I'll weigh in on this for a few reasons. One of the servers in the Krebs article is one that I was called in to fix. I've had to investigate/fix several other breached servers over the past year. All were new-to-us clients that came to us with a breached server. Another reason is that I maintain a large number of ColdFusion servers at CF Webtools. Another is that other hosting companies contact CF Webtools and myself to assist with ColdFusion server issues.
I am not all that concerned about the exploit. All software has bugs. Adobe fixed it pretty quickly once it was noticed. Reading David Epler's blog post (http://www.dcepler.net/post.cfm/how-patching-coldfusion-8-0-x-made-you-more-vulnerable-in-some-cases-or-fun-with-cve-2013-0632-from-apsb13-03) may lead you to think that Adobe didn't do proper testing. But that's not the concern here. I know of many properly locked down servers that didn't get hacked even though it was attempted.

The concern here is "Who should be responsible for setting up, maintaining and securing a public facing server?" (http://www.trunkful.com/index.cfm/2014/3/7/Who-Patches-Your-ColdFusion-Servers) The short answer is "A qualified systems administrator" and that should be the end of the discussion. I don't care if you're installing ColdFusion, Railo, PHP, .NET, Ruby, MySQL or any other system. If you are not a systems administrator you should not be working on the server. There are no excuses and the costs of making a mistake are growing very quickly.

Should the ColdFusion installer do all the things in the lockdown guide for me? The answer is mixed. I'd love to see CFIDE split apart so that CFAdmin is standalone from the scripts. How Adobe does it is up to them. Another change I'd like to see during the install is the option to pick the user account that ColdFusion will run under. This has been an option for the Linux installer, but not on Windows. (At least not that I can remember.) The last item I'd like to see is that during the Secure Profile install CFAdmin is locked down to localhost by default, with the option to add an IP address if needed. I think these changes would be a huge step in persuading the sysadmin to properly secure ColdFusion installations. I know these have been mentioned before, and during the ColdFusion 10 beta cycle many new security and installation changes were made. These were deferred. I'd like to see these added this time.
I know some people are going to take issue with requiring systems administrators to install and maintain ColdFusion servers. Too bad. I think it is obvious now that the costs of not having a qualified systems administrator are too high.

Regards,
Wil

Wil Genovese
Sr. Web Application Developer/Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Mar 26, 2014, at 10:45 AM, Andrew Scott <andr...@andyscott.id.au> wrote:

> I agree with Ben and Dave....
>
> There was a point where I was siding with Adam on this. But Ben, you make a good point, which I think Dave was trying to get at. SysAdmins by default are the type that want to do everything; they need to know what it is they have control over. Therefore, if Adobe in this case locked it down, they would become too complacent with the product.
>
> But....
>
> Where Adam is coming from is that there are a lot more people out there developing and maintaining cheap VPS servers for clients, which has been a huge push by the Community to some degree whenever hosting pops up. You know I feel safer having someone who manages the SysAdmin side of it than relying on my knowledge as a developer.
>
> The problem is the perception of the younger developers coming up is just that: they expect things to be done for them. In cases like what Adam is describing, it is locked down 100%, which I think would force these younger, newer developers to ColdFusion to then learn the security of ColdFusion if they are forced to begin unlocking what they need.
>
> Now the question is how would Adobe then begin to cater for both those worlds?
>
> Regards,
> Andrew Scott
> WebSite: http://www.andyscott.id.au/
> Google+: http://plus.google.com/113032480415921517411
>
> On Thu, Mar 27, 2014 at 2:12 AM, Ben Forta <b...@forta.com> wrote:
>
>> Sure, the installer could make things simpler, and maybe should. But, that's a double edged sword: make things easier and admins will be even less likely to learn and manage what they really need to. At the end of the day, whether it is Windows or Apache or your mail server or CF or Java or Oracle or anything else, if you think you can run install and click Next a few times and then ignore a public facing server, you are asking for trouble, and have no one to blame but yourself when it happens.
>>
>> --- Ben
>>
>> (Sent from a handheld device)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358134
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
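The lockdown Wil asks the installer to do by default (CFAdmin reachable only from localhost, plus an explicit admin IP when needed) can be done today in front of ColdFusion at the web-server layer. The following is an added example, not code from this thread, from CF Webtools or from Adobe's lockdown guide. It assumes Apache httpd 2.4 (mod_authz_core "Require" syntax) is the web server handing requests to ColdFusion; the admin workstation address 203.0.113.10 is a placeholder, and the CFIDE sub-paths listed are the ones the Adobe lockdown guide treats as administrative.

```apache
# Added example, not from the post. Assumes Apache httpd 2.4 fronting
# ColdFusion and 203.0.113.10 as the admin workstation (both assumed).

# Weak: a default install answers /CFIDE/administrator to any client,
# which is equivalent to
#   <Location "/CFIDE/administrator">
#       Require all granted
#   </Location>

# Corrected: the Administrator only from localhost and the admin host.
# "Require ip" is a whitelist; everything else gets 403 from httpd before
# the request ever reaches ColdFusion.
<Location "/CFIDE/administrator">
    Require ip 127.0.0.1 ::1 203.0.113.10
</Location>

# The other administrative CFIDE paths get the same restriction.
# /CFIDE/scripts is deliberately left reachable, since applications that
# use cfform/ajax assets load from it; that is the split between CFAdmin
# and the scripts that the post wants Adobe to make by default.
<LocationMatch "^/CFIDE/(adminapi|componentutils|wizards)(/|$)">
    Require ip 127.0.0.1 ::1 203.0.113.10
</LocationMatch>
```

Two checks before trusting it: from a host that is not on the list, `curl -I http://yourserver/CFIDE/administrator/index.cfm` must return 403, and from the server itself it must still return 200. The caveat a practitioner will hit is a load balancer or reverse proxy in front of httpd: `Require ip` evaluates the TCP peer address, so if every request arrives from the proxy's IP the rule either blocks everyone or, if the proxy's address is listed, lets everyone through. In that setup apply the restriction on the proxy instead, or use mod_remoteip to restore the client address before authorization runs. On IIS the equivalent is the IP and Domain Restrictions feature on the same virtual directories.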