This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+. Since IIS hands off processing to .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions. I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders. So programatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not. Some use the <cflogin> features of ColdFusion; others roll their own.
I could be completely off about this, though. Do you use Application.cfc in your apps, or Application.cfm? That may have a bearing as well.
I should be more specific. I know CF has always been this way. In IIS6 you could force IIS to make sure the file exists and then pass control to CF. In IIS7.5, that checkbox is gone. I want IIS to check perms before passing to CF. Has anyone managed to get this to work, and if so, what was the solution? I am an admin, not a developer.
CF10 Update 14 was just released. I tried responding to the support email addresses used earlier this year for this issue, including the one you told me to use then, and all of them bounce back. I was forwarding our conversation history so they can tell me if it will break what we fixed. Please tell me how to forward the conversation/fix history to a good email address with my questions.
Hello?? Anyone there? I have honored Support's request to not discuss the solution in public, so I would appreciate a response from Support so I can ask my questions about CF10 Update14 potentially breaking this again before I install the update. I do NOT see where it is listed in the fix list for this update. Maybe I missed it. If it isn't fixed, I will be extremely disappointed. I tried all of the email addresses used earlier this year to contact Support and all failed.
The email address is still the same cfinstal<AT>adobe<DOT>com. NTFS permission is not fixed in CF10 Update 14. Here is the list of bug fixes in this release Bugs fixed in ColdFusion 10 Update 14.
Tried emailing yet again, we shall see if it bounces back like it did last week.
I am extremely disappointed that this issue was not fixed in this update. It is a HUGE security issue! We can't be the only people who noticed it. It needs to be taken SERIOUSLY!