Securing the ColdFusion Administrator
The ColdFusion Administrator is a powerful tool that lets you perform administrative
tasks like managing server performance, adding and configuring ColdFusion data
sources, scheduling pages, and managing log files. You can secure the Administrator
with either Basic or Advanced Security. Just as with application development and
deployment, the level of security that controls administrative access depends on the
level of trust.
Note
You can access the ColdFusion Administrator either locally or remotely. Because the
ColdFusion Administrator is a Web-based interface, it inherits the level of encryption
you set on the Web server on which ColdFusion is installed. If the Administrator is
installed on a Web server that encrypts Web connections, information sent to the
server during remote server administration is automatically encrypted.
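The Note above means a remote Administrator session is only as protected as the Web server listener it arrives on. The following added example (not part of the original manual) scans a Web server access log for Administrator requests from non-local clients on a non-encrypted listener. The /CFIDE/administrator/ path, the log format, and the sample lines are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address

# Assumption: Administrator URL prefix; adjust to match your installation.
ADMIN_PREFIX = "/cfide/administrator/"
# Assumption: log written with Apache LogFormat "%h %p %t \"%r\" %>s",
# where %p is the listener port (443 = encrypted, 80 = plaintext).
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<port>\d+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

def is_local(client):
    """True only for loopback addresses; hostnames are treated as remote."""
    try:
        return ip_address(client).is_loopback
    except ValueError:
        return False

def plaintext_admin_requests(lines, tls_ports=frozenset({443})):
    """Return remote Administrator requests that arrived on a non-TLS listener."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than guessing
        path = m["path"].split("?", 1)[0].lower()
        if not path.startswith(ADMIN_PREFIX):
            continue  # not an Administrator page
        if int(m["port"]) in tls_ports or is_local(m["client"]):
            continue  # encrypted listener, or never left the machine
        findings.append({"client": m["client"], "time": m["ts"],
                         "method": m["method"], "path": m["path"]})
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '127.0.0.1 80 [10/Oct/2001:13:55:36 -0700] "GET /CFIDE/administrator/index.cfm HTTP/1.0" 200',
    '192.0.2.10 443 [10/Oct/2001:14:01:02 -0700] "POST /CFIDE/administrator/index.cfm HTTP/1.0" 200',
    '198.51.100.7 80 [10/Oct/2001:14:05:40 -0700] "POST /CFIDE/administrator/index.cfm HTTP/1.0" 200',
    '198.51.100.7 80 [10/Oct/2001:14:06:11 -0700] "GET /index.cfm HTTP/1.0" 200',
]

if __name__ == "__main__":
    for hit in plaintext_admin_requests(SAMPLE_LOG):
        print("unencrypted remote Administrator access:", hit)
```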
Securing the Administrator with Basic security
When Basic security is implemented, you enter a password to access the
ColdFusion Administrator. (Note that the ColdFusion Administrator password is
separate from the RDS security password.) Anyone who knows the administrative
password can gain access to all the functionality of the ColdFusion Administrator.
This situation may be desirable if you're implementing ColdFusion in a small group
where no one person is a designated administrator and everyone pitches in with
administrative tasks.
The liabilities of using Basic security to protect the ColdFusion Administrator are
similar to those discussed in "Developing applications with Basic security" on page
63:
Password vulnerability: If the administrative password is lost, hacked, or stolen,
server security is compromised. See "Data encryption" on page 61 for
information about protecting communications, including password
transmissions, between your server and clients.
Generalized access control: Anyone who knows the administrative password
has full access to the ColdFusion Administrator. Users who are not familiar with
the Administrator could unwittingly cause problems by changing administrative
settings.
Securing the Administrator with Advanced security
When Advanced security is implemented, you have complete control over who can
access the ColdFusion Administrator. Additionally, you can decentralize ColdFusion
server management by assigning varying degrees of administrative access to a select
number of users. If you manage ColdFusion servers for a large, diverse organization
or for hosted sites, you'll likely find that the ability to delegate server management
tasks helps you run your operation more efficiently. See "Securing the ColdFusion
Administrator" on page 102 in Chapter 5, "Configuring Advanced Security" on
page 79 for more information.
Chapter 3 ColdFusion Security