
Lockdown of /CFIDE/Administrator

Guest
Feb 22, 2013

As part of the "Adobe ColdFusion 9 Server Lockdown Guide," Adobe recommends blocking /CFIDE requests (pages 9 and 10). 

After adding a <denyUrlSequences> block to the applicationHost.config file, located in the \windows\system32\inetsrv\config directory, the instructions say,

Next, you must allow access to the /CFIDE/administrator URI in the cfadmin website.  Create a file called web.config in the web root with the following content:

    <configuration>
         <system.webServer>
              <security>
                   <requestFiltering>
                        <denyUrlSequences>
                             <remove sequence="/CFIDE/Administrator"/>
                        </denyUrlSequences>
                   </requestFiltering>
              </security>
         </system.webServer>
    </configuration>

The above configuration overrides the global request filtering and removes the deny rule for the URI /CFIDE/administrator.

I want to make certain I put this in the correct directory/ies.  We're running three clustered instances and a fourth test server.  They are located in a data drive like so:

D:\JRun\servers\<instance name>\cfusion.ear\cfusion.war\CFIDE

where the <instance name> is the name of the particular instance.

So, my question is, do I need to put this new config file in the \<instance name> directory for each of the instances?  The \cfusion.war directory for each instance?  Or just once in the \servers directory?

TIA,

Pete

Community Expert,
Feb 25, 2013

Pete, those instructions you are quoting from are about locking down the CFIDE in IIS. Yet you later refer to the location of the CFIDE within the JRun instance directory, which is used for the built-in web server by default. That’s not what the lockdown guide is referring to. That said, if perhaps you have a CFIDE virtual directory defined in IIS that points to it, then the lockdown guide would apply—with respect to how you lock down IIS’s use of that virtual directory (in which case, it doesn’t matter where the directory is that the VD points to.)

So to answer your primary question, you want to put those XML entries in either the applicationhost.config file, or in the web.config file (in the docroot of the IIS site pointing to a CFIDE directory.) I think if you re-read the doc now, with this new perspective, it should make sense.

If you are feeling lost and want to resolve things, there are people (myself included) who can provide direct remote assistance in resolving these and any other CF errors. I keep a list of such consultants at cf411.com/cfconsult. Hope that’s helpful.

/charlie


/Charlie (troubleshooter, carehart.org)
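
The inheritance described in the answer above, sketched as an added example (not code from the lockdown guide or from either poster): it merges a server-wide denyUrlSequences block with a site-level web.config and reports whether the administrator URI is still denied for each site. The server-wide entry is constructed to mirror the quoted `<remove>`, and the case-insensitive key and URL matching is a simplifying assumption about IIS, not a statement of its exact behaviour.

```python
import xml.etree.ElementTree as ET

SECTION = "system.webServer/security/requestFiltering/denyUrlSequences"
WRAP = ("<configuration><system.webServer><security><requestFiltering>"
        "<denyUrlSequences>{}</denyUrlSequences>"
        "</requestFiltering></security></system.webServer></configuration>")

# Constructed server-wide block (applicationHost.config); the sequence is
# assumed to mirror the <remove> entry quoted in the question.
APPLICATION_HOST = WRAP.format('<add sequence="/CFIDE/Administrator"/>')
# web.config from the question, placed in the docroot of the cfadmin IIS site.
CFADMIN_WEB_CONFIG = WRAP.format('<remove sequence="/CFIDE/Administrator"/>')


def effective_sequences(*config_layers):
    """Merge denyUrlSequences from the outermost config file to the innermost."""
    merged = {}  # lower-cased key -> sequence as written
    for xml_text in config_layers:
        node = ET.fromstring(xml_text).find(SECTION)
        for child in (node if node is not None else []):
            key = child.get("sequence", "").lower()
            if child.tag == "clear":
                merged.clear()
            elif child.tag == "remove":
                merged.pop(key, None)
            elif child.tag == "add":
                merged[key] = child.get("sequence")
    return list(merged.values())


def is_denied(url, sequences):
    # Assumption: a sequence matches as a case-insensitive substring of the URL.
    return any(seq.lower() in url.lower() for seq in sequences)


if __name__ == "__main__":
    url = "/CFIDE/administrator/index.cfm"
    sites = {
        "site without an override": [APPLICATION_HOST],
        "cfadmin": [APPLICATION_HOST, CFADMIN_WEB_CONFIG],
    }
    for name, layers in sites.items():
        verdict = "denied" if is_denied(url, effective_sequences(*layers)) else "allowed"
        print(f"{name}: {url} {verdict}")
```

Only the site whose docroot holds the web.config loses the deny rule; every other site keeps inheriting it from the server-wide file.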
