Adobe ColdFusion 2018 Lockdown Guide (2018-08-13)


Adobe ColdFusion 2018 Lockdown Guide. Written by Pete Freitag, Foundeo Inc.

© 2018 Adobe Systems Incorporated and its Licensors. All Rights Reserved.

Adobe ColdFusion (2018 release) Lockdown Guide

If this guide is distributed with software that includes an end user agreement, this guide, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by any such license, no part of this guide may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written permission of Adobe Systems Incorporated. Please note that the content in this guide is protected under copyright law even if it is not distributed with software that includes an end user license agreement.

The content of this guide is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Adobe Systems Incorporated. Adobe Systems Incorporated assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this guide.

Please remember that existing artwork or images that you may want to include in your project may be protected under copyright law. The unauthorized incorporation of such material into your new work could be a violation of the rights of the copyright owner. Please be sure to obtain any permission required from the copyright owner. Any references to company names in sample templates are for demonstration purposes only and are not intended to refer to any actual organization.

Adobe, the Adobe logo, Adobe Content Server, Adobe Digital Editions, and Adobe PDF are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Microsoft, Windows and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Macintosh and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. All other trademarks are the property of their respective owners.

Adobe Systems Incorporated, 345 Park Avenue, San Jose, California 95110, USA.

Notice to U.S. Government End Users. The Software and Documentation are "Commercial Items," as that term is defined at 48 C.F.R. §2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §§227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein. Unpublished-rights reserved under the copyright laws of the United States.

For U.S. Government End Users, Adobe agrees to comply with all applicable equal opportunity laws including, if appropriate, the provisions of Executive Order 11246, as amended, Section 402 of the Vietnam Era Veterans Readjustment Assistance Act of 1974 (38 USC 4212), and Section 503 of the Rehabilitation Act of 1973, as amended, and the regulations at 41 CFR Parts 60-1 through 60-60, 60-250, and 60-741. The affirmative action clause and regulations contained in the preceding sentence shall be incorporated by reference.

Table of Contents

1 Introduction
1.1 Default File Paths and Usernames
1.2 Operating Systems and Web Servers
1.3 ColdFusion Version
1.4 Scope of Document
1.5 Applying to Existing Installations
1.6 Naming Conventions

2 ColdFusion On Windows
2.1 Installation Prerequisites
2.2 Install & Configure IIS
2.3 Run the Windows ColdFusion Installer
2.4 Install ColdFusion Hotfixes
2.5 Setup Websites in IIS
2.6 Run the ColdFusion 2018 Server Auto Lockdown Tool
2.7 Update JVM

3 ColdFusion Administrator Settings
3.1 Server Settings > Settings
3.2 Server Settings > Request Tuning
3.3 Server Settings > Caching
3.4 Server Settings > Client Variables
3.5 Server Settings > Memory Variables
3.6 Server Settings > Mappings
3.7 Server Settings > Mail
3.8 Server Settings > WebSocket
3.9 Server Settings > Charting
3.10 Data & Services > Data Sources
3.11 Data & Services > ColdFusion Collections
3.12 Data & Services > Solr
3.13 Data & Services > Flex Integration
3.14 Data & Services > PDF Service
3.15 Debugging & Logging > Debug Output Settings
3.16 Debugging & Logging > Developer Profile
3.17 Debugging & Logging > Debugger Settings
3.18 Debugging & Logging > Logging Settings
3.19 Debugging & Logging > Remote Inspection Settings
3.20 Event Gateways > Settings
3.21 Event Gateways > Gateway Instance
3.22 Security > Administrator
3.23 Security > RDS
3.24 Security > Sandbox Security
3.25 Security > User Manager
3.26 Security > Allowed IP Addresses
3.27 Security > Secure Profile
3.28 Server Update > Updates: Settings

4 Additional Lockdown Measures
4.1 To Configure the Builtin Web Server to bind to 127.0.0.1 only
4.2 To Run the Builtin Web Server over TLS
4.3 To Disable the Builtin Web Server
4.4 Deny ColdFusion Write Permission to Builtin Web Server wwwroot
4.5 Restrict ColdFusion File System Permissions
4.6 Lockdown the ColdFusion Add-on Services
4.7 Lockdown File Extensions
4.8 Additional URIs to Consider Blocking
4.9 Optionally Remove ASP.NET
4.10 Remove ASP.NET ISAPI Filters and Handler Mappings
4.11 Disable Unused Servlet Mappings
4.12 Additional Tomcat Security Considerations
4.13 Additional File Security Considerations
4.14 Adding ClickJacking Protection
4.15 Restricting HTTP Verbs
4.16 Security Constraints in web.xml
4.17 Limit Request Size
4.18 Distributed Mode or Reverse Proxy
4.19 HTTP Response Headers to improve Security

5 ColdFusion Lockdown on Linux
5.1 Linux Installation Prerequisites
5.2 Create a Dedicated User Account for ColdFusion
5.3 ColdFusion Installation
5.4 Access ColdFusion Administrator via a SSH Tunnel
5.5 Install ColdFusion Hotfixes
5.6 Install and Configure Apache Web Server
5.7 Run the Linux ColdFusion Auto Lockdown Tool
5.8 Update JVM
5.9 Setup Auditing
5.10 Change umask
5.11 Additional Lockdown Steps

6 Performance Monitoring Toolset Security Considerations
6.1 Installing the PMT
6.2 ColdFusion Server Auto Discovery
6.3 PMT Datastore
6.4 Run PMT and PMT Datastore as Dedicated User
6.5 Update PMT JVM

7 API Manager Security Considerations
7.1 Install API Manager
7.2 Connect API Manager to IIS
7.3 Run API Manager as a Dedicated User

8 Patch Management Procedures
9 Sources of Information
10 Reference Tables
10.1 Tags that use /cf_scripts/assets
11 Troubleshooting
11.1 ColdFusion cannot write files under the webroot
11.2 Requesting a cfm results in a 404 after Lockdown tool
11.3 IIS does not have permission to read web.config file
11.4 WebSockets are not working after running lockdown tool
11.5 Help Installing ColdFusion Hotfixes
12 Revision History

ColdFusion 2018 Lockdown Guide (2020-03-31) — Table of Contents Page 2 of 49

1 Introduction

The ColdFusion 2018 Lockdown Guide is written to help server administrators secure their ColdFusion 2018 installations. In this document you will find several tips and suggestions intended to improve the security of your ColdFusion server.

IMPORTANT: The reader is strongly encouraged to test all recommendations on an isolated test environment before deploying into production.

1.1 Default File Paths and Usernames

This guide provides example file system paths for installation; you should not use the same example installation paths in your own deployment.

1.2 Operating Systems and Web Servers

This guide focuses on Windows Server 2016 / IIS 10 and Red Hat Enterprise Linux (RHEL) 7 / Apache 2.4. Many of the suggestions presented in this document can be extrapolated to apply to similar operating systems and web servers.

1.3 ColdFusion Version

This guide was written for ColdFusion 2018 Enterprise Edition.

1.4 Scope of Document

This document does not detail security settings for the operating system, the web server, databases, or network firewalls. It is focused on security settings for the ColdFusion server only.

All suggestions in this document should be tested and validated on a non-production environment before deploying to production.

1.5 Applying to Existing Installations

This guide is written from the perspective of a fresh installation. When possible consider performing a fresh installation of the operating system, web server and the ColdFusion server. If an attacker has compromised the existing server in any way you should start with a fresh operating system installation on new hardware.

1.6 Naming Conventions

In this guide we refer to the ColdFusion installation root directory as {cf.root}; it corresponds to the directory that you select when installing ColdFusion. The ColdFusion instance root is referred to as {cf.instance.root}. Enterprise installations may have multiple instances, but the default instance is {cf.root}/cfusion/.

2 ColdFusion On Windows

This section covers the installation and configuration of ColdFusion 2018 on a Windows Server 2016 server. If you are running Linux please start at section 5, ColdFusion Lockdown on Linux.

In this section we will perform the following:

- Installation Prerequisites
- Install & Configure IIS
- Install ColdFusion
- Run the ColdFusion Auto Lockdown Tool
- Update the JVM

2.1 Installation Prerequisites

Before you begin the installation process please review the following:

- Configure a network firewall (and/or configure the Windows firewall) to block all incoming public traffic during installation.
- Read the Microsoft Windows Security Compliance Manager guidelines and documentation: http://www.microsoft.com/en-us/download/details.aspx?id=16776
- Create separate partitions and/or drives for the ColdFusion installation, website assets, and log files. This may reduce what can be compromised by a path traversal attack. It could also mitigate a denial of service attack that attempts to fill the main system drive.
- Remove or disable any software on the server that is not required.
- Run Windows Update and ensure all software running on the server is fully patched.
- Ensure that all partitions use NTFS to allow for fine grained access control and auditing.
- Download ColdFusion from adobe.com.
- Verify that the MD5 or SHA checksum listed on the adobe.com download page matches the file you downloaded. In PowerShell you can run Get-FileHash installer-file-name.exe -Algorithm MD5 to obtain the checksum. Prefer the SHA checksum when one is published, as MD5 is no longer collision resistant.

2.2 Install & Configure IIS

IMPORTANT: Before configuring IIS ensure that public traffic is blocked by your network or OS firewall. You should only enable public traffic after completing all the steps in the lockdown guide.

2.2.1 Install IIS Roles and Features

Open the Windows Server Manager application, under the Manage menu select Add Roles and Features. If IIS is not already installed check Web Server (IIS).

A minimal set of IIS Role Services may include the following:

- Common HTTP Features: Default Document
- Common HTTP Features: HTTP Errors
- Common HTTP Features: Static Content
- Health and Diagnostics: HTTP Logging
- Security: Request Filtering
- Security: IP and Domain Restrictions
- Application Development: .NET Extensibility 4.6 (or latest version)
- Application Development: ASP.NET 4.6 (or latest version)
- Application Development: CGI
- Application Development: ISAPI Extensions
- Application Development: ISAPI Filters
- Management Tools: IIS Management Console

If the server application uses WebSockets also install:

- Application Development: WebSocket Protocol

If you wish to add web server level authentication to any sites you should also install one of the Authentication modules such as:

- Security: Windows Authentication

Select any additional IIS role services or features that your web applications require. You can always go back and add additional role services later if necessary.
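The role services above can be scripted, which also makes drift easy to detect later. The following is an added example, not part of Adobe's guide, that installs exactly that minimal set with the ServerManager cmdlets and then reports any Web-* feature that is installed but not on the allowlist. The feature names are the ones Get-WindowsFeature reports on Windows Server 2016; the container names (Web-Server, Web-WebServer, Web-Common-Http, Web-Health, Web-Security, Web-App-Dev, Web-Mgmt-Tools) are allowed because they show as installed whenever one of their children is.

```powershell
# Added example, not part of the Adobe lockdown guide.
# Installs the minimal IIS role services from section 2.2.1 and audits for extras.
# Run in an elevated Windows PowerShell 5.1 session on Windows Server 2016.
Import-Module ServerManager

# Leaf features that map 1:1 to the guide's list. Web-Net-Ext45 and Web-Asp-Net45
# are the ".NET Extensibility 4.6" and "ASP.NET 4.6" entries in Server Manager.
$Required = @(
    'Web-Default-Doc', 'Web-Http-Errors', 'Web-Static-Content',   # Common HTTP Features
    'Web-Http-Logging',                                           # Health and Diagnostics
    'Web-Filtering', 'Web-IP-Security',                           # Security
    'Web-Net-Ext45', 'Web-Asp-Net45', 'Web-CGI',                  # Application Development
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Mgmt-Console'                                            # Management Tools
)
# Optional extras from the guide; include only when the application needs them.
$Optional = @{
    WebSockets  = 'Web-WebSockets'
    WindowsAuth = 'Web-Windows-Auth'
}
# Parent/container features report Installed as soon as any child is installed.
$Containers = @('Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Health',
                'Web-Security', 'Web-App-Dev', 'Web-Mgmt-Tools')

function Install-MinimalIis {
    param([switch]$WebSockets, [switch]$WindowsAuth)
    $features = @($Required)
    if ($WebSockets)  { $features += $Optional.WebSockets }
    if ($WindowsAuth) { $features += $Optional.WindowsAuth }
    # Installing only leaf features avoids the defaults that installing Web-Server
    # on its own would pull in (directory browsing, static compression, ...).
    $result = Install-WindowsFeature -Name $features
    if (-not $result.Success) { throw "Feature installation failed: $($result.ExitCode)" }
    return $result.RestartNeeded
}

function Get-UnexpectedIisFeatures {
    param([switch]$WebSockets, [switch]$WindowsAuth)
    $allowed = @($Required) + $Containers
    if ($WebSockets)  { $allowed += $Optional.WebSockets }
    if ($WindowsAuth) { $allowed += $Optional.WindowsAuth }
    # Anything installed under the Web Server role that is not on the allowlist
    # widens the attack surface; remove it with Uninstall-WindowsFeature.
    Get-WindowsFeature -Name 'Web-*' |
        Where-Object { $_.Installed -and ($allowed -notcontains $_.Name) } |
        Select-Object -ExpandProperty Name
}

# Usage:
#   Install-MinimalIis -WebSockets
#   Get-UnexpectedIisFeatures -WebSockets   # no output means no drift from the list
```

Run the audit function again after any later "Add Roles and Features" session, and after hotfixes that touch the web server, so that features added for troubleshooting do not stay behind.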

2.2.2 Add Web Sites to IIS

At a minimum create a webroot directory for each website on the server file system. To increase isolation between websites you may consider placing each site on a unique drive letter.

Next copy the website source code into each webroot directory.

In IIS add your website.

Test your IIS configuration by requesting a static file such as a txt or js file.

2.3 Run the Windows ColdFusion Installer

2.3.1 ColdFusion Installer: Installer Configuration

On the Installer Configuration view select Server configuration unless you are deploying to an external JEE server (such as JBoss, WebLogic or WebSphere).

2.3.2 ColdFusion Installer: Server Profile

Next select Production Profile + Secure Profile and enter a comma separated list of IP addresses that are allowed to access the ColdFusion Administrator.

Tip: if you want to allow localhost access to the ColdFusion Administrator, enter both the IPv4 (127.0.0.1) and IPv6 (::1) versions of localhost. Some browsers may use IPv6 by default for localhost.

The Secure Profile option provides a more secure foundation of default settings. You can review the settings it toggles here: https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html

Some of the settings that the Secure Profile toggles could cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues.

As of ColdFusion 11 the Secure Profile settings can also be toggled from the ColdFusion Administrator.

2.3.3 ColdFusion Installer: Sub-components Installation

Only select sub-components that your server applications require.

- ODBC Service: required when connecting to Access databases, not required for SQL Server.
- Solr Service: full text search engine used by the cfindex, cfsearch and cfcollection tags.
- PDFG Service: WebKit based PDF rendering engine used by the cfhtmltopdf tag. You can still use cfdocument and cfpdf without installing this service.
- Admin Component for Remote Start/Stop: allows ColdFusion Builder or the Server Manager AIR app to start or stop ColdFusion. Not recommended for production servers.
- .NET Integration Services: allows createObject and cfobject to create instances of .NET objects and assemblies.

2.3.4 ColdFusion Installer: Enabling or Disabling Servlets

Check any servlets that are required by your application. Most ColdFusion applications do not require any of these servlets to be enabled.

- RDS: used for development, allows remote access to the file system and databases. This should not be enabled on a production server.
- JSDebug: used for debugging, should not be enabled on a production server.
- CFReporting: only required if the cfreport tag is used.
- CFSWF: used by flash forms (<cfform format="flash">) to generate Flash swf files dynamically.
- FlashForms: used by flash forms (<cfform format="flash">).

2.3.5 ColdFusion Installer: Access Add-on Services Remotely

If you selected the PDFG (cfhtmltopdf tag) or Solr (cfsearch, cfindex, cfcollection tags) sub-components, the ColdFusion 2018 Add-on Services Windows service will be installed.

When the Access Add-on Services Remotely checkbox is unchecked, the Add-on Services are only accessible from the local machine (localhost). If you want to allow access to the services from multiple ColdFusion servers (other than localhost), check the checkbox and specify the IP addresses of the remote ColdFusion servers.

2.3.6 ColdFusion Installer: Select Installation Directory

Specify a file system path for the ColdFusion installation root {cf.root}. Consider avoiding the default C:\ColdFusion2018\ path.

[Figure: Windows ColdFusion Installer: Select Installation Directory]

2.3.7 ColdFusion Installer: Built-in Web Server Port Number

Select a non-default port number. Ensure that the port number is blocked by your network/OS firewall.

[Figure: Windows ColdFusion Installer: Built-in Web Server Port Number]

2.3.8 ColdFusion Installer: Performance Monitoring Toolset

Enter the hostname or internal IP address of the server for use with the Performance Monitoring Toolset. This value can be changed later.

[Figure: Windows ColdFusion Installer: Performance Monitoring Toolset]

2.3.9 ColdFusion Installer: Administrator Credentials

Enter a username other than admin and select a strong password.

[Figure: Windows ColdFusion Installer: Administrator Credentials]

2.4 Install ColdFusion Hotfixes

Log in to the ColdFusion Administrator via the built-in web server. For example: http://127.0.0.1:8500/CFIDE/administrator/ (replace 8500 with the port you selected during installation).

Click on Server Updates > Updates; if any hotfixes are available select the latest hotfix and click Download.

Tip: Hotfixes are typically cumulative, so if there are multiple hotfixes you typically only need to install the latest one. Security hotfixes may have additional steps such as updating the JVM or updating connectors; be sure to read each Security Bulletin for details.

Run the hotfix installer from an elevated (Run as Administrator) Command Prompt or PowerShell terminal (replace hotfix_XXX.jar with the actual hotfix file name):

x:\cf2018\jre\bin\java -jar x:\cf2018\cfusion\hf-updates\hotfix_XXX.jar

Tip: You can verify the integrity of the downloaded hotfix by running Get-FileHash hotfix_XXX.jar -Algorithm MD5 (in PowerShell) and checking that the checksum matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates

Visit https://www.adobe.com/support/security/ and read any pertinent ColdFusion Security Bulletins. Confirm that all required security patches have been applied.

Some hotfixes or updates may require you to run the ColdFusion Web Server Configuration Tool to upgrade the connector. Carefully review the hotfix release notes to determine if there are any additional steps that should be performed.

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide
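Sections 2.1 and 2.4 both ask for a checksum check before a downloaded file is run. The following is an added example, not from the guide, that wraps that check and the hotfix command above in PowerShell: it compares the file's hash with the value you copied from the download page or the update feed, refuses to continue on a mismatch, and only then launches the hotfix installer with the JRE that ships in {cf.root}. The paths x:\cf2018 and hotfix_XXX.jar are the guide's own placeholders; substitute your real values.

```powershell
# Added example, not part of the Adobe lockdown guide.
# Verifies a downloaded file against a published checksum, then runs a ColdFusion
# hotfix jar with the JRE that ships in {cf.root}. Windows PowerShell 5.1.
function Test-PublishedChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) { throw "File not found: $Path" }
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    # Get-FileHash returns upper-case hex while published values are often lower-case;
    # -ne is case-insensitive in PowerShell, so no normalisation is needed.
    if ($actual -ne $Expected.Trim()) {
        throw "$Algorithm mismatch for $Path : expected $Expected, got $actual"
    }
    # An MD5 match only proves you have the file Adobe published if the hash itself
    # was read from adobe.com over TLS; prefer SHA-256 whenever one is listed.
    return $true
}

function Install-CFHotfix {
    param(
        [Parameter(Mandatory)][string]$CfRoot,        # {cf.root}, e.g. x:\cf2018
        [Parameter(Mandatory)][string]$HotfixJar,     # e.g. x:\cf2018\cfusion\hf-updates\hotfix_XXX.jar
        [Parameter(Mandatory)][string]$ExpectedHash,  # value from https://www.adobe.com/go/coldfusion-updates
        [string]$Algorithm = 'MD5'                     # the update feed lists MD5 values
    )
    # The installer writes under {cf.root} and restarts the service, so it must run elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run the hotfix installer from an elevated (Run as Administrator) session'
    }
    $java = Join-Path -Path $CfRoot -ChildPath 'jre\bin\java.exe'
    if (-not (Test-Path -Path $java)) { throw "ColdFusion JRE not found at $java" }

    Test-PublishedChecksum -Path $HotfixJar -Expected $ExpectedHash -Algorithm $Algorithm | Out-Null

    # Same command as the guide, using the JRE ColdFusion itself ships with.
    & $java -jar $HotfixJar
    if ($LASTEXITCODE -ne 0) { throw "Hotfix installer exited with code $LASTEXITCODE" }
}

# Usage:
#   Install-CFHotfix -CfRoot 'x:\cf2018' `
#       -HotfixJar 'x:\cf2018\cfusion\hf-updates\hotfix_XXX.jar' `
#       -ExpectedHash '<md5 value copied from the update feed>'
```

Test-PublishedChecksum can be reused for the installer download in 2.1 and the Java zip in 2.7.1 by passing SHA256 when the page lists a SHA-256 value.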

2.4.1 Downloading Hotfixes Via Proxy

If your server requires a proxy server to connect to the internet you may need to add the following JVM arguments (in ColdFusion Administrator under Server Settings > Java and JVM) and then restart ColdFusion to use your proxy server:

-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=12345 -Dhttp.proxyUser=u -Dhttp.proxyPassword=p

The update feed is served over HTTPS, and for HTTPS connections the JVM reads https.proxyHost and https.proxyPort rather than the http.* properties, so set those as well when the same proxy applies. A proxy password supplied this way is stored in clear text in jvm.config and is visible to anyone who can read that file or list the process arguments; prefer a proxy that does not require credentials, or remove the arguments once the update has been downloaded.

2.4.2 Servers Without a Public Internet Connection

If your server does not have a public internet connection you can locate the hotfix_XXX.jar file URL using the ColdFusion Update Feed: https://www.adobe.com/go/coldfusion-updates. Download the hotfix_XXX.jar file on a computer with internet access, verify the checksum, and then transfer it to the server.

2.5 Setup Websites in IIS

First ensure that the firewall is configured to block live traffic.

Next create the file system for each website that will use ColdFusion and copy all the web files into the file system.

Create and configure each website that will use ColdFusion in IIS.

2.6 Run the ColdFusion 2018 Server Auto Lockdown Tool

The Auto Lockdown Tool performs the following steps for you:

- Connects ColdFusion to the web server (wsconfig)
- Sets the ColdFusion service identity to run as a dedicated account, optionally creating the account for you
- Sets file system permissions for your webroot and ColdFusion installation directory
- Adds Request Filtering rules to block various URIs
- Adds a connector shared secret
- Optionally changes the Tomcat shutdown port
- Configures a new cf_scripts alias
- Changes registry permissions

Before you run the tool, make sure you have done the following:

- Installed ColdFusion 2018 with Secure Profile enabled
- Logged in to the ColdFusion Administrator at least once
- Created your websites in IIS, and copied the website files

Download and run the latest copy of the ColdFusion 2018 Server Auto Lockdown Tool: https://www.adobe.com/support/coldfusion/downloads.html

2.6.1 Lockdown Installer: ColdFusion Installation Directory

Choose the directory that ColdFusion was installed to.

[Figure: Lockdown Installer: Select Installation Directory]

2.6.2 Lockdown Installer: ColdFusion Updates

Choose Yes/Automatic to ensure that ColdFusion has been updated to the latest hotfix. Adobe recommends that you install ColdFusion updates before running the Lockdown tool.

[Figure: Lockdown Installer: ColdFusion Updates]

2.6.3 Lockdown Installer: ColdFusion Configuration

Select the instance that you want to lock down.

[Figure: Lockdown Installer: ColdFusion Configuration]

2.6.4 Lockdown Installer: Web Server Configuration

Select the type of web server you are using, IIS in this case.

[Figure: Lockdown Installer: Web Server Configuration]

2.6.5 Lockdown Installer: Websites in IIS

Select the websites that you wish to connect ColdFusion to and to lock down.

Tip: you can hold Shift or Ctrl when clicking to select multiple sites.

[Figure: Lockdown Installer: Websites in IIS]

2.6.6 Lockdown Installer: IIS Application Pool Detail

Verify that the application pool names are correct for each website.

[Figure: Lockdown Installer: IIS Application Pool Detail]

2.6.7 Lockdown Installer: IIS Websites Webroot Detail

Verify that the webroot paths are correct for each website.

[Figure: Lockdown Installer: IIS Websites Webroot Detail]

2.6.8 Lockdown Installer: ColdFusion Administrator Configuration

Enter the ColdFusion Administrator username and password specified during the ColdFusion installation. Also ensure that the built-in web server port is correctly specified (the default port is 8500).

[Figure: Lockdown Installer: ColdFusion Administrator Configuration]

2.6.9 Lockdown Installer: OS Administrator Account Details

Enter the Administrator username, password and server name or domain.

[Figure: Lockdown Installer: OS Administrator Account Details]

2.6.10 Lockdown Installer: ColdFusion Runtime User

Create a unique username for the user account that ColdFusion will run as. Specify the domain, and a strong password.

[Figure: Lockdown Installer: ColdFusion Runtime User]

2.6.11 Lockdown Installer: Shutdown Port

Choose Yes and enter a random port number that is not in use.

[Figure: Lockdown Installer: Shutdown Port]

2.6.12 Confirm that the Auto Lockdown Tool Ran Successfully

Open the {cf.root}/lockdown/{cf.instance}/Logs/ folder and review the log files to confirm that the installer completed without fatal errors. Specifically, look in the log file(s) whose names begin with ServerLockdown_ for a line containing: Successfully locked down ColdFusion!

2.6.13 Check User Account Permissions

When the lockdown installer creates a Windows user account for ColdFusion to run as, it does not check the box "Deny this user permissions to log on to Remote Desktop Session Host server" in the user account properties.

To fix this open the Computer Management app, under Local Users and Groups find the user account and click Properties. Select the Remote Desktop Services Profile tab and then check the box.
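Both checks in 2.6.12 and 2.6.13 can be done from PowerShell instead of by reading logs and clicking through Computer Management. The following is an added example, not from the guide: it scans the ServerLockdown_* logs for the success line and for lines flagged as errors, then sets the Remote Desktop denial on the runtime account and confirms the account is not a local administrator. The {cf.root} value X:\cf2018, the instance name cfusion and the account name cfrun are illustrative; the FATAL|ERROR pattern is an assumption about how the tool marks severity, and the AllowLogon ADSI property is the setting behind that Remote Desktop checkbox.

```powershell
# Added example, not part of the Adobe lockdown guide.
# Confirms the Auto Lockdown tool finished, then hardens the runtime account it created.
# Run elevated, in Windows PowerShell 5.1, on the ColdFusion server itself.
function Test-LockdownSucceeded {
    param(
        [Parameter(Mandatory)][string]$CfRoot,    # {cf.root}
        [string]$Instance = 'cfusion'             # {cf.instance}
    )
    $logDir = Join-Path -Path $CfRoot -ChildPath "lockdown\$Instance\Logs"
    $logs = @(Get-ChildItem -Path $logDir -Filter 'ServerLockdown_*' -File -ErrorAction Stop)
    if ($logs.Count -eq 0) { throw "No ServerLockdown_* log found in $logDir" }

    $succeeded = $false
    foreach ($log in $logs) {
        # The literal success marker the guide says to look for.
        if (Select-String -Path $log.FullName -Pattern 'Successfully locked down ColdFusion!' -SimpleMatch -Quiet) {
            $succeeded = $true
        }
        # Assumed severity markers; surface them so nothing fatal is overlooked.
        Select-String -Path $log.FullName -Pattern 'FATAL|ERROR' -CaseSensitive | ForEach-Object {
            Write-Warning ('{0}:{1}: {2}' -f $log.Name, $_.LineNumber, $_.Line.Trim())
        }
    }
    return $succeeded
}

function Set-CFRuntimeAccountHardening {
    param([Parameter(Mandatory)][string]$UserName)   # the account created in step 2.6.10
    # "Deny this user permissions to log on to Remote Desktop Session Host server"
    # is the IADsTSUserEx AllowLogon property, reachable through the WinNT provider.
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $user.InvokeSet('AllowLogon', 0)
    $user.SetInfo()

    # A service account that is also a local administrator defeats the purpose of
    # running ColdFusion under a dedicated identity.
    $admins  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $isAdmin = $admins -contains "$env:COMPUTERNAME\$UserName"
    if ($isAdmin) {
        Write-Warning "$UserName is a member of Administrators; remove it before enabling public traffic"
    }
    return (-not $isAdmin)
}

# Usage:
#   if (Test-LockdownSucceeded -CfRoot 'X:\cf2018') { Set-CFRuntimeAccountHardening -UserName 'cfrun' }
```

For a domain account, apply the Remote Desktop denial on the account object in Active Directory (or through the "Deny log on through Remote Desktop Services" user right in Group Policy) rather than through the local WinNT provider.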

2.6.14 Additional Resources for the Auto Lockdown Tool

https://helpx.adobe.com/coldfusion/using/server-lockdown.html
https://coldfusion.adobe.com/2018/07/server-auto-lockdown/

2.7 Update JVM

Oracle releases Java security updates on a quarterly basis; most of these updates fix security vulnerabilities that could be exploited in a server environment.

Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However, for ColdFusion "Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion". Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/

2.7.1 Download and Install Java

First download the latest version of Java that ColdFusion 2018 supports (Java 11 at the time of this publication) from https://www.adobe.com/support/coldfusion/downloads.html. Select the Java zip distribution and download it.

Tip: Verify the checksum by running

Extract the Java zip file you downloaded to a permanent location, for example C:\Java\jdk-11.0.2\

2.7.2 Update ColdFusion Server JVM

Tip: Make a backup of the {cf.instance.root}/bin/jvm.config file and the {cf.root}/cfusion/jetty/jetty.lax file before making changes. If you type the path incorrectly ColdFusion will fail to start.

Log in to the ColdFusion Administrator, then click on Server Settings, then Java and JVM. Update the Java Virtual Machine Path setting to point to the new JVM, for example: C:\Java\jdk-11.0.2\

Restart ColdFusion. Visit the System Information page of the ColdFusion Administrator to confirm that the JVM has been updated.

If you need to revert your changes and go back to the default JVM, replace jvm.config with your backup and restart/start ColdFusion.

Repeat for each ColdFusion instance.

Test your sites again.

2.7.3 Update JVM for ColdFusion Add-on Services

If you installed the ColdFusion 2018 Add-on Services for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf), they run in a separate process and use the {cf.root}/jre by default.

Locate the file {cf.root}/cfusion/jetty/jetty.lax and make a backup of it. Next right click on jetty.lax and open it with Notepad or any plain text editor. Look for a line that defines the property lax.nl.current.vm, for example:

lax.nl.current.vm=C:\\ColdFusion2018\\jre\\bin\\javaw.exe

Change it to point to javaw.exe on your new JVM. Ensure that you use two backslashes (\\) to separate folders. For example:

lax.nl.current.vm=C:\\java\\jdk-11.0.XX\\jre\\bin\\javaw.exe

Restart the ColdFusion 2018 Add-on Services service.

Test your sites again.
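The jetty.lax edit in 2.7.3 is a one-line change, but a typo in it stops the Add-on Services from starting, so it is worth doing with a backup and a path check. The following is an added example, not from the guide, that performs the edit in PowerShell: it verifies that javaw.exe exists under the new JDK, backs up jetty.lax, rewrites only the lax.nl.current.vm line with the backslashes doubled, and restarts the service. The paths X:\cf2018 and C:\Java\jdk-11.0.2 are illustrative, and the service display name is an assumption to check with Get-Service.

```powershell
# Added example, not part of the Adobe lockdown guide.
# Points the ColdFusion 2018 Add-on Services at a new JVM by rewriting
# lax.nl.current.vm in jetty.lax, after backing the file up and checking the path.
function Update-AddonServicesJvm {
    param(
        [Parameter(Mandatory)][string]$CfRoot,     # {cf.root}, e.g. X:\cf2018
        [Parameter(Mandatory)][string]$JavaHome    # e.g. C:\Java\jdk-11.0.2
    )
    $lax = Join-Path -Path $CfRoot -ChildPath 'cfusion\jetty\jetty.lax'
    if (-not (Test-Path -Path $lax)) { throw "jetty.lax not found at $lax" }

    # JDK 11 zips put javaw.exe in bin\; older JRE layouts used jre\bin\. Accept either,
    # but never write a path that does not exist: that is what stops the service.
    $javaw = @("$JavaHome\bin\javaw.exe", "$JavaHome\jre\bin\javaw.exe") |
        Where-Object { Test-Path -Path $_ } | Select-Object -First 1
    if (-not $javaw) { throw "No javaw.exe found under $JavaHome" }

    $backup = '{0}.{1}.bak' -f $lax, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $lax -Destination $backup -ErrorAction Stop

    # .lax is a Java properties file, so every backslash must be doubled.
    # String.Replace is literal, which avoids regex escaping mistakes.
    $escaped = $javaw.Replace('\', '\\')
    $found = $false
    $updated = foreach ($line in Get-Content -Path $lax) {
        if ($line -match '^\s*lax\.nl\.current\.vm\s*=') {
            $found = $true
            "lax.nl.current.vm=$escaped"
        } else {
            $line
        }
    }
    if (-not $found) { throw "lax.nl.current.vm not present in $lax; file left unchanged, backup at $backup" }

    Set-Content -Path $lax -Value $updated -Encoding ASCII
    # Display name as created by the ColdFusion installer (assumed; confirm with Get-Service).
    Get-Service -DisplayName 'ColdFusion 2018 Add-on Services' -ErrorAction Stop | Restart-Service
    return $javaw
}

# Usage:
#   Update-AddonServicesJvm -CfRoot 'X:\cf2018' -JavaHome 'C:\Java\jdk-11.0.2'
```

If the service fails to start after the change, copy the timestamped .bak file back over jetty.lax and restart the service; the function never touches any other line in the file.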

For additional information on updating the JVM please see:

http://blogs.coldfusion.com/post.cfm/how-to-change-upgrade-jdk-version-of-coldfusion-server
http://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start
https://www.youtube.com/watch?v=zzC31EAlZ8Y

3 ColdFusion Administrator Settings

In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of all settings before making any changes.

3.1 Server Settings > Settings

Each setting is listed with the suggested value and additional information.

Timeout Requests After
  Suggestion: Checked / 5 sec.
  Set this value as low as possible. Any templates (such as scheduled tasks) that might take longer should use the cfsetting tag, for example: <cfsetting requesttimeout="60">

Use UUID for CFToken
  Suggestion: Checked
  When unchecked the cftoken values are sequential, which makes it fairly easy to hijack sessions by guessing a valid CFID/CFTOKEN pair. This setting is not strictly required if J2EE sessions are enabled, but it does no harm to turn it on anyway.

Disable CFC Type check
  Suggestion: Unchecked
  Developers may rely on the argument types; enabling this setting might allow attackers to cause new exceptions in the application. This setting may be enabled if the developer(s) have built the application to account for this. Performance may degrade when this setting is unchecked.

Disable access to internal ColdFusion Java components
  Suggestion: Checked
  The internal ColdFusion Java components may allow administrative duties to be performed. Some developers may write code that relies on these components. This practice should be avoided as these components are not documented.

Prefix serialized JSON with
  Suggestion: Checked, //
  This setting helps prevent JSON hijacking, a vulnerability which was exploitable in very old browsers (IE 9 and below). ColdFusion AJAX tags and functions automatically remove the prefix. If developers have written CFC functions with returnformat="json" or use the SerializeJSON function, the prefix will be applied and should be removed in the client code before processing. Developers can override this setting at the application level.

Maximum Output Buffer size
  Suggestion: 1024 KB or lower
  A lower output buffer size may reduce the memory footprint in some applications. Keep in mind that once the output buffer is flushed, tags that modify the response headers will throw an exception.

Enable In-Memory File System
  Suggestion: Unchecked if not used
  If your applications do not require the in-memory file system, uncheck this checkbox.

Memory Limit for In-Memory Virtual File System
  Suggestion: Tuned based on JVM heap size and feature usage
  Ensure that you have allocated sufficient JVM heap space to accommodate the memory limit.

Memory Limit per Application for In-Memory Virtual File System
  Suggestion: Tuned based on JVM heap size and feature usage
  Ensure that you have sufficient JVM heap space to accommodate the memory limit.

Watch configuration files for changes (check every N seconds)
  Suggestion: Unchecked
  If your configuration requires this setting to be enabled (if using a WebSphere ND vertical cluster, for example), increase the interval to be as large as possible. If an attacker is able to modify the configuration of your ColdFusion server, their changes become active within a short period of time when this setting is enabled.

Enable Global Script Protection
  Suggestion: Checked; understand its limits
  This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that enabling this setting does not protect your site from all possible Cross Site Scripting attacks.

Disable creation of unnamed applications
  Suggestion: Checked
  Applications should have a name so they can be isolated from each other.

Allow adding application variables to Servlet Context
  Suggestion: Unchecked
  Keep unchecked to improve application isolation.

Default ScriptSrc Directory
  Suggestion: /not-default/
  Because the scripts directory also contains CFML source code, you should create a virtual directory/alias at a non-default location. The default values are /cf_scripts/scripts or /cf2018_scripts.

Allowed file extensions for CFInclude tag
  Suggestion: cfm
  This setting restricts the file extensions which get compiled (executed) by a cfinclude tag. Any file extension not matching this list is statically included, and any CFML source code in such a file is not executed. Take care to ensure that you have specified the extensions of all files that contain CFML code and are included with cfinclude. This setting was added in CF2018 Update 3. It can be defined at the application level as well, via this.compileExtForInclude in Application.cfc.

Blocked file extensions for CFFile uploads
  Suggestion: * or list
  This setting restricts what file extensions are allowed to be uploaded by ColdFusion. If you do not allow file uploads you should set this to * to block all extensions. If you do allow uploads, ensure that all executable file extensions (such as cfm) are specified as a comma separated list. This setting can be defined at the application level as well, via this.blockedExtForFileUpload.

Missing Template Handler
  Suggestion: Custom Template
  The missing template handler HTML output should be equivalent to the 404 error handler specified on your web server.

Site-wide Error Handler
  Suggestion: Custom Template
  When blank, the site-wide error handler may expose information about the cause of exceptions. Specify a custom site-wide error handler that discloses the same generic message to the user for all exceptions. Be sure to log and monitor the actual exceptions thrown.

Maximum number of POST request parameters
  Suggestion: As low as your application allows
  Set this to the maximum number of form fields you have on any given page. Allowing too many form fields may allow for a DOS attack known as HashDOS. See https://www.petefreitag.com/item/808.cfm

Maximum size of post data
  Suggestion: As low as possible
  If your application does not deal with large HTTP POST operations (such as file uploads or large web service requests), reduce this size to 1 MB. If the application does allow file uploads, set this to the maximum size you want to allow. You should also be able to specify an HTTP request size limit on your web server.

Request Throttle Threshold
  Suggestion: 1 MB
  ColdFusion will throttle any request larger than this value. If your application requires a large number of concurrent file uploads to take place, you may need to increase this setting.

Request Throttle Memory
  Suggestion: Tuned
  On a 32 bit installation the default value would be close to 20% of the heap. 64 bit servers allow for much larger heap sizes. Aim for 10% of the maximum heap size as an upper limit for this setting.

Allow REST Discovery
  Suggestion: Unchecked if not used
  This setting enables the endpoint /rest/_api_listing or /api/_api_listing to allow the ColdFusion API Manager to get a listing of REST APIs. ColdFusion Administrator authentication is required.
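The Missing Template Handler and Site-wide Error Handler rows above both require that error responses do not reveal that ColdFusion is behind the site. The following is an added example, not from the guide, that checks the first of those from the outside: it requests a random missing .cfm and a random missing static file on the same site and reports whether the status codes or bodies differ, or whether the body names the engine. It assumes Windows PowerShell 5.1 (where Invoke-WebRequest raises a WebException on a 4xx/5xx status) and uses https://www.example.com as a placeholder host.

```powershell
# Added example, not part of the Adobe lockdown guide.
# Compares the response for a missing .cfm with the response for a missing static
# file, which is what "equivalent to the 404 error handler" means in practice.
function Get-HttpProbe {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Body = [string]$r.Content }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # DNS, connection or TLS failure, not an HTTP status
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        try { $body = $reader.ReadToEnd() } finally { $reader.Dispose() }
        return [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Body = $body }
    }
}

function Test-NotFoundParity {
    param([Parameter(Mandatory)][string]$BaseUrl)   # e.g. https://www.example.com
    # A random name defeats caches and cannot collide with a real file.
    $name = [guid]::NewGuid().ToString('N')
    $cfm = Get-HttpProbe -Url "$BaseUrl/$name.cfm"
    $txt = Get-HttpProbe -Url "$BaseUrl/$name.txt"

    # Handlers often echo the requested path; neutralise it before comparing bodies.
    $pattern = [regex]::Escape($name) + '\.(cfm|txt)'
    $cfmBody = $cfm.Body -replace $pattern, '<path>'
    $txtBody = $txt.Body -replace $pattern, '<path>'

    $findings = @()
    if ($cfm.Status -ne 404)         { $findings += "missing .cfm returned HTTP $($cfm.Status), expected 404" }
    if ($cfm.Status -ne $txt.Status) { $findings += "status differs: .cfm=$($cfm.Status) .txt=$($txt.Status)" }
    if ($cfmBody -ne $txtBody)       { $findings += "body differs: .cfm=$($cfmBody.Length) chars, .txt=$($txtBody.Length) chars" }
    if ($cfm.Body -match 'ColdFusion|Tomcat') { $findings += 'missing-template response names the engine' }
    return $findings   # empty means the two handlers are indistinguishable
}

# Usage:
#   Test-NotFoundParity -BaseUrl 'https://www.example.com'
```

Run it against each IIS site after the lockdown tool has installed the connector, since the handler that answers a missing .cfm changes once requests for that extension are routed to ColdFusion.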

3.2ServerSettings>RequestTuningTheRequestTuningsettingscanmitigatetheimpactDenialofService(DOS)attacksagainstyourserver.

Setting Suggestion AdditionalInfo

MaximumnumberofsimultaneousTemplaterequests

Tunedbasedonhardware Whenthissettingistoohighortoolowtheabilitytoperformadenialofserviceattackincreases.Whentoolowrequestswillbequeuedwhentheserverisplacedunderload.WhentoohighrequestsmaynotbequeuedunderloadcausingtheCPUtimeofallrequeststoincreasesignificantly(knownascontextswitching).Findagoodmediumbyperformingloadtestsagainstyourproductionenvironment,usethevaluethathastheabilitytoservethemostrequestspersecond.

MaximumnumberofsimultaneousFlashRemotingrequests

1ifnotusingFlashRemotingotherwisetuned.

Ifyourapplicationsdonotuseflashremotingsetthisvalueto1anddisableflashremoting.Ifyoudouseflashremotingusealoadtestingapproachtofindtheoptimalvalueforthissetting.NotethattheServerMonitorfeatureinEnterprisemakesuseofflashremoting.

MaximumnumberofsimultaneousWebServicerequests

1ifnotpublishingSOAPwebservicesotherwisetuned

IfyourapplicationsdonotpublishSOAPwebservicessetthisvalueto1.Otherwisetunethissettingusingloadtests.

MaximumnumberofsimultaneousCFCfunctionrequests

1ifnotusingRemoteCFCfunctionrequests,otherwisetuned

ThissettingappliesonlytoCFCfunctionsthathaveaccess=remotespecified,whentheyare

invokedviaaHTTPrequest,forexample:/example.cfc?method=MethodName.The

ColdFusionAJAXproxyusesthismethodtoinvokeCFCs.Ifyourapplicationsdonotmakeuseofthisfeaturesetto1.Otherwiseuseloadtestingtofindtheoptimalvalueforthissetting.

MaximumnumberofsimultaneousReportthreads

1 Keepat1unlessusingcfreportheavily.

MaximumnumberofthreadsavailableforCFTHREAD

1ifnotusingcfthread,tunedotherwise

ColdFusion2018LockdownGuide(2020-03-31)—3ColdFusionAdministratorSettings Page21of49

Timeoutrequestswaitinginqueueafter

5seconds(MatchRequestTimeout) ThissettingcangenerallybesetequivalenttotheTimeoutRequestsAftervaluespecifiedintheSettingssection.AlowersettingheremaydecreasetheeffectivenessofDOSattacks.

RequestQueueTimeoutPage CustomTemplate SpecifyaHTMLfilegivingtheuseramessagetowaitandretrytheirrequestagain.Themessageshouldnotdisclosethefactthatthequeuetimedout.


3.3 Server Settings > Caching

Setting | Suggestion | Additional Info

Trusted Cache | Checked | Enabling trusted cache improves performance by caching CFML code for the duration of the server process (unless manually cleared). This may also mitigate a situation where an attacker attempts to change a file on the server: the new code would not execute until the server is restarted or the cache is cleared.

3.4 Server Settings > Client Variables

Setting | Suggestion | Additional Info

Default Storage Mechanism for Client Sessions | None / Cookie | If applications have client management enabled, a large amount of data can accumulate on the server. This can lead to a storage failure if disks become full. Because the registry is typically located on the system partition, it is not recommended to use the Registry.

3.5 Server Settings > Memory Variables

Setting | Suggestion | Additional Info

Use J2EE session variables | Checked if JEE interoperability required | When checked, ColdFusion will use the session management of the underlying JEE container (e.g. Tomcat). Instead of using CFID and CFTOKEN, the JSESSIONID cookie is used. When J2EE sessions are enabled, certain features such as application-specific session cookie settings (this.sessionCookie in Application.cfc) do not apply. The functions SessionRotate and SessionInvalidate do not operate on J2EE sessions.

Enable Session Variables | Unchecked only if not using sessions | Most applications require session variables; however, if none of the applications on the server require session variables then you may uncheck this box.

Session Storage | In Memory or Redis | When using Redis to store sessions, take extreme care to ensure that the data store is protected by network firewalls and a strong password.

Maximum Timeout: Session Variables | Less than 2 days | The default of two days is generally too long for sessions to persist. Lower session timeouts reduce the window of risk of session hijacking.


Default Timeout: Session Variables | 20 minutes or less | Twenty minutes is a good default value, but maximum security applications may require a lower timeout value.

Cookie Timeout | -1 | By setting to -1, ColdFusion will set the session cookie as a browser session cookie, which is valid as long as the user's browser window is open.

HTTPOnly | Checked | Session cookies should always be marked as HTTPOnly to prevent JavaScript or other client-side technologies from accessing their values (on supported clients).

Secure | Checked if all sites use HTTPS | A client will only transmit a secure cookie over a secured connection (HTTPS).

Disable updating ColdFusion internal cookies using ColdFusion tags/functions | Checked if all sites use HTTPS | You can use this feature to prevent a developer from overriding your global session cookie security settings. Check this only if all applications will use the same settings.


3.6 Server Settings > Mappings

Remove any mappings your applications do not require, such as /gateway.

3.7 Server Settings > Mail

Consider using SSL or TLS to connect to the mail server to encrypt the email in transit.

Consider enabling Log all mail messages sent by ColdFusion.

3.8 Server Settings > WebSocket

Disable the WebSocket Service if it is not used by any applications on the server.

3.9 Server Settings > Charting

Consider changing the Disk cache location to a non-default path. The ColdFusion user will require read and write permission to the path specified if cfchart is used.

3.10 Data & Services > Data Sources

Remove the example data sources: cfartgallery, cfbookclub, cfcodeexplorer, cfdocexamples.

Ensure that the database user that ColdFusion connects as also has limited permissions, restricted to only what is necessary. You should not use sa or root accounts.

Setting | Suggestion | Additional Info

Login Timeout (sec) | 5 seconds | Decrease this value to be less than the Timeout Requests After setting.

Query Timeout (seconds) | Not 0 | Specify an upper limit to mitigate DOS attacks.

Allowed SQL | Enable only operations required by the application, e.g. SELECT, INSERT, UPDATE, DELETE | The CREATE, DROP, ALTER, GRANT, and REVOKE operations are not commonly required in web applications.


3.11 Data & Services > ColdFusion Collections

Remove the example collection bookclub if it exists.

3.12 Data & Services > Solr

Consider using an HTTPS connection to the Solr server, especially if it is located on a remote server.

3.13 Data & Services > Flex Integration

Uncheck Enable Flash Remoting and Enable Remote Adobe LiveCycle Data Management access if they are not used by your application.

If using LiveCycle Data Services ES, consider checking the Enable RMI over SSL for Data Management checkbox and specify a keystore and password.

3.14 Data & Services > PDF Service

If the PDF Service is used to generate PDFs containing sensitive data, or if the PDF service is running on a remote server, ensure that HTTPS is enabled.

3.15 Debugging & Logging > Debug Output Settings

Setting | Suggestion | Additional Info

Enable Robust Exception Information | Unchecked | When robust exception information is enabled, sensitive information may be disclosed when exceptions occur.

Enable AJAX Debug Log Window | Unchecked | Debugging should not be enabled on a production server.

Enable Request Debugging Output | Unchecked | Debugging should not be enabled on a production server.

3.16 Debugging & Logging > Developer Profile

The Developer Profile should not be enabled on production servers.

3.17 Debugging & Logging > Debugger Settings

Setting | Suggestion | Additional Info

Allow Line Debugging | Unchecked | Debugging should not be enabled on a production server.

3.18 Debugging & Logging > Logging Settings

Setting | Suggestion | Additional Info

Log directory | Non-default | Ensure that the location of this directory has sufficient storage space to hold Maximum File Size multiplied by the Maximum number of archives multiplied by the number of log files (6 or more). Consider a separate drive/partition for storing logs.


Maximum number of archives | 10 or more | When a log file reaches the Maximum File Size (5000 KB by default), it is archived. When the maximum number of archives is reached for a particular log file, the oldest log file is deleted. Some security compliance regulations require that log files are kept for a minimum period of time. Ensure that this value is high enough to retain log files for the required duration.

Use operating system logging facilities | Checked | Certain log entries will be duplicated to syslog on Unix-based operating systems.

Enable logging for scheduled tasks | Checked | Log scheduled task execution.


3.19 Debugging & Logging > Remote Inspection Settings

Setting | Suggestion | Additional Info

Allow Remote Inspection | Unchecked | Debugging features should not be enabled on a production server.

3.20 Event Gateways > Settings

Uncheck Enable ColdFusion Event Gateway Services if your applications do not require the use of event gateways.

3.21 Event Gateways > Gateway Instance

Delete the SMS Menu App and any other gateways that are not in use.

3.22 Security > Administrator

Setting | Suggestion | Additional Info

ColdFusion Administration Authentication | Separate username and password authentication | Using separate usernames and passwords allows you to specify which parts of the ColdFusion Administrator each user may use.

Password Seed | Generate a cryptographically secure random value | The password seed is used to generate an encryption key to encrypt and decrypt passwords for data sources and other services.

Allow concurrent login sessions for Administrator Console | Unchecked | Uncheck to prevent concurrent logins by the same user account in the ColdFusion Administrator.

3.23 Security > RDS

RDS should not be enabled on a production server.

If RDS was previously enabled, ensure that {cf.instance.root}/wwwroot/WEB-INF/web.xml does not contain a Servlet Mapping for the RDSServlet.

3.24 Security > Sandbox Security

Sandboxes allow you to lock down which CFML source files have access to the file system, tag/function execution, data source access, and network access. It is highly recommended that you set up a sandbox or multiple sandboxes for your applications.


Configure sandboxes for each site, or for high-risk portions of each site. Using the principle of least privilege, deny access to any tags, functions, data sources, file paths, and IP/ports that do not need to be accessed by code in the particular sandbox.

Your application should be thoroughly tested before enabling sandbox security to ensure that your sandbox has been configured correctly.

3.25 Security > User Manager

Add user accounts for each person that will log in to the ColdFusion Administrator.

3.26 Security > Allowed IP Addresses

Setting | Suggestion | Additional Info

Allowed IP Addresses for Exposed Services | Empty | Any IP address in this list may execute remote services that expose server functionality via web services. To invoke these web services the client must be on the allowed IP list and have a username and password. It is recommended that you do not use this feature in environments requiring maximum security. This feature has been deprecated as of ColdFusion 11+.

Allowed IP Addresses for ColdFusion Internal Components | List of internal/administrative IP addresses | Specify to limit which IP addresses may connect to the ColdFusion Administrator and Admin API.

3.27 Security > Secure Profile

Compare the values you have specified with the secure profile recommended values.

Review each setting that will be changed and test your application to ensure that the secure profile settings will not cause any issues.

3.28 Server Update > Updates: Settings

Setting | Suggestion | Additional Info

Automatically Check for Updates | Checked | Check for ColdFusion updates every time you log in to the ColdFusion Administrator. A notification icon will show up in the upper right toolbar if an update is available.

Check for Updates every N days | Checked | Set up email alerts to be notified when a server update is available.

Site URL | https://www.adobe.com/go/coldfusion-updates | Ensure that the URL is correct and uses HTTPS.


4 Additional Lockdown Measures

The steps outlined in this section can provide additional security but may require special care or attention to configure and maintain.

4.1 To Configure the Built-in Web Server to bind to 127.0.0.1 only

By default the connector will listen on all IP addresses. To configure the built-in web server to only listen on a single address (for example 127.0.0.1), locate the <Connector /> in {cf.instance.root}/runtime/conf/server.xml with a port attribute matching the port your built-in web server is running on, and add an address attribute. For example:

<Connector address="127.0.0.1" ...>

Restart ColdFusion and confirm that the built-in web server now only listens on the specified address. See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html for more information.

4.2 To Run the Built-in Web Server over TLS

The built-in web server can be configured to run over TLS/HTTPS. This is highly recommended, especially if the built-in server is configured to listen on addresses other than localhost.

First, a certificate must be generated. You may obtain a certificate from a trusted certificate authority (recommended) or generate a self-signed certificate.

To generate a self-signed certificate, run the following command:

{cf.root}/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore {cf.root}/tomcat.keystore

Specify a unique password for the keystore when prompted.

Next make a backup of, then edit {cf.instance.root}/runtime/conf/server.xml and locate the <Connector> tag that has a port value matching your built-in web server. Comment out the default built-in web server Connector tag and replace it with something like this:

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https"
           secure="true"
           keystoreFile="{cf.root}\tomcat.keystore"
           keystorePass="{your.password}"
           keyAlias="tomcat"
           clientAuth="false"
           sslProtocol="TLSv1.2" />

Be sure to replace {cf.root} with the path to your ColdFusion installation root (e.g. C:\ColdFusion2018) and {your.password} with the value you specified when you generated your certificate. Consider changing the port 8443 to a non-default value.

Restart the ColdFusion instance, and visit https://127.0.0.1:8443/CFIDE/administrator/ (change the port to match the value you used). If you used a self-signed certificate you will receive a certificate warning.

Consider specifying the ciphers attribute and useServerCipherSuitesOrder="true" to ensure a strong TLS cipher is favored. Because the recommendations for preferred TLS protocols and ciphers change frequently, please seek the current advice of cryptography experts for optimal TLS configuration.

For more information about configuring Tomcat with TLS, see: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

4.3 To Disable the Built-in Web Server

The built-in web server may be used on production servers to serve the ColdFusion Administrator. It may also be used by the Performance Monitoring Toolkit. You may disable the built-in web server when its use is not required.

Back up and edit the {cf.instance.root}/runtime/conf/server.xml file, and remove or comment out the Connector tag similar to the following:

<!--
<Connector port="8500" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8451" />
-->

This must be repeated for each ColdFusion instance created.

Restart ColdFusion and confirm that the server port is disabled.

Important: You must use XML comments with two dashes <!-- xml comment has two dashes -->. If you use a CFML comment (3 dashes) <!--- cfml comment has three --->, ColdFusion may not start.
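The confirmation steps in 4.1 to 4.3 (is the built-in server bound to loopback, is it TLS-enabled, is the old Connector really commented out with a two-dash XML comment) can be checked from server.xml itself before restarting. The following Python script is an added example written for this guide; it is not Adobe's code and not part of ColdFusion. The sample server.xml, the port numbers on it, the function names and the status categories are this example's own assumptions.

```python
"""Audit the Connector elements in a Tomcat server.xml (sections 4.1 to 4.3).

Added example, not part of the lockdown guide or of ColdFusion. For every
Connector the XML parser sees it reports whether the listener is bound to a
loopback address, TLS-enabled, or exposed in plain text on all interfaces.
A Connector inside a two-dash XML comment is invisible to the parser, exactly
as it is to Tomcat; a CFML-style three-dash comment is not well-formed XML and
makes the parse fail, which is the failure mode the guide warns about.
"""
import xml.etree.ElementTree as ET

# Constructed sample (assumption): the default 8500 connector commented out as
# in 4.3, a plaintext connector still listening on all interfaces, a TLS
# connector as in 4.2, and an AJP connector bound to loopback.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <!--
    <Connector port="8500" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8451" />
    -->
    <Connector port="8501" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/cf2018/tomcat.keystore"
               keystorePass="REPLACE-ME" keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLSv1.2" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml: str) -> list:
    """Return one dict per active Connector: port, protocol, address, tls, status.

    status is "loopback" (4.1 applied), "tls" (4.2 applied) or "exposed".
    """
    root = ET.fromstring(server_xml)  # ParseError on a three-dash comment
    findings = []
    for conn in root.iter("Connector"):
        # No address attribute means Tomcat binds to every interface.
        address = conn.get("address", "*")
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        if address in LOOPBACK:
            status = "loopback"
        elif tls:
            status = "tls"
        else:
            status = "exposed"
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "address": address,
            "tls": tls,
            "status": status,
        })
    return findings


def exposed_plaintext_ports(server_xml: str) -> list:
    """Ports that listen on all interfaces without TLS, i.e. what 4.1/4.2 remove."""
    return [f["port"] for f in audit_connectors(server_xml) if f["status"] == "exposed"]


def is_well_formed(server_xml: str) -> bool:
    """True if an XML parser (and therefore Tomcat) accepts the file."""
    try:
        ET.fromstring(server_xml)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']:>5} {f['protocol']:<9} address={f['address']:<10} -> {f['status']}")
    print("exposed plaintext ports:", exposed_plaintext_ports(SAMPLE_SERVER_XML))
    # Turn the two-dash comment into a CFML-style three-dash comment: not XML.
    cfml_style = SAMPLE_SERVER_XML.replace("<!--", "<!---", 1).replace("-->", "--->", 1)
    print("well-formed with <!--- ... --->:", is_well_formed(cfml_style))
```

Run it against a copy of {cf.instance.root}/runtime/conf/server.xml after editing and before restarting; a non-empty list of exposed plaintext ports, or a parse failure, means the edit is not yet what sections 4.1 to 4.3 ask for.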

4.4 Deny ColdFusion Write Permission to Built-in Web Server wwwroot

ColdFusion will have Full Control of the wwwroot folder in your {cf.instance.root}. You may consider restricting that directory to read only, because the cf_scripts folder may be served over the IIS or Apache web server. If you do restrict write permission on wwwroot you will need to allow write permission to the following subdirectories:

WEB-INF/cfclasses
WEB-INF/rest-skeletons
WEB-INF/cfc-skeletons

4.5 Restrict ColdFusion File System Permissions

ColdFusion will have Full Control of its installation directory by default. You may consider restricting full control to only files and folders that ColdFusion needs to write to. You can use file system auditing to determine which files ColdFusion writes to during normal operation of your application.

Some directories that are commonly written to include:

{cf.instance.root}/logs
{cf.instance.root}/tmpCache
{cf.instance.root}/stubs
{cf.instance.root}/Mail
{cf.instance.root}/runtime/work
{cf.instance.root}/jetty/logs
{cf.instance.root}/jetty/work
{cf.instance.root}/jetty/multicore/collections/

Note that use of the ColdFusion Administrator may write configuration to several locations; you should ensure that your Administrator settings have been specified and will not change before restricting the file system permissions.

4.6 Lockdown the ColdFusion Add-on Services

If you installed the ColdFusion 2018 Add-on Services for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf), they run as a separate process/service. The Add-on Services leverage Jetty as the JEE servlet container instead of Tomcat (which is used by the ColdFusion Application Server).

If you are not currently using the cfsearch, cfcollection, cfindex, or cfhtmltopdf tags, ensure that you have disabled the service.

Next ensure that it is not running under a privileged user account such as root or System. You may create a dedicated user specifically for the Add-on Services. This user simply needs read/write permission on the Solr Home folder. By default Solr Home will point to {cf.root}/cfusion/jetty; you can find the exact path by going to the ColdFusion Administrator and looking at the Solr Home setting under Data & Services > Solr Server.

Consider using a non-default port (8989 is the default) and enabling HTTPS. Go to the ColdFusion Administrator and click the Show Advanced Settings button on the Data & Services > Solr Server page to change these settings.

For maximum isolation, consider installing the ColdFusion Add-on Services on a dedicated server. Using HTTPS is highly recommended when Solr is running on a different server.

Consult the Jetty Documentation for more information: https://www.eclipse.org/jetty/documentation/

4.7 Lockdown File Extensions


ColdFusion provides a number of capabilities that are not commonly used and which can be blocked. A good example of this is JSP file execution. Here is a list of file extensions that usually can be blocked (check with developers first).

File Extension | Purpose | Safe to Block

.cfml | Executes CFML templates (same as .cfm files) | The .cfml file extension is not typically used by developers; if you don't use .cfml, block this file extension.

.jsp | Java Server Pages | Yes, if your applications do not use JSP.

.jws | Java Web Services | Yes, if not used.

.cfr | CF Report files | Yes, if cfreport is not used.

.cfswf | Dynamically generated SWF files from Flash forms | Yes, if Flash forms are not used.

.hbmxml | Hibernate XML mappings | Yes, these files should always be blocked.

4.7.1 Blocking by File Extension with Apache

To block .cfml, .jsp, .jws and .hbmxml files, add the following to your Apache httpd.conf file:

RedirectMatch 404 (?i).*\.(cfml|jsp|jws|hbmxml).*

Restart Apache and create a test.cfml file to confirm that the rule is working.

4.7.2 Blocking by File Extension on IIS

Click on the root node of IIS and then double-click Request Filtering. Click on the File Name Extensions tab, and then click Deny File Name Extension in the Actions menu on the right. Add a file name extension including the dot and click OK.

4.7.3 File Extension Whitelisting on IIS

A more robust solution is to specify a whitelist of allowed file extensions, and block the rest. For example, allow only .cfm, .css, .js, .png and block anything else. Your application may require additional extensions.

Click on the root node of IIS and then double-click Request Filtering. Click on the File Name Extensions tab, and then click Allow File Name Extension. Allow each file extension your sites serve (for example cfm, css, js, png, html, jpg, swf, ico, etc.).

You must also ensure that the .dll file extension is allowed in the /jakarta virtual directory in order for ColdFusion resources to be served.

Test your websites after making changes in this section.
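Before deploying either rule it helps to see what the blocklist regex of 4.7.1 and the extension whitelist of 4.7.3 decide for the same set of requests. The Python script below is an added example written for this guide, not code from Adobe or from the Apache or IIS projects. It applies the guide's own RedirectMatch pattern and an allowlist built from the extensions named in 4.7.3 to constructed request paths; the path normalisation, the function names and the sample requests are this example's own assumptions.

```python
"""Exercise the file-extension rules from 4.7.1 and 4.7.3 against sample paths.

Added example, not from the lockdown guide. It applies the guide's Apache
RedirectMatch pattern (a blocklist) and an IIS-style extension allowlist to
constructed request URIs so the two approaches can be compared before they
are deployed. The path normalisation here is this example's own, not Apache's
or IIS's.
"""
import re
from urllib.parse import unquote, urlsplit

# Exactly the regular expression the guide puts in httpd.conf. RedirectMatch
# tests it against the URL path only, not the query string.
APACHE_BLOCK_RE = re.compile(r"(?i).*\.(cfml|jsp|jws|hbmxml).*")

# The extensions a site serves, per 4.7.3; everything else is denied.
ALLOWED_EXTENSIONS = {"cfm", "css", "js", "png", "html", "jpg", "swf", "ico"}


def request_path(uri: str) -> str:
    """Path component of a request URI, percent-decoded (assumed normalisation)."""
    return unquote(urlsplit(uri).path)


def blocked_by_apache_rule(uri: str) -> bool:
    """True if the guide's RedirectMatch would answer 404 for this request."""
    return APACHE_BLOCK_RE.match(request_path(uri)) is not None


def allowed_by_extension_allowlist(uri: str) -> bool:
    """Allowlist decision: the final path segment's extension must be listed.

    A segment without a dot (a directory or an extensionless resource) is
    allowed, since an extension allowlist only judges extensions.
    """
    last = request_path(uri).rsplit("/", 1)[-1]
    if "." not in last:
        return True
    return last.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def classify(uri: str) -> dict:
    """Side-by-side outcome of both approaches for one request."""
    return {
        "uri": uri,
        "apache_blocklist": "blocked" if blocked_by_apache_rule(uri) else "served",
        "allowlist": "served" if allowed_by_extension_allowlist(uri) else "blocked",
    }


# Constructed request URIs, chosen to show where the two approaches differ.
SAMPLE_REQUESTS = [
    "/index.cfm",                 # normal page: both serve it
    "/test.cfml",                 # the guide's own test file: both block it
    "/admin/Tools.JSP",           # (?i): case-insensitive match on the blocklist
    "/old/page.jsp.bak",          # blocklist still matches: .* after the extension
    "/assets/app.jspx",           # likewise: ".jsp" followed by any characters
    "/upload/report.cfr",         # not in the 4.7.1 regex, but not allowlisted either
    "/index.cfm/x/y",             # search-engine-safe URL: allowlist judges segment "y"
    "/index.cfm?file=a.jsp",      # query string is not part of the RedirectMatch test
    "/model/User.hbmxml",         # Hibernate mapping: both block it
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        c = classify(uri)
        print(f"{c['uri']:<26} blocklist={c['apache_blocklist']:<8} allowlist={c['allowlist']}")
```

The sample set makes the guide's "more robust" remark concrete: the blocklist only knows the four extensions written into the regex (so .cfr passes), while the allowlist denies anything not explicitly served; conversely the trailing .* in the regex also catches names such as app.jspx or page.jsp.bak, so check that nothing legitimate on your site contains one of the blocked extensions mid-name before enabling it.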

4.8 Additional URIs to Consider Blocking

Here are some additional URIs that ColdFusion may serve requests on that you can consider blocking if you do not use the features they support.

URI | Description

/connector | Used by the Performance Monitoring Toolkit

/CFFileServlet | Serves dynamically generated assets. It supports the cfreport, cfpresentation, cfchart, and cfimage (with action=captcha and action=writeToBrowser) tags.

/rest/ /api/ /restapps/ /cfapiresources/ | Used for CFML REST web services

4.8.1 Blocking URIs in IIS

Click on the root node of IIS and then double-click Request Filtering. Click on the URL tab. Click the Deny Sequence button and enter the URI to block.

Note that the Auto Lockdown Tool blocks URIs using Request Filtering as well; however, it applies the settings at the web site level, not the global IIS level. You may consider adding the URIs it blocks at the global level to ensure they will be blocked for all sites on the server.


4.8.2 Blocking URIs in Apache

To block a URI, add the following to the httpd.conf file:

RedirectMatch 404 (?i).*/CFIDE.*

The above would block and return a 404 HTTP status when the case-insensitive (?i) pattern /CFIDE is found anywhere (.*) in the URI.

4.9 Optionally Remove ASP.NET

Once you have all websites configured in IIS, you may consider removing the IIS Role Services ASP.NET, .NET Extensibility and CGI, which are required by the connector installer but may not be needed at runtime.

If you are running the IIS WebSocket proxy then ASP.NET support is required and must not be removed.

This approach, while it may provide additional security by allowing removal of unused software, does have two drawbacks. First, this is not a procedure that is officially documented or supported by Adobe. Adobe does not test without these settings enabled, so you may encounter something unexpected. Second, when a ColdFusion update is released for the connector, or if you want to add/update/delete an IIS connector, you must re-enable these role services before updating the connector.

4.10 Remove ASP.NET ISAPI Filters and Handler Mappings

If you do not require ASP.NET functionality, and you do not want to fully remove ASP.NET from the server due to the issues outlined in the previous section, you can remove the ISAPI Filters and Handler Mappings that ASP.NET uses to process requests.

First make a backup of the applicationHost.config file, typically located in C:\Windows\System32\inetsrv\config\, and any web.config files.

At the IIS global server level click on ISAPI Filters and remove all ASP.NET ISAPI filters. Next click on ISAPI and CGI Restrictions, click on each ASP.NET ISAPI filter and click Deny.

Next click on Handler Mappings in the IIS global root node. Remove all unnecessary Handler Mappings. Do not remove the StaticFile handler unless your application does not serve static files (js, css, images, etc.). Do not remove the ISAPI-dll handler; this will be required for the ColdFusion web server connector to function. A minimal configuration includes only StaticFile, ISAPI-dll, and cfmHandler.

4.11 Disable Unused Servlet Mappings

All JEE web applications have a file in the WEB-INF directory called web.xml; this file defines the servlets and servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet responds to. For example, the servlet that handles requests for .cfm files is called the CfmServlet; the servlet mapping for that looks like this:

<servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
</servlet-mapping>

The servlets are also defined in the web.xml file. The CfmServlet is defined in web.xml as follows:

<servlet id="coldfusion_servlet_3">
    <servlet-name>CfmServlet</servlet-name>
    <display-name>CFML Template Processor</display-name>
    <description>Compiles and executes CFML pages and tags</description>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param id="InitParam_1034013110656ert">
        <param-name>servlet.class</param-name>
        <param-value>coldfusion.CfmServlet</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
</servlet>

We can remove servlet mappings in web.xml to reduce the attack surface. You don't typically want to remove the CfmServlet or the *.cfm servlet mapping, but there are other servlets and mappings that may be removed.

In addition, some servlets may depend on each other, so it may be better to just remove the servlet-mapping instead.


Be sure to back up web.xml before making changes, as incorrect changes may prevent the server from starting.

Servlet Mapping | Servlet | Purpose

*.cfm *.CFM *.Cfm | CfmServlet | Handles execution of CFML in .cfm files. Required.

*.cfml *.CFML *.Cfml | CfmServlet | Handles execution of CFML contained in files with the .cfml file extension. These servlet mappings can be commented out if you do not have any files with a .cfml file extension in your code base.

*.cfc *.CFC *.Cfc | CFCServlet | Handles execution of remote function calls in .cfc files. These servlet mappings can be commented out if you do not use any CFCs with access=remote.

*.cfml/* *.cfm/* *.cfc/* | CfmServlet, CFCServlet | These servlet mappings are used for search engine safe URLs such as /index.cfm/x/y.

/CFIDE/main/ide.cfm | RDSServlet | Used for RDS; this servlet mapping should be commented out on production servers.

/JSDebugServlet/* | JSDebugServlet | Used for debugging cfclient; should be commented out on production servers.

*.jws | CFCServlet | Java Web Services: allows you to easily write and deploy SOAP web services in Java, similar to a CFC. Should be commented out if your applications do not have any .jws files.

*.cfr | CFCServlet | Used for cfreport; can be commented out if cfreport is not used.

/CFFormGateway/* | CFFormGateway | Required for Flash forms <cfform format=flash>; can be commented out if not used.

/CFFileServlet/* | CFFileServlet | Used for serving files generated dynamically from various tags such as cfchart, cfimage, etc.

/securityanalyzer/* | CFSecurityAnalyzerServlet | Used for the CF Builder security analyzer. Not needed on production servers.

/rest/* /api/* /restapps/* /cfapiresources/* | CFRestServlet | Used to serve CFML REST web services.

*.hbmxml | CFForbiddenServlet | Used to prevent serving Hibernate mapping files. This should not be removed.

/cfform-internal/* | CFInternalServlet | Required for Flash forms <cfform format=flash>; can be commented out if not needed.

*.cfswf | CFSwfServlet | Dynamically generated SWF files from Flash forms; can be commented out if Flash forms are not needed.

*.as *.sws *.swc | CFForbiddenServlet | Used to prevent serving ActionScript/Flash source code.

/flashservices/gateway/* | FlashGateway | Used for Flash Remoting.

/flex-internal/* | FlexInternalServlet | Used for Flex History Manager.

*.mxml | FlexMxmlServlet | Used to compile Flex .mxml files into SWF.

/flex2gateway/* | MessageBrokerServlet | Used for Flash Remoting.

/cfmobile/* | CFMobileServlet | Used for cfclient.

/pms/connector/* | PMSGenericServlet | Used by the Performance Monitoring Toolset.

To remove a servlet mapping, you can comment it out using an XML comment. For example, to disable the RDS servlet mapping:

<!--
<servlet-mapping id="coldfusion_mapping_9">
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
</servlet-mapping>
-->

Restart ColdFusion and test your application after commenting out servlet mappings. It is a good idea to only remove one at a time and then test again.
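A quick way to see which of the mappings in the table above are still live after editing web.xml is to parse the file the same way the container does, so that anything inside an XML comment disappears. The following Python script is an added example written for this guide; it is not Adobe's code and not part of ColdFusion. The sample web.xml excerpt, the ids on its example mappings, the list of servlets flagged for production (taken from the table above) and the function names are this example's own assumptions.

```python
"""List the servlet mappings active in a ColdFusion web.xml (section 4.11).

Added example, not part of the guide or of ColdFusion. It parses web.xml,
reports each mapping that is still live (commented-out mappings are invisible
to the XML parser, exactly as they are to the container), and flags the ones
the guide's table says should be commented out on production servers. The
sample web.xml and the flag list are constructed from that table.
"""
import xml.etree.ElementTree as ET

# Servlets the guide's table marks as not needed / to be commented out on
# production servers.
NOT_FOR_PRODUCTION = {"RDSServlet", "JSDebugServlet", "CFSecurityAnalyzerServlet"}

# Constructed excerpt (assumption): CfmServlet live, RDSServlet commented out
# as in the guide's example, JSDebugServlet still live, CFForbiddenServlet
# live. A real file carries the Java EE namespace, which is handled below.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping id="coldfusion_mapping_9">
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping id="example-mapping-jsdebug">
    <servlet-name>JSDebugServlet</servlet-name>
    <url-pattern>/JSDebugServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping id="example-mapping-forbidden">
    <servlet-name>CFForbiddenServlet</servlet-name>
    <url-pattern>*.hbmxml</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip a {namespace} prefix so the code works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml: str) -> list:
    """Return (servlet-name, url-pattern) for every live servlet-mapping.

    A mapping element with several url-pattern children yields one tuple per
    pattern, which is how the container treats it.
    """
    root = ET.fromstring(web_xml)
    mappings = []
    for elem in root.iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = None
        patterns = []
        for child in elem:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "url-pattern":
                patterns.append((child.text or "").strip())
        mappings.extend((name, p) for p in patterns)
    return mappings


def production_findings(web_xml: str) -> list:
    """Live mappings that the guide says should not exist on a production server."""
    return [(n, p) for n, p in active_mappings(web_xml) if n in NOT_FOR_PRODUCTION]


if __name__ == "__main__":
    for name, pattern in active_mappings(SAMPLE_WEB_XML):
        flag = "  <-- comment out on production" if name in NOT_FOR_PRODUCTION else ""
        print(f"{pattern:<22} -> {name}{flag}")
    print("findings:", production_findings(SAMPLE_WEB_XML))
```

Point it at {cf.instance.root}/wwwroot/WEB-INF/web.xml (read the file into a string) and re-run after each single mapping you comment out; an empty findings list matches the 3.23 requirement that no RDSServlet mapping remain, and a parse error tells you the edit broke the XML before ColdFusion fails to start.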

4.12 Additional Tomcat Security Considerations

Consult the Tomcat 9 Security Considerations document http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html for additional Tomcat-specific security settings.

4.13 Additional File Security Considerations

Pay careful attention to the file permissions of sensitive configuration files located in {cf.instance.root}/lib/ such as password.properties, seed.properties and all neo-*.xml files. In addition, the files located in {cf.instance.root}/runtime/conf/ contain important configuration used by the Tomcat container.

4.14 Adding ClickJacking Protection

ColdFusion 10 introduced two Servlet Filters: CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these filters, the X-Frame-Options HTTP header will be returned with a value of DENY or SAMEORIGIN. You can add a filter-mapping in web.xml to enable these filters for a given URI; this functionality could also be accomplished at the web server level.

4.15 Restricting HTTP Verbs

Most web applications only need to function on GET, HEAD and POST. Applications that make use of Cross Origin Resource Sharing (CORS) will also require the OPTIONS method. Servers that host REST web services may require additional HTTP methods.

4.15.1 Whitelisting HTTP Verbs in Apache

The Limit and LimitExcept directives can be used to apply configuration based on the HTTP method. For example, to deny all requests except GET, HEAD and POST you can add the following to your httpd.conf:

<Location />
    <LimitExcept GET HEAD POST>
        Order Deny,Allow
        Deny from all
    </LimitExcept>
</Location>

TraceEnable off

Note that LimitExcept does not apply to the HTTP TRACE method. The TRACE method can be disabled using the Apache directive TraceEnable. Restart Apache.

4.15.2 Whitelisting HTTP Verbs in IIS

Click on the root node in IIS, double-click Request Filtering and select the HTTP Verbs tab. Click Allow Verb and add each HTTP verb you want to allow.

Now, to disallow any verb that has not been explicitly allowed, click Edit Feature Settings and uncheck Allow unlisted verbs.

4.16 Security Constraints in web.xml

The servlet container (Tomcat) can enforce certain security constraints to ensure that a given URI is secured, or to limit certain URIs to HTTP POST over a secure (SSL) connection:

<security-constraint>
    <display-name>POST SSL</display-name>
    <web-resource-collection>
        <web-resource-name>POST ONLY SSL</web-resource-name>
        <url-pattern>/post/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <display-name>POST ONLY</display-name>
    <web-resource-collection>
        <web-resource-name>BLOCK NOT POST</web-resource-name>
        <url-pattern>/post/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

4.17 Limit Request Size

Limiting the size of various elements of the HTTP request can help mitigate denial of service attacks and other risks.

Consider specifying smaller request size limits by default, and then use larger sizes on URIs where files are uploaded or very large form submissions occur.

4.17.1 Limit Request Size in IIS

In IIS you can use the Edit Feature Settings dialog in Request Filtering to control the Maximum Allowed Content Length, Maximum URL Length and Maximum Query String Length.

4.17.2 Limit Request Size in Apache

Apache has several directives that can be used to control the allowed size of the request. Here are a few directives you should consider setting: LimitRequestBody, LimitXMLRequestBody, LimitRequestLine, LimitRequestFieldSize, LimitRequestFields.

4.18 Distributed Mode or Reverse Proxy

Consider running in a reverse proxy or distributed mode, such that the web server and the ColdFusion server are on different servers. This method provides isolation between your web server and the ColdFusion application server.

In distributed mode, only the web server connector is installed on the server containing the web server.

For more information on configuring ColdFusion to run in distributed mode, consult this blog entry: http://blogs.coldfusion.com/setting-up-coldfusion-in-distributed-envionment/

4.19 HTTP Response Headers to improve Security

There are several HTTP response headers that you may consider adding to the web server to improve security. Some headers you may consider adding include:

Strict-Transport-Security
X-Frame-Options
Content-Security-Policy
X-Content-Type-Options
X-XSS-Protection


Referrer-Policy

4.19.1 Adding HTTP Response Headers in IIS

Open IIS and double-click the HTTP Response Headers icon. Then click Add and specify a header name and value.

4.19.2 Adding HTTP Response Headers in Apache

Add a Header directive to your httpd.conf:

Header set Strict-Transport-Security "max-age=31536000"
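Once the headers from 4.19 are configured in IIS or Apache, the result should be verified on a real response rather than in the configuration file, because a misspelt directive is accepted by the web server but ignored by the browser (an HSTS header without a max-age directive is ignored entirely per RFC 6797). The Python script below is an added example written for this guide, not Adobe's code; it parses a constructed response header block and reports missing headers and malformed values. The sample response, the validation rules and the function names are this example's own assumptions.

```python
"""Check a captured HTTP response for the headers listed in section 4.19.

Added example, not from the lockdown guide. Given the raw status line and
header block of a response (a constructed sample below), it reports which
recommended headers are missing and validates the ones that are present,
including the Strict-Transport-Security directive spelling: a value such as
"maxage=31536000" has no max-age directive and is ignored by browsers.
"""
import re
from email.parser import Parser

RECOMMENDED = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
]

# Constructed response (assumption): a misspelt HSTS directive and a lowercase
# X-Frame-Options value; header values are compared case-insensitively.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 13 Aug 2018 10:00:00 GMT
Server: Apache
Strict-Transport-Security: maxage=31536000
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8

"""


def parse_headers(raw: str) -> dict:
    """Header name (lower-cased) -> value, from a raw status line plus headers."""
    _status, _, rest = raw.partition("\n")
    msg = Parser().parsestr(rest, headersonly=True)
    return {k.lower(): v.strip() for k, v in msg.items()}


def check_hsts(value: str) -> list:
    """Problems with a Strict-Transport-Security value (empty list if fine)."""
    problems = []
    m = re.search(r"(?i)\bmax-age\s*=\s*(\d+)", value)
    if not m:
        problems.append("missing max-age directive (note the hyphen)")
    elif int(m.group(1)) < 31536000:
        problems.append("max-age below the guide's one-year value")
    return problems


def audit_response(raw: str) -> dict:
    """Return {"missing": [...], "problems": {header: [...]}} for one response."""
    headers = parse_headers(raw)
    missing = [h for h in RECOMMENDED if h.lower() not in headers]
    problems = {}
    hsts = headers.get("strict-transport-security")
    if hsts is not None and check_hsts(hsts):
        problems["Strict-Transport-Security"] = check_hsts(hsts)
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in {"DENY", "SAMEORIGIN"}:
        problems["X-Frame-Options"] = ["value must be DENY or SAMEORIGIN"]
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        problems["X-Content-Type-Options"] = ["value must be nosniff"]
    return {"missing": missing, "problems": problems}


if __name__ == "__main__":
    result = audit_response(SAMPLE_RESPONSE)
    for h in result["missing"]:
        print(f"missing: {h}")
    for h, issues in result["problems"].items():
        print(f"{h}: {'; '.join(issues)}")
```

Feed it the header block of a response captured from the production site (for example the output of an HTTPS request made with curl -I); the sample above produces three missing headers and one HSTS problem, which is what a configuration line written as "maxage=..." instead of "max-age=..." looks like from the client side.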


5 ColdFusion Lockdown on Linux

This section covers installation of ColdFusion on Linux with Apache. To install ColdFusion 2018 on Linux we will perform the following steps:

Perform installation prerequisites
Create a dedicated user account for ColdFusion to run as
Install ColdFusion
Check for, and install, any ColdFusion hotfixes
Configure Apache
Configure file system permissions
Run the web server configuration tool to connect ColdFusion to Apache
Set up the ColdFusion Administrator site
Update the JVM

5.1 Linux Installation Prerequisites

Before you begin the ColdFusion installation process, perform the following steps:

Configure a network firewall (and/or configure a local firewall using iptables) to block all incoming public traffic during installation.
Read the Red Hat Enterprise Linux 7 Security Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/
Install Red Hat Linux with minimal packages; you do not need to install a graphical desktop environment.
Enable SELinux Enforcing mode during installation. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/ for more information about SELinux.
Remove or disable any software on the server that is not required. To see what packages are installed run: yum list installed | more. To remove a package: yum erase php
Run yum update and ensure that all software running on the server is fully patched.
Download ColdFusion from adobe.com.
Verify that the MD5 checksum listed on the adobe.com download page matches the file you downloaded. You can run the following in a command prompt: md5sum installer-file-name.bin

5.2 Create a Dedicated User Account for ColdFusion

Create a new group which will contain both the ColdFusion user and Apache's user. In this guide we will name this group webusers; please choose a unique name:

groupadd webusers

Create a system user for ColdFusion to run as. In this guide we use the username cfuser, but again, pick a unique username:

adduser --system -g webusers -s /sbin/nologin -M -c ColdFusion cfuser

If you are running multiple instances of ColdFusion, consider creating a dedicated user account for each instance to run in isolation.

5.3 ColdFusion Installation

Run the installer as the root user or by using sudo.

Installer Configuration:

Choose #1 - Server configuration. If you are deploying ColdFusion on a JEE server such as WebSphere, WebLogic, JBoss, etc., select an EAR or WAR file; otherwise choose option 1, Server configuration.
Select ColdFusion Server Profile: Choose Production Profile + Secure Profile. The Development Profile should not be selected; it enables features that are intended for development purposes. The Production Profile disables development features by default. The Production Profile + Secure Profile option has all the features of the Production Profile plus provides a more secure foundation of default settings. Some of the settings that the Secure Profile toggles may cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues. As of ColdFusion 11+ the Secure Profile settings can also be toggled from the ColdFusion Administrator.
IP Addresses allowed: 127.0.0.1,::1. Comma-separate any other IP addresses that need to access the ColdFusion Administrator.
Sub-components Installation: Select only services that are required by your application.
Solr Service - the Solr service is needed only if you are using the cfsearch, cfcollection, cfindex tags. Disable the Solr service if not needed.
PDFG - enable if you are using the cfhtmltopdf tag.


AdmincomponentforRemoteStart/Stop-disable.StartColdFusiononsysteminit-enable.

Enabling/DisablingServlets:

UncheckRDS,JSDebugUncheckCFReportingifyouarenotusingthecfreporttag.

UncheckCFSWFandFlashFormsifnotusingFlashForms(cfform format=flash)

Access Add-on Services Remotely: If you selected the PDFG (cfhtmltopdf tag) or Solr (cfsearch, cfindex, cfcollection tags) sub-components, the ColdFusion 2018 Add-on Services will be installed. When you specify n for the Access Add-on Services Remotely option, the Add-on Services are only accessible from the local machine (localhost). If you want to allow access to the services from multiple ColdFusion servers, enter y and then specify the IP addresses of the remote ColdFusion servers. Select n unless remote access is required.

Choose Install Folder: Select a non-default installation folder; in this guide we will use /opt/cf2018/

Built-in Web Server Port Number: Select a non-default port number.

Performance Monitoring Toolset Hostname/IP Address: Enter the internal IP address of the server if you wish to use the PMT. This value can be changed later in the Administrator.

Runtime User: Enter the name of the user created in the previous section: cfuser

Configure ColdFusion with OpenOffice: Skip if not required. OpenOffice integration is used by cfdocument to convert Word documents to PDF or PowerPoint presentations to PDF/HTML.

Administrator Credentials: select a unique username (not admin), and choose a strong password.

Server Updates: Y, automatically check for server updates.

Now start ColdFusion:

service cf2018 start

5.4 Access ColdFusion Administrator via a SSH Tunnel

Because most Linux servers do not have a desktop installed, and because the ColdFusion Administrator is no longer accessible via the Apache web server as of CF2016+, it can be useful to create a temporary SSH tunnel when you need to connect to the ColdFusion Administrator.

To access the ColdFusion Administrator you can create a SSH tunnel that points to the built-in web server port (8500 by default) by opening a local port on your desktop (33333 in our example, but you can use any local port number you want as long as it is not in use).

If your desktop computer is running Mac or Linux you can create a SSH tunnel from your local port 33333 to port 8500 on the server by running the following command (locally on your desktop, not on your ColdFusion server):

ssh -L 33333:127.0.0.1:8500 user@your.new.server.example.com

If you are running a Windows desktop you can use putty.exe (download from putty.org):

putty -L 33333:127.0.0.1:8500 your.new.server.example.com

Now open your web browser and point it to http://127.0.0.1:33333/CFIDE/administrator/

The traffic between your server and desktop will be encrypted over the SSH protocol. You can also configure the built-in web server to use HTTPS on top of that as well (see section 4.2).

5.5 Install ColdFusion Hotfixes

Log in to the ColdFusion Administrator via the built-in web server.

Click on Server Updates > Updates. If any hotfixes are available, select the latest hotfix and click Download.

Tip: You can verify the integrity of the downloaded hotfix by running md5sum on the hotfix_XXX.jar file and checking that the checksum matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates

Run the hotfix installer as root or with sudo (replace hotfix_XXX.jar with the actual hotfix filename):

/opt/cf2018/jre/bin/java -jar /opt/cf2018/cfusion/hf-updates/hotfix_XXX.jar

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide

5.6 Install and Configure Apache Web Server


5.6.1 Install or Update Apache

If Apache (httpd) has not yet been installed, install it using yum:

yum install httpd

If Apache (httpd) was already installed, ensure that the latest version is installed:

yum update httpd

5.6.2 Remove Unnecessary Modules

Ensure that the latest versions of openssl and mod_ssl are installed as well, using yum commands similar to those above.

Remove any unneeded modules, for example:

yum erase php*

Edit /etc/httpd/conf/httpd.conf and remove or comment out (by placing a # at the beginning of the line) any LoadModule lines that load unnecessary modules. Most modules will be included in separate configuration files (look in /etc/httpd/conf.modules.d/); you can easily find a list of files that load modules by running:

fgrep --recursive LoadModule /etc/httpd/

Some modules that you may be able to remove (or comment out by placing a # at the beginning of the line) include: mod_imap, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

5.6.3 Setup Directory for Web Roots

Optional: If you wish to set up a non-default web root, follow the instructions in this section. If you plan to use the default web root /var/www/html, then copy your CFML files into that directory.

If you have multiple web sites you may wish to create a folder for all your sites. In this guide we will use /www/ as the root folder, but you should choose a unique path name.

mkdir -p /www/default/wwwroot/

mkdir -p /www/example.com/wwwroot/

mkdir -p /www/other.example.com/wwwroot/

Copy your CFML source code into the directory; /www/default/wwwroot/ could be set up as the default site for Apache.

Next, add the apache user to the webusers group we created previously:

usermod -aG webusers apache

Set up some file system permissions:

chown -R root:webusers /www

chmod -R 750 /www

chcon -R -t httpd_sys_content_t -u system_u /www/default/wwwroot/

chcon -R -t httpd_sys_content_t -u system_u /www/example.com/wwwroot/

chcon -R -t httpd_sys_content_t -u system_u /www/other.example.com/wwwroot/

Edit httpd.conf and change the DocumentRoot from /var/www/html to your new default site root, for example /www/default/wwwroot

Next tell Apache that it is allowed to serve files to the public under the folder /www by adding:

<Directory "/www">
    Options None
    AllowOverride None
    Require all granted
</Directory>

Create an index.html file in the default site:

echo 'Hello' > /www/default/wwwroot/index.html

Restart Apache:

service httpd restart

Test to make sure Apache is working:


curl http://localhost/

The above curl command should output the contents of /www/default/wwwroot/index.html, which should be Hello.

5.6.4 Start Apache on Boot

By default Apache will not start up on system boot; you need to tell systemctl to enable the service. As root or using sudo run the following:

systemctl enable httpd.service

5.6.5 Connect Apache to ColdFusion

Note that there is a bug in the Auto Lockdown Tool when it configures the connector with SELinux enabled. You may be able to skip this step (and allow the Auto Lockdown Tool to connect Apache to ColdFusion) if you do not have SELinux enabled or if the bug has been resolved: https://tracker.adobe.com/#/view/CF-4203248

Run wsconfig as root or with sudo to connect ColdFusion to Apache:

/opt/coldfusion2018/cfusion/runtime/bin/wsconfig -ws Apache -dir /etc/httpd/conf -bin /usr/sbin/httpd

You may see an error that Apache was unable to start; this is due to the bug mentioned above. To correct this, run the following commands:

WSCONFIG_DIR=/opt/coldfusion2018/config/wsconfig
NUM=1

# Create a mod_jk.log file:
touch $WSCONFIG_DIR/$NUM/mod_jk.log

# Set file system permissions:
chown -R cfuser:apache $WSCONFIG_DIR
chmod -R 540 $WSCONFIG_DIR
chmod 550 $WSCONFIG_DIR/$NUM/mod_jk.so
chmod 560 $WSCONFIG_DIR/$NUM/mod_jk.log
chcon -t httpd_modules_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk.so
chcon -t httpd_log_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk.log
chcon -t httpd_config_t -u system_u $WSCONFIG_DIR/$NUM/uriworkermap.properties
chcon -t httpd_config_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk_vhost.conf

# Allow Apache to connect to the CF AJP connector port (defined in server.xml):
semanage port -a -t http_port_t -p tcp 8018

# Update the JkShmFile path in mod_jk.conf. Edit the file in place: redirecting
# sed's output back onto the same file would truncate it before sed reads it.
sed -i '/JkShmFile/s/.*/JkShmFile "\/var\/cache\/httpd\/1_jk_shm"/' /etc/httpd/conf/mod_jk.conf

Tip: you can put the above commands into a file that begins with #!/bin/bash and then run them all at once as a script.

At this point you can restart Apache and try accessing a test.cfm file to see if it works.
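The steps above, as an added script that is not part of the guide or of Adobe's tooling: the connector fix wrapped in functions, with the file-existence checks and the skip-if-already-mapped semanage step a practitioner would want before running it unattended. The wsconfig directory, instance number, user names and AJP port 8018 default to the guide's values and are assumptions to adjust for your server.

```bash
#!/bin/bash
# Added example, not part of the guide: wraps the SELinux connector fix from
# section 5.6.5 in functions. Defaults are the guide's values (assumed);
# applying the fix requires root.
set -eu

# Rewrite the JkShmFile directive in place. (Redirecting sed's output back
# onto its input file truncates the file before sed reads it.)
fix_jk_shm_file() {
    conf="$1"
    shm="${2:-/var/cache/httpd/1_jk_shm}"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    sed -i "s|^[[:space:]]*JkShmFile.*|JkShmFile \"$shm\"|" "$conf"
    # Fail loudly if the file had no JkShmFile line to rewrite.
    grep -q "^JkShmFile \"$shm\"" "$conf"
}

# Fix ownership, permissions and SELinux contexts of the wsconfig connector
# directory and allow httpd to reach the AJP port.
apply_connector_fix() {
    wsconfig_dir="${1:-/opt/coldfusion2018/config/wsconfig}"
    num="${2:-1}"
    cf_user="${3:-cfuser}"
    web_user="${4:-apache}"
    ajp_port="${5:-8018}"   # AJP port from server.xml; 8018 is the guide's value (assumed)
    inst="$wsconfig_dir/$num"
    for f in mod_jk.so uriworkermap.properties mod_jk_vhost.conf; do
        [ -f "$inst/$f" ] || { echo "missing $inst/$f; run wsconfig first" >&2; return 1; }
    done
    touch "$inst/mod_jk.log"
    chown -R "$cf_user:$web_user" "$wsconfig_dir"
    chmod -R 540 "$wsconfig_dir"
    chmod 550 "$inst/mod_jk.so"
    chmod 560 "$inst/mod_jk.log"
    chcon -t httpd_modules_t -u system_u "$inst/mod_jk.so"
    chcon -t httpd_log_t     -u system_u "$inst/mod_jk.log"
    chcon -t httpd_config_t  -u system_u "$inst/uriworkermap.properties"
    chcon -t httpd_config_t  -u system_u "$inst/mod_jk_vhost.conf"
    # semanage refuses to add a mapping that already exists, so check first.
    if ! semanage port -l | grep -E '^http_port_t[[:space:]]+tcp' | grep -qw "$ajp_port"; then
        semanage port -a -t http_port_t -p tcp "$ajp_port"
    fi
    fix_jk_shm_file /etc/httpd/conf/mod_jk.conf
}

# Only apply when invoked as: ./cf-connector-fix.sh --apply [wsconfig_dir] [num] ...
# Without --apply the file just defines the functions (it can be sourced).
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_connector_fix "$@"
    echo "connector fix applied; restart httpd and request a test.cfm"
fi
```

Run it as root with --apply after wsconfig has created the connector directory; the positional arguments override the assumed defaults in the order listed in apply_connector_fix.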

5.7 Run the Linux ColdFusion Auto Lockdown Tool

Before running the ColdFusion Auto Lockdown Tool please ensure the following:

ColdFusion is running (service cf2018 start), and you have logged in to the ColdFusion Administrator at least once.

Apache is running (service httpd start); test by accessing port 80 or 443.

Run the auto lockdown tool as the root user or by using sudo.

ColdFusion Installation Directory - enter the directory where ColdFusion is installed.

Apply latest ColdFusion update - select Yes to have the lockdown tool check for updates and install them.

Automatic Update or Manual - select Automatic if the server is connected to the internet.

ColdFusion Instance - enter the name of the instance to lock down; select the default, cfusion.

Web Server - select Apache.

Admin Username - enter your ColdFusion Administrator username.

Admin Password - enter your ColdFusion Administrator password.

Internal Web Server Port - enter the port number you chose for the internal web server during installation (default is 8500).

System Admin User - enter the username for your root user account.

System Admin Password - if root has a password you may enter it; if it does not have a password configured, just hit enter.

Do you have a user created for running CF services? - select Yes.

ColdFusion Runtime Username - enter the username for the ColdFusion user you created, eg cfuser.

ColdFusion Runtime User Password - hit enter, because the user was created as a system account so it does not have a password.

ColdFusion Runtime User Group - enter the name of the group you created, for example webusers.

Do you have a user created for running Web Server services? - select Yes.

Web Server Group - the name of the group that the web server user belongs to (default is apache on RedHat Linux).

Web Server Username - the username for the web server user (default is apache on RedHat Linux).

Web Server Password - hit enter; the web server user is created as a system account so it does not have a password by default on RedHat Linux.

Web Server Conf Directory Path - enter the path to the folder that contains httpd.conf; on RedHat Linux it will be /etc/httpd/conf

Web Server Binary Path - enter the path to the httpd binary; on RedHat Linux it will be /usr/sbin/httpd

Web Server Web Root Path - enter the path to the web root directory you created, for example: /web/

File Upload Path - the lockdown installer will grant write permissions to the folder specified. If you have more than one folder, you can do this manually with chmod, for example chmod u+w /web/example.com/path-to-write-to/

Alias for cf_scripts - select a path other than the defaults, not /cf_scripts and not /cf2018_scripts.

Shutdown Port - change the shutdown port to a non-default value.

Review the Lockdown Tool logs in /opt/coldfusion2018/lockdown/cfusion/Logs (the path may differ), and ensure that it states "ColdFusion Server has been locked down successfully" and that there are no errors.

5.8 Update JVM

The Java Virtual Machine included with the ColdFusion installer may not contain the latest Java security hotfixes. You must periodically check for JVM security hotfixes.

Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However, ColdFusion "Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion". Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/

Download the RPM for the latest supported JRE from Adobe: https://www.adobe.com/support/coldfusion/downloads.html. Install the rpm:

rpm -ivh jre-11.0.xx_linux-x64_bin.rpm

After you run the binary, the JVM is installed in /usr/java/ and a symbolic link, /usr/java/latest/, is created pointing to the latest installed version. You point ColdFusion to this path to simplify future JVM updates.

Verify that the version of Java in /usr/java/latest/ is a version supported for ColdFusion 2018. At the time of this writing Java 10 is the latest supported major version of Java.

/usr/java/latest/bin/java -version

Locate the jvm.config file (by default it is located in /opt/coldfusion2018/cfusion/bin/) and make a backup:

cp jvm.config jvm.config.backup

To update using the ColdFusion Administrator: click on Server Settings > Java and JVM and then enter /usr/java/latest/ in the Java Virtual Machine Path text box.

To update via the shell: edit jvm.config in a text editor and locate the line beginning with java.home=, for example:

java.home=/opt/coldfusion2018/jre

Change that line to:

java.home=/usr/java/latest

Restart ColdFusion for the new JVM to take effect. Visit the System Information page of the ColdFusion Administrator to confirm that the JVM has been updated. To revert to the default JVM, replace jvm.config with jvm.config.backup and restart ColdFusion again.

5.8.1 Update JVM Add-On Services


If you installed the add-on services, ensure that the startup script points to the updated JVM. Look for the line:

SOLR_JVM="/opt/coldfusion2018/jre"

And update it to:

SOLR_JVM="/usr/java/latest"

5.9 Setup Auditing

First ensure that auditd is installed and configured to meet your requirements in /etc/audit/auditd.conf

Use auditctl to add auditing of file system operations, for example:

auditctl -w /opt/coldfusion2018 -p wax -k cf2018

The above will audit all write, attribute change and execute operations on the path /opt/coldfusion2018/ and tag all entries with the filter key cf2018. Now that the filter key is set up you can query the audit log using:

ausearch -k cf2018

Keep in mind that the above might get a bit noisy if ColdFusion is writing a lot of log files; placing the log files elsewhere will reduce this noise.

You may also consider setting up auditing on other important paths such as /etc/ or your web root file system.
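An added example, not from the guide, of reading the records the rule above produces: a shell function that correlates SYSCALL and PATH records by audit event id, keeps only events tagged with the filter key, and drops the writes under the ColdFusion log directory that the text calls noise, so what remains is who touched which file elsewhere under the install. The records in SAMPLE_AUDIT are constructed and abbreviated; the log directory path is the guide's default and is an assumption.

```bash
#!/bin/bash
# Added example, not part of the guide: summarise raw audit records
# (from /var/log/audit/audit.log or `ausearch -k cf2018 --raw`) for one
# filter key, reporting who touched which file, minus a noisy path prefix.
set -eu

# usage: summarize_cf_audit <key> [ignored-path-prefix]   (records on stdin)
summarize_cf_audit() {
    awk -v key="$1" -v noise="${2:-}" '
    {
        # Every record carries msg=audit(<time>:<serial>); the serial links
        # the SYSCALL record to the PATH records of the same event.
        if (!match($0, /msg=audit\([^)]*\)/)) next
        id = substr($0, RSTART + 4, RLENGTH - 4)
    }
    /^type=SYSCALL / && index($0, "key=\"" key "\"") {
        match($0, / uid=[0-9]+/); u = substr($0, RSTART + 5, RLENGTH - 5)
        match($0, /exe="[^"]*"/);  e = substr($0, RSTART + 5, RLENGTH - 6)
        who[id] = "uid=" u " exe=" e
    }
    # item=0 is the parent directory (nametype=PARENT); keep the file entry.
    /^type=PATH / && !/nametype=PARENT/ && match($0, /name="[^"]*"/) {
        file[id] = substr($0, RSTART + 6, RLENGTH - 7)
    }
    END {
        for (id in who)
            if ((id in file) && (noise == "" || index(file[id], noise) != 1))
                print who[id], file[id]
    }'
}

# Constructed, abbreviated records: a log write by the ColdFusion JVM (noise),
# an edit of neo-security.xml by root (worth seeing), and an unrelated key.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1585670400.101:501): arch=c000003e syscall=257 success=yes exit=5 uid=995 gid=993 euid=995 comm="java" exe="/usr/java/latest/bin/java" key="cf2018"
type=PATH msg=audit(1585670400.101:501): item=0 name="/opt/coldfusion2018/cfusion/logs/" nametype=PARENT
type=PATH msg=audit(1585670400.101:501): item=1 name="/opt/coldfusion2018/cfusion/logs/coldfusion-out.log" nametype=NORMAL
type=SYSCALL msg=audit(1585670400.250:502): arch=c000003e syscall=257 success=yes exit=3 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="cf2018"
type=PATH msg=audit(1585670400.250:502): item=0 name="/opt/coldfusion2018/cfusion/lib/" nametype=PARENT
type=PATH msg=audit(1585670400.250:502): item=1 name="/opt/coldfusion2018/cfusion/lib/neo-security.xml" nametype=NORMAL
type=SYSCALL msg=audit(1585670400.300:503): arch=c000003e syscall=257 success=yes exit=3 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="etc"
type=PATH msg=audit(1585670400.300:503): item=0 name="/etc/passwd" nametype=NORMAL'

# Report for the constructed sample, ignoring the ColdFusion log directory
# (the guide's default path, assumed here).
sample_report() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_cf_audit cf2018 /opt/coldfusion2018/cfusion/logs
}

sample_report
```

On a real server feed it `ausearch -k cf2018 --raw` instead of the sample; anything reported outside the log directory is a change to the ColdFusion install worth reconciling with your change records.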

5.10 Change umask

Edit the {cf.root}/bin/sysinit startup script and add the following line near the top, but below the # description comment:

umask 007

Consider setting a more restrictive umask on the group permission.

5.11 Additional Lockdown Steps

Go back to Section 3, ColdFusion Administrator Settings, and then to Section 4, Additional Lockdown Measures, to perform additional steps.


6 Performance Monitoring Toolset Security Considerations

6.1 Installing the PMT

Select a non-default path to install to. Select non-default port numbers. Enter a username other than admin and use a strong password.

For additional isolation consider installing the PMT on a dedicated server. The PMT Service and PMT Datastore could also be isolated on dedicated servers.

6.2 ColdFusion Server Auto Discovery

The PMT auto discovery feature can detect ColdFusion servers over multicast (default port 46864). Ensure that your network firewall or operating system firewall is configured to limit access accordingly.

More information about auto discovery: https://coldfusion.adobe.com/2018/07/auto-discovery/

6.3 PMT Datastore

The PMT datastore is an ElasticSearch server. Any computer with access to the port that the PMT datastore is running on can access all the data it contains.

Ensure that the PMT datastore is not running on the default port (9200 to 9300).

Ensure that a network or OS firewall has been configured to deny external access to this port. ColdFusion 2018 servers that are monitored require access to the PMT datastore port.

6.4 Run PMT and PMT Datastore as Dedicated User

The ColdFusion 2018 Performance Monitoring Toolset service and the ColdFusion 2018 Performance Monitoring Toolset Datastore service run as LocalSystem by default.

Create two Local User Accounts. In this guide we will use the usernames pmtdatastore and pmtservice; however, you should create unique names. Next create a group that contains both users, for example pmtgroup.

Grant read only permission to the group (eg pmtgroup) on the Performance Monitoring Toolset installation directory (the default is C:\ColdFusion2018PerformanceMonitoringToolset or /opt/ColdFusion2018PerformanceMonitoringToolset).

Grant Full Control (read and write) permission on the logs and config directories under the PMT installation directory to the pmtservice user account.

Grant Full Control (read and write) permission on the datastore/data and datastore/logs directories under the PMT installation directory to the pmtdatastore user account.

Note that the pmtservice user does not need access to the datastore subfolder; you may consider denying the pmtservice user access to the datastore folder.

Update the Service Log On Identity for the ColdFusion 2018 Performance Monitoring Toolset service to point to your pmtservice user.

Update the Service Log On Identity for the ColdFusion 2018 Performance Monitoring Toolset Datastore service to point to your pmtservice user.

Restart both services.

6.5 Update PMT JVM

Edit the jvm.config file located in the config subfolder of the PMT installation directory. Replace the following line:

java.home=C:\ColdFusion2018PerformanceMonitoringToolset\jre

With a path pointing to your current JVM, for example:


java.home=C:\Java\jdk-11.0.XX\


7 API Manager Security Considerations

7.1 Install API Manager

Download and run the API Manager Installer.

Consider changing ports to non-default values.

Use a dedicated partition/drive for the API Manager application server files.

For maximum isolation you can install the API Manager, Data Store and Analytics Server services on separate servers. If you are installing everything on a single server, check the Data Store and Analytics Server checkboxes to install these services locally.

7.2 Connect API Manager to IIS

Follow section 2.2 to ensure that the required IIS role services are installed on the server. Create an empty directory for a new site in IIS, for example d:\sites\api.example.com\wwwroot\

Create empty subfolders called portal, amp, analytics and admin.

URI         Purpose                                                          Restrict
/analytics  Allows publishers, subscribers and admins to see stats related   Restrict to admins, publishers and subscribers
            to the API use.
/admin      API Manager administrator interface.                             Block public access.
/amp        Internal API for API Manager. Used by /portal/analytics          Restrict to admins, publishers and subscribers
/amp/admin  Internal API for API Manager Admin                               Block public access

Block or restrict access to the URIs using request filtering, IP restrictions, or web server authentication.

7.3 Run API Manager as a Dedicated User

Create a unique user for each service (for example: apimanager, apidatastore, apianalytics) with minimal permissions. Next create a user group containing each service user; in this guide we will call the group apimanagers, but you should use unique user names and group names.

Stop all API Manager services.

Grant read only permission to the apimanagers group for the entire API Manager installation root directory {api.root} (for example x:\ApiManager\ or /opt/ApiManager/).

Next grant read and write (Full Control) permission to the apidatastore user for the {api.root}/database/datastore/ directory.

Start the API Datastore service.

Grant read and write (Full Control) permission to the apianalytics user for the following directories:

{api.root}/database/analytics/data/

{api.root}/database/analytics/logs/

Start the API Analytics service.

Grant read and write (Full Control) permission to the apimanager user for the following directories:

{api.root}/conf

{api.root}/logs

Start the API Manager services and test.

On Linux you will need to create a startup script to run each of the services as its dedicated user, for example:

su apidatastore -c "/opt/ApiManager/database/datastore/redis-server /opt/ApiManager/database/datastore/redis.conf.properties"

su apianalytics -c "/opt/ApiManager/database/analytics/bin/elasticsearch"

su apimanager -c "/opt/ApiManager/bin/start.sh"


8 Patch Management Procedures

Staying up to date with patches is essential to maintaining security on the server. The system administrator should monitor the vendors' security pages for all software in use. Most vendors have a security mailing list that will notify you by email when vulnerabilities are discovered.

Sign up for the Adobe Security Notification Service: https://www.adobe.com/subscription/adbeSecurityNotifications.html

Check the following websites frequently:

Adobe ColdFusion Security Bulletins: https://helpx.adobe.com/security/products/coldfusion.html

Microsoft Security TechCenter: https://www.microsoft.com/en-us/msrc

RedHat Security: https://www.redhat.com/security/updates/

Listing of security vulnerabilities in the Apache web server: https://httpd.apache.org/security_report.html

Listing of security vulnerabilities in Tomcat: https://tomcat.apache.org/security-9.html

To keep up with ColdFusion 2018 updates you can use the server update feature in the ColdFusion Administrator. Consider setting up an instance to email you when new updates are released.

You should also consider subscribing to the ColdFusion Community Portal: https://coldfusion.adobe.com/.

Finally, a third party commercial service, http://hackmycf.com, will let you know when relevant ColdFusion, Java, Tomcat, etc. security patches are released. It will also scan your server on a periodic basis and send you a report.


9 Sources of Information

Microsoft Security Compliance Management Toolkit: http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e

NSA Operating System Security Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

NSA Guide to Secure Configuration of Red Hat Enterprise Linux 5: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Tips for Securing Apache: http://www.petefreitag.com/item/505.cfm

Apache Security by Ivan Ristic, 2005, O'Reilly. ISBN: 0-596-00724-8

Tips for Secure File Uploads with ColdFusion: http://www.petefreitag.com/item/701.cfm

HackMyCF.com Remote ColdFusion vulnerability scanner: http://hackmycf.com/

Fixing Apache (13) Permission Denied 403 Forbidden Errors: http://www.petefreitag.com/item/793.cfm

Apache Tomcat 8.5 Security Considerations: http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html

Getting started with AppCmd.exe: http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe

Professional Microsoft IIS 8 by Schaefer, Kenneth; Cochran, Jeff; Forsyth, Scott; Glendenning, Dennis; Perkins, Benjamin. Wiley. ISBN: 978-1-118-38804-4

ColdFusion and SELinux: http://www.talkingtree.com/blog/index.cfm?mode=entry&entry=28ED0616-50DA-0559-A0DD2E158FF884F3

ColdFusion MX with SELinux Enforcing: http://www.ghidinelli.com/2007/12/06/coldfusion-mx-with-selinux-enforcing

Thanks to Charlie Arehart for providing several suggestions and feedback on prior versions of the guide.


10 Reference Tables

10.1 Tags that use /cf_scripts/assets

Tag                               URI Pattern                      Notes
cfajaxproxy                       /cf_scripts/scripts/ajax/
cfajaximport                      /cf_scripts/scripts/             This tag lets you override the default scriptsrc setting
cfautosuggest                     /cf_scripts/scripts/ajax/
cfcalendar                        /cf_scripts/scripts/ajax/
cfchart                           /cf_scripts/scripts/ajax/
                                  /cf_scripts/scripts/chart/
cfclient                          /cf_scripts/cfclient/
cfdiv                             /cf_scripts/scripts/ajax/
cffileupload                      /cf_scripts/scripts/ajax/
cfform                            /cf_scripts/scripts/cfform.js
                                  /cf_scripts/scripts/masks.js
cfform format=flash               /cf_scripts/scripts/ajax/        Deprecated since CF11
cfform format=xml                 /cf_scripts/scripts/ajax/        Deprecated since CF11
cfgrid                            /cf_scripts/scripts/ajax/
cfgrid format=applet              /cf_scripts/classes/             Deprecated since CF11
cfinput (autosuggest, datefield)  /cf_scripts/scripts/ajax/
cflayout                          /cf_scripts/scripts/ajax/
cfmap                             /cf_scripts/scripts/ajax/
cfmediaplayer                     /cf_scripts/scripts/ajax/
cfmenu                            /cf_scripts/scripts/ajax/
cfmessagebox                      /cf_scripts/scripts/ajax/
cfpod                             /cf_scripts/scripts/ajax/
cfprogressbar                     /cf_scripts/scripts/ajax/
cfslider                          /cf_scripts/scripts/ajax/
cfsprydataset                     /cf_scripts/scripts/ajax/        Deprecated since CF11
cftextarea                        /cf_scripts/scripts/ajax/
                                  /cf_scripts/scripts/ckeditor/    Consider blocking the ckeditor subfolder if you do not use this tag, because it has cfm files in it.
cftooltip                         /cf_scripts/scripts/ajax/
cftree                            /cf_scripts/scripts/ajax/
cftree format=applet              /cf_scripts/classes/             Deprecated since CF11
cfwebsocket                       /cf_scripts/scripts/ajax/
cfwindow                          /cf_scripts/scripts/ajax/


11 Troubleshooting

11.1 ColdFusion cannot write files under the web root

The Auto Lockdown tool gives ColdFusion read only permission to the web root. If there are files or folders that ColdFusion must write to, you need to give the ColdFusion user account (eg cfuser) write permission.

11.2 Requesting a cfm results in a 404 after Lockdown tool

Here are two possible causes.

The IIS Application Pool .NET Framework Version may not have been set to No Managed Code.

The auto lockdown tool does not create inheritable file system permissions, so ColdFusion's user account may not have permission to read the file if it was created after the lockdown tool ran. See the section titled Adjust Windows File System Permissions.

11.3 IIS does not have permission to read web.config file

If you made a change in IIS after running the lockdown tool that caused a new web.config file to be created, the new file may not have the appropriate permissions. See the section titled Adjust Windows File System Permissions.

11.4 WebSockets are not working after running lockdown tool

Sites that use the ColdFusion WebSocket proxy must change the .NET Framework Version in the IIS Application Pool Settings from No Managed Code to a version of .NET that supports WebSockets (v4+).

11.5 Help Installing ColdFusion Hotfixes

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide


12 Revision History

Version 1.0 - 2018-08-13 - Initial Release.

Version 1.1 - 2018-10-05

Typo in section 4.11 Disable Unused Servlet Mappings on Page 34: /flex/internal/ should be /flex-internal/

Version 1.2 - 2019-03-19

Removed section (previously 2.7) Adjust Windows File System Permissions because it is no longer necessary due to bug fixes: https://tracker.adobe.com/#/view/CF-4202957

Revised the Update JVM sections pertaining to Oracle licensing changes.

Changed Allow concurrent login sessions for Administrator Console from checked to unchecked.

Version 1.3 - 2020-03-31

Added note in section 4.4 about write permission to WEB-INF cfclasses, rest-skeletons, and cfc-skeletons.

