Choosing A Level Of Coldfusion Security - MACROMEDIA COLDFUSION 5-ADVANCED ADMINISTRATION Manual

If your Web server connections are encrypted with SSL, all communications,
including ColdFusion transmissions, are automatically encrypted. You do not have
to do anything from within ColdFusion to activate data encryption.

Choosing a Level of ColdFusion Security

The rest of this chapter is designed to help you decide which type of ColdFusion
security is right for your particular development needs. Basic and Advanced security
are mutually exclusive ColdFusion features. When you install ColdFusion Server,
Basic security is turned on by default. If you turn on Advanced security, it
automatically overrides all your Basic security settings except one: Tags you
protected with Basic security remain protected when you implement Advanced
security.

Note
If you turn off both Basic and Advanced security, all ColdFusion resources and server
administration functions become available to anyone who has access to the server.
When you install ColdFusion Server, leave Basic security passwords in place until you
have finalized your security plan and are ready to implement it.

As you begin to think about how you will secure your Web applications, keep these
important points in mind:

Security is never absolute. Technology is fast-evolving and the Web is, by nature,
an environment that favors openness and access over privacy and security. You
should regularly review your security plans to make sure your company hasn't
outgrown them.

No single security model is perfect for every application or development
environment. For example, an intranet deployed only to employees from a server
behind your company's firewall and an e-commerce site on the Web would have
very different security plans. When they plan applications, ColdFusion
developers must weigh the costs and benefits of the various security alternatives
in the context of the project requirements.

Trust is perhaps the most important concept to consider when you are planning
any security strategy. When users decide whether or not to download something
from the Web, the decision usually depends on whether they trust the site. The site
can engender trust in any number of ways, for instance by providing a digital certificate.
Similarly, how open you choose to make your ColdFusion environment depends
on whether or not all your users are trusted. Generally speaking, the level of trust
is inversely proportional to the level of security you need to implement. If trust is
high—for example, if your development group consists of five people and they all
access the ColdFusion server over a LAN—then you can probably manage with a
less secure environment. However, if trust is lower—for example, if you're an
Internet Service Provider (ISP) hosting a development site—then you will need to
implement a more complex and restrictive security plan. The more public the
application or development environment, the lower the level of trust.
Chapter 3 ColdFusion Security

This manual is also suitable for:

Coldfusion 5