Adobe ColdFusion 2018 Lockdown Guide
Written by Pete Freitag, Foundeo Inc.

© 2018 Adobe Systems Incorporated and its Licensors. All Rights Reserved.

Adobe ColdFusion (2018 release) Lockdown Guide
Table of Contents

1 Introduction
1.1 Default File Paths and Usernames
1.2 Operating Systems and Web Servers
1.3 ColdFusion Version
1.4 Scope of Document
1.5 Applying to Existing Installations
1.6 Naming Conventions
2 ColdFusion On Windows
2.1 Installation Prerequisites
2.2 Install & Configure IIS
2.3 Run the Windows ColdFusion Installer
2.4 Install ColdFusion Hotfixes
2.5 Setup Websites in IIS
2.6 Run the ColdFusion 2018 Server Auto Lockdown Tool
2.7 Update JVM
3 ColdFusion Administrator Settings
3.1 Server Settings > Settings
3.2 Server Settings > Request Tuning
3.3 Server Settings > Caching
3.4 Server Settings > Client Variables
3.5 Server Settings > Memory Variables
3.6 Server Settings > Mappings
3.7 Server Settings > Mail
3.8 Server Settings > WebSocket
3.9 Server Settings > Charting
3.10 Data & Services > Data Sources
3.11 Data & Services > ColdFusion Collections
3.12 Data & Services > Solr
3.13 Data & Services > Flex Integration
3.14 Data & Services > PDF Service
3.15 Debugging & Logging > Debug Output Settings
3.16 Debugging & Logging > Developer Profile
3.17 Debugging & Logging > Debugger Settings
3.18 Debugging & Logging > Logging Settings
3.19 Debugging & Logging > Remote Inspection Settings
3.20 Event Gateways > Settings
3.21 Event Gateways > Gateway Instance
3.22 Security > Administrator
3.23 Security > RDS
3.24 Security > Sandbox Security
3.25 Security > User Manager
3.26 Security > Allowed IP Addresses
3.27 Security > Secure Profile
3.28 Server Update > Updates: Settings
4 Additional Lockdown Measures
4.1 To Configure the Builtin Web Server to bind to 127.0.0.1 only
4.2 To Run the Builtin Web Server over TLS
4.3 To Disable the Builtin Web Server
4.4 Deny ColdFusion Write Permission to Builtin Web Server wwwroot
4.5 Restrict ColdFusion File System Permissions
4.6 Lockdown the ColdFusion Add-on Services
4.7 Lockdown File Extensions
4.8 Additional URIs to Consider Blocking
4.9 Optionally Remove ASP.NET
4.10 Remove ASP.NET ISAPI Filters and Handler Mappings
4.11 Disable Unused Servlet Mappings
4.12 Additional Tomcat Security Considerations
4.13 Additional File Security Considerations
4.14 Adding ClickJacking Protection
4.15 Restricting HTTP Verbs
4.16 Security Constraints in web.xml
4.17 Limit Request Size
4.18 Distributed Mode or Reverse Proxy
4.19 HTTP Response Headers to improve Security
5 ColdFusion Lockdown on Linux
5.1 Linux Installation Prerequisites
5.2 Create a Dedicated User Account for ColdFusion
5.3 ColdFusion Installation
5.4 Access ColdFusion Administrator via a SSH Tunnel
5.5 Install ColdFusion Hotfixes
5.6 Install and Configure Apache Web Server
5.7 Run the Linux ColdFusion Auto Lockdown Tool
5.8 Update JVM
5.9 Setup Auditing
5.10 Change umask
5.11 Additional Lockdown Steps
6 Performance Monitoring Toolset Security Considerations
6.1 Installing the PMT
6.2 ColdFusion Server Auto Discovery
6.3 PMT Datastore
6.4 Run PMT and PMT Datastore as Dedicated User
6.5 Update PMT JVM
7 API Manager Security Considerations
7.1 Install API Manager
7.2 Connect API Manager to IIS
7.3 Run API Manager as a Dedicated User
8 Patch Management Procedures
9 Sources of Information
10 Reference Tables
10.1 Tags that use /cf_scripts/assets
11 Troubleshooting
11.1 ColdFusion cannot write files under the webroot
11.2 Requesting a cfm results in a 404 after Lockdown tool
11.3 IIS does not have permission to read web.config file
11.4 WebSockets are not working after running lockdown tool
11.5 Help Installing ColdFusion Hotfixes
12 Revision History

ColdFusion 2018 Lockdown Guide (2020-03-31) — Table of Contents Page 2 of 49
1 Introduction

The ColdFusion 2018 Lockdown Guide is written to help server administrators secure their ColdFusion 2018 installations. In this document you will find several tips and suggestions intended to improve the security of your ColdFusion server.

IMPORTANT: The reader is strongly encouraged to test all recommendations on an isolated test environment before deploying into production.

1.1 Default File Paths and Usernames

This guide will provide example file system paths for installation; you should not use the same example installation paths provided in this guide.

1.2 Operating Systems and Web Servers

This guide focuses on Windows 2016 / IIS 9, and Red Hat Enterprise Linux (RHEL) 7 / Apache 2.4. Many of the suggestions presented in this document can be extrapolated to apply to similar Operating Systems and Web Servers.

1.3 ColdFusion Version

This guide was written for ColdFusion 2018 Enterprise Edition.

1.4 Scope of Document

This document does not detail security settings for the Operating System, the Web Server, Databases, or Network Firewalls. It is focused on security settings for the ColdFusion server only.

All suggestions in this document should be tested and validated on a non-production environment before deploying to production.

1.5 Applying to Existing Installations

This guide is written from the perspective of a fresh installation. When possible consider performing a fresh installation of the operating system, web server and the ColdFusion server. If an attacker has compromised the existing server in any way you should start with a fresh operating system installation on new hardware.

1.6 Naming Conventions

In this guide we will refer to the ColdFusion installation root directory as {cf.root}; it corresponds to the directory that you select when installing ColdFusion. The ColdFusion instance root is referred to as {cf.instance.root} in this guide. Enterprise installations may have multiple instances, but the default instance is {cf.root}/cfusion/
2 ColdFusion On Windows

This section covers the installation and configuration of ColdFusion 2018 on a Windows 2016 server. If you are running Linux please start at section 5 ColdFusion Lockdown on Linux.

In this section we will perform the following:
- Installation Prerequisites
- Install & Configure IIS
- Install ColdFusion
- Run the ColdFusion Auto Lockdown Tool
- Update the JVM

2.1 Installation Prerequisites

Before you begin the installation process please review the following:
- Configure a network firewall (and/or configure Windows firewall) to block all incoming public traffic during installation.
- Read the Microsoft Windows Security Compliance Manager guidelines and documentation: http://www.microsoft.com/en-us/download/details.aspx?id=16776
- Create separate partitions and/or drives for the ColdFusion installation, website assets, and log files. This may reduce what can be compromised by a path traversal attack. It could also mitigate a denial of service attack that attempts to fill the main system drive.
- Remove or disable any software on the server that is not required.
- Run Windows Update and ensure all software running on the server is fully patched.
- Ensure that all partitions use NTFS to allow for fine grained access control and auditing.
- Download ColdFusion from adobe.com
- Verify that the MD5 or SHA checksum listed on the adobe.com download page matches the file you downloaded. In PowerShell you can run Get-FileHash installer-file-name.exe -Algorithm md5 to obtain the checksum.
2.2 Install & Configure IIS

IMPORTANT: Before configuring IIS ensure that public traffic is blocked by your network or OS firewall. You should only enable public traffic after completing all the steps in the lockdown guide.

2.2.1 Install IIS Roles and Features

Open the Windows Server Manager application, and under the Manage menu select Add Roles and Features. If IIS is not already installed check Web Server (IIS).

A minimal set of IIS Role Services may include the following:
- Common HTTP Features: Default Document
- Common HTTP Features: HTTP Errors
- Common HTTP Features: Static Content
- Health and Diagnostics: HTTP Logging
- Security: Request Filtering
- Security: IP and Domain Restrictions
- Application Development: .NET Extensibility 4.6 (or latest version)
- Application Development: ASP.NET 4.6 (or latest version)
- Application Development: CGI
- Application Development: ISAPI Extensions
- Application Development: ISAPI Filters
- Management Tools: IIS Management Console

If the server application uses WebSockets also install:
- Application Development: WebSocket Protocol

If you wish to add web server level authentication to any sites you should also install one of the Authentication modules such as:
- Security: Windows Authentication

Select any additional IIS role services or features that your web applications require. You can always go back and add additional role services later if necessary.
2.2.2 Add Web Sites to IIS

At a minimum create a webroot directory for each website on the server file system. To increase isolation between websites you may consider placing each site on a unique drive letter.

Next copy the website source code into each webroot directory.

In IIS add your website.

Test your IIS configuration by requesting a static file such as a txt or js file.
2.3 Run the Windows ColdFusion Installer

2.3.1 ColdFusion Installer: Installer Configuration

On the Installer Configuration view select Server configuration unless you are deploying to an external JEE server (such as JBoss, Weblogic or Websphere).

2.3.2 ColdFusion Installer: Server Profile

Next select Production Profile + Secure Profile and enter a comma separated list of IP addresses that are allowed to access the ColdFusion Administrator.
Tip: if you want to allow localhost access to the ColdFusion Administrator, enter both the IPv4 127.0.0.1 and IPv6 ::1 versions of localhost. Some browsers may use IPv6 by default for localhost.

The Secure Profile option provides a more secure foundation of default settings. You can review the settings it toggles here: https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html

Some of the settings that the Secure Profile toggles could cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues.

As of ColdFusion 11+ the Secure Profile settings can also be toggled from the ColdFusion Administrator.

2.3.3 ColdFusion Installer: Sub-components Installation

Only select Sub-components that your server applications require.
- ODBC Service - Required when connecting to Access Databases, not required for SQL Server.
- Solr Service - Full text search engine used by the cfindex, cfsearch and cfcollection tags.
- PDFG Service - Webkit based PDF rendering engine used by the cfhtmltopdf tag. You can still use cfdocument and cfpdf without installing this service.
- Admin Component for Remote Start/Stop - Allows ColdFusion Builder or the Server Manager AIR app to start or stop ColdFusion. Not recommended for production servers.
- .NET Integration Services - Allows createObject and cfobject to create instances of .NET objects and assemblies.
2.3.4 ColdFusion Installer: Enabling or Disabling Servlets

Check any servlets that are required by your application. Most ColdFusion applications do not require any of these servlets to be enabled.

- RDS - Used for development, allows remote access to the file system and databases. This should not be enabled on a production server.
- JSDebug - Used for debugging, should not be enabled on a production server.
- CFReporting - Only required if the cfreport tag is used.
- CFSWF - Used by flash forms <cfform format="flash"> to generate Flash swf files dynamically.
- FlashForms - Used by flash forms <cfform format="flash">
2.3.5 ColdFusion Installer: Access Add-on Services Remotely

If you selected the PDFG (cfhtmltopdf tag) or Solr (cfsearch, cfindex, cfcollection tags) sub-components, the ColdFusion 2018 Add-on Services windows service will be installed.

When the Access Add-on Services Remotely checkbox is unchecked, the Add-on Services are only accessible from the local machine, localhost. If you want to allow access to the services from multiple ColdFusion servers (other than localhost), check the checkbox and specify the IP addresses of the remote ColdFusion servers.
2.3.6 ColdFusion Installer: Select Installation Directory

Specify a file system path for the ColdFusion installation root {cf.root} - consider avoiding the default C:\ColdFusion2018\ path.

[Figure: Windows ColdFusion Installer: Select Installation Directory]

2.3.7 ColdFusion Installer: Built-in Web Server Port Number

Select a non default port number. Ensure that the port number is blocked by your network/OS firewall.

[Figure: Windows ColdFusion Installer: Built-in Web Server Port Number]

2.3.8 ColdFusion Installer: Performance Monitoring Toolset

Enter the hostname or internal IP address of the server for use with the performance monitoring toolset. This value can be changed later.

[Figure: Windows ColdFusion Installer: Performance Monitoring Toolset]

2.3.9 ColdFusion Installer: Administrator Credentials

Enter a username other than admin and select a strong password.

[Figure: Windows ColdFusion Installer: Administrator Credentials]
2.4 Install ColdFusion Hotfixes

Log in to the ColdFusion Administrator via the built-in web server. For example: http://127.0.0.1:8500/CFIDE/administrator/ (replace 8500 with the port you selected during installation).

Click on Server Updates > Updates; if any hotfixes are available select the latest hotfix, and click Download.

Tip: Hotfixes are typically cumulative, so if there are multiple hotfixes, you typically only need to install the latest one. Security hotfixes may have additional steps such as updating the JVM or updating connectors - be sure to read each Security Bulletin for details.

Run the hotfix installer from an elevated (Run as Administrator) Command Prompt or PowerShell terminal (replace hotfix_XXX.jar with the actual hotfix file name):

x:\cf2018\jre\bin\java -jar x:\cf2018\cfusion\hf-updates\hotfix_XXX.jar

Tip: You can verify the integrity of the downloaded hotfix by running Get-FileHash hotfix_XXX.jar -Algorithm md5 (in PowerShell); check that the checksum matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates

Visit https://www.adobe.com/support/security/ and read any pertinent ColdFusion Security Bulletins. Confirm that all required security patches have been applied.

Some hotfixes or updates may require you to run the ColdFusion Web Server Configuration Tool to upgrade the connector. Carefully review the hotfix release notes to determine if there are any additional steps that should be performed.

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide

2.4.1 Downloading Hotfixes Via Proxy

If your server requires a proxy server to connect to the internet you may need to add the following JVM Arguments (in ColdFusion Administrator under Server Settings > Java and JVM) and then restart ColdFusion to use your proxy server:

-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=12345 -Dhttp.proxyUser=u -Dhttp.proxyPassword=p

2.4.2 Servers Without a Public Internet Connection

If your server does not have a public internet connection you can locate the hotfix_XXX.jar file URL using the ColdFusion Update Feed: https://www.adobe.com/go/coldfusion-updates. Download the hotfix_XXX.jar file on a computer with internet access, verify the checksum, and then transfer it to the server.
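The checksum check from section 2.1 and the hotfix command above, combined into one added PowerShell example that is not from the guide or from Adobe: it refuses to run a hotfix jar whose hash does not match the value published in the update feed. {cf.root}, the jar path and the expected hash are placeholders you substitute.

```powershell
# Added example, not from the Adobe guide: verify a ColdFusion download against the
# checksum Adobe publishes before running it, and refuse to run a hotfix whose hash
# does not match. Paths and the expected hash are placeholders; substitute your own.

function Test-DownloadChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,   # from the adobe.com download page or update feed
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string] $Algorithm = 'MD5'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    # Compare case-insensitively: published checksums are usually lowercase while
    # Get-FileHash returns uppercase. ($matches is not used as a name; PowerShell reserves it.)
    $isMatch = ($actual.Trim() -ieq $ExpectedHash.Trim())
    [pscustomobject]@{ Path = $Path; Algorithm = $Algorithm; Actual = $actual; IsMatch = $isMatch }
}

function Install-CFHotfix {
    param(
        [Parameter(Mandatory)] [string] $CfRoot,        # {cf.root}, e.g. X:\cf2018
        [Parameter(Mandatory)] [string] $HotfixJar,     # full path to the hotfix_XXX.jar you downloaded
        [Parameter(Mandatory)] [string] $ExpectedHash,  # value listed in the ColdFusion update feed
        [string] $Algorithm = 'MD5'
    )
    $check = Test-DownloadChecksum -Path $HotfixJar -ExpectedHash $ExpectedHash -Algorithm $Algorithm
    if (-not $check.IsMatch) {
        # A mismatch means a corrupt or tampered download: stop here rather than install it.
        throw "Checksum mismatch for $HotfixJar (expected $ExpectedHash, got $($check.Actual))"
    }
    $java = Join-Path $CfRoot 'jre\bin\java.exe'
    if (-not (Test-Path -LiteralPath $java -PathType Leaf)) { throw "Java not found at $java" }
    # Same command the guide gives; run it from an elevated (Run as Administrator) PowerShell session.
    & $java -jar $HotfixJar
    if ($LASTEXITCODE -ne 0) { throw "Hotfix installer exited with code $LASTEXITCODE" }
}

# Usage with placeholder values:
# Install-CFHotfix -CfRoot 'X:\cf2018' `
#     -HotfixJar 'X:\cf2018\cfusion\hf-updates\hotfix_XXX.jar' `
#     -ExpectedHash '<md5 listed at https://www.adobe.com/go/coldfusion-updates>'
```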
2.5 Setup Websites in IIS

First ensure that the firewall is configured to block live traffic.

Next create the file system for each website that will use ColdFusion and copy all the web files into the file system.

Create and configure each website that will use ColdFusion in IIS.

2.6 Run the ColdFusion 2018 Server Auto Lockdown Tool

The Auto Lockdown Tool performs the following steps for you:
- Connects ColdFusion to the Web Server (wsconfig)
- Sets the ColdFusion Service identity to run as a dedicated account; optionally creates the account for you.
- Sets file system permissions for your webroot and ColdFusion installation directory
- Adds Request Filtering Rules to block various URIs
- Adds a Connector Shared Secret
- Optionally changes the Tomcat Shutdown Port
- Configures a new cf_scripts alias
- Changes Registry Permissions

Before you run the tool, make sure you have done the following:
- Installed ColdFusion 2018 with Secure Profile enabled
- Logged in to the ColdFusion Administrator at least once
- Created your websites in IIS, and copied website files

Download and run the latest copy of the ColdFusion 2018 Server Auto Lockdown Tool: https://www.adobe.com/support/coldfusion/downloads.html
2.6.1 Lockdown Installer: ColdFusion Installation Directory

Choose the directory that ColdFusion was installed to.

[Figure: Lockdown Installer: Select Installation Directory]

2.6.2 Lockdown Installer: ColdFusion Updates

Choose Yes/Automatic to ensure that ColdFusion has been updated to the latest hotfix. Adobe recommends that you install ColdFusion updates before running the Lockdown tool.

[Figure: Lockdown Installer: ColdFusion Updates]

2.6.3 Lockdown Installer: ColdFusion Configuration

Select the instance that you want to lock down.

[Figure: Lockdown Installer: ColdFusion Configuration]

2.6.4 Lockdown Installer: Web Server Configuration

Select the type of web server you are using, IIS in this case.

[Figure: Lockdown Installer: Web Server Configuration]

2.6.5 Lockdown Installer: Websites in IIS

Select the websites that you wish to connect ColdFusion to and to lock down.

Tip: you can hold shift or ctrl when clicking to select sites.

[Figure: Lockdown Installer: Websites in IIS]

2.6.6 Lockdown Installer: IIS Application Pool Detail

Verify that the application pool names are correct for each website.

[Figure: Lockdown Installer: IIS Application Pool Detail]

2.6.7 Lockdown Installer: IIS Websites Webroot Detail

Verify that the webroot paths are correct for each website.

[Figure: Lockdown Installer: IIS Websites Webroot Detail]

2.6.8 Lockdown Installer: ColdFusion Administrator Configuration

Enter the ColdFusion Administrator username and password specified during the ColdFusion installation. Also ensure that the builtin web server port is correctly specified (default port is 8500).

[Figure: Lockdown Installer: ColdFusion Administrator Configuration]

2.6.9 Lockdown Installer: OS Administrator Account Details

Enter the Administrator username, password and server name or domain.

[Figure: Lockdown Installer: IIS Websites Webroot Detail]

2.6.10 Lockdown Installer: ColdFusion Runtime User

Create a unique username for the user account that ColdFusion will run as. Specify the domain, and a strong password.

[Figure: Lockdown Installer: ColdFusion Runtime User]

2.6.11 Lockdown Installer: Shutdown Port

Choose Yes and enter a random port number that is not in use.

[Figure: Lockdown Installer: ColdFusion Runtime User]

2.6.12 Confirm that the Auto Lockdown Tool Ran Successfully

Open the {cf.root}/lockdown/{cf.instance}/Logs/ folder and review the log files to confirm that the installer completed without fatal errors. Specifically, look in the log file(s) that begin with ServerLockdown_ and look for a line containing: Successfully locked down ColdFusion!

2.6.13 Check User Account Permissions

When the lockdown installer creates a Windows user account for ColdFusion to run as, it does not check the box Deny this user permissions to log on to Remote Desktop Session Host server in the User Account Properties.

To fix this open the Computer Management app, and under Local Users and Groups find the user account and click Properties. Select the Remote Desktop Services Profile tab and then check the box.

2.6.14 Additional Resources for the Auto Lockdown Tool:

https://helpx.adobe.com/coldfusion/using/server-lockdown.html
https://coldfusion.adobe.com/2018/07/server-auto-lockdown/
2.7 Update JVM

Oracle releases Java security updates on a quarterly basis; most of these updates include fixes for security vulnerabilities that could be exploited in a server environment.

Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However ColdFusion “Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion”. Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/

2.7.1 Download and Install Java

First download the latest version of Java that ColdFusion 2018 supports (Java 11 at the time of this publication) from https://www.adobe.com/support/coldfusion/downloads.html. Select the java zip distribution and download.

Tip: Verify the checksum by running Get-FileHash, as described in section 2.1.

Extract the java zip file you downloaded to a permanent location, for example C:\Java\jdk-11.0.2\

2.7.2 Update ColdFusion Server JVM

Tip: Make a backup of the {cf.instance.root}/bin/jvm.config file and the {cf.root}/cfusion/jetty/jetty.lax file before making changes. If you type the path incorrectly ColdFusion will fail to start.

Log in to the ColdFusion Administrator, then click on Server Settings, then Java and JVM. Update the Java Virtual Machine Path setting to point to the new JVM, for example: C:\Java\jdk-11.0.2\

Restart ColdFusion. Visit the System Information page of the ColdFusion Administrator to confirm that the JVM has been updated.

If you need to revert your changes and go back to the default JVM, replace jvm.config with your backup and restart/start ColdFusion.

Repeat for each ColdFusion instance.

Test your sites again.

2.7.3 Update JVM for ColdFusion Add-on Services

If you installed the ColdFusion 2018 Add-on Services for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf), they run in a separate process and will use the {cf.root}/jre by default.

Locate the file {cf.root}/cfusion/jetty/jetty.lax and make a backup of it. Next right click on jetty.lax and open it with Notepad or any plain text editor. Look for a line that defines the property lax.nl.current.vm, for example:

lax.nl.current.vm=C:\\ColdFusion2018\\jre\\bin\\javaw.exe

Change it to point to javaw.exe on your new JVM. Ensure that you use two backslashes \\ to separate folders. For example:

lax.nl.current.vm=C:\\java\\jdk-11.0.XX\\jre\\bin\\javaw.exe

Restart the ColdFusion 2018 Add-on Services service.

Test your sites again.

For additional information on updating the JVM please see:
http://blogs.coldfusion.com/post.cfm/how-to-change-upgrade-jdk-version-of-coldfusion-server
http://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start
https://www.youtube.com/watch?v=zzC31EAlZ8Y
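The backup step of 2.7.2 and the jetty.lax edit of 2.7.3, as an added PowerShell example that is not part of the guide or of Adobe's tooling. It assumes {cf.root} and a JDK folder as placeholders, and accepts both the jre\bin layout shown in the guide's example and the bin layout of a JDK 11 zip.

```powershell
# Added example, not from the Adobe guide: back up jvm.config and jetty.lax, then
# rewrite lax.nl.current.vm in jetty.lax to the javaw.exe of a new JVM, with the
# doubled backslashes the file requires. {cf.root} and the JDK path are placeholders.

function Backup-CFJvmFiles {
    param(
        [Parameter(Mandatory)] [string] $CfRoot,      # {cf.root}, e.g. X:\cf2018
        [string] $Instance = 'cfusion'                # {cf.instance.root} is {cf.root}\<instance>
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $files = @(
        (Join-Path $CfRoot "$Instance\bin\jvm.config"),
        (Join-Path $CfRoot 'cfusion\jetty\jetty.lax')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            # Timestamped copy next to the original, so a bad edit is reverted by copying it back.
            Copy-Item -LiteralPath $f -Destination "$f.$stamp.bak"
        }
    }
}

function Set-CFAddonServicesJvm {
    param(
        [Parameter(Mandatory)] [string] $CfRoot,      # e.g. X:\cf2018
        [Parameter(Mandatory)] [string] $JdkHome      # e.g. C:\Java\jdk-11.0.2
    )
    $laxPath = Join-Path $CfRoot 'cfusion\jetty\jetty.lax'
    if (-not (Test-Path -LiteralPath $laxPath -PathType Leaf)) { throw "jetty.lax not found at $laxPath" }

    # The guide's example uses <jdk>\jre\bin\javaw.exe; a JDK 11 zip has no jre folder,
    # so accept either layout but insist that the file exists before touching jetty.lax.
    $javaw = Join-Path $JdkHome 'jre\bin\javaw.exe'
    if (-not (Test-Path -LiteralPath $javaw -PathType Leaf)) { $javaw = Join-Path $JdkHome 'bin\javaw.exe' }
    if (-not (Test-Path -LiteralPath $javaw -PathType Leaf)) { throw "javaw.exe not found under $JdkHome" }

    Backup-CFJvmFiles -CfRoot $CfRoot

    # jetty.lax is read as a Java properties file, so every backslash must be doubled.
    # -replace is regex based: the pattern '\\' is one backslash, the replacement '\\' is two.
    $laxValue = $javaw -replace '\\', '\\'

    $updated = $false
    $newLines = foreach ($line in Get-Content -LiteralPath $laxPath) {
        if ($line -match '^\s*lax\.nl\.current\.vm\s*=') {
            $updated = $true
            "lax.nl.current.vm=$laxValue"
        } else {
            $line
        }
    }
    if (-not $updated) { throw "lax.nl.current.vm not found in $laxPath; file left unchanged" }

    # ASCII output: a UTF-8 byte order mark at the start of a properties file would corrupt the first key.
    Set-Content -LiteralPath $laxPath -Value $newLines -Encoding ascii
    return $laxValue
}

# Usage with placeholder values (then restart the "ColdFusion 2018 Add-on Services" service):
# Set-CFAddonServicesJvm -CfRoot 'X:\cf2018' -JdkHome 'C:\Java\jdk-11.0.2'
```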
3 ColdFusion Administrator Settings

In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of all settings before making any changes.
3.1 Server Settings > Settings

Setting | Suggestion | Additional Info
Timeout Requests After | Checked / 5 Sec. | Set this value as low as possible. Any templates (such as scheduled tasks) that might take longer should use the cfsetting tag. For example: <cfsetting requesttimeout="60">
Use UUID for CFToken | Checked | When unchecked the cftoken values are sequential and make it fairly easy to hijack sessions by guessing a valid CFID/CFTOKEN pair. This setting is not necessarily required if J2EE sessions are enabled, however it doesn't hurt to turn it on anyway.
Disable CFC Type check | Unchecked | Developers may rely on the argument types; enabling this setting might allow attackers to cause new exceptions in the application. This setting may be enabled if the developer(s) have built the application to account for this. Performance may degrade when this setting is Unchecked.
Disable access to internal ColdFusion Java components | Checked | The internal ColdFusion Java components may allow administrative duties to be performed. Some developers may write code that relies on these components. This practice should be avoided as these components are not documented.
Prefix serialized JSON with | Checked: // | This setting helps prevent JSON hijacking, a vulnerability which was exploitable in very old browsers (IE9 and below). ColdFusion AJAX tags and functions automatically remove the prefix. If developers have written CFC functions with returnformat="json" or use the SerializeJSON function, the prefix will be applied, and should be removed in the client code before processing. Developers can override this setting at the application level.
Maximum Output Buffer size | 1024 KB or lower | A lower output buffer size may reduce the memory footprint in some applications. Keep in mind that once the output buffer is flushed, tags that modify the response headers will throw an exception.
Enable In-Memory File System | Unchecked if not used | If your applications do not require the in-memory file system uncheck this checkbox.
Memory Limit for In-Memory Virtual File System | Tuned based on JVM heap size and feature usage | Ensure that you have allocated sufficient JVM heap space to accommodate the memory limit.
Memory Limit per Application for In-Memory Virtual File System | Tuned based on JVM heap size and feature usage | Ensure that you have sufficient JVM heap space to accommodate the memory limit.
Watch configuration files for changes (check every N seconds) | Unchecked | If your configuration requires this setting to be enabled (if using a WebSphere ND vertical cluster for example), increase the time to be as large as possible. If an attacker is able to modify the configuration of your ColdFusion server, their changes can become active within a short period of time when this setting is enabled.
Enable Global Script Protection | Understand Limits, checked | This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that enabling this setting does not protect your site from all possible Cross Site Scripting attacks.
Disable creation of unnamed applications | Checked | Applications should have a name so they can be isolated from each other.
Allow adding application variables to Servlet Context | Unchecked | Keep unchecked to improve application isolation.
Default ScriptSrc Directory | /not-default/ | Because the scripts directory also contains CFML source code, you should create a virtual directory/alias at a non-default location. Default values are /cf_scripts/scripts or /cf2018_scripts
Allowed file extensions for CFInclude tag | cfm | This setting restricts the file extensions which get compiled (executed) by a cfinclude tag. Any file extensions not matching this list are statically included; any CFML source code would not be executed. Take care to ensure that you have specified the file extensions of any files that contain CFML code and are included with cfinclude. This setting was added in CF2018 Update 3. It can be defined at an application level as well via this.blockedExtForFileUpload.
Blocked file extensions for CFFile uploads | * or list | This setting restricts what file extensions are allowed to be uploaded by ColdFusion. If you do not allow file uploads you should set this to * to block all extensions. If you do allow uploads, ensure that all executable file extensions (such as cfm) are specified as a comma separated list. This setting can be defined at an application level as well.
Missing Template Handler | Custom Template | The missing template handler HTML output should be equivalent to the 404 error handler specified on your web server.
Site-wide Error Handler | Custom Template | When blank, the site-wide error handler may expose information about the cause of exceptions. Specify a custom site-wide error handler that discloses the same generic message to the user for all exceptions. Be sure to log and monitor the actual exceptions thrown.
Maximum number of POST request parameters | As low as your application allows | Set this to the maximum number of form fields you have on any given page. Allowing too many form fields may allow for a DOS attack known as HashDOS. See https://www.petefreitag.com/item/808.cfm
Maximum size of post data | As low as possible | If your application does not deal with large HTTP POST operations (such as file uploads, or large web service requests), reduce this size to 1MB. If the application does allow uploads of files set this to the maximum size you want to allow. You should also be able to specify a HTTP request size limit on your web server.
Request Throttle Threshold | 1MB | ColdFusion will throttle any request larger than this value. If your application requires a large number of concurrent file uploads to take place, you may need to increase this setting.
Request Throttle Memory | Tuned | On a 32 bit installation the default value would be close to 20% of the heap. 64 bit servers allow for much larger heap sizes. Aim for 10% of the maximum heap size as an upper limit for this setting.
Allow REST Discovery | Unchecked if not used. | This setting enables the endpoint /rest/_api_listing or /api/_api_listing to allow the ColdFusion API manager to get a listing of REST APIs. ColdFusion Administrator authentication is required.
3.2 Server Settings > Request Tuning

The Request Tuning settings can mitigate the impact of Denial of Service (DOS) attacks against your server.

Setting | Suggestion | Additional Info
Maximum number of simultaneous Template requests | Tuned based on hardware | When this setting is too high or too low the ability to perform a denial of service attack increases. When too low, requests will be queued when the server is placed under load. When too high, requests may not be queued under load, causing the CPU time of all requests to increase significantly (known as context switching). Find a good medium by performing load tests against your production environment; use the value that has the ability to serve the most requests per second.
Maximum number of simultaneous Flash Remoting requests | 1 if not using Flash Remoting, otherwise tuned. | If your applications do not use flash remoting set this value to 1 and disable flash remoting. If you do use flash remoting use a load testing approach to find the optimal value for this setting. Note that the Server Monitor feature in Enterprise makes use of flash remoting.
Maximum number of simultaneous Web Service requests | 1 if not publishing SOAP web services, otherwise tuned | If your applications do not publish SOAP web services set this value to 1. Otherwise tune this setting using load tests.
Maximum number of simultaneous CFC function requests | 1 if not using Remote CFC function requests, otherwise tuned | This setting applies only to CFC functions that have access=remote specified, when they are invoked via a HTTP request, for example: /example.cfc?method=MethodName. The ColdFusion AJAX proxy uses this method to invoke CFCs. If your applications do not make use of this feature set to 1. Otherwise use load testing to find the optimal value for this setting.
Maximum number of simultaneous Report threads | 1 | Keep at 1 unless using cfreport heavily.
Maximum number of threads available for CFTHREAD | 1 if not using cfthread, tuned otherwise |
Timeout requests waiting in queue after | 5 seconds (Match Request Timeout) | This setting can generally be set equivalent to the Timeout Requests After value specified in the Settings section. A lower setting here may decrease the effectiveness of DOS attacks.
Request Queue Timeout Page | Custom Template | Specify a HTML file giving the user a message to wait and retry their request again. The message should not disclose the fact that the queue timed out.
3.3ServerSettings>Caching
Setting Suggestion AdditionalInfo
TrustedCache Checked EnablingtrustedcacheimprovesperformancebycachingCFMLcodeforthedurationoftheserverprocess(unlessmanuallycleared).Thismayalsomitigateasituationwhereanattackerattemptstochangeafileontheserver,thenewcodewouldnotexecuteuntiltheserverisrestartedorthecacheiscleared.
3.4 Server Settings > Client Variables

Setting | Suggestion | Additional info
Default Storage Mechanism for Client Sessions | None / Cookie | If applications have client management enabled a large amount of data can accumulate on the server. This can lead to a storage failure if disks become full. Because the registry is typically located on the system partition it is not recommended to use the Registry.
3.5 Server Settings > Memory Variables

Setting | Suggestion | Additional info
Use J2EE session variables | Checked if JEE interoperability required | When checked ColdFusion will use the session management of the underlying JEE container (e.g. Tomcat). Instead of using CFID and CFTOKEN the JSESSIONID cookie is used. When J2EE sessions are enabled certain features such as application specific session cookie settings (this.sessionCookie in Application.cfc) do not apply. The functions SessionRotate and SessionInvalidate do not operate on J2EE sessions.
Enable Session Variables | Unchecked only if not using sessions | Most applications require session variables; however, if none of the applications on the server require session variables then you may uncheck this box.
Session Storage | In Memory or Redis | When using Redis to store sessions take extreme care to ensure that the data store is protected by network firewalls and a strong password.
Maximum Timeout: Session Variables | Less than 2 days | The default of two days is generally too long for sessions to persist. Lower session timeouts reduce the window of risk of session hijacking.
Default Timeout: Session Variables | 20 minutes or less | Twenty minutes is a good default value, but maximum security applications may require a lower timeout value.
Cookie Timeout | -1 | By setting to -1 ColdFusion will set the session cookie as a browser session cookie, which is valid as long as the user's browser window is open.
HTTPOnly | Checked | Session cookies should always be marked as HTTPOnly to prevent JavaScript or other client side technologies from accessing their values (on supported clients).
Secure | Checked if all sites use HTTPS | A client will only transmit a secure cookie over a secured connection (HTTPS).
Disable updating ColdFusion internal cookies using ColdFusion tags/functions | Checked if all sites use HTTPS | You can use this feature to prevent a developer from overriding your global session cookie security settings. Check this only if all applications will use the same settings.
3.6 Server Settings > Mappings

Remove any mappings your applications do not require, such as /gateway.
3.7 Server Settings > Mail

Consider using SSL or TLS to connect to the mail server to encrypt the email in transit.

Consider enabling "Log all mail messages sent by ColdFusion".
3.8 Server Settings > WebSocket

Disable the WebSocket Service if it is not used by any applications on the server.
3.9 Server Settings > Charting

Consider changing the Disk cache location to a non-default path. The ColdFusion user will require read and write permission to the path specified if cfchart is used.
3.10 Data & Services > Data Sources

Remove the example data sources: cfartgallery, cfbookclub, cfcodeexplorer, cfdocexamples.

Ensure that the database user that ColdFusion connects as also has limited permissions, restricted to only what is necessary. You should not use sa or root accounts.

Setting | Suggestion | Additional info
Login Timeout (sec) | 5 seconds | Decrease this value to be less than the Timeout Requests After setting.
Query Timeout (seconds) | Not 0 | Specify an upper limit to mitigate DOS attacks.
Allowed SQL | Enable only operations required by the application, e.g. SELECT, INSERT, UPDATE, DELETE | The CREATE, DROP, ALTER, GRANT, and REVOKE operations are not commonly required in web applications.
3.11 Data & Services > ColdFusion Collections

Remove the example collection bookclub if it exists.

3.12 Data & Services > Solr

Consider using an HTTPS connection to the Solr server, especially if it is located on a remote server.

3.13 Data & Services > Flex Integration

Uncheck Enable Flash Remoting and Enable Remote Adobe LiveCycle Data Management access if they are not used by your application.

If using LiveCycle Data Services ES consider checking the Enable RMI over SSL for Data Management checkbox and specify a keystore and password.

3.14 Data & Services > PDF Service

If the PDF Service is used to generate PDFs containing sensitive data, or if the PDF service is running on a remote server, ensure that HTTPS is enabled.
3.15 Debugging & Logging > Debug Output Settings

Setting | Suggestion | Additional info
Enable Robust Exception Information | Unchecked | When robust exception information is enabled sensitive information may be disclosed when exceptions occur.
Enable AJAX Debug Log Window | Unchecked | Debugging should not be enabled on a production server.
Enable Request Debugging Output | Unchecked | Debugging should not be enabled on a production server.
3.16 Debugging & Logging > Developer Profile

The Developer Profile should not be enabled on production servers.
3.17 Debugging & Logging > Debugger Settings

Setting | Suggestion | Additional info
Allow Line Debugging | Unchecked | Debugging should not be enabled on a production server.
3.18 Debugging & Logging > Logging Settings

Setting | Suggestion | Additional info
Log directory | Non-default | Ensure that the location of this directory has sufficient storage space to hold Maximum File Size multiplied by the Maximum number of archives multiplied by the number of log files (6 or more). Consider a separate drive/partition for storing logs.
Maximum number of archives | 10 or more | When a log file reaches the Maximum File Size (5000 KB by default), it is archived. When the maximum number of archives is reached for a particular log file, the oldest log file is deleted. Some security compliance regulations require that log files are kept for a minimum period of time. Ensure that this value is high enough to retain log files for the required duration.
Use operating system logging facilities | Checked | Certain log entries will be duplicated to syslog on Unix based operating systems.
Enable logging for scheduled tasks | Checked | Log scheduled task execution.
3.19 Debugging & Logging > Remote Inspection Settings

Setting | Suggestion | Additional info
Allow Remote Inspection | Unchecked | Debugging features should not be enabled on a production server.
3.20 Event Gateways > Settings

Uncheck Enable ColdFusion Event Gateway Services if your applications do not require the use of event gateways.

3.21 Event Gateways > Gateway Instance

Delete the SMSMenuApp and any other gateways that are not in use.
3.22 Security > Administrator

Setting | Suggestion | Additional info
ColdFusion Administration Authentication | Separate user name and password authentication | Using separate user names and passwords allows you to specify which parts of the ColdFusion Administrator each user may use.
Password Seed | Generate a cryptographically secure random value | The password seed is used to generate an encryption key to encrypt and decrypt passwords for data sources and other services.
Allow concurrent login sessions for Administrator Console | Unchecked | Uncheck to prevent concurrent logins by the same user account in the ColdFusion Administrator.
3.23 Security > RDS

RDS should not be enabled on production servers.

If RDS was previously enabled ensure that {cf.instance.root}/wwwroot/WEB-INF/web.xml does not contain a servlet-mapping for the RDSServlet.
3.24 Security > Sandbox Security

Sandboxes allow you to lock down which CFML source files have access to the file system, tag/function execution, data source access, and network access. It is highly recommended that you set up a sandbox or multiple sandboxes for your applications.

Configure sandboxes for each site, or for high risk portions of each site. Using the principle of least privilege, deny access to any tags, functions, data sources, file paths, and IP/ports that do not need to be accessed by code in the particular sandbox.

Your application should be thoroughly tested before enabling sandbox security to ensure that your sandbox has been configured correctly.
3.25 Security > User Manager

Add user accounts for each person that will log in to the ColdFusion Administrator.
3.26 Security > Allowed IP Addresses

Setting | Suggestion | Additional info
Allowed IP Addresses for Exposed Services | Empty | Any IP address in this list may execute remote services that expose server functionality via web services. To invoke these web services the client must be on the allowed IP list, and have a user name and password. It is recommended that you do not use this feature in environments requiring maximum security. This feature has been deprecated as of ColdFusion 11+.
Allowed IP Addresses for ColdFusion Internal Components | List of internal/administrative IP addresses | Specify to limit which IP addresses may connect to the ColdFusion Administrator and Admin API.
3.27 Security > Secure Profile

Compare the values you have specified with the secure profile recommended values. Review each setting that will be changed and test your application to ensure that the secure profile settings will not cause any issues.
3.28 Server Update > Updates: Settings

Setting | Suggestion | Additional info
Automatically Check for Updates | Checked | Check for ColdFusion updates every time you log in to the ColdFusion Administrator. A notification icon will show up in the upper right toolbar if an update is available.
Check for Updates every N days | Checked | Set up email alerts to be notified when a server update is available.
Site URL | https://www.adobe.com/go/coldfusion-updates | Ensure that the URL is correct and uses HTTPS.
4 Additional Lockdown Measures

The steps outlined in this section can provide additional security but may require special care or attention to configure and maintain.
4.1 To Configure the Built-in Web Server to bind to 127.0.0.1 only

By default the connector will listen on all IP addresses. To configure the built-in web server to only listen on a single address (for example 127.0.0.1), locate the <Connector /> in {cf.instance.root}/runtime/conf/server.xml with a port attribute matching the port your built-in web server is running on, and add an address attribute. For example:

    <Connector address="127.0.0.1" ...>

Restart ColdFusion and confirm that the built-in web server now only listens on the specified address. See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html for more information.
4.2 To Run the Built-in Web Server over TLS

The built-in web server can be configured to run over TLS/HTTPS. This is highly recommended, especially if the built-in server is configured to listen on addresses other than localhost.

First, a certificate must be generated. You may obtain a certificate from a trusted certificate authority (recommended) or generate a self-signed certificate.

To generate a self-signed certificate, run the following command:

    {cf.root}/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore {cf.root}/tomcat.keystore

Specify a unique password for the keystore when prompted.

Next make a backup of, then edit {cf.instance.root}/runtime/conf/server.xml and locate the <Connector> tag that has a port value matching your built-in web server. Comment out the default built-in web server Connector tag and replace it with something like this:

    <Connector port="8443" protocol="HTTP/1.1"
        SSLEnabled="true" scheme="https"
        secure="true"
        keystoreFile="{cf.root}\tomcat.keystore"
        keystorePass="{your.password}"
        keyAlias="tomcat"
        clientAuth="false"
        sslProtocol="TLSv1.2" />

Be sure to replace {cf.root} with the path to your ColdFusion installation root (e.g. C:\ColdFusion2018) and {your.password} with the value you specified when you generated your certificate. Consider changing the port 8443 to a non-default value.

Restart the ColdFusion instance, and visit https://127.0.0.1:8443/CFIDE/administrator/ (change the port to match the value you used). If you used a self-signed certificate you will receive a certificate warning.

Consider specifying the ciphers attribute and useServerCipherSuitesOrder="true" to ensure a strong TLS cipher is favored. Because the recommendations for preferred TLS protocols and ciphers change frequently, please seek the current advice of cryptography experts for optimal TLS configuration.

For more information about configuring Tomcat with TLS, see: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
4.3 To Disable the Built-in Web Server

The built-in web server may be used on production servers to serve the ColdFusion Administrator. It may also be used by the Performance Monitoring Toolkit. You may disable the built-in web server when its use is not required.

Back up and edit the {cf.instance.root}/runtime/conf/server.xml file, and remove or comment out the Connector tag similar to the following:

    <!--
    <Connector port="8500" protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="8451" />
    -->

This must be repeated for each ColdFusion instance created.

Restart ColdFusion and confirm that the server port is disabled.

Important: You must use XML comments with two dashes: <!-- xml comment has two dashes -->. If you use a CFML comment (3 dashes), <!--- cfml comment has three --->, ColdFusion may not start.
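The following script is an added example, not part of the Lockdown Guide or of Adobe's tooling. It reads a server.xml in the shape sections 4.1 to 4.3 describe and reports, for every active Connector, whether it still listens on all IP addresses or serves plain HTTP beyond localhost; a Connector wrapped in an XML comment never reaches the parser, which is exactly what disabling it achieves. It also shows why the three-dash CFML comment is dangerous here: it is not well-formed XML, so the file is rejected. The sample server.xml, its ports, paths and keystore password are constructed placeholders, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of {cf.instance.root}/runtime/conf/server.xml:
# one Connector left on all interfaces over plain HTTP, one TLS Connector bound
# to loopback (as in section 4.2), and one commented out (as in section 4.3).
# Ports, paths and the keystore password are placeholders, not real values.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8451" />
    <Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/cf2018/tomcat.keystore"
               keystorePass="PLACEHOLDER-PASSWORD"
               keyAlias="tomcat" clientAuth="false"
               sslProtocol="TLSv1.2" />
    <!--
    <Connector port="8501" protocol="HTTP/1.1" connectionTimeout="20000" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def is_well_formed(xml_text: str) -> bool:
    """True if an XML parser accepts the file. A CFML-style comment with three
    dashes (<!--- ... --->) is not well-formed XML, which is why section 4.3
    warns that using one in server.xml can stop ColdFusion from starting."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


def audit_connectors(xml_text: str) -> dict:
    """Map each active Connector's port to a list of lockdown findings.
    Connectors inside an XML comment are not parsed, so a Connector disabled
    as in section 4.3 simply does not appear in the result."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port")
        address = conn.get("address")  # absent means bind to every interface
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        issues = []
        if address is None:
            issues.append("no address attribute: listens on all IP addresses (section 4.1)")
        if not tls and address not in LOOPBACK:
            issues.append("plain HTTP reachable beyond localhost: run over TLS (section 4.2)")
        if tls:
            if conn.get("scheme") != "https" or conn.get("secure") != "true":
                issues.append("SSLEnabled but scheme/secure not set as in section 4.2")
            if not conn.get("keystoreFile"):
                issues.append("SSLEnabled but no keystoreFile")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, issues or ["ok"])
    print("three-dash comment well-formed?",
          is_well_formed("<Server><!--- cfml comment ---></Server>"))
```

Run it against a copy of your own server.xml by replacing SAMPLE_SERVER_XML with the file's contents; an empty finding list for a port means that Connector already matches the guidance above, and a missing port means the Connector is commented out.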
4.4 Deny ColdFusion Write Permission to Built-in Web Server wwwroot

ColdFusion will have Full Control of the wwwroot folder in your {cf.instance.root}. You may consider restricting that directory to read only, because the cf_scripts folder may be served over the IIS or Apache web server. If you do restrict write permission on wwwroot you will need to allow write permission to the following subdirectories:

    WEB-INF/cfclasses
    WEB-INF/rest-skeletons
    WEB-INF/cfc-skeletons
4.5 Restrict ColdFusion File System Permissions

ColdFusion will have Full Control of its installation directory by default. You may consider restricting full control to only files and folders that ColdFusion needs to write to. You can use file system auditing to determine which files ColdFusion writes to during normal operation of your application.

Some directories that are commonly written to include:

    {cf.instance.root}/logs
    {cf.instance.root}/tmpCache
    {cf.instance.root}/stubs
    {cf.instance.root}/Mail
    {cf.instance.root}/runtime/work
    {cf.instance.root}/jetty/logs
    {cf.instance.root}/jetty/work
    {cf.instance.root}/jetty/multicore/collections/

Note that use of the ColdFusion Administrator may write configuration to several locations; you should ensure that your Administrator settings have been specified and will not change before restricting the file system permissions.
4.6 Lockdown the ColdFusion Add-on Services

If you installed the ColdFusion 2018 Add-on Services for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf), they run as a separate process/service. The Add-on Services leverage Jetty as the JEE servlet container instead of Tomcat (which is used by the ColdFusion Application Server).

If you are not currently using the cfsearch, cfcollection, cfindex, or cfhtmltopdf tags ensure that you have disabled the service.

Next ensure that it is not running under a privileged user account such as root or System. You may create a dedicated user specifically for the Add-on Services. This user simply needs read/write permission on the Solr Home folder. By default Solr Home will point to {cf.root}/cfusion/jetty; you can find the exact path by going to the ColdFusion Administrator and looking at the Solr Home setting under Data & Services > Solr Server.

Consider using a non-default port (8989 is the default) and enabling HTTPS. Go to the ColdFusion Administrator and click the Show Advanced Settings button on the Data & Services > Solr Server page to change these settings.

For maximum isolation, consider installing the ColdFusion Add-on Services on a dedicated server. Using HTTPS is highly recommended when Solr is running on a different server.

Consult the Jetty Documentation for more information: https://www.eclipse.org/jetty/documentation/
4.7 Lockdown File Extensions

ColdFusion provides a number of capabilities that are not commonly used and which can be blocked. A good example of this is JSP file execution. Here is a list of file extensions that usually can be blocked (check with developers first).

File Extension | Purpose | Safe to Block
.cfml | Executes CFML templates (same as .cfm files) | The .cfml file is not typically used by developers; if you don't use .cfml block this file extension.
.jsp | Java Server Pages | Yes, if your applications do not use JSP.
.jws | Java Web Services | Yes, if not used.
.cfr | CFReport files | Yes, if cfreport is not used.
.cfswf | Dynamically generated swf files from Flash forms | Yes, if Flash forms are not used.
.hbmxml | Hibernate XML Mappings | Yes, these files should always be blocked.
4.7.1 Blocking by File Extension with Apache

To block .cfml, .jsp, .jws and .hbmxml files add the following to your Apache httpd.conf file:

    RedirectMatch 404 (?i).*\.(cfml|jsp|jws|hbmxml).*

Restart Apache and create a test .cfml file to confirm that the rule is working.
4.7.2 Blocking by File Extension on IIS

Click on the root node of IIS and then double click Request Filtering. Click on the File Name Extensions tab, and then click Deny File Name Extension in the Actions menu on the right. Add a file name extension including the dot and click OK.
4.7.3 File Extension Whitelisting on IIS

A more robust solution is to specify a whitelist of allowed file extensions, and block the rest. For example allow only .cfm, .css, .js, .png and block anything else. Your application may require additional extensions.

Click on the root node of IIS and then double click Request Filtering. Click on the File Name Extensions tab, and then click Allow File Name Extension. Allow each file extension your sites serve (for example cfm, css, js, png, html, jpg, swf, ico, etc.).

You must also ensure that the .dll file extension is allowed in the /jakarta virtual directory in order for ColdFusion resources to be served.

Test your websites after making changes in this section.
4.8 Additional URIs to Consider Blocking

Here are some additional URIs that ColdFusion may serve requests on that you can consider blocking if you do not use the features they support.

URI | Description
/connector | Used by the Performance Monitoring Toolkit
/CFFileServlet | Serves dynamically generated assets. It supports the cfreport, cfpresentation, cfchart, and cfimage (with action=captcha and action=writeToBrowser) tags
/rest/ /api/ /restapps/ /cfapiresources/ | Used for CFML REST Web Services
4.8.1 Blocking URIs in IIS

Click on the root node of IIS and then double click Request Filtering. Click on the URL tab. Click the Deny Sequence button and enter the URI to block.

Note the Auto Lockdown Tool blocks URIs using Request Filtering as well; however, it applies the settings at the web site level, not the global IIS level. You may consider adding the URIs it blocks at the global level to ensure they will be blocked for all sites on the server.
4.8.2 Blocking URIs in Apache

To block a URI, add the following to the httpd.conf file:

    RedirectMatch 404 (?i).*/CFIDE.*

The above would block and return a 404 HTTP status when the case insensitive (?i) pattern /CFIDE is found anywhere (.*) in the URI.
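As an added example (not from the guide or from Adobe), the script below evaluates the two Apache RedirectMatch patterns quoted in 4.7.1 and 4.8.2, and an extension whitelist in the spirit of 4.7.3, against constructed request paths so you can see what each rule decides before touching a web server. It shows that both denylist patterns are case-insensitive, that only the path (not the query string) is matched, that the whitelist must include dll for the /jakarta connector resource, and that a URI block such as /CFIDE is independent of extension filtering because /CFIDE/administrator/index.cfm has an allowed extension. How this script treats an extensionless search engine safe path such as /index.cfm/x/y (it finds no extension and so the whitelist refuses it) is a property of this example's own extension_of() helper, not a statement about IIS; it is included because the guide says to test your sites after applying a whitelist.

```python
import re
from urllib.parse import urlsplit

# Patterns copied verbatim from the guide's Apache rules (4.7.1 and 4.8.2).
EXTENSION_DENY = re.compile(r"(?i).*\.(cfml|jsp|jws|hbmxml).*")
CFIDE_DENY = re.compile(r"(?i).*/CFIDE.*")

# Whitelist in the spirit of 4.7.3. "dll" is included because the /jakarta
# virtual directory must still serve the connector's .dll. Comparison is
# case-insensitive, as extensions are on a case-insensitive file system.
ALLOWED_EXTENSIONS = frozenset(
    {"cfm", "css", "js", "png", "html", "jpg", "ico", "dll"})


def path_of(url: str) -> str:
    """URL path only: RedirectMatch and IIS request filtering look at the
    path, not the query string."""
    return urlsplit(url).path


def extension_of(path: str) -> str:
    """Lower-cased extension of the final path segment, "" if it has none
    (this example's own rule for extensionless paths)."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def denylist_blocks(url: str) -> bool:
    """Would the 4.7.1 RedirectMatch rule answer 404 for this request?"""
    return EXTENSION_DENY.search(path_of(url)) is not None


def cfide_blocked(url: str) -> bool:
    """Would the 4.8.2 RedirectMatch rule answer 404 for this request?"""
    return CFIDE_DENY.search(path_of(url)) is not None


def allowlist_permits(url: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Would an extension whitelist (4.7.3) let this request through?"""
    return extension_of(path_of(url)) in allowed


def evaluate(url: str) -> dict:
    """Verdict of each rule for one request."""
    return {
        "extension_denylist_blocks": denylist_blocks(url),
        "extension_allowlist_permits": allowlist_permits(url),
        "cfide_uri_blocked": cfide_blocked(url),
    }


if __name__ == "__main__":
    # Constructed request paths covering the cases discussed in 4.7 and 4.8.
    for url in ["/index.cfm", "/admin/Report.CFML", "/app/test.jsp?x=1",
                "/orm/User.hbmxml", "/jakarta/isapi_redirect.dll",
                "/CFIDE/administrator/index.cfm", "/index.cfm/x/y"]:
        print(f"{url:35} {evaluate(url)}")
```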
4.9 Optionally Remove ASP.NET

Once you have all web sites configured in IIS, you may consider removing the IIS Role Services ASP.NET, .NET Extensibility and CGI, which are required by the connector installer but may not be needed at runtime.

If you are running the IIS WebSocket proxy then ASP.NET support is required and must not be removed.

This approach, while it may provide additional security by allowing removal of unused software, does have two drawbacks. First, this is not a procedure that is officially documented or supported by Adobe. Adobe does not test without these settings enabled, so you may encounter something unexpected. Second, when a ColdFusion update is released for the connector, or if you want to add/update/delete an IIS connector, you must re-enable these role services before updating the connector.
4.10 Remove ASP.NET ISAPI Filters and Handler Mappings

If you do not require ASP.NET functionality, and you do not want to fully remove ASP.NET from the server due to the issues outlined in the previous section, you can remove the ISAPI Filters and Handler Mappings that ASP.NET uses to process requests.

First make a backup of the applicationHost.config file, typically located in C:\Windows\System32\inetsrv\config\, and any web.config files.

At the IIS global server level click on ISAPI Filters and remove all ASP.NET ISAPI filters. Next click on ISAPI and CGI Restrictions, click on each ASP.NET ISAPI filter and click Deny.

Next click on Handler Mappings in the IIS global root node. Remove all unnecessary Handler Mappings. Do not remove the StaticFile handler unless your application does not serve static files (js, css, images, etc.). Do not remove the ISAPI-dll handler; this will be required for the ColdFusion web server connector to function. A minimal configuration includes only StaticFile, ISAPI-dll, and cfmHandler.
4.11 Disable Unused Servlet Mappings

All JEE web applications have a file in the WEB-INF directory called web.xml; this file defines the servlets and servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet responds to. For example the servlet that handles requests for .cfm files is called the CfmServlet; the servlet mapping for that looks like this:

    <servlet-mapping id="coldfusion_mapping_3">
        <servlet-name>CfmServlet</servlet-name>
        <url-pattern>*.cfm</url-pattern>
    </servlet-mapping>

The servlets are also defined in the web.xml file. The CfmServlet is defined in web.xml as follows:

    <servlet id="coldfusion_servlet_3">
        <servlet-name>CfmServlet</servlet-name>
        <display-name>CFML Template Processor</display-name>
        <description>Compiles and executes CFML pages and tags</description>
        <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
        <init-param id="InitParam_1034013110656ert">
            <param-name>servlet.class</param-name>
            <param-value>coldfusion.CfmServlet</param-value>
        </init-param>
        <load-on-startup>4</load-on-startup>
    </servlet>

We can remove servlet mappings in the web.xml to reduce the attack surface. You don't typically want to remove the CfmServlet or the *.cfm servlet mapping, but there are other servlets and mappings that may be removed.

In addition some servlets may depend on each other, so it may be better to just remove the servlet-mapping instead.

Be sure to back up web.xml before making changes, as incorrect changes may prevent the server from starting.
Servlet Mapping | Servlet | Purpose
*.cfm *.CFM *.Cfm | CfmServlet | Handles execution of CFML in cfm files. Required.
*.cfml *.CFML *.Cfml | CfmServlet | Handles execution of CFML contained in files with the .cfml file extension. These servlet mappings can be commented out if you do not have any files with a .cfml file extension in your code base.
*.cfc *.CFC *.Cfc | CFCServlet | Handles execution of remote function calls in cfc files. These servlet mappings can be commented out if you do not use any CFCs with access=remote.
*.cfml/* *.cfm/* *.cfc/* | CfmServlet, CFCServlet | These servlet mappings are used for search engine safe URLs such as /index.cfm/x/y
/CFIDE/main/ide.cfm | RDSServlet | Used for RDS; this servlet mapping should be commented out on production servers.
/JSDebugServlet/* | JSDebugServlet | Used for debugging cfclient; should be commented out on production servers.
*.jws | CFCServlet | Java Web Services - allows you to easily write and deploy SOAP web services in Java similar to a CFC. Should be commented out if your applications do not have any jws files.
*.cfr | CFCServlet | Used for cfreport; can be commented out if cfreport is not used.
/CFFormGateway/* | CFFormGateway | Required for Flash forms (<cfform format=flash>); can be commented out if not used.
/CFFileServlet/* | CFFileServlet | Used for serving files generated dynamically from various tags such as cfchart, cfimage, etc.
/securityanalyzer/* | CFSecurityAnalyzerServlet | Used for the CF Builder security analyzer. Not needed on production servers.
/rest/* /api/* /restapps/* /cfapiresources/* | CFRestServlet | Used to serve CFML REST web services
*.hbmxml | CFForbiddenServlet | Used to prevent serving Hibernate mapping files. This should not be removed.
/cfform-internal/* | CFInternalServlet | Required for Flash forms (<cfform format=flash>); can be commented out if not needed.
*.cfswf | CFSwfServlet | Dynamically generated swf files from Flash forms; can be commented out if Flash forms are not needed.
*.as *.sws *.swc | CFForbiddenServlet | Used to prevent serving ActionScript/Flash source code.
/flashservices/gateway/* | FlashGateway | Used for Flash Remoting
/flex-internal/* | FlexInternalServlet | Used for Flex HistoryManager
*.mxml | FlexMxmlServlet | Used to compile Flex mxml files into swf
/flex2gateway/* | MessageBrokerServlet | Used for Flash Remoting
/cfmobile/* | CFMobileServlet | Used for cfclient
/pms/connector/* | PMSGenericServlet | Used by the Performance Monitoring Toolset
To remove a servlet mapping, you can comment it out using an XML comment; for example, to disable the RDS servlet mapping:

    <!--
    <servlet-mapping id="coldfusion_mapping_9">
        <servlet-name>RDSServlet</servlet-name>
        <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
    </servlet-mapping>
    -->

Restart ColdFusion and test your application after commenting out servlet mappings. It is a good idea to only remove one at a time and then test again.
4.12 Additional Tomcat Security Considerations

Consult the Tomcat 9 Security Considerations document http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html for additional Tomcat specific security settings.
4.13 Additional File Security Considerations

Pay careful attention to the file permissions of sensitive configuration files located in {cf.instance.root}/lib/ such as password.properties, seed.properties and all neo-*.xml files. In addition, {cf.instance.root}/runtime/conf/ contains important configuration files utilized by the Tomcat container.
4.14 Adding ClickJacking Protection

ColdFusion 10 introduced two Servlet Filters, CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these filters the X-Frame-Options HTTP header will be returned with a value of DENY or SAMEORIGIN. You can add a filter-mapping in web.xml to enable these filters for a given URI; this functionality could also be accomplished at the web server level.
4.15 Restricting HTTP Verbs

Most web applications only need to function on GET, HEAD and POST. Applications that make use of Cross Origin Resource Sharing (CORS) will also require the OPTIONS method. Servers that host REST web services may require additional HTTP methods.
4.15.1 Whitelisting HTTP Verbs in Apache

The Limit and LimitExcept directives can be used to apply configuration based on the HTTP method. For example, to deny all requests except GET, HEAD and POST you can add the following to your httpd.conf:

    <Location />
        <LimitExcept GET HEAD POST>
            Order Deny,Allow
            Deny from all
        </LimitExcept>
    </Location>
    TraceEnable off

Note that LimitExcept does not apply to the HTTP TRACE method. The TRACE method can be disabled using the Apache directive TraceEnable. Restart Apache.
4.15.2 Whitelisting HTTP Verbs in IIS

Click on the root node in IIS, double click Request Filtering and select the HTTP Verbs tab. Click Allow Verb and add each HTTP verb you want to allow.

Now, to disallow any verb that has not been explicitly allowed, click Edit Feature Settings and uncheck Allow unlisted verbs.
4.16 Security Constraints in web.xml

The servlet container (Tomcat) can enforce certain security constraints to ensure that a given URI is secured, or to limit certain URIs to HTTP POST over a secure (SSL) connection:

    <security-constraint>
        <display-name>POST SSL</display-name>
        <web-resource-collection>
            <web-resource-name>POST ONLY SSL</web-resource-name>
            <url-pattern>/post/*</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>POST ONLY</display-name>
        <web-resource-collection>
            <web-resource-name>BLOCK NOT POST</web-resource-name>
            <url-pattern>/post/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
4.17 Limit Request Size

Limiting the size of various elements of the HTTP request can help mitigate denial of service attacks and other risks.

Consider specifying smaller request size limits by default, and then use larger sizes on URIs where files are uploaded or very large form submissions occur.

4.17.1 Limit Request Size in IIS

In IIS you can use the Edit Feature Settings dialog in Request Filtering to control the Maximum Allowed Content Length, Maximum URL Length and Maximum Query String Length.

4.17.2 Limit Request Size in Apache

Apache has several directives that can be used to control the allowed size of the request. Here are a few directives you should consider setting: LimitRequestBody, LimitXMLRequestBody, LimitRequestLine, LimitRequestFieldSize, LimitRequestFields.
4.18 Distributed Mode or Reverse Proxy

Consider running in a reverse proxy or distributed mode, such that the web server and the ColdFusion server are on different servers. This method provides isolation between your web server and the ColdFusion application server.

In distributed mode, only the web server connector is installed on the server containing the web server.

For more information on configuring ColdFusion to run in distributed mode consult this blog entry: http://blogs.coldfusion.com/setting-up-coldfusion-in-distributed-envionment/
4.19 HTTP Response Headers to Improve Security

There are several HTTP response headers that you may consider adding to the web server to improve security. Some headers you may consider adding include:

    Strict-Transport-Security
    X-Frame-Options
    Content-Security-Policy
    X-Content-Type-Options
    X-XSS-Protection
    Referrer-Policy

4.19.1 Adding HTTP Response Headers in IIS

Open IIS and double click the HTTP Response Headers icon. Then click Add and specify a header name and value.

4.19.2 Adding HTTP Response Headers in Apache

Add a Header directive to your httpd.conf:

    Header set Strict-Transport-Security "max-age=31536000"
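The script below is an added example, not part of the guide or of any Adobe or Apache tooling. It audits a captured HTTP response against two parts of this guide at once: the response headers listed in 4.19 and the HttpOnly/Secure flags that 3.5 requires on the ColdFusion session cookies (CFID and CFTOKEN, or JSESSIONID when J2EE sessions are enabled). It also validates the Strict-Transport-Security value, because the directive name clients recognise is max-age (RFC 6797); a header written as maxage=31536000 is silently ignored and HSTS is not enabled. Both responses are constructed for the example; the header values in the hardened one are illustrative choices, not recommendations from the guide.

```python
from typing import Dict, List, Tuple

# Headers section 4.19 suggests adding.
RECOMMENDED_HEADERS = [
    "Strict-Transport-Security", "X-Frame-Options", "Content-Security-Policy",
    "X-Content-Type-Options", "X-XSS-Protection", "Referrer-Policy",
]
# Session cookies whose flags section 3.5 covers.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}

# Constructed responses: one as a server might send before lockdown, one hardened.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Strict-Transport-Security: maxage=31536000\r\n"   # misspelt directive name
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: CFID=12345; Path=/; HttpOnly\r\n"
    "Set-Cookie: CFTOKEN=67890; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: CFID=12345; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: CFTOKEN=67890; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """(name, value) pairs in order; repeated Set-Cookie headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    return [tuple(part.strip() for part in line.split(":", 1))
            for line in lines if ":" in line]


def hsts_problems(value: str) -> List[str]:
    """RFC 6797 makes the max-age directive required; anything else is ignored."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    if "max-age" not in directives:
        return ["missing max-age directive (the RFC 6797 name is max-age, not maxage)"]
    if not directives["max-age"].isdigit():
        return ["max-age must be a non-negative integer number of seconds"]
    return []


def cookie_problems(set_cookie: str) -> List[str]:
    """Flags section 3.5 requires on ColdFusion session cookies."""
    name = set_cookie.split("=", 1)[0].strip()
    if name.lower() not in SESSION_COOKIES:
        return []
    flags = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    problems = []
    if "httponly" not in flags:
        problems.append(f"{name}: HttpOnly not set")
    if "secure" not in flags:
        problems.append(f"{name}: Secure not set")
    return problems


def audit_response(raw: str) -> List[str]:
    """All findings for one response; an empty list means nothing to fix."""
    headers = parse_headers(raw)
    present = {name.lower(): value for name, value in headers}
    findings = [f"missing {h}" for h in RECOMMENDED_HEADERS if h.lower() not in present]
    if "strict-transport-security" in present:
        findings += [f"Strict-Transport-Security: {p}"
                     for p in hsts_problems(present["strict-transport-security"])]
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings += cookie_problems(value)
    return findings


if __name__ == "__main__":
    print("before:", audit_response(BEFORE))
    print("after: ", audit_response(AFTER))
```

Feed it the raw response you captured from your own site (for example the output of a curl -i run saved to a file) and work through the findings; cookies set by the application rather than by ColdFusion are outside what this check looks at.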
5 ColdFusion Lockdown on Linux

This section covers installation of ColdFusion on Linux with Apache. To install ColdFusion 2018 on Linux we will perform the following steps:

    1. Perform installation prerequisites
    2. Create a dedicated user account for ColdFusion to run as
    3. Install ColdFusion
    4. Check for, and install, any ColdFusion hotfixes
    5. Configure Apache
    6. Configure file system permissions
    7. Run the web server configuration tool to connect ColdFusion to Apache
    8. Set up the ColdFusion Administrator site
    9. Update the JVM
5.1 Linux Installation Prerequisites

Before you begin the ColdFusion installation process perform the following steps:

- Configure a network firewall (and/or configure a local firewall using iptables) to block all incoming public traffic during installation.
- Read the Red Hat Enterprise Linux 7 Security Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/
- Install Red Hat Linux with minimal packages; you do not need to install a graphical desktop environment.
- Enable SELinux Enforcing mode during installation. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/ for more information about SELinux.
- Remove or disable any software on the server that is not required. To see what packages are installed run: yum list installed | more. To remove a package: yum erase php
- Run yum update and ensure that all software running on the server is fully patched.
- Download ColdFusion from adobe.com.
- Verify that the MD5 checksum listed on the adobe.com download page matches the file you downloaded. You can run the following in a command prompt: md5sum installer-file-name.bin
5.2 Create a Dedicated User Account for ColdFusion

Create a new group which will contain both the ColdFusion users and Apache's user. In this guide we will name this group webusers; please choose a unique name:

    groupadd webusers

Create a system user for ColdFusion to run as. In this guide we use the user name cfuser, but again, pick a unique user name:

    adduser --system -g webusers -s /sbin/nologin -M -c ColdFusion cfuser

If you are running multiple instances of ColdFusion consider creating a dedicated user account for each instance to run in isolation.
5.3 ColdFusion Installation

Run the installer as the root user or by using sudo.

Installer configuration:

- Choose #1 - Server configuration. If you are deploying ColdFusion to a JEE server such as WebSphere, WebLogic, JBoss, etc. select an EAR or WAR file; otherwise choose option 1, Server configuration.
- Select ColdFusion Server Profile: Choose Production Profile + Secure Profile. The Development Profile should not be selected; it enables features that are intended for development purposes. The Production Profile disables development features by default. The Production Profile + Secure Profile option has all the features of the Production Profile plus provides a more secure foundation of default settings. Some of the settings that the Secure Profile toggles may cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues. As of ColdFusion 11+ the Secure Profile settings can also be toggled from the ColdFusion Administrator.
- IP Addresses allowed: 127.0.0.1, ::1. Comma separate any other IP addresses that need to access the ColdFusion Administrator.
- Sub-components Installation: Select only services that are required by your application.
    - Solr Service - the Solr service is needed only if you are using the cfsearch, cfcollection, cfindex tags. Disable the Solr service if not needed.
    - PDFG - enable if you are using the cfhtmltopdf tag.
    - Admin component for Remote Start/Stop - disable.
    - Start ColdFusion on system init - enable.
- Enabling/Disabling Servlets:
    - Uncheck RDS, JSDebug
    - Uncheck CFReporting if you are not using the cfreport tag.
    - Uncheck CFSWF and Flash Forms if not using Flash Forms (cfform format=flash)
- Access Add-on Services Remotely: If you selected the PDFG (cfhtmltopdf tag) or Solr (cfsearch, cfindex, cfcollection tags) sub-components the ColdFusion 2018 Add-on Services will be installed. When you specify n for the Access Add-on Services Remotely option, the Add-on Services are only accessible from the local machine (localhost). If you want to allow access to the services from multiple ColdFusion servers, enter y and then specify the IP addresses of the remote ColdFusion servers. Select n unless remote access is required.
- Choose Install Folder: Select a non-default installation folder; in this guide we will use /opt/cf2018/
- Built-in Web Server Port Number: Select a non-default port number.
- Performance Monitoring Toolset Hostname/IP Address: Enter the internal IP address of the server if you wish to use the PMT. This value can be changed later in the Administrator.
- Runtime User: Enter the name of the user created in the previous section: cfuser
- Configure ColdFusion with OpenOffice: Skip if not required. OpenOffice integration is used by cfdocument to convert Word documents to PDF or PowerPoint presentations to PDF/HTML.
- Administrator Credentials: select a unique user name (not admin), and choose a strong password.
- Server Updates: Y, automatically check for server updates.

Now start ColdFusion:

    service cf2018 start
5.4 Access ColdFusion Administrator via a SSH Tunnel
Because most Linux servers do not have a desktop installed, and because the ColdFusion Administrator is no longer accessible via the Apache web server as of CF2016+, it can be useful to create a temporary SSH tunnel when you need to connect to the ColdFusion Administrator.
To access the ColdFusion Administrator you can create a SSH tunnel that points to the built-in web server port (8500 by default), by opening a local port (33333 in our example, but you can use any local port number you want as long as it is not in use) on your desktop.
If your desktop computer is running Mac or Linux you can create a SSH tunnel to port 8500 on your local port 33333 by running the following command (locally on your desktop, not on your ColdFusion server):
ssh -L 33333:127.0.0.1:8500 [email protected]
If you are running a Windows desktop you can use putty.exe (download from putty.org):
putty -L 33333:127.0.0.1:8500 your.new.server.example.com
Now open your web browser and point it to http://127.0.0.1:33333/CFIDE/administrator/
The traffic between your server and desktop will be encrypted over the SSH protocol. You can also configure the built-in web server to use HTTPS on top of that as well (see section 4.2).
5.5 Install ColdFusion Hotfixes
Log in to the ColdFusion Administrator via the built-in web server.
Click on Server Updates > Updates. If any hotfixes are available select the latest hotfix, and click Download.
Tip: You can verify the integrity of the downloaded hotfix by running md5sum on the hotfix_XXX.jar file and checking that the checksum matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates
Run the hotfix installer as root or with sudo (replace hotfix_XXX.jar with the actual hotfix file name):
/opt/cf2018/jre/bin/java -jar /opt/cf2018/cfusion/hf-updates/hotfix_XXX.jar
Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide
5.6 Install and Configure Apache Web Server
5.6.1 Install or Update Apache
If Apache (httpd) has not yet been installed, install it using yum:
yum install httpd
If Apache (httpd) was already installed, ensure that the latest version is installed:
yum update httpd
5.6.2 Remove Unnecessary Modules
Ensure that the latest versions of openssl and mod_ssl are installed as well, using yum commands similar to those above.
Remove any unneeded modules, for example:
yum erase php*
Edit /etc/httpd/conf/httpd.conf and remove or comment out (by placing a # at the beginning of the line) any LoadModule lines that load unnecessary modules. Most modules will be included in separate configuration files (look in /etc/httpd/conf.modules.d/); you can easily find a list of files that load modules by running:
fgrep --recursive LoadModule /etc/httpd/
Some modules that you may be able to remove (or comment out by placing a # at the beginning of the line) include: mod_imap, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.
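As an added check that is not part of the original guide, the following script scans an httpd configuration tree for uncommented LoadModule lines and reports which of the modules listed above are still enabled; the configuration tree it builds for the demonstration is constructed, not a real server's.

```shell
#!/bin/sh
# Added example, not from the Lockdown Guide: report which of the Apache modules
# section 5.6.2 suggests removing are still loaded anywhere under an httpd
# configuration directory. Only uncommented LoadModule lines count, so a line
# that has already been commented out with # is ignored.

# Module names as they appear on LoadModule lines for mod_imap (imap_module on
# Apache 2.0, imagemap_module on 2.2+), mod_info, mod_userdir, mod_status,
# mod_cgi and mod_autoindex.
REMOVABLE_MODULES="imap_module imagemap_module info_module userdir_module status_module cgi_module autoindex_module"

# Print every module name loaded by an active LoadModule line under directory $1.
active_modules() {
  grep -rh '^[[:space:]]*LoadModule[[:space:]]' "$1" | awk '{ print $2 }' | sort -u
}

# Print, one per line, the removable modules that are still active under $1.
flag_removable_modules() {
  loaded=$(active_modules "$1")
  for m in $REMOVABLE_MODULES; do
    if printf '%s\n' "$loaded" | grep -qx "$m"; then
      echo "$m"
    fi
  done
}

# Build a small constructed configuration tree (not a real server's config) so the
# checks can be run without touching /etc/httpd. Prints the directory path.
make_sample_conf() {
  d=$(mktemp -d)
  mkdir -p "$d/conf" "$d/conf.modules.d"
  cat > "$d/conf/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
LoadModule status_module modules/mod_status.so
#LoadModule info_module modules/mod_info.so
Include conf.modules.d/*.conf
EOF
  cat > "$d/conf.modules.d/00-base.conf" <<'EOF'
LoadModule dir_module modules/mod_dir.so
    LoadModule cgi_module modules/mod_cgi.so
# LoadModule userdir_module modules/mod_userdir.so
EOF
  echo "$d"
}

# Demonstration run; on a real server call: flag_removable_modules /etc/httpd
sample=$(make_sample_conf)
echo "Removable modules still loaded in the sample configuration:"
flag_removable_modules "$sample"
rm -rf "$sample"
```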
5.6.3 Setup Directory for Web Roots
Optional: If you wish to set up a non-default web root follow the instructions in this section. If you plan to use the default web root /var/www/html then copy your CFML files into that directory.
If you have multiple web sites you may wish to create a folder for all your sites. In this guide we will use /www/ as the root folder, but you should choose a unique path name.
mkdir -p /www/default/wwwroot/
mkdir -p /www/example.com/wwwroot/
mkdir -p /www/other.example.com/wwwroot/
Copy your CFML source code into the directory; /www/default/wwwroot/ could be set up as a default site for Apache.
Next, let's add the apache user to the webusers group we created previously:
usermod -aG webusers apache
Set up some file system permissions:
chown -R root:webusers /www
chmod -R 750 /www
chcon -R -t httpd_sys_content_t -u system_u /www/default/wwwroot/
chcon -R -t httpd_sys_content_t -u system_u /www/example.com/wwwroot/
chcon -R -t httpd_sys_content_t -u system_u /www/other.example.com/wwwroot/
Edit httpd.conf and change the DocumentRoot from /var/www/html to your new default site root, for example /www/default/wwwroot
Next tell Apache that it is allowed to serve files to the public under the folder /www by adding:
<Directory "/www">
Options None
AllowOverride None
Require all granted
</Directory>
Create an index.html file in the default site:
echo 'Hello' > /www/default/wwwroot/index.html
Restart Apache:
service httpd restart
Test to make sure Apache is working:
curl http://localhost/
The above curl command should output the contents of /www/default/wwwroot/index.html, which should be Hello.
5.6.4 Start Apache on Boot
By default Apache will not start up on system boot; you need to tell systemctl to enable the service. As root or using sudo run the following:
systemctl enable httpd.service
5.6.5 Connect Apache to ColdFusion
Note that there is a bug in the Auto Lockdown Tool when it configures the connector when SELinux is enabled. You may be able to skip this step (and allow the Auto Lockdown Tool to connect Apache to ColdFusion) if you do not have SELinux enabled or if the bug has been resolved: https://tracker.adobe.com/#/view/CF-4203248
Run wsconfig as root or with sudo to connect ColdFusion to Apache:
/opt/coldfusion2018/cfusion/runtime/bin/wsconfig -ws Apache -dir /etc/httpd/conf -bin /usr/sbin/httpd
You may see an error that Apache was unable to start; this is due to the bug mentioned above. To correct this, run the following commands:
WSCONFIG_DIR=/opt/coldfusion2018/config/wsconfig
NUM=1
# Create a mod_jk.log file:
touch $WSCONFIG_DIR/$NUM/mod_jk.log
# Set file system permissions:
chown -R cfuser:apache $WSCONFIG_DIR
chmod -R 540 $WSCONFIG_DIR
chmod 550 $WSCONFIG_DIR/$NUM/mod_jk.so
chmod 560 $WSCONFIG_DIR/$NUM/mod_jk.log
chcon -t httpd_modules_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk.so
chcon -t httpd_log_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk.log
chcon -t httpd_config_t -u system_u $WSCONFIG_DIR/$NUM/uriworkermap.properties
chcon -t httpd_config_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk_vhost.conf
# Allow apache to connect to the CF AJP connector port (defined in server.xml):
semanage port -a -t http_port_t -p tcp 8018
# Update the JkShmFile path in mod_jk.conf. Edit the file in place with -i:
# redirecting sed's output back onto its own input file would truncate the
# file before sed reads it, leaving mod_jk.conf empty.
sed -i '/JkShmFile/s/.*/JkShmFile "\/var\/cache\/httpd\/1_jk_shm"/' /etc/httpd/conf/mod_jk.conf
Tip: you can put the above commands into a file that begins with #!/bin/bash and then run them all at once as a script.
At this point you can restart Apache, and try accessing a test.cfm file to see if it works.
5.7 Run the Linux ColdFusion Auto Lockdown Tool
Before running the ColdFusion Auto Lockdown Tool please ensure the following:
ColdFusion is running, and you have logged into the ColdFusion Administrator at least once:
service cf2018 start
Apache is running (test by accessing port 80 or 443):
service httpd start
Run the auto lockdown tool as the root user or by using sudo.
ColdFusion Installation Directory - enter the directory where ColdFusion is installed.
Apply latest ColdFusion update - select Yes to have the lockdown tool check for updates and install them.
Automatic Update or Manual - select Automatic if the server is connected to the internet.
ColdFusion Instance - enter the name of the instance to lock down, select the default cfusion.
Web Server - select Apache
Admin Username - enter your ColdFusion Administrator username.
Admin Password - enter your ColdFusion Administrator password.
Internal Web Server Port - enter the port number you chose for the internal web server during installation (default is 8500).
System Admin User - enter the username for your root user account.
System Admin Password - if root has a password you may enter it; if it does not have a password configured just hit enter.
Do you have a user created for running CF services? - select Yes.
ColdFusion Runtime Username - enter the username for the ColdFusion user you created, eg cfuser.
ColdFusion Runtime User Password - hit enter because the user was created as a system account so it does not have a password.
ColdFusion Runtime User Group - enter the name of the group you created, for example webusers
Do you have a user created for running Web Server services? - select Yes.
Web Server Group - the name of the group that the web server user belongs to (default is apache on Red Hat Linux).
Web Server Username - the username for the web server user (default is apache on Red Hat Linux).
Web Server Password - hit enter; the web server user is created as a system account so it does not have a password by default on Red Hat Linux.
Web Server Conf Directory Path - enter the path to the folder that contains httpd.conf; on Red Hat Linux it will be /etc/httpd/conf
Web Server Binary Path - enter the path to the httpd binary; on Red Hat Linux it will be /usr/sbin/httpd
Web Server Web Root Path - enter the path to the web root directory you created, for example: /web/
File Upload Path - the lockdown installer will grant write permissions to the folder specified. If you have more than one folder, you can do this manually with chmod, for example chmod u+w /web/example.com/path-to-write-to/
Alias for cf_scripts - select a path other than the defaults, not /cf_scripts and not /cf2018_scripts
Shutdown Port - change the shutdown port to a non-default value.
Review the Lockdown Tool logs in /opt/coldfusion2018/lockdown/cfusion/Logs (path may differ), and ensure that it states ColdFusion Server has been locked down successfully and that there are no errors.
5.8 Update JVM
The Java Virtual Machine included with the ColdFusion installer may not contain the latest Java security hotfixes. You must periodically check for JVM security hotfixes.
Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However ColdFusion “Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion”. Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/
Download the RPM for the latest supported JRE from Adobe https://www.adobe.com/support/coldfusion/downloads.html. Install the rpm:
rpm -ivh jre-11.0.xx_linux-x64_bin.rpm
After you run the binary the JVM is installed in /usr/java/ and a symbolic link is created pointing to the latest installed version: /usr/java/latest/. Point ColdFusion to this path to simplify future JVM updates.
Verify that the version of Java in /usr/java/latest/ is a version supported for ColdFusion 2018. At the time of this writing Java 10 is the latest supported major version of Java.
/usr/java/latest/bin/java -version
Locate the jvm.config file (by default it is located in /opt/coldfusion2018/cfusion/bin/) and make a backup:
cp jvm.config jvm.config.backup
To update using the ColdFusion Administrator: click on Server Settings > Java and JVM and then add /usr/java/latest/ to the Java Virtual Machine Path text box.
To update via shell: Edit jvm.config in a text editor to locate the line beginning with java.home=, for example:
java.home=/opt/coldfusion2018/jre
Changethatlineto:
java.home=/usr/java/latest
Restart ColdFusion for the new JVM to take effect. Visit the System Information page of the ColdFusion Administrator to confirm that the JVM has been updated. To revert to the default JVM replace jvm.config with jvm.config.backup and restart ColdFusion again.
5.8.1 Update JVM Add-On Services
If you installed the add-on services ensure that the startup script points to the updated JVM; look for the line:
SOLR_JVM="/opt/coldfusion2018/jre"
Andupdateitto:
SOLR_JVM="/usr/java/latest"
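As an added helper that is not part of the guide, the following script performs the jvm.config edit from section 5.8 (backup, then rewrite java.home) after first checking that the new JVM directory really contains an executable bin/java, which catches a mistyped path before ColdFusion fails to start. It assumes the file has a single java.home=<path> line, as in the guide's /opt/coldfusion2018/cfusion/bin/jvm.config.

```shell
#!/bin/sh
# Added example, not from the Lockdown Guide: point a ColdFusion jvm.config at a
# new JVM directory safely. Assumes the file has one "java.home=<path>" line, as
# in /opt/coldfusion2018/cfusion/bin/jvm.config.

# Print the JVM directory currently configured in the given jvm.config.
current_java_home() {
  sed -n 's/^java\.home=//p' "$1"
}

# Usage: set_java_home <jvm.config> <new JVM directory>
# Exit status: 0 on success, 1 if <dir>/bin/java is missing or not executable,
# 2 if jvm.config contains no java.home line. Keeps a copy in jvm.config.backup.
set_java_home() {
  cfg=$1
  jvm=$2
  if [ ! -x "$jvm/bin/java" ]; then
    echo "set_java_home: no executable java at $jvm/bin/java" >&2
    return 1
  fi
  if ! grep -q '^java\.home=' "$cfg"; then
    echo "set_java_home: no java.home line in $cfg" >&2
    return 2
  fi
  cp "$cfg" "$cfg.backup"   # revert with: cp jvm.config.backup jvm.config
  # Read from the backup and write the live file: never redirect sed output onto
  # its own input, which would truncate the file first. '|' is used as the sed
  # delimiter so the slashes in the path need no escaping.
  sed "s|^java\.home=.*|java.home=$jvm|" "$cfg.backup" > "$cfg"
}

# Stand-alone use on the guide's paths (requires write access to jvm.config):
#   sh set_java_home.sh /opt/coldfusion2018/cfusion/bin/jvm.config /usr/java/latest
if [ $# -eq 2 ]; then
  set_java_home "$1" "$2" && echo "java.home is now $(current_java_home "$1")"
fi
```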
5.9 Setup Auditing
First ensure that auditd is installed and configured to meet your requirements in /etc/audit/auditd.conf
Use auditctl to add auditing to file system operations, for example:
auditctl -w /opt/coldfusion2018 -p wax -k cf2018
The above will audit all write, attribute change and execute operations on the path /opt/coldfusion2018/ and tag all entries with the filter key cf2018. Now that the filter key is set up you can query the audit log using:
ausearch -k cf2018
Keep in mind that the above might get a bit noisy if ColdFusion is writing a lot of log files; placing the log files elsewhere will reduce this noise.
You may also consider setting up auditing on other important paths such as /etc/ or your web root file system.
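As an added example, not from the guide, the following script shows one way to triage the raw records that the auditctl rule above produces: it correlates each SYSCALL record with its PATH records by event id and drops the log-file writes the paragraph above calls noisy. The audit records it parses are constructed and simplified, not a real capture, and the neo-security.xml and jvm.config paths are used only as plausible examples.

```shell
#!/bin/sh
# Added example, not from the Lockdown Guide: triage raw auditd records produced
# by the "-k cf2018" rule above. Each SYSCALL record is joined to the PATH records
# that share its event id, and writes under the ColdFusion logs directory (the
# noise the guide mentions) are dropped. Record format follows audit.log.

# Usage: summarise_audit <filter key> <path prefix to ignore>   (records on stdin)
# Output: one "exe -> path" line per remaining event, in the order seen.
summarise_audit() {
  awk -v key="$1" -v noise="$2" '
    # Return the value of a quoted name="value" field in rec, or "" if absent.
    function field(rec, name) {
      if (match(rec, name "=\"[^\"]*\""))
        return substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
      return ""
    }
    {
      # The event id is the msg=audit(<time>:<serial>) token shared by all
      # records of one event.
      match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
      id = substr($0, RSTART, RLENGTH)
      if ($1 == "type=SYSCALL" && field($0, "key") == key) {
        exe[id] = field($0, "exe")
        order[++n] = id
      } else if ($1 == "type=PATH") {
        p = field($0, "name")
        # Later items (the file) overwrite earlier ones (its parent directory);
        # anything under the noise prefix is ignored entirely.
        if (p != "" && index(p, noise) != 1) path[id] = p
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        if (id in path) print exe[id] " -> " path[id]
      }
    }'
}

# Constructed, simplified records (not a real capture): the ColdFusion JVM
# appending to its own log, the JVM rewriting a file in cfusion/lib, an editor
# changing jvm.config, and an unrelated event tagged with a different key.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1585670400.101:501): arch=c000003e syscall=257 success=yes exit=5 comm="java" exe="/opt/coldfusion2018/jre/bin/java" key="cf2018"
type=PATH msg=audit(1585670400.101:501): item=0 name="/opt/coldfusion2018/cfusion/logs/" inode=1001
type=PATH msg=audit(1585670400.101:501): item=1 name="/opt/coldfusion2018/cfusion/logs/application.log" inode=1002
type=SYSCALL msg=audit(1585670400.102:502): arch=c000003e syscall=257 success=yes exit=6 comm="java" exe="/opt/coldfusion2018/jre/bin/java" key="cf2018"
type=PATH msg=audit(1585670400.102:502): item=0 name="/opt/coldfusion2018/cfusion/lib/" inode=2001
type=PATH msg=audit(1585670400.102:502): item=1 name="/opt/coldfusion2018/cfusion/lib/neo-security.xml" inode=2002
type=SYSCALL msg=audit(1585670400.103:503): arch=c000003e syscall=257 success=yes exit=3 comm="vi" exe="/usr/bin/vi" key="cf2018"
type=PATH msg=audit(1585670400.103:503): item=0 name="/opt/coldfusion2018/cfusion/bin/" inode=3001
type=PATH msg=audit(1585670400.103:503): item=1 name="/opt/coldfusion2018/cfusion/bin/jvm.config" inode=3002
type=SYSCALL msg=audit(1585670400.104:504): arch=c000003e syscall=257 success=yes exit=3 comm="bash" exe="/usr/bin/bash" key="www"
type=PATH msg=audit(1585670400.104:504): item=0 name="/www/default/wwwroot/index.html" inode=4001
EOF
}

# Demonstration; on a real server, feed /var/log/audit/audit.log (or ausearch
# output in raw format) to summarise_audit on stdin instead.
sample_audit_log | summarise_audit cf2018 /opt/coldfusion2018/cfusion/logs/
```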
5.10 Change umask
Edit the {cf.root}/bin/sysinit startup script and add the line near the top but below the #description comment:
umask 007
Consider setting a more restrictive umask on the group permission.
5.11 Additional Lockdown Steps
Go back to Section 3 ColdFusion Administrator Settings and then to Section 4 Additional Lockdown Measures to perform additional steps.
6 Performance Monitoring Toolset Security Considerations
6.1 Installing the PMT
Select a non-default path to install to. Select non-default port numbers. Enter a username other than admin and use a strong password.
For additional isolation consider installing the PMT on a dedicated server. The PMT Service and PMT Datastore could also be isolated to dedicated servers.
6.2 ColdFusion Server Auto Discovery
The PMT auto discovery feature can detect ColdFusion servers over multicast (default port 46864). Ensure that your network firewall or operating system firewall is configured to limit access accordingly.
More information about auto discovery: https://coldfusion.adobe.com/2018/07/auto-discovery/
6.3 PMT Datastore
The PMT datastore is an ElasticSearch server. Any computer with access to the port that the PMT datastore is running on can access all the data it contains.
Ensure that the PMT datastore is not running on the default port range 9200 to 9300.
Ensure that a network or OS firewall has been configured to deny external access to this port. ColdFusion 2018 servers that are monitored require access to the PMT datastore port.
6.4 Run PMT and PMT Datastore as Dedicated User
The ColdFusion 2018 Performance Monitoring Toolset service and ColdFusion 2018 Performance Monitoring Toolset Datastore service run as LocalSystem by default.
Create two Local User Accounts; in this guide we will use the usernames pmtdatastore and pmtservice, however you should create unique names. Next create a group that contains both users, for example pmtgroup.
Grant read only permission to the group (eg pmtgroup) on the Performance Monitoring Toolset installation directory (the default is C:\ColdFusion2018PerformanceMonitoringToolset or /opt/ColdFusion2018PerformanceMonitoringToolset).
Grant Full Control (read and write) permission to the logs and config directory under the PMT installation directory to the pmtservice user account.
Grant Full Control (read and write) permission to the datastore/data and datastore/logs directory under the PMT installation directory to the pmtdatastore user account.
Note that the pmtservice user does not need access to the datastore subfolder; you may consider denying the pmtservice user access to the datastore folder.
Update the Service Log On Identity for the ColdFusion 2018 Performance Monitoring Toolset service to point to your pmtservice user.
Update the Service Log On Identity for the ColdFusion 2018 Performance Monitoring Toolset Datastore service to point to your pmtservice user.
Restart both services.
6.5 Update PMT JVM
Edit the jvm.config file located in the config subfolder of the PMT installation directory. Replace the following line:
java.home=C:\ColdFusion2018PerformanceMonitoringToolset\jre
With a path pointing to your current JVM, for example:
java.home=C:\Java\jdk-11.0.XX\
7 API Manager Security Considerations
7.1 Install API Manager
Download and run the API Manager Installer.
Consider changing ports to non-default values.
Use a dedicated partition/drive for the API Manager application server files.
For maximum isolation you can install the API Manager, Data Store and Analytics Server services on separate servers. If you are installing everything on a single server check the Data Store and Analytics Server checkboxes to install these services locally.
7.2 Connect API Manager to IIS
Follow section 2.2 to ensure that the required IIS role services are installed on the server. Create an empty directory for a new site in IIS, for example d:\sites\api.example.com\wwwroot\
Create empty subfolders called portal, amp, analytics and admin.
URI          Purpose                                                      Restrict
/analytics   Allows publishers, subscribers and admins to see stats       Restrict to admins, publishers and subscribers
             related to the API use.
/admin       API Manager administrator interface.                         Block public access.
/amp         Internal API for API Manager. Used by /portal and /analytics Restrict to admins, publishers and subscribers
/amp/admin   Internal API for API Manager Admin                           Block public access
Block or restrict access to the URIs using request filtering, IP restrictions, or web server authentication.
7.3 Run API Manager as a Dedicated User
Create a unique user for each service (for example: apimanager, apidatastore, apianalytics) with minimal permission. Next create a user group containing each service user; in this guide we will call the group apimanagers, but you should use unique user names and group names.
Stop all API Manager Services.
Grant read only permission to the apimanagers group for the entire API Manager installation root directory {api.root} (for example x:\ApiManager\ or /opt/ApiManager/).
Next grant read and write (Full Control) permission to the apidatastore user for the {api.root}/database/datastore/ directory.
Start the API Datastore Service.
Grant read and write (Full Control) permission to the apianalytics user for the following directories:
{api.root}/database/analytics/data/
{api.root}/database/analytics/logs/
Start the API Analytics Service.
Grant read and write (Full Control) permission to the apimanager user for the following directories:
{api.root}/conf
{api.root}/logs
Start the API Manager services and test.
On Linux you will need to create a startup script to run each of the services as their dedicated users, for example:
su apidatastore -c "/opt/ApiManager/database/datastore/redis-server /opt/ApiManager/database/datastore/redis.conf.properties"
su apianalytics -c "/opt/apimanager/database/analytics/bin/elasticsearch"
su apimanager -c "/opt/ApiManager/bin/start.sh"
8 Patch Management Procedures
Staying up to date with patches is essential to maintaining security on the server. The system administrator should monitor the vendors' security pages for all software in use. Most vendors have a security mailing list that will notify you by email when vulnerabilities are discovered.
Sign up for the Adobe Security Notification Service: https://www.adobe.com/subscription/adbeSecurityNotifications.html
Check the following web sites frequently:
Adobe ColdFusion Security Bulletins: https://helpx.adobe.com/security/products/coldfusion.html
Microsoft Security TechCenter: https://www.microsoft.com/en-us/msrc
Red Hat Security: https://www.redhat.com/security/updates/
Listing of security vulnerabilities in Apache web server: https://httpd.apache.org/security_report.html
Listing of security vulnerabilities in Tomcat: https://tomcat.apache.org/security-9.html
To keep updated with ColdFusion 2018 updates you can use the server update feature in the ColdFusion Administrator. Consider setting up an instance to email you when new updates are released.
You should also consider subscribing to the ColdFusion Community Portal https://coldfusion.adobe.com/.
Finally, a third-party commercial service, http://hackmycf.com, will let you know when relevant ColdFusion, Java, Tomcat, etc. security patches are released. It will also scan your server on a periodic basis and send you a report.
9 Sources of Information
Microsoft Security Compliance Management Toolkit: http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e
NSA Operating System Security Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
NSA Guide to Secure Configuration of Red Hat Enterprise Linux 5: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
Tips for Securing Apache: http://www.petefreitag.com/item/505.cfm
Apache Security by Ivan Ristic, 2005 O’Reilly ISBN: 0-596-00724-8
Tips for Secure File Uploads with ColdFusion: http://www.petefreitag.com/item/701.cfm
HackMyCF.com Remote ColdFusion vulnerability scanner: http://hackmycf.com/
Fixing Apache (13) Permission Denied 403 Forbidden Errors: http://www.petefreitag.com/item/793.cfm
Apache Tomcat 8.5 Security Considerations: http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
Getting started with AppCmd.exe: http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
Professional Microsoft IIS 8 by Schaefer, Kenneth; Cochran, Jeff; Forsyth, Scott; Glendenning, Dennis; Perkins, Benjamin. Wiley. ISBN: 978-1-118-38804-4
ColdFusion and SELinux: http://www.talkingtree.com/blog/index.cfm?mode=entry&entry=28ED0616-50DA-0559-A0DD2E158FF884F3
ColdFusion MX with SELinux Enforcing: http://www.ghidinelli.com/2007/12/06/coldfusion-mx-with-selinux-enforcing
Thanks to Charlie Arehart for providing several suggestions and feedback on prior versions of the guide.
10 Reference Tables
10.1 Tags that use /cf_scripts/ assets
Tag                               URI Pattern                       Notes
cfajaxproxy                       /cf_scripts/scripts/ajax/
cfajaximport                      /cf_scripts/scripts/              This tag lets you override the default script src setting
cfautosuggest                     /cf_scripts/scripts/ajax/
cfcalendar                        /cf_scripts/scripts/ajax/
cfchart                           /cf_scripts/scripts/ajax/
                                  /cf_scripts/scripts/chart/
cfclient                          /cf_scripts/cfclient/
cfdiv                             /cf_scripts/scripts/ajax/
cffileupload                      /cf_scripts/scripts/ajax/
cfform                            /cf_scripts/scripts/cfform.js
                                  /cf_scripts/scripts/masks.js
cfform format=flash               /cf_scripts/scripts/ajax/         Deprecated since CF11
cfform format=xml                 /cf_scripts/scripts/ajax/         Deprecated since CF11
cfgrid                            /cf_scripts/scripts/ajax/
cfgrid format=applet              /cf_scripts/classes/              Deprecated since CF11
cfinput (autosuggest, datefield)  /cf_scripts/scripts/ajax/
cflayout                          /cf_scripts/scripts/ajax/
cfmap                             /cf_scripts/scripts/ajax/
cfmediaplayer                     /cf_scripts/scripts/ajax/
cfmenu                            /cf_scripts/scripts/ajax/
cfmessagebox                      /cf_scripts/scripts/ajax/
cfpod                             /cf_scripts/scripts/ajax/
cfprogressbar                     /cf_scripts/scripts/ajax/
cfslider                          /cf_scripts/scripts/ajax/
cfsprydataset                     /cf_scripts/scripts/ajax/         Deprecated since CF11
cftextarea                        /cf_scripts/scripts/ajax/
                                  /cf_scripts/scripts/ckeditor/     Consider blocking the ckeditor subfolder if you do not use this tag because it has cfm files in it.
cftooltip                         /cf_scripts/scripts/ajax/
cftree                            /cf_scripts/scripts/ajax/
cftree format=applet              /cf_scripts/classes/              Deprecated since CF11
cfwebsocket                       /cf_scripts/scripts/ajax/
cfwindow                          /cf_scripts/scripts/ajax/
11 Troubleshooting
11.1 ColdFusion cannot write files under the web root
The Auto Lockdown tool gives ColdFusion read only permission to the web root; if there are files or folders that ColdFusion must write to you need to give the ColdFusion user account (eg cfuser) write permission.
11.2 Requesting a cfm results in a 404 after Lockdown tool
Here are two possible causes.
The IIS Application Pool .NET Framework Version may not have been set to No Managed Code.
The auto lockdown tool does not create inheritable file system permission, so ColdFusion’s user account may not have permission to read the file if it was created after the lockdown tool ran. See the section titled Adjust Windows File System Permissions.
11.3 IIS does not have permission to read web.config file
If you made a change in IIS after running the lockdown tool that caused a new web.config file to be created, the new file may not have the appropriate permissions. See the section titled Adjust Windows File System Permissions.
11.4 WebSockets are not working after running lockdown tool
Sites that use the ColdFusion WebSocket proxy must change the .NET Framework Version in the IIS Application Pool Settings from No Managed Code to a version of .NET that supports WebSockets (v4+).
11.5 Help Installing ColdFusion Hotfixes
Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide
12 Revision History
Version 1.0 - 2018-08-13 - Initial Release.
Version 1.1 - 2018-10-05
Typo in section 4.11 Disable Unused Servlet Mappings on Page 34: /flex/internal/ should be /flex-internal/
Version 1.2 - 2019-03-19
Removed section (previously 2.7) Adjust Windows File System Permissions because it is no longer necessary due to bug fixes: https://tracker.adobe.com/#/view/CF-4202957
Revised the Update JVM sections pertaining to Oracle licensing changes.
Changed Allow concurrent login sessions for Administrator Console from checked to unchecked.
Version 1.3 - 2020-03-31
Added note in section 4.4 about write permission to WEB-INF cfclasses, rest-skeletons, and cfc-skeletons