
Configuring ColdFusion MX 7 Server Security

Erick Lee

Product Security Team

This article lists recommendations and best practices for securing servers on the web running Microsoft Windows Server 2003 and Macromedia ColdFusion MX 7. This is not a comprehensive host-hardening guide for Windows 2003. Instead, this article describes a variety of security-hardening settings that you should implement to enhance the security of ColdFusion MX 7 running on IIS 6.0 servers that host HTML content within a corporate intranet. To ensure that the ColdFusion application servers stay secure, however, you should also implement security monitoring, detection, and response procedures.

I wrote this article primarily for consultants, security specialists, systems architects, and IT professionals who are responsible for planning application or infrastructure development and deployment of ColdFusion MX 7 running on IIS 6.0. These roles include the following common job descriptions:

Requirements

To read this article from a conceptual point of view, you do not need to download and install ColdFusion MX 7. However, to implement the recommended security settings while reading along, you must download and install ColdFusion MX 7.

ColdFusion MX 7

Pre-installation

Network Layer Security

Network security vulnerabilities are among the first threats to any Internet- or intranet-facing application server. This section deals with the process of hardening hosts on the network against these vulnerabilities. It addresses network segmentation, TCP/IP stack hardening, and the use of firewalls for host protection.

Recommendation
Standard Place ColdFusion servers within a demilitarized zone (DMZ).
Description Segmentation should exist in at least two levels for web servers. Separate the external network from the DMZ that contains the web servers, which in turn must be separated from the internal network. Use firewalls to implement the layers of separation. Categorize and control the traffic that passes through each network layer to ensure that only the absolute minimum of required data is allowed.
Standard Use Network Address Translation (NAT) with RFC 1918 private IP addresses on ColdFusion application servers.
Description Assign private IP addresses (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) to the application servers. These ranges are not routed on the Internet, so an attacker cannot address a NAT'd internal host directly; only the traffic that the NAT device or firewall explicitly forwards can reach it.
Standard Use a firewall to protect exposed network perimeters.
Description

Use the following criteria to select a firewall solution:

  • Implement firewalls that support proxy servers and/or "stateful inspection," rather than simple packet-filtering solutions.
  • Use a firewall that supports a "deny all services except those explicitly permitted" security paradigm.
  • Implement a firewall solution that is dual-homed or multihomed. This architecture provides the greatest level of security and helps to prevent unauthorized users from bypassing the security of the firewall.
Standard Do not use default listening ports for databases (Oracle: 1521, MS SQL: 1433).
Description See the database documentation for changing the listener port. Moving the port defeats only casual scanning; the database port must still be reachable only from the ColdFusion servers, which you enforce with the firewall rules described above.

Operating System Security

By configuring many of the Windows 2003 systemwide settings through the Group Policy Objects, you do not have to configure Registry settings manually for servers on the same domain. However, you should install web servers as stand-alone servers, not as members of the organization's domain. Using stand-alone servers potentially limits the scope of a security breach to a single computer. To apply policy changes to multiple servers, use either scripts or a DMZ-only domain.

Recommendation
Standard Install only necessary IIS services.
Description

Service vulnerabilities are used by attackers to compromise systems. The more services that are installed on the server, the more vulnerabilities that may be exploited.

IIS has the option to install WWW Service, IIS Admin, FTP, NNTP, and SMTP. FTP and NNTP should not be installed on a dedicated ColdFusion server. Also, if no application needs the ability to send and receive e-mail locally, SMTP should not be installed.

Standard Install all necessary security patches in Windows 2003.
Description

There is an increased risk that an unauthorized user may gain access to the application server if vendor security patches and upgrades are not applied in a timely fashion. Test patches before applying them to production servers.

Create policy and procedures to check for and install patches on a regular basis.

Standard Apply the High Security Member Server Baseline Policy (MBSP).
Description

Download the Windows Server 2003 Security Guide. The guide includes three policy templates; one is the High Security template. Apply only the High Security template to the IIS server prior to installing ColdFusion.

After applying the template, you must modify the following settings to allow IIS to run properly:

Under User Rights Assignments:

  • To allow anonymous users to connect to IIS, remove the Guests group from the "Deny access to this computer from the network" policy. The IUSR account is a member of the Guests group.

Under System Services:

  • Set HTTP SSL service to Automatic. The HTTP SSL service enables IIS to perform Secure Sockets Layer (SSL) functions.
  • Set IIS Admin Service to Automatic. The IIS Admin Service allows administration of IIS components such as File Transfer Protocol (FTP), Application Pools, websites, web service extensions, and Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers.
  • Set World Wide Web Publishing Service to Automatic. The World Wide Web Publishing Service provides network connectivity and administration of websites.
Standard Change or remove the web server banner.
Description

Removing or changing the IIS banner helps only against automated attack scripts that pick exploits based on the Server header; it does not stop an attacker who fingerprints IIS from its response behavior, so treat it as a minor hardening step rather than a control.

To remove the banner, set the following Registry value (REG_DWORD) and then restart the HTTP service and the IIS services that depend on it, or reboot:

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader = 1
Standard Place IIS content on a dedicated NTFS disk partition.
Description Disk segmentation keeps specific data on separate partitions (ideally separate physical disks) for added security. A directory traversal attack cannot cross from one drive letter to another, so keeping web content off the system drive prevents a traversal that starts in the web root from reaching system32 or the boot files. Move the IIS inetpub or wwwroot directory to a partition other than the system partition (the one containing the system32 directory) or the boot partition.
Standard Install and configure virus protection software.
Description Virus scanners can identify infected files by scanning for a signature or watching for anomalous behavior. Scanners keep their virus signatures in a file, which is usually stored on the local hard drive. Because new viruses are discovered often, you should frequently update this file for the virus scanner to identify all current viruses.
Standard Use Network Time Protocol (NTP) in a secure fashion.
Description

For forensic analysis, keep accurate time on ColdFusion servers. Use NTP to synchronize the time on all systems that are connected directly to the Internet, and allow NTP through the firewall only to the time source you have chosen. Figure 1 shows how to configure Internet time in Windows Server 2003 to use time.nist.gov.

Configuring Internet time in Windows Server 2003

Figure 1. Configuring Internet time in Windows Server 2003

Installation

Now that you have hardened Windows 2003, you can install ColdFusion on the server. Whether you are new to ColdFusion or a seasoned veteran, the installation process is straightforward. Remember that this article describes installing ColdFusion MX 7 on IIS 6.0 only.

Best Practices

Even before running the application installer, it is important to check the integrity of the installer and server. Maintain best practices throughout the entire installation process to ensure a secure deployment.

Recommendation
Standard Log in with the least privileges.
Description Log in to your computer using an account that is not in the Administrators group, and use the Run As command to run the ColdFusion installer.
Standard Do not download or run ColdFusion from sources you distrust.
Description Malicious programs can contain code to violate security in several ways, including data theft, modification and deletion, and denial of service.

Installer Options

During installation many options are available that can either increase or decrease the security posture of ColdFusion. This section describes guiding principles to increase the security of your installed ColdFusion server on IIS.

Recommendation
Standard Do not enable RDS.
Description Macromedia does not recommend enabling RDS for production servers. For more information, see "Disable RDS in production environment." If RDS is required for your organization, create a strong RDS password.
Standard Use strong RDS and ColdFusion Administrator passwords.
Description Ensure that passwords are not easily guessable (for example, dictionary words or variations of the user name), do not relate to a user's family or personal interests, and contain both letters and numbers. Passwords for normal system users are a minimum of six characters; passwords for privileged users are a minimum of eight. Treat the ColdFusion Administrator and RDS passwords as privileged-user passwords, because either one gives an attacker control of the server's files or configuration. If your organization uses a stronger password policy than this one, by all means continue using those guidelines.
Standard Place ColdFusion content on a dedicated NTFS disk partition.
Description The same disk segmentation principle applies to ColdFusion content: a traversal attack that starts in the web root cannot cross drive letters, so keeping ColdFusion content off the system partition keeps system files out of reach. Move the ColdFusion content directory to a partition other than the system partition (the one containing the system32 directory) or the boot partition.
Standard Disable unnecessary sub-components.
Description

Three sub-component options are available with the ColdFusion installer:

  • ColdFusion MX 7 ODBC Services
    Provides ODBC connections for file-based data sources such as Microsoft Access. It is not needed when ColdFusion connects to database servers through their JDBC drivers. You can disable ODBC services after installation.
  • ColdFusion MX 7 Search Services
    Handles local file indexing to facilitate searches of web server content. You can disable search services after installation.
  • Getting Started Experience, Tutorials, and Documentation
    Consists of sample applications and documentation to assist new users in developing ColdFusion applications. Do not enable this option on production servers.

Post-installation

The following section describes in detail the different tasks recommended to harden your installed ColdFusion MX 7 server. ColdFusion is highly customizable and can work in many different environments. Even though some of the recommendations may not fit your organization's needs, it is important to understand the security implications of improperly configuring a public web server.

ColdFusion Server Security

The following recommended settings apply to the ColdFusion server outside of the Administrative web application (cfide\administrator). To reduce the security risks to the server, apply these settings immediately after installing ColdFusion.

Recommendation
Standard Install necessary security patches for ColdFusion.
Description There is an increased risk that an unauthorized user may gain access to the application server if vendor security patches and upgrades are not applied in a timely fashion. Test patches before applying them to production servers to ensure compatibility and availability of ColdFusion applications. In addition, create policies and procedures to check for, and install, patches on a regular basis. You can find ColdFusion updates by visiting the ColdFusion Support Center.
Standard Remove the cfdocs virtual directory.
Description

Sample applications are installed by default in the cfdocs virtual directory and are accessible to anyone. These applications should never be available on a production server:

  1. Log in to your computer using an account that is not in the Administrators group.
  2. Use the Run As command to run IIS Manager as an administrator.
  3. In IIS Manager, expand the local computer and expand the Default website.
  4. Right-click the cfdocs directory and select Delete.
Standard Restrict access to the cfide virtual directory to specific IP address and NT user accounts.
Description

The administrative CFIDE web application is installed by default and is reachable by anyone who can reach the web server. The only protection the application itself offers is a password field, so an attacker needs only to guess (or brute-force) that password to gain administrative rights on your ColdFusion server. Apply the restrictions below to the CFIDE\administrator directory (and to CFIDE\adminapi, which exposes the same functionality through the Administrator API); do not apply them to CFIDE\scripts, which serves the client-side JavaScript that cfform and related tags need for ordinary users:

  1. Log in to your computer using an account that is not in the Administrators group.
  2. Use the Run As command to run IIS Manager as an administrator.

    To grant access to a computer:

  3. In IIS Manager, expand the local computer, right-click a website, directory, or file, and select Properties.
  4. Click the Directory Security or File Security tab. In the IP Address and Domain Name Restrictions section, click Edit.
  5. Click Denied Access. When you select Denied Access, you deny access to all computers and domains, except those to which you specifically grant access.
  6. Click Add.
  7. Select Single Computer.
  8. Type the IP address of your administrative host; localhost is recommended (127.0.0.1).
  9. Click OK twice.

    To restrict access to an NT account:

  10. In the Authentication and Access Control section, click Edit.
  11. Deselect the Enable Anonymous Access option.
Standard Disable unnecessary system services on the host.
Description

After installation, ColdFusion creates default system services that are configured to run when the system starts. Many of these services are not required in every ColdFusion deployment. The following services are either required or optional to run ColdFusion MX 7:

ColdFusion MX 7 Application Server (Required)
The JRun 4 server instance that runs ColdFusion and handles page requests.

ColdFusion MX 7 Search Server (Optional)
Manages and controls the configuration and services of the Verity K2 indexing engine. Disable it if you did not install Search Services or if no application uses cfindex and cfsearch.
Standard Create a ColdFusion service account.
Description

The ColdFusion installer configures the service to run as the built-in LocalSystem account. LocalSystem has unrestricted access to the local computer (more than a member of the Administrators group), so if the ColdFusion worker process runs as LocalSystem, any code execution flaw in a ColdFusion application yields full control of the host.

To run the ColdFusion MX 7 application server using a specific non-administrative account, follow these instructions:

  1. In the Computer Management MMC, create a local user for the ColdFusion service to log in as.

    1. Select the option "User cannot change password".
    2. Under the Member Of tab, ensure that the Users group is listed.
  2. Select Start menu > Settings > Control Panel > Administrative Tools > Services.
  3. Double-click the ColdFusion MX 7 Application Server service.
  4. Stop the service.
  5. Under the Log On tab, click the This Account option and browse to the user account you created. Enter the password for that account.
  6. Give the user account that ColdFusion Server is running under the following rights. Under "User Rights Assignment" in the "Local Security Settings" MMC:

    1. Deny log on through Terminal Services.
    2. Deny log on locally.
    3. Log on as Service (should be already set).
  7. Give the new user account "Read & Execute, List Folder Contents, and Read" permissions for the following items:

    1. ColdFusion web content directories (for example, cfide and your application directories)
    2. The ColdFusion installation directory, C:\CFusionMX7 by default, and all subdirectories. ColdFusion must also write to a few locations under it, notably the logs directory (see Auditing and Logging) and the compiled template cache in wwwroot\WEB-INF\cfclasses; grant Modify on those specific directories only, not on the whole tree.
  8. Start the ColdFusion MX 7 application server service.
Standard Disable unused web service extensions.
Description

If the server is used exclusively for ColdFusion, disable all other web extensions using the IIS Manager (see Figure 2).

IIS Manager

Figure 2. IIS Manager

Auditing and Logging

The proper and secure use of application auditing and logging can help ensure that security and other anomalous events are tracked and detected as quickly as possible. Effective use of auditing and logging within an application includes such items as tracking successful and failed logins, as well as key application events such as the creation or deletion of key records.

You can use auditing to detect many types of attacks, including the following:

Recommendation
Standard Create logging event sources during deployment, not programmatically through application code.
Description Creating an event source requires administrative privileges. Do not grant these privileges to a running application process. Instead, in the deployment procedure of an application, document a stand-alone script that is necessary to create the new event sources. An administrator executes this script once. Once the event source is created, the script is no longer necessary; remove it from the system.
Standard Set appropriate ColdFusion log file access control lists (ACLs).
Description

Setting appropriate permissions helps prevent attackers from deleting or altering the files to cover their tracks.

The security permissions on the log file directory should be Full Control for Administrators and SYSTEM groups. The ColdFusion user account should have read and write permissions only.

Standard Set appropriate IIS log file ACLs.
Description Setting appropriate permissions helps prevent attackers from deleting the files to cover their tracks. Make sure the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) are set appropriately. Windows Server 2003 sets these permissions securely by default, so normally no modification is needed; verify that the log file directory grants Full Control only to the Administrators and SYSTEM groups.
Standard Write logs to a separate server.
Description If resources permit, send logs in real time to another server that the attacker cannot reach (write-only from the web servers' point of view), using Syslog, Tivoli, MOM (Microsoft Operations Manager) Server, or some other mechanism. Protecting logs this way helps prevent tampering. In addition, storing logs in a central repository lets you correlate and monitor across servers; for example, when you run multiple ColdFusion servers and an attacker spreads a password-guessing attack across them, trying a few passwords against each machine so that no single server's log shows a suspicious number of failures.

Administrator Options

The following section describes most of the security-related options available in the ColdFusion Administrator. If the Administrator is unavailable, you can modify these options by editing the XML files in the cf_root\lib\ directory. However, editing these files directly is not recommended. After modifying these options, you must restart the ColdFusion server. If you don't, none of your changes will take effect.

Recommendation
Standard Server Settings > Settings > Timeout Requests after (seconds)
Description Set the request timeout to a maximum of 30 seconds to help prevent coding errors (runaway loops, slow queries) from becoming a denial of service. If a particular page must run longer, it can override this per request with <cfsetting requesttimeout="<seconds>">.
Standard Server Settings > Settings > Use UUID for cftoken
Description By default CFTOKEN is an eight-digit random number, a space small enough to enumerate. Selecting this option makes CFTOKEN a UUID, which is both unique and far harder to guess, so an attacker cannot practically brute-force a valid session identifier.
Standard Server Settings > Settings > Enable Global Script Protection
Description Select the Global Script Protection option, new in ColdFusion MX 7. It helps protect against cross-site scripting by replacing a small set of HTML tags (such as script, object, embed, applet and meta) found in Form, URL, CGI, and Cookie scope variables with the text InvalidTag. It is a coarse filter, not output encoding: still encode untrusted data, for example with HTMLEditFormat(), wherever you display it.
Standard Server Settings > Settings > Site-wide Error Handler
Description Prevent information leaks through verbose error messages. Specifying a site-wide error handler covers the cases where cftry/cfcatch are not used. The page should return only a generic message to the user and log the details server-side; if it displays anything derived from the request or from the error scope, encode it (for example with HTMLEditFormat) to avoid cross-site scripting.
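A handler built on those rules, as an added example rather than code from the article: it assumes the page is the one registered as the Site-wide Error Handler and that, as on a <cferror type="exception"> page, the error scope (error.message, error.diagnostics, error.template, error.remoteAddress, error.queryString, error.dateTime) is populated; the log file name siteerrors and the incident-id scheme are illustrative choices.

```cfml
<!--- Site-wide error handler (added example, not from the original article).
      Assumes it is registered in the ColdFusion Administrator under
      Server Settings > Settings > Site-wide Error Handler, and that the
      error scope is populated as on a <cferror type="exception"> page.
      The log name "siteerrors" is an illustrative choice. --->
<cfsilent>
    <!--- One id ties the generic message shown to the user to the full
          details in the server log, so support can look it up. --->
    <cfset incidentId = createUUID()>

    <!--- Strip CR/LF from attacker-controlled fields before logging so a
          crafted query string cannot forge extra log lines. --->
    <cfset safeQuery = reReplace(error.queryString, "[\r\n]+", " ", "all")>
    <cfset safeMessage = reReplace(error.message, "[\r\n]+", " ", "all")>
    <cfset safeDiagnostics = reReplace(error.diagnostics, "[\r\n]+", " ", "all")>

    <!--- Everything diagnostic goes to cf_root\logs\siteerrors.log, never
          to the browser. --->
    <cflog file="siteerrors" type="error"
           text="#incidentId# | #error.dateTime# | #error.remoteAddress# | #error.template# | #safeQuery# | #safeMessage#">
    <cflog file="siteerrors" type="error"
           text="#incidentId# | diagnostics: #safeDiagnostics#">

    <!--- Send a real 500 so proxies and monitoring see a failure instead of
          a 200 wrapped around an error page. --->
    <cfheader statuscode="500" statustext="Internal Server Error">
</cfsilent>
<html>
<head><title>Error</title></head>
<body>
    <h1>The request could not be completed</h1>
    <!--- The only dynamic value on the page is the id generated above; it is
          still HTML-encoded. Nothing from the error scope or from the URL,
          Form or Cookie scopes is echoed, which is what keeps this page free
          of information leaks and cross-site scripting. --->
    <p>Please try again later. If the problem persists, contact support and
       quote reference <cfoutput>#htmlEditFormat(incidentId)#</cfoutput>.</p>
</body>
</html>
```

The two cflog calls write to the same file; splitting the long diagnostics string onto its own line keeps the first line grep-friendly (one incident per line with client address and template), and the incident id joins them.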
Standard Server Settings > Memory Variables > Use J2EE Session Variables
Description

Enable the Use J2EE Session Variables option. ColdFusion provides two types of session management: its own proprietary means and through J2EE. J2EE sessions provide the following security and performance related features in ColdFusion:

  • Because jsessionid is sent as a non-persistent cookie, the browser discards it when the user closes all browser windows. The server-side session still exists until it times out, so keep the session timeout short as well.
  • J2EE session management uses a session-specific session identifier, jsessionid, which is created at the start of each session.
  • Share session variables between ColdFusion pages and JSP pages or Java servlets that you call from the ColdFusion pages. This could prevent you from having to store sensitive information in a cookie.
Standard Server Settings > Memory Variables > Maximum Timeout > Session
Description Set the maximum session timeout to 20 minutes to limit the window of opportunity for session hijacking. Applications cannot exceed this value: a longer sessiontimeout requested in cfapplication or Application.cfc is capped at the maximum set here.
Standard Server Setting > Memory Variables > Default Timeout > Session
Description Set the default session timeout to 20 minutes to limit the window of opportunity for session hijacking. (The default value is 20 minutes.)
Standard Server Setting > Memory Variables > Maximum Timeout > Application
Description Set the maximum application timeout to 24 hours.
Standard Server Setting > Memory Variables > Default Timeout > Application
Description Set the default application timeout to 8 hours.
Standard Server Settings > Mail > Mail Server
Description Require a user name and password to authenticate to your mail server.
Standard Server Settings > Mail > Connection Timeout
Description Set the connection timeout to 60 seconds (The default value is 60 seconds.)
Standard Data & Services > Data Sources
Description Do not use an administrative account to connect ColdFusion to a data source. For example, do not use SA account to connect to Microsoft SQL Server. The account accessing the database should be granted specific privileges to the objects it needs to access. In addition, the account created to connect the database should be Windows-based, not a SQL account. Windows accounts have many more auditing, password, and other security controls associated with them. For example, account lockouts and password complexity requirements are built into Windows. However, a database would need custom code to handle these security-related tasks.
Standard Data & Services > Data Sources
Description

Disable the following AllowedSQL options for all data sources:

  • Create
  • Drop
  • Grant
  • Revoke
  • Alter

As an administrator, you do not have control over what a developer sends to the database. However, there should be no circumstance where the previous commands need to be sent to an SQL server from a web application.

Restricting database queries to parameterized stored procedures or query strings (using the CFQUERYPARAM tag) can greatly reduce the risk of SQL injection attacks. For more information regarding CFQUERYPARAM and SQL injection, read Securing Database Access Using the cfqueryparam Tag by Dave Watts.
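The contrast the paragraph draws, as an added example that is not part of the article: a query that pastes a URL parameter into SQL beside the same query bound with cfqueryparam, plus the case cfqueryparam cannot cover (an ORDER BY column, which is an identifier rather than a value). The data source appDS, the products table and the URL parameters are assumptions for the example.

```cfml
<!--- Added example, not from the original article. Assumes a data source
      named appDS with a table products(id INT, name, category); the URL
      parameters are illustrative. --->
<cfparam name="url.id" default="0">
<cfparam name="url.category" default="">
<cfparam name="url.sort" default="name">

<!--- VULNERABLE: url.id is pasted into the SQL text. products.cfm?id=1 OR 1=1
      returns every row, and products.cfm?id=1; DROP TABLE products-- runs a
      second statement if the data source still allows DROP (see the
      AllowedSQL options above). Shown for contrast only. --->
<cfquery name="qBad" datasource="appDS">
    SELECT id, name, category FROM products WHERE id = #url.id#
</cfquery>

<!--- HARDENED: validate, then bind. cfqueryparam sends the value as a typed
      parameter, so the database never parses it as SQL, and cf_sql_integer
      rejects non-numeric input before the query is sent. The cfthrow below
      is unhandled on purpose: it lands in the site-wide error handler. --->
<cfif not isValid("integer", url.id)>
    <cfthrow message="Invalid product id">
</cfif>
<cfquery name="qGood" datasource="appDS">
    SELECT id, name, category
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- cfqueryparam binds values only; it cannot bind identifiers such as an
      ORDER BY column. For those, allow-list against a fixed set and never
      interpolate the raw input. maxlength caps what reaches the database. --->
<cfset allowedSort = "name,category">
<cfif not listFindNoCase(allowedSort, url.sort)>
    <cfset url.sort = "name">
</cfif>
<cfquery name="qSorted" datasource="appDS">
    SELECT id, name, category
    FROM products
    WHERE category = <cfqueryparam value="#url.category#" cfsqltype="cf_sql_varchar" maxlength="50">
    ORDER BY #url.sort#
</cfquery>

<!--- Output is encoded as well; a stored payload in name or category must
      not become a cross-site scripting problem on the way back out. --->
<cfoutput query="qGood">
    #htmlEditFormat(name)# (#htmlEditFormat(category)#)<br>
</cfoutput>
```

The AllowedSQL restrictions in the Administrator and cfqueryparam are complementary: the first limits the damage when a developer gets a query wrong, the second stops the injection in the first place, and neither covers the identifier case, which only an allow-list handles.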

Standard Debugging & Logging > Debugging Settings > Enable Robust Exception Information
Description Disable this option for production servers. (Default)
Standard Debugging & Logging > Debugging Settings > Enable Debugging
Description Disable this option for production servers. (Default)
Standard Debugging & Logging > Logging Settings > Log directory
Description As a defensive measure, store log files in a location other than the default, outside any directory served by IIS. A nonstandard location makes it harder for an attacker to find and tamper with the logs; it complements, but does not replace, the log ACLs described above.
Standard Security > Sandbox Security > Enable ColdFusion Security
Description

The ColdFusion sandbox allows you to place access security restrictions on files, directories, methods, and data sources. Sandboxes make the most sense for a hosting provider or corporate intranet where multiple applications share the same server. First, select this option.

Next, configure a sandbox. If you don't, all code in all directories can execute without restriction. Code in a directory and its subdirectories inherits the access controls defined for the sandbox. For example, if ABC company creates multiple applications within a directory, all applications have the same permissions as the parent. A sandbox applied to ABC-apps applies to app1 and app2. The following is a sample directory structure:

D:\inetpub\wwwroot\ABC-apps\app1
D:\inetpub\wwwroot\ABC-apps\app2

Note: If you create a new sandbox for app2, it does not inherit settings from ABC-apps.

Sandbox security configurations are application-specific; however, there are general guidelines to follow:

  1. Create a default restricted sandbox and copy its settings to each subsequent sandbox, removing restrictions as the application requires; the exception is files and directories, where access is granted rather than restricted:

    • Restrict access to data sources that the sandboxed application should not have access to
    • Restrict access to powerful tags, for example CFREGISTRY and CFEXECUTE
  2. Restrict file and directory access to limit the ability of tags and functions to perform actions to specified paths.
  3. Give every application a sandbox.

For more information on sandbox security, see the ColdFusion LiveDocs.

Application Deployment

After the server is properly configured and your application is developed, you must securely deploy the application to the production server. The following section describes some recommendations for publishing content to your hardened ColdFusion server.

Recommendation
Standard Disable RDS in a production environment.
Description

In production environments, you should not use RDS. In earlier versions of ColdFusion, RDS ran as a separate service or process and could be disabled by disabling the service. In ColdFusion MX 7, RDS is integrated into the main service. To disable it, you must disable the RDSServlet mapping in the web.xml file. The following procedure assumes that ColdFusion is installed in the default location:

  1. Back up C:\CFusionMX7\wwwroot\WEB-INF\web.xml.
  2. Open web.xml for editing.
  3. Comment out the RDSServlet mapping, as follows:

    <!--
    <servlet-mapping>
        <servlet-name>RDSServlet</servlet-name>
        <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
    </servlet-mapping>
    -->
  4. Save the file.
  5. Restart ColdFusion.
Standard Use RDS over SSL.
Description During development, you should use SSL v3 to encrypt all RDS communications between Dreamweaver MX and the ColdFusion server. This includes remote access to server data sources and drives, provided that both are accessed through RDS.
Standard Use SFTP for remote file transfer.
Description The SSH protocol suite comes with SFTP, an encrypted replacement of FTP. Dreamweaver MX supports SFTP. Unfortunately, Windows 2003 Server does not include the SSH server. You can install the SSH server using one of several commercial and free software packages. OpenSSH is a free SSH server program, for example.
Standard Ensure that FTP is disabled.
Description

FTP transfers unencrypted data and authentication credentials over the network. To reduce the risk of eavesdropping, you should not use FTP. FTP is disabled by default in IIS 6.

Select Programs > Administration Tools > Internet Information Services (IIS) Manager to ensure that FTP is disabled or not installed.

Standard Implement page encoding.
Description ColdFusion MX includes a utility called cfencode, which obscures the source of the ColdFusion pages that make up an application. Encoding is not encryption: decoders for cfencode output exist, so it prevents only trivial inspection of the pages and is no substitute for correct file system permissions and access control.
Standard Configure NTFS permissions on web content.
Description

Although the following permissions are application-dependent, some general rules apply:

File types: CGI (.exe, .dll, .cmd, .pl)
ACLs: Everyone (X); System and Administrators (Full Control)

File types: Scripts (.cfm, .cfml, .jsp, .asp, .aspx, .sgml, .wml, and so on)
ACLs: Everyone (X); System and Administrators (Full Control)

File types: Includes (.inc, .shtm, .shtml)
ACLs: Everyone (X); System and Administrators (Full Control)

File types: Static content (.txt, .gif, .jpg, .html, .xml)
ACLs: Everyone (R); System and Administrators (Full Control)

The ColdFusion service account created earlier also needs Read on the .cfm and .cfc files, because it is the ColdFusion process, not IIS, that reads and compiles the CFML source.

Using the "Run As" command

The following steps describe how to use "Run As" to start IIS Manager from the command line and from the Windows Start menu:

From the command prompt, type the following:

runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"

You can also access the Run As command by using the Windows interface. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager. Right-click Internet Information Services Manager and select the options in the Run As dialog box (see Figure 3).

Accessing the Run As command in Windows

Figure 3. Accessing the Run As command in Windows

Where to Go from Here

The following information sources were the latest available at the time of writing this article:

About the author

Erick Lee has over a decade of information technology experience. His focus at Macromedia is on product security. Prior to joining Macromedia, he worked as a security consultant for @stake, where he focused on application and network security by assessing cryptographic systems, source code, network protocols, and infrastructure security. Before that he was the principal owner of the IT firm Kinetisys, where he designed and built web applications for legal and service industry clients. He was also a member of the R&D team for eSecurityOnline, formerly a branch of Ernst & Young, where he researched vulnerabilities, wrote security policy (ISO 17799, HIPAA, etc.), and assembled host-hardening guidelines for over 51 platforms and technologies.