Skip navigation
phein53
Currently Being Moderated

Lockdown of /CFIDE/Administrator

Feb 22, 2013 12:56 PM

Tags: #64bit #coldfusion9 #administrator

As part of the "Adobe ColdFusion 9 Server Lockdown Guide," Adobe recommends blocking /CFIDE requests (pages 9 and 10). 

 

After adding a <denyUrlSequences> block to the applicationHost.config file, located in the \windows\system32\inetsrv\config directory, the instructions say,

 

Next, you must allow access to the /CFIDE/administrator URI in the cfadmin website.  Create a file called web.config in the web root with the following content:

 

. <configuration>

     <system.webServer>

          <security>

               <requestFiltering>

                    <denyUrlSequences>

                         <remove sequence="/CFIDE/Administrator"/>

                    </denyUrlSequences>

                   </requestFiltering>

               </security>

             </system.webServer>

     </ configuration>

 

The above configuration overrides the global request filtering and removes the deny rule for the URI/CFIDE/administrator.

 

 

I want to make certain I put this in the correct directory/ies.  We're running three clustered instances and a fourth test server.  They are located in a data drive like so:

 

D:\JRun\servers\<instance name>\cfusion.ear\cfusion.war\CFIDE

 

where the <instance name> is the name of the particular instance.

 

So, my question is, do I need to put this new config file in the \<instance name> directory for each of the instances?  The \cfusion.war directory for each instance?  Or just once in the \servers directory?

 

TIA,

 

Pete

 
Replies
  • Currently Being Moderated
    Feb 25, 2013 8:19 PM   in reply to phein53

    Pete, those instructions you are quoting from are about locking down the CFIDE in IIS. Yet you later refer to the location of the CFIDE within the JRun instance directory, which is used for the built-in web server by default. That’s not what the lockdown guide is referring to. That said, if perhaps you have a CFIDE virtual directory defined in IIS that points to it, then the lockdown guide would apply—with respect to how you lockdown IIS’s use of that virtual directory (in which case, it doesn’t matter where the directory is that the VD points to.)

     

    So to answer your primary question, you want to put those XML entries in either the applicationhost.config file, or in the web.config file (in the docroot of the IIS site pointing to a CFIDE directory.) I think if you re-read the doc now, with this new perspective, if should make sense.

     

    If you are feeling lost and want to resolve things, there are people (myself included) who can provide direct remote assistance in resolving these and any other CF errors. I keep a list of such consultants at cf411.com/cfconsult. Hope that’s helpful.

     

    /charlie

     
    |
    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points