CFSERVER and security

2002-02-07 Thread Brian L. Wolfsohn

At 12:48 PM 5/8/2001 -0400, you wrote:

Is this T: drive physically on your server, or is it on another server? If
it is on another server, the CF Service must be run in the context of a user
that would have access to that other server. Just because you can see the
drive share doesn't mean CF can.

This response was originally part of a discussion on accessing files using 
cffile, and the need to run cfserver under a user account as opposed to the 
system account.

I'm concerned with the ramifications of running cfserver as a user account
as opposed to the system account. Are there security issues that don't
exist when it's run under the system account? We've got a pretty heavily
used existing live box that has been running cfserver under the system
account. I'm concerned about A: breaking existing applications and
B: creating security holes that didn't exist before.

Any advice would be appreciated.


Brian L. Wolfsohn
http://www.cus.com
CUS Business Systems, Ft. Lauderdale, FL
Software for Auctioneers (954) 565-5600 Email: [EMAIL PROTECTED]
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: CFSERVER and security

2002-02-07 Thread Herbener, Martin - School Information Technology

I currently run CF with a non-system account.

a) breaking current applications is certainly an issue. I have figured out
how to set permissions that work for me (documented at
http://www.defusion.com/articles/index.cfm?ArticleID=89) but, depending on
what databases and other components you use you may have to experiment.

b) new security holes: I regard using a non-system account as an overall
security improvement, because someone who gets control of CF doesn't
necessarily get control of the box. However, someone who gets control of CF
may, in a non-system account situation, get some sort of access to other
machines. Exactly what access they obtain depends on how you set up the
account.

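
The trade-off discussed in this thread (SYSTEM versus a dedicated user account, and what that account can reach) can be checked on a server with a short audit. This is an added example, not code from either poster; the service name is a placeholder you must replace, and it assumes PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added example: report which account a Windows service logs on as and what
# that implies. $ServiceName is a placeholder (assumption): use the name
# shown for the ColdFusion service in services.msc on your server.
param(
    [string]$ServiceName = 'PLACEHOLDER_CF_SERVICE_NAME'
)

function Get-ServiceAccountFinding {
    param(
        [string]$StartName,           # Win32_Service.StartName value
        [string[]]$LocalAdminMembers  # direct members of local Administrators
    )
    # LocalSystem: whoever controls the service controls the machine.
    if ([string]::IsNullOrEmpty($StartName) -or
        $StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
        return 'SYSTEM: control of the service means control of the box'
    }
    # Other built-in service identities (LocalService, NetworkService, ...).
    if ($StartName -match '^NT (AUTHORITY|SERVICE)\\') {
        return "BUILTIN: $StartName is a built-in service identity"
    }
    # Normalise ".\user" to "COMPUTER\user" so it compares with group members.
    $account = $StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    # Direct membership only; nested groups are not expanded here.
    if ($LocalAdminMembers -contains $account) {
        return "ADMIN: $account is a local administrator; little gained over SYSTEM"
    }
    # Anything not prefixed with this computer's name is a domain identity.
    if ($account -notmatch "^$([regex]::Escape($env:COMPUTERNAME))\\") {
        return "DOMAIN: $account can authenticate to other machines; review its share and database rights"
    }
    return "LOCAL: $account is a non-admin local account; review the file and registry rights granted to it"
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Error "Service '$ServiceName' not found"
    return
}
# S-1-5-32-544 is the well-known SID of the local Administrators group,
# used instead of the group name so the check works on localized systems.
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
Get-ServiceAccountFinding -StartName $svc.StartName -LocalAdminMembers $admins
```

A `DOMAIN` result is the case described in point (b): the account is what lets the service reach a remote share, and it is also what an intruder inherits on those other machines.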