MPSB03-02 - Using Windows NT Authentication and Windows file permissions

Originally Posted: January 30, 2003
Last Updated: January 30, 2003

Summary

When ColdFusion MX is used with Microsoft IIS, Windows NT Authentication, and NTFS file permissions, IIS must be configured to check the file permissions before passing the request to ColdFusion MX.

Issues

This bulletin applies in the following situation:

  • ColdFusion MX is configured to use Microsoft IIS web server
  • IIS is configured to authenticate users to a Windows account
  • NTFS file permissions are used to control access to ColdFusion templates or directories based on the user's Windows account

--------------------------------------------------------------------------------
When this type of access control is desired, IIS must be configured to check the file permissions before passing a ColdFusion request to the ColdFusion MX process.
IIS can be configured to check the file permissions by changing the following IIS settings. IIS allows these settings to be changed for one web site, or for all web sites.

Step 1. Set IIS to check template files

  • select Properties, Home Directory, Configuration
  • select the .cfm file extension and choose Edit
  • enable the Check File Exists checkbox
  • select any other ColdFusion MX file extensions that should have file permissions checked by IIS. Enable the Check File Exists checkbox for these extensions also.
    • .cfml
    • .dbm
    • .jsp (Enterprise edition only)
    • .jsw (Enterprise edition only)

Step 2. Create additional .cfm files

ColdFusion MX uses two template pathnames which do not normally exist as files. If the default IIS web directories are used, these files would be located at:

  • InetPub\wwwroot\CFIDE\GraphData.cfm
  • InetPub\wwwroot\CFIDE\main\ide.cfm

When IIS checks that template files exist, it is necessary to create these two files and to create the CFIDE\main directory for the second file. These two files can be empty (zero length) files. NTFS file permissions may be placed on them like any other file.

The GraphData.cfm filename is used by <cfchart>. The ide.cfm filename is used by ColdFusion MX Administrator and by RDS.

Step 3. Configure IIS to handle missing template files

Note: This step is not necessary if you did not specify a Missing Template Handler in ColdFusion MX Administrator.

When IIS checks that template files exist, IIS will recognize and report a request for a nonexistent file before the request is passed to ColdFusion MX. If you specify a Missing Template Handler in ColdFusion MX Administrator, this Missing Template Handler will not be executed.

IIS can be set to use the ColdFusion Missing Template Handler instead of the default IIS message.

  • select Properties, Custom Errors, HTTP Error 404, Edit Properties
  • select URL as the Message Type and enter the URL path to your ColdFusion MX Missing Template Handler

When this IIS Custom Error setting is used, your Missing Template Handler will be executed for all requests for missing web pages, not just missing ColdFusion MX templates.
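
An audit of Steps 1 and 2 above, added here as an example and not part of the original bulletin. It assumes the IIS script map entries have been exported as strings of the form extension,executable,flags,verbs and that flag bit 4 corresponds to the Check File Exists checkbox; the connector path, web root and file listing are constructed sample data.

```python
import ntpath

CF_EXTENSIONS = {".cfm", ".cfml", ".dbm", ".jsp", ".jsw"}  # listed in Step 1
PLACEHOLDERS = [r"CFIDE\GraphData.cfm", r"CFIDE\main\ide.cfm"]  # Step 2 files
CHECK_FILE_EXISTS = 0x4  # assumed script-map flag bit for "Check File Exists"


def audit_script_maps(script_maps):
    """Return mapped ColdFusion extensions that IIS does not file-check."""
    failing = []
    for entry in script_maps:
        parts = [p.strip() for p in entry.split(",")]
        ext = parts[0].lower()
        if ext not in CF_EXTENSIONS:
            continue  # not a ColdFusion MX mapping
        try:
            flags = int(parts[2])
        except (IndexError, ValueError):
            flags = 0  # missing or unparseable flags: treat as unchecked
        if not flags & CHECK_FILE_EXISTS:
            failing.append(ext)
    return sorted(failing)


def missing_placeholders(web_root, existing_files):
    """Return Step 2 placeholder paths absent from a file listing."""
    def norm(path):
        # NTFS paths are case-insensitive, so compare normalized forms.
        return ntpath.normcase(ntpath.normpath(path))

    have = {norm(f) for f in existing_files}
    wanted = [ntpath.join(web_root, rel) for rel in PLACEHOLDERS]
    return [w for w in wanted if norm(w) not in have]


# Constructed sample input, not taken from a real server.
SAMPLE_MAPS = [
    r".cfm,C:\example\cf_connector.dll,5,GET,POST",   # 1|4: file-checked
    r".cfml,C:\example\cf_connector.dll,1,GET,POST",  # bit 4 not set
    r".dbm,C:\example\cf_connector.dll",              # flags field missing
    r".asp,C:\example\asp.dll,1,GET",                 # not ColdFusion, ignored
]
SAMPLE_FILES = [r"c:\inetpub\wwwroot\cfide\graphdata.cfm"]

if __name__ == "__main__":
    print("Not file-checked:", audit_script_maps(SAMPLE_MAPS))
    print("Missing placeholders:",
          missing_placeholders(r"C:\InetPub\wwwroot", SAMPLE_FILES))
```

Any extension reported as not file-checked is still handed to ColdFusion MX without IIS evaluating NTFS permissions on the template.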
--------------------------------------------------------------------------------

Affected Software Versions

  • ColdFusion MX (All Editions, Windows Platform with IIS)

What Macromedia Is Doing

Macromedia has notified customers of the security issue through standard communication channels.

What Customers Should Do

ColdFusion MX customers who wish to use Windows user accounts and NTFS file permissions to control access to ColdFusion templates should configure IIS as described in this bulletin.

Revisions

January 30, 2002 - Bulletin first released.

Reporting Security Issues

Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Macromedia becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Macromedia customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Macromedia, please visit: http://www.macromedia.com/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information in this document with current information.