Adobe 38043740 - ColdFusion Standard - Mac Manual
Adobe ColdFusion 10
Server Lockdown Guide
Contents
Section 1: Introduction........................................1
Section 2: Installation Prerequisites......................... 3
Section 3 - Installing ColdFusion...........................32
Appendix A: Sources of Information.....................84
Appendix B: List of Acronyms............................85

Section 1: Introduction

The ColdFusion 10 Server Lockdown Guide is written to help server administrators
secure their ColdFusion 10 installations. In this document you will find several tips
and suggestions intended to improve the security of your ColdFusion server. The
reader is strongly encouraged to test all recommendations on an isolated test
environment before deploying into production.
1.1 Default File Paths and Usernames
This guide provides example file system paths for installation; you do not need to
use the same example installation paths in your own environment.
1.2 Operating Systems and Web Servers
This guide focuses on Windows 2008 / IIS 7, and Redhat Enterprise Linux (RHEL)
6.3 / Apache 2.2. Many of the suggestions presented in this document can be
extrapolated to apply to similar Operating Systems and Web Servers.

  • Page 2 1.3 ColdFusion Version This guide was written for ColdFusion 10.0 Enterprise Edition. 1.4 Scope of Document This document does not detail security settings for the Operating System, the Web Server, or Network Firewalls. It is focused on security settings for the ColdFusion server only.
  • Page 3: Section 2: Installation Prerequisites

    Configure your Firewall to block all non-administrative traffic to the server during installation. Download ColdFusion 10 from Adobe.com Verify that the MD5 checksum of the downloaded file matches the MD5 specified on the Adobe.com download page. On Mac OSX: To obtain the MD5 checksum of a file on Mac OSX launch Terminal.app and type: md5 filename...
  • Page 4 Create Dedicated User Accounts. Ensure that all partitions use NTFS to allow for fine grained access control. Set up a dedicated website for CF administrator. 2.2.1 Create Dedicated User Accounts Create a new User for the ColdFusion Service to run as; in the screenshot below we call this user cfusion. Choose a unique username that cannot be easily guessed.
  • Page 6 Next create a new user for the IIS Application Pool: For both users right click and select Properties. In the Remote Desktop Services Profile tab check the box that says Deny this user permission to log on to Remote Desktop Session Host server. If you are setting up multiple instances of ColdFusion for different applications you will want to create dedicated user accounts for each instance to isolate them from each other.
  • Page 7 2.2.2 Create Web Root Directory Create a separate partition for the CFML source and web site assets; for the examples in this guide it is mapped to drive f:\. Create a directory to contain the web sites, for example f:\web\, and then create a sub directory to house each web site.
  • Page 8 In the Advanced Security Settings Dialog click the Edit Button: Uncheck the checkbox labeled Include inheritable permissions from this object’s parent. A confirmation box will appear, select remove:...
  • Page 9 Table 2.2.3.1 Web Root Content Security Permissions
    User / Group: Administrators (or equivalent users and groups)
    Permissions: Full Control
    User / Group: iisservice (Your Application Pool Identity User)
    Permissions: List folder / read data; Read attributes; Read extended attributes; Read permissions; ...
  • Page 10
    User / Group: cfusion (Your ColdFusion Service Identity)
    Permissions: List folder / read data; Read attributes; Read extended attributes; Read permissions (Add additional write/delete permissions to folders or files that CF must write to)
    Click the Add button, add the iisservice user and grant Read and List Folder Contents permission. Add the cfusion user and grant Read and List Folder Contents permission.
  • Page 11 2.2.4 Add / Remove IIS Server Roles On a clean Windows 2008 install IIS may need to be installed. This is done by opening the Server Manager and selecting Roles:...
  • Page 12 Next Click Add Roles, and select the checkbox next to Web Server (IIS):...
  • Page 13 The IIS role includes a number of optional sub-components called “Role Services”. ColdFusion requires that the ASP.NET, CGI, ISAPI Extensions and ISAPI Filters Role Services are selected. After we have configured the ColdFusion 10 IIS connection we can actually remove the ASP.NET and CGI Role Services.
  • Page 14 Review the list of Role Services and remove any that may not be necessary (for example Directory Browsing). You may find other Role Services to be useful or necessary, such as Logging Tools, HTTP Redirection, Request Filtering, and IP and Domain Restrictions.
  • Page 15 2.2.5 Delete Default IIS Web Site A web site is installed with IIS called Default Web Site, right click and select Remove. 2.2.6 IIS Application Pool Settings Click on Application Pools in IIS Manager and then click Set Application Pool Defaults in the Actions menu. This allows you to change the defaults used when a new Application Pool is created.
  • Page 16 Under Process Model change the Identity to be the IIS user you created (for example iisservice). You will be prompted for the password of this user:...
  • Page 17 Remove any Application Pools that are defined and not in use, such as the DefaultAppPool. 2.2.7 Anonymous Access Identity By default IIS7 is set up to use the built-in Windows user account called IUSR for anonymous request authentication. This means that when a request is made to your web site without authenticating, the web server will use IUSR for the NTFS file permissions.
  • Page 18
    URI: /CFIDE/administrator
    Purpose: ColdFusion Administrator
    Safe to Block: Yes, we will create a dedicated web site for ColdFusion administrator access.
    URI: /CFIDE/adminapi
    Purpose: Admin API
    Safe to Block: Usually; if the admin api is called from internal CFML code it will still work when the URI is blocked. If the admin api is accessed through a remote cfc function call then use another method to protect this uri (eg IP restriction).
  • Page 19
    URI: /CFIDE/multiservermonitor-access-policy.xml
    Purpose: Used to set a policy allowing the server monitor to be viewed from multiple domains.
    Safe to Block: Yes - the server monitor now runs on its own web server on port 5500.
    URI: /CFIDE/orm
    Purpose: Contains interfaces used with ORM. These interfaces do not need to be accessible through the web server.
  • Page 20
    URI: /CFIDE/ServerManager
    Purpose: Contains the AIR application binary for the Server Manager.
    URI: /CFIDE/services
    Purpose: Contains CFCs that can act as a service layer to Flex, or other client side applications. The client application must have a username / password and also an allowed IP. Enabling this feature can open up a large amount of security risk to the application...
  • Page 21 Our strategy here is to block all URIs that do not need to be accessible to the public. Some of the resources we block here may not pose any known threat, but they could be used to determine the version of ColdFusion you are running.
  • Page 22 Table 2.2.8.1: CFIDE URIs
    Additional URI sequences to consider blocking:
    URI: Application.cf
    Purpose: Block Application.cfc and Application.cfm requests, which result in an error when accessed directly.
    URI: WEB-INF
    Purpose: WEB-INF contains configuration data used by the java application server. The Tomcat connector will block this already, but you can block it at the web server level as well.
  • Page 23
    URI: /cffileservlet
    Purpose: Serves dynamically generated assets. It supports the cfreport, cfpresentation, and cfimage (with action=captcha and action=writeToBrowser) tags.
    Safe to Block: Only if cfreport, cfpresentation and cfimage are not used.
    URI: /rest
    Purpose: Used for CF10 REST web services support.
    Safe to Block: Only if CF10 REST web services...
  • Page 24 Next click on Sites and Add Web Site to create a new website for ColdFusion Administrator, point the web root or content directory to the directory you just created. Bind the new site to 127.0.0.1 (or another IP address only accessible to system administrators). Select HTTPS for the protocol, and select the self signed certificate. Consider disabling anonymous access to this site and require web server authentication for an additional layer of protection and auditing.
  • Page 25 Select Require SSL and Require 128-bit SSL and click Apply. Visit https://127.0.0.1/ and ensure that it requires SSL and authentication. Remove Request Filtering Rule for ColdFusion Administrator Site Because we have specified that the URI /CFIDE/administrator is blocked on a global level using IIS Request Filtering, we need to enable that URI only on our cfadmin web site.
  • Page 27 2.3 Prerequisites for a RedHat Enterprise Linux 6.3 Installation Take the following steps before running the ColdFusion installer on Linux 2.3.1 - Before you Install RedHat Enterprise Linux Read through the NSA Guide to Secure Configuration of Red Hat Enterprise Linux 5 (A.3) - at the time of this writing a Guide specific to RHEL Version 6 was not yet published, check with the NSA operating system configuration guidance (A.2) list to see if an updated guide has been published.
  • Page 28 If Apache (httpd) was already installed, ensure that the latest version is installed: # yum update httpd Ensure that the latest version of openssl and mod_ssl is installed as well using similar yum commands as above. Remove any unneeded modules, for example: # yum erase php* Edit the /etc/httpd/conf/httpd.conf and remove or comment out (by placing a # at the beginning of the line) any LoadModule lines that load unnecessary modules.
  • Page 29 Create a user for ColdFusion to run as, in this guide we use cfusion, but again feel free to choose a unique name: # adduser -g webservices -s /sbin/nologin -M -c ColdFusion cfusion Specify a strong password for the new user: # passwd cfusion 2.3.6 - Apache Configuration Create a directory for ColdFusion Administrator web site:...
  • Page 30 Deny from all Allow from 127.0.0.1 </Location> The above blocks all requests starting with /CFIDE for all IP’s except 127.0.0.1. You may want to change that to the IP address of an administration workstation instead, to allow yourself access to the ColdFusion Administrator.
  • Page 31 <Location /CFIDE/administrator> SSLRequireSSL </Location> The above requires that mod_ssl and openssl are installed and configured. Finally, let's require authentication for the /CFIDE/administrator URI; this will allow you to audit which administrators have made changes to the administrator settings. In this example we use Digest authentication, which requires a modern web browser (IE 6 and below may not work correctly) and mod_auth_digest installed on the server side.
  • Page 32: Section 3 - Installing Coldfusion

    If you receive a 403 Forbidden response you may need to run chcon to set the SELinux context of the files, see Linux Post Installation section or Appendix A.10. Section 3 - Installing ColdFusion 3.1 Run ColdFusion Installer Run the ColdFusion 10 Installer. This guide covers the standard Server configuration option and does not cover installation as a WAR or EAR file, consult your JEE server vendor for installation specifics.
  • Page 34 Do not install ColdFusion 10 ODBC Services, ColdFusion 10 Admin component for Remote Start/Stop or Documentation. Select only the subcomponents that are required for your application.
  • Page 35 Enable the Secure Profile, and specify IP address which may access ColdFusion Administrator. The Secure Profile option is new in ColdFusion 10 and provides a more secure foundation of default settings. You can review the settings it toggles here: http://www.shilpikhariwal.com/2012/04/coldfusion-10-presents-secure-profile.html...
  • Page 36 Select an install directory, a non-standard directory location on a non-system partition is preferred.
  • Page 37 Install the connector for IIS, you can select either All IIS websites or a specific one depending on your needs. If your web server will be hosting web sites that do not require ColdFusion, do not select all IIS websites, or be sure to manually remove ColdFusion from each site that does not require it.
  • Page 39 Choose a strong password and unique username for the ColdFusion administrator. Strong passwords should contain a random mix of upper and lower case letters, numbers and special characters, and be at least 8 characters long.
  • Page 40 You may consider checking the checkbox to allow ColdFusion to check for updates when you login to ColdFusion administrator - note that it will not install the updates, only check for new updates.
  • Page 41: Section 4 - Post Coldfusion Installation

    Login to ColdFusion administrator and click on Server Updates > Updates and then select the latest hotfix, and click Download. Verify the integrity of the download by checking the md5 checksum of the hotfix_XXX.jar file; it must match the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates If the md5 checksum matches, install the hotfix from the command prompt: java -jar {coldfusion-home}\cfusion\hf-updates\hotfix_XXX.jar...
  • Page 42 The IIS Application Pool user (iisservice in our examples) must also have permission to access the Tomcat IIS connector. Grant this user permission to the \config\wsconfig\ directory in your ColdFusion installation directory. Folder / Permission: {coldfusion-home} Full Control; {coldfusion-home} Full Control; {coldfusion-home}/config/wsconfig/ List folder / read data...
  • Page 43 4.1.3 Specify Log On User for ColdFusion Services Open the Services Manager and change the user the service runs as to be the user you created (cfusion in the guide example). The installation creates a service named ColdFusion 10 Application Server which runs the initial ColdFusion instance.
  • Page 44 If you installed any optional subcomponents (such as Solr or .NET) ensure that their services run as the ColdFusion user account as well. If you installed a subcomponent but are not using it yet, you can change the service Startup type to Disabled. 4.1.4 Remove /CFIDE and /cfdocs virtual directories added by installer...
  • Page 45 When the ColdFusion IIS connector installs it creates two virtual directories for each site: the first is called jakarta, and is necessary for ColdFusion to process requests through IIS; the second is CFIDE, which can be removed. 4.1.5 Setup Virtual Directory alias for /CFIDE/scripts/ Because we have blocked /CFIDE/scripts, and it is a security best practice to serve these assets from a non-default location, we must set up a virtual directory in each site that relies on the assets in there.
  • Page 46 4.1.6 Update Java Virtual Machine The Java Virtual Machine included with the ColdFusion installer may not be the latest JVM supported by Adobe ColdFusion 10, or it may contain security issues. Download the JVM from java.oracle.com. 4.1.7 Block Unused file types ColdFusion provides a number of capabilities that are not used commonly which can be blocked.
  • Page 47 4.1.8 Remove Unused Handler Mappings The ColdFusion connector installer, adds a number of handler mappings on IIS as the following diagram shows: Mappings that are not used may be removed. Note that you should also block the removed extensions using Request Filtering as shown in the previous section.
  • Page 48 .NET Extensibility and CGI, which are required by the connector installer, may not be needed at runtime. This approach, while it may provide additional security by allowing removal of unused software, has two drawbacks. First, this is not a procedure that is officially documented or supported by Adobe; they do not test...
  • Page 49 Click on Server Updates > Updates and then select the latest hotfix, and click Download. Verify the integrity of the download by running md5sum on the hotfix_XXX.jar file and checking that it matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusion-updates...
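Section 2 has you compare the installer's MD5 against the value on the download page, and Section 4 repeats the check for every hotfix jar before it is handed to java -jar. The shell functions below are an added example and are not taken from the Adobe guide; they wrap that comparison so a mismatch stops the install instead of relying on a visual comparison of two hex strings. The file path and expected digest are the caller's inputs, and the md5 tool is detected at run time (md5sum on RHEL, md5 on Mac OS X, openssl as a fallback).

```shell
#!/bin/sh
# Added example, not from the Adobe guide: verify a ColdFusion installer or
# hotfix_XXX.jar against the MD5 published on the download page or update
# feed, and refuse to run it when the value does not match.

# file_md5 FILE
# Prints the MD5 hex digest using whichever tool the platform has:
# md5sum on RHEL, md5 on Mac OS X, openssl as a fallback.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED_MD5
# Returns 0 when the digest of FILE equals EXPECTED_MD5 (case-insensitive),
# 1 otherwise. Prints the verdict so it can be kept with the change record.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "FAIL $file: no such file" >&2
        return 1
    fi
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# install_hotfix HOTFIX_JAR EXPECTED_MD5
# The guide's "java -jar hotfix_XXX.jar" step, gated on the checksum.
install_hotfix() {
    verify_md5 "$1" "$2" || return 1
    java -jar "$1"
}
```

Typical use is install_hotfix {coldfusion-home}/cfusion/hf-updates/hotfix_XXX.jar followed by the digest copied from the update feed. MD5 only catches a corrupt or truncated download; it does not protect against a substituted file if the attacker can also alter the published value, so take the reference digest from the update feed over HTTPS (see the Site URL setting in Section 5) rather than from the same channel that delivered the file.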
  • Page 50 You may consider using chmod -R 550 /web instead of 750 if write permission is not needed by ColdFusion on all files or directories. # chcon -R --reference=/var/www /web 4.2.3: Specify permissions for ColdFusion Directories chown -R cfusion:root /opt/coldfusion10/ chmod -R 750 /opt/coldfusion10/ You should consider a more restrictive file permission structure which removes any unnecessary write permissions.
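After the chown -R cfusion:root and chmod -R 750 steps in 4.2.3 (and the 550 variant for the web root), it is worth verifying the result rather than trusting the recursive commands, since a later deployment or an unpacked update can reintroduce loose permissions. The script below is an added example and is not part of the Adobe guide; it reports files that are still reachable by "other", writable by the group, or not owned by the expected user and group. The directory, user and group are arguments; cfusion and root are the guide's own examples, and using the same owner with the webservices group for /web is an assumption.

```shell
#!/bin/sh
# Added example, not from the Adobe guide: audit a ColdFusion directory tree
# after the chown/chmod steps. Lists anything still reachable by "other",
# anything writable by the group, and anything not owned by the expected
# user:group, so unnecessary write permissions are found rather than assumed.

# audit_perms DIR OWNER [GROUP]
# Prints one finding per line as "REASON<TAB>PATH", sorted. Returns 0 when
# there is nothing to report, 1 when there is, 2 on a bad argument.
audit_perms() {
    dir="$1"; owner="$2"; group="${3:-root}"
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    report=$({
        # any read, write or execute/search bit set for "other"
        find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print \
            | awk '{print "world-accessible\t" $0}'
        # group write on files: 750/550 lets the web server group read, and
        # the group should not be able to change CFML or configuration
        find "$dir" -type f -perm -020 -print \
            | awk '{print "group-writable\t" $0}'
        # ownership drifted from the service account (cfusion:root in the guide)
        find "$dir" ! -user "$owner" -print \
            | awk '{print "wrong-owner\t" $0}'
        find "$dir" ! -group "$group" -print \
            | awk '{print "wrong-group\t" $0}'
    } | sort -u)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```

Run it as audit_perms /opt/coldfusion10 cfusion root after 4.2.3, and as audit_perms /web cfusion webservices for the web root (the web root owner and group are assumed here, the guide only shows the chmod). A non-zero exit from a cron job is a cheap way to notice when a deployment has loosened the tree again.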
  • Page 51 -bin /usr/sbin/httpd \ -script /etc/init.d/httpd At this point you will find that with SELinux enabled Apache will fail to start because the mod_jk (the Tomcat connector module for Apache) module does not have sufficient permissions, the error may look something like this: Starting httpd: httpd: Syntax error on line 1033 of /etc/httpd/conf/httpd.conf: Syntax error on line 2 of /etc/httpd/conf/mod_jk.conf: Cannot load /opt/coldfusion10/config/wsconfig/1/mod_jk.so into server:...
  • Page 52 The Java Virtual Machine included with the ColdFusion installer may not be the latest JVM supported by Adobe. Download the RPM for the JVM from java.oracle.com. After you run the binary the JVM is installed in /usr/java/ and a symbolic link pointing to the latest installed version is created at /usr/java/latest/. Point ColdFusion to this path to simplify future JVM updates.
  • Page 53 # cp jvm.config jvm.config.backup To update using ColdFusion Administrator: click on Server Settings > Java and JVM and then add /usr/java/latest/ to the Java Virtual Machine Path text box. To update via shell: Edit jvm.config in a text editor to locate the line beginning with java.home= for example: java.home=/opt/coldfusion10/jre Change that line to:...
  • Page 54 4.2.8 Add umask to startup script Edit the /etc/init.d/coldfusion10 startup script and add the following line near the top, but below the #description comment: umask 007 Consider a more restrictive umask that also limits the group permission. 4.3 Post Configuration Settings for Windows and Linux The following changes should be made to both Windows and Linux installs.
  • Page 55 /> This must be repeated for each ColdFusion instance created. 4.3.3 Apply any ColdFusion additional Security Patches Visit: http://www.adobe.com/support/security/ and read all pertinent ColdFusion Security Bulletins. Download and install any relevant security hotfixes not already installed. 4.3.4 Tomcat Shutdown Port Tomcat listens on a TCP port (8007 by default, may differ if multiple instances) for a SHUTDOWN command.
  • Page 56 Please note: Changing the port setting may cause the shutdown of the ColdFusion Service on Windows to fail, you may need to kill the process manually to stop ColdFusion. The Linux shutdown script should still work properly when the port is changed. 4.3.5 Add a connector shared secret Specify a shared secret for the AJP connector by editing {cf.instance.home}/runtime/conf/server.xml...
  • Page 57: Section 5: Coldfusion Administrator Settings

    Section 5: ColdFusion Administrator Settings In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions, and performs. Be sure to understand the implications of all settings before making any changes. 5.1 Server Settings >...
  • Page 58
    Setting: Disable access to internal ColdFusion Java components
    Default: Unchecked
    Recommendation: Checked
    Description: The internal ColdFusion Java components may allow administrative duties to be performed. Some developers may write code that relies on these components. This practice should be avoided as these components are not documented.
  • Page 59
    Setting: Enable In-Memory File System
    Default: Checked
    Recommendation: Unchecked if not used
    Description: If your applications do not require the in-memory file system, uncheck this checkbox. Ensure that you have sufficient heap space to accommodate the memory limit.
    Setting: Watch ...
    Default: Unchecked
    Recommendation: Unchecked
    Description: If an attacker is able to modify the configuration files...
  • Page 60
    Setting: Enable Global Script Protection
    Default: Unchecked
    Recommendation: Checked, but understand its limitations
    Description: This setting provides very limited protection against certain Cross Site Scripting attack vectors. It is important to understand that enabling this setting does not protect your site from all possible Cross Site Scripting attacks.
  • Page 61
    Setting: Missing Template Handler
    Default: Blank or /CFIDE/administrator/templates/missing_template_error.cfm
    Recommendation: Specified
    Description: The missing template handler should be equivalent to the 404 error handler specified on your web server. The default missing template handler allows a potential attacker to get a rough idea of the ColdFusion version in use.
  • Page 62
    Setting: Maximum size of post data
    Default: 100MB
    Recommendation: As low as possible
    Description: If your application does not deal with large HTTP POST operations (such as file uploads, or large web service requests), reduce this size to 1MB. If the application does allow uploads of files, set this to the maximum size you want to allow.
  • Page 63 5.2 Server Settings > Request Tuning The Request Tuning settings can help mitigate the ability to perform a successful Denial of Service (DOS) attack on your server.
    Setting: Maximum number of simultaneous ...
    Recommendation: Tuned based on hardware
    Description: When this setting is too high or too low the ability to perform a denial of...
  • Page 64
    Setting: Maximum number of simultaneous CFC function requests
    Recommendation: 1 if not using Remote CFC function requests, otherwise tuned.
    Description: This setting applies only to CFC functions that have access=remote specified, as they are invoked using /example.cfc?method=MethodName. This applies to methods invoked via the ColdFusion AJAX proxy as well.
  • Page 65 5.3 Server Settings > Client Variables
    Setting: Default Storage Mechanism for Client Sessions
    Default / Recommendation: None / Cookie
    Description: If applications have client management enabled a large amount of data can accumulate on the server. This can lead to a storage failure if disks become full.
  • Page 66
    Setting: Maximum Timeout: Session Variables
    Default: 2 Days
    Recommendation: Lower
    Description: Two days is generally too long for sessions to persist. Lower session timeouts reduce the window of risk of session hijacking.
    Setting: Default Timeout: Session Variables
    Default: 20 Minutes
    Recommendation: Lower
    Description: Twenty minutes is a good default value, but high security applications...
  • Page 67
    Setting: Disable updating ColdFusion internal cookies using ColdFusion tags/functions
    Default: Checked on Secure Profile
    Recommendation: Checked if all sites require SSL.
    Description: You can use this feature to prevent a developer from overriding your global session cookie security settings.
    5.5 Server Settings > Mail
    Setting Default Recommendation...
  • Page 68
    Setting: Query Timeout (seconds)
    Default: 0 (no timeout)
    Recommendation: Specified
    Description: Specify an upper limit to mitigate DOS attacks.
    Setting: Allowed SQL
    Default: SELECT, INSERT, UPDATE, DELETE, ...
    Recommendation: Enable only what your application requires.
    Description: The CREATE, DROP, ALTER, GRANT, and REVOKE operations are not commonly used in web applications.
  • Page 69 5.8 Debugging & Logging > Debug Output Settings
    Setting: Enable Robust Exception Information
    Default: Unchecked
    Recommendation: Unchecked
    Description: When robust exception information is enabled, sensitive information may be disclosed when exceptions occur.
    Setting: Enable AJAX Debug Log
    Default: Unchecked
    Recommendation: Unchecked
    Description: Debugging should not be enabled on a production server.
  • Page 70 5.10 Debugging & Logging > Logging Settings
    Setting: Log directory
    Default: {cf-root}/logs
    Description: Ensure that the location of this directory has sufficient storage space to hold Maximum File Size multiplied by the Maximum number of archives multiplied by the number of log files (6 or more).
  • Page 71 5.11 Event Gateways > Settings
    Setting: Enable ColdFusion Event Gateway Services
    Default: Checked
    Recommendation: Unchecked, if not using Event Gateways
    Description: If you do not use Event Gateways, disable the Event Gateway Service.
    5.12 Security > Administrator
    Setting Default Recommendation Description ColdFusion ... Separate user...
  • Page 72 5.13 Security > RDS
    Setting: Enable RDS
    Default: Unchecked
    Recommendation: Unchecked
    Description: RDS should not be enabled on a production server. If RDS was previously enabled, ensure that the /WEB-INF/web.xml does not contain a ServletMapping for the RDSServlet.
    5.14 Security > Sandbox Security
    Setting Default Recommendation...
  • Page 73 5.15 Security > Allowed IP Addresses
    Setting: Allowed IP Addresses for Exposed Services
    Default: None
    Description: Any IP address in this list may execute remote services that expose server functionality via web services. To invoke these web services the client must be on the allowed IP list, and have a username and password.
  • Page 74
    Setting: Site URL
    Default: http://www.adobe.com/go/coldfusion-updates
    Recommendation: HTTPS version of the url, or specify an internal URL
    Description: Change the default URL to https to avoid a spoofed update. If your network security policy does not allow external internet...
  • Page 75 Section 6: ColdFusion Server Services ColdFusion provides a large number of services for developers to take advantage of. Most applications do not make use of all these services, and can therefore be disabled to improve security. 6.1 Servlets and Servlet Mappings in web.xml All JEE web applications have a file in the WEB-INF directory called web.xml this file defines the servlets and servlet mappings for the JEE web application.
  • Page 76 In addition some servlets may depend on each other, so it may be better to just remove the servlet- mapping instead. Be sure to backup web.xml before making changes, as incorrect changes may prevent the server from starting. 6.2 Disabling RDS if Already Installed If RDS was installed on the server it may be disabled by placing XML comments around the RDS Servlet Mapping and the RDS Servlet.
  • Page 77 JWS Files are Java Web Services files most ColdFusion applications do not use them. To remove support, simply remove the servlet mapping: <servlet-mapping id="coldfusion_mapping_10"> <servlet-name>CFCServlet</servlet-name> <url-pattern>*.jws</url-pattern> </servlet-mapping> Note that the jws mapping should also be removed on your webserver. 6.4 Disabling the GraphServlet The GraphServlet is used to serve SWF’s or images generated by cfchart and the deprecated cfgraph tags.
  • Page 78 <servlet-name>MessageBrokerServlet</servlet-name> <url-pattern>/flex2gateway/*</url-pattern> </servlet-mapping> <servlet-mapping id="coldfusion_mapping_1"> <servlet-name>FlashGateway</servlet-name> <url-pattern>/flashservices/gateway/*</url-pattern> </servlet-mapping> 6.6 Disabling Flash Form Servlet Mappings If you are not using Flash forms (<cfform format="flash" ...>)you can disable the servlet mappings used to serve flash forms. Remove flash form servlet mappings: <servlet-mapping id="coldfusion_mapping_13"> <servlet-name>CFFormGateway</servlet-name>...
  • Page 79 If you are not using the cfreport you can change the servlet mapping for *.cfr to point to the CFForbiddenServlet, this servlet will return 403 forbidden response if a cfr file is requested: <servlet-mapping id="coldfusion_mapping_12"> <servlet-name>CFCServlet</servlet-name> <url-pattern>*.cfr</url-pattern> </servlet-mapping> Change to: <servlet-mapping id="coldfusion_mapping_12">...
  • Page 80 <servlet-mapping id="coldfusion_mapping_14"> <servlet-name>CFFileServlet</servlet-name> <url-pattern>/CFFileServlet/*</url-pattern> </servlet-mapping> 6.10 Disabling Remote CFC Invocation The CFCServlet is used to serve SOAP web service requests, remote CFC method invocation (eg file.cfc?method=doSomething), AIR synchronization, and flash remoting. If you do not require these features you can change the servlet mappings that point to the CFCServlet to point to the CFForbiddenServlet instead.
  • Page 81 Note: it is important that you do not delete these mappings, as this would allow your CFC source code to be downloaded.
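Sections 6.1 through 6.10 edit web.xml by hand, and the note above warns that deleting the wrong mapping serves CFC source as text. The script below is an added example and is not part of the Adobe guide: it lists the active servlet mappings (anything inside an XML comment counts as disabled, which is how 6.2 removes RDS) and applies the Section 6 checklist, so the file can be re-audited after any later change. The servlet names and URL patterns are the ones Section 6 shows; the RDSServlet URL pattern used in the usage note and the sample web.xml are constructed for illustration, and the web.xml path is an example.

```shell
#!/bin/sh
# Added example, not from the Adobe guide: audit the servlet mappings in a
# ColdFusion web.xml against the Section 6 checklist. Mappings wrapped in
# <!-- --> count as disabled, which is how 6.2 tells you to disable RDS.

# list_mappings WEB_XML
# Prints "SERVLET-NAME URL-PATTERN" for every active <servlet-mapping>.
list_mappings() {
    awk '
        # drop XML comments, which may span several lines
        {
            line = $0
            while (1) {
                if (incomment) {
                    e = index(line, "-->")
                    if (e == 0) { line = ""; break }
                    line = substr(line, e + 3); incomment = 0
                } else {
                    s = index(line, "<!--")
                    if (s == 0) break
                    rest = substr(line, s + 4)
                    e = index(rest, "-->")
                    if (e == 0) { line = substr(line, 1, s - 1); incomment = 1; break }
                    line = substr(line, 1, s - 1) substr(rest, e + 3)
                }
            }
            buf = buf " " line
        }
        # walk the flattened document one <servlet-mapping> block at a time
        END {
            while ((s = index(buf, "<servlet-mapping")) > 0) {
                e = index(buf, "</servlet-mapping>")
                if (e == 0) break
                blk = substr(buf, s, e - s)
                buf = substr(buf, e + 18)
                name = text(blk, "servlet-name")
                pat = text(blk, "url-pattern")
                if (name != "" && pat != "") print name, pat
            }
        }
        # text of the first <tag>...</tag> inside b, trimmed
        function text(b, tag,    a, z, v) {
            a = index(b, "<" tag ">")
            if (a == 0) return ""
            v = substr(b, a + length(tag) + 2)
            z = index(v, "</" tag ">")
            if (z == 0) return ""
            v = substr(v, 1, z - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            return v
        }
    ' "$1"
}

# audit_mappings WEB_XML
# Applies the Section 6 checklist to the active mappings. Prints one finding
# per line; returns 0 when nothing was flagged, 1 otherwise.
audit_mappings() {
    maps=$(list_mappings "$1")
    n=0
    has()  { printf '%s\n' "$maps" | grep -q "$1"; }
    flag() { n=$((n + 1)); echo "$1"; }

    # 6.2: RDS must not be reachable on a production server
    has '^RDSServlet '           && flag "remove: RDSServlet mapping (6.2)"
    # 6.3: Java web services (*.jws) are rarely used
    has '^CFCServlet \*\.jws$'   && flag "remove unless used: *.jws (6.3)"
    # 6.4: GraphServlet serves cfchart / cfgraph output
    has '^GraphServlet '         && flag "remove unless used: GraphServlet (6.4)"
    # 6.5: Flash remoting gateways
    has '^MessageBrokerServlet ' && flag "remove unless used: /flex2gateway/* (6.5)"
    has '^FlashGateway '         && flag "remove unless used: /flashservices/gateway/* (6.5)"
    # 6.6: Flash forms
    has '^CFFormGateway '        && flag "remove unless used: CFFormGateway (6.6)"
    # cfreport: point *.cfr at CFForbiddenServlet rather than deleting it
    has '^CFCServlet \*\.cfr$'   && flag "map to CFForbiddenServlet unless used: *.cfr (cfreport)"
    # CFFileServlet serves cfimage / cfreport / cfpresentation output
    has '^CFFileServlet '        && flag "remove unless used: /CFFileServlet/* (cffileservlet)"
    # 6.10 note: the *.cfc mapping must never be deleted, only re-pointed
    has ' \*\.cfc$'              || flag "ERROR: no *.cfc mapping; CFC source would be downloadable (6.10)"

    [ "$n" -eq 0 ]
}
```

Run it as audit_mappings /opt/coldfusion10/cfusion/wwwroot/WEB-INF/web.xml (path as an example for a default Linux install) and treat a non-zero exit as "read the findings". Each "remove unless used" line is a decision, not an error: the checklist cannot know whether cfchart or Flash forms are in use, but the ERROR line is unconditional, because the page's own note says deleting the CFCServlet mapping exposes source.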
  • Page 82 6.11 Adding ClickJacking Protection ColdFusion 10 includes two new Servlet Filters, CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these filters the X-Frame-Options HTTP header will be returned with a value of DENY or SAMEORIGIN. You can add a filter-mapping in web.xml to enable these filters for a given URI; this functionality could also be accomplished at the web server level.
  • Page 83: Section 7: Patch Management Procedures

    Most vendors have a security mailing list that will notify you by email when vulnerabilities are discovered. Check the following websites frequently: Adobe Security Bulletins: http://www.adobe.com/support/security/ Microsoft Security Tech Center: http://technet.microsoft.com/en-us/security/default.aspx...
  • Page 84: Appendix A: Sources Of Information

    Appendix A: Sources of Information
    A.1 - Microsoft Security Compliance Management Toolkit: http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e
    A.2 - NSA Operating System Security Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
    A.3 - NSA Guide to Secure Configuration of Red Hat Enterprise Linux 5: http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
    A.4 - ColdFusion and SELinux: http://www.talkingtree.com/blog/index.cfm?mode=entry&entry=28ED0616-50DA-0559-A0DD2E158FF884F3
    A.5 - ColdFusion MX with SELinux Enforcing:...
  • Page 85: Appendix B: List Of Acronyms

    Appendix B: List of Acronyms
    Acronym   Meaning
    RHEL      Red Hat Enterprise Linux
    IIS       (Microsoft) Internet Information Server
    DOS       Denial of Service
    SSL       Secure Socket Layer - Protocol often used for https
    HTTPS     Hypertext Transfer Protocol Secure - Encryption layer for HTTP
    HTTP      Hypertext Transfer Protocol
    SSH       Secure Shell - Protocol used for connecting to a remote server, typically on unix.
  • Page 86
    RDS       Remote Development Services
    XSS       Cross Site Scripting
    CSRF      Cross Site Request Forgery. Also referred to as XSRF.
    CFC       ColdFusion Component
    IP        Internet Protocol...
  • Page 87: For More Information

    Adobe, the Adobe logo, Adobe AIR, AIR, ColdFusion, Flash, JRun, and LiveCycle are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Mac OS is a trademark of Apple Inc., registered in the U.S. and other countries. Linux is the registered trademark of Linus Torvalds in the U.S.
