Configuring ColdFusion MX 7 Server Security


1 of 16    12/18/2005 11:48 PM
ColdFusion Article
Erick Lee
Product Security Team
This article lists recommendations and best practices for securing servers on the web running Microsoft Windows Server 2003 and Macromedia ColdFusion MX 7. This is not a
comprehensive host-hardening guide for Windows 2003. Instead, this article describes a variety of security-hardening settings that you should implement to enhance the security of
ColdFusion MX 7 running on IIS 6.0 servers that host HTML content within a corporate intranet. To ensure that the ColdFusion application servers stay secure, however, you should
also implement security monitoring, detection, and response procedures.
I wrote this article primarily for consultants, security specialists, systems architects, and IT professionals who are responsible for planning application or infrastructure development
and deployment of ColdFusion MX 7 running on IIS 6.0. These roles include the following common job descriptions:
IT and Operations engineers who must deploy secure web applications and servers in customers' organizations, or their own
Architects and planners who are responsible for planning the architectural efforts for the clients in their organizations
IT security specialists who focus on providing security across the platforms within their organizations
Consultants from Macromedia and partners who need detailed resources of relevant, useful information for customers and partners
To read this article from a conceptual point of view, you do not need to download and install ColdFusion MX 7. However, to implement the recommended security settings while
reading along, you must download and install ColdFusion MX 7.
ColdFusion MX 7
Network Layer Security
Network security vulnerabilities are among the first threats to any Internet- or intranet-facing application server. This section deals with the process of hardening hosts on the network
against these vulnerabilities. It addresses network segmentation, TCP/IP stack hardening, and the use of firewalls for host protection.
Place ColdFusion servers within a demilitarized zone (DMZ).
Segmentation should exist in at least two levels for web servers. Separate the external network from the DMZ that contains the web servers, which in turn must
be separated from the internal network. Use firewalls to implement the layers of separation. Categorize and control the traffic that passes through each network
layer to ensure that only the absolute minimum of required data is allowed.
Use Network Address Translation (NAT) with RFC 1918 private IP addresses on ColdFusion application servers.
Assign private IP addresses from the RFC 1918 ranges to make it more difficult for an attacker to route traffic to and from a NAT'd internal
host through the Internet.
Use a firewall to protect exposed network perimeters.
Use the following criteria to select a firewall solution:
Implement firewalls that support proxy servers and/or "stateful inspection," rather than simple packet-filtering solutions.
Use a firewall that supports a "deny all services except those explicitly permitted" security paradigm.
Implement a firewall solution that is dual-homed or multihomed. This architecture provides the greatest level of security and helps to prevent unauthorized
users from bypassing the security of the firewall.
Do not use default listening ports for databases (Oracle – 1521, MS SQL – 1433).
See the database documentation.
Operating System Security
By configuring many of the Windows 2003 systemwide settings through the Group Policy Objects, you do not have to configure Registry settings manually for servers on the same
domain. However, you should install web servers as stand-alone servers, not as members of the organization's domain. Using stand-alone servers potentially limits the scope of a
security breach to a single computer. To apply policy changes to multiple servers, use either scripts or a DMZ-only domain.
Install only necessary IIS services.
Service vulnerabilities are used by attackers to compromise systems. The more services that are installed on the server, the more vulnerabilities that may be
IIS has the option to install WWW Service, IIS Admin, FTP, NNTP, and SMTP. FTP and NNTP should not be installed on a dedicated ColdFusion server. Also, if
no application needs the ability to send and receive e-mail locally, SMTP should not be installed.
Install all necessary security patches in Windows 2003.
There is an increased risk that an unauthorized user may gain access to the application server if vendor security patches and upgrades are not applied in a
timely fashion. Test patches before applying them to production servers.
Create policy and procedures to check for and install patches on a regular basis.
Apply the High Security Member Server Baseline Policy (MBSP).
Download the Windows Server 2003 Security Guide. The guide includes three policy templates; one is the High Security template. Apply only the High Security
template to the IIS server prior to installing ColdFusion.
After applying the template, you must modify the following settings to allow IIS to run properly:
Under User Rights Assignments:
To allow anonymous users to connect to IIS, remove the Guests group from the "Deny access to this computer from the network" policy. The IUSR account
is a member of the Guests group.
Under System Services:
Set HTTP SSL service to
. The HTTP SSL service enables IIS to perform Secure Sockets Layer (SSL) functions.
Set IIS Admin Service to
. The IIS Admin Service allows administration of IIS components such as File Transfer Protocol (FTP), Application
Pools, websites, web service extensions, and Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers.
Set World Wide Web Publishing Service to Automatic. The World Wide Web Publishing Service provides network connectivity and administration of
Change or remove the web server banner.
Modifying the IIS banner has some potential benefits if automated attack scripts that launch exploits against a server are based on the banner. Changing the
banner obscures the kind of web server that the attacker is connected to.
To remove the banner, set the following Registry key:
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader to 1
Disk segmentation is a process of keeping specific data on your server on separate physical disks for added security. Arranging data in this way reduces the risk
of directory traversal attacks. Move the IIS inetpub or wwwroot directory to a partition different from the system partition (which contains the system32 directory) or boot partition.
Install and configure virus protection software.
Virus scanners can identify infected files by scanning for a signature or watching for anomalous behavior. Scanners keep their virus signatures in a file, which is
usually stored on the local hard drive. Because new viruses are discovered often, you should frequently update this file for the virus scanner to identify all current
Use Network Time Protocol (NTP) in a secure fashion.
For forensic analysis, keep accurate time on ColdFusion servers. Use NTP to synchronize the time on all systems that are connected directly to the Internet.
Figure 1 shows how to configure Internet time in Windows Server 2003 to
Figure 1. Configuring Internet time in Windows Server 2003
Now that you have hardened Windows 2003, you can install ColdFusion on the server. Whether you are new to ColdFusion or a seasoned veteran, the installation process is
straightforward. Remember that this article describes installing ColdFusion MX 7 on IIS 6.0 only.
Best Practices
Even before running the application installer, it is important to check the integrity of the installer and server. Maintain best practices throughout the entire installation process to
ensure a secure deployment.
Log in with the least privileges.
Log in to your computer using an account that is not in the Administrators group, and use the Run As command to run the ColdFusion installer.
Do not download or run ColdFusion from sources you distrust.
Malicious programs can contain code to violate security in several ways, including data theft, modification and deletion, and denial of service.
Installer Options
During installation many options are available that can either increase or decrease the security posture of ColdFusion. This section describes guiding principles to increase the
security of your installed ColdFusion server on IIS.
Do not enable RDS.
Macromedia does not recommend enabling RDS for production servers. For more information, see "Disable RDS in a production environment." If RDS is required for your organization, create a strong RDS password.
Use strong RDS and ColdFusion Administrator passwords.
Ensure that passwords are not easily guessable (for example, words in a dictionary or variations of the user name); do not pertain directly to a user's family or
personal interests; and contain both letters and numbers. Passwords for normal system users are a minimum of six characters. Passwords for privileged users
are a minimum of eight characters. If your organization uses a stronger password policy than this one, by all means continue using those guidelines.
Place ColdFusion content on a dedicated NTFS disk partition.
Disk segmentation is a process that keeps specific data on your server on separate physical disks for added security. Arranging data in this way reduces the risk
of directory traversal attacks. Move ColdFusion content directory to a partition different from the system partition, which contains the system32 directory, or boot
Disable unnecessary sub-components
Three sub-component options are available with the ColdFusion installer:
ColdFusion MX 7 ODBC Services
Provides a connection for data sources such as Microsoft Access. This service is unnecessary for database server access. You can disable ODBC services
after installation.
ColdFusion MX 7 Search Services
Handles local file indexing to facilitate searches of web server content. You can disable search services after installation.
Getting Started Experience, Tutorials, and Documentation
Consists of sample applications and documentation to assist new users in developing ColdFusion applications. Do not enable this option on production
The following section describes in detail the different tasks recommended to harden your installed ColdFusion MX 7 server. ColdFusion is highly customizable and can work in many
different environments. Even though some of the recommendations may not fit your organization's needs, it is important to understand the security implications of improperly
configuring a public web server.
ColdFusion Server Security
The following recommended settings apply to the ColdFusion server outside of the Administrative web application (cfide\administrator). To reduce the security risks to the server,
apply these settings immediately after installing ColdFusion.
Install necessary security patches for ColdFusion.
There is an increased risk that an unauthorized user may gain access to the application server if vendor security patches and upgrades are not applied in a
timely fashion. Test patches before applying them to production servers to ensure compatibility and availability of ColdFusion applications. In addition, create
policies and procedures to check for, and install, patches on a regular basis. You can find ColdFusion updates by visiting the ColdFusion Support Center
Remove the cfdocs virtual directory.
Sample applications are installed by default in the cfdocs virtual directory and are accessible to anyone. These applications should never be available on a
production server:
1. Log in to your computer using an account that is not in the Administrators group.
2. Use the Run As command to run IIS Manager as an administrator.
3. In IIS Manager, expand the local computer and expand the Default website.
4. Right-click the cfdocs directory and select Delete.
Restrict access to the cfide virtual directory to specific IP addresses and NT user accounts.
The administrative CFIDE web application is installed by default and grants access to everyone. The only protection offered by the application is a password
field. That means an attacker needs only to guess your password to gain administrative rights to your ColdFusion application server:
1. Log in to your computer using an account that is not in the Administrators group.
2. Use the Run As command to run IIS Manager as an administrator.
To grant access to a computer:
3. In IIS Manager, expand the local computer, right-click a website, directory, or file, and select Properties.
4. Click the Directory Security or File Security tab. In the IP Address and Domain Name Restrictions section, click Edit.
5. Click Denied Access. When you select Denied Access, you deny access to all computers and domains, except those to which you specifically grant
6. Click Add.
7. Select Single Computer.
8. Type the IP address of your administrative host; localhost is recommended.
9. Click OK twice.
To restrict access to an NT account:
10. In the Authentication and Access Control section, click Edit.
11. Deselect the Enable Anonymous Access option.
Disable unnecessary system services on the host.
After installation, ColdFusion creates default system services that are configured to run when the system starts. Many of these services are not required in every
ColdFusion deployment. The following services are either required or optional to run ColdFusion MX 7:
ColdFusion MX 7 Application Server (Required)
Runs the JRun 4 server on which ColdFusion handles requests.
ColdFusion MX 7 Search Server (Optional)
Manages and controls the configuration and services of a Verity K2 indexing engine.
Create a ColdFusion service account.
By default, ColdFusion installs its service to run as the LocalSystem account. The built-in LocalSystem user account has a high level of accessibility; it is part of the
Administrators group. If a worker process identity runs as the LocalSystem user account, that worker process has full access to the entire system.
To run the ColdFusion MX 7 application server using a specific non-administrative account, follow these instructions:
1. In the Computer Management MMC, create a local user for the ColdFusion service to log in as.
   a. Select the option "User cannot change password".
   b. Under the Member Of tab, ensure that the Users group is listed.
2. Select Start menu > Settings > Control Panel > Administrative Tools > Services.
3. Double-click the ColdFusion MX 7 Application Server service.
4. Stop the service.
5. Under the Log On tab, click the This Account option and browse to the user account you created. Enter the password for that account.
6. Give the user account that ColdFusion Server is running under the following rights. Under "User Rights Assignment" in the "Local Security Settings"
   a. Deny log on through Terminal Services.
   b. Deny log on locally.
   c. Log on as Service (should be already set).
7. Give the new user account "Read & Execute, List Folder Contents, and Read" permissions for the following items:
   a. ColdFusion web content directories (i.e. cfide or cfdocs)
   b. C:\cfusion or C:\cfusionmx (and all subdirectories)
8. Start the ColdFusion MX 7 application server service.
Disable unused web service extensions.
If the server is used exclusively for ColdFusion, disable all other web extensions using the IIS Manager (see Figure 2).
Figure 2. IIS Manager
Auditing and Logging
The proper and secure use of application auditing and logging can help ensure that security and other anomalous events are tracked and detected as quickly as possible. Effective
use of auditing and logging within an application includes such items as tracking successful and failed logins, as well as key application events such as the creation or deletion of key
You can use auditing to detect many types of attacks, including the following:
Brute-force password attacks
Denial of service attacks
Injection of hostile input, and related classes of scripting attacks
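The first item in that list, a brute-force password attack against the ColdFusion Administrator, is visible in the IIS W3C logs. The following Python script is an added example, not from the article: it reads the #Fields header so column order does not matter, counts POSTs to the CFIDE administrator path per client address, and flags any address that makes five or more attempts within one minute. The log excerpt, the login path and the threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS 6.0 W3C extended log excerpt (not a real capture). The #Fields
# line drives the parser, so any field order the server is configured to log works.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-12-18 23:40:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2005-12-18 23:40:01 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 192.0.2.77 Mozilla/4.0 200
2005-12-18 23:40:03 10.0.0.5 GET /index.cfm - 80 - 198.51.100.9 Mozilla/4.0 200
2005-12-18 23:40:05 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 192.0.2.77 Mozilla/4.0 200
2005-12-18 23:40:09 10.0.0.5 POST /cfide/administrator/enter.cfm - 80 - 192.0.2.77 Mozilla/4.0 200
2005-12-18 23:40:14 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 192.0.2.77 Mozilla/4.0 200
2005-12-18 23:40:20 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 192.0.2.77 Mozilla/4.0 200
2005-12-18 23:40:27 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 192.0.2.77 Mozilla/4.0 200
2005-12-18 23:41:00 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 127.0.0.1 Mozilla/4.0 302
2005-12-18 23:45:00 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 198.51.100.9 Mozilla/4.0 200
2005-12-18 23:52:00 10.0.0.5 POST /CFIDE/administrator/enter.cfm - 80 - 198.51.100.9 Mozilla/4.0 200
"""

# Assumed location of the Administrator login form (compared case-insensitively,
# since IIS paths are case-insensitive and attackers vary the case).
LOGIN_PATH = "/cfide/administrator/"


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data seen before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def is_admin_login_attempt(rec):
    # A failed Administrator login re-renders the form, so the status code is
    # not a reliable failure signal; count POSTs to the login path instead.
    return (rec.get("cs-method") == "POST"
            and rec.get("cs-uri-stem", "").lower().startswith(LOGIN_PATH))


def find_login_bursts(records, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: peak attempts seen within `window`} for IPs at or over threshold."""
    recent = defaultdict(deque)  # per-IP sliding window of timestamps
    peaks = {}
    for rec in records:
        if not is_admin_login_attempt(rec):
            continue
        ip = rec["c-ip"]
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def scan_log_text(text, **kwargs):
    return find_login_bursts(parse_w3c(text.splitlines()), **kwargs)


if __name__ == "__main__":
    for ip, n in scan_log_text(SAMPLE_LOG).items():
        print("possible password guessing from %s: %d attempts within a minute" % (ip, n))
```

Run the same scan over the logs of every ColdFusion server in the central repository to see an attacker who spreads guesses across machines.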
Create logging event sources during deployment, not programmatically through application code.
Creating an event source requires administrative privileges. Do not grant these privileges to a running application process. Instead, in the deployment procedure
of an application, document a stand-alone script that is necessary to create the new event sources. An administrator executes this script once. Once the event
source is created, the script is no longer necessary; remove it from the system.
Set appropriate ColdFusion log file access control lists (ACLs).
Setting the appropriate permissions helps prevent attackers from deleting the files to cover their tracks.
The security permissions on the log file directory should be Full Control for Administrators and SYSTEM groups. The ColdFusion user account should have read
and write permissions only.
Set appropriate IIS log file ACLs.
Setting the appropriate permissions helps prevent attackers from deleting the files to cover their tracks. Make sure the ACLs on the IIS-generated log files
(%systemroot%\system32\LogFiles) are set appropriately. The permissions are set as secure by default in Windows 2003 Server; therefore, no modification is
needed. The security permissions on the log file directory should be Full Control for Administrators and SYSTEM groups.
Write logs to a separate server.
If resources permit, send logs to another server in real time that is not accessible by the attacker (write only), using Syslog, Tivoli, MOM (Microsoft Operations
Manager) Server, or some other mechanism. Protecting logs this way helps prevent tampering. In addition, storing logs in a central repository helps you correlate
and monitor—for example, when you use multiple ColdFusion servers and someone attempts a password-guessing attack across multiple machines where the
hacker queries each machine for a password.
Administrator Options
The following section describes most of the security-related options available in the ColdFusion Administrator. If the Administrator is unavailable, you can modify these options by
editing the XML files in the cf_root\lib\ directory. However, editing these files directly is not recommended. After modifying these options, you must restart the ColdFusion server. If
you don't, none of your changes will take effect.
Server Setting > Settings > Timeout Requests
Set timeout requests to a maximum of 30 seconds to help prevent coding errors from becoming a denial of service issue. If there is an application that must run
longer, you can specify
<cfsetting requesttimeout="<seconds>">
to override this administrative setting.
Server Setting > Settings > Enable Use UUID for cftoken
A UUID guarantees a unique identifier for the token. This reduces the risk of session ID collisions, which makes it harder for an attacker to gain access to a valid
Server Setting > Settings > Enable Global Script Protection
Select the Global Script Protection option. This is a new security feature in ColdFusion MX 7 that isn't available in other web application platforms. It helps
protect Form, URL, CGI, and Cookie scope variables from cross-site scripting attacks.
Server Setting > Settings > Specify a Sitewide Error Handler
Prevent information leaks through verbose error messages. Specifying a sitewide error handler covers you when cftry/cfcatch are not used. This page should be
a generic error message that you return to the user. Also, if the error handler displays user input, it should be reviewed for potential cross-site scripting issues.
Server Settings > Memory Variables > Use J2EE Session Variables
Enable the Use J2EE Session Variables option. ColdFusion provides two types of session management: its own proprietary means and through J2EE. J2EE
sessions provide the following security and performance related features in ColdFusion:
Session terminates when the user closes all browser windows.
J2EE session management uses a session-specific session identifier, jsessionid, which is created at the start of each session.
Share session variables between ColdFusion pages and JSP pages or Java servlets that you call from the ColdFusion pages. This could prevent you from
having to store sensitive information in a cookie.
Server Setting > Memory Variables > Maximum Timeout > Session
Set the maximum session timeout to 20 minutes to limit the window of opportunity for session hijacking.
Server Setting > Memory Variables > Default Timeout > Session
Set the default session timeout to 20 minutes to limit the window of opportunity for session hijacking. (The default value is 20 minutes.)
Server Setting > Memory Variables > Maximum Timeout > Application
Set the maximum application timeout to 24 hours.
Server Setting > Memory Variables > Default Timeout > Application
Set the default application timeout to 8 hours.
Server Settings > Mail > Mail Server
Require a user name and password to authenticate to your mail server.
Server Settings > Mail > Connection Timeout
Data & Services > Data Sources
Do not use an administrative account to connect ColdFusion to a data source. For example, do not use the sa account to connect to Microsoft SQL Server. The
account accessing the database should be granted specific privileges to the objects it needs to access. In addition, the account created to connect to the database
should be Windows-based, not a SQL account. Windows accounts have many more auditing, password, and other security controls associated with them. For
example, account lockouts and password complexity requirements are built into Windows. However, a database would need custom code to handle these
security-related tasks.
Data & Services > Data Sources
Disable the following AllowedSQL options for all data sources:
As an administrator, you do not have control over what a developer sends to the database. However, there should be no circumstance where the previous
commands need to be sent to an SQL server from a web application.
Restricting database queries to parameterized stored procedures or query strings (using the CFQUERYPARAM tag) can greatly reduce the risk of SQL injection
attacks. For more information regarding CFQUERYPARAM and SQL injection, read Securing Database Access Using the cfqueryparam Tag
by Dave Watts.
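As an added example (not from the article or from Dave Watts' piece), this Python check scans CFML source for cfquery blocks that splice #variables# directly into the SQL text instead of binding them with cfqueryparam, which is a quick way to find the queries that still need attention before deployment. The CFML sample is constructed.

```python
import re

# Constructed CFML sample. getUser interpolates URL input straight into SQL;
# getUserSafe binds it with cfqueryparam; listOrders binds one value but still
# interpolates the ORDER BY column, which cfqueryparam cannot bind anyway.
SAMPLE_CFML = """
<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>

<cfquery name="getUserSafe" datasource="app">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfquery name="listOrders" datasource="app">
    SELECT * FROM orders
    WHERE status = <cfqueryparam value="#form.status#" cfsqltype="cf_sql_varchar">
      AND note LIKE '%##%'
    ORDER BY #url.sort#
</cfquery>
"""

_QUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.I | re.S)
_NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.I)
_PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*/?>|</cfqueryparam>", re.I)
_INTERP_RE = re.compile(r"#([^#\n]+)#")


def unparameterized_interpolations(cfml):
    """Map each cfquery name to the #expressions# it splices into the SQL text.

    Expressions that appear only inside a cfqueryparam tag are sent as bound
    parameters and are not reported. '##' is CFML's escape for a literal hash
    and is ignored. Queries with no findings are omitted from the result.
    """
    findings = {}
    for attrs, body in _QUERY_RE.findall(cfml):
        match = _NAME_RE.search(attrs)
        name = match.group(1) if match else "<unnamed>"
        sql_text = _PARAM_RE.sub("", body)      # strip the bound parameters
        sql_text = sql_text.replace("##", "")   # drop escaped literal hashes
        exprs = [e.strip() for e in _INTERP_RE.findall(sql_text)]
        if exprs:
            findings[name] = exprs
    return findings


if __name__ == "__main__":
    for query, exprs in unparameterized_interpolations(SAMPLE_CFML).items():
        print("%s: review interpolated values %s" % (query, ", ".join(exprs)))
```

A finding like the ORDER BY column in listOrders cannot be fixed with cfqueryparam; validate it against an allow-list of column names instead.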
Debugging & Logging > Debugging Settings > Enable Robust Exception Information
Disable this option for production servers. (Default)
Debugging & Logging > Debugging Settings > Enable Debugging
Disable this option for production servers. (Default)
Debugging & Logging > Logging Settings > Log directory
As a defensive measure, store log files in a different location than the default location. This obfuscates the whereabouts of the log files from an attacker.
Security > Sandbox Security > Enable ColdFusion Security
The ColdFusion sandbox allows you to place access security restrictions on files, directories, methods, and data sources. Sandboxes make the most sense for a
hosting provider or corporate intranet where multiple applications share the same server. First, select this option.
Next, configure a sandbox. If you don't, all code in all directories can execute without restriction. Code in a directory and its subdirectories inherits the access
controls defined for the sandbox. For example, if ABC company creates multiple applications within a directory, all applications have the same permissions as
the parent. A sandbox applied to ABC-apps applies to app1 and app2. The following is a sample directory structure:
Note: If you create a new sandbox for app2, it does not inherit settings from ABC-apps.
Sandbox security configurations are application-specific; however, there are general guidelines to follow:
1. Create a default restricted sandbox and copy its settings to each subsequent sandbox, removing restrictions as needed by the application, except in the case
   of files/directories where access is granted rather than restricted:
   a. Restrict access to data sources that the sandboxed application should not have access to.
   b. Restrict access to powerful tags, for example CFREGISTRY and CFEXECUTE.
2. Restrict file and directory access to limit the ability of tags and functions to perform actions to specified paths.
3. Give every application a sandbox.
For more information on sandbox security, see the ColdFusion LiveDocs.
Application Deployment
After the server is properly configured and your application is developed, you must securely deploy the application to the production server. The following section describes some
recommendations for publishing content to your hardened ColdFusion server.
Disable RDS in a production environment.
In production environments, you should not use RDS. In earlier versions of ColdFusion, RDS ran as a separate service or process and could be disabled by
disabling the service. In ColdFusion MX 7, RDS is integrated into the main service. To disable it, you must disable the RDSServlet mapping in the web.xml file.
The following procedure assumes that ColdFusion is installed in the default location:
1. Back up C:\CFusionMX7\wwwroot\WEB-INF\web.xml.
2. Open web.xml for editing.
3. Comment out the RDSServlet mapping, as follows:
4. Save the file.
5. Restart ColdFusion.
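As an added check (not part of the article), the following Python script reports whether an RDSServlet mapping is still live in a web.xml and comments it out the way step 3 describes, leaving the rest of the file untouched. The sample web.xml is constructed here: the element names follow the standard web.xml schema, but the servlet class and URL pattern are illustrative, not copied from an installation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a web.xml (not a real ColdFusion MX 7 file).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet>
    <servlet-name>RDSServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local_name(tag):
    # Drop any XML namespace prefix so the check works with or without an xmlns.
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml, servlet_name="RDSServlet"):
    """Return the url-patterns that are live for servlet_name.

    Mappings wrapped in <!-- --> are discarded by the XML parser, so only the
    mappings the servlet container would actually honour are returned.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for element in root.iter():
        if _local_name(element.tag) != "servlet-mapping":
            continue
        fields = {_local_name(c.tag): (c.text or "").strip() for c in element}
        if fields.get("servlet-name") == servlet_name and fields.get("url-pattern"):
            patterns.append(fields["url-pattern"])
    return patterns


def rds_enabled(web_xml):
    return bool(active_mappings(web_xml, "RDSServlet"))


_MAPPING_RE = re.compile(r"<servlet-mapping\b.*?</servlet-mapping>", re.S | re.I)
_COMMENT_RE = re.compile(r"(<!--.*?-->)", re.S)


def disable_rds(web_xml, servlet_name="RDSServlet"):
    """Return the web.xml text with every live servlet_name mapping commented out.

    Works on the raw text so the file's formatting and DOCTYPE survive. Regions
    already inside a comment are skipped, which keeps the operation idempotent
    and never produces a nested (invalid) XML comment.
    """
    name_re = re.compile(r"<servlet-name>\s*%s\s*</servlet-name>" % re.escape(servlet_name), re.I)

    def wrap(match):
        block = match.group(0)
        if not name_re.search(block):
            return block
        if "--" in block:
            raise ValueError("mapping contains '--' and cannot be wrapped in an XML comment")
        return "<!-- RDS disabled per hardening guide\n" + block + "\n-->"

    parts = _COMMENT_RE.split(web_xml)
    # A capturing group in split() alternates text, comment, text, ... so odd
    # indexes are existing comments and are passed through unchanged.
    return "".join(p if i % 2 else _MAPPING_RE.sub(wrap, p) for i, p in enumerate(parts))


if __name__ == "__main__":
    print("RDS enabled before:", rds_enabled(SAMPLE_WEB_XML))
    hardened = disable_rds(SAMPLE_WEB_XML)
    print("RDS enabled after:", rds_enabled(hardened))
```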
Use RDS over SSL.
During development, you should use SSL v3 to encrypt all RDS communications between Dreamweaver MX and the ColdFusion server. This includes remote
access to server data sources and drives, provided that both are accessed through RDS.
Use SFTP for remote file transfer.
The SSH protocol suite comes with SFTP, an encrypted replacement of FTP. Dreamweaver MX supports SFTP. Unfortunately, Windows 2003 Server does not
include the SSH server. You can install the SSH server using one of several commercial and free software packages. OpenSSH is a free SSH server program,
for example.
Ensure that FTP is disabled.
FTP transfers unencrypted data and authentication credentials over the network. To reduce the risk of eavesdropping, you should not use FTP. FTP is disabled
by default in IIS 6.
Select Programs > Administration Tools > Internet Information Services (IIS) Manager to ensure that FTP is disabled or not installed.
Implement page encoding.
ColdFusion MX includes a utility called cfencode, which obscures the source of ColdFusion pages that comprise an application. Although this technique cannot
prevent determined hackers from reading the contents of a CFML page, it does prevent trivial inspection of the pages.
Configure NTFS permissions on web content.
Although the following permissions are application-dependent, some general rules apply:
File types: CGI (.exe, .dll, .cmd, .pl)
ACLs: Everyone (X); System and Administrators (Full Control)
File types: Scripts (.cfm, .cfml, .jsp, .asp, .aspx, .sgml, .wml, etc.)
ACLs: Everyone (X); System and Administrators (Full Control)
File types: Includes (.inc, .shtm, .shtml)
ACLs: Everyone (X); System and Administrators (Full Control)
File types: Static content (.txt, .gif, .jpg, .html, .xml)
ACLs: Everyone (R); System and Administrators (Full Control)
Using the "Run As" command
The following steps describe how to use "Run As" to start IIS Manager from the command line and from the Windows Start menu:
From the command prompt, type the following:
runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"
You can also access the Run As command by using the Windows interface. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager. Right-click
Internet Information Services Manager and select the options in the Run As dialog box (see Figure 3).
Figure 3. Accessing the Run As command in Windows
Where to Go from Here
The following information sources were the latest available at the time of writing this article:
The Security Zone in the ColdFusion Developer Center periodically publishes security bulletins and technical briefs that
provide information to customers about significant ColdFusion security issues.
The Security Notification Service is a free e-mail notification service that Macromedia uses to send
information to customers about the security of Macromedia products. Bulletins describe any known security issue, its impact, and how customers can protect themselves. The
bulletins also detail any additional actions that Macromedia plans to take and additional resources that are available.
For additional information about Microsoft Windows 2003 security, go to the Microsoft TechNet Security Center.
About the author
Erick Lee has over a decade of information technology experience. His focus at Macromedia is on product security. Prior to joining Macromedia, he worked as a security consultant
for @stake, where he focused on application and network security by assessing cryptographic systems, source code, network protocols, and infrastructure security. Before that he
was the principal owner of IT firm Kinetisys. There he designed and built web applications for legal and service industry clients. He was also a member of the R&D team for
eSecurityOnline, formerly a branch of Ernst & Young, where he researched vulnerabilities, wrote security policy (ISO-7799, HIPAA, etc.), and assembled host-hardening guidelines
for over 51 platforms and technologies.

Copyright © 2005 Adobe Systems Incorporated. All rights reserved.