Securing the ColdFusion Administrator (CF9 Security Lock Down Guide)

October 1, 2010 · 2 Comments

I've been doing way too much Windows server admin as of late, but I have enjoyed using the ColdFusion 9 Security Lock Down Guide as written by Pete Freitag.

The guide is a must-read for anyone administering a ColdFusion server; however, it misses one small item when it comes to locking down the ColdFusion Administrator.

On page 9, the guide introduces IIS7 request filtering and shows how to deny every /CFIDE/[path] URL sequence in applicationHost.config, a server-wide setting that you then override in the web.config file of each website that needs one of those paths.

On page 10 there is a block of XML that must be added to the CFAdmin site's web.config to allow requests to /CFIDE/administrator/.

However, you must also add another line to allow access to /CFIDE/scripts, because the ColdFusion Administrator uses some of the cfform and cfajax functionality, and the client-side JavaScript for those tags is served from that directory.

In particular, if you are using Verity, the Languages drop-down box on the ColdFusion Collections page will not be populated if you have not allowed access to /CFIDE/scripts.

So make sure you also add the following to the CFAdmin site's web.config, alongside the administrator entry from page 10:

<remove sequence="/CFIDE/scripts" />
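To show the two halves of the configuration side by side, here is an added example (it is not from the lock down guide or from this post; the list of denied paths is an assumed one for illustration, and the guide's own list is authoritative). The first fragment is the server-wide deny list in applicationHost.config; the second is the web.config of the CF Administrator site, which lifts only the two denies that the Administrator needs. A `<remove>` matches the `sequence` attribute exactly and does not lift a broader entry, so `/CFIDE/scripts` must appear as its own `<add>` in the server-level list for the `<remove>` to have any effect.

```xml
<!-- Fragment 1: applicationHost.config (server level, inherited by every site).
     Assumed deny list for illustration; use the guide's list in practice. -->
<system.webServer>
  <security>
    <requestFiltering>
      <denyUrlSequences>
        <add sequence="/CFIDE/administrator" />
        <add sequence="/CFIDE/adminapi" />
        <add sequence="/CFIDE/componentutils" />
        <add sequence="/CFIDE/wizards" />
        <!-- must be a separate entry so the CFAdmin site can remove it -->
        <add sequence="/CFIDE/scripts" />
      </denyUrlSequences>
    </requestFiltering>
  </security>
</system.webServer>

<!-- Fragment 2: web.config of the CF Administrator site only.
     Each <remove> lifts exactly one inherited <add> with the same sequence;
     every other site keeps the full deny list. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <remove sequence="/CFIDE/administrator" />
          <remove sequence="/CFIDE/scripts" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

To check the result, request a file such as /CFIDE/scripts/cfform.js from a public site and from the CFAdmin site: the public site should answer with an IIS 404 (sub-status 404.5, URL sequence denied), while the CFAdmin site should serve the file. If the Languages drop-down on the Collections page is still empty, look for that same 404.5 in the CFAdmin site's IIS log.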

Tags: ColdFusion

2 responses so far ↓

  • 1 ryan tj // Oct 2, 2010 at 1:40 AM

    Most load balancers allow you to block URLs also, or rather set up rules to send certain URLs to a null service.
  • 2 Brad Wood // Oct 6, 2010 at 4:13 AM

    Why go through the trouble of blocking anything? I just remove the administrator directory (and a couple others) from all my public-facing sites. If I want to use the CF Admin, I have the full CFIDE folder on my default site which is bound to an IP that is only accessible inside my firewall.
