MACROMEDIA COLDFUSION 4.5 - ADMINISTERING COLDFUSION SERVER Manual page 301

Chapter 8: ColdFusion Security
Deploying Applications with Basic Security
Basic security lets you disable execution of CFML tags that would present a security
hazard if they were used in a ColdFusion application, such as tags that can be used to
upload, delete, or otherwise manipulate files on the ColdFusion server. ColdFusion
displays an error when it encounters a disabled tag in an application.
Apart from the ability to restrict CFML tags, Basic security provides no runtime security
for ColdFusion applications. When Basic security is implemented, the responsibility
for securing applications falls mainly to the application developers. For example,
developers must authenticate the end users of their applications by creating customized
user directories. Developers can also integrate existing user directories, such as NT
domains, by using any of the custom extension mechanisms supported by ColdFusion,
including CFX tags and COM or CORBA objects. Similarly, developers must custom-build
all access privileges into each of their applications.
Deploying Applications with Advanced Security
Advanced security lets ColdFusion developers authenticate users and match protected
resources with authorized users. Advanced security builds consistent, standardized
authentication directly into the ColdFusion server engine, making it easier for developers
to control all aspects of access to their applications.
When Advanced security is implemented, developers do not need to create customized
directories or databases to authenticate users; Advanced security can automatically
authenticate users against existing LDAP directories, NT domains, or ODBC data
sources. Advanced security also makes it easier to enforce access rights for
authenticated users and groups. You can expressly grant or forbid run-time access to
ColdFusion applications, CFML tags, collections, components, data sources, files,
directories, and custom tags on a user-by-user or group-by-group basis. For example,
you could use Advanced security to:
- Restrict sensitive CFML tags such as <CFREGISTRY> so that they can be used only by
  members of the NT Domain Administrators group of the local domain.
- Make a sensitive search collection available only to your company's Human
  Resources staff. No matter which applications use the collection, it would only
  ever be available to this one group.
- Make CORBA or COM objects that work with a company's financial information
  available only to the departments and Web applications that require them.
In the Enterprise edition of ColdFusion, Advanced security also lets you run
applications in a security sandbox, which assigns security permissions to any
application running from a specified directory tree. Unlike other Advanced security
features, security sandboxes automatically enforce control over resources without
additional coding to authenticate and authorize users. Security sandboxes eliminate
the risk that one application will access another application's resources, and are most
useful for hosted sites where multiple ColdFusion applications are deployed on the
same server.
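As an added illustration (not ColdFusion code, and not its configuration format), the following Python models the two enforcement modes this section describes: per-user and per-group grants on named resources, where an explicit deny wins, and a directory-tree sandbox whose grants apply to everything running beneath that tree regardless of which user is authenticated. The resource types, group names, users and paths are constructed assumptions.

```python
from dataclasses import dataclass, field
from posixpath import commonpath

@dataclass
class Policy:
    groups: dict = field(default_factory=dict)     # user -> set of group names
    rules: list = field(default_factory=list)      # (type, name, principal, allow)
    sandboxes: dict = field(default_factory=dict)  # dir tree -> {(type, name)}

def principals(policy, user):
    """Identities a rule can name: the user plus every group the user belongs to."""
    return {f"user:{user}"} | {f"group:{g}" for g in policy.groups.get(user, ())}

def sandbox_for(policy, app_path):
    """Most specific sandboxed directory tree containing app_path (absolute), else None."""
    best = None
    for tree in policy.sandboxes:
        if commonpath([tree, app_path]) == tree and (best is None or len(tree) > len(best)):
            best = tree
    return best

def is_authorized(policy, user, rtype, name, app_path):
    """Deny by default. A sandboxed application gets only its tree's grants, with
    no user lookup; elsewhere user/group rules apply and any explicit deny wins."""
    tree = sandbox_for(policy, app_path)
    if tree is not None:
        return (rtype, name) in policy.sandboxes[tree]
    who = principals(policy, user)
    verdicts = [allow for (t, n, p, allow) in policy.rules
                if t == rtype and n == name and p in who]
    return bool(verdicts) and all(verdicts)

# Constructed sample policy mirroring the examples in the text above (assumed names).
DEMO = Policy(
    groups={"alice": {"Domain Admins"}, "bob": {"HR"}, "carol": {"Domain Admins"}},
    rules=[
        ("CFTag", "CFREGISTRY", "group:Domain Admins", True),
        ("CFTag", "CFREGISTRY", "user:carol", False),      # per-user deny override
        ("Collection", "HRDocs", "group:HR", True),
    ],
    sandboxes={"/apps/hosted/siteA": {("DataSource", "siteA_db")}},
)

if __name__ == "__main__":
    print(is_authorized(DEMO, "alice", "CFTag", "CFREGISTRY", "/apps/admin/x.cfm"))  # True
    print(is_authorized(DEMO, "alice", "DataSource", "siteB_db", "/apps/hosted/siteA/x.cfm"))  # False
```

The last call shows the sandbox property the text relies on: even a Domain Administrator running code under siteA's tree cannot reach another site's data source, because inside a sandbox only the tree's own grants are consulted.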