This document provides guidance on locking down ColdFusion application servers. It discusses installing only necessary components, using dedicated user accounts, restricting file permissions, updating the Java runtime, securing the ColdFusion Administrator, and configuring Tomcat. The document is based on official ColdFusion lockdown guides and highlights new aspects in CF2016 like blocking the /CFIDE path by default. It emphasizes principles of least privilege, defense in depth, and avoiding defaults to help secure ColdFusion installations.
Locking Down CF Servers
1. Locking Down CF Servers
Pete Freitag, Foundeo Inc.
foundeo.com | hackmycf.com | fuseguard.com
2. About Pete Freitag
✤ Owner of Foundeo Inc. (Gold Sponsor)
✤ HackMyCF - Remote ColdFusion Security Scanner
✤ FuseGuard - Web App Firewall for CFML
✤ Consulting - Install, Configure, Review, CFML Dev
✤ 18+ Years working with CF
✤ Author of CF9-2016 Lockdown Guides, CFMX Cookbook (SAMs)
✤ blog: petefreitag.com twitter: @pfreitag slack: @foundeo
3. Our Focus Today
✤ Securing your ColdFusion Server Install
✤ Not covering:
✤ Hardening Your Operating System
✤ Database Security
✤ Securing your Application Source Code
5. Heavily Based on:
✤ ColdFusion 2016 Lockdown Guide: http://bit.ly/cf2016lockdown
✤ ColdFusion 11 Lockdown Guide: http://bit.ly/cf11lockdown
✤ ColdFusion 10 Lockdown Guide: http://bit.ly/cf10lockdown
✤ ColdFusion 9 Lockdown Guide: http://bit.ly/cf9lockdown
✤ This talk assumes CF2016, but most of it applies to CF10-11 as well
✤ CF9 and below are no longer supported (no more security patches)
6. Why Do I Need to Lockdown my Install?
Can't the installer do everything for me?
What is secure?
What tradeoffs are acceptable?
(cc) http://www.flickr.com/photos/toddler/4169974226/
7. Principle of Least Privilege
Grant only the minimum permission required to accomplish a task.
(cc) http://www.flickr.com/photos/dvanzuijlekom/8279837896/in/photostream/
12. Security Tradeoffs
✤ Security vs Usability
✤ 5 second session timeout?
✤ Force password change too frequently.
✤ Security vs Performance
✤ Is HTTP vs HTTPS still a performance tradeoff? See: www.httpvshttps.com
✤ Security vs Time / Money
✤ There is often no visible difference to stakeholders between secure and insecure.
✤ Security is often not viewed as a worthy investment until it is too late.
13. Lockdown Guide Tips
✤ Time - Be prepared to spend some time performing the steps (2-4 hours, or more)
✤ Test often - most steps that will break something if performed incorrectly will tell you to test.
✤ Decide - the lockdown guide gives you guidance and instructions but it does not dictate that every step must be performed. Assess the tradeoffs and implications as you go.
14. What's New in CF2016 Lockdown
✤ /CFIDE is blocked by web server connectors by default
✤ /CFIDE/scripts moved to /cf_scripts/scripts
✤ Ships with Tomcat 8 instead of Tomcat 7
✤ Rearranged Lockdown Guide to hopefully improve workflow.
15. Pre-Installation
✤ Lockdown and Patch OS
✤ OS Vendors have Lockdown Guides as well.
✤ https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/
✤ Windows Security Compliance Toolkit: http://technet.microsoft.com/en-us/library/cc677002.aspx
✤ Ensure network firewall in place.
✤ Remove all unnecessary software.
16. Pre-Installation
✤ Windows: Create multiple partitions: OS, CF, Web Root.
✤ Limits impact of a path traversal vulnerability.
✤ Create a user account for CF to run as.
17. Install Web Server
✤ IIS - Install Minimal Role Services:
✤ Common HTTP Features: Default Document
✤ Common HTTP Features: HTTP Errors
✤ Common HTTP Features: Static Content
✤ Health and Diagnostics: HTTP Logging
✤ Security: Request Filtering
✤ Security: IP and Domain Restrictions
✤ Application Development: .NET Extensibility 4.5 (or latest version)
✤ Application Development: ASP.NET 4.5 (or latest version)
✤ Application Development: CGI
✤ Application Development: ISAPI Extensions
✤ Application Development: ISAPI Filters
✤ Management Tools: IIS Management Console
19. IIS Request Filtering
✤ Block or whitelist URIs
✤ Block or whitelist by file extension
✤ Block or whitelist HTTP verbs
✤ Request Limits
✤ Content Length
✤ URL Length
✤ Query String Length
22. Restrict File Extensions
✤ Can be set up per folder, site or globally for IIS
✤ Whitelist - only serve files in allowed list of extensions
✤ eg: restrict /photos/ folder to only serve jpg, png, gif
✤ eg: global whitelist: cfm, jpg, png, gif, js, css, pdf
✤ Takes time to come up with list but worth it
✤ The /jakarta virtual directory must allow dll extension
✤ Blacklist - do not serve files on blacklist / deny list.
24. IIS Identities
✤ Application Pool Identity - user that the IIS process for your site is running as.
✤ Anonymous Authentication Identity - user that the app pool impersonates when handling an unauthenticated request for content.
✤ All requests are anonymous unless you enable authentication.
25. Application Pool Identity
✤ ApplicationPoolIdentity - default, low privilege, automatically isolates each application pool. Member of IIS_IUSRS group.
✤ Custom User - if using network shares with ApplicationPoolIdentity you have to grant the entire machine access to the share, so you may opt to create your own user in that case.
26. Anonymous Authentication Identity
✤ IUSR
✤ The default
✤ No isolation between all sites
✤ Implicit member of Users group.
✤ ApplicationPoolIdentity
✤ Provides isolation between sites
✤ Shares identity with Application Pool
27. Additional IIS Lockdown
✤ Remove unused ASP.NET ISAPI Filters and Handler Mappings
✤ Keep the StaticFile Handler (unless you do not serve js, css, images, etc)
✤ Keep the ISAPI-dll handler - needed for CF connector.
✤ Remove Response headers such as X-Powered-By: ASP.NET
28. Configure Apache
✤ Remove modules that you do not use (eg php)
✤ fgrep LoadModule *.conf
✤ Block unused servlet mapping URIs
✤ RedirectMatch 404 (?i).*/flex2gateway.*
✤ File Extension blacklist:
✤ RedirectMatch 404 (?i).*\.(jsp|php).*
✤ Run SELinux enforcing mode if possible.
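Putting the "Configure Apache" steps together, as an added example that is not from the slides or from Adobe's lockdown guide: an Apache 2.4 fragment that trims modules, blocks unused servlet mappings and /CFIDE, and blacklists extensions. The web root path, the list of servlet mappings assumed unused, and the extra blacklisted extensions are assumptions to adjust for each server.

```apache
# Added example (not from the slides or the lockdown guide): Apache 2.4
# fragment for the "Configure Apache" steps. Assumed: web root is
# /var/www/html, and this application uses none of the servlet mappings
# blocked below (remove any entry from the list that your app relies on).

# 1. Leave only the modules you need loaded. Audit what is currently on:
#      fgrep LoadModule /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
#    and comment out anything unused, e.g. PHP when CF is the only engine:
# LoadModule php5_module modules/libphp5.so

# 2. Don't advertise server version details in headers or error pages.
ServerTokens Prod
ServerSignature Off

# 3. Web root: no directory listings, SSI or CGI, and no .htaccess overrides.
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# 4. Block servlet mappings the application does not use, so requests for
#    them never reach Tomcat. (?i) makes the match case-insensitive so
#    mixed-case variants are caught as well.
RedirectMatch 404 (?i)^.*/(flex2gateway|flashservices/gateway|messagebroker|CFFormGateway|cfform-internal|WSRPProducer)(/.*)?$

# 5. CF2016 connectors already block /CFIDE; keep an explicit web-server
#    rule too (defense in depth), e.g. for when a connector is reinstalled.
RedirectMatch 404 (?i)^/CFIDE(/.*)?$

# 6. File extension blacklist: engines not in use plus files that would leak
#    source or configuration. Anchored to the end of a path segment so that
#    e.g. /img/backup.jpg is unaffected while /old/index.php/x is blocked.
RedirectMatch 404 (?i)^.*\.(jsp|php|phtml|bak|old|orig|sql|log|ini|properties)(/.*)?$
```

Test each rule with curl against a staging host before production, since an over-broad pattern in step 4 or 6 will return 404 for legitimate application paths.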
39. Post-Install
✤ Install any/all CF security hotfixes and updates.
✤ Install / Update Web Server connectors
✤ Configure administrator settings.
40. Accessing CF Administrator
✤ Use Builtin Web Server
✤ Access locally over RDP
✤ SSH Tunnel on Linux
✤ If accessed outside of localhost add TLS / HTTPS
✤ Using webserver (IIS / Apache) - intentionally harder in CF2016
✤ Use dedicated connector / edit uriworkermap.properties
✤ Set up IP Restrictions, SSL, Additional User Auth
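For the "using webserver" route, here is an added example (not from the slides or the lockdown guide) of serving the ColdFusion Administrator through Apache only on a dedicated TLS virtual host, with IP restrictions and an additional web-server login in front of CF's own login. The hostname, admin network, certificate and htpasswd paths are assumed values, and "cfusion" is assumed to be the mod_jk worker name from the default connector's workers.properties.

```apache
# Added example, not from the slides or the lockdown guide: expose
# /CFIDE/administrator through Apache only on a dedicated TLS vhost,
# restricted by source IP plus a second login. Assumed values: hostname
# cf-admin.example.com, admin network 10.0.5.0/24, certificate paths,
# htpasswd file /etc/httpd/cfadmin.htpasswd, and "cfusion" as the mod_jk
# worker name from the default connector workers.properties.

# Plain HTTP never serves the administrator: redirect everything to TLS.
<VirtualHost *:80>
    ServerName cf-admin.example.com
    Redirect permanent "/" "https://cf-admin.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName cf-admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/cf-admin.crt
    SSLCertificateKeyFile /etc/pki/tls/private/cf-admin.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Only this vhost mounts the administrator onto the CF instance. The
    # public sites' connectors keep the CF2016 default, where /CFIDE is
    # not mapped at all.
    JkMount /CFIDE/administrator/* cfusion

    <Location "/CFIDE/administrator">
        AuthType Basic
        AuthName "ColdFusion Administrator"
        AuthUserFile /etc/httpd/cfadmin.htpasswd
        # Both must hold: the request comes from the admin network AND
        # carries valid web-server credentials, before CF's login is seen.
        <RequireAll>
            Require ip 10.0.5.0/24
            Require valid-user
        </RequireAll>
    </Location>

    # Nothing else under /CFIDE is reachable on this host either.
    <LocationMatch "(?i)^/CFIDE/(?!administrator/)">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

Verify from a machine outside 10.0.5.0/24 that https://cf-admin.example.com/CFIDE/administrator/ returns 403 and that the public site vhosts still return 404 for /CFIDE/.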
41. Dedicated User Account
✤ Windows: Change Service Log On identity. Otherwise CF runs with full permission to everything.
✤ Unix: The installer allows you to specify a user to run CF as.
✤ The default nobody user is probably not the best choice as other services might share this account.
42. File System Permissions
Path           | CF User Permissions              | Web Server Identity Permissions
Your Web Root  | Read Only (additional as needed) | Read Only
CF Install Dir | Full (can be restricted further) |
/cf_scripts    | Read Only                        |
CF Connector   | Read                             | Read, Write (Logs)
43. File System Permissions
✤ /cf_scripts and other directories under the CF root can be restricted to read-only permission for the CF user to prevent runtime changes.
✤ Run the CF10-2016 hotfix installer from the command line as administrator:
✤ java -jar {coldfusion-home}\cfusion\hf-updates\hotfix_XXX.jar
44. Update JVM
✤ Update to latest supported JVM (1.8 currently for CF10-2016)
✤ Java 1.6 & 1.7 (as of 4/15) no longer supported by Oracle!
✤ Adobe recommends you run the latest supported JVM (eg 1.8.{highest number}) instead of specific version numbers.
✤ If using cfsearch or cfhtmltopdf the Add-on Services Server has its own JVM configuration file: jetty/jetty.lax
45. Sandbox Security
✤ Disable Unnecessary Risks, eg: cfexecute, cfregistry
✤ More flexible on Enterprise but still works on standard.
✤ Test before enabling.
46. Session Mechanism
Feature                              | J2EE | CF
Configure in Application.cfc         | No   | Yes
Token size configurable              | Yes  | No
Configure in web.xml                 | Yes  | No
Interoperates with J2EE applications | Yes  | No
SessionRotate                        | No   | Yes
SessionInvalidate                    | No   | Yes
(CF10-2016 / Tomcat)
48. Tomcat
✤ Shutdown port / password
✤ Changing port on windows causes CF service stop to fail.
✤ Connector settings:
✤ connector secret (have to redo when updating connector)
✤ Tomcat 7 Security Configuration Guide: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
50. ColdFusion Administrator
✤ Default ScriptSrc Directory
✤ Set up an alias so /cf_scripts/scripts/ -> /some-folder/
✤ If you don’t use cfform, cfajaxproxy, etc you can skip.
✤ If you use the builtin web server you need to configure an alias
51. ColdFusion Administrator
✤ Allowed file extensions for CFInclude tag
✤ Mitigates directory traversal / path injection that leads to a code execution attack.
✤ Comma separated list of file extensions that execute; typically can be set to just cfm