Yes, there are many. (While you refer to CF10, I’ll assume you’re also open to general guidelines that apply to all releases of CF10.)

First is the “Adobe ColdFusion 9 server lockdown guide file”, at http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products /coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf.

There is also the “ColdFusion 8 developer security guidelines file”, at ColdFusion 8 developer security guidelines file.

Both of these are listed at the bottom of (because they’re older) of the CF Security center site:

http://www.adobe.com/devnet/coldfusion/security.html

As for CF10 security, there have been many changes, discussed among other places here: http://www.adobe.com/devnet/coldfusion/articles/security-improvements. html (which is also listed on that security center). It also has preso recordings and more.

As for CF security in general, the “go to guy” for that (who in fact wrote that Lockdown guide) is Pete Freitag, who with his company Foundeo (foundeo.com) offer still other resources (info and tools), among which the most important is the free HackMyCF.com service (which offers additional commercial features), which can scan your server and identify vulnerabilities and recommends fixes.

Finally, as for your root question of securing your Admin, that’s best done by either securing its access with your external web server (iPlanet, in your case) which can involve requiring basic, digest, or other additional authentication (beyond CF’s password), limiting IP addresses that can access it, and more. Those are features of the web server, though, not CF.

On the other hand, some resort to NOT allowing access to the CF Admin (via that external web server) and let it be accessed only via CF’s internal web server (Tomcat’s web server, in CF10). Because by default that works on a port other than 80 (8500, for instance), that would be blocked on your server unless opened in your firewall. Surprisingly, I find that this idea is not discussed in either of the first two guides above. But the CF documentation (both the Installing, and the Configuring and Administering manuals) does discuss the internal web server.

Hope that helps.

/charlie

Charlie Arehart wrote:

 

“Adobe ColdFusion 9 server lockdown guide file”

 

[...]

 

securing your Admin, that’s best done by either securing its access with your external web server (iPlanet, in your case) which can involve requiring basic, digest, or other additional authentication (beyond CF’s password), limiting IP addresses that can access it, and more.

That's a lot of good advice offered above, Charlie.  And I like to restrict CF Admin access at the web server level as well.  Just wanted to add 2 notes regarding what I quoted.  Regarding the server lockdown guide, I believe the CF team said a CF10 version is on its way.  And regarding restricting CF Admin access, CF10 now enables CF Admin to be IP-restricted.  Copied from the security improvements article you linked to above:

----

IP-based access for the Administrator Console

We added the Whitelist filter for Administrator access. In the ColdFusion administrator, go to Security > Allowed IP Addresses > Allowed IP Addresses for ColdFusion Administrator access. If you specify no IP, all IPs can access the administrator.

----

Also, here is another article on CF10 Security: http://blogs.adobe.com/asset/2012/05/coldfusion-10-provides-powerful-n ew-security-tools.html  Interestingly, this article is not linked to from the Developer Center's Security page.  Adobe, should that link be added?

Thanks,

-Aaron