Wednesday, April 11, 2012

ColdFusion 10 & Secure Profile



Administrators have often wondered what needs to be configured to make a server release-ready and secure. There are various guideline and recommendation documents out there.


ColdFusion 10 adds the option to enable Secure Profile at installation time. It is recommended for production or public-facing servers. When selected, it enforces a number of security-related configurations, leaving fewer settings for the administrator to change in order to secure the server.


If Secure Profile is chosen at installation time, the following settings are affected:

1.    Separate user name and password authentication is enabled for the Administrator and for RDS
2.    The RDS service is disabled
3.    A list of IP addresses that are allowed to access the Administrator is requested
4.    A strong, complex password for the root admin user is mandatory
5.    Directory browsing is disabled on the server
6.    Custom error templates that reveal as little information as possible are used
7.    All debugging is disabled
8.    For a new data source, the SQL operations allowed by default are select, insert, update and delete

Below is a list of further server-level settings that are affected.

Administrator settings affected by enabling Secure Profile:

 # | Administrator setting | Path | Default admin profile | Secure Profile | Changes to the setting
 1 | Use UUID for cftoken | Server Settings > Settings | Enabled | Enabled | Overwritten
 2 | Disable access to internal ColdFusion Java components | Server Settings > Settings | Disabled | Enabled | Overwritten
 3 | Enable Global Script Protection | Server Settings > Settings | Enabled | Enabled | Overwritten
 4 | Maximum size of post data | Server Settings > Settings | 20MB | 20MB | Overwritten
 5 | Missing Template Handler | Server Settings > Settings | no value | Custom missing error template | Retained if specified
 6 | Site-wide Error Handler | Server Settings > Settings | no value | Custom site-wide error template | Retained if specified
 7 | Request Queue Timeout Page | Server Settings > Request Tuning | no value | Custom error template | Retained if specified
 8 | Cookie Timeout | Server Settings > Memory Variables | 15767000 minutes | 1440 minutes | N/A
 9 | Disable updating of ColdFusion internal cookies using ColdFusion tags/functions | Server Settings > Memory Variables | Disabled | Enabled | N/A
10 | Enable WebSocket Server | Server Settings > WebSocket | Enabled | Disabled | N/A
11 | Start Flash Policy Server | Server Settings > WebSocket | Enabled | Disabled | N/A
12 | Allowed SQL (all settings) | Data & Services > Data Sources > <database> > Advanced Settings | Enabled | Create, Drop, Alter, Grant, Revoke, Stored Procedures are disabled | Retained if specified
13 | Enable Robust Exception Information | Debugging & Logging > Debug Output Settings | Disabled | Disabled | Overwritten
14 | Enable CFSTAT | Debugging & Logging > Debug Output Settings | Enabled | Disabled | Overwritten
15 | Select the type of Administrator authentication | Security > Administrator | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A
16 | Enable RDS Service | Security > RDS | Configurable at install time | Disabled | N/A
17 | Select the type of RDS authentication | Security > RDS | Use a single password only | Separate user name and password authentication (allows multiple users) | N/A
18 | Allowed IP addresses for ColdFusion Administrator access | Security > Allowed IP Addresses | Not available at install time | Available at install time | N/A
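Row 12 (and list item 8) is worth a closer look, because the Allowed SQL restriction is defence in depth rather than a fix for injection. The following Python model is an added example, not code from the post or from Adobe: it uses an in-memory sqlite3 database and a simplified allow-list gate that refuses any statement whose leading keyword is not permitted (an assumption about how the ColdFusion data-source check behaves, and it also assumes the driver would accept stacked statements). The schema, rows and injected inputs are constructed for the demonstration.

```python
"""
Added example (not from the original post): why restricting a data source to
SELECT/INSERT/UPDATE/DELETE limits the blast radius of SQL injection, and why
it does not replace <cfqueryparam>. The allow-list gate is a simplified stand-in
for ColdFusion's Allowed SQL check (assumed: leading-keyword allow-list);
schema, data and payloads are constructed.
"""
import re
import sqlite3

SECURE_PROFILE_ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE"}   # Secure Profile default
EVERYTHING_ALLOWED = SECURE_PROFILE_ALLOWED | {"CREATE", "DROP", "ALTER", "GRANT", "REVOKE"}


def split_statements(sql):
    """Split on ';' outside single quotes. Enough for the demo; not a SQL parser."""
    parts, buf, in_quote = [], [], False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def run_with_allowed_sql(conn, sql, allowed):
    """Execute each statement only if its leading keyword is on the allow-list."""
    rows = []
    for stmt in split_statements(sql):
        m = re.match(r"\s*([A-Za-z]+)", stmt)
        if not m:                       # comment-only fragment such as "--'"
            continue
        keyword = m.group(1).upper()
        if keyword not in allowed:
            raise PermissionError(f"{keyword} is not permitted on this data source")
        rows = conn.execute(stmt).fetchall()
    return rows


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def table_exists(conn):
    return conn.execute("SELECT count(*) FROM sqlite_master WHERE name = 'users'").fetchone()[0] == 1


def vulnerable_lookup(conn, name, allowed):
    """String concatenation: the equivalent of WHERE name = '#url.name#' inside cfquery."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return run_with_allowed_sql(conn, sql, allowed)


def safe_lookup(conn, name):
    """Parameterised: the equivalent of <cfqueryparam value="#url.name#" cfsqltype="cf_sql_varchar">."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    results = {}
    drop_payload = "x'; DROP TABLE users; --"
    # 1. Everything allowed: the stacked DROP reaches the database and the table is gone.
    conn = new_db()
    vulnerable_lookup(conn, drop_payload, EVERYTHING_ALLOWED)
    results["table_survives_without_restriction"] = table_exists(conn)
    # 2. Secure Profile allow-list: DROP is refused before it is executed.
    conn = new_db()
    try:
        vulnerable_lookup(conn, drop_payload, SECURE_PROFILE_ALLOWED)
        results["drop_refused"] = False
    except PermissionError:
        results["drop_refused"] = True
    results["table_survives_with_restriction"] = table_exists(conn)
    # 3. The allow-list does nothing against an injection that stays inside SELECT.
    results["rows_leaked_despite_restriction"] = len(
        vulnerable_lookup(conn, "x' OR '1'='1", SECURE_PROFILE_ALLOWED))
    # 4. Parameterisation stops both: the payload is just a name that matches nothing.
    results["rows_with_cfqueryparam_equivalent"] = len(safe_lookup(conn, "x' OR '1'='1"))
    return results


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

The restriction keeps a stacked DROP from reaching the database, but the SELECT-only payload still returns every row under the Secure Profile allow-list; only the parameterised query neutralises both, so the setting belongs alongside cfqueryparam, not instead of it.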



Ray has created a very nice Administrator Extension. The details can be found under Security Profile Admin Extension for ColdFusion 10.
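Several of the settings above can also be verified from outside the server, which is useful after installation or after applying an extension such as Ray's. The following Python module is an added example, not code from the post, from Ray or from Adobe. It takes the raw parts of HTTP responses (status, headers, body) so it can run offline against the constructed samples below or be fed from a live probe. Its markers are assumptions about default ColdFusion 10 and Tomcat output rather than anything the post states: a pre-UUID CFTOKEN is an 8-digit number while a UUID CFTOKEN contains a ColdFusion UUID (8-4-4-16 hex), the classic debug template prints "Debugging Information", robust exception output prints "The error occurred in <template>: line N", and Tomcat directory indexes are titled "Directory Listing For".

```python
"""
Added example (not from the original post or from Adobe): offline checks for the
externally observable effects of ColdFusion 10 Secure Profile. Response markers
(CFTOKEN formats, "Debugging Information", "The error occurred in",
"Directory Listing For") are assumptions about default CF/Tomcat output;
all sample responses are constructed.
"""
import re
from typing import Dict, List, Tuple

NUMERIC_CFTOKEN = re.compile(r"^\d{1,8}$")   # guessable pre-UUID format (assumed)
CF_UUID = re.compile(r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}")


def parse_set_cookies(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Cookie name -> value from Set-Cookie headers; attributes such as Path are dropped."""
    cookies: Dict[str, str] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair = value.split(";", 1)[0]
        if "=" in pair:
            k, v = pair.split("=", 1)
            cookies[k.strip().upper()] = v.strip()
    return cookies


def cftoken_uses_uuid(cookies: Dict[str, str]) -> bool:
    """Table row 1: CFTOKEN absent, or carrying a UUID rather than a short number."""
    token = cookies.get("CFTOKEN")
    if token is None:
        return True                       # no session cookie issued, nothing to guess
    if NUMERIC_CFTOKEN.match(token):
        return False                      # "Use UUID for cftoken" is off
    return CF_UUID.search(token) is not None


def debug_output_leaked(body: str) -> bool:
    """List item 7: classic debug output appended to the page."""
    return "Debugging Information" in body and "Execution Time" in body


def robust_exception_leaked(body: str) -> bool:
    """Table row 13: robust exception info reveals template path, line and stack trace."""
    return any(m in body for m in ("The error occurred in", "Stack Trace", "coldfusion.runtime."))


def directory_listing_exposed(status: int, body: str) -> bool:
    """List item 5: a 200 carrying a Tomcat, Apache or IIS directory index."""
    if status != 200:
        return False
    return any(m in body for m in ("Directory Listing For", "<title>Index of", "[To Parent Directory]"))


def admin_reachable(status: int) -> bool:
    """Table row 18: /CFIDE/administrator/ probed from a host outside the allowed-IP list."""
    return status == 200


def assess(responses: Dict[str, dict]) -> Dict[str, bool]:
    """Finding -> True when the server matches the Secure Profile expectation.

    Keys: "home" (an ordinary page), "error" (a page that throws),
    "listing" (a directory URL), "admin" (the Administrator from an untrusted IP).
    """
    home, listing = responses["home"], responses["listing"]
    return {
        "uuid_cftoken": cftoken_uses_uuid(parse_set_cookies(home["headers"])),
        "no_debug_output": not debug_output_leaked(home["body"]),
        "no_robust_exceptions": not robust_exception_leaked(responses["error"]["body"]),
        "no_directory_browsing": not directory_listing_exposed(listing["status"], listing["body"]),
        "admin_ip_restricted": not admin_reachable(responses["admin"]["status"]),
    }


# Constructed responses from a server with several of these settings relaxed.
RELAXED = {
    "home": {"status": 200, "headers": [("Set-Cookie", "CFID=1234; Path=/"), ("Set-Cookie", "CFTOKEN=40567891; Path=/")],
             "body": "<html><body>Welcome<h2>Debugging Information</h2>Execution Time 12 ms</body></html>"},
    "error": {"status": 500, "headers": [], "body": "The error occurred in C:/inetpub/wwwroot/app/index.cfm: line 12"},
    "listing": {"status": 200, "headers": [], "body": "<html><head><title>Directory Listing For /assets/</title></head></html>"},
    "admin": {"status": 200, "headers": [], "body": "<title>ColdFusion Administrator Login</title>"},
}

# Constructed responses from a server installed with Secure Profile.
HARDENED = {
    "home": {"status": 200, "headers": [("Set-Cookie", "CFID=1234; Path=/; HttpOnly"),
                                        ("Set-Cookie", "CFTOKEN=6c5f3e2d1a0b9c8d-8E4D1C2B-F2A3-0B1C-9D8E7F6A5B4C3D2E; Path=/; HttpOnly")],
             "body": "<html><body>Welcome</body></html>"},
    "error": {"status": 500, "headers": [], "body": "<html><body>Something went wrong. Reference 7f3a.</body></html>"},
    "listing": {"status": 403, "headers": [], "body": "Forbidden"},
    "admin": {"status": 403, "headers": [], "body": "Forbidden"},
}

if __name__ == "__main__":
    for label, sample in (("relaxed", RELAXED), ("hardened", HARDENED)):
        print(label, assess(sample))
```

To use it against a real server, fill the four response dicts from probes of an ordinary page, a page that throws, a directory URL and /CFIDE/administrator/ requested from a host that is not on the allowed-IP list. CFSTAT, the post-data limit, the WebSocket and Flash policy servers and the Allowed SQL restriction are not observable this way and still have to be confirmed in the Administrator.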
Related Entries:
How to Secure ColdFusion Session Cookies with CF 10
New Improved CFLogin
New way to add Sandbox permissions for Users with RDS access
Improved Session Management in ColdFusion 10
ColdFusion 10 Hot-Fix Installer

4 comments:

  1. What about Secure Profile for ColdFusion 9? Does that exist?

  2. Secure Profile is a new feature introduced in ColdFusion 10. There is no official backport of Secure Profile to ColdFusion 9.

  3. Doesn't work on CF 10 Standard. Where do I install it?

  4. It should work. A couple of APIs in this extension may not work on the Standard edition, though. Have you followed all the steps to install it? What error do you get?


You can subscribe to the comments by clicking on "Subscribe by email".