> I've been checking out some of the popular ColdFusion-based
> sites, and noticed that all of them block /cfide/administrator
> and /cfdocs somehow. Sometimes a password dialog pops up,
> sometimes the page returns an error "forbidden". This is
> obviously a good idea, but how is it implemented?
>
> We're using IIS on our site, and I guess it would be smart
> also to block /iisadmin. Can someone help me out here? TIA.
For the most part, this is all web server administration stuff. If you're
using IIS, you might want to get a copy of the IIS Resource Kit.
There are several ways to prevent access to these things.
1. In the case of cfdocs, you shouldn't even install that on a production
server. Never install documentation or sample code on a production server.
2. You can use the web server's authentication mechanisms. In IIS, you can
use Basic Authentication, NTLM Authentication, Basic Authentication through
SSL or even client certificates with SSL. You should use SSL if possible,
otherwise NTLM Authentication. This will force a user to enter their NT
username and password, generally. To use SSL, you'll need to get an SSL
server certificate from Thawte or Verisign.
3. You can place these things on separate virtual servers, and only allow
access to those virtual servers from the appropriate sources. For example,
you might have a separate virtual server for the CF and IIS administration
tools, and only allow access from your internal network. You should still
use web server authentication, as described above.
Beyond this, there are many things involved in setting up a secure web
server. You should read the IIS security guidelines provided on the
Microsoft site, although I don't remember where they are there - you'll have
to search for them. You should read the Allaire knowledge base & security
articles on their site, and it's helpful to follow NT security stuff in
general.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
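One way to implement points 1 to 3 on a current IIS (a site-level web.config for IIS 7 or later, which did not exist when this was posted), added here as an example and not part of the original message. The CFIDE/administrator path and the internal subnet are assumptions, and the ipSecurity, authentication and access sections must first be unlocked in applicationHost.config, since they are locked at the server level by default.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): restrict the ColdFusion
     administrator path on IIS 7+. Assumes the site root contains a
     CFIDE/administrator directory and that the sections used below have
     been unlocked in applicationHost.config. -->
<configuration>
  <!-- Point 1: if cfdocs was installed anyway, hide it from every request
       (request filtering rejects any URL containing this segment). -->
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="cfdocs" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Points 2 and 3: the administrator path requires SSL and Windows
       authentication, and is reachable only from the internal network
       (10.0.0.0/8 is a constructed value; substitute your own range). -->
  <location path="CFIDE/administrator">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

After applying it, confirm from an external address that the path returns 403 and from an internal address that it prompts for Windows credentials over HTTPS.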
------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk