Thank you both for your help. Below is what I did, which seems to work.

1. Created two domain users, svc_cf_[servername] and svc_web_[servername]. One is for the CFMX service, and the other is for the iPlanet/Sun One service.

2. Gave the ColdFusion service user full control of
/winnt/*
/cfusionmx/*
/webroot/*
/logs/*
(Note: I write my logs to a central location outside of the normal directories)

3. Gave the iPlanet/Sun One service user full control of:
/winnt/*
/webroot/*
/logs/*

and Read & Execute permission for
/cfusionmx/*

4. Removed permission from certain directories within the webroot that should not be accessible over the Web.

5. Changed the two services to log in with their new domain accounts and restarted the services.

6. Disabled the two CFMX ODBC services.

The setup seems like it is working, although the site I am building does not do much at this point.

I wish the CF and iPlanet documentation were clearer on exactly what the services need permission to access. I imagine CF does not need full control over /winnt/, but I do not want to spend hours experimenting with security at this point. CFFILE may need to save temporary files somewhere under /winnt/. iPlanet may only need access to the \CFusionMX\runtime\lib\wsconfig\ directory in the CFMX folder. I also discovered that CFMX needs a minimum of "List Folder / Read Data" permission on the base of the webroot folder, or scripts in subfolders will not work, even if you grant CFMX full control over the subfolders where the actual CF code resides. I did not grant any registry permissions. CF5 probably needs registry access more than CFMX.

Thank you,
Mike Chabot

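The six steps above can be scripted so the grants are repeatable and auditable. The following is an added example, not code from Mike's post or from the ColdFusion or iPlanet products: it applies the same ACLs with icacls, changes the service logon accounts, and disables the ODBC services. The domain name, the Windows service names, the drive letter, and the restricted webroot subfolders are placeholders that must be replaced with the real values for the box.

```powershell
# Added example (not from the original post). Placeholders: $Domain, the
# service names, the C: drive paths and the $Restricted folders.
$Domain  = 'DOMAIN'                          # placeholder domain
$Server  = $env:COMPUTERNAME
$CfUser  = "$Domain\svc_cf_$Server"          # ColdFusion MX service account (step 1)
$WebUser = "$Domain\svc_web_$Server"         # iPlanet/Sun ONE service account (step 1)

$CfService    = 'CFMX_SERVICE_NAME'          # placeholder: real CFMX service name
$WebService   = 'IPLANET_SERVICE_NAME'       # placeholder: real iPlanet service name
$OdbcServices = @('CFMX_ODBC_SERVICE_1', 'CFMX_ODBC_SERVICE_2')  # placeholders

# Directories from the post, assumed to live on C:
$SharedTrees = 'C:\winnt', 'C:\webroot', 'C:\logs'
$CfRoot      = 'C:\cfusionmx'
# Webroot folders that must not be reachable through the web server (placeholders)
$Restricted  = 'C:\webroot\admin', 'C:\webroot\includes'

function Grant-Tree {
    param([string]$Path, [string]$Account, [string]$Rights)
    # (OI)(CI) makes the ACE inherit to files and subfolders; F = full control,
    # RX = read & execute. No /T is needed when inheritance is enabled below.
    icacls $Path /grant "${Account}:(OI)(CI)$Rights" | Out-Null
}

# Steps 2 and 3: full control for both accounts on winnt, webroot and logs
foreach ($dir in $SharedTrees) {
    Grant-Tree -Path $dir -Account $CfUser  -Rights 'F'
    Grant-Tree -Path $dir -Account $WebUser -Rights 'F'
}
# CF owns its install tree; the web server only needs read & execute there
Grant-Tree -Path $CfRoot -Account $CfUser  -Rights 'F'
Grant-Tree -Path $CfRoot -Account $WebUser -Rights 'RX'

# Step 4: break inheritance on restricted webroot folders and drop the
# web server account's grant so those folders cannot be served.
foreach ($dir in $Restricted) {
    icacls $dir /inheritance:d | Out-Null      # copy inherited ACEs, then stop inheriting
    icacls $dir /remove:g $WebUser | Out-Null  # remove only the web account's grant
}

# Step 5: run each service under its own domain account and restart it
function Set-ServiceLogon {
    param([string]$Name, [string]$Account)
    $cred = Get-Credential -UserName $Account -Message "Password for $Account"
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Account
        StartPassword = $cred.GetNetworkCredential().Password
    }
    if ($r.ReturnValue -ne 0) { throw "Change failed for $Name (code $($r.ReturnValue))" }
    Restart-Service -Name $Name
}
Set-ServiceLogon -Name $CfService  -Account $CfUser
Set-ServiceLogon -Name $WebService -Account $WebUser

# Step 6: stop and disable the two CFMX ODBC services
foreach ($s in $OdbcServices) {
    Stop-Service -Name $s -ErrorAction SilentlyContinue
    Set-Service  -Name $s -StartupType Disabled
}

# Verification: services now log on as the new accounts, and the web account
# shows (OI)(CI)(RX) rather than F on the CF install tree.
Get-CimInstance Win32_Service -Filter "Name='$CfService' OR Name='$WebService'" |
    Select-Object Name, StartName, State
icacls $CfRoot
```

Two points worth checking after running it. Unlike the Services MMC, the WMI Change method does not grant the new account the "Log on as a service" right, so confirm that right is present (Local Security Policy) or the restart in step 5 will fail. And if the webroot grant is later tightened below full control, keep at least List Folder / Read Data on the base of the webroot itself, which is the requirement Mike describes for scripts in subfolders to run.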