Steven Erat's Blog
TalkingTree: Securing the ColdFusion MX Administrator

 

UPDATE June 2010: You should read the 2010 article on Adobe.com, ColdFusion 9 Lockdown Guide [PDF], for the most recent security advice at this time.

---

While there are Macromedia technotes and documentation on securing the ColdFusion 5 Administrator, there hasn't been much published on securing the Administrator in ColdFusion MX.

You would think that you could just remove the physical /CFIDE directory from the external webroot, or remove the /CFIDE mapping for the website from the IIS Management Console. However, some ColdFusion features such as CFFORM and CFGRID have dependencies on files under CFIDE, so removing it entirely would likely break applications that use those features (or rule them out if they haven't been used yet), and of course you would have to restore /CFIDE every time you want to adjust ColdFusion Administrator settings. A practical solution that keeps the application dependencies under CFIDE available while making the Administrator publicly unavailable and secure follows:

  • Find the physical ColdFusion MX CFIDE directory on the system and zip it to a backup archive.
  • If using IIS, remove the virtual mapping for /CFIDE from the IIS MMC.
  • Make the physical CFIDE directory available in the external web server's document root.
  • From that copy of CFIDE, remove the administrator/ subdirectory but leave everything else. The ColdFusion Administrator runs entirely from the administrator/ directory.
  • Use a different web server instance, or the built-in JWS web server, to serve the ColdFusion Administrator, but restrict that web server instance to listen only on a private interface such as localhost/127.0.0.1 or an intranet IP on a separate NIC.
  • To restrict the interface in the built-in JWS web server that comes with ColdFusion, edit the jrun.servlet.http.WebService section in jrun.xml, change the value of the attribute element named "interface" from * to localhost or the internal IP, and then restart the server instance. Refer to vendor documentation if restricting the interface on an external web server.
  • Copy the full CFIDE directory, with its administrator/ subdirectory, to the document root for this private web site instance.

The result of this configuration is a publicly facing external webserver that can serve your application and any dependencies from the /CFIDE directory without making the CF Admin available, and another webserver instance that will serve only the Administrator on a private internal IP or localhost. Since the CF Admin isn't accessible publicly, there's no risk of someone attempting to tamper with it.
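As an added illustration of the JWS step above (example code written here, not from the post or from Macromedia): a small Python check that reads the `interface` attribute of the `jrun.servlet.http.WebService` service out of jrun.xml, rewrites it to a private binding, and classifies whether a given value is private. The jrun.xml element layout is assumed from memory, and the sample document is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the jrun.xml section the post refers to. The
# <service class=...>/<attribute name=...> layout is assumed from memory
# of JRun 4; compare it with your own jrun.xml before relying on it.
SAMPLE_JRUN_XML = """<jrun-server>
  <service class="jrun.servlet.http.WebService" name="WebService">
    <attribute name="port">8500</attribute>
    <attribute name="interface">*</attribute>
  </service>
</jrun-server>"""

WEB_SERVICE_CLASS = "jrun.servlet.http.WebService"

def _interface_attrs(root):
    """Yield the 'interface' <attribute> elements of the JWS HTTP service."""
    for service in root.iter("service"):
        if service.get("class") != WEB_SERVICE_CLASS:
            continue
        for attr in service.findall("attribute"):
            if attr.get("name") == "interface":
                yield attr

def web_service_interface(jrun_xml):
    """Value of the JWS 'interface' attribute; '*' (all interfaces) if absent."""
    for attr in _interface_attrs(ET.fromstring(jrun_xml)):
        return (attr.text or "*").strip()
    return "*"

def set_interface(jrun_xml, new_value):
    """Return jrun.xml text with the JWS interface attribute rewritten."""
    root = ET.fromstring(jrun_xml)
    for attr in _interface_attrs(root):
        attr.text = new_value
    return ET.tostring(root, encoding="unicode")

def is_private_interface(value):
    """True when JWS is bound only to loopback or an RFC 1918 address."""
    if value == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # '*' or an unresolved hostname: treat as exposed
    return addr.is_loopback or addr.is_private
```

Run `is_private_interface(web_service_interface(open("jrun.xml").read()))` against the real file after the edit and restart; a `False` means the Administrator listener is still reachable on every interface.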

 


Comments

Since macromedia.com runs on a cluster of CF instances, our approach is to have JWS enabled on every machine but have Apache rewrite /CFIDE/administrator/* to a 404 error so you can only get at the machines using JWS - which of course is not accessible outside the firewall (and nor are the internal machine names / IPs accessible outside the firewall either!).

It's a nice, simple approach that requires very little reconfiguration.


The way I lock down the CF Administrator on a public facing site running windows is:
1) Rename the administrator directory to something cryptic like 'w9e92xgwf'
2) Use IIS authentication on the renamed directory.

It's quick and easy while still giving me access from anywhere. Similar solutions should be simple on *nix/Apache.

Gus


Thank you both for your suggestions. Collectively, I'll try to use all this to publish a technote on the topic since one is lacking.


You can always just move your web root for your site off of the path entirely. IIS will still run CFML even if it's serving the files from a drive the CF isn't installed on. On *nix, don't expose the directories under CFIDE to anything but a virtual host (and secure the administrator directory with a login) and map it in the client's host file. All public requests should go to CF's wwwroot.


There are directories under /CFIDE which are required for ColdFusion applications, such as the Javascript and jar files needed for CFGRID. If you totally block all access to /CFIDE then you will break applications that depend on those things.


I would really love to be able to do away with CFIDE/administrator.

If we were to reinstall, or deploy to additional servers, it is a pointless hassle to go clicking through all of that mess when what I would really want is a copy of what is already in use elsewhere.

Doing a copy of the entire install directory has seemed to pass some rudimentary tests, but the next step is dealing with upgrades in a smart way. when CF 7.x or 8 comes out, it would be great to just copy over some of those neo-something xml files, if I could be sure that I was getting all the settings and none of the code that was being nixed by the next revision of CF.

This is the kind of thing we all take for granted with F/OSS software, but commercial companies don't seem as interested in making this stuff accessible.

(if this exposes my email address, could you just scrap this whole post?)


I have CFIDE in \wwwroot\ but my clients are virtual hosted like \wwwroot\abc.com or \wwwroot\xyz.com, and none is getting the CFIDE. Is there any way of pointing to the CFIDE instead of copying it over to each site?


Most likely you DO NOT want to make CFIDE publicly available on internet websites, which was the whole point of this blog entry. You DO want CFIDE available internally so you can administer ColdFusion from a secure environment, and you DON'T need to make the full CFIDE available on every hosted domain. There are two subdirectories you might want to make publicly available, such as /CFIDE/scripts, but there is a CFML language attribute to dynamically point to a scripts folder such that it doesn't have to be under CFIDE at all.

I suggest you contact Adobe Support if you'd like someone to help provide more details about securing CFIDE.


Copyright © 2010 Steven Erat. All rights reserved.
This is a personal weblog. The opinions expressed here represent my own and not those of my employer