This article goes over securing the CFIDE directory of ColdFusion against malicious uploads (http://www.adobe.com/support/security/advisories/apsa13-01.html).

Update 1/16/2013: Adobe has issued a patch (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html). DataBank still recommends locking down ColdFusion as described below in addition to applying the patch.

Update 5/15/2013: Due to recent changes in security on DataBank's network, all CF Administrator requests are locked down to internal connections only (i.e. from RDC, or through an SSH tunnel for Linux).

Note that if you are adding a new site to the server, you will need to repeat the steps below for that site's CFIDE directory; the restrictions are set per virtual directory, so a new site is unprotected until they are applied to it.
- Log into the server via Remote Desktop.
- For IIS 7.x, first unlock the ipSecurity configuration section so it can be set per site and directory. Run the following from an elevated command prompt: %windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/ipSecurity
- Open Internet Information Services (IIS) Manager and expand the websites. Find the CFIDE virtual directory for each website and select it. Expand the CFIDE virtual directory and lock down the following directories: AIR, appdeployment, debug, images, orm, portlets, scheduler, ServerManager, Services, Websocket, wizards, and main, and, directly under the CFIDE folder, the administrator, adminapi, and componentutils directories together with the files probe.cfm and multiservermonitor-access-policy.xml.
- With each directory or file selected, open the IP Address and Domain Restrictions feature (the "IP and Domain Restrictions" role service must be installed for this icon to appear) and choose Add Allow Entry... from the Actions sidebar.
- Enter 127.0.0.1 as an allow entry for every directory and file listed above, and 69.63.128.150 (the EWH IP address) for the administrator directory only. Then choose Edit Feature Settings... in the Actions sidebar and set Access for unspecified clients to Deny; without that default deny, an allow entry on its own blocks nothing. This leaves only localhost (plus the EWH address for the administrator directory) able to reach those paths, thereby preventing malicious uploads through them. You must do this for each CFIDE virtual directory on the server, i.e. for every website in IIS that has one. Note that if your server is behind a firewall or NAT device, requests may arrive from an internal address, so you may need to add the server's internal IP address range to the allow list or legitimate requests will be denied too.
- For IIS 6.x (the older MMC console with the Directory Security tab), log into the server via Remote Desktop.
- Open Internet Information Services (IIS) Manager and expand the websites. Find the CFIDE virtual directory for each of the websites on the server. Expand the CFIDE virtual directory and lock down the following directories: AIR, appdeployment, debug, images, orm, portlets, scheduler, ServerManager, Services, Websocket, wizards, and main, and, directly under the CFIDE folder, the administrator, adminapi, and componentutils directories together with the files probe.cfm and multiservermonitor-access-policy.xml.
- Open the Properties of each one, choose the Directory Security tab and click Edit next to IP address and domain name restrictions.
- Select Denied Access (so that every address not listed is refused) and click the Add button to enter the exceptions: 127.0.0.1 for every directory and file listed above, and 69.63.128.150 (the EWH IP address) for the administrator directory only. Click OK to close the popup windows.
- Do this for all of the folders and files listed above. This leaves only localhost (plus the EWH address for the administrator directory) able to reach those paths, thereby preventing malicious uploads through them. You must do this for each CFIDE virtual directory on the server, i.e. for every website in IIS that has one. Note that if your server is behind a firewall or NAT device, requests may arrive from an internal address, so you may need to add the server's internal IP address range to the allow list or legitimate requests will be denied too.
- For Linux (Apache), SSH into the server and become root. Open the Apache configuration file that applies to all sites (httpd.conf) and add the following blocks. Each one denies every client by default and then allows only localhost and the EWH address; adjust the allow lines to your own management addresses or internal range:

    <LocationMatch "/CFIDE/administrator/">
        order deny,allow
        deny from all
        # allow from local and EWH
        allow from 127.0.0.1
        allow from 69.63.128.150
    </LocationMatch>

    <LocationMatch "/CFIDE/adminapi">
        order deny,allow
        deny from all
        # allow from local and EWH
        allow from 127.0.0.1
        allow from 69.63.128.150
    </LocationMatch>

    <LocationMatch "/CFIDE/componentutils">
        order deny,allow
        deny from all
        # allow from local and EWH
        allow from 127.0.0.1
        allow from 69.63.128.150
    </LocationMatch>

  These are Apache 2.2 access-control directives (order/deny/allow); on Apache 2.4 they only work with mod_access_compat loaded, otherwise use the equivalent Require directives. LocationMatch patterns are case-sensitive regular expressions, so if the server treats /cfide/ the same as /CFIDE/, prefix the pattern with (?i).
- Save the file, check the syntax (apachectl configtest) so a typo does not leave the server down, and restart Apache.
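The IIS 7.x procedure above (allow entries for every listed CFIDE path, a default deny for unspecified clients, repeated for every website) is tedious by hand and is easy to get wrong on a server with many sites. The following script is an added example, not DataBank's script and not part of the article; it automates those steps with the WebAdministration module that ships with IIS 7.x and later. It assumes it runs in an elevated PowerShell on the IIS host after the appcmd unlock step, that each site's CFIDE is a virtual directory named /CFIDE directly under the site, and that the allow list should match the article (127.0.0.1 everywhere, 69.63.128.150 on /CFIDE/administrator only). $InternalRange is a placeholder to fill in when the server sits behind a firewall; the function and variable names are this example's own.

```powershell
# Added example (not from the article): apply the IIS 7.x CFIDE lockdown to every site.
# Assumes: elevated PowerShell on the IIS host, WebAdministration module (IIS 7.x+),
# and the ipSecurity section already unlocked with appcmd as described in the steps above.
Import-Module WebAdministration

$PsPath        = 'MACHINE/WEBROOT/APPHOST'
$Filter        = 'system.webServer/security/ipSecurity'
$Localhost     = '127.0.0.1'
$AdminOnlyIp   = '69.63.128.150'   # EWH address from the article; allowed on /CFIDE/administrator only
$InternalRange = $null             # placeholder, e.g. @{ ipAddress = '10.0.0.0'; subnetMask = '255.255.255.0' }

# Everything the article says to restrict, relative to the CFIDE virtual directory
$LockPaths = @(
    'AIR', 'appdeployment', 'debug', 'images', 'orm', 'portlets', 'scheduler',
    'ServerManager', 'Services', 'Websocket', 'wizards', 'main',
    'administrator', 'adminapi', 'componentutils',
    'probe.cfm', 'multiservermonitor-access-policy.xml'
)

function Set-CfideLockdown {
    param([string]$Site, [string]$SubPath)
    $location = "$Site/CFIDE/$SubPath"

    # "Access for unspecified clients: Deny" - without this the allow entries block nothing
    Set-WebConfigurationProperty -PSPath $PsPath -Location $location -Filter $Filter `
        -Name allowUnlisted -Value $false

    # Allow list: localhost everywhere, the EWH address only on the administrator directory,
    # and an optional internal range for servers behind a firewall
    $entries = @(@{ ipAddress = $Localhost; allowed = 'true' })
    if ($SubPath -eq 'administrator') {
        $entries += @{ ipAddress = $AdminOnlyIp; allowed = 'true' }
    }
    if ($InternalRange) {
        $entries += @{ ipAddress = $InternalRange.ipAddress; subnetMask = $InternalRange.subnetMask; allowed = 'true' }
    }

    # Add each entry only once so the script can be re-run (e.g. after adding a site) safely
    $existing = (Get-WebConfiguration -PSPath $PsPath -Location $location -Filter $Filter).Collection
    foreach ($e in $entries) {
        if (-not ($existing | Where-Object { $_.ipAddress -eq $e.ipAddress })) {
            Add-WebConfigurationProperty -PSPath $PsPath -Location $location -Filter $Filter -Name '.' -Value $e
        }
    }
}

function Get-CfideLockdownReport {
    # Read the effective settings back so they can be checked against the article's list
    foreach ($site in Get-Website) {
        foreach ($p in $LockPaths) {
            $loc = "$($site.Name)/CFIDE/$p"
            $cfg = Get-WebConfiguration -PSPath $PsPath -Location $loc -Filter $Filter -ErrorAction SilentlyContinue
            if ($cfg) {
                $allowed = ($cfg.Collection | Where-Object { $_.allowed -eq $true } |
                            ForEach-Object { $_.ipAddress }) -join ', '
                '{0,-60} allowUnlisted={1,-5} allowed={2}' -f $loc, $cfg.allowUnlisted, $allowed
            }
        }
    }
}

foreach ($site in Get-Website) {
    # Only sites that actually expose a CFIDE virtual directory need the lockdown
    $hasCfide = Get-WebVirtualDirectory -Site $site.Name | Where-Object { $_.path -eq '/CFIDE' }
    if (-not $hasCfide) { continue }
    foreach ($p in $LockPaths) { Set-CfideLockdown -Site $site.Name -SubPath $p }
}
Get-CfideLockdownReport
```

Run it once after the appcmd unlock and again whenever a site is added; the existence check keeps repeated runs from duplicating entries. The report at the end is the check worth reading before walking away: every CFIDE path should show allowUnlisted=False and only the expected addresses in the allowed column. A line that still shows allowUnlisted=True means the allow entry was added without the default deny and the path is still reachable from anywhere.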
Last Modified:Thursday, September 20, 2018 2:18 PM
Type: HOWTO
Level: Novice