-
1. Re: How big a security risk if we use a domain login for the cf application service
Carl Von Stetten Oct 30, 2014 10:21 AM (in response to Jay999999999999999)
I don't think the Lockdown Guides prohibit using domain accounts. They just recommend not using an administrator-level domain account (and rightly so). Create a domain user account and grant it access and permissions to the minimum network resources required for your applications to function, and no more. So, for example, if ColdFusion needs to be able to access certain folders on certain network shares, only grant the domain account access to those specific folders; if ColdFusion only needs read permissions on those folders, only grant read permissions to the domain account. The same principles apply to databases - if you are using SQL Server, add the domain account to SQL Server's logins, add that login as a user to the required databases, and only grant the user the minimum required permissions for each of those databases.
-Carl V.
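The SQL Server steps described in the reply above, as an added T-SQL example that is not part of the original post. The account `CORP\svc-coldfusion`, the database `AppDb`, the schema `app` and the role `cf_app` are hypothetical names, and the schema is assumed to exist already.

```sql
-- Added example; CORP\svc-coldfusion, AppDb, app and cf_app are hypothetical names.
USE master;
GO
-- 1. Add the domain account to SQL Server's logins (Windows authentication).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CORP\svc-coldfusion')
    CREATE LOGIN [CORP\svc-coldfusion] FROM WINDOWS
        WITH DEFAULT_DATABASE = [AppDb];
GO
USE AppDb;
GO
-- 2. Add that login as a user, only in the databases the application needs.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CORP\svc-coldfusion')
    CREATE USER [CORP\svc-coldfusion] FOR LOGIN [CORP\svc-coldfusion];
GO
-- 3. Grant the minimum through a role scoped to one schema, rather than
--    db_owner, db_datareader or db_datawriter on the whole database.
IF DATABASE_PRINCIPAL_ID(N'cf_app') IS NULL
    CREATE ROLE cf_app;
GO
GRANT SELECT, INSERT, UPDATE ON SCHEMA::app TO cf_app;
GRANT EXECUTE ON SCHEMA::app TO cf_app;
ALTER ROLE cf_app ADD MEMBER [CORP\svc-coldfusion];
GO
-- 4. Review what the account actually holds.
-- Server-level roles held directly by the login (sysadmin would show here).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CORP\svc-coldfusion';

-- Database roles the user belongs to in AppDb.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CORP\svc-coldfusion';

-- Explicit permissions granted to the user or to its role.
SELECT pr.name AS grantee, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'cf_app', N'CORP\svc-coldfusion');
```

Repeat steps 2 to 4 in each database the application uses; the review queries in step 4 are also a quick way to audit an existing service account before switching ColdFusion over to it.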
-
2. Re: How big a security risk if we use a domain login for the cf application service
Jay999999999999999 Oct 30, 2014 10:44 AM (in response to Carl Von Stetten)
Carl:
Does changing from local to domain account for the CF application login cause a lot of broken CF security issues? Seems like there is potential for the CF application to NOT have all the permissions changed correctly and I would end up with a broken site.
Would CFX_EXEC (Adiabata, Inc. - CFX_EXEC) be a better fix than working through all the permissions across the site?
Thanks again
Jay
-
3. Re: How big a security risk if we use a domain login for the cf application service
Carl Von Stetten Oct 30, 2014 1:14 PM (in response to Jay999999999999999)
No, not if you follow the Lockdown Guide directions. It has a listing of which folders in the ColdFusion installation directory need to be granted permissions to the domain account.
-Carl V.



