Tips For Locking ColdFusion 10
For developers working on production-level, web-facing ColdFusion 10 applications, it is essential to follow the tips and techniques in Adobe’s ColdFusion 10 lockdown guide. While security concerns often vary according to the criticality of the application, there is no such thing as a system that is “too secure.” Anyone administrating or developing on the ColdFusion 10 platform should be familiar with all of the potential points of attack.
Fortunately, ColdFusion 10 allows developers to take care of many critical security settings right off the bat by allowing the user to install using a Secure Profile. This profile covers a wide range of defaults that help ensure security, such as disabling RDS service, enforcing complex passwords for the root admin user, disabling directory browsing, limiting SQL operations from new data sources and setting a host of timeout and data size defaults.
Post Install Operations
Though the Secure Profile provides an instant base for a secure platform, there is still much that can be done after installation. This includes:
- Updating the Java Virtual Machine (JVM) as the one included with the ColdFusion 10 install may not have all of the latest security patches
- Blocking files with extensions that will not be used by any application
- Removing ASP.NET once all sites are configured in IIS
- Enabling sandbox security
- Removing the Tomcat instance that is installed by default on port 8500
Additional Administrator Settings
Though the Secure Profile option hardens Administrator settings upon installation, there are further configurations that can improve security. For instance, setting “Prefix serialized JSON with:” to “//” prevents JSON hijacking.
This is just an overview of the many practices that will keep a Coldfusion 10 install protected from malicious attacks and accidental breaches. Be sure to check out Adobe’s ColdFusion 10 Lockdown Guide for a complete list of practices to ensure the best security and functionality for your application.