Secure Profile in ColdFusion 10

Installing ColdFusion is not an issue for most administrators, but the problem comes when you try to configure the server for release and also make it secure.

tech.david-cheong.com

There are many settings to tune in order to secure a ColdFusion server. So with ColdFusion 10, a very useful feature called Secure Profile was introduced. It is recommended to choose this setting for production servers. When the option is selected, it enforces a number of pre-configured security-related settings.

If Secure Profile is chosen at the time of installation, the following settings are affected:

1. Separate username and password authentication is enabled for Administrator and RDS
2. RDS service is disabled
3. A list of IP addresses that should have access to the Administrator is requested
4. A strong and complex password for the root admin user is mandatory
5. Directory browsing is disabled on the server
6. Custom error templates that reveal the least possible information are used
7. All debugging is disabled
8. For a new data source, the default allowed SQL statements are select, insert, update and delete
9. Below is a list of some more server-level settings that are affected:

Administrator settings affected by enabling Secure Profile:
| # | Administrator Setting | Path | Default Admin Profile | Secure Profile | Changes to the setting |
|---|---|---|---|---|---|
| 1 | Use UUID for cftoken | Server Settings > Settings | Enabled | Enabled | Overwritten |
| 2 | Disable access to internal ColdFusion Java components | Server Settings > Settings | Disabled | Enabled | Overwritten |
| 3 | Enable Global Script Protection | Server Settings > Settings | Enabled | Enabled | Overwritten |
| 4 | Maximum size of post data | Server Settings > Settings | 20MB | 20MB | Overwritten |
| 5 | Missing Template Handler | Server Settings > Settings | no value | Custom missing error template | Retained if specified |
| 6 | Site-wide Error Handler | Server Settings > Settings | no value | Custom site-wide error template | Retained if specified |
| 7 | Request Queue Timeout Page | Server Settings > Request Tuning | no value | Custom error template | Retained if specified |
| 8 | Cookie Timeout | Server Settings > Memory Variables | 15767000 minutes | 1440 minutes | N/A |
| 9 | Disable updating of ColdFusion internal cookies using ColdFusion tags/functions | Server Settings > Memory Variables | Disabled | Enabled | N/A |
| 10 | Enable WebSocket Server | Server Settings > WebSocket | Enabled | Disabled | N/A |
| 11 | Start Flash Policy Server | Server Settings > WebSocket | Enabled | Disabled | N/A |
| 12 | Allowed SQL (all settings) | Data & Services > Data Sources > <database> > Advanced Settings | Enabled | Create, Drop, Alter, Grant, Revoke, Stored Procedures are disabled | Retained if specified |
| 13 | Enable Robust Exception Information | Debugging & Logging > Debug Output Settings | Disabled | Disabled | Overwritten |
| 14 | Enable CFSTAT | Debugging & Logging > Debug Output Settings | Enabled | Disabled | Overwritten |
| 15 | Select the type of Administrator authentication | Security > Administrator | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A |
| 16 | Enable RDS Service | Security > RDS | Configurable at install time | Disabled | N/A |
| 17 | Select the type of RDS authentication | Security > RDS | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A |
| 18 | Allowed IP addresses for ColdFusion Administrator access | Security > Allowed IP Addresses | Not available at install time | Available at install time | N/A |