We are preparing to upgrade to ColdFusion 10 from ColdFusion 8. We are particularly interested in best practices for securing the installation, in particular securing the Administrator on external-facing systems.
The installation will be in a Solaris environment using Oracle iPlanet Web Server.
Can anyone provide such best practices, experiences or suggestions?
Thanks in advance.
Yes, there are many. (While you refer to CF10, I’ll assume you’re also open to general guidelines that apply to all releases of CF10.)
First is the “Adobe ColdFusion 9 server lockdown guide file”, at http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf.
There is also the “ColdFusion 8 developer security guidelines file”, at ColdFusion 8 developer security guidelines file.
Both of these are listed at the bottom (because they’re older) of the CF Security Center site:
As for CF10 security, there have been many changes, discussed among other places here: http://www.adobe.com/devnet/coldfusion/articles/security-improvements.html (which is also listed on that security center). It also has preso recordings and more.
As for CF security in general, the “go to guy” for that (who in fact wrote that Lockdown guide) is Pete Freitag, who with his company Foundeo (foundeo.com) offers still other resources (info and tools), among which the most important is the free HackMyCF.com service (which offers additional commercial features), which can scan your server, identify vulnerabilities and recommend fixes.
Finally, as for your root question of securing your Admin, that’s best done by either securing its access with your external web server (iPlanet, in your case) which can involve requiring basic, digest, or other additional authentication (beyond CF’s password), limiting IP addresses that can access it, and more. Those are features of the web server, though, not CF.
On the other hand, some resort to NOT allowing access to the CF Admin (via that external web server) and let it be accessed only via CF’s internal web server (Tomcat’s web server, in CF10). Because by default that works on a port other than 80 (8500, for instance), that would be blocked on your server unless opened in your firewall. Surprisingly, I find that this idea is not discussed in either of the first two guides above. But the CF documentation (both the Installing, and the Configuring and Administering manuals) does discuss the internal web server.
Hope that helps.
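One way to set up the web-server-level restriction described in the answer above, as an added illustration that is not from the original thread and not Adobe's or Foundeo's own configuration: an Oracle iPlanet (Sun Java System Web Server) obj.conf object that runs the "cfadmin" ACL for every request under /CFIDE/administrator/, and the ACL itself, which requires Basic authentication and a permitted source network. The ACL name, the `cfadmins` group, the realm prompt and the 10.20.30.* address range are assumptions chosen for the example; the `check-acl` PathCheck function and the version 3.0 ACL file format are as I remember them from the Sun/iPlanet Web Server configuration reference, so verify both against the documentation for your release before deploying.

```conf
# --- obj.conf (inside the virtual server's default object set) ---
# Assumption: /CFIDE is served through the iPlanet-to-ColdFusion connector.
# Every request under /CFIDE/administrator/ must pass the "cfadmin" ACL
# before the web server hands it to ColdFusion, so CF's own Administrator
# password becomes a second layer rather than the only one.
<Object ppath="*/CFIDE/administrator/*">
PathCheck fn="check-acl" acl="cfadmin"
</Object>

# --- default.acl (the ACL file referenced by the server configuration) ---
# Assumed syntax: ACL file format version 3.0 (Sun Java System /
# Oracle iPlanet Web Server 7.x). Group name, realm prompt and address
# range are placeholders for this example.
version 3.0;
acl "cfadmin";
authenticate (user,group) {
    prompt = "ColdFusion Administrator";
    database = "default";
    method = "basic";
};
# Deny everyone by default, then allow only authenticated members of the
# administrators group who are also connecting from the management network.
deny (all)
    user = "anyone";
allow (all)
    group = "cfadmins" and ip = "10.20.30.*";
```

Two practical notes: Basic authentication sends the credential in cleartext, so only serve the Administrator over HTTPS; and after reloading the configuration, request /CFIDE/administrator/ from an address outside the allowed range and confirm you get a 401 or 403 from the web server rather than the ColdFusion login page, which proves the check runs before the request ever reaches CF.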
Doh, I should have added as well that when it comes to securing CF, you also should seriously consider Foundeo's FuseGuard Web App Firewall for CF. No, it's not free, but it could easily add significant security best practices for your environment. More at http://foundeo.com/security/.
Also, they offer a 4-page PDF CF security checklist for a modest price, at http://foundeo.com/security/coldfusion-checklist/.
Charlie Arehart wrote:
“Adobe ColdFusion 9 server lockdown guide file”
securing your Admin, that’s best done by either securing its access with your external web server (iPlanet, in your case) which can involve requiring basic, digest, or other additional authentication (beyond CF’s password), limiting IP addresses that can access it, and more.
That's a lot of good advice offered above, Charlie. And I like to restrict CF Admin access at the web server level as well. Just wanted to add 2 notes regarding what I quoted. Regarding the server lockdown guide, I believe the CF team said a CF10 version is on its way. And regarding restricting CF Admin access, CF10 now enables CF Admin to be IP-restricted. Copied from the security improvements article you linked to above:
We added the Whitelist filter for Administrator access. In the ColdFusion administrator, go to Security > Allowed IP Addresses > Allowed IP Addresses for ColdFusion Administrator access. If you specify no IP, all IPs can access the administrator.
Also, here is another article on CF10 Security: http://blogs.adobe.com/asset/2012/05/coldfusion-10-provides-powerful-new-security-tools.html Interestingly, this article is not linked to from the Developer Center's Security page. Adobe, should that link be added?
Thanks. BTW, there’s a feature in the web interface of the forums where you can mark a given reply as “the answer”, to help others who may read the thread in the future, if you think that may be helpful.