SlideShare a Scribd company logo

Locking Down CF Servers

ColdFusionConference
ColdFusionConference

This document discusses how to lock down ColdFusion servers through securing the installation, post-installation configuration, and settings in the ColdFusion Administrator. It recommends following principles of least privilege, defense in depth, and reducing the attack surface. Specific steps include installing only necessary components, disabling unneeded servlets, restricting file permissions, updating to the latest JVM, securing sessions, and locking down the ColdFusion Administrator interface. The overall goal is to grant only the minimum permissions required to operate ColdFusion securely.

1 of 47
Download to read offline
Locking Down CF Servers Pete Freitag, Foundeo Inc. foundeo.com | hackmycf.com | fuseguard.com
About Pete Freitag ✤ Owner of Foundeo Inc. ✤ HackMyCF - Remote ColdFusion Security Scanner ✤ FuseGuard - Web App Firewall for CFML ✤ Consulting - Install, Configure, Review, CFML Dev ✤ 17+ Years working with CF ✤ Author of CF9-11 Lockdown Guides, CFMX Cookbook (SAMs) ✤ blog: petefreitag.com twitter: @pfreitag slack: @foundeo
Our FocusToday ✤ Securing your ColdFusion Server Install ✤ Not covering: ✤ Hardening Your Operating System ✤ Database Security ✤ Securing your Application Source Code
Agenda ✤ Guiding Principals ✤ Installation ✤ Post Installation Lockdown ✤ ColdFusion Administrator Configuration ✤ Tomcat Configuration
Heavily Based on: ✤ Adobe ColdFusion 11 Lockdown Guide: http://bit.ly/cf11lockdown ✤ Adobe ColdFusion 10 Lockdown Guide: http://bit.ly/cf10lockdown ✤ Adobe ColdFusion 9 Lockdown Guide: http://bit.ly/cf9lockdown ✤ This talk assumes CF11, but is mostly the same for CF10 as well ✤ CF9 and below are no longer supported (no more security patches)
Why Do I need to Lockdown my install? Can't the installer do everything for me? What is secure? What tradeoffs are acceptable? (cc) http://www.flickr.com/photos/toddler/4169974226/
Principal of Least Privilege Grant only the minimum permission required to accomplish a task. (cc) http://www.flickr.com/photos/dvanzuijlekom/8279837896/in/photostream/
Defense in Depth Multiple Layers of Redundant Security. (cc) http://www.flickr.com/photos/flygraphix/4791988161/
Reduce Attack Surface
ColdFusion ASP.NET PHP DNS FTP Web Server ColdFusion Web Server vs. Reduce Attack Surface
Avoid Defaults Avoid using defaults for configurable options such as paths, usernames, etc.
Services I Like: ✤ Duo Security: Two Factor Authentication ✤ (RDP, SSH) ✤ Dome9: Cloud Firewall ✤ Easily grant temporary access to administrative ports.
Pre-Installation ✤ Lockdown and Patch OS ✤ OS Vendors have Lockdown Guides as well. ✤ https://access.redhat.com/documentation/en-US/ Red_Hat_Enterprise_Linux/6/html/Security_Guide/ ✤ Windows Security Compliance Toolkit: http:// technet.microsoft.com/en-us/library/cc677002.aspx ✤ Ensure network firewall in place. ✤ Remove all unnecessary software.
Pre-Installation ✤ Windows: Create multiple partitions OS, CF, Web Root. ✤ Limits impact of a path traversal vulnerability. ✤ Create a user account for CF to run as.
Installation
Installation Install only necessary subcomponents
Installation Disable unneeded Servlets
Installation
Installation
Installation
Installation
Installation
Post-Install ✤ Install any/all CF security hotfixes and updates. ✤ Install / Update Web Server connectors ✤ Configure administrator settings.
Accessing CF Administrator ✤ Setup webserver (IIS / Apache) ✤ IP Restrictions, SSL, Additional User Auth ✤ or Use Builtin Web Server
Using BuiltinWeb Server ✤ Pro: Easy /CFIDE block ✤ Con: Harder to configure SSL, Virtual Directories, IP Restrictions ✤ Works well if using RDP to access from localhost, or setting up ssh tunneling on unix ✤ If you need to access from public network, create a dedicated site, use SSL, IP restrictions, etc.
Block /CFIDE ✤ If possible block all CFIDE ✤ If partially required block everything else. ✤ Block server wide, not by virtual host ✤ Always Restrict: ✤ /CFIDE/administrator ✤ /CFIDE/adminapi ✤ CF11 no longer has /CFIDE/GraphData.cfm
X Red = Should be blocked Orange = Block if possible Yellow = Low risk but can be blocked
Apache ✤ RedirectMatch 404 (?i).*/CFIDE.* ✤ <LocationMatch "(?i).*/CFIDE">
IIS Request Filtering ✤ Block or whitelist URIs ✤ Block or whitelist by file extension ✤ Block or whitelist HTTP verbs ✤ Request Limits ✤ Content Length ✤ URL Length ✤ Query String Length
IIS Request Filtering
Application Pool Defaults
Block unused servlet mappings ✤ /cfform-gateway ✤ /cfform-internal ✤ /rest ✤ /CFIDE/main/rds.cfm ✤ /CFIDE/GraphData.cfm (cfchart on CF10) ✤ /WSRPProducer ✤ /CFFileServlet ✤ /CFFormGateway ✤ /flashservices/gateway ✤ /flex2gateway ✤ See web.xml
Restrict File Extensions ✤ By Folder (user upload directories): ✤ Eg: Restrict folder to serve only jpg, png, gif files. ✤ Can be done globally or on site specific as well ✤ The /jakarta virtual directory needs dll extension
Dedicated User Account ✤ Windows: Change Service Log On identity. Otherwise CF runs with full permission to everything. ✤ Unix: The installer allows you to specify a user to run CF as. ✤ The default nobody user is probably not the best choice as other services might share this account.
File System Permissions Path CF User Permissions Web Server User Permissions Web Root Read Only Additional as needed
 Read Only CF Root Full Can be restricted further /CFIDE CF Connector Read Read Write (Logs)

File System Permissions ✤ /CFIDE and other directories under CF root can be restricted read only permission by the cf user to prevent runtime change. ✤ Run CF10/CF11 hotfix installer from command line as administrator. ✤ java -jar {coldfusion-home}cfusionhf-updateshotfix_XXX.jar
Update JVM ✤ Update to latest supported JVM (1.8 currently for CF10-11) ✤ Java 1.6 & 1.7 (as of 4/15) no longer supported by Oracle! ✤ Adobe recommends you run the latest supported JVM (eg 1.8. {highest number}) instead of specific version numbers.
Sandbox Security ✤ Disable Unnecessary Risks, eg: cfexecute, cfregistry ✤ More flexible on Enterprise but still works on standard.
Session Mechanism Feature J2EE CF Configure in Application.cfc No Yes Token size configurable Yes No Configure in web.xml Yes No Interoperates with J2EE applications Yes No SessionRotate No Yes SessionInvalidate No Yes CF10-11/tomcat
web.xml Servlet Mappings
Tomcat ✤ Shutdown port / password ✤ Changing port on windows causes CF service stop to fail. ✤ Connector settings: ✤ connector secret (have to redo when updating connector) ✤ Tomcat 7 Security Configuration Guide: http://tomcat.apache.org/ tomcat-7.0-doc/security-howto.html
ColdFusion Administrator
ColdFusion Administrator ✤ Default ScriptSrc Directory ✤ Setup an alias so /CFIDE/scripts/ -> /some-folder/ ✤ Allows you to block /CFIDE ✤ If you don’t use cfform, cfajaxproxy, etc you can skip. ✤ If you use the builtin web server you need to configure an alias
ColdFusion Administrator ✤ Allowed file extensions for CFInclude tag ✤ Mitigates directory traversal / path injection that leads to code execution attack. ✤ Comma separated list of file extensions that execute, typically can be set to just cfm
ColdFusion Administrator Additional Settings
AdditionalTools ✤ HackMyCF ✤ FuseGuard ✤ CF Unofficial Updater (CF9 and below)
Questions? foundeo.com | hackmycf.com | fuseguard.com

Recommended

Keep Applications Online
Keep Applications OnlineKeep Applications Online
Keep Applications Online
ColdFusionConference
 
ColdFusion builder plugins
ColdFusion builder pluginsColdFusion builder plugins
ColdFusion builder plugins
ColdFusionConference
 
Realtime with-websockets-2015
Realtime with-websockets-2015Realtime with-websockets-2015
Realtime with-websockets-2015
ColdFusionConference
 
Hidden gems in cf2016
Hidden gems in cf2016Hidden gems in cf2016
Hidden gems in cf2016
ColdFusionConference
 
Command box
Command boxCommand box
Command box
ColdFusionConference
 
10 common cf server challenges
10 common cf server challenges10 common cf server challenges
10 common cf server challenges
ColdFusionConference
 
Realtime with websockets
Realtime with websocketsRealtime with websockets
Realtime with websockets
ColdFusionConference
 
Instant ColdFusion with Vagrant
Instant ColdFusion with VagrantInstant ColdFusion with Vagrant
Instant ColdFusion with Vagrant
ColdFusionConference
 

Recommended

Keep Applications Online
Keep Applications OnlineKeep Applications Online
Keep Applications Online
ColdFusionConference
 
ColdFusion builder plugins
ColdFusion builder pluginsColdFusion builder plugins
ColdFusion builder plugins
ColdFusionConference
 
Realtime with-websockets-2015
Realtime with-websockets-2015Realtime with-websockets-2015
Realtime with-websockets-2015
ColdFusionConference
 
Hidden gems in cf2016
Hidden gems in cf2016Hidden gems in cf2016
Hidden gems in cf2016
ColdFusionConference
 
Command box
Command boxCommand box
Command box
ColdFusionConference
 
10 common cf server challenges
10 common cf server challenges10 common cf server challenges
10 common cf server challenges
ColdFusionConference
 
Realtime with websockets
Realtime with websocketsRealtime with websockets
Realtime with websockets
ColdFusionConference
 
Instant ColdFusion with Vagrant
Instant ColdFusion with VagrantInstant ColdFusion with Vagrant
Instant ColdFusion with Vagrant
ColdFusionConference
 
Securing applications
Securing applicationsSecuring applications
Securing applications
ColdFusionConference
 
Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016
ColdFusionConference
 
Super Fast Application development with Mura CMS
Super Fast Application development with Mura CMSSuper Fast Application development with Mura CMS
Super Fast Application development with Mura CMS
ColdFusionConference
 
Locking Down CF Servers
Locking Down CF ServersLocking Down CF Servers
Locking Down CF Servers
ColdFusionConference
 
Load Balancing, Failover and Scalability with ColdFusion
Load Balancing, Failover and Scalability with ColdFusionLoad Balancing, Failover and Scalability with ColdFusion
Load Balancing, Failover and Scalability with ColdFusion
ColdFusionConference
 
Cfml features modern_coding
Cfml features modern_codingCfml features modern_coding
Cfml features modern_codingColdFusionConference
 
Restful API's with ColdFusion
Restful API's with ColdFusionRestful API's with ColdFusion
Restful API's with ColdFusion
ColdFusionConference
 
Scale ColdFusion with Terracotta Distributed Caching for Ehchache
Scale ColdFusion with Terracotta Distributed Caching for EhchacheScale ColdFusion with Terracotta Distributed Caching for Ehchache
Scale ColdFusion with Terracotta Distributed Caching for Ehchache
ColdFusionConference
 
My Database Skills Killed the Server
My Database Skills Killed the ServerMy Database Skills Killed the Server
My Database Skills Killed the Server
ColdFusionConference
 
Dev objective2015 lets git together
Dev objective2015 lets git togetherDev objective2015 lets git together
Dev objective2015 lets git together
ColdFusionConference
 
10 Reasons ColdFusion PDFs should rule the world
10 Reasons ColdFusion PDFs should rule the world10 Reasons ColdFusion PDFs should rule the world
10 Reasons ColdFusion PDFs should rule the world
ColdFusionConference
 
Workflows and Digital Signatures
Workflows and Digital SignaturesWorkflows and Digital Signatures
Workflows and Digital Signatures
ColdFusionConference
 
Can you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouCan you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and You
ColdFusionConference
 
Hidden Gems in ColdFusion 2016
Hidden Gems in ColdFusion 2016Hidden Gems in ColdFusion 2016
Hidden Gems in ColdFusion 2016
ColdFusionConference
 
In The Trenches With Tomster, Upgrading Ember.js & Ember Data
In The Trenches With Tomster, Upgrading Ember.js & Ember DataIn The Trenches With Tomster, Upgrading Ember.js & Ember Data
In The Trenches With Tomster, Upgrading Ember.js & Ember Data
Stacy London
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
ColdFusionConference
 
Php Performance On Windows
Php Performance On WindowsPhp Performance On Windows
Php Performance On Windows
ruslany
 
PHP Enhancement with Windows Server 2008
PHP Enhancement with Windows Server 2008PHP Enhancement with Windows Server 2008
PHP Enhancement with Windows Server 2008Krit Kamtuo
 
Migration to ColdFusion 11 – making it seamless and easy anit
Migration to ColdFusion 11 – making it seamless and easy anitMigration to ColdFusion 11 – making it seamless and easy anit
Migration to ColdFusion 11 – making it seamless and easy anit
ColdFusionConference
 
Expand Your ColdFusion App Power with AWS
Expand Your ColdFusion App Power with AWSExpand Your ColdFusion App Power with AWS
Expand Your ColdFusion App Power with AWS
ColdFusionConference
 
Cf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusionCf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusion
mcollinsCF
 
Websockets
WebsocketsWebsockets
Websockets
Billy Cravens
 

More Related Content

What's hot

Securing applications
Securing applicationsSecuring applications
Securing applications
ColdFusionConference
 
Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016
ColdFusionConference
 
Super Fast Application development with Mura CMS
Super Fast Application development with Mura CMSSuper Fast Application development with Mura CMS
Super Fast Application development with Mura CMS
ColdFusionConference
 
Locking Down CF Servers
Locking Down CF ServersLocking Down CF Servers
Locking Down CF Servers
ColdFusionConference
 
Load Balancing, Failover and Scalability with ColdFusion
Load Balancing, Failover and Scalability with ColdFusionLoad Balancing, Failover and Scalability with ColdFusion
Load Balancing, Failover and Scalability with ColdFusion
ColdFusionConference
 
Restful API's with ColdFusion
Restful API's with ColdFusionRestful API's with ColdFusion
Restful API's with ColdFusion
ColdFusionConference
 
Scale ColdFusion with Terracotta Distributed Caching for Ehchache
Scale ColdFusion with Terracotta Distributed Caching for EhchacheScale ColdFusion with Terracotta Distributed Caching for Ehchache
Scale ColdFusion with Terracotta Distributed Caching for Ehchache
ColdFusionConference
 
My Database Skills Killed the Server
My Database Skills Killed the ServerMy Database Skills Killed the Server
My Database Skills Killed the Server
ColdFusionConference
 
Dev objective2015 lets git together
Dev objective2015 lets git togetherDev objective2015 lets git together
Dev objective2015 lets git together
ColdFusionConference
 
10 Reasons ColdFusion PDFs should rule the world
10 Reasons ColdFusion PDFs should rule the world10 Reasons ColdFusion PDFs should rule the world
10 Reasons ColdFusion PDFs should rule the world
ColdFusionConference
 
Workflows and Digital Signatures
Workflows and Digital SignaturesWorkflows and Digital Signatures
Workflows and Digital Signatures
ColdFusionConference
 
Can you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouCan you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and You
ColdFusionConference
 
Hidden Gems in ColdFusion 2016
Hidden Gems in ColdFusion 2016Hidden Gems in ColdFusion 2016
Hidden Gems in ColdFusion 2016
ColdFusionConference
 
In The Trenches With Tomster, Upgrading Ember.js & Ember Data
In The Trenches With Tomster, Upgrading Ember.js & Ember DataIn The Trenches With Tomster, Upgrading Ember.js & Ember Data
In The Trenches With Tomster, Upgrading Ember.js & Ember Data
Stacy London
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
ColdFusionConference
 
Php Performance On Windows
Php Performance On WindowsPhp Performance On Windows
Php Performance On Windows
ruslany
 
PHP Enhancement with Windows Server 2008
PHP Enhancement with Windows Server 2008PHP Enhancement with Windows Server 2008
PHP Enhancement with Windows Server 2008Krit Kamtuo
 
Migration to ColdFusion 11 – making it seamless and easy anit
Migration to ColdFusion 11 – making it seamless and easy anitMigration to ColdFusion 11 – making it seamless and easy anit
Migration to ColdFusion 11 – making it seamless and easy anit
ColdFusionConference
 
Expand Your ColdFusion App Power with AWS
Expand Your ColdFusion App Power with AWSExpand Your ColdFusion App Power with AWS
Expand Your ColdFusion App Power with AWS
ColdFusionConference
 

What's hot (20)

Securing applications
Securing applicationsSecuring applications
Securing applications
 
Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016Become a Security Rockstar with ColdFusion 2016
Become a Security Rockstar with ColdFusion 2016
 
Super Fast Application development with Mura CMS
Super Fast Application development with Mura CMSSuper Fast Application development with Mura CMS
Super Fast Application development with Mura CMS
 
Locking Down CF Servers
Locking Down CF ServersLocking Down CF Servers
Locking Down CF Servers
 
Load Balancing, Failover and Scalability with ColdFusion
Load Balancing, Failover and Scalability with ColdFusionLoad Balancing, Failover and Scalability with ColdFusion
Load Balancing, Failover and Scalability with ColdFusion
 
Cfml features modern_coding
Cfml features modern_codingCfml features modern_coding
Cfml features modern_coding
 
Restful API's with ColdFusion
Restful API's with ColdFusionRestful API's with ColdFusion
Restful API's with ColdFusion
 
Scale ColdFusion with Terracotta Distributed Caching for Ehchache
Scale ColdFusion with Terracotta Distributed Caching for EhchacheScale ColdFusion with Terracotta Distributed Caching for Ehchache
Scale ColdFusion with Terracotta Distributed Caching for Ehchache
 
My Database Skills Killed the Server
My Database Skills Killed the ServerMy Database Skills Killed the Server
My Database Skills Killed the Server
 
Dev objective2015 lets git together
Dev objective2015 lets git togetherDev objective2015 lets git together
Dev objective2015 lets git together
 
10 Reasons ColdFusion PDFs should rule the world
10 Reasons ColdFusion PDFs should rule the world10 Reasons ColdFusion PDFs should rule the world
10 Reasons ColdFusion PDFs should rule the world
 
Workflows and Digital Signatures
Workflows and Digital SignaturesWorkflows and Digital Signatures
Workflows and Digital Signatures
 
Can you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouCan you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and You
 
Hidden Gems in ColdFusion 2016
Hidden Gems in ColdFusion 2016Hidden Gems in ColdFusion 2016
Hidden Gems in ColdFusion 2016
 
In The Trenches With Tomster, Upgrading Ember.js & Ember Data
In The Trenches With Tomster, Upgrading Ember.js & Ember DataIn The Trenches With Tomster, Upgrading Ember.js & Ember Data
In The Trenches With Tomster, Upgrading Ember.js & Ember Data
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
Php Performance On Windows
Php Performance On WindowsPhp Performance On Windows
Php Performance On Windows
 
PHP Enhancement with Windows Server 2008
PHP Enhancement with Windows Server 2008PHP Enhancement with Windows Server 2008
PHP Enhancement with Windows Server 2008
 
Migration to ColdFusion 11 – making it seamless and easy anit
Migration to ColdFusion 11 – making it seamless and easy anitMigration to ColdFusion 11 – making it seamless and easy anit
Migration to ColdFusion 11 – making it seamless and easy anit
 
Expand Your ColdFusion App Power with AWS
Expand Your ColdFusion App Power with AWSExpand Your ColdFusion App Power with AWS
Expand Your ColdFusion App Power with AWS
 

Similar to Locking Down CF Servers

Cf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusionCf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusion
mcollinsCF
 
Websockets
WebsocketsWebsockets
Websockets
Billy Cravens
 
Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet
Config Management Camp 2015 - How to Deploy CFEngine in the Open InternetConfig Management Camp 2015 - How to Deploy CFEngine in the Open Internet
Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet
CFEngine
 
Cold fusion Security-How to Secure Coldfusion Server
Cold fusion Security-How to Secure Coldfusion ServerCold fusion Security-How to Secure Coldfusion Server
Cold fusion Security-How to Secure Coldfusion Server
Mindfire Solutions
 
Setting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusionSetting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusion
Gavin Pickin
 
HCL Sametime V11 installation - tips
HCL Sametime V11 installation - tipsHCL Sametime V11 installation - tips
HCL Sametime V11 installation - tips
Ales Lichtenberg
 
"Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment""Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment"webhostingguy
 
How to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your websiteHow to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your website
Vu Long Tran
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
2014 cf summit_clustering
2014 cf summit_clustering2014 cf summit_clustering
2014 cf summit_clustering
ColdFusionConference
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
Valent Mustamin
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser Caching
Andrew Khoury
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
Men and Mice
 
The app server, web server and everything in between
The app server, web server and everything in betweenThe app server, web server and everything in between
The app server, web server and everything in betweenColdFusionConference
 
PHP and FastCGI Performance Optimizations
PHP and FastCGI Performance OptimizationsPHP and FastCGI Performance Optimizations
PHP and FastCGI Performance Optimizations
Alessandro Pilotti
 
Webinar Slides: New Tungsten Dashboard - Overview, Installation and Architecture
Webinar Slides: New Tungsten Dashboard - Overview, Installation and ArchitectureWebinar Slides: New Tungsten Dashboard - Overview, Installation and Architecture
Webinar Slides: New Tungsten Dashboard - Overview, Installation and Architecture
Continuent
 
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...
Continuent
 

Similar to Locking Down CF Servers (20)

Cf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusionCf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusion
 
Websockets
WebsocketsWebsockets
Websockets
 
Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet
Config Management Camp 2015 - How to Deploy CFEngine in the Open InternetConfig Management Camp 2015 - How to Deploy CFEngine in the Open Internet
Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet
 
Cold fusion Security-How to Secure Coldfusion Server
Cold fusion Security-How to Secure Coldfusion ServerCold fusion Security-How to Secure Coldfusion Server
Cold fusion Security-How to Secure Coldfusion Server
 
Setting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusionSetting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusion
 
HCL Sametime V11 installation - tips
HCL Sametime V11 installation - tipsHCL Sametime V11 installation - tips
HCL Sametime V11 installation - tips
 
"Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment""Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment"
 
How to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your websiteHow to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your website
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
It pro toronto 2013
It pro toronto 2013It pro toronto 2013
It pro toronto 2013
 
2014 cf summit_clustering
2014 cf summit_clustering2014 cf summit_clustering
2014 cf summit_clustering
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser Caching
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
The app server, web server and everything in between
The app server, web server and everything in betweenThe app server, web server and everything in between
The app server, web server and everything in between
 
PHP and FastCGI Performance Optimizations
PHP and FastCGI Performance OptimizationsPHP and FastCGI Performance Optimizations
PHP and FastCGI Performance Optimizations
 
Webinar Slides: New Tungsten Dashboard - Overview, Installation and Architecture
Webinar Slides: New Tungsten Dashboard - Overview, Installation and ArchitectureWebinar Slides: New Tungsten Dashboard - Overview, Installation and Architecture
Webinar Slides: New Tungsten Dashboard - Overview, Installation and Architecture
 
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...
 

More from ColdFusionConference

Api manager preconference
Api manager preconferenceApi manager preconference
Api manager preconference
ColdFusionConference
 
Cf ppt vsr
Cf ppt vsrCf ppt vsr
Cf ppt vsr
ColdFusionConference
 
Building better SQL Server Databases
Building better SQL Server DatabasesBuilding better SQL Server Databases
Building better SQL Server Databases
ColdFusionConference
 
API Economy, Realizing the Business Value of APIs
API Economy, Realizing the Business Value of APIsAPI Economy, Realizing the Business Value of APIs
API Economy, Realizing the Business Value of APIs
ColdFusionConference
 
Don't just pdf, Smart PDF
Don't just pdf, Smart PDFDon't just pdf, Smart PDF
Don't just pdf, Smart PDF
ColdFusionConference
 
Crafting ColdFusion Applications like an Architect
Crafting ColdFusion Applications like an ArchitectCrafting ColdFusion Applications like an Architect
Crafting ColdFusion Applications like an Architect
ColdFusionConference
 
Security And Access Control For APIS using CF API Manager
Security And Access Control For APIS using CF API ManagerSecurity And Access Control For APIS using CF API Manager
Security And Access Control For APIS using CF API Manager
ColdFusionConference
 
Monetizing Business Models: ColdFusion and APIS
Monetizing Business Models: ColdFusion and APISMonetizing Business Models: ColdFusion and APIS
Monetizing Business Models: ColdFusion and APIS
ColdFusionConference
 
ColdFusion in Transit action
ColdFusion in Transit actionColdFusion in Transit action
ColdFusion in Transit action
ColdFusionConference
 
Developer Insights for Application Upgrade to ColdFusion 2016
Developer Insights for Application Upgrade to ColdFusion 2016Developer Insights for Application Upgrade to ColdFusion 2016
Developer Insights for Application Upgrade to ColdFusion 2016
ColdFusionConference
 
Where is cold fusion headed
Where is cold fusion headedWhere is cold fusion headed
Where is cold fusion headed
ColdFusionConference
 
ColdFusion Keynote: Building the Agile Web Since 1995
ColdFusion Keynote: Building the Agile Web Since 1995ColdFusion Keynote: Building the Agile Web Since 1995
ColdFusion Keynote: Building the Agile Web Since 1995
ColdFusionConference
 
Instant ColdFusion with Vagrant
Instant ColdFusion with VagrantInstant ColdFusion with Vagrant
Instant ColdFusion with Vagrant
ColdFusionConference
 
Restful services with ColdFusion
Restful services with ColdFusionRestful services with ColdFusion
Restful services with ColdFusion
ColdFusionConference
 
Build your own secure and real-time dashboard for mobile and web
Build your own secure and real-time dashboard for mobile and webBuild your own secure and real-time dashboard for mobile and web
Build your own secure and real-time dashboard for mobile and web
ColdFusionConference
 
Why Everyone else writes bad code
Why Everyone else writes bad codeWhy Everyone else writes bad code
Why Everyone else writes bad code
ColdFusionConference
 
Testing automaton
Testing automatonTesting automaton
Testing automaton
ColdFusionConference
 
Rest ful tools for lazy experts
Rest ful tools for lazy expertsRest ful tools for lazy experts
Rest ful tools for lazy experts
ColdFusionConference
 
Herding cats managing ColdFusion servers with commandbox
Herding cats managing ColdFusion servers with commandboxHerding cats managing ColdFusion servers with commandbox
Herding cats managing ColdFusion servers with commandbox
ColdFusionConference
 
Everyones invited! Meet accesibility requirements with ColdFusion
Everyones invited! Meet accesibility requirements with ColdFusionEveryones invited! Meet accesibility requirements with ColdFusion
Everyones invited! Meet accesibility requirements with ColdFusion
ColdFusionConference
 

More from ColdFusionConference (20)

Api manager preconference
Api manager preconferenceApi manager preconference
Api manager preconference
 
Cf ppt vsr
Cf ppt vsrCf ppt vsr
Cf ppt vsr
 
Building better SQL Server Databases
Building better SQL Server DatabasesBuilding better SQL Server Databases
Building better SQL Server Databases
 
API Economy, Realizing the Business Value of APIs
API Economy, Realizing the Business Value of APIsAPI Economy, Realizing the Business Value of APIs
API Economy, Realizing the Business Value of APIs
 
Don't just pdf, Smart PDF
Don't just pdf, Smart PDFDon't just pdf, Smart PDF
Don't just pdf, Smart PDF
 
Crafting ColdFusion Applications like an Architect
Crafting ColdFusion Applications like an ArchitectCrafting ColdFusion Applications like an Architect
Crafting ColdFusion Applications like an Architect
 
Security And Access Control For APIS using CF API Manager
Security And Access Control For APIS using CF API ManagerSecurity And Access Control For APIS using CF API Manager
Security And Access Control For APIS using CF API Manager
 
Monetizing Business Models: ColdFusion and APIS
Monetizing Business Models: ColdFusion and APISMonetizing Business Models: ColdFusion and APIS
Monetizing Business Models: ColdFusion and APIS
 
ColdFusion in Transit action
ColdFusion in Transit actionColdFusion in Transit action
ColdFusion in Transit action
 
Developer Insights for Application Upgrade to ColdFusion 2016
Developer Insights for Application Upgrade to ColdFusion 2016Developer Insights for Application Upgrade to ColdFusion 2016
Developer Insights for Application Upgrade to ColdFusion 2016
 
Where is cold fusion headed
Where is cold fusion headedWhere is cold fusion headed
Where is cold fusion headed
 
ColdFusion Keynote: Building the Agile Web Since 1995
ColdFusion Keynote: Building the Agile Web Since 1995ColdFusion Keynote: Building the Agile Web Since 1995
ColdFusion Keynote: Building the Agile Web Since 1995
 
Instant ColdFusion with Vagrant
Instant ColdFusion with VagrantInstant ColdFusion with Vagrant
Instant ColdFusion with Vagrant
 
Restful services with ColdFusion
Restful services with ColdFusionRestful services with ColdFusion
Restful services with ColdFusion
 
Build your own secure and real-time dashboard for mobile and web
Build your own secure and real-time dashboard for mobile and webBuild your own secure and real-time dashboard for mobile and web
Build your own secure and real-time dashboard for mobile and web
 
Why Everyone else writes bad code
Why Everyone else writes bad codeWhy Everyone else writes bad code
Why Everyone else writes bad code
 
Testing automaton
Testing automatonTesting automaton
Testing automaton
 
Rest ful tools for lazy experts
Rest ful tools for lazy expertsRest ful tools for lazy experts
Rest ful tools for lazy experts
 
Herding cats managing ColdFusion servers with commandbox
Herding cats managing ColdFusion servers with commandboxHerding cats managing ColdFusion servers with commandbox
Herding cats managing ColdFusion servers with commandbox
 
Everyones invited! Meet accesibility requirements with ColdFusion
Everyones invited! Meet accesibility requirements with ColdFusionEveryones invited! Meet accesibility requirements with ColdFusion
Everyones invited! Meet accesibility requirements with ColdFusion
 

Recently uploaded

How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 

Recently uploaded (20)

How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 

Locking Down CF Servers

  • 1. Locking Down CF Servers Pete Freitag, Foundeo Inc. foundeo.com | hackmycf.com | fuseguard.com
  • 2. About Pete Freitag ✤ Owner of Foundeo Inc. ✤ HackMyCF - Remote ColdFusion Security Scanner ✤ FuseGuard - Web App Firewall for CFML ✤ Consulting - Install, Configure, Review, CFML Dev ✤ 17+ Years working with CF ✤ Author of CF9-11 Lockdown Guides, CFMX Cookbook (SAMs) ✤ blog: petefreitag.com twitter: @pfreitag slack: @foundeo
  • 3. Our FocusToday ✤ Securing your ColdFusion Server Install ✤ Not covering: ✤ Hardening Your Operating System ✤ Database Security ✤ Securing your Application Source Code
  • 4. Agenda ✤ Guiding Principals ✤ Installation ✤ Post Installation Lockdown ✤ ColdFusion Administrator Configuration ✤ Tomcat Configuration
  • 5. Heavily Based on: ✤ Adobe ColdFusion 11 Lockdown Guide: http://bit.ly/cf11lockdown ✤ Adobe ColdFusion 10 Lockdown Guide: http://bit.ly/cf10lockdown ✤ Adobe ColdFusion 9 Lockdown Guide: http://bit.ly/cf9lockdown ✤ This talk assumes CF11, but is mostly the same for CF10 as well ✤ CF9 and below are no longer supported (no more security patches)
  • 6. Why Do I need to Lockdown my install? Can't the installer do everything for me? What is secure? What tradeoffs are acceptable? (cc) http://www.flickr.com/photos/toddler/4169974226/
  • 7. Principal of Least Privilege Grant only the minimum permission required to accomplish a task. (cc) http://www.flickr.com/photos/dvanzuijlekom/8279837896/in/photostream/
  • 8. Defense in Depth Multiple Layers of Redundant Security. (cc) http://www.flickr.com/photos/flygraphix/4791988161/
  • 11. Avoid Defaults Avoid using defaults for configurable options such as paths, usernames, etc.
  • 12. Services I Like: ✤ Duo Security: Two Factor Authentication ✤ (RDP, SSH) ✤ Dome9: Cloud Firewall ✤ Easily grant temporary access to administrative ports.
  • 13. Pre-Installation ✤ Lockdown and Patch OS ✤ OS Vendors have Lockdown Guides as well. ✤ https://access.redhat.com/documentation/en-US/ Red_Hat_Enterprise_Linux/6/html/Security_Guide/ ✤ Windows Security Compliance Toolkit: http:// technet.microsoft.com/en-us/library/cc677002.aspx ✤ Ensure network firewall in place. ✤ Remove all unnecessary software.
  • 14. Pre-Installation ✤ Windows: Create multiple partitions OS, CF, Web Root. ✤ Limits impact of a path traversal vulnerability. ✤ Create a user account for CF to run as.
  • 23. Post-Install ✤ Install any/all CF security hotfixes and updates. ✤ Install / Update Web Server connectors ✤ Configure administrator settings.
  • 24. Accessing CF Administrator ✤ Setup webserver (IIS / Apache) ✤ IP Restrictions, SSL, Additional User Auth ✤ or Use Builtin Web Server
  • 25. Using BuiltinWeb Server ✤ Pro: Easy /CFIDE block ✤ Con: Harder to configure SSL, Virtual Directories, IP Restrictions ✤ Works well if using RDP to access from localhost, or setting up ssh tunneling on unix ✤ If you need to access from public network, create a dedicated site, use SSL, IP restrictions, etc.
  • 26. Block /CFIDE ✤ If possible block all CFIDE ✤ If partially required block everything else. ✤ Block server wide, not by virtual host ✤ Always Restrict: ✤ /CFIDE/administrator ✤ /CFIDE/adminapi ✤ CF11 no longer has /CFIDE/GraphData.cfm
  • 27. X Red = Should be blocked Orange = Block if possible Yellow = Low risk but can be blocked
  • 28. Apache ✤ RedirectMatch 404 (?i).*/CFIDE.* ✤ <LocationMatch "(?i).*/CFIDE">
  • 29. IIS Request Filtering ✤ Block or whitelist URIs ✤ Block or whitelist by file extension ✤ Block or whitelist HTTP verbs ✤ Request Limits ✤ Content Length ✤ URL Length ✤ Query String Length
  • 32. Block unused servlet mappings ✤ /cfform-gateway ✤ /cfform-internal ✤ /rest ✤ /CFIDE/main/rds.cfm ✤ /CFIDE/GraphData.cfm (cfchart on CF10) ✤ /WSRPProducer ✤ /CFFileServlet ✤ /CFFormGateway ✤ /flashservices/gateway ✤ /flex2gateway ✤ See web.xml
  • 33. Restrict File Extensions ✤ By Folder (user upload directories): ✤ Eg: Restrict folder to serve only jpg, png, gif files. ✤ Can be done globally or on site specific as well ✤ The /jakarta virtual directory needs dll extension
  • 34. Dedicated User Account ✤ Windows: Change Service Log On identity. Otherwise CF runs with full permission to everything. ✤ Unix: The installer allows you to specify a user to run CF as. ✤ The default nobody user is probably not the best choice as other services might share this account.
  • 35. File System Permissions Path CF User Permissions Web Server User Permissions Web Root Read Only Additional as needed
 Read Only CF Root Full Can be restricted further /CFIDE CF Connector Read Read Write (Logs)

  • 36. File System Permissions ✤ /CFIDE and other directories under CF root can be restricted read only permission by the cf user to prevent runtime change. ✤ Run CF10/CF11 hotfix installer from command line as administrator. ✤ java -jar {coldfusion-home}cfusionhf-updateshotfix_XXX.jar
  • 37. Update JVM ✤ Update to latest supported JVM (1.8 currently for CF10-11) ✤ Java 1.6 & 1.7 (as of 4/15) no longer supported by Oracle! ✤ Adobe recommends you run the latest supported JVM (eg 1.8. {highest number}) instead of specific version numbers.
  • 38. Sandbox Security ✤ Disable Unnecessary Risks, eg: cfexecute, cfregistry ✤ More flexible on Enterprise but still works on standard.
  • 39. Session Mechanism Feature J2EE CF Configure in Application.cfc No Yes Token size configurable Yes No Configure in web.xml Yes No Interoperates with J2EE applications Yes No SessionRotate No Yes SessionInvalidate No Yes CF10-11/tomcat
  • 41. Tomcat ✤ Shutdown port / password ✤ Changing port on windows causes CF service stop to fail. ✤ Connector settings: ✤ connector secret (have to redo when updating connector) ✤ Tomcat 7 Security Configuration Guide: http://tomcat.apache.org/ tomcat-7.0-doc/security-howto.html
  • 43. ColdFusion Administrator ✤ Default ScriptSrc Directory ✤ Setup an alias so /CFIDE/scripts/ -> /some-folder/ ✤ Allows you to block /CFIDE ✤ If you don’t use cfform, cfajaxproxy, etc you can skip. ✤ If you use the builtin web server you need to configure an alias
  • 44. ColdFusion Administrator ✤ Allowed file extensions for CFInclude tag ✤ Mitigates directory traversal / path injection that leads to code execution attack. ✤ Comma separated list of file extensions that execute, typically can be set to just cfm
  • 46. AdditionalTools ✤ HackMyCF ✤ FuseGuard ✤ CF Unofficial Updater (CF9 and below)