The previous sections focused on secure ColdFusion coding practices, but if the installation of ColdFusion is configured insecurely, all of that work is for nothing. Securing the ColdFusion Application Server requires making the OS, web server, and the ColdFusion configuration secure. For ColdFusion 9, Adobe published the Adobe ColdFusion 9 Server Lockdown Guide which covered how to properly configure ColdFusion 9 on Windows or Linux. It covered various OS settings, connecting ColdFusion to IIS or Apache, and settings within the ColdFusion Administrator.
ColdFusion 10 introduced the Secure Profile that can be enabled during installation. It simplifies securing ColdFusion by applying more secure defaults to the configuration instead of having to apply them manually. Some of the settings changes are:
- Disables the RDS service
- Enables separate username and password for Administrator and RDS
- Restricts access to ColdFusion Administrator to a list of IP addresses
- Provides default missing template, site-wide error, and request queue timeout pages to reduce information leakage
- Disables all debugging
Adobe recommends using Secure Profile for production or public-facing servers.
Additional Resources:
ColdFusion has had security sandboxing for quite a long time, but is probably an under utilized option that can help secure ColdFusion because it is only really useful in Enterprise. Sandboxing allows you to restrict access to data sources, ColdFusion tags/functions, directories, and servers/ports on a subdirectory. If a piece of ColdFusion code tries to access a restricted resource in the sandbox, ColdFusion will throw an error. The best use of sandboxing is to restrict everything on the webroot of a server and then only allow what is needed per the subdirectory (web application).
Additional Resources:
- The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Second Edition by Dafydd Stuttard and Marcus Pinto
- SQL Injection Attacks and Defense, Second Edition by Justin Clarke
- XSS Attacks: Cross Site Scripting Exploits and Defense by Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov and Anton Rager