> What do most people do to secure their CFIDE directory?  How 
> do you prevent people from going to 
> http://your_server_ip/cfide/administrator
> and trying to hack your server?  I've read various methods 
> such as moving the cfide folder, or having it only accessible 
> by using ColdFusion's internal web server.  I was hoping to 
> get some feedback from what others most commonly do.

Our standard configuration, with CF 7, is to use the CF internal web server,
and only allow access to that from the console (or through remote console
programs) or specific trusted internal IP addresses. Also, we flag and block
requests using whatever sort of HTTP filter is being deployed with the site;
with IIS, that tends to be URLScan (in IIS 5 or earlier) or the built-in URL
filtering in IIS 6.

> It is important, obviously, that the current applications are 
> still able to access scripts used by cfform, and still have 
> access to the ColdFusion admin API.

There are many ways you can get around this, without requiring access to
/CFIDE/administrator. I wouldn't allow public access to the admin API
either, though. Our standard configuration uses a public CFIDE folder with
the things in it that we want public.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
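The reply above describes two controls: only trusted internal addresses may reach /CFIDE/administrator, and an HTTP filter in front of the site (URLScan or IIS 6 URL filtering) flags and blocks the rest. The block below is an added illustration of that filter logic, not code from the post or from Fig Leaf Software; it is a stand-alone Python function, so it shows the decision rule rather than the URLScan or IIS configuration itself. The trusted networks, the restricted path prefixes and the sample requests are constructed for the example and would be replaced with the values of a real deployment.

```python
import ipaddress
from urllib.parse import unquote

# Constructed allowlist of trusted internal networks (assumption for the example;
# a real site lists its own console and admin subnets here).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Path prefixes that must only be reachable from trusted addresses. The public
# parts of /CFIDE (e.g. /CFIDE/scripts used by cfform) are deliberately not listed,
# matching the post's "public CFIDE folder with the things we want public".
RESTRICTED_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path before matching it against the restricted list.

    A filter that compares the raw string misses trivially different spellings of
    the same resource, so we strip the query string, percent-decode (twice, so a
    double-encoded path is seen in its final form), treat backslashes as slashes,
    resolve '.' and '..' segments, drop empty segments and lower-case the result.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()


def decide(raw_path: str, client_ip: str) -> str:
    """Return 'allow' or 'block' for one request.

    Requests outside the restricted prefixes are always allowed here (the rest of
    the site's access control is out of scope). Requests inside them are allowed
    only when the client address falls within a trusted network.
    """
    path = normalize_path(raw_path)
    if not path.startswith(RESTRICTED_PREFIXES):
        return "allow"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in TRUSTED_NETWORKS):
        return "allow"
    return "block"


def filter_log(requests):
    """Run decide() over (path, ip) pairs and return flagged requests as log lines,
    the 'flag and block' step described in the post."""
    lines = []
    for raw_path, client_ip in requests:
        verdict = decide(raw_path, client_ip)
        if verdict == "block":
            lines.append(f"BLOCK {client_ip} {normalize_path(raw_path)}")
    return lines


if __name__ == "__main__":
    # Constructed sample traffic: public cfform script, admin from the console,
    # admin from an external address, and a differently spelled admin path.
    sample = [
        ("/CFIDE/scripts/cfform.js", "203.0.113.5"),
        ("/CFIDE/administrator/index.cfm", "127.0.0.1"),
        ("/CFIDE/administrator/index.cfm", "203.0.113.5"),
        ("/cfide/scripts/../Administrator/", "203.0.113.7"),
    ]
    for line in filter_log(sample):
        print(line)
```

The normalisation step is the part worth copying into whatever filter you actually deploy: the post's recommendation only holds if the filter recognises every spelling of the administrator path, not just the one written in the rule.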

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270640