Administrators often wonder what exactly has to be configured to make a server release-ready and secure. There are many guidelines and recommendation documents out there.
With ColdFusion 10, an option to enable the Secure Profile is offered at installation time. It is recommended for production or public-facing servers. When selected, it enforces a number of security-related configurations, leaving fewer settings for the administrator to harden by hand.
If Secure Profile is chosen at installation time, the following settings are affected:
1. Separate username and password settings are enabled for the Administrator and RDS.
2. The RDS service is disabled.
3. A list of IP addresses that should have access to the Administrator is requested.
4. A strong and complex password for the root admin user is mandatory.
5. Directory browsing is disabled on the server.
6. Custom error templates that reveal the least information are used.
7. All debugging is disabled.
8. For a new data source, the default allowed SQL is select, insert, update, delete.

Below is a list of some more server-level settings that are affected.
Administrator settings affected by enabling Secure Profile:

| # | Administrator Setting | Path | Default Admin Profile | Secure Profile | Changes to the setting |
|---|---|---|---|---|---|
| 1 | Use UUID for cftoken | Server Settings > Settings | Enabled | Enabled | Overwritten |
| 2 | Disable access to internal ColdFusion Java components | Server Settings > Settings | Disabled | Enabled | Overwritten |
| 3 | Enable Global Script Protection | Server Settings > Settings | Enabled | Enabled | Overwritten |
| 4 | Maximum size of post data | Server Settings > Settings | 20MB | 20MB | Overwritten |
| 5 | Missing Template Handler | Server Settings > Settings | no value | Custom missing error template | Retained if specified |
| 6 | Site-wide Error Handler | Server Settings > Settings | no value | Custom site-wide error template | Retained if specified |
| 7 | Request Queue Timeout Page | Server Settings > Request Tuning | no value | Custom error template | Retained if specified |
| 8 | Cookie Timeout | Server Settings > Memory Variables | 15767000 minutes | 1440 minutes | N/A |
| 9 | Disable updating of ColdFusion internal cookies using ColdFusion tags/functions | Server Settings > Memory Variables | Disabled | Enabled | N/A |
| 10 | Enable WebSocket Server | Server Settings > WebSocket | Enabled | Disabled | N/A |
| 11 | Start Flash Policy Server | Server Settings > WebSocket | Enabled | Disabled | N/A |
| 12 | Allowed SQL (all settings) | Data & Services > Data Sources > <database> > Advanced Settings | Enabled | Create, Drop, Alter, Grant, Revoke, Stored Procedures are disabled | Retained if specified |
| 13 | Enable Robust Exception Information | Debugging & Logging > Debug Output Settings | Disabled | Disabled | Overwritten |
| 14 | Enable CFSTAT | Debugging & Logging > Debug Output Settings | Enabled | Disabled | Overwritten |
| 15 | Administrator authentication | Security > Administrator | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A |
| 16 | Enable RDS Service | Security > RDS | Configurable at install time | Disabled | N/A |
| 17 | RDS authentication | Security > RDS | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A |
| 18 | Allowed IP addresses for ColdFusion Administrator access | Security > Allowed IP Addresses | Not available at install time | Available at install time | N/A |
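As an added example (not code from the original post or from Adobe), the table above encoded as a small audit that reports where a server's Administrator settings still differ from the Secure Profile. The setting names, the sample server values and the `appdb` data source are constructed for illustration; a real audit would read them from the Administrator or its configuration files.

```python
# Secure Profile targets taken from the table above. "exact": the profile
# overwrites the value; "max": the profile lowers it to this ceiling;
# "retained": an admin-supplied value is kept, otherwise the profile's template applies.
SECURE_PROFILE = {
    "Use UUID for cftoken": ("exact", True),
    "Disable access to internal ColdFusion Java components": ("exact", True),
    "Enable Global Script Protection": ("exact", True),
    "Maximum size of post data (MB)": ("max", 20),
    "Missing Template Handler": ("retained", "custom missing error template"),
    "Site-wide Error Handler": ("retained", "custom site-wide error template"),
    "Request Queue Timeout Page": ("retained", "custom error template"),
    "Cookie Timeout (minutes)": ("max", 1440),
    "Disable updating of ColdFusion internal cookies": ("exact", True),
    "Enable WebSocket Server": ("exact", False),
    "Start Flash Policy Server": ("exact", False),
    "Enable Robust Exception Information": ("exact", False),
    "Enable CFSTAT": ("exact", False),
    "Enable RDS Service": ("exact", False),
}
# SQL operations the Secure Profile disables on a data source.
DISALLOWED_SQL = {"create", "drop", "alter", "grant", "revoke", "stored procedures"}

def audit(settings, datasources):
    """Return deviations from the Secure Profile; an empty list means compliant."""
    findings = []
    for name, (mode, target) in SECURE_PROFILE.items():
        value = settings.get(name)
        if mode == "exact" and value != target:
            findings.append(f"{name}: is {value!r}, Secure Profile sets {target!r}")
        elif mode == "max" and (value is None or value > target):
            findings.append(f"{name}: is {value!r}, Secure Profile caps it at {target}")
        elif mode == "retained" and not value:
            findings.append(f"{name}: not set, Secure Profile applies a {target}")
    for ds, allowed in datasources.items():
        bad = sorted(DISALLOWED_SQL & {op.lower() for op in allowed})
        if bad:
            findings.append(f"data source {ds}: allowed SQL includes {', '.join(bad)}")
    return findings

# Constructed sample: a server installed with the Default Admin Profile column
# of the table (illustrative values, not read from a real installation).
DEFAULT_SERVER = {
    "Use UUID for cftoken": True, "Disable access to internal ColdFusion Java components": False,
    "Enable Global Script Protection": True, "Maximum size of post data (MB)": 20,
    "Missing Template Handler": "", "Site-wide Error Handler": "", "Request Queue Timeout Page": "",
    "Cookie Timeout (minutes)": 15767000, "Disable updating of ColdFusion internal cookies": False,
    "Enable WebSocket Server": True, "Start Flash Policy Server": True,
    "Enable Robust Exception Information": False, "Enable CFSTAT": True, "Enable RDS Service": True,
}
DEFAULT_DATASOURCES = {"appdb": ["SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP"]}
```

Calling `audit(DEFAULT_SERVER, DEFAULT_DATASOURCES)` lists the eleven deviations of a default-profile install, ending with the data source whose Allowed SQL still includes create and drop.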
Ray has created a very nice Administrator Extension; the details can be found under Security Profile Admin Extension for ColdFusion 10.
Comment: What about secure profile for ColdFusion 9? Does that exist?

Reply: Secure profile is a new feature introduced in ColdFusion 10. There is no official port back to secure profile on ColdFusion 9.

Comment: Doesn't work on CF 10 Standard. Where to install?

Reply: It should work. A couple of APIs in this Extension may not work on Standard edition though. Have you followed all steps to install it? What error do you get?