Tech Sharing

Tech Sharing

Advertisement

Secure Profile in ColdFusion 10

By on April 24, 2012

Installing ColdFusion is not an issue for most of the administrator, but the problem come when you try to configure the server at the release state and also secure.

tech.david-cheong.com

There are too many setting and tuning you need to secure your ColdFusion server. So with ColdFusion 10, there is a very good and useful features which call Secure Profile were introduced. It is recommended to choose this setting for production server. When the option is selected, this will enforce a lot of pre-configure security related setting.

tech.david-cheong.com

At the time of installation if secure profile is chosen, the following settings are affected:

tech.david-cheong.com

1.    Separate username and password setting is enabled for Administrator &RDS
2.    RDS service is disabled
3.    A List of IP addresses are asked which should have access to Administrator
4.    Strong and complex password for root admin user is mandatory
5.    Directory Browsing is disable in server
6.    Custom and least information error templates are used
7.    All debugging is disabled
8.    For a new data source default allowed SQL are select, insert, update, delete
9.    Below is a list of some more settings on server level which are affected –
 tech.david-cheong.com
Administrator settings affected by enabling Secure Profile –
tech.david-cheong.com
Administrator Settings
Path
Default Admin
Profile
Secure Profile
Changes to the setting
1
Use UUID for cftoken
Server Settings > Settings
Enabled
Enabled
Overwritten
2
Disable access to internal
ColdFusion Java components
Server Settings > Settings
Disabled
Enabled
Overwritten
3
Enable Global Script
Protection
Server Settings > Settings
Enabled
Enabled
Overwritten
4
Maximum size of post data
Server Settings > Settings
20MB
20MB
Overwritten
5
Missing Template Handler
Server Settings > Settings
no value
Custom missing error template
Retained if specified
6
Site-wide Error Handler
Server Settings > Settings
no value
Custom site-wide error template
Retained if specified
7
Request Queue Timeout Page
Server Settings > Request
Tuning
no value
Custom error template
Retained if specified
8
Cookie Timeout
Server Settings > Memory
Variables
15767000 minute
1440 minute
N/A
9
Disabling updating of ColdFusion internal cookies using ColdFusion tags/functions
Server Settings > Memory
Variables
Disabled
Enabled
N/A
10
Enabled WebSocket Server
Server Settings > WebSocket
Enabled
Disabled
N/A
11
Start Flash Policy Server
Server Settings > WebSocket
Enabled
Disabled
N/A
12
Allowed SQL (all settings)
Data & Services > Data Sources ><database> > Advanced Settings
Enabled
Create, Drop, Alter, Grant,Revoke, Stored Procedures are disabled
Retained if specified
13Enable Robust Exception Information
Debugging & Logging > Debug Output Settings
Disabled
Disabled
Overwritten
14Enable CFSTAT
Debugging & Logging > Debug Output Settings
Enabled
Disabled
Overwritten
15

Select the type of
Administrator authentication

Security > Administrator
Use a single password only
Separate user name and password authentication (allows multiple users)
N/A
16Enable RDS Service
Security > RDS
Configurable at install time
Disabled
N/A
17

Select the type of RDS
authentication

Security > RDS
Use a single password only
Separate user name and password authentication (allows multiple users)
N/A
18Allowed IP addresses for ColdFusion Administrator access
Security > Allowed IP Addresses
Not available at install time
Available at install time
N/A
tech.david-cheong.com

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

Comments

No Responses to “Secure Profile in ColdFusion 10”

Write a Comment

Captcha * Time limit is exhausted. Please reload CAPTCHA.

%d bloggers like this: