Network security vulnerabilities are among the first threats to any Internet- or intranet-facing application server. This section deals with the process of hardening hosts on the network against these vulnerabilities. It addresses network segmentation, TCP/IP stack hardening, and the use of firewalls for host protection.
| Standard | Place ColdFusion servers within a demilitarized zone (DMZ). |
|---|---|
| Description | Segmentation should exist in at least two levels for web servers. Separate the external network from the DMZ that contains the web servers, which in turn must be separated from the internal network. Use firewalls to implement the layers of separation. Categorize and control the traffic that passes through each network layer to ensure that only the absolute minimum of required data is allowed. |
| Standard | Use Network Address Translation (NAT) with RFC 1918 private IP addresses on ColdFusion application servers. |
| Description | Assign private IP addresses (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) to the application servers. Private addresses are not routable on the public Internet, so an attacker cannot reach a NAT'd internal host directly; the only path in is through the NAT device, where the firewall rules apply. Treat NAT as a supplement to the firewall, not a substitute for it: it does nothing to stop traffic that the firewall already forwards. |
| Standard | Use a firewall to protect exposed network perimeters. |
| Description | Use the following criteria to select a firewall solution: |
| Standard | Do not use default listening ports for databases (Oracle – 1521, MS SQL – 1433). |
| Description | See the database documentation for how to change the listener port. A non-default port only removes the server from casual scans; also restrict the database port at the internal firewall so that only the ColdFusion servers' addresses can reach it, and verify with a port scan from outside the DMZ that neither the default nor the new port is exposed. |
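The standards above describe the network firewalls; the same principle applies on the ColdFusion host itself, which should only accept the ports the application serves. The following is an added example, not code from the lockdown guide, using the `netsh firewall` context that Windows Server 2003 SP1 provides (Windows Server 2008 and later replace it with `netsh advfirewall`). The management subnet 10.1.50.0/24, the use of HTTP and HTTPS, and the log location are assumptions to adapt to your network.

```powershell
# Added example (not from the ColdFusion lockdown guide): host firewall on the
# ColdFusion server as a second layer behind the DMZ firewall.
# Assumptions: management hosts live in 10.1.50.0/24; the application serves
# TCP 80 and 443; Windows Server 2003 SP1 netsh syntax.
$mgmtSubnet = '10.1.50.0/24'

# Turn the firewall on. exceptions=ENABLE is required, otherwise every port
# opening below is ignored ("no exceptions" mode).
& netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

# Drop the built-in exceptions a dedicated web server does not need.
& netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
& netsh firewall set service type=UPNP mode=DISABLE profile=ALL

# The only ports reachable from anywhere are the ones the application serves.
& netsh firewall add portopening protocol=TCP port=80  name="HTTP"  mode=ENABLE scope=ALL profile=ALL
& netsh firewall add portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL profile=ALL

# Remote administration only from the management subnet (scope=CUSTOM takes a
# comma-separated list of addresses, x.x.x.x/prefix subnets, or LocalSubnet).
& netsh firewall add portopening protocol=TCP port=3389 name="RDP (mgmt only)" mode=ENABLE scope=CUSTOM addresses=$mgmtSubnet profile=ALL

# Log dropped packets so probes that get past the perimeter are visible.
& netsh firewall set logging filelocation="$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE

# Review the resulting configuration.
& netsh firewall show config
```

The Windows Server 2003 firewall filters inbound traffic only, so the rule that the ColdFusion server may talk to the database server only on its (non-default) port has to be enforced on the internal firewall between the DMZ and the internal network, not on the host.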
By configuring Windows 2003 systemwide settings through Group Policy Objects, you avoid editing Registry settings by hand on every server in the same domain. However, you should install web servers as stand-alone servers, not as members of the organization's domain: a domain-joined web server that is compromised gives the attacker domain credentials and a foothold on the internal network, whereas a stand-alone server limits the scope of the breach to that one computer. To apply policy changes to multiple servers, use either scripts or a DMZ-only domain that has no trust relationship with the internal domain.
| Standard | Install only necessary IIS services. |
|---|---|
| Description | Attackers compromise systems through vulnerable services, so every service installed on the server enlarges the attack surface. IIS has the option to install the WWW Service, IIS Admin, FTP, NNTP, and SMTP. FTP and NNTP should not be installed on a dedicated ColdFusion server. Also, if no application needs the ability to send and receive e-mail locally, SMTP should not be installed. Removing the Windows component is preferable to merely disabling the service, because it also removes the binaries that a later vulnerability would target. |
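On an existing server the quickest way to find out which of these subsystems are present is to query the service controller. The script below is an added example, not part of the lockdown guide; it stops and disables the FTP, NNTP, and SMTP services and then reports the state of all five IIS services. The service names (MSFtpsvc, NntpSvc, SMTPSVC, W3SVC, IISADMIN) are the ones IIS 6.0 registers on Windows Server 2003; confirm them with `Get-Service` before running on another version.

```powershell
# Added example (not from the ColdFusion lockdown guide): disable the IIS
# subsystems a dedicated ColdFusion server does not need and report what is left.
# Service names assumed: IIS 6.0 on Windows Server 2003.
$unneeded = @('MSFtpsvc', 'NntpSvc', 'SMTPSVC')   # FTP Publishing, NNTP, SMTP
$required = @('W3SVC', 'IISADMIN')                # World Wide Web Publishing, IIS Admin

foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output "$name is not installed (good)"
        continue
    }
    # Stop it now and keep it from starting at boot. This is the fallback when
    # the component cannot be removed immediately; removing it via
    # Add/Remove Windows Components is still the goal.
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Output "$name stopped and disabled; remove the Windows component when possible"
}

# Final state of every IIS service, so the reviewer can see that only the
# required ones are running.
Get-Service | Where-Object { ($unneeded + $required) -contains $_.Name } |
    Select-Object Name, DisplayName, Status |
    Format-Table -AutoSize
```

Run it again after applying a service pack or re-running IIS setup, since either can reinstall a component that was previously removed.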
| Standard | Install all necessary security patches in Windows 2003. |
| Description | There is an increased risk that an unauthorized user may gain access to the application server if vendor security patches and upgrades are not applied in a timely fashion. Test patches before applying them to production servers. Create policy and procedures to check for and install patches on a regular basis. |
| Standard | Apply the High Security Member Server Baseline Policy (MBSP). |
| Description | Download the Windows Server 2003 Security Guide. The guide includes three policy templates; one is the High Security template. Apply only the High Security template to the IIS server prior to installing ColdFusion. After applying the template, you must modify the following settings to allow IIS to run properly: Under User Rights Assignments:
Under System Services:
|
| Standard | Change or remove the web server banner. |
| Description | Modifying the IIS banner has some benefit against automated attack scripts that choose exploits based on the banner; it does not hide the server type from an attacker who fingerprints other behavior, so treat it as a low-cost addition, not a control. To remove the banner, set the following Registry value: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader (REG_DWORD) to 1, then restart the HTTP service. HTTP.sys honors this value in IIS 10.0 version 1709 and later; on IIS 6.0 install the URLScan filter and set RemoveServerHeader=1 in the [Options] section of UrlScan.ini. Verify the result with a request from outside the server rather than trusting the setting. |
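Whichever mechanism removes the header, the check that matters is what a client actually receives. The script below is an added example, not code from the lockdown guide: it writes the Registry value named in the standard, restarts HTTP.sys so the value is read, and then issues a HEAD request and reports whether a `Server` header came back. The URL `http://localhost/` is an assumption; point it at the server's real address from another host for a realistic check. On IIS 6.0 the first part will not change the header (see the caveat above) and the check will say so, which is the point of checking.

```powershell
# Added example (not from the ColdFusion lockdown guide): set DisableServerHeader
# and verify from the client side whether a Server header is still sent.
# Assumption: run on the web server with administrative rights; $url is a placeholder.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
New-ItemProperty -Path $key -Name 'DisableServerHeader' -PropertyType DWord -Value 1 -Force | Out-Null

# HTTP.sys reads its parameters when the driver starts, so restart it.
# Stopping http also stops W3SVC; starting W3SVC brings http back as a dependency.
& net stop http /y
& net start w3svc

function Get-ServerHeader([string]$url) {
    # Returns the Server header value, or $null when none is present.
    $request = [System.Net.WebRequest]::Create($url)
    $request.Method = 'HEAD'
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # A 4xx/5xx response still carries headers worth inspecting;
        # rethrow only if there was no response at all (connection refused etc.).
        $response = $_.Exception.Response
        if ($null -eq $response) { throw }
    }
    $header = $response.Headers['Server']
    $response.Close()
    return $header
}

$url = 'http://localhost/'
$server = Get-ServerHeader $url
if ([string]::IsNullOrEmpty($server)) {
    Write-Output "OK: no Server header returned by $url"
} else {
    Write-Output "Server header still present on ${url}: '$server'"
}
```

If the header is still present on IIS 6.0, install URLScan, set `RemoveServerHeader=1` under `[Options]` in UrlScan.ini, restart W3SVC, and call `Get-ServerHeader` again.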
| Standard | Place IIS content on a dedicated NTFS disk partition. |
| Description | Keep web content on its own NTFS volume, separate from the volume that holds the operating system (the system32 directory) and from the boot volume. A directory traversal flaw in a web application or server can climb only within the volume that the web root lives on, so moving the IIS inetpub or wwwroot directory off the system volume keeps cmd.exe, the Registry hives, and other system files out of reach of such an attack. Apply restrictive NTFS permissions to the content volume as well; the separation is a complement to permissions, not a replacement. |
| Standard | Install and configure virus protection software. |
| Description | Virus scanners can identify infected files by scanning for a signature or watching for anomalous behavior. Scanners keep their virus signatures in a file, which is usually stored on the local hard drive. Because new viruses are discovered often, you should frequently update this file for the virus scanner to identify all current viruses. |
| Standard | Use Network Time Protocol (NTP) in a secure fashion. |
| Description | For forensic analysis and log correlation, keep accurate time on ColdFusion servers. Use NTP to synchronize the time on all systems that are connected directly to the Internet. Because the exchange with a public time server is unauthenticated, limit the exposure: run the time service as a client only, do not open UDP/123 inbound, and allow outbound UDP/123 at the firewall only to the configured source (or to an internal time server that the DMZ hosts use). Figure 1 shows how to configure Internet time in Windows Server 2003 to time.nist.gov.
Figure 1. Configuring Internet time in Windows Server 2003 |
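The same configuration can be scripted with the Windows Time service's own command-line tool, which is easier to audit and repeat across DMZ hosts than the dialog in Figure 1. The following is an added example, not part of the lockdown guide; it points w32time at the page's time server as its only source, forces a sync, and measures the offset. Using a single NIST server is the guide's choice and an assumption here; an internal stratum-2 server is the better source for hosts that should not talk to the Internet at all.

```powershell
# Added example (not from the ColdFusion lockdown guide): configure the Windows
# Time service as an NTP client of time.nist.gov and verify the clock offset.
# Assumptions: w32tm syntax as shipped with Windows Server 2003; one peer.
$peer = 'time.nist.gov'

# The time service must be running and start automatically.
Set-Service -Name w32time -StartupType Automatic
Start-Service -Name w32time

# Manual peer list; the 0x8 flag puts the association in client mode so the host
# never acts as a symmetric peer. /syncfromflags:manual ignores any domain
# hierarchy, which is what a stand-alone DMZ host needs; /reliable:no keeps the
# host from advertising itself as a time source.
& w32tm /config /manualpeerlist:"$peer,0x8" /syncfromflags:manual /reliable:no /update

# Ask for an immediate sync rather than waiting for the next poll interval.
& w32tm /resync /nowait

# Sample the offset between the local clock and the peer; each line is one
# measurement in seconds. Offsets of more than a few hundred milliseconds after
# the resync mean the sync did not happen (blocked UDP/123 is the usual cause).
& w32tm /stripchart /computer:$peer /samples:3 /dataonly
```

Nothing here opens UDP/123 inbound: the Windows firewall is stateful and lets the reply to the host's own request through, so the only firewall work is on the perimeter, where outbound UDP/123 from the DMZ should be allowed solely to the configured source.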