary software.
Pre-Installation
✤ Windows: Create multiple partitions for OS, CF, Web Root.
✤ Limits impact of a path traversal vulnerability.
✤ Create a user account for CF to run as.
Installation
✤ Install only necessary subcomponents
✤ Disable unneeded Servlets
Post-Install
✤ Install any/all CF security hotfixes and updates.
✤ Install / Update Web Server connectors
✤ Configure administrator settings.
Accessing CF Administrator
✤ Set up web server (IIS / Apache)
✤ IP Restrictions, SSL, Additional User Auth
✤ or Use Builtin Web Server
Using Builtin Web Server
✤ Pro: Easy /CFIDE block
✤ Con: Harder to configure SSL, Virtual Directories, IP Restrictions
✤ Works well if using RDP to access from localhost, or setting up ssh tunneling on unix
✤ If you need to access from public network, create a dedicated site, use SSL, IP restrictions, etc.
Block /CFIDE
✤ If possible, block all of /CFIDE
✤ If part of it is required, block everything else.
✤ Block server wide, not by virtual host
✤ Always Restrict:
✤ /CFIDE/administrator
✤ /CFIDE/adminapi
✤ CF11 no longer has /CFIDE/GraphData.cfm
Red = Should be blocked
Orange = Block if possible
Yellow = Low risk but can be blocked
Apache
✤ RedirectMatch 404 (?i).*/CFIDE.*
✤ <LocationMatch "(?i).*/CFIDE">
      Require all denied
  </LocationMatch>
  (Apache 2.2: use "Order deny,allow" and "Deny from all" inside the block instead of "Require all denied")
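Once the block rules are in place, check that they actually take effect. This is an added example, not from the slides: it requests the admin paths the slides say to always restrict against your own server (the base URL is a placeholder you supply) and reports any that still answer with something other than 401/403/404. The lower-case path variant is there to catch a rule that forgot the (?i) flag.

```python
"""Verify after the lockdown that admin paths really are blocked at the
web server. Added example; run it against your own server only."""
import sys
import urllib.error
import urllib.request

# Paths the slides say to always restrict. The lower-case variant catches a
# rule that forgot the (?i) case-insensitive flag (on Windows /cfide/ reaches
# the same files as /CFIDE/).
ADMIN_PATHS = [
    "/CFIDE/administrator/",
    "/CFIDE/adminapi/",
    "/cfide/administrator/",
    "/CFIDE/main/rds.cfm",
]

# Status codes that show a block rule is in effect. A 200 or a 3xx (e.g. a
# redirect to the admin login page) means the path is still being served.
BLOCKED = {401, 403, 404}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as an HTTPError


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url, timeout=5):
    """HTTP status for url without following redirects."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def audit(base_url, paths=ADMIN_PATHS, status_fn=http_status):
    """Return {path: status} for every path that is NOT blocked.
    status_fn is injectable so the logic can be exercised offline."""
    exposed = {}
    for path in paths:
        code = status_fn(base_url.rstrip("/") + path)
        if code not in BLOCKED:
            exposed[path] = code
    return exposed


if __name__ == "__main__":
    # usage: python cfide_audit.py https://cf.example.internal  (placeholder host)
    result = audit(sys.argv[1])
    for path, code in result.items():
        print("NOT BLOCKED: %s -> HTTP %d" % (path, code))
    sys.exit(1 if result else 0)
```

Give it the https base URL of the site; an http-to-https redirect would otherwise be reported as an exposed path.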
IIS Request Filtering
✤ Block or whitelist URIs
✤ Block or whitelist by file extension
✤ Block or whitelist HTTP verbs
✤ Request Limits
✤ Content Length
✤ URL Length
✤ Query String Length
Application Pool Defaults
Block unused servlet mappings
✤ /cfform-gateway
✤ /cfform-internal
✤ /rest
✤ /CFIDE/main/rds.cfm
✤ /CFIDE/GraphData.cfm (cfchart on CF10)
✤ /WSRPProducer
✤ /CFFileServlet
✤ /CFFormGateway
✤ /flashservices/gateway
✤ /flex2gateway
✤ See web.xml
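To see which of the mappings above a given install still exposes, web.xml can be read programmatically. This is an added example, not code from the slides or from Adobe: it parses a constructed web.xml excerpt (made-up servlet names, not a real server's file), lists the mappings that fall in the block list and are not in use, and renders one RedirectMatch 404 line per path in the style of the Apache slide.

```python
"""List servlet mappings in a CF web.xml that the slides say to block.
Added example; the sample web.xml below is constructed, not a real one."""
import xml.etree.ElementTree as ET

# Servlet mappings the slides list as candidates to block when unused.
BLOCK_CANDIDATES = {
    "/cfform-gateway", "/cfform-internal", "/rest", "/CFIDE/main/rds.cfm",
    "/CFIDE/GraphData.cfm", "/WSRPProducer", "/CFFileServlet",
    "/CFFormGateway", "/flashservices/gateway", "/flex2gateway",
}

# Constructed excerpt in the shape CF's web.xml uses (servlet names made up).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/rds.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>FlashGateway</servlet-name>
    <url-pattern>/flashservices/gateway/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RestServlet</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so matching does not depend on the xmlns."""
    return tag.rsplit("}", 1)[-1]


def servlet_mappings(web_xml_text):
    """Return (servlet-name, url-pattern) pairs in document order."""
    pairs = []
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        cells = {_local(c.tag): (c.text or "").strip() for c in elem}
        if cells.get("servlet-name") and cells.get("url-pattern"):
            pairs.append((cells["servlet-name"], cells["url-pattern"]))
    return pairs


def block_candidates(web_xml_text, in_use=()):
    """Mappings still present that the slides say to block, minus any the
    application actually uses (pass those paths in in_use)."""
    found = []
    for name, pattern in servlet_mappings(web_xml_text):
        base = pattern.rstrip("*").rstrip("/") or pattern  # "/rest/*" -> "/rest"
        if base in BLOCK_CANDIDATES and base not in in_use:
            found.append((name, base))
    return found


def apache_rules(candidates):
    """One RedirectMatch 404 line per path (the Apache approach on the slides),
    anchored with (/|$) so /rest does not also match /restaurant."""
    return ["RedirectMatch 404 (?i)^%s(/|$)" % base.replace(".", r"\.")
            for _, base in candidates]
```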
Restrict File Extensions
✤ By Folder (user upload directories):
✤ Eg: Restrict a folder to serve only jpg, png, gif files.
✤ Can be done globally or per site as well
✤ The /jakarta virtual directory needs the dll extension allowed
Dedicated User Account
✤ Windows: Change Service Log On identity. Otherwise CF runs with full permission to everything.
✤ Unix: The installer allows you to specify a user to run CF as.
✤ The default nobody user is probably not the best choice as other services might share this account.
File System Permissions
Path          CF User Permissions               Web Server User Permissions
Web Root      Read Only (additional as needed)  Read Only
CF Root       Full (can be restricted further)  -
/CFIDE        -                                 Read
CF Connector  -                                 Read, Write (Logs)

File System Permissions
✤ /CFIDE and other directories under CF root can be restricted to read only permission for the cf user to prevent runtime change.
✤ Run CF10/CF11 hotfix installer from command line as administrator.
✤ java -jar {coldfusion-home}/cfusion/hf-updates/hotfix_XXX.jar
Update JVM
✤ Update to latest supported JVM (1.8 currently for CF10-11)
✤ Java 1.6 & 1.7 (as of 4/15) no longer supported by Oracle!
✤ Adobe recommends you run the latest supported JVM (eg 1.8.{highest number}) instead of specific version numbers.
Sandbox Security
✤ Disable Unnecessary Risks, eg: cfexecute, cfregistry
✤ More flexible on Enterprise but still works on standard.
Session Mechanism
Feature                               J2EE   CF
Configure in Application.cfc          No     Yes
Token size configurable               Yes    No
Configure in web.xml                  Yes    No
Interoperates with J2EE applications  Yes    No
SessionRotate                         No     Yes
SessionInvalidate                     No     Yes
CF10-11 / Tomcat web.xml Servlet Mappings
Tomcat
✤ Shutdown port / password
✤ Changing the shutdown port on Windows causes the CF service stop to fail.
✤ Connector settings:
✤ Connector secret (has to be redone when updating the connector)
✤ Tomcat 7 Security Configuration Guide: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
ColdFusion Administrator
✤ Default ScriptSrc Directory
✤ Set up an alias so /CFIDE/scripts/ -> /some-folder/
✤ Allows you to block /CFIDE
✤ If you don’t use cfform, cfajaxproxy, etc., you can skip this.
✤ If you use the builtin web server you need to configure an alias
ColdFusion Administrator
✤ Allowed file extensions for CFInclude tag
✤ Mitigates directory traversal / path injection that leads to code execution attack.
✤ Comma separated list of file extensions that execute, typically can be set to just cfm
ColdFusion Administrator
Additional Settings
Additional Tools
✤ HackMyCF
✤ FuseGuard
✤ CF Unofficial Updater (CF9 and below)
Questions?
foundeo.com | hackmycf.com | fuseguard.com
