Regarding the security issue I had posted a week ago: I finally broke down and opened an incident with Allaire. The young lady who returned my call (thanks, Laura!) explained that:

(1) I must first grant NTFS access to any users who need access to the site to the following directories:

    x:\Program Files\ColdFusion\BIN\ ... ColdFusion binaries
    x:\Inetpub\wwwroot\ ... The site itself
    x:\WINNT\SYSTEM32\ ... Windows (Yipe!)

(2) I must then stop the following services:

    Coldfusion Executive
    Coldfusion Application Server
    Coldfusion RDS
    World Wide Web Publishing

(3) Finally, I have to restart the services in the reverse order.

Right now, my site is wide open to anonymous users. For most of the site, that's OK -- but there will be some areas that will be restricted. The site is scheduled to go live tomorrow, after which I will set up another site in which I can try out different security schemes to determine what will work best for us.

My ideal would be to have intranet users log in to NT, and then have all security on the site handled via NT challenge/response. Because we have some users in remote offices, and others who dial in, this may not be practical due to firewall issues.

Anyway, thanks to all who assisted me in resolving this problem.

JGB

---------- Original Text ----------

From: Jeffrey G. Brown@MIS@CM_PRODUCTS, on 4/18/00 4:32 PM:
To: internet[[EMAIL PROTECTED]]

Gentlebeings...

Bear with me, please, as I am somewhat new to Coldfusion and NT administration.

I began development of our intranet site in VBScript on IIS 4.0, and then we switched to CF. The VBScript site, named cimnet2d, is still online, and all users can view it. The new site, named cimnetcf, is totally CFM-based. Admin-type users can see it, but not non-admin, ordinary users (hereafter referred to as 'Joe User').

The directory trees for each site have exactly the same ACL permissions set throughout, and the IIS 4.0 settings are the same.
Both directory trees are configured for Win NT 4.0 NTLM authentication (no anonymous or basic), and have been given Read access throughout to members of the Authenticated Users group.

I finally realized that Coldfusion itself might have something to do with the access problem, and tried an experiment. A very simple file, containing only HTML (no VBScript or CFM code), named 'simple.htm' was placed in the cimnet2d home directory (which has always been accessible to Joe User). Log in as Joe User and access it with IE 4.0. Result: access good. Rename it to simple.asp: access good. BUT, rename to simple.cfm: no access! Same results in the cimnetcf home directory.

The problem, thus, lies not in the directory permissions for the site or the IIS authentication settings, but in access to some Coldfusion resource. The ACL for the \programs\coldfusion directory tree on the server contains only SYSTEM and the Domain Admins group. Adding a user to the Domain Admins group gives him access to cimnetcf; not practical for security reasons, obviously. Windows NT is running the CF Server under the SYSTEM user.

What resource(s) must I make accessible, and to whom, for the CF site to work for all authenticated users? How, in general, can I effectively integrate CF with IIS/NT 4.0 security?

Many thanks...

JGB

===========================================================
Jeffrey G. Brown
Intranet Webmaster
Milacron, Inc.
Voice: 513-841-8655
Fax: 513-841-7345