> Thanks, Dave. We are securing access to the directory, and 
> we require SSL. We just wanted as much security as possible.  

I guess my point is, though, that renaming the directory doesn't really
provide any security - just the illusion of security, really. But it's good
that you did the other things. Ideally, you should limit access only to
trusted hosts - typically, machines on your internal network. I like using a
separate virtual server for that, so that there's no real possibility of
someone from the outside world being able to request the CF Administrator at
all.

> We tried renaming the CFIDE directory, and it didn't work 
> -- the browser came up with a 404 error.

Your web server may have an existing virtual mapping, in which case you'd
have to change or remove that mapping.

Finally, it's worth noting that, for some things, you do want a
publicly-accessible CFIDE directory - you typically just don't want people
running the CF Administrator. To that end, when I configure a server I
usually create two CFIDE directories; one for public access which contains
everything other than the CF Administrator, and one for private access which
contains the CF Administrator as well as everything else. If you're running
RDS on the server (which you shouldn't, if it's a public server), you'll
need the public CFIDE directory if you want to use web server permissions to
control who can run RDS - the RDS client references the URL path
"/CFIDE/main/ide.cfm".

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
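
The two-directory layout described in the message above, as an added example that is not part of the original post or of any ColdFusion tooling: it copies a CFIDE tree to a public location without the Administrator, then audits the result. The function names and the sample tree are hypothetical and constructed for illustration, and it assumes the Administrator sits in a top-level "administrator" directory under CFIDE.

```python
import os
import shutil
import tempfile

ADMIN_DIR = "administrator"    # assumption: Administrator is at CFIDE/administrator
RDS_ENTRY = ("main", "ide.cfm")  # URL path the RDS client requests, per the message

def make_public_copy(private_cfide, public_cfide):
    """Copy CFIDE to public_cfide, leaving out the top-level administrator directory."""
    top = os.path.abspath(private_cfide)
    def skip_admin(directory, names):
        if os.path.abspath(directory) != top:
            return []  # only filter at the top level of CFIDE
        # Case-insensitive match: many web servers ignore case in URL paths.
        return [n for n in names if n.lower() == ADMIN_DIR]
    shutil.copytree(private_cfide, public_cfide, ignore=skip_admin)

def audit_public_copy(public_cfide, rds_needed=False):
    """Return a list of findings for a CFIDE directory meant for public access."""
    findings = []
    for name in sorted(os.listdir(public_cfide)):
        if name.lower() == ADMIN_DIR and os.path.isdir(os.path.join(public_cfide, name)):
            findings.append("administrator directory present: " + name)
    if rds_needed and not os.path.isfile(os.path.join(public_cfide, *RDS_ENTRY)):
        findings.append("RDS entry point missing: main/ide.cfm")
    return findings

def build_sample_tree(root):
    """Constructed sample layout, not a real ColdFusion install."""
    for rel in ("Administrator/index.cfm", "main/ide.cfm", "scripts/cfform.js"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")

def demo():
    """Audit the full tree, build the public copy, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "private", "CFIDE")
        public = os.path.join(tmp, "public", "CFIDE")
        build_sample_tree(private)
        before = audit_public_copy(private, rds_needed=True)
        make_public_copy(private, public)
        after = audit_public_copy(public, rds_needed=True)
        return before, after

if __name__ == "__main__":
    print(demo())
```

The audit only inspects the directory contents; any virtual mapping on the web server that still points /CFIDE at the private copy has to be checked separately.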
