Russ, I never meant their own server. I meant put all customers who want the robust onto the same sever.
But I did raise an enhancement with Adobe, where my suggestion is to have robust exceptions of by default and not be able to enable or disable from the CF admin. However if the customer wants to exploit their own site then they have the option to turn that level of exception on in the Application.cfc On Tue, Feb 12, 2013 at 3:05 AM, Russ Michaels <r...@michaels.me.uk> wrote: > > unfortunately no host can afford to tell all their customers "your better > off elsewhere". > It would not be cost efficient at all to give a shared hosting customer > their own server for the same price, they would lose money, I doubt the > cost would even be remotely covered. > > Both of hose solutions would put any host out of business very quickly. > > > On Mon, Feb 11, 2013 at 10:37 AM, Andrew Scott <andr...@andyscott.id.au > >wrote: > > > > > Yeah I guess, but that is why there are log files so there is really no > > excuse. But how cost efficient would it be to just move those people over > > to their own server so they can effect themselves? > > > > And I would bet that it is these people who also turn off UAC on Windows > > and get all types of infections and could very well be the ones ftping up > > infected files to begin with. > > > > Russ, I hear you but then maybe they are better of else where if they > can't > > understand the implications. > > > > > > -- > > Regards, > > Andrew Scott > > WebSite: http://www.andyscott.id.au/ > > Google+: http://plus.google.com/113032480415921517411 > > > > > > On Mon, Feb 11, 2013 at 9:15 PM, Russ Michaels <r...@michaels.me.uk> > > wrote: > > > > > > > > Unfortunately Andrew things are never that simple. > > > For every customer like yourself who wants this turned off, there will > be > > > 100 customers who want it turned on. > > > > > > Most people do not know about or care about the security side of > hosting, > > > and just want everything enabled which makes their life easier. > > > So as soon as they hear the word "disabled", their initial response > will > > be > > > things like. > > > 1) Our previous host did not do this > > > 2) Then we will have to look for another host > > > > > > Many hosts are i'm sure simply giving in to the demands of the majority > > of > > > their customers and providing them with the services they want even > > though > > > they are insecure. > > > > > > I regularly explain to customers/developers why cfexecute is disabled, > by > > > they do not have read/write access to the entire server, why > > > createobject(java) is disabled by default, and in in general why things > > > have to be locked down on a shared server. > > > We do however stick to our main security policies, so our servers are > > more > > > secure than most, but this of course comes at a cost as many customers > > > simply will not accept such restrictions and would rather go and find > an > > > insecure host instead. > > > > > > At the end of the day If you want security and control over your > hosting > > > environment the solution is simple, "DO NOT USE SHARED HOSTING". > > > > > > > > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354452 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
