I recently installed CF10 standalone on IIS 7.5. I notice a new /jakarta/ virtual folder on the root of all my web sites. Most are public sites. This seems like an obvious security issue since anyone could just point to the operating files (.dll's) in that directory. So my questions are:
1) What is this folder for, and what is it doing there anyway? I've been using CF since v3 and I can't seem to find a quick and easy answer except that it has something to do with Tomcat.
2) What happens if I simply remove it?
3) If I can't remove it, how do I hide it to prevent anyone in the public realm from going there?
It is used by the CF10/Tomcat IIS connector. I have found that if you block access to the virtual directory, it will prevent CF from executing as well. You will find that the connector will block direct access to the log files and whatnot in the directory automatically for you. Try hitting each file in there to make sure you can't access anything you don't want public.
Well, at the very least, I can access /jakarta/readme.txt, but interestingly, when I try to access /jakarta/isapi_redirect.log I get an error that it is rejected by URLScan. Anyway, as the webmaster for several high-level federal sites, I can tell you that my security officer frowns on ANY kind of random directories like this being on our public sites and possibly providing info on site/server brand, etc.
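As an added example (not from anyone in this thread), one way to stop IIS from serving the non-executable files under /jakarta/ while leaving the connector DLL reachable is a `<location>` block in the site's web.config that uses IIS 7.x request filtering. It assumes the virtual directory is named jakarta, that only isapi_redirect.dll needs to be requestable, and that .txt and .log are the extensions you want hidden; the list of denied extensions is an assumption to adjust after checking the directory contents.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- Scoped to the jakarta virtual directory only, so the rest of the site is unaffected
       and the connector's own .dll handler mapping keeps working. -->
  <location path="jakarta">
    <system.webServer>
      <security>
        <requestFiltering>
          <!-- allowUnlisted="true" keeps .dll requests flowing to the connector;
               the explicit entries below deny direct requests for the listed files.
               Extensions are assumed; verify against what is actually in the folder. -->
          <fileExtensions allowUnlisted="true">
            <add fileExtension=".txt" allowed="false" />
            <add fileExtension=".log" allowed="false" />
            <add fileExtension=".properties" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
      <!-- Make sure the folder cannot be listed even if directory browsing is on elsewhere. -->
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>
```

After applying it, re-request each file in the directory and confirm the denied ones now return HTTP 404 while .cfm pages still render, since a block that also catches the .dll will stop ColdFusion from executing as the answer above describes.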