Shahzad.Butt wrote:
> Does someone know how to lock down ColdFusion Server? Idea is that we
> are going to be on internet through https. Now we need to secure our
> server. We'd already locked down IIS etc, only bit left is to secure
> ColdFusion Server. What sort of vulnerabilities we can have through our
> CFMX server?

I'm sure there is more, but here is a list to start. Make sure you:
- run CF as a normal user
- disable RDS
- disable unneeded tags with security implications (cfexecute etc.)
- disable unneeded services (do you need ODBC?)
- disable direct connection through the built-in webserver
- run only trusted code
- do not install example apps or documentation
- verify the inaccessibility of the WEB-INF directory

Jochem
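
Added example, not part of the original reply: one way to carry out the last item of the list, by requesting WEB-INF paths from your own server and reporting any that are not refused. The probe paths, the function names and the small local demo server are assumptions made for this sketch.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed probe paths; web.xml is the standard servlet deployment descriptor.
PROBE_PATHS = ["/WEB-INF/", "/WEB-INF/web.xml"]
# Connect directly, ignoring any proxy settings in the environment.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(base_url, path, timeout=5):
    """Return the final HTTP status for base_url + path (None if unreachable)."""
    try:
        with OPENER.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403/404 etc. arrive here: the request was refused
    except (urllib.error.URLError, OSError):
        return None


def exposed_paths(base_url, paths=PROBE_PATHS):
    """Paths that were answered instead of refused (status below 400)."""
    results = {p: probe(base_url, p) for p in paths}
    return sorted(p for p, s in results.items() if s is not None and s < 400)


def start_demo_server(serve_webinf):
    """Constructed local server that serves or denies /WEB-INF/* for the demo."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            denied = self.path.upper().startswith("/WEB-INF") and not serve_webinf
            self.send_response(403 if denied else 200)
            self.end_headers()
            self.wfile.write(b"" if denied else b"<web-app/>")

        def log_message(self, *args):  # keep demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    for label, leaky in (("locked down", False), ("misconfigured", True)):
        srv, url = start_demo_server(leaky)
        print(label, "->", exposed_paths(url) or "WEB-INF not reachable")
        srv.shutdown()
```

Against a real deployment, call `exposed_paths()` with the site's own https base URL once through IIS and once through the built-in webserver port if it is still listening; an empty list is the expected result.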