Adobe Community: Message List - How big a security risk if we use a domain login for the cf application service

Re: How big a security risk if we use a domain login for the cf application service

forums_noreply@adobe.com — Thu, 30 Oct 2014 20:14:42 GMT

No, not if you follow the Lockdown Guide directions. It has a listing of which folders in the ColdFusion installation directory need to be granted permissions to the domain account.

-Carl V.

Re: How big a security risk if we use a domain login for the cf application service

forums_noreply@adobe.com — Thu, 30 Oct 2014 17:44:36 GMT

Carl:

Does changing from local to domain account for the CF application login cause a lot of broken CF security issues? Seems like there is potential for the CF application to NOT have all the permissions changed correctly and I would end up with a broken site.

Would CFX_EXEC (Adiabata, Inc. - CFX_EXEC) be a better fix then working through all the permissions across the site?

Thanks again

Jay

Re: How big a security risk if we use a domain login for the cf application service

forums_noreply@adobe.com — Thu, 30 Oct 2014 17:21:47 GMT

I don't think the Lockdown Guides prohibit using domain accounts. They just recommend not using an administrator-level domain account (and rightly so). Create a domain user account and grant it access and permissions to the minimum network resources required for your applications to function, and no more. So, for example, if ColdFusion needs to be able to access certain folders on certain network shares, only grant the domain account access to those specific folders; if ColdFusion only needs read permissions on those folders, only grant read permissions to the domain account. The same principles apply to databases - if you are using SQL Server, add the domain account to SQL Server's logins, add that login as a user to the required databases, and only grant the user the minimum required permissions for each of those databases.

-Carl V.

How big a security risk if we use a domain login for the cf application service

forums_noreply@adobe.com — Thu, 30 Oct 2014 17:15:45 GMT

The local account used as the login account for CF application service doesn't allow access via UNC to other servers in in the same subnet (behind a firewall with private ip addresses in use) for security reasons.

It would be easier if we used a domain account -- but all the installation instructions and hardening pdf - recommend a local account which I am using.

I can't seem to find details on how using a domain account is creating a security issue. Is this a major or minor security issue is another question...

TIA

Jay Bietz