Best practices with the CFIDE and Jakarta virtual directories

Also, I believe a ColdFusion 10 Lockdown Guide is in the works.  Not sure when it will be released, but it is coming.

-Carl V.

Good deal.  I was reading a Best Practices guide that was designed for CF8 (even though we use CF10).  CF9 is a better step forward (and Ill be very interested when the version 10 comes out)  I want to run a tight ship for my web servers.  I'm gonna give this a read through and impart it's wisdom where I can, thanks.

So the Jakarta virtual directory is what gives it access to the ISAPI DLL file eh?  Wonder what reasoning they used behind using a virtual directory for that....

That's pretty common with Tomcat/IIS integration.  The last time I checked, OpenBD and Railo were doing the same thing for IIS integration (although that may have changed in the newer installers that VivioTech produces).

-Carl V.

The cursory glance at this article is VERY interesting.  Looks like it'll be a great read.

Sadly, there's a couple areas where it assumes the user has knowledge of the dreaded.... RIGHTS MANAGEMENT!!!!

Man, I REALLY need to just sit down and find a resource that can get me comfortable with setting up and understanding network rights, because even if I setup CF properly, a properly secured filesystem is always of the utmost importance.  But I've just yet to wrap my head around it.  User, groups, service accounts, local and remote settings, inheritance, rights, permissions... it's critical to know, but I'm just not there yet.

At least, for the time being, I can ensure other areas I DO comprehend, are all shored up.

Hollar at me if you need help with the user rights stuff.  I've been doing Active Directory stuff for longer than I care to remember.

-Carl V.

Oh Carl, you've opened the gates to the Underworld with that offer..... mwa ha ha ha!!!

Well, heck man if you have the time, I'd love to pick your brain.  As you know with my previous posts I've sometimes had the issue where I presumed something and found out that was wrong, so I think if I state what I THINK I know, you can make sure that's all in check for me.

Just a head's up, we're using ColdFusion 10 Standard on IIS 7.5 on Windows 2008 R2 Datacenter Virtualized as far as the environment goes.

The first thing I'll post is the special accounts which services can "Logon As"

Network Service - A builtin member of the local machine, with less local rights than Local Service, but the ability to access network resources that LocalSystem cannot.

Local Service - A builtin member of the local machine, with less local rights than Network Service.

LocalSystem - A builtin member of the local machine's Administrators Group.  Has high-level access.

(Local User/Group) - A local user-made account

(Domain User/Group) - A domain user-made account

Now, we're following some best practices which state to use separate accounts to run CF and IIS-related services.  We created 2 accounts, lets just call them WebAdmin and WebUser (the first for more powerful functionality where needed, and the latter for less)  Both are domain accounts and members of the Domain Admins group (unless they shouldn't be).  So the first question I have is of the following IIS/CF services, which account should they be setup to:

COLDFUSION SERVICES

ColdFusion 10 .NET Service

ColdFusion 10 Application Server

ColdFusion 10 Jetty Service

ColdFusion 10 ODBC Agent

ColdFusion 10 ODBC Server

IIS SERVICES

Application Host Helper Service

FTP Publishing Service

IIS Admin Service

World Wide Web Publishing Service

Windows Process Activation Service

Web Management Service

I guess it's more important that I understand the limitations and abilities of the accounts and the scope of what the services DO in order to know what account would be the most capable, yet lowest priviledge, to assign to it.

@Aegis,

Hopefully this clarifies the Domain Account/Local Account question: If ColdFusion needs access (or may every need access) to any files that exist on a separate server from your web server, then you need an Active Directory (AD) account for it to run as so that it can be granted access to those files on whatever server they reside on.  If ColdFusion will never need to access files that exist on a different server on your network, then you don't need an AD account for it to run as (a regular Windows account created on the local server will do).

The CF9 Lockdown guide shows how to create accounts and assign permissions to folders (see pages 2-5).  The only change I might suggest is that instead of creating the "cfusion" account (the account you will set the ColdFusion service to run as) as a local account on the server, create it in Active Directory as a domain account.  That way if you ever need ColdFusion to access files on other servers, you will be able to assign permissions to those files/folders to that AD account.

HTH,

-Carl V.

@Aegis,

As far as the ColdFusion Services and IIS Services, I can provide limited insight:

COLDFUSION SERVICES

ColdFusion 10 .Net Service - have never used this, so I'm not sure what account is appropriate here

ColdFusion 10 Application Server - run this as your "cfusion" local or AD account

ColdFusion 10 Jetty Service - run this as your "cfusion" local or AD account

ColdFusion 10 ODBC Agent/Server - not sure you need to alter these from whatever the default is.  I don't use ODBC anymore, so hopefully someone else can offer an opinion

IIS SERVICES

I'm running all these under the default accounts without issue.

As to what the Network Service/Local Service/Local System accounts do, I would suggest some Google search time on this.  I haven't spent much time myself worrying about them, to be honest.

HTH,

-Carl V.

@Carl

OK, I have setup all CF services to use the Domain Account (DOMAIN\WebAdmin).  All of the CF services successfully restarted and if I understand you correctly, this means that ColdFusion will, by default, use those credentials when accessing LOCAL and REMOTE resources.

For the IIS-related services, I have left those to their defaults (most are using Local System, which upon doing more research, seems to be a high-priviledge account but is limited to accessing local resources on the server.  This seems adaquate)

My next area of confusion has to do with how application pools can be used in tandem with the website, and determing which account/right is actually being used.

For example let's say our web server has 2 sites, each using their own application pool.

SiteA (appPoolA) - Uses anonymous authentication)

SiteB (appPoolB) - Uses windows integrated authentication)

So, I THINK an AppPool allows you to specify an Identity that it emulates.  By default, I BELIEVE that IIS creates a Virtual Account which belongs to a group call IIS AppPool.  So, in this IIS AppPool Group has 2 Virtual Members:

IIS AppPool\appPoolA

IIS AppPool\appPoolB

If you go into the application pool's advanced settings, I notice that under PROCESS MODEL > IDENTITY it is defaulted to APPLICATIONPOOLIDENTITY, meaning it will use the respective virtual account associated with it (IIS AppPool\appPoolA for siteA, etc.)  This can be changed to specify 1 of the 3 builtin accounts (LocalService, LocalSystem, NetworkService) OR a custom account (like our Domain accounts, DOMAIN\WebAdmin and DOMAIN\WebUser).

So my current area of confusion at this point is that I know there is another account known as IUSR (not sure if that's a user/group) but it is used in tandom with sites that use anonymous authentication.  So between the IUSR and application pool identities and Coldfusion's service identity, I"m just confused as to how to determine what is using what account when doing what.

I would assume ColdFusion, no matter WHAT site it is tied to, uses the credentials of the service is is logging on with, to determine what areas of the filesystem locally and remotely it can get to.  But when users connect in an anonymous or windows-integrated authentication system, how do I determine what user they are seen by IIS as?

ColdFusion and IIS "see" things differently.  ColdFusion doesn't care about IIS settings or permissions granted to the application pool identity.  It will use the ColdFusion service identity only.  So whatever files/folders you have granted the ColdFusion service account access to, that's all it can see/interact with (think how this applies to CFINCLUDE, CFINVOKE, CFFILE, etc.).

IIS, on the other hand, is more complex.  If you enable Anonymous authentication on a web site, any requested files will only be accessible if permissions to those files/folders have been granted to the appropriate application pool identity.  If you are using Windows authentication, any requested files will only be accessible if permissions have been granted to the Windows user that is browsing that site.

On my web server, I put all of my web applications inside of a E:\WebSites folder.  I have granted the following permissions on that folder:

• ColdFusion Service Account: Modify, Read & execute, List, Read, Write.  I might be able to restrict that to just read if ColdFusion isn't creating/modifying files in my apps (I'll have to check that further).
• IIS Service Account (this is the Application Pool root user): Read & execute, List, Read.
• Users (this Local group account usually includes the AD Domain Users group account): Read & execute, List, Read.

If your web application, or portions of it, should only be accessible to a select group of users, then don't use Anonymous authentication, and don't give the local Users group access to the restricted areas.  Create an AD Group that contains that select group of users, and grant that AD Group the Read & execute, List, and Read permissions to those restricted areas.

-Carl V.

OK, let's see if I get it.

ColdFusion's logon service (DOMAIN\WebAdmin) must be placed on the filesystem in locations where ColdFusion performs functions.  So, if I have a folder where I've removed execution rights for DOMAIN\WebAdmin, chances are ColdFusion could not execute CFML pages located there, right?

For IIS, it looks at the site's authentication.  For Anonymous, it uses the site's application pool identity (which can be set to just be the appPoolIdentity, LocalService, LocalSystem, NetworkService or a custom account of the user's choosing).  But in the event they are accessing ColdFusion functionality (vs just calling some .html file), then CF's service rights will be checked on that location as well, right?

For Windows Integrated Authentication, the user's credentials are captured (ie, DOMAIN\username) and these specific rights are checked against the resources requested to see if they have the proper rights, correct?

Assuming I have this right, we're having an issue.  The best practices wants me to create a local group (which I did, called COMPUTERNAME\Web Services) and to add the DOMAIN\WebAdmin, Local System and Local Service accounts to it.  Well, I added the DOMAIN\WebAdmin, but when I did a search for all local security principal accounts, it listed:

NT AUTHORITY\Network

NT AUTHORITY\Network Service

NT AUTHORITY\Service

NT AUTHORITY\Local Service

NT AUTHORITY\System

Notice that there's no 'NT AUTHORITY\Local System'.  My thought is that the 'Network Service' and 'Local Service' are legit, but where is 'Local System'?  There's only 'System'  So if the OS is using 'System' instead of 'Local System', then maybe 'Network' (for Network Service) and Service (for Local Service) are the actual accounts I need to add.  I have done extensive Google searching, and cannot find a site that tells me the difference between Network vs. Network Service and Service vs. Local Service.

As for your explanation of how you setup your website, that makes a lot of sense now.  Putting the CF service on that folder root with those rights ensures that all sites with home directories under it will have CF rights on their folders inherited from that level.  You pretty much did similar with the IIS service account.  The local Users account, in my case, being on a domain, I would add DOMAIN\Domain Users group to it so for Windows Authenticated Sites, I could use that 'Users' group to define what areas of access they have.

I think my initial problem was that for 1 request, I was assuming that only 1 service ultimately was checked, and as we see here, CF and IIS can both have permission checks done per request.

I did, however, find some neat info here to help differentiate between the IUSR and Application Pool for anonymous access:

http://blogs.technet.com/b/tristank/archive/2011/12/22/iusr-vs-application-pool-identity-why-use-eit...

The best practices wants me to create a local group (which I did, called COMPUTERNAME\Web Services) and to add the DOMAIN\WebAdmin, Local System and Local Service accounts to it.  Well, I added the DOMAIN\WebAdmin, but when I did a search for all local security principal accounts, it listed: NT AUTHORITY\Network NT AUTHORITY\Network Service NT AUTHORITY\Service NT AUTHORITY\Local Service NT AUTHORITY\System Notice that there's no 'NT AUTHORITY\Local System'.  My thought is that the 'Network Service' and 'Local Service' are legit, but where is 'Local System'?  There's only 'System'  So if the OS is using 'System' instead of 'Local System', then maybe 'Network' (for Network Service) and Service (for Local Service) are the actual accounts I need to add.  I have done extensive Google searching, and cannot find a site that tells me the difference between Network vs. Network Service and Service vs. Local Service.

I think the CF9 Lockdown guide only suggests putting the ColdFusion and IIS Service account in the Web Services group.  I don't htink Local System and Local Service are necessary.

As for your explanation of how you setup your website, that makes a lot of sense now.  Putting the CF service on that folder root with those rights ensures that all sites with home directories under it will have CF rights on their folders inherited from that level.  You pretty much did similar with the IIS service account.  The local Users account, in my case, being on a domain, I would add DOMAIN\Domain Users group to it so for Windows Authenticated Sites, I could use that 'Users' group to define what areas of access they have. I think my initial problem was that for 1 request, I was assuming that only 1 service ultimately was checked, and as we see here, CF and IIS can both have permission checks done per request.

I think you're on the right track here.  Let me clarify something I stated earlier about CF and IIS accessing files.  When a user attempts to go to index.cfm (or any other .cfm page), the request first goes to IIS.  If the IIS credentials (whether it's the app pool for anonymous or the Users group for WIndows authentication) don't allow access to the file, you'll get an error (I think one of the 401 errors).  If IIS can access the file, it will pass the request to ColdFusion for processing.  At that point, the ColdFusion service needs to have permissions to access the file.

If you really want to lock down your apps, only grant the IIS service account access to files/folders from the webroot on.  This is especially true if you use a framework or methodology that puts your model/service/controller files outside the webroot.  IIS should only be able to access files that should be directly accessible via the web browser (or via AJAX requests from within your application).  On the other hand, ColdFusion needs to have access to any file that will be processed by ColdFusion (whether accessed via mappings, or via CFINCLUDE/CFINVOKE/CFFILE or other tags/functions).

Also, if you intend to serve files on a remote server via IIS Virtual Directories, the same IIS credential rules apply.  If you intent to access/process files on a remote server inside ColdFusion code, you'll need to make sure to grant access to the ColdFusion service account.

-Carl V.

Whoa, Carl.  That makes COMPLETE sense.  I've had a Eureka moment!

Let me explain why I was putting LocalSystem and LocalService into that Web Services Group.  (Still trying to figure out if Network = Network Service and Service = Local Service)

Right now, all my CF-related services (5 of them) are using DOMAIN\WebAdmin.

Of the 7 or so services that are IIS related, most are using LOCALSYSTEM but 1 is using LOCALSERVICE.

If I understand the Lockdown guide, it's saying I should make an "IIS Service" account (local) and then use IT to be the LOGONAS for all the IIS service.  If this is TRUE, though, would it not be right to think that this IIS Service account would need the cumulative abilities that LocalSystem and LocalService have (cause those were the default accounts on these services)

@Aegis,

If I understand the Lockdown guide, it's saying I should make an "IIS Service" account (local) and then use IT to be the LOGONAS for all the IIS service.  If this is TRUE, though, would it not be right to think that this IIS Service account would need the cumulative abilities that LocalSystem and LocalService have (cause those were the default accounts on these services)

I don't think the lockdown guide says anywhere to change the LOGONAS for any of the IIS services.  You only assign the application pools to the IIS Service account.  Leave the actual IIS services (as viewed in the Services administration applet) alone.

-Carl V.

OK.

For ColdFusion services, I created an account on the local machine called 'CFService', so it's SERVERNAME\CFService

For IIS services, I created an account on the local machine called 'IISService', so it's SERVERNAME\IISService

Now, understandably, in the event my CFService needs to do something across the domain, being a local user account, he has the equivalant rights of 'Local Service', which isn't much.  We have a domain account called 'DOMAIN\Domain Admins'.  If I put 'SERVERNAME\CFService' (a local user account) in as a member of DOMAIN\Domain Admins (a domain group account), would that give SERVERNAME\CFService all the rights that DOMAIN\Domain Admins has?

I can see CF needing cross-server functionality, but I don't think IISService does.  In the event I create a cross-server virtual directory, I simply would just add the SERVERNAME\IISService account onto the location that the virtual directory is pointing to, right?

Oh, and I also created the SERVERNAME\WebServices local group and added both the SERVERNAME\CFService and SERVERNAME\IISService local user accounts to it.

@Aegis,

Local accounts are unique to a specific server, and are not recognized by other servers.  That's why it's recommended to create the ColdFusion service account as Active Directory (AD) account - then it would be "universally" recognized across all servers in your domain.

You cannot add a local account or account group to an AD group, but you can add AD accounts/groups to local groups.

-Carl V.

If I may jump into this as I'm a bit confused at how ColdFusion 10 is now integrating with IIS 8. I've been fighting this for quite a few hours under the assumption that CF10 work similarly to CF9 but it appears that this is not the case?

To get CF 10 to work, I've removed all handler mappings and added the Jakarta virtual directory and boom, it's working.

Am I configured in a way that might compromise the server. Are handler mappings no longer being used and we're accessing everything through the Jakarta virtual directory?

@Citadelnetworks,

I have not yet had any experience with IIS8, so I can't directly answer that.  CF10 does integrate with IIS differently from CF9, since the switch from JRun to Tomcat required completely different connectors.  Have you downloaded the latest ColdFusion 10 installers?  They were updated a month or so ago to support Windows 8/Server 2012 (IIS8) and should set everything up properly.  The Jakarta virtual directory is important, but there are some handler mappings that should be set as well.  At least that is my experience with IIS7.5; I assume IIS8 integration works similarly.

HTH,

-Carl V.

+1 to Carl.

The behavior of Handler mappings remains the same in IIS 7/7.5 and 8. We are also running CF10 with IIS8 without any issues. While migrating from CF9 to CF10, you must remove the connector first for CF9 and then only we recommend to create the connector with CF10. As soon as you remove the connector, the handlers are removed (which may require an IIS restart, in some cases). Recreating the connectors will add the new handler mappings.

Regards,

Anit Kumar

Well that's where I'm a bit concerned with they way I'm currently set up...there are no handler mappings for ColdFusion 10 on the site that I'm testing. I only have handler mappings on my CF Administrator site which has been set up based on the CF9 lockdown recommendations...and those mappings are "local" and not inherited. Anybody have an idea how this particular setup might be working? Again, I only have the Jakarta virtual directory set up. If I remove that, then ColdFusion doesn't work.

@Citadelnetworks,

I would suggest starting over with IIS integration.  There is an updated lockdown guide specifically for CF10: http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf.  The process includes the steps required to lock down IIS7.5 (and 8 should be similar enough), and the process is somewhat different than it was from CF9.  Also, if you remove the Jakarta virtual directory manually, then run the Web Server Configuration Tool (WSCONFIG), it should wire up all of the required handlers and virtual directories.  Again, have you downloaded the updated installers that specifically added support for IIS8 (Windows 8 and 2012)?

-Carl V.

Hey Carl...thanks for the reference. Greatly appreciated.

Something else to note as well. When I added the handler mappings, when accessing CFM pages, it rendered 404 not found and static content (i.e. html, css, js) just empty pages.

Really weird. I'll go back to the CF 10 lockdown guid and try to start anew.

Again Carl...thanks for the info.