Hey Dave, do you have any more info on URLScan, specifically about preventing URL variables from being received by CF? Is this only the case for extremely long URLs or URLs that contain odd ASCII?
I am just about to deploy two new servers next week and I would hate to have a problem with not being able to pass vars via URL when we move the site on to the new servers.

Mark W. Breneman
-Macromedia Certified ColdFusion Developer
-Network / Web Server Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 1:07 PM
To: CF-Talk
Subject: RE: MX Server installs and Microsoft Security Toolkits

> Microsoft provides a whole bunch of Security Toolkits
> to help lock down a server. For example there is the
> "Microsoft Baseline Security Analyzer". Some of these
> tools "blindly" go in and lock down a bunch of stuff
> that you are not aware of.

You should be very reluctant to make "blind" changes with regard to security. If you want to administer a server, you need to understand the security ramifications of the default settings, and of the changes made to secure the server. Server administration is not a trivial matter.

> Has anyone had problems running CFMX after applying
> security patches to Windows servers running IIS?

A common problem with CFMX, or any other application server, occurs when the URLScan tool is installed. This tool is an input filter for IIS, and may prevent .cfm requests from being handled correctly, or may prevent URL variables from being received by CF.

Another problem may occur with the IIS Lockdown tool, which can remove all ISAPI extension mappings from IIS. ISAPI extension mappings that are set up by default in IIS are often vulnerable to exploits, and if you're not using them, you should remove them (which is true of anything on a server, actually). However, if you remove the ISAPI extension mapping for CF, IIS won't be able to process CF pages.

> As for anything involving security, it is a matter of degree.
> How much can you lock down a box before CFMX stops working?

Exactly the right amount.

What kind of answer were you expecting for this question?

> If anyone has any white papers or other documentation on
> this subject, it would be appreciated. I noticed in the
> Security Section of the Macromedia site that the white papers
> still have the Allaire Logo stamped on them, with
> dates such as 2001. Hope Macromedia is a little more
> serious about security than this. It does not help the
> CF cause.

As Jochem noted, very little has changed as far as CF is concerned, with regards to security. Most security issues that you face when running a CF server have little or nothing to do with CF, but rather with the security of the server itself, and of the other services running on that server (particularly IIS). The freshness of the logos doesn't make the information more or less valid.

The only major items that are specific to CFMX, really, concern the sandbox security model introduced in CFMX, which is pretty easy to figure out and to use, and which is covered in the CFMX documentation, I think.

There's plenty of documentation out there on all these topics, also. Unfortunately, it's not all in one place, really; CF information is provided by Macromedia, IIS information by Microsoft, general web application security information by others, and so on. Fig Leaf Software offers a one-day seminar on securing CF servers running Windows, if you're interested in that. Information is available at http://training.figleaf.com/. There are plenty of books and online references available, also.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Your ad could be here.
Monies from ads go to support these lists and provide more resources for the community.
http://www.fusionauthority.com/ads.cfm
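An added example, not taken from either message in the thread: a URLScan.ini fragment showing the settings that decide whether IIS hands .cfm requests and their query strings on to CFMX, which is where the "long URL" and "odd ASCII" cases Mark asks about are controlled. Section and key names are those of URLScan 2.5; the values are assumptions chosen for illustration, so compare them against the URLScan.ini the lockdown tool actually installed on the server.

```ini
; URLScan.ini fragment (constructed example) - the settings that most
; often stop IIS from passing CF requests or URL variables to CFMX.

[Options]
; 1 = only extensions listed under [AllowExtensions] are served.
; If this is on and .cfm is missing from that list, every CF page
; is rejected by the filter before CF ever sees the request.
UseAllowExtensions=1

; 0 (the usual lockdown setting) rejects any request whose URL contains
; a byte outside the ASCII range, i.e. the "odd ASCII" case: such URL
; variables never reach CF. Set to 1 only if the application needs them.
AllowHighBitCharacters=0

; Rejected requests are written to the URLScan log; check it first when a
; query string seems to "disappear" after URLScan is installed.
EnableLogging=1

[RequestLimits]
; Requests beyond these lengths are rejected outright, so an extremely
; long URL or query string returns an error instead of reaching CF.
; Raise them only as far as the application's longest legitimate request.
MaxUrl=260
MaxQueryString=2048

[AllowExtensions]
; Extensions IIS may serve when UseAllowExtensions=1. CF's own extensions
; must be here, or the CF ISAPI mapping is never invoked for them.
.cfm
.cfc
.cfml
.htm
.html
.css
.gif
.jpg
.js

[DenyUrlSequences]
; Character sequences rejected when they appear in the request URL. The
; stock lockdown template ships with several; each entry can block
; legitimate requests, so review every one against the URLs the
; application actually generates before leaving it in place.
..
./
\
:
```

After changing URLScan.ini, restart IIS so the filter reloads the file, then request a .cfm page with a multi-variable query string and confirm it is neither logged as rejected nor missing its URL scope.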