Adobe ColdFusion 2018 Lockdown Guide (2018-08-13)

Adobe ColdFusion (2018 release) Lockdown Guide
Written by Pete Freitag, Foundeo Inc.
© 2018 Adobe Systems Incorporated and its Licensors. All Rights Reserved.

If this guide is distributed with software that includes an end user agreement, this guide, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by any such license, no part of this guide may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written permission of Adobe Systems Incorporated. Please note that the content in this guide is protected under copyright law even if it is not distributed with software that includes an end user license agreement.

The content of this guide is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Adobe Systems Incorporated. Adobe Systems Incorporated assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this guide.

Please remember that existing artwork or images that you may want to include in your project may be protected under copyright law. The unauthorized incorporation of such material into your new work could be a violation of the rights of the copyright owner. Please be sure to obtain any permission required from the copyright owner. Any references to company names in sample templates are for demonstration purposes only and are not intended to refer to any actual organization.

Adobe, the Adobe logo, Adobe Content Server, Adobe Digital Editions, and Adobe PDF are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Microsoft, Windows and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Macintosh and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries. All other trademarks are the property of their respective owners.

Adobe Systems Incorporated, 345 Park Avenue, San Jose, California 95110, USA.

Notice to U.S. Government End Users. The Software and Documentation are “Commercial Items,” as that term is defined at 48 C.F.R. §2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §§227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein. Unpublished-rights reserved under the copyright laws of the United States.

For U.S. Government End Users, Adobe agrees to comply with all applicable equal opportunity laws including, if appropriate, the provisions of Executive Order 11246, as amended, Section 402 of the Vietnam Era Veterans Readjustment Assistance Act of 1974 (38 USC 4212), and Section 503 of the Rehabilitation Act of 1973, as amended, and the regulations at 41 CFR Parts 60-1 through 60-60, 60-250, and 60-741. The affirmative action clause and regulations contained in the preceding sentence shall be incorporated by reference.


Table of Contents

1 Introduction
1.1 Default File Paths and Usernames
1.2 Operating Systems and Web Servers
1.3 ColdFusion Version
1.4 Scope of Document
1.5 Applying to Existing Installations
1.6 Naming Conventions

2 ColdFusion On Windows
2.1 Installation Prerequisites
2.2 Install & Configure IIS
2.3 Run the Windows ColdFusion Installer
2.4 Install ColdFusion Hotfixes
2.5 Setup Websites in IIS
2.6 Run the ColdFusion 2018 Server Auto Lockdown Tool
2.7 Update JVM

3 ColdFusion Administrator Settings
3.1 Server Settings > Settings
3.2 Server Settings > Request Tuning
3.3 Server Settings > Caching
3.4 Server Settings > Client Variables
3.5 Server Settings > Memory Variables
3.6 Server Settings > Mappings
3.7 Server Settings > Mail
3.8 Server Settings > WebSocket
3.9 Server Settings > Charting
3.10 Data & Services > Data Sources
3.11 Data & Services > ColdFusion Collections
3.12 Data & Services > Solr
3.13 Data & Services > Flex Integration
3.14 Data & Services > PDF Service
3.15 Debugging & Logging > Debug Output Settings
3.16 Debugging & Logging > Developer Profile
3.17 Debugging & Logging > Debugger Settings
3.18 Debugging & Logging > Logging Settings
3.19 Debugging & Logging > Remote Inspection Settings
3.20 Event Gateways > Settings
3.21 Event Gateways > Gateway Instance
3.22 Security > Administrator
3.23 Security > RDS
3.24 Security > Sandbox Security
3.25 Security > User Manager
3.26 Security > Allowed IP Addresses
3.27 Security > Secure Profile
3.28 Server Update > Updates: Settings

4 Additional Lockdown Measures
4.1 To Configure the Builtin Web Server to bind to 127.0.0.1 only
4.2 To Run the Builtin Web Server over TLS
4.3 To Disable the Builtin Web Server
4.4 Deny ColdFusion Write Permission to Builtin Web Server wwwroot
4.5 Restrict ColdFusion File System Permissions
4.6 Lockdown the ColdFusion Add-on Services
4.7 Lockdown File Extensions
4.8 Additional URIs to Consider Blocking
4.9 Optionally Remove ASP.NET
4.10 Remove ASP.NET ISAPI Filters and Handler Mappings
4.11 Disable Unused Servlet Mappings
4.12 Additional Tomcat Security Considerations
4.13 Additional File Security Considerations
4.14 Adding ClickJacking Protection
4.15 Restricting HTTP Verbs
4.16 Security Constraints in web.xml
4.17 Limit Request Size

ColdFusion 2018 Lockdown Guide (2020-03-31) — Table of Contents, Page 2 of 49


4.18 Distributed Mode or Reverse Proxy
4.19 HTTP Response Headers to improve Security

5 ColdFusion Lockdown on Linux
5.1 Linux Installation Prerequisites
5.2 Create a Dedicated User Account for ColdFusion
5.3 ColdFusion Installation
5.4 Access ColdFusion Administrator via a SSH Tunnel
5.5 Install ColdFusion Hotfixes
5.6 Install and Configure Apache Web Server
5.7 Run the Linux ColdFusion Auto Lockdown Tool
5.8 Update JVM
5.9 Setup Auditing
5.10 Change umask
5.11 Additional Lockdown Steps

6 Performance Monitoring Toolset Security Considerations
6.1 Installing the PMT
6.2 ColdFusion Server Auto Discovery
6.3 PMT Datastore
6.4 Run PMT and PMT Datastore as Dedicated User
6.5 Update PMT JVM

7 API Manager Security Considerations
7.1 Install API Manager
7.2 Connect API Manager to IIS
7.3 Run API Manager as a Dedicated User

8 Patch Management Procedures

9 Sources of Information

10 Reference Tables
10.1 Tags that use /cf_scripts/assets

11 Troubleshooting
11.1 ColdFusion cannot write files under the webroot
11.2 Requesting a cfm results in a 404 after Lockdown tool
11.3 IIS does not have permission to read web.config file
11.4 WebSockets are not working after running lockdown tool
11.5 Help Installing ColdFusion Hotfixes

12 Revision History


1 Introduction

The ColdFusion 2018 Lockdown Guide is written to help server administrators secure their ColdFusion 2018 installations. In this document you will find several tips and suggestions intended to improve the security of your ColdFusion server.

IMPORTANT: The reader is strongly encouraged to test all recommendations on an isolated test environment before deploying into production.

1.1 Default File Paths and Usernames

This guide provides example file system paths for installation; you should not use the same example installation paths in your own installation. An attacker who knows the default (or the documented) path has one less thing to guess.

1.2 Operating Systems and Web Servers

This guide focuses on Windows Server 2016/IIS 10, and Red Hat Enterprise Linux (RHEL) 7/Apache 2.4. Many of the suggestions presented in this document can be extrapolated to apply to similar operating systems and web servers.

1.3 ColdFusion Version

This guide was written for ColdFusion 2018 Enterprise Edition.

1.4 Scope of Document

This document does not detail security settings for the operating system, the web server, databases, or network firewalls. It is focused on security settings for the ColdFusion server only.

All suggestions in this document should be tested and validated on a non-production environment before deploying to production.

1.5 Applying to Existing Installations

This guide is written from the perspective of a fresh installation. When possible consider performing a fresh installation of the operating system, web server and the ColdFusion server. If an attacker has compromised the existing server in any way you should start with a fresh operating system installation on new hardware.

1.6 Naming Conventions

In this guide we refer to the ColdFusion installation root directory as {cf.root}; it corresponds to the directory that you select when installing ColdFusion. The ColdFusion instance root is referred to as {cf.instance.root} in this guide; Enterprise installations may have multiple instances, but the default instance is {cf.root}/cfusion/


2 ColdFusion On Windows

This section covers the installation and configuration of ColdFusion 2018 on a Windows Server 2016 server. If you are running Linux please start at section 5 ColdFusion Lockdown on Linux.

In this section we will perform the following:

- Installation Prerequisites
- Install & Configure IIS
- Install ColdFusion
- Run the ColdFusion Auto Lockdown Tool
- Update the JVM

2.1 Installation Prerequisites

Before you begin the installation process please review the following:

- Configure a network firewall (and/or configure Windows Firewall) to block all incoming public traffic during installation.
- Read the Microsoft Windows Security Compliance Manager guidelines and documentation: http://www.microsoft.com/en-us/download/details.aspx?id=16776
- Create separate partitions and/or drives for the ColdFusion installation, website assets, and log files. This may reduce what can be compromised by a path traversal attack. It could also mitigate a denial of service attack that attempts to fill the main system drive.
- Remove or disable any software on the server that is not required.
- Run Windows Update and ensure all software running on the server is fully patched.
- Ensure that all partitions use NTFS to allow for fine grained access control and auditing.
- Download ColdFusion from adobe.com.
- Verify that the MD5 or SHA checksum listed on the adobe.com download page matches the file you downloaded. In PowerShell you can run Get-FileHash installer-file-name.exe -Algorithm md5 to obtain the checksum. Prefer the SHA-256 value whenever one is published; MD5 is collision-broken and only useful as a transfer-integrity check.

2.2 Install & Configure IIS

IMPORTANT: Before configuring IIS ensure that public traffic is blocked by your network or OS firewall. You should only enable public traffic after completing all the steps in the lockdown guide.

2.2.1 Install IIS Roles and Features

Open the Windows Server Manager application; under the Manage menu select Add Roles and Features. If IIS is not already installed check Web Server (IIS).

A minimal set of IIS Role Services may include the following:

- Common HTTP Features: Default Document
- Common HTTP Features: HTTP Errors
- Common HTTP Features: Static Content
- Health and Diagnostics: HTTP Logging
- Security: Request Filtering
- Security: IP and Domain Restrictions
- Application Development: .NET Extensibility 4.6 (or latest version)
- Application Development: ASP.NET 4.6 (or latest version)
- Application Development: CGI
- Application Development: ISAPI Extensions
- Application Development: ISAPI Filters
- Management Tools: IIS Management Console

If the server application uses WebSockets also install:

- Application Development: WebSocket Protocol

If you wish to add web server level authentication to any sites you should also install one of the Authentication modules such as:

- Security: Windows Authentication

Select any additional IIS role services or features that your web applications require. You can always go back and add additional role services later if necessary.
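The role-service list above as a repeatable script. This is an added example and is not part of the Adobe guide or the Auto Lockdown Tool: it installs exactly the minimal set with Install-WindowsFeature, adds the two optional services only when asked, and then reports any other leaf IIS role service that ended up installed (installing the Web-Server role pulls in defaults such as Directory Browsing) so you can remove what your applications do not need. The feature names are the ones Get-WindowsFeature reports on Windows Server 2016; the three switches are this script's own.

```powershell
# Added example (not from the guide): install only the IIS role services listed above.
# Run from an elevated PowerShell on the server; the ServerManager module ships with Windows Server.
param(
    [switch]$WebSockets,    # add only if an application uses WebSockets
    [switch]$WindowsAuth,   # add only if a site needs web-server level authentication
    [switch]$RemoveExtras   # uninstall leaf role services that are outside the allowed set
)

Import-Module ServerManager

# Feature names as reported by Get-WindowsFeature; the Server Manager labels are in the comments.
$minimal = @(
    'Web-Server'          # the Web Server (IIS) role itself
    'Web-Default-Doc'     # Common HTTP Features: Default Document
    'Web-Http-Errors'     # Common HTTP Features: HTTP Errors
    'Web-Static-Content'  # Common HTTP Features: Static Content
    'Web-Http-Logging'    # Health and Diagnostics: HTTP Logging
    'Web-Filtering'       # Security: Request Filtering
    'Web-IP-Security'     # Security: IP and Domain Restrictions
    'Web-Net-Ext45'       # Application Development: .NET Extensibility 4.6 (feature name says 45)
    'Web-Asp-Net45'       # Application Development: ASP.NET 4.6
    'Web-CGI'             # Application Development: CGI
    'Web-ISAPI-Ext'       # Application Development: ISAPI Extensions
    'Web-ISAPI-Filter'    # Application Development: ISAPI Filters
    'Web-Mgmt-Console'    # Management Tools: IIS Management Console
)
$allowed = [System.Collections.Generic.List[string]]$minimal
if ($WebSockets)  { $allowed.Add('Web-WebSockets') }    # Application Development: WebSocket Protocol
if ($WindowsAuth) { $allowed.Add('Web-Windows-Auth') }  # Security: Windows Authentication

$result = Install-WindowsFeature -Name $allowed
if (-not $result.Success) { throw "Install-WindowsFeature failed with exit code $($result.ExitCode)" }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before the new features are usable.' }

# Leaf role services (no sub-features of their own) that are installed but not on the allowed list.
# Installing Web-Server brings defaults such as Web-Dir-Browsing and Web-Stat-Compression with it.
$extras = Get-WindowsFeature -Name 'Web-*' |
    Where-Object { $_.Installed -and $_.SubFeatures.Count -eq 0 -and $_.Name -notin $allowed }

if ($extras) {
    Write-Warning ('Installed IIS role services outside the minimal set: ' + ($extras.Name -join ', '))
    if ($RemoveExtras) {
        Uninstall-WindowsFeature -Name $extras.Name | Out-Null
        Write-Host 'Removed the extra role services; re-run without -RemoveExtras to confirm the list is empty.'
    }
}
```

Run it once without -RemoveExtras and read the warning before removing anything: a role service you did not list may still be required by another site on the box, and the guide's advice to "go back and add additional role services later" applies in both directions.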


2.2.2 Add Web Sites to IIS

At a minimum create a web root directory for each website on the server file system. To increase isolation between websites you may consider placing each site on a unique drive letter.

Next copy the website source code into each web root directory.

In IIS add your website.

Test your IIS configuration by requesting a static file such as a txt or js file.

2.3 Run the Windows ColdFusion Installer

2.3.1 ColdFusion Installer: Installer Configuration

On the Installer Configuration view select Server configuration unless you are deploying to an external JEE server (such as JBoss, WebLogic or WebSphere).

2.3.2 ColdFusion Installer: Server Profile

Next select Production Profile + Secure Profile and enter a comma separated list of IP addresses that are allowed to access the ColdFusion Administrator.


Tip: if you want to allow localhost access to the ColdFusion Administrator, enter both the IPv4 127.0.0.1 and IPv6 ::1 versions of localhost. Some browsers may use IPv6 by default for localhost.

The Secure Profile option provides a more secure foundation of default settings. You can review the settings it toggles here: https://helpx.adobe.com/coldfusion/configuring-administering/administering-coldfusion-security.html

Some of the settings that the Secure Profile toggles could cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues.

As of ColdFusion 11 the Secure Profile settings can also be toggled from the ColdFusion Administrator.

2.3.3 ColdFusion Installer: Sub-components Installation

Only select sub-components that your server applications require.

- ODBC Service - Required when connecting to Access databases, not required for SQL Server.
- Solr Service - Full text search engine used by the cfindex, cfsearch and cfcollection tags.
- PDFG Service - WebKit based PDF rendering engine used by the cfhtmltopdf tag. You can still use cfdocument and cfpdf without installing this service.
- Admin Component for Remote Start/Stop - Allows ColdFusion Builder or the Server Manager AIR app to start or stop ColdFusion. Not recommended for production servers.
- .NET Integration Services - Allows createObject and cfobject to create instances of .NET objects and assemblies.

2.3.4 ColdFusion Installer: Enabling or Disabling Servlets

Check any servlets that are required by your application. Most ColdFusion applications do not require any of these servlets to be enabled.

- RDS - Used for development; allows remote access to the file system and databases. This should not be enabled on a production server.
- JSDebug - Used for debugging; should not be enabled on a production server.
- CFReporting - Only required if the cfreport tag is used.
- CFSWF - Used by Flash forms <cfform format="flash"> to generate Flash swf files dynamically.
- FlashForms - Used by Flash forms <cfform format="flash">

2.3.5 ColdFusion Installer: Access Add-on Services Remotely

If you selected the PDFG (cfhtmltopdf tag) or Solr (cfsearch, cfindex, cfcollection tags) sub-components, the ColdFusion 2018 Add-on Services Windows service will be installed.

When the Access Add-on Services Remotely checkbox is unchecked, the Add-on Services are only accessible from the local machine, localhost. If you want to allow access to the services from multiple ColdFusion servers (other than localhost), check the checkbox and specify the IP addresses of the remote ColdFusion servers.


2.3.6 ColdFusion Installer: Select Installation Directory

Specify a file system path for the ColdFusion installation root {cf.root}; consider avoiding the default C:\ColdFusion2018\ path.

Windows ColdFusion Installer: Select Installation Directory

2.3.7 ColdFusion Installer: Built-in Web Server Port Number

Select a non-default port number. Ensure that the port number is blocked by your network/OS firewall.
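The two firewall requirements so far, blocking all public inbound traffic during installation (2.1, 2.2) and keeping the built-in web server port off the network (2.3.7), expressed with the NetSecurity cmdlets on the server itself. This is an added example, not from the guide: the management subnet 10.0.0.0/24 and the built-in port 8555 are placeholders for your own values, and the rule names are this script's own.

```powershell
# Added example (not from the guide): close the server to the network during installation and make
# the ColdFusion built-in web server port unreachable from anywhere but the box itself.
# Assumptions: 10.0.0.0/24 is your management network; 8555 is the non-default built-in port you
# chose in the installer. Run from an elevated PowerShell.
$AdminSubnet   = '10.0.0.0/24'
$CfBuiltInPort = 8555

# Drop any inbound connection that no rule explicitly allows, on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Explicit Block rules take precedence over Allow rules in Windows Firewall, so even a later
# "allow all" rule cannot expose the built-in web server. Loopback traffic is not filtered, so
# http://127.0.0.1:8555/CFIDE/administrator/ keeps working from the console.
New-NetFirewallRule -DisplayName 'Block ColdFusion built-in web server' -Direction Inbound `
    -Protocol TCP -LocalPort $CfBuiltInPort -Action Block -Profile Any | Out-Null

# Remote administration only from the management subnet (RDP shown; WinRM would be 5985/5986).
New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

# DefaultInboundAction only governs traffic that no rule matches. List the inbound Allow rules that
# remain so pre-existing public ones (80/443 included) can be disabled until the lockdown is finished.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
    }
} | Sort-Object Rule | Format-Table -AutoSize
```

The listing at the end is the check that matters: a default-deny profile still honours every enabled Allow rule, so anything you did not put there yourself (an earlier World Wide Web Services rule, for instance) should be disabled with Disable-NetFirewallRule until the last step of the guide. Re-verify after the Auto Lockdown Tool runs, because connector and site changes can create rules of their own.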


WindowsColdFusionInstaller:Built-inWebServerPortNumber

2.3.8 ColdFusion Installer: Performance Monitoring Toolset

Enter the hostname or internal IP address of the server for use with the Performance Monitoring Toolset. This value can be changed later.

Windows ColdFusion Installer: Performance Monitoring Toolset

2.3.9 ColdFusion Installer: Administrator Credentials

Enter a username other than admin and select a strong password.


WindowsColdFusionInstaller:AdministratorCredentials

2.4 Install ColdFusion Hotfixes

Log in to the ColdFusion Administrator via the built-in web server. For example: http://127.0.0.1:8500/CFIDE/administrator/ (replace 8500 with the port you selected during installation).

Click on Server Updates > Updates; if any hotfixes are available select the latest hotfix, and click Download.

Tip: Hotfixes are typically cumulative, so if there are multiple hotfixes, you typically only need to install the latest one. Security hotfixes may have additional steps such as updating the JVM or updating connectors; be sure to read each Security Bulletin for details.

Tip: You can verify the integrity of the downloaded hotfix by running Get-FileHash hotfix_XXX.jar -Algorithm md5 (in PowerShell); check that the checksum matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates

Run the hotfix installer from an elevated (Run as Administrator) Command Prompt or PowerShell terminal (replace hotfix_XXX.jar with the actual hotfix file name):

    x:\cf2018\jre\bin\java -jar x:\cf2018\cfusion\hf-updates\hotfix_XXX.jar

Visit https://www.adobe.com/support/security/ and read any pertinent ColdFusion Security Bulletins. Confirm that all required security patches have been applied.

Some hotfixes or updates may require you to run the ColdFusion Web Server Configuration Tool to upgrade the connector. Carefully review the hotfix release notes to determine if there are any additional steps that should be performed.

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide

2.4.1 Downloading Hotfixes Via Proxy

If your server requires a proxy server to connect to the internet you may need to add the following JVM arguments (in ColdFusion Administrator under Server Settings > Java and JVM) and then restart ColdFusion to use your proxy server:

    -Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=12345 -Dhttp.proxyUser=u -Dhttp.proxyPassword=p

Note that JVM arguments are stored in plain text in jvm.config and are visible in the process command line of the running server; if the proxy credentials are only needed for downloading updates, remove them again once the update is installed.

2.4.2 Servers Without a Public Internet Connection

If your server does not have a public internet connection you can locate the hotfix_XXX.jar file URL using the ColdFusion Update Feed: https://www.adobe.com/go/coldfusion-updates. Download the hotfix_XXX.jar file on a computer with internet access, verify the checksum, and then transfer it to the server.
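The verify-then-install sequence from 2.4 (and the offline variant in 2.4.2) as one script that refuses to run a jar whose checksum does not match. This is an added example, not part of the guide: X:\cf2018 is the guide's example install root, hotfix_XXX.jar is the guide's placeholder file name, and $ExpectedHash is a placeholder for the value you copy from the update feed.

```powershell
# Added example (not from the guide): verify a hotfix jar against the published checksum, then run
# it with ColdFusion's own JRE from an elevated prompt, exactly as the guide's command line does.
# Assumptions: X:\cf2018 is {cf.root}; the jar name and expected hash are placeholders to fill in
# from https://www.adobe.com/go/coldfusion-updates.
$CfRoot       = 'X:\cf2018'
$HotfixJar    = Join-Path $CfRoot 'cfusion\hf-updates\hotfix_XXX.jar'
$ExpectedHash = 'PASTE-CHECKSUM-FROM-UPDATE-FEED'
$Algorithm    = 'MD5'   # what the update feed publishes per the guide; switch to SHA256 if a SHA-256 value is offered

# The installer rewrites files under {cf.root}, so it has to run elevated. Check rather than assume.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as Administrator" and run this again.'
}

if (-not (Test-Path -LiteralPath $HotfixJar -PathType Leaf)) {
    throw "Hotfix not found: $HotfixJar"
}

# Fail closed: a jar that does not match the feed is never executed. PowerShell string comparison
# is case-insensitive, so upper- or lower-case hex from the feed both compare equal.
$actual = (Get-FileHash -LiteralPath $HotfixJar -Algorithm $Algorithm).Hash
if ($actual -ne $ExpectedHash.Trim()) {
    throw "$Algorithm mismatch for $HotfixJar`n  got:      $actual`n  expected: $ExpectedHash"
}
Write-Host "$Algorithm checksum verified: $actual"

# Run the installer with the JRE that ships with ColdFusion (the guide's command line).
$java = Join-Path $CfRoot 'jre\bin\java.exe'
& $java -jar $HotfixJar
if ($LASTEXITCODE -ne 0) {
    throw "Hotfix installer exited with code $LASTEXITCODE; review its output before doing anything else"
}
```

For the offline case in 2.4.2, run the hash check on the internet-connected machine as well as on the server after the transfer; the second check is what catches a corrupted or swapped file in transit. After the installer finishes, confirm the new update level on the Administrator's System Information page, then re-read the matching Security Bulletin for any connector or JVM steps the jar does not perform for you.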


2.5 Setup Websites in IIS

First ensure that the firewall is configured to block live traffic.

Next create the file system for each website that will use ColdFusion and copy all the web files into the file system.

Create and configure each website that will use ColdFusion in IIS.

2.6 Run the ColdFusion 2018 Server Auto Lockdown Tool

The Auto Lockdown Tool performs the following steps for you:

- Connects ColdFusion to the web server (wsconfig)
- Sets the ColdFusion service identity to run as a dedicated account, optionally creating the account for you
- Sets file system permissions for your web root and ColdFusion installation directory
- Adds Request Filtering rules to block various URIs
- Adds a connector shared secret
- Optionally changes the Tomcat shutdown port
- Configures a new cf_scripts alias
- Changes registry permissions

Before you run the tool, make sure you have done the following:

- Installed ColdFusion 2018 with Secure Profile enabled
- Logged in to the ColdFusion Administrator at least once
- Created your websites in IIS, and copied the website files

Download and run the latest copy of the ColdFusion 2018 Server Auto Lockdown Tool: https://www.adobe.com/support/coldfusion/downloads.html

2.6.1 Lockdown Installer: ColdFusion Installation Directory

Choose the directory that ColdFusion was installed to.

Lockdown Installer: Select Installation Directory

2.6.2 Lockdown Installer: ColdFusion Updates

Choose Yes/Automatic to ensure that ColdFusion has been updated to the latest hotfix. Adobe recommends that you install ColdFusion updates before running the Lockdown tool.


Lockdown Installer: ColdFusion Updates

2.6.3 Lockdown Installer: ColdFusion Configuration

Select the instance that you want to lock down.

Lockdown Installer: ColdFusion Configuration

2.6.4 Lockdown Installer: Web Server Configuration

Select the type of web server you are using, IIS in this case.


Lockdown Installer: Web Server Configuration

2.6.5 Lockdown Installer: Websites in IIS

Select the websites that you wish to connect ColdFusion to and to lock down.

Tip: you can hold Shift or Ctrl when clicking to select multiple sites.

Lockdown Installer: Websites in IIS

2.6.6 Lockdown Installer: IIS Application Pool Detail

Verify that the application pool names are correct for each website.


Lockdown Installer: IIS Application Pool Detail

2.6.7 Lockdown Installer: IIS Websites Webroot Detail

Verify that the webroot paths are correct for each website.

Lockdown Installer: IIS Websites Webroot Detail

2.6.8 Lockdown Installer: ColdFusion Administrator Configuration

Enter the ColdFusion Administrator username and password specified during the ColdFusion installation. Also ensure that the built-in web server port is correctly specified (the default port is 8500).


Lockdown Installer: ColdFusion Administrator Configuration

2.6.9 Lockdown Installer: OS Administrator Account Details

Enter the Administrator username, password and server name or domain.

Lockdown Installer: IIS Websites Webroot Detail

2.6.10 Lockdown Installer: ColdFusion Runtime User

Create a unique username for the user account that ColdFusion will run as. Specify the domain, and a strong password.


Lockdown Installer: ColdFusion Runtime User

2.6.11 Lockdown Installer: Shutdown Port

Choose Yes and enter a random port number that is not in use.

Lockdown Installer: ColdFusion Runtime User

2.6.12 Confirm that the Auto Lockdown Tool Ran Successfully

Open the {cf.root}/lockdown/{cf.instance}/Logs/ folder and review the log files to confirm that the installer completed without fatal errors. Specifically, look in the log file(s) that begin with ServerLockdown_ for a line containing: Successfully locked down ColdFusion!

2.6.13 Check User Account Permissions

When the lockdown installer creates a Windows user account for ColdFusion to run as, it does not check the box "Deny this user permissions to log on to Remote Desktop Session Host server" in the User Account Properties.

To fix this open the Computer Management app; under Local Users and Groups find the user account and click Properties. Select the Remote Desktop Services Profile tab and then check the box.


2.6.14 Additional Resources for the Auto Lockdown Tool:

https://helpx.adobe.com/coldfusion/using/server-lockdown.html
https://coldfusion.adobe.com/2018/07/server-auto-lockdown/

2.7 Update JVM

Oracle releases Java security updates on a quarterly basis; most of these updates fix security vulnerabilities that could be exploited in a server environment.

Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However, ColdFusion "Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion". Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/

2.7.1 Download and Install Java

First download the latest version of Java that ColdFusion 2018 supports (Java 11 at the time of this publication) from https://www.adobe.com/support/coldfusion/downloads.html. Select the Java zip distribution and download it.

Tip: Verify the checksum by running

Extract the Java zip file you downloaded to a permanent location, for example C:\Java\jdk-11.0.2\

2.7.2 Update ColdFusion Server JVM

Tip: Make a backup of the {cf.instance.root}/bin/jvm.config file and the {cf.root}/cfusion/jetty/jetty.lax file before making changes. If you type the path incorrectly ColdFusion will fail to start.

Log in to the ColdFusion Administrator, then click on Server Settings, then Java and JVM. Update the Java Virtual Machine Path setting to point to the new JVM, for example: C:\Java\jdk-11.0.2\

Restart ColdFusion. Visit the System Information page of the ColdFusion Administrator to confirm that the JVM has been updated.

If you need to revert your changes and go back to the default JVM, replace jvm.config with your backup and restart/start ColdFusion.

Repeat for each ColdFusion instance.

Test your sites again.

2.7.3 Update JVM for ColdFusion Add-on Services

If you installed the ColdFusion 2018 Add-on Services for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf), they run in a separate process and will use the {cf.root}/jre by default.

Locate the file {cf.root}/cfusion/jetty/jetty.lax and make a backup of it. Next right click on jetty.lax and open it with Notepad or any plain text editor. Look for a line that defines the property lax.nl.current.vm, for example:

    lax.nl.current.vm=C:\\ColdFusion2018\\jre\\bin\\javaw.exe

Change it to point to javaw.exe on your new JVM. Ensure that you use two backslashes \\ to separate folders. For example:

    lax.nl.current.vm=C:\\java\\jdk-11.0.XX\\jre\\bin\\javaw.exe

Restart the ColdFusion 2018 Add-on Services service.

Test your sites again.
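The jetty.lax edit from 2.7.3, together with the backups that 2.7.2 asks for, as a script that checks the new javaw.exe actually exists before it writes anything, so a mistyped path cannot leave the Add-on Services unable to start. This is an added example, not part of the guide: X:\cf2018 as {cf.root} and C:\Java\jdk-11.0.2 as the extracted JDK are assumptions, and the service is looked up by the display name the guide uses, "ColdFusion 2018 Add-on Services".

```powershell
# Added example (not from the guide): repoint the Add-on Services at the new JVM by rewriting the
# lax.nl.current.vm line in jetty.lax, validating the target first and backing up both files the
# guide tells you to back up. Assumptions: X:\cf2018 is {cf.root}; C:\Java\jdk-11.0.2 is the
# extracted JDK; the Windows service display name is "ColdFusion 2018 Add-on Services".
$CfRoot = 'X:\cf2018'
$NewJdk = 'C:\Java\jdk-11.0.2'

$LaxFile   = Join-Path $CfRoot 'cfusion\jetty\jetty.lax'
$JvmConfig = Join-Path $CfRoot 'cfusion\bin\jvm.config'

# JDK 11 zips put javaw.exe in bin\; older layouts (and the guide's example line) use jre\bin\.
# Take whichever exists, and refuse to touch jetty.lax if neither does.
$javaw = @("$NewJdk\bin\javaw.exe", "$NewJdk\jre\bin\javaw.exe") |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } | Select-Object -First 1
if (-not $javaw) { throw "No javaw.exe found under $NewJdk; jetty.lax left untouched" }

# Timestamped backups, so repeated runs never overwrite the copy you may need to restore.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($f in @($LaxFile, $JvmConfig)) {
    if (Test-Path -LiteralPath $f) { Copy-Item -LiteralPath $f -Destination "$f.$stamp.bak" }
}

# LAX files need every backslash doubled: C:\Java\... must be written as C:\\Java\\...
$laxValue = 'lax.nl.current.vm=' + $javaw.Replace('\', '\\')

$pattern = '^lax\.nl\.current\.vm='
$lines   = Get-Content -LiteralPath $LaxFile
if (-not ($lines -match $pattern)) { throw "lax.nl.current.vm not found in $LaxFile" }
$updated = foreach ($line in $lines) {
    if ($line -match $pattern) { $laxValue } else { $line }
}
# Assumes jetty.lax is plain ASCII; pick a matching -Encoding if your path has non-ASCII characters.
Set-Content -LiteralPath $LaxFile -Value $updated -Encoding ASCII

# Show what was written, then restart the add-on services and wait for them to come back up.
Select-String -LiteralPath $LaxFile -Pattern $pattern | ForEach-Object Line
$svc = Get-Service -DisplayName 'ColdFusion 2018 Add-on Services' -ErrorAction Stop
Restart-Service -InputObject $svc -ErrorAction Stop
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "Add-on Services restarted on $javaw"
```

If WaitForStatus times out, restore jetty.lax from the .bak copy the script just made and start the service again; the jvm.config backup is there for the same reason after the Administrator-side change in 2.7.2. Running a cfsearch or cfhtmltopdf page afterwards is the test that the services are really using the new JVM, not just running.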

For additional information on updating the JVM please see:

http://blogs.coldfusion.com/post.cfm/how-to-change-upgrade-jdk-version-of-coldfusion-server
http://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start
https://www.youtube.com/watch?v=zzC31EAlZ8Y


3 ColdFusion Administrator Settings

In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of all settings before making any changes.

3.1 Server Settings > Settings

Setting | Suggestion | Additional Info
Timeout Requests After | Checked / 5 Sec. | Set this value as low as possible. Any templates (such as scheduled tasks) that might take longer should use the cfsetting tag. For example: <cfsetting requesttimeout="60">
Use UUID for CFToken | Checked | When unchecked the cftoken values are sequential and make it fairly easy to hijack sessions by guessing a valid CFID/CFTOKEN pair. This setting is not necessarily required if J2EE sessions are enabled, however it doesn't hurt to turn it on anyway.
Disable CFC Type check | Unchecked | Developers may rely on the argument types; enabling this setting might allow attackers to cause new exceptions in the application. This setting may be enabled if the developer(s) have built the application to account for this. Performance may degrade when this setting is Unchecked.
Disable access to internal ColdFusion Java components | Checked | The internal ColdFusion Java components may allow administrative duties to be performed. Some developers may write code that relies on these components. This practice should be avoided as these components are not documented.
Prefix serialized JSON with | Checked: // | This setting helps prevent JSON hijacking, a vulnerability which was exploitable in very old browsers (IE9 and below). ColdFusion AJAX tags and functions automatically remove the prefix. If developers have written CFC functions with returnformat="json" or use the SerializeJSON function, the prefix will be applied, and should be removed in the client code before processing. Developers can override this setting at the application level.
Maximum Output Buffer size | 1024 KB or lower | A lower output buffer size may reduce the memory footprint in some applications. Keep in mind that once the output buffer is flushed, tags that modify the response headers will throw an exception.
Enable In-Memory File System | Unchecked if not used | If your applications do not require the in-memory file system, uncheck this checkbox.
Memory Limit for In-Memory Virtual File System | Tuned based on JVM heap size and feature usage | Ensure that you have allocated sufficient JVM heap space to accommodate the memory limit.
Memory Limit per Application for In-Memory Virtual File System | Tuned based on JVM heap size and feature usage | Ensure that you have sufficient JVM heap space to accommodate the memory limit.


Setting | Suggestion | Additional Info
Watch configuration files for changes (check every N seconds) | Unchecked | If your configuration requires this setting to be enabled (if using a WebSphere ND vertical cluster, for example), increase the time to be as large as possible. If an attacker is able to modify the configuration of your ColdFusion server, their changes can become active within a short period of time when this setting is enabled.
Enable Global Script Protection | Understand Limits, checked | This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that enabling this setting does not protect your site from all possible Cross Site Scripting attacks.
Disable creation of unnamed applications | Checked | Applications should have a name so they can be isolated from each other.
Allow adding application variables to Servlet Context | Unchecked | Keep unchecked to improve application isolation.
Default ScriptSrc Directory | /not-default/ | Because the scripts directory also contains CFML source code, you should create a virtual directory/alias at a non-default location. Default values are /cf_scripts/scripts or /cf2018_scripts.
Allowed file extensions for CFInclude tag | cfm | This setting restricts the file extensions which get compiled (executed) by a cfinclude tag. Any file extensions not matching this list are statically included; any CFML source code would not be executed. Take care to ensure that you have specified any file extensions of files that contain CFML code and are included with cfinclude. This setting was added in CF2018 Update 3. It can be defined at an application level as well via this.blockedExtForFileUpload.
Blocked file extensions for CFFile uploads | * or list | This setting restricts what file extensions are allowed to be uploaded by ColdFusion. If you do not allow file uploads you should set this to * to block all extensions. If you do allow uploads, ensure that all executable file extensions (such as cfm) are specified as a comma separated list. This setting can be defined at an application level as well.
Missing Template Handler | Custom Template | The missing template handler HTML output should be equivalent to the 404 error handler specified on your web server.
Site-wide Error Handler | Custom Template | When blank, the site-wide error handler may expose information about the cause of exceptions. Specify a custom site-wide error handler that discloses the same generic message to the user for all exceptions. Be sure to log and monitor the actual exceptions thrown.
Maximum number of POST request parameters | As low as your application allows | Set this to the maximum number of form fields you have on any given page. Allowing too many form fields may allow for a DOS attack known as HashDOS. See https://www.petefreitag.com/item/808.cfm


Setting | Suggestion | Additional Info
Maximum size of post data | As low as possible | If your application does not deal with large HTTP POST operations (such as file uploads or large web service requests), reduce this size to 1MB. If the application does allow uploads of files, set this to the maximum size you want to allow. You should also be able to specify an HTTP Request size limit on your web server.
Request Throttle Threshold | 1MB | ColdFusion will throttle any request larger than this value. If your application requires a large number of concurrent file uploads to take place, you may need to increase this setting.
Request Throttle Memory | Tuned | On a 32 bit installation the default value would be close to 20% of the heap. 64 bit servers allow for much larger heap sizes. Aim for 10% of the maximum heap size as an upper limit for this setting.
Allow REST Discovery | Unchecked if not used. | This setting enables the endpoint /rest/_api_listing or /api/_api_listing to allow the ColdFusion API manager to get a listing of REST APIs. ColdFusion Administrator authentication is required.

3.2 Server Settings > Request Tuning

The Request Tuning settings can mitigate the impact of Denial of Service (DOS) attacks against your server.

Setting | Suggestion | Additional Info
Maximum number of simultaneous Template requests | Tuned based on hardware | When this setting is too high or too low the ability to perform a denial of service attack increases. When too low, requests will be queued when the server is placed under load. When too high, requests may not be queued under load, causing the CPU time of all requests to increase significantly (known as context switching). Find a good medium by performing load tests against your production environment; use the value that has the ability to serve the most requests per second.
Maximum number of simultaneous Flash Remoting requests | 1 if not using Flash Remoting, otherwise tuned. | If your applications do not use flash remoting set this value to 1 and disable flash remoting. If you do use flash remoting use a load testing approach to find the optimal value for this setting. Note that the Server Monitor feature in Enterprise makes use of flash remoting.
Maximum number of simultaneous Web Service requests | 1 if not publishing SOAP web services, otherwise tuned | If your applications do not publish SOAP web services set this value to 1. Otherwise tune this setting using load tests.
Maximum number of simultaneous CFC function requests | 1 if not using Remote CFC function requests, otherwise tuned | This setting applies only to CFC functions that have access=remote specified, when they are invoked via an HTTP request, for example: /example.cfc?method=MethodName. The ColdFusion AJAX proxy uses this method to invoke CFCs. If your applications do not make use of this feature set to 1. Otherwise use load testing to find the optimal value for this setting.
Maximum number of simultaneous Report threads | 1 | Keep at 1 unless using cfreport heavily.
Maximum number of threads available for CFTHREAD | 1 if not using cfthread, tuned otherwise |


Setting | Suggestion | Additional Info
Timeout requests waiting in queue after | 5 seconds (Match Request Timeout) | This setting can generally be set equivalent to the Timeout Requests After value specified in the Settings section. A lower setting here may decrease the effectiveness of DOS attacks.
Request Queue Timeout Page | Custom Template | Specify an HTML file giving the user a message to wait and retry their request again. The message should not disclose the fact that the queue timed out.

3.3 Server Settings > Caching

Setting | Suggestion | Additional Info
Trusted Cache | Checked | Enabling trusted cache improves performance by caching CFML code for the duration of the server process (unless manually cleared). This may also mitigate a situation where an attacker attempts to change a file on the server: the new code would not execute until the server is restarted or the cache is cleared.

3.4 Server Settings > Client Variables

Setting | Suggestion | Additional Info
Default Storage Mechanism for Client Sessions | None / Cookie | If applications have client management enabled a large amount of data can accumulate on the server. This can lead to a storage failure if disks become full. Because the registry is typically located on the system partition it is not recommended to use the Registry.

3.5 Server Settings > Memory Variables

Setting | Suggestion | Additional Info
Use J2EE session variables | Checked if JEE interoperability required | When checked ColdFusion will use the session management of the underlying JEE container (eg Tomcat). Instead of using CFID and CFTOKEN the JSESSIONID cookie is used. When J2EE sessions are enabled certain features such as application specific session cookie settings (this.sessionCookie in Application.cfc) do not apply. The functions SessionRotate and SessionInvalidate do not operate on J2EE sessions.
Enable Session Variables | Unchecked only if not using sessions | Most applications require session variables, however if none of the applications on the server require session variables then you may uncheck this box.
Session Storage | In Memory or Redis | When using Redis to store sessions take extreme care to ensure that the data store is protected by network firewalls and a strong password.
Maximum Timeout: Session Variables | Less than 2 days | The default of two days is generally too long for sessions to persist. Lower session timeouts reduce the window of risk of session hijacking.


Setting | Suggestion | Additional Info
Default Timeout: Session Variables | 20 minutes or less | Twenty minutes is a good default value, but maximum security applications may require a lower timeout value.
Cookie Timeout | -1 | By setting to -1 ColdFusion will set the session cookie as a browser session cookie, which is valid as long as the user's browser window is open.
HTTPOnly | Checked | Session cookies should always be marked as HTTPOnly to prevent JavaScript or other client side technologies from accessing their values (on supported clients).
Secure | Checked if all sites use HTTPS | A client will only transmit a secure cookie over a secured connection (HTTPS).
Disable updating ColdFusion internal cookies using ColdFusion tags/functions. | Checked if all sites use HTTPS | You can use this feature to prevent a developer from overriding your global session cookie security settings. Check this only if all applications will use the same settings.

3.6 Server Settings > Mappings

Remove any mappings your applications do not require, such as /gateway.

3.7 Server Settings > Mail

Consider using SSL or TLS to connect to the mail server to encrypt the email in transit.

Consider enabling Log all mail messages sent by ColdFusion.

3.8 Server Settings > WebSocket

Disable the WebSocket Service if it is not used by any applications on the server.

3.9 Server Settings > Charting

Consider changing the Disk cache location to a non-default path. The ColdFusion user will require read and write permission to the path specified if cfchart is used.

3.10 Data & Services > Data Sources

Remove the example data sources: cfartgallery, cfbookclub, cfcodeexplorer, cfdocexamples.

Ensure that the database user that ColdFusion connects as also has limited permissions, restricted to only what is necessary. You should not use sa or root accounts.

Setting | Suggestion | Additional Info
Login Timeout (sec) | 5 Seconds | Decrease this value to be less than the Timeout Requests after setting.
Query Timeout (seconds) | Not 0 | Specify an upper limit to mitigate DOS attacks.
Allowed SQL | Enable only operations required by the application, eg SELECT, INSERT, UPDATE, DELETE | The CREATE, DROP, ALTER, GRANT, and REVOKE operations are not commonly required in web applications.


3.11 Data & Services > ColdFusion Collections

Remove the example collection bookclub if it exists.

3.12 Data & Services > Solr

Consider using an HTTPS connection to the Solr server, especially if it is located on a remote server.

3.13 Data & Services > Flex Integration

Uncheck Enable Flash Remoting and Enable Remote Adobe LiveCycle Data Management access if they are not used by your application.

If using LiveCycle Data Services ES consider checking the Enable RMI over SSL for Data Management checkbox and specify a keystore and password.

3.14 Data & Services > PDF Service

If the PDF Service is used to generate PDFs containing sensitive data, or if the PDF service is running on a remote server, ensure that HTTPS is enabled.

3.15 Debugging & Logging > Debug Output Settings

Setting | Suggestion | Additional Info
Enable Robust Exception Information | Unchecked | When robust exception information is enabled sensitive information may be disclosed when exceptions occur.
Enable AJAX Debug Log Window | Unchecked | Debugging should not be enabled on a production server.
Enable Request Debugging Output | Unchecked | Debugging should not be enabled on a production server.

3.16 Debugging & Logging > Developer Profile

The Developer Profile should not be enabled on Production servers.

3.17 Debugging & Logging > Debugger Settings

Setting | Suggestion | Additional Info
Allow Line Debugging | Unchecked | Debugging should not be enabled on a production server.

3.18 Debugging & Logging > Logging Settings

Setting | Suggestion | Additional Info
Log directory | Non Default | Ensure that the location of this directory has sufficient storage space to hold Maximum File Size multiplied by the Maximum number of archives multiplied by the number of log files (6 or more). Consider a separate drive/partition for storing logs.


Setting | Suggestion | Additional Info
Maximum number of archives | 10 or more | When a log file reaches the Maximum File Size (5000 KB by default), it is archived. When the maximum number of archives is reached for a particular log file, the oldest log file is deleted. Some security compliance regulations require that log files are kept for a minimum period of time. Ensure that this value is high enough to retain log files for the required duration.
Use operating system logging facilities | Checked | Certain log entries will be duplicated to syslog on Unix based operating systems.
Enable logging for scheduled tasks | Checked | Log scheduled task execution.

3.19 Debugging & Logging > Remote Inspection Settings

Setting | Suggestion | Additional Info
Allow Remote Inspection | Unchecked | Debugging features should not be enabled on a production server.

3.20 Event Gateways > Settings

Uncheck Enable ColdFusion Event Gateway Services if your applications do not require the use of event gateways.

3.21 Event Gateways > Gateway Instance

Delete the SMSMenuApp and any other gateways that are not in use.

3.22 Security > Administrator

Setting | Suggestion | Additional Info
ColdFusion Administration Authentication | Separate username and password authentication | Using separate usernames and passwords allows you to specify which parts of the ColdFusion administrator each user may use.
Password Seed | Generate a cryptographically secure random value | The password seed is used to generate an encryption key to encrypt and decrypt passwords for data sources and other services.
Allow concurrent login sessions for Administrator Console | Unchecked | Uncheck to prevent concurrent logins by the same user account in the ColdFusion Administrator.

3.23 Security > RDS

RDS should not be enabled on production servers.

If RDS was previously enabled, ensure that {cf.instance.root}/wwwroot/WEB-INF/web.xml does not contain a Servlet Mapping for the RDSServlet.

3.24 Security > Sandbox Security

Sandboxes allow you to lock down which CFML source files have access to the file system, tag/function execution, data source access, and network access. It is highly recommended that you set up a sandbox or multiple sandboxes for your applications.


Configure sandboxes for each site, or for high risk portions of each site. Using the principle of least privilege, deny access to any tags, functions, data sources, file paths, and IP/ports that do not need to be accessed by code in the particular sandbox.

Your application should be thoroughly tested before enabling sandbox security to ensure that your sandbox has been configured correctly.

3.25 Security > User Manager

Add user accounts for each person that will log in to the ColdFusion Administrator.

3.26 Security > Allowed IP Addresses

Setting | Suggestion | Additional Info
Allowed IP Addresses for Exposed Services | Empty | Any IP address in this list may execute remote services that expose server functionality via web services. To invoke these web services the client must be on the allowed IP list, and have a username and password. It is recommended that you do not use this feature in environments requiring maximum security. This feature has been deprecated as of ColdFusion 11+.
Allowed IP Addresses for ColdFusion Internal Components | List of internal/administrative IP addresses | Specify to limit which IP addresses may connect to the ColdFusion administrator and Admin API.

3.27 Security > Secure Profile

Compare the values you have specified with the secure profile recommended values.

Review each setting that will be changed and test your application to ensure that the secure profile settings will not cause any issues.

3.28 Server Update > Updates: Settings

Setting | Suggestion | Additional Info
Automatically Check for Updates | Checked | Check for ColdFusion updates every time you log in to ColdFusion administrator. A notification icon will show up in the upper right toolbar if an update is available.
Check for Updates every N days | Checked | Set up email alerts to be notified when a server update is available.
Site URL | https://www.adobe.com/go/coldfusion-updates | Ensure that the URL is correct and uses HTTPS.


4 Additional Lockdown Measures

The steps outlined in this section can provide additional security but may require special care or attention to configure and maintain.

4.1 To Configure the Built-in Web Server to bind to 127.0.0.1 only

By default the connector will listen on all IP addresses. To configure the built-in web server to only listen on a single address (for example 127.0.0.1), locate the <Connector /> in {cf.instance.root}/runtime/conf/server.xml with a port attribute matching the port your built-in web server is running on, and add an address attribute. For example:

<Connector address="127.0.0.1" ...>

Restart ColdFusion and confirm that the built-in web server now only listens on the specified address. See https://tomcat.apache.org/tomcat-9.0-doc/config/http.html for more information.

4.2 To Run the Built-in Web Server over TLS

The built-in web server can be configured to run over TLS/HTTPS. This is highly recommended, especially if the built-in server is configured to listen on addresses other than localhost.

First, a certificate must be generated. You may obtain a certificate from a trusted certificate authority (recommended) or generate a self-signed certificate.

To generate a self-signed certificate, run the following command:

{cf.root}/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore {cf.root}/tomcat.keystore

Specify a unique password for the keystore when prompted.

Next make a backup of, then edit {cf.instance.root}/runtime/conf/server.xml and locate the <Connector> tag that has a port value matching your built-in web server. Comment out the default built-in web server Connector tag and replace it with something like this:

<Connector port="8443" protocol="HTTP/1.1"
    SSLEnabled="true" scheme="https"
    secure="true"
    keystoreFile="{cf.root}\tomcat.keystore"
    keystorePass="{your.password}"
    keyAlias="tomcat"
    clientAuth="false"
    sslProtocol="TLSv1.2" />

Be sure to replace {cf.root} with the path to your ColdFusion installation root (eg C:\ColdFusion2018) and {your.password} with the value you specified when you generated your certificate. Consider changing the port 8443 to a non-default value.

Restart the ColdFusion instance, and visit https://127.0.0.1:8443/CFIDE/administrator/ (change the port to match the value you used). If you used a self-signed certificate you will receive a certificate warning.

Consider specifying the ciphers attribute and useServerCipherSuitesOrder="true" to ensure a strong TLS cipher is favored. Because the recommendations for preferred TLS protocols and ciphers change frequently, please seek the current advice of cryptography experts for optimal TLS configuration.

For more information about configuring Tomcat with TLS, see: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

4.3 To Disable the Built-in Web Server

The built-in web server may be used on production servers to serve the ColdFusion Administrator. It may also be used by the Performance Monitoring Toolkit. You may disable the built-in web server when its use is not required.

Backup and edit the {cf.instance.root}/runtime/conf/server.xml file, and remove or comment out the Connector tag similar to the following:

<!--
<Connector port="8500" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8451" />
-->

This must be repeated for each ColdFusion instance created.

Restart ColdFusion and confirm that the server port is disabled.

Important: You must use XML comments with two dashes <!-- xml comment has two dashes -->; if you use a CFML comment (3 dashes) <!--- cfml comment has three ---> ColdFusion may not start.

4.4 Deny ColdFusion Write Permission to Built-in Web Server wwwroot

ColdFusion will have Full Control of the wwwroot folder in your {cf.instance.root}; you may consider restricting that directory to read only, because the cf_scripts folder may be served over the IIS or Apache web server. If you do restrict write permission on wwwroot you will need to allow write permission to the following subdirectories:

WEB-INF/cfclasses
WEB-INF/rest-skeletons
WEB-INF/cfc-skeletons

4.5 Restrict ColdFusion File System Permissions

ColdFusion will have Full Control of its installation directory by default. You may consider restricting full control to only files and folders that ColdFusion needs to write to. You can use file system auditing to determine which files ColdFusion writes to during normal operation of your application.

Some directories that are commonly written to include:

{cf.instance.root}/logs
{cf.instance.root}/tmpCache
{cf.instance.root}/stubs
{cf.instance.root}/Mail
{cf.instance.root}/runtime/work
{cf.instance.root}/jetty/logs
{cf.instance.root}/jetty/work
{cf.instance.root}/jetty/multicore/collections/

Note that use of the ColdFusion Administrator may write configuration to several locations; you should ensure that your Administrator settings have been specified and will not change before restricting the file system permissions.

4.6 Lockdown the ColdFusion Add-on Services

If you installed the ColdFusion 2018 Add-on Services for Solr (cfsearch, cfcollection, cfindex) or the PDF Service (cfhtmltopdf), they run as a separate process/service. The Add-on Services leverage Jetty as the JEE servlet container instead of Tomcat (which is used by the ColdFusion Application Server).

If you are not currently using the cfsearch, cfcollection, cfindex, or cfhtmltopdf tags, ensure that you have disabled the service.

Next ensure that it is not running under a privileged user account such as root or System. You may create a dedicated user specifically for the Add-on Services. This user simply needs read/write permission on the Solr Home folder. By default Solr Home will point to {cf.root}/cfusion/jetty; you can find the exact path by going to the ColdFusion Administrator and looking at the Solr Home setting under Data & Services > Solr Server.

Consider using a non-default port (8989 is the default) and enabling HTTPS. Go to the ColdFusion Administrator and click the Show Advanced Settings button on the Data & Services > Solr Server page to change these settings.

For maximum isolation, consider installing the ColdFusion Add-on Services on a dedicated server. Using HTTPS is highly recommended when Solr is running on a different server.

Consult the Jetty Documentation for more information: https://www.eclipse.org/jetty/documentation/

4.7 Lockdown File Extensions


ColdFusion provides a number of capabilities that are not commonly used and which can be blocked. A good example of this is JSP file execution. Here is a list of file extensions that usually can be blocked (check with developers first).

File Extension | Purpose | Safe to Block
.cfml | Executes CFML templates (same as .cfm files) | The .cfml file is not typically used by developers; if you don't use .cfml block this file extension.
.jsp | Java Server Pages | Yes, if your applications do not use jsp
.jws | Java Web Services | Yes if not used.
.cfr | CFReport Files | Yes, if cfreport is not used.
.cfswf | Dynamically generated swf files from flash forms | Yes, if flash forms are not used.
.hbmxml | Hibernate XML Mappings | Yes, these files should always be blocked.

4.7.1 Blocking by File Extension with Apache

To block .cfml, .jsp, .jws and .hbmxml files add the following to your Apache httpd.conf file:

RedirectMatch 404 (?i).*\.(cfml|jsp|jws|hbmxml).*

Restart apache and create a test .cfml file to confirm that the rule is working.

4.7.2 Blocking by File Extension on IIS

Click on the root node of IIS and then double click Request Filtering. Click on the File Name Extensions tab, and then click Deny File Name Extension in the Actions menu on the right. Add a file name extension including the dot and click ok.

4.7.3 File Extension Whitelisting on IIS

A more robust solution is to specify a whitelist of allowed file extensions, and block the rest. For example allow only .cfm .css .js .png and block anything else. Your application may require additional extensions.

Click on the root node of IIS and then double click Request Filtering. Click on the File Name Extensions tab, and then click Allow File Name Extension. Allow each file extension your sites serve (for example cfm, css, js, png, html, jpg, swf, ico, etc).

You must also ensure that the .dll file extension is allowed in the /jakarta virtual directory in order for ColdFusion resources to be served.

Test your websites after making changes in this section.

4.8 Additional URIs to Consider Blocking

Here are some additional URIs that ColdFusion may serve requests on that you can consider blocking if you do not use the features it supports.

URI | Description
/connector | Used by the Performance Monitoring Toolkit
/CFFileServlet | Serves dynamically generated assets. It supports the cfreport, cfpresentation, cfchart, and cfimage (with action=captcha and action=writeToBrowser) tags
/rest/, /api/, /restapps/, /cfapiresources/ | Used for CFML Rest Web Services

4.8.1 Blocking URIs in IIS

Click on the root node of IIS and then double click Request Filtering. Click on the URL tab. Click the Deny Sequence button and enter the URI to block.

Note the Auto Lockdown Tool blocks URIs using Request Filtering as well, however it applies the settings to the web site level, not the global IIS level. You may consider adding the URIs it blocks to the global level to ensure they will be blocked by all sites on the server.


4.8.2 Blocking URIs in Apache

To block a URI, add the following to the httpd.conf file:

RedirectMatch 404 (?i).*/CFIDE.*

The above would block and return a 404 HTTP status when the case insensitive (?i) pattern /CFIDE is found anywhere (.*) in the URI.
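The two RedirectMatch rules from 4.7.1 and 4.8.2, and the allow-list idea from 4.7.3, modelled in Python against constructed request URIs. This is an added example, not part of the guide or of Apache/IIS; the sample URIs are made up and blocked_by_allowlist is a simplified model of the allow-list approach (an assumption of this example), not a reimplementation of IIS Request Filtering. It shows what the rules catch and what they do not: the query string is never inspected, and the extension pattern also matches extensions that merely start with a blocked one.

```python
"""Model of the Apache RedirectMatch 404 rules from sections 4.7.1 and 4.8.2 and
of the allow-list approach from 4.7.3, exercised against constructed request URIs.
Added example, not part of the Lockdown Guide; the URIs below are made up."""
import re
from typing import Iterable

# The two regexes exactly as the guide gives them for httpd.conf.  RedirectMatch
# matches against the URL path only (the query string is not part of the match)
# and, like re.search, is unanchored, which is why the guide's patterns wrap the
# interesting part in .* on both sides.
EXTENSION_RULE = re.compile(r"(?i).*\.(cfml|jsp|jws|hbmxml).*")
CFIDE_RULE = re.compile(r"(?i).*/CFIDE.*")


def path_only(uri: str) -> str:
    """Return the path portion of a request URI (everything before '?')."""
    return uri.split("?", 1)[0]


def blocked_by_denylist(uri: str) -> bool:
    """True when either RedirectMatch 404 rule would fire for this request."""
    path = path_only(uri)
    return bool(EXTENSION_RULE.search(path) or CFIDE_RULE.search(path))


def blocked_by_allowlist(uri: str, allowed: Iterable[str] = ("cfm", "css", "js", "png")) -> bool:
    """Model of the 4.7.3 approach: a request is blocked unless the extension of
    the final path segment is on the allow list.  This is a simplified model of
    the idea (an assumption of this example), not IIS Request Filtering itself;
    extension-less paths such as '/' are treated as allowed."""
    last_segment = path_only(uri).rsplit("/", 1)[-1]
    if "." not in last_segment:
        return False
    ext = last_segment.rsplit(".", 1)[-1].lower()
    return ext not in {a.lower().lstrip(".") for a in allowed}


# Constructed requests, with the outcome a defender should expect from the rules.
SAMPLE_REQUESTS = {
    "/index.cfm": False,                # normal CFML page: allowed through
    "/Report.CFML": True,               # (?i) makes the match case insensitive
    "/admin/view.JSP?id=1": True,       # query string stripped, .JSP still caught
    "/static/widget.jspx": True,        # caveat: '.jsp' followed by .* also hits .jspx
    "/cfide/administrator/": True,      # /CFIDE anywhere in the path, any case
    "/notes/CFIDE-history.html": True,  # caveat: substring match, broader than the directory
    "/index.cfm?file=test.jsp": False,  # caveat: the rules never see the query string
    "/model/User.hbmxml": True,
}

if __name__ == "__main__":
    for uri, expected in SAMPLE_REQUESTS.items():
        outcome = blocked_by_denylist(uri)
        flag = "" if outcome == expected else "  <-- unexpected"
        print(f"{uri:30} denylist={outcome!s:5} allowlist={blocked_by_allowlist(uri)}{flag}")
```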

4.9 Optionally Remove ASP.NET

Once you have all web sites configured in IIS, you may consider removing the IIS Role Services ASP.NET, .NET Extensibility and CGI, which are required by the connector installer but may not be needed at runtime.

If you are running the IIS WebSocket proxy then ASP.NET support is required and must not be removed.

This approach, while it may provide additional security by allowing removal of unused software, does have two drawbacks. First, this is not a procedure that is officially documented or supported by Adobe. Adobe does not test without these settings enabled, so you may encounter something unexpected. Second, when a ColdFusion update is released for the connector, or if you want to add/update/delete an IIS connector, you must re-enable these role services before updating the connector.

4.10 Remove ASP.NET ISAPI Filters and Handler Mappings

If you do not require ASP.NET functionality, and you do not want to fully remove ASP.NET from the server due to the issues outlined in the previous section, you can remove the ISAPI Filters and Handler Mappings that ASP.NET uses to process requests.

First make a backup of the applicationHost.config file, typically located in C:\Windows\System32\inetsrv\config\, and any web.config files.

In the IIS global server level click on ISAPI Filters and remove all ASP.NET ISAPI filters. Next click on ISAPI and CGI Restrictions, click on each ASP.NET ISAPI filter and click Deny.

Next click on Handler Mappings in the IIS global root node. Remove all unnecessary Handler Mappings. Do not remove the StaticFile handler unless your application does not serve static files (js, css, images, etc). Do not remove the ISAPI-dll handler; this will be required for the ColdFusion web server connector to function. A minimal configuration includes only StaticFile, ISAPI-DLL, and cfmHandler.

4.11 Disable Unused Servlet Mappings

All JEE web applications have a file in the WEB-INF directory called web.xml; this file defines the servlets and servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet responds to. For example, the servlet that handles requests for .cfm files is called the CfmServlet; the servlet mapping for that looks like this:

<servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
</servlet-mapping>

The servlets are also defined in the web.xml file. The CfmServlet is defined in web.xml as follows:

<servlet id="coldfusion_servlet_3">
    <servlet-name>CfmServlet</servlet-name>
    <display-name>CFML Template Processor</display-name>
    <description>Compiles and executes CFML pages and tags</description>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param id="InitParam_1034013110656ert">
        <param-name>servlet.class</param-name>
        <param-value>coldfusion.CfmServlet</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
</servlet>

We can remove servlet mappings in the web.xml to reduce the attack surface. You don't typically want to remove the CfmServlet or the *.cfm servlet mapping, but there are other servlets and mappings that may be removed.

In addition, some servlets may depend on each other, so it may be better to just remove the servlet-mapping instead.


Be sure to backup web.xml before making changes, as incorrect changes may prevent the server from starting.

Servlet Mapping | Servlet | Purpose
*.cfm *.CFM *.Cfm | CfmServlet | Handles execution of CFML in cfm files. Required.
*.cfml *.CFML *.Cfml | CfmServlet | Handles execution of CFML contained in files with the .cfml file extension. These servlet mappings can be commented out if you do not have any files with a .cfml file extension in your code base.
*.cfc *.CFC *.Cfc | CFCServlet | Handles execution of remote function calls in cfc files. These servlet mappings can be commented out if you do not use any CFCs with access=remote.
*.cfml/* *.cfm/* *.cfc/* | CfmServlet, CFCServlet | These servlet mappings are used for search engine safe URLs such as /index.cfm/x/y
/CFIDE/main/ide.cfm | RDSServlet | Used for RDS; this servlet mapping should be commented out on production servers.
/JSDebugServlet/* | JSDebugServlet | Used for debugging cfclient; should be commented out on production servers.
*.jws | CFCServlet | Java Web Services - allows you to easily write and deploy SOAP web services in Java similar to a CFC. Should be commented out if your applications do not have any jws files.
*.cfr | CFCServlet | Used for cfreport; can be commented out if cfreport is not used.
/CFFormGateway/* | CFFormGateway | Required for flash forms <cfform format=flash>; can be commented out if not used.
/CFFileServlet/* | CFFileServlet | Used for serving files generated dynamically from various tags such as cfchart, cfimage, etc.
/securityanalyzer/* | CFSecurityAnalyzerServlet | Used for the CF Builder security analyzer. Not needed on production servers.
/rest/* /api/* /restapps/* /cfapiresources/* | CFRestServlet | Used to serve CFML rest web services
*.hbmxml | CFForbiddenServlet | Used to prevent serving Hibernate mapping files. This should not be removed.
/cfform-internal/* | CFInternalServlet | Required for flash forms <cfform format=flash>; can be commented out if not needed.
*.cfswf | CFSwfServlet | Dynamically generated swf files from flash forms; can be commented out if flash forms are not needed.
*.as *.sws *.swc | CFForbiddenServlet | Used to prevent serving ActionScript/Flash source code.
/flashservices/gateway/* | FlashGateway | Used for Flash Remoting
/flex-internal/* | FlexInternalServlet | Used for Flex History Manager
*.mxml | FlexMxmlServlet | Used to compile Flex mxml files into swf
/flex2gateway/* | MessageBrokerServlet | Used for Flash Remoting
/cfmobile/* | CFMobileServlet | Used for cfclient
/pms/connector/* | PMSGenericServlet | Used by the Performance Monitoring Toolset

To remove a servlet mapping, you can comment it out using an XML comment. For example, to disable the RDS servlet mapping:

<!--
<servlet-mapping id="coldfusion_mapping_9">
  <servlet-name>RDSServlet</servlet-name>
  <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
</servlet-mapping>
-->

Restart ColdFusion and test your application after commenting out servlet mappings. It is a good idea to only remove one at a time and then test again.
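The following script is an added example written for this guide, not code from Adobe or from the guide itself. It audits a web.xml for servlet mappings that the table above marks as removable on production servers and are still active, and warns if a required mapping has disappeared. Because an XML parser never sees comments, a mapping that has been commented out the way the guide shows simply vanishes from the report. The embedded web.xml is a constructed, trimmed sample; the servlet-mapping ids other than coldfusion_mapping_9 are invented, and the list of "optional" servlets is this example's reading of the table, not an Adobe-provided list.

```python
"""Audit a ColdFusion web.xml for servlet mappings that are still active
although the lockdown table says they can usually be commented out.

Added example (not from the guide or from Adobe). Uses only the standard library.
"""
import xml.etree.ElementTree as ET

# Servlets whose mappings the guide's table marks as removable on production
# servers. Assumption: this is the example's own list derived from the table.
OPTIONAL_SERVLETS = {
    "RDSServlet", "JSDebugServlet", "CFSecurityAnalyzerServlet",
    "CFFormGateway", "CFInternalServlet", "CFSwfServlet", "FlashGateway",
    "FlexInternalServlet", "FlexMxmlServlet", "MessageBrokerServlet",
    "CFMobileServlet", "PMSGenericServlet",
}

# Mappings the table says must stay (removing them breaks CFML execution or
# re-exposes Hibernate/ActionScript source files).
REQUIRED_SERVLETS = {"CfmServlet", "CFForbiddenServlet"}


def _local(tag):
    """Strip a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml_text):
    """Return [(servlet-name, url-pattern), ...] for every mapping that is
    not commented out. Comments are invisible to the parser, so commented-out
    mappings are correctly absent from the result."""
    root = ET.fromstring(web_xml_text)
    result = []
    for elem in root.iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = pattern = None
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if name and pattern:
            result.append((name, pattern))
    return result


def audit(web_xml_text):
    """Report optional mappings that are still exposed and required servlets
    that no longer have any active mapping (a sign the edit went too far)."""
    active = active_mappings(web_xml_text)
    exposed = [(n, p) for n, p in active if n in OPTIONAL_SERVLETS]
    present = {n for n, _ in active}
    missing_required = sorted(REQUIRED_SERVLETS - present)
    return {"exposed": exposed, "missing_required": missing_required}


# Constructed sample: a trimmed web.xml in which the RDS mapping has already
# been commented out (as in the guide) but the JSDebugServlet mapping has not.
# The ids other than coldfusion_mapping_9 are invented for this sample.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet-mapping id="coldfusion_mapping_sample_cfm">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping id="coldfusion_mapping_sample_hbm">
    <servlet-name>CFForbiddenServlet</servlet-name>
    <url-pattern>*.hbmxml</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping id="coldfusion_mapping_9">
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping id="coldfusion_mapping_sample_js">
    <servlet-name>JSDebugServlet</servlet-name>
    <url-pattern>/JSDebugServlet/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_WEB_XML)
    for name, pattern in report["exposed"]:
        print(f"still mapped: {pattern} -> {name}")
    for name in report["missing_required"]:
        print(f"WARNING: required servlet has no active mapping: {name}")
```

To run it against a real instance, read {cf.instance.root}/runtime/conf/web.xml (or wherever your instance keeps it) into a string and pass it to audit(); an empty "exposed" list and an empty "missing_required" list means the file matches the table's recommendations.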

4.12 Additional Tomcat Security Considerations

Consult the Tomcat 9 Security Considerations document http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html for additional Tomcat specific security settings.

4.13 Additional File Security Considerations

Pay careful attention to the file permissions of sensitive configuration files located in {cf.instance.root}/lib/ such as password.properties, seed.properties and all neo-*.xml files. In addition, the files located in {cf.instance.root}/runtime/conf/ contain important configuration files utilized by the Tomcat container.
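As an added example (not part of the guide, and not Adobe code), the script below turns the file list in this section into a repeatable check: it scans a lib directory for password.properties, seed.properties and neo-*.xml and reports any that are readable or writable by everyone, or writable by the group. The directory path in the usage line is a placeholder for your own {cf.instance.root}/lib.

```python
"""Report sensitive ColdFusion configuration files with loose permissions.

Added example (not from the guide). The file-name patterns come from section
4.13 of the guide; the policy (no world access, no group write) is this
example's own.
"""
import fnmatch
import os
import stat

# Patterns named in section 4.13 of the guide.
SENSITIVE_PATTERNS = ("password.properties", "seed.properties", "neo-*.xml")


def is_sensitive(filename):
    """True if the file name matches one of the guide's sensitive patterns."""
    return any(fnmatch.fnmatch(filename, p) for p in SENSITIVE_PATTERNS)


def mode_problems(mode):
    """Return the problems with a POSIX permission mode given as an int
    (e.g. 0o640). An empty list means only the owner can write and nobody
    outside the owning group can read the file."""
    problems = []
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        problems.append("world-accessible")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def scan_lib_dir(lib_dir):
    """Return {path: [problems]} for sensitive files directly under lib_dir
    that have at least one permission problem; other files are ignored."""
    findings = {}
    for name in sorted(os.listdir(lib_dir)):
        if not is_sensitive(name):
            continue
        path = os.path.join(lib_dir, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        problems = mode_problems(mode)
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    # Placeholder path: replace with your own {cf.instance.root}/lib directory.
    for path, problems in scan_lib_dir("/opt/cf2018/cfusion/lib").items():
        print(f"{path}: {', '.join(problems)}")
```

Run it as root (or as the ColdFusion runtime user) after installation and again after each hotfix, since installers sometimes rewrite these files with default permissions.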

4.14 Adding ClickJacking Protection

ColdFusion 10 introduced two Servlet Filters, CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these filters the X-Frame-Options HTTP header will be returned with a value of DENY or SAMEORIGIN. You can add a filter-mapping in web.xml to enable these filters for a given URI; this functionality could also be accomplished at the web server level.

4.15 Restricting HTTP Verbs

Most web applications only need to function on GET, HEAD and POST. Applications that make use of Cross Origin Resource Sharing (CORS) will also require the OPTIONS method. Servers that host REST web services may require additional HTTP methods.

4.15.1 Whitelisting HTTP Verbs in Apache

The Limit and LimitExcept directives can be used to apply configuration based on the HTTP method. For example, to deny all requests except GET, HEAD and POST you can add the following to your httpd.conf:

<Location />
  <LimitExcept GET HEAD POST>
    Order Deny,Allow
    Deny from all
  </LimitExcept>
</Location>

TraceEnable off

Note that LimitExcept does not apply to the HTTP TRACE method. The TRACE method can be disabled using the Apache directive TraceEnable. Restart Apache.

4.15.2 Whitelisting HTTP Verbs in IIS

Click on the root node in IIS, double click Request Filtering and select the HTTP Verbs tab. Click Allow Verb and add each HTTP verb you want to allow.

Now, to disallow any verb that has not been explicitly allowed, click Edit Feature Settings and uncheck Allow unlisted verbs.

4.16 Security Constraints in web.xml

The servlet container (Tomcat) can enforce certain security constraints to ensure that a given URI is secured, or to limit certain URIs to HTTP POST over a secure (SSL) connection:

<security-constraint>
  <display-name>POST SSL</display-name>
  <web-resource-collection>
    <web-resource-name>POST ONLY SSL</web-resource-name>
    <url-pattern>/post/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <display-name>POST ONLY</display-name>
  <web-resource-collection>
    <web-resource-name>BLOCK NOT POST</web-resource-name>
    <url-pattern>/post/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>

The first constraint requires a confidential transport (HTTPS) for POST requests matching /post/*; the second lists the other methods for the same pattern with an empty auth-constraint, which denies them to every caller.

4.17 Limit Request Size

Limiting the size of various elements of the HTTP request can help mitigate denial of service attacks and other risks.

Consider specifying smaller request size limits by default, and then use larger sizes on URIs where files are uploaded or very large form submissions occur.

4.17.1 Limit Request Size in IIS

In IIS you can use the Edit Feature Settings dialog in Request Filtering to control the Maximum Allowed Content Length, Maximum URL Length and Maximum Query String Length.

4.17.2 Limit Request Size in Apache

Apache has several directives that can be used to control the allowed size of the request. Here are a few directives you should consider setting: LimitRequestBody, LimitXMLRequestBody, LimitRequestLine, LimitRequestFieldSize, LimitRequestFields.

4.18 Distributed Mode or Reverse Proxy

Consider running in a reverse proxy or distributed mode, so that the web server and the ColdFusion server run on different machines. This method provides isolation between your web server and the ColdFusion application server.

In distributed mode, only the web server connector is installed on the server containing the web server.

For more information on configuring ColdFusion to run in distributed mode consult this blog entry: http://blogs.coldfusion.com/setting-up-coldfusion-in-distributed-envionment/

4.19 HTTP Response Headers to Improve Security

There are several HTTP response headers that you may consider adding to the web server to improve security. Some headers you may consider adding include:

- Strict-Transport-Security
- X-Frame-Options
- Content-Security-Policy
- X-Content-Type-Options
- X-XSS-Protection
- Referrer-Policy

4.19.1 Adding HTTP Response Headers in IIS

Open IIS and double click the HTTP Response Headers icon. Then click Add and specify a header name and value.

4.19.2 Adding HTTP Response Headers in Apache

Add a Header directive to your httpd.conf:

Header set Strict-Transport-Security "max-age=31536000"
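The checker below is an added example (not from the guide or from Adobe) covering both section 4.14 and section 4.19: it parses a raw HTTP response, reports which of the headers listed in 4.19 are missing, verifies that Strict-Transport-Security carries a real max-age directive of at least one year (the directive name is max-age; a misspelt maxage is silently ignored by browsers), and checks that X-Frame-Options carries one of the two values the clickjacking filters emit. The embedded response is a constructed sample; for a real server, save the output of curl -sI https://your.server.example.com/ to a file and feed its contents to parse_headers().

```python
"""Check an HTTP response for the security headers recommended in sections
4.14 and 4.19 of this guide.

Added example (not from the guide). Works on a raw HTTP/1.x response string.
"""
import re

# The header list from section 4.19 of the guide.
RECOMMENDED = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
]

ONE_YEAR = 31536000  # seconds, the value the guide's Header directive uses


def parse_headers(raw_response):
    """Return {lower-case header name: value} from a raw HTTP/1.x response
    (status line, header lines, blank line). Later duplicates win."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(headers):
    """Return a sorted list of findings; an empty list means every recommended
    header is present with a sane value."""
    findings = []
    for name in RECOMMENDED:
        if name.lower() not in headers:
            findings.append(f"missing {name}")

    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        # RFC 6797 spells the directive max-age; anything else is ignored.
        m = re.search(r"(?i)\bmax-age=(\d+)", hsts)
        if not m:
            findings.append("Strict-Transport-Security has no valid max-age directive")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is below one year")

    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # The two values CFClickJackFilterDeny / CFClickJackFilterSameOrigin set.
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")

    return sorted(findings)


# Constructed sample response: HSTS is present but misspelt "maxage",
# X-Frame-Options comes from the clickjacking filter, and two recommended
# headers are absent.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: maxage=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in check_headers(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```

Because the check is applied to what the server actually sends, it also catches the case where a header is set in httpd.conf but lost behind a reverse proxy or a VirtualHost that does not inherit the directive.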


5 ColdFusion Lockdown on Linux

This section covers installation of ColdFusion on Linux with Apache. To install ColdFusion 2018 on Linux we will perform the following steps:

1. Perform installation prerequisites.
2. Create a dedicated user account for ColdFusion to run as.
3. Install ColdFusion.
4. Check for, and install, any ColdFusion hotfixes.
5. Configure Apache.
6. Configure file system permissions.
7. Run the web server configuration tool to connect ColdFusion to Apache.
8. Set up the ColdFusion Administrator site.
9. Update the JVM.

5.1 Linux Installation Prerequisites

Before you begin the ColdFusion installation process perform the following steps:

- Configure a network firewall (and/or configure a local firewall using iptables) to block all incoming public traffic during installation.
- Read the Red Hat Enterprise Linux 7 Security Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/
- Install Red Hat Linux with minimal packages; you do not need to install a graphical desktop environment.
- Enable SELinux Enforcing mode during installation. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/ for more information about SELinux.
- Remove or disable any software on the server that is not required. To see what packages are installed run: yum list installed | more  To remove a package: yum erase php
- Run yum update and ensure that all software running on the server is fully patched.
- Download ColdFusion from adobe.com. Verify that the MD5 checksum listed on the adobe.com download page matches the file you downloaded. You can run the following in a command prompt: md5sum installer-file-name.bin

5.2 Create a Dedicated User Account for ColdFusion

Create a new group which will contain both the ColdFusion user and apache's user. In this guide we will name this group webusers; please choose a unique name:

groupadd webusers

Create a system user for ColdFusion to run as. In this guide we use the username cfuser, but again, pick a unique username:

adduser --system -g webusers -s /sbin/nologin -M -c ColdFusion cfuser

If you are running multiple instances of ColdFusion consider creating a dedicated user account for each instance to run in isolation.

5.3 ColdFusion Installation

Run the installer as the root user or by using sudo.

Installer Configuration:

- Choose #1 - Server configuration. If you are deploying ColdFusion to a JEE server such as WebSphere, WebLogic, JBoss, etc. select an EAR or WAR file; otherwise choose option 1 Server configuration.
- Select ColdFusion Server Profile: Choose Production Profile + Secure Profile. The Development Profile should not be selected; it enables features that are intended for development purposes. The Production Profile disables development features by default. The Production Profile + Secure Profile option has all the features of the Production Profile plus provides a more secure foundation of default settings. Some of the settings that the Secure Profile toggles may cause application compatibility issues. Just as you should with each step in this guide, ensure that you have tested your application for such issues. As of ColdFusion 11+ the Secure Profile settings can also be toggled from the ColdFusion Administrator.
- IP Addresses allowed: 127.0.0.1,::1. Comma separate any other IP addresses that need to access ColdFusion Administrator.
- Sub-components Installation: Select only services that are required by your application.
  - Solr Service - the Solr service is needed only if you are using the cfsearch, cfcollection or cfindex tags. Disable the Solr service if not needed.
  - PDFG - enable if you are using the cfhtmltopdf tag.
  - Admin component for Remote Start/Stop - disable.
  - Start ColdFusion on system init - enable.
- Enabling/Disabling Servlets:
  - Uncheck RDS and JSDebug.
  - Uncheck CFReporting if you are not using the cfreport tag.
  - Uncheck CFSWF and Flash Forms if not using Flash Forms (cfform format=flash).
- Access Add-on Services Remotely: If you selected the PDFG (cfhtmltopdf tag) or Solr (cfsearch, cfindex, cfcollection tags) sub-components the ColdFusion 2018 Add-on Services will be installed. When you specify n for the Access Add-on Services Remotely option, the Add-on Services are only accessible from the local machine (localhost). If you want to allow access to the services from multiple ColdFusion servers, enter y and then specify the IP addresses of the remote ColdFusion servers. Select n unless remote access is required.
- Choose Install Folder: Select a non-default installation folder; in this guide we will use /opt/cf2018/
- Built-in Web Server Port Number: Select a non-default port number.
- Performance Monitoring Toolset Hostname/IP Address: Enter the internal IP address of the server if you wish to use the PMT. This value can be changed later in the Administrator.
- Runtime User: Enter the name of the user created in the previous section: cfuser
- Configure ColdFusion with OpenOffice: Skip if not required. OpenOffice integration is used by cfdocument to convert Word documents to PDF or PowerPoint presentations to PDF/HTML.
- Administrator Credentials: select a unique username (not admin), and choose a strong password.
- Server Updates: Y, automatically check for server updates.

Now start ColdFusion:

service cf2018 start

5.4 Access ColdFusion Administrator via an SSH Tunnel

Because most Linux servers do not have a desktop installed, and because the ColdFusion Administrator is no longer accessible via the Apache web server as of CF2016+, it can be useful to create a temporary SSH tunnel when you need to connect to the ColdFusion Administrator.

To access ColdFusion Administrator you can create an SSH tunnel that points to the built-in web server port (8500 by default), by opening a local port (33333 in our example, but you can use any local port number you want as long as it is not in use) on your desktop.

If your desktop computer is running Mac or Linux you can create an SSH tunnel to port 8500 on your local port 33333 by running the following command (locally on your desktop, not on your ColdFusion server; replace username and the host name with your own):

ssh -L 33333:127.0.0.1:8500 username@your.new.server.example.com

If you are running a Windows desktop you can use putty.exe (download from putty.org):

putty -L 33333:127.0.0.1:8500 your.new.server.example.com

Now open your web browser and point it to http://127.0.0.1:33333/CFIDE/administrator/

The traffic between your server and desktop will be encrypted over the SSH protocol. You can also configure the built-in web server to use HTTPS on top of that as well (see section 4.2).

5.5 Install ColdFusion Hotfixes

Log in to the ColdFusion Administrator via the built-in web server.

Click on Server Updates > Updates. If any hotfixes are available select the latest hotfix, and click Download.

Tip: You can verify the integrity of the downloaded hotfix by running md5sum on the hotfix_XXX.jar file; check that the checksum matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates

Run the hotfix installer as root or with sudo (replace hotfix_XXX.jar with the actual hotfix file name):

/opt/cf2018/jre/bin/java -jar /opt/cf2018/cfusion/hf-updates/hotfix_XXX.jar

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide

5.6 Install and Configure Apache Web Server

5.6.1 Install or Update Apache

If Apache (httpd) has not yet been installed, install it using yum:

yum install httpd

If Apache (httpd) was already installed, ensure that the latest version is installed:

yum update httpd

5.6.2 Remove Unnecessary Modules

Ensure that the latest versions of openssl and mod_ssl are installed as well, using similar yum commands as above.

Remove any unneeded modules, for example:

yum erase php*

Edit /etc/httpd/conf/httpd.conf and remove or comment out (by placing a # at the beginning of the line) any LoadModule lines that load unnecessary modules. Most modules will be included in separate configuration files (look in /etc/httpd/conf.modules.d/); you can easily find a list of files that load modules by running:

fgrep --recursive LoadModule /etc/httpd/

Some modules that you may be able to remove (or comment out by placing a # at the beginning of the line) include: mod_imap, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

5.6.3 Setup Directory for Web Roots

Optional: If you wish to set up a non-default web root follow the instructions in this section. If you plan to use the default web root /var/www/html then copy your CFML files into that directory.

If you have multiple web sites you may wish to create a folder for all your sites. In this guide we will use /www/ as the root folder, but you should choose a unique path name.

mkdir -p /www/default/wwwroot/
mkdir -p /www/example.com/wwwroot/
mkdir -p /www/other.example.com/wwwroot/

Copy your CFML source code into the directory; /www/default/wwwroot/ could be set up as a default site for Apache.

Next let's add the apache user to the webusers group we created previously.

usermod -aG webusers apache

Set up some file system permissions:

chown -R root:webusers /www
chmod -R 750 /www
chcon -R -t httpd_sys_content_t -u system_u /www/default/wwwroot/
chcon -R -t httpd_sys_content_t -u system_u /www/example.com/wwwroot/
chcon -R -t httpd_sys_content_t -u system_u /www/other.example.com/wwwroot/

Edit httpd.conf and change the DocumentRoot from /var/www/html to your new default site root, for example /www/default/wwwroot

Next tell Apache that it is allowed to serve files to the public under the folder /www by adding:

<Directory "/www">
  Options None
  AllowOverride None
  Require all granted
</Directory>

Create an index.html file in the default site:

echo 'Hello' > /www/default/wwwroot/index.html

Restart Apache:

service httpd restart

Test to make sure Apache is working:

curl http://localhost/

The above curl command should output the contents of /www/default/wwwroot/index.html, which should be Hello.

5.6.4 Start Apache on Boot

By default Apache will not start up on system boot; you need to tell systemctl to enable the service. As root or using sudo run the following:

systemctl enable httpd.service

5.6.5 Connect Apache to ColdFusion

Note that there is a bug in the Auto Lockdown Tool when it configures the connector while SELinux is enabled. You may be able to skip this step (and allow the Auto Lockdown Tool to connect Apache to ColdFusion) if you do not have SELinux enabled or if the bug has been resolved: https://tracker.adobe.com/#/view/CF-4203248

Run wsconfig as root or with sudo to connect ColdFusion to Apache:

/opt/coldfusion2018/cfusion/runtime/bin/wsconfig -ws Apache -dir /etc/httpd/conf -bin /usr/sbin/httpd

You may see an error that Apache was unable to start; this is due to the bug mentioned above. To correct this, run the following commands:

WSCONFIG_DIR=/opt/coldfusion2018/config/wsconfig
NUM=1
# Create a mod_jk.log file:
touch $WSCONFIG_DIR/$NUM/mod_jk.log
# Set file system permissions:
chown -R cfuser:apache $WSCONFIG_DIR
chmod -R 540 $WSCONFIG_DIR
chmod 550 $WSCONFIG_DIR/$NUM/mod_jk.so
chmod 560 $WSCONFIG_DIR/$NUM/mod_jk.log
chcon -t httpd_modules_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk.so
chcon -t httpd_log_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk.log
chcon -t httpd_config_t -u system_u $WSCONFIG_DIR/$NUM/uriworkermap.properties
chcon -t httpd_config_t -u system_u $WSCONFIG_DIR/$NUM/mod_jk_vhost.conf
# Allow apache to connect to the CF AJP connector port (defined in server.xml)
semanage port -a -t http_port_t -p tcp 8018
# Update the JkShmFile path in mod_jk.conf. Edit in place with -i: redirecting
# sed's output back onto its own input file would truncate the file before sed reads it.
sed -i '/JkShmFile/s/.*/JkShmFile "\/var\/cache\/httpd\/1_jk_shm"/' /etc/httpd/conf/mod_jk.conf

Tip: you can put the above commands into a file that begins with #!/bin/bash and then run them all at once as a script.

At this point you can restart Apache and try accessing a test.cfm file to see if it works.

5.7 Run the Linux ColdFusion Auto Lockdown Tool

Before running the ColdFusion Auto Lockdown Tool please ensure the following:

- ColdFusion is running, and you have logged into the ColdFusion Administrator at least once: service cf2018 start
- Apache is running: service httpd start (test by accessing port 80 or 443).

Run the auto lockdown tool as the root user or by using sudo.

- ColdFusion Installation Directory - enter the directory where ColdFusion is installed.
- Apply latest ColdFusion update - select Yes to have the lockdown tool check for updates and install them.
- Automatic Update or Manual - select Automatic if the server is connected to the internet.
- ColdFusion Instance - enter the name of the instance to lock down; select the default cfusion.
- Web Server - select Apache.
- Admin Username - enter your ColdFusion Administrator username.
- Admin Password - enter your ColdFusion Administrator password.
- Internal Web Server Port - enter the port number you chose for the internal web server during installation (default is 8500).
- System Admin User - enter the username for your root user account.
- System Admin Password - if root has a password you may enter it; if it does not have a password configured just hit enter.
- Do you have a user created for running CF services? - select Yes.
- ColdFusion Runtime Username - enter the username for the ColdFusion user you created, e.g. cfuser.
- ColdFusion Runtime User Password - hit enter, because the user was created as a system account and so does not have a password.
- ColdFusion Runtime User Group - enter the name of the group you created, for example webusers.
- Do you have a user created for running Web Server services? - select Yes.
- Web Server Group - the name of the group that the web server user belongs to (default is apache on Red Hat Linux).
- Web Server Username - the username for the web server user (default is apache on Red Hat Linux).
- Web Server Password - hit enter; the web server user is created as a system account so it does not have a password by default on Red Hat Linux.
- Web Server Conf Directory Path - enter the path to the folder that contains httpd.conf; on Red Hat Linux it will be /etc/httpd/conf
- Web Server Binary Path - enter the path to the httpd binary; on Red Hat Linux it will be /usr/sbin/httpd
- Web Server Web Root Path - enter the path to the web root directory you created, for example: /web/
- File Upload Path - the lockdown installer will grant write permissions to the folder specified. If you have more than one folder, you can do this manually with chmod, for example chmod u+w /web/example.com/path-to-write-to/
- Alias for cf_scripts - select a path other than the defaults, not /cf_scripts and not /cf2018_scripts
- Shutdown Port - change the shutdown port to a non-default value.

Review the Lockdown Tool logs in /opt/coldfusion2018/lockdown/cfusion/Logs (path may differ), and ensure that it states ColdFusion Server has been locked down successfully and that there are no errors.

5.8 Update JVM

The Java Virtual Machine included with the ColdFusion installer may not contain the latest Java security hotfixes. You must periodically check for JVM security hotfixes.

Important Note: As of 2019 Oracle no longer allows commercial use of Java without a license. However ColdFusion "Customers shall be supported on Oracle Java SE without having to contract for support directly with Oracle in order to run ColdFusion". Details here: https://coldfusion.adobe.com/2019/01/oracle-java-support-adobe-coldfusion/

Download the RPM for the latest supported JRE from Adobe https://www.adobe.com/support/coldfusion/downloads.html. Install the rpm:

rpm -ivh jre-11.0.xx_linux-x64_bin.rpm

After you run the binary the JVM is installed in /usr/java/ and a symbolic link is created pointing to the latest installed version, /usr/java/latest/. Point ColdFusion to this path to simplify future JVM updates.

Verify that the version of Java in /usr/java/latest/ is a version supported for ColdFusion 2018. At the time of this writing Java 10 is the latest supported major version of Java.

/usr/java/latest/bin/java -version

Locate the jvm.config file (by default it is located in /opt/coldfusion2018/cfusion/bin/) and make a backup:

cp jvm.config jvm.config.backup

To update using ColdFusion Administrator: click on Server Settings > Java and JVM and then add /usr/java/latest/ to the Java Virtual Machine Path text box.

To update via shell: edit jvm.config in a text editor and locate the line beginning with java.home=, for example:

java.home=/opt/coldfusion2018/jre

Change that line to:

java.home=/usr/java/latest

Restart ColdFusion for the new JVM to take effect. Visit the System Information page of the ColdFusion Administrator to confirm that the JVM has been updated. To revert to the default JVM replace jvm.config with jvm.config.backup and restart ColdFusion again.

5.8.1 Update JVM Add-On Services

If you installed the add-on services ensure that the startup script points to the updated JVM; look for the line:

SOLR_JVM="/opt/coldfusion2018/jre"

And update it to:

SOLR_JVM="/usr/java/latest"

5.9 Setup Auditing

First ensure that auditd is installed and configured to meet your requirements in /etc/audit/auditd.conf

Use auditctl to add auditing of file system operations, for example:

auditctl -w /opt/coldfusion2018 -p wax -k cf2018

The above will audit all write, attribute change and execute operations on the path /opt/coldfusion2018/ and tag all entries with the filter key cf2018. Now that the filter key is set up you can query the audit log using:

ausearch -k cf2018

Keep in mind that the above might get a bit noisy if ColdFusion is writing a lot of log files; placing the log files elsewhere will reduce this noise.

You may also consider setting up auditing on other important paths such as /etc/ or your web root file system.
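To make the ausearch output useful in practice, the script below (an added example, not from the guide or from the auditd project) groups the raw records of each audit event by their serial number, joins the SYSCALL record (which process and uid acted) with the PATH records (which file was touched), and counts events per process, uid and path. An ignore prefix lets you drop the log-directory noise the guide mentions without changing the audit rule itself. The two events embedded below are constructed sample output in ausearch's raw record format (type=... msg=audit(timestamp:serial): key=value ...); the inode numbers, pids and file names are invented.

```python
"""Summarise `ausearch -k cf2018` raw output by process, uid and path.

Added example (not from the guide or from auditd). Assumes ausearch's raw
(non-interpreted) record format.
"""
import re
from collections import Counter, defaultdict

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn `a=b c="d e"` into a dict, stripping the quotes around values."""
    out = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        out[key] = value
    return out


def group_events(ausearch_text):
    """Return {serial: {"syscall": fields or None, "paths": [file names]}}.
    PATH records of nametype PARENT (the containing directory) are skipped."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in ausearch_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # "----" separators and "time->..." lines
        fields = parse_fields(m.group("body"))
        event = events[m.group("serial")]
        if m.group("type") == "SYSCALL":
            event["syscall"] = fields
        elif m.group("type") == "PATH" and fields.get("nametype") != "PARENT":
            event["paths"].append(fields.get("name", "?"))
    return events


def summarise(ausearch_text, ignore_prefix=None):
    """Count events per (exe, uid, path); paths under ignore_prefix (for
    example the ColdFusion logs directory) are left out of the count."""
    counts = Counter()
    for event in group_events(ausearch_text).values():
        sc = event["syscall"]
        if sc is None:
            continue
        for path in event["paths"]:
            if ignore_prefix and path.startswith(ignore_prefix):
                continue
            counts[(sc.get("exe", "?"), sc.get("uid", "?"), path)] += 1
    return counts


# Constructed sample: one routine log write by the ColdFusion JVM and one
# edit of a configuration file by root. Inodes, pids and names are invented.
SAMPLE = """----
time->Mon Mar 30 10:15:01 2020
type=PATH msg=audit(1585563301.123:4521): item=1 name="/opt/coldfusion2018/cfusion/logs/application.log" inode=131 dev=fd:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1585563301.123:4521): item=0 name="/opt/coldfusion2018/cfusion/logs/" inode=130 dev=fd:01 mode=040750 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1585563301.123:4521): cwd="/opt/coldfusion2018/cfusion/bin"
type=SYSCALL msg=audit(1585563301.123:4521): arch=c000003e syscall=257 success=yes exit=14 a0=ffffff9c a1=7f3c items=2 ppid=1 pid=1234 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="java" exe="/opt/coldfusion2018/jre/bin/java" key="cf2018"
----
time->Mon Mar 30 10:16:44 2020
type=PATH msg=audit(1585563404.552:4530): item=1 name="/opt/coldfusion2018/cfusion/lib/neo-security.xml" inode=222 dev=fd:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1585563404.552:4530): item=0 name="/opt/coldfusion2018/cfusion/lib/" inode=220 dev=fd:01 mode=040750 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1585563404.552:4530): cwd="/root"
type=SYSCALL msg=audit(1585563404.552:4530): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1 items=2 ppid=900 pid=4321 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="cf2018"
"""

if __name__ == "__main__":
    for (exe, uid, path), n in summarise(SAMPLE, "/opt/coldfusion2018/cfusion/logs/").most_common():
        print(f"{n:5d}  uid={uid:<6} {exe}  {path}")
```

Pipe real data in with ausearch -k cf2018 > cf2018.txt and pass the file's contents to summarise(); an entry whose exe is not the ColdFusion JVM, or whose path is under lib/, is the kind of event worth reviewing first.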

5.10 Change umask

Edit the {cf.root}/bin/sysinit startup script and add the following line near the top, but below the # description comment:

umask 007

Consider setting a more restrictive umask on the group permission.

5.11 Additional Lockdown Steps

Go back to Section 3 ColdFusion Administrator Settings and then to Section 4 Additional Lockdown Measures to perform additional steps.


6 Performance Monitoring Toolset Security Considerations

6.1 Installing the PMT

Select a non-default path to install to. Select non-default port numbers. Enter a username other than admin and use a strong password.

For additional isolation consider installing the PMT on a dedicated server. The PMT Service and PMT Datastore could also be isolated to dedicated servers.

6.2 ColdFusion Server Auto Discovery

The PMT auto discovery feature can detect ColdFusion servers over multicast (default port 46864). Ensure that your network firewall or operating system firewall is configured to limit access accordingly.

More information about auto discovery: https://coldfusion.adobe.com/2018/07/auto-discovery/

6.3 PMT Datastore

The PMT datastore is an ElasticSearch server. Any computer with access to the port that the PMT datastore is running on can access all the data it contains.

Ensure that the PMT datastore is not running on the default port (9200 to 9300).

Ensure that a network or OS firewall has been configured to deny external access to this port. ColdFusion 2018 servers that are monitored require access to the PMT datastore port.

6.4 Run PMT and PMT Datastore as Dedicated User

The ColdFusion 2018 Performance Monitoring Toolset service and ColdFusion 2018 Performance Monitoring Toolset Datastore service run as LocalSystem by default.

Create two Local User Accounts; in this guide we will use the usernames pmtdatastore and pmtservice, however you should create unique names. Next create a group that contains both users, for example pmtgroup.

Grant read only permission to the group (e.g. pmtgroup) on the Performance Monitoring Toolset installation directory (the default is C:\ColdFusion2018PerformanceMonitoringToolset or /opt/ColdFusion2018PerformanceMonitoringToolset).

Grant Full Control (read and write) permission to the logs and config directory under the PMT installation directory to the pmtservice user account.

Grant Full Control (read and write) permission to the datastore/data and datastore/logs directory under the PMT installation directory to the pmtdatastore user account.

Note that the pmtservice user does not need access to the datastore subfolder; you may consider denying the pmtservice user access to the datastore folder.

Update the Service Log On Identity for the ColdFusion 2018 Performance Monitoring Toolset service to point to your pmtservice user.

Update the Service Log On Identity for the ColdFusion 2018 Performance Monitoring Toolset Datastore service to point to your pmtservice user.

Restart both services.

6.5 Update PMT JVM

Edit the jvm.config file located in the config subfolder of the PMT installation directory. Replace the following line:

java.home=C:\ColdFusion2018PerformanceMonitoringToolset\jre

With a path pointing to your current JVM, for example:

java.home=C:\Java\jdk-11.0.XX\


7 API Manager Security Considerations

7.1 Install API Manager

Download and run the API Manager Installer.

Consider changing ports to non-default values.

Use a dedicated partition/drive for the API Manager application server files.

For maximum isolation you can install the API Manager, Data Store and Analytics Server services on separate servers. If you are installing everything on a single server check the Data Store and Analytics Server checkboxes to install these services locally.

7.2 Connect API Manager to IIS

Follow section 2.2 to ensure that the required IIS role services are installed on the server. Create an empty directory for a new site in IIS, for example d:\sites\api.example.com\wwwroot\

Create empty subfolders called portal, amp, analytics and admin.

URI | Purpose | Restrict
--- | --- | ---
/analytics | Allows publishers, subscribers and admins to see stats related to the API use. | Restrict to admins, publishers and subscribers
/admin | API Manager administrator interface. | Block public access.
/amp | Internal API for API Manager. Used by /portal/analytics | Restrict to admins, publishers and subscribers
/amp/admin | Internal API for API Manager Admin | Block public access.

Block or restrict access to the URIs using request filtering, IP restrictions, or web server authentication.

7.3 Run API Manager as a Dedicated User

Create a unique user for each service (for example: apimanager, apidatastore, apianalytics) with minimal permission. Next create a user group containing each service user; in this guide we will call the group apimanagers, but you should use unique user names and group names.

Stop all API Manager Services.

Grant read only permission to the apimanagers group for the entire API Manager installation root directory {api.root} (for example x:\ApiManager\ or /opt/ApiManager/).

Next grant read and write (Full Control) permission to the apidatastore user for the {api.root}/database/datastore/ directory.

Start the API Datastore Service.

Grant read and write (Full Control) permission to the apianalytics user for the following directories:

{api.root}/database/analytics/data/
{api.root}/database/analytics/logs/

Start the API Analytics Service.

Grant read and write (Full Control) permission to the apimanager user for the following directories:

{api.root}/conf
{api.root}/logs

Start the API Manager services and test.

On Linux you will need to create a startup script to run each of the services as their dedicated users, for example:

su apidatastore -c "/opt/ApiManager/database/datastore/redis-server /opt/ApiManager/database/datastore/redis.conf.properties"
su apianalytics -c "/opt/apimanager/database/analytics/bin/elasticsearch"
su apimanager -c "/opt/ApiManager/bin/start.sh"


8 Patch Management Procedures

Staying up to date with patches is essential to maintaining security on the server. The system administrator should monitor the vendors' security pages for all software in use. Most vendors have a security mailing list that will notify you by email when vulnerabilities are discovered.

Sign up for the Adobe Security Notification Service: https://www.adobe.com/subscription/adbeSecurityNotifications.html

Check the following web sites frequently:

- Adobe ColdFusion Security Bulletins: https://helpx.adobe.com/security/products/coldfusion.html
- Microsoft Security TechCenter: https://www.microsoft.com/en-us/msrc
- Red Hat Security: https://www.redhat.com/security/updates/
- Listing of security vulnerabilities in Apache web server: https://httpd.apache.org/security_report.html
- Listing of security vulnerabilities in Tomcat: https://tomcat.apache.org/security-9.html

To keep updated with ColdFusion 2018 updates you can use the server update feature in the ColdFusion Administrator. Consider setting up an instance to email you when new updates are released.

You should also consider subscribing to the ColdFusion Community Portal https://coldfusion.adobe.com/.

Finally, a third-party commercial service, http://hackmycf.com, will let you know when relevant ColdFusion, Java, Tomcat, etc. security patches are released. It will also scan your server on a periodic basis and send you a report.


9 Sources of Information

- Microsoft Security Compliance Management Toolkit: http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e
- NSA Operating System Security Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
- NSA Guide to Secure Configuration of Red Hat Enterprise Linux 5: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
- Tips for Securing Apache: http://www.petefreitag.com/item/505.cfm
- Apache Security by Ivan Ristic, 2005, O'Reilly, ISBN: 0-596-00724-8
- Tips for Secure File Uploads with ColdFusion: http://www.petefreitag.com/item/701.cfm
- HackMyCF.com Remote ColdFusion vulnerability scanner: http://hackmycf.com/
- Fixing Apache (13) Permission Denied 403 Forbidden Errors: http://www.petefreitag.com/item/793.cfm
- Apache Tomcat 8.5 Security Considerations: http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
- Getting started with AppCmd.exe: http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
- Professional Microsoft IIS 8 by Schaefer, Kenneth; Cochran, Jeff; Forsyth, Scott; Glendenning, Dennis; Perkins, Benjamin. Wiley. ISBN: 978-1-118-38804-4
- ColdFusion and SELinux: http://www.talkingtree.com/blog/index.cfm?mode=entry&entry=28ED0616-50DA-0559-A0DD2E158FF884F3
- ColdFusion MX with SELinux Enforcing: http://www.ghidinelli.com/2007/12/06/coldfusion-mx-with-selinux-enforcing

Thanks to Charlie Arehart for providing several suggestions and feedback on prior versions of the guide.


10 Reference Tables

10.1 Tags that use /cf_scripts/assets

Tag                                URI Pattern                      Notes
cfajaxproxy                        /cf_scripts/scripts/ajax/
cfajaximport                       /cf_scripts/scripts/             This tag lets you override the default script src setting
cfautosuggest                      /cf_scripts/scripts/ajax/
cfcalendar                         /cf_scripts/scripts/ajax/
cfchart                            /cf_scripts/scripts/ajax/
                                   /cf_scripts/scripts/chart/
cfclient                           /cf_scripts/cfclient/
cfdiv                              /cf_scripts/scripts/ajax/
cffileupload                       /cf_scripts/scripts/ajax/
cfform                             /cf_scripts/scripts/cfform.js
                                   /cf_scripts/scripts/masks.js
cfform format=flash                /cf_scripts/scripts/ajax/        Deprecated since CF11
cfform format=xml                  /cf_scripts/scripts/ajax/        Deprecated since CF11
cfgrid                             /cf_scripts/scripts/ajax/
cfgrid format=applet               /cf_scripts/classes/             Deprecated since CF11
cfinput (autosuggest, datefield)   /cf_scripts/scripts/ajax/
cflayout                           /cf_scripts/scripts/ajax/
cfmap                              /cf_scripts/scripts/ajax/
cfmediaplayer                      /cf_scripts/scripts/ajax/
cfmenu                             /cf_scripts/scripts/ajax/
cfmessagebox                       /cf_scripts/scripts/ajax/
cfpod                              /cf_scripts/scripts/ajax/
cfprogressbar                      /cf_scripts/scripts/ajax/
cfslider                           /cf_scripts/scripts/ajax/
cfsprydataset                      /cf_scripts/scripts/ajax/        Deprecated since CF11
cftextarea                         /cf_scripts/scripts/ajax/        Consider blocking the ckeditor subfolder if you do not
                                   /cf_scripts/scripts/ckeditor/    use this tag, because it has cfm files in it.
cftooltip                          /cf_scripts/scripts/ajax/
cftree                             /cf_scripts/scripts/ajax/
cftree format=applet               /cf_scripts/classes/             Deprecated since CF11
cfwebsocket                        /cf_scripts/scripts/ajax/
cfwindow                           /cf_scripts/scripts/ajax/
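The table above is most useful when you know which of these tags your own code actually uses, since every /cf_scripts/ path not listed for a tag you use can be blocked at the web server. The following PowerShell script is an added example, not part of the Lockdown Guide: it scans a code base for the tags in table 10.1 and reports the paths that must stay reachable, plus the ckeditor recommendation from the table's note. It assumes the code base root is passed as -Root and that only .cfm and .cfc files need scanning; the deprecated format=applet/flash/xml variants are not distinguished from the base tag, so /cf_scripts/classes/ is only listed if you add it by hand for a format=applet site.

```powershell
# Added example, not part of the Lockdown Guide: scan a ColdFusion code base for the tags
# in table 10.1 and report which /cf_scripts/ paths the application still needs, so that
# everything else under /cf_scripts/ can be blocked at the web server.
# Assumption: -Root is the code base directory; only .cfm and .cfc files are scanned.
param(
    [Parameter(Mandatory = $true)][string]$Root
)

# Tag -> URI patterns, transcribed from table 10.1 (base tags only; the deprecated
# format=applet/flash/xml variants are not distinguished here).
$tagPaths = @{
    'cfajaxproxy'   = @('/cf_scripts/scripts/ajax/')
    'cfajaximport'  = @('/cf_scripts/scripts/')
    'cfautosuggest' = @('/cf_scripts/scripts/ajax/')
    'cfcalendar'    = @('/cf_scripts/scripts/ajax/')
    'cfchart'       = @('/cf_scripts/scripts/ajax/', '/cf_scripts/scripts/chart/')
    'cfclient'      = @('/cf_scripts/cfclient/')
    'cfdiv'         = @('/cf_scripts/scripts/ajax/')
    'cffileupload'  = @('/cf_scripts/scripts/ajax/')
    'cfform'        = @('/cf_scripts/scripts/cfform.js', '/cf_scripts/scripts/masks.js')
    'cfgrid'        = @('/cf_scripts/scripts/ajax/')
    'cfinput'       = @('/cf_scripts/scripts/ajax/')
    'cflayout'      = @('/cf_scripts/scripts/ajax/')
    'cfmap'         = @('/cf_scripts/scripts/ajax/')
    'cfmediaplayer' = @('/cf_scripts/scripts/ajax/')
    'cfmenu'        = @('/cf_scripts/scripts/ajax/')
    'cfmessagebox'  = @('/cf_scripts/scripts/ajax/')
    'cfpod'         = @('/cf_scripts/scripts/ajax/')
    'cfprogressbar' = @('/cf_scripts/scripts/ajax/')
    'cfslider'      = @('/cf_scripts/scripts/ajax/')
    'cfsprydataset' = @('/cf_scripts/scripts/ajax/')
    'cftextarea'    = @('/cf_scripts/scripts/ajax/', '/cf_scripts/scripts/ckeditor/')
    'cftooltip'     = @('/cf_scripts/scripts/ajax/')
    'cftree'        = @('/cf_scripts/scripts/ajax/')
    'cfwebsocket'   = @('/cf_scripts/scripts/ajax/')
    'cfwindow'      = @('/cf_scripts/scripts/ajax/')
}

# One regex per tag: "<cftag" followed by whitespace, ">" or "/", so that cfinput does
# not also match a longer tag name that merely starts with "cfinput".
$tagPattern = @{}
foreach ($tag in $tagPaths.Keys) { $tagPattern[$tag] = "(?i)<$tag[\s>/]" }
# cfinput pulls in the ajax scripts only for type="autosuggest" or type="datefield".
$tagPattern['cfinput'] = '(?is)<cfinput\b[^>]*\btype\s*=\s*["'']?(autosuggest|datefield)'

# Tag -> list of files that use it.
$usedTags = @{}
Get-ChildItem -Path $Root -Recurse -Include *.cfm, *.cfc -File | ForEach-Object {
    $text = Get-Content -LiteralPath $_.FullName -Raw
    foreach ($tag in $tagPattern.Keys) {
        if ($text -match $tagPattern[$tag]) {
            if (-not $usedTags.ContainsKey($tag)) { $usedTags[$tag] = @() }
            $usedTags[$tag] += $_.FullName
        }
    }
}

# Union of the URI patterns for every tag that was found.
$required = @($usedTags.Keys | ForEach-Object { $tagPaths[$_] } | Sort-Object -Unique)

"Tags from table 10.1 found under ${Root}:"
foreach ($tag in ($usedTags.Keys | Sort-Object)) {
    $note = if ($tag -eq 'cfsprydataset') { ' (deprecated since CF11: remove rather than allow)' } else { '' }
    "  {0,-14} {1} file(s){2}" -f $tag, $usedTags[$tag].Count, $note
}

"Paths that must stay reachable under /cf_scripts/:"
$required | ForEach-Object { "  $_" }

# From the table's note on cftextarea: the ckeditor folder contains .cfm files.
if ($required -notcontains '/cf_scripts/scripts/ckeditor/') {
    "cftextarea is not used: consider blocking /cf_scripts/scripts/ckeditor/ (it contains .cfm files)."
}
```

Save the script under a name of your choosing (for instance Find-CfScriptsUsage.ps1, a hypothetical name) and run it as `.\Find-CfScriptsUsage.ps1 -Root C:\inetpub\wwwroot`. Every /cf_scripts/ subfolder that does not appear in its output is a candidate for a deny rule in IIS or Apache; re-run it after deployments, since a newly added cftextarea or cfchart silently changes the list.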


11 Troubleshooting

11.1 ColdFusion cannot write files under the webroot

The Auto Lockdown tool gives ColdFusion read-only permission to the webroot. If there are files or folders that ColdFusion must write to, you need to give the ColdFusion user account (eg cfuser) write permission.

11.2 Requesting a cfm results in a 404 after Lockdown tool

Here are two possible causes.

The IIS Application Pool .NET Framework Version may not have been set to No Managed Code.

The auto lockdown tool does not create inheritable file system permissions, so ColdFusion's user account may not have permission to read the file if it was created after the lockdown tool ran. See the section titled Adjust Windows File System Permissions.

11.3 IIS does not have permission to read web.config file

If you made a change in IIS after running the lockdown tool that caused a new web.config file to be created, the new file may not have the appropriate permissions. See the section titled Adjust Windows File System Permissions.

11.4 WebSockets are not working after running lockdown tool

Sites that use the ColdFusion WebSocket proxy must change the .NET Framework Version in the IIS Application Pool Settings from No Managed Code to a version of .NET that supports WebSockets (v4+).
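Sections 11.1 through 11.4 all come down to two things on an IIS server: the app pool's managed runtime setting, and file system grants that the lockdown tool made non-inheritable. The following PowerShell script is an added example, not part of the Lockdown Guide, that checks and fixes both. The names in it are assumptions to be changed for your server: ColdFusion runs as "cfuser", the site uses the app pool "DefaultAppPool", the webroot is C:\inetpub\wwwroot, and C:\inetpub\wwwroot\uploads is a folder the application must write to.

```powershell
# Added example, not part of the Lockdown Guide: first-pass checks and fixes for the IIS
# symptoms in sections 11.1 - 11.4 after the Auto Lockdown tool has run. Run elevated.
# Assumed names (change to match your server): ColdFusion runs as "cfuser", the site
# uses the app pool "DefaultAppPool", the webroot is C:\inetpub\wwwroot and
# C:\inetpub\wwwroot\uploads is a folder the application must write to.

Import-Module WebAdministration

$cfUser   = 'cfuser'
$appPool  = 'DefaultAppPool'
$webRoot  = 'C:\inetpub\wwwroot'
$writeDir = Join-Path $webRoot 'uploads'
$poolPath = "IIS:\AppPools\$appPool"

# 11.2 / 11.4: an empty managedRuntimeVersion is "No Managed Code". Plain .cfm sites need
# it empty; sites that use the ColdFusion WebSocket proxy need v4.0 instead.
$runtime = (Get-Item $poolPath).managedRuntimeVersion
if ([string]::IsNullOrEmpty($runtime)) { "App pool '$appPool': No Managed Code" }
else { "App pool '$appPool': managed runtime '$runtime'" }

# Pick exactly one of the following two lines for this site.
Set-ItemProperty $poolPath -Name managedRuntimeVersion -Value ''       # 11.2: No Managed Code
# Set-ItemProperty $poolPath -Name managedRuntimeVersion -Value 'v4.0' # 11.4: WebSocket proxy sites

# 11.1: give cfuser Modify on a folder it must write to. (OI)(CI) make the grant inherit to
# files and subfolders created later, which the lockdown tool's own grants do not.
icacls $writeDir /grant "${cfUser}:(OI)(CI)M"

function Test-ReadGranted {
    # $true if an Allow ACE (direct or inherited) for any of $Accounts includes ReadData.
    # Deny ACEs and group memberships beyond the names given are not evaluated, so treat
    # the result as a first-pass check, not a full effective-access calculation.
    param([string]$Path, [string[]]$Accounts)
    $acl = Get-Acl -LiteralPath $Path
    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $readBit) -ne $readBit) { continue }
        foreach ($acct in $Accounts) {
            # IdentityReference looks like "MACHINE\cfuser", "IIS AppPool\<pool>", "BUILTIN\IIS_IUSRS".
            if ($ace.IdentityReference.Value -like "*\$acct") { return $true }
        }
    }
    return $false
}

# 11.2 (second cause): files added after lockdown that cfuser cannot read produce a 404.
Get-ChildItem -Path $webRoot -Recurse -File |
    Where-Object { -not (Test-ReadGranted -Path $_.FullName -Accounts @($cfUser)) } |
    ForEach-Object { "cfuser cannot read: $($_.FullName)" }

# 11.3: IIS reads web.config as the app pool identity, or through the IIS_IUSRS group.
Get-ChildItem -Path $webRoot -Recurse -File -Filter web.config |
    Where-Object { -not (Test-ReadGranted -Path $_.FullName -Accounts @($appPool, 'IIS_IUSRS')) } |
    ForEach-Object { "IIS cannot read: $($_.FullName)" }
```

The listing part is safe to run on its own whenever a new 404 or web.config error appears; the Set-ItemProperty and icacls lines change the server and should be applied deliberately, one site at a time, with the WebSocket line used only where section 11.4 applies.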

11.5 Help Installing ColdFusion Hotfixes

Consult the ColdFusion Hotfix Installation Guide for troubleshooting hotfix installation issues: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide


12 Revision History

Version 1.0 - 2018-08-13 - Initial Release.

Version 1.1 - 2018-10-05

Typo in section 4.11 Disable Unused Servlet Mappings on Page 34: /flex/internal/ should be /flex-internal/

Version 1.2 - 2019-03-19

Removed section (previously 2.7) Adjust Windows File System Permissions because it is no longer necessary due to bug fixes: https://tracker.adobe.com/#/view/CF-4202957

Revised the Update JVM sections pertaining to Oracle licensing changes.

Changed Allow concurrent login sessions for Administrator Console from checked to unchecked.

Version 1.3 - 2020-03-31

Added note in section 4.4 about write permission to WEB-INF cfclasses, rest-skeletons, and cfc-skeletons
